=============================
[ BUG: Invalid wait context ]
6.12.0-next-20241119-syzkaller #0 Not tainted
-----------------------------
syz.2.1878/12255 is trying to lock:
ffff8880b86429c0 (&c->lock){-.-.}-{3:3}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
ffff8880b86429c0 (&c->lock){-.-.}-{3:3}, at: ___slab_alloc+0x265/0x14b0 mm/slub.c:3692
other info that might help us debug this:
context-{2:2}
2 locks held by syz.2.1878/12255:
#0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: ieee80211_rx_napi+0xd6/0x3c0 net/mac80211/rx.c:5491
#1: ffff888056c80168 (&rdev->bss_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#1: ffff888056c80168 (&rdev->bss_lock){+.-.}-{3:3}, at: cfg80211_inform_single_bss_data+0xd6e/0x2090 net/wireless/scan.c:2329
stack backtrace:
CPU: 0 UID: 0 PID: 12255 Comm: syz.2.1878 Not tainted 6.12.0-next-20241119-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_lock_invalid_wait_context kernel/locking/lockdep.c:4826 [inline]
check_wait_context kernel/locking/lockdep.c:4898 [inline]
__lock_acquire+0x15a8/0x2100 kernel/locking/lockdep.c:5176
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
___slab_alloc+0x27e/0x14b0 mm/slub.c:3692
__slab_alloc+0x58/0xa0 mm/slub.c:3905
__slab_alloc_node mm/slub.c:3980 [inline]
slab_alloc_node mm/slub.c:4141 [inline]
__kmalloc_cache_noprof+0x27b/0x390 mm/slub.c:4309
kmalloc_noprof include/linux/slab.h:901 [inline]
add_stack_record_to_list mm/page_owner.c:172 [inline]
inc_stack_record_count mm/page_owner.c:214 [inline]
__set_page_owner+0x55f/0x800 mm/page_owner.c:329
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0x3725/0x3870 mm/page_alloc.c:3510
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4787
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
stack_depot_save_flags+0x666/0x830 lib/stackdepot.c:627
kasan_save_stack+0x4f/0x60 mm/kasan/common.c:48
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:544
task_work_add+0xd9/0x490 kernel/task_work.c:77
__run_posix_cpu_timers kernel/time/posix-cpu-timers.c:1223 [inline]
run_posix_cpu_timers+0x6ac/0x810 kernel/time/posix-cpu-timers.c:1422
tick_sched_handle kernel/time/tick-sched.c:276 [inline]
tick_nohz_handler+0x37c/0x500 kernel/time/tick-sched.c:297
__run_hrtimer kernel/time/hrtimer.c:1739 [inline]
__hrtimer_run_queues+0x551/0xd50 kernel/time/hrtimer.c:1803
hrtimer_interrupt+0x403/0xa40 kernel/time/hrtimer.c:1865
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline]
__sysvec_apic_timer_interrupt+0x110/0x420 arch/x86/kernel/apic/apic.c:1055
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:211 [inline]
RIP: 0010:unwind_next_frame+0x19c/0x22d0 arch/x86/kernel/unwind_orc.c:494
Code: f8 00 00 00 48 c7 c0 00 00 00 81 4d 89 fe 49 29 c6 49 c1 ee 08 48 c7 c0 e4 2c 47 91 48 c7 c1 e8 2c 73 91 48 29 c1 48 c1 e9 02 <31> d2 80 3d 53 e5 e0 0c 00 0f 45 d1 8d 42 ff 44 39 f0 0f 86 55 18
RSP: 0018:ffffc900000069f0 EFLAGS: 00000202
RAX: ffffffff91472ce4 RBX: ffffc90000006b08 RCX: 00000000000b0001
RDX: dffffc0000000000 RSI: ffffffff8bc86c0e RDI: 0000000000000001
RBP: ffffc90000006af5 R08: 0000000000000016 R09: ffffc90000006bb0
R10: ffffc90000006b10 R11: ffffffff818b35d0 R12: dffffc0000000000
R13: ffffc90000006ac0 R14: 00000000000ac86c R15: ffffffff8bc86c0d
arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kfree+0x196/0x420 mm/slub.c:4746
ieee80211_inform_bss+0xbb2/0x1080 net/mac80211/scan.c:160
rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
cfg80211_inform_single_bss_data+0xec1/0x2090 net/wireless/scan.c:2334
cfg80211_inform_bss_data+0x3ce/0x5e80 net/wireless/scan.c:3189
cfg80211_inform_bss_frame_data+0x3b8/0x720 net/wireless/scan.c:3284
ieee80211_bss_info_update+0x8a7/0xbc0 net/mac80211/scan.c:226
ieee80211_scan_rx+0x526/0x9c0 net/mac80211/scan.c:340
__ieee80211_rx_handle_packet net/mac80211/rx.c:5232 [inline]
ieee80211_rx_list+0x2c44/0x3810 net/mac80211/rx.c:5469
ieee80211_rx_napi+0x18a/0x3c0 net/mac80211/rx.c:5492
ieee80211_rx include/net/mac80211.h:5163 [inline]
ieee80211_handle_queued_frames+0xe7/0x1e0 net/mac80211/main.c:441
tasklet_action_common+0x426/0x620 kernel/softirq.c:804
handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf7/0x220 kernel/softirq.c:655
irq_exit_rcu+0x9/0x30 kernel/softirq.c:671
instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
sysvec_call_function_single+0xa3/0xc0 arch/x86/kernel/smp.c:266
asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:finish_task_switch+0x1ea/0x870 kernel/sched/core.c:5243
Code: c9 50 e8 79 07 0c 00 48 83 c4 08 4c 89 f7 e8 9d 39 00 00 e9 de 04 00 00 4c 89 f7 e8 50 7e 5c 0a e8 8b 9f 38 00 fb 48 8b 5d c0 <48> 8d bb f8 15 00 00 48 89 f8 48 c1 e8 03 49 be 00 00 00 00 00 fc
RSP: 0018:ffffc900032dfc88 EFLAGS: 00000282
RAX: 3c6c8280960d3f00 RBX: ffff888033e7bc00 RCX: ffffffff9a391903
RDX: dffffc0000000000 RSI: ffffffff8c0a9640 RDI: ffffffff8c5e8720
RBP: ffffc900032dfcd0 R08: ffffffff90185bf7 R09: 1ffffffff2030b7e
R10: dffffc0000000000 R11: fffffbfff2030b7f R12: 1ffff110170c7edc
R13: dffffc0000000000 R14: ffff8880b863e8c0 R15: ffff8880b863f6e0
context_switch kernel/sched/core.c:5372 [inline]
__schedule+0x1858/0x4c30 kernel/sched/core.c:6756
__schedule_loop kernel/sched/core.c:6833 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6848
exit_to_user_mode_loop kernel/entry/common.c:102 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
irqentry_exit_to_user_mode+0x5e/0x250 kernel/entry/common.c:231
asm_sysvec_reschedule_ipi+0x1a/0x20 arch/x86/include/asm/idtentry.h:707
RIP: 0033:0x7f549c23eeb0
Code: 0e 00 eb 9d 66 0f 1f 44 00 00 48 89 df 31 f6 31 c0 e8 84 e1 13 00 48 81 c4 90 00 00 00 48 98 5b c3 66 0f 1f 84 00 00 00 00 00 <41> 54 55 53 48 89 fb 48 81 ec d0 00 00 00 48 89 74 24 28 48 89 54
RSP: 002b:00007f549c1b7058 EFLAGS: 00000216
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f549c3f3cb3
RDX: 0000000000084188 RSI: 0000000000000002 RDI: 00007f549c3f2969
RBP: 00007f549c3f3cb3 R08: 0000000000000000 R09: 7fffffffffffffff
R10: 00007f549c1fa038 R11: 0000000000000010 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f549c536130 R15: 00007ffe21da37f8
vkms_vblank_simulate: vblank timer overrun
----------------
Code disassembly (best guess):
0: f8 clc
1: 00 00 add %al,(%rax)
3: 00 48 c7 add %cl,-0x39(%rax)
6: c0 00 00 rolb $0x0,(%rax)
9: 00 81 4d 89 fe 49 add %al,0x49fe894d(%rcx)
f: 29 c6 sub %eax,%esi
11: 49 c1 ee 08 shr $0x8,%r14
15: 48 c7 c0 e4 2c 47 91 mov $0xffffffff91472ce4,%rax
1c: 48 c7 c1 e8 2c 73 91 mov $0xffffffff91732ce8,%rcx
23: 48 29 c1 sub %rax,%rcx
26: 48 c1 e9 02 shr $0x2,%rcx
* 2a: 31 d2 xor %edx,%edx <-- trapping instruction
2c: 80 3d 53 e5 e0 0c 00 cmpb $0x0,0xce0e553(%rip) # 0xce0e586
33: 0f 45 d1 cmovne %ecx,%edx
36: 8d 42 ff lea -0x1(%rdx),%eax
39: 44 39 f0 cmp %r14d,%eax
3c: 0f .byte 0xf
3d: 86 55 18 xchg %dl,0x18(%rbp)