================================ WARNING: inconsistent lock state 5.10.0-syzkaller #0 Not tainted -------------------------------- inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. syz-executor.5/17263 [HC0[0]:SC1[1]:HE1:SE0] takes: ffff888142f12ca8 (&file_data->lock){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] ffff888142f12ca8 (&file_data->lock){+.?.}-{2:2}, at: io_file_data_ref_zero+0x78/0x4d0 fs/io_uring.c:7361 {SOFTIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5437 [inline] lock_acquire+0x29d/0x750 kernel/locking/lockdep.c:5402 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_sqe_files_register fs/io_uring.c:7496 [inline] __io_uring_register fs/io_uring.c:9665 [inline] __do_sys_io_uring_register+0x3552/0x41f0 fs/io_uring.c:9755 do_syscall_32_irqs_on arch/x86/entry/common.c:78 [inline] __do_fast_syscall_32+0x56/0x80 arch/x86/entry/common.c:137 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:160 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c irq event stamp: 16186 hardirqs last enabled at (16186): [] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628 hardirqs last disabled at (16185): [] sysvec_apic_timer_interrupt+0xc/0x100 arch/x86/kernel/apic/apic.c:1096 softirqs last enabled at (14942): [] asm_call_irq_on_stack+0xf/0x20 softirqs last disabled at (15687): [] asm_call_irq_on_stack+0xf/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&file_data->lock); lock(&file_data->lock); *** DEADLOCK *** 3 locks held by syz-executor.5/17263: #0: ffff888012066458 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_read_lock_killable include/linux/mmap_lock.h:126 [inline] #0: ffff888012066458 (&mm->mmap_lock#2){++++}-{3:3}, at: __get_user_pages_locked mm/gup.c:1307 [inline] #0: ffff888012066458 (&mm->mmap_lock#2){++++}-{3:3}, at: get_user_pages_unlocked+0x298/0x730 mm/gup.c:1938 #1: ffffffff8b78e000 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2479 [inline] #1: ffffffff8b78e000 (rcu_callback){....}-{0:0}, at: rcu_core+0x6f4/0xf80 kernel/rcu/tree.c:2723 #2: ffffffff8b78e120 (rcu_read_lock){....}-{1:2}, at: percpu_ref_put_many.constprop.0+0x0/0x290 include/linux/cgroup.h:576 stack backtrace: CPU: 1 PID: 17263 Comm: syz-executor.5 Not tainted 5.10.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 print_usage_bug kernel/locking/lockdep.c:4413 [inline] valid_state kernel/locking/lockdep.c:3751 [inline] mark_lock_irq kernel/locking/lockdep.c:3954 [inline] mark_lock.cold+0x56/0x73 kernel/locking/lockdep.c:4411 mark_usage kernel/locking/lockdep.c:4306 [inline] __lock_acquire+0x11b4/0x54b0 kernel/locking/lockdep.c:4786 lock_acquire kernel/locking/lockdep.c:5437 [inline] lock_acquire+0x29d/0x750 kernel/locking/lockdep.c:5402 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_file_data_ref_zero+0x78/0x4d0 fs/io_uring.c:7361 percpu_ref_put_many.constprop.0+0x258/0x290 include/linux/percpu-refcount.h:322 rcu_do_batch kernel/rcu/tree.c:2489 [inline] rcu_core+0x75d/0xf80 kernel/rcu/tree.c:2723 __do_softirq+0x2bc/0xa77 kernel/softirq.c:343 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:226 [inline] __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:420 irq_exit_rcu+0x5/0x20 kernel/softirq.c:432 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1096 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628 RIP: 0010:__alloc_pages_nodemask+0x229/0x740 mm/page_alloc.c:4985 Code: 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 0f b6 14 11 84 d2 74 09 80 fa 03 0f 8e ed 03 00 00 41 3b 76 08 0f 82 61 03 00 00 <48> 89 c1 48 89 44 24 60 48 ba 00 00 00 00 00 fc ff df 48 c1 e9 03 RSP: 0018:ffffc90015ddec70 EFLAGS: 00000202 RAX: ffff88813fffd300 RBX: 1ffff92002bbbd92 RCX: 1ffff11027fffa61 RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff88813fffd308 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000081 R14: ffff88813fffd300 R15: 0000000000100cca alloc_pages_vma+0xdd/0x770 mm/mempolicy.c:2230 shmem_alloc_page+0x11f/0x1f0 mm/shmem.c:1565 shmem_alloc_and_acct_page+0x161/0x8a0 mm/shmem.c:1590 shmem_getpage_gfp+0x551/0x2450 mm/shmem.c:1893 shmem_fault+0x1fe/0x870 mm/shmem.c:2114 __do_fault+0x10d/0x4d0 mm/memory.c:3623 do_shared_fault mm/memory.c:4071 [inline] do_fault mm/memory.c:4149 [inline] handle_pte_fault mm/memory.c:4385 [inline] __handle_mm_fault mm/memory.c:4520 [inline] handle_mm_fault+0x312b/0x5760 mm/memory.c:4618 faultin_page mm/gup.c:851 [inline] __get_user_pages+0x7ca/0x1490 mm/gup.c:1070 __get_user_pages_locked mm/gup.c:1256 [inline] get_user_pages_unlocked+0x1b3/0x730 mm/gup.c:1938 __gup_longterm_unlocked mm/gup.c:2510 [inline] internal_get_user_pages_fast+0x1797/0x23b0 mm/gup.c:2598 get_user_pages_fast+0x66/0xa0 mm/gup.c:2690 iov_iter_get_pages+0x2a2/0xf50 lib/iov_iter.c:1328 __bio_iov_iter_get_pages block/bio.c:1012 [inline] bio_iov_iter_get_pages+0x224/0x1230 block/bio.c:1120 __blkdev_direct_IO fs/block_dev.c:404 [inline] blkdev_direct_IO+0x927/0x12a0 fs/block_dev.c:494 generic_file_read_iter+0x25e/0x4e0 mm/filemap.c:2609 blkdev_read_iter+0x11b/0x180 fs/block_dev.c:1925 call_read_iter include/linux/fs.h:1896 [inline] aio_read+0x2aa/0x460 fs/aio.c:1541 __io_submit_one fs/aio.c:1834 [inline] io_submit_one+0xe88/0x1bd0 fs/aio.c:1883 __do_compat_sys_io_submit fs/aio.c:1984 [inline] __se_compat_sys_io_submit fs/aio.c:1954 [inline] __ia32_compat_sys_io_submit+0x197/0x390 fs/aio.c:1954 do_syscall_32_irqs_on arch/x86/entry/common.c:78 [inline] __do_fast_syscall_32+0x56/0x80 arch/x86/entry/common.c:137 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:160 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c RIP: 0023:0xf7f60549 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f555a0cc EFLAGS: 00000296 ORIG_RAX: 00000000000000f8 RAX: ffffffffffffffda RBX: 00000000f5518000 RCX: 0000000000000008 RDX: 00000000200000c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000