[v6.1] possible deadlock in task_fork_fair


syzbot

Feb 11, 2024, 10:37:18 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: f1bb70486c9c Linux 6.1.77
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12fbe034180000
kernel config: https://syzkaller.appspot.com/x/.config?x=39447811cb133e7e
dashboard link: https://syzkaller.appspot.com/bug?extid=e79a999646be8bb1dca9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f93cb7e9dad2/disk-f1bb7048.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/22703d1d86ee/vmlinux-f1bb7048.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4129725af309/bzImage-f1bb7048.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e79a99...@syzkaller.appspotmail.com

FAULT_INJECTION: forcing a failure.
name fail_usercopy, interval 1, probability 0, space 0, times 0
======================================================
WARNING: possible circular locking dependency detected
6.1.77-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/9606 is trying to acquire lock:
ffffffff8d0068d8 ((console_sem).lock){-...}-{2:2}, at: down_trylock+0x1c/0xa0 kernel/locking/semaphore.c:139

but task is already holding lock:
ffff8880b9839e18 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x26/0x140 kernel/sched/core.c:537

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&rq->__lock){-.-.}-{2:2}:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
_raw_spin_lock_nested+0x2d/0x40 kernel/locking/spinlock.c:378
raw_spin_rq_lock_nested+0x26/0x140 kernel/sched/core.c:537
raw_spin_rq_lock kernel/sched/sched.h:1354 [inline]
rq_lock kernel/sched/sched.h:1644 [inline]
task_fork_fair+0x5d/0x350 kernel/sched/fair.c:11863
sched_cgroup_fork+0x374/0x400 kernel/sched/core.c:4686
copy_process+0x2442/0x4060 kernel/fork.c:2384
kernel_clone+0x222/0x920 kernel/fork.c:2682
user_mode_thread+0x12e/0x190 kernel/fork.c:2758
rest_init+0x23/0x300 init/main.c:696
start_kernel+0x0/0x53f init/main.c:891
start_kernel+0x496/0x53f init/main.c:1138
secondary_startup_64_no_verify+0xcf/0xdb

-> #1 (&p->pi_lock){-.-.}-{2:2}:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
try_to_wake_up+0xad/0x12e0 kernel/sched/core.c:4112
up+0x6e/0x90 kernel/locking/semaphore.c:191
__up_console_sem+0xf8/0x1e0 kernel/printk/printk.c:260
__console_unlock kernel/printk/printk.c:2662 [inline]
console_unlock+0x591/0x7c0 kernel/printk/printk.c:2873
vprintk_emit+0x523/0x740 kernel/printk/printk.c:2268
_printk+0xd1/0x111 kernel/printk/printk.c:2293
printk_stack_address arch/x86/kernel/dumpstack.c:72 [inline]
show_trace_log_lvl+0x388/0x410 arch/x86/kernel/dumpstack.c:285
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
fail_dump lib/fault-inject.c:52 [inline]
should_fail_ex+0x3a6/0x4d0 lib/fault-inject.c:147
should_failslab+0x5/0x20 mm/slab_common.c:1452
slab_pre_alloc_hook+0x59/0x300 mm/slab.h:712
slab_alloc_node mm/slub.c:3318 [inline]
__kmem_cache_alloc_node+0x47/0x260 mm/slub.c:3437
__do_kmalloc_node mm/slab_common.c:954 [inline]
__kmalloc_node+0xa2/0x230 mm/slab_common.c:962
kmalloc_node include/linux/slab.h:579 [inline]
kvmalloc_node+0x6e/0x180 mm/util.c:581
kvmalloc include/linux/slab.h:706 [inline]
map_get_next_key+0x27b/0x620 kernel/bpf/syscall.c:1549
__sys_bpf+0x364/0x6c0 kernel/bpf/syscall.c:4999
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5107
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 ((console_sem).lock){-...}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain+0x1661/0x5950 kernel/locking/lockdep.c:3825
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
down_trylock+0x1c/0xa0 kernel/locking/semaphore.c:139
__down_trylock_console_sem+0x105/0x250 kernel/printk/printk.c:243
console_trylock kernel/printk/printk.c:2615 [inline]
console_trylock_spinning kernel/printk/printk.c:1867 [inline]
vprintk_emit+0x1ee/0x740 kernel/printk/printk.c:2267
_printk+0xd1/0x111 kernel/printk/printk.c:2293
fail_dump lib/fault-inject.c:45 [inline]
should_fail_ex+0x387/0x4d0 lib/fault-inject.c:147
strncpy_from_user+0x32/0x360 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x6c/0x130 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:204 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:310 [inline]
bpf_probe_read_compat_str+0xe4/0x180 kernel/trace/bpf_trace.c:306
bpf_prog_e42f6260c1b72fb3+0x35/0x37
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run include/linux/filter.h:607 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2275 [inline]
bpf_trace_run4+0x253/0x470 kernel/trace/bpf_trace.c:2316
__traceiter_sched_switch+0x91/0xc0 include/trace/events/sched.h:222
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2116/0x4550 kernel/sched/core.c:6555
preempt_schedule_irq+0xf7/0x1c0 kernel/sched/core.c:6870
irqentry_exit+0x53/0x80 kernel/entry/common.c:433
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
rcu_read_lock_sched_held+0x56/0x130 kernel/rcu/update.c:120
task_css include/linux/cgroup.h:509 [inline]
mem_cgroup_from_task+0x49/0x110 mm/memcontrol.c:985
get_obj_cgroup_from_current+0x168/0x280 mm/memcontrol.c:3020
memcg_slab_pre_alloc_hook mm/slab.h:485 [inline]
slab_pre_alloc_hook+0x90/0x300 mm/slab.h:715
slab_alloc_node mm/slub.c:3318 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x4e/0x2d0 mm/slub.c:3422
anon_vma_alloc mm/rmap.c:93 [inline]
__anon_vma_prepare+0xb7/0x400 mm/rmap.c:202
anon_vma_prepare include/linux/rmap.h:159 [inline]
do_anonymous_page mm/memory.c:4150 [inline]
handle_pte_fault mm/memory.c:4991 [inline]
__handle_mm_fault mm/memory.c:5135 [inline]
handle_mm_fault+0x4b0f/0x5340 mm/memory.c:5256
do_user_addr_fault arch/x86/mm/fault.c:1380 [inline]
handle_page_fault arch/x86/mm/fault.c:1471 [inline]
exc_page_fault+0x26f/0x660 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570

other info that might help us debug this:

Chain exists of:
(console_sem).lock --> &p->pi_lock --> &rq->__lock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&rq->__lock);
                               lock(&p->pi_lock);
                               lock(&rq->__lock);
  lock((console_sem).lock);

*** DEADLOCK ***

4 locks held by syz-executor.0/9606:
#0: ffff888015305b58 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:136 [inline]
#0: ffff888015305b58 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5284 [inline]
#0: ffff888015305b58 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x2e/0x2e0 mm/memory.c:5346
#1: ffffffff8d12a740 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:318 [inline]
#1: ffffffff8d12a740 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:759 [inline]
#1: ffffffff8d12a740 (rcu_read_lock){....}-{1:2}, at: get_obj_cgroup_from_current+0xd4/0x280 mm/memcontrol.c:3016
#2: ffff8880b9839e18 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x26/0x140 kernel/sched/core.c:537
#3: ffffffff8d12a740 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:318 [inline]
#3: ffffffff8d12a740 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:759 [inline]
#3: ffffffff8d12a740 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2274 [inline]
#3: ffffffff8d12a740 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run4+0x16a/0x470 kernel/trace/bpf_trace.c:2316

stack backtrace:
CPU: 0 PID: 9606 Comm: syz-executor.0 Not tainted 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
check_noncircular+0x2fa/0x3b0 kernel/locking/lockdep.c:2170
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain+0x1661/0x5950 kernel/locking/lockdep.c:3825
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
down_trylock+0x1c/0xa0 kernel/locking/semaphore.c:139
__down_trylock_console_sem+0x105/0x250 kernel/printk/printk.c:243
console_trylock kernel/printk/printk.c:2615 [inline]
console_trylock_spinning kernel/printk/printk.c:1867 [inline]
vprintk_emit+0x1ee/0x740 kernel/printk/printk.c:2267
_printk+0xd1/0x111 kernel/printk/printk.c:2293
fail_dump lib/fault-inject.c:45 [inline]
should_fail_ex+0x387/0x4d0 lib/fault-inject.c:147
strncpy_from_user+0x32/0x360 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x6c/0x130 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:204 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:310 [inline]
bpf_probe_read_compat_str+0xe4/0x180 kernel/trace/bpf_trace.c:306
bpf_prog_e42f6260c1b72fb3+0x35/0x37
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run include/linux/filter.h:607 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2275 [inline]
bpf_trace_run4+0x253/0x470 kernel/trace/bpf_trace.c:2316
__traceiter_sched_switch+0x91/0xc0 include/trace/events/sched.h:222
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2116/0x4550 kernel/sched/core.c:6555
preempt_schedule_irq+0xf7/0x1c0 kernel/sched/core.c:6870
irqentry_exit+0x53/0x80 kernel/entry/common.c:433
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
RIP: 0010:rcu_read_lock_sched_held+0x56/0x130 kernel/rcu/update.c:120
Code: c7 04 24 b3 8a b5 41 48 c7 44 24 08 68 0e 8d 8c 48 c7 44 24 10 80 f7 71 81 48 89 e3 48 c1 eb 03 48 b8 f1 f1 f1 f1 00 f3 f3 f3 <4a> 89 04 33 e8 41 66 18 09 85 c0 74 2a 45 31 ff e8 a5 3e 01 00 84
RSP: 0000:ffffc90013187a60 EFLAGS: 00000a02
RAX: f3f3f300f1f1f1f1 RBX: 1ffff92002630f4c RCX: ffff88807d0f5940
RDX: dffffc0000000000 RSI: ffffffff8b3d0da0 RDI: ffff88807d0f5940
RBP: ffffc90013187ae8 R08: dffffc0000000000 R09: fffffbfff2092245
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff888140008140 R14: dffffc0000000000 R15: dffffc0000000000
task_css include/linux/cgroup.h:509 [inline]
mem_cgroup_from_task+0x49/0x110 mm/memcontrol.c:985
get_obj_cgroup_from_current+0x168/0x280 mm/memcontrol.c:3020
memcg_slab_pre_alloc_hook mm/slab.h:485 [inline]
slab_pre_alloc_hook+0x90/0x300 mm/slab.h:715
slab_alloc_node mm/slub.c:3318 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x4e/0x2d0 mm/slub.c:3422
anon_vma_alloc mm/rmap.c:93 [inline]
__anon_vma_prepare+0xb7/0x400 mm/rmap.c:202
anon_vma_prepare include/linux/rmap.h:159 [inline]
do_anonymous_page mm/memory.c:4150 [inline]
handle_pte_fault mm/memory.c:4991 [inline]
__handle_mm_fault mm/memory.c:5135 [inline]
handle_mm_fault+0x4b0f/0x5340 mm/memory.c:5256
do_user_addr_fault arch/x86/mm/fault.c:1380 [inline]
handle_page_fault arch/x86/mm/fault.c:1471 [inline]
exc_page_fault+0x26f/0x660 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f6530e29793
Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c
RSP: 002b:00007f6531bed530 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 00007f6531bed5d0 RCX: 00007f65275ff000
RDX: 00007f6531bed770 RSI: 0000000000000003 RDI: 00007f6531bed670
RBP: 0000000000000139 R08: 000000000000000a R09: 00000000000002e6
R10: 000000000000033e R11: 00007f6531bed5d0 R12: 00007f6531bed5d0
R13: 00007f6530eeccc0 R14: 0000000000000058 R15: 00007f6531bed670
</TASK>
CPU: 0 PID: 9606 Comm: syz-executor.0 Not tainted 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
fail_dump lib/fault-inject.c:52 [inline]
should_fail_ex+0x3a6/0x4d0 lib/fault-inject.c:147
strncpy_from_user+0x32/0x360 lib/strncpy_from_user.c:118
strncpy_from_user_nofault+0x6c/0x130 mm/maccess.c:186
bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:204 [inline]
____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:310 [inline]
bpf_probe_read_compat_str+0xe4/0x180 kernel/trace/bpf_trace.c:306
bpf_prog_e42f6260c1b72fb3+0x35/0x37
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run include/linux/filter.h:607 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2275 [inline]
bpf_trace_run4+0x253/0x470 kernel/trace/bpf_trace.c:2316
__traceiter_sched_switch+0x91/0xc0 include/trace/events/sched.h:222
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2116/0x4550 kernel/sched/core.c:6555
preempt_schedule_irq+0xf7/0x1c0 kernel/sched/core.c:6870
irqentry_exit+0x53/0x80 kernel/entry/common.c:433
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
RIP: 0010:rcu_read_lock_sched_held+0x56/0x130 kernel/rcu/update.c:120
Code: c7 04 24 b3 8a b5 41 48 c7 44 24 08 68 0e 8d 8c 48 c7 44 24 10 80 f7 71 81 48 89 e3 48 c1 eb 03 48 b8 f1 f1 f1 f1 00 f3 f3 f3 <4a> 89 04 33 e8 41 66 18 09 85 c0 74 2a 45 31 ff e8 a5 3e 01 00 84
RSP: 0000:ffffc90013187a60 EFLAGS: 00000a02
RAX: f3f3f300f1f1f1f1 RBX: 1ffff92002630f4c RCX: ffff88807d0f5940
RDX: dffffc0000000000 RSI: ffffffff8b3d0da0 RDI: ffff88807d0f5940
RBP: ffffc90013187ae8 R08: dffffc0000000000 R09: fffffbfff2092245
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff888140008140 R14: dffffc0000000000 R15: dffffc0000000000
task_css include/linux/cgroup.h:509 [inline]
mem_cgroup_from_task+0x49/0x110 mm/memcontrol.c:985
get_obj_cgroup_from_current+0x168/0x280 mm/memcontrol.c:3020
memcg_slab_pre_alloc_hook mm/slab.h:485 [inline]
slab_pre_alloc_hook+0x90/0x300 mm/slab.h:715
slab_alloc_node mm/slub.c:3318 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x4e/0x2d0 mm/slub.c:3422
anon_vma_alloc mm/rmap.c:93 [inline]
__anon_vma_prepare+0xb7/0x400 mm/rmap.c:202
anon_vma_prepare include/linux/rmap.h:159 [inline]
do_anonymous_page mm/memory.c:4150 [inline]
handle_pte_fault mm/memory.c:4991 [inline]
__handle_mm_fault mm/memory.c:5135 [inline]
handle_mm_fault+0x4b0f/0x5340 mm/memory.c:5256
do_user_addr_fault arch/x86/mm/fault.c:1380 [inline]
handle_page_fault arch/x86/mm/fault.c:1471 [inline]
exc_page_fault+0x26f/0x660 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f6530e29793
Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c
RSP: 002b:00007f6531bed530 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 00007f6531bed5d0 RCX: 00007f65275ff000
RDX: 00007f6531bed770 RSI: 0000000000000003 RDI: 00007f6531bed670
RBP: 0000000000000139 R08: 000000000000000a R09: 00000000000002e6
R10: 000000000000033e R11: 00007f6531bed5d0 R12: 00007f6531bed5d0
R13: 00007f6530eeccc0 R14: 0000000000000058 R15: 00007f6531bed670
</TASK>
loop0: detected capacity change from 0 to 32768
XFS (loop0): Mounting V5 filesystem in no-recovery mode. Filesystem will be inconsistent.
XFS (loop0): Quotacheck needed: Please wait.
XFS (loop0): Quotacheck: Unsuccessful (Error -117): Disabling quotas.
----------------
Code disassembly (best guess):
0: c7 04 24 b3 8a b5 41 movl $0x41b58ab3,(%rsp)
7: 48 c7 44 24 08 68 0e movq $0xffffffff8c8d0e68,0x8(%rsp)
e: 8d 8c
10: 48 c7 44 24 10 80 f7 movq $0xffffffff8171f780,0x10(%rsp)
17: 71 81
19: 48 89 e3 mov %rsp,%rbx
1c: 48 c1 eb 03 shr $0x3,%rbx
20: 48 b8 f1 f1 f1 f1 00 movabs $0xf3f3f300f1f1f1f1,%rax
27: f3 f3 f3
* 2a: 4a 89 04 33 mov %rax,(%rbx,%r14,1) <-- trapping instruction
2e: e8 41 66 18 09 call 0x9186674
33: 85 c0 test %eax,%eax
35: 74 2a je 0x61
37: 45 31 ff xor %r15d,%r15d
3a: e8 a5 3e 01 00 call 0x13ee4
3f: 84 .byte 0x84


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Mar 16, 2024, 5:21:32 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: d7543167affd Linux 6.1.82
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12142021180000
kernel config: https://syzkaller.appspot.com/x/.config?x=59059e181681c079
dashboard link: https://syzkaller.appspot.com/bug?extid=e79a999646be8bb1dca9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10056c81180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12c7a1c9180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a2421980b49a/disk-d7543167.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/52a6bb44161f/vmlinux-d7543167.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9b3723bf43a9/bzImage-d7543167.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e79a99...@syzkaller.appspotmail.com

------------[ cut here ]------------
======================================================
WARNING: possible circular locking dependency detected
6.1.82-syzkaller #0 Not tainted
------------------------------------------------------
kworker/0:1/14 is trying to acquire lock:
ffffffff8d006ad8 ((console_sem).lock){....}-{2:2}, at: down_trylock+0x1c/0xa0 kernel/locking/semaphore.c:139

but task is already holding lock:
ffff8880b993aa18 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x26/0x140 kernel/sched/core.c:537

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&rq->__lock){-.-.}-{2:2}:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
_raw_spin_lock_nested+0x2d/0x40 kernel/locking/spinlock.c:378
raw_spin_rq_lock_nested+0x26/0x140 kernel/sched/core.c:537
raw_spin_rq_lock kernel/sched/sched.h:1354 [inline]
rq_lock kernel/sched/sched.h:1644 [inline]
task_fork_fair+0x5d/0x350 kernel/sched/fair.c:11863
sched_cgroup_fork+0x374/0x400 kernel/sched/core.c:4686
copy_process+0x2442/0x4060 kernel/fork.c:2384
kernel_clone+0x222/0x920 kernel/fork.c:2682
user_mode_thread+0x12e/0x190 kernel/fork.c:2758
rest_init+0x23/0x300 init/main.c:696
start_kernel+0x0/0x53f init/main.c:891
start_kernel+0x496/0x53f init/main.c:1138
secondary_startup_64_no_verify+0xcf/0xdb

-> #1 (&p->pi_lock){-.-.}-{2:2}:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
try_to_wake_up+0xad/0x12e0 kernel/sched/core.c:4112
up+0x6e/0x90 kernel/locking/semaphore.c:191
__up_console_sem+0x11a/0x1e0 kernel/printk/printk.c:260
__console_unlock kernel/printk/printk.c:2662 [inline]
console_unlock+0x591/0x7c0 kernel/printk/printk.c:2873
vprintk_emit+0x523/0x740 kernel/printk/printk.c:2268
dev_vprintk_emit+0x2aa/0x323 drivers/base/core.c:4902
dev_printk_emit+0xd9/0x118 drivers/base/core.c:4913
_dev_warn+0x11e/0x165 drivers/base/core.c:4969
_request_firmware+0xc4c/0x1200 drivers/base/firmware_loader/main.c:852
request_firmware_work_func+0x126/0x270 drivers/base/firmware_loader/main.c:1105
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:307

-> #0 ((console_sem).lock){....}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain+0x1661/0x5950 kernel/locking/lockdep.c:3825
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
down_trylock+0x1c/0xa0 kernel/locking/semaphore.c:139
__down_trylock_console_sem+0x105/0x250 kernel/printk/printk.c:243
console_trylock kernel/printk/printk.c:2615 [inline]
console_trylock_spinning kernel/printk/printk.c:1867 [inline]
vprintk_emit+0x1ee/0x740 kernel/printk/printk.c:2267
_printk+0xd1/0x111 kernel/printk/printk.c:2293
__report_bug lib/bug.c:195 [inline]
report_bug+0x342/0x500 lib/bug.c:219
handle_bug+0x3d/0x70 arch/x86/kernel/traps.c:324
exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:345
asm_exc_invalid_op+0x16/0x20 arch/x86/include/asm/idtentry.h:568
__local_bh_enable_ip+0x1b3/0x1f0
sock_hash_delete_elem+0x1a0/0x2f0 net/core/sock_map.c:940
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run include/linux/filter.h:607 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
trace_sched_migrate_task include/trace/events/sched.h:274 [inline]
set_task_cpu+0x503/0x5a0 kernel/sched/core.c:3154
detach_task kernel/sched/fair.c:8386 [inline]
detach_tasks kernel/sched/fair.c:8525 [inline]
load_balance+0x5e2d/0x85f0 kernel/sched/fair.c:10584
newidle_balance+0x6e7/0x10b0 kernel/sched/fair.c:11596
pick_next_task_fair+0x27d/0xdc0 kernel/sched/fair.c:7887
__pick_next_task kernel/sched/core.c:5868 [inline]
pick_next_task kernel/sched/core.c:5943 [inline]
__schedule+0x7a9/0x4550 kernel/sched/core.c:6522
schedule+0xbf/0x180 kernel/sched/core.c:6634
schedule_timeout+0x1b9/0x300 kernel/time/timer.c:1935
synchronize_rcu_expedited_wait_once kernel/rcu/tree_exp.h:570 [inline]
synchronize_rcu_expedited_wait kernel/rcu/tree_exp.h:621 [inline]
rcu_exp_wait_wake kernel/rcu/tree_exp.h:689 [inline]
rcu_exp_sel_wait_wake+0x764/0x1d50 kernel/rcu/tree_exp.h:723
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:307

other info that might help us debug this:

Chain exists of:
(console_sem).lock --> &p->pi_lock --> &rq->__lock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&rq->__lock);
                               lock(&p->pi_lock);
                               lock(&rq->__lock);
  lock((console_sem).lock);

*** DEADLOCK ***

5 locks held by kworker/0:1/14:
#0: ffff888012472138 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
#1: ffffc90000137d20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
#2: ffffffff8d12a940 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:319 [inline]
#2: ffffffff8d12a940 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:760 [inline]
#2: ffffffff8d12a940 (rcu_read_lock){....}-{1:2}, at: newidle_balance+0x2dd/0x10b0 kernel/sched/fair.c:11565
#3: ffff8880b993aa18 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x26/0x140 kernel/sched/core.c:537
#4: ffffffff8d12a940 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:319 [inline]
#4: ffffffff8d12a940 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:760 [inline]
#4: ffffffff8d12a940 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2272 [inline]
#4: ffffffff8d12a940 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x110/0x410 kernel/trace/bpf_trace.c:2312

stack backtrace:
CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 6.1.82-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: rcu_gp wait_rcu_exp_gp
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
check_noncircular+0x2fa/0x3b0 kernel/locking/lockdep.c:2170
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain+0x1661/0x5950 kernel/locking/lockdep.c:3825
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
down_trylock+0x1c/0xa0 kernel/locking/semaphore.c:139
__down_trylock_console_sem+0x105/0x250 kernel/printk/printk.c:243
console_trylock kernel/printk/printk.c:2615 [inline]
console_trylock_spinning kernel/printk/printk.c:1867 [inline]
vprintk_emit+0x1ee/0x740 kernel/printk/printk.c:2267
_printk+0xd1/0x111 kernel/printk/printk.c:2293
__report_bug lib/bug.c:195 [inline]
report_bug+0x342/0x500 lib/bug.c:219
handle_bug+0x3d/0x70 arch/x86/kernel/traps.c:324
exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:345
asm_exc_invalid_op+0x16/0x20 arch/x86/include/asm/idtentry.h:568
RIP: 0010:__local_bh_enable_ip+0x1b3/0x1f0 kernel/softirq.c:376
Code: 04 25 28 00 00 00 48 3b 44 24 60 75 4a 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b e9 d0 fe ff ff e8 3f 00 00 00 eb a2 <0f> 0b e9 02 ff ff ff 48 c7 c1 64 97 73 8e 80 e1 07 80 c1 03 38 c1
RSP: 0018:ffffc90000136d20 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 1ffff92000026da8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff88978b20
RBP: ffffc90000136de0 R08: dffffc0000000000 R09: ffffed100ea268ad
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: ffffc90000136d60 R15: 0000000000000201
sock_hash_delete_elem+0x1a0/0x2f0 net/core/sock_map.c:940
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run include/linux/filter.h:607 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
trace_sched_migrate_task include/trace/events/sched.h:274 [inline]
set_task_cpu+0x503/0x5a0 kernel/sched/core.c:3154
detach_task kernel/sched/fair.c:8386 [inline]
detach_tasks kernel/sched/fair.c:8525 [inline]
load_balance+0x5e2d/0x85f0 kernel/sched/fair.c:10584
newidle_balance+0x6e7/0x10b0 kernel/sched/fair.c:11596
pick_next_task_fair+0x27d/0xdc0 kernel/sched/fair.c:7887
__pick_next_task kernel/sched/core.c:5868 [inline]
pick_next_task kernel/sched/core.c:5943 [inline]
__schedule+0x7a9/0x4550 kernel/sched/core.c:6522
schedule+0xbf/0x180 kernel/sched/core.c:6634
schedule_timeout+0x1b9/0x300 kernel/time/timer.c:1935
synchronize_rcu_expedited_wait_once kernel/rcu/tree_exp.h:570 [inline]
synchronize_rcu_expedited_wait kernel/rcu/tree_exp.h:621 [inline]
rcu_exp_wait_wake kernel/rcu/tree_exp.h:689 [inline]
rcu_exp_sel_wait_wake+0x764/0x1d50 kernel/rcu/tree_exp.h:723
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:307
</TASK>
WARNING: CPU: 0 PID: 14 at kernel/softirq.c:376 __local_bh_enable_ip+0x1b3/0x1f0
Modules linked in:
CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 6.1.82-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: rcu_gp wait_rcu_exp_gp
RIP: 0010:__local_bh_enable_ip+0x1b3/0x1f0 kernel/softirq.c:376
Code: 04 25 28 00 00 00 48 3b 44 24 60 75 4a 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b e9 d0 fe ff ff e8 3f 00 00 00 eb a2 <0f> 0b e9 02 ff ff ff 48 c7 c1 64 97 73 8e 80 e1 07 80 c1 03 38 c1
RSP: 0018:ffffc90000136d20 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 1ffff92000026da8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff88978b20
RBP: ffffc90000136de0 R08: dffffc0000000000 R09: ffffed100ea268ad
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000002 R14: ffffc90000136d60 R15: 0000000000000201
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f16d1b6b0d0 CR3: 000000000ce8e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sock_hash_delete_elem+0x1a0/0x2f0 net/core/sock_map.c:940
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run include/linux/filter.h:607 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
trace_sched_migrate_task include/trace/events/sched.h:274 [inline]
set_task_cpu+0x503/0x5a0 kernel/sched/core.c:3154
detach_task kernel/sched/fair.c:8386 [inline]
detach_tasks kernel/sched/fair.c:8525 [inline]
load_balance+0x5e2d/0x85f0 kernel/sched/fair.c:10584
newidle_balance+0x6e7/0x10b0 kernel/sched/fair.c:11596
pick_next_task_fair+0x27d/0xdc0 kernel/sched/fair.c:7887
__pick_next_task kernel/sched/core.c:5868 [inline]
pick_next_task kernel/sched/core.c:5943 [inline]
__schedule+0x7a9/0x4550 kernel/sched/core.c:6522
schedule+0xbf/0x180 kernel/sched/core.c:6634
schedule_timeout+0x1b9/0x300 kernel/time/timer.c:1935
synchronize_rcu_expedited_wait_once kernel/rcu/tree_exp.h:570 [inline]
synchronize_rcu_expedited_wait kernel/rcu/tree_exp.h:621 [inline]
rcu_exp_wait_wake kernel/rcu/tree_exp.h:689 [inline]
rcu_exp_sel_wait_wake+0x764/0x1d50 kernel/rcu/tree_exp.h:723
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:307
</TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.