================================ WARNING: inconsistent lock state 6.10.0-syzkaller-08676-g720261cfc732 #0 Not tainted -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. syz.2.836/7554 [HC1[1]:SC1[1]:HE0:SE0] takes: ffff88802c038aa0 (lock#13){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ffff88802c038aa0 (lock#13){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 {HARDIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5759 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_write_lock_killable include/linux/mmap_lock.h:123 [inline] vm_mmap_pgoff+0x2be/0x360 mm/util.c:586 ksys_mmap_pgoff+0x332/0x5d0 mm/mmap.c:1443 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e irq event stamp: 16277 hardirqs last enabled at (16276): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] hardirqs last enabled at (16276): [] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194 hardirqs last disabled at (16277): [] sysvec_call_function_single+0xe/0xb0 arch/x86/kernel/smp.c:266 softirqs last enabled at (16212): [] rcu_lock_release include/linux/rcupdate.h:337 [inline] softirqs last enabled at (16212): [] rcu_read_unlock_bh include/linux/rcupdate.h:907 [inline] softirqs last enabled at (16212): [] __dev_queue_xmit+0x86d/0x4300 net/core/dev.c:4450 softirqs last disabled at (16213): [] do_softirq kernel/softirq.c:455 [inline] softirqs last disabled at (16213): [] do_softirq+0xb2/0xf0 kernel/softirq.c:442 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(lock#13); lock(lock#13); *** DEADLOCK *** 6 locks held by syz.2.836/7554: #0: ffff88802ad256d8 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1607 [inline] #0: ffff88802ad256d8 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0xd83/0x3ae0 net/ipv4/raw.c:650 #1: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline] #1: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline] #1: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x364/0x2590 net/ipv4/ip_output.c:228 #2: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: local_lock_release include/linux/local_lock_internal.h:38 [inline] #2: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: process_backlog+0x3f1/0x15f0 net/core/dev.c:6105 #3: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline] #3: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline] #3: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0x263/0x570 net/ipv4/ip_input.c:232 #4: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline] #4: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline] #4: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2405 [inline] #4: ffffffff8dbb4f20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1c2/0x590 kernel/trace/bpf_trace.c:2447 #5: ffff8880273be098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:163 [inline] #5: ffff8880273be098 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x28a/0x760 kernel/bpf/stackmap.c:141 stack backtrace: CPU: 0 PID: 7554 Comm: syz.2.836 Not tainted 6.10.0-syzkaller-08676-g720261cfc732 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_usage_bug kernel/locking/lockdep.c:3970 [inline] valid_state kernel/locking/lockdep.c:4012 [inline] mark_lock_irq kernel/locking/lockdep.c:4215 [inline] mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4677 mark_usage kernel/locking/lockdep.c:4563 [inline] __lock_acquire+0x1419/0x3cb0 kernel/locking/lockdep.c:5096 lock_acquire kernel/locking/lockdep.c:5759 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:164 [inline] stack_map_get_build_id_offset+0x602/0x760 kernel/bpf/stackmap.c:141 __bpf_get_stack+0x68a/0x710 kernel/bpf/stackmap.c:449 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1997 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1987 bpf_prog_ec3b2eefa702d8d3+0x42/0x46 bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline] __bpf_prog_run include/linux/filter.h:691 [inline] bpf_prog_run include/linux/filter.h:698 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline] bpf_trace_run2+0x231/0x590 kernel/trace/bpf_trace.c:2447 __traceiter_tlb_flush+0x64/0xb0 include/trace/events/tlb.h:38 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38 csd_do_func kernel/smp.c:134 [inline] __flush_smp_call_function_queue+0x27a/0x8c0 kernel/smp.c:512 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0x43/0xb0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709 RIP: 0010:__sanitizer_cov_trace_pc+0x18/0x60 kernel/kcov.c:203 Code: 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 15 c4 68 75 7e 65 8b 05 c5 68 75 7e a9 00 01 ff 00 <48> 8b 34 24 74 0f f6 c4 01 74 35 8b 82 1c 16 00 00 85 c0 74 2b 8b RSP: 0018:ffffc900000074d8 EFLAGS: 00000206 RAX: 0000000080000102 RBX: ffffffff90559760 RCX: ffffffff813c8334 RDX: ffff888065c98000 RSI: ffffffff813c8347 RDI: 0000000000000006 RBP: ffffffff90559760 R08: 0000000000000006 R09: ffffffff89480295 R10: ffffffff894802cd R11: 0000000000000000 R12: ffffffff89480295 R13: ffffffff894802cd R14: dffffc0000000000 R15: ffffffff90559764 __orc_find+0x7a/0x130 arch/x86/kernel/unwind_orc.c:100 orc_find arch/x86/kernel/unwind_orc.c:227 [inline] unwind_next_frame+0x335/0x23a0 arch/x86/kernel/unwind_orc.c:494 arch_stack_walk+0x100/0x170 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2235 [inline] slab_free mm/slub.c:4464 [inline] kmem_cache_free+0x12f/0x3a0 mm/slub.c:4539 skb_kfree_head net/core/skbuff.c:1082 [inline] skb_kfree_head net/core/skbuff.c:1079 [inline] skb_free_head+0x18a/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x75c/0x980 net/core/skbuff.c:1123 skb_release_all net/core/skbuff.c:1188 [inline] __kfree_skb net/core/skbuff.c:1202 [inline] consume_skb net/core/skbuff.c:1426 [inline] consume_skb+0xd0/0x170 net/core/skbuff.c:1420 icmp_rcv+0xabf/0x1010 net/ipv4/icmp.c:1291 ip_protocol_deliver_rcu+0x462/0x4e0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x316/0x570 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:460 [inline] ip_rcv_finish net/ipv4/ip_input.c:449 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_rcv+0x2c5/0x5d0 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5660 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5774 process_backlog+0x443/0x15f0 net/core/dev.c:6107 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6771 napi_poll net/core/dev.c:6840 [inline] net_rx_action+0xa92/0x1010 net/core/dev.c:6962 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:909 [inline] __dev_queue_xmit+0x882/0x4300 net/core/dev.c:4450 dev_queue_xmit include/linux/netdevice.h:3105 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output include/net/neighbour.h:540 [inline] ip_finish_output2+0x16c1/0x2590 net/ipv4/ip_output.c:235 __ip_finish_output net/ipv4/ip_output.c:313 [inline] __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:295 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433 dst_output include/net/dst.h:450 [inline] ip_local_out net/ipv4/ip_output.c:129 [inline] ip_send_skb net/ipv4/ip_output.c:1495 [inline] ip_push_pending_frames+0x2fb/0x5b0 net/ipv4/ip_output.c:1515 raw_sendmsg+0x147e/0x3ae0 net/ipv4/raw.c:657 inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x90d/0xb50 net/socket.c:2597 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2651 __sys_sendmmsg+0x2a5/0x450 net/socket.c:2730 __compat_sys_sendmmsg net/compat.c:360 [inline] __do_compat_sys_sendmmsg net/compat.c:367 [inline] __se_compat_sys_sendmmsg net/compat.c:364 [inline] __ia32_compat_sys_sendmmsg+0x9d/0x100 net/compat.c:364 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7f5f579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f5cf556c EFLAGS: 00000296 ORIG_RAX: 0000000000000159 RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020005240 RDX: 0000000004000095 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 90 nop 3: 90 nop 4: 90 nop 5: 90 nop 6: 90 nop 7: 90 nop 8: 90 nop 9: 90 nop a: 90 nop b: 90 nop c: 90 nop d: 90 nop e: 90 nop f: 90 nop 10: 90 nop 11: 90 nop 12: f3 0f 1e fa endbr64 16: 65 48 8b 15 c4 68 75 mov %gs:0x7e7568c4(%rip),%rdx # 0x7e7568e2 1d: 7e 1e: 65 8b 05 c5 68 75 7e mov %gs:0x7e7568c5(%rip),%eax # 0x7e7568ea 25: a9 00 01 ff 00 test $0xff0100,%eax * 2a: 48 8b 34 24 mov (%rsp),%rsi <-- trapping instruction 2e: 74 0f je 0x3f 30: f6 c4 01 test $0x1,%ah 33: 74 35 je 0x6a 35: 8b 82 1c 16 00 00 mov 0x161c(%rdx),%eax 3b: 85 c0 test %eax,%eax 3d: 74 2b je 0x6a 3f: 8b .byte 0x8b