================================
WARNING: inconsistent lock state
6.10.0-rc2-syzkaller-00824-gfd8db07705c5 #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
sshd/5097 [HC1[1]:SC0[2]:HE0:SE0] takes:
ffff8880b94387e8 (lock#9){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
ffff8880b94387e8 (lock#9){?.+.}-{2:2}, at: __mmap_lock_do_trace_start_locking+0x83/0x620 mm/mmap_lock.c:230
{HARDIRQ-ON-W} state was registered at:
  lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
  local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
  __mmap_lock_do_trace_start_locking+0x9c/0x620 mm/mmap_lock.c:230
  __mmap_lock_trace_start_locking include/linux/mmap_lock.h:29 [inline]
  mmap_read_lock include/linux/mmap_lock.h:143 [inline]
  process_vm_rw_single_vec mm/process_vm_access.c:105 [inline]
  process_vm_rw_core mm/process_vm_access.c:216 [inline]
  process_vm_rw+0xa27/0xcf0 mm/process_vm_access.c:284
  __do_sys_process_vm_readv mm/process_vm_access.c:296 [inline]
  __se_sys_process_vm_readv mm/process_vm_access.c:292 [inline]
  __x64_sys_process_vm_readv+0xe0/0x100 mm/process_vm_access.c:292
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
irq event stamp: 25957
hardirqs last  enabled at (25956): [<ffffffff8b86a773>] irqentry_exit+0x63/0x90 kernel/entry/common.c:357
hardirqs last disabled at (25957): [<ffffffff8b86833e>] sysvec_apic_timer_interrupt+0xe/0xc0 arch/x86/kernel/apic/apic.c:1043
softirqs last  enabled at (25940): [<ffffffff89a2072f>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last  enabled at (25940): [<ffffffff89a2072f>] nf_conntrack_tcp_packet+0x23ff/0x57f0 net/netfilter/nf_conntrack_proto_tcp.c:1294
softirqs last disabled at (25950): [<ffffffff89578cb2>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last disabled at (25950): [<ffffffff89578cb2>] rcu_read_lock_bh include/linux/rcupdate.h:833 [inline]
softirqs last disabled at (25950): [<ffffffff89578cb2>] __dev_queue_xmit+0x2d2/0x3d30 net/core/dev.c:4318

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(lock#9);
  <Interrupt>
    lock(lock#9);

 *** DEADLOCK ***

10 locks held by sshd/5097:
 #0: ffff88802de1bf98 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1602 [inline]
 #0: ffff88802de1bf98 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x22/0x50 net/ipv4/tcp.c:1352
 #1: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #1: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
 #1: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit+0x5f/0x1b70 net/ipv4/ip_output.c:470
 #2: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #2: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
 #2: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1380 net/ipv4/ip_output.c:228
 #3: ffffffff8e334000 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #3: ffffffff8e334000 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:833 [inline]
 #3: ffffffff8e334000 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2d2/0x3d30 net/core/dev.c:4318
 #4: ffff88801c2e5258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #4: ffff88801c2e5258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:197 [inline]
 #4: ffff88801c2e5258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3794 [inline]
 #4: ffff88801c2e5258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x12ae/0x3d30 net/core/dev.c:4359
 #5: ffff888140e8c0d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #5: ffff888140e8c0d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4347 [inline]
 #5: ffff888140e8c0d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:341
 #6: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #6: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
 #6: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: dev_queue_xmit_nit+0x2b/0xc10 net/core/dev.c:2292
 #7: ffff8880b942c898 (hrtimer_bases.lock){-.-.}-{2:2}, at: hrtimer_interrupt+0xfb/0x990 kernel/time/hrtimer.c:1794
 #8: ffffffff8e34e0c8 (tk_core.seq.seqcount){----}-{0:0}, at: ktime_get_update_offsets_now+0x3c/0x250 kernel/time/timekeeping.c:2320
 #9: ffffffff8e333fa0 (rcu_read_lock){....}-{1:2}, at: trace_call_bpf+0xbc/0x8a0

stack backtrace:
CPU: 0 PID: 5097 Comm: sshd Not tainted 6.10.0-rc2-syzkaller-00824-gfd8db07705c5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 valid_state+0x13a/0x1c0 kernel/locking/lockdep.c:4013
 mark_lock_irq+0xbb/0xc20 kernel/locking/lockdep.c:4216
 mark_lock+0x223/0x350 kernel/locking/lockdep.c:4678
 mark_usage kernel/locking/lockdep.c:4564 [inline]
 __lock_acquire+0xb8e/0x1fd0 kernel/locking/lockdep.c:5091
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
 local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
 __mmap_lock_do_trace_start_locking+0x9c/0x620 mm/mmap_lock.c:230
 __mmap_lock_trace_start_locking include/linux/mmap_lock.h:29 [inline]
 mmap_read_trylock include/linux/mmap_lock.h:162 [inline]
 stack_map_get_build_id_offset+0x98a/0x9d0 kernel/bpf/stackmap.c:141
 __bpf_get_stack+0x4ad/0x5a0 kernel/bpf/stackmap.c:449
 bpf_prog_e6cf5f9c69743609+0x42/0x46
 bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
 __bpf_prog_run include/linux/filter.h:691 [inline]
 bpf_prog_run include/linux/filter.h:698 [inline]
 bpf_prog_run_array include/linux/bpf.h:2104 [inline]
 trace_call_bpf+0x369/0x8a0 kernel/trace/bpf_trace.c:147
 perf_trace_run_bpf_submit+0x7c/0x1d0 kernel/events/core.c:10269
 perf_trace_lock+0x388/0x490 include/trace/events/lock.h:50
 trace_lock_release include/trace/events/lock.h:69 [inline]
 lock_release+0x986/0x9f0 kernel/locking/lockdep.c:5765
 seqcount_lockdep_reader_access+0x10f/0x220 include/linux/seqlock.h:71
 ktime_get_update_offsets_now+0x3c/0x250 kernel/time/timekeeping.c:2320
 hrtimer_update_base kernel/time/hrtimer.c:634 [inline]
 hrtimer_interrupt+0x133/0x990 kernel/time/hrtimer.c:1795
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
 __sysvec_apic_timer_interrupt+0x110/0x3f0 arch/x86/kernel/apic/apic.c:1049
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:___slab_alloc+0x4f7/0x14b0 mm/slub.c:3596
Code: e9 78 fb ff ff e8 79 88 95 09 f7 c3 00 02 00 00 74 18 e9 8e fe ff ff 48 c7 43 10 00 00 00 00 4c 89 ff 48 89 de e8 f9 15 00 00 <49> 83 7c 24 18 00 0f 84 89 06 00 00 48 c7 44 24 60 00 00 00 00 9c
RSP: 0018:ffffc900034ceaf0 EFLAGS: 00000206
RAX: 1c203612e1458500 RBX: 0000000000000246 RCX: ffffffff8172d6ba
RDX: dffffc0000000000 RSI: ffffffff8bcabb80 RDI: ffffffff8c1fef40
RBP: ffff8880b9446700 R08: ffffffff92fab647 R09: 1ffffffff25f56c8
R10: dffffc0000000000 R11: fffffbfff25f56c9 R12: ffff8880b94466e0
R13: ffff88802c570000 R14: 00000000ffffffff R15: ffff888018ae3780
 __slab_alloc+0x58/0xa0 mm/slub.c:3756
 __slab_alloc_node mm/slub.c:3809 [inline]
 slab_alloc_node mm/slub.c:3988 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4007
 skb_clone+0x20c/0x390 net/core/skbuff.c:2052
 dev_queue_xmit_nit+0x419/0xc10 net/core/dev.c:2311
 xmit_one net/core/dev.c:3574 [inline]
 dev_hard_start_xmit+0x15f/0x7e0 net/core/dev.c:3594
 sch_direct_xmit+0x2b6/0x5f0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:3807 [inline]
 __dev_queue_xmit+0x1a24/0x3d30 net/core/dev.c:4359
 dev_queue_xmit include/linux/netdevice.h:3095 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip_finish_output2+0xd41/0x1380 net/ipv4/ip_output.c:235
 ip_local_out net/ipv4/ip_output.c:129 [inline]
 __ip_queue_xmit+0x118c/0x1b70 net/ipv4/ip_output.c:535
 __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466
 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
 tcp_write_xmit+0x18b4/0x6a10 net/ipv4/tcp_output.c:2829
 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3014
 tcp_sendmsg_locked+0x43b1/0x4e10 net/ipv4/tcp.c:1321
 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1353
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:745
 sock_write_iter+0x2dd/0x400 net/socket.c:1160
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa72/0xc90 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f40f5516bf2
Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffe6eb54e88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000002c RCX: 00007f40f5516bf2
RDX: 000000000000002c RSI: 00005629ab4a7960 RDI: 0000000000000004
RBP: 00005629ab4b03f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000056297fd96aa4
R13: 000000000000004a R14: 000056297fd973e8 R15: 00007ffe6eb54ef8
 </TASK>
----------------
Code disassembly (best guess):
   0:	e9 78 fb ff ff       	jmp    0xfffffb7d
   5:	e8 79 88 95 09       	call   0x9958883
   a:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  10:	74 18                	je     0x2a
  12:	e9 8e fe ff ff       	jmp    0xfffffea5
  17:	48 c7 43 10 00 00 00 	movq   $0x0,0x10(%rbx)
  1e:	00
  1f:	4c 89 ff             	mov    %r15,%rdi
  22:	48 89 de             	mov    %rbx,%rsi
  25:	e8 f9 15 00 00       	call   0x1623
* 2a:	49 83 7c 24 18 00    	cmpq   $0x0,0x18(%r12) <-- trapping instruction
  30:	0f 84 89 06 00 00    	je     0x6bf
  36:	48 c7 44 24 60 00 00 	movq   $0x0,0x60(%rsp)
  3d:	00 00
  3f:	9c                   	pushf