===================================================== WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected 6.10.0-rc5-syzkaller-00155-g66e55ff12e73 #0 Not tainted ----------------------------------------------------- syz.3.3669/13994 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: ffff88802748d168 (&new->fa_lock){...-}-{2:2}, at: kill_fasync_rcu fs/fcntl.c:1028 [inline] ffff88802748d168 (&new->fa_lock){...-}-{2:2}, at: kill_fasync fs/fcntl.c:1049 [inline] ffff88802748d168 (&new->fa_lock){...-}-{2:2}, at: kill_fasync+0x138/0x4f0 fs/fcntl.c:1042 and this task is already holding: ffff8880577b8028 (&client->buffer_lock){-.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffff8880577b8028 (&client->buffer_lock){-.-.}-{2:2}, at: evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261 which would create a new lock dependency: (&client->buffer_lock){-.-.}-{2:2} -> (&new->fa_lock){...-}-{2:2} but this new dependency connects a HARDIRQ-irq-safe lock: (&client->buffer_lock){-.-.}-{2:2} ... which became HARDIRQ-irq-safe at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261 evdev_events+0x1b7/0x390 drivers/input/evdev.c:306 input_to_handler+0x2a1/0x4d0 drivers/input/input.c:129 input_pass_values+0x5c9/0x840 drivers/input/input.c:161 input_event_dispose+0x508/0x630 drivers/input/input.c:389 input_handle_event+0x11c/0xd80 drivers/input/input.c:406 input_event drivers/input/input.c:435 [inline] input_event+0x83/0xa0 drivers/input/input.c:427 hidinput_hid_event+0xa12/0x2410 drivers/hid/hid-input.c:1746 hid_process_event+0x4b7/0x5e0 drivers/hid/hid-core.c:1540 hid_process_report drivers/hid/hid-core.c:1688 [inline] hid_report_raw_event+0x96b/0x11c0 drivers/hid/hid-core.c:2015 hid_input_report+0x345/0x440 drivers/hid/hid-core.c:2089 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:284 __usb_hcd_giveback_urb+0x466/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x13f6/0x3530 drivers/usb/gadget/udc/dummy_hcd.c:1987 __run_hrtimer kernel/time/hrtimer.c:1687 [inline] __hrtimer_run_queues+0x20c/0xcc0 kernel/time/hrtimer.c:1751 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1813 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline] __sysvec_apic_timer_interrupt+0x10f/0x450 arch/x86/kernel/apic/apic.c:1049 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:160 [inline] _raw_spin_unlock_irq+0x29/0x50 kernel/locking/spinlock.c:202 spin_unlock_irq include/linux/spinlock.h:401 [inline] get_signal+0x1dc9/0x2670 kernel/signal.c:2912 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x14a/0x2a0 kernel/entry/common.c:218 do_int80_emulation+0x111/0x200 arch/x86/entry/common.c:256 asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:626 to a HARDIRQ-irq-unsafe lock: (tasklist_lock){.+.+}-{2:2} ... which became HARDIRQ-irq-unsafe at: ... lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 __do_wait+0x105/0x890 kernel/exit.c:1583 do_wait+0x219/0x570 kernel/exit.c:1627 kernel_wait+0xa0/0x160 kernel/exit.c:1803 call_usermodehelper_exec_sync kernel/umh.c:137 [inline] call_usermodehelper_exec_work+0xf1/0x170 kernel/umh.c:164 process_one_work+0x958/0x1ad0 kernel/workqueue.c:3248 process_scheduled_works kernel/workqueue.c:3329 [inline] worker_thread+0x6c8/0xf30 kernel/workqueue.c:3409 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 other info that might help us debug this: Chain exists of: &client->buffer_lock --> &new->fa_lock --> tasklist_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist_lock); local_irq_disable(); lock(&client->buffer_lock); lock(&new->fa_lock); lock(&client->buffer_lock); *** DEADLOCK *** 7 locks held by syz.3.3669/13994: #0: ffff88801daed110 (&evdev->mutex){+.+.}-{3:3}, at: evdev_write+0x1ff/0x750 drivers/input/evdev.c:513 #1: ffff88801927e230 (&dev->event_lock#2){-.-.}-{2:2}, at: input_inject_event+0xa4/0x370 drivers/input/input.c:460 #2: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #2: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #2: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: input_inject_event+0xca/0x370 drivers/input/input.c:462 #3: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #3: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #3: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: input_pass_values+0xb2/0x840 drivers/input/input.c:153 #4: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #4: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #4: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: evdev_events+0x87/0x390 drivers/input/evdev.c:298 #5: ffff8880577b8028 (&client->buffer_lock){-.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] #5: ffff8880577b8028 (&client->buffer_lock){-.-.}-{2:2}, at: evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261 #6: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #6: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #6: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: kill_fasync fs/fcntl.c:1048 [inline] #6: ffffffff8dbb5160 (rcu_read_lock){....}-{1:2}, at: kill_fasync+0x6d/0x4f0 fs/fcntl.c:1042 the dependencies between HARDIRQ-irq-safe lock and the holding lock: -> (&client->buffer_lock){-.-.}-{2:2} { IN-HARDIRQ-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261 evdev_events+0x1b7/0x390 drivers/input/evdev.c:306 input_to_handler+0x2a1/0x4d0 drivers/input/input.c:129 input_pass_values+0x5c9/0x840 drivers/input/input.c:161 input_event_dispose+0x508/0x630 drivers/input/input.c:389 input_handle_event+0x11c/0xd80 drivers/input/input.c:406 input_event drivers/input/input.c:435 [inline] input_event+0x83/0xa0 drivers/input/input.c:427 hidinput_hid_event+0xa12/0x2410 drivers/hid/hid-input.c:1746 hid_process_event+0x4b7/0x5e0 drivers/hid/hid-core.c:1540 hid_process_report drivers/hid/hid-core.c:1688 [inline] hid_report_raw_event+0x96b/0x11c0 drivers/hid/hid-core.c:2015 hid_input_report+0x345/0x440 drivers/hid/hid-core.c:2089 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:284 __usb_hcd_giveback_urb+0x466/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x13f6/0x3530 drivers/usb/gadget/udc/dummy_hcd.c:1987 __run_hrtimer kernel/time/hrtimer.c:1687 [inline] __hrtimer_run_queues+0x20c/0xcc0 kernel/time/hrtimer.c:1751 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1813 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline] __sysvec_apic_timer_interrupt+0x10f/0x450 arch/x86/kernel/apic/apic.c:1049 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:160 [inline] _raw_spin_unlock_irq+0x29/0x50 kernel/locking/spinlock.c:202 spin_unlock_irq include/linux/spinlock.h:401 [inline] get_signal+0x1dc9/0x2670 kernel/signal.c:2912 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x14a/0x2a0 kernel/entry/common.c:218 do_int80_emulation+0x111/0x200 arch/x86/entry/common.c:256 asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:626 IN-SOFTIRQ-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261 evdev_events+0x1b7/0x390 drivers/input/evdev.c:306 input_to_handler+0x2a1/0x4d0 drivers/input/input.c:129 input_pass_values+0x5c9/0x840 drivers/input/input.c:161 input_event_dispose+0x508/0x630 drivers/input/input.c:389 input_handle_event+0x11c/0xd80 drivers/input/input.c:406 input_event drivers/input/input.c:435 [inline] input_event+0x83/0xa0 drivers/input/input.c:427 hidinput_hid_event+0xa12/0x2410 drivers/hid/hid-input.c:1746 hid_process_event+0x4b7/0x5e0 drivers/hid/hid-core.c:1540 hid_process_report drivers/hid/hid-core.c:1688 [inline] hid_report_raw_event+0x96b/0x11c0 drivers/hid/hid-core.c:2015 hid_input_report+0x345/0x440 drivers/hid/hid-core.c:2089 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:284 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x13f6/0x3530 drivers/usb/gadget/udc/dummy_hcd.c:1987 __run_hrtimer kernel/time/hrtimer.c:1687 [inline] __hrtimer_run_queues+0x20c/0xcc0 kernel/time/hrtimer.c:1751 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1813 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline] __sysvec_apic_timer_interrupt+0x10f/0x450 arch/x86/kernel/apic/apic.c:1049 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x43/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] _raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194 call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [inline] __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417 __run_timer_base kernel/time/timer.c:2428 [inline] __run_timer_base kernel/time/timer.c:2421 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2437 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:637 [inline] irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:160 [inline] _raw_spin_unlock_irq+0x29/0x50 kernel/locking/spinlock.c:202 spin_unlock_irq include/linux/spinlock.h:401 [inline] get_signal+0x1dc9/0x2670 kernel/signal.c:2912 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x14a/0x2a0 kernel/entry/common.c:218 do_int80_emulation+0x111/0x200 arch/x86/entry/common.c:256 asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:626 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 evdev_set_clk_type drivers/input/evdev.c:201 [inline] evdev_do_ioctl+0xada/0x1ae0 drivers/input/evdev.c:1126 evdev_ioctl_handler drivers/input/evdev.c:1272 [inline] evdev_ioctl_compat+0x173/0x1a0 drivers/input/evdev.c:1288 __do_compat_sys_ioctl+0x2c3/0x330 fs/ioctl.c:1007 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e } ... key at: [] __key.1+0x0/0x40 the dependencies between the lock to be acquired and HARDIRQ-irq-unsafe lock: -> (tasklist_lock){.+.+}-{2:2} { HARDIRQ-ON-R at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 __do_wait+0x105/0x890 kernel/exit.c:1583 do_wait+0x219/0x570 kernel/exit.c:1627 kernel_wait+0xa0/0x160 kernel/exit.c:1803 call_usermodehelper_exec_sync kernel/umh.c:137 [inline] call_usermodehelper_exec_work+0xf1/0x170 kernel/umh.c:164 process_one_work+0x958/0x1ad0 kernel/workqueue.c:3248 process_scheduled_works kernel/workqueue.c:3329 [inline] worker_thread+0x6c8/0xf30 kernel/workqueue.c:3409 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 SOFTIRQ-ON-R at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 __do_wait+0x105/0x890 kernel/exit.c:1583 do_wait+0x219/0x570 kernel/exit.c:1627 kernel_wait+0xa0/0x160 kernel/exit.c:1803 call_usermodehelper_exec_sync kernel/umh.c:137 [inline] call_usermodehelper_exec_work+0xf1/0x170 kernel/umh.c:164 process_one_work+0x958/0x1ad0 kernel/workqueue.c:3248 process_scheduled_works kernel/workqueue.c:3329 [inline] worker_thread+0x6c8/0xf30 kernel/workqueue.c:3409 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_write_lock_irq include/linux/rwlock_api_smp.h:195 [inline] _raw_write_lock_irq+0x36/0x50 kernel/locking/spinlock.c:326 copy_process+0x4784/0x6f50 kernel/fork.c:2516 kernel_clone+0xfd/0x980 kernel/fork.c:2797 user_mode_thread+0xb4/0xf0 kernel/fork.c:2875 rest_init+0x23/0x2b0 init/main.c:712 start_kernel+0x3df/0x4c0 init/main.c:1103 x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:507 x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:488 common_startup_64+0x13e/0x148 INITIAL READ USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 __do_wait+0x105/0x890 kernel/exit.c:1583 do_wait+0x219/0x570 kernel/exit.c:1627 kernel_wait+0xa0/0x160 kernel/exit.c:1803 call_usermodehelper_exec_sync kernel/umh.c:137 [inline] call_usermodehelper_exec_work+0xf1/0x170 kernel/umh.c:164 process_one_work+0x958/0x1ad0 kernel/workqueue.c:3248 process_scheduled_works kernel/workqueue.c:3329 [inline] worker_thread+0x6c8/0xf30 kernel/workqueue.c:3409 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 } ... key at: [] tasklist_lock+0x18/0x40 ... acquired at: __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 send_sigio+0xb4/0x3c0 fs/fcntl.c:830 kill_fasync_rcu fs/fcntl.c:1035 [inline] kill_fasync fs/fcntl.c:1049 [inline] kill_fasync+0x1f6/0x4f0 fs/fcntl.c:1042 lease_break_callback+0x23/0x30 fs/locks.c:558 __break_lease+0x67c/0x17d0 fs/locks.c:1592 break_lease include/linux/filelock.h:431 [inline] break_lease include/linux/filelock.h:421 [inline] vfs_truncate+0x32e/0x4e0 fs/open.c:105 do_sys_truncate+0x130/0x190 fs/open.c:134 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e -> (&f->f_owner.lock){...-}-{2:2} { IN-SOFTIRQ-R at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline] _raw_read_lock_irqsave+0x46/0x90 kernel/locking/spinlock.c:236 send_sigurg+0x22/0xc30 fs/fcntl.c:855 sk_send_sigurg+0x7a/0x370 net/core/sock.c:3411 tcp_check_urg net/ipv4/tcp_input.c:5801 [inline] tcp_urg+0x343/0xb80 net/ipv4/tcp_input.c:5842 tcp_rcv_established+0x8de/0x21b0 net/ipv4/tcp_input.c:6191 tcp_v6_do_rcv+0x836/0x16f0 net/ipv6/tcp_ipv6.c:1644 tcp_v6_rcv+0x2e54/0x3b10 net/ipv6/tcp_ipv6.c:1916 ip6_protocol_deliver_rcu+0x188/0x1530 net/ipv6/ip6_input.c:438 ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip6_input+0xa1/0xd0 net/ipv6/ip6_input.c:492 dst_input include/net/dst.h:460 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ipv6_rcv+0x265/0x680 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5625 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5739 process_backlog+0x133/0x760 net/core/dev.c:6068 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6722 napi_poll net/core/dev.c:6791 [inline] net_rx_action+0x9b6/0xf10 net/core/dev.c:6907 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 sk_stream_wait_memory+0x65e/0x10e0 net/core/stream.c:145 tcp_sendmsg_locked+0xa7c/0x3550 net/ipv4/tcp.c:1309 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1351 inet6_sendmsg+0xb9/0x140 net/ipv6/af_inet6.c:661 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x371/0x4e0 net/socket.c:2192 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __ia32_sys_sendto+0xdd/0x1b0 net/socket.c:2200 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_write_lock_irq include/linux/rwlock_api_smp.h:195 [inline] _raw_write_lock_irq+0x36/0x50 kernel/locking/spinlock.c:326 f_modown+0x2a/0x380 fs/fcntl.c:93 fcntl_dirnotify+0x8d2/0xdf0 fs/notify/dnotify/dnotify.c:368 do_fcntl+0x310/0x1380 fs/fcntl.c:441 do_compat_fcntl64+0x35d/0x6b0 fs/fcntl.c:696 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e INITIAL READ USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock_irq include/linux/rwlock_api_smp.h:169 [inline] _raw_read_lock_irq+0x67/0x80 kernel/locking/spinlock.c:244 f_getowner_uids fs/fcntl.c:255 [inline] do_fcntl+0x4b7/0x1380 fs/fcntl.c:421 do_compat_fcntl64+0x35d/0x6b0 fs/fcntl.c:696 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e } ... key at: [] __key.2+0x0/0x40 ... acquired at: __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 send_sigio+0x28/0x3c0 fs/fcntl.c:816 kill_fasync_rcu fs/fcntl.c:1035 [inline] kill_fasync fs/fcntl.c:1049 [inline] kill_fasync+0x1f6/0x4f0 fs/fcntl.c:1042 sock_wake_async+0x132/0x160 net/socket.c:1475 sk_wake_async_rcu include/net/sock.h:2443 [inline] sk_wake_async_rcu include/net/sock.h:2440 [inline] sock_def_error_report+0x352/0x400 net/core/sock.c:3340 sk_error_report+0x3e/0x2a0 net/core/sock.c:347 tcp_reset+0x1cb/0x450 net/ipv4/tcp_input.c:4487 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6410 [inline] tcp_rcv_state_process+0x1f8a/0x4f30 net/ipv4/tcp_input.c:6693 tcp_v6_do_rcv+0x42f/0x16f0 net/ipv6/tcp_ipv6.c:1669 sk_backlog_rcv include/net/sock.h:1106 [inline] __release_sock+0x14c/0x400 net/core/sock.c:2983 release_sock+0x5a/0x220 net/core/sock.c:3549 tcp_sendmsg+0x38/0x50 net/ipv4/tcp.c:1352 inet6_sendmsg+0xb9/0x140 net/ipv6/af_inet6.c:661 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x371/0x4e0 net/socket.c:2192 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __ia32_sys_sendto+0xdd/0x1b0 net/socket.c:2200 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e -> (&new->fa_lock){...-}-{2:2} { IN-SOFTIRQ-R at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline] _raw_read_lock_irqsave+0x46/0x90 kernel/locking/spinlock.c:236 kill_fasync_rcu fs/fcntl.c:1028 [inline] kill_fasync fs/fcntl.c:1049 [inline] kill_fasync+0x138/0x4f0 fs/fcntl.c:1042 sock_wake_async+0x132/0x160 net/socket.c:1475 sk_wake_async_rcu include/net/sock.h:2443 [inline] sk_wake_async_rcu include/net/sock.h:2440 [inline] sock_def_readable+0x520/0x610 net/core/sock.c:3355 tcp_urg net/ipv4/tcp_input.c:5856 [inline] tcp_urg+0x656/0xb80 net/ipv4/tcp_input.c:5836 tcp_rcv_established+0x8de/0x21b0 net/ipv4/tcp_input.c:6191 tcp_v6_do_rcv+0x836/0x16f0 net/ipv6/tcp_ipv6.c:1644 tcp_v6_rcv+0x2e54/0x3b10 net/ipv6/tcp_ipv6.c:1916 ip6_protocol_deliver_rcu+0x188/0x1530 net/ipv6/ip6_input.c:438 ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip6_input+0xa1/0xd0 net/ipv6/ip6_input.c:492 dst_input include/net/dst.h:460 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ipv6_rcv+0x265/0x680 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5625 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5739 process_backlog+0x133/0x760 net/core/dev.c:6068 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6722 napi_poll net/core/dev.c:6791 [inline] net_rx_action+0x9b6/0xf10 net/core/dev.c:6907 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 sk_stream_wait_memory+0x65e/0x10e0 net/core/stream.c:145 tcp_sendmsg_locked+0xa7c/0x3550 net/ipv4/tcp.c:1309 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1351 inet6_sendmsg+0xb9/0x140 net/ipv6/af_inet6.c:661 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x371/0x4e0 net/socket.c:2192 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __ia32_sys_sendto+0xdd/0x1b0 net/socket.c:2200 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_write_lock_irq include/linux/rwlock_api_smp.h:195 [inline] _raw_write_lock_irq+0x36/0x50 kernel/locking/spinlock.c:326 fasync_remove_entry+0xb9/0x1f0 fs/fcntl.c:905 fasync_helper+0xaf/0xd0 fs/fcntl.c:1008 sock_fasync+0x98/0x140 net/socket.c:1446 __fput+0x94a/0xbb0 fs/file_table.c:419 task_work_run+0x14e/0x250 kernel/task_work.c:180 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218 __do_fast_syscall_32+0x80/0x120 arch/x86/entry/common.c:389 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e INITIAL READ USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 kill_fasync_rcu fs/fcntl.c:1028 [inline] kill_fasync fs/fcntl.c:1049 [inline] kill_fasync+0x138/0x4f0 fs/fcntl.c:1042 sock_wake_async+0x132/0x160 net/socket.c:1475 sk_wake_async_rcu include/net/sock.h:2443 [inline] sk_wake_async_rcu include/net/sock.h:2440 [inline] sock_def_error_report+0x352/0x400 net/core/sock.c:3340 sk_error_report+0x3e/0x2a0 net/core/sock.c:347 tcp_reset+0x1cb/0x450 net/ipv4/tcp_input.c:4487 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6410 [inline] tcp_rcv_state_process+0x1f8a/0x4f30 net/ipv4/tcp_input.c:6693 tcp_v6_do_rcv+0x42f/0x16f0 net/ipv6/tcp_ipv6.c:1669 sk_backlog_rcv include/net/sock.h:1106 [inline] __release_sock+0x14c/0x400 net/core/sock.c:2983 release_sock+0x5a/0x220 net/core/sock.c:3549 tcp_sendmsg+0x38/0x50 net/ipv4/tcp.c:1352 inet6_sendmsg+0xb9/0x140 net/ipv6/af_inet6.c:661 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x371/0x4e0 net/socket.c:2192 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __ia32_sys_sendto+0xdd/0x1b0 net/socket.c:2200 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e } ... key at: [] __key.0+0x0/0x40 ... acquired at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 kill_fasync_rcu fs/fcntl.c:1028 [inline] kill_fasync fs/fcntl.c:1049 [inline] kill_fasync+0x138/0x4f0 fs/fcntl.c:1042 __pass_event drivers/input/evdev.c:240 [inline] evdev_pass_values+0x619/0x9b0 drivers/input/evdev.c:278 evdev_events+0x1b7/0x390 drivers/input/evdev.c:306 input_to_handler+0x2a1/0x4d0 drivers/input/input.c:129 input_pass_values+0x5c9/0x840 drivers/input/input.c:161 input_event_dispose+0x37a/0x630 drivers/input/input.c:378 input_handle_event+0x11c/0xd80 drivers/input/input.c:406 input_inject_event+0x1bb/0x370 drivers/input/input.c:465 evdev_write+0x450/0x750 drivers/input/evdev.c:530 vfs_write+0x29a/0x1140 fs/read_write.c:588 ksys_write+0x1f8/0x260 fs/read_write.c:643 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e stack backtrace: CPU: 2 PID: 13994 Comm: syz.3.3669 Not tainted 6.10.0-rc5-syzkaller-00155-g66e55ff12e73 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_bad_irq_dependency kernel/locking/lockdep.c:2626 [inline] check_irq_usage+0xe3c/0x1490 kernel/locking/lockdep.c:2865 check_prev_add kernel/locking/lockdep.c:3138 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain kernel/locking/lockdep.c:3869 [inline] __lock_acquire+0x248e/0x3b30 kernel/locking/lockdep.c:5137 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 kill_fasync_rcu fs/fcntl.c:1028 [inline] kill_fasync fs/fcntl.c:1049 [inline] kill_fasync+0x138/0x4f0 fs/fcntl.c:1042 __pass_event drivers/input/evdev.c:240 [inline] evdev_pass_values+0x619/0x9b0 drivers/input/evdev.c:278 evdev_events+0x1b7/0x390 drivers/input/evdev.c:306 input_to_handler+0x2a1/0x4d0 drivers/input/input.c:129 input_pass_values+0x5c9/0x840 drivers/input/input.c:161 input_event_dispose+0x37a/0x630 drivers/input/input.c:378 input_handle_event+0x11c/0xd80 drivers/input/input.c:406 input_inject_event+0x1bb/0x370 drivers/input/input.c:465 evdev_write+0x450/0x750 drivers/input/evdev.c:530 vfs_write+0x29a/0x1140 fs/read_write.c:588 ksys_write+0x1f8/0x260 fs/read_write.c:643 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7472579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f5d8a57c EFLAGS: 00000292 ORIG_RAX: 0000000000000004 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020000040 RDX: 0000000000001068 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ---------------- Code disassembly (best guess), 2 bytes skipped: 0: 10 06 adc %al,(%rsi) 2: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi 6: 10 07 adc %al,(%rdi) 8: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi c: 10 08 adc %cl,(%rax) e: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi 1e: 00 51 52 add %dl,0x52(%rcx) 21: 55 push %rbp 22: 89 e5 mov %esp,%ebp 24: 0f 34 sysenter 26: cd 80 int $0x80 * 28: 5d pop %rbp <-- trapping instruction 29: 5a pop %rdx 2a: 59 pop %rcx 2b: c3 ret 2c: 90 nop 2d: 90 nop 2e: 90 nop 2f: 90 nop 30: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi 37: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi