do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ff5e09da0f2 ================================ WARNING: inconsistent lock state 6.0.0-rc4-syzkaller-00136-g0727a9a5fbc1 #0 Not tainted -------------------------------- inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. dhcpcd/3186 [HC0[0]:SC1[1]:HE0:SE0] takes: ffffffff8c0bf378 (vmap_area_lock){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline] ffffffff8c0bf378 (vmap_area_lock){+.?.}-{2:2}, at: find_vmap_area+0x1c/0x130 mm/vmalloc.c:1836 {SOFTIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5666 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:349 [inline] alloc_vmap_area+0xa0b/0x1d50 mm/vmalloc.c:1617 __get_vm_area_node+0x142/0x3f0 mm/vmalloc.c:2484 get_vm_area_caller+0x43/0x50 mm/vmalloc.c:2537 __ioremap_caller.constprop.0+0x292/0x600 arch/x86/mm/ioremap.c:280 acpi_os_ioremap include/acpi/acpi_io.h:13 [inline] acpi_map drivers/acpi/osl.c:296 [inline] acpi_os_map_iomem+0x463/0x550 drivers/acpi/osl.c:355 acpi_tb_acquire_table+0xd8/0x209 drivers/acpi/acpica/tbdata.c:142 acpi_tb_validate_table drivers/acpi/acpica/tbdata.c:317 [inline] acpi_tb_validate_table+0x50/0x8c drivers/acpi/acpica/tbdata.c:308 acpi_tb_verify_temp_table+0x84/0x674 drivers/acpi/acpica/tbdata.c:504 acpi_reallocate_root_table+0x374/0x3e0 drivers/acpi/acpica/tbxface.c:180 acpi_early_init+0x13a/0x438 drivers/acpi/bus.c:1214 start_kernel+0x3cf/0x48f init/main.c:1099 secondary_startup_64_no_verify+0xce/0xdb irq event stamp: 8857427 hardirqs last enabled at (8857426): [] console_emit_next_record.constprop.0+0x694/0x840 kernel/printk/printk.c:2738 hardirqs last disabled at (8857427): [] dump_stack_lvl+0x2e/0x134 lib/dump_stack.c:105 softirqs last 
enabled at (8857374): [] invoke_softirq kernel/softirq.c:445 [inline] softirqs last enabled at (8857374): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 softirqs last disabled at (8857377): [] invoke_softirq kernel/softirq.c:445 [inline] softirqs last disabled at (8857377): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(vmap_area_lock); <Interrupt> lock(vmap_area_lock); *** DEADLOCK *** 4 locks held by dhcpcd/3186: #0: ffffffff8c06d9d0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:589 [inline] #0: ffffffff8c06d9d0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm+0x108/0x13a0 kernel/fork.c:1524 #1: ffff88801d466a28 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline] #1: ffff88801d466a28 (&mm->mmap_lock#2){++++}-{3:3}, at: dup_mmap kernel/fork.c:590 [inline] #1: ffff88801d466a28 (&mm->mmap_lock#2){++++}-{3:3}, at: dup_mm+0x129/0x13a0 kernel/fork.c:1524 #2: ffff88801fcf7828 (&mm->mmap_lock/1){+.+.}-{3:3}, at: mmap_write_lock_nested include/linux/mmap_lock.h:78 [inline] #2: ffff88801fcf7828 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mmap kernel/fork.c:599 [inline] #2: ffff88801fcf7828 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mm+0x17b/0x13a0 kernel/fork.c:1524 #3: ffffffff8c0ea448 (remove_cache_srcu){....}-{0:0}, at: kasan_quarantine_reduce+0x41/0x200 mm/kasan/quarantine.c:296 stack backtrace: CPU: 0 PID: 3186 Comm: dhcpcd Not tainted 6.0.0-rc4-syzkaller-00136-g0727a9a5fbc1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_usage_bug kernel/locking/lockdep.c:3961 [inline] valid_state kernel/locking/lockdep.c:3973 [inline] mark_lock_irq kernel/locking/lockdep.c:4176 [inline] mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632 mark_lock kernel/locking/lockdep.c:4596 [inline] mark_usage 
kernel/locking/lockdep.c:4527 [inline] __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007 lock_acquire kernel/locking/lockdep.c:5666 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:349 [inline] find_vmap_area+0x1c/0x130 mm/vmalloc.c:1836 check_heap_object mm/usercopy.c:176 [inline] __check_object_size mm/usercopy.c:250 [inline] __check_object_size+0x1f8/0x700 mm/usercopy.c:212 check_object_size include/linux/thread_info.h:199 [inline] __copy_from_user_inatomic include/linux/uaccess.h:62 [inline] copy_from_user_nmi arch/x86/lib/usercopy.c:47 [inline] copy_from_user_nmi+0xcb/0x130 arch/x86/lib/usercopy.c:31 copy_code arch/x86/kernel/dumpstack.c:91 [inline] show_opcodes+0x59/0xb0 arch/x86/kernel/dumpstack.c:121 show_iret_regs+0xd/0x33 arch/x86/kernel/dumpstack.c:149 __show_regs+0x1e/0x60 arch/x86/kernel/process_64.c:74 show_trace_log_lvl+0x25b/0x2ba arch/x86/kernel/dumpstack.c:292 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 warn_alloc.cold+0x9b/0x189 mm/page_alloc.c:4356 __alloc_pages_slowpath.constprop.0+0x1d6e/0x2240 mm/page_alloc.c:5257 __alloc_pages+0x43d/0x510 mm/page_alloc.c:5528 alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270 alloc_slab_page mm/slub.c:1824 [inline] allocate_slab+0x29a/0x3d0 mm/slub.c:1977 new_slab mm/slub.c:2029 [inline] ___slab_alloc+0x7f1/0xe10 mm/slub.c:3031 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118 slab_alloc_node mm/slub.c:3209 [inline] kmem_cache_alloc_node+0x11d/0x3f0 mm/slub.c:3293 __alloc_skb+0x210/0x2f0 net/core/skbuff.c:422 alloc_skb include/linux/skbuff.h:1257 [inline] bcm_can_tx+0x259/0x830 net/can/bcm.c:288 bcm_tx_timeout_handler+0x22c/0x5b0 net/can/bcm.c:424 __run_hrtimer kernel/time/hrtimer.c:1685 [inline] __hrtimer_run_queues+0x5fa/0xe40 kernel/time/hrtimer.c:1749 hrtimer_run_softirq+0x17b/0x360 
kernel/time/hrtimer.c:1766 __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649 RIP: 0010:phys_addr_valid arch/x86/mm/physaddr.h:7 [inline] RIP: 0010:__phys_addr+0x8b/0x140 arch/x86/mm/physaddr.c:28 Code: 00 00 00 00 00 fc ff df 48 89 c1 83 e0 07 48 c1 e9 03 0f b6 14 11 38 c2 7f 08 84 d2 0f 85 99 00 00 00 44 0f b6 2d 42 ef a7 0c 3f 00 00 00 44 89 ee e8 c8 20 45 00 41 80 fd 3f 0f 87 02 d5 03 RSP: 0000:ffffc9000312f8e0 EFLAGS: 00000246 RAX: 0000000000000005 RBX: ffff888150232c00 RCX: 1ffffffff1bbdaa3 RDX: 0000000000000000 RSI: ffffffff8136e5a8 RDI: 0000000000000006 RBP: ffff8881d0232c00 R08: 0000000000000006 R09: ffff8881d0232c00 R10: 0000000150232c00 R11: 0000000000000000 R12: 0000000150232c00 R13: 000000000000002e R14: ffff888150232c00 R15: ffff888011841c80 virt_to_folio include/linux/mm.h:856 [inline] virt_to_slab mm/slab.h:175 [inline] ___cache_free+0x17/0xf0 mm/slub.c:3541 qlink_free mm/kasan/quarantine.c:168 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:727 [inline] slab_alloc_node mm/slub.c:3243 [inline] slab_alloc mm/slub.c:3251 [inline] __kmem_cache_alloc_lru mm/slub.c:3258 [inline] kmem_cache_alloc+0x14a/0x3b0 mm/slub.c:3268 anon_vma_alloc mm/rmap.c:93 [inline] anon_vma_fork+0xed/0x640 mm/rmap.c:359 dup_mmap kernel/fork.c:658 [inline] dup_mm+0xa52/0x13a0 kernel/fork.c:1524 copy_mm kernel/fork.c:1576 [inline] copy_process+0x3cb9/0x7090 kernel/fork.c:2256 kernel_clone+0xe7/0xab0 kernel/fork.c:2673 __do_sys_clone+0xba/0x100 kernel/fork.c:2807 do_syscall_x64 
arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ff5e09da0f2 Code: ed 0f 85 11 01 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 a2 00 00 00 41 89 c5 85 c0 0f 85 af 00 00 RSP: 002b:00007ffc317797e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 000055710c158548 RCX: 00007ff5e09da0f2 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 RBP: 0000000000000000 R08: 0000000000000000 R09: 000055710c158510 R10: 00007ff5e0914a10 R11: 0000000000000246 R12: 0000000000000000 R13: 000055710c158510 R14: 0000000000000000 R15: 000055710c158544 Code: ed 0f 85 11 01 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 a2 00 00 00 41 89 c5 85 c0 0f 85 af 00 00 RSP: 002b:00007ffc317797e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 000055710c158548 RCX: 00007ff5e09da0f2 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 RBP: 0000000000000000 R08: 0000000000000000 R09: 000055710c158510 R10: 00007ff5e0914a10 R11: 0000000000000246 R12: 0000000000000000 R13: 000055710c158510 R14: 0000000000000000 R15: 000055710c158544 Mem-Info: active_anon:1547 inactive_anon:94694 isolated_anon:0 active_file:11730 inactive_file:705 isolated_file:0 unevictable:768 dirty:0 writeback:0 slab_reclaimable:21012 slab_unreclaimable:1412011 mapped:20075 shmem:3046 pagetables:588 bounce:0 kernel_misc_reclaimable:0 free:30198 free_pcp:1030 free_cma:0 Node 0 active_anon:6188kB inactive_anon:378744kB active_file:46908kB inactive_file:2796kB unevictable:1536kB isolated(anon):0kB isolated(file):0kB mapped:80300kB dirty:0kB writeback:0kB shmem:10648kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 6144kB writeback_tmp:0kB kernel_stack:9648kB pagetables:2328kB all_unreclaimable? 
no Node 1 active_anon:0kB inactive_anon:32kB active_file:12kB inactive_file:24kB unevictable:1536kB isolated(anon):0kB isolated(file):0kB mapped:0kB dirty:0kB writeback:0kB shmem:1536kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 0kB writeback_tmp:0kB kernel_stack:16kB pagetables:24kB all_unreclaimable? no Node 0 DMA free:10588kB boost:0kB min:200kB low:248kB high:296kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB lowmem_reserve[]: 0 2631 2632 2632 2632 Node 0 DMA32 free:31256kB boost:79996kB min:115552kB low:124440kB high:133328kB reserved_highatomic:0KB active_anon:6188kB inactive_anon:378744kB active_file:46908kB inactive_file:2796kB unevictable:1536kB writepending:0kB present:3129332kB managed:2699788kB mlocked:0kB bounce:0kB free_pcp:580kB local_pcp:556kB free_cma:0kB lowmem_reserve[]: 0 0 0 0 0 Node 0 Normal free:0kB boost:0kB min:12kB low:12kB high:12kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:1048576kB managed:912kB mlocked:0kB bounce:0kB free_pcp:4kB local_pcp:0kB free_cma:0kB lowmem_reserve[]: 0 0 0 0 0 Node 1 Normal free:80472kB boost:0kB min:54336kB low:67920kB high:81504kB reserved_highatomic:0KB active_anon:0kB inactive_anon:32kB active_file:12kB inactive_file:24kB unevictable:1536kB writepending:0kB present:4194304kB managed:4117620kB mlocked:0kB bounce:0kB free_pcp:7336kB local_pcp:732kB free_cma:0kB lowmem_reserve[]: 0 0 0 0 0 Node 0 DMA: 7*4kB (U) 0*8kB 0*16kB 0*32kB 1*64kB (U) 0*128kB 1*256kB (U) 0*512kB 0*1024kB 1*2048kB (M) 2*4096kB (M) = 10588kB Node 0 DMA32: 1049*4kB (UME) 385*8kB (UME) 351*16kB (UME) 487*32kB (UME) 29*64kB (UME) 8*128kB (UME) 1*256kB (U) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 31612kB Node 0 Normal: 0*4kB 0*8kB 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 0*1024kB 
0*2048kB 0*4096kB = 0kB Node 1 Normal: 8*4kB (ME) 9*8kB (ME) 3*16kB (ME) 12*32kB (ME) 11*64kB (UME) 21*128kB (UME) 19*256kB (UME) 12*512kB (UME) 6*1024kB (U) 7*2048kB (UME) 11*4096kB (UM) = 80472kB Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB Node 0 hugepages_total=2 hugepages_free=2 hugepages_surp=0 hugepages_size=2048kB Node 1 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB Node 1 hugepages_total=2 hugepages_free=2 hugepages_surp=0 hugepages_size=2048kB 15433 total pagecache pages 0 pages in swap cache Free swap = 0kB Total swap = 0kB 2097051 pages RAM 0 pages HighMem/MovableOnly 388631 pages reserved 0 pages cma reserved SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC) cache: skbuff_head_cache, object size: 240, buffer size: 320, default order: 0, min order: 0 node 0: slabs: 99126, objs: 1189512, free: 0 node 1: slabs: 242154, objs: 2905848, free: 22 ---------------- Code disassembly (best guess), 7 bytes skipped: 0: df 48 89 fisttps -0x77(%rax) 3: c1 83 e0 07 48 c1 e9 roll $0xe9,-0x3eb7f820(%rbx) a: 03 0f add (%rdi),%ecx c: b6 14 mov $0x14,%dh e: 11 38 adc %edi,(%rax) 10: c2 7f 08 retq $0x87f 13: 84 d2 test %dl,%dl 15: 0f 85 99 00 00 00 jne 0xb4 1b: 44 0f b6 2d 42 ef a7 movzbl 0xca7ef42(%rip),%r13d # 0xca7ef65 22: 0c * 23: bf 3f 00 00 00 mov $0x3f,%edi <-- trapping instruction 28: 44 89 ee mov %r13d,%esi 2b: e8 c8 20 45 00 callq 0x4520f8 30: 41 80 fd 3f cmp $0x3f,%r13b 34: 0f .byte 0xf 35: 87 02 xchg %eax,(%rdx) 37: d5 (bad) 38: 03 .byte 0x3