========================================================
WARNING: possible irq lock inversion dependency detected
5.7.0-rc4-syzkaller #0 Not tainted
--------------------------------------------------------
syz-executor.1/8486 just changed the state of lock:
ffff8880934d84d8 (&ctx->completion_lock){-...}-{2:2}, at: io_timeout_fn+0x7e/0x3e0 fs/io_uring.c:4664
but this lock took another, HARDIRQ-unsafe lock in the past:
 (&fs->lock){+.+.}-{2:2}

and interrupts could create inverse lock ordering between them.

other info that might help us debug this:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&fs->lock);
                               local_irq_disable();
                               lock(&ctx->completion_lock);
                               lock(&fs->lock);
  <Interrupt>
    lock(&ctx->completion_lock);

 *** DEADLOCK ***

1 lock held by syz-executor.1/8486:
 #0: ffff8880934d8428 (&ctx->uring_lock){+.+.}-{3:3}, at: __do_sys_io_uring_enter fs/io_uring.c:7630 [inline]
 #0: ffff8880934d8428 (&ctx->uring_lock){+.+.}-{3:3}, at: __se_sys_io_uring_enter fs/io_uring.c:7589 [inline]
 #0: ffff8880934d8428 (&ctx->uring_lock){+.+.}-{3:3}, at: __x64_sys_io_uring_enter+0x5bb/0x900 fs/io_uring.c:7589

the shortest dependencies between 2nd lock and 1st lock:
 -> (&fs->lock){+.+.}-{2:2} {
    HARDIRQ-ON-W at:
      lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4934
      __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
      _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
      spin_lock include/linux/spinlock.h:353 [inline]
      set_fs_pwd+0x85/0x1e0 fs/fs_struct.c:39
      ksys_chdir+0xe7/0x160 fs/open.c:467
      devtmpfs_setup drivers/base/devtmpfs.c:391 [inline]
      devtmpfsd+0x82/0xf0 drivers/base/devtmpfs.c:401
      kthread+0x340/0x410 kernel/kthread.c:268
      ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
    SOFTIRQ-ON-W at:
      lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4934
      __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
      _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
      spin_lock include/linux/spinlock.h:353 [inline]
      set_fs_pwd+0x85/0x1e0 fs/fs_struct.c:39
      ksys_chdir+0xe7/0x160 fs/open.c:467
      devtmpfs_setup drivers/base/devtmpfs.c:391 [inline]
      devtmpfsd+0x82/0xf0 drivers/base/devtmpfs.c:401
      kthread+0x340/0x410 kernel/kthread.c:268
      ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
    INITIAL USE at:
      lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4934
      __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
      _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
      spin_lock include/linux/spinlock.h:353 [inline]
      set_fs_pwd+0x85/0x1e0 fs/fs_struct.c:39
      ksys_chdir+0xe7/0x160 fs/open.c:467
      devtmpfs_setup drivers/base/devtmpfs.c:391 [inline]
      devtmpfsd+0x82/0xf0 drivers/base/devtmpfs.c:401
      kthread+0x340/0x410 kernel/kthread.c:268
      ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
  }
  ... key at: [] __key.29200+0x0/0x40
  ... acquired at:
    __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
    _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
    spin_lock include/linux/spinlock.h:353 [inline]
    io_req_work_drop_env fs/io_uring.c:1057 [inline]
    __io_req_aux_free+0x315/0xa70 fs/io_uring.c:1380
    __io_free_req+0x19/0x4e0 fs/io_uring.c:1385
    __io_double_put_req fs/io_uring.c:1654 [inline]
    io_fail_links fs/io_uring.c:1531 [inline]
    io_req_find_next+0x44a/0x610 fs/io_uring.c:1553
    io_steal_work+0xe7/0x350 fs/io_uring.c:1640
    io_worker_handle_work+0x5c8/0x1360 fs/io-wq.c:531
    io_wqe_worker+0xa38/0xf40 fs/io-wq.c:576
    kthread+0x340/0x410 kernel/kthread.c:268
    ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

 -> (&ctx->completion_lock){-...}-{2:2} {
    IN-HARDIRQ-W at:
      lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4934
      __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
      _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159
      io_timeout_fn+0x7e/0x3e0 fs/io_uring.c:4664
      __run_hrtimer kernel/time/hrtimer.c:1520 [inline]
      __hrtimer_run_queues+0x1f0/0xb60 kernel/time/hrtimer.c:1584
      hrtimer_interrupt+0x2e5/0x770 kernel/time/hrtimer.c:1646
      local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 [inline]
      smp_apic_timer_interrupt+0x15e/0x5f0 arch/x86/kernel/apic/apic.c:1138
      apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
      arch_local_irq_enable arch/x86/include/asm/paravirt.h:769 [inline]
      __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
      _raw_spin_unlock_irq+0x4e/0x80 kernel/locking/spinlock.c:199
      spin_unlock_irq include/linux/spinlock.h:403 [inline]
      io_timeout fs/io_uring.c:4863 [inline]
      io_issue_sqe+0x1a91/0x44f0 fs/io_uring.c:5262
      __io_queue_sqe.part.94+0x216/0xcf0 fs/io_uring.c:5638
      io_submit_sqe fs/io_uring.c:5793 [inline]
      io_submit_sqes+0x14bf/0x2210 fs/io_uring.c:5994
      __do_sys_io_uring_enter fs/io_uring.c:7631 [inline]
      __se_sys_io_uring_enter fs/io_uring.c:7589 [inline]
      __x64_sys_io_uring_enter+0x5cf/0x900 fs/io_uring.c:7589
      do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
      entry_SYSCALL_64_after_hwframe+0x49/0xb3
    INITIAL USE at:
      lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4934
      __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
      _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159
      __io_cqring_add_event+0x41/0x80 fs/io_uring.c:1291
      io_cqring_add_event fs/io_uring.c:1301 [inline]
      io_epoll_ctl fs/io_uring.c:3299 [inline]
      io_issue_sqe+0xd88/0x44f0 fs/io_uring.c:5366
      io_wq_submit_work+0x8d/0x130 fs/io_uring.c:5441
      io_worker_handle_work+0x5c8/0x1360 fs/io-wq.c:531
      io_wqe_worker+0xa38/0xf40 fs/io-wq.c:576
      kthread+0x340/0x410 kernel/kthread.c:268
      ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
  }
  ... key at: [] __key.82900+0x0/0x40
  ... acquired at:
    mark_lock_irq kernel/locking/lockdep.c:3585 [inline]
    mark_lock+0x2ab/0x620 kernel/locking/lockdep.c:3935
    mark_usage kernel/locking/lockdep.c:3831 [inline]
    __lock_acquire+0x142c/0x3690 kernel/locking/lockdep.c:4309
    lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4934
    __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
    _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159
    io_timeout_fn+0x7e/0x3e0 fs/io_uring.c:4664
    __run_hrtimer kernel/time/hrtimer.c:1520 [inline]
    __hrtimer_run_queues+0x1f0/0xb60 kernel/time/hrtimer.c:1584
    hrtimer_interrupt+0x2e5/0x770 kernel/time/hrtimer.c:1646
    local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 [inline]
    smp_apic_timer_interrupt+0x15e/0x5f0 arch/x86/kernel/apic/apic.c:1138
    apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
    arch_local_irq_enable arch/x86/include/asm/paravirt.h:769 [inline]
    __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
    _raw_spin_unlock_irq+0x4e/0x80 kernel/locking/spinlock.c:199
    spin_unlock_irq include/linux/spinlock.h:403 [inline]
    io_timeout fs/io_uring.c:4863 [inline]
    io_issue_sqe+0x1a91/0x44f0 fs/io_uring.c:5262
    __io_queue_sqe.part.94+0x216/0xcf0 fs/io_uring.c:5638
    io_submit_sqe fs/io_uring.c:5793 [inline]
    io_submit_sqes+0x14bf/0x2210 fs/io_uring.c:5994
    __do_sys_io_uring_enter fs/io_uring.c:7631 [inline]
    __se_sys_io_uring_enter fs/io_uring.c:7589 [inline]
    __x64_sys_io_uring_enter+0x5cf/0x900 fs/io_uring.c:7589
    do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
    entry_SYSCALL_64_after_hwframe+0x49/0xb3

stack backtrace:
CPU: 1 PID: 8486 Comm: syz-executor.1 Not tainted 5.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_irq_inversion_bug kernel/locking/lockdep.c:3448 [inline]
 check_usage_forwards.cold.63+0x20/0x29 kernel/locking/lockdep.c:3472
 mark_lock_irq kernel/locking/lockdep.c:3585 [inline]
 mark_lock+0x2ab/0x620 kernel/locking/lockdep.c:3935
 mark_usage kernel/locking/lockdep.c:3831 [inline]
 __lock_acquire+0x142c/0x3690 kernel/locking/lockdep.c:4309
 lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4934
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x95/0xc0 kernel/locking/spinlock.c:159
 io_timeout_fn+0x7e/0x3e0 fs/io_uring.c:4664
 __run_hrtimer kernel/time/hrtimer.c:1520 [inline]
 __hrtimer_run_queues+0x1f0/0xb60 kernel/time/hrtimer.c:1584
 hrtimer_interrupt+0x2e5/0x770 kernel/time/hrtimer.c:1646
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 [inline]
 smp_apic_timer_interrupt+0x15e/0x5f0 arch/x86/kernel/apic/apic.c:1138
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x4e/0x80 kernel/locking/spinlock.c:199
Code: d4 88 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 31 48 83 3d 0b 0d a7 01 00 74 25 fb 66 0f 1f 44 00 00 01 00 00 00 e8 c8 99 19 fa 65 8b 05 09 c4 d4 78 85 c0 74 02 5b
RSP: 0018:ffffc9000962f8c0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffff8880934d84c0 RCX: 0000000000000006
RDX: 1ffffffff11a8cf6 RSI: 0000000000000008 RDI: ffffffff88d467b0
RBP: ffffc9000962fa60 R08: fffffbfff16ae366 R09: fffffbfff16ae366
R10: ffffffff8b571b2f R11: fffffbfff16ae365 R12: ffff888091952440
R13: 0000000000000000 R14: ffff8880934d8000 R15: ffff888091952498
 spin_unlock_irq include/linux/spinlock.h:403 [inline]
 io_timeout fs/io_uring.c:4863 [inline]
 io_issue_sqe+0x1a91/0x44f0 fs/io_uring.c:5262
 __io_queue_sqe.part.94+0x216/0xcf0 fs/io_uring.c:5638
 io_submit_sqe fs/io_uring.c:5793 [inline]
 io_submit_sqes+0x14bf/0x2210 fs/io_uring.c:5994
 __do_sys_io_uring_enter fs/io_uring.c:7631 [inline]
 __se_sys_io_uring_enter fs/io_uring.c:7589 [inline]
 __x64_sys_io_uring_enter+0x5cf/0x900 fs/io_uring.c:7589
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ce69
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f64aebc3c78 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 0000000000008280 RCX: 000000000045ce69
RDX: 0000000000000000 RSI: 000000000000450c RDI: 0000000000000005
RBP: 000000000118bf78 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffcf8c1978f R14: 00007f64aebc49c0 R15: 000000000118bf2c