=====================================================
WARNING: SOFTIRQ-READ-safe -> SOFTIRQ-READ-unsafe lock order detected
6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
-----------------------------------------------------
syz.4.158/7086 [HC0[0]:SC0[8]:HE1:SE0] is trying to acquire:
ffff0000ee9591e0 (&pch->downl){+.+.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff0000ee9591e0 (&pch->downl){+.+.}-{2:2}, at: ppp_connect_channel+0x160/0x570 drivers/net/ppp/ppp_generic.c:3485

and this task is already holding:
ffff0000f29b0e10 (&ppp->rlock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff0000f29b0e10 (&ppp->rlock){+...}-{2:2}, at: ppp_connect_channel+0x154/0x570 drivers/net/ppp/ppp_generic.c:3484
which would create a new lock dependency:
 (&ppp->rlock){+...}-{2:2} -> (&pch->downl){+.+.}-{2:2}

but this new dependency connects a SOFTIRQ-READ-irq-safe lock:
 (&pch->upl){++.-}-{2:2}

... which became SOFTIRQ-READ-irq-safe at:
  lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
  __raw_read_lock_bh include/linux/rwlock_api_smp.h:176 [inline]
  _raw_read_lock_bh+0x54/0x6c kernel/locking/spinlock.c:252
  ppp_input+0x34c/0x854 drivers/net/ppp/ppp_generic.c:2307
  ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495
  tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785
  tasklet_action+0x68/0x8c kernel/softirq.c:811
  handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
  run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
  smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
  kthread+0x288/0x310 kernel/kthread.c:389
  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

to a SOFTIRQ-READ-irq-unsafe lock:
 (&pch->downl){+.+.}-{2:2}

... which became SOFTIRQ-READ-irq-unsafe at:
...
  lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:351 [inline]
  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
  ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
  pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv include/net/sock.h:1111 [inline]
  __release_sock+0x1a8/0x3d8 net/core/sock.c:3004
  release_sock+0x68/0x1b8 net/core/sock.c:3558
  pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  ____sys_sendmsg+0x56c/0x840 net/socket.c:2597
  ___sys_sendmsg net/socket.c:2651 [inline]
  __sys_sendmmsg+0x318/0x7e0 net/socket.c:2737
  __do_sys_sendmmsg net/socket.c:2766 [inline]
  __se_sys_sendmmsg net/socket.c:2763 [inline]
  __arm64_sys_sendmmsg+0xa0/0xbc net/socket.c:2763
  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
  el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

other info that might help us debug this:

Chain exists of:
  &pch->upl --> &ppp->rlock --> &pch->downl

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pch->downl);
                               local_irq_disable();
                               lock(&pch->upl);
                               lock(&ppp->rlock);
  <Interrupt>
    lock(&pch->upl);

 *** DEADLOCK ***

5 locks held by syz.4.158/7086:
 #0: ffff8000914b4048 (ppp_mutex){+.+.}-{3:3}, at: ppp_ioctl+0x118/0x2534 drivers/net/ppp/ppp_generic.c:729
 #1: ffff0000c6ac84c0 (&pn->all_ppp_mutex){+.+.}-{3:3}, at: ppp_connect_channel+0x74/0x570 drivers/net/ppp/ppp_generic.c:3474
 #2: ffff0000ee959248 (&pch->upl){++.-}-{2:2}, at: ppp_connect_channel+0x94/0x570 drivers/net/ppp/ppp_generic.c:3478
 #3: ffff0000f29b0e50 (&ppp->wlock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
 #3: ffff0000f29b0e50 (&ppp->wlock){+...}-{2:2}, at: ppp_connect_channel+0x148/0x570 drivers/net/ppp/ppp_generic.c:3484
 #4: ffff0000f29b0e10 (&ppp->rlock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
 #4: ffff0000f29b0e10 (&ppp->rlock){+...}-{2:2}, at: ppp_connect_channel+0x154/0x570 drivers/net/ppp/ppp_generic.c:3484

the dependencies between SOFTIRQ-READ-irq-safe lock and the holding lock:
 -> (&pch->upl){++.-}-{2:2} {
    HARDIRQ-ON-W at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]
      _raw_write_lock_bh+0x48/0x60 kernel/locking/spinlock.c:334
      ppp_disconnect_channel+0x3c/0x298 drivers/net/ppp/ppp_generic.c:3522
      ppp_unregister_channel+0xa8/0x2ac drivers/net/ppp/ppp_generic.c:2996
      ppp_sync_close+0xe8/0x16c drivers/net/ppp/ppp_synctty.c:236
      tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
      tty_ldisc_kill+0x1b0/0x300 drivers/tty/tty_ldisc.c:613
      tty_ldisc_release+0x190/0x23c drivers/tty/tty_ldisc.c:781
      tty_release_struct+0x34/0xd4 drivers/tty/tty_io.c:1696
      tty_release+0xb64/0x1014 drivers/tty/tty_io.c:1867
      __fput+0x1bc/0x774 fs/file_table.c:422
      ____fput+0x20/0x30 fs/file_table.c:450
      task_work_run+0x230/0x2e0 kernel/task_work.c:228
      resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
      do_notify_resume+0x178/0x1f4 arch/arm64/kernel/entry-common.c:151
      exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
      exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
      el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    HARDIRQ-ON-R at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_read_lock_bh include/linux/rwlock_api_smp.h:176 [inline]
      _raw_read_lock_bh+0x54/0x6c kernel/locking/spinlock.c:252
      ppp_channel_push+0x38/0x208 drivers/net/ppp/ppp_generic.c:2186
      ppp_write+0x2f4/0x438 drivers/net/ppp/ppp_generic.c:540
      vfs_write+0x3c8/0xc80 fs/read_write.c:588
      ksys_write+0x15c/0x26c fs/read_write.c:643
      __do_sys_write fs/read_write.c:655 [inline]
      __se_sys_write fs/read_write.c:652 [inline]
      __arm64_sys_write+0x7c/0x90 fs/read_write.c:652
      __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    IN-SOFTIRQ-R at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_read_lock_bh include/linux/rwlock_api_smp.h:176 [inline]
      _raw_read_lock_bh+0x54/0x6c kernel/locking/spinlock.c:252
      ppp_input+0x34c/0x854 drivers/net/ppp/ppp_generic.c:2307
      ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495
      tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785
      tasklet_action+0x68/0x8c kernel/softirq.c:811
      handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
      run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
      smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
      kthread+0x288/0x310 kernel/kthread.c:389
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    INITIAL USE at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]
      _raw_write_lock_bh+0x48/0x60 kernel/locking/spinlock.c:334
      ppp_disconnect_channel+0x3c/0x298 drivers/net/ppp/ppp_generic.c:3522
      ppp_unregister_channel+0xa8/0x2ac drivers/net/ppp/ppp_generic.c:2996
      ppp_sync_close+0xe8/0x16c drivers/net/ppp/ppp_synctty.c:236
      tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
      tty_ldisc_kill+0x1b0/0x300 drivers/tty/tty_ldisc.c:613
      tty_ldisc_release+0x190/0x23c drivers/tty/tty_ldisc.c:781
      tty_release_struct+0x34/0xd4 drivers/tty/tty_io.c:1696
      tty_release+0xb64/0x1014 drivers/tty/tty_io.c:1867
      __fput+0x1bc/0x774 fs/file_table.c:422
      ____fput+0x20/0x30 fs/file_table.c:450
      task_work_run+0x230/0x2e0 kernel/task_work.c:228
      resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
      do_notify_resume+0x178/0x1f4 arch/arm64/kernel/entry-common.c:151
      exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
      exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
      el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    INITIAL READ USE at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_read_lock_bh include/linux/rwlock_api_smp.h:176 [inline]
      _raw_read_lock_bh+0x54/0x6c kernel/locking/spinlock.c:252
      ppp_channel_push+0x38/0x208 drivers/net/ppp/ppp_generic.c:2186
      ppp_write+0x2f4/0x438 drivers/net/ppp/ppp_generic.c:540
      vfs_write+0x3c8/0xc80 fs/read_write.c:588
      ksys_write+0x15c/0x26c fs/read_write.c:643
      __do_sys_write fs/read_write.c:655 [inline]
      __se_sys_write fs/read_write.c:652 [inline]
      __arm64_sys_write+0x7c/0x90 fs/read_write.c:652
      __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
  }
  ... key at: [] ppp_register_net_channel.__key.3+0x0/0x20
 -> (&ppp->wlock){+...}-{2:2} {
    HARDIRQ-ON-W at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
      _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
      spin_lock_bh include/linux/spinlock.h:356 [inline]
      ppp_get_stats64+0xbc/0x268 drivers/net/ppp/ppp_generic.c:1539
      dev_get_stats+0xac/0x6a4 net/core/dev.c:10894
      rtnl_fill_stats+0x50/0x7c0 net/core/rtnetlink.c:1268
      rtnl_fill_ifinfo+0x1504/0x1dc0 net/core/rtnetlink.c:1909
      rtmsg_ifinfo_build_skb+0x178/0x25c net/core/rtnetlink.c:4079
      rtmsg_ifinfo_event net/core/rtnetlink.c:4113 [inline]
      rtmsg_ifinfo+0xa0/0x188 net/core/rtnetlink.c:4122
      register_netdevice+0xea4/0x11a8 net/core/dev.c:10491
      ppp_unit_register drivers/net/ppp/ppp_generic.c:1219 [inline]
      ppp_dev_configure+0x6c4/0x944 drivers/net/ppp/ppp_generic.c:1275
      ppp_create_interface drivers/net/ppp/ppp_generic.c:3348 [inline]
      ppp_unattached_ioctl drivers/net/ppp/ppp_generic.c:1060 [inline]
      ppp_ioctl+0x9d0/0x2534 drivers/net/ppp/ppp_generic.c:733
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:907 [inline]
      __se_sys_ioctl fs/ioctl.c:893 [inline]
      __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
      __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    INITIAL USE at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
      _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
      spin_lock_bh include/linux/spinlock.h:356 [inline]
      ppp_get_stats64+0xbc/0x268 drivers/net/ppp/ppp_generic.c:1539
      dev_get_stats+0xac/0x6a4 net/core/dev.c:10894
      rtnl_fill_stats+0x50/0x7c0 net/core/rtnetlink.c:1268
      rtnl_fill_ifinfo+0x1504/0x1dc0 net/core/rtnetlink.c:1909
      rtmsg_ifinfo_build_skb+0x178/0x25c net/core/rtnetlink.c:4079
      rtmsg_ifinfo_event net/core/rtnetlink.c:4113 [inline]
      rtmsg_ifinfo+0xa0/0x188 net/core/rtnetlink.c:4122
      register_netdevice+0xea4/0x11a8 net/core/dev.c:10491
      ppp_unit_register drivers/net/ppp/ppp_generic.c:1219 [inline]
      ppp_dev_configure+0x6c4/0x944 drivers/net/ppp/ppp_generic.c:1275
      ppp_create_interface drivers/net/ppp/ppp_generic.c:3348 [inline]
      ppp_unattached_ioctl drivers/net/ppp/ppp_generic.c:1060 [inline]
      ppp_ioctl+0x9d0/0x2534 drivers/net/ppp/ppp_generic.c:733
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:907 [inline]
      __se_sys_ioctl fs/ioctl.c:893 [inline]
      __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
      __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
  }
  ... key at: [] ppp_dev_configure.__key.68+0x0/0x20
  ... acquired at:
    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
    _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
    spin_lock_bh include/linux/spinlock.h:356 [inline]
    ppp_connect_channel+0x148/0x570 drivers/net/ppp/ppp_generic.c:3484
    ppp_ioctl+0x1424/0x2534 drivers/net/ppp/ppp_generic.c:761
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:907 [inline]
    __se_sys_ioctl fs/ioctl.c:893 [inline]
    __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
    __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
    invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
    el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
    do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
    el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
    el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
    el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

 -> (&ppp->rlock){+...}-{2:2} {
    HARDIRQ-ON-W at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
      _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
      spin_lock_bh include/linux/spinlock.h:356 [inline]
      ppp_get_stats64+0x3c/0x268 drivers/net/ppp/ppp_generic.c:1534
      dev_get_stats+0xac/0x6a4 net/core/dev.c:10894
      rtnl_fill_stats+0x50/0x7c0 net/core/rtnetlink.c:1268
      rtnl_fill_ifinfo+0x1504/0x1dc0 net/core/rtnetlink.c:1909
      rtmsg_ifinfo_build_skb+0x178/0x25c net/core/rtnetlink.c:4079
      rtmsg_ifinfo_event net/core/rtnetlink.c:4113 [inline]
      rtmsg_ifinfo+0xa0/0x188 net/core/rtnetlink.c:4122
      register_netdevice+0xea4/0x11a8 net/core/dev.c:10491
      ppp_unit_register drivers/net/ppp/ppp_generic.c:1219 [inline]
      ppp_dev_configure+0x6c4/0x944 drivers/net/ppp/ppp_generic.c:1275
      ppp_create_interface drivers/net/ppp/ppp_generic.c:3348 [inline]
      ppp_unattached_ioctl drivers/net/ppp/ppp_generic.c:1060 [inline]
      ppp_ioctl+0x9d0/0x2534 drivers/net/ppp/ppp_generic.c:733
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:907 [inline]
      __se_sys_ioctl fs/ioctl.c:893 [inline]
      __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
      __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    INITIAL USE at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
      _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
      spin_lock_bh include/linux/spinlock.h:356 [inline]
      ppp_get_stats64+0x3c/0x268 drivers/net/ppp/ppp_generic.c:1534
      dev_get_stats+0xac/0x6a4 net/core/dev.c:10894
      rtnl_fill_stats+0x50/0x7c0 net/core/rtnetlink.c:1268
      rtnl_fill_ifinfo+0x1504/0x1dc0 net/core/rtnetlink.c:1909
      rtmsg_ifinfo_build_skb+0x178/0x25c net/core/rtnetlink.c:4079
      rtmsg_ifinfo_event net/core/rtnetlink.c:4113 [inline]
      rtmsg_ifinfo+0xa0/0x188 net/core/rtnetlink.c:4122
      register_netdevice+0xea4/0x11a8 net/core/dev.c:10491
      ppp_unit_register drivers/net/ppp/ppp_generic.c:1219 [inline]
      ppp_dev_configure+0x6c4/0x944 drivers/net/ppp/ppp_generic.c:1275
      ppp_create_interface drivers/net/ppp/ppp_generic.c:3348 [inline]
      ppp_unattached_ioctl drivers/net/ppp/ppp_generic.c:1060 [inline]
      ppp_ioctl+0x9d0/0x2534 drivers/net/ppp/ppp_generic.c:733
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:907 [inline]
      __se_sys_ioctl fs/ioctl.c:893 [inline]
      __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
      __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
  }
  ... key at: [] ppp_dev_configure.__key+0x0/0x20
  ... acquired at:
    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
    _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
    spin_lock_bh include/linux/spinlock.h:356 [inline]
    ppp_ioctl+0x1988/0x2534 drivers/net/ppp/ppp_generic.c:900
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:907 [inline]
    __se_sys_ioctl fs/ioctl.c:893 [inline]
    __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
    __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
    invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
    el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
    do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
    el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
    el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
    el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

the dependencies between the lock to be acquired and SOFTIRQ-READ-irq-unsafe lock:
 -> (&pch->downl){+.+.}-{2:2} {
    HARDIRQ-ON-W at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
      _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
      spin_lock_bh include/linux/spinlock.h:356 [inline]
      ppp_unregister_channel+0x78/0x2ac drivers/net/ppp/ppp_generic.c:2992
      ppp_sync_close+0xe8/0x16c drivers/net/ppp/ppp_synctty.c:236
      tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
      tty_ldisc_kill+0x1b0/0x300 drivers/tty/tty_ldisc.c:613
      tty_ldisc_release+0x190/0x23c drivers/tty/tty_ldisc.c:781
      tty_release_struct+0x34/0xd4 drivers/tty/tty_io.c:1696
      tty_release+0xb64/0x1014 drivers/tty/tty_io.c:1867
      __fput+0x1bc/0x774 fs/file_table.c:422
      ____fput+0x20/0x30 fs/file_table.c:450
      task_work_run+0x230/0x2e0 kernel/task_work.c:228
      resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
      do_notify_resume+0x178/0x1f4 arch/arm64/kernel/entry-common.c:151
      exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
      exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
      el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    SOFTIRQ-ON-W at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
      _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
      spin_lock include/linux/spinlock.h:351 [inline]
      ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
      ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
      pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
      sk_backlog_rcv include/net/sock.h:1111 [inline]
      __release_sock+0x1a8/0x3d8 net/core/sock.c:3004
      release_sock+0x68/0x1b8 net/core/sock.c:3558
      pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg net/socket.c:745 [inline]
      ____sys_sendmsg+0x56c/0x840 net/socket.c:2597
      ___sys_sendmsg net/socket.c:2651 [inline]
      __sys_sendmmsg+0x318/0x7e0 net/socket.c:2737
      __do_sys_sendmmsg net/socket.c:2766 [inline]
      __se_sys_sendmmsg net/socket.c:2763 [inline]
      __arm64_sys_sendmmsg+0xa0/0xbc net/socket.c:2763
      __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    INITIAL USE at:
      lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
      __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
      _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
      spin_lock_bh include/linux/spinlock.h:356 [inline]
      ppp_unregister_channel+0x78/0x2ac drivers/net/ppp/ppp_generic.c:2992
      ppp_sync_close+0xe8/0x16c drivers/net/ppp/ppp_synctty.c:236
      tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
      tty_ldisc_kill+0x1b0/0x300 drivers/tty/tty_ldisc.c:613
      tty_ldisc_release+0x190/0x23c drivers/tty/tty_ldisc.c:781
      tty_release_struct+0x34/0xd4 drivers/tty/tty_io.c:1696
      tty_release+0xb64/0x1014 drivers/tty/tty_io.c:1867
      __fput+0x1bc/0x774 fs/file_table.c:422
      ____fput+0x20/0x30 fs/file_table.c:450
      task_work_run+0x230/0x2e0 kernel/task_work.c:228
      resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
      do_notify_resume+0x178/0x1f4 arch/arm64/kernel/entry-common.c:151
      exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
      exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
      el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
  }
  ... key at: [] ppp_register_net_channel.__key.1+0x0/0x20
  ... acquired at:
    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
    _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
    spin_lock_bh include/linux/spinlock.h:356 [inline]
    ppp_connect_channel+0x160/0x570 drivers/net/ppp/ppp_generic.c:3485
    ppp_ioctl+0x1424/0x2534 drivers/net/ppp/ppp_generic.c:761
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:907 [inline]
    __se_sys_ioctl fs/ioctl.c:893 [inline]
    __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
    __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
    invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
    el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
    do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
    el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
    el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
    el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

stack backtrace:
CPU: 0 UID: 0 PID: 7086 Comm: syz.4.158 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
 dump_stack+0x1c/0x28 lib/dump_stack.c:128
 __lock_acquire+0x1c98/0x779c
 lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x48/0x60 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 ppp_connect_channel+0x160/0x570 drivers/net/ppp/ppp_generic.c:3485
 ppp_ioctl+0x1424/0x2534 drivers/net/ppp/ppp_generic.c:761
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598