RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000009
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
R13: 0000000000000954 R14: 00000000004d59a8 R15: 0000000000000000
======================================================
WARNING: possible circular locking dependency detected
4.19.115-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/9843 is trying to acquire lock:
0000000020dfefd8 (console_owner){-...}, at: console_trylock_spinning kernel/printk/printk.c:1669 [inline]
0000000020dfefd8 (console_owner){-...}, at: vprintk_emit+0x3d8/0x6e0 kernel/printk/printk.c:1936

but task is already holding lock:
00000000ee4e4600 (&(&port->lock)->rlock){-.-.}, at: tty_port_close_start.part.0+0x28/0x540 drivers/tty/tty_port.c:574

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&(&port->lock)->rlock){-.-.}:
       tty_port_tty_get+0x1d/0x80 drivers/tty/tty_port.c:289
       tty_port_default_wakeup+0x11/0x40 drivers/tty/tty_port.c:47
       serial8250_tx_chars+0x48f/0xae0 drivers/tty/serial/8250/8250_port.c:1806
       serial8250_handle_irq.part.0+0x24b/0x290 drivers/tty/serial/8250/8250_port.c:1879
       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1865 [inline]
       serial8250_default_handle_irq+0xb5/0x140 drivers/tty/serial/8250/8250_port.c:1895
       serial8250_interrupt+0xf2/0x1d0 drivers/tty/serial/8250/8250_core.c:125
       __handle_irq_event_percpu+0x144/0x8e0 kernel/irq/handle.c:149
       handle_irq_event_percpu+0x76/0x160 kernel/irq/handle.c:189
       handle_irq_event+0xa2/0x12d kernel/irq/handle.c:206
       handle_edge_irq+0x24b/0x8c0 kernel/irq/chip.c:797
       generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
       handle_irq+0x35/0x50 arch/x86/kernel/irq_64.c:87
       do_IRQ+0x93/0x1c0 arch/x86/kernel/irq.c:246
       ret_from_intr+0x0/0x1e
       native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:60
       arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
       default_idle+0x49/0x320 arch/x86/kernel/process.c:565
       cpuidle_idle_call kernel/sched/idle.c:153 [inline]
       do_idle+0x2ee/0x4b0 kernel/sched/idle.c:263
       cpu_startup_entry+0xc6/0xd0 kernel/sched/idle.c:369
       start_secondary+0x3e4/0x590 arch/x86/kernel/smpboot.c:271
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

-> #1 (&port_lock_key){-.-.}:
       serial8250_console_write+0x79f/0x9c0 drivers/tty/serial/8250/8250_port.c:3251
       call_console_drivers kernel/printk/printk.c:1736 [inline]
       console_unlock+0xb26/0xfe0 kernel/printk/printk.c:2429
       vprintk_emit+0x282/0x6e0 kernel/printk/printk.c:1937
       vprintk_func+0x79/0x17e kernel/printk/printk_safe.c:398
       printk+0xba/0xed kernel/printk/printk.c:2012
       register_console+0x752/0xb50 kernel/printk/printk.c:2745
       univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:684
       console_init+0x4cb/0x718 kernel/printk/printk.c:2831
       start_kernel+0x594/0x81c init/main.c:660
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

-> #0 (console_owner){-...}:
       console_trylock_spinning kernel/printk/printk.c:1690 [inline]
       vprintk_emit+0x415/0x6e0 kernel/printk/printk.c:1936
       vprintk_func+0x79/0x17e kernel/printk/printk_safe.c:398
       printk+0xba/0xed kernel/printk/printk.c:2012
       tty_port_close_start.part.0+0x4f0/0x540 drivers/tty/tty_port.c:576
       tty_port_close_start drivers/tty/tty_port.c:648 [inline]
       tty_port_close+0x46/0xe0 drivers/tty/tty_port.c:641
       tty_release+0x3b9/0xe90 drivers/tty/tty_io.c:1678
       __fput+0x2cd/0x890 fs/file_table.c:278
       task_work_run+0x13f/0x1b0 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:193 [inline]
       exit_to_usermode_loop+0x25a/0x2b0 arch/x86/entry/common.c:167
       prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
       do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  console_owner --> &port_lock_key --> &(&port->lock)->rlock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&(&port->lock)->rlock);
                               lock(&port_lock_key);
                               lock(&(&port->lock)->rlock);
  lock(console_owner);

 *** DEADLOCK ***

2 locks held by syz-executor.3/9843:
 #0: 00000000a6eeedcf (&tty->legacy_mutex){+.+.}, at: tty_lock+0x6a/0xa0 drivers/tty/tty_mutex.c:19
 #1: 00000000ee4e4600 (&(&port->lock)->rlock){-.-.}, at: tty_port_close_start.part.0+0x28/0x540 drivers/tty/tty_port.c:574

stack backtrace:
CPU: 0 PID: 9843 Comm: syz-executor.3 Not tainted 4.19.115-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_circular_bug.isra.0.cold+0x1c4/0x282 kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1861 [inline]
 check_prevs_add kernel/locking/lockdep.c:1974 [inline]
 validate_chain kernel/locking/lockdep.c:2415 [inline]
 __lock_acquire+0x2e19/0x49c0 kernel/locking/lockdep.c:3411
 lock_acquire+0x170/0x400 kernel/locking/lockdep.c:3903
 console_trylock_spinning kernel/printk/printk.c:1690 [inline]
 vprintk_emit+0x415/0x6e0 kernel/printk/printk.c:1936
 vprintk_func+0x79/0x17e kernel/printk/printk_safe.c:398
 printk+0xba/0xed kernel/printk/printk.c:2012
 tty_port_close_start.part.0+0x4f0/0x540 drivers/tty/tty_port.c:576
 tty_port_close_start drivers/tty/tty_port.c:648 [inline]
 tty_port_close+0x46/0xe0 drivers/tty/tty_port.c:641
 tty_release+0x3b9/0xe90 drivers/tty/tty_io.c:1678
 __fput+0x2cd/0x890 fs/file_table.c:278
 task_work_run+0x13f/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x25a/0x2b0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416421
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fff0c11beb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416421
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000770120 R09: 01ffffffffffffff
R10: 00007fff0c11bf80 R11: 0000000000000293 R12: 000000000076bf00
R13: 0000000000770128 R14: 0000000000000000 R15: 000000000076bf0c
selinux_nlmsg_perm: 6 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9847 comm=syz-executor.5
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9882:9888 ioctl 40046207 0 returned -16
binder: 9826:9842 ioctl 40046207 0 returned -16
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder: 9826:9891 ioctl 80045010 20000040 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9909 comm=syz-executor.2
binder_alloc: 9917: binder_alloc_buf, no vma
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder: 9917:9933 ioctl 80045010 20000040 returned -22
bond3: Enslaving macvlan2 as an active interface with a down link
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
ttyprintk ttyprintk: tty_port_close_start: tty->count = 1 port count = 2
bond3: Releasing active interface macvlan2
binder_alloc: 9999: binder_alloc_buf, no vma
binder_alloc: 10017: binder_alloc_buf, no vma
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder_alloc: 10026: binder_alloc_buf, no vma
binder: 10026:10039 ioctl 80045010 20000040 returned -22
bond4: Enslaving macvlan2 as an active interface with a down link
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
bond4: Releasing active interface macvlan2
reject_tg_check: 11 callbacks suppressed
ipt_REJECT: TCP_RESET invalid for non-tcp
binder_alloc: 10100: binder_alloc_buf, no vma
ipt_REJECT: TCP_RESET invalid for non-tcp
binder_alloc: 10113: binder_alloc_buf, no vma
ipt_REJECT: TCP_RESET invalid for non-tcp
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder_alloc: 10123: binder_alloc_buf, no vma
ipt_REJECT: TCP_RESET invalid for non-tcp
binder: 10123:10137 ioctl 80045010 20000040 returned -22
bond5: Enslaving macvlan2 as an active interface with a down link
ipt_REJECT: TCP_RESET invalid for non-tcp
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
ipt_REJECT: TCP_RESET invalid for non-tcp
bond5: Releasing active interface macvlan2
ipt_REJECT: TCP_RESET invalid for non-tcp
ipt_REJECT: TCP_RESET invalid for non-tcp
binder_alloc: 10211: binder_alloc_buf, no vma
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
bond6: Enslaving macvlan2 as an active interface with a down link
binder_alloc: 10258: binder_alloc_buf, no vma
ipt_REJECT: TCP_RESET invalid for non-tcp
ipt_REJECT: TCP_RESET invalid for non-tcp
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder_alloc: 10266: binder_alloc_buf, no vma
binder: 10266:10288 ioctl 80045010 20000040 returned -22
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder_alloc: 10343: binder_alloc_buf, no vma
binder_alloc: 10386: binder_alloc_buf, no vma
[U]
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
bond9 (uninitialized): Released all slaves
binder_alloc: 10394: binder_alloc_buf, no vma
binder: 10394:10409 ioctl 80045010 20000040 returned -22
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
bond9 (uninitialized): Released all slaves
binder_alloc: 10432: binder_alloc_buf, no vma
binder_alloc: 10445: binder_alloc_buf, no vma
[U]
[U]
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
bond9 (uninitialized): Released all slaves
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
bond9 (uninitialized): Released all slaves
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder: 10542:10548 unknown command 25347
binder: 10542:10548 ioctl c0306201 200000c0 returned -22
binder: 10542:10548 ioctl 80047441 20000040 returned -22
bond9 (uninitialized): Released all slaves
[U]
binder: 10542:10548 unknown command 25347
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10542:10560 ioctl 40046207 0 returned -16
binder: 10542:10548 ioctl c0306201 200000c0 returned -22
binder: 10542:10562 ioctl 80047441 20000040 returned -22
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
bond9 (uninitialized): Released all slaves
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
bond9 (uninitialized): Released all slaves
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder: 10594:10606 ioctl 40505330 20000080 returned -22
bond9 (uninitialized): Released all slaves
[U]
binder: 10594:10606 ioctl 40505330 20000080 returned -22
[U]
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
bond9 (uninitialized): Released all slaves
[U]
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
binder: 10636:10639 ioctl c0306201 200000c0 returned -11
bond9 (uninitialized): Released all slaves
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10636:10639 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10636:10645 ioctl 40046207 0 returned -16
binder: 10636:10645 unknown command 1075077893
binder: 10636:10645 ioctl c0306201 20000280 returned -22
binder: 10636:10645 ioctl 540a 3 returned -22
netlink: 'syz-executor.5': attribute type 1 has an invalid length.
reject_tg_check: 21 callbacks suppressed
ipt_REJECT: TCP_RESET invalid for non-tcp
bond9 (uninitialized): Released all slaves
ipt_REJECT: TCP_RESET invalid for non-tcp
ipt_REJECT: TCP_RESET invalid for non-tcp
binder: 10636:10645 ioctl c0306201 200000c0 returned -11
binder_alloc_new_buf_locked: 9 callbacks suppressed
binder_alloc: 10636: binder_alloc_buf, no vma
ipt_REJECT: TCP_RESET invalid for non-tcp
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10636:10645 ioctl 40046207 0 returned -16
ipt_REJECT: TCP_RESET invalid for non-tcp
ipt_REJECT: TCP_RESET invalid for non-tcp
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10636:10694 unknown command 1075077893
binder: 10636:10639 ioctl 40046207 0 returned -16
binder: 10636:10694 ioctl c0306201 20000280 returned -22
binder: 10706:10708 unknown command 1074553605
binder: 10706:10708 ioctl c0306201 20000200 returned -22
ipt_REJECT: TCP_RESET invalid for non-tcp
ipt_REJECT: TCP_RESET invalid for non-tcp
ipt_REJECT: TCP_RESET invalid for non-tcp
ipt_REJECT: TCP_RESET invalid for non-tcp
[U]
binder: 10706:10717 unknown command 1074553605
binder: 10706:10717 ioctl c0306201 20000200 returned -22