bisecting cause commit starting from ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25 building syzkaller on db9bcd4b9fd510dc1b4b2b2021180c8432844b9b testing commit ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25 with gcc (GCC) 8.1.0 kernel signature: a0426cfa2431e7d68cd10062397b363642775ad6f7df0522eb398c42c03bee46 all runs: crashed: possible deadlock in shmem_uncharge testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 15b98a67192ff222fa6c550aaff38a7237f0a0e76b16d0df20b2c9c6dac687e9 all runs: OK # git bisect start ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 6225 revisions left to test after this (roughly 13 steps) [4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0 kernel signature: b0f66649d19164b3e25917f6789aa7b414b454ec3de48abbc07ca8764340b9ca all runs: OK # git bisect good 4646de87d32526ee87b46c2e0130413367fb5362 Bisecting: 3145 revisions left to test after this (roughly 12 steps) [5c8db3eb381745c010ba746373a279e92502bdc8] Merge branch 'i2c/for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit 5c8db3eb381745c010ba746373a279e92502bdc8 with gcc (GCC) 8.1.0 kernel signature: 828dc805d195defdfe560cf07a403366137ffa2b5efc5bf9d443b8d291b54899 all runs: OK # git bisect good 5c8db3eb381745c010ba746373a279e92502bdc8 Bisecting: 1463 revisions left to test after this (roughly 11 steps) [854e80bcfdafb8d99d308e21798cd0116338783d] Merge tag 'arm-dt-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 854e80bcfdafb8d99d308e21798cd0116338783d with gcc (GCC) 8.1.0 kernel signature: d8146f9168f626b94ccfc82aabdc422ce2a069945c359c2d0f57a1d1e65b1ecd all runs: OK # git bisect good 854e80bcfdafb8d99d308e21798cd0116338783d Bisecting: 755 revisions left to test after this (roughly 10 steps) [d5ca32738f8fbd3632928929cccb5789d44be390] Merge tag 'timers-urgent-2020-04-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit d5ca32738f8fbd3632928929cccb5789d44be390 with gcc (GCC) 8.1.0 kernel signature: 95b363930fe4341c8207d6ef68efea8c45e42c0cb5bf5a1d05e12eca86f1b44b all runs: OK # git bisect good d5ca32738f8fbd3632928929cccb5789d44be390 Bisecting: 345 revisions left to test after this (roughly 9 steps) [04de788e61a576820baf03ff8accc246ca146cb3] Merge tag 'nfs-for-5.7-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 04de788e61a576820baf03ff8accc246ca146cb3 with gcc (GCC) 8.1.0 kernel signature: e20fd4e76f974ec796b6a28ac3416b014a1585b6b086af79b1fb4ea9efa18998 all runs: OK # git bisect good 04de788e61a576820baf03ff8accc246ca146cb3 Bisecting: 166 revisions left to test after this (roughly 8 steps) [38e2c63ec3d323310ba873601e864af79b90b457] Merge tag 'leds-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/pavel/linux-leds testing commit 38e2c63ec3d323310ba873601e864af79b90b457 with gcc (GCC) 8.1.0 kernel signature: b8dc3f916a5200aabe0e82f02764db5f15e5dbc03d445ad9813c20d136714f9a all runs: crashed: possible deadlock in shmem_uncharge # git bisect bad 38e2c63ec3d323310ba873601e864af79b90b457 Bisecting: 89 revisions left to test after this (roughly 7 steps) [3f3673d7d324d872d9d8ddb73b3e5e47fbf12e0d] include/linux/swapops.h: correct guards for non_swap_entry() testing commit 3f3673d7d324d872d9d8ddb73b3e5e47fbf12e0d with gcc (GCC) 8.1.0 kernel signature: 49467570d440eb59c77c84c7ace69067ab0e8e654d64179c11e0190071696aec all runs: crashed: possible deadlock in shmem_uncharge # git bisect bad 3f3673d7d324d872d9d8ddb73b3e5e47fbf12e0d Bisecting: 44 revisions left to test after this (roughly 6 steps) [ffd05793963a44bd119311df3c02b191982574ee] userfaultfd: wp: support write protection for userfault vma range testing commit ffd05793963a44bd119311df3c02b191982574ee with gcc (GCC) 8.1.0 kernel signature: 70e364130c7d596b25f05126f9a7bff6c320ed3ea20414b246122299d243d2d7 all runs: OK # git bisect good ffd05793963a44bd119311df3c02b191982574ee Bisecting: 22 revisions left to test after this (roughly 5 steps) [ed7f9fec8c8f8227ebd1fb69feda60ce4a7df61f] powernv/memtrace: always online added memory blocks testing commit ed7f9fec8c8f8227ebd1fb69feda60ce4a7df61f with gcc (GCC) 8.1.0 kernel signature: bb1d9b3a9999fdab67bda8cce96742589ed58a16f44bafec42637541a579e9f2 all runs: OK # git bisect good ed7f9fec8c8f8227ebd1fb69feda60ce4a7df61f Bisecting: 11 revisions left to test after this (roughly 4 steps) [77337edee7598d82fb5acf66cb91a5b3f0c46add] mm/compaction: add missing annotation for compact_lock_irqsave testing commit 77337edee7598d82fb5acf66cb91a5b3f0c46add with gcc (GCC) 8.1.0 kernel signature: 79d18cb8612b894ae6dbb56096ec41f9ea1c14b0cea963b3146c6f54c6c918ec all runs: crashed: possible deadlock in shmem_uncharge # git bisect bad 77337edee7598d82fb5acf66cb91a5b3f0c46add Bisecting: 5 revisions left to test after this (roughly 3 steps) [104049017b774036fa971722a202a17e6585a200] mm/memory_hotplug.c: use __pfn_to_section() instead of open-coding testing commit 104049017b774036fa971722a202a17e6585a200 with gcc (GCC) 8.1.0 kernel signature: a78dabb6f1aa951937c2fc18349a2580b21456effaa74ff5c026e12f8509c99b all runs: OK # git bisect good 104049017b774036fa971722a202a17e6585a200 Bisecting: 2 revisions left to test after this (roughly 2 steps) [71725ed10c40696dc6bdccf8e225815dcef24dba] mm: huge tmpfs: try to split_huge_page() when punching hole testing commit 71725ed10c40696dc6bdccf8e225815dcef24dba with gcc (GCC) 8.1.0 kernel signature: 53d9b2b5e377d9357d5b7eb01547dec73f8a52ad90492319b7c108b8606ba90a all runs: crashed: possible deadlock in shmem_uncharge # git bisect bad 71725ed10c40696dc6bdccf8e225815dcef24dba Bisecting: 0 revisions left to test after this (roughly 1 step) [343c3d7f0927e000427fae5e361aa560f83dd5b5] mm/shmem.c: clean code by removing unnecessary assignment testing commit 343c3d7f0927e000427fae5e361aa560f83dd5b5 with gcc (GCC) 8.1.0 kernel signature: 7a1abd6a8292f723c586fe860c2aba13a1c3a5c9dc72a6511776e9c436dd1f91 run #0: boot failed: failed to get create image operation operation-1586423369069-5a2d7f9607594-91525f45-cc48f7a4: googleapi: Error 503: Internal error. Please try again or contact Google Support. (Code: '7440397599000885916'), backendError run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 343c3d7f0927e000427fae5e361aa560f83dd5b5 71725ed10c40696dc6bdccf8e225815dcef24dba is the first bad commit commit 71725ed10c40696dc6bdccf8e225815dcef24dba Author: Hugh Dickins Date: Mon Apr 6 20:07:57 2020 -0700 mm: huge tmpfs: try to split_huge_page() when punching hole Yang Shi writes: Currently, when truncating a shmem file, if the range is partly in a THP (start or end is in the middle of THP), the pages actually will just get cleared rather than being freed, unless the range covers the whole THP. Even though all the subpages are truncated (randomly or sequentially), the THP may still be kept in page cache. This might be fine for some usecases which prefer preserving THP, but balloon inflation is handled in base page size. So when using shmem THP as memory backend, QEMU inflation actually doesn't work as expected since it doesn't free memory. But the inflation usecase really needs to get the memory freed. (Anonymous THP will also not get freed right away, but will be freed eventually when all subpages are unmapped: whereas shmem THP still stays in page cache.) Split THP right away when doing partial hole punch, and if split fails just clear the page so that read of the punched area will return zeroes. Hugh Dickins adds: Our earlier "team of pages" huge tmpfs implementation worked in the way that Yang Shi proposes; and we have been using this patch to continue to split the huge page when hole-punched or truncated, since converting over to the compound page implementation. Although huge tmpfs gives out huge pages when available, if the user specifically asks to truncate or punch a hole (perhaps to free memory, perhaps to reduce the memcg charge), then the filesystem should do so as best it can, splitting the huge page. That is not always possible: any additional reference to the huge page prevents split_huge_page() from succeeding, so the result can be flaky. But in practice it works successfully enough that we've not seen any problem from that. Add shmem_punch_compound() to encapsulate the decision of when a split is needed, and doing the split if so. Using this simplifies the flow in shmem_undo_range(); and the first (trylock) pass does not need to do any page clearing on failure, because the second pass will either succeed or do that clearing. Following the example of zero_user_segment() when clearing a partial page, add flush_dcache_page() and set_page_dirty() when clearing a hole - though I'm not certain that either is needed. But: split_huge_page() would be sure to fail if shmem_undo_range()'s pagevec holds further references to the huge page. The easiest way to fix that is for find_get_entries() to return early, as soon as it has put one compound head or tail into the pagevec. At first this felt like a hack; but on examination, this convention better suits all its callers - or will do, if the slight one-page-per-pagevec slowdown in shmem_unlock_mapping() and shmem_seek_hole_data() is transformed into a 512-page-per-pagevec speedup by checking for compound pages there. Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Cc: Yang Shi Cc: Alexander Duyck Cc: "Michael S. Tsirkin" Cc: David Hildenbrand Cc: "Kirill A. Shutemov" Cc: Matthew Wilcox Cc: Andrea Arcangeli Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2002261959020.10801@eggly.anvils Signed-off-by: Linus Torvalds mm/filemap.c | 14 ++++++++- mm/shmem.c | 98 ++++++++++++++++++++++++++---------------------------------- mm/swap.c | 4 +++ 3 files changed, 60 insertions(+), 56 deletions(-) culprit signature: 53d9b2b5e377d9357d5b7eb01547dec73f8a52ad90492319b7c108b8606ba90a parent signature: 7a1abd6a8292f723c586fe860c2aba13a1c3a5c9dc72a6511776e9c436dd1f91 revisions tested: 15, total time: 3h37m37.064470952s (build: 1h28m38.001763889s, test: 2h7m54.096806911s) first bad commit: 71725ed10c40696dc6bdccf8e225815dcef24dba mm: huge tmpfs: try to split_huge_page() when punching hole cc: ["akpm@linux-foundation.org" "hughd@google.com" "torvalds@linux-foundation.org"] crash: possible deadlock in shmem_uncharge ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 5.6.0-syzkaller #0 Not tainted ----------------------------------------------------- syz-executor.3/8556 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: ffff888087fa26b8 (&info->lock){....}-{2:2}, at: shmem_uncharge+0x1f/0x230 mm/shmem.c:341 and this task is already holding: ffff888087fa2a08 (&xa->xa_lock#4){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:353 [inline] ffff888087fa2a08 (&xa->xa_lock#4){..-.}-{2:2}, at: split_huge_page_to_list+0x6ff/0x2690 mm/huge_memory.c:2864 which would create a new lock dependency: (&xa->xa_lock#4){..-.}-{2:2} -> (&info->lock){....}-{2:2} but this new dependency connects a SOFTIRQ-irq-safe lock: (&xa->xa_lock#4){..-.}-{2:2} ... which became SOFTIRQ-irq-safe at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159 test_clear_page_writeback+0x18f/0xd50 mm/page-writeback.c:2728 end_page_writeback+0x17d/0x350 mm/filemap.c:1317 end_bio_bh_io_sync+0xb4/0x100 fs/buffer.c:3012 req_bio_endio block/blk-core.c:245 [inline] blk_update_request+0x294/0xa60 block/blk-core.c:1472 scsi_end_request+0x77/0x5e0 drivers/scsi/scsi_lib.c:575 scsi_io_completion+0x1a0/0xfc0 drivers/scsi/scsi_lib.c:959 blk_done_softirq+0x2b1/0x400 block/blk-softirq.c:37 __do_softirq+0x26e/0xa0c kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x191/0x1d0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] do_IRQ+0xd9/0x260 arch/x86/kernel/irq.c:263 ret_from_intr+0x0/0x2b tomoyo_path_matches_pattern+0x60/0x260 security/tomoyo/util.c:923 tomoyo_compare_name_union+0x58/0xa0 security/tomoyo/file.c:87 tomoyo_check_path_acl+0x94/0x100 security/tomoyo/file.c:260 tomoyo_check_acl+0xf7/0x330 security/tomoyo/domain.c:175 tomoyo_path_permission+0x1e1/0x340 security/tomoyo/file.c:586 tomoyo_path_perm+0x2a2/0x370 security/tomoyo/file.c:838 security_inode_getattr+0xab/0x100 security/security.c:1273 vfs_getattr+0x17/0x40 fs/stat.c:117 vfs_statx_fd+0x3f/0x80 fs/stat.c:147 vfs_fstat include/linux/fs.h:3295 [inline] __do_sys_newfstat+0x6b/0xc0 fs/stat.c:388 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 to a SOFTIRQ-irq-unsafe lock: (shmlock_user_lock){+.+.}-{2:2} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] user_shm_lock+0x94/0x180 mm/mlock.c:855 hugetlb_file_setup+0x431/0x59d fs/hugetlbfs/inode.c:1416 newseg+0x383/0xc30 ipc/shm.c:652 ipcget_new ipc/util.c:344 [inline] ipcget+0xed/0xb40 ipc/util.c:643 ksys_shmget ipc/shm.c:742 [inline] __do_sys_shmget ipc/shm.c:747 [inline] __se_sys_shmget ipc/shm.c:745 [inline] __x64_sys_shmget+0x133/0x1a0 ipc/shm.c:745 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 other info that might help us debug this: Chain exists of: &xa->xa_lock#4 --> &info->lock --> shmlock_user_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(shmlock_user_lock); local_irq_disable(); lock(&xa->xa_lock#4); lock(&info->lock); lock(&xa->xa_lock#4); *** DEADLOCK *** 5 locks held by syz-executor.3/8556: #0: ffff88809044e450 (sb_writers#7){.+.+}-{0:0}, at: sb_start_write include/linux/fs.h:1655 [inline] #0: ffff88809044e450 (sb_writers#7){.+.+}-{0:0}, at: do_sys_ftruncate+0x1e6/0x430 fs/open.c:190 #1: ffff888087fa2910 (&sb->s_type->i_mutex_key#16){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:797 [inline] #1: ffff888087fa2910 (&sb->s_type->i_mutex_key#16){+.+.}-{3:3}, at: do_truncate+0xcb/0x180 fs/open.c:62 #2: ffff888087fa2ad0 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:541 [inline] #2: ffff888087fa2ad0 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: split_huge_page_to_list+0x389/0x2690 mm/huge_memory.c:2825 #3: ffff88812ffffcd8 (&pgdat->lru_lock){....}-{2:2}, at: split_huge_page_to_list+0x59a/0x2690 mm/huge_memory.c:2855 #4: ffff888087fa2a08 (&xa->xa_lock#4){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:353 [inline] #4: ffff888087fa2a08 (&xa->xa_lock#4){..-.}-{2:2}, at: split_huge_page_to_list+0x6ff/0x2690 mm/huge_memory.c:2864 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (&xa->xa_lock#4){..-.}-{2:2} { IN-SOFTIRQ-W at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159 test_clear_page_writeback+0x18f/0xd50 mm/page-writeback.c:2728 end_page_writeback+0x17d/0x350 mm/filemap.c:1317 end_bio_bh_io_sync+0xb4/0x100 fs/buffer.c:3012 req_bio_endio block/blk-core.c:245 [inline] blk_update_request+0x294/0xa60 block/blk-core.c:1472 scsi_end_request+0x77/0x5e0 drivers/scsi/scsi_lib.c:575 scsi_io_completion+0x1a0/0xfc0 drivers/scsi/scsi_lib.c:959 blk_done_softirq+0x2b1/0x400 block/blk-softirq.c:37 __do_softirq+0x26e/0xa0c kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x191/0x1d0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] do_IRQ+0xd9/0x260 arch/x86/kernel/irq.c:263 ret_from_intr+0x0/0x2b tomoyo_path_matches_pattern+0x60/0x260 security/tomoyo/util.c:923 tomoyo_compare_name_union+0x58/0xa0 security/tomoyo/file.c:87 tomoyo_check_path_acl+0x94/0x100 security/tomoyo/file.c:260 tomoyo_check_acl+0xf7/0x330 security/tomoyo/domain.c:175 tomoyo_path_permission+0x1e1/0x340 security/tomoyo/file.c:586 tomoyo_path_perm+0x2a2/0x370 security/tomoyo/file.c:838 security_inode_getattr+0xab/0x100 security/security.c:1273 vfs_getattr+0x17/0x40 fs/stat.c:117 vfs_statx_fd+0x3f/0x80 fs/stat.c:147 vfs_fstat include/linux/fs.h:3295 [inline] __do_sys_newfstat+0x6b/0xc0 fs/stat.c:388 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 INITIAL USE at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0x5e/0x80 kernel/locking/spinlock.c:167 spin_lock_irq include/linux/spinlock.h:378 [inline] __add_to_page_cache_locked+0x4f0/0x9f0 mm/filemap.c:855 add_to_page_cache_lru+0x136/0x490 mm/filemap.c:921 do_read_cache_page+0x2f9/0xaa0 mm/filemap.c:2755 read_mapping_page include/linux/pagemap.h:397 [inline] read_part_sector+0xd8/0x486 block/partitions/core.c:643 adfspart_check_ICS+0x92/0xb30 block/partitions/acorn.c:360 check_partition block/partitions/core.c:140 [inline] blk_add_partitions+0x396/0xc80 block/partitions/core.c:571 bdev_disk_changed+0x175/0x290 fs/block_dev.c:1544 __blkdev_get+0x8dd/0x1180 fs/block_dev.c:1647 register_disk block/genhd.c:763 [inline] __device_add_disk+0xc49/0xf60 block/genhd.c:853 add_disk include/linux/genhd.h:294 [inline] brd_init+0x206/0x392 drivers/block/brd.c:533 do_one_initcall+0xc3/0x580 init/main.c:1158 do_initcall_level init/main.c:1231 [inline] do_initcalls init/main.c:1247 [inline] do_basic_setup init/main.c:1267 [inline] kernel_init_freeable+0x48b/0x4ff init/main.c:1451 kernel_init+0x7/0x102 init/main.c:1358 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 } ... key at: [] __key.18058+0x0/0x40 ... acquired at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159 shmem_uncharge+0x1f/0x230 mm/shmem.c:341 __split_huge_page mm/huge_memory.c:2613 [inline] split_huge_page_to_list+0x1b95/0x2690 mm/huge_memory.c:2886 split_huge_page include/linux/huge_mm.h:204 [inline] shmem_punch_compound+0xcf/0x130 mm/shmem.c:814 shmem_undo_range+0x597/0x1370 mm/shmem.c:870 shmem_truncate_range+0xf/0x80 mm/shmem.c:980 shmem_setattr+0x70e/0xc20 mm/shmem.c:1039 notify_change+0x72f/0xd00 fs/attr.c:336 do_truncate+0xda/0x180 fs/open.c:64 do_sys_ftruncate+0x325/0x430 fs/open.c:195 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock: -> (shmlock_user_lock){+.+.}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] user_shm_lock+0x94/0x180 mm/mlock.c:855 hugetlb_file_setup+0x431/0x59d fs/hugetlbfs/inode.c:1416 newseg+0x383/0xc30 ipc/shm.c:652 ipcget_new ipc/util.c:344 [inline] ipcget+0xed/0xb40 ipc/util.c:643 ksys_shmget ipc/shm.c:742 [inline] __do_sys_shmget ipc/shm.c:747 [inline] __se_sys_shmget ipc/shm.c:745 [inline] __x64_sys_shmget+0x133/0x1a0 ipc/shm.c:745 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 SOFTIRQ-ON-W at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] user_shm_lock+0x94/0x180 mm/mlock.c:855 hugetlb_file_setup+0x431/0x59d fs/hugetlbfs/inode.c:1416 newseg+0x383/0xc30 ipc/shm.c:652 ipcget_new ipc/util.c:344 [inline] ipcget+0xed/0xb40 ipc/util.c:643 ksys_shmget ipc/shm.c:742 [inline] __do_sys_shmget ipc/shm.c:747 [inline] __se_sys_shmget ipc/shm.c:745 [inline] __x64_sys_shmget+0x133/0x1a0 ipc/shm.c:745 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 INITIAL USE at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] user_shm_lock+0x94/0x180 mm/mlock.c:855 shmem_lock+0x177/0x260 mm/shmem.c:2184 shmctl_do_lock+0x682/0x830 ipc/shm.c:1111 ksys_shmctl.constprop.18+0x1dc/0x260 ipc/shm.c:1188 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 } ... key at: [] shmlock_user_lock+0x18/0x5c0 ... acquired at: __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] user_shm_lock+0x94/0x180 mm/mlock.c:855 shmem_lock+0x177/0x260 mm/shmem.c:2184 shmctl_do_lock+0x682/0x830 ipc/shm.c:1111 ksys_shmctl.constprop.18+0x1dc/0x260 ipc/shm.c:1188 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 -> (&info->lock){....}-{2:2} { INITIAL USE at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0x5e/0x80 kernel/locking/spinlock.c:167 spin_lock_irq include/linux/spinlock.h:378 [inline] shmem_getpage_gfp+0x946/0x1cb0 mm/shmem.c:1882 shmem_getpage mm/shmem.c:154 [inline] shmem_write_begin+0xcf/0x1b0 mm/shmem.c:2483 generic_perform_write+0x253/0x410 mm/filemap.c:3302 __generic_file_write_iter+0x1ff/0x520 mm/filemap.c:3431 generic_file_write_iter+0x328/0x616 mm/filemap.c:3463 call_write_iter include/linux/fs.h:1907 [inline] new_sync_write+0x417/0x6c0 fs/read_write.c:483 vfs_write+0x18b/0x490 fs/read_write.c:558 ksys_write+0xec/0x1c0 fs/read_write.c:611 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 } ... key at: [] __key.56465+0x0/0x40 ... acquired at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159 shmem_uncharge+0x1f/0x230 mm/shmem.c:341 __split_huge_page mm/huge_memory.c:2613 [inline] split_huge_page_to_list+0x1b95/0x2690 mm/huge_memory.c:2886 split_huge_page include/linux/huge_mm.h:204 [inline] shmem_punch_compound+0xcf/0x130 mm/shmem.c:814 shmem_undo_range+0x597/0x1370 mm/shmem.c:870 shmem_truncate_range+0xf/0x80 mm/shmem.c:980 shmem_setattr+0x70e/0xc20 mm/shmem.c:1039 notify_change+0x72f/0xd00 fs/attr.c:336 do_truncate+0xda/0x180 fs/open.c:64 do_sys_ftruncate+0x325/0x430 fs/open.c:195 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 stack backtrace: CPU: 1 PID: 8556 Comm: syz-executor.3 Not tainted 5.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_bad_irq_dependency kernel/locking/lockdep.c:2132 [inline] check_irq_usage.cold.63+0x57e/0x6d8 kernel/locking/lockdep.c:2330 check_prev_add kernel/locking/lockdep.c:2519 [inline] check_prevs_add kernel/locking/lockdep.c:2620 [inline] validate_chain kernel/locking/lockdep.c:3237 [inline] __lock_acquire+0x256f/0x3740 kernel/locking/lockdep.c:4344 lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159 shmem_uncharge+0x1f/0x230 mm/shmem.c:341 __split_huge_page mm/huge_memory.c:2613 [inline] split_huge_page_to_list+0x1b95/0x2690 mm/huge_memory.c:2886 split_huge_page include/linux/huge_mm.h:204 [inline] shmem_punch_compound+0xcf/0x130 mm/shmem.c:814 shmem_undo_range+0x597/0x1370 mm/shmem.c:870 shmem_truncate_range+0xf/0x80 mm/shmem.c:980 shmem_setattr+0x70e/0xc20 mm/shmem.c:1039 notify_change+0x72f/0xd00 fs/attr.c:336 do_truncate+0xda/0x180 fs/open.c:64 do_sys_ftruncate+0x325/0x430 fs/open.c:195 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45c889 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fa3d56dac78 EFLAGS: 00000246 ORIG_RAX: 000000000000004d RAX: ffffffffffffffda RBX: 00007fa3d56db6d4 RCX: 000000000045c889 RDX: 0000000000000000 RSI: 00000000000001ff RDI: 0000000000000006 RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000000e7 R14: 00000000004c3726 R15: 000000000076bfac