================================
WARNING: inconsistent lock state
5.15.158-syzkaller #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz-executor.1/9345 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffff8880b9a35bb8 (lock#9){?.+.}-{2:2}, at: local_lock_acquire+0xd/0x170 include/linux/local_lock_internal.h:28
{HARDIRQ-ON-W} state was registered at:
  lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
  local_lock_acquire+0x29/0x170 include/linux/local_lock_internal.h:29
  __mmap_lock_do_trace_acquire_returned+0x7c/0x340 mm/mmap_lock.c:237
  __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
  mmap_read_lock include/linux/mmap_lock.h:118 [inline]
  get_arg_page+0x344/0x370 fs/exec.c:220
  copy_string_kernel+0x167/0x2a0 fs/exec.c:639
  kernel_execve+0x57b/0x9b0 fs/exec.c:1996
  call_usermodehelper_exec_async+0x22f/0x370 kernel/umh.c:112
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300
irq event stamp: 26
hardirqs last enabled at (25): [] syscall_enter_from_user_mode+0x2e/0x240 kernel/entry/common.c:113
hardirqs last disabled at (26): [] sysvec_call_function_single+0xa/0xb0 arch/x86/kernel/smp.c:243
softirqs last enabled at (0): [] copy_process+0x13b9/0x3ef0 kernel/fork.c:2151
softirqs last disabled at (0): [<0000000000000000>] 0x0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(lock#9);
    lock(lock#9);

 *** DEADLOCK ***

3 locks held by syz-executor.1/9345:
 #0: ffffffff8c91fae0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:312
 #1: ffffffff8c91fae0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
 #2: ffff888079397128 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:136 [inline]
 #2: ffff888079397128 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x23e/0x930 kernel/bpf/stackmap.c:185

stack backtrace:
CPU: 0 PID: 9345 Comm: syz-executor.1 Not tainted 5.15.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 valid_state+0x134/0x1c0 kernel/locking/lockdep.c:3932
 mark_lock_irq+0xa8/0xba0 kernel/locking/lockdep.c:4135
 mark_lock+0x21a/0x340 kernel/locking/lockdep.c:4591
 mark_usage kernel/locking/lockdep.c:4483 [inline]
 __lock_acquire+0xb5c/0x1ff0 kernel/locking/lockdep.c:4966
 lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
 local_lock_acquire+0x29/0x170 include/linux/local_lock_internal.h:29
 __mmap_lock_do_trace_acquire_returned+0x7c/0x340 mm/mmap_lock.c:237
 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
 mmap_read_trylock include/linux/mmap_lock.h:137 [inline]
 stack_map_get_build_id_offset+0x612/0x930 kernel/bpf/stackmap.c:185
 __bpf_get_stack+0x495/0x570 kernel/bpf/stackmap.c:496
 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1490 [inline]
 bpf_get_stack_raw_tp+0x1b2/0x220 kernel/trace/bpf_trace.c:1480
 bpf_prog_e6cf5f9c69743609+0x3a/0x90
 bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
 __bpf_prog_run include/linux/filter.h:621 [inline]
 bpf_prog_run include/linux/filter.h:635 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:1880 [inline]
 bpf_trace_run2+0x29e/0x340 kernel/trace/bpf_trace.c:1917
 trace_tlb_flush+0xed/0x110 include/trace/events/tlb.h:38
 flush_tlb_func+0x480/0x590 arch/x86/mm/tlb.c:851
 flush_smp_call_function_queue+0x2b5/0x760 kernel/smp.c:628
 __sysvec_call_function_single+0x9a/0x250 arch/x86/kernel/smp.c:248
 sysvec_call_function_single+0x89/0xb0 arch/x86/kernel/smp.c:243
 asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:646
RIP: 0010:__fget_files_rcu fs/file.c:887 [inline]
RIP: 0010:__fget_files+0x18d/0x480 fs/file.c:935
Code: 21 f1 4c 8d 2c c8 4d 89 ee 49 c1 ee 03 48 bb 00 00 00 00 00 fc ff df 41 80 3c 1e 00 74 08 4c 89 ef e8 97 99 ec ff 49 8b 45 00 <48> 85 c0 0f 84 8f 02 00 00 48 89 c1 48 89 04 24 48 8d a8 84 00 00
RSP: 0018:ffffc90001d97e38 EFLAGS: 00000246
RAX: ffff888078e8d400 RBX: dffffc0000000000 RCX: 00000000000000d8
RDX: ffff8880193d9dc0 RSI: 00000000000000d8 RDI: 0000000000000100
RBP: ffff888020c9f908 R08: ffffffff81dd9abc R09: fffffbfff1f7ee19
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888077543118
R13: ffff888077d4f6c0 R14: 1ffff1100efa9ed8 R15: 0000000000004000
 __fget fs/file.c:944 [inline]
 __fget_light fs/file.c:1048 [inline]
 __fdget+0x184/0x220 fs/file.c:1056
 fdget include/linux/file.h:65 [inline]
 __do_sys_ioctl fs/ioctl.c:862 [inline]
 __se_sys_ioctl+0x1f/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7ff27f30cc0b
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007ff27d87f0f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff27f30cc0b
RDX: 0000000000000000 RSI: 0000000000006364 RDI: 00000000000000d8
RBP: 00007ff27f43af80 R08: 0000000000000000 R09: 00007ffe211183d7
R10: 0000000000000008 R11: 0000000000000246 R12: ffffffffffffffb0
R13: 000000000000000b R14: 00007ffe211182f0 R15: 00007ffe211183d8
----------------
Code disassembly (best guess):
   0:	21 f1                	and    %esi,%ecx
   2:	4c 8d 2c c8          	lea    (%rax,%rcx,8),%r13
   6:	4d 89 ee             	mov    %r13,%r14
   9:	49 c1 ee 03          	shr    $0x3,%r14
   d:	48 bb 00 00 00 00 00 	movabs $0xdffffc0000000000,%rbx
  14:	fc ff df
  17:	41 80 3c 1e 00       	cmpb   $0x0,(%r14,%rbx,1)
  1c:	74 08                	je     0x26
  1e:	4c 89 ef             	mov    %r13,%rdi
  21:	e8 97 99 ec ff       	call   0xffec99bd
  26:	49 8b 45 00          	mov    0x0(%r13),%rax
* 2a:	48 85 c0             	test   %rax,%rax <-- trapping instruction
  2d:	0f 84 8f 02 00 00    	je     0x2c2
  33:	48 89 c1             	mov    %rax,%rcx
  36:	48 89 04 24          	mov    %rax,(%rsp)
  3a:	48                   	rex.W
  3b:	8d                   	.byte 0x8d
  3c:	a8 84                	test   $0x84,%al