================================
WARNING: inconsistent lock state
6.1.94-syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
sed/4418 [HC0[0]:SC1[1]:HE0:SE0] takes:
ffff8880b9835e90 (lock#10){+.?.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
ffff8880b9835e90 (lock#10){+.?.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x84/0x670 mm/mmap_lock.c:237
{SOFTIRQ-ON-W} state was registered at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
__mmap_lock_do_trace_acquire_returned+0x9d/0x670 mm/mmap_lock.c:237
__mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
mmap_read_trylock include/linux/mmap_lock.h:137 [inline]
get_mmap_lock_carefully mm/memory.c:5304 [inline]
lock_mm_and_find_vma+0x219/0x2e0 mm/memory.c:5366
do_user_addr_fault arch/x86/mm/fault.c:1312 [inline]
handle_page_fault arch/x86/mm/fault.c:1431 [inline]
exc_page_fault+0x169/0x620 arch/x86/mm/fault.c:1487
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
irq event stamp: 7873
hardirqs last enabled at (7872): [] handle_softirqs+0x1ef/0xa40 kernel/softirq.c:555
hardirqs last disabled at (7873): [] __raw_spin_lock_irq include/linux/spinlock_api_smp.h:117 [inline]
hardirqs last disabled at (7873): [] _raw_spin_lock_irq+0xa9/0x110 kernel/locking/spinlock.c:170
softirqs last enabled at (7546): [] __do_softirq kernel/softirq.c:605 [inline]
softirqs last enabled at (7546): [] invoke_softirq kernel/softirq.c:445 [inline]
softirqs last enabled at (7546): [] __irq_exit_rcu+0x157/0x240 kernel/softirq.c:654
softirqs last disabled at (7871): [] __do_softirq kernel/softirq.c:605 [inline]
softirqs last disabled at (7871): [] invoke_softirq kernel/softirq.c:445 [inline]
softirqs last disabled at (7871): [] __irq_exit_rcu+0x157/0x240 kernel/softirq.c:654
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(lock#10);
lock(lock#10);
*** DEADLOCK ***
4 locks held by sed/4418:
#0: ffff88801246e2d8 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
#0: ffff88801246e2d8 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0x175/0x2d0 mm/util.c:518
#1: ffff888027cb4288 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:468 [inline]
#1: ffff888027cb4288 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: __vma_adjust+0xa6f/0x1f40 mm/mmap.c:740
#2: ffff8880b9828358 (&base->lock){-.-.}-{2:2}, at: __run_timers+0x111/0x890 kernel/time/timer.c:1802
#3: ffffffff8d12acc0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
#3: ffffffff8d12acc0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
#3: ffffffff8d12acc0 (rcu_read_lock){....}-{1:2}, at: trace_call_bpf+0xbe/0x6a0 kernel/trace/bpf_trace.c:134
stack backtrace:
CPU: 0 PID: 4418 Comm: sed Not tainted 6.1.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
valid_state+0x136/0x1c0 kernel/locking/lockdep.c:3969
mark_lock_irq+0xa8/0xba0 kernel/locking/lockdep.c:4172
mark_lock+0x21c/0x340 kernel/locking/lockdep.c:4628
__lock_acquire+0xb7f/0x1f80 kernel/locking/lockdep.c:5003
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
__mmap_lock_do_trace_acquire_returned+0x9d/0x670 mm/mmap_lock.c:237
__mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
mmap_read_trylock include/linux/mmap_lock.h:137 [inline]
stack_map_get_build_id_offset+0x99e/0x9c0 kernel/bpf/stackmap.c:144
__bpf_get_stack+0x495/0x570 kernel/bpf/stackmap.c:452
bpf_prog_e6cf5f9c69743609+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
bpf_prog_run_array include/linux/bpf.h:1635 [inline]
trace_call_bpf+0x345/0x6a0 kernel/trace/bpf_trace.c:135
perf_trace_run_bpf_submit+0x7b/0x1d0 kernel/events/core.c:9924
perf_trace_timer_class+0x2c8/0x380 include/trace/events/timer.h:12
trace_timer_cancel include/trace/events/timer.h:138 [inline]
debug_deactivate kernel/time/timer.c:832 [inline]
detach_timer+0x2f4/0x380 kernel/time/timer.c:878
expire_timers kernel/time/timer.c:1538 [inline]
__run_timers+0x60c/0x890 kernel/time/timer.c:1820
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1833
handle_softirqs+0x2ee/0xa40 kernel/softirq.c:571
__do_softirq kernel/softirq.c:605 [inline]
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x157/0x240 kernel/softirq.c:654
irq_exit_rcu+0x5/0x20 kernel/softirq.c:666
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xd4/0x130 kernel/locking/spinlock.c:194
Code: 9c 8f 44 24 20 42 80 3c 23 00 74 08 4c 89 f7 e8 42 b7 4c f7 f6 44 24 21 02 75 4e 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> d7 05 c9 f6 65 8b 05 c8 12 6d 75 85 c0 74 3f 48 c7 04 24 0e 36
RSP: 0018:ffffc90005dfe8a0 EFLAGS: 00000206
RAX: 28a6018a63f8ef00 RBX: 1ffff92000bbfd18 RCX: ffffffff816ad40a
RDX: dffffc0000000000 RSI: ffffffff8aec0240 RDI: 0000000000000001
RBP: ffffc90005dfe930 R08: dffffc0000000000 R09: fffffbfff2093a4b
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 1ffff92000bbfd14 R14: ffffc90005dfe8c0 R15: 0000000000000246
debug_object_activate+0x2f9/0x4e0 lib/debugobjects.c:715
debug_rcu_head_queue kernel/rcu/rcu.h:189 [inline]
call_rcu+0x93/0xa10 kernel/rcu/tree.c:2829
mas_wr_node_store lib/maple_tree.c:4219 [inline]
mas_wr_modify+0x2a65/0x4d80 lib/maple_tree.c:4418
mas_store_prealloc+0x304/0x460 lib/maple_tree.c:5786
__vma_adjust+0x183f/0x1f40 mm/mmap.c:824
__split_vma+0x36e/0x530
do_mas_align_munmap+0x41c/0x15f0 mm/mmap.c:2470
do_mas_munmap+0x246/0x2b0 mm/mmap.c:2640
mmap_region+0x8e6/0x1fa0 mm/mmap.c:2688
do_mmap+0x8c5/0xf60 mm/mmap.c:1425
vm_mmap_pgoff+0x1ca/0x2d0 mm/util.c:520
ksys_mmap_pgoff+0x4f5/0x6d0 mm/mmap.c:1471
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f70e1275b74
Code: 63 08 44 89 e8 5b 41 5c 41 5d c3 41 89 ca 41 f7 c1 ff 0f 00 00 74 0c c7 05 f5 46 01 00 16 00 00 00 eb 17 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 0c f7 d8 89 05 dc 46 01 00 48 83 c8 ff c3 0f
RSP: 002b:00007ffce02a6a78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007ffce02a6b28 RCX: 00007f70e1275b74
RDX: 0000000000000003 RSI: 0000000000002000 RDI: 00007f70e0fab000
RBP: 00007ffce02a6e10 R08: 0000000000000003 R09: 0000000000052000
R10: 0000000000000812 R11: 0000000000000246 R12: 00007f70e1259570
R13: 00007ffce02a6e98 R14: 0000000000052120 R15: 0000000000000000
----------------
Code disassembly (best guess):
0: 9c pushf
1: 8f 44 24 20 pop 0x20(%rsp)
5: 42 80 3c 23 00 cmpb $0x0,(%rbx,%r12,1)
a: 74 08 je 0x14
c: 4c 89 f7 mov %r14,%rdi
f: e8 42 b7 4c f7 call 0xf74cb756
14: f6 44 24 21 02 testb $0x2,0x21(%rsp)
19: 75 4e jne 0x69
1b: 41 f7 c7 00 02 00 00 test $0x200,%r15d
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 d7 05 c9 f6 call 0xf6c90606 <-- trapping instruction
2f: 65 8b 05 c8 12 6d 75 mov %gs:0x756d12c8(%rip),%eax # 0x756d12fe
36: 85 c0 test %eax,%eax
38: 74 3f je 0x79
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: 04 24 add $0x24,%al
3e: 0e (bad)
3f: 36 ss