bisecting cause commit starting from ab6f762f0f53162d41497708b33c9a3236d3609e building syzkaller on a8c6a3f8da30ccf825c6001c81a8adff21829c30 testing commit ab6f762f0f53162d41497708b33c9a3236d3609e with gcc (GCC) 8.1.0 kernel signature: c60aa873344710ae55e8c6f92fd74de4d79453ed10730405f8af10e943857e7b run #0: crashed: possible deadlock in shmem_mfill_atomic_pte run #1: crashed: possible deadlock in shmem_mfill_atomic_pte run #2: crashed: possible deadlock in shmem_mfill_atomic_pte run #3: crashed: possible deadlock in shmem_mfill_atomic_pte run #4: crashed: possible deadlock in shmem_mfill_atomic_pte run #5: crashed: possible deadlock in shmem_mfill_atomic_pte run #6: crashed: possible deadlock in shmem_mfill_atomic_pte run #7: crashed: possible deadlock in shmem_mfill_atomic_pte run #8: crashed: possible deadlock in shmem_mfill_atomic_pte run #9: crashed: possible deadlock in shmem_uncharge testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: e4a040a5420c43043ea2d5e37c6ab542f1948754f5e031c8480dfaa5d34c9dc0 all runs: OK # git bisect start ab6f762f0f53162d41497708b33c9a3236d3609e 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 6783 revisions left to test after this (roughly 13 steps) [4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0 kernel signature: a025b25458281bd7b1a4cec338ea989f0f182fbb4c0a1877b9f7320b90d2cfd0 all runs: OK # git bisect good 4646de87d32526ee87b46c2e0130413367fb5362 Bisecting: 3281 revisions left to test after this (roughly 12 steps) [79f51b7b9c4719303f758ae8406c4e5997ed6aa3] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 79f51b7b9c4719303f758ae8406c4e5997ed6aa3 with gcc (GCC) 8.1.0 kernel signature: 1c7fd87bd38fdf8f44271e93f9ff1a7ade2df80bc110552011643403682e877d all runs: OK # git bisect good 79f51b7b9c4719303f758ae8406c4e5997ed6aa3 Bisecting: 1680 revisions left to test after this (roughly 11 steps) [aa1a8ce533324d12696a9f4b71dbc5eb561a2e04] Merge tag 'trace-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit aa1a8ce533324d12696a9f4b71dbc5eb561a2e04 with gcc (GCC) 8.1.0 kernel signature: 72c327b14fcddf768b3d0491967a7a061686b817493352806723e61adf39486f all runs: OK # git bisect good aa1a8ce533324d12696a9f4b71dbc5eb561a2e04 Bisecting: 903 revisions left to test after this (roughly 10 steps) [04de788e61a576820baf03ff8accc246ca146cb3] Merge tag 'nfs-for-5.7-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 04de788e61a576820baf03ff8accc246ca146cb3 with gcc (GCC) 8.1.0 kernel signature: 1606ea50856ee88e472d4decb971ba0bc123997ac94a206ad0fc6db746cde440 all runs: OK # git bisect good 04de788e61a576820baf03ff8accc246ca146cb3 Bisecting: 451 revisions left to test after this (roughly 9 steps) [9b06860d7c1f1f4cb7d70f92e47dfa4a91bd5007] Merge tag 'libnvdimm-for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm testing commit 9b06860d7c1f1f4cb7d70f92e47dfa4a91bd5007 with gcc (GCC) 8.1.0 kernel signature: a77da4cf6a588c65a9cbb5d59455000a94d6c9cee68874dc58518ef38ef5645a run #0: crashed: possible deadlock in shmem_mfill_atomic_pte run #1: crashed: possible deadlock in shmem_mfill_atomic_pte run #2: crashed: possible deadlock in shmem_mfill_atomic_pte run #3: crashed: possible deadlock in shmem_uncharge run #4: crashed: possible deadlock in shmem_mfill_atomic_pte run #5: crashed: possible deadlock in shmem_mfill_atomic_pte run #6: crashed: possible deadlock in shmem_mfill_atomic_pte run #7: crashed: possible deadlock in shmem_mfill_atomic_pte run #8: crashed: possible deadlock in shmem_mfill_atomic_pte run #9: crashed: possible deadlock in shmem_mfill_atomic_pte # git bisect bad 9b06860d7c1f1f4cb7d70f92e47dfa4a91bd5007 Bisecting: 234 revisions left to test after this (roughly 8 steps) [8645f09bad14df3776484b44933a41c446343087] Merge tag 'mfd-next-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd testing commit 8645f09bad14df3776484b44933a41c446343087 with gcc (GCC) 8.1.0 kernel signature: aabcda720eb61190fe564885f7d35a915f585d1842de3a52147fca438e458d64 run #0: crashed: possible deadlock in shmem_mfill_atomic_pte run #1: crashed: possible deadlock in shmem_uncharge run #2: crashed: possible deadlock in shmem_mfill_atomic_pte run #3: crashed: possible deadlock in shmem_mfill_atomic_pte run #4: crashed: possible deadlock in shmem_mfill_atomic_pte run #5: crashed: possible deadlock in shmem_mfill_atomic_pte run #6: crashed: possible deadlock in shmem_mfill_atomic_pte run #7: crashed: possible deadlock in shmem_mfill_atomic_pte run #8: crashed: possible deadlock in shmem_mfill_atomic_pte run #9: crashed: possible deadlock in shmem_mfill_atomic_pte # git bisect bad 8645f09bad14df3776484b44933a41c446343087 Bisecting: 108 revisions left to test after this (roughly 7 steps) [30428ef5d1e8caf78639cc70a802f1cb7b1cec04] lib/test_lockup: test module to generate lockups testing commit 30428ef5d1e8caf78639cc70a802f1cb7b1cec04 with gcc (GCC) 8.1.0 kernel signature: d810cfb69257a80410df2f5c5c3e9dcb1312a10504c2a11e022237f6d4f2213c run #0: crashed: possible deadlock in shmem_mfill_atomic_pte run #1: crashed: possible deadlock in shmem_mfill_atomic_pte run #2: crashed: possible deadlock in shmem_mfill_atomic_pte run #3: crashed: possible deadlock in shmem_mfill_atomic_pte run #4: crashed: possible deadlock in shmem_mfill_atomic_pte run #5: crashed: possible deadlock in shmem_mfill_atomic_pte run #6: crashed: possible deadlock in shmem_mfill_atomic_pte run #7: crashed: possible deadlock in shmem_mfill_atomic_pte run #8: crashed: possible deadlock in shmem_mfill_atomic_pte run #9: crashed: possible deadlock in shmem_uncharge # git bisect bad 30428ef5d1e8caf78639cc70a802f1cb7b1cec04 Bisecting: 53 revisions left to test after this (roughly 6 steps) [dccacf8def2b718528754867b58b37734b59b0d7] mm/page_ext.c: drop pfn_present() check when onlining testing commit dccacf8def2b718528754867b58b37734b59b0d7 with gcc (GCC) 8.1.0 kernel signature: 1004be396e1ac9f308a8fff57523cd725ae3934504f695f7779c0cb081c77037 all runs: OK # git bisect good dccacf8def2b718528754867b58b37734b59b0d7 Bisecting: 26 revisions left to test after this (roughly 5 steps) [81aba9e06ba8cc1e2494258bc4b48875af522f32] mm/slub: add missing annotation for put_map() testing commit 81aba9e06ba8cc1e2494258bc4b48875af522f32 with gcc (GCC) 8.1.0 kernel signature: ef1b84d10bc06045934d934914ad6c317d1bd8983e5f19809e8d36c8c14c0367 run #0: crashed: possible deadlock in shmem_mfill_atomic_pte run #1: crashed: possible deadlock in shmem_uncharge run #2: crashed: possible deadlock in shmem_mfill_atomic_pte run #3: crashed: possible deadlock in shmem_mfill_atomic_pte run #4: crashed: possible deadlock in shmem_mfill_atomic_pte run #5: crashed: possible deadlock in shmem_mfill_atomic_pte run #6: crashed: possible deadlock in shmem_mfill_atomic_pte run #7: crashed: possible deadlock in shmem_mfill_atomic_pte run #8: crashed: possible deadlock in shmem_mfill_atomic_pte run #9: crashed: possible deadlock in shmem_uncharge # git bisect bad 81aba9e06ba8cc1e2494258bc4b48875af522f32 Bisecting: 13 revisions left to test after this (roughly 4 steps) [bc58ebd506c369c26337cf6b1a400af1a25c989c] hv_balloon: don't check for memhp_auto_online manually testing commit bc58ebd506c369c26337cf6b1a400af1a25c989c with gcc (GCC) 8.1.0 kernel signature: d80b52479a33571f481c841e399830329fd3b402de95468df6c37503062731fe all runs: OK # git bisect good bc58ebd506c369c26337cf6b1a400af1a25c989c Bisecting: 6 revisions left to test after this (roughly 3 steps) [71725ed10c40696dc6bdccf8e225815dcef24dba] mm: huge tmpfs: try to split_huge_page() when punching hole testing commit 71725ed10c40696dc6bdccf8e225815dcef24dba with gcc (GCC) 8.1.0 kernel signature: e8806b6e45970e875bfb66536dbc5de2298a5e57a462784627022d117dbc897b run #0: crashed: possible deadlock in shmem_mfill_atomic_pte run #1: crashed: possible deadlock in shmem_mfill_atomic_pte run #2: crashed: possible deadlock in shmem_mfill_atomic_pte run #3: crashed: possible deadlock in shmem_mfill_atomic_pte run #4: crashed: possible deadlock in shmem_mfill_atomic_pte run #5: crashed: possible deadlock in shmem_mfill_atomic_pte run #6: crashed: possible deadlock in shmem_mfill_atomic_pte run #7: crashed: possible deadlock in shmem_mfill_atomic_pte run #8: crashed: possible deadlock in shmem_uncharge run #9: crashed: possible deadlock in shmem_mfill_atomic_pte # git bisect bad 71725ed10c40696dc6bdccf8e225815dcef24dba Bisecting: 3 revisions left to test after this (roughly 2 steps) [5f47adf762b78cae97de58d9ff01d2d44db09467] mm/memory_hotplug: allow to specify a default online_type testing commit 5f47adf762b78cae97de58d9ff01d2d44db09467 with gcc (GCC) 8.1.0 kernel signature: 1410e09484fe98c66fec3be817c962f747a0aa1ac0e7cfc9191e32dcd91711d7 all runs: OK # git bisect good 5f47adf762b78cae97de58d9ff01d2d44db09467 Bisecting: 1 revision left to test after this (roughly 1 step) [27d80fa24326b7b33c8ee7527843776e5df808a7] mm/shmem.c: distribute switch variables for initialization testing commit 27d80fa24326b7b33c8ee7527843776e5df808a7 with gcc (GCC) 8.1.0 kernel signature: 515c8ef34a1932a1886e1677d284d4a0b9375f3aaf41c0a46b0429bfbafa814f all runs: OK # git bisect good 27d80fa24326b7b33c8ee7527843776e5df808a7 Bisecting: 0 revisions left to test after this (roughly 0 steps) [343c3d7f0927e000427fae5e361aa560f83dd5b5] mm/shmem.c: clean code by removing unnecessary assignment testing commit 343c3d7f0927e000427fae5e361aa560f83dd5b5 with gcc (GCC) 8.1.0 kernel signature: 246fdf3d081de8732e3007d8bb4c4ac19ccf45b61b055727c211b65584a144e5 all runs: OK # git bisect good 343c3d7f0927e000427fae5e361aa560f83dd5b5 71725ed10c40696dc6bdccf8e225815dcef24dba is the first bad commit commit 71725ed10c40696dc6bdccf8e225815dcef24dba Author: Hugh Dickins Date: Mon Apr 6 20:07:57 2020 -0700 mm: huge tmpfs: try to split_huge_page() when punching hole Yang Shi writes: Currently, when truncating a shmem file, if the range is partly in a THP (start or end is in the middle of THP), the pages actually will just get cleared rather than being freed, unless the range covers the whole THP. Even though all the subpages are truncated (randomly or sequentially), the THP may still be kept in page cache. This might be fine for some usecases which prefer preserving THP, but balloon inflation is handled in base page size. So when using shmem THP as memory backend, QEMU inflation actually doesn't work as expected since it doesn't free memory. But the inflation usecase really needs to get the memory freed. (Anonymous THP will also not get freed right away, but will be freed eventually when all subpages are unmapped: whereas shmem THP still stays in page cache.) Split THP right away when doing partial hole punch, and if split fails just clear the page so that read of the punched area will return zeroes. Hugh Dickins adds: Our earlier "team of pages" huge tmpfs implementation worked in the way that Yang Shi proposes; and we have been using this patch to continue to split the huge page when hole-punched or truncated, since converting over to the compound page implementation. Although huge tmpfs gives out huge pages when available, if the user specifically asks to truncate or punch a hole (perhaps to free memory, perhaps to reduce the memcg charge), then the filesystem should do so as best it can, splitting the huge page. That is not always possible: any additional reference to the huge page prevents split_huge_page() from succeeding, so the result can be flaky. But in practice it works successfully enough that we've not seen any problem from that. Add shmem_punch_compound() to encapsulate the decision of when a split is needed, and doing the split if so. Using this simplifies the flow in shmem_undo_range(); and the first (trylock) pass does not need to do any page clearing on failure, because the second pass will either succeed or do that clearing. Following the example of zero_user_segment() when clearing a partial page, add flush_dcache_page() and set_page_dirty() when clearing a hole - though I'm not certain that either is needed. But: split_huge_page() would be sure to fail if shmem_undo_range()'s pagevec holds further references to the huge page. The easiest way to fix that is for find_get_entries() to return early, as soon as it has put one compound head or tail into the pagevec. At first this felt like a hack; but on examination, this convention better suits all its callers - or will do, if the slight one-page-per-pagevec slowdown in shmem_unlock_mapping() and shmem_seek_hole_data() is transformed into a 512-page-per-pagevec speedup by checking for compound pages there. Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Cc: Yang Shi Cc: Alexander Duyck Cc: "Michael S. Tsirkin" Cc: David Hildenbrand Cc: "Kirill A. Shutemov" Cc: Matthew Wilcox Cc: Andrea Arcangeli Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2002261959020.10801@eggly.anvils Signed-off-by: Linus Torvalds mm/filemap.c | 14 ++++++++- mm/shmem.c | 98 ++++++++++++++++++++++++++---------------------------------- mm/swap.c | 4 +++ 3 files changed, 60 insertions(+), 56 deletions(-) culprit signature: e8806b6e45970e875bfb66536dbc5de2298a5e57a462784627022d117dbc897b parent signature: 246fdf3d081de8732e3007d8bb4c4ac19ccf45b61b055727c211b65584a144e5 revisions tested: 16, total time: 3h35m42.197031022s (build: 1h33m10.642707412s, test: 2h1m33.505967743s) first bad commit: 71725ed10c40696dc6bdccf8e225815dcef24dba mm: huge tmpfs: try to split_huge_page() when punching hole cc: ["akpm@linux-foundation.org" "hughd@google.com" "torvalds@linux-foundation.org"] crash: possible deadlock in shmem_mfill_atomic_pte ======================================================== WARNING: possible irq lock inversion dependency detected 5.6.0-syzkaller #0 Not tainted -------------------------------------------------------- syz-executor.3/8472 just changed the state of lock: ffff88809711b238 (&info->lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:353 [inline] ffff88809711b238 (&info->lock){+.+.}-{2:2}, at: shmem_mfill_atomic_pte+0xc21/0x19c0 mm/shmem.c:2402 but this lock was taken by another, SOFTIRQ-safe lock in the past: (&xa->xa_lock#4){..-.}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&info->lock); local_irq_disable(); lock(&xa->xa_lock#4); lock(&info->lock); lock(&xa->xa_lock#4); *** DEADLOCK *** 2 locks held by syz-executor.3/8472: #0: ffff888099ca3a28 (&mm->mmap_sem#2){++++}-{3:3}, at: __mcopy_atomic mm/userfaultfd.c:491 [inline] #0: ffff888099ca3a28 (&mm->mmap_sem#2){++++}-{3:3}, at: mcopy_atomic+0x131/0x2050 mm/userfaultfd.c:632 #1: ffff8880a0ff0d38 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:353 [inline] #1: ffff8880a0ff0d38 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: shmem_mfill_atomic_pte+0xbaf/0x19c0 mm/shmem.c:2389 the shortest dependencies between 2nd lock and 1st lock: -> (&xa->xa_lock#4){..-.}-{2:2} { IN-SOFTIRQ-W at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159 test_clear_page_writeback+0x18f/0xd50 mm/page-writeback.c:2728 end_page_writeback+0x17d/0x350 mm/filemap.c:1317 end_bio_bh_io_sync+0xb4/0x100 fs/buffer.c:3012 req_bio_endio block/blk-core.c:245 [inline] blk_update_request+0x294/0xa60 block/blk-core.c:1472 scsi_end_request+0x77/0x5e0 drivers/scsi/scsi_lib.c:575 scsi_io_completion+0x1a0/0xfc0 drivers/scsi/scsi_lib.c:959 blk_done_softirq+0x2b1/0x400 block/blk-softirq.c:37 __do_softirq+0x26e/0xa0c kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x191/0x1d0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] do_IRQ+0xd9/0x260 arch/x86/kernel/irq.c:263 ret_from_intr+0x0/0x2b arch_local_irq_restore arch/x86/include/asm/paravirt.h:759 [inline] qlink_free mm/kasan/quarantine.c:151 [inline] qlist_free_all+0xe4/0x130 mm/kasan/quarantine.c:167 quarantine_reduce+0x158/0x1a0 mm/kasan/quarantine.c:260 __kasan_kmalloc.constprop.17+0x98/0xd0 mm/kasan/common.c:499 slab_post_alloc_hook mm/slab.h:586 [inline] slab_alloc mm/slab.c:3320 [inline] kmem_cache_alloc+0x11b/0x750 mm/slab.c:3484 getname_flags+0xb5/0x500 fs/namei.c:138 user_path_at_empty+0x18/0x40 fs/namei.c:2632 user_path_at include/linux/namei.h:59 [inline] vfs_statx+0xb5/0x130 fs/stat.c:197 vfs_lstat include/linux/fs.h:3284 [inline] __do_sys_newlstat+0x77/0xd0 fs/stat.c:364 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 INITIAL USE at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0x5e/0x80 kernel/locking/spinlock.c:167 spin_lock_irq include/linux/spinlock.h:378 [inline] __add_to_page_cache_locked+0x4f0/0x9f0 mm/filemap.c:855 add_to_page_cache_lru+0x136/0x490 mm/filemap.c:921 do_read_cache_page+0x2f9/0xaa0 mm/filemap.c:2755 read_mapping_page include/linux/pagemap.h:397 [inline] read_part_sector+0xd8/0x486 block/partitions/core.c:643 adfspart_check_ICS+0x92/0xb30 block/partitions/acorn.c:360 check_partition block/partitions/core.c:140 [inline] blk_add_partitions+0x396/0xc80 block/partitions/core.c:571 bdev_disk_changed+0x175/0x290 fs/block_dev.c:1544 __blkdev_get+0x8dd/0x1180 fs/block_dev.c:1647 register_disk block/genhd.c:763 [inline] __device_add_disk+0xc49/0xf60 block/genhd.c:853 add_disk include/linux/genhd.h:294 [inline] brd_init+0x206/0x392 drivers/block/brd.c:533 do_one_initcall+0xc3/0x580 init/main.c:1158 do_initcall_level init/main.c:1231 [inline] do_initcalls init/main.c:1247 [inline] do_basic_setup init/main.c:1267 [inline] kernel_init_freeable+0x48b/0x4ff init/main.c:1451 kernel_init+0x7/0x102 init/main.c:1358 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 } ... key at: [] __key.18058+0x0/0x40 ... acquired at: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159 shmem_uncharge+0x1f/0x230 mm/shmem.c:341 __split_huge_page mm/huge_memory.c:2613 [inline] split_huge_page_to_list+0x1b95/0x2690 mm/huge_memory.c:2886 split_huge_page include/linux/huge_mm.h:204 [inline] shmem_punch_compound+0xcf/0x130 mm/shmem.c:814 shmem_undo_range+0x597/0x1370 mm/shmem.c:870 shmem_truncate_range+0xf/0x80 mm/shmem.c:980 shmem_setattr+0x806/0xc20 mm/shmem.c:1039 notify_change+0x72f/0xd00 fs/attr.c:336 do_truncate+0xda/0x180 fs/open.c:64 do_sys_ftruncate+0x325/0x430 fs/open.c:195 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 -> (&info->lock){+.+.}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] shmem_mfill_atomic_pte+0xc21/0x19c0 mm/shmem.c:2402 shmem_mcopy_atomic_pte+0xa/0x10 mm/shmem.c:2440 mfill_atomic_pte mm/userfaultfd.c:449 [inline] __mcopy_atomic mm/userfaultfd.c:582 [inline] mcopy_atomic+0x7d5/0x2050 mm/userfaultfd.c:632 userfaultfd_copy fs/userfaultfd.c:1743 [inline] userfaultfd_ioctl+0xaf8/0x36a0 fs/userfaultfd.c:1941 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0xb8/0x110 fs/ioctl.c:763 __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl fs/ioctl.c:770 [inline] __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 SOFTIRQ-ON-W at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] shmem_mfill_atomic_pte+0xc21/0x19c0 mm/shmem.c:2402 shmem_mcopy_atomic_pte+0xa/0x10 mm/shmem.c:2440 mfill_atomic_pte mm/userfaultfd.c:449 [inline] __mcopy_atomic mm/userfaultfd.c:582 [inline] mcopy_atomic+0x7d5/0x2050 mm/userfaultfd.c:632 userfaultfd_copy fs/userfaultfd.c:1743 [inline] userfaultfd_ioctl+0xaf8/0x36a0 fs/userfaultfd.c:1941 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0xb8/0x110 fs/ioctl.c:763 __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl fs/ioctl.c:770 [inline] __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 INITIAL USE at: lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0x5e/0x80 kernel/locking/spinlock.c:167 spin_lock_irq include/linux/spinlock.h:378 [inline] shmem_getpage_gfp+0x946/0x1cb0 mm/shmem.c:1882 shmem_getpage mm/shmem.c:154 [inline] shmem_write_begin+0xcf/0x1b0 mm/shmem.c:2483 generic_perform_write+0x253/0x410 mm/filemap.c:3302 __generic_file_write_iter+0x1ff/0x520 mm/filemap.c:3431 generic_file_write_iter+0x328/0x616 mm/filemap.c:3463 call_write_iter include/linux/fs.h:1907 [inline] new_sync_write+0x417/0x6c0 fs/read_write.c:483 vfs_write+0x18b/0x490 fs/read_write.c:558 ksys_write+0xec/0x1c0 fs/read_write.c:611 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 } ... key at: [] __key.56465+0x0/0x40 ... acquired at: mark_lock_irq kernel/locking/lockdep.c:3585 [inline] mark_lock+0x300/0x760 kernel/locking/lockdep.c:3935 mark_usage kernel/locking/lockdep.c:3852 [inline] __lock_acquire+0x9ce/0x3740 kernel/locking/lockdep.c:4298 lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] shmem_mfill_atomic_pte+0xc21/0x19c0 mm/shmem.c:2402 shmem_mcopy_atomic_pte+0xa/0x10 mm/shmem.c:2440 mfill_atomic_pte mm/userfaultfd.c:449 [inline] __mcopy_atomic mm/userfaultfd.c:582 [inline] mcopy_atomic+0x7d5/0x2050 mm/userfaultfd.c:632 userfaultfd_copy fs/userfaultfd.c:1743 [inline] userfaultfd_ioctl+0xaf8/0x36a0 fs/userfaultfd.c:1941 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0xb8/0x110 fs/ioctl.c:763 __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl fs/ioctl.c:770 [inline] __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 stack backtrace: CPU: 0 PID: 8472 Comm: syz-executor.3 Not tainted 5.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_irq_inversion_bug kernel/locking/lockdep.c:3448 [inline] check_usage_backwards.cold.61+0x1d/0x26 kernel/locking/lockdep.c:3499 mark_lock_irq kernel/locking/lockdep.c:3585 [inline] mark_lock+0x300/0x760 kernel/locking/lockdep.c:3935 mark_usage kernel/locking/lockdep.c:3852 [inline] __lock_acquire+0x9ce/0x3740 kernel/locking/lockdep.c:4298 lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:353 [inline] shmem_mfill_atomic_pte+0xc21/0x19c0 mm/shmem.c:2402 shmem_mcopy_atomic_pte+0xa/0x10 mm/shmem.c:2440 mfill_atomic_pte mm/userfaultfd.c:449 [inline] __mcopy_atomic mm/userfaultfd.c:582 [inline] mcopy_atomic+0x7d5/0x2050 mm/userfaultfd.c:632 userfaultfd_copy fs/userfaultfd.c:1743 [inline] userfaultfd_ioctl+0xaf8/0x36a0 fs/userfaultfd.c:1941 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0xb8/0x110 fs/ioctl.c:763 __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl fs/ioctl.c:770 [inline] __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45c889 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f5ec1defc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f5ec1df06d4 RCX: 000000000045c889 RDX: 00000000200a0fe0 RSI: 00000000c028aa03 RDI: 0000000000000004 RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000005b3 R14: 00000000004c854c R15: 000000000076bf0c