===================================================== WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted ----------------------------------------------------- syz-executor.4/5972 [HC0[0]:SC1[3]:HE0:SE0] is trying to acquire: ffff88802a167200 (&stab->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffff88802a167200 (&stab->lock){+.-.}-{2:2}, at: __sock_map_delete net/core/sock_map.c:414 [inline] ffff88802a167200 (&stab->lock){+.-.}-{2:2}, at: sock_map_delete_elem+0xc8/0x150 net/core/sock_map.c:446 and this task is already holding: ffff888015098018 (&pool->lock){-.-.}-{2:2}, at: __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 which would create a new lock dependency: (&pool->lock){-.-.}-{2:2} -> (&stab->lock){+.-.}-{2:2} but this new dependency connects a HARDIRQ-irq-safe lock: (&pool->lock){-.-.}-{2:2} ... which became HARDIRQ-irq-safe at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 queue_work_on+0xf4/0x120 kernel/workqueue.c:2435 tick_nohz_activate kernel/time/tick-sched.c:1491 [inline] tick_setup_sched_timer+0x47c/0x790 kernel/time/tick-sched.c:1592 hrtimer_switch_to_hres kernel/time/hrtimer.c:750 [inline] hrtimer_run_queues+0x33c/0x450 kernel/time/hrtimer.c:1918 run_local_timers kernel/time/timer.c:2453 [inline] update_process_times+0xcf/0x220 kernel/time/timer.c:2475 tick_periodic+0x7e/0x230 kernel/time/tick-common.c:100 tick_handle_periodic+0x45/0x120 kernel/time/tick-common.c:112 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline] __sysvec_apic_timer_interrupt+0x112/0x410 arch/x86/kernel/apic/apic.c:1049 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 lock_acquire+0x1f2/0x540 kernel/locking/lockdep.c:5722 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] d_alloc+0x6a/0x1e0 fs/dcache.c:1707 d_alloc_parallel+0xe9/0x12b0 fs/dcache.c:2462 __lookup_slow+0x194/0x460 fs/namei.c:1677 lookup_one_len+0x181/0x1b0 fs/namei.c:2756 tracefs_start_creating+0x110/0x2a0 fs/tracefs/inode.c:479 tracefs_create_file+0x9d/0x810 fs/tracefs/inode.c:567 trace_create_file+0x33/0x70 kernel/trace/trace.c:9167 event_trace_init+0xe5/0x1f0 kernel/trace/trace_events.c:4097 tracer_init_tracefs_work_func+0x12/0x3c0 kernel/trace/trace.c:10175 process_one_work+0x9ac/0x1a60 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416 kthread+0x2c4/0x3a0 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 to a HARDIRQ-irq-unsafe lock: (&stab->lock){+.-.}-{2:2} ... which became HARDIRQ-irq-unsafe at: ... lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] __sock_map_delete net/core/sock_map.c:414 [inline] sock_map_delete_elem+0xc8/0x150 net/core/sock_map.c:446 bpf_prog_2c29ac5cdc6b1842+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x154/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122 trace_contention_end+0xce/0x120 include/trace/events/lock.h:122 __mutex_lock_common kernel/locking/mutex.c:617 [inline] __mutex_lock+0x19c/0x9c0 kernel/locking/mutex.c:752 nf_sockopt_find.constprop.0+0x2a/0x290 net/netfilter/nf_sockopt.c:67 nf_getsockopt+0x2d/0xe0 net/netfilter/nf_sockopt.c:113 ipv6_getsockopt+0x1fd/0x2c0 net/ipv6/ipv6_sockglue.c:1494 tcp_getsockopt+0xa1/0x100 net/ipv4/tcp.c:4373 do_sock_getsockopt+0x2e8/0x760 net/socket.c:2373 __sys_getsockopt+0x1a1/0x270 net/socket.c:2402 __do_sys_getsockopt net/socket.c:2412 [inline] __se_sys_getsockopt net/socket.c:2409 [inline] __x64_sys_getsockopt+0xbd/0x160 net/socket.c:2409 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&stab->lock); local_irq_disable(); lock(&pool->lock); lock(&stab->lock); lock(&pool->lock); *** DEADLOCK *** 6 locks held by syz-executor.4/5972: #0: ffff88801f173aa0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:124 [inline] #0: ffff88801f173aa0 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0x160/0x3c0 mm/util.c:571 #1: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] #1: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] #1: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: mt_validate+0xd5/0x4390 lib/maple_tree.c:7578 #2: ffffc90000007cb0 (fs/notify/mark.c:89){..-.}-{0:0}, at: call_timer_fn+0x11a/0x5b0 kernel/time/timer.c:1789 #3: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] #3: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] #3: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: __queue_work+0xf2/0x1170 kernel/workqueue.c:2324 #4: ffff888015098018 (&pool->lock){-.-.}-{2:2}, at: __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 #5: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] #5: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] #5: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline] #5: ffffffff8d7b49e0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xe4/0x420 kernel/trace/bpf_trace.c:2420 the dependencies between HARDIRQ-irq-safe lock and the holding lock: -> (&pool->lock){-.-.}-{2:2} { IN-HARDIRQ-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 queue_work_on+0xf4/0x120 kernel/workqueue.c:2435 tick_nohz_activate kernel/time/tick-sched.c:1491 [inline] tick_setup_sched_timer+0x47c/0x790 kernel/time/tick-sched.c:1592 hrtimer_switch_to_hres kernel/time/hrtimer.c:750 [inline] hrtimer_run_queues+0x33c/0x450 kernel/time/hrtimer.c:1918 run_local_timers kernel/time/timer.c:2453 [inline] update_process_times+0xcf/0x220 kernel/time/timer.c:2475 tick_periodic+0x7e/0x230 kernel/time/tick-common.c:100 tick_handle_periodic+0x45/0x120 kernel/time/tick-common.c:112 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline] __sysvec_apic_timer_interrupt+0x112/0x410 arch/x86/kernel/apic/apic.c:1049 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 lock_acquire+0x1f2/0x540 kernel/locking/lockdep.c:5722 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] d_alloc+0x6a/0x1e0 fs/dcache.c:1707 d_alloc_parallel+0xe9/0x12b0 fs/dcache.c:2462 __lookup_slow+0x194/0x460 fs/namei.c:1677 lookup_one_len+0x181/0x1b0 fs/namei.c:2756 tracefs_start_creating+0x110/0x2a0 fs/tracefs/inode.c:479 tracefs_create_file+0x9d/0x810 fs/tracefs/inode.c:567 trace_create_file+0x33/0x70 kernel/trace/trace.c:9167 event_trace_init+0xe5/0x1f0 kernel/trace/trace_events.c:4097 tracer_init_tracefs_work_func+0x12/0x3c0 kernel/trace/trace.c:10175 process_one_work+0x9ac/0x1a60 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416 kthread+0x2c4/0x3a0 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 IN-SOFTIRQ-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 call_timer_fn+0x1a3/0x5b0 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1838 [inline] __run_timers+0x567/0xab0 kernel/time/timer.c:2408 __run_timer_base kernel/time/timer.c:2419 [inline] __run_timer_base kernel/time/timer.c:2412 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2428 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2438 __do_softirq+0x21b/0x8de kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:633 [inline] irq_exit_rcu+0xb9/0x120 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline] default_idle+0xf/0x20 arch/x86/kernel/process.c:742 default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117 cpuidle_idle_call kernel/sched/idle.c:191 [inline] do_idle+0x32c/0x3f0 kernel/sched/idle.c:332 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430 rest_init+0x16f/0x2b0 init/main.c:730 arch_call_rest_init+0x13/0x40 init/main.c:831 start_kernel+0x3a3/0x490 init/main.c:1077 x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:509 x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:490 common_startup_64+0x13e/0x148 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 queue_work_on+0xf4/0x120 kernel/workqueue.c:2435 queue_work include/linux/workqueue.h:605 [inline] start_poll_synchronize_rcu_expedited+0x147/0x180 kernel/rcu/tree_exp.h:1017 rcu_init+0x1625/0x20c0 kernel/rcu/tree.c:5240 start_kernel+0x19e/0x490 init/main.c:969 x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:509 x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:490 common_startup_64+0x13e/0x148 } ... key at: [] __key.17+0x0/0x40 the dependencies between the lock to be acquired and HARDIRQ-irq-unsafe lock: -> (&stab->lock){+.-.}-{2:2} { HARDIRQ-ON-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] __sock_map_delete net/core/sock_map.c:414 [inline] sock_map_delete_elem+0xc8/0x150 net/core/sock_map.c:446 bpf_prog_2c29ac5cdc6b1842+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x154/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122 trace_contention_end+0xce/0x120 include/trace/events/lock.h:122 __mutex_lock_common kernel/locking/mutex.c:617 [inline] __mutex_lock+0x19c/0x9c0 kernel/locking/mutex.c:752 nf_sockopt_find.constprop.0+0x2a/0x290 net/netfilter/nf_sockopt.c:67 nf_getsockopt+0x2d/0xe0 net/netfilter/nf_sockopt.c:113 ipv6_getsockopt+0x1fd/0x2c0 net/ipv6/ipv6_sockglue.c:1494 tcp_getsockopt+0xa1/0x100 net/ipv4/tcp.c:4373 do_sock_getsockopt+0x2e8/0x760 net/socket.c:2373 __sys_getsockopt+0x1a1/0x270 net/socket.c:2402 __do_sys_getsockopt net/socket.c:2412 [inline] __se_sys_getsockopt net/socket.c:2409 [inline] __x64_sys_getsockopt+0xbd/0x160 net/socket.c:2409 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 IN-SOFTIRQ-W at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] __sock_map_delete net/core/sock_map.c:414 [inline] sock_map_delete_elem+0xc8/0x150 net/core/sock_map.c:446 bpf_prog_2c29ac5cdc6b1842+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x154/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122 trace_contention_end.constprop.0+0xe2/0x140 include/trace/events/lock.h:122 __pv_queued_spin_lock_slowpath+0x266/0xc80 kernel/locking/qspinlock.c:560 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline] queued_spin_lock include/asm-generic/qspinlock.h:114 [inline] do_raw_spin_lock+0x210/0x2c0 kernel/locking/spinlock_debug.c:116 __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 call_timer_fn+0x1a3/0x5b0 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1838 [inline] __run_timers+0x567/0xab0 kernel/time/timer.c:2408 __run_timer_base kernel/time/timer.c:2419 [inline] __run_timer_base kernel/time/timer.c:2412 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2428 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2438 __do_softirq+0x21b/0x8de kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:633 [inline] irq_exit_rcu+0xb9/0x120 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 mt_locked lib/maple_tree.c:781 [inline] mt_slot lib/maple_tree.c:788 [inline] mas_slot lib/maple_tree.c:821 [inline] mt_validate_nulls+0x5a4/0x9e0 lib/maple_tree.c:7547 mt_validate+0x3148/0x4390 lib/maple_tree.c:7601 validate_mm+0x9c/0x4b0 mm/mmap.c:288 mmap_region+0x15e6/0x2aa0 mm/mmap.c:2952 do_mmap+0x8ae/0xf10 mm/mmap.c:1387 vm_mmap_pgoff+0x1ab/0x3c0 mm/util.c:573 ksys_mmap_pgoff+0x425/0x5b0 mm/mmap.c:1433 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] __sock_map_delete net/core/sock_map.c:414 [inline] sock_map_delete_elem+0xc8/0x150 net/core/sock_map.c:446 bpf_prog_2c29ac5cdc6b1842+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x154/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122 trace_contention_end+0xce/0x120 include/trace/events/lock.h:122 __mutex_lock_common kernel/locking/mutex.c:617 [inline] __mutex_lock+0x19c/0x9c0 kernel/locking/mutex.c:752 nf_sockopt_find.constprop.0+0x2a/0x290 net/netfilter/nf_sockopt.c:67 nf_getsockopt+0x2d/0xe0 net/netfilter/nf_sockopt.c:113 ipv6_getsockopt+0x1fd/0x2c0 net/ipv6/ipv6_sockglue.c:1494 tcp_getsockopt+0xa1/0x100 net/ipv4/tcp.c:4373 do_sock_getsockopt+0x2e8/0x760 net/socket.c:2373 __sys_getsockopt+0x1a1/0x270 net/socket.c:2402 __do_sys_getsockopt net/socket.c:2412 [inline] __se_sys_getsockopt net/socket.c:2409 [inline] __x64_sys_getsockopt+0xbd/0x160 net/socket.c:2409 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 } ... key at: [] __key.1+0x0/0x40 ... acquired at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] __sock_map_delete net/core/sock_map.c:414 [inline] sock_map_delete_elem+0xc8/0x150 net/core/sock_map.c:446 bpf_prog_2c29ac5cdc6b1842+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x154/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122 trace_contention_end.constprop.0+0xe2/0x140 include/trace/events/lock.h:122 __pv_queued_spin_lock_slowpath+0x266/0xc80 kernel/locking/qspinlock.c:560 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline] queued_spin_lock include/asm-generic/qspinlock.h:114 [inline] do_raw_spin_lock+0x210/0x2c0 kernel/locking/spinlock_debug.c:116 __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 call_timer_fn+0x1a3/0x5b0 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1838 [inline] __run_timers+0x567/0xab0 kernel/time/timer.c:2408 __run_timer_base kernel/time/timer.c:2419 [inline] __run_timer_base kernel/time/timer.c:2412 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2428 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2438 __do_softirq+0x21b/0x8de kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:633 [inline] irq_exit_rcu+0xb9/0x120 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 mt_locked lib/maple_tree.c:781 [inline] mt_slot lib/maple_tree.c:788 [inline] mas_slot lib/maple_tree.c:821 [inline] mt_validate_nulls+0x5a4/0x9e0 lib/maple_tree.c:7547 mt_validate+0x3148/0x4390 lib/maple_tree.c:7601 validate_mm+0x9c/0x4b0 mm/mmap.c:288 mmap_region+0x15e6/0x2aa0 mm/mmap.c:2952 do_mmap+0x8ae/0xf10 mm/mmap.c:1387 vm_mmap_pgoff+0x1ab/0x3c0 mm/util.c:573 ksys_mmap_pgoff+0x425/0x5b0 mm/mmap.c:1433 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 stack backtrace: CPU: 0 PID: 5972 Comm: syz-executor.4 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_bad_irq_dependency kernel/locking/lockdep.c:2626 [inline] check_irq_usage+0xe3c/0x1490 kernel/locking/lockdep.c:2865 check_prev_add kernel/locking/lockdep.c:3138 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain kernel/locking/lockdep.c:3869 [inline] __lock_acquire+0x248e/0x3b30 kernel/locking/lockdep.c:5137 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] __sock_map_delete net/core/sock_map.c:414 [inline] sock_map_delete_elem+0xc8/0x150 net/core/sock_map.c:446 bpf_prog_2c29ac5cdc6b1842+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:657 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x154/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_contention_end+0xca/0x110 include/trace/events/lock.h:122 trace_contention_end.constprop.0+0xe2/0x140 include/trace/events/lock.h:122 __pv_queued_spin_lock_slowpath+0x266/0xc80 kernel/locking/qspinlock.c:560 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline] queued_spin_lock include/asm-generic/qspinlock.h:114 [inline] do_raw_spin_lock+0x210/0x2c0 kernel/locking/spinlock_debug.c:116 __queue_work+0x39e/0x1170 kernel/workqueue.c:2360 call_timer_fn+0x1a3/0x5b0 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1838 [inline] __run_timers+0x567/0xab0 kernel/time/timer.c:2408 __run_timer_base kernel/time/timer.c:2419 [inline] __run_timer_base kernel/time/timer.c:2412 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2428 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2438 __do_softirq+0x21b/0x8de kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu kernel/softirq.c:633 [inline] irq_exit_rcu+0xb9/0x120 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:mt_locked lib/maple_tree.c:781 [inline] RIP: 0010:mt_slot lib/maple_tree.c:788 [inline] RIP: 0010:mas_slot lib/maple_tree.c:821 [inline] RIP: 0010:mt_validate_nulls+0x5a4/0x9e0 lib/maple_tree.c:7547 Code: 85 15 04 00 00 48 8b 1b 48 85 db 74 3e e8 74 cb cd f6 be ff ff ff ff 48 89 df e8 47 c3 12 00 31 ff 89 c3 89 c6 e8 3c c6 cd f6 <85> db 75 1d e8 53 cb cd f6 e8 8e 79 b3 f6 31 ff 89 c3 89 c6 e8 23 RSP: 0018:ffffc90017e0f858 EFLAGS: 00000293 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff8ac070d4 RDX: ffff888027198000 RSI: 0000000000000000 RDI: 0000000000000005 RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000003 R13: 0000000000000000 R14: 0000000000000300 R15: ffff88802878bb00 mt_validate+0x3148/0x4390 lib/maple_tree.c:7601 validate_mm+0x9c/0x4b0 mm/mmap.c:288 mmap_region+0x15e6/0x2aa0 mm/mmap.c:2952 do_mmap+0x8ae/0xf10 mm/mmap.c:1387 vm_mmap_pgoff+0x1ab/0x3c0 mm/util.c:573 ksys_mmap_pgoff+0x425/0x5b0 mm/mmap.c:1433 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f39fec7dea3 Code: f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41 89 ca 41 f7 c1 ff 0f 00 00 75 14 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 25 c3 0f 1f 40 00 48 c7 c0 b0 ff ff ff 64 c7 RSP: 002b:00007ffe386bd618 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 0000000000600000 RCX: 00007f39fec7dea3 RDX: 0000000000000003 RSI: 00000000005c0000 RDI: 0000001b31360000 RBP: 0000001b31360000 R08: 0000000000000004 R09: 0000000000040000 R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 ---------------- Code disassembly (best guess): 0: 85 15 04 00 00 48 test %edx,0x48000004(%rip) # 0x4800000a 6: 8b 1b mov (%rbx),%ebx 8: 48 85 db test %rbx,%rbx b: 74 3e je 0x4b d: e8 74 cb cd f6 call 0xf6cdcb86 12: be ff ff ff ff mov $0xffffffff,%esi 17: 48 89 df mov %rbx,%rdi 1a: e8 47 c3 12 00 call 0x12c366 1f: 31 ff xor %edi,%edi 21: 89 c3 mov %eax,%ebx 23: 89 c6 mov %eax,%esi 25: e8 3c c6 cd f6 call 0xf6cdc666 * 2a: 85 db test %ebx,%ebx <-- trapping instruction 2c: 75 1d jne 0x4b 2e: e8 53 cb cd f6 call 0xf6cdcb86 33: e8 8e 79 b3 f6 call 0xf6b379c6 38: 31 ff xor %edi,%edi 3a: 89 c3 mov %eax,%ebx 3c: 89 c6 mov %eax,%esi 3e: e8 .byte 0xe8 3f: 23 .byte 0x23