================================ WARNING: inconsistent lock state 6.9.0-rc7-syzkaller #0 Not tainted -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. syz-executor.5/8579 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff8880b9538a80 (lock#11){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ffff8880b9538a80 (lock#11){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 {HARDIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_write_lock_killable include/linux/mmap_lock.h:125 [inline] vm_mmap_pgoff+0x2f7/0x3c0 mm/util.c:571 ksys_mmap_pgoff+0x425/0x5b0 mm/mmap.c:1431 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f irq event stamp: 86 hardirqs last enabled at (85): [] irqentry_exit+0x3b/0x90 kernel/entry/common.c:357 hardirqs last disabled at (86): [] sysvec_call_function_single+0xe/0xb0 arch/x86/kernel/smp.c:266 softirqs last enabled at (0): [] copy_process+0x24cc/0x9090 kernel/fork.c:2336 softirqs last disabled at (0): [<0000000000000000>] 0x0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(lock#11); lock(lock#11); *** DEADLOCK *** 2 locks held by syz-executor.5/8579: #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xe4/0x420 kernel/trace/bpf_trace.c:2420 #1: ffff88807e3a4da0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:165 [inline] #1: ffff88807e3a4da0 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x1e8/0x7d0 kernel/bpf/stackmap.c:141 stack backtrace: CPU: 1 PID: 8579 Comm: syz-executor.5 Not tainted 6.9.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_usage_bug kernel/locking/lockdep.c:3971 [inline] valid_state kernel/locking/lockdep.c:4013 [inline] mark_lock_irq kernel/locking/lockdep.c:4216 [inline] mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678 mark_usage kernel/locking/lockdep.c:4564 [inline] __lock_acquire+0x1359/0x3b30 kernel/locking/lockdep.c:5091 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] stack_map_get_build_id_offset+0x5df/0x7d0 kernel/bpf/stackmap.c:141 __bpf_get_stack+0x6bf/0x700 kernel/bpf/stackmap.c:449 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1985 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1975 bpf_prog_e6cf5f9c69743609+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:650 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x22c/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_tlb_flush+0xd2/0x110 include/trace/events/tlb.h:38 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38 csd_do_func kernel/smp.c:133 [inline] __flush_smp_call_function_queue+0x27d/0x8c0 kernel/smp.c:511 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0x90/0xb0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709 RIP: 0010:refill_obj_stock+0x275/0x510 mm/memcontrol.c:3549 Code: 80 3c 02 00 0f 85 1f 02 00 00 4a 03 1c e5 40 7b 46 8d 48 89 df e8 eb d7 fe ff 4d 85 ed 75 7c 9c 58 f6 c4 02 0f 85 ac 01 00 00 <48> 8b 04 24 48 85 c0 74 08 48 89 c7 e8 1a 7a ff ff 45 85 ff 75 7b RSP: 0018:ffffc900032afc48 EFLAGS: 00000246 RAX: 0000000000000006 RBX: ffff8880b95394e0 RCX: 1ffffffff1f7fcc1 RDX: 0000000000000000 RSI: ffffffff8b2cbf20 RDI: ffffffff8b8f82e0 RBP: ffff88805e678900 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff8fc02897 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000200 R14: ffff8880b95394e0 R15: 0000000000000000 obj_cgroup_charge+0x220/0x390 mm/memcontrol.c:3595 __memcg_slab_pre_alloc_hook mm/slub.c:1919 [inline] memcg_slab_pre_alloc_hook mm/slub.c:1940 [inline] slab_pre_alloc_hook mm/slub.c:3751 [inline] slab_alloc_node mm/slub.c:3827 [inline] kmem_cache_alloc+0x2ba/0x320 mm/slub.c:3852 sk_prot_alloc+0x60/0x2a0 net/core/sock.c:2074 sk_alloc+0x36/0xb90 net/core/sock.c:2133 inet_create net/ipv4/af_inet.c:326 [inline] inet_create+0x3a1/0x1070 net/ipv4/af_inet.c:252 __sock_create+0x331/0x800 net/socket.c:1571 sock_create net/socket.c:1622 [inline] __sys_socket_create net/socket.c:1659 [inline] __sys_socket+0x14f/0x260 net/socket.c:1706 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1718 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd358a7dca9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd35976b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 RAX: ffffffffffffffda RBX: 00007fd358babf80 RCX: 00007fd358a7dca9 RDX: 0000000000000000 RSI: 4000000000000001 RDI: 0000000000000002 RBP: 00007fd358ac947e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fd358babf80 R15: 00007fff131090a8 ---------------- Code disassembly (best guess): 0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 4: 0f 85 1f 02 00 00 jne 0x229 a: 4a 03 1c e5 40 7b 46 add -0x72b984c0(,%r12,8),%rbx 11: 8d 12: 48 89 df mov %rbx,%rdi 15: e8 eb d7 fe ff call 0xfffed805 1a: 4d 85 ed test %r13,%r13 1d: 75 7c jne 0x9b 1f: 9c pushf 20: 58 pop %rax 21: f6 c4 02 test $0x2,%ah 24: 0f 85 ac 01 00 00 jne 0x1d6 * 2a: 48 8b 04 24 mov (%rsp),%rax <-- trapping instruction 2e: 48 85 c0 test %rax,%rax 31: 74 08 je 0x3b 33: 48 89 c7 mov %rax,%rdi 36: e8 1a 7a ff ff call 0xffff7a55 3b: 45 85 ff test %r15d,%r15d 3e: 75 7b jne 0xbb