page:ffffea0001088000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x9 pfn:0x42200
======================================================
WARNING: possible circular locking dependency detected
5.16.0-rc3-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u4:7/8629 is trying to acquire lock:
ffffffff8c9fa098 ((console_sem).lock){-.-.}-{2:2}, at: down_trylock+0x1c/0x90 kernel/locking/semaphore.c:138
but task is already holding lock:
ffff88813fffacd8 (&zone->lock){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline]
ffff88813fffacd8 (&zone->lock){..-.}-{2:2}, at: free_pcppages_bulk+0x5a7/0x870 mm/page_alloc.c:1511
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #5 (&zone->lock){..-.}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:349 [inline]
rmqueue_bulk mm/page_alloc.c:3017 [inline]
__rmqueue_pcplist+0x255/0x2090 mm/page_alloc.c:3616
rmqueue_pcplist+0x1e1/0x4e0 mm/page_alloc.c:3654
rmqueue+0x1f04/0x2330 mm/page_alloc.c:3682
get_page_from_freelist+0x493/0x9e0 mm/page_alloc.c:4146
__alloc_pages+0x255/0x580 mm/page_alloc.c:5369
__get_free_pages mm/page_alloc.c:5418 [inline]
get_zeroed_page+0x13/0x40 mm/page_alloc.c:5427
pud_alloc_one include/asm-generic/pgalloc.h:166 [inline]
__pud_alloc+0x8b/0x220 mm/memory.c:4834
pud_alloc include/linux/mm.h:2276 [inline]
preallocate_vmalloc_pages+0x106/0x168 arch/x86/mm/init_64.c:1314
mm_init+0x1e/0x41 init/main.c:838
start_kernel+0x1c2/0x56e init/main.c:982
secondary_startup_64_no_verify+0xb1/0xbb
-> #4 (lock#2){..-.}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
local_lock_acquire+0x23/0x130 include/linux/local_lock_internal.h:29
rmqueue_pcplist+0x121/0x4e0 mm/page_alloc.c:3644
rmqueue+0x1f04/0x2330 mm/page_alloc.c:3682
get_page_from_freelist+0x493/0x9e0 mm/page_alloc.c:4146
__alloc_pages+0x255/0x580 mm/page_alloc.c:5369
__stack_depot_save+0x3b4/0x4a0 lib/stackdepot.c:359
kasan_save_stack mm/kasan/common.c:40 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0xd2/0xf0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3234 [inline]
slab_alloc mm/slub.c:3242 [inline]
kmem_cache_alloc+0x1c9/0x310 mm/slub.c:3247
kmem_cache_zalloc include/linux/slab.h:714 [inline]
fill_pool lib/debugobjects.c:171 [inline]
__debug_object_init+0x14c4/0x1860 lib/debugobjects.c:565
debug_object_init lib/debugobjects.c:620 [inline]
debug_object_activate+0x188/0x6a0 lib/debugobjects.c:706
debug_timer_activate kernel/time/timer.c:729 [inline]
__mod_timer+0x824/0xd20 kernel/time/timer.c:1050
queue_delayed_work_on+0x135/0x230 kernel/workqueue.c:1703
process_one_work+0x853/0x1140 kernel/workqueue.c:2298
worker_thread+0xac1/0x1320 kernel/workqueue.c:2445
kthread+0x468/0x490 kernel/kthread.c:327
ret_from_fork+0x1f/0x30
-> #3 (&base->lock){-.-.}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
lock_timer_base+0x12a/0x270 kernel/time/timer.c:946
__mod_timer+0x202/0xd20 kernel/time/timer.c:1019
queue_delayed_work_on+0x135/0x230 kernel/workqueue.c:1703
psi_enqueue kernel/sched/stats.h:131 [inline]
enqueue_task kernel/sched/core.c:1995 [inline]
activate_task kernel/sched/core.c:2024 [inline]
wake_up_new_task+0xd74/0xed0 kernel/sched/core.c:4501
kernel_clone+0x3e6/0x7e0 kernel/fork.c:2606
kernel_thread+0x155/0x1d0 kernel/fork.c:2634
rest_init+0x21/0x2e0 init/main.c:690
start_kernel+0x4bf/0x56e init/main.c:1135
secondary_startup_64_no_verify+0xb1/0xbb
-> #2 (&rq->__lock){-.-.}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
_raw_spin_lock_nested+0x2d/0x40 kernel/locking/spinlock.c:368
raw_spin_rq_lock_nested+0x25/0x110 kernel/sched/core.c:478
raw_spin_rq_lock kernel/sched/sched.h:1316 [inline]
rq_lock kernel/sched/sched.h:1614 [inline]
task_fork_fair+0x5d/0x3c0 kernel/sched/fair.c:11193
sched_post_fork+0x2d1/0x330 kernel/sched/core.c:4448
copy_process+0x51a5/0x5ca0 kernel/fork.c:2406
kernel_clone+0x22a/0x7e0 kernel/fork.c:2582
kernel_thread+0x155/0x1d0 kernel/fork.c:2634
rest_init+0x21/0x2e0 init/main.c:690
start_kernel+0x4bf/0x56e init/main.c:1135
secondary_startup_64_no_verify+0xb1/0xbb
-> #1 (&p->pi_lock){-.-.}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
try_to_wake_up+0x9f/0xd20 kernel/sched/core.c:4003
up+0x6d/0x90 kernel/locking/semaphore.c:190
__up_console_sem+0x11a/0x1e0 kernel/printk/printk.c:254
console_unlock+0x6e8/0xe90 kernel/printk/printk.c:2727
do_con_write+0xe299/0xe3b0 drivers/tty/vt/vt.c:2965
con_write+0x20/0x40 drivers/tty/vt/vt.c:3295
process_output_block drivers/tty/n_tty.c:592 [inline]
n_tty_write+0xdda/0x1320 drivers/tty/n_tty.c:2288
do_tty_write drivers/tty/tty_io.c:1038 [inline]
file_tty_write+0x5c5/0x9a0 drivers/tty/tty_io.c:1110
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write fs/read_write.c:503 [inline]
vfs_write+0xb11/0xe90 fs/read_write.c:590
ksys_write+0x18f/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
-> #0 ((console_sem).lock){-.-.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3063 [inline]
check_prevs_add kernel/locking/lockdep.c:3186 [inline]
validate_chain+0x1dfb/0x8240 kernel/locking/lockdep.c:3801
__lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5027
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
down_trylock+0x1c/0x90 kernel/locking/semaphore.c:138
__down_trylock_console_sem+0x105/0x250 kernel/printk/printk.c:237
console_trylock kernel/printk/printk.c:2542 [inline]
console_trylock_spinning+0x8a/0x3f0 kernel/printk/printk.c:1843
vprintk_emit+0xa1/0x140 kernel/printk/printk.c:2244
_printk+0xcf/0x118 kernel/printk/printk.c:2266
__dump_page mm/debug.c:91 [inline]
dump_page+0x4dd/0x10e0 mm/debug.c:183
__free_one_page+0xd3e/0xda0 mm/page_alloc.c:1071
free_pcppages_bulk+0x690/0x870 mm/page_alloc.c:1531
free_unref_page+0x26d/0x580 mm/page_alloc.c:3408
io_ring_ctx_free+0x67e/0x89e fs/io_uring.c:9381
io_ring_exit_work+0x64d/0x6b7 fs/io_uring.c:9533
process_one_work+0x853/0x1140 kernel/workqueue.c:2298
worker_thread+0xac1/0x1320 kernel/workqueue.c:2445
kthread+0x468/0x490 kernel/kthread.c:327
ret_from_fork+0x1f/0x30
other info that might help us debug this:
Chain exists of:
(console_sem).lock --> lock#2 --> &zone->lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&zone->lock);
lock(lock#2);
lock(&zone->lock);
lock((console_sem).lock);
*** DEADLOCK ***
4 locks held by kworker/u4:7/8629:
#0: ffff888011469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x7ca/0x1140
#1: ffffc9000ff67d20 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x808/0x1140 kernel/workqueue.c:2273
#2: ffff8880b9b350e8 (lock#2){..-.}-{2:2}, at: local_lock_acquire+0x7/0x130 include/linux/local_lock_internal.h:28
#3: ffff88813fffacd8 (&zone->lock){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline]
#3: ffff88813fffacd8 (&zone->lock){..-.}-{2:2}, at: free_pcppages_bulk+0x5a7/0x870 mm/page_alloc.c:1511
stack backtrace:
CPU: 1 PID: 8629 Comm: kworker/u4:7 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound io_ring_exit_work
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
check_noncircular+0x2f9/0x3b0 kernel/locking/lockdep.c:2143
check_prev_add kernel/locking/lockdep.c:3063 [inline]
check_prevs_add kernel/locking/lockdep.c:3186 [inline]
validate_chain+0x1dfb/0x8240 kernel/locking/lockdep.c:3801
__lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5027
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
down_trylock+0x1c/0x90 kernel/locking/semaphore.c:138
__down_trylock_console_sem+0x105/0x250 kernel/printk/printk.c:237
console_trylock kernel/printk/printk.c:2542 [inline]
console_trylock_spinning+0x8a/0x3f0 kernel/printk/printk.c:1843
vprintk_emit+0xa1/0x140 kernel/printk/printk.c:2244
_printk+0xcf/0x118 kernel/printk/printk.c:2266
__dump_page mm/debug.c:91 [inline]
dump_page+0x4dd/0x10e0 mm/debug.c:183
__free_one_page+0xd3e/0xda0 mm/page_alloc.c:1071
free_pcppages_bulk+0x690/0x870 mm/page_alloc.c:1531
free_unref_page+0x26d/0x580 mm/page_alloc.c:3408
io_ring_ctx_free+0x67e/0x89e fs/io_uring.c:9381
io_ring_exit_work+0x64d/0x6b7 fs/io_uring.c:9533
process_one_work+0x853/0x1140 kernel/workqueue.c:2298
worker_thread+0xac1/0x1320 kernel/workqueue.c:2445
kthread+0x468/0x490 kernel/kthread.c:327
ret_from_fork+0x1f/0x30
flags: 0xfff00000000008(dirty|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000008 ffffc9000ff678a0 ffffea0000a24a08 0000000000000000
raw: 0000000000000009 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page->flags & (((1UL << 24) - 1) & ~0))
page_owner tracks the page as freed
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x452dc0(GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 18631, ts 405706616923, free_ts 405836046225
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0x729/0x9e0 mm/page_alloc.c:4149
__alloc_pages+0x255/0x580 mm/page_alloc.c:5369
__get_free_pages+0x8/0x30 mm/page_alloc.c:5418
io_allocate_scq_urings+0x238/0x43f fs/io_uring.c:10316
io_uring_create+0x486/0xc73 fs/io_uring.c:10434
io_uring_setup fs/io_uring.c:10524 [inline]
__do_sys_io_uring_setup fs/io_uring.c:10530 [inline]
__se_sys_io_uring_setup fs/io_uring.c:10527 [inline]
__x64_sys_io_uring_setup+0x226/0x2a0 fs/io_uring.c:10527
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0xd1c/0xe00 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page+0x7d/0x580 mm/page_alloc.c:3388
io_ring_ctx_free+0x67e/0x89e fs/io_uring.c:9381
io_ring_exit_work+0x64d/0x6b7 fs/io_uring.c:9533
process_one_work+0x853/0x1140 kernel/workqueue.c:2298
worker_thread+0xac1/0x1320 kernel/workqueue.c:2445
kthread+0x468/0x490 kernel/kthread.c:327
ret_from_fork+0x1f/0x30
------------[ cut here ]------------
kernel BUG at mm/page_alloc.c:1071!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8629 Comm: kworker/u4:7 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound io_ring_exit_work
RIP: 0010:__free_one_page+0xd3e/0xda0 mm/page_alloc.c:1071
Code: 8b 34 24 e9 ae fd ff ff 4c 89 e7 48 c7 c6 20 7b 7c 8a e8 95 f1 f6 ff 0f 0b 0f 0b 48 89 f7 48 c7 c6 a0 79 7c 8a e8 82 f1 f6 ff <0f> 0b 0f 0b 48 89 f7 48 c7 c6 00 7a 7c 8a e8 6f f1 f6 ff 0f 0b 48
RSP: 0000:ffffc9000ff67758 EFLAGS: 00010046
RAX: 5e9153d045bd1a00 RBX: ffff88813fffa700 RCX: ffff888018641d00
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffff88813fffa830 R08: ffffffff81d74f15 R09: ffffed1017364f2c
R10: ffffed1017364f2c R11: 0000000000000000 R12: 0000000000042200
R13: 0000000000000000 R14: 0000000000000009 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555557090708 CR3: 000000001a089000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
free_pcppages_bulk+0x690/0x870 mm/page_alloc.c:1531
free_unref_page+0x26d/0x580 mm/page_alloc.c:3408
io_ring_ctx_free+0x67e/0x89e fs/io_uring.c:9381
io_ring_exit_work+0x64d/0x6b7 fs/io_uring.c:9533
process_one_work+0x853/0x1140 kernel/workqueue.c:2298
worker_thread+0xac1/0x1320 kernel/workqueue.c:2445
kthread+0x468/0x490 kernel/kthread.c:327
ret_from_fork+0x1f/0x30
Modules linked in:
---[ end trace 58d0289d5e490068 ]---
RIP: 0010:__free_one_page+0xd3e/0xda0 mm/page_alloc.c:1071
Code: 8b 34 24 e9 ae fd ff ff 4c 89 e7 48 c7 c6 20 7b 7c 8a e8 95 f1 f6 ff 0f 0b 0f 0b 48 89 f7 48 c7 c6 a0 79 7c 8a e8 82 f1 f6 ff <0f> 0b 0f 0b 48 89 f7 48 c7 c6 00 7a 7c 8a e8 6f f1 f6 ff 0f 0b 48
RSP: 0000:ffffc9000ff67758 EFLAGS: 00010046
RAX: 5e9153d045bd1a00 RBX: ffff88813fffa700 RCX: ffff888018641d00
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffff88813fffa830 R08: ffffffff81d74f15 R09: ffffed1017364f2c
R10: ffffed1017364f2c R11: 0000000000000000 R12: 0000000000042200
R13: 0000000000000000 R14: 0000000000000009 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555557090708 CR3: 000000001a089000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400