Console output of two simultaneous reports, shown here grouped by CPU rather than in the interleaved order in which they were printed. CPU 1 tripped stack_overflow_check() in do_IRQ() with an already corrupt current task (a negative PID, an unprintable comm, and a stack base cur:81c52fd4 that is not a kernel address); panic_on_warn turned that WARNING into the panic. Its trace stops at common_interrupt, and no frames for the interrupted context appear in the log. CPU 0 (syz-executor3/10622) hit the __list_add_valid() check reached through list_move() in detach_tasks() under load_balance(), running in the SCHED softirq on the exit path of a timer interrupt that landed in a page fault in filemap_map_pages(); the printk() it issued while holding rq->lock is what produced the lockdep report that follows the traces.

CPU 1 (stack-overflow WARNING in do_IRQ, escalated by panic_on_warn):
------------[ cut here ]------------
do_IRQ(): �
has overflown the kernel stack (cur:81c52fd4,sp:ffff8880a946bca0,irq stk top-bottom:ffff8880ae700080-ffff8880ae708000,exception stk top-bottom:fffffe0000036080-fffffe0000040000,ip:gue6_err+0x1/0x6b0)
WARNING: CPU: 1 PID: -1624034296 at arch/x86/kernel/irq_64.c:61 stack_overflow_check arch/x86/kernel/irq_64.c:61 [inline]
WARNING: CPU: 1 PID: -1624034296 at arch/x86/kernel/irq_64.c:61 handle_irq+0x2cb/0x3d8 arch/x86/kernel/irq_64.c:73
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: -1624034296 Comm: �
Not tainted 4.20.0+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
panic+0x2cb/0x589 kernel/panic.c:189
__warn.cold+0x20/0x4b kernel/panic.c:544
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:stack_overflow_check arch/x86/kernel/irq_64.c:61 [inline]
RIP: 0010:handle_irq+0x2cb/0x3d8 arch/x86/kernel/irq_64.c:73
Code: ff b3 80 00 00 00 4d 89 f8 50 48 c7 c7 a0 07 45 88 65 48 8b 34 25 40 ee 01 00 52 48 81 c6 a8 06 00 00 4c 89 f2 e8 05 4a 1e 00 <0f> 0b 48 83 c4 18 e9 33 ff ff ff e8 85 9a 98 00 e9 62 fd ff ff 4c
RSP: 0018:ffff8880ae707f50 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff8880a946bbf8 RCX: 0000000000000000
RDX: 0000000000010100 RSI: ffffffff8167d666 RDI: 0000000000000005
RBP: ffff8880ae707fb0 R08: ffff8880a94be440 R09: ffffed1015ce3ef9
R10: ffffed1015ce3ef8 R11: ffff8880ae71f7c7 R12: ffff8880a126c900
R13: ffff8880a946bc90 R14: 0000000081c52fd4 R15: ffff8880ae700080
do_IRQ+0x99/0x1d0 arch/x86/kernel/irq.c:246
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:583
</IRQ>

CPU 0 (list_add corruption BUG in load_balance):
list_add corruption. next->prev should be prev (ffff8880ae72d8d8), but was 0000000000000aae. (next=ffff8880a94be4f0).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:23!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 10622 Comm: syz-executor3 Not tainted 4.20.0+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid.cold+0xf/0x3c lib/list_debug.c:23
Code: 35 fe eb d5 4c 89 e7 e8 ea 77 35 fe eb a3 4c 89 f7 e8 e0 77 35 fe e9 56 ff ff ff 4c 89 e1 48 c7 c7 40 39 81 88 e8 10 0a d8 fd <0f> 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 80 3a 81 88 e8 f9 09 d8
RSP: 0000:ffff8880ae607770 EFLAGS: 00010086
RAX: 0000000000000075 RBX: ffff88805ce06470 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8167d666 RDI: ffffed1015cc0ee0
RBP: ffff8880ae607788 R08: 0000000000000075 R09: ffffed1015cc5021
R10: ffffed1015cc5020 R11: ffff8880ae628107 R12: ffff8880a94be4f0
R13: ffff88805ce06470 R14: ffff8880ae72d8d8 R15: ffff8880ae607ad0
FS: 0000000001efb940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000470020 CR3: 00000000817b9000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:60 [inline]
list_add include/linux/list.h:79 [inline]
list_move include/linux/list.h:171 [inline]
detach_tasks kernel/sched/fair.c:7557 [inline]
load_balance+0x1bdd/0x39d0 kernel/sched/fair.c:8979
rebalance_domains+0x815/0xf00 kernel/sched/fair.c:9366
run_rebalance_domains+0x376/0x4e0 kernel/sched/fair.c:9986
__do_softirq+0x30b/0xb11 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1b7/0x760 arch/x86/kernel/apic/apic.c:1062
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:766 [inline]
RIP: 0010:lock_is_held_type+0x17e/0x210 kernel/locking/lockdep.c:3881
Code: 00 00 00 fc ff df 41 c7 85 7c 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 75 63 48 83 3d 19 67 2f 08 00 74 30 48 89 df 57 9d <0f> 1f 44 00 00 48 83 c4 08 44 89 e0 5b 41 5c 41 5d 5d c3 48 83 c4
RSP: 0000:ffff888052cef7a8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13249e6 RBX: 0000000000000286 RCX: dffffc0000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000286
RBP: ffff888052cef7c8 R08: ffff888052d12440 R09: 0000000000000004
R10: 0000000000000000 R11: ffff8880ae62dc7b R12: 0000000000000000
R13: ffff888052d12440 R14: ffff888052cef8aa R15: ffff888052cefac8
lock_is_held include/linux/lockdep.h:337 [inline]
xa_entry include/linux/xarray.h:902 [inline]
xas_next_entry include/linux/xarray.h:1327 [inline]
filemap_map_pages+0xe7c/0x1cb0 mm/filemap.c:2610
do_fault_around mm/memory.c:3370 [inline]
do_read_fault mm/memory.c:3404 [inline]
do_fault mm/memory.c:3535 [inline]
handle_pte_fault mm/memory.c:3766 [inline]
__handle_mm_fault+0x3f57/0x5690 mm/memory.c:3890
handle_mm_fault+0x4ec/0xc80 mm/memory.c:3927
do_user_addr_fault arch/x86/mm/fault.c:1475 [inline]
__do_page_fault+0x5da/0xd60 arch/x86/mm/fault.c:1541
do_page_fault+0xe6/0x7d8 arch/x86/mm/fault.c:1572
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1143
RIP: 0033:0x470020
Code: ff e9 cd fe ff ff 0f 1f 40 00 48 c7 85 c0 fb ff ff b0 d6 47 00 48 89 9d c8 fb ff ff e9 0e ff ff ff 66 0f 1f 84 00 00 00 00 00 <48> 81 f9 ff ff ff 7f 7e 17 48 c7 c0 d4 ff ff ff 64 c7 00 4b 00 00
RSP: 002b:00007fffb20df920 EFLAGS: 00010246
RAX: 0000000000000016 RBX: 00007fffb20dfe80 RCX: 0000000000000016
RDX: 0000000000000000 RSI: 00000000004bd061 RDI: 00007fffb20e0146
RBP: 00007fffb20dfe70 R08: 7a79732f64656966 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bd04b
R13: 00007fffb20dfff8 R14: 00000000004bd061 R15: 0000000000000000
Modules linked in:
---[ end trace 152f029a084561dd ]---
RIP: 0010:__list_add_valid.cold+0xf/0x3c lib/list_debug.c:23
Code: 35 fe eb d5 4c 89 e7 e8 ea 77 35 fe eb a3 4c 89 f7 e8 e0 77 35 fe e9 56 ff ff ff 4c 89 e1 48 c7 c7 40 39 81 88 e8 10 0a d8 fd <0f> 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 80 3a 81 88 e8 f9 09 d8
RSP: 0000:ffff8880ae607770 EFLAGS: 00010086
RAX: 0000000000000075 RBX: ffff88805ce06470 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8167d666 RDI: ffffed1015cc0ee0
RBP: ffff8880ae607788 R08: 0000000000000075 R09: ffffed1015cc5021
R10: ffffed1015cc5020 R11: ffff8880ae628107 R12: ffff8880a94be4f0
R13: ffff88805ce06470 R14: ffff8880ae72d8d8 R15: ffff8880ae607ad0
FS: 0000000001efb940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000470020 CR3: 00000000817b9000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
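The BUG on CPU 0 is the first of the three ordered checks in __list_add_valid() (lib/list_debug.c), reached through list_move() in detach_tasks(): prev is the destination list head (ffff8880ae72d8d8), next is head->next (ffff8880a94be4f0), and next->prev held 0000000000000aae instead of the head. The damaged object is therefore the entry already on the destination list (a task's se.group_node), not the entry being moved. The C below is an added user-space model written for this page, not kernel code: it keeps a small table of list_heads keyed by kernel address, runs the same three checks in the same order with the same wording, reproduces the report's message from the report's own addresses, and then performs the same move on an intact list. The entry being moved (0xffff88805ce06470) and its source list head (0xffff8880c0ffee00) are constructed for the example and do not come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long long u64;

/* One struct list_head as it sits in kernel memory, keyed by its own address. */
struct kl_node { u64 addr, next, prev; };

/* Outcomes of the ordered checks in __list_add_valid(); the report hit the first one. */
enum list_fault { LIST_OK, LIST_UNMAPPED, LIST_BAD_NEXT_PREV, LIST_BAD_PREV_NEXT, LIST_DOUBLE_ADD };

/* Addresses printed in the report's message. */
#define DST_HEAD  0xffff8880ae72d8d8ULL   /* prev: the destination list head */
#define DST_FIRST 0xffff8880a94be4f0ULL   /* next: head->next, whose .prev read 0xaae */
/* Constructed for this example (not in the report): the entry being moved and its source list. */
#define ENTRY     0xffff88805ce06470ULL
#define SRC_HEAD  0xffff8880c0ffee00ULL

static struct kl_node *kl_lookup(struct kl_node *mem, size_t n, u64 addr)
{
    for (size_t i = 0; i < n; i++)
        if (mem[i].addr == addr)
            return &mem[i];
    return NULL;
}

/* __list_add_valid(new, prev, next): same three tests, same order, same message text. */
enum list_fault kl_add_valid(struct kl_node *mem, size_t n, u64 new_entry, u64 prev, u64 next,
                             char *msg, size_t len)
{
    struct kl_node *pn = kl_lookup(mem, n, next), *pp = kl_lookup(mem, n, prev);
    if (!pn || !pp) {
        snprintf(msg, len, "list_add: prev=%016llx or next=%016llx not mapped", prev, next);
        return LIST_UNMAPPED;
    }
    if (pn->prev != prev) {                         /* lib/list_debug.c:23 in the report */
        snprintf(msg, len, "list_add corruption. next->prev should be prev (%016llx), "
                 "but was %016llx. (next=%016llx).", prev, pn->prev, next);
        return LIST_BAD_NEXT_PREV;
    }
    if (pp->next != next) {
        snprintf(msg, len, "list_add corruption. prev->next should be next (%016llx), "
                 "but was %016llx. (prev=%016llx).", next, pp->next, prev);
        return LIST_BAD_PREV_NEXT;
    }
    if (new_entry == prev || new_entry == next) {
        snprintf(msg, len, "list_add double add: new=%016llx, prev=%016llx, next=%016llx.",
                 new_entry, prev, next);
        return LIST_DOUBLE_ADD;
    }
    return LIST_OK;
}

/* list_move(entry, head): __list_del_entry(entry), then __list_add(entry, head, head->next).
 * As in the kernel the unlink happens first and the add is refused when the check fails;
 * with CONFIG_BUG_ON_DATA_CORRUPTION that refusal is the BUG() seen in the report. */
enum list_fault kl_move(struct kl_node *mem, size_t n, u64 entry, u64 head, char *msg, size_t len)
{
    struct kl_node *e = kl_lookup(mem, n, entry), *h = kl_lookup(mem, n, head);
    struct kl_node *ep = e ? kl_lookup(mem, n, e->prev) : NULL;
    struct kl_node *en = e ? kl_lookup(mem, n, e->next) : NULL;
    if (!e || !h || !ep || !en) {
        snprintf(msg, len, "list_move: entry or head not mapped");
        return LIST_UNMAPPED;
    }
    ep->next = e->next;                          /* __list_del_entry(entry) */
    en->prev = e->prev;
    enum list_fault f = kl_add_valid(mem, n, entry, head, h->next, msg, len);
    if (f != LIST_OK)
        return f;
    struct kl_node *first = kl_lookup(mem, n, h->next);   /* mapped: validated above */
    first->prev = entry;                         /* __list_add(entry, head, first) */
    e->next = first->addr;
    e->prev = head;
    h->next = entry;
    return LIST_OK;
}

/* Builds the list state implied by the report (damaged != 0) or an intact one. */
static size_t build_scenario(struct kl_node *mem, int damaged)
{
    struct kl_node init[] = {
        { DST_HEAD,  DST_FIRST, DST_FIRST },                   /* one-entry destination list */
        { DST_FIRST, DST_HEAD,  damaged ? 0xaaeULL : DST_HEAD },
        { SRC_HEAD,  ENTRY,     ENTRY },                       /* one-entry source list */
        { ENTRY,     SRC_HEAD,  SRC_HEAD },
    };
    memcpy(mem, init, sizeof init);
    return sizeof init / sizeof init[0];
}

/* The move as the report saw it: returns the fault code and fills in the kernel-style message. */
enum list_fault reproduce_report(char *msg, size_t len)
{
    struct kl_node mem[4];
    size_t n = build_scenario(mem, 1);
    return kl_move(mem, n, ENTRY, DST_HEAD, msg, len);
}

/* The same move on an intact list: returns the head's new first entry, or 0 on any inconsistency. */
u64 healthy_move(char *msg, size_t len)
{
    struct kl_node mem[4];
    size_t n = build_scenario(mem, 0);
    if (kl_move(mem, n, ENTRY, DST_HEAD, msg, len) != LIST_OK)
        return 0;
    struct kl_node *h = kl_lookup(mem, n, DST_HEAD), *e = kl_lookup(mem, n, ENTRY);
    struct kl_node *f = kl_lookup(mem, n, DST_FIRST), *s = kl_lookup(mem, n, SRC_HEAD);
    /* expected: head -> entry -> old first, back-links consistent, source list now empty */
    if (e->next != DST_FIRST || e->prev != DST_HEAD || f->prev != ENTRY ||
        s->next != SRC_HEAD || s->prev != SRC_HEAD)
        return 0;
    return h->next;
}

int main(void)
{
    char msg[160];
    printf("damaged: fault=%d %s\n", reproduce_report(msg, sizeof msg), msg);
    printf("intact: head->next=%016llx\n", healthy_move(msg, sizeof msg));
    return 0;
}
```

Reading the real message the same way: the address after "next=" is the object to inspect, and the value after "but was" is what now sits in its .prev field. A small integer such as 0xaae where a pointer belongs means the task's embedded list_head was overwritten with non-pointer data, which is why list.h line numbers and the lockdep noise further down should be read as consequences rather than causes.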
Shutting down cpus with NMI
Kernel Offset: disabled
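The do_IRQ() warning on CPU 1 is the x86-64 stack_overflow_check() in arch/x86/kernel/irq_64.c: the interrupted sp is accepted if it lies within the current task's thread stack (above a 128-byte margin plus the saved pt_regs), within the per-CPU IRQ stack, or within the exception stacks, and the WARN fires otherwise. The C below is an added example written for this page, not kernel code; it parses the numbers out of the report's own warning line and reruns the three range tests on them. THREAD_SIZE = 32 KiB (what the 0x8000-byte IRQ stack in the report implies for this KASAN build) and sizeof(struct pt_regs) = 168 are assumptions, and the "sane curbase" 0xffff8880a9468000 used in the second run is a constructed counterfactual, not a value from the report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long long u64;

/* Constants from the kernel's check (assumed for this example, see lead-in). */
#define STACK_TOP_MARGIN 128ULL
#define PT_REGS_SIZE     168ULL      /* sizeof(struct pt_regs) on x86-64 */
#define THREAD_SIZE      0x8000ULL   /* 32 KiB with KASAN on this config */

struct stack_bounds {
    u64 curbase;                    /* task_stack_page(current): "cur:" */
    u64 sp;                         /* regs->sp at interrupt entry: "sp:" */
    u64 irq_top, irq_bottom;        /* "irq stk top-bottom:" */
    u64 estack_top, estack_bottom;  /* "exception stk top-bottom:" */
};

enum stack_verdict { ON_THREAD_STACK, ON_IRQ_STACK, ON_EXCEPTION_STACK, STACK_OVERFLOW };

/* The same three tests, in the same order as the kernel; returns the one that accepted sp. */
enum stack_verdict stack_overflow_check(const struct stack_bounds *b)
{
    if (b->sp >= b->curbase + PT_REGS_SIZE + STACK_TOP_MARGIN &&
        b->sp <= b->curbase + THREAD_SIZE)
        return ON_THREAD_STACK;
    if (b->sp >= b->irq_top && b->sp <= b->irq_bottom)
        return ON_IRQ_STACK;
    if (b->sp >= b->estack_top && b->sp <= b->estack_bottom)
        return ON_EXCEPTION_STACK;
    return STACK_OVERFLOW;          /* WARN_ONCE(), then panic() under panic_on_warn */
}

/* Pulls the six numbers out of the warning text; the "(cur:" marker starts them. */
bool parse_overflow_line(const char *line, struct stack_bounds *b)
{
    const char *p = strstr(line, "(cur:");
    if (!p)
        return false;
    return sscanf(p, "(cur:%llx,sp:%llx,irq stk top-bottom:%llx-%llx,"
                     "exception stk top-bottom:%llx-%llx",
                  &b->curbase, &b->sp, &b->irq_top, &b->irq_bottom,
                  &b->estack_top, &b->estack_bottom) == 6;
}

/* True for an address in the kernel half of the x86-64 canonical space (4-level paging). */
bool is_kernel_address(u64 v)
{
    return v >= 0xffff800000000000ULL;
}

/* The warning line from the report, quoted verbatim (the ip: field is not parsed). */
static const char report_line[] =
    "has overflown the kernel stack (cur:81c52fd4,sp:ffff8880a946bca0,"
    "irq stk top-bottom:ffff8880ae700080-ffff8880ae708000,"
    "exception stk top-bottom:fffffe0000036080-fffffe0000040000,"
    "ip:gue6_err+0x1/0x6b0)";

/* Verdict for the values exactly as logged. */
enum stack_verdict verdict_as_logged(void)
{
    struct stack_bounds b;
    if (!parse_overflow_line(report_line, &b))
        return STACK_OVERFLOW;
    return stack_overflow_check(&b);
}

/* Counterfactual (assumption, not from the report): keep sp and the IRQ/exception
 * ranges, but replace the 32-bit curbase with the THREAD_SIZE-aligned base of the
 * region sp lies in, i.e. what current->stack would hold if it were intact. */
enum stack_verdict verdict_with_sane_curbase(void)
{
    struct stack_bounds b;
    if (!parse_overflow_line(report_line, &b))
        return STACK_OVERFLOW;
    b.curbase = b.sp & ~(THREAD_SIZE - 1);      /* 0xffff8880a9468000 */
    return stack_overflow_check(&b);
}

int main(void)
{
    struct stack_bounds b;
    if (!parse_overflow_line(report_line, &b))
        return 1;
    printf("cur=%#llx is%s a kernel address; sp=%#llx is%s\n",
           b.curbase, is_kernel_address(b.curbase) ? "" : " not",
           b.sp, is_kernel_address(b.sp) ? "" : " not");
    printf("verdict as logged: %d, with a sane curbase: %d\n",
           verdict_as_logged(), verdict_with_sane_curbase());
    return 0;
}
```

With the logged numbers only the thread-stack test can fail in an interesting way, and it fails because it is handed a curbase of 0x81c52fd4 rather than because sp is outside any stack: sp sits in an ordinary direct-map region, and the same sp passes the first test as soon as curbase is a plausible 32 KiB-aligned base below it. That is the distinction to draw when triaging this warning: a genuine overflow shows an sp just below one of the printed ranges, while a garbage cur value points at current->stack itself having been overwritten.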
======================================================
WARNING: possible circular locking dependency detected
4.20.0+ #4 Not tainted
------------------------------------------------------
syz-executor3/10622 is trying to acquire lock:
0000000038c795f2 ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
but task is already holding lock:
00000000d8e555f3 (&rq->lock){-.-.}, at: rq_lock_irqsave kernel/sched/sched.h:1133 [inline]
00000000d8e555f3 (&rq->lock){-.-.}, at: load_balance+0xd1f/0x39d0 kernel/sched/fair.c:8972
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&rq->lock){-.-.}:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
rq_lock kernel/sched/sched.h:1149 [inline]
task_fork_fair+0xb5/0x7a0 kernel/sched/fair.c:10058
sched_fork+0x437/0xb90 kernel/sched/core.c:2359
copy_process+0x1ff6/0x8730 kernel/fork.c:1893
_do_fork+0x1a9/0x1170 kernel/fork.c:2222
kernel_thread+0x34/0x40 kernel/fork.c:2281
rest_init+0x28/0x37b init/main.c:409
arch_call_rest_init+0xe/0x1b
start_kernel+0x882/0x8bd init/main.c:741
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:470
x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:451
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
-> #1 (&p->pi_lock){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
try_to_wake_up+0xb9/0x1480 kernel/sched/core.c:1965
wake_up_process+0x10/0x20 kernel/sched/core.c:2129
__up.isra.0+0x1c0/0x2a0 kernel/locking/semaphore.c:262
up+0x13e/0x1c0 kernel/locking/semaphore.c:187
__up_console_sem+0xb7/0x1c0 kernel/printk/printk.c:236
console_unlock+0x778/0x11e0 kernel/printk/printk.c:2426
do_con_write+0x1021/0x2420 drivers/tty/vt/vt.c:2767
con_write+0x27/0xb0 drivers/tty/vt/vt.c:3116
process_output_block drivers/tty/n_tty.c:593 [inline]
n_tty_write+0x497/0x1220 drivers/tty/n_tty.c:2331
do_tty_write drivers/tty/tty_io.c:959 [inline]
tty_write+0x45b/0x7a0 drivers/tty/tty_io.c:1043
__vfs_write+0x116/0xb40 fs/read_write.c:485
vfs_write+0x20c/0x580 fs/read_write.c:549
ksys_write+0x105/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> #0 ((console_sem).lock){-.-.}:
lock_acquire+0x1db/0x570 kernel/locking/lockdep.c:3841
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
__down_trylock_console_sem+0xa8/0x210 kernel/printk/printk.c:219
console_trylock+0x15/0xa0 kernel/printk/printk.c:2242
console_trylock_spinning kernel/printk/printk.c:1662 [inline]
vprintk_emit+0x351/0x960 kernel/printk/printk.c:1930
vprintk_default+0x28/0x30 kernel/printk/printk.c:1958
vprintk_func+0x7e/0x189 kernel/printk/printk_safe.c:398
printk+0xba/0xed kernel/printk/printk.c:1991
__list_add_valid.cold+0xf/0x3c lib/list_debug.c:23
__list_add include/linux/list.h:60 [inline]
list_add include/linux/list.h:79 [inline]
list_move include/linux/list.h:171 [inline]
detach_tasks kernel/sched/fair.c:7557 [inline]
load_balance+0x1bdd/0x39d0 kernel/sched/fair.c:8979
rebalance_domains+0x815/0xf00 kernel/sched/fair.c:9366
run_rebalance_domains+0x376/0x4e0 kernel/sched/fair.c:9986
__do_softirq+0x30b/0xb11 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1b7/0x760 arch/x86/kernel/apic/apic.c:1062
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
arch_local_irq_restore arch/x86/include/asm/paravirt.h:766 [inline]
lock_is_held_type+0x17e/0x210 kernel/locking/lockdep.c:3881
lock_is_held include/linux/lockdep.h:337 [inline]
xa_entry include/linux/xarray.h:902 [inline]
xas_next_entry include/linux/xarray.h:1327 [inline]
filemap_map_pages+0xe7c/0x1cb0 mm/filemap.c:2610
do_fault_around mm/memory.c:3370 [inline]
do_read_fault mm/memory.c:3404 [inline]
do_fault mm/memory.c:3535 [inline]
handle_pte_fault mm/memory.c:3766 [inline]
__handle_mm_fault+0x3f57/0x5690 mm/memory.c:3890
handle_mm_fault+0x4ec/0xc80 mm/memory.c:3927
do_user_addr_fault arch/x86/mm/fault.c:1475 [inline]
__do_page_fault+0x5da/0xd60 arch/x86/mm/fault.c:1541
do_page_fault+0xe6/0x7d8 arch/x86/mm/fault.c:1572
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1143
other info that might help us debug this:
Chain exists of:
(console_sem).lock --> &p->pi_lock --> &rq->lock
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&rq->lock);
                               lock(&p->pi_lock);
                               lock(&rq->lock);
  lock((console_sem).lock);
*** DEADLOCK ***
5 locks held by syz-executor3/10622:
#0: 000000009af8786d (&mm->mmap_sem){++++}, at: do_user_addr_fault arch/x86/mm/fault.c:1416 [inline]
#0: 000000009af8786d (&mm->mmap_sem){++++}, at: __do_page_fault+0x339/0xd60 arch/x86/mm/fault.c:1541
#1: 00000000ef6595a2 (rcu_read_lock){....}, at: filemap_map_pages+0x33e/0x1cb0 mm/filemap.c:2606
#2: 00000000f76a6fb6 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: spin_lock include/linux/spinlock.h:329 [inline]
#2: 00000000f76a6fb6 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: pte_alloc_one_map mm/memory.c:3073 [inline]
#2: 00000000f76a6fb6 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: alloc_set_pte+0x1355/0x1e30 mm/memory.c:3202
#3: 00000000ef6595a2 (rcu_read_lock){....}, at: rebalance_domains+0x120/0xf00 kernel/sched/fair.c:9324
#4: 00000000d8e555f3 (&rq->lock){-.-.}, at: rq_lock_irqsave kernel/sched/sched.h:1133 [inline]
#4: 00000000d8e555f3 (&rq->lock){-.-.}, at: load_balance+0xd1f/0x39d0 kernel/sched/fair.c:8972
stack backtrace:
CPU: 0 PID: 10622 Comm: syz-executor3 Not tainted 4.20.0+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1224
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1979 [inline]
validate_chain kernel/locking/lockdep.c:2350 [inline]
__lock_acquire+0x3014/0x4a30 kernel/locking/lockdep.c:3338
lock_acquire+0x1db/0x570 kernel/locking/lockdep.c:3841
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
__down_trylock_console_sem+0xa8/0x210 kernel/printk/printk.c:219
console_trylock+0x15/0xa0 kernel/printk/printk.c:2242
console_trylock_spinning kernel/printk/printk.c:1662 [inline]
vprintk_emit+0x351/0x960 kernel/printk/printk.c:1930
vprintk_default+0x28/0x30 kernel/printk/printk.c:1958
vprintk_func+0x7e/0x189 kernel/printk/printk_safe.c:398
printk+0xba/0xed kernel/printk/printk.c:1991
__list_add_valid.cold+0xf/0x3c lib/list_debug.c:23
__list_add include/linux/list.h:60 [inline]
list_add include/linux/list.h:79 [inline]
list_move include/linux/list.h:171 [inline]
detach_tasks kernel/sched/fair.c:7557 [inline]
load_balance+0x1bdd/0x39d0 kernel/sched/fair.c:8979
rebalance_domains+0x815/0xf00 kernel/sched/fair.c:9366
run_rebalance_domains+0x376/0x4e0 kernel/sched/fair.c:9986
__do_softirq+0x30b/0xb11 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1b7/0x760 arch/x86/kernel/apic/apic.c:1062
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:766 [inline]
RIP: 0010:lock_is_held_type+0x17e/0x210 kernel/locking/lockdep.c:3881
Code: 00 00 00 fc ff df 41 c7 85 7c 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 75 63 48 83 3d 19 67 2f 08 00 74 30 48 89 df 57 9d <0f> 1f 44 00 00 48 83 c4 08 44 89 e0 5b 41 5c 41 5d 5d c3 48 83 c4
RSP: 0000:ffff888052cef7a8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13249e6 RBX: 0000000000000286 RCX: dffffc0000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000286
RBP: ffff888052cef7c8 R08: ffff888052d12440 R09: 0000000000000004
R10: 0000000000000000 R11: ffff8880ae62dc7b R12: 0000000000000000
R13: ffff888052d12440 R14: ffff888052cef8aa R15: ffff888052cefac8
lock_is_held include/linux/lockdep.h:337 [inline]
xa_entry include/linux/xarray.h:902 [inline]
xas_next_entry include/linux/xarray.h:1327 [inline]
filemap_map_pages+0xe7c/0x1cb0 mm/filemap.c:2610
do_fault_around mm/memory.c:3370 [inline]
do_read_fault mm/memory.c:3404 [inline]
do_fault mm/memory.c:3535 [inline]
handle_pte_fault mm/memory.c:3766 [inline]
__handle_mm_fault+0x3f57/0x5690 mm/memory.c:3890
handle_mm_fault+0x4ec/0xc80 mm/memory.c:3927
do_user_addr_fault arch/x86/mm/fault.c:1475 [inline]
__do_page_fault+0x5da/0xd60 arch/x86/mm/fault.c:1541
do_page_fault+0xe6/0x7d8 arch/x86/mm/fault.c:1572
page_fault+
Lost 9 message(s)!
Rebooting in 86400 seconds..
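The lockdep report above is a cycle in the lock-dependency graph: an edge A --> B is recorded the first time B is taken while A is held, and taking a lock that can already reach a currently held lock would close a cycle. The three stacks in the report contribute three edges: &p->pi_lock --> &rq->lock (sched_fork() holds pi_lock while task_fork_fair() takes rq->lock), (console_sem).lock --> &p->pi_lock (up(&console_sem) wakes a waiter through try_to_wake_up()), and the one that fails, &rq->lock --> (console_sem).lock (printk() from __list_add_valid() while load_balance() holds rq->lock). The C below is an added toy model of that check written for this page, not lockdep's code: it replays the three acquisitions and returns the chain in the order the report prints it under "Chain exists of". A run without the third acquisition shows the first two edges alone are harmless.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8

/* Lock classes that appear in the report, numbered as lockdep numbered them (#2, #1, #0). */
enum lock_class { RQ_LOCK, PI_LOCK, CONSOLE_SEM_LOCK, NCLASSES };

static const char *const lock_name[NCLASSES] = {
    "&rq->lock", "&p->pi_lock", "(console_sem).lock",
};

/* dep[a][b] is set once lock b has been acquired while lock a was held. */
struct dep_graph { bool dep[MAX_LOCKS][MAX_LOCKS]; };

/* Depth-first search for from -> ... -> to; on success `path` holds the locks along
 * it (from first, to last) and *len is its length. */
static bool find_path(const struct dep_graph *g, int from, int to,
                      bool *seen, int *path, int *len)
{
    path[(*len)++] = from;
    if (from == to)
        return true;
    seen[from] = true;
    for (int n = 0; n < MAX_LOCKS; n++)
        if (g->dep[from][n] && !seen[n] && find_path(g, n, to, seen, path, len))
            return true;
    (*len)--;
    return false;
}

/*
 * A context holding held[0..nheld) acquires new_lock.  Each held lock H gains the
 * edge H --> new_lock, unless the graph already contains new_lock -->* H: that edge
 * would close a cycle, which is what lockdep's check_noncircular() reports as a
 * "possible circular locking dependency".  Returns the index of the held lock the
 * cycle runs back to (with the path in cycle[0..*clen)), or -1 if the acquisition is fine.
 */
int lock_acquire(struct dep_graph *g, const int *held, int nheld, int new_lock,
                 int *cycle, int *clen)
{
    for (int i = 0; i < nheld; i++) {
        bool seen[MAX_LOCKS] = { false };
        if (held[i] == new_lock)
            continue;                   /* recursive locking is a separate check */
        *clen = 0;
        if (find_path(g, new_lock, held[i], seen, cycle, clen))
            return i;
        g->dep[held[i]][new_lock] = true;
    }
    *clen = 0;
    return -1;
}

/*
 * Replays the three contexts in the report.  The first two only record edges; the
 * third, printk() under rq->lock, closes the cycle.  Returns the 1-based step at
 * which a cycle was found, or 0 if none was.
 */
int replay_report(bool with_printk_under_rq_lock, int *cycle, int *clen)
{
    struct dep_graph g;
    memset(&g, 0, sizeof g);
    /* #2: copy_process -> sched_fork holds p->pi_lock; task_fork_fair takes rq->lock */
    const int held_fork[] = { PI_LOCK };
    if (lock_acquire(&g, held_fork, 1, RQ_LOCK, cycle, clen) >= 0)
        return 1;
    /* #1: console_unlock -> up(&console_sem) holds (console_sem).lock;
     *     try_to_wake_up takes p->pi_lock */
    const int held_up[] = { CONSOLE_SEM_LOCK };
    if (lock_acquire(&g, held_up, 1, PI_LOCK, cycle, clen) >= 0)
        return 2;
    if (!with_printk_under_rq_lock)
        return 0;
    /* #0: load_balance holds rq->lock; __list_add_valid -> printk -> console_trylock
     *     -> down_trylock takes (console_sem).lock */
    const int held_lb[] = { RQ_LOCK };
    if (lock_acquire(&g, held_lb, 1, CONSOLE_SEM_LOCK, cycle, clen) >= 0)
        return 3;
    return 0;
}

int main(void)
{
    int cycle[MAX_LOCKS], clen = 0;
    int step = replay_report(true, cycle, &clen);
    if (step) {
        printf("cycle closed at step %d; chain exists of:\n  ", step);
        for (int i = 0; i < clen; i++)
            printf("%s%s", lock_name[cycle[i]], i + 1 < clen ? " --> " : "\n");
    }
    return 0;
}
```

The model records only lock classes, as lockdep does, so one fork() plus one tty write are enough to make any later printk() under rq->lock a reported deadlock candidate even if that exact interleaving never happens; that is also why the report appears here at all, since the data-corruption printk from __list_add_valid() ran with rq->lock held.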