===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected syzkaller #0 Tainted: G L ----------------------------------------------------- syz.5.8277/3267 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: ffff88807ddb7750 (&new->fa_lock){...-}-{3:3}, at: kill_fasync_rcu fs/fcntl.c:1135 [inline] ffff88807ddb7750 (&new->fa_lock){...-}-{3:3}, at: kill_fasync fs/fcntl.c:1159 [inline] ffff88807ddb7750 (&new->fa_lock){...-}-{3:3}, at: kill_fasync+0x138/0x510 fs/fcntl.c:1152 and this task is already holding: ffff88802b871468 (&tty->flow.lock){....}-{3:3}, at: class_spinlock_irqsave_constructor include/linux/spinlock.h:618 [inline] ffff88802b871468 (&tty->flow.lock){....}-{3:3}, at: start_tty+0x21/0x190 drivers/tty/tty_io.c:793 which would create a new lock dependency: (&tty->flow.lock){....}-{3:3} -> (&new->fa_lock){...-}-{3:3} but this new dependency connects a SOFTIRQ-irq-safe lock: (kbd_event_lock){..-.}-{3:3} ... which became SOFTIRQ-irq-safe at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:341 [inline] class_spinlock_constructor include/linux/spinlock.h:586 [inline] kbd_event+0x89/0x1930 drivers/tty/vt/keyboard.c:1510 input_handle_events_default+0x119/0x1b0 drivers/input/input.c:2541 input_pass_values+0x753/0x880 drivers/input/input.c:128 input_event_dispose drivers/input/input.c:353 [inline] input_handle_event+0x37f/0x1500 drivers/input/input.c:370 input_event drivers/input/input.c:396 [inline] input_event+0x8e/0xd0 drivers/input/input.c:391 hidinput_hid_event+0x4dc/0x23d0 drivers/hid/hid-input.c:1747 hid_process_event+0x4bc/0x5a0 drivers/hid/hid-core.c:1565 hid_process_report drivers/hid/hid-core.c:1713 [inline] hid_report_raw_event+0xa62/0x13a0 drivers/hid/hid-core.c:2074 __hid_input_report.constprop.0+0x33f/0x460 drivers/hid/hid-core.c:2144 hid_irq_in+0x52e/0x6b0 drivers/hid/usbhid/hid-core.c:286 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741 dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995 __run_hrtimer kernel/time/hrtimer.c:1785 [inline] __hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xef/0x150 kernel/softirq.c:723 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline] sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1056 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 srso_alias_safe_ret+0x0/0x7 srso_alias_return_thunk+0x5/0xfbef5 arch/x86/lib/retpoline.S:220 deref_stack_reg arch/x86/kernel/unwind_orc.c:422 [inline] unwind_next_frame+0xb1d/0x1ea0 arch/x86/kernel/unwind_orc.c:600 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:415 kmalloc_noprof include/linux/slab.h:962 [inline] kzalloc_noprof include/linux/slab.h:1204 [inline] kobject_uevent_env+0x263/0x18b0 lib/kobject_uevent.c:540 driver_bound+0x13e/0x220 drivers/base/dd.c:422 really_probe+0x3d4/0xa60 drivers/base/dd.c:711 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 hid_add_device+0x2bf/0x440 drivers/hid/hid-core.c:2951 usbhid_probe+0xd57/0x1350 drivers/hid/usbhid/hid-core.c:1450 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x241/0xa60 drivers/base/dd.c:661 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x241/0xa60 drivers/base/dd.c:661 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695 hub_port_connect drivers/usb/core/hub.c:5567 [inline] hub_port_connect_change drivers/usb/core/hub.c:5707 [inline] port_event drivers/usb/core/hub.c:5871 [inline] hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 to a SOFTIRQ-irq-unsafe lock: (tasklist_lock){.+.+}-{3:3} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock include/linux/rwlock_api_smp.h:161 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 __do_wait+0x13b/0x8b0 kernel/exit.c:1672 do_wait+0x1ec/0x5a0 kernel/exit.c:1716 kernel_wait+0xa1/0x160 kernel/exit.c:1892 call_usermodehelper_exec_sync kernel/umh.c:136 [inline] call_usermodehelper_exec_work+0xf6/0x180 kernel/umh.c:163 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 other info that might help us debug this: Chain exists of: kbd_event_lock --> &tty->flow.lock --> tasklist_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist_lock); local_irq_disable(); lock(kbd_event_lock); lock(&tty->flow.lock); lock(kbd_event_lock); *** DEADLOCK *** 6 locks held by syz.5.8277/3267: #0: ffff88802b8710a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243 #1: ffff88802b871130 (&tty->atomic_write_lock){+.+.}-{4:4}, at: tty_write_lock drivers/tty/tty_io.c:942 [inline] #1: ffff88802b871130 (&tty->atomic_write_lock){+.+.}-{4:4}, at: tty_send_xchar+0x1ce/0x380 drivers/tty/tty_io.c:1148 #2: ffff88802b8712e8 (&tty->termios_rwsem){++++}-{4:4}, at: tty_send_xchar+0x1f7/0x380 drivers/tty/tty_io.c:1151 #3: ffff88802b871468 (&tty->flow.lock){....}-{3:3}, at: class_spinlock_irqsave_constructor include/linux/spinlock.h:618 [inline] #3: ffff88802b871468 (&tty->flow.lock){....}-{3:3}, at: start_tty+0x21/0x190 drivers/tty/tty_io.c:793 #4: ffff88802b8710a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref+0x21/0x90 drivers/tty/tty_ldisc.c:263 #5: ffffffff8e7e93e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline] #5: ffffffff8e7e93e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline] #5: ffffffff8e7e93e0 (rcu_read_lock){....}-{1:3}, at: kill_fasync fs/fcntl.c:1158 [inline] #5: ffffffff8e7e93e0 (rcu_read_lock){....}-{1:3}, at: kill_fasync+0x62/0x510 fs/fcntl.c:1152 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (kbd_event_lock){..-.}-{3:3} { IN-SOFTIRQ-W at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:341 [inline] class_spinlock_constructor include/linux/spinlock.h:586 [inline] kbd_event+0x89/0x1930 drivers/tty/vt/keyboard.c:1510 input_handle_events_default+0x119/0x1b0 drivers/input/input.c:2541 input_pass_values+0x753/0x880 drivers/input/input.c:128 input_event_dispose drivers/input/input.c:353 [inline] input_handle_event+0x37f/0x1500 drivers/input/input.c:370 input_event drivers/input/input.c:396 [inline] input_event+0x8e/0xd0 drivers/input/input.c:391 hidinput_hid_event+0x4dc/0x23d0 drivers/hid/hid-input.c:1747 hid_process_event+0x4bc/0x5a0 drivers/hid/hid-core.c:1565 hid_process_report drivers/hid/hid-core.c:1713 [inline] hid_report_raw_event+0xa62/0x13a0 drivers/hid/hid-core.c:2074 __hid_input_report.constprop.0+0x33f/0x460 drivers/hid/hid-core.c:2144 hid_irq_in+0x52e/0x6b0 drivers/hid/usbhid/hid-core.c:286 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741 dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995 __run_hrtimer kernel/time/hrtimer.c:1785 [inline] __hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xef/0x150 kernel/softirq.c:723 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline] sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1056 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 srso_alias_safe_ret+0x0/0x7 srso_alias_return_thunk+0x5/0xfbef5 arch/x86/lib/retpoline.S:220 deref_stack_reg arch/x86/kernel/unwind_orc.c:422 [inline] unwind_next_frame+0xb1d/0x1ea0 arch/x86/kernel/unwind_orc.c:600 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:415 kmalloc_noprof include/linux/slab.h:962 [inline] kzalloc_noprof include/linux/slab.h:1204 [inline] kobject_uevent_env+0x263/0x18b0 lib/kobject_uevent.c:540 driver_bound+0x13e/0x220 drivers/base/dd.c:422 really_probe+0x3d4/0xa60 drivers/base/dd.c:711 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 hid_add_device+0x2bf/0x440 drivers/hid/hid-core.c:2951 usbhid_probe+0xd57/0x1350 drivers/hid/usbhid/hid-core.c:1450 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x241/0xa60 drivers/base/dd.c:661 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x241/0xa60 drivers/base/dd.c:661 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695 hub_port_connect drivers/usb/core/hub.c:5567 [inline] hub_port_connect_change drivers/usb/core/hub.c:5707 [inline] port_event drivers/usb/core/hub.c:5871 [inline] hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 class_spinlock_irqsave_constructor include/linux/spinlock.h:618 [inline] vt_reset_unicode+0x1e/0x170 drivers/tty/vt/keyboard.c:2126 reset_vc+0x77/0x280 drivers/tty/vt/vt_ioctl.c:966 vc_init+0x9e/0x490 drivers/tty/vt/vt.c:3721 con_init+0x448/0x5f0 drivers/tty/vt/vt.c:3786 console_init+0x423/0x620 kernel/printk/printk.c:4407 start_kernel+0x305/0x480 init/main.c:1147 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310 x86_64_start_kernel+0x12b/0x130 arch/x86/kernel/head64.c:291 common_startup_64+0x13e/0x148 } ... key at: [] kbd_event_lock+0x18/0x60 keyboard.c:-1 -> (&tty->flow.lock){....}-{3:3} { INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 class_spinlock_irqsave_constructor include/linux/spinlock.h:618 [inline] start_tty+0x21/0x190 drivers/tty/tty_io.c:793 n_tty_set_termios+0x57e/0xf20 drivers/tty/n_tty.c:1848 tty_set_termios+0x6bf/0x980 drivers/tty/tty_ioctl.c:348 set_termios+0x5c8/0x880 drivers/tty/tty_ioctl.c:516 tty_mode_ioctl+0x17e/0xd40 drivers/tty/tty_ioctl.c:803 n_tty_ioctl_helper+0x47/0x2b0 drivers/tty/tty_ioctl.c:982 n_tty_ioctl+0x53/0x370 drivers/tty/n_tty.c:2496 tty_ioctl+0x1204/0x1690 drivers/tty/tty_io.c:2801 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f } ... key at: [] __key.4+0x0/0x40 ... acquired at: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 class_spinlock_irqsave_constructor include/linux/spinlock.h:618 [inline] stop_tty+0x21/0x130 drivers/tty/tty_io.c:765 fn_hold+0xb8/0xe0 drivers/tty/vt/keyboard.c:524 k_spec drivers/tty/vt/keyboard.c:662 [inline] k_spec+0x100/0x140 drivers/tty/vt/keyboard.c:651 kbd_keycode drivers/tty/vt/keyboard.c:1497 [inline] kbd_event+0xd15/0x1930 drivers/tty/vt/keyboard.c:1515 input_handle_events_default+0x119/0x1b0 drivers/input/input.c:2541 input_pass_values+0x753/0x880 drivers/input/input.c:128 input_event_dispose drivers/input/input.c:342 [inline] input_handle_event+0x7e4/0x1500 drivers/input/input.c:370 input_inject_event+0x1f1/0x3b0 drivers/input/input.c:424 evdev_write+0x3ef/0x610 drivers/input/evdev.c:528 vfs_write+0x2aa/0x1070 fs/read_write.c:686 ksys_write+0x1f8/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock: -> (tasklist_lock){.+.+}-{3:3} { HARDIRQ-ON-R at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock include/linux/rwlock_api_smp.h:161 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 __do_wait+0x13b/0x8b0 kernel/exit.c:1672 do_wait+0x1ec/0x5a0 kernel/exit.c:1716 kernel_wait+0xa1/0x160 kernel/exit.c:1892 call_usermodehelper_exec_sync kernel/umh.c:136 [inline] call_usermodehelper_exec_work+0xf6/0x180 kernel/umh.c:163 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 SOFTIRQ-ON-R at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock include/linux/rwlock_api_smp.h:161 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 __do_wait+0x13b/0x8b0 kernel/exit.c:1672 do_wait+0x1ec/0x5a0 kernel/exit.c:1716 kernel_wait+0xa1/0x160 kernel/exit.c:1892 call_usermodehelper_exec_sync kernel/umh.c:136 [inline] call_usermodehelper_exec_work+0xf6/0x180 kernel/umh.c:163 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_write_lock_irq include/linux/rwlock_api_smp.h:211 [inline] _raw_write_lock_irq+0x36/0x50 kernel/locking/spinlock.c:326 copy_process+0x70a5/0x7a10 kernel/fork.c:2369 kernel_clone+0xfc/0x9a0 kernel/fork.c:2654 user_mode_thread+0xcc/0x110 kernel/fork.c:2730 rest_init+0x21/0x260 init/main.c:725 start_kernel+0x47f/0x480 init/main.c:1210 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310 x86_64_start_kernel+0x12b/0x130 arch/x86/kernel/head64.c:291 common_startup_64+0x13e/0x148 INITIAL READ USE at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock include/linux/rwlock_api_smp.h:161 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 __do_wait+0x13b/0x8b0 kernel/exit.c:1672 do_wait+0x1ec/0x5a0 kernel/exit.c:1716 kernel_wait+0xa1/0x160 kernel/exit.c:1892 call_usermodehelper_exec_sync kernel/umh.c:136 [inline] call_usermodehelper_exec_work+0xf6/0x180 kernel/umh.c:163 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 } ... key at: [] tasklist_lock+0x18/0x40 ... acquired at: __raw_read_lock include/linux/rwlock_api_smp.h:161 [inline] _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228 send_sigurg+0xed/0xc80 fs/fcntl.c:978 sk_send_sigurg+0x76/0x370 net/core/sock.c:3669 queue_oob net/unix/af_unix.c:2352 [inline] unix_stream_sendmsg+0xbbf/0x1310 net/unix/af_unix.c:2486 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmmsg+0x205/0x430 net/socket.c:2735 __do_sys_sendmmsg net/socket.c:2762 [inline] __se_sys_sendmmsg net/socket.c:2759 [inline] __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2759 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> (&f_owner->lock){....}-{3:3} { INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_write_lock_irq include/linux/rwlock_api_smp.h:211 [inline] _raw_write_lock_irq+0x36/0x50 kernel/locking/spinlock.c:326 __f_setown+0x65/0x390 fs/fcntl.c:136 fcntl_dirnotify+0x6a0/0xb00 fs/notify/dnotify/dnotify.c:369 do_fcntl+0x996/0x1670 fs/fcntl.c:538 __do_sys_fcntl fs/fcntl.c:602 [inline] __se_sys_fcntl fs/fcntl.c:587 [inline] __x64_sys_fcntl+0x163/0x200 fs/fcntl.c:587 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL READ USE at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:172 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 send_sigio+0x31/0x3e0 fs/fcntl.c:918 dnotify_handle_event+0x15e/0x2b0 fs/notify/dnotify/dnotify.c:113 fsnotify_handle_inode_event.isra.0+0x1e3/0x410 fs/notify/fsnotify.c:272 fsnotify_handle_event fs/notify/fsnotify.c:327 [inline] send_to_group fs/notify/fsnotify.c:375 [inline] fsnotify+0x187d/0x3550 fs/notify/fsnotify.c:592 fsnotify_name include/linux/fsnotify.h:55 [inline] fsnotify_name include/linux/fsnotify.h:48 [inline] fsnotify_move+0x158/0x710 include/linux/fsnotify.h:268 vfs_rename+0xec8/0x1fc0 fs/namei.c:6052 filename_renameat2+0x754/0xa60 fs/namei.c:6144 __do_sys_renameat2 fs/namei.c:6173 [inline] __se_sys_renameat2 fs/namei.c:6168 [inline] __x64_sys_renameat2+0xef/0x140 fs/namei.c:6168 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f } ... key at: [] __key.1+0x0/0x40 ... acquired at: __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:172 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 send_sigio+0x31/0x3e0 fs/fcntl.c:918 kill_fasync_rcu fs/fcntl.c:1144 [inline] kill_fasync fs/fcntl.c:1159 [inline] kill_fasync+0x214/0x510 fs/fcntl.c:1152 lease_break_callback+0x23/0x30 fs/locks.c:577 __break_lease+0x7f4/0x19b0 fs/locks.c:1657 break_lease include/linux/filelock.h:484 [inline] break_lease include/linux/filelock.h:469 [inline] do_dentry_open+0xd3a/0x1660 fs/open.c:940 vfs_open+0x82/0x3f0 fs/open.c:1081 do_open fs/namei.c:4671 [inline] path_openat+0x208c/0x31a0 fs/namei.c:4830 do_file_open+0x20e/0x430 fs/namei.c:4859 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_open fs/open.c:1380 [inline] __se_sys_open fs/open.c:1376 [inline] __x64_sys_open+0xfe/0x1d0 fs/open.c:1376 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> (&new->fa_lock){...-}-{3:3} { IN-SOFTIRQ-R at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:172 [inline] _raw_read_lock_irqsave+0x46/0x90 kernel/locking/spinlock.c:236 kill_fasync_rcu fs/fcntl.c:1135 [inline] kill_fasync fs/fcntl.c:1159 [inline] kill_fasync+0x138/0x510 fs/fcntl.c:1152 sock_wake_async+0x132/0x160 net/socket.c:1509 sk_wake_async_rcu include/net/sock.h:2579 [inline] sk_wake_async_rcu include/net/sock.h:2576 [inline] sock_def_readable+0x53f/0x630 net/core/sock.c:3613 tcp_data_ready+0x114/0x5a0 net/ipv4/tcp_input.c:5629 tcp_data_queue+0x1aca/0x4fd0 net/ipv4/tcp_input.c:5719 tcp_rcv_established+0xb64/0x3980 net/ipv4/tcp_input.c:6710 tcp_v4_do_rcv+0xc64/0x10a0 net/ipv4/tcp_ipv4.c:1880 tcp_v4_rcv+0x2de5/0x4680 net/ipv4/tcp_ipv4.c:2315 ip_protocol_deliver_rcu+0xba/0x4d0 net/ipv4/ip_input.c:207 ip_local_deliver_finish+0x3f2/0x6e0 net/ipv4/ip_input.c:241 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip_local_deliver+0x19a/0x1f0 net/ipv4/ip_input.c:262 dst_input include/net/dst.h:480 [inline] ip_rcv_finish net/ipv4/ip_input.c:453 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip_rcv+0x2d9/0x5d0 net/ipv4/ip_input.c:573 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:6156 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6269 process_backlog+0x37a/0x1580 net/core/dev.c:6621 __napi_poll.constprop.0+0xaf/0x450 net/core/dev.c:7685 napi_poll net/core/dev.c:7748 [inline] net_rx_action+0xa40/0xf20 net/core/dev.c:7900 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622 do_softirq kernel/softirq.c:523 [inline] do_softirq+0xac/0xe0 kernel/softirq.c:510 __local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:450 sk_stream_wait_memory+0x63b/0x10c0 net/core/stream.c:149 tcp_sendmsg_locked+0x16f9/0x45f0 net/ipv4/tcp.c:1417 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1464 inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:859 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] __sys_sendto+0x467/0x520 net/socket.c:2206 __do_sys_sendto net/socket.c:2213 [inline] __se_sys_sendto net/socket.c:2209 [inline] __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2209 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_write_lock_irq include/linux/rwlock_api_smp.h:211 [inline] _raw_write_lock_irq+0x36/0x50 kernel/locking/spinlock.c:326 fasync_remove_entry+0xb2/0x1e0 fs/fcntl.c:1012 fasync_helper+0xaf/0xd0 fs/fcntl.c:1115 lease_modify+0x22c/0x480 fs/locks.c:1514 generic_delete_lease fs/locks.c:1945 [inline] generic_setlease+0xe94/0x1300 fs/locks.c:1973 kernel_setlease fs/locks.c:2031 [inline] vfs_setlease+0x283/0x370 fs/locks.c:2065 fcntl_setlease+0x151/0x180 fs/locks.c:2110 do_fcntl+0x1149/0x1670 fs/fcntl.c:535 __do_sys_fcntl fs/fcntl.c:602 [inline] __se_sys_fcntl fs/fcntl.c:587 [inline] __x64_sys_fcntl+0x163/0x200 fs/fcntl.c:587 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL READ USE at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:172 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 kill_fasync_rcu fs/fcntl.c:1135 [inline] kill_fasync fs/fcntl.c:1159 [inline] kill_fasync+0x138/0x510 fs/fcntl.c:1152 lease_break_callback+0x23/0x30 fs/locks.c:577 __break_lease+0x7f4/0x19b0 fs/locks.c:1657 break_lease include/linux/filelock.h:484 [inline] break_lease include/linux/filelock.h:469 [inline] do_dentry_open+0xd3a/0x1660 fs/open.c:940 vfs_open+0x82/0x3f0 fs/open.c:1081 do_open fs/namei.c:4671 [inline] path_openat+0x208c/0x31a0 fs/namei.c:4830 do_file_open+0x20e/0x430 fs/namei.c:4859 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_open fs/open.c:1380 [inline] __se_sys_open fs/open.c:1376 [inline] __x64_sys_open+0xfe/0x1d0 fs/open.c:1376 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f } ... key at: [] __key.0+0x0/0x40 ... acquired at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:172 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 kill_fasync_rcu fs/fcntl.c:1135 [inline] kill_fasync fs/fcntl.c:1159 [inline] kill_fasync+0x138/0x510 fs/fcntl.c:1152 tty_wakeup+0xe8/0x120 drivers/tty/tty_io.c:515 __start_tty drivers/tty/tty_io.c:777 [inline] __start_tty drivers/tty/tty_io.c:770 [inline] start_tty+0x127/0x190 drivers/tty/tty_io.c:794 tty_send_xchar+0x2a5/0x380 drivers/tty/tty_io.c:1153 n_tty_ioctl_helper+0x1b9/0x2b0 drivers/tty/tty_ioctl.c:969 n_tty_ioctl+0x53/0x370 drivers/tty/n_tty.c:2496 tty_ioctl+0x1204/0x1690 drivers/tty/tty_io.c:2801 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f stack backtrace: CPU: 1 UID: 0 PID: 3267 Comm: syz.5.8277 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_bad_irq_dependency kernel/locking/lockdep.c:2616 [inline] check_irq_usage+0x7aa/0x810 kernel/locking/lockdep.c:2857 check_prev_add kernel/locking/lockdep.c:3169 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x14cf/0x2630 kernel/locking/lockdep.c:5237 lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:172 [inline] _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236 kill_fasync_rcu fs/fcntl.c:1135 [inline] kill_fasync fs/fcntl.c:1159 [inline] kill_fasync+0x138/0x510 fs/fcntl.c:1152 tty_wakeup+0xe8/0x120 drivers/tty/tty_io.c:515 __start_tty drivers/tty/tty_io.c:777 [inline] __start_tty drivers/tty/tty_io.c:770 [inline] start_tty+0x127/0x190 drivers/tty/tty_io.c:794 tty_send_xchar+0x2a5/0x380 drivers/tty/tty_io.c:1153 n_tty_ioctl_helper+0x1b9/0x2b0 drivers/tty/tty_ioctl.c:969 n_tty_ioctl+0x53/0x370 drivers/tty/n_tty.c:2496 tty_ioctl+0x1204/0x1690 drivers/tty/tty_io.c:2801 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3640d9c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3641bb0028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f3641016180 RCX: 00007f3640d9c629 RDX: 0000000000000002 RSI: 000000000000540a RDI: 0000000000000003 RBP: 00007f3640e32b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f3641016218 R14: 00007f3641016180 R15: 00007ffd1fe83d78