========================================================
WARNING: possible irq lock inversion dependency detected
5.14.0-rc1-syzkaller #0 Not tainted
--------------------------------------------------------
syz-executor.5/15365 just changed the state of lock:
ffff88802f636168 (&new->fa_lock){.+..}-{2:2}, at: kill_fasync_rcu fs/fcntl.c:1012 [inline]
ffff88802f636168 (&new->fa_lock){.+..}-{2:2}, at: kill_fasync fs/fcntl.c:1033 [inline]
ffff88802f636168 (&new->fa_lock){.+..}-{2:2}, at: kill_fasync+0x132/0x460 fs/fcntl.c:1026
but this lock was taken by another, HARDIRQ-safe lock in the past:
(&dev->event_lock){-...}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Chain exists of:
&dev->event_lock --> &client->buffer_lock --> &new->fa_lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&new->fa_lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&client->buffer_lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***
2 locks held by syz-executor.5/15365:
#0: ffffffff90291698 (&fsnotify_mark_srcu){....}-{0:0}, at: fsnotify+0x2ed/0x1050 fs/notify/fsnotify.c:515
#1: ffffffff8b97b900 (rcu_read_lock){....}-{1:2}, at: kill_fasync+0x3d/0x460 fs/fcntl.c:1031
the shortest dependencies between 2nd lock and 1st lock:
-> (&dev->event_lock){-...}-{2:2} {
IN-HARDIRQ-W at:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:159
input_event drivers/input/input.c:445 [inline]
input_event+0x7b/0xb0 drivers/input/input.c:438
input_report_key include/linux/input.h:425 [inline]
psmouse_report_standard_buttons+0x2c/0x80 drivers/input/mouse/psmouse-base.c:123
psmouse_report_standard_packet drivers/input/mouse/psmouse-base.c:141 [inline]
psmouse_process_byte+0x1e1/0x890 drivers/input/mouse/psmouse-base.c:232
psmouse_handle_byte+0x41/0x1b0 drivers/input/mouse/psmouse-base.c:274
psmouse_interrupt+0x304/0xf00 drivers/input/mouse/psmouse-base.c:426
serio_interrupt+0x88/0x150 drivers/input/serio/serio.c:1002
i8042_interrupt+0x27a/0x520 drivers/input/serio/i8042.c:602
__handle_irq_event_percpu+0x303/0x8f0 kernel/irq/handle.c:156
handle_irq_event_percpu kernel/irq/handle.c:196 [inline]
handle_irq_event+0x102/0x280 kernel/irq/handle.c:213
handle_edge_irq+0x25f/0xd00 kernel/irq/chip.c:819
generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
handle_irq arch/x86/kernel/irq.c:231 [inline]
__common_interrupt+0x9d/0x210 arch/x86/kernel/irq.c:250
common_interrupt+0x9f/0xd0 arch/x86/kernel/irq.c:240
asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:191
spin_unlock_irqrestore include/linux/spinlock.h:409 [inline]
i8042_command+0x12e/0x150 drivers/input/serio/i8042.c:352
i8042_aux_write+0xd7/0x120 drivers/input/serio/i8042.c:387
serio_write include/linux/serio.h:125 [inline]
ps2_do_sendbyte+0x2cf/0x710 drivers/input/serio/libps2.c:40
ps2_sendbyte+0x58/0x150 drivers/input/serio/libps2.c:92
cypress_ps2_sendbyte+0x2e/0x160 drivers/input/mouse/cypress_ps2.c:42
cypress_ps2_read_cmd_status drivers/input/mouse/cypress_ps2.c:116 [inline]
cypress_send_ext_cmd+0x1d0/0x8e0 drivers/input/mouse/cypress_ps2.c:189
cypress_detect+0x75/0x190 drivers/input/mouse/cypress_ps2.c:205
psmouse_do_detect drivers/input/mouse/psmouse-base.c:1009 [inline]
psmouse_try_protocol+0x211/0x370 drivers/input/mouse/psmouse-base.c:1023
psmouse_extensions+0x557/0x930 drivers/input/mouse/psmouse-base.c:1146
psmouse_switch_protocol+0x52a/0x740 drivers/input/mouse/psmouse-base.c:1542
psmouse_connect+0x5e9/0xfd0 drivers/input/mouse/psmouse-base.c:1632
serio_connect_driver drivers/input/serio/serio.c:47 [inline]
serio_driver_probe+0x72/0xa0 drivers/input/serio/serio.c:778
call_driver_probe drivers/base/dd.c:517 [inline]
really_probe+0x23c/0xcd0 drivers/base/dd.c:595
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
__driver_attach+0x22d/0x4e0 drivers/base/dd.c:1136
bus_for_each_dev+0x147/0x1d0 drivers/base/bus.c:301
serio_attach_driver drivers/input/serio/serio.c:808 [inline]
serio_handle_event+0x5f6/0xa30 drivers/input/serio/serio.c:227
process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
INITIAL USE at:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:159
input_inject_event+0xa6/0x320 drivers/input/input.c:471
__led_set_brightness drivers/leds/led-core.c:47 [inline]
led_set_brightness_nopm drivers/leds/led-core.c:271 [inline]
led_set_brightness_nosleep+0xe6/0x1a0 drivers/leds/led-core.c:287
led_set_brightness+0x134/0x170 drivers/leds/led-core.c:264
led_trigger_event drivers/leds/led-triggers.c:388 [inline]
led_trigger_event+0x75/0xd0 drivers/leds/led-triggers.c:377
kbd_led_trigger_activate+0xc9/0x100 drivers/tty/vt/keyboard.c:1029
led_trigger_set+0x61e/0xbd0 drivers/leds/led-triggers.c:195
led_trigger_set_default drivers/leds/led-triggers.c:259 [inline]
led_trigger_set_default+0x1a6/0x230 drivers/leds/led-triggers.c:246
led_classdev_register_ext+0x5b1/0x7c0 drivers/leds/led-class.c:412
led_classdev_register include/linux/leds.h:190 [inline]
input_leds_connect+0x4bd/0x860 drivers/input/input-leds.c:139
input_attach_handler+0x180/0x1f0 drivers/input/input.c:1035
input_register_device.cold+0xf0/0x304 drivers/input/input.c:2335
atkbd_connect+0x739/0xa00 drivers/input/keyboard/atkbd.c:1293
serio_connect_driver drivers/input/serio/serio.c:47 [inline]
serio_driver_probe+0x72/0xa0 drivers/input/serio/serio.c:778
call_driver_probe drivers/base/dd.c:517 [inline]
really_probe+0x23c/0xcd0 drivers/base/dd.c:595
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
__driver_attach+0x22d/0x4e0 drivers/base/dd.c:1136
bus_for_each_dev+0x147/0x1d0 drivers/base/bus.c:301
serio_attach_driver drivers/input/serio/serio.c:808 [inline]
serio_handle_event+0x5f6/0xa30 drivers/input/serio/serio.c:227
process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
}
... key at: [<ffffffff905340a0>] __key.8+0x0/0x40
... acquired at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:354 [inline]
evdev_pass_values.part.0+0xf6/0x970 drivers/input/evdev.c:261
evdev_pass_values drivers/input/evdev.c:253 [inline]
evdev_events+0x359/0x3e0 drivers/input/evdev.c:306
input_to_handler+0x2a0/0x4c0 drivers/input/input.c:115
input_pass_values.part.0+0x230/0x710 drivers/input/input.c:145
input_pass_values drivers/input/input.c:134 [inline]
input_handle_event+0x373/0x1440 drivers/input/input.c:404
input_inject_event+0x1bd/0x320 drivers/input/input.c:476
evdev_write+0x430/0x760 drivers/input/evdev.c:530
vfs_write+0x28e/0xa40 fs/read_write.c:603
ksys_write+0x1ee/0x250 fs/read_write.c:658
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
-> (&client->buffer_lock){....}-{2:2} {
INITIAL USE at:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0x32/0x50 kernel/locking/spinlock.c:167
spin_lock_irq include/linux/spinlock.h:379 [inline]
evdev_fetch_next_event drivers/input/evdev.c:545 [inline]
evdev_read+0x402/0xe40 drivers/input/evdev.c:586
do_loop_readv_writev fs/read_write.c:761 [inline]
do_loop_readv_writev fs/read_write.c:748 [inline]
do_iter_read+0x48e/0x6e0 fs/read_write.c:803
vfs_readv+0xe5/0x150 fs/read_write.c:921
do_readv+0x27f/0x300 fs/read_write.c:958
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
}
... key at: [<ffffffff90534520>] __key.4+0x0/0x40
... acquired at:
__raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
_raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223
kill_fasync_rcu fs/fcntl.c:1012 [inline]
kill_fasync fs/fcntl.c:1033 [inline]
kill_fasync+0x132/0x460 fs/fcntl.c:1026
__pass_event drivers/input/evdev.c:240 [inline]
evdev_pass_values.part.0+0x64e/0x970 drivers/input/evdev.c:278
evdev_pass_values drivers/input/evdev.c:253 [inline]
evdev_events+0x359/0x3e0 drivers/input/evdev.c:306
input_to_handler+0x2a0/0x4c0 drivers/input/input.c:115
input_pass_values.part.0+0x230/0x710 drivers/input/input.c:145
input_pass_values drivers/input/input.c:134 [inline]
input_handle_event+0x373/0x1440 drivers/input/input.c:404
input_inject_event+0x1bd/0x320 drivers/input/input.c:476
evdev_write+0x430/0x760 drivers/input/evdev.c:530
vfs_write+0x28e/0xa40 fs/read_write.c:603
ksys_write+0x1ee/0x250 fs/read_write.c:658
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
-> (&new->fa_lock){.+..}-{2:2} {
HARDIRQ-ON-R at:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
_raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223
kill_fasync_rcu fs/fcntl.c:1012 [inline]
kill_fasync fs/fcntl.c:1033 [inline]
kill_fasync+0x132/0x460 fs/fcntl.c:1026
fsnotify_add_event+0x3ba/0x500 fs/notify/notification.c:128
inotify_handle_inode_event+0x31b/0x5c0 fs/notify/inotify/inotify_fsnotify.c:119
fsnotify_handle_inode_event.isra.0+0x1b8/0x270 fs/notify/fsnotify.c:263
fsnotify_handle_event fs/notify/fsnotify.c:310 [inline]
send_to_group fs/notify/fsnotify.c:364 [inline]
fsnotify+0xc27/0x1050 fs/notify/fsnotify.c:541
fsnotify_parent include/linux/fsnotify.h:71 [inline]
fsnotify_file include/linux/fsnotify.h:90 [inline]
fsnotify_open include/linux/fsnotify.h:268 [inline]
do_sys_openat2+0x3a3/0x420 fs/open.c:1209
do_sys_open fs/open.c:1220 [inline]
__do_sys_open fs/open.c:1228 [inline]
__se_sys_open fs/open.c:1224 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1224
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
INITIAL USE at:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_write_lock_irq include/linux/rwlock_api_smp.h:196 [inline]
_raw_write_lock_irq+0x32/0x50 kernel/locking/spinlock.c:311
fasync_remove_entry+0xb6/0x1f0 fs/fcntl.c:890
fasync_helper+0x9e/0xb0 fs/fcntl.c:993
__fput+0x712/0x920 fs/file_table.c:277
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
INITIAL READ USE at:
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
_raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223
kill_fasync_rcu fs/fcntl.c:1012 [inline]
kill_fasync fs/fcntl.c:1033 [inline]
kill_fasync+0x132/0x460 fs/fcntl.c:1026
__pass_event drivers/input/evdev.c:240 [inline]
evdev_pass_values.part.0+0x64e/0x970 drivers/input/evdev.c:278
evdev_pass_values drivers/input/evdev.c:253 [inline]
evdev_events+0x359/0x3e0 drivers/input/evdev.c:306
input_to_handler+0x2a0/0x4c0 drivers/input/input.c:115
input_pass_values.part.0+0x230/0x710 drivers/input/input.c:145
input_pass_values drivers/input/input.c:134 [inline]
input_handle_event+0x373/0x1440 drivers/input/input.c:404
input_inject_event+0x1bd/0x320 drivers/input/input.c:476
evdev_write+0x430/0x760 drivers/input/evdev.c:530
vfs_write+0x28e/0xa40 fs/read_write.c:603
ksys_write+0x1ee/0x250 fs/read_write.c:658
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
}
... key at: [<ffffffff9028e080>] __key.0+0x0/0x40
... acquired at:
mark_usage kernel/locking/lockdep.c:4494 [inline]
__lock_acquire+0x123a/0x54a0 kernel/locking/lockdep.c:4969
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
_raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223
kill_fasync_rcu fs/fcntl.c:1012 [inline]
kill_fasync fs/fcntl.c:1033 [inline]
kill_fasync+0x132/0x460 fs/fcntl.c:1026
fsnotify_add_event+0x3ba/0x500 fs/notify/notification.c:128
inotify_handle_inode_event+0x31b/0x5c0 fs/notify/inotify/inotify_fsnotify.c:119
fsnotify_handle_inode_event.isra.0+0x1b8/0x270 fs/notify/fsnotify.c:263
fsnotify_handle_event fs/notify/fsnotify.c:310 [inline]
send_to_group fs/notify/fsnotify.c:364 [inline]
fsnotify+0xc27/0x1050 fs/notify/fsnotify.c:541
fsnotify_parent include/linux/fsnotify.h:71 [inline]
fsnotify_file include/linux/fsnotify.h:90 [inline]
fsnotify_open include/linux/fsnotify.h:268 [inline]
do_sys_openat2+0x3a3/0x420 fs/open.c:1209
do_sys_open fs/open.c:1220 [inline]
__do_sys_open fs/open.c:1228 [inline]
__se_sys_open fs/open.c:1224 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1224
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
stack backtrace:
CPU: 0 PID: 15365 Comm: syz-executor.5 Not tainted 5.14.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
print_irq_inversion_bug kernel/locking/lockdep.c:203 [inline]
check_usage_backwards kernel/locking/lockdep.c:4066 [inline]
mark_lock_irq kernel/locking/lockdep.c:4156 [inline]
mark_lock.cold+0x1d/0x8e kernel/locking/lockdep.c:4593
mark_usage kernel/locking/lockdep.c:4494 [inline]
__lock_acquire+0x123a/0x54a0 kernel/locking/lockdep.c:4969
lock_acquire kernel/locking/lockdep.c:5625 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
__raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
_raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223
kill_fasync_rcu fs/fcntl.c:1012 [inline]
kill_fasync fs/fcntl.c:1033 [inline]
kill_fasync+0x132/0x460 fs/fcntl.c:1026
fsnotify_add_event+0x3ba/0x500 fs/notify/notification.c:128
inotify_handle_inode_event+0x31b/0x5c0 fs/notify/inotify/inotify_fsnotify.c:119
fsnotify_handle_inode_event.isra.0+0x1b8/0x270 fs/notify/fsnotify.c:263
fsnotify_handle_event fs/notify/fsnotify.c:310 [inline]
send_to_group fs/notify/fsnotify.c:364 [inline]
fsnotify+0xc27/0x1050 fs/notify/fsnotify.c:541
fsnotify_parent include/linux/fsnotify.h:71 [inline]
fsnotify_file include/linux/fsnotify.h:90 [inline]
fsnotify_open include/linux/fsnotify.h:268 [inline]
do_sys_openat2+0x3a3/0x420 fs/open.c:1209
do_sys_open fs/open.c:1220 [inline]
__do_sys_open fs/open.c:1228 [inline]
__se_sys_open fs/open.c:1224 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1224
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f729991b188 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
R13: 0000000000a9fb1f R14: 00007f729991b300 R15: 0000000000022000