==================================================================
kasan: CONFIG_KASAN_INLINE enabled
BUG: KASAN: stack-out-of-bounds in __read_once_size include/linux/compiler.h:191 [inline]
BUG: KASAN: stack-out-of-bounds in test_idle_cores kernel/sched/fair.c:6000 [inline]
BUG: KASAN: stack-out-of-bounds in select_idle_core kernel/sched/fair.c:6047 [inline]
BUG: KASAN: stack-out-of-bounds in select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
kasan: GPF could be caused by NULL-ptr deref or user memory access
Read of size 4 at addr ffff8880a9d9e508 by task syz-executor4/14331
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0+ #296
CPU: 1 PID: 14331 Comm: syz-executor4 Not tainted 4.20.0+ #296
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:task_css include/linux/cgroup.h:477 [inline]
RIP: 0010:task_ca kernel/sched/cpuacct.c:43 [inline]
RIP: 0010:cpuacct_account_field+0x140/0x3d0 kernel/sched/cpuacct.c:365
Call Trace:
Code: 86 95 08 00 85 c0 74 0d 80 3d 27 db d1 08 00 0f 84 a4 01 00 00 49 8d 7e 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4e 02 00 00 4d 8b 7e 10 49 81 ff c0 51 78 89 0f
RSP: 0018:ffff8880ae6078a8 EFLAGS: 00010002
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
RAX: dffffc0000000000 RBX: ffff8880ae607918 RCX: ffffffff81626af4
RDX: 000000000836b158 RSI: 0000000000000008 RDI: 0000000041b58ac3
RBP: ffff8880ae607940 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff0ddece8 R11: ffffffff86ef6747 R12: 0000000000827d1b
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
R13: dffffc0000000000 R14: 0000000041b58ab3 R15: ffff8880a9e1c240
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
CR2: 0000000000000000 CR3: 0000000099316000 CR4: 00000000001426f0
 __read_once_size include/linux/compiler.h:191 [inline]
 test_idle_cores kernel/sched/fair.c:6000 [inline]
 select_idle_core kernel/sched/fair.c:6047 [inline]
 select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 cgroup_account_cputime_field include/linux/cgroup.h:775 [inline]
 task_group_account_field kernel/sched/cputime.c:108 [inline]
 account_system_index_time+0x1e8/0x5d0 kernel/sched/cputime.c:171
 select_task_rq_fair+0xa3b/0x3ad0 kernel/sched/fair.c:6652
 irqtime_account_process_tick.isra.6+0x38e/0x490 kernel/sched/cputime.c:380
 account_process_tick+0x282/0x350 kernel/sched/cputime.c:483
 update_process_times+0x21/0x70 kernel/time/timer.c:1633
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:161
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1271
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1451
 hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1060
 select_task_rq kernel/sched/core.c:1536 [inline]
 try_to_wake_up+0x4e7/0x1460 kernel/sched/core.c:2041
 wake_up_process+0x10/0x20 kernel/sched/core.c:2129
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 hrtimer_wakeup+0x48/0x60 kernel/time/hrtimer.c:1637
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1451
Modules linked in:

======================================================
WARNING: possible circular locking dependency detected
4.20.0+ #296 Not tainted
------------------------------------------------------
syz-executor4/14331 is trying to acquire lock:
00000000c889a69e ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70 kernel/locking/semaphore.c:136

but task is already holding lock:
00000000425f965b (report_lock){-...}, at: kasan_start_report mm/kasan/report.c:170 [inline]
00000000425f965b (report_lock){-...}, at: kasan_report_error mm/kasan/report.c:346 [inline]
00000000425f965b (report_lock){-...}, at: kasan_report+0x8b/0x110 mm/kasan/report.c:412

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (report_lock){-...}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
       kasan_start_report mm/kasan/report.c:170 [inline]
       kasan_report_error mm/kasan/report.c:346 [inline]
       kasan_report+0x8b/0x110 mm/kasan/report.c:412
       __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
       __read_once_size include/linux/compiler.h:191 [inline]
       test_idle_cores kernel/sched/fair.c:6000 [inline]
       select_idle_core kernel/sched/fair.c:6047 [inline]
       select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
       select_task_rq_fair+0xa3b/0x3ad0 kernel/sched/fair.c:6652
       select_task_rq kernel/sched/core.c:1536 [inline]
       try_to_wake_up+0x4e7/0x1460 kernel/sched/core.c:2041
       wake_up_process+0x10/0x20 kernel/sched/core.c:2129
       hrtimer_wakeup+0x48/0x60 kernel/time/hrtimer.c:1637
       __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
       __hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1451
       hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1509
       local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
       smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1060
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
       bytes_is_nonzero mm/kasan/kasan.c:167 [inline]
       memory_is_nonzero mm/kasan/kasan.c:184 [inline]
       memory_is_poisoned_n mm/kasan/kasan.c:210 [inline]
       memory_is_poisoned mm/kasan/kasan.c:241 [inline]
       check_memory_region_inline mm/kasan/kasan.c:257 [inline]
       check_memory_region+0x117/0x1b0 mm/kasan/kasan.c:267
       kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
       atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
       rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 kernel/rcu/tree.c:305
       rcu_is_watching+0x10/0x30 kernel/rcu/tree.c:932
       rcu_read_lock include/linux/rcupdate.h:608 [inline]
       lock_page_memcg+0x210/0x350 mm/memcontrol.c:1862
       page_remove_file_rmap mm/rmap.c:1215 [inline]
       page_remove_rmap+0x855/0x1a30 mm/rmap.c:1300
       zap_pte_range mm/memory.c:1091 [inline]
       zap_pmd_range mm/memory.c:1193 [inline]
       zap_pud_range mm/memory.c:1222 [inline]
       zap_p4d_range mm/memory.c:1243 [inline]
       unmap_page_range+0xf52/0x25b0 mm/memory.c:1264
       unmap_single_vma+0x19b/0x310 mm/memory.c:1309
       unmap_vmas+0x125/0x200 mm/memory.c:1339
       exit_mmap+0x2be/0x590 mm/mmap.c:3156
       __mmput kernel/fork.c:1050 [inline]
       mmput+0x247/0x610 kernel/fork.c:1071
       exit_mm kernel/exit.c:545 [inline]
       do_exit+0xe74/0x26d0 kernel/exit.c:854
       do_group_exit+0x177/0x440 kernel/exit.c:970
       get_signal+0x8b0/0x1980 kernel/signal.c:2517
       do_signal+0x9c/0x21c0 arch/x86/kernel/signal.c:816
       exit_to_usermode_loop+0x2e5/0x380 arch/x86/entry/common.c:162
       prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
       do_syscall_32_irqs_on arch/x86/entry/common.c:341 [inline]
       do_fast_syscall_32+0xcd5/0xfb2 arch/x86/entry/common.c:397
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

-> #1 (&p->pi_lock){-.-.}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
       try_to_wake_up+0xdc/0x1460 kernel/sched/core.c:1965
       wake_up_process+0x10/0x20 kernel/sched/core.c:2129
       __up.isra.1+0x1c0/0x2a0 kernel/locking/semaphore.c:262
       up+0x13c/0x1c0 kernel/locking/semaphore.c:187
       __up_console_sem+0xbe/0x1b0 kernel/printk/printk.c:236
       console_unlock+0x819/0x1180 kernel/printk/printk.c:2426
       vprintk_emit+0x39c/0x990 kernel/printk/printk.c:1931
       vprintk_default+0x28/0x30 kernel/printk/printk.c:1958
       vprintk_func+0x7e/0x181 kernel/printk/printk_safe.c:398
       printk+0xa7/0xcf kernel/printk/printk.c:1991
       check_stack_usage kernel/exit.c:755 [inline]
       do_exit.cold.19+0x57/0x16f kernel/exit.c:916
       do_group_exit+0x177/0x440 kernel/exit.c:970
       __do_sys_exit_group kernel/exit.c:981 [inline]
       __se_sys_exit_group kernel/exit.c:979 [inline]
       __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:979
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 ((console_sem).lock){-.-.}:
       lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3841
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
       down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
       __down_trylock_console_sem+0xae/0x200 kernel/printk/printk.c:219
       console_trylock+0x15/0xa0 kernel/printk/printk.c:2242
       console_trylock_spinning kernel/printk/printk.c:1662 [inline]
       vprintk_emit+0x37d/0x990 kernel/printk/printk.c:1930
       vprintk_default+0x28/0x30 kernel/printk/printk.c:1958
       vprintk_func+0x7e/0x181 kernel/printk/printk_safe.c:398
       printk+0xa7/0xcf kernel/printk/printk.c:1991
       kasan_start_report mm/kasan/report.c:171 [inline]
       kasan_report_error mm/kasan/report.c:346 [inline]
       kasan_report+0x9b/0x110 mm/kasan/report.c:412
       __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
       __read_once_size include/linux/compiler.h:191 [inline]
       test_idle_cores kernel/sched/fair.c:6000 [inline]
       select_idle_core kernel/sched/fair.c:6047 [inline]
       select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
       select_task_rq_fair+0xa3b/0x3ad0 kernel/sched/fair.c:6652
       select_task_rq kernel/sched/core.c:1536 [inline]
       try_to_wake_up+0x4e7/0x1460 kernel/sched/core.c:2041
       wake_up_process+0x10/0x20 kernel/sched/core.c:2129
       hrtimer_wakeup+0x48/0x60 kernel/time/hrtimer.c:1637
       __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
       __hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1451
       hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1509
       local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
       smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1060
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
       bytes_is_nonzero mm/kasan/kasan.c:167 [inline]
       memory_is_nonzero mm/kasan/kasan.c:184 [inline]
       memory_is_poisoned_n mm/kasan/kasan.c:210 [inline]
       memory_is_poisoned mm/kasan/kasan.c:241 [inline]
       check_memory_region_inline mm/kasan/kasan.c:257 [inline]
       check_memory_region+0x117/0x1b0 mm/kasan/kasan.c:267
       kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
       atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
       rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 kernel/rcu/tree.c:305
       rcu_is_watching+0x10/0x30 kernel/rcu/tree.c:932
       rcu_read_lock include/linux/rcupdate.h:608 [inline]
       lock_page_memcg+0x210/0x350 mm/memcontrol.c:1862
       page_remove_file_rmap mm/rmap.c:1215 [inline]
       page_remove_rmap+0x855/0x1a30 mm/rmap.c:1300
       zap_pte_range mm/memory.c:1091 [inline]
       zap_pmd_range mm/memory.c:1193 [inline]
       zap_pud_range mm/memory.c:1222 [inline]
       zap_p4d_range mm/memory.c:1243 [inline]
       unmap_page_range+0xf52/0x25b0 mm/memory.c:1264
       unmap_single_vma+0x19b/0x310 mm/memory.c:1309
       unmap_vmas+0x125/0x200 mm/memory.c:1339
       exit_mmap+0x2be/0x590 mm/mmap.c:3156
       __mmput kernel/fork.c:1050 [inline]
       mmput+0x247/0x610 kernel/fork.c:1071
       exit_mm kernel/exit.c:545 [inline]
       do_exit+0xe74/0x26d0 kernel/exit.c:854
       do_group_exit+0x177/0x440 kernel/exit.c:970
       get_signal+0x8b0/0x1980 kernel/signal.c:2517
       do_signal+0x9c/0x21c0 arch/x86/kernel/signal.c:816
       exit_to_usermode_loop+0x2e5/0x380 arch/x86/entry/common.c:162
       prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
       do_syscall_32_irqs_on arch/x86/entry/common.c:341 [inline]
       do_fast_syscall_32+0xcd5/0xfb2 arch/x86/entry/common.c:397
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

other info that might help us debug this:

Chain exists of:
  (console_sem).lock --> &p->pi_lock --> report_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(report_lock);
                               lock(&p->pi_lock);
                               lock(report_lock);
  lock((console_sem).lock);

 *** DEADLOCK ***

5 locks held by syz-executor4/14331:
 #0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: spin_lock include/linux/spinlock.h:329 [inline]
 #0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: zap_pte_range mm/memory.c:1052 [inline]
 #0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: zap_pmd_range mm/memory.c:1193 [inline]
 #0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: zap_pud_range mm/memory.c:1222 [inline]
 #0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: zap_p4d_range mm/memory.c:1243 [inline]
 #0: 000000003fd18177 (&(ptlock_ptr(page))->rlock#2){+.+.}, at: unmap_page_range+0x98e/0x25b0 mm/memory.c:1264
 #1: 000000003488ec63 (rcu_read_lock){....}, at: lock_page_memcg+0x0/0x350 mm/memcontrol.c:2909
 #2: 00000000555727d6 (&p->pi_lock){-.-.}, at: try_to_wake_up+0xdc/0x1460 kernel/sched/core.c:1965
 #3: 000000003488ec63 (rcu_read_lock){....}, at: select_task_rq_fair+0x39a/0x3ad0 kernel/sched/fair.c:6605
 #4: 00000000425f965b (report_lock){-...}, at: kasan_start_report mm/kasan/report.c:170 [inline]
 #4: 00000000425f965b (report_lock){-...}, at: kasan_report_error mm/kasan/report.c:346 [inline]
 #4: 00000000425f965b (report_lock){-...}, at: kasan_report+0x8b/0x110 mm/kasan/report.c:412

stack backtrace:
CPU: 1 PID: 14331 Comm: syz-executor4 Not tainted 4.20.0+ #296
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
 print_circular_bug.isra.34.cold.56+0x1bd/0x27d kernel/locking/lockdep.c:1224
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2350 [inline]
 __lock_acquire+0x3360/0x4c20 kernel/locking/lockdep.c:3338
 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3841
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
 down_trylock+0x13/0x70 kernel/locking/semaphore.c:136
 __down_trylock_console_sem+0xae/0x200 kernel/printk/printk.c:219
 console_trylock+0x15/0xa0 kernel/printk/printk.c:2242
 console_trylock_spinning kernel/printk/printk.c:1662 [inline]
 vprintk_emit+0x37d/0x990 kernel/printk/printk.c:1930
 vprintk_default+0x28/0x30 kernel/printk/printk.c:1958
 vprintk_func+0x7e/0x181 kernel/printk/printk_safe.c:398
 printk+0xa7/0xcf kernel/printk/printk.c:1991
 kasan_start_report mm/kasan/report.c:171 [inline]
 kasan_report_error mm/kasan/report.c:346 [inline]
 kasan_report+0x9b/0x110 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 __read_once_size include/linux/compiler.h:191 [inline]
 test_idle_cores kernel/sched/fair.c:6000 [inline]
 select_idle_core kernel/sched/fair.c:6047 [inline]
 select_idle_sibling+0xbb1/0xdb0 kernel/sched/fair.c:6197
 select_task_rq_fair+0xa3b/0x3ad0 kernel/sched/fair.c:6652
 select_task_rq kernel/sched/core.c:1536 [inline]
 try_to_wake_up+0x4e7/0x1460 kernel/sched/core.c:2041
 wake_up_process
Lost 168 message(s)!
---[ end trace a41d335fba94df44 ]---
RIP: 0010:task_css include/linux/cgroup.h:477 [inline]
RIP: 0010:task_ca kernel/sched/cpuacct.c:43 [inline]
RIP: 0010:cpuacct_account_field+0x140/0x3d0 kernel/sched/cpuacct.c:365
Code: 86 95 08 00 85 c0 74 0d 80 3d 27 db d1 08 00 0f 84 a4 01 00 00 49 8d 7e 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4e 02 00 00 4d 8b 7e 10 49 81 ff c0 51 78 89 0f
RSP: 0018:ffff8880ae6078a8 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: ffff8880ae607918 RCX: ffffffff81626af4
RDX: 000000000836b158 RSI: 0000000000000008 RDI: 0000000041b58ac3
RBP: ffff8880ae607940 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff0ddece8 R11: ffffffff86ef6747 R12: 0000000000827d1b
R13: dffffc0000000000 R14: 0000000041b58ab3 R15: ffff8880a9e1c240
FS: 0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1509
CR2: 0000000000000000 CR3: 0000000099316000 CR4: 00000000001426f0
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1060
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400