==================================================================
kasan: CONFIG_KASAN_INLINE enabled
BUG: KASAN: stack-out-of-bounds in __read_once_size include/linux/compiler.h:191 [inline]
BUG: KASAN: stack-out-of-bounds in test_idle_cores kernel/sched/fair.c:6000 [inline]
BUG: KASAN: stack-out-of-bounds in select_idle_core kernel/sched/fair.c:6047 [inline]
BUG: KASAN: stack-out-of-bounds in select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
kasan: GPF could be caused by NULL-ptr deref or user memory access
Read of size 4 at addr ffff8880a9d9e508 by task syz-executor4/14331
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0+ #296
CPU: 1 PID: 14331 Comm: syz-executor4 Not tainted 4.20.0+ #296
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:task_css include/linux/cgroup.h:477 [inline]
RIP: 0010:task_ca kernel/sched/cpuacct.c:43 [inline]
RIP: 0010:cpuacct_account_field+0x140/0x3d0 kernel/sched/cpuacct.c:365
Call Trace:
Code: 86 95 08 00 85 c0 74 0d 80 3d 27 db d1 08 00 0f 84 a4 01 00 00 49 8d 7e 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4e 02 00 00 4d 8b 7e 10 49 81 ff c0 51 78 89 0f
<IRQ>
RSP: 0018:ffff8880ae6078a8 EFLAGS: 00010002
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
RAX: dffffc0000000000 RBX: ffff8880ae607918 RCX: ffffffff81626af4
RDX: 000000000836b158 RSI: 0000000000000008 RDI: 0000000041b58ac3
RBP: ffff8880ae607940 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff0ddece8 R11: ffffffff86ef6747 R12: 0000000000827d1b
print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
R13: dffffc0000000000 R14: 0000000041b58ab3 R15: ffff8880a9e1c240
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
CR2: 0000000000000000 CR3: 0000000099316000 CR4: 00000000001426f0
__read_once_size include/linux/compiler.h:191 [inline]
test_idle_cores kernel/sched/fair.c:6000 [inline]
select_idle_core kernel/sched/fair.c:6047 [inline]
select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
cgroup_account_cputime_field include/linux/cgroup.h:775 [inline]
task_group_account_field kernel/sched/cputime.c:108 [inline]
account_system_index_time+0x1e8/0x5d0 kernel/sched/cputime.c:171
select_task_rq_fair+0xa3b/0x3ad0 kernel/sched/fair.c:6652
irqtime_account_process_tick.isra.6+0x38e/0x490 kernel/sched/cputime.c:380
account_process_tick+0x282/0x350 kernel/sched/cputime.c:483
update_process_times+0x21/0x70 kernel/time/timer.c:1633
tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:161
tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1271
__run_hrtimer kernel/time/hrtimer.c:1389 [inline]
__hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1451
hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1509
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1060
select_task_rq kernel/sched/core.c:1536 [inline]
try_to_wake_up+0x4e7/0x1460 kernel/sched/core.c:2041
wake_up_process+0x10/0x20 kernel/sched/core.c:2129
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
hrtimer_wakeup+0x48/0x60 kernel/time/hrtimer.c:1637
</IRQ>
__run_hrtimer kernel/time/hrtimer.c:1389 [inline]
__hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1451
Modules linked in:
======================================================
WARNING: possible circular locking dependency detected
4.20.0+ #296 Not tainted
------------------------------------------------------
syz-executor4/14331 is trying to acquire lock:
00000000c889a69e ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
but task is already holding lock:
00000000425f965b (report_lock){-...}, at: kasan_start_report mm/kasan/report.c:170 [inline]
00000000425f965b (report_lock){-...}, at: kasan_report_error mm/kasan/report.c:346 [inline]
00000000425f965b (report_lock){-...}, at: kasan_report+0x8b/0x110 mm/kasan/report.c:412
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (report_lock){-...}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
kasan_start_report mm/kasan/report.c:170 [inline]
kasan_report_error mm/kasan/report.c:346 [inline]
kasan_report+0x8b/0x110 mm/kasan/report.c:412
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
__read_once_size include/linux/compiler.h:191 [inline]
test_idle_cores kernel/sched/fair.c:6000 [inline]
select_idle_core kernel/sched/fair.c:6047 [inline]
select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
select_task_rq_fair+0xa3b/0x3ad0 kernel/sched/fair.c:6652
select_task_rq kernel/sched/core.c:1536 [inline]
try_to_wake_up+0x4e7/0x1460 kernel/sched/core.c:2041
wake_up_process+0x10/0x20 kernel/sched/core.c:2129
hrtimer_wakeup+0x48/0x60 kernel/time/hrtimer.c:1637
__run_hrtimer kernel/time/hrtimer.c:1389 [inline]
__hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1451
hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1509
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1060
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
bytes_is_nonzero mm/kasan/kasan.c:167 [inline]
memory_is_nonzero mm/kasan/kasan.c:184 [inline]
memory_is_poisoned_n mm/kasan/kasan.c:210 [inline]
memory_is_poisoned mm/kasan/kasan.c:241 [inline]
check_memory_region_inline mm/kasan/kasan.c:257 [inline]
check_memory_region+0x117/0x1b0 mm/kasan/kasan.c:267
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 kernel/rcu/tree.c:305
rcu_is_watching+0x10/0x30 kernel/rcu/tree.c:932
rcu_read_lock include/linux/rcupdate.h:608 [inline]
lock_page_memcg+0x210/0x350 mm/memcontrol.c:1862
page_remove_file_rmap mm/rmap.c:1215 [inline]
page_remove_rmap+0x855/0x1a30 mm/rmap.c:1300
zap_pte_range mm/memory.c:1091 [inline]
zap_pmd_range mm/memory.c:1193 [inline]
zap_pud_range mm/memory.c:1222 [inline]
zap_p4d_range mm/memory.c:1243 [inline]
unmap_page_range+0xf52/0x25b0 mm/memory.c:1264
unmap_single_vma+0x19b/0x310 mm/memory.c:1309
unmap_vmas+0x125/0x200 mm/memory.c:1339
exit_mmap+0x2be/0x590 mm/mmap.c:3156
__mmput kernel/fork.c:1050 [inline]
mmput+0x247/0x610 kernel/fork.c:1071
exit_mm kernel/exit.c:545 [inline]
do_exit+0xe74/0x26d0 kernel/exit.c:854
do_group_exit+0x177/0x440 kernel/exit.c:970
get_signal+0x8b0/0x1980 kernel/signal.c:2517
do_signal+0x9c/0x21c0 arch/x86/kernel/signal.c:816
exit_to_usermode_loop+0x2e5/0x380 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_32_irqs_on arch/x86/entry/common.c:341 [inline]
do_fast_syscall_32+0xcd5/0xfb2 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
-> #1 (&p->pi_lock){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
try_to_wake_up+0xdc/0x1460 kernel/sched/core.c:1965
wake_up_process+0x10/0x20 kernel/sched/core.c:2129
__up.isra.1+0x1c0/0x2a0 kernel/locking/semaphore.c:262
up+0x13c/0x1c0 kernel/locking/semaphore.c:187
__up_console_sem+0xbe/0x1b0 kernel/printk/printk.c:236
console_unlock+0x819/0x1180 kernel/printk/printk.c:2426
vprintk_emit+0x39c/0x990 kernel/printk/printk.c:1931
vprintk_default+0x28/0x30 kernel/printk/printk.c:1958
vprintk_func+0x7e/0x181 kernel/printk/printk_safe.c:398
printk+0xa7/0xcf kernel/printk/printk.c:1991
check_stack_usage kernel/exit.c:755 [inline]
do_exit.cold.19+0x57/0x16f kernel/exit.c:916
do_group_exit+0x177/0x440 kernel/exit.c:970
__do_sys_exit_group kernel/exit.c:981 [inline]
__se_sys_exit_group kernel/exit.c:979 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:979
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> #0 ((console_sem).lock){-.-.}:
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3841
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
__down_trylock_console_sem+0xae/0x200 kernel/printk/printk.c:219
console_trylock+0x15/0xa0 kernel/printk/printk.c:2242
console_trylock_spinning kernel/printk/printk.c:1662 [inline]
vprintk_emit+0x37d/0x990 kernel/printk/printk.c:1930
vprintk_default+0x28/0x30 kernel/printk/printk.c:1958
vprintk_func+0x7e/0x181 kernel/printk/printk_safe.c:398
printk+0xa7/0xcf kernel/printk/printk.c:1991
kasan_start_report mm/kasan/report.c:171 [inline]
kasan_report_error mm/kasan/report.c:346 [inline]
kasan_report+0x9b/0x110 mm/kasan/report.c:412
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
__read_once_size include/linux/compiler.h:191 [inline]
test_idle_cores kernel/sched/fair.c:6000 [inline]
select_idle_core kernel/sched/fair.c:6047 [inline]
select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
select_task_rq_fair+0xa3b/0x3ad0 kernel/sched/fair.c:6652
select_task_rq kernel/sched/core.c:1536 [inline]
try_to_wake_up+0x4e7/0x1460 kernel/sched/core.c:2041
wake_up_process+0x10/0x20 kernel/sched/core.c:2129
hrtimer_wakeup+0x48/0x60 kernel/time/hrtimer.c:1637
__run_hrtimer kernel/time/hrtimer.c:1389 [inline]
__hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1451
hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1509
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1060
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
bytes_is_nonzero mm/kasan/kasan.c:167 [inline]
memory_is_nonzero mm/kasan/kasan.c:184 [inline]
memory_is_poisoned_n mm/kasan/kasan.c:210 [inline]
memory_is_poisoned mm/kasan/kasan.c:241 [inline]
check_memory_region_inline mm/kasan/kasan.c:257 [inline]
check_memory_region+0x117/0x1b0 mm/kasan/kasan.c:267
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 kernel/rcu/tree.c:305
rcu_is_watching+0x10/0x30 kernel/rcu/tree.c:932
rcu_read_lock include/linux/rcupdate.h:608 [inline]
lock_page_memcg+0x210/0x350 mm/memcontrol.c:1862
page_remove_file_rmap mm/rmap.c:1215 [inline]
page_remove_rmap+0x855/0x1a30 mm/rmap.c:1300
zap_pte_range mm/memory.c:1091 [inline]
zap_pmd_range mm/memory.c:1193 [inline]
zap_pud_range mm/memory.c:1222 [inline]
zap_p4d_range mm/memory.c:1243 [inline]
unmap_page_range+0xf52/0x25b0 mm/memory.c:1264
unmap_single_vma+0x19b/0x310 mm/memory.c:1309
unmap_vmas+0x125/0x200 mm/memory.c:1339
exit_mmap+0x2be/0x590 mm/mmap.c:3156
__mmput kernel/fork.c:1050 [inline]
mmput+0x247/0x610 kernel/fork.c:1071
exit_mm kernel/exit.c:545 [inline]
do_exit+0xe74/0x26d0 kernel/exit.c:854
do_group_exit+0x177/0x440 kernel/exit.c:970
get_signal+0x8b0/0x1980 kernel/signal.c:2517
do_signal+0x9c/0x21c0 arch/x86/kernel/signal.c:816
exit_to_usermode_loop+0x2e5/0x380 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_32_irqs_on arch/x86/entry/common.c:341 [inline]
do_fast_syscall_32+0xcd5/0xfb2 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
other info that might help us debug this:
Chain exists of:
(console_sem).lock --> &p->pi_lock --> report_lock
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(report_lock);
                               lock(&p->pi_lock);
                               lock(report_lock);
  lock((console_sem).lock);
*** DEADLOCK ***
5 locks held by syz-executor4/14331:
#0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: spin_lock include/linux/spinlock.h:329 [inline]
#0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: zap_pte_range mm/memory.c:1052 [inline]
#0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: zap_pmd_range mm/memory.c:1193 [inline]
#0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: zap_pud_range mm/memory.c:1222 [inline]
#0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: zap_p4d_range mm/memory.c:1243 [inline]
#0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: unmap_page_range+0x98e/0x25b0 mm/memory.c:1264
#1: 000000003488ec63 (rcu_read_lock){....}, at: lock_page_memcg+0x0/0x350 mm/memcontrol.c:2909
#2: 00000000555727d6 (&p->pi_lock){-.-.}, at: try_to_wake_up+0xdc/0x1460 kernel/sched/core.c:1965
#3: 000000003488ec63 (rcu_read_lock){....}, at: select_task_rq_fair+0x39a/0x3ad0 kernel/sched/fair.c:6605
#4: 00000000425f965b (report_lock){-...}, at: kasan_start_report mm/kasan/report.c:170 [inline]
#4: 00000000425f965b (report_lock){-...}, at: kasan_report_error mm/kasan/report.c:346 [inline]
#4: 00000000425f965b (report_lock){-...}, at: kasan_report+0x8b/0x110 mm/kasan/report.c:412
stack backtrace:
CPU: 1 PID: 14331 Comm: syz-executor4 Not tainted 4.20.0+ #296
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
print_circular_bug.isra.34.cold.56+0x1bd/0x27d kernel/locking/lockdep.c:1224
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1979 [inline]
validate_chain kernel/locking/lockdep.c:2350 [inline]
__lock_acquire+0x3360/0x4c20 kernel/locking/lockdep.c:3338
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3841
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
__down_trylock_console_sem+0xae/0x200 kernel/printk/printk.c:219
console_trylock+0x15/0xa0 kernel/printk/printk.c:2242
console_trylock_spinning kernel/printk/printk.c:1662 [inline]
vprintk_emit+0x37d/0x990 kernel/printk/printk.c:1930
vprintk_default+0x28/0x30 kernel/printk/printk.c:1958
vprintk_func+0x7e/0x181 kernel/printk/printk_safe.c:398
printk+0xa7/0xcf kernel/printk/printk.c:1991
kasan_start_report mm/kasan/report.c:171 [inline]
kasan_report_error mm/kasan/report.c:346 [inline]
kasan_report+0x9b/0x110 mm/kasan/report.c:412
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
__read_once_size include/linux/compiler.h:191 [inline]
test_idle_cores kernel/sched/fair.c:6000 [inline]
select_idle_core kernel/sched/fair.c:6047 [inline]
select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
select_task_rq_fair+0xa3b/0x3ad0 kernel/sched/fair.c:6652
select_task_rq kernel/sched/core.c:1536 [inline]
try_to_wake_up+0x4e7/0x1460 kernel/sched/core.c:2041
wake_up_process
Lost 168 message(s)!
---[ end trace a41d335fba94df44 ]---
RIP: 0010:task_css include/linux/cgroup.h:477 [inline]
RIP: 0010:task_ca kernel/sched/cpuacct.c:43 [inline]
RIP: 0010:cpuacct_account_field+0x140/0x3d0 kernel/sched/cpuacct.c:365
Code: 86 95 08 00 85 c0 74 0d 80 3d 27 db d1 08 00 0f 84 a4 01 00 00 49 8d 7e 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4e 02 00 00 4d 8b 7e 10 49 81 ff c0 51 78 89 0f
RSP: 0018:ffff8880ae6078a8 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: ffff8880ae607918 RCX: ffffffff81626af4
RDX: 000000000836b158 RSI: 0000000000000008 RDI: 0000000041b58ac3
RBP: ffff8880ae607940 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff0ddece8 R11: ffffffff86ef6747 R12: 0000000000827d1b
R13: dffffc0000000000 R14: 0000000041b58ab3 R15: ffff8880a9e1c240
FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1509
CR2: 0000000000000000 CR3: 0000000099316000 CR4: 00000000001426f0
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1060
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400