[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.15.202' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 63.505956][ T8180] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 63.866035][ T8180] usb 1-1: config 0 has an invalid interface number: 123 but max is 0
[ 63.874358][ T8180] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[ 63.885894][ T8180] usb 1-1: config 0 has no interface number 0
[ 63.892006][ T8180] usb 1-1: config 0 interface 123 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 15
[ 64.066040][ T8180] usb 1-1: New USB device found, idVendor=0781, idProduct=0100, bcdDevice= 1.00
[ 64.075093][ T8180] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 64.084299][ T8180] usb 1-1: Product: syz
[ 64.089076][ T8180] usb 1-1: Manufacturer: syz
[ 64.093705][ T8180] usb 1-1: SerialNumber: syz
[ 64.102704][ T8180] usb 1-1: config 0 descriptor??
[ 64.366111][ T8506]
[ 64.368572][ T8506] ========================================================
[ 64.375744][ T8506] WARNING: possible irq lock inversion dependency detected
[ 64.382926][ T8506] 5.10.0-rc1-next-20201030-syzkaller #0 Not tainted
[ 64.389486][ T8506] --------------------------------------------------------
[ 64.396657][ T8506] syz-executor138/8506 just changed the state of lock:
[ 64.403479][ T8506] ffff88801d4c3a38 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8ab/0x1070
[ 64.412235][ T8506] but this lock was taken by another, HARDIRQ-safe lock in the past:
[ 64.420266][ T8506]  (&dev->event_lock){-...}-{2:2}
[ 64.420279][ T8506]
[ 64.420279][ T8506]
[ 64.420279][ T8506] and interrupts could create inverse lock ordering between them.
[ 64.420279][ T8506]
[ 64.439547][ T8506]
[ 64.439547][ T8506] other info that might help us debug this:
[ 64.447577][ T8506] Chain exists of:
[ 64.447577][ T8506]   &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
[ 64.447577][ T8506]
[ 64.460586][ T8506]  Possible interrupt unsafe locking scenario:
[ 64.460586][ T8506]
[ 64.468880][ T8506]        CPU0                    CPU1
[ 64.474236][ T8506]        ----                    ----
[ 64.479597][ T8506]   lock(&f->f_owner.lock);
[ 64.484083][ T8506]                                local_irq_disable();
[ 64.490808][ T8506]                                lock(&dev->event_lock);
[ 64.497813][ T8506]                                lock(&new->fa_lock);
[ 64.504545][ T8506]
[ 64.507973][ T8506]     lock(&dev->event_lock);
[ 64.512637][ T8506]
[ 64.512637][ T8506]  *** DEADLOCK ***
[ 64.512637][ T8506]
[ 64.520756][ T8506] no locks held by syz-executor138/8506.
[ 64.526355][ T8506]
[ 64.526355][ T8506] the shortest dependencies between 2nd lock and 1st lock:
[ 64.535707][ T8506] -> (&dev->event_lock){-...}-{2:2} {
[ 64.541321][ T8506]    IN-HARDIRQ-W at:
[ 64.545550][ T8506]        lock_acquire+0x1af/0x8b0
[ 64.552195][ T8506]        _raw_spin_lock_irqsave+0x39/0x50
[ 64.559553][ T8506]        input_event+0x7b/0xb0
[ 64.565944][ T8506]        psmouse_report_standard_buttons+0x2c/0x80
[ 64.574076][ T8506]        psmouse_process_byte+0x1e1/0x890
[ 64.581416][ T8506]        psmouse_handle_byte+0x41/0x1b0
[ 64.588755][ T8506]        psmouse_interrupt+0x304/0xf00
[ 64.595850][ T8506]        serio_interrupt+0x88/0x150
[ 64.602672][ T8506]        i8042_interrupt+0x27a/0x520
[ 64.609580][ T8506]        __handle_irq_event_percpu+0x303/0x8f0
[ 64.617357][ T8506]        handle_irq_event+0x102/0x290
[ 64.624365][ T8506]        handle_edge_irq+0x25f/0xd00
[ 64.631744][ T8506]        asm_call_irq_on_stack+0xf/0x20
[ 64.638991][ T8506]        common_interrupt+0x120/0x200
[ 64.645998][ T8506]        asm_common_interrupt+0x1e/0x40
[ 64.653172][ T8506]        _raw_spin_unlock_irqrestore+0x25/0x50
[ 64.660954][ T8506]        i8042_command+0x12e/0x150
[ 64.667690][ T8506]        i8042_aux_write+0xd7/0x120
[ 64.674525][ T8506]        ps2_do_sendbyte+0x2ca/0x710
[ 64.681432][ T8506]        ps2_sendbyte+0x58/0x150
[ 64.688006][ T8506]        cypress_ps2_sendbyte+0x2e/0x160
[ 64.695270][ T8506]        cypress_send_ext_cmd+0x1d0/0x8d0
[ 64.702611][ T8506]        cypress_detect+0x75/0x190
[ 64.709357][ T8506]        psmouse_try_protocol+0x211/0x370
[ 64.716710][ T8506]        psmouse_extensions+0x557/0x930
[ 64.723877][ T8506]        psmouse_switch_protocol+0x52a/0x740
[ 64.731502][ T8506]        psmouse_connect+0x5e6/0xfc0
[ 64.738478][ T8506]        serio_driver_probe+0x72/0xa0
[ 64.745480][ T8506]        really_probe+0x291/0xde0
[ 64.752135][ T8506]        driver_probe_device+0x26b/0x3d0
[ 64.759412][ T8506]        device_driver_attach+0x228/0x290
[ 64.766755][ T8506]        __driver_attach+0x15b/0x2f0
[ 64.773664][ T8506]        bus_for_each_dev+0x147/0x1d0
[ 64.780658][ T8506]        serio_handle_event+0x5f6/0xa30
[ 64.787836][ T8506]        process_one_work+0x933/0x15a0
[ 64.794932][ T8506]        worker_thread+0x64c/0x1120
[ 64.801849][ T8506]        kthread+0x3af/0x4a0
[ 64.808156][ T8506]        ret_from_fork+0x1f/0x30
[ 64.814724][ T8506]    INITIAL USE at:
[ 64.818911][ T8506]        lock_acquire+0x1af/0x8b0
[ 64.825478][ T8506]        _raw_spin_lock_irqsave+0x39/0x50
[ 64.832752][ T8506]        input_inject_event+0xa6/0x310
[ 64.839763][ T8506]        led_set_brightness_nosleep+0xe6/0x1a0
[ 64.847463][ T8506]        led_set_brightness+0x134/0x170
[ 64.854545][ T8506]        led_trigger_event+0x70/0xd0
[ 64.861368][ T8506]        kbd_led_trigger_activate+0xfa/0x130
[ 64.868880][ T8506]        led_trigger_set+0x61e/0xbd0
[ 64.876827][ T8506]        led_trigger_set_default+0x1a6/0x230
[ 64.884341][ T8506]        led_classdev_register_ext+0x5b1/0x7c0
[ 64.892115][ T8506]        input_leds_connect+0x3fb/0x740
[ 64.899195][ T8506]        input_attach_handler+0x180/0x1f0
[ 64.906449][ T8506]        input_register_device.cold+0xf0/0x307
[ 64.914145][ T8506]        atkbd_connect+0x736/0xa00
[ 64.920791][ T8506]        serio_driver_probe+0x72/0xa0
[ 64.927698][ T8506]        really_probe+0x291/0xde0
[ 64.934254][ T8506]        driver_probe_device+0x26b/0x3d0
[ 64.941434][ T8506]        device_driver_attach+0x228/0x290
[ 64.948686][ T8506]        __driver_attach+0x15b/0x2f0
[ 64.955514][ T8506]        bus_for_each_dev+0x147/0x1d0
[ 64.962419][ T8506]        serio_handle_event+0x5f6/0xa30
[ 64.969499][ T8506]        process_one_work+0x933/0x15a0
[ 64.976490][ T8506]        worker_thread+0x64c/0x1120
[ 64.983239][ T8506]        kthread+0x3af/0x4a0
[ 64.989363][ T8506]        ret_from_fork+0x1f/0x30
[ 64.995842][ T8506] }
[ 64.998603][ T8506] ... key at: [] __key.8+0x0/0x40
[ 65.005966][ T8506] ... acquired at:
[ 65.010024][ T8506]    _raw_spin_lock+0x2a/0x40
[ 65.014689][ T8506]    evdev_pass_values.part.0+0xf6/0x970
[ 65.020302][ T8506]    evdev_events+0x28b/0x3f0
[ 65.024958][ T8506]    input_to_handler+0x2a0/0x4c0
[ 65.029960][ T8506]    input_pass_values.part.0+0x284/0x700
[ 65.035653][ T8506]    input_handle_event+0x324/0x1400
[ 65.040973][ T8506]    input_inject_event+0x2f5/0x310
[ 65.046141][ T8506]    evdev_write+0x430/0x760
[ 65.050703][ T8506]    vfs_write+0x28e/0x700
[ 65.055089][ T8506]    ksys_write+0x1ee/0x250
[ 65.059572][ T8506]    do_syscall_64+0x2d/0x70
[ 65.064144][ T8506]    entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.070175][ T8506]
[ 65.072475][ T8506] -> (&client->buffer_lock){....}-{2:2} {
[ 65.078348][ T8506]    INITIAL USE at:
[ 65.082392][ T8506]        lock_acquire+0x1af/0x8b0
[ 65.088801][ T8506]        _raw_spin_lock+0x2a/0x40
[ 65.095292][ T8506]        evdev_pass_values.part.0+0xf6/0x970
[ 65.102633][ T8506]        evdev_events+0x28b/0x3f0
[ 65.109017][ T8506]        input_to_handler+0x2a0/0x4c0
[ 65.115749][ T8506]        input_pass_values.part.0+0x284/0x700
[ 65.123183][ T8506]        input_handle_event+0x324/0x1400
[ 65.130349][ T8506]        input_inject_event+0x2f5/0x310
[ 65.137687][ T8506]        evdev_write+0x430/0x760
[ 65.143985][ T8506]        vfs_write+0x28e/0x700
[ 65.150110][ T8506]        ksys_write+0x1ee/0x250
[ 65.156324][ T8506]        do_syscall_64+0x2d/0x70
[ 65.162622][ T8506]        entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.170477][ T8506] }
[ 65.173145][ T8506] ... key at: [] __key.4+0x0/0x40
[ 65.180403][ T8506] ... acquired at:
[ 65.184358][ T8506]    _raw_read_lock+0x5b/0x70
[ 65.189010][ T8506]    kill_fasync+0x14b/0x460
[ 65.193570][ T8506]    evdev_pass_values.part.0+0x64e/0x970
[ 65.199274][ T8506]    evdev_events+0x28b/0x3f0
[ 65.203925][ T8506]    input_to_handler+0x2a0/0x4c0
[ 65.208925][ T8506]    input_pass_values.part.0+0x284/0x700
[ 65.214624][ T8506]    input_handle_event+0x324/0x1400
[ 65.219893][ T8506]    input_inject_event+0x2f5/0x310
[ 65.225061][ T8506]    evdev_write+0x430/0x760
[ 65.229626][ T8506]    vfs_write+0x28e/0x700
[ 65.234012][ T8506]    ksys_write+0x1ee/0x250
[ 65.238503][ T8506]    do_syscall_64+0x2d/0x70
[ 65.243065][ T8506]    entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.249108][ T8506]
[ 65.251408][ T8506] -> (&new->fa_lock){....}-{2:2} {
[ 65.256586][ T8506]    INITIAL READ USE at:
[ 65.260978][ T8506]        lock_acquire+0x1af/0x8b0
[ 65.267625][ T8506]        _raw_read_lock+0x5b/0x70
[ 65.274269][ T8506]        kill_fasync+0x14b/0x460
[ 65.280843][ T8506]        evdev_pass_values.part.0+0x64e/0x970
[ 65.288529][ T8506]        evdev_events+0x28b/0x3f0
[ 65.295185][ T8506]        input_to_handler+0x2a0/0x4c0
[ 65.302181][ T8506]        input_pass_values.part.0+0x284/0x700
[ 65.309880][ T8506]        input_handle_event+0x324/0x1400
[ 65.317236][ T8506]        input_inject_event+0x2f5/0x310
[ 65.324400][ T8506]        evdev_write+0x430/0x760
[ 65.330971][ T8506]        vfs_write+0x28e/0x700
[ 65.337367][ T8506]        ksys_write+0x1ee/0x250
[ 65.343839][ T8506]        do_syscall_64+0x2d/0x70
[ 65.350672][ T8506]        entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.358702][ T8506] }
[ 65.361274][ T8506] ... key at: [] __key.0+0x0/0x40
[ 65.368444][ T8506] ... acquired at:
[ 65.372309][ T8506]    _raw_read_lock+0x5b/0x70
[ 65.376967][ T8506]    send_sigio+0x24/0x360
[ 65.381352][ T8506]    kill_fasync+0x205/0x460
[ 65.385951][ T8506]    evdev_pass_values.part.0+0x64e/0x970
[ 65.391647][ T8506]    evdev_events+0x28b/0x3f0
[ 65.396307][ T8506]    input_to_handler+0x2a0/0x4c0
[ 65.401304][ T8506]    input_pass_values.part.0+0x284/0x700
[ 65.407090][ T8506]    input_handle_event+0x324/0x1400
[ 65.412357][ T8506]    input_inject_event+0x2f5/0x310
[ 65.417612][ T8506]    evdev_write+0x430/0x760
[ 65.422177][ T8506]    vfs_write+0x28e/0x700
[ 65.426564][ T8506]    ksys_write+0x1ee/0x250
[ 65.431040][ T8506]    do_syscall_64+0x2d/0x70
[ 65.435688][ T8506]    entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.441731][ T8506]
[ 65.444028][ T8506] -> (&f->f_owner.lock){.+..}-{2:2} {
[ 65.449395][ T8506]    HARDIRQ-ON-R at:
[ 65.453352][ T8506]        lock_acquire+0x1af/0x8b0
[ 65.459474][ T8506]        _raw_read_lock+0x5b/0x70
[ 65.465599][ T8506]        do_fcntl+0x8ab/0x1070
[ 65.471462][ T8506]        __x64_sys_fcntl+0x165/0x1e0
[ 65.477856][ T8506]        do_syscall_64+0x2d/0x70
[ 65.483894][ T8506]        entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.491409][ T8506]    INITIAL READ USE at:
[ 65.495714][ T8506]        lock_acquire+0x1af/0x8b0
[ 65.502185][ T8506]        _raw_read_lock+0x5b/0x70
[ 65.508661][ T8506]        send_sigio+0x24/0x360
[ 65.514892][ T8506]        kill_fasync+0x205/0x460
[ 65.521292][ T8506]        evdev_pass_values.part.0+0x64e/0x970
[ 65.528806][ T8506]        evdev_events+0x28b/0x3f0
[ 65.535288][ T8506]        input_to_handler+0x2a0/0x4c0
[ 65.542110][ T8506]        input_pass_values.part.0+0x284/0x700
[ 65.549622][ T8506]        input_handle_event+0x324/0x1400
[ 65.556711][ T8506]        input_inject_event+0x2f5/0x310
[ 65.563797][ T8506]        evdev_write+0x430/0x760
[ 65.570200][ T8506]        vfs_write+0x28e/0x700
[ 65.576417][ T8506]        ksys_write+0x1ee/0x250
[ 65.582722][ T8506]        do_syscall_64+0x2d/0x70
[ 65.589128][ T8506]        entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.596991][ T8506] }
[ 65.599501][ T8506] ... key at: [] __key.5+0x0/0x40
[ 65.607275][ T8506] ... acquired at:
[ 65.611064][ T8506]    __lock_acquire+0x11f5/0x5590
[ 65.616126][ T8506]    lock_acquire+0x1af/0x8b0
[ 65.620780][ T8506]    _raw_read_lock+0x5b/0x70
[ 65.625567][ T8506]    do_fcntl+0x8ab/0x1070
[ 65.629969][ T8506]    __x64_sys_fcntl+0x165/0x1e0
[ 65.634903][ T8506]    do_syscall_64+0x2d/0x70
[ 65.639483][ T8506]    entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.645524][ T8506]
[ 65.647831][ T8506]
[ 65.647831][ T8506] stack backtrace:
[ 65.653705][ T8506] CPU: 0 PID: 8506 Comm: syz-executor138 Not tainted 5.10.0-rc1-next-20201030-syzkaller #0
[ 65.663652][ T8506] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.673679][ T8506] Call Trace:
[ 65.676950][ T8506]  dump_stack+0x107/0x163
[ 65.681278][ T8506]  mark_lock.cold+0x1a/0x74
[ 65.685765][ T8506]  ? lock_chain_count+0x20/0x20
[ 65.690629][ T8506]  ? do_sys_openat2+0x153/0x420
[ 65.695468][ T8506]  ? do_syscall_64+0x2d/0x70
[ 65.700046][ T8506]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.706160][ T8506]  __lock_acquire+0x11f5/0x5590
[ 65.711016][ T8506]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 65.719328][ T8506]  ? lockdep_hardirqs_on+0x79/0x100
[ 65.724514][ T8506]  lock_acquire+0x1af/0x8b0
[ 65.728999][ T8506]  ? do_fcntl+0x8ab/0x1070
[ 65.733393][ T8506]  ? lock_release+0x710/0x710
[ 65.738052][ T8506]  ? putname+0xe1/0x120
[ 65.742237][ T8506]  ? do_sys_openat2+0xa1/0x420
[ 65.746983][ T8506]  _raw_read_lock+0x5b/0x70
[ 65.751464][ T8506]  ? do_fcntl+0x8ab/0x1070
[ 65.755885][ T8506]  do_fcntl+0x8ab/0x1070
[ 65.760106][ T8506]  ? f_setown+0x230/0x230
[ 65.764428][ T8506]  ? __x64_sys_openat+0x13f/0x1f0
[ 65.769443][ T8506]  ? tomoyo_file_fcntl+0x6e/0xc0
[ 65.774361][ T8506]  ? bpf_lsm_file_fcntl+0x5/0x10
[ 65.779277][ T8506]  __x64_sys_fcntl+0x165/0x1e0
[ 65.784024][ T8506]  do_syscall_64+0x2d/0x70
[ 65.788470][ T8506]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.794422][ T8506] RIP: 0033:0x4475d9
[ 65.798295][ T8506] Code: e8 bc af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.817956][ T8506] RSP: 002b:00007ffd26d7f9d8 EFLAGS