================================ WARNING: inconsistent lock state 6.9.0-rc6-syzkaller-00290-gb9158815de52 #0 Not tainted -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. syz-executor.2/9267 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff8880b9438a80 (lock#10){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ffff8880b9438a80 (lock#10){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 {HARDIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] get_mmap_lock_carefully mm/memory.c:5633 [inline] lock_mm_and_find_vma+0xeb/0x580 mm/memory.c:5693 do_user_addr_fault+0x29c/0x1080 arch/x86/mm/fault.c:1385 handle_page_fault arch/x86/mm/fault.c:1505 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1563 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 do_strncpy_from_user lib/strncpy_from_user.c:41 [inline] strncpy_from_user+0x164/0x300 lib/strncpy_from_user.c:139 getxattr+0xd5/0x190 fs/xattr.c:765 __do_sys_fgetxattr fs/xattr.c:817 [inline] __se_sys_fgetxattr fs/xattr.c:808 [inline] __x64_sys_fgetxattr+0x1d3/0x2a0 fs/xattr.c:808 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f irq event stamp: 104 hardirqs last enabled at (103): [] __raw_read_unlock_irqrestore include/linux/rwlock_api_smp.h:241 [inline] hardirqs last enabled at (103): [] _raw_read_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:268 hardirqs last disabled at (104): [] sysvec_call_function_single+0xe/0xb0 arch/x86/kernel/smp.c:266 softirqs last enabled at (0): [] copy_process+0x24cc/0x9090 kernel/fork.c:2336 softirqs last disabled at (0): [<0000000000000000>] 0x0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(lock#10); lock(lock#10); *** DEADLOCK *** 4 locks held by syz-executor.2/9267: #0: ffff88805d47e0a0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:124 [inline] #0: ffff88805d47e0a0 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0x160/0x3c0 mm/util.c:571 #1: ffff8880b9438a80 (lock#10){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] #1: ffff8880b9438a80 (lock#10){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 #2: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #2: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #2: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: get_memcg_path_buf mm/mmap_lock.c:139 [inline] #2: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: get_mm_memcg_path+0xb1/0x6f0 mm/mmap_lock.c:209 #3: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #3: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #3: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline] #3: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xe4/0x420 kernel/trace/bpf_trace.c:2420 stack backtrace: CPU: 0 PID: 9267 Comm: syz-executor.2 Not tainted 6.9.0-rc6-syzkaller-00290-gb9158815de52 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_usage_bug kernel/locking/lockdep.c:3971 [inline] valid_state kernel/locking/lockdep.c:4013 [inline] mark_lock_irq kernel/locking/lockdep.c:4216 [inline] mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678 mark_usage kernel/locking/lockdep.c:4564 [inline] __lock_acquire+0x1359/0x3b30 kernel/locking/lockdep.c:5091 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] stack_map_get_build_id_offset+0x5df/0x7d0 kernel/bpf/stackmap.c:141 __bpf_get_stack+0x6bf/0x700 kernel/bpf/stackmap.c:449 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1985 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1975 bpf_prog_e6cf5f9c69743609+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:650 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x22c/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_tlb_flush+0xd2/0x110 include/trace/events/tlb.h:38 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38 csd_do_func kernel/smp.c:133 [inline] __flush_smp_call_function_queue+0x27d/0x8c0 kernel/smp.c:511 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0x90/0xb0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709 RIP: 0010:__raw_read_unlock_irqrestore include/linux/rwlock_api_smp.h:242 [inline] RIP: 0010:_raw_read_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:268 Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 b6 dd 8c f6 48 89 df e8 ee 5d 8d f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 01 00 00 00 e8 f5 94 7e f6 65 8b 05 06 94 23 75 85 c0 74 16 5b RSP: 0018:ffffc9000ce57ce8 EFLAGS: 00000246 RAX: 0000000000000002 RBX: ffffffff8dbf9a20 RCX: 1ffffffff280b7eb RDX: 0000000000000000 RSI: ffffffff8b2cbf40 RDI: ffffffff8b8f8320 RBP: 0000000000000287 R08: 0000000000000001 R09: fffffbfff27ff24f R10: ffffffff93ff927f R11: 0000000000000003 R12: 0000000000000000 R13: ffff88802e0d2800 R14: 0000000000000100 R15: ffff8880172a9e00 kernfs_path_from_node+0x4e/0x60 fs/kernfs/dir.c:231 kernfs_path include/linux/kernfs.h:598 [inline] cgroup_path include/linux/cgroup.h:599 [inline] get_mm_memcg_path+0x1a3/0x6f0 mm/mmap_lock.c:213 __mmap_lock_do_trace_acquire_returned+0x13e/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_write_lock_killable include/linux/mmap_lock.h:125 [inline] vm_mmap_pgoff+0x2f7/0x3c0 mm/util.c:571 ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1431 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f33cc27dce3 Code: f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41 89 ca 41 f7 c1 ff 0f 00 00 75 14 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 25 c3 0f 1f 40 00 48 c7 c0 b0 ff ff ff 64 c7 RSP: 002b:00007f33ccfe5ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 0000000000000334 RCX: 00007f33cc27dce3 RDX: 0000000000000003 RSI: 0000000008400000 RDI: 0000000000000000 RBP: 00000000200001c2 R08: 00000000ffffffff R09: 0000000000000000 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000000003 R13: 00007f33ccfe5f80 R14: 00007f33ccfe5f40 R15: 0000000020000500 vkms_vblank_simulate: vblank timer overrun ---------------- Code disassembly (best guess): 0: f5 cmc 1: 53 push %rbx 2: 48 8b 74 24 10 mov 0x10(%rsp),%rsi 7: 48 89 fb mov %rdi,%rbx a: 48 83 c7 18 add $0x18,%rdi e: e8 b6 dd 8c f6 call 0xf68cddc9 13: 48 89 df mov %rbx,%rdi 16: e8 ee 5d 8d f6 call 0xf68d5e09 1b: f7 c5 00 02 00 00 test $0x200,%ebp 21: 75 23 jne 0x46 23: 9c pushf 24: 58 pop %rax 25: f6 c4 02 test $0x2,%ah 28: 75 37 jne 0x61 * 2a: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction 2f: e8 f5 94 7e f6 call 0xf67e9529 34: 65 8b 05 06 94 23 75 mov %gs:0x75239406(%rip),%eax # 0x75239441 3b: 85 c0 test %eax,%eax 3d: 74 16 je 0x55 3f: 5b pop %rbx