Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts.
syzkaller login: [ 27.867164] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 28.059272] FAULT_INJECTION: forcing a failure.
[ 28.059272] name failslab, interval 1, probability 0, space 0, times 1
[ 28.070931] CPU: 1 PID: 7999 Comm: syz-executor400 Not tainted 4.14.302-syzkaller #0
[ 28.078876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 28.088296] Call Trace:
[ 28.090867]  dump_stack+0x1b2/0x281
[ 28.094578]  should_fail.cold+0x10a/0x149
[ 28.098699]  ? commit_echoes+0x4c/0x1e0
[ 28.102930]  should_failslab+0xd6/0x130
[ 28.106882]  __kmalloc+0x6d/0x400
[ 28.110309]  ? tty_buffer_alloc+0xc0/0x270
[ 28.114548]  tty_buffer_alloc+0xc0/0x270
[ 28.118585]  __tty_buffer_request_room+0x12c/0x290
[ 28.123492]  tty_insert_flip_string_fixed_flag+0x8b/0x210
[ 28.129011]  tty_insert_flip_string_and_push_buffer+0x3e/0x160
[ 28.134958]  pty_write+0xc3/0xf0
[ 28.138397]  ? commit_echoes+0x108/0x1e0
[ 28.142432]  tty_put_char+0xfe/0x120
[ 28.146121]  ? dev_match_devt+0x80/0x80
[ 28.150067]  ? pty_write_room+0xa9/0xd0
[ 28.154014]  ? ptmx_open+0x300/0x300
[ 28.157702]  __process_echoes+0x48c/0x8c0
[ 28.161826]  n_tty_receive_buf_common+0x9a3/0x25a0
[ 28.166730]  ? n_tty_receive_buf2+0x40/0x40
[ 28.171025]  tty_ioctl+0xe8a/0x1430
[ 28.174626]  ? tty_fasync+0x2c0/0x2c0
[ 28.178401]  ? proc_fail_nth_write+0x7b/0x180
[ 28.182876]  ? trace_hardirqs_on+0x10/0x10
[ 28.187092]  ? fsnotify+0x974/0x11b0
[ 28.190794]  ? proc_tgid_io_accounting+0x7a0/0x7a0
[ 28.195716]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 28.200798]  ? SyS_write+0x1b7/0x210
[ 28.204498]  ? tty_fasync+0x2c0/0x2c0
[ 28.208279]  do_vfs_ioctl+0x75a/0xff0
[ 28.212058]  ? lock_acquire+0x170/0x3f0
[ 28.216022]  ? ioctl_preallocate+0x1a0/0x1a0
[ 28.220421]  ? __fget+0x265/0x3e0
[ 28.223898]  ? do_vfs_ioctl+0xff0/0xff0
[ 28.227956]  ? security_file_ioctl+0x83/0xb0
[ 28.232433]  SyS_ioctl+0x7f/0xb0
[ 28.235789]  ? do_vfs_ioctl+0xff0/0xff0
[ 28.239737]  do_syscall_64+0x1d5/0x640
[ 28.243613]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.249042] RIP: 0033:0x7f9ec00749d9
[ 28.252727] RSP: 002b:00007f9ec0005268 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 28.267019] RAX: ffffffffffffffda RBX: 00007f9ec00fe4d0 RCX: 00007f9ec00749d9
[ 28.274836] RDX: 0000000020000080 RSI: 0000000000005412 RDI: 0000000000000003
[ 28.282265] RBP: 00007f9ec00cb15c R08: 0000000000000001 R09: 0000000000000000
[ 28.289638] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ec0005280
[ 28.297151] R13: 00007f9ec00fe4d8 R14: 00007f9ec000527c R15: 0000000000000001
[ 28.304407]
[ 28.304409] ======================================================
[ 28.304411] WARNING: possible circular locking dependency detected
[ 28.304412] 4.14.302-syzkaller #0 Not tainted
[ 28.304414] ------------------------------------------------------
[ 28.304415] syz-executor400/7999 is trying to acquire lock:
[ 28.304416]  (console_owner){....}, at: [] console_unlock+0x307/0xf20
[ 28.304421]
[ 28.304422] but task is already holding lock:
[ 28.304423]  (&(&port->lock)->rlock){-.-.}, at: [] tty_insert_flip_string_and_push_buffer+0x2b/0x160
[ 28.304428]
[ 28.304429] which lock already depends on the new lock.
[ 28.304430]
[ 28.304431]
[ 28.304432] the existing dependency chain (in reverse order) is:
[ 28.304433]
[ 28.304434] -> #2 (&(&port->lock)->rlock){-.-.}:
[ 28.304438]        _raw_spin_lock_irqsave+0x8c/0xc0
[ 28.304439]        tty_port_tty_get+0x1d/0x80
[ 28.304441]        tty_port_default_wakeup+0x11/0x40
[ 28.304442]        serial8250_tx_chars+0x3fe/0xc70
[ 28.304443]        serial8250_handle_irq.part.0+0x2c7/0x390
[ 28.304445]        serial8250_default_handle_irq+0x8a/0x1f0
[ 28.304447]        serial8250_interrupt+0xf3/0x210
[ 28.304448]        __handle_irq_event_percpu+0xee/0x7f0
[ 28.304449]        handle_irq_event+0xed/0x240
[ 28.304450]        handle_edge_irq+0x224/0xc40
[ 28.304452]        handle_irq+0x35/0x50
[ 28.304453]        do_IRQ+0x93/0x1d0
[ 28.304454]        ret_from_intr+0x0/0x1e
[ 28.304455]        native_safe_halt+0xe/0x10
[ 28.304456]        default_idle+0x47/0x370
[ 28.304457]        do_idle+0x250/0x3c0
[ 28.304459]        cpu_startup_entry+0x14/0x20
[ 28.304460]        start_kernel+0x743/0x763
[ 28.304461]        secondary_startup_64+0xa5/0xb0
[ 28.304462]
[ 28.304462] -> #1 (&port_lock_key){-.-.}:
[ 28.304466]        _raw_spin_lock_irqsave+0x8c/0xc0
[ 28.304468]        serial8250_console_write+0x8cb/0xb40
[ 28.304469]        console_unlock+0x99d/0xf20
[ 28.304470]        vprintk_emit+0x224/0x620
[ 28.304472]        vprintk_func+0x58/0x160
[ 28.304473]        printk+0x9e/0xbc
[ 28.304474]        register_console+0x6f4/0xad0
[ 28.304475]        univ8250_console_init+0x2f/0x3a
[ 28.304476]        console_init+0x46/0x53
[ 28.304478]        start_kernel+0x521/0x763
[ 28.304479]        secondary_startup_64+0xa5/0xb0
[ 28.304480]
[ 28.304480] -> #0 (console_owner){....}:
[ 28.304484]        lock_acquire+0x170/0x3f0
[ 28.304485]        console_unlock+0x36f/0xf20
[ 28.304487]        vprintk_emit+0x224/0x620
[ 28.304488]        vprintk_func+0x58/0x160
[ 28.304489]        printk+0x9e/0xbc
[ 28.304490]        should_fail.cold+0xdf/0x149
[ 28.304492]        should_failslab+0xd6/0x130
[ 28.304493]        __kmalloc+0x6d/0x400
[ 28.304494]        tty_buffer_alloc+0xc0/0x270
[ 28.304495]        __tty_buffer_request_room+0x12c/0x290
[ 28.304497]        tty_insert_flip_string_fixed_flag+0x8b/0x210
[ 28.304499]        tty_insert_flip_string_and_push_buffer+0x3e/0x160
[ 28.304500]        pty_write+0xc3/0xf0
[ 28.304501]        tty_put_char+0xfe/0x120
[ 28.304502]        __process_echoes+0x48c/0x8c0
[ 28.304504]        n_tty_receive_buf_common+0x9a3/0x25a0
[ 28.304505]        tty_ioctl+0xe8a/0x1430
[ 28.304506]        do_vfs_ioctl+0x75a/0xff0
[ 28.304507]        SyS_ioctl+0x7f/0xb0
[ 28.304509]        do_syscall_64+0x1d5/0x640
[ 28.304510]        entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.304511]
[ 28.304512] other info that might help us debug this:
[ 28.304513]
[ 28.304514] Chain exists of:
[ 28.304514]   console_owner --> &port_lock_key --> &(&port->lock)->rlock
[ 28.304520]
[ 28.304521]  Possible unsafe locking scenario:
[ 28.304522]
[ 28.304523]        CPU0                    CPU1
[ 28.304524]        ----                    ----
[ 28.304525]   lock(&(&port->lock)->rlock);
[ 28.304528]                                lock(&port_lock_key);
[ 28.304531]                                lock(&(&port->lock)->rlock);
[ 28.304533]   lock(console_owner);
[ 28.304535]
[ 28.304536]  *** DEADLOCK ***
[ 28.304537]
[ 28.304538] 6 locks held by syz-executor400/7999:
[ 28.304539]  #0: (&tty->ldisc_sem){++++}, at: [] tty_ldisc_ref_wait+0x22/0x80
[ 28.304543]  #1: (&port->buf.lock/1){+.+.}, at: [] tty_ioctl+0xe20/0x1430
[ 28.304548]  #2: (&o_tty->termios_rwsem/1){++++}, at: [] isig+0x36d/0x420
[ 28.304553]  #3: (&ldata->output_lock){+.+.}, at: [] n_tty_receive_buf_common+0x965/0x25a0
[ 28.304558]  #4: (&(&port->lock)->rlock){-.-.}, at: [] tty_insert_flip_string_and_push_buffer+0x2b/0x160
[ 28.304563]  #5: (console_lock){+.+.}, at: [] vprintk_func+0x58/0x160
[ 28.304567]
[ 28.304568] stack backtrace:
[ 28.304570] CPU: 1 PID: 7999 Comm: syz-executor400 Not tainted 4.14.302-syzkaller #0
[ 28.304573] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 28.304574] Call Trace:
[ 28.304575]  dump_stack+0x1b2/0x281
[ 28.304576]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 28.304578]  __lock_acquire+0x2e0e/0x3f20
[ 28.304579]  ? trace_hardirqs_on+0x10/0x10
[ 28.304580]  ? snprintf+0xd0/0xd0
[ 28.304581]  ? console_unlock+0x34a/0xf20
[ 28.304582]  lock_acquire+0x170/0x3f0
[ 28.304584]  ? console_unlock+0x307/0xf20
[ 28.304585]  console_unlock+0x36f/0xf20
[ 28.304586]  ? console_unlock+0x307/0xf20
[ 28.304587]  vprintk_emit+0x224/0x620
[ 28.304588]  vprintk_func+0x58/0x160
[ 28.304589]  printk+0x9e/0xbc
[ 28.304591]  ? log_store.cold+0x16/0x16
[ 28.304592]  ? ___ratelimit+0x2b5/0x510
[ 28.304593]  should_fail.cold+0xdf/0x149
[ 28.304594]  ? commit_echoes+0x4c/0x1e0
[ 28.304595]  should_failslab+0xd6/0x130
[ 28.304596]  __kmalloc+0x6d/0x400
[ 28.304598]  ? tty_buffer_alloc+0xc0/0x270
[ 28.304599]  tty_buffer_alloc+0xc0/0x270
[ 28.304600]  __tty_buffer_request_room+0x12c/0x290
[ 28.304602]  tty_insert_flip_string_fixed_flag+0x8b/0x210
[ 28.304603]  tty_insert_flip_string_and_push_buffer+0x3e/0x160
[ 28.304604]  pty_write+0xc3/0xf0
[ 28.304606]  ? commit_echoes+0x108/0x1e0
[ 28.304607]  tty_put_char+0xfe/0x120
[ 28.304608]  ? dev_match_devt+0x80/0x80
[ 28.304609]  ? pty_write_room+0xa9/0xd0
[ 28.304610]  ? ptmx_open+0x300/0x300
[ 28.304611]  __process_echoes+0x48c/0x8c0
[ 28.304613]  n_tty_receive_buf_common+0x9a3/0x25a0
[ 28.304614]  ? n_tty_receive_buf2+0x40/0x40
[ 28.304615]  tty_ioctl+0xe8a/0x1430
[ 28.304616]  ? tty_fasync+0x2c0/0x2c0
[ 28.304618]  ? proc_fail_nth_write+0x7b/0x180
[ 28.304619]  ? trace_hardirqs_on+0x10/0x10
[ 28.304620]  ? fsnotify+0x974/0x11b0
[ 28.304621]  ? proc_tgid_io_accounting+0x7a0/0x7a0
[ 28.304623]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 28.304624]  ? SyS_write+0x1b7/0x210
[ 28.304625]  ? tty_fasync+0x2c0/0x2c0
[ 28.304626]  do_vfs_ioctl+0x75a/0xff0
[ 28.304627]  ? lock_acquire+0x170/0x3f0
[ 28.304629]  ? ioctl_preallocate+0x1a0/0x1a0
[ 28.304630]  ? __fget+0x265/0x3e0
[ 28.304631]  ? do_vfs_ioctl+0xff0/0xff0
[ 28.304632]  ? security_file_ioctl+0x83/0xb0
[ 28.304633]  SyS_ioctl+0x7f/0xb0
[ 28.304635]  ? do_vfs_ioctl+0xff0/0xff0
[ 28.304636]  do_syscall_64+0x1d5/0x640
[ 28.304637]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.304638] RIP: 0033:0x7f9ec00749d9
[ 28.304640] RSP: 002b:00007f9ec0005268 EFLAGS: 00000246 ORIG_RAX: