BUG: spinlock recursion on CPU#0, syz-executor110/7601
lock: 0xffff88806b63c740, .magic: dead4ead, .owner: syz-executor110/7601, .owner_cpu: 1
CPU: 0 PID: 7601 Comm: syz-executor110 Tainted: G D 6.6.0-syzkaller-15494-g6bc986ab839c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x237/0x2b0 kernel/locking/spinlock_debug.c:114
raw_spin_rq_lock_nested kernel/sched/core.c:566 [inline]
raw_spin_rq_lock_nested+0x7e/0x130 kernel/sched/core.c:551
raw_spin_rq_lock kernel/sched/sched.h:1349 [inline]
rq_lock kernel/sched/sched.h:1663 [inline]
ttwu_queue kernel/sched/core.c:4019 [inline]
try_to_wake_up+0x654/0x15d0 kernel/sched/core.c:4342
kick_pool+0x253/0x460 kernel/workqueue.c:1142
__queue_work+0x5d9/0x1050 kernel/workqueue.c:1800
call_timer_fn+0x193/0x580 kernel/time/timer.c:1700
expire_timers kernel/time/timer.c:1746 [inline]
__run_timers+0x585/0xb10 kernel/time/timer.c:2022
run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
__do_softirq+0x21a/0x968 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:lock_acquire+0x1ef/0x510 kernel/locking/lockdep.c:5721
Code: c1 05 8d 88 9a 7e 83 f8 01 0f 85 b0 02 00 00 9c 58 f6 c4 02 0f 85 9b 02 00 00 48 85 ed 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24
RSP: 0018:ffffc9000b427420 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ffff92001684e86 RCX: 0000000000000001
RDX: 1ffff1100526d3a7 RSI: ffffffff8accaca0 RDI: ffffffff8b2ec600
RBP: 0000000000000200 R08: 0000000000000000 R09: fffffbfff23e25d8
R10: ffffffff91f12ec7 R11: dffffc0000000000 R12: 0000000000000001
R13: 0000000000000000 R14: ffff88806b636e80 R15: 0000000000000000
local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
folio_add_lru+0x2b2/0x7d0 mm/swap.c:515
folio_add_lru_vma+0xb0/0x100 mm/swap.c:537
wp_page_copy mm/memory.c:3189 [inline]
do_wp_page+0x19fa/0x3a70 mm/memory.c:3510
handle_pte_fault mm/memory.c:5054 [inline]
__handle_mm_fault+0x1d7c/0x3d60 mm/memory.c:5179
handle_mm_fault+0x478/0xa00 mm/memory.c:5344
do_user_addr_fault+0x3d1/0x1000 arch/x86/mm/fault.c:1413
handle_page_fault arch/x86/mm/fault.c:1505 [inline]
exc_page_fault+0x5c/0xd0 arch/x86/mm/fault.c:1561
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:112 [inline]
RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:133 [inline]
RIP: 0010:copy_to_user_iter lib/iov_iter.c:25 [inline]
RIP: 0010:iterate_iovec include/linux/iov_iter.h:51 [inline]
RIP: 0010:iterate_and_advance2 include/linux/iov_iter.h:247 [inline]
RIP: 0010:iterate_and_advance include/linux/iov_iter.h:271 [inline]
RIP: 0010:_copy_to_iter+0x4c7/0x11d0 lib/iov_iter.c:186
Code: 45 e8 8d 37 27 fd 48 8b 4c 24 18 89 ee 48 8b 44 24 28 4c 8d 34 01 4c 89 f7 e8 e5 6e 7d fd 0f 01 cb 48 89 e9 4c 89 ff 4c 89 f6 <f3> a4 0f 1f 00 0f 01 ca 48 89 e8 48 29 eb 48 29 c8 48 01 cb 48 01
RSP: 0018:ffffc9000b427970 EFLAGS: 00050246
RAX: 0000000000000001 RBX: 0000000000001000 RCX: 0000000000000e80
RDX: 0000000000000000 RSI: ffff888010b19180 RDI: 0000000020755000
RBP: 0000000000001000 R08: 0000000000000000 R09: ffffed10021633ff
R10: ffff888010b19fff R11: 0000000000000000 R12: 0000000000754b80
R13: ffffc9000b427d60 R14: ffff888010b19000 R15: 0000000020754e80
copy_page_to_iter lib/iov_iter.c:381 [inline]
copy_page_to_iter+0xf1/0x180 lib/iov_iter.c:368
process_vm_rw_pages mm/process_vm_access.c:45 [inline]
process_vm_rw_single_vec mm/process_vm_access.c:117 [inline]
process_vm_rw_core.constprop.0+0x5cd/0xa10 mm/process_vm_access.c:215
process_vm_rw+0x2ff/0x360 mm/process_vm_access.c:283
__do_sys_process_vm_readv mm/process_vm_access.c:295 [inline]
__se_sys_process_vm_readv mm/process_vm_access.c:291 [inline]
__x64_sys_process_vm_readv+0xe2/0x1b0 mm/process_vm_access.c:291
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fd00a215259
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd00a1d3228 EFLAGS: 00000246 ORIG_RAX: 0000000000000136
RAX: ffffffffffffffda RBX: 00007fd00a29c308 RCX: 00007fd00a215259
RDX: 0000000000000002 RSI: 0000000020008400 RDI: 0000000000001db0
RBP: 00007fd00a29c300 R08: 0000000000000286 R09: 0000000000000000
R10: 0000000020008640 R11: 0000000000000246 R12: 00007fd00a269074
R13: 0000000000000000 R14: 00007ffec3c6eb10 R15: 00007ffec3c6ebf8
</TASK>
----------------
Code disassembly (best guess):
0: c1 05 8d 88 9a 7e 83 roll $0x83,0x7e9a888d(%rip) # 0x7e9a8894
7: f8 clc
8: 01 0f add %ecx,(%rdi)
a: 85 b0 02 00 00 9c test %esi,-0x63fffffe(%rax)
10: 58 pop %rax
11: f6 c4 02 test $0x2,%ah
14: 0f 85 9b 02 00 00 jne 0x2b5
1a: 48 85 ed test %rbp,%rbp
1d: 74 01 je 0x20
1f: fb sti
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 48 01 c3 add %rax,%rbx <-- trapping instruction
2d: 48 c7 03 00 00 00 00 movq $0x0,(%rbx)
34: 48 c7 43 08 00 00 00 movq $0x0,0x8(%rbx)
3b: 00
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 84 .byte 0x84
3f: 24 .byte 0x24