#4: (kbd_event_lock){....}, at: [] spin_lock include/linux/spinlock.h:316 [inline] #4: (kbd_event_lock){....}, at: [] kbd_event+0x82/0x36d0 drivers/tty/vt/keyboard.c:1458 #5: (tasklist_lock){.?.+}, at: [] debug_show_all_locks+0xd3/0x400 kernel/locking/lockdep.c:4552 ============================================= BUG: workqueue lockup - pool cpus=1 node=0 flags=0x0 nice=0 stuck for 30s! Showing busy workqueues and worker pools: workqueue events: flags=0x0 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=3/256 in-flight: 17:console_callback pending: jump_label_update_timeout, cache_reap pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=3/256 pending: check_corruption, vmstat_shepherd, cache_reap workqueue events_long: flags=0x0 pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 pending: gc_worker workqueue events_power_efficient: flags=0x80 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=2/256 pending: neigh_periodic_work, do_cache_clean pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 pending: neigh_periodic_work workqueue mm_percpu_wq: flags=0x8 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=1/256 pending: vmstat_update pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/256 pending: vmstat_update workqueue writeback: flags=0x4e pwq 4: cpus=0-1 flags=0x4 nice=0 active=2/256 in-flight: 3715:wb_workfn pending: wb_workfn workqueue kblockd: flags=0x18 pwq 1: cpus=0 node=0 flags=0x0 nice=-20 active=2/256 pending: blk_timeout_work, blk_mq_timeout_work pool 2: cpus=1 node=0 flags=0x0 nice=0 hung=0s workers=5 idle: 6261 24 1272 6260 pool 4: cpus=0-1 flags=0x4 nice=0 hung=0s workers=13 idle: 3280 3711 5 21 3704 3288 3610 64 92 3284 3674 29 TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. nla_parse: 2 callbacks suppressed netlink: 10 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 10 bytes leftover after parsing attributes in process `syz-executor3'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14041 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=51 sclass=netlink_route_socket pig=14041 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14041 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14064 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=51 sclass=netlink_route_socket pig=14064 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14064 comm=syz-executor4 device eql entered promiscuous mode device eql entered promiscuous mode handle_userfault: 26 callbacks suppressed FAULT_FLAG_ALLOW_RETRY missing 20 CPU: 0 PID: 14196 Comm: syz-executor0 Not tainted 4.14.0-rc3+ #25 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 handle_userfault+0x11ec/0x23a0 fs/userfaultfd.c:427 shmem_getpage_gfp+0x2992/0x3730 mm/shmem.c:1729 shmem_fault+0x2b9/0x960 mm/shmem.c:1997 __do_fault+0xeb/0x30f mm/memory.c:3170 do_read_fault mm/memory.c:3580 [inline] do_fault mm/memory.c:3680 [inline] handle_pte_fault mm/memory.c:3910 [inline] __handle_mm_fault+0x1b9b/0x39c0 mm/memory.c:4034 handle_mm_fault+0x334/0x8d0 mm/memory.c:4071 faultin_page mm/gup.c:502 [inline] __get_user_pages+0x50c/0x15f0 mm/gup.c:699 __get_user_pages_locked mm/gup.c:910 [inline] __get_user_pages_unlocked mm/gup.c:984 [inline] get_user_pages_unlocked+0x23d/0x460 mm/gup.c:1009 get_user_pages_fast+0x91/0xd0 mm/gup.c:1752 get_futex_key+0x461/0x1d50 kernel/futex.c:547 futex_wake_op kernel/futex.c:1618 [inline] do_futex+0xe91/0x20d0 kernel/futex.c:3476 C_SYSC_futex kernel/futex_compat.c:200 [inline] compat_SyS_futex+0x27f/0x380 kernel/futex_compat.c:174 do_syscall_32_irqs_on arch/x86/entry/common.c:329 [inline] do_fast_syscall_32+0x3f2/0xf05 arch/x86/entry/common.c:391 entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124 RIP: 0023:0xf7feac79 RSP: 002b:00000000f77e605c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0 RAX: ffffffffffffffda RBX: 0000000020012ffc RCX: 0000000000000005 RDX: 00000000000001ff RSI: 0000000020060ff0 RDI: 0000000020034000 RBP: 00000000000000ff R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 syz-executor1: vmalloc: allocation failure: 17178296320 bytes, mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null) syz-executor1 cpuset=/ mems_allowed=0 CPU: 0 PID: 14235 Comm: syz-executor1 Not tainted 4.14.0-rc3+ #25 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3254 __vmalloc_node_range+0x581/0x710 mm/vmalloc.c:1781 __vmalloc_node mm/vmalloc.c:1810 [inline] __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1832 kvmalloc_node+0x82/0xd0 mm/util.c:406 kvmalloc include/linux/mm.h:529 [inline] kvmalloc_array include/linux/mm.h:545 [inline] xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774 translate_table+0x235/0x1690 net/ipv6/netfilter/ip6_tables.c:705 do_replace net/ipv6/netfilter/ip6_tables.c:1150 [inline] do_ip6t_set_ctl+0x34b/0x5c0 net/ipv6/netfilter/ip6_tables.c:1676 nf_sockopt net/netfilter/nf_sockopt.c:105 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114 ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:919 sctp_setsockopt+0x278/0x5a00 net/sctp/socket.c:3944 compat_sock_common_setsockopt+0x104/0x140 net/core/sock.c:2973 C_SYSC_setsockopt net/compat.c:403 [inline] compat_SyS_setsockopt+0x17c/0x410 net/compat.c:386 do_syscall_32_irqs_on arch/x86/entry/common.c:329 [inline] do_fast_syscall_32+0x3f2/0xf05 arch/x86/entry/common.c:391 entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124 RIP: 0023:0xf7ffcc79 RSP: 002b:00000000f77f805c EFLAGS: 00000296 ORIG_RAX: 000000000000016e RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000000029 RDX: 0000000000000040 RSI: 0000000020001fde RDI: 0000000000000004 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Mem-Info: active_anon:96622 inactive_anon:31 isolated_anon:0 active_file:3590 inactive_file:6192 isolated_file:0 unevictable:0 dirty:455 writeback:0 unstable:0 slab_reclaimable:7656 slab_unreclaimable:91440 mapped:22074 shmem:174 pagetables:843 bounce:0 free:1403322 free_pcp:494 free_cma:0 Node 0 active_anon:378256kB inactive_anon:124kB active_file:14360kB inactive_file:24768kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:88296kB dirty:1820kB writeback:0kB shmem:696kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 47104kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no Node 0 DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB lowmem_reserve[]: 0 2886 6399 6399 Node 0 DMA32 free:2957304kB min:30408kB low:38008kB high:45608kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2958156kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:852kB local_pcp:680kB free_cma:0kB lowmem_reserve[]: 0 0 3513 3513 Node 0 Normal free:2647908kB min:37008kB low:46260kB high:55512kB active_anon:376296kB inactive_anon:124kB active_file:14360kB inactive_file:46476kB unevictable:0kB writepending:1820kB present:4718592kB managed:3597444kB mlocked:0kB kernel_stack:4512kB pagetables:3224kB bounce:0kB free_pcp:1016kB local_pcp:612kB free_cma:0kB SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14275 comm=syz-executor6 lowmem_reserve[]: 0 0 0 0 Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'. Node 0 DMA32: 4*4kB (UM) 3*8kB (UM) 3*16kB (M) 3*32kB (UM) 3*64kB (M) 3*128kB (M) 3*256kB (UM) 5*512kB (UM) 2*1024kB (UM) 3*2048kB (UM) 719*4096kB (M) = 2957304kB Node 0 Normal: 73*4kB (UME) 35*8kB (UE) 11*16kB (UME) 665*32kB (UM) 800*64kB (UME) 288*128kB (UM) 66*256kB (UME) 13*512kB (UME) 8*1024kB (UME) 3*2048kB (UM) 610*4096kB (M) = 2646540kB Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB 9955 total pagecache pages 0 pages in swap cache Swap cache stats: add 0, delete 0, find 0/0 Free swap = 0kB Total swap = 0kB 1965979 pages RAM 0 pages HighMem/MovableOnly 323102 pages reserved netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'. audit: type=1326 audit(1507179674.374:62): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=14375 comm="syz-executor3" exe="/root/syz-executor3" sig=31 arch=40000003 syscall=240 compat=1 ip=0xf7f98c79 code=0xffff0000 audit: type=1326 audit(1507179674.538:63): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=14375 comm="syz-executor3" exe="/root/syz-executor3" sig=31 arch=40000003 syscall=240 compat=1 ip=0xf7f98c79 code=0xffff0000 netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. device gre0 entered promiscuous mode QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl netlink: 16 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65527 sclass=netlink_route_socket pig=15019 comm=syz-executor3 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65527 sclass=netlink_route_socket pig=15019 comm=syz-executor3 netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'. QAT: Invalid ioctl device syz5 entered promiscuous mode QAT: Invalid ioctl device syz5 left promiscuous mode device syz5 entered promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. IPv6: Can't replace route, no match found netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. IPv6: Can't replace route, no match found ALSA: seq fatal error: cannot create timer (-19) netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. QAT: Invalid ioctl netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. QAT: Invalid ioctl netlink: 37 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 37 bytes leftover after parsing attributes in process `syz-executor3'. sock: process `syz-executor3' is using obsolete getsockopt SO_BSDCOMPAT device syz0 entered promiscuous mode device syz0 left promiscuous mode device syz0 entered promiscuous mode ====================================================== WARNING: possible circular locking dependency detected 4.14.0-rc3+ #25 Not tainted ------------------------------------------------------ syz-executor6/15378 is trying to acquire lock: (&pipe->mutex/1){+.+.}, at: [] pipe_lock_nested fs/pipe.c:66 [inline] (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x56/0x70 fs/pipe.c:74 but task is already holding lock: (sb_writers){.+.+}, at: [] file_start_write include/linux/fs.h:2696 [inline] (sb_writers){.+.+}, at: [] do_splice fs/splice.c:1146 [inline] (sb_writers){.+.+}, at: [] SYSC_splice fs/splice.c:1402 [inline] (sb_writers){.+.+}, at: [] SyS_splice+0x1117/0x1630 fs/splice.c:1382 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #5 (sb_writers){.+.+}: percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:35 [inline] percpu_down_read include/linux/percpu-rwsem.h:58 [inline] __sb_start_write+0x18f/0x290 fs/super.c:1340 sb_start_write include/linux/fs.h:1541 [inline] mnt_want_write+0x3f/0xb0 fs/namespace.c:386 filename_create+0x12b/0x520 fs/namei.c:3628 kern_path_create+0x33/0x40 fs/namei.c:3674 handle_create+0xc0/0x760 drivers/base/devtmpfs.c:202 -> #4 ((complete)&req.done){+.+.}: check_prevs_add kernel/locking/lockdep.c:2020 [inline] validate_chain kernel/locking/lockdep.c:2469 [inline] __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002 complete_acquire include/linux/completion.h:39 [inline] __wait_for_common kernel/sched/completion.c:108 [inline] wait_for_common kernel/sched/completion.c:122 [inline] wait_for_completion+0xcb/0x7b0 kernel/sched/completion.c:143 devtmpfs_create_node+0x32b/0x4a0 drivers/base/devtmpfs.c:114 device_add+0x120f/0x1640 drivers/base/core.c:1824 device_register+0x1d/0x20 drivers/base/core.c:1905 tty_register_device_attr+0x422/0x740 drivers/tty/tty_io.c:2955 tty_port_register_device_attr_serdev+0x100/0x140 drivers/tty/tty_port.c:165 uart_add_one_port+0xa7a/0x15b0 drivers/tty/serial/serial_core.c:2797 serial8250_register_8250_port+0xfac/0x1990 drivers/tty/serial/8250/8250_core.c:1052