====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Not tainted ------------------------------------------------------ kworker/1:4/6459 is trying to acquire lock: ffff8880297d12e8 (&tty->termios_rwsem){++++}-{4:4}, at: n_tty_flush_buffer+0x25/0x1b0 drivers/tty/n_tty.c:352 but task is already holding lock: ffff88813ff390b8 (&buf->lock){+.+.}-{4:4}, at: tty_buffer_flush+0x72/0x310 drivers/tty/tty_buffer.c:229 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (&buf->lock){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:598 [inline] __mutex_lock+0x193/0x1060 kernel/locking/mutex.c:760 tty_buffer_flush+0x72/0x310 drivers/tty/tty_buffer.c:229 tty_ldisc_flush+0x64/0xe0 drivers/tty/tty_ldisc.c:388 __do_SAK+0x713/0x880 drivers/tty/tty_io.c:3025 vc_SAK+0x7f/0x320 drivers/tty/vt/vt_ioctl.c:994 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 -> #2 (console_lock){+.+.}-{0:0}: console_lock+0x7a/0xa0 kernel/printk/printk.c:2822 uart_configure_port drivers/tty/serial/serial_core.c:2547 [inline] serial_core_add_one_port drivers/tty/serial/serial_core.c:3105 [inline] serial_core_register_port+0xec4/0x25d0 drivers/tty/serial/serial_core.c:3331 serial8250_register_8250_port+0x15a3/0x23e0 drivers/tty/serial/8250/8250_core.c:818 serial_pnp_probe+0x431/0x910 drivers/tty/serial/8250/8250_pnp.c:480 pnp_device_probe+0x2a8/0x4d0 drivers/pnp/driver.c:111 call_driver_probe drivers/base/dd.c:581 [inline] really_probe+0x241/0xa90 drivers/base/dd.c:659 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831 __driver_attach+0x283/0x580 drivers/base/dd.c:1217 bus_for_each_dev+0x13e/0x1d0 drivers/base/bus.c:370 bus_add_driver+0x2e9/0x690 drivers/base/bus.c:678 driver_register+0x15c/0x4b0 drivers/base/driver.c:249 serial8250_init+0xc9/0x1e0 drivers/tty/serial/8250/8250_platform.c:320 do_one_initcall+0x123/0x6e0 init/main.c:1283 do_initcall_level init/main.c:1345 [inline] do_initcalls init/main.c:1361 [inline] do_basic_setup init/main.c:1380 [inline] kernel_init_freeable+0x5c8/0x920 init/main.c:1593 kernel_init+0x1c/0x2b0 init/main.c:1483 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 -> #1 (&port->mutex){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:598 [inline] __mutex_lock+0x193/0x1060 kernel/locking/mutex.c:760 class_mutex_constructor include/linux/mutex.h:228 [inline] uart_set_termios+0x8e/0x6b0 drivers/tty/serial/serial_core.c:1670 tty_set_termios+0x64b/0x980 drivers/tty/tty_ioctl.c:341 set_termios+0x5c6/0x880 drivers/tty/tty_ioctl.c:516 tty_mode_ioctl+0x57e/0xd30 drivers/tty/tty_ioctl.c:803 n_tty_ioctl_helper+0x4b/0x2b0 drivers/tty/tty_ioctl.c:982 n_tty_ioctl+0x7f/0x370 drivers/tty/n_tty.c:2509 tty_ioctl+0x700/0x1680 drivers/tty/tty_io.c:2801 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&tty->termios_rwsem){++++}-{4:4}: check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5237 lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825 down_write+0x92/0x200 kernel/locking/rwsem.c:1590 n_tty_flush_buffer+0x25/0x1b0 drivers/tty/n_tty.c:352 tty_buffer_flush+0x239/0x310 drivers/tty/tty_buffer.c:241 tty_ldisc_flush+0x64/0xe0 drivers/tty/tty_ldisc.c:388 __do_SAK+0x713/0x880 drivers/tty/tty_io.c:3025 vc_SAK+0x7f/0x320 drivers/tty/vt/vt_ioctl.c:994 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 other info that might help us debug this: Chain exists of: &tty->termios_rwsem --> console_lock --> &buf->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&buf->lock); lock(console_lock); lock(&buf->lock); lock(&tty->termios_rwsem); *** DEADLOCK *** 5 locks held by kworker/1:4/6459: #0: ffff88813ff11948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc900030b7d00 ((work_completion)(&vc_cons[currcons].SAK_work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffffffff8e3b1de0 (console_lock){+.+.}-{0:0}, at: class_console_lock_constructor include/linux/console.h:669 [inline] #2: ffffffff8e3b1de0 (console_lock){+.+.}-{0:0}, at: vc_SAK+0x13/0x320 drivers/tty/vt/vt_ioctl.c:985 #3: ffff8880297d10a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref drivers/tty/tty_ldisc.c:263 [inline] #3: ffff8880297d10a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_flush+0x1c/0xe0 drivers/tty/tty_ldisc.c:386 #4: ffff88813ff390b8 (&buf->lock){+.+.}-{4:4}, at: tty_buffer_flush+0x72/0x310 drivers/tty/tty_buffer.c:229 stack backtrace: CPU: 1 UID: 0 PID: 6459 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: events vc_SAK Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_circular_bug+0x275/0x350 kernel/locking/lockdep.c:2043 check_noncircular+0x14c/0x170 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5237 lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825 down_write+0x92/0x200 kernel/locking/rwsem.c:1590 n_tty_flush_buffer+0x25/0x1b0 drivers/tty/n_tty.c:352 tty_buffer_flush+0x239/0x310 drivers/tty/tty_buffer.c:241 tty_ldisc_flush+0x64/0xe0 drivers/tty/tty_ldisc.c:388 __do_SAK+0x713/0x880 drivers/tty/tty_io.c:3025 vc_SAK+0x7f/0x320 drivers/tty/vt/vt_ioctl.c:994 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 tty tty1: SAK: killed process 6462 (syz.0.16): by fd#3 tty tty1: SAK: killed process 6463 (syz.0.16): by fd#3 usb 1-1: USB disconnect, device number 3 usb 1-1: new high-speed USB device number 4 using dummy_hcd usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 usb 1-1: New USB device found, idVendor=0926, idProduct=3333, bcdDevice= 0.40 usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 usb 1-1: config 0 descriptor?? keytouch 0003:0926:3333.0003: fixing up Keytouch IEC report descriptor input: HID 0926:3333 as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.0/0003:0926:3333.0003/input/input7 keytouch 0003:0926:3333.0003: input,hidraw0: USB HID v0.00 Keyboard [HID 0926:3333] on usb-dummy_hcd.0-1/input0 tty tty1: SAK: killed process 6469 (syz.0.18): by fd#3 tty tty1: SAK: killed process 6470 (syz.0.18): by fd#3