bisecting cause commit starting from 88b06399c9c766c283e070b022b5ceafa4f63f19 building syzkaller on da958a4d24db4dfddd875298efb23733d05272d5 testing commit 88b06399c9c766c283e070b022b5ceafa4f63f19 with gcc (GCC) 10.2.1 20210217 kernel signature: dc2d0e09867a5698534b2c637a1d2319b0d53caf835e49a89bea215126002008 all runs: crashed: WARNING in io_link_timeout_fn testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217 kernel signature: 1109f9be8385a1b187df831786445ddf0445ad7ec30cbcbf6eddc2eec6f9ddc3 all runs: crashed: WARNING: refcount bug in io_link_timeout_fn testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: 9d21064640c713b8d677f57b1bcd0cf8e762c6d3bf0e6457a6babaafd000596a all runs: OK # git bisect start 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 f40ddce88593482919761f74910f42f4b84c004b Bisecting: 6798 revisions left to test after this (roughly 13 steps) [d99676af540c2dc829999928fb81c58c80a1dce4] Merge tag 'drm-next-2021-02-19' of git://anongit.freedesktop.org/drm/drm testing commit d99676af540c2dc829999928fb81c58c80a1dce4 with gcc (GCC) 10.2.1 20210217 kernel signature: e8a4f131abd7b840465ae07f96e3542c69425a508713c90979ff1c76ed1303ff run #0: crashed: WARNING: refcount bug in io_link_timeout_fn run #1: crashed: WARNING: refcount bug in io_link_timeout_fn run #2: crashed: WARNING: refcount bug in io_link_timeout_fn run #3: crashed: WARNING: refcount bug in io_link_timeout_fn run #4: crashed: WARNING: refcount bug in io_link_timeout_fn run #5: crashed: WARNING: refcount bug in io_link_timeout_fn run #6: crashed: WARNING: refcount bug in io_link_timeout_fn run #7: crashed: WARNING: refcount bug in io_link_timeout_fn run #8: boot failed: WARNING in kvm_wait run #9: boot failed: WARNING in kvm_wait # git bisect bad d99676af540c2dc829999928fb81c58c80a1dce4 Bisecting: 3717 revisions left to test after this (roughly 12 steps) [f9d58de23152f2c16f326d7e014cfa2933b00304] Merge tag 'affs-for-5.12-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit f9d58de23152f2c16f326d7e014cfa2933b00304 with gcc (GCC) 10.2.1 20210217 kernel signature: 2fe5a9a5b67c7564086a67d7d0ac9455b9a64f503c806954b72ff753fbd8338c all runs: OK # git bisect good f9d58de23152f2c16f326d7e014cfa2933b00304 Bisecting: 1854 revisions left to test after this (roughly 11 steps) [de1617578849acab8e16c9ffdce39b91fb50639d] Merge tag 'media/v5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit de1617578849acab8e16c9ffdce39b91fb50639d with gcc (GCC) 10.2.1 20210217 kernel signature: e41149f7a3156efb2aea57db1142858ba8636141c241a7d05762ad76ab2394bd run #0: crashed: WARNING in kvm_wait run #1: crashed: WARNING: refcount bug in io_link_timeout_fn run #2: crashed: WARNING: refcount bug in io_link_timeout_fn run #3: crashed: WARNING: refcount bug in io_link_timeout_fn run #4: crashed: WARNING: refcount bug in io_link_timeout_fn run #5: crashed: WARNING: refcount bug in io_link_timeout_fn run #6: crashed: WARNING: refcount bug in io_link_timeout_fn run #7: crashed: WARNING: refcount bug in io_link_timeout_fn run #8: crashed: WARNING: refcount bug in io_link_timeout_fn run #9: crashed: WARNING: refcount bug in io_link_timeout_fn # git bisect bad de1617578849acab8e16c9ffdce39b91fb50639d Bisecting: 929 revisions left to test after this (roughly 10 steps) [4a037ad5d115b2cc79a5071a7854475f365476fa] Merge tag 'for-linus-5.12-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit 4a037ad5d115b2cc79a5071a7854475f365476fa with gcc (GCC) 10.2.1 20210217 kernel signature: c7aa668493c078ab905f880d5b11265ccae49c7181d4b8f9655328cba2872865 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: basic kernel testing failed: timed out run #5: basic kernel testing failed: timed out run #6: basic kernel testing failed: timed out run #7: basic kernel testing failed: timed out run #8: boot failed: WARNING in kvm_wait run #9: boot failed: WARNING in kvm_wait # git bisect skip 4a037ad5d115b2cc79a5071a7854475f365476fa Bisecting: 929 revisions left to test after this (roughly 10 steps) [254e11efde66ca0a0ce0c99a62c377314b5984ff] rcu/nocb: Re-offload support testing commit 254e11efde66ca0a0ce0c99a62c377314b5984ff with gcc (GCC) 10.2.1 20210217 kernel signature: 3e1aa76da9ba71d0391654a209f989c7f9612d1dc127732cc0e5cdbd9bd8a537 all runs: OK # git bisect good 254e11efde66ca0a0ce0c99a62c377314b5984ff Bisecting: 929 revisions left to test after this (roughly 10 steps) [99b05ce74ceeb474ff4db37a0861b135063b7c7f] media: allegro: activate v4l2-ctrls only for current codec testing commit 99b05ce74ceeb474ff4db37a0861b135063b7c7f with gcc (GCC) 10.2.1 20210217 kernel signature: 8ba8ce48df6ad2019f9afc5d84041bb21297282acf54db7c7b6c29f7f7e3bd01 all runs: OK # git bisect good 99b05ce74ceeb474ff4db37a0861b135063b7c7f Bisecting: 747 revisions left to test after this (roughly 10 steps) [d089f48fba28db14d0fe7753248f2575a9ddfc73] Merge tag 'core-rcu-2021-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit d089f48fba28db14d0fe7753248f2575a9ddfc73 with gcc (GCC) 10.2.1 20210217 kernel signature: 03653dd379ff1cfe3b5caca336d734ebcd9ef3a5e703733885d0b61ba60672c1 run #0: crashed: WARNING: refcount bug in io_link_timeout_fn run #1: crashed: WARNING: refcount bug in io_link_timeout_fn run #2: crashed: WARNING: refcount bug in io_link_timeout_fn run #3: crashed: WARNING: refcount bug in io_link_timeout_fn run #4: crashed: WARNING: refcount bug in io_link_timeout_fn run #5: crashed: WARNING: refcount bug in io_link_timeout_fn run #6: crashed: WARNING: refcount bug in io_link_timeout_fn run #7: crashed: WARNING: refcount bug in io_link_timeout_fn run #8: boot failed: can't ssh into the instance run #9: boot failed: can't ssh into the instance # git bisect bad d089f48fba28db14d0fe7753248f2575a9ddfc73 Bisecting: 429 revisions left to test after this (roughly 9 steps) [bd018bbaa58640da786d4289563e71c5ef3938c7] Merge tag 'for-5.12/libata-2021-02-17' of git://git.kernel.dk/linux-block testing commit bd018bbaa58640da786d4289563e71c5ef3938c7 with gcc (GCC) 10.2.1 20210217 kernel signature: 5bf3aedb13911de85f6b8c1ae418b76cdf733a9ba7ed4293e70d5bc2c20f2c28 all runs: OK # git bisect good bd018bbaa58640da786d4289563e71c5ef3938c7 Bisecting: 255 revisions left to test after this (roughly 8 steps) [9820b4dca0f9c6b7ab8b4307286cdace171b724d] Merge tag 'for-5.12/drivers-2021-02-17' of git://git.kernel.dk/linux-block testing commit 9820b4dca0f9c6b7ab8b4307286cdace171b724d with gcc (GCC) 10.2.1 20210217 kernel signature: 4c6556d5c541074b735b51e45a688e56c40e8045956e6fce4ca67a1b6ca30073 all runs: OK # git bisect good 9820b4dca0f9c6b7ab8b4307286cdace171b724d Bisecting: 132 revisions left to test after this (roughly 7 steps) [b5183bc94b6d2789abb9b5eda6cc3e0601524c79] Merge tag 'irq-core-2021-02-15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit b5183bc94b6d2789abb9b5eda6cc3e0601524c79 with gcc (GCC) 10.2.1 20210217 kernel signature: 905c645ac3f09e60f9620049cadc8a8da10e32d34a1837693e60fb4a88c80b74 all runs: crashed: WARNING: refcount bug in io_link_timeout_fn # git bisect bad b5183bc94b6d2789abb9b5eda6cc3e0601524c79 Bisecting: 61 revisions left to test after this (roughly 6 steps) [45d189c6062922ffe272e98013ba464b355dede7] io_uring: replace force_nonblock with flags testing commit 45d189c6062922ffe272e98013ba464b355dede7 with gcc (GCC) 10.2.1 20210217 kernel signature: 51e9012cbed206313fed733c1537c55209c27a4540c16b183c3490c30d02d942 all runs: OK # git bisect good 45d189c6062922ffe272e98013ba464b355dede7 Bisecting: 30 revisions left to test after this (roughly 5 steps) [4e32635834a30b8aa9583d3899a8ecc6416023fb] io_uring: optimise SQPOLL mm/files grabbing testing commit 4e32635834a30b8aa9583d3899a8ecc6416023fb with gcc (GCC) 10.2.1 20210217 kernel signature: ca8bbab1fa43cf8da58aa423dd561b096a0269ba9d9cc0d4c6409e1965386dd8 run #0: crashed: possible deadlock in io_link_timeout_fn run #1: crashed: possible deadlock in io_timeout_fn run #2: crashed: possible deadlock in io_timeout_fn run #3: crashed: possible deadlock in io_link_timeout_fn run #4: crashed: possible deadlock in io_timeout_fn run #5: crashed: possible deadlock in io_link_timeout_fn run #6: crashed: possible deadlock in io_link_timeout_fn run #7: crashed: possible deadlock in io_link_timeout_fn run #8: crashed: possible deadlock in io_link_timeout_fn run #9: crashed: possible deadlock in io_link_timeout_fn # git bisect bad 4e32635834a30b8aa9583d3899a8ecc6416023fb Bisecting: 15 revisions left to test after this (roughly 4 steps) [c5eef2b9449ba267f53bfa7cf63d2bc93acbee32] io_uring: take comp_state from ctx testing commit c5eef2b9449ba267f53bfa7cf63d2bc93acbee32 with gcc (GCC) 10.2.1 20210217 kernel signature: e91e7aacb477ebc6debad6feb0c9fe263b485f69b2b2720f63c7dd79f8f476fe all runs: OK # git bisect good c5eef2b9449ba267f53bfa7cf63d2bc93acbee32 Bisecting: 7 revisions left to test after this (roughly 3 steps) [e68a3ff8c342b655f01f74a577c15605eec9aa12] io_uring: assign file_slot prior to calling io_sqe_file_register() testing commit e68a3ff8c342b655f01f74a577c15605eec9aa12 with gcc (GCC) 10.2.1 20210217 kernel signature: a9a3c790e39cb53ac00722e4ee824df1548220503316937f33bd7202b6d75e8b run #0: crashed: possible deadlock in io_timeout_fn run #1: crashed: WARNING: refcount bug in io_link_timeout_fn run #2: crashed: possible deadlock in io_link_timeout_fn run #3: crashed: possible deadlock in io_link_timeout_fn run #4: crashed: possible deadlock in io_link_timeout_fn run #5: crashed: possible deadlock in tctx_task_work run #6: crashed: WARNING: refcount bug in io_link_timeout_fn run #7: crashed: possible deadlock in io_link_timeout_fn run #8: crashed: possible deadlock in tctx_task_work run #9: crashed: possible deadlock in io_link_timeout_fn # git bisect bad e68a3ff8c342b655f01f74a577c15605eec9aa12 Bisecting: 3 revisions left to test after this (roughly 2 steps) [91f245d5d5de0802428a478802ec051f7de2f5d6] io_uring: enable kmemcg account for io_uring requests testing commit 91f245d5d5de0802428a478802ec051f7de2f5d6 with gcc (GCC) 10.2.1 20210217 kernel signature: 96b0b6ef396a3043598499c1448ae527f3c25fc2686e572076d470dc896863b3 run #0: crashed: WARNING: refcount bug in io_link_timeout_fn run #1: crashed: possible deadlock in tctx_task_work run #2: crashed: possible deadlock in tctx_task_work run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky # git bisect bad 91f245d5d5de0802428a478802ec051f7de2f5d6 Bisecting: 1 revision left to test after this (roughly 1 step) [ed670c3f90a67d9e16ab6d8893be6f072d79cd4c] io_uring: fix possible deadlock in io_uring_poll testing commit ed670c3f90a67d9e16ab6d8893be6f072d79cd4c with gcc (GCC) 10.2.1 20210217 kernel signature: 4ebc642cd675f12df699e10cdef2420c51040bf06875a487f241ea6428a01a27 all runs: OK # git bisect good ed670c3f90a67d9e16ab6d8893be6f072d79cd4c Bisecting: 0 revisions left to test after this (roughly 0 steps) [c7dae4ba46c9d7d56430b800907b708711995414] io_uring: enable req cache for IRQ driven IO testing commit c7dae4ba46c9d7d56430b800907b708711995414 with gcc (GCC) 10.2.1 20210217 kernel signature: 951733e9e1e7b60b15c809f9ab4e96cdd072f9cb23b1339087fb66418887ecd5 all runs: OK # git bisect good c7dae4ba46c9d7d56430b800907b708711995414 91f245d5d5de0802428a478802ec051f7de2f5d6 is the first bad commit commit 91f245d5d5de0802428a478802ec051f7de2f5d6 Author: Jens Axboe Date: Tue Feb 9 13:48:50 2021 -0700 io_uring: enable kmemcg account for io_uring requests This puts io_uring under the memory cgroups accounting and limits for requests. Signed-off-by: Jens Axboe fs/io_uring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) culprit signature: 96b0b6ef396a3043598499c1448ae527f3c25fc2686e572076d470dc896863b3 parent signature: 951733e9e1e7b60b15c809f9ab4e96cdd072f9cb23b1339087fb66418887ecd5 Reproducer flagged being flaky revisions tested: 20, total time: 5h21m9.318321764s (build: 2h19m6.508793088s, test: 2h59m51.979251255s) first bad commit: 91f245d5d5de0802428a478802ec051f7de2f5d6 io_uring: enable kmemcg account for io_uring requests recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: possible deadlock in tctx_task_work ======================================================== WARNING: possible irq lock inversion dependency detected 5.11.0-rc6-syzkaller #0 Not tainted -------------------------------------------------------- syz-executor913/1715 just changed the state of lock: ffff88801e107978 (&tctx->task_lock ){+...}-{2:2} , at: spin_lock include/linux/spinlock.h:354 [inline] , at: __tctx_task_work fs/io_uring.c:2193 [inline] , at: tctx_task_work+0x85/0x310 fs/io_uring.c:2232 but this lock was taken by another, HARDIRQ-safe lock in the past: ( &ctx->completion_lock ){-...}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock( &tctx->task_lock ); local_irq_disable(); lock(&ctx->completion_lock ); lock( &tctx->task_lock ); lock(&ctx->completion_lock ); *** DEADLOCK *** no locks held by syz-executor913/1715. the shortest dependencies between 2nd lock and 1st lock: -> (&ctx->completion_lock ){-...}-{2:2} { IN-HARDIRQ-W at: lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:159 io_timeout_fn+0x6a/0x390 fs/io_uring.c:5770 __run_hrtimer kernel/time/hrtimer.c:1519 [inline] __hrtimer_run_queues+0x4d7/0xb00 kernel/time/hrtimer.c:1583 hrtimer_interrupt+0x300/0x930 kernel/time/hrtimer.c:1645 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1085 [inline] __sysvec_apic_timer_interrupt+0x146/0x540 arch/x86/kernel/apic/apic.c:1102 asm_call_irq_on_stack+0xf/0x20 __run_sysvec_on_irqstack arch/x86/include/asm/irq_stack.h:37 [inline] run_sysvec_on_irqstack_cond arch/x86/include/asm/irq_stack.h:89 [inline] sysvec_apic_timer_interrupt+0xbd/0x100 arch/x86/kernel/apic/apic.c:1096 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:629 __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline] _raw_spin_unlock_irq+0x25/0x40 kernel/locking/spinlock.c:199 spin_unlock_irq include/linux/spinlock.h:404 [inline] io_timeout fs/io_uring.c:5979 [inline] io_issue_sqe+0x10ab/0x4910 fs/io_uring.c:6351 __io_queue_sqe+0x1b8/0xc70 fs/io_uring.c:6616 io_queue_link_head fs/io_uring.c:6702 [inline] io_submit_sqe fs/io_uring.c:6749 [inline] io_submit_sqes+0x149f/0x2460 fs/io_uring.c:7005 __do_sys_io_uring_enter+0xb94/0x17d0 fs/io_uring.c:9533 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:159 io_req_complete_post+0x49/0x780 fs/io_uring.c:1925 __io_req_complete fs/io_uring.c:1965 [inline] io_req_complete fs/io_uring.c:1970 [inline] __io_queue_sqe+0x30e/0xc70 fs/io_uring.c:6660 io_submit_sqe fs/io_uring.c:6764 [inline] io_submit_sqes+0x1110/0x2460 fs/io_uring.c:7005 __do_sys_io_uring_enter+0xb94/0x17d0 fs/io_uring.c:9533 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 } ... key at: [] __key.9+0x0/0x40 ... acquired at: __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_task_work_add fs/io_uring.c:2247 [inline] io_req_task_work_add+0x10d/0x500 fs/io_uring.c:2297 io_free_req_deferred fs/io_uring.c:2496 [inline] io_put_req_deferred fs/io_uring.c:2504 [inline] io_kill_timeout.part.0+0x22a/0x390 fs/io_uring.c:1641 io_kill_timeout fs/io_uring.c:1690 [inline] io_flush_timeouts fs/io_uring.c:1709 [inline] io_commit_cqring+0x210/0x9b0 fs/io_uring.c:1717 io_req_complete_post+0x65/0x780 fs/io_uring.c:1927 __io_req_complete fs/io_uring.c:1965 [inline] io_req_complete fs/io_uring.c:1970 [inline] __io_queue_sqe+0x30e/0xc70 fs/io_uring.c:6660 io_submit_sqe fs/io_uring.c:6764 [inline] io_submit_sqes+0x1110/0x2460 fs/io_uring.c:7005 __do_sys_io_uring_enter+0xb94/0x17d0 fs/io_uring.c:9533 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> (&tctx->task_lock ){+...}-{2:2} { HARDIRQ-ON-W at: lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] __tctx_task_work fs/io_uring.c:2193 [inline] tctx_task_work+0x85/0x310 fs/io_uring.c:2232 task_work_run+0xc0/0x160 kernel/task_work.c:140 tracehook_notify_signal include/linux/tracehook.h:212 [inline] handle_signal_work kernel/entry/common.c:145 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x221/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 entry_SYSCALL_64_after_hwframe+0x44/0xa9 INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_task_work_add fs/io_uring.c:2247 [inline] io_req_task_work_add+0x10d/0x500 fs/io_uring.c:2297 io_free_req_deferred fs/io_uring.c:2496 [inline] io_put_req_deferred fs/io_uring.c:2504 [inline] io_kill_timeout.part.0+0x22a/0x390 fs/io_uring.c:1641 io_kill_timeout fs/io_uring.c:1690 [inline] io_flush_timeouts fs/io_uring.c:1709 [inline] io_commit_cqring+0x210/0x9b0 fs/io_uring.c:1717 io_req_complete_post+0x65/0x780 fs/io_uring.c:1927 __io_req_complete fs/io_uring.c:1965 [inline] io_req_complete fs/io_uring.c:1970 [inline] __io_queue_sqe+0x30e/0xc70 fs/io_uring.c:6660 io_submit_sqe fs/io_uring.c:6764 [inline] io_submit_sqes+0x1110/0x2460 fs/io_uring.c:7005 __do_sys_io_uring_enter+0xb94/0x17d0 fs/io_uring.c:9533 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 } ... key at: [] __key.15+0x0/0x40 ... acquired at: mark_usage kernel/locking/lockdep.c:4320 [inline] __lock_acquire+0x87b/0x57d0 kernel/locking/lockdep.c:4786 lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] __tctx_task_work fs/io_uring.c:2193 [inline] tctx_task_work+0x85/0x310 fs/io_uring.c:2232 task_work_run+0xc0/0x160 kernel/task_work.c:140 tracehook_notify_signal include/linux/tracehook.h:212 [inline] handle_signal_work kernel/entry/common.c:145 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x221/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 entry_SYSCALL_64_after_hwframe+0x44/0xa9 stack backtrace: CPU: 1 PID: 1715 Comm: syz-executor913 Not tainted 5.11.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x9a/0xcc lib/dump_stack.c:120 print_irq_inversion_bug kernel/locking/lockdep.c:4413 [inline] check_usage_backwards kernel/locking/lockdep.c:3884 [inline] mark_lock_irq kernel/locking/lockdep.c:3974 [inline] mark_lock.cold+0x6d/0x72 kernel/locking/lockdep.c:4411 mark_usage kernel/locking/lockdep.c:4320 [inline] __lock_acquire+0x87b/0x57d0 kernel/locking/lockdep.c:4786 lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] __tctx_task_work fs/io_uring.c:2193 [inline] tctx_task_work+0x85/0x310 fs/io_uring.c:2232 task_work_run+0xc0/0x160 kernel/task_work.c:140 tracehook_notify_signal include/linux/tracehook.h:212 [inline] handle_signal_work kernel/entry/common.c:145 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x221/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4510d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00000000005efcd8 EFLAGS: 00000216 ORIG_RAX: 00000000000001aa RAX: 0000000000000100 RBX: 0000000000000003 RCX: 00000000004510d9 RDX: 0000000000000000 RSI: 000000000000450c RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000216 R12: 00000000005efd28 R13: 00000000005efd40 R14: 00000000005efd80 R15: 00000000000019f2