hid-generic 0000:0004:FFFFFFFD.0002: hidraw1: HID v0.00 Device [syz0] on sy BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620 in_atomic(): 1, irqs_disabled(): 0, pid: 3197, name: syz-executor.4 1 lock held by syz-executor.4/3197: #0: (sb_writers#6){.+.+.+}, at: [] file_start_write include/linux/fs.h:2543 [inline] #0: (sb_writers#6){.+.+.+}, at: [] do_sendfile+0x8a6/0xba0 fs/read_write.c:1228 Preemption disabled at:[] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 CPU: 1 PID: 3197 Comm: syz-executor.4 Not tainted 4.4.174+ #17 0000000000000000 ac77befc5d002042 ffff8801db707870 ffffffff81aad1a1 ffff8800bac897c0 0000000000000101 ffff8800bac897c0 0000000000000101 ffff8800bac897c0 ffff8801db7078a8 ffffffff813a6f33 ffff8800bac897c0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] ___might_sleep.cold+0x1c6/0x1dc kernel/sched/core.c:7988 [] __might_sleep+0x90/0x1a0 kernel/sched/core.c:7948 [] mutex_lock_nested+0x8d/0xb80 kernel/locking/mutex.c:620 [] __generic_file_fsync+0xcf/0x1c0 fs/libfs.c:944 [] generic_file_fsync+0x78/0x120 fs/libfs.c:977 [] ext4_sync_file+0x772/0xf10 fs/ext4/fsync.c:109 [] vfs_fsync_range+0x111/0x260 fs/sync.c:195 [] generic_write_sync include/linux/fs.h:2517 [inline] [] dio_complete+0x3e6/0x720 fs/direct-io.c:266 [] dio_bio_end_aio+0x176/0x3f0 fs/direct-io.c:312 [] bio_endio+0x187/0x1e0 block/bio.c:1786 [] req_bio_endio block/blk-core.c:157 [inline] [] blk_update_request+0x267/0xa50 block/blk-core.c:2653 [] scsi_end_request+0x9c/0x5d0 drivers/scsi/scsi_lib.c:695 [] scsi_io_completion+0x275/0x1810 drivers/scsi/scsi_lib.c:918 [] scsi_finish_command+0x3a4/0x520 drivers/scsi/scsi.c:607 [] scsi_softirq_done+0x259/0x370 drivers/scsi/scsi_lib.c:1654 [] blk_done_softirq+0x258/0x3a0 block/blk-softirq.c:35 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:251 [] common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:623 [] ? preempt_count_add+0x3b/0x1d0 kernel/sched/core.c:3069 [] is_module_text_address+0x13/0x50 kernel/module.c:4107 [] __kernel_text_address+0x68/0xa0 kernel/extable.c:103 [] print_context_stack+0x59/0xd0 arch/x86/kernel/dumpstack.c:107 [] dump_trace+0x179/0x390 arch/x86/kernel/dumpstack_64.c:243 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xf4/0x310 mm/slub.c:3749 [] iter_file_splice_write+0x4da/0xb30 fs/splice.c:1053 [] do_splice_from fs/splice.c:1128 [inline] [] direct_splice_actor+0x126/0x1a0 fs/splice.c:1294 [] splice_direct_to_actor+0x2ce/0x850 fs/splice.c:1247 [] do_splice_direct+0x1a5/0x260 fs/splice.c:1337 [] do_sendfile+0x4ed/0xba0 fs/read_write.c:1229 [] C_SYSC_sendfile fs/read_write.c:1311 [inline] [] compat_SyS_sendfile+0x144/0x160 fs/read_write.c:1294 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a ================================= [ INFO: inconsistent lock state ] 4.4.174+ #17 Not tainted --------------------------------- inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. syz-executor.4/3197 [HC0[0]:SC1[1]:HE1:SE0] takes: (&sb->s_type->i_mutex_key#9){+.?.+.}, at: [] __generic_file_fsync+0xcf/0x1c0 fs/libfs.c:944 {SOFTIRQ-ON-W} state was registered at: [] mark_irqflags kernel/locking/lockdep.c:2817 [inline] [] __lock_acquire+0xe73/0x4f50 kernel/locking/lockdep.c:3169 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621 [] bprm_fill_uid fs/exec.c:1357 [inline] [] prepare_binprm+0x2bf/0x770 fs/exec.c:1391 [] do_execveat_common.isra.0+0xd86/0x1e90 fs/exec.c:1620 [] do_execve fs/exec.c:1683 [inline] [] SYSC_execve fs/exec.c:1764 [inline] [] SyS_execve+0x42/0x50 fs/exec.c:1759 [] return_from_execve+0x0/0x23 irq event stamp: 11488 hardirqs last enabled at (11488): [] restore_regs_and_iret+0x0/0x1d hardirqs last disabled at (11487): [] apic_timer_interrupt+0x98/0xb0 arch/x86/entry/entry_64.S:768 softirqs last enabled at (11202): [] __do_softirq+0x4da/0xa3f kernel/softirq.c:299 softirqs last disabled at (11425): [] invoke_softirq kernel/softirq.c:350 [inline] softirqs last disabled at (11425): [] irq_exit+0x10a/0x150 kernel/softirq.c:391 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&sb->s_type->i_mutex_key#9); lock(&sb->s_type->i_mutex_key#9); *** DEADLOCK *** 1 lock held by syz-executor.4/3197: #0: (sb_writers#6){.+.+.+}, at: [] file_start_write include/linux/fs.h:2543 [inline] #0: (sb_writers#6){.+.+.+}, at: [] do_sendfile+0x8a6/0xba0 fs/read_write.c:1228 stack backtrace: CPU: 1 PID: 3197 Comm: syz-executor.4 Not tainted 4.4.174+ #17 0000000000000000 ac77befc5d002042 ffff8801db707610 ffffffff81aad1a1 0000000000000090 ffff8800bac897c0 ffffffff83abf2c0 ffffffff84057a80 ffff8800bac8a0d0 ffff8801db707688 ffffffff813ad456 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_usage_bug.cold+0x454/0x592 kernel/locking/lockdep.c:2267 [] valid_state kernel/locking/lockdep.c:2280 [inline] [] mark_lock_irq kernel/locking/lockdep.c:2478 [inline] [] mark_lock+0x6fd/0x1440 kernel/locking/lockdep.c:2933 [] mark_irqflags kernel/locking/lockdep.c:2799 [inline] [] __lock_acquire+0x145e/0x4f50 kernel/locking/lockdep.c:3169 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621 [] __generic_file_fsync+0xcf/0x1c0 fs/libfs.c:944 [] generic_file_fsync+0x78/0x120 fs/libfs.c:977 [] ext4_sync_file+0x772/0xf10 fs/ext4/fsync.c:109 [] vfs_fsync_range+0x111/0x260 fs/sync.c:195 [] generic_write_sync include/linux/fs.h:2517 [inline] [] dio_complete+0x3e6/0x720 fs/direct-io.c:266 [] dio_bio_end_aio+0x176/0x3f0 fs/direct-io.c:312 [] bio_endio+0x187/0x1e0 block/bio.c:1786 [] req_bio_endio block/blk-core.c:157 [inline] [] blk_update_request+0x267/0xa50 block/blk-core.c:2653 [] scsi_end_request+0x9c/0x5d0 drivers/scsi/scsi_lib.c:695 [] scsi_io_completion+0x275/0x1810 drivers/scsi/scsi_lib.c:918 [] scsi_finish_command+0x3a4/0x520 drivers/scsi/scsi.c:607 [] scsi_softirq_done+0x259/0x370 drivers/scsi/scsi_lib.c:1654 [] blk_done_softirq+0x258/0x3a0 block/blk-softirq.c:35 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:251 [] common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:623 [] ? preempt_count_add+0x3b/0x1d0 kernel/sched/core.c:3069 [] is_module_text_address+0x13/0x50 kernel/module.c:4107 [] __kernel_text_address+0x68/0xa0 kernel/extable.c:103 [] print_context_stack+0x59/0xd0 arch/x86/kernel/dumpstack.c:107 [] dump_trace+0x179/0x390 arch/x86/kernel/dumpstack_64.c:243 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xf4/0x310 mm/slub.c:3749 [] iter_file_splice_write+0x4da/0xb30 fs/splice.c:1053 [] do_splice_from fs/splice.c:1128 [inline] [] direct_splice_actor+0x126/0x1a0 fs/splice.c:1294 [] splice_direct_to_actor+0x2ce/0x850 fs/splice.c:1247 [] do_splice_direct+0x1a5/0x260 fs/splice.c:1337 [] do_sendfile+0x4ed/0xba0 fs/read_write.c:1229 [] C_SYSC_sendfile fs/read_write.c:1311 [inline] [] compat_SyS_sendfile+0x144/0x160 fs/read_write.c:1294 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a BUG: sleeping function called from invalid context at fs/buffer.c:1395 in_atomic(): 1, irqs_disabled(): 0, pid: 3197, name: syz-executor.4 INFO: lockdep is turned off. Preemption disabled at:[] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 CPU: 1 PID: 3197 Comm: syz-executor.4 Not tainted 4.4.174+ #17 0000000000000000 ac77befc5d002042 ffff8801db7076a8 ffffffff81aad1a1 ffff8800bac897c0 0000000000000101 ffff8800bac897c0 0000000000000101 ffff8800bac897c0 ffff8801db7076e0 ffffffff813a6f33 ffff8800bac897c0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] ___might_sleep.cold+0x1c6/0x1dc kernel/sched/core.c:7988 [] __might_sleep+0x90/0x1a0 kernel/sched/core.c:7948 [] __getblk_gfp+0x41/0x80 fs/buffer.c:1395 [] sb_getblk include/linux/buffer_head.h:313 [inline] [] __ext4_get_inode_loc+0x332/0xfb0 fs/ext4/inode.c:4054 [] ext4_write_inode+0x21d/0x3d0 fs/ext4/inode.c:4808 [] write_inode fs/fs-writeback.c:1145 [inline] [] __writeback_single_inode+0x51a/0x1380 fs/fs-writeback.c:1343 [] writeback_single_inode+0x256/0x450 fs/fs-writeback.c:1397 [] sync_inode fs/fs-writeback.c:2391 [inline] [] sync_inode_metadata+0xc3/0x100 fs/fs-writeback.c:2411 [] __generic_file_fsync+0x14e/0x1c0 fs/libfs.c:951 [] generic_file_fsync+0x78/0x120 fs/libfs.c:977 [] ext4_sync_file+0x772/0xf10 fs/ext4/fsync.c:109 [] vfs_fsync_range+0x111/0x260 fs/sync.c:195 [] generic_write_sync include/linux/fs.h:2517 [inline] [] dio_complete+0x3e6/0x720 fs/direct-io.c:266 [] dio_bio_end_aio+0x176/0x3f0 fs/direct-io.c:312 [] bio_endio+0x187/0x1e0 block/bio.c:1786 [] req_bio_endio block/blk-core.c:157 [inline] [] blk_update_request+0x267/0xa50 block/blk-core.c:2653 [] scsi_end_request+0x9c/0x5d0 drivers/scsi/scsi_lib.c:695 [] scsi_io_completion+0x275/0x1810 drivers/scsi/scsi_lib.c:918 [] scsi_finish_command+0x3a4/0x520 drivers/scsi/scsi.c:607 [] scsi_softirq_done+0x259/0x370 drivers/scsi/scsi_lib.c:1654 [] blk_done_softirq+0x258/0x3a0 block/blk-softirq.c:35 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:251 [] common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:623 [] ? preempt_count_add+0x3b/0x1d0 kernel/sched/core.c:3069 [] is_module_text_address+0x13/0x50 kernel/module.c:4107 [] __kernel_text_address+0x68/0xa0 kernel/extable.c:103 [] print_context_stack+0x59/0xd0 arch/x86/kernel/dumpstack.c:107 [] dump_trace+0x179/0x390 arch/x86/kernel/dumpstack_64.c:243 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xf4/0x310 mm/slub.c:3749 [] iter_file_splice_write+0x4da/0xb30 fs/splice.c:1053 [] do_splice_from fs/splice.c:1128 [inline] [] direct_splice_actor+0x126/0x1a0 fs/splice.c:1294 [] splice_direct_to_actor+0x2ce/0x850 fs/splice.c:1247 [] do_splice_direct+0x1a5/0x260 fs/splice.c:1337 [] do_sendfile+0x4ed/0xba0 fs/read_write.c:1229 [] C_SYSC_sendfile fs/read_write.c:1311 [inline] [] compat_SyS_sendfile+0x144/0x160 fs/read_write.c:1294 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a BUG: scheduling while atomic: syz-executor.4/3197/0x00000102 INFO: lockdep is turned off. Modules linked in: Preemption disabled at:[] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 CPU: 1 PID: 3197 Comm: syz-executor.4 Not tainted 4.4.174+ #17 0000000000000000 ac77befc5d002042 ffff8801db7073e8 ffffffff81aad1a1 0000000000000000 ffff8800bac897c0 0000000000000102 0000000000000001 000000000001e880 ffff8801db707408 ffffffff813a6fa9 ffff8801db71e880 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] __schedule_bug.cold+0x60/0x71 kernel/sched/core.c:3138 [] schedule_debug kernel/sched/core.c:3153 [inline] [] __schedule+0x118b/0x1ee0 kernel/sched/core.c:3265 [] schedule+0x99/0x1d0 kernel/sched/core.c:3355 [] schedule_timeout+0x47b/0x7c0 kernel/time/timer.c:1515 [] io_schedule_timeout+0x1ba/0x390 kernel/sched/core.c:4937 [] io_schedule include/linux/sched.h:447 [inline] [] bit_wait_io+0x23/0xc0 kernel/sched/wait.c:595 [] __wait_on_bit+0xbd/0x140 kernel/sched/wait.c:395 [] out_of_line_wait_on_bit+0xe2/0x120 kernel/sched/wait.c:408 [] wait_on_bit_io include/linux/wait.h:1015 [inline] [] __wait_on_buffer+0x5e/0x80 fs/buffer.c:123 [] wait_on_buffer include/linux/buffer_head.h:342 [inline] [] __sync_dirty_buffer+0x17e/0x1d0 fs/buffer.c:3143 [] sync_dirty_buffer+0x1b/0x20 fs/buffer.c:3155 [] ext4_write_inode+0x36c/0x3d0 fs/ext4/inode.c:4816 [] write_inode fs/fs-writeback.c:1145 [inline] [] __writeback_single_inode+0x51a/0x1380 fs/fs-writeback.c:1343 [] writeback_single_inode+0x256/0x450 fs/fs-writeback.c:1397 [] sync_inode fs/fs-writeback.c:2391 [inline] [] sync_inode_metadata+0xc3/0x100 fs/fs-writeback.c:2411 [] __generic_file_fsync+0x14e/0x1c0 fs/libfs.c:951 [] generic_file_fsync+0x78/0x120 fs/libfs.c:977 [] ext4_sync_file+0x772/0xf10 fs/ext4/fsync.c:109 [] vfs_fsync_range+0x111/0x260 fs/sync.c:195 [] generic_write_sync include/linux/fs.h:2517 [inline] [] dio_complete+0x3e6/0x720 fs/direct-io.c:266 [] dio_bio_end_aio+0x176/0x3f0 fs/direct-io.c:312 [] bio_endio+0x187/0x1e0 block/bio.c:1786 [] req_bio_endio block/blk-core.c:157 [inline] [] blk_update_request+0x267/0xa50 block/blk-core.c:2653 [] scsi_end_request+0x9c/0x5d0 drivers/scsi/scsi_lib.c:695 [] scsi_io_completion+0x275/0x1810 drivers/scsi/scsi_lib.c:918 [] scsi_finish_command+0x3a4/0x520 drivers/scsi/scsi.c:607 [] scsi_softirq_done+0x259/0x370 drivers/scsi/scsi_lib.c:1654 [] blk_done_softirq+0x258/0x3a0 block/blk-softirq.c:35 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:251 [] common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:623 [] ? preempt_count_add+0x3b/0x1d0 kernel/sched/core.c:3069 [] is_module_text_address+0x13/0x50 kernel/module.c:4107 [] __kernel_text_address+0x68/0xa0 kernel/extable.c:103 [] print_context_stack+0x59/0xd0 arch/x86/kernel/dumpstack.c:107 [] dump_trace+0x179/0x390 arch/x86/kernel/dumpstack_64.c:243 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xf4/0x310 mm/slub.c:3749 [] iter_file_splice_write+0x4da/0xb30 fs/splice.c:1053 [] do_splice_from fs/splice.c:1128 [inline] [] direct_splice_actor+0x126/0x1a0 fs/splice.c:1294 [] splice_direct_to_actor+0x2ce/0x850 fs/splice.c:1247 [] do_splice_direct+0x1a5/0x260 fs/splice.c:1337 [] do_sendfile+0x4ed/0xba0 fs/read_write.c:1229 [] C_SYSC_sendfile fs/read_write.c:1311 [inline] [] compat_SyS_sendfile+0x144/0x160 fs/read_write.c:1294 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a softirq: huh, entered softirq 4 BLOCK ffffffff81a5ee40 with preempt_count 00000101, exited with 00000000?