================================
WARNING: inconsistent lock state
6.9.0-rc7-syzkaller-00012-gdccb07f2914c #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz-executor.5/18037 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffff8880b9538a80 (lock#10){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
ffff8880b9538a80 (lock#10){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237
{HARDIRQ-ON-W} state was registered at:
  lock_acquire kernel/locking/lockdep.c:5754 [inline]
  lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
  local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
  __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237
  __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
  mmap_read_lock include/linux/mmap_lock.h:147 [inline]
  __mm_populate+0x2ec/0x380 mm/gup.c:1779
  mm_populate include/linux/mm.h:3413 [inline]
  vm_mmap_pgoff+0x2d0/0x3c0 mm/util.c:578
  ksys_mmap_pgoff+0x425/0x5b0 mm/mmap.c:1431
  __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
  __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline]
  __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
irq event stamp: 418
hardirqs last enabled at (417): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (417): [] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (418): [] sysvec_call_function_single+0xe/0xb0 arch/x86/kernel/smp.c:266
softirqs last enabled at (0): [] copy_process+0x24cc/0x9090 kernel/fork.c:2336
softirqs last disabled at (0): [<0000000000000000>] 0x0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(lock#10);
  <Interrupt>
    lock(lock#10);

 *** DEADLOCK ***

3 locks held by syz-executor.5/18037:
 #0: ffffffff8e599f48 (tty_mutex){+.+.}-{3:3}, at: ptmx_open drivers/tty/pty.c:823 [inline]
 #0: ffffffff8e599f48 (tty_mutex){+.+.}-{3:3}, at: ptmx_open+0xf6/0x350 drivers/tty/pty.c:790
 #1: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #1: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
 #1: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline]
 #1: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xe4/0x420 kernel/trace/bpf_trace.c:2420
 #2: ffff88807ef6c420 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:165 [inline]
 #2: ffff88807ef6c420 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x1e8/0x7d0 kernel/bpf/stackmap.c:141

stack backtrace:
CPU: 1 PID: 18037 Comm: syz-executor.5 Not tainted 6.9.0-rc7-syzkaller-00012-gdccb07f2914c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_usage_bug kernel/locking/lockdep.c:3971 [inline]
 valid_state kernel/locking/lockdep.c:4013 [inline]
 mark_lock_irq kernel/locking/lockdep.c:4216 [inline]
 mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678
 mark_usage kernel/locking/lockdep.c:4564 [inline]
 __lock_acquire+0x1359/0x3b30 kernel/locking/lockdep.c:5091
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
 local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
 __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237
 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
 mmap_read_trylock include/linux/mmap_lock.h:166 [inline]
 stack_map_get_build_id_offset+0x5df/0x7d0 kernel/bpf/stackmap.c:141
 __bpf_get_stack+0x6bf/0x700 kernel/bpf/stackmap.c:449
 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1985 [inline]
 bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1975
 bpf_prog_e6cf5f9c69743609+0x42/0x4a
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:650 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run2+0x22c/0x420 kernel/trace/bpf_trace.c:2420
 __bpf_trace_tlb_flush+0xd2/0x110 include/trace/events/tlb.h:38
 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38
 csd_do_func kernel/smp.c:133 [inline]
 __flush_smp_call_function_queue+0x27d/0x8c0 kernel/smp.c:511
 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
 sysvec_call_function_single+0x90/0xb0 arch/x86/kernel/smp.c:266
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:class_dev_iter_next drivers/base/class.c:348 [inline]
RIP: 0010:class_find_device+0x172/0x300 drivers/base/class.c:452
Code: 00 fc ff df eb 52 e8 6d 14 f4 fb 49 8d 7f 40 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 60 01 00 00 4c 8b 64 24 50 4d 8b 7f 40 <4d> 85 e4 0f 84 c6 00 00 00 e8 40 14 f4 fb 49 8d 7f 58 48 89 fa 48
RSP: 0018:ffffc9001360f7a0 EFLAGS: 00000246
RAX: 1ffff110034e09a0 RBX: ffffc9001360f7e0 RCX: ffffc9000da42000
RDX: 0000000000040000 RSI: ffffffff859af8e3 RDI: ffff88801a704d00
RBP: ffffc9001360f870 R08: 0000000000000001 R09: fffffbfff27ff238
R10: ffffffff93ff91c7 R11: 0000000000000001 R12: 0000000000000000
R13: ffffffff8598c770 R14: dffffc0000000000 R15: ffff88801cf83000
 class_find_device_by_devt include/linux/device/class.h:145 [inline]
 tty_get_device drivers/tty/tty_io.c:3099 [inline]
 alloc_tty_struct+0x6cc/0x8d0 drivers/tty/tty_io.c:3146
 tty_init_dev.part.0+0x1e/0x660 drivers/tty/tty_io.c:1415
 tty_init_dev+0x60/0x80 drivers/tty/tty_io.c:1412
 ptmx_open drivers/tty/pty.c:824 [inline]
 ptmx_open+0x104/0x350 drivers/tty/pty.c:790
 chrdev_open+0x270/0x6f0 fs/char_dev.c:414
 do_dentry_open+0x8dd/0x18c0 fs/open.c:955
 do_open fs/namei.c:3642 [inline]
 path_openat+0x1dfb/0x2990 fs/namei.c:3799
 do_filp_open+0x1dc/0x430 fs/namei.c:3826
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1406
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7feb2867dca9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feb293b70c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007feb287abf80 RCX: 00007feb2867dca9
RDX: 0000000000121301 RSI: 00000000200000c0 RDI: ffffffffffffff9c
RBP: 00007feb286c947e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007feb287abf80 R15: 00007fff8318e748
----------------
Code disassembly (best guess), 3 bytes skipped:
   0: df eb                   fucomip %st(3),%st
   2: 52                      push %rdx
   3: e8 6d 14 f4 fb          call 0xfbf41475
   8: 49 8d 7f 40             lea 0x40(%r15),%rdi
   c: 48 89 f8                mov %rdi,%rax
   f: 48 c1 e8 03             shr $0x3,%rax
  13: 42 80 3c 30 00          cmpb $0x0,(%rax,%r14,1)
  18: 0f 85 60 01 00 00       jne 0x17e
  1e: 4c 8b 64 24 50          mov 0x50(%rsp),%r12
  23: 4d 8b 7f 40             mov 0x40(%r15),%r15
* 27: 4d 85 e4                test %r12,%r12 <-- trapping instruction
  2a: 0f 84 c6 00 00 00       je 0xf6
  30: e8 40 14 f4 fb          call 0xfbf41475
  35: 49 8d 7f 58             lea 0x58(%r15),%rdi
  39: 48 89 fa                mov %rdi,%rdx
  3c: 48                      rex.W