================================================================== ====================================================== WARNING: possible circular locking dependency detected 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Not tainted ------------------------------------------------------ syz-executor.1/2048 is trying to acquire lock: ffffffff84a888e0 (console_owner){-.-.}-{0:0}, at: console_unlock+0x2b2/0x97a kernel/printk/printk.c:2707 but task is already holding lock: ffffffff84c3a588 (report_lock){-.-.}-{2:2}, at: start_report mm/kasan/report.c:109 [inline] ffffffff84c3a588 (report_lock){-.-.}-{2:2}, at: __kasan_report mm/kasan/report.c:434 [inline] ffffffff84c3a588 (report_lock){-.-.}-{2:2}, at: kasan_report+0x84/0x1e0 mm/kasan/report.c:459 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #7 (report_lock){-.-.}-{2:2}: lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3e/0x62 kernel/locking/spinlock.c:162 start_report mm/kasan/report.c:109 [inline] __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x84/0x1e0 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256 __timerqueue_less lib/timerqueue.c:22 [inline] rb_add_cached include/linux/rbtree.h:174 [inline] timerqueue_add+0xb0/0x1d0 lib/timerqueue.c:40 -> #6 (hrtimer_bases.lock){-.-.}-{2:2}: lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3e/0x62 kernel/locking/spinlock.c:162 lock_hrtimer_base kernel/time/hrtimer.c:173 [inline] hrtimer_start_range_ns+0x9e/0x6dc kernel/time/hrtimer.c:1296 hrtimer_start_expires include/linux/hrtimer.h:432 [inline] do_start_rt_bandwidth kernel/sched/rt.c:69 [inline] start_rt_bandwidth kernel/sched/rt.c:80 [inline] inc_rt_group kernel/sched/rt.c:1208 [inline] inc_rt_tasks kernel/sched/rt.c:1252 [inline] __enqueue_rt_entity kernel/sched/rt.c:1428 [inline] enqueue_rt_entity kernel/sched/rt.c:1474 [inline] enqueue_task_rt+0x520/0x568 kernel/sched/rt.c:1509 enqueue_task+0x66/0x136 kernel/sched/core.c:2010 __sched_setscheduler.constprop.0+0x704/0xdd4 kernel/sched/core.c:7475 _sched_setscheduler kernel/sched/core.c:7521 [inline] sched_setscheduler_nocheck kernel/sched/core.c:7568 [inline] sched_set_fifo+0xc8/0x108 kernel/sched/core.c:7592 drm_vblank_worker_init+0xea/0x10c drivers/gpu/drm/drm_vblank_work.c:263 drm_vblank_init+0xec/0x24e drivers/gpu/drm/drm_vblank.c:551 vkms_create drivers/gpu/drm/vkms/vkms_drv.c:194 [inline] vkms_init+0x272/0x45c drivers/gpu/drm/vkms/vkms_drv.c:233 do_one_initcall+0x13a/0x7ea init/main.c:1300 do_initcall_level init/main.c:1373 [inline] do_initcalls init/main.c:1389 [inline] do_basic_setup init/main.c:1408 [inline] kernel_init_freeable+0x510/0x5b4 init/main.c:1613 kernel_init+0x28/0x21c init/main.c:1502 ret_from_exception+0x0/0x10 -> #5 (&rt_b->rt_runtime_lock){-...}-{2:2}: lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x32/0x48 kernel/locking/spinlock.c:154 __enable_runtime kernel/sched/rt.c:840 [inline] rq_online_rt+0x78/0x1b8 kernel/sched/rt.c:2431 set_rq_online.part.0+0xaa/0xc2 kernel/sched/core.c:8965 set_rq_online kernel/sched/core.c:9075 [inline] sched_cpu_activate+0x1c0/0x250 kernel/sched/core.c:9070 cpuhp_invoke_callback+0x282/0x504 kernel/cpu.c:191 cpuhp_thread_fun+0x2f6/0x4b0 kernel/cpu.c:791 smpboot_thread_fn+0x448/0x6cc kernel/smpboot.c:164 kthread+0x19e/0x1fa kernel/kthread.c:377 ret_from_exception+0x0/0x10 -> #4 (&rq->__lock){-.-.}-{2:2}: lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 _raw_spin_lock_nested+0x36/0x4e kernel/locking/spinlock.c:378 raw_spin_rq_lock_nested+0x22/0x34 kernel/sched/core.c:489 raw_spin_rq_lock kernel/sched/sched.h:1318 [inline] rq_lock kernel/sched/sched.h:1616 [inline] task_fork_fair+0xa8/0x218 kernel/sched/fair.c:11146 sched_post_fork+0x16e/0x196 kernel/sched/core.c:4462 copy_process+0x3378/0x3c34 kernel/fork.c:2379 kernel_clone+0xee/0x920 kernel/fork.c:2555 kernel_thread+0xf8/0x130 kernel/fork.c:2607 rest_init+0x34/0x3f2 init/main.c:690 arch_call_rest_init+0x18/0x20 init/main.c:881 start_kernel+0x66a/0x698 init/main.c:1138 -> #3 (&p->pi_lock){-.-.}-{2:2}: lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3e/0x62 kernel/locking/spinlock.c:162 try_to_wake_up+0xa4/0x748 kernel/sched/core.c:4017 default_wake_function+0x28/0x36 kernel/sched/core.c:6723 woken_wake_function+0x38/0x48 kernel/sched/wait.c:481 __wake_up_common+0xb6/0x236 kernel/sched/wait.c:108 __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138 __wake_up+0x10/0x18 kernel/sched/wait.c:157 tty_wakeup+0x58/0xbe drivers/tty/tty_io.c:534 tty_port_default_wakeup+0x2c/0x44 drivers/tty/tty_port.c:51 tty_port_tty_wakeup+0x3a/0x46 drivers/tty/tty_port.c:413 uart_write_wakeup+0x34/0x48 drivers/tty/serial/serial_core.c:106 serial8250_tx_chars+0x322/0x592 drivers/tty/serial/8250/8250_port.c:1845 serial8250_handle_irq.part.0+0x284/0x286 drivers/tty/serial/8250/8250_port.c:1932 serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1905 [inline] serial8250_default_handle_irq+0xac/0x142 drivers/tty/serial/8250/8250_port.c:1949 serial8250_interrupt+0xbe/0x1a6 drivers/tty/serial/8250/8250_core.c:126 __handle_irq_event_percpu+0x16e/0x6ec kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] handle_irq_event+0x6a/0xfa kernel/irq/handle.c:210 handle_fasteoi_irq+0x1c0/0x4d6 kernel/irq/chip.c:715 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] handle_irq_desc kernel/irq/irqdesc.c:646 [inline] generic_handle_domain_irq+0x7c/0x9c kernel/irq/irqdesc.c:680 plic_handle_irq+0x122/0x242 drivers/irqchip/irq-sifive-plic.c:242 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] handle_irq_desc kernel/irq/irqdesc.c:646 [inline] generic_handle_domain_irq+0x7c/0x9c kernel/irq/irqdesc.c:680 riscv_intc_irq+0x7e/0xc8 drivers/irqchip/irq-riscv-intc.c:40 generic_handle_arch_irq+0x36/0x54 kernel/irq/handle.c:238 ret_from_exception+0x0/0x10 wait_for_interrupt arch/riscv/include/asm/processor.h:74 [inline] arch_cpu_idle+0x10/0x20 arch/riscv/kernel/process.c:40 -> #2 (&tty->write_wait){-.-.}-{2:2}: lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3e/0x62 kernel/locking/spinlock.c:162 __wake_up_common_lock+0xc4/0x136 kernel/sched/wait.c:137 __wake_up+0x10/0x18 kernel/sched/wait.c:157 tty_wakeup+0x58/0xbe drivers/tty/tty_io.c:534 tty_port_default_wakeup+0x2c/0x44 drivers/tty/tty_port.c:51 tty_port_tty_wakeup+0x3a/0x46 drivers/tty/tty_port.c:413 uart_write_wakeup+0x34/0x48 drivers/tty/serial/serial_core.c:106 serial8250_tx_chars+0x322/0x592 drivers/tty/serial/8250/8250_port.c:1845 serial8250_handle_irq.part.0+0x284/0x286 drivers/tty/serial/8250/8250_port.c:1932 serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1905 [inline] serial8250_default_handle_irq+0xac/0x142 drivers/tty/serial/8250/8250_port.c:1949 serial8250_interrupt+0xbe/0x1a6 drivers/tty/serial/8250/8250_core.c:126 __handle_irq_event_percpu+0x16e/0x6ec kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] handle_irq_event+0x6a/0xfa kernel/irq/handle.c:210 handle_fasteoi_irq+0x1c0/0x4d6 kernel/irq/chip.c:715 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] handle_irq_desc kernel/irq/irqdesc.c:646 [inline] generic_handle_domain_irq+0x7c/0x9c kernel/irq/irqdesc.c:680 plic_handle_irq+0x122/0x242 drivers/irqchip/irq-sifive-plic.c:242 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] handle_irq_desc kernel/irq/irqdesc.c:646 [inline] generic_handle_domain_irq+0x7c/0x9c kernel/irq/irqdesc.c:680 riscv_intc_irq+0x7e/0xc8 drivers/irqchip/irq-riscv-intc.c:40 generic_handle_arch_irq+0x36/0x54 kernel/irq/handle.c:238 ret_from_exception+0x0/0x10 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] _raw_spin_unlock_irqrestore+0x68/0x98 kernel/locking/spinlock.c:194 -> #1 (&port_lock_key){-.-.}-{2:2}: lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3e/0x62 kernel/locking/spinlock.c:162 serial8250_console_write+0x848/0x8e6 drivers/tty/serial/8250/8250_port.c:3387 univ8250_console_write+0x46/0x54 drivers/tty/serial/8250/8250_core.c:575 call_console_drivers kernel/printk/printk.c:1929 [inline] console_unlock+0x666/0x97a kernel/printk/printk.c:2711 register_console+0x250/0x534 kernel/printk/printk.c:3054 uart_configure_port drivers/tty/serial/serial_core.c:2402 [inline] uart_add_one_port+0xbf2/0xc14 drivers/tty/serial/serial_core.c:2917 serial8250_register_8250_port+0x8ce/0xc6e drivers/tty/serial/8250/8250_core.c:1082 of_platform_serial_probe+0x7ae/0xa9c drivers/tty/serial/8250/8250_of.c:232 platform_probe+0xc8/0x172 drivers/base/platform.c:1416 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x1a6/0x89e drivers/base/dd.c:596 __driver_probe_device+0x24a/0x2d4 drivers/base/dd.c:752 driver_probe_device+0x60/0x1a4 drivers/base/dd.c:782 __driver_attach+0x178/0x33e drivers/base/dd.c:1141 bus_for_each_dev+0x122/0x194 drivers/base/bus.c:301 driver_attach+0x32/0x3c drivers/base/dd.c:1158 bus_add_driver+0x2c6/0x41a drivers/base/bus.c:618 driver_register+0x144/0x286 drivers/base/driver.c:171 __platform_driver_register+0x46/0x52 drivers/base/platform.c:863 of_platform_serial_driver_init+0x22/0x2a drivers/tty/serial/8250/8250_of.c:341 do_one_initcall+0x13a/0x7ea init/main.c:1300 do_initcall_level init/main.c:1373 [inline] do_initcalls init/main.c:1389 [inline] do_basic_setup init/main.c:1408 [inline] kernel_init_freeable+0x510/0x5b4 init/main.c:1613 kernel_init+0x28/0x21c init/main.c:1502 ret_from_exception+0x0/0x10 -> #0 (console_owner){-.-.}-{0:0}: check_noncircular+0x1de/0x1fe kernel/locking/lockdep.c:2143 check_prev_add kernel/locking/lockdep.c:3063 [inline] check_prevs_add kernel/locking/lockdep.c:3186 [inline] validate_chain kernel/locking/lockdep.c:3801 [inline] __lock_acquire+0x19a4/0x333e kernel/locking/lockdep.c:5027 lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 console_lock_spinning_enable kernel/printk/printk.c:1781 [inline] console_unlock+0x304/0x97a kernel/printk/printk.c:2708 vprintk_emit+0xd2/0x416 kernel/printk/printk.c:2245 vprintk_default+0x22/0x2e kernel/printk/printk.c:2256 vprintk+0x108/0x13e kernel/printk/printk_safe.c:50 _printk+0xa0/0xc8 kernel/printk/printk.c:2266 start_report mm/kasan/report.c:110 [inline] __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x9a/0x1e0 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256 __timerqueue_less lib/timerqueue.c:22 [inline] rb_add_cached include/linux/rbtree.h:174 [inline] timerqueue_add+0xb0/0x1d0 lib/timerqueue.c:40 other info that might help us debug this: Chain exists of: console_owner --> hrtimer_bases.lock --> report_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(report_lock); lock(hrtimer_bases.lock); lock(report_lock); lock(console_owner); *** DEADLOCK *** 7 locks held by syz-executor.1/2048: #0: ffffffff855cf108 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff855cf108 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x2fe/0x9a0 net/core/rtnetlink.c:5589 #1: ffffffff84b73e00 (rcu_read_lock){....}-{1:2}, at: INIT_LIST_HEAD include/linux/list.h:38 [inline] #1: ffffffff84b73e00 (rcu_read_lock){....}-{1:2}, at: list_splice_init include/linux/list.h:492 [inline] #1: ffffffff84b73e00 (rcu_read_lock){....}-{1:2}, at: netif_receive_skb_list_internal+0x244/0x816 net/core/dev.c:5568 #2: ffffffff84b73e00 (rcu_read_lock){....}-{1:2}, at: __skb_pull include/linux/skbuff.h:2398 [inline] #2: ffffffff84b73e00 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0x7e/0x278 net/ipv4/ip_input.c:228 #3: ffffaf800bba18b0 (slock-AF_INET/1){+.-.}-{2:2}, at: tcp_v4_rcv+0x1bd4/0x1f46 net/ipv4/tcp_ipv4.c:2115 #4: ffffaf805a9cb418 (hrtimer_bases.lock){-.-.}-{2:2}, at: __run_hrtimer kernel/time/hrtimer.c:1689 [inline] #4: ffffaf805a9cb418 (hrtimer_bases.lock){-.-.}-{2:2}, at: __hrtimer_run_queues+0x262/0xa16 kernel/time/hrtimer.c:1749 #5: ffffffff84c3a588 (report_lock){-.-.}-{2:2}, at: start_report mm/kasan/report.c:109 [inline] #5: ffffffff84c3a588 (report_lock){-.-.}-{2:2}, at: __kasan_report mm/kasan/report.c:434 [inline] #5: ffffffff84c3a588 (report_lock){-.-.}-{2:2}, at: kasan_report+0x84/0x1e0 mm/kasan/report.c:459 #6: ffffffff84a88600 (console_lock){+.+.}-{0:0}, at: vprintk_default+0x22/0x2e kernel/printk/printk.c:2256 stack backtrace: CPU: 0 PID: 2048 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119 [] __dump_stack lib/dump_stack.c:88 [inline] [] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106 [] dump_stack+0x1c/0x24 lib/dump_stack.c:113 [] print_circular_bug+0x34e/0x3d8 kernel/locking/lockdep.c:2021 [] check_noncircular+0x1de/0x1fe kernel/locking/lockdep.c:2143 [] check_prev_add kernel/locking/lockdep.c:3063 [inline] [] check_prevs_add kernel/locking/lockdep.c:3186 [inline] [] validate_chain kernel/locking/lockdep.c:3801 [inline] [] __lock_acquire+0x19a4/0x333e kernel/locking/lockdep.c:5027 [] lock_acquire.part.0+0x1d0/0x424 kernel/locking/lockdep.c:5639 [] lock_acquire+0x54/0x6a kernel/locking/lockdep.c:5612 [] console_lock_spinning_enable kernel/printk/printk.c:1781 [inline] [] console_unlock+0x304/0x97a kernel/printk/printk.c:2708 [] vprintk_emit+0xd2/0x416 kernel/printk/printk.c:2245 [] vprintk_default+0x22/0x2e kernel/printk/printk.c:2256 [] vprintk+0x108/0x13e kernel/printk/printk_safe.c:50 [] _printk+0xa0/0xc8 kernel/printk/printk.c:2266 [] start_report mm/kasan/report.c:110 [inline] [] __kasan_report mm/kasan/report.c:434 [inline] [] kasan_report+0x9a/0x1e0 mm/kasan/report.c:459 [] check_region_inline mm/kasan/generic.c:183 [inline] [] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256 [] __timerqueue_less lib/timerqueue.c:22 [inline] [] rb_add_cached include/linux/rbtree.h:174 [inline] [] timerqueue_add+0xb0/0x1d0 lib/timerqueue.c:40 BUG: KASAN: user-memory-access in __timerqueue_less lib/timerqueue.c:22 [inline] BUG: KASAN: user-memory-access in rb_add_cached include/linux/rbtree.h:174 [inline] BUG: KASAN: user-memory-access in timerqueue_add+0xb0/0x1d0 lib/timerqueue.c:40 Read of size 8 at addr 000000003c18dd1d by task syz-executor.1/2048 CPU: 0 PID: 2048 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119 [] __dump_stack lib/dump_stack.c:88 [inline] [] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106 [] __kasan_report mm/kasan/report.c:446 [inline] [] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459 [] check_region_inline mm/kasan/generic.c:183 [inline] [] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256 [] __timerqueue_less lib/timerqueue.c:22 [inline] [] rb_add_cached include/linux/rbtree.h:174 [inline] [] timerqueue_add+0xb0/0x1d0 lib/timerqueue.c:40 ================================================================== Unable to handle kernel paging request at virtual address 000000003c18dd1d Oops [#1] Modules linked in: CPU: 0 PID: 2048 Comm: syz-executor.1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) epc : __timerqueue_less lib/timerqueue.c:22 [inline] epc : rb_add_cached include/linux/rbtree.h:174 [inline] epc : timerqueue_add+0xb0/0x1d0 lib/timerqueue.c:40 ra : __timerqueue_less lib/timerqueue.c:22 [inline] ra : rb_add_cached include/linux/rbtree.h:174 [inline] ra : timerqueue_add+0xb0/0x1d0 lib/timerqueue.c:40 epc : ffffffff80c2bca8 ra : ffffffff80c2bca8 sp : ffffaf801211bfd0 gp : ffffffff85863ac0 tp : ffffaf800ecf0000 t0 : ffffffff86bcb657 t1 : fffffffef0b0dfa4 t2 : 0000000000000000 s0 : ffffaf801211c020 s1 : 000000003c18dd05 a0 : 0000000000000001 a1 : 0000000000000003 a2 : 1ffff5f001d9e001 a3 : ffffffff831afd3a a4 : 0000000000000000 a5 : ffffaf800ecf1000 a6 : 0000000000f00000 a7 : ffffffff8586fd23 s2 : ffffaf801211bab8 s3 : 00000000209ad193 s4 : ffffaf805a9cbd18 s5 : 000000f1323d5a80 s6 : 0000000000000000 s7 : ffffaf805a9cb4d0 s8 : ffffaf805a9cb490 s9 : ffffaf805a9cbd50 s10: ffffaf805a9cb400 s11: 0000000000010101 t3 : 000000000000003d t4 : fffffffef0b0dfa4 t5 : fffffffef0b0dfa5 t6 : ffffaf801211ba38 status: 0000000000000100 badaddr: 000000003c18dd1d cause: 000000000000000d ---[ end trace 0000000000000000 ]---