Syzkaller hit 'possible deadlock in console_unlock' bug. RBP: 00000000006cb018 R08: 0000000000000001 R09: 0000000000000031 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 ====================================================== WARNING: possible circular locking dependency detected 4.20.0-rc7+ #8 Not tainted ------------------------------------------------------ syz-executor579/2028 is trying to acquire lock: 00000000e478796d (console_owner){-.-.}, at: log_next kernel/printk/printk.c:489 [inline] 00000000e478796d (console_owner){-.-.}, at: console_unlock+0x33d/0xd30 kernel/printk/printk.c:2401 but task is already holding lock: 0000000030388923 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xcd/0x1d0 drivers/tty/pty.c:120 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&(&port->lock)->rlock){-.-.}: tty_port_tty_get+0x1b/0x80 drivers/tty/tty_port.c:287 tty_port_default_wakeup+0x11/0x40 drivers/tty/tty_port.c:47 serial8250_tx_chars+0x4b9/0xa00 drivers/tty/serial/8250/8250_port.c:1825 serial8250_handle_irq.part.20+0x18d/0x210 drivers/tty/serial/8250/8250_port.c:1898 serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1918 [inline] serial8250_default_handle_irq+0xe9/0x110 drivers/tty/serial/8250/8250_port.c:1914 serial8250_interrupt+0xe2/0x180 drivers/tty/serial/8250/8250_core.c:125 __handle_irq_event_percpu+0x16e/0x860 kernel/irq/handle.c:149 handle_irq_event_percpu+0x96/0x1b0 kernel/irq/handle.c:189 handle_irq_event+0xa1/0x130 kernel/irq/handle.c:206 handle_edge_irq+0x1d3/0x7a0 kernel/irq/chip.c:791 generic_handle_irq_desc include/linux/irqdesc.h:154 [inline] handle_irq+0x16d/0x300 arch/x86/kernel/irq_64.c:78 do_IRQ+0x71/0x190 arch/x86/kernel/irq.c:246 ret_from_intr+0x0/0x1d native_safe_halt arch/x86/include/asm/irqflags.h:57 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:99 [inline] default_idle+0x81/0x3c0 
arch/x86/kernel/process.c:561 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x287/0x3c0 kernel/sched/idle.c:262 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:353 start_secondary+0x39d/0x490 arch/x86/kernel/smpboot.c:271 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 -> #1 (&port_lock_key){-.-.}: serial8250_console_write+0x6d5/0x8b0 drivers/tty/serial/8250/8250_port.c:3266 call_console_drivers kernel/printk/printk.c:1728 [inline] console_unlock+0x847/0xd30 kernel/printk/printk.c:2414 vprintk_emit+0x214/0x590 kernel/printk/printk.c:1922 vprintk_func+0x52/0xe0 kernel/printk/printk_safe.c:398 printk+0xb2/0xdd kernel/printk/printk.c:1997 register_console+0x6b3/0xb40 kernel/printk/printk.c:2729 univ8250_console_init+0x2c/0x35 drivers/tty/serial/8250/8250_core.c:681 console_init+0x4fc/0x72d kernel/printk/printk.c:2815 start_kernel+0x527/0x80f init/main.c:667 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 -> #0 (console_owner){-.-.}: console_lock_spinning_enable kernel/printk/printk.c:1591 [inline] console_unlock+0x3a9/0xd30 kernel/printk/printk.c:2411 vprintk_emit+0x214/0x590 kernel/printk/printk.c:1922 vprintk_func+0x52/0xe0 kernel/printk/printk_safe.c:398 printk+0xb2/0xdd kernel/printk/printk.c:1997 fail_dump lib/fault-inject.c:44 [inline] should_fail+0x911/0xa90 lib/fault-inject.c:149 __should_failslab+0xe3/0x120 mm/failslab.c:32 should_failslab+0x5/0x10 mm/slab_common.c:1578 slab_pre_alloc_hook mm/slab.h:423 [inline] slab_alloc_node mm/slub.c:2670 [inline] slab_alloc mm/slub.c:2752 [inline] __kmalloc+0x6d/0x2d0 mm/slub.c:3783 kmalloc include/linux/slab.h:551 [inline] tty_buffer_alloc drivers/tty/tty_buffer.c:175 [inline] __tty_buffer_request_room+0x265/0x700 drivers/tty/tty_buffer.c:273 tty_insert_flip_string_fixed_flag+0x83/0x1c0 drivers/tty/tty_buffer.c:318 tty_insert_flip_string include/linux/tty_flip.h:37 [inline] pty_write+0xff/0x1d0 drivers/tty/pty.c:122 tty_send_xchar+0x1d7/0x2c0 drivers/tty/tty_io.c:1092 
 n_tty_ioctl_helper+0x107/0x340 drivers/tty/tty_ioctl.c:927
 n_tty_ioctl+0x14c/0x2e0 drivers/tty/n_tty.c:2464
 tty_ioctl+0x329/0x1570 drivers/tty/tty_io.c:2653
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x19e/0x14c0 fs/ioctl.c:698
 ksys_ioctl+0x84/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
 do_syscall_64+0x141/0x5f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  console_owner --> &port_lock_key --> &(&port->lock)->rlock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&(&port->lock)->rlock);
                               lock(&port_lock_key);
                               lock(&(&port->lock)->rlock);
  lock(console_owner);

 *** DEADLOCK ***

5 locks held by syz-executor579/2028:
 #0: 00000000bc8dd2b4 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:263
 #1: 00000000924a8679 (&tty->atomic_write_lock){+.+.}, at: tty_write_lock+0x1b/0x60 drivers/tty/tty_io.c:885
 #2: 0000000000cf4898 (&tty->termios_rwsem){++++}, at: tty_send_xchar+0x17f/0x2c0 drivers/tty/tty_io.c:1089
 #3: 0000000030388923 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xcd/0x1d0 drivers/tty/pty.c:120
 #4: 000000002c728420 (console_lock){+.+.}, at: console_trylock_spinning kernel/printk/printk.c:1653 [inline]
 #4: 000000002c728420 (console_lock){+.+.}, at: vprintk_emit+0x206/0x590 kernel/printk/printk.c:1921

stack backtrace:
CPU: 0 PID: 2028 Comm: syz-executor579 Not tainted 4.20.0-rc7+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_circular_bug.isra.34+0x31a/0x353 kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2347 [inline]
 __lock_acquire+0x3256/0x41e0
kernel/locking/lockdep.c:3341 lock_acquire+0x15b/0x420 kernel/locking/lockdep.c:3844 console_lock_spinning_enable kernel/printk/printk.c:1591 [inline] console_unlock+0x3a9/0xd30 kernel/printk/printk.c:2411 vprintk_emit+0x214/0x590 kernel/printk/printk.c:1922 vprintk_func+0x52/0xe0 kernel/printk/printk_safe.c:398 printk+0xb2/0xdd kernel/printk/printk.c:1997 fail_dump lib/fault-inject.c:44 [inline] should_fail+0x911/0xa90 lib/fault-inject.c:149 __should_failslab+0xe3/0x120 mm/failslab.c:32 should_failslab+0x5/0x10 mm/slab_common.c:1578 slab_pre_alloc_hook mm/slab.h:423 [inline] slab_alloc_node mm/slub.c:2670 [inline] slab_alloc mm/slub.c:2752 [inline] __kmalloc+0x6d/0x2d0 mm/slub.c:3783 kmalloc include/linux/slab.h:551 [inline] tty_buffer_alloc drivers/tty/tty_buffer.c:175 [inline] __tty_buffer_request_room+0x265/0x700 drivers/tty/tty_buffer.c:273 tty_insert_flip_string_fixed_flag+0x83/0x1c0 drivers/tty/tty_buffer.c:318 tty_insert_flip_string include/linux/tty_flip.h:37 [inline] pty_write+0xff/0x1d0 drivers/tty/pty.c:122 tty_send_xchar+0x1d7/0x2c0 drivers/tty/tty_io.c:1092 n_tty_ioctl_helper+0x107/0x340 drivers/tty/tty_ioctl.c:927 n_tty_ioctl+0x14c/0x2e0 drivers/tty/n_tty.c:2464 tty_ioctl+0x329/0x1570 drivers/tty/tty_io.c:2653 vfs_ioctl fs/ioctl.c:46 [inline] do_vfs_ioctl+0x19e/0x14c0 fs/ioctl.c:698 ksys_ioctl+0x84/0x90 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718 do_syscall_64+0x141/0x5f0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4402e9 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffd52f4ba48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004402e9 RDX: 0000000000000002 RSI: 000000000000540a RDI: 0000000000000003 RBP: 
00000000006cb018 R08: 0000000000000001 R09: 0000000000000031 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
Syzkaller reproducer:
# {Threaded:false Collide:false Repeat:false RepeatTimes:0 Procs:1 Sandbox: Fault:true FaultCall:1 FaultNth:0 EnableTun:false UseTmpDir:false EnableCgroups:false EnableNetdev:false ResetNet:false HandleSegv:false Repro:false Trace:false}
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0)
ioctl$TCXONC(r0, 0x540a, 0x2)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewer notes on this reproducer (it only drives the lock inversion
// reported above, it is not the defect itself):
//  - Per the trace, the failing kmalloc in tty_buffer_alloc() makes
//    fail_dump() printk() while pty_write() holds port->lock, and the
//    console path in turn depends on port->lock through the 8250 IRQ
//    handler. That is the cycle lockdep flags; a real hang needs the
//    unsafe interleaving, which lockdep reports without requiring it.
//  - The printk under port->lock only happens because fault injection
//    is armed: the program writes debugfs failslab/fail_futex knobs and
//    /proc/thread-self/fail-nth, which ordinarily needs root and a
//    kernel built with the fault-injection debugfs interface. On a
//    kernel without it, write_file() silently fails and inject_fault()
//    exits, so the allocation never fails and nothing is printed.
//  - The header names after each #include were lost when this page
//    was extracted; everything used below comes from standard C and
//    POSIX headers.
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/*
 * Best-effort printf-style write of one formatted string to `file`.
 *
 * Returns true if the whole string was written; false if the file could
 * not be opened or the write was short/failed. In the failure case errno
 * is preserved across close(). Both callers in main() ignore the result,
 * so a missing or read-only debugfs is silently tolerated.
 */
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  /* vsnprintf already NUL-terminates; this is a belt-and-braces guard. */
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno; /* close() may clobber errno; hand the original back */
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

/*
 * Arm per-thread fault injection so that the (nth+1)-th injectable call
 * fails. In this reproducer that is the tty flip-buffer allocation seen
 * in the trace (tty_buffer_alloc -> __kmalloc -> should_failslab).
 *
 * Exits the process if /proc/thread-self/fail-nth cannot be opened or
 * fully written. Returns the open fd, which the caller never closes —
 * presumably so the setting stays armed for the following syscall;
 * confirm against the kernel fault-injection documentation.
 */
static int inject_fault(int nth)
{
  int fd;
  char buf[16];
  fd = open("/proc/thread-self/fail-nth", O_RDWR);
  if (fd == -1)
    exit(1);
  sprintf(buf, "%d", nth + 1);
  if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
    exit(1);
  return fd;
}

/* Syscall result slots (syzkaller's r0, ...); -1 means "not assigned". */
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  /* Fixed scratch mapping at 0x20000000 that syzkaller programs place
   * their syscall arguments in (prot 3 = read|write, flags 0x32 =
   * private|fixed|anonymous). Its result is not checked. */
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  long res = 0;
  memcpy((void*)0x200000c0, "/dev/ptmx\x00", 10);
  /* openat$ptmx from the syzkaller program; 0xffffffffffffff9c is -100,
   * i.e. AT_FDCWD. */
  res = syscall(__NR_openat, 0xffffffffffffff9c, 0x200000c0, 0, 0);
  /* If the open fails r[0] keeps its -1 sentinel and the ioctl below
   * simply gets EBADF. */
  if (res != -1)
    r[0] = res;
  /* Let failslab inject into allocations that may sleep; both writes are
   * best-effort and their return values are deliberately ignored. */
  write_file("/sys/kernel/debug/failslab/ignore-gfp-wait", "N");
  write_file("/sys/kernel/debug/fail_futex/ignore-private", "N");
  /* Make the next injectable call (the kmalloc inside the ioctl) fail. */
  inject_fault(0);
  /* ioctl$TCXONC (0x540a) with argument 2: per the trace this reaches
   * tty_send_xchar() -> pty_write(), where port->lock is taken before
   * the flip-buffer allocation. */
  syscall(__NR_ioctl, r[0], 0x540a, 2);
  return 0;
}