================================ WARNING: inconsistent lock state 6.9.0-syzkaller-08654-g0cc6f45cecb4 #0 Not tainted -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. syz-executor.1/5904 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff88802c238ac0 (lock#13){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ffff88802c238ac0 (lock#13){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 {HARDIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] get_mmap_lock_carefully mm/memory.c:5628 [inline] lock_mm_and_find_vma+0xeb/0x580 mm/memory.c:5688 do_user_addr_fault+0x29c/0x1010 arch/x86/mm/fault.c:1355 handle_page_fault arch/x86/mm/fault.c:1475 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1533 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline] raw_copy_to_user arch/x86/include/asm/uaccess_64.h:131 [inline] copy_to_user_iter lib/iov_iter.c:25 [inline] iterate_iovec include/linux/iov_iter.h:51 [inline] iterate_and_advance2 include/linux/iov_iter.h:247 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x48f/0xfc0 lib/iov_iter.c:185 copy_page_to_iter lib/iov_iter.c:362 [inline] copy_page_to_iter+0xf1/0x180 lib/iov_iter.c:349 process_vm_rw_pages mm/process_vm_access.c:45 [inline] process_vm_rw_single_vec mm/process_vm_access.c:118 [inline] process_vm_rw_core.constprop.0+0x5c9/0xa10 mm/process_vm_access.c:216 process_vm_rw+0x301/0x360 mm/process_vm_access.c:284 __do_sys_process_vm_readv mm/process_vm_access.c:296 [inline] __se_sys_process_vm_readv mm/process_vm_access.c:292 [inline] __ia32_sys_process_vm_readv+0xdf/0x1b0 mm/process_vm_access.c:292 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x75/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e irq event stamp: 5504 hardirqs last enabled at (5503): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] hardirqs last enabled at (5503): [] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194 hardirqs last disabled at (5504): [] sysvec_call_function_single+0xe/0xb0 arch/x86/kernel/smp.c:266 softirqs last enabled at (2382): [] local_bh_enable include/linux/bottom_half.h:33 [inline] softirqs last enabled at (2382): [] fpregs_unlock arch/x86/include/asm/fpu/api.h:80 [inline] softirqs last enabled at (2382): [] fpu_clone+0x332/0xba0 arch/x86/kernel/fpu/core.c:634 softirqs last disabled at (2380): [] local_bh_disable include/linux/bottom_half.h:20 [inline] softirqs last disabled at (2380): [] fpregs_lock arch/x86/include/asm/fpu/api.h:72 [inline] softirqs last disabled at (2380): [] fpu_clone+0x2c7/0xba0 arch/x86/kernel/fpu/core.c:630 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(lock#13); lock(lock#13); *** DEADLOCK *** 2 locks held by syz-executor.1/5904: #0: ffffffff8dbb2fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8dbb2fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #0: ffffffff8dbb2fe0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2402 [inline] #0: ffffffff8dbb2fe0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1c2/0x590 kernel/trace/bpf_trace.c:2444 #1: ffff888027a7f3a0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:165 [inline] #1: ffff888027a7f3a0 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x28a/0x770 kernel/bpf/stackmap.c:141 stack backtrace: CPU: 2 PID: 5904 Comm: syz-executor.1 Not tainted 6.9.0-syzkaller-08654-g0cc6f45cecb4 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_usage_bug kernel/locking/lockdep.c:3971 [inline] valid_state kernel/locking/lockdep.c:4013 [inline] mark_lock_irq kernel/locking/lockdep.c:4216 [inline] mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678 mark_usage kernel/locking/lockdep.c:4564 [inline] __lock_acquire+0x1359/0x3b30 kernel/locking/lockdep.c:5091 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] stack_map_get_build_id_offset+0x608/0x770 kernel/bpf/stackmap.c:141 __bpf_get_stack+0x68a/0x710 kernel/bpf/stackmap.c:449 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1994 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1984 bpf_prog_ec3b2eefa702d8d3+0x42/0x46 bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline] __bpf_prog_run include/linux/filter.h:691 [inline] bpf_prog_run include/linux/filter.h:698 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2403 [inline] bpf_trace_run2+0x231/0x590 kernel/trace/bpf_trace.c:2444 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38 csd_do_func kernel/smp.c:133 [inline] __flush_smp_call_function_queue+0x27a/0x8c0 kernel/smp.c:511 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0x90/0xb0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709 RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194 Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 46 a5 8b f6 48 89 df e8 0e 22 8c f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 01 00 00 00 e8 25 67 7d f6 65 8b 05 b6 d7 22 75 85 c0 74 16 5b RSP: 0018:ffffc9000d84fc40 EFLAGS: 00000246 RAX: 0000000000000002 RBX: ffff88802c22c9c0 RCX: 1ffffffff1fc3b21 RDX: 0000000000000000 RSI: ffffffff8b2cb500 RDI: ffffffff8b8f4920 RBP: 0000000000000246 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff8fe21b97 R11: 0000000000000001 R12: dffffc0000000000 R13: ffffc9000d84fda8 R14: ffffffff8ae0f0da R15: ffff888019412458 hrtimer_start_expires include/linux/hrtimer.h:289 [inline] hrtimer_sleeper_start_expires kernel/time/hrtimer.c:1949 [inline] do_nanosleep+0x1f3/0x510 kernel/time/hrtimer.c:2025 hrtimer_nanosleep+0x1ab/0x440 kernel/time/hrtimer.c:2081 common_nsleep+0xa1/0xd0 kernel/time/posix-timers.c:1350 __do_sys_clock_nanosleep_time32 kernel/time/posix-timers.c:1424 [inline] __se_sys_clock_nanosleep_time32 kernel/time/posix-timers.c:1401 [inline] __ia32_sys_clock_nanosleep_time32+0x334/0x4d0 kernel/time/posix-timers.c:1401 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x75/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf72b2579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000fff152f0 EFLAGS: 00000293 ORIG_RAX: 000000000000010b RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000 RDX: 00000000fff15324 RSI: 00000000fff1531c RDI: 00000000fff15324 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ---------------- Code disassembly (best guess): 0: f5 cmc 1: 53 push %rbx 2: 48 8b 74 24 10 mov 0x10(%rsp),%rsi 7: 48 89 fb mov %rdi,%rbx a: 48 83 c7 18 add $0x18,%rdi e: e8 46 a5 8b f6 call 0xf68ba559 13: 48 89 df mov %rbx,%rdi 16: e8 0e 22 8c f6 call 0xf68c2229 1b: f7 c5 00 02 00 00 test $0x200,%ebp 21: 75 23 jne 0x46 23: 9c pushf 24: 58 pop %rax 25: f6 c4 02 test $0x2,%ah 28: 75 37 jne 0x61 * 2a: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction 2f: e8 25 67 7d f6 call 0xf67d6759 34: 65 8b 05 b6 d7 22 75 mov %gs:0x7522d7b6(%rip),%eax # 0x7522d7f1 3b: 85 c0 test %eax,%eax 3d: 74 16 je 0x55 3f: 5b pop %rbx