FAULT_INJECTION: forcing a failure.
name fail_usercopy, interval 1, probability 0, space 0, times 0
======================================================
WARNING: possible circular locking dependency detected
6.11.0-rc6-syzkaller-00183-gb831f83e40a2 #0 Not tainted
------------------------------------------------------
syz.1.421/7602 is trying to acquire lock:
ffffffff8e613cb8 ((console_sem).lock){-...}-{2:2}, at: down_trylock+0x20/0xa0 kernel/locking/semaphore.c:139
but task is already holding lock:
ffff8880b883e998 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:560
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&rq->__lock){-.-.}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
_raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:560
raw_spin_rq_lock kernel/sched/sched.h:1415 [inline]
rq_lock kernel/sched/sched.h:1714 [inline]
task_fork_fair+0x61/0x1e0 kernel/sched/fair.c:12710
sched_cgroup_fork+0x37c/0x410 kernel/sched/core.c:4633
copy_process+0x2217/0x3dc0 kernel/fork.c:2483
kernel_clone+0x223/0x880 kernel/fork.c:2781
user_mode_thread+0x132/0x1a0 kernel/fork.c:2859
rest_init+0x23/0x300 init/main.c:712
start_kernel+0x47a/0x500 init/main.c:1103
x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:507
x86_64_start_kernel+0x9f/0xa0 arch/x86/kernel/head64.c:488
common_startup_64+0x13e/0x147
-> #1 (&p->pi_lock){-.-.}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb0/0x1470 kernel/sched/core.c:4051
up+0x72/0x90 kernel/locking/semaphore.c:191
__up_console_sem kernel/printk/printk.c:340 [inline]
__console_unlock kernel/printk/printk.c:2801 [inline]
console_unlock+0x22f/0x4d0 kernel/printk/printk.c:3120
vprintk_emit+0x5dc/0x7c0 kernel/printk/printk.c:2348
_printk+0xd5/0x120 kernel/printk/printk.c:2373
netdev_info+0x122/0x170 net/core/dev.c:11817
bond_enslave+0x2e01/0x3b10 drivers/net/bonding/bond_main.c:2315
do_set_master net/core/rtnetlink.c:2701 [inline]
do_setlink+0xe73/0x41f0 net/core/rtnetlink.c:2907
__rtnl_newlink net/core/rtnetlink.c:3696 [inline]
rtnl_newlink+0x180d/0x20a0 net/core/rtnetlink.c:3743
rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2204
__do_sys_sendto net/socket.c:2216 [inline]
__se_sys_sendto net/socket.c:2212 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2212
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 ((console_sem).lock){-...}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3133 [inline]
check_prevs_add kernel/locking/lockdep.c:3252 [inline]
validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
__lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
down_trylock+0x20/0xa0 kernel/locking/semaphore.c:139
__down_trylock_console_sem+0x109/0x250 kernel/printk/printk.c:323
console_trylock kernel/printk/printk.c:2754 [inline]
console_trylock_spinning kernel/printk/printk.c:1958 [inline]
vprintk_emit+0x2aa/0x7c0 kernel/printk/printk.c:2347
_printk+0xd5/0x120 kernel/printk/printk.c:2373
fail_dump lib/fault-inject.c:45 [inline]
should_fail_ex+0x391/0x4e0 lib/fault-inject.c:153
strncpy_from_user+0x36/0x2e0 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x71/0x140 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:216 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:311 [inline]
bpf_probe_read_compat_str+0xe9/0x180 kernel/trace/bpf_trace.c:307
bpf_prog_1ccb8ba97563bf77+0x40/0x63
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x2ec/0x540 kernel/trace/bpf_trace.c:2447
__traceiter_tlb_flush+0x77/0xd0 include/trace/events/tlb.h:38
trace_tlb_flush+0x118/0x140 include/trace/events/tlb.h:38
switch_mm_irqs_off+0x7cb/0xae0
context_switch kernel/sched/core.c:5172 [inline]
__schedule+0x1079/0x4a10 kernel/sched/core.c:6529
preempt_schedule_irq+0xfb/0x1c0 kernel/sched/core.c:6851
irqentry_exit+0x5e/0x90 kernel/entry/common.c:354
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
obj_cgroup_charge+0x350/0x5d0
__memcg_slab_post_alloc_hook+0x1b1/0x7e0 mm/memcontrol.c:3012
memcg_slab_post_alloc_hook mm/slub.c:2164 [inline]
slab_post_alloc_hook mm/slub.c:4002 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
__kmalloc_cache_noprof+0x1f4/0x2c0 mm/slub.c:4188
fuse_lookup_name+0x14c/0x890 fs/fuse/dir.c:378
fuse_lookup+0x182/0x600 fs/fuse/dir.c:429
lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
filename_create+0x297/0x540 fs/namei.c:3980
do_mkdirat+0xbd/0x3a0 fs/namei.c:4225
__do_sys_mkdirat fs/namei.c:4248 [inline]
__se_sys_mkdirat fs/namei.c:4246 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4246
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
(console_sem).lock --> &p->pi_lock --> &rq->__lock
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&rq->__lock);
                               lock(&p->pi_lock);
                               lock(&rq->__lock);
  lock((console_sem).lock);
*** DEADLOCK ***
5 locks held by syz.1.421/7602:
#0: ffff88805ef12420 (sb_writers#17){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
#1: ffff88805e661708 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:835 [inline]
#1: ffff88805e661708 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:3979
#2: ffff88805e661bd0 (&fi->mutex){+.+.}-{3:3}, at: fuse_lock_inode+0xd3/0x120 fs/fuse/inode.c:554
#3: ffff8880b883e998 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:560
#4: ffffffff8e738320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
#4: ffffffff8e738320 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#4: ffffffff8e738320 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2405 [inline]
#4: ffffffff8e738320 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x540 kernel/trace/bpf_trace.c:2447
stack backtrace:
CPU: 0 UID: 0 PID: 7602 Comm: syz.1.421 Not tainted 6.11.0-rc6-syzkaller-00183-gb831f83e40a2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2186
check_prev_add kernel/locking/lockdep.c:3133 [inline]
check_prevs_add kernel/locking/lockdep.c:3252 [inline]
validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
__lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
down_trylock+0x20/0xa0 kernel/locking/semaphore.c:139
__down_trylock_console_sem+0x109/0x250 kernel/printk/printk.c:323
console_trylock kernel/printk/printk.c:2754 [inline]
console_trylock_spinning kernel/printk/printk.c:1958 [inline]
vprintk_emit+0x2aa/0x7c0 kernel/printk/printk.c:2347
_printk+0xd5/0x120 kernel/printk/printk.c:2373
fail_dump lib/fault-inject.c:45 [inline]
should_fail_ex+0x391/0x4e0 lib/fault-inject.c:153
strncpy_from_user+0x36/0x2e0 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x71/0x140 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:216 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:311 [inline]
bpf_probe_read_compat_str+0xe9/0x180 kernel/trace/bpf_trace.c:307
bpf_prog_1ccb8ba97563bf77+0x40/0x63
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x2ec/0x540 kernel/trace/bpf_trace.c:2447
__traceiter_tlb_flush+0x77/0xd0 include/trace/events/tlb.h:38
trace_tlb_flush+0x118/0x140 include/trace/events/tlb.h:38
switch_mm_irqs_off+0x7cb/0xae0
context_switch kernel/sched/core.c:5172 [inline]
__schedule+0x1079/0x4a10 kernel/sched/core.c:6529
preempt_schedule_irq+0xfb/0x1c0 kernel/sched/core.c:6851
irqentry_exit+0x5e/0x90 kernel/entry/common.c:354
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:obj_cgroup_charge+0x350/0x5d0 mm/memcontrol.c:2919
Code: 44 24 60 42 80 3c 23 00 74 08 4c 89 ff e8 68 1c f7 ff f6 44 24 61 02 0f 85 ca 00 00 00 41 f7 c6 00 02 00 00 74 01 fb 45 31 f6 <80> 7c 24 0c 00 75 4f 48 8b 5c 24 20 48 89 d8 48 c1 e8 0c 31 d2 89
RSP: 0018:ffffc9000a1d77c0 EFLAGS: 00000246
RAX: 0fd991acbfe85500 RBX: 1ffff9200143af04 RCX: ffffffff81703f9a
RDX: dffffc0000000000 RSI: ffffffff8bead560 RDI: ffffffff8c3fb980
RBP: ffffc9000a1d78c0 R08: ffffffff93fa69bf R09: 1ffffffff27f4d37
R10: dffffc0000000000 R11: fffffbfff27f4d38 R12: dffffc0000000000
R13: 1ffff9200143af00 R14: 0000000000000000 R15: ffffc9000a1d7820
__memcg_slab_post_alloc_hook+0x1b1/0x7e0 mm/memcontrol.c:3012
memcg_slab_post_alloc_hook mm/slub.c:2164 [inline]
slab_post_alloc_hook mm/slub.c:4002 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
__kmalloc_cache_noprof+0x1f4/0x2c0 mm/slub.c:4188
fuse_lookup_name+0x14c/0x890 fs/fuse/dir.c:378
fuse_lookup+0x182/0x600 fs/fuse/dir.c:429
lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
filename_create+0x297/0x540 fs/namei.c:3980
do_mkdirat+0xbd/0x3a0 fs/namei.c:4225
__do_sys_mkdirat fs/namei.c:4248 [inline]
__se_sys_mkdirat fs/namei.c:4246 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4246
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fae9937cef9
Code: Unable to access opcode bytes at 0x7fae9937cecf.
RSP: 002b:00007fae9a1f3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fae99535f80 RCX: 00007fae9937cef9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: ffffffffffffff9c
RBP: 00007fae9a1f3090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 00007fae99535f80 R15: 00007ffd22cd19b8
CPU: 0 UID: 0 PID: 7602 Comm: syz.1.421 Not tainted 6.11.0-rc6-syzkaller-00183-gb831f83e40a2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
fail_dump lib/fault-inject.c:52 [inline]
should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:153
strncpy_from_user+0x36/0x2e0 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x71/0x140 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:216 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:311 [inline]
bpf_probe_read_compat_str+0xe9/0x180 kernel/trace/bpf_trace.c:307
bpf_prog_1ccb8ba97563bf77+0x40/0x63
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
bpf_trace_run2+0x2ec/0x540 kernel/trace/bpf_trace.c:2447
__traceiter_tlb_flush+0x77/0xd0 include/trace/events/tlb.h:38
trace_tlb_flush+0x118/0x140 include/trace/events/tlb.h:38
switch_mm_irqs_off+0x7cb/0xae0
context_switch kernel/sched/core.c:5172 [inline]
__schedule+0x1079/0x4a10 kernel/sched/core.c:6529
preempt_schedule_irq+0xfb/0x1c0 kernel/sched/core.c:6851
irqentry_exit+0x5e/0x90 kernel/entry/common.c:354
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:obj_cgroup_charge+0x350/0x5d0 mm/memcontrol.c:2919
Code: 44 24 60 42 80 3c 23 00 74 08 4c 89 ff e8 68 1c f7 ff f6 44 24 61 02 0f 85 ca 00 00 00 41 f7 c6 00 02 00 00 74 01 fb 45 31 f6 <80> 7c 24 0c 00 75 4f 48 8b 5c 24 20 48 89 d8 48 c1 e8 0c 31 d2 89
RSP: 0018:ffffc9000a1d77c0 EFLAGS: 00000246
RAX: 0fd991acbfe85500 RBX: 1ffff9200143af04 RCX: ffffffff81703f9a
RDX: dffffc0000000000 RSI: ffffffff8bead560 RDI: ffffffff8c3fb980
RBP: ffffc9000a1d78c0 R08: ffffffff93fa69bf R09: 1ffffffff27f4d37
R10: dffffc0000000000 R11: fffffbfff27f4d38 R12: dffffc0000000000
R13: 1ffff9200143af00 R14: 0000000000000000 R15: ffffc9000a1d7820
__memcg_slab_post_alloc_hook+0x1b1/0x7e0 mm/memcontrol.c:3012
memcg_slab_post_alloc_hook mm/slub.c:2164 [inline]
slab_post_alloc_hook mm/slub.c:4002 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
__kmalloc_cache_noprof+0x1f4/0x2c0 mm/slub.c:4188
fuse_lookup_name+0x14c/0x890 fs/fuse/dir.c:378
fuse_lookup+0x182/0x600 fs/fuse/dir.c:429
lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
filename_create+0x297/0x540 fs/namei.c:3980
do_mkdirat+0xbd/0x3a0 fs/namei.c:4225
__do_sys_mkdirat fs/namei.c:4248 [inline]
__se_sys_mkdirat fs/namei.c:4246 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4246
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fae9937cef9
Code: Unable to access opcode bytes at 0x7fae9937cecf.
RSP: 002b:00007fae9a1f3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fae99535f80 RCX: 00007fae9937cef9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: ffffffffffffff9c
RBP: 00007fae9a1f3090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 00007fae99535f80 R15: 00007ffd22cd19b8
----------------
Code disassembly (best guess):
0: 44 24 60 rex.R and $0x60,%al
3: 42 80 3c 23 00 cmpb $0x0,(%rbx,%r12,1)
8: 74 08 je 0x12
a: 4c 89 ff mov %r15,%rdi
d: e8 68 1c f7 ff call 0xfff71c7a
12: f6 44 24 61 02 testb $0x2,0x61(%rsp)
17: 0f 85 ca 00 00 00 jne 0xe7
1d: 41 f7 c6 00 02 00 00 test $0x200,%r14d
24: 74 01 je 0x27
26: fb sti
27: 45 31 f6 xor %r14d,%r14d
* 2a: 80 7c 24 0c 00 cmpb $0x0,0xc(%rsp) <-- trapping instruction
2f: 75 4f jne 0x80
31: 48 8b 5c 24 20 mov 0x20(%rsp),%rbx
36: 48 89 d8 mov %rbx,%rax
39: 48 c1 e8 0c shr $0xc,%rax
3d: 31 d2 xor %edx,%edx
3f: 89 .byte 0x89