__do_page_fault+0x549/0xad0 arch/x86/mm/fault.c:1442 page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1123 RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:181 ============================================ RSP: 0018:ffff888154867a40 EFLAGS: 00010206 WARNING: possible recursive locking detected 4.14.215-syzkaller #0 Not tainted RAX: ffffed1011f66e00 RBX: 0000000000001000 RCX: 0000000000001000 -------------------------------------------- RDX: 0000000000001000 RSI: 0000000020ffe000 RDI: ffff88808fb36000 syz-executor.2/18738 is trying to acquire lock: ( RBP: 0000000020ffe000 R08: 0000000000000001 R09: ffffed1011f66dff &port_lock_key R10: ffff88808fb36fff R11: 0000000000000000 R12: 00007ffffffff000 ){-.-.}, at: [] uart_write+0x109/0x560 drivers/tty/serial/serial_core.c:604 R13: ffff88808fb36000 R14: 0000000020fff000 R15: ffff888156cfe6c0 but task is already holding lock: copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline] raw_copy_from_user arch/x86/include/asm/uaccess_64.h:55 [inline] _copy_from_user+0xbe/0x100 lib/usercopy.c:13 ( copy_from_user include/linux/uaccess.h:147 [inline] __mcopy_atomic mm/userfaultfd.c:560 [inline] mcopy_atomic+0x1177/0x1ef0 mm/userfaultfd.c:598 &port_lock_key ){-.-.} , at: [] serial8250_handle_irq.part.0+0x20/0x330 drivers/tty/serial/8250/8250_port.c:1873 other info that might help us debug this: userfaultfd_copy fs/userfaultfd.c:1713 [inline] userfaultfd_ioctl+0x30d/0x30a0 fs/userfaultfd.c:1858 Possible unsafe locking scenario: CPU0 ---- lock( &port_lock_key); lock( &port_lock_key); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by syz-executor.2/18738: #0: ( &(&i->lock)->rlock){-.-.} vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 , at: [] spin_lock include/linux/spinlock.h:317 [inline] , at: [] serial8250_interrupt+0x3a/0x210 drivers/tty/serial/8250/8250_core.c:119 #1: ( &port_lock_key ){-.-.} , at: [] serial8250_handle_irq.part.0+0x20/0x330 drivers/tty/serial/8250/8250_port.c:1873 #2: SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 ( &tty->ldisc_sem do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 ){++++} entry_SYSCALL_64_after_hwframe+0x46/0xbb , at: [] tty_ldisc_ref+0x1b/0x80 drivers/tty/tty_ldisc.c:305 stack backtrace: RIP: 0033:0x45e219 RSP: 002b:00007f8baf892c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219 RDX: 0000000020000440 RSI: 00000000c028aa03 RDI: 0000000000000003 RBP: 000000000119bfc0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c R13: 00007ffca413b9ef R14: 00007f8baf8939c0 R15: 000000000119bf8c CPU: 0 PID: 18738 Comm: syz-executor.2 Not tainted 4.14.215-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_deadlock_bug kernel/locking/lockdep.c:1800 [inline] check_deadlock kernel/locking/lockdep.c:1847 [inline] validate_chain kernel/locking/lockdep.c:2448 [inline] __lock_acquire.cold+0x180/0x97c kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:160 uart_write+0x109/0x560 drivers/tty/serial/serial_core.c:604 n_hdlc_send_frames+0x241/0x410 drivers/tty/n_hdlc.c:404 n_hdlc_tty_wakeup+0x95/0xb0 drivers/tty/n_hdlc.c:480 tty_wakeup+0xc3/0xf0 drivers/tty/tty_io.c:533 tty_port_default_wakeup+0x26/0x40 drivers/tty/tty_port.c:49 serial8250_tx_chars+0x3fe/0xbf0 drivers/tty/serial/8250/8250_port.c:1810 serial8250_handle_irq.part.0+0x28d/0x330 drivers/tty/serial/8250/8250_port.c:1897 serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1870 [inline] serial8250_default_handle_irq+0x8a/0x1f0 drivers/tty/serial/8250/8250_port.c:1913 serial8250_interrupt+0xf3/0x210 drivers/tty/serial/8250/8250_core.c:129 __handle_irq_event_percpu+0xee/0x7f0 kernel/irq/handle.c:147 handle_irq_event_percpu kernel/irq/handle.c:187 [inline] handle_irq_event+0xf0/0x246 kernel/irq/handle.c:204 handle_edge_irq+0x224/0xc40 kernel/irq/chip.c:770 generic_handle_irq_desc include/linux/irqdesc.h:159 [inline] handle_irq+0x35/0x50 arch/x86/kernel/irq_64.c:87 do_IRQ+0x93/0x1d0 arch/x86/kernel/irq.c:230 common_interrupt+0x93/0x93 arch/x86/entry/entry_64.S:576 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline] RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0xa3/0xe0 kernel/locking/spinlock.c:192 RSP: 0018:ffff8881516d7cd0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffffc8 RAX: 1ffffffff11e1251 RBX: 0000000000000286 RCX: 0000000000000000 RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000286 RBP: ffff8880ba424c40 R08: ffff88823fff7018 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000 R13: ffff8881516d7e28 R14: ffff888094724580 R15: 0000000000000001 hrtimer_start_expires include/linux/hrtimer.h:391 [inline] do_nanosleep+0x1c3/0x600 kernel/time/hrtimer.c:1480 hrtimer_nanosleep+0x1da/0x450 kernel/time/hrtimer.c:1537 SYSC_nanosleep kernel/time/hrtimer.c:1569 [inline] SyS_nanosleep+0x116/0x170 kernel/time/hrtimer.c:1556 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x45c6e1 RSP: 002b:00007ffe47d144c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000023 RAX: ffffffffffffffda RBX: 00000000000e3696 RCX: 000000000045c6e1 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffe47d144d0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 00007ffe47d145c0 R11: 0000000000000293 R12: 000000000119bf80 R13: 000000000119ca00 R14: 00000000000003e8 R15: 000000000119bf8c