================================ WARNING: inconsistent lock state 6.9.0-rc6-syzkaller-00227-g3d25a941ea50 #0 Not tainted -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. syz-executor.5/8657 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff8880b9538a80 (lock#11){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline] ffff8880b9538a80 (lock#11){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x7f/0x790 mm/mmap_lock.c:237 {HARDIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] get_mmap_lock_carefully mm/memory.c:5633 [inline] lock_mm_and_find_vma+0xeb/0x580 mm/memory.c:5693 do_user_addr_fault+0x29c/0x1080 arch/x86/mm/fault.c:1385 handle_page_fault arch/x86/mm/fault.c:1505 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1563 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 irq event stamp: 2620 hardirqs last enabled at (2619): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] hardirqs last enabled at (2619): [] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194 hardirqs last disabled at (2620): [] sysvec_call_function_single+0xe/0xb0 arch/x86/kernel/smp.c:266 softirqs last enabled at (2528): [] local_bh_enable include/linux/bottom_half.h:33 [inline] softirqs last enabled at (2528): [] fpregs_unlock arch/x86/include/asm/fpu/api.h:80 [inline] softirqs last enabled at (2528): [] fpu_clone+0x393/0xbc0 arch/x86/kernel/fpu/core.c:634 softirqs last disabled at (2526): [] local_bh_disable include/linux/bottom_half.h:20 [inline] softirqs last disabled at (2526): [] fpregs_lock arch/x86/include/asm/fpu/api.h:72 [inline] softirqs last disabled at (2526): [] fpu_clone+0x328/0xbc0 arch/x86/kernel/fpu/core.c:630 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(lock#11); lock(lock#11); *** DEADLOCK *** 2 locks held by syz-executor.5/8657: #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline] #0: ffffffff8d9b4e20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xe4/0x420 kernel/trace/bpf_trace.c:2420 #1: ffff88807de14420 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:165 [inline] #1: ffff88807de14420 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x1e8/0x7d0 kernel/bpf/stackmap.c:141 stack backtrace: CPU: 1 PID: 8657 Comm: syz-executor.5 Not tainted 6.9.0-rc6-syzkaller-00227-g3d25a941ea50 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_usage_bug kernel/locking/lockdep.c:3971 [inline] valid_state kernel/locking/lockdep.c:4013 [inline] mark_lock_irq kernel/locking/lockdep.c:4216 [inline] mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678 mark_usage kernel/locking/lockdep.c:4564 [inline] __lock_acquire+0x1359/0x3b30 kernel/locking/lockdep.c:5091 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 local_lock_acquire include/linux/local_lock_internal.h:29 [inline] __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:166 [inline] stack_map_get_build_id_offset+0x5df/0x7d0 kernel/bpf/stackmap.c:141 __bpf_get_stack+0x6bf/0x700 kernel/bpf/stackmap.c:449 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1985 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1975 bpf_prog_e6cf5f9c69743609+0x42/0x4a bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] __bpf_prog_run include/linux/filter.h:650 [inline] bpf_prog_run include/linux/filter.h:664 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline] bpf_trace_run2+0x22c/0x420 kernel/trace/bpf_trace.c:2420 __bpf_trace_tlb_flush+0xd2/0x110 include/trace/events/tlb.h:38 trace_tlb_flush+0xf3/0x170 include/trace/events/tlb.h:38 csd_do_func kernel/smp.c:133 [inline] __flush_smp_call_function_queue+0x27d/0x8c0 kernel/smp.c:511 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline] sysvec_call_function_single+0x90/0xb0 arch/x86/kernel/smp.c:266 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709 RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194 Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 86 f4 8c f6 48 89 df e8 de 70 8d f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 01 00 00 00 e8 c5 ab 7e f6 65 8b 05 d6 aa 23 75 85 c0 74 16 5b RSP: 0018:ffffc9000c737b88 EFLAGS: 00000246 RAX: 0000000000000002 RBX: ffffffff94afe0d0 RCX: 1ffffffff1f7fc49 RDX: 0000000000000000 RSI: ffffffff8b2cbf40 RDI: ffffffff8b8f81e0 RBP: 0000000000000212 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff8fc024d7 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffff94afe0c8 R14: ffffc9000c737cd0 R15: 1ffff920018e6f78 debug_object_free+0x291/0x500 lib/debugobjects.c:865 futex_wait+0x106/0x380 kernel/futex/waitwake.c:704 do_futex+0x22b/0x350 kernel/futex/syscalls.c:102 __do_sys_futex kernel/futex/syscalls.c:179 [inline] __se_sys_futex kernel/futex/syscalls.c:160 [inline] __x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff9c007dca9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcb4a54f58 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: ffffffffffffffda RBX: 00000000000546a4 RCX: 00007ff9c007dca9 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007ff9c01ac05c RBP: 00007ffcb4a55060 R08: 0000000000000001 R09: 0000000000000f9c R10: 00007ffcb4a55040 R11: 0000000000000246 R12: 00000000000546d6 R13: 00007ff9c01ac05c R14: 00007ffcb4a55040 R15: 0000000000000032 ---------------- Code disassembly (best guess): 0: f5 cmc 1: 53 push %rbx 2: 48 8b 74 24 10 mov 0x10(%rsp),%rsi 7: 48 89 fb mov %rdi,%rbx a: 48 83 c7 18 add $0x18,%rdi e: e8 86 f4 8c f6 call 0xf68cf499 13: 48 89 df mov %rbx,%rdi 16: e8 de 70 8d f6 call 0xf68d70f9 1b: f7 c5 00 02 00 00 test $0x200,%ebp 21: 75 23 jne 0x46 23: 9c pushf 24: 58 pop %rax 25: f6 c4 02 test $0x2,%ah 28: 75 37 jne 0x61 * 2a: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction 2f: e8 c5 ab 7e f6 call 0xf67eabf9 34: 65 8b 05 d6 aa 23 75 mov %gs:0x7523aad6(%rip),%eax # 0x7523ab11 3b: 85 c0 test %eax,%eax 3d: 74 16 je 0x55 3f: 5b pop %rbx