page:ffffea0001088000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x9 pfn:0x42200 ====================================================== WARNING: possible circular locking dependency detected 5.16.0-rc3-syzkaller #0 Not tainted ------------------------------------------------------ kworker/u4:7/8629 is trying to acquire lock: ffffffff8c9fa098 ((console_sem).lock){-.-.}-{2:2}, at: down_trylock+0x1c/0x90 kernel/locking/semaphore.c:138 but task is already holding lock: ffff88813fffacd8 (&zone->lock){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline] ffff88813fffacd8 (&zone->lock){..-.}-{2:2}, at: free_pcppages_bulk+0x5a7/0x870 mm/page_alloc.c:1511 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #5 (&zone->lock){..-.}-{2:2}: lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:349 [inline] rmqueue_bulk mm/page_alloc.c:3017 [inline] __rmqueue_pcplist+0x255/0x2090 mm/page_alloc.c:3616 rmqueue_pcplist+0x1e1/0x4e0 mm/page_alloc.c:3654 rmqueue+0x1f04/0x2330 mm/page_alloc.c:3682 get_page_from_freelist+0x493/0x9e0 mm/page_alloc.c:4146 __alloc_pages+0x255/0x580 mm/page_alloc.c:5369 __get_free_pages mm/page_alloc.c:5418 [inline] get_zeroed_page+0x13/0x40 mm/page_alloc.c:5427 pud_alloc_one include/asm-generic/pgalloc.h:166 [inline] __pud_alloc+0x8b/0x220 mm/memory.c:4834 pud_alloc include/linux/mm.h:2276 [inline] preallocate_vmalloc_pages+0x106/0x168 arch/x86/mm/init_64.c:1314 mm_init+0x1e/0x41 init/main.c:838 start_kernel+0x1c2/0x56e init/main.c:982 secondary_startup_64_no_verify+0xb1/0xbb -> #4 (lock#2){..-.}-{2:2}: lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637 local_lock_acquire+0x23/0x130 include/linux/local_lock_internal.h:29 rmqueue_pcplist+0x121/0x4e0 mm/page_alloc.c:3644 rmqueue+0x1f04/0x2330 mm/page_alloc.c:3682 get_page_from_freelist+0x493/0x9e0 mm/page_alloc.c:4146 __alloc_pages+0x255/0x580 mm/page_alloc.c:5369 __stack_depot_save+0x3b4/0x4a0 lib/stackdepot.c:359 kasan_save_stack mm/kasan/common.c:40 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0xd2/0xf0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:259 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:3234 [inline] slab_alloc mm/slub.c:3242 [inline] kmem_cache_alloc+0x1c9/0x310 mm/slub.c:3247 kmem_cache_zalloc include/linux/slab.h:714 [inline] fill_pool lib/debugobjects.c:171 [inline] __debug_object_init+0x14c4/0x1860 lib/debugobjects.c:565 debug_object_init lib/debugobjects.c:620 [inline] debug_object_activate+0x188/0x6a0 lib/debugobjects.c:706 debug_timer_activate kernel/time/timer.c:729 [inline] __mod_timer+0x824/0xd20 kernel/time/timer.c:1050 queue_delayed_work_on+0x135/0x230 kernel/workqueue.c:1703 process_one_work+0x853/0x1140 kernel/workqueue.c:2298 worker_thread+0xac1/0x1320 kernel/workqueue.c:2445 kthread+0x468/0x490 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 -> #3 (&base->lock){-.-.}-{2:2}: lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162 lock_timer_base+0x12a/0x270 kernel/time/timer.c:946 __mod_timer+0x202/0xd20 kernel/time/timer.c:1019 queue_delayed_work_on+0x135/0x230 kernel/workqueue.c:1703 psi_enqueue kernel/sched/stats.h:131 [inline] enqueue_task kernel/sched/core.c:1995 [inline] activate_task kernel/sched/core.c:2024 [inline] wake_up_new_task+0xd74/0xed0 kernel/sched/core.c:4501 kernel_clone+0x3e6/0x7e0 kernel/fork.c:2606 kernel_thread+0x155/0x1d0 kernel/fork.c:2634 rest_init+0x21/0x2e0 init/main.c:690 start_kernel+0x4bf/0x56e init/main.c:1135 secondary_startup_64_no_verify+0xb1/0xbb -> #2 (&rq->__lock){-.-.}-{2:2}: lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637 _raw_spin_lock_nested+0x2d/0x40 kernel/locking/spinlock.c:368 raw_spin_rq_lock_nested+0x25/0x110 kernel/sched/core.c:478 raw_spin_rq_lock kernel/sched/sched.h:1316 [inline] rq_lock kernel/sched/sched.h:1614 [inline] task_fork_fair+0x5d/0x3c0 kernel/sched/fair.c:11193 sched_post_fork+0x2d1/0x330 kernel/sched/core.c:4448 copy_process+0x51a5/0x5ca0 kernel/fork.c:2406 kernel_clone+0x22a/0x7e0 kernel/fork.c:2582 kernel_thread+0x155/0x1d0 kernel/fork.c:2634 rest_init+0x21/0x2e0 init/main.c:690 start_kernel+0x4bf/0x56e init/main.c:1135 secondary_startup_64_no_verify+0xb1/0xbb -> #1 (&p->pi_lock){-.-.}-{2:2}: lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162 try_to_wake_up+0x9f/0xd20 kernel/sched/core.c:4003 up+0x6d/0x90 kernel/locking/semaphore.c:190 __up_console_sem+0x11a/0x1e0 kernel/printk/printk.c:254 console_unlock+0x6e8/0xe90 kernel/printk/printk.c:2727 do_con_write+0xe299/0xe3b0 drivers/tty/vt/vt.c:2965 con_write+0x20/0x40 drivers/tty/vt/vt.c:3295 process_output_block drivers/tty/n_tty.c:592 [inline] n_tty_write+0xdda/0x1320 drivers/tty/n_tty.c:2288 do_tty_write drivers/tty/tty_io.c:1038 [inline] file_tty_write+0x5c5/0x9a0 drivers/tty/tty_io.c:1110 call_write_iter include/linux/fs.h:2162 [inline] new_sync_write fs/read_write.c:503 [inline] vfs_write+0xb11/0xe90 fs/read_write.c:590 ksys_write+0x18f/0x2c0 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #0 ((console_sem).lock){-.-.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3063 [inline] check_prevs_add kernel/locking/lockdep.c:3186 [inline] validate_chain+0x1dfb/0x8240 kernel/locking/lockdep.c:3801 __lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5027 lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162 down_trylock+0x1c/0x90 kernel/locking/semaphore.c:138 __down_trylock_console_sem+0x105/0x250 kernel/printk/printk.c:237 console_trylock kernel/printk/printk.c:2542 [inline] console_trylock_spinning+0x8a/0x3f0 kernel/printk/printk.c:1843 vprintk_emit+0xa1/0x140 kernel/printk/printk.c:2244 _printk+0xcf/0x118 kernel/printk/printk.c:2266 __dump_page mm/debug.c:91 [inline] dump_page+0x4dd/0x10e0 mm/debug.c:183 __free_one_page+0xd3e/0xda0 mm/page_alloc.c:1071 free_pcppages_bulk+0x690/0x870 mm/page_alloc.c:1531 free_unref_page+0x26d/0x580 mm/page_alloc.c:3408 io_ring_ctx_free+0x67e/0x89e fs/io_uring.c:9381 io_ring_exit_work+0x64d/0x6b7 fs/io_uring.c:9533 process_one_work+0x853/0x1140 kernel/workqueue.c:2298 worker_thread+0xac1/0x1320 kernel/workqueue.c:2445 kthread+0x468/0x490 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 other info that might help us debug this: Chain exists of: (console_sem).lock --> lock#2 --> &zone->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&zone->lock); lock(lock#2); lock(&zone->lock); lock((console_sem).lock); *** DEADLOCK *** 4 locks held by kworker/u4:7/8629: #0: ffff888011469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x7ca/0x1140 #1: ffffc9000ff67d20 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x808/0x1140 kernel/workqueue.c:2273 #2: ffff8880b9b350e8 (lock#2){..-.}-{2:2}, at: local_lock_acquire+0x7/0x130 include/linux/local_lock_internal.h:28 #3: ffff88813fffacd8 (&zone->lock){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline] #3: ffff88813fffacd8 (&zone->lock){..-.}-{2:2}, at: free_pcppages_bulk+0x5a7/0x870 mm/page_alloc.c:1511 stack backtrace: CPU: 1 PID: 8629 Comm: kworker/u4:7 Not tainted 5.16.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound io_ring_exit_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 check_noncircular+0x2f9/0x3b0 kernel/locking/lockdep.c:2143 check_prev_add kernel/locking/lockdep.c:3063 [inline] check_prevs_add kernel/locking/lockdep.c:3186 [inline] validate_chain+0x1dfb/0x8240 kernel/locking/lockdep.c:3801 __lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5027 lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162 down_trylock+0x1c/0x90 kernel/locking/semaphore.c:138 __down_trylock_console_sem+0x105/0x250 kernel/printk/printk.c:237 console_trylock kernel/printk/printk.c:2542 [inline] console_trylock_spinning+0x8a/0x3f0 kernel/printk/printk.c:1843 vprintk_emit+0xa1/0x140 kernel/printk/printk.c:2244 _printk+0xcf/0x118 kernel/printk/printk.c:2266 __dump_page mm/debug.c:91 [inline] dump_page+0x4dd/0x10e0 mm/debug.c:183 __free_one_page+0xd3e/0xda0 mm/page_alloc.c:1071 free_pcppages_bulk+0x690/0x870 mm/page_alloc.c:1531 free_unref_page+0x26d/0x580 mm/page_alloc.c:3408 io_ring_ctx_free+0x67e/0x89e fs/io_uring.c:9381 io_ring_exit_work+0x64d/0x6b7 fs/io_uring.c:9533 process_one_work+0x853/0x1140 kernel/workqueue.c:2298 worker_thread+0xac1/0x1320 kernel/workqueue.c:2445 kthread+0x468/0x490 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 flags: 0xfff00000000008(dirty|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000008 ffffc9000ff678a0 ffffea0000a24a08 0000000000000000 raw: 0000000000000009 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(page->flags & (((1UL << 24) - 1) & ~0)) page_owner tracks the page as freed page last allocated via order 9, migratetype Unmovable, gfp_mask 0x452dc0(GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 18631, ts 405706616923, free_ts 405836046225 prep_new_page mm/page_alloc.c:2418 [inline] get_page_from_freelist+0x729/0x9e0 mm/page_alloc.c:4149 __alloc_pages+0x255/0x580 mm/page_alloc.c:5369 __get_free_pages+0x8/0x30 mm/page_alloc.c:5418 io_allocate_scq_urings+0x238/0x43f fs/io_uring.c:10316 io_uring_create+0x486/0xc73 fs/io_uring.c:10434 io_uring_setup fs/io_uring.c:10524 [inline] __do_sys_io_uring_setup fs/io_uring.c:10530 [inline] __se_sys_io_uring_setup fs/io_uring.c:10527 [inline] __x64_sys_io_uring_setup+0x226/0x2a0 fs/io_uring.c:10527 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1338 [inline] free_pcp_prepare+0xd1c/0xe00 mm/page_alloc.c:1389 free_unref_page_prepare mm/page_alloc.c:3309 [inline] free_unref_page+0x7d/0x580 mm/page_alloc.c:3388 io_ring_ctx_free+0x67e/0x89e fs/io_uring.c:9381 io_ring_exit_work+0x64d/0x6b7 fs/io_uring.c:9533 process_one_work+0x853/0x1140 kernel/workqueue.c:2298 worker_thread+0xac1/0x1320 kernel/workqueue.c:2445 kthread+0x468/0x490 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 ------------[ cut here ]------------ kernel BUG at mm/page_alloc.c:1071! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8629 Comm: kworker/u4:7 Not tainted 5.16.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound io_ring_exit_work RIP: 0010:__free_one_page+0xd3e/0xda0 mm/page_alloc.c:1071 Code: 8b 34 24 e9 ae fd ff ff 4c 89 e7 48 c7 c6 20 7b 7c 8a e8 95 f1 f6 ff 0f 0b 0f 0b 48 89 f7 48 c7 c6 a0 79 7c 8a e8 82 f1 f6 ff <0f> 0b 0f 0b 48 89 f7 48 c7 c6 00 7a 7c 8a e8 6f f1 f6 ff 0f 0b 48 RSP: 0000:ffffc9000ff67758 EFLAGS: 00010046 RAX: 5e9153d045bd1a00 RBX: ffff88813fffa700 RCX: ffff888018641d00 RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff RBP: ffff88813fffa830 R08: ffffffff81d74f15 R09: ffffed1017364f2c R10: ffffed1017364f2c R11: 0000000000000000 R12: 0000000000042200 R13: 0000000000000000 R14: 0000000000000009 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555557090708 CR3: 000000001a089000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: free_pcppages_bulk+0x690/0x870 mm/page_alloc.c:1531 free_unref_page+0x26d/0x580 mm/page_alloc.c:3408 io_ring_ctx_free+0x67e/0x89e fs/io_uring.c:9381 io_ring_exit_work+0x64d/0x6b7 fs/io_uring.c:9533 process_one_work+0x853/0x1140 kernel/workqueue.c:2298 worker_thread+0xac1/0x1320 kernel/workqueue.c:2445 kthread+0x468/0x490 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 Modules linked in: ---[ end trace 58d0289d5e490068 ]--- RIP: 0010:__free_one_page+0xd3e/0xda0 mm/page_alloc.c:1071 Code: 8b 34 24 e9 ae fd ff ff 4c 89 e7 48 c7 c6 20 7b 7c 8a e8 95 f1 f6 ff 0f 0b 0f 0b 48 89 f7 48 c7 c6 a0 79 7c 8a e8 82 f1 f6 ff <0f> 0b 0f 0b 48 89 f7 48 c7 c6 00 7a 7c 8a e8 6f f1 f6 ff 0f 0b 48 RSP: 0000:ffffc9000ff67758 EFLAGS: 00010046 RAX: 5e9153d045bd1a00 RBX: ffff88813fffa700 RCX: ffff888018641d00 RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff RBP: ffff88813fffa830 R08: ffffffff81d74f15 R09: ffffed1017364f2c R10: ffffed1017364f2c R11: 0000000000000000 R12: 0000000000042200 R13: 0000000000000000 R14: 0000000000000009 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555557090708 CR3: 000000001a089000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400