======================================================== WARNING: possible irq lock inversion dependency detected 5.9.0-rc2-syzkaller #0 Not tainted -------------------------------------------------------- syz-executor.0/10487 just changed the state of lock: ffff8880a3473d48 (&timer->lock){..-.}-{2:2}, at: snd_timer_interrupt sound/core/timer.c:856 [inline] ffff8880a3473d48 (&timer->lock){..-.}-{2:2}, at: snd_timer_interrupt+0xa0/0xe20 sound/core/timer.c:840 but this lock took another, SOFTIRQ-READ-unsafe lock in the past: (&f->f_owner.lock){.+.+}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Chain exists of: &timer->lock --> &new->fa_lock --> &f->f_owner.lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&f->f_owner.lock); local_irq_disable(); lock(&timer->lock); lock(&new->fa_lock); lock(&timer->lock); *** DEADLOCK *** 4 locks held by syz-executor.0/10487: #0: ffff8880a1c18450 (sb_writers#4){.+.+}-{0:0}, at: sb_start_write include/linux/fs.h:1643 [inline] #0: ffff8880a1c18450 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x37/0xa0 fs/namespace.c:354 #1: ffff888082400388 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:814 [inline] #1: ffff888082400388 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: filename_create+0x13b/0x3f0 fs/namei.c:3466 #2: ffffffff8af08cd8 (tomoyo_ss){....}-{0:0}, at: tomoyo_path_perm+0x1d1/0x3c0 security/tomoyo/file.c:847 #3: ffffc90000007db8 ((&priv->tlist)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline] #3: ffffc90000007db8 ((&priv->tlist)){+.-.}-{0:0}, at: call_timer_fn+0xd3/0x5b0 kernel/time/timer.c:1403 the shortest dependencies between 2nd lock and 1st lock: -> (&f->f_owner.lock){.+.+}-{2:2} { HARDIRQ-ON-R at: lock_acquire+0x188/0xac0 kernel/locking/lockdep.c:5020 __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] _raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223 f_getown_ex fs/fcntl.c:206 [inline] do_fcntl+0x94e/0xe50 fs/fcntl.c:387 __do_sys_fcntl fs/fcntl.c:463 [inline] __se_sys_fcntl fs/fcntl.c:448 [inline] __x64_sys_fcntl+0x11a/0x160 fs/fcntl.c:448 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 SOFTIRQ-ON-R at: lock_acquire+0x188/0xac0 kernel/locking/lockdep.c:5020 __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] _raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223 f_getown_ex fs/fcntl.c:206 [inline] do_fcntl+0x94e/0xe50 fs/fcntl.c:387 __do_sys_fcntl fs/fcntl.c:463 [inline] __se_sys_fcntl fs/fcntl.c:448 [inline] __x64_sys_fcntl+0x11a/0x160 fs/fcntl.c:448 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 INITIAL USE at: lock_acquire+0x188/0xac0 kernel/locking/lockdep.c:5020 __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] _raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223 send_sigio+0x1f/0x2d0 fs/fcntl.c:786 kill_fasync_rcu fs/fcntl.c:1009 [inline] kill_fasync fs/fcntl.c:1023 [inline] kill_fasync+0x1e1/0x3a0 fs/fcntl.c:1016 snd_timer_user_ccallback+0x253/0x300 sound/core/timer.c:1387 snd_timer_notify1+0x117/0x330 sound/core/timer.c:516 snd_timer_start1+0x3ee/0x710 sound/core/timer.c:577 snd_timer_user_start+0xee/0x140 sound/core/timer.c:1985 __snd_timer_user_ioctl+0xc45/0x1db0 sound/core/timer.c:2108 snd_timer_user_ioctl+0x55/0x71 sound/core/timer.c:2129 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x120/0x190 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 } ... key at: [] __key.50580+0x0/0x40 ... acquired at: __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] _raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223 send_sigio+0x1f/0x2d0 fs/fcntl.c:786 kill_fasync_rcu fs/fcntl.c:1009 [inline] kill_fasync fs/fcntl.c:1023 [inline] kill_fasync+0x1e1/0x3a0 fs/fcntl.c:1016 snd_timer_user_ccallback+0x253/0x300 sound/core/timer.c:1387 snd_timer_notify1+0x117/0x330 sound/core/timer.c:516 snd_timer_start1+0x3ee/0x710 sound/core/timer.c:577 snd_timer_user_start+0xee/0x140 sound/core/timer.c:1985 __snd_timer_user_ioctl+0xc45/0x1db0 sound/core/timer.c:2108 snd_timer_user_ioctl+0x55/0x71 sound/core/timer.c:2129 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x120/0x190 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> (&new->fa_lock){....}-{2:2} { INITIAL USE at: lock_acquire+0x188/0xac0 kernel/locking/lockdep.c:5020 __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] _raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223 kill_fasync_rcu fs/fcntl.c:1002 [inline] kill_fasync fs/fcntl.c:1023 [inline] kill_fasync+0x14c/0x3a0 fs/fcntl.c:1016 snd_timer_user_ccallback+0x253/0x300 sound/core/timer.c:1387 snd_timer_notify1+0x117/0x330 sound/core/timer.c:516 snd_timer_start1+0x3ee/0x710 sound/core/timer.c:577 snd_timer_user_start+0xee/0x140 sound/core/timer.c:1985 __snd_timer_user_ioctl+0xc45/0x1db0 sound/core/timer.c:2108 snd_timer_user_ioctl+0x55/0x71 sound/core/timer.c:2129 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x120/0x190 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 } ... key at: [] __key.46457+0x0/0x40 ... acquired at: __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] _raw_read_lock+0x5b/0x70 kernel/locking/spinlock.c:223 kill_fasync_rcu fs/fcntl.c:1002 [inline] kill_fasync fs/fcntl.c:1023 [inline] kill_fasync+0x14c/0x3a0 fs/fcntl.c:1016 snd_timer_user_ccallback+0x253/0x300 sound/core/timer.c:1387 snd_timer_notify1+0x117/0x330 sound/core/timer.c:516 snd_timer_start1+0x3ee/0x710 sound/core/timer.c:577 snd_timer_user_start+0xee/0x140 sound/core/timer.c:1985 __snd_timer_user_ioctl+0xc45/0x1db0 sound/core/timer.c:2108 snd_timer_user_ioctl+0x55/0x71 sound/core/timer.c:2129 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x120/0x190 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> (&timer->lock){..-.}-{2:2} { IN-SOFTIRQ-W at: lock_acquire+0x188/0xac0 kernel/locking/lockdep.c:5020 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:159 snd_timer_interrupt sound/core/timer.c:856 [inline] snd_timer_interrupt+0xa0/0xe20 sound/core/timer.c:840 call_timer_fn+0x16f/0x5b0 kernel/time/timer.c:1413 expire_timers kernel/time/timer.c:1458 [inline] __run_timers kernel/time/timer.c:1755 [inline] run_timer_softirq+0x589/0x1170 kernel/time/timer.c:1768 __do_softirq+0x1d5/0xa45 kernel/softirq.c:298 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] do_softirq_own_stack+0xa4/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x132/0x150 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x48/0xd0 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581 unwind_get_return_address arch/x86/kernel/unwind_orc.c:317 [inline] unwind_get_return_address+0x6c/0x90 arch/x86/kernel/unwind_orc.c:312 arch_stack_walk+0x9a/0xf0 arch/x86/kernel/stacktrace.c:26 stack_trace_save+0x85/0xb0 kernel/stacktrace.c:123 kasan_save_stack+0x19/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:461 [inline] __kasan_kmalloc.constprop.14+0xc1/0xd0 mm/kasan/common.c:434 slab_post_alloc_hook+0x40/0x480 mm/slab.h:518 slab_alloc_node mm/slub.c:2892 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc_trace+0xe2/0x1e0 mm/slub.c:2917 kmalloc include/linux/slab.h:554 [inline] tomoyo_print_header security/tomoyo/audit.c:156 [inline] tomoyo_init_log+0x1b1/0x20f0 security/tomoyo/audit.c:255 tomoyo_supervisor+0x2a8/0xb80 security/tomoyo/common.c:2097 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline] tomoyo_path_permission security/tomoyo/file.c:587 [inline] tomoyo_path_permission+0x29d/0x440 security/tomoyo/file.c:573 tomoyo_path_perm+0x34a/0x3c0 security/tomoyo/file.c:838 tomoyo_path_symlink+0x82/0xd0 security/tomoyo/tomoyo.c:200 security_path_symlink+0xbb/0x110 security/security.c:1109 do_symlinkat+0xda/0x1b0 fs/namei.c:3984 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 INITIAL USE at: lock_acquire+0x188/0xac0 kernel/locking/lockdep.c:5020 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:159 snd_timer_notify sound/core/timer.c:1087 [inline] snd_timer_notify+0xcc/0x330 sound/core/timer.c:1074 snd_pcm_timer_notify sound/core/pcm_native.c:581 [inline] snd_pcm_post_stop+0x1a0/0x210 sound/core/pcm_native.c:1431 snd_pcm_action_single+0xc9/0x110 sound/core/pcm_native.c:1209 snd_pcm_stop sound/core/pcm_native.c:1455 [inline] snd_pcm_drop+0xfd/0x180 sound/core/pcm_native.c:2133 snd_pcm_oss_sync+0x1f0/0x7a0 sound/core/oss/pcm_oss.c:1711 snd_pcm_oss_release+0x1c4/0x240 sound/core/oss/pcm_oss.c:2546 __fput+0x1ff/0x830 fs/file_table.c:281 task_work_run+0xc2/0x160 kernel/task_work.c:141 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:140 [inline] exit_to_user_mode_prepare+0x1b6/0x1c0 kernel/entry/common.c:167 syscall_exit_to_user_mode+0x41/0x2a0 kernel/entry/common.c:242 entry_SYSCALL_64_after_hwframe+0x44/0xa9 } ... key at: [] __key.34689+0x0/0x40 ... acquired at: mark_lock_irq kernel/locking/lockdep.c:3579 [inline] mark_lock+0x7b5/0x1aa0 kernel/locking/lockdep.c:4006 mark_usage kernel/locking/lockdep.c:3905 [inline] __lock_acquire+0x1567/0x4fb0 kernel/locking/lockdep.c:4380 lock_acquire+0x188/0xac0 kernel/locking/lockdep.c:5020 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:159 snd_timer_interrupt sound/core/timer.c:856 [inline] snd_timer_interrupt+0xa0/0xe20 sound/core/timer.c:840 call_timer_fn+0x16f/0x5b0 kernel/time/timer.c:1413 expire_timers kernel/time/timer.c:1458 [inline] __run_timers kernel/time/timer.c:1755 [inline] run_timer_softirq+0x589/0x1170 kernel/time/timer.c:1768 __do_softirq+0x1d5/0xa45 kernel/softirq.c:298 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] do_softirq_own_stack+0xa4/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x132/0x150 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x48/0xd0 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581 unwind_get_return_address arch/x86/kernel/unwind_orc.c:317 [inline] unwind_get_return_address+0x6c/0x90 arch/x86/kernel/unwind_orc.c:312 arch_stack_walk+0x9a/0xf0 arch/x86/kernel/stacktrace.c:26 stack_trace_save+0x85/0xb0 kernel/stacktrace.c:123 kasan_save_stack+0x19/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:461 [inline] __kasan_kmalloc.constprop.14+0xc1/0xd0 mm/kasan/common.c:434 slab_post_alloc_hook+0x40/0x480 mm/slab.h:518 slab_alloc_node mm/slub.c:2892 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc_trace+0xe2/0x1e0 mm/slub.c:2917 kmalloc include/linux/slab.h:554 [inline] tomoyo_print_header security/tomoyo/audit.c:156 [inline] tomoyo_init_log+0x1b1/0x20f0 security/tomoyo/audit.c:255 tomoyo_supervisor+0x2a8/0xb80 security/tomoyo/common.c:2097 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline] tomoyo_path_permission security/tomoyo/file.c:587 [inline] tomoyo_path_permission+0x29d/0x440 security/tomoyo/file.c:573 tomoyo_path_perm+0x34a/0x3c0 security/tomoyo/file.c:838 tomoyo_path_symlink+0x82/0xd0 security/tomoyo/tomoyo.c:200 security_path_symlink+0xbb/0x110 security/security.c:1109 do_symlinkat+0xda/0x1b0 fs/namei.c:3984 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 stack backtrace: CPU: 0 PID: 10487 Comm: syz-executor.0 Not tainted 5.9.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x99/0xd0 lib/dump_stack.c:118 print_irq_inversion_bug kernel/locking/lockdep.c:599 [inline] check_usage_forwards.cold.50+0x39/0x42 kernel/locking/lockdep.c:3453 mark_lock_irq kernel/locking/lockdep.c:3579 [inline] mark_lock+0x7b5/0x1aa0 kernel/locking/lockdep.c:4006 mark_usage kernel/locking/lockdep.c:3905 [inline] __lock_acquire+0x1567/0x4fb0 kernel/locking/lockdep.c:4380 lock_acquire+0x188/0xac0 kernel/locking/lockdep.c:5020 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:159 snd_timer_interrupt sound/core/timer.c:856 [inline] snd_timer_interrupt+0xa0/0xe20 sound/core/timer.c:840 call_timer_fn+0x16f/0x5b0 kernel/time/timer.c:1413 expire_timers kernel/time/timer.c:1458 [inline] __run_timers kernel/time/timer.c:1755 [inline] run_timer_softirq+0x589/0x1170 kernel/time/timer.c:1768 __do_softirq+0x1d5/0xa45 kernel/softirq.c:298 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] do_softirq_own_stack+0xa4/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x132/0x150 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x48/0xd0 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581 RIP: 0010:unwind_get_return_address arch/x86/kernel/unwind_orc.c:317 [inline] RIP: 0010:unwind_get_return_address+0x6c/0x90 arch/x86/kernel/unwind_orc.c:312 Code: 80 3c 02 00 75 32 48 8b 7b 48 e8 df 76 18 00 85 c0 74 d3 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 75 18 <48> 8b 43 48 5b 5d c3 e8 88 69 78 00 eb a8 48 89 ef e8 8e 69 78 00 RSP: 0018:ffffc9000277f3d0 EFLAGS: 00000246 RAX: dffffc0000000000 RBX: ffffc9000277f3e8 RCX: 0000000000000000 RDX: 1ffff920004efe86 RSI: 0000000000000000 RDI: ffffffff81a43580 RBP: ffffc9000277f430 R08: ffffffff8d14cfbe R09: 0000000000000001 R10: 0000000000076022 R11: 000000000002872d R12: ffffc9000277f4a0 R13: 0000000000000000 R14: ffff88808527cec0 R15: ffff8880b5842140 arch_stack_walk+0x9a/0xf0 arch/x86/kernel/stacktrace.c:26 stack_trace_save+0x85/0xb0 kernel/stacktrace.c:123 kasan_save_stack+0x19/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:461 [inline] __kasan_kmalloc.constprop.14+0xc1/0xd0 mm/kasan/common.c:434 slab_post_alloc_hook+0x40/0x480 mm/slab.h:518 slab_alloc_node mm/slub.c:2892 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc_trace+0xe2/0x1e0 mm/slub.c:2917 kmalloc include/linux/slab.h:554 [inline] tomoyo_print_header security/tomoyo/audit.c:156 [inline] tomoyo_init_log+0x1b1/0x20f0 security/tomoyo/audit.c:255 tomoyo_supervisor+0x2a8/0xb80 security/tomoyo/common.c:2097 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline] tomoyo_path_permission security/tomoyo/file.c:587 [inline] tomoyo_path_permission+0x29d/0x440 security/tomoyo/file.c:573 tomoyo_path_perm+0x34a/0x3c0 security/tomoyo/file.c:838 tomoyo_path_symlink+0x82/0xd0 security/tomoyo/tomoyo.c:200 security_path_symlink+0xbb/0x110 security/security.c:1109 do_symlinkat+0xda/0x1b0 fs/namei.c:3984 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x465ef7 Code: 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd44338408 EFLAGS: 00000202 ORIG_RAX: 0000000000000058 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000465ef7 RDX: 00007ffd443384f3 RSI: 00000000004bfd6e RDI: 00007ffd443384e0 RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffd443382a0 R10: 00007ffd44338157 R11: 0000000000000202 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000001 R15: 00007ffd443384e0