===================================================== WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected 6.9.0-rc2-syzkaller-00002-g026e680b0a08 #0 Not tainted ----------------------------------------------------- syz-executor.2/12509 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire: ffff88805c6c6820 (&htab->buckets[i].lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffff88805c6c6820 (&htab->buckets[i].lock){+.-.}-{2:2}, at: sock_hash_delete_elem+0xd4/0x360 net/core/sock_map.c:939 and this task is already holding: ffff88801da943f0 (&dev->event_lock){-.-.}-{2:2}, at: drm_atomic_helper_fake_vblank+0x168/0x2e0 drivers/gpu/drm/drm_atomic_helper.c:2465 which would create a new lock dependency: (&dev->event_lock){-.-.}-{2:2} -> (&htab->buckets[i].lock){+.-.}-{2:2} but this new dependency connects a HARDIRQ-irq-safe lock: (&dev->event_lock){-.-.}-{2:2} ... which became HARDIRQ-irq-safe at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 drm_handle_vblank+0x125/0xbf0 drivers/gpu/drm/drm_vblank.c:1885 vkms_vblank_simulate+0xed/0x3e0 drivers/gpu/drm/vkms/vkms_crtc.c:29 __run_hrtimer kernel/time/hrtimer.c:1692 [inline] __hrtimer_run_queues+0x20c/0xcc0 kernel/time/hrtimer.c:1756 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1818 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline] __sysvec_apic_timer_interrupt+0x10f/0x450 arch/x86/kernel/apic/apic.c:1049 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline] default_idle+0xf/0x20 
arch/x86/kernel/process.c:742 default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117 cpuidle_idle_call kernel/sched/idle.c:191 [inline] do_idle+0x32c/0x3f0 kernel/sched/idle.c:332 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430 start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:313 common_startup_64+0x13e/0x148 to a HARDIRQ-irq-unsafe lock: (&htab->buckets[i].lock){+.-.}-{2:2} ... which became HARDIRQ-irq-unsafe at: ... lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] sock_hash_free+0x130/0x820 net/core/sock_map.c:1154 bpf_map_free_deferred+0x1ce/0x420 kernel/bpf/syscall.c:734 process_one_work+0x902/0x1a30 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416 kthread+0x2c1/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
other info that might help us debug this:
 Possible interrupt unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&htab->buckets[i].lock);
                               local_irq_disable();
                               lock(&dev->event_lock);
                               lock(&htab->buckets[i].lock);
  <Interrupt>
    lock(&dev->event_lock);
 *** DEADLOCK ***
8 locks held by syz-executor.2/12509: #0: ffff88801da942f8 (&dev->clientlist_mutex){+.+.}-{3:3}, at: drm_client_dev_restore+0xd8/0x2a0 drivers/gpu/drm/drm_client.c:242 #1: ffff888018ecda80 (&helper->lock){+.+.}-{3:3}, at: __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:242 [inline] #1: ffff888018ecda80 (&helper->lock){+.+.}-{3:3}, at: __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:230 [inline] #1: ffff888018ecda80 (&helper->lock){+.+.}-{3:3}, at: drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:278 [inline] #1: 
ffff888018ecda80 (&helper->lock){+.+.}-{3:3}, at: drm_fb_helper_lastclose+0xbf/0x160 drivers/gpu/drm/drm_fb_helper.c:2005 #2: ffff88801da941b0 (&dev->master_mutex){+.+.}-{3:3}, at: drm_master_internal_acquire+0x21/0x80 drivers/gpu/drm/drm_auth.c:452 #3: ffff888018ecd898 (&client->modeset_mutex){+.+.}-{3:3}, at: drm_client_modeset_commit_locked+0x4c/0x580 drivers/gpu/drm/drm_client_modeset.c:1152 #4: ffffc90003df7c50 (crtc_ww_class_acquire){+.+.}-{0:0}, at: drm_client_modeset_commit_atomic+0xd0/0x810 drivers/gpu/drm/drm_client_modeset.c:990 #5: ffff888015eac8d0 (crtc_ww_class_mutex){+.+.}-{3:3}, at: modeset_lock+0x488/0x6c0 drivers/gpu/drm/drm_modeset_lock.c:314 #6: ffff88801da943f0 (&dev->event_lock){-.-.}-{2:2}, at: drm_atomic_helper_fake_vblank+0x168/0x2e0 drivers/gpu/drm/drm_atomic_helper.c:2465 #7: ffffffff8d7b4c20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #7: ffffffff8d7b4c20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #7: ffffffff8d7b4c20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline] #7: ffffffff8d7b4c20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xe4/0x420 kernel/trace/bpf_trace.c:2420 the dependencies between HARDIRQ-irq-safe lock and the holding lock: -> (&dev->event_lock){-.-.}-{2:2} { IN-HARDIRQ-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 drm_handle_vblank+0x125/0xbf0 drivers/gpu/drm/drm_vblank.c:1885 vkms_vblank_simulate+0xed/0x3e0 drivers/gpu/drm/vkms/vkms_crtc.c:29 __run_hrtimer kernel/time/hrtimer.c:1692 [inline] __hrtimer_run_queues+0x20c/0xcc0 kernel/time/hrtimer.c:1756 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1818 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline] 
__sysvec_apic_timer_interrupt+0x10f/0x450 arch/x86/kernel/apic/apic.c:1049 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline] default_idle+0xf/0x20 arch/x86/kernel/process.c:742 default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117 cpuidle_idle_call kernel/sched/idle.c:191 [inline] do_idle+0x32c/0x3f0 kernel/sched/idle.c:332 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430 start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:313 common_startup_64+0x13e/0x148 IN-SOFTIRQ-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 drm_handle_vblank+0x125/0xbf0 drivers/gpu/drm/drm_vblank.c:1885 vkms_vblank_simulate+0xed/0x3e0 drivers/gpu/drm/vkms/vkms_crtc.c:29 __run_hrtimer kernel/time/hrtimer.c:1692 [inline] __hrtimer_run_queues+0x20c/0xcc0 kernel/time/hrtimer.c:1756 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1818 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline] __sysvec_apic_timer_interrupt+0x10f/0x450 arch/x86/kernel/apic/apic.c:1049 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __sanitizer_cov_trace_cmp8+0x0/0x20 kernel/kcov.c:278 __orc_find+0xc4/0x130 arch/x86/kernel/unwind_orc.c:102 orc_find arch/x86/kernel/unwind_orc.c:227 [inline] unwind_next_frame+0x335/0x23a0 arch/x86/kernel/unwind_orc.c:494 arch_stack_walk+0x100/0x170 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x95/0xd0 
kernel/stacktrace.c:122 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541 __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2734 __put_cred+0x110/0x170 kernel/cred.c:110 put_cred_many include/linux/cred.h:267 [inline] put_cred_many include/linux/cred.h:261 [inline] exit_creds+0x19e/0x210 kernel/cred.c:131 __put_task_struct+0x128/0x3d0 kernel/fork.c:977 put_task_struct include/linux/sched/task.h:138 [inline] put_task_struct include/linux/sched/task.h:125 [inline] delayed_put_task_struct+0x22c/0x300 kernel/exit.c:229 rcu_do_batch kernel/rcu/tree.c:2196 [inline] rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2471 __do_softirq+0x218/0x922 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:924 [inline] run_ksoftirqd+0x35/0x60 kernel/softirq.c:916 smpboot_thread_fn+0x661/0xa10 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] vkms_crtc_atomic_flush+0x98/0x2b0 drivers/gpu/drm/vkms/vkms_crtc.c:253 drm_atomic_helper_commit_planes+0x61c/0x1000 drivers/gpu/drm/drm_atomic_helper.c:2820 vkms_atomic_commit_tail+0x5e/0x240 drivers/gpu/drm/vkms/vkms_drv.c:73 commit_tail+0x284/0x410 drivers/gpu/drm/drm_atomic_helper.c:1832 drm_atomic_helper_commit+0x2fd/0x380 drivers/gpu/drm/drm_atomic_helper.c:2072 drm_atomic_commit+0x227/0x300 drivers/gpu/drm/drm_atomic.c:1514 drm_client_modeset_commit_atomic+0x6c6/0x810 drivers/gpu/drm/drm_client_modeset.c:1051 drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1154 drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1180 
__drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:251 [inline] __drm_fb_helper_restore_fbdev_mode_unlocked+0x130/0x180 drivers/gpu/drm/drm_fb_helper.c:230 drm_fb_helper_set_par+0xd8/0x120 drivers/gpu/drm/drm_fb_helper.c:1344 fbcon_init+0x880/0x1890 drivers/video/fbdev/core/fbcon.c:1093 visual_init+0x31d/0x620 drivers/tty/vt/vt.c:1011 do_bind_con_driver.isra.0+0x57a/0xbf0 drivers/tty/vt/vt.c:3823 do_take_over_console+0x4f4/0x650 drivers/tty/vt/vt.c:4389 do_fbcon_takeover+0xe8/0x210 drivers/video/fbdev/core/fbcon.c:531 do_fb_registered drivers/video/fbdev/core/fbcon.c:2968 [inline] fbcon_fb_registered+0x375/0x670 drivers/video/fbdev/core/fbcon.c:2988 do_register_framebuffer drivers/video/fbdev/core/fbmem.c:449 [inline] register_framebuffer+0x485/0x840 drivers/video/fbdev/core/fbmem.c:515 __drm_fb_helper_initial_config_and_unlock+0xecb/0x1660 drivers/gpu/drm/drm_fb_helper.c:1871 drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1936 [inline] drm_fb_helper_initial_config+0x44/0x60 drivers/gpu/drm/drm_fb_helper.c:1928 drm_fbdev_generic_client_hotplug+0x1a6/0x280 drivers/gpu/drm/drm_fbdev_generic.c:279 drm_client_register+0x195/0x280 drivers/gpu/drm/drm_client.c:141 drm_fbdev_generic_setup+0x184/0x340 drivers/gpu/drm/drm_fbdev_generic.c:341 vkms_create drivers/gpu/drm/vkms/vkms_drv.c:226 [inline] vkms_init+0x62d/0x760 drivers/gpu/drm/vkms/vkms_drv.c:252 do_one_initcall+0x128/0x630 init/main.c:1238 do_initcall_level init/main.c:1300 [inline] do_initcalls init/main.c:1316 [inline] do_basic_setup init/main.c:1335 [inline] kernel_init_freeable+0x660/0xc50 init/main.c:1548 kernel_init+0x1c/0x2b0 init/main.c:1437 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 } ... 
key at: [] __key.5+0x0/0x40 the dependencies between the lock to be acquired and HARDIRQ-irq-unsafe lock: -> (&htab->buckets[i].lock){+.-.}-{2:2} { HARDIRQ-ON-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] sock_hash_free+0x130/0x820 net/core/sock_map.c:1154 bpf_map_free_deferred+0x1ce/0x420 kernel/bpf/syscall.c:734 process_one_work+0x902/0x1a30 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416 kthread+0x2c1/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 IN-SOFTIRQ-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] sock_hash_delete_elem+0xd4/0x360 net/core/sock_map.c:939 0xffffffffa0002513 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x151/0x420 kernel/trace/bpf_trace.c:2420 trace_kfree include/trace/events/kmem.h:94 [inline] kfree+0x225/0x390 mm/slub.c:4377 skb_kfree_head net/core/skbuff.c:1096 [inline] skb_free_head+0x110/0x1e0 net/core/skbuff.c:1108 skb_release_data+0x76c/0x990 net/core/skbuff.c:1136 skb_release_all net/core/skbuff.c:1202 [inline] napi_consume_skb+0x15c/0x2b0 net/core/skbuff.c:1512 e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970 e1000_clean_tx_irq 
drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline] e1000_clean+0x4a0/0x2840 drivers/net/ethernet/intel/e1000/e1000_main.c:3801 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6632 napi_poll net/core/dev.c:6701 [inline] net_rx_action+0x9ad/0xf10 net/core/dev.c:6816 __do_softirq+0x218/0x922 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:851 [inline] __dev_queue_xmit+0x879/0x3f20 net/core/dev.c:4362 dev_queue_xmit include/linux/netdevice.h:3091 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output include/net/neighbour.h:540 [inline] ip_finish_output2+0x16bf/0x2590 net/ipv4/ip_output.c:235 __ip_finish_output net/ipv4/ip_output.c:313 [inline] __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:295 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433 dst_output include/net/dst.h:450 [inline] ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:129 __ip_queue_xmit+0x747/0x1940 net/ipv4/ip_output.c:535 __tcp_transmit_skb+0x29c1/0x3da0 net/ipv4/tcp_output.c:1462 __tcp_send_ack.part.0+0x390/0x720 net/ipv4/tcp_output.c:4232 __tcp_send_ack net/ipv4/tcp_output.c:4238 [inline] tcp_send_ack+0x82/0xa0 net/ipv4/tcp_output.c:4238 __tcp_cleanup_rbuf+0x278/0x4b0 net/ipv4/tcp.c:1492 tcp_recvmsg_locked+0x1158/0x24d0 net/ipv4/tcp.c:2548 tcp_recvmsg+0x12e/0x680 net/ipv4/tcp.c:2578 inet_recvmsg+0x12b/0x6a0 net/ipv4/af_inet.c:883 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x1b2/0x250 net/socket.c:1068 sock_read_iter+0x2c7/0x3c0 net/socket.c:1138 call_read_iter include/linux/fs.h:2102 [inline] new_sync_read fs/read_write.c:395 [inline] vfs_read+0x9fd/0xb80 fs/read_write.c:476 ksys_read+0x1f8/0x260 fs/read_write.c:619 do_syscall_x64 
arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x72/0x7a INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] sock_hash_free+0x130/0x820 net/core/sock_map.c:1154 bpf_map_free_deferred+0x1ce/0x420 kernel/bpf/syscall.c:734 process_one_work+0x902/0x1a30 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416 kthread+0x2c1/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 } ... key at: [] __key.0+0x0/0x40 ... acquired at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] sock_hash_delete_elem+0xd4/0x360 net/core/sock_map.c:939 bpf_prog_57bcfd8cc5d23e49+0x66/0x6a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x151/0x420 kernel/trace/bpf_trace.c:2420 trace_kfree include/trace/events/kmem.h:94 [inline] kfree+0x225/0x390 mm/slub.c:4377 drm_send_event_helper+0x4c1/0x5f0 drivers/gpu/drm/drm_file.c:770 drm_crtc_send_vblank_event+0x14e/0x1d0 drivers/gpu/drm/drm_vblank.c:1129 drm_atomic_helper_fake_vblank+0x1ab/0x2e0 drivers/gpu/drm/drm_atomic_helper.c:2467 drm_atomic_helper_commit_tail+0x7c/0xf0 drivers/gpu/drm/drm_atomic_helper.c:1753 commit_tail+0x356/0x410 drivers/gpu/drm/drm_atomic_helper.c:1834 
drm_atomic_helper_commit+0x2fd/0x380 drivers/gpu/drm/drm_atomic_helper.c:2072 drm_atomic_commit+0x227/0x300 drivers/gpu/drm/drm_atomic.c:1514 drm_client_modeset_commit_atomic+0x6c6/0x810 drivers/gpu/drm/drm_client_modeset.c:1051 drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1154 drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1180 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:251 [inline] __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:230 [inline] drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:278 [inline] drm_fb_helper_lastclose+0xc7/0x160 drivers/gpu/drm/drm_fb_helper.c:2005 drm_fbdev_generic_client_restore+0x2c/0x40 drivers/gpu/drm/drm_fbdev_generic.c:258 drm_client_dev_restore+0x188/0x2a0 drivers/gpu/drm/drm_client.c:247 drm_release+0x32f/0x3e0 drivers/gpu/drm/drm_file.c:437 __fput+0x270/0xb80 fs/file_table.c:422 __fput_sync+0x47/0x50 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close fs/open.c:1541 [inline] __ia32_sys_close+0x86/0x100 fs/open.c:1541 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x7a/0x120 arch/x86/entry/common.c:321 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:346 entry_SYSENTER_compat_after_hwframe+0x7f/0x89 stack backtrace: CPU: 0 PID: 12509 Comm: syz-executor.2 Not tainted 6.9.0-rc2-syzkaller-00002-g026e680b0a08 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_bad_irq_dependency kernel/locking/lockdep.c:2626 [inline] check_irq_usage+0xe3c/0x1490 kernel/locking/lockdep.c:2865 check_prev_add kernel/locking/lockdep.c:3138 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain kernel/locking/lockdep.c:3869 [inline] __lock_acquire+0x248e/0x3b30 
kernel/locking/lockdep.c:5137 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] sock_hash_delete_elem+0xd4/0x360 net/core/sock_map.c:939 bpf_prog_57bcfd8cc5d23e49+0x66/0x6a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x151/0x420 kernel/trace/bpf_trace.c:2420 trace_kfree include/trace/events/kmem.h:94 [inline] kfree+0x225/0x390 mm/slub.c:4377 drm_send_event_helper+0x4c1/0x5f0 drivers/gpu/drm/drm_file.c:770 drm_crtc_send_vblank_event+0x14e/0x1d0 drivers/gpu/drm/drm_vblank.c:1129 drm_atomic_helper_fake_vblank+0x1ab/0x2e0 drivers/gpu/drm/drm_atomic_helper.c:2467 drm_atomic_helper_commit_tail+0x7c/0xf0 drivers/gpu/drm/drm_atomic_helper.c:1753 commit_tail+0x356/0x410 drivers/gpu/drm/drm_atomic_helper.c:1834 drm_atomic_helper_commit+0x2fd/0x380 drivers/gpu/drm/drm_atomic_helper.c:2072 drm_atomic_commit+0x227/0x300 drivers/gpu/drm/drm_atomic.c:1514 drm_client_modeset_commit_atomic+0x6c6/0x810 drivers/gpu/drm/drm_client_modeset.c:1051 drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1154 drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1180 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:251 [inline] __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:230 [inline] drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:278 [inline] drm_fb_helper_lastclose+0xc7/0x160 drivers/gpu/drm/drm_fb_helper.c:2005 drm_fbdev_generic_client_restore+0x2c/0x40 drivers/gpu/drm/drm_fbdev_generic.c:258 drm_client_dev_restore+0x188/0x2a0 
drivers/gpu/drm/drm_client.c:247 drm_release+0x32f/0x3e0 drivers/gpu/drm/drm_file.c:437 __fput+0x270/0xb80 fs/file_table.c:422 __fput_sync+0x47/0x50 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close fs/open.c:1541 [inline] __ia32_sys_close+0x86/0x100 fs/open.c:1541 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x7a/0x120 arch/x86/entry/common.c:321 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:346 entry_SYSENTER_compat_after_hwframe+0x7f/0x89 RIP: 0023:0xf7259579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000ffeb15e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000006 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000005704f400 RDX: 0000000000000000 RSI: 00000000f73b0ff4 RDI: 0000000000000000 RBP: 00000000f7255000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ------------[ cut here ]------------ raw_local_irq_restore() called with IRQs enabled WARNING: CPU: 0 PID: 12509 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x29/0x30 kernel/locking/irqflag-debug.c:10 Modules linked in: CPU: 0 PID: 12509 Comm: syz-executor.2 Not tainted 6.9.0-rc2-syzkaller-00002-g026e680b0a08 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:warn_bogus_irq_restore+0x29/0x30 kernel/locking/irqflag-debug.c:10 Code: 90 f3 0f 1e fa 90 80 3d c1 12 b4 04 00 74 06 90 c3 cc cc cc cc c6 05 b2 12 b4 04 01 90 48 c7 c7 a0 cf 0c 8b e8 a8 12 7c f6 90 <0f> 0b 90 90 eb df 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90003df7968 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88801da943d8 RCX: ffffffff8150eb59 RDX: ffff888046c54880 RSI: ffffffff8150eb66 RDI: 
0000000000000001 RBP: 0000000000000293 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 61636f6c5f776172 R12: 0000000000000293 R13: ffff8880001a5c00 R14: ffff888015eac078 R15: ffff88805927a000 FS: 0000000000000000(0000) GS:ffff88802c200000(0063) knlGS:000000005704f400 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000031023000 CR3: 0000000046faa000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] _raw_spin_unlock_irqrestore+0x74/0x80 kernel/locking/spinlock.c:194 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline] drm_atomic_helper_fake_vblank+0x1f1/0x2e0 drivers/gpu/drm/drm_atomic_helper.c:2471 drm_atomic_helper_commit_tail+0x7c/0xf0 drivers/gpu/drm/drm_atomic_helper.c:1753 commit_tail+0x356/0x410 drivers/gpu/drm/drm_atomic_helper.c:1834 drm_atomic_helper_commit+0x2fd/0x380 drivers/gpu/drm/drm_atomic_helper.c:2072 drm_atomic_commit+0x227/0x300 drivers/gpu/drm/drm_atomic.c:1514 drm_client_modeset_commit_atomic+0x6c6/0x810 drivers/gpu/drm/drm_client_modeset.c:1051 drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1154 drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1180 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:251 [inline] __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:230 [inline] drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:278 [inline] drm_fb_helper_lastclose+0xc7/0x160 drivers/gpu/drm/drm_fb_helper.c:2005 drm_fbdev_generic_client_restore+0x2c/0x40 drivers/gpu/drm/drm_fbdev_generic.c:258 drm_client_dev_restore+0x188/0x2a0 drivers/gpu/drm/drm_client.c:247 drm_release+0x32f/0x3e0 drivers/gpu/drm/drm_file.c:437 __fput+0x270/0xb80 fs/file_table.c:422 __fput_sync+0x47/0x50 
fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close fs/open.c:1541 [inline] __ia32_sys_close+0x86/0x100 fs/open.c:1541 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x7a/0x120 arch/x86/entry/common.c:321 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:346 entry_SYSENTER_compat_after_hwframe+0x7f/0x89 RIP: 0023:0xf7259579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000ffeb15e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000006 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000005704f400 RDX: 0000000000000000 RSI: 00000000f73b0ff4 RDI: 0000000000000000 RBP: 00000000f7255000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ---------------- Code disassembly (best guess), 2 bytes skipped: 0: 10 06 adc %al,(%rsi) 2: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi 6: 10 07 adc %al,(%rdi) 8: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi c: 10 08 adc %cl,(%rax) e: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi 1e: 00 51 52 add %dl,0x52(%rcx) 21: 55 push %rbp 22: 89 e5 mov %esp,%ebp 24: 0f 34 sysenter 26: cd 80 int $0x80 * 28: 5d pop %rbp <-- trapping instruction 29: 5a pop %rdx 2a: 59 pop %rcx 2b: c3 ret 2c: 90 nop 2d: 90 nop 2e: 90 nop 2f: 90 nop 30: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi 37: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi