===================================================== WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected 5.18.0-rc1-syzkaller #0 Not tainted ----------------------------------------------------- syz-executor.0/2048 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire: ffff888100e2d420 (&htab->buckets[i].lock){+...}-{2:2}, at: sock_hash_delete_elem+0x4c/0xe0 net/core/sock_map.c:920 and this task is already holding: ffff888237d2d8d8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:554 [inline] ffff888237d2d8d8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1303 [inline] ffff888237d2d8d8 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1601 [inline] ffff888237d2d8d8 (&rq->__lock){-.-.}-{2:2}, at: __schedule+0x156/0xa60 kernel/sched/core.c:6296 which would create a new lock dependency: (&rq->__lock){-.-.}-{2:2} -> (&htab->buckets[i].lock){+...}-{2:2} but this new dependency connects a HARDIRQ-irq-safe lock: (&rq->__lock){-.-.}-{2:2} ... 
which became HARDIRQ-irq-safe at: lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378 raw_spin_rq_lock_nested kernel/sched/core.c:554 [inline] raw_spin_rq_lock kernel/sched/sched.h:1303 [inline] rq_lock kernel/sched/sched.h:1601 [inline] scheduler_tick+0x4a/0x120 kernel/sched/core.c:5339 update_process_times+0xa3/0xb0 kernel/time/timer.c:1790 tick_periodic+0xcb/0xe0 kernel/time/tick-common.c:100 tick_handle_periodic+0x1e/0x80 kernel/time/tick-common.c:112 timer_interrupt+0x13/0x20 arch/x86/kernel/time.c:57 __handle_irq_event_percpu+0xf1/0x390 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] handle_irq_event+0x30/0x70 kernel/irq/handle.c:210 handle_edge_irq+0xd4/0x1f0 kernel/irq/chip.c:817 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] handle_irq arch/x86/kernel/irq.c:231 [inline] __common_interrupt+0xa4/0x150 arch/x86/kernel/irq.c:250 common_interrupt+0xa5/0xd0 arch/x86/kernel/irq.c:240 asm_common_interrupt+0x22/0x40 console_unlock+0x5eb/0x7c0 kernel/printk/printk.c:2779 vprintk_emit+0x80/0x160 kernel/printk/printk.c:2272 _printk+0x58/0x72 kernel/printk/printk.c:2293 landlock_init+0x26/0x29 security/landlock/setup.c:32 initialize_lsm+0x24/0x54 security/security.c:237 ordered_lsm_init+0x204/0x227 security/security.c:361 security_init+0x40/0x46 security/security.c:407 start_kernel+0x30d/0x3e0 init/main.c:1118 secondary_startup_64_no_verify+0xc4/0xcb to a HARDIRQ-irq-unsafe lock: (&htab->buckets[i].lock){+...}-{2:2} ... which became HARDIRQ-irq-unsafe at: ... 
lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 sock_hash_free+0x8e/0x290 net/core/sock_map.c:1137 process_one_work+0x286/0x5b0 kernel/workqueue.c:2289 worker_thread+0x244/0x3f0 kernel/workqueue.c:2436 kthread+0xe5/0x100 kernel/kthread.c:376 ret_from_fork+0x22/0x30

other info that might help us debug this:

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&htab->buckets[i].lock);
                               local_irq_disable();
                               lock(&rq->__lock);
                               lock(&htab->buckets[i].lock);
  <Interrupt>
    lock(&rq->__lock);

 *** DEADLOCK ***

2 locks held by syz-executor.0/2048: #0: ffff888237d2d8d8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:554 [inline] #0: ffff888237d2d8d8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1303 [inline] #0: ffff888237d2d8d8 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1601 [inline] #0: ffff888237d2d8d8 (&rq->__lock){-.-.}-{2:2}, at: __schedule+0x156/0xa60 kernel/sched/core.c:6296 #1: ffffffff83185f30 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30 include/trace/events/initcall.h:48 the dependencies between HARDIRQ-irq-safe lock and the holding lock: -> (&rq->__lock){-.-.}-{2:2} { IN-HARDIRQ-W at: lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378 raw_spin_rq_lock_nested kernel/sched/core.c:554 [inline] raw_spin_rq_lock kernel/sched/sched.h:1303 [inline] rq_lock kernel/sched/sched.h:1601 [inline] scheduler_tick+0x4a/0x120 kernel/sched/core.c:5339 update_process_times+0xa3/0xb0 kernel/time/timer.c:1790 tick_periodic+0xcb/0xe0 kernel/time/tick-common.c:100 tick_handle_periodic+0x1e/0x80 kernel/time/tick-common.c:112 timer_interrupt+0x13/0x20 arch/x86/kernel/time.c:57 __handle_irq_event_percpu+0xf1/0x390 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] 
handle_irq_event+0x30/0x70 kernel/irq/handle.c:210 handle_edge_irq+0xd4/0x1f0 kernel/irq/chip.c:817 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] handle_irq arch/x86/kernel/irq.c:231 [inline] __common_interrupt+0xa4/0x150 arch/x86/kernel/irq.c:250 common_interrupt+0xa5/0xd0 arch/x86/kernel/irq.c:240 asm_common_interrupt+0x22/0x40 console_unlock+0x5eb/0x7c0 kernel/printk/printk.c:2779 vprintk_emit+0x80/0x160 kernel/printk/printk.c:2272 _printk+0x58/0x72 kernel/printk/printk.c:2293 landlock_init+0x26/0x29 security/landlock/setup.c:32 initialize_lsm+0x24/0x54 security/security.c:237 ordered_lsm_init+0x204/0x227 security/security.c:361 security_init+0x40/0x46 security/security.c:407 start_kernel+0x30d/0x3e0 init/main.c:1118 secondary_startup_64_no_verify+0xc4/0xcb IN-SOFTIRQ-W at: lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378 raw_spin_rq_lock_nested kernel/sched/core.c:554 [inline] raw_spin_rq_lock kernel/sched/sched.h:1303 [inline] rq_lock kernel/sched/sched.h:1601 [inline] ttwu_queue kernel/sched/core.c:3873 [inline] try_to_wake_up+0x25f/0x530 kernel/sched/core.c:4198 call_timer_fn+0xe5/0x340 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers+0x16a/0x200 kernel/time/timer.c:1734 run_timer_softirq+0x1f/0x40 kernel/time/timer.c:1747 __do_softirq+0x205/0x51e kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0xb2/0x140 kernel/softirq.c:637 irq_exit_rcu+0x9/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x97/0xb0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x16/0x20 native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] default_idle+0x13/0x20 arch/x86/kernel/process.c:733 default_idle_call+0x4f/0x90 kernel/sched/idle.c:109 cpuidle_idle_call kernel/sched/idle.c:191 [inline] do_idle+0xee/0x290 kernel/sched/idle.c:303 
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:400 start_kernel+0x35d/0x3e0 init/main.c:1140 secondary_startup_64_no_verify+0xc4/0xcb INITIAL USE at: lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378 raw_spin_rq_lock_nested+0x1f/0x30 kernel/sched/core.c:554 raw_spin_rq_lock kernel/sched/sched.h:1303 [inline] _raw_spin_rq_lock_irqsave kernel/sched/sched.h:1322 [inline] rq_attach_root+0x51/0x1b0 kernel/sched/topology.c:469 sched_init+0x30a/0x476 kernel/sched/core.c:9578 start_kernel+0x185/0x3e0 init/main.c:998 secondary_startup_64_no_verify+0xc4/0xcb } ... key at: [] sched_init.__key+0x0/0x10 the dependencies between the lock to be acquired and HARDIRQ-irq-unsafe lock: -> (&htab->buckets[i].lock){+...}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 sock_hash_free+0x8e/0x290 net/core/sock_map.c:1137 process_one_work+0x286/0x5b0 kernel/workqueue.c:2289 worker_thread+0x244/0x3f0 kernel/workqueue.c:2436 kthread+0xe5/0x100 kernel/kthread.c:376 ret_from_fork+0x22/0x30 INITIAL USE at: lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 sock_hash_free+0x8e/0x290 net/core/sock_map.c:1137 process_one_work+0x286/0x5b0 kernel/workqueue.c:2289 worker_thread+0x244/0x3f0 kernel/workqueue.c:2436 kthread+0xe5/0x100 kernel/kthread.c:376 ret_from_fork+0x22/0x30 } ... key at: [] sock_hash_alloc.__key+0x0/0x10 ... 
acquired at: lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 sock_hash_delete_elem+0x4c/0xe0 net/core/sock_map.c:920 ____bpf_map_delete_elem kernel/bpf/helpers.c:69 [inline] bpf_map_delete_elem+0x31/0x40 kernel/bpf/helpers.c:66 ___bpf_prog_run+0x13ea/0x1b70 kernel/bpf/core.c:1835 __bpf_prog_run32+0xbb/0xe0 kernel/bpf/core.c:2062 bpf_dispatcher_nop_func include/linux/bpf.h:804 [inline] __bpf_prog_run include/linux/filter.h:628 [inline] bpf_prog_run include/linux/filter.h:635 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2022 [inline] bpf_trace_run2+0x88/0x140 kernel/trace/bpf_trace.c:2059 trace_contention_end+0xb7/0xe0 include/trace/events/lock.h:120 __pv_queued_spin_lock_slowpath+0x381/0x3c0 kernel/locking/qspinlock.c:560 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline] queued_spin_lock_slowpath+0x11/0x20 arch/x86/include/asm/qspinlock.h:51 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline] do_raw_spin_lock+0x8f/0xa0 kernel/locking/spinlock_debug.c:115 raw_spin_rq_lock_nested kernel/sched/core.c:554 [inline] raw_spin_rq_lock kernel/sched/sched.h:1303 [inline] rq_lock kernel/sched/sched.h:1601 [inline] __schedule+0x156/0xa60 kernel/sched/core.c:6296 preempt_schedule_common kernel/sched/core.c:6547 [inline] __cond_resched+0x34/0x90 kernel/sched/core.c:8154 dentry_kill+0x62/0x120 dput+0xca/0x170 fs/dcache.c:913 __fput+0x16f/0x210 fs/file_table.c:330 task_work_run+0x66/0xa0 kernel/task_work.c:164 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xcd/0xe0 kernel/entry/common.c:169 exit_to_user_mode_prepare+0xb1/0x150 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x62/0x2a0 kernel/entry/common.c:294 do_syscall_64+0x55/0xc0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae 
stack backtrace: CPU: 1 PID: 2048 Comm: syz-executor.0 Not tainted 5.18.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8d/0xdb lib/dump_stack.c:106 print_bad_irq_dependency kernel/locking/lockdep.c:2578 [inline] check_irq_usage kernel/locking/lockdep.c:2817 [inline] check_prev_add kernel/locking/lockdep.c:3068 [inline] check_prevs_add kernel/locking/lockdep.c:3183 [inline] validate_chain+0x20a2/0x20e0 kernel/locking/lockdep.c:3798 __lock_acquire+0x8d8/0xb30 kernel/locking/lockdep.c:5022 lock_acquire+0x101/0x2f0 kernel/locking/lockdep.c:5634 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 sock_hash_delete_elem+0x4c/0xe0 net/core/sock_map.c:920 ____bpf_map_delete_elem kernel/bpf/helpers.c:69 [inline] bpf_map_delete_elem+0x31/0x40 kernel/bpf/helpers.c:66 ___bpf_prog_run+0x13ea/0x1b70 kernel/bpf/core.c:1835 __bpf_prog_run32+0xbb/0xe0 kernel/bpf/core.c:2062 bpf_dispatcher_nop_func include/linux/bpf.h:804 [inline] __bpf_prog_run include/linux/filter.h:628 [inline] bpf_prog_run include/linux/filter.h:635 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2022 [inline] bpf_trace_run2+0x88/0x140 kernel/trace/bpf_trace.c:2059 trace_contention_end+0xb7/0xe0 include/trace/events/lock.h:120 __pv_queued_spin_lock_slowpath+0x381/0x3c0 kernel/locking/qspinlock.c:560 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline] queued_spin_lock_slowpath+0x11/0x20 arch/x86/include/asm/qspinlock.h:51 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline] do_raw_spin_lock+0x8f/0xa0 kernel/locking/spinlock_debug.c:115 raw_spin_rq_lock_nested kernel/sched/core.c:554 [inline] raw_spin_rq_lock kernel/sched/sched.h:1303 [inline] rq_lock kernel/sched/sched.h:1601 [inline] __schedule+0x156/0xa60 kernel/sched/core.c:6296 preempt_schedule_common kernel/sched/core.c:6547 
[inline] __cond_resched+0x34/0x90 kernel/sched/core.c:8154 dentry_kill+0x62/0x120 dput+0xca/0x170 fs/dcache.c:913 __fput+0x16f/0x210 fs/file_table.c:330 task_work_run+0x66/0xa0 kernel/task_work.c:164 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xcd/0xe0 kernel/entry/common.c:169 exit_to_user_mode_prepare+0xb1/0x150 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x62/0x2a0 kernel/entry/common.c:294 do_syscall_64+0x55/0xc0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x559c94b6cc9a Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24 RSP: 002b:00007fffec5681b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000559c94b6cc9a RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000000000000226 R08: 0000001b2c160000 R09: 0000559c94c9bf8c R10: 00007fffec568300 R11: 0000000000000293 R12: 00007f8f72f15910 R13: ffffffffffffffff R14: 00007f8f72f15000 R15: 000000000000b3b2