=====================================
WARNING: bad unlock balance detected!
6.5.0-rc4-syzkaller #0 Not tainted
-------------------------------------
syz-executor.0/3374 is trying to release lock (&mm->mmap_lock) at:
[] mmap_read_unlock include/linux/mmap_lock.h:173 [inline]
[] maybe_unlock_mmap_for_io mm/internal.h:709 [inline]
[] fault_dirty_shared_page+0x242/0x2b0 mm/memory.c:3003
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor.0/3374:
 #0: ffff888101b69498 (&vma->vm_lock->lock){....}-{3:3}, at: vma_start_read include/linux/mm.h:654 [inline]
 #0: ffff888101b69498 (&vma->vm_lock->lock){....}-{3:3}, at: lock_vma_under_rcu+0xe2/0x2d0 mm/memory.c:5461

stack backtrace:
CPU: 0 PID: 3374 Comm: syz-executor.0 Not tainted 6.5.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8e/0xf0 lib/dump_stack.c:106
 __lock_release kernel/locking/lockdep.c:5438 [inline]
 lock_release+0x1fc/0x2c0 kernel/locking/lockdep.c:5781
 up_read+0x16/0x20 kernel/locking/rwsem.c:1615
 mmap_read_unlock include/linux/mmap_lock.h:173 [inline]
 maybe_unlock_mmap_for_io mm/internal.h:709 [inline]
 fault_dirty_shared_page+0x242/0x2b0 mm/memory.c:3003
 wp_page_shared mm/memory.c:3323 [inline]
 do_wp_page+0x640/0x1c00 mm/memory.c:3392
 handle_pte_fault mm/memory.c:5013 [inline]
 __handle_mm_fault+0x80a/0x1b10 mm/memory.c:5137
 handle_mm_fault+0x39d/0x690 mm/memory.c:5302
 do_user_addr_fault+0x21c/0xb10 arch/x86/mm/fault.c:1342
 handle_page_fault arch/x86/mm/fault.c:1483 [inline]
 exc_page_fault+0x5d/0xb0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f864cd80b1d
Code: 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 83 fa 20 72 37 c5 fe 6f 06 48 83 fa 40 0f 87 b9 00 00 00 c5 fe 6f 4c 16 e0 fe 7f 07 c5 fe 7f 4c 17 e0 0f 01 d6 75 04 c5 f8 77 c3 c5 fc 77
RSP: 002b:00007ffdb78c4e58 EFLAGS: 00010283
RAX: 0000000020001240 RBX: 00007ffdb78c4f68 RCX: 00007f864c923000
RDX: 0000000000000020 RSI: 00007f864c923230 RDI: 0000000020001240
RBP: 0000000000000032 R08: 00007f864cd23000 R09: 00007f864cebef8c
R10: 00007ffdb78c4f90 R11: 0000000000000246 R12: 00007f864c923210
R13: fffffffffffffffe R14: 00007f864c923000 R15: 00007f864c923218
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(tmp < 0): count = 0xffffffffffffff00, magic = 0xffff888100066170, owner = 0x1, curr 0xffff888107e49b40, list empty
WARNING: CPU: 0 PID: 3374 at kernel/locking/rwsem.c:1348 __up_read+0x190/0x210 kernel/locking/rwsem.c:1348
Modules linked in:
CPU: 0 PID: 3374 Comm: syz-executor.0 Not tainted 6.5.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:__up_read+0x190/0x210 kernel/locking/rwsem.c:1348
Code: 8b 4b 68 48 39 c2 48 c7 c2 63 79 33 83 48 c7 c0 91 0b 35 83 48 0f 44 c2 48 8b 13 65 4c 8b 0c 25 80 c8 02 00 50 e8 c0 c9 f7 ff <0f> 0b 58 e9 51 ff ff ff 48 8b 57 58 48 8d 47 58 c6 05 5c 1e 7a 02
RSP: 0000:ffffc90001a0bcf8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888100066170 RCX: 0000000000000000
RDX: ffff888107e49b40 RSI: ffffffff8116e001 RDI: 0000000000000001
RBP: ffff888100066040 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 205d343733335420 R12: 0000000000000004
R13: 0000000000000001 R14: ffff8881036f5540 R15: ffff8881032d36d8
FS:  00005555565d5480(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001240 CR3: 0000000105f9f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 mmap_read_unlock include/linux/mmap_lock.h:173 [inline]
 maybe_unlock_mmap_for_io mm/internal.h:709 [inline]
 fault_dirty_shared_page+0x242/0x2b0 mm/memory.c:3003
 wp_page_shared mm/memory.c:3323 [inline]
 do_wp_page+0x640/0x1c00 mm/memory.c:3392
 handle_pte_fault mm/memory.c:5013 [inline]
 __handle_mm_fault+0x80a/0x1b10 mm/memory.c:5137
 handle_mm_fault+0x39d/0x690 mm/memory.c:5302
 do_user_addr_fault+0x21c/0xb10 arch/x86/mm/fault.c:1342
 handle_page_fault arch/x86/mm/fault.c:1483 [inline]
 exc_page_fault+0x5d/0xb0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f864cd80b1d
Code: 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 83 fa 20 72 37 c5 fe 6f 06 48 83 fa 40 0f 87 b9 00 00 00 c5 fe 6f 4c 16 e0 fe 7f 07 c5 fe 7f 4c 17 e0 0f 01 d6 75 04 c5 f8 77 c3 c5 fc 77
RSP: 002b:00007ffdb78c4e58 EFLAGS: 00010283
RAX: 0000000020001240 RBX: 00007ffdb78c4f68 RCX: 00007f864c923000
RDX: 0000000000000020 RSI: 00007f864c923230 RDI: 0000000020001240
RBP: 0000000000000032 R08: 00007f864cd23000 R09: 00007f864cebef8c
R10: 00007ffdb78c4f90 R11: 0000000000000246 R12: 00007f864c923210
R13: fffffffffffffffe R14: 00007f864c923000 R15: 00007f864c923218