================================ WARNING: inconsistent lock state 6.9.0-rc6-syzkaller-00046-g18daea77cca6 #0 Not tainted -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. syz-executor.1/6980 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff88806b438a80 (lock#13){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ffff88806b438a80 (lock#13){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 {HARDIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_write_lock_killable include/linux/mmap_lock.h:125 [inline] __vm_munmap+0x2d8/0x3a0 mm/mmap.c:2969 __do_sys_munmap mm/mmap.c:2989 [inline] __se_sys_munmap mm/mmap.c:2986 [inline] __x64_sys_munmap+0x61/0x90 mm/mmap.c:2986 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f irq event stamp: 60 hardirqs last enabled at (59): [] irqentry_exit+0x3b/0x90 kernel/entry/common.c:357 hardirqs last disabled at (60): [] sysvec_call_function_single+0xe/0xb0 arch/x86/kernel/smp.c:266 softirqs last enabled at (0): [] copy_process+0x24cc/0x9090 kernel/fork.c:2336 softirqs last disabled at (0): [<0000000000000000>] 0x0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(lock#13); lock(lock#13); *** DEADLOCK *** 3 locks held by syz-executor.1/6980: #0: ffff88802906cdf0 (&vma->vm_lock->lock){++++}-{3:3}, at: vma_start_read include/linux/mm.h:677 [inline] #0: ffff88802906cdf0 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma_under_rcu+0x1e2/0x950 mm/memory.c:5762 #1: ffffffff8d7b0e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #1: ffffffff8d7b0e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #1: ffffffff8d7b0e20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline] #1: ffffffff8d7b0e20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xe4/0x420 kernel/trace/bpf_trace.c:2420 #2: ffff88801507d720 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:165 [inline] #2: ffff88801507d720 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x1e8/0x7d0 kernel/bpf/stackmap.c:141 stack backtrace: CPU: 2 PID: 6980 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller-00046-g18daea77cca6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_usage_bug kernel/locking/lockdep.c:3971 [inline] valid_state kernel/locking/lockdep.c:4013 [inline] mark_lock_irq kernel/locking/lockdep.c:4216 [inline] mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678 mark_usage kernel/locking/lockdep.c:4564 [inline] __lock_acquire+0x1359/0x3b30 kernel/locking/lockdep.c:5091 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] stack_map_get_build_id_offset+0x5df/0x7d0 kernel/bpf/stackmap.c:141 __bpf_get_stack+0x6bf/0x700 kernel/bpf/stackmap.c:449 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1985 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1975 ___bpf_prog_run+0x3e51/0xabd0 kernel/bpf/core.c:1997 __bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:650 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x229/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_tlb_flush+0xd2/0x110 include/trace/events/tlb.h:38 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38 csd_do_func kernel/smp.c:133 [inline] __flush_smp_call_function_queue+0x27a/0x8c0 kernel/smp.c:511 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0x90/0xb0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709 RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:218 [inline] RIP: 0010:unwind_next_frame+0x289/0x23a0 arch/x86/kernel/unwind_orc.c:494 Code: 90 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 df f1 ab 00 42 8b 04 b5 3c 5e df 90 <41> 83 c5 01 4a 8d 3c ad 3c 5e df 90 48 89 fa 48 c1 ea 03 89 44 24 RSP: 0000:ffffc900036cf460 EFLAGS: 00000246 RAX: 000000000002e5ca RBX: ffffc900036cf4e0 RCX: ffffc90005c4d000 RDX: 0000000000000000 RSI: ffffffff813d191b RDI: ffffffff90e2acf0 RBP: 0000000000000001 R08: 0000000000000004 R09: 000000000000d3ad R10: 00000000000a0000 R11: dffffc0000000000 R12: ffffffff81d3ada5 R13: 000000000000d3ad R14: 000000000000d3ad R15: ffffc900036cf515 arch_stack_walk+0x100/0x170 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122 save_stack+0x162/0x1f0 mm/page_owner.c:156 __set_page_owner+0x8a/0x560 mm/page_owner.c:325 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534 prep_new_page mm/page_alloc.c:1541 [inline] get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575 alloc_pages_mpol+0x275/0x610 mm/mempolicy.c:2264 vma_alloc_folio+0xad/0x160 mm/mempolicy.c:2303 folio_prealloc mm/memory.c:1046 [inline] alloc_anon_folio mm/memory.c:4375 [inline] do_anonymous_page mm/memory.c:4433 [inline] do_pte_missing mm/memory.c:3878 [inline] handle_pte_fault mm/memory.c:5300 [inline] __handle_mm_fault+0x2705/0x4a80 mm/memory.c:5441 handle_mm_fault+0x476/0xa00 mm/memory.c:5606 do_user_addr_fault+0x426/0x1080 arch/x86/mm/fault.c:1362 handle_page_fault arch/x86/mm/fault.c:1505 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1563 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0033:0x7f6197c2c8f1 Code: 25 b7 ff ff 48 89 d7 e8 7d dc ff ff 48 89 c7 e8 75 dc ff ff 0f 1f 44 00 00 41 57 41 56 41 55 41 54 55 53 48 81 ec 88 01 00 00 <48> 89 7c 24 38 48 89 74 24 30 48 89 54 24 28 48 89 4c 24 20 4c 89 RSP: 002b:00007f6198933f00 EFLAGS: 00010206 RAX: 00007f6197c2c8e0 RBX: 00007f6197dabf80 RCX: 0000000020000300 RDX: 0000000001008002 RSI: 00000000200005c0 RDI: 0000000020000580 RBP: 00007f6197cca4a4 R08: 0000000000000001 R09: 00000000000005d8 R10: 0000000020000580 R11: 0000000001008002 R12: 0000000000000000 R13: 000000000000000b R14: 00007f6197dabf80 R15: 00007fff90bcc1b8 ---------------- Code disassembly (best guess): 0: 90 nop 1: 48 89 fa mov %rdi,%rdx 4: 48 c1 ea 03 shr $0x3,%rdx 8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx c: 48 89 f8 mov %rdi,%rax f: 83 e0 07 and $0x7,%eax 12: 83 c0 03 add $0x3,%eax 15: 38 d0 cmp %dl,%al 17: 7c 09 jl 0x22 19: 84 d2 test %dl,%dl 1b: 74 05 je 0x22 1d: e8 df f1 ab 00 call 0xabf201 22: 42 8b 04 b5 3c 5e df mov -0x6f20a1c4(,%r14,4),%eax 29: 90 * 2a: 41 83 c5 01 add $0x1,%r13d <-- trapping instruction 2e: 4a 8d 3c ad 3c 5e df lea -0x6f20a1c4(,%r13,4),%rdi 35: 90 36: 48 89 fa mov %rdi,%rdx 39: 48 c1 ea 03 shr $0x3,%rdx 3d: 89 .byte 0x89 3e: 44 rex.R 3f: 24 .byte 0x24