================================ WARNING: inconsistent lock state 6.9.0-rc7-syzkaller-00056-g45db3ab70092 #0 Not tainted -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. syz-executor.5/30779 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff8880b9438a80 (lock#12){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ffff8880b9438a80 (lock#12){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 {HARDIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] get_mmap_lock_carefully mm/memory.c:5633 [inline] lock_mm_and_find_vma+0xeb/0x580 mm/memory.c:5693 do_user_addr_fault+0x29c/0x1030 arch/x86/mm/fault.c:1354 handle_page_fault arch/x86/mm/fault.c:1474 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline] raw_copy_to_user arch/x86/include/asm/uaccess_64.h:131 [inline] copy_to_user_iter lib/iov_iter.c:25 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x379/0x1140 lib/iov_iter.c:185 copy_page_to_iter lib/iov_iter.c:362 [inline] copy_page_to_iter+0xf1/0x180 lib/iov_iter.c:349 pipe_read+0x543/0x1400 fs/pipe.c:327 call_read_iter include/linux/fs.h:2104 [inline] new_sync_read fs/read_write.c:395 [inline] vfs_read+0xa00/0xb80 fs/read_write.c:476 ksys_read+0x1f8/0x260 fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f irq event stamp: 3876 hardirqs last enabled at (3875): [] irqentry_exit+0x3b/0x90 kernel/entry/common.c:357 hardirqs last disabled at (3876): [] sysvec_call_function_single+0xe/0xb0 arch/x86/kernel/smp.c:266 softirqs last enabled at (3874): [] softirq_handle_end kernel/softirq.c:400 [inline] softirqs last enabled at (3874): [] handle_softirqs+0x5be/0x8f0 kernel/softirq.c:582 softirqs last disabled at (3851): [] __do_softirq kernel/softirq.c:588 [inline] softirqs last disabled at (3851): [] invoke_softirq kernel/softirq.c:428 [inline] softirqs last disabled at (3851): [] __irq_exit_rcu kernel/softirq.c:637 [inline] softirqs last disabled at (3851): [] irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(lock#12); lock(lock#12); *** DEADLOCK *** 2 locks held by syz-executor.5/30779: #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xe4/0x420 kernel/trace/bpf_trace.c:2420 #1: ffff88807f5fe0a0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:165 [inline] #1: ffff88807f5fe0a0 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x1e8/0x7d0 kernel/bpf/stackmap.c:141 stack backtrace: CPU: 0 PID: 30779 Comm: syz-executor.5 Not tainted 6.9.0-rc7-syzkaller-00056-g45db3ab70092 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_usage_bug kernel/locking/lockdep.c:3971 [inline] valid_state kernel/locking/lockdep.c:4013 [inline] mark_lock_irq kernel/locking/lockdep.c:4216 [inline] mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678 mark_usage kernel/locking/lockdep.c:4564 [inline] __lock_acquire+0x1359/0x3b30 kernel/locking/lockdep.c:5091 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] stack_map_get_build_id_offset+0x5df/0x7d0 kernel/bpf/stackmap.c:141 __bpf_get_stack+0x6bf/0x700 kernel/bpf/stackmap.c:449 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1985 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1975 bpf_prog_e6cf5f9c69743609+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:650 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x22c/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_tlb_flush+0xd2/0x110 include/trace/events/tlb.h:38 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38 csd_do_func kernel/smp.c:133 [inline] __flush_smp_call_function_queue+0x27d/0x8c0 kernel/smp.c:511 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0x90/0xb0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709 RIP: 0010:sk_filter include/linux/filter.h:909 [inline] RIP: 0010:unix_dgram_sendmsg+0x65e/0x1b10 net/unix/af_unix.c:2053 Code: 5c 24 28 48 8b 90 88 03 00 00 49 89 c5 48 89 54 24 50 e8 d5 c1 11 f8 4d 85 ff 0f 84 41 05 00 00 e8 c7 c1 11 f8 48 8b 74 24 30 01 00 00 00 4c 89 ff e8 95 05 4a ff 31 ff 41 89 c4 89 c6 e8 89 RSP: 0018:ffffc9000a37f8b0 EFLAGS: 00000287 RAX: 000000000001814d RBX: 0000000000000000 RCX: ffffc9000f7ea000 RDX: 0000000000040000 RSI: ffff88802eb7c140 RDI: 0000000000000001 RBP: ffffc9000a37f960 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88802f6b8000 R14: 1ffff9200146ff24 R15: ffff88802f6ba800 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0xab8/0xc90 net/socket.c:2584 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2638 __sys_sendmmsg+0x1a1/0x450 net/socket.c:2724 __do_sys_sendmmsg net/socket.c:2753 [inline] __se_sys_sendmmsg net/socket.c:2750 [inline] __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2750 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f054a47dd69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f054b1bf0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f054a5abf80 RCX: 00007f054a47dd69 RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000004 RBP: 00007f054a4ca49e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f054a5abf80 R15: 00007ffeb93e1a08 ---------------- Code disassembly (best guess): 0: 5c pop %rsp 1: 24 28 and $0x28,%al 3: 48 8b 90 88 03 00 00 mov 0x388(%rax),%rdx a: 49 89 c5 mov %rax,%r13 d: 48 89 54 24 50 mov %rdx,0x50(%rsp) 12: e8 d5 c1 11 f8 call 0xf811c1ec 17: 4d 85 ff test %r15,%r15 1a: 0f 84 41 05 00 00 je 0x561 20: e8 c7 c1 11 f8 call 0xf811c1ec 25: 48 8b 74 24 30 mov 0x30(%rsp),%rsi * 2a: ba 01 00 00 00 mov $0x1,%edx <-- trapping instruction 2f: 4c 89 ff mov %r15,%rdi 32: e8 95 05 4a ff call 0xff4a05cc 37: 31 ff xor %edi,%edi 39: 41 89 c4 mov %eax,%r12d 3c: 89 c6 mov %eax,%esi 3e: e8 .byte 0xe8 3f: 89 .byte 0x89