[v6.1] possible deadlock in snd_hrtimer_callback
0 views
Skip to first unread message
syzbot
Apr 6, 2024, 12:27:21 AMApr 6
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 347385861c50 Linux 6.1.84
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13010315180000
kernel config: https://syzkaller.appspot.com/x/.config?x=40dfd13b04bfc094
dashboard link: https://syzkaller.appspot.com/bug?extid=8a96df1e0d79616cb7e7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/73d2a8622b6e/disk-34738586.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e7bc2e0101a7/vmlinux-34738586.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7b96d1168608/bzImage-34738586.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8a96df...@syzkaller.appspotmail.com
=====================================================
WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
6.1.84-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor.1/24560 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire:
ffff88805afaf240 (&stab->lock){+.-.}-{2:2}, at: __sock_map_delete net/core/sock_map.c:416 [inline]
ffff88805afaf240 (&stab->lock){+.-.}-{2:2}, at: sock_map_delete_elem+0x97/0x130 net/core/sock_map.c:448
and this task is already holding:
ffff88805bb0e060 (&tu->qlock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:376 [inline]
ffff88805bb0e060 (&tu->qlock){....}-{2:2}, at: realloc_user_queue+0xcd/0x2a0 sound/core/timer.c:1475
which would create a new lock dependency:
(&tu->qlock){....}-{2:2} -> (&stab->lock){+.-.}-{2:2}
but this new dependency connects a HARDIRQ-irq-safe lock:
(&timer->lock){-.-.}-{2:2}
... which became HARDIRQ-irq-safe at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
snd_hrtimer_callback+0x56/0x370 sound/core/hrtimer.c:38
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x5e5/0xe50 kernel/time/hrtimer.c:1750
hrtimer_interrupt+0x392/0x980 kernel/time/hrtimer.c:1812
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1095 [inline]
__sysvec_apic_timer_interrupt+0x156/0x580 arch/x86/kernel/apic/apic.c:1112
sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
wg_ratelimiter_gc_entries+0x201/0x470
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:307
to a HARDIRQ-irq-unsafe lock:
(&stab->lock){+.-.}-{2:2}
... which became HARDIRQ-irq-unsafe at:
...
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:492
sock_map_update_elem_sys+0x55b/0x910 net/core/sock_map.c:581
map_update_elem+0x503/0x680 kernel/bpf/syscall.c:1448
__sys_bpf+0x337/0x6c0 kernel/bpf/syscall.c:4993
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5107
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
other info that might help us debug this:
Chain exists of:
&timer->lock --> &tu->qlock --> &stab->lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&stab->lock);
local_irq_disable();
lock(&timer->lock);
lock(&tu->qlock);
<Interrupt>
lock(&timer->lock);
*** DEADLOCK ***
2 locks held by syz-executor.1/24560:
#0: ffff88805bb0e060 (&tu->qlock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:376 [inline]
#0: ffff88805bb0e060 (&tu->qlock){....}-{2:2}, at: realloc_user_queue+0xcd/0x2a0 sound/core/timer.c:1475
#1: ffffffff8d12a980 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
#1: ffffffff8d12a980 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
#1: ffffffff8d12a980 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2272 [inline]
#1: ffffffff8d12a980 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x110/0x410 kernel/trace/bpf_trace.c:2312
the dependencies between HARDIRQ-irq-safe lock and the holding lock:
-> (&timer->lock){-.-.}-{2:2} {
IN-HARDIRQ-W at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
snd_hrtimer_callback+0x56/0x370 sound/core/hrtimer.c:38
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x5e5/0xe50 kernel/time/hrtimer.c:1750
hrtimer_interrupt+0x392/0x980 kernel/time/hrtimer.c:1812
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1095 [inline]
__sysvec_apic_timer_interrupt+0x156/0x580 arch/x86/kernel/apic/apic.c:1112
sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
wg_ratelimiter_gc_entries+0x201/0x470
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:307
IN-SOFTIRQ-W at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
snd_hrtimer_callback+0x56/0x370 sound/core/hrtimer.c:38
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x5e5/0xe50 kernel/time/hrtimer.c:1750
hrtimer_interrupt+0x392/0x980 kernel/time/hrtimer.c:1812
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1095 [inline]
__sysvec_apic_timer_interrupt+0x156/0x580 arch/x86/kernel/apic/apic.c:1112
sysvec_apic_timer_interrupt+0x3e/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
unwind_next_frame+0x551/0x2220 arch/x86/kernel/unwind_orc.c:461
arch_stack_walk+0x10d/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
save_stack+0xf6/0x1e0 mm/page_owner.c:127
__set_page_owner+0x26/0x390 mm/page_owner.c:190
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2513
prep_new_page mm/page_alloc.c:2520 [inline]
get_page_from_freelist+0x31a1/0x3320 mm/page_alloc.c:4279
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5547
__alloc_pages_node include/linux/gfp.h:237 [inline]
alloc_pages_node+0x127/0x1b0 include/linux/gfp.h:260
page_frag_alloc_1k net/core/skbuff.c:163 [inline]
__napi_alloc_skb+0x34b/0x520 net/core/skbuff.c:681
napi_alloc_skb include/linux/skbuff.h:3231 [inline]
page_to_skb+0x282/0xb60 drivers/net/virtio_net.c:501
receive_mergeable drivers/net/virtio_net.c:1128 [inline]
receive_buf+0x436/0x5520 drivers/net/virtio_net.c:1267
virtnet_receive drivers/net/virtio_net.c:1562 [inline]
virtnet_poll+0x6d3/0x1470 drivers/net/virtio_net.c:1680
__napi_poll+0xc7/0x470 net/core/dev.c:6537
napi_poll net/core/dev.c:6604 [inline]
net_rx_action+0x70f/0xeb0 net/core/dev.c:6718
__do_softirq+0x2e9/0xa4c kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x155/0x240 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
common_interrupt+0xa4/0xc0 arch/x86/kernel/irq.c:240
asm_common_interrupt+0x22/0x40 arch/x86/include/asm/idtentry.h:644
unwind_next_frame+0x551/0x2220 arch/x86/kernel/unwind_orc.c:461
arch_stack_walk+0x10d/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xb2/0x230 mm/slab_common.c:968
kmalloc include/linux/slab.h:561 [inline]
tomoyo_realpath_from_path+0xcb/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x29f/0x710 security/tomoyo/file.c:822
tomoyo_path_unlink+0xcc/0x100 security/tomoyo/tomoyo.c:149
security_path_unlink+0xd7/0x130 security/security.c:1189
do_unlinkat+0x3e0/0x820 fs/namei.c:4388
__do_sys_unlink fs/namei.c:4440 [inline]
__se_sys_unlink fs/namei.c:4438 [inline]
__x64_sys_unlink+0x45/0x50 fs/namei.c:4438
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
INITIAL USE at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
snd_timer_resolution+0x4d/0xe0 sound/core/timer.c:489
initialize_timer sound/core/seq/seq_timer.c:373 [inline]
seq_timer_start sound/core/seq/seq_timer.c:391 [inline]
snd_seq_timer_start+0x258/0x4d0 sound/core/seq/seq_timer.c:405
snd_seq_queue_process_event sound/core/seq/seq_queue.c:660 [inline]
snd_seq_control_queue+0x312/0x1a10 sound/core/seq/seq_queue.c:721
snd_seq_deliver_single_event+0x529/0xc70 sound/core/seq/seq_clientmgr.c:638
snd_seq_deliver_event+0x247/0x950 sound/core/seq/seq_clientmgr.c:839
snd_seq_kernel_client_dispatch+0x200/0x2f0 sound/core/seq/seq_clientmgr.c:2337
send_timer_event sound/core/seq/oss/seq_oss_timer.c:140 [inline]
snd_seq_oss_timer_start+0x3b8/0x730 sound/core/seq/oss/seq_oss_timer.c:161
send_midi_event sound/core/seq/oss/seq_oss_midi.c:622 [inline]
snd_seq_oss_midi_input+0x2fe/0xcf0 sound/core/seq/oss/seq_oss_midi.c:544
snd_seq_deliver_single_event+0x529/0xc70 sound/core/seq/seq_clientmgr.c:638
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:693 [inline]
snd_seq_deliver_event+0x4db/0x950 sound/core/seq/seq_clientmgr.c:828
snd_seq_kernel_client_dispatch+0x200/0x2f0 sound/core/seq/seq_clientmgr.c:2337
dummy_input+0x1ca/0x2d0 sound/core/seq/seq_dummy.c:90
snd_seq_deliver_single_event+0x529/0xc70 sound/core/seq/seq_clientmgr.c:638
snd_seq_deliver_event+0x247/0x950 sound/core/seq/seq_clientmgr.c:839
snd_seq_kernel_client_dispatch+0x200/0x2f0 sound/core/seq/seq_clientmgr.c:2337
snd_seq_oss_dispatch sound/core/seq/oss/seq_oss_device.h:138 [inline]
snd_seq_oss_oob_user sound/core/seq/oss/seq_oss_ioctl.c:55 [inline]
snd_seq_oss_ioctl+0xdb0/0x11e0 sound/core/seq/oss/seq_oss_ioctl.c:142
odev_ioctl+0xb4/0xe0 sound/core/seq/oss/seq_oss.c:184
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
... key at: [<ffffffff920a68c0>] snd_timer_new.__key+0x0/0x20
-> (&tu->qlock){....}-{2:2} {
INITIAL USE at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0xcf/0x110 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:376 [inline]
realloc_user_queue+0xcd/0x2a0 sound/core/timer.c:1475
snd_timer_user_open+0xf8/0x160 sound/core/timer.c:1503
chrdev_open+0x54a/0x630 fs/char_dev.c:414
do_dentry_open+0x7f9/0x10f0 fs/open.c:882
do_open fs/namei.c:3628 [inline]
path_openat+0x2644/0x2e60 fs/namei.c:3785
do_filp_open+0x230/0x480 fs/namei.c:3812
do_sys_openat2+0x13b/0x500 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
... key at: [<ffffffff920a6ec0>] snd_timer_user_open.__key+0x0/0x20
... acquired at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
snd_timer_user_ccallback+0x169/0x530 sound/core/timer.c:1383
snd_timer_notify1+0x1ad/0x350 sound/core/timer.c:516
snd_timer_start1+0x544/0x640 sound/core/timer.c:578
snd_timer_start sound/core/timer.c:696 [inline]
snd_timer_user_start+0x193/0x220 sound/core/timer.c:1985
snd_timer_user_continue sound/core/timer.c:2015 [inline]
__snd_timer_user_ioctl+0x756/0x5040 sound/core/timer.c:2114
snd_timer_user_ioctl+0x5d/0x80 sound/core/timer.c:2129
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
the dependencies between the lock to be acquired
and HARDIRQ-irq-unsafe lock:
-> (&stab->lock){+.-.}-{2:2} {
HARDIRQ-ON-W at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:492
sock_map_update_elem_sys+0x55b/0x910 net/core/sock_map.c:581
map_update_elem+0x503/0x680 kernel/bpf/syscall.c:1448
__sys_bpf+0x337/0x6c0 kernel/bpf/syscall.c:4993
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5107
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
IN-SOFTIRQ-W at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
__sock_map_delete net/core/sock_map.c:416 [inline]
sock_map_delete_elem+0x97/0x130 net/core/sock_map.c:448
0xffffffffa0001fde
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
__bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:94
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0xf6/0x190 mm/slab_common.c:994
skb_free_head net/core/skbuff.c:762 [inline]
skb_release_data+0x5de/0x7a0 net/core/skbuff.c:791
skb_release_all net/core/skbuff.c:856 [inline]
__kfree_skb net/core/skbuff.c:870 [inline]
consume_skb+0xa3/0x140 net/core/skbuff.c:1035
mac80211_hwsim_beacon_tx+0x5f8/0xaa0 drivers/net/wireless/mac80211_hwsim.c:2116
__iterate_interfaces+0x21e/0x4b0 net/mac80211/util.c:788
ieee80211_iterate_active_interfaces_atomic+0xd4/0x170 net/mac80211/util.c:824
mac80211_hwsim_beacon+0xd0/0x1e0 drivers/net/wireless/mac80211_hwsim.c:2142
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x5e5/0xe50 kernel/time/hrtimer.c:1750
hrtimer_run_softirq+0x196/0x2c0 kernel/time/hrtimer.c:1767
__do_softirq+0x2e9/0xa4c kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x155/0x240 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
__sanitizer_cov_trace_switch+0x50/0xe0
shmem_get_folio_gfp+0x4c4/0x3470 mm/shmem.c:1919
shmem_get_folio mm/shmem.c:2072 [inline]
shmem_write_begin+0x16e/0x4e0 mm/shmem.c:2559
generic_perform_write+0x2fc/0x5e0 mm/filemap.c:3817
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3945
generic_file_write_iter+0xab/0x310 mm/filemap.c:3977
call_write_iter include/linux/fs.h:2265 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7ae/0xba0 fs/read_write.c:584
ksys_write+0x19c/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
INITIAL USE at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:492
sock_map_update_elem_sys+0x55b/0x910 net/core/sock_map.c:581
map_update_elem+0x503/0x680 kernel/bpf/syscall.c:1448
__sys_bpf+0x337/0x6c0 kernel/bpf/syscall.c:4993
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5107
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
... key at: [<ffffffff920b1320>] sock_map_alloc.__key+0x0/0x20
... acquired at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
__sock_map_delete net/core/sock_map.c:416 [inline]
sock_map_delete_elem+0x97/0x130 net/core/sock_map.c:448
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
__bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:94
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0xf6/0x190 mm/slab_common.c:994
realloc_user_queue+0xf1/0x2a0 sound/core/timer.c:1476
snd_timer_user_open+0xf8/0x160 sound/core/timer.c:1503
chrdev_open+0x54a/0x630 fs/char_dev.c:414
do_dentry_open+0x7f9/0x10f0 fs/open.c:882
do_open fs/namei.c:3628 [inline]
path_openat+0x2644/0x2e60 fs/namei.c:3785
do_filp_open+0x230/0x480 fs/namei.c:3812
do_sys_openat2+0x13b/0x500 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
stack backtrace:
CPU: 1 PID: 24560 Comm: syz-executor.1 Not tainted 6.1.84-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_bad_irq_dependency kernel/locking/lockdep.c:2604 [inline]
check_irq_usage kernel/locking/lockdep.c:2843 [inline]
check_prev_add kernel/locking/lockdep.c:3094 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain+0x4d16/0x5950 kernel/locking/lockdep.c:3825
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
__sock_map_delete net/core/sock_map.c:416 [inline]
sock_map_delete_elem+0x97/0x130 net/core/sock_map.c:448
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
__bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:94
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0xf6/0x190 mm/slab_common.c:994
realloc_user_queue+0xf1/0x2a0 sound/core/timer.c:1476
snd_timer_user_open+0xf8/0x160 sound/core/timer.c:1503
chrdev_open+0x54a/0x630 fs/char_dev.c:414
do_dentry_open+0x7f9/0x10f0 fs/open.c:882
do_open fs/namei.c:3628 [inline]
path_openat+0x2644/0x2e60 fs/namei.c:3785
do_filp_open+0x230/0x480 fs/namei.c:3812
do_sys_openat2+0x13b/0x500 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f317a47de69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f317b2d40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f317a5abf80 RCX: 00007f317a47de69
RDX: 0000000000000000 RSI: 0000000020000040 RDI: ffffffffffffff9c
RBP: 00007f317a4ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f317a5abf80 R15: 00007ffe68e746e8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 347385861c50 Linux 6.1.84
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13010315180000
kernel config: https://syzkaller.appspot.com/x/.config?x=40dfd13b04bfc094
dashboard link: https://syzkaller.appspot.com/bug?extid=8a96df1e0d79616cb7e7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/73d2a8622b6e/disk-34738586.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e7bc2e0101a7/vmlinux-34738586.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7b96d1168608/bzImage-34738586.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8a96df...@syzkaller.appspotmail.com
=====================================================
WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
6.1.84-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor.1/24560 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire:
ffff88805afaf240 (&stab->lock){+.-.}-{2:2}, at: __sock_map_delete net/core/sock_map.c:416 [inline]
ffff88805afaf240 (&stab->lock){+.-.}-{2:2}, at: sock_map_delete_elem+0x97/0x130 net/core/sock_map.c:448
and this task is already holding:
ffff88805bb0e060 (&tu->qlock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:376 [inline]
ffff88805bb0e060 (&tu->qlock){....}-{2:2}, at: realloc_user_queue+0xcd/0x2a0 sound/core/timer.c:1475
which would create a new lock dependency:
(&tu->qlock){....}-{2:2} -> (&stab->lock){+.-.}-{2:2}
but this new dependency connects a HARDIRQ-irq-safe lock:
(&timer->lock){-.-.}-{2:2}
... which became HARDIRQ-irq-safe at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
snd_hrtimer_callback+0x56/0x370 sound/core/hrtimer.c:38
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x5e5/0xe50 kernel/time/hrtimer.c:1750
hrtimer_interrupt+0x392/0x980 kernel/time/hrtimer.c:1812
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1095 [inline]
__sysvec_apic_timer_interrupt+0x156/0x580 arch/x86/kernel/apic/apic.c:1112
sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
wg_ratelimiter_gc_entries+0x201/0x470
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:307
to a HARDIRQ-irq-unsafe lock:
(&stab->lock){+.-.}-{2:2}
... which became HARDIRQ-irq-unsafe at:
...
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:492
sock_map_update_elem_sys+0x55b/0x910 net/core/sock_map.c:581
map_update_elem+0x503/0x680 kernel/bpf/syscall.c:1448
__sys_bpf+0x337/0x6c0 kernel/bpf/syscall.c:4993
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5107
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
other info that might help us debug this:
Chain exists of:
&timer->lock --> &tu->qlock --> &stab->lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&stab->lock);
local_irq_disable();
lock(&timer->lock);
lock(&tu->qlock);
<Interrupt>
lock(&timer->lock);
*** DEADLOCK ***
2 locks held by syz-executor.1/24560:
#0: ffff88805bb0e060 (&tu->qlock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:376 [inline]
#0: ffff88805bb0e060 (&tu->qlock){....}-{2:2}, at: realloc_user_queue+0xcd/0x2a0 sound/core/timer.c:1475
#1: ffffffff8d12a980 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
#1: ffffffff8d12a980 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
#1: ffffffff8d12a980 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2272 [inline]
#1: ffffffff8d12a980 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x110/0x410 kernel/trace/bpf_trace.c:2312
the dependencies between HARDIRQ-irq-safe lock and the holding lock:
-> (&timer->lock){-.-.}-{2:2} {
IN-HARDIRQ-W at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
snd_hrtimer_callback+0x56/0x370 sound/core/hrtimer.c:38
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x5e5/0xe50 kernel/time/hrtimer.c:1750
hrtimer_interrupt+0x392/0x980 kernel/time/hrtimer.c:1812
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1095 [inline]
__sysvec_apic_timer_interrupt+0x156/0x580 arch/x86/kernel/apic/apic.c:1112
sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
wg_ratelimiter_gc_entries+0x201/0x470
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:307
IN-SOFTIRQ-W at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
snd_hrtimer_callback+0x56/0x370 sound/core/hrtimer.c:38
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x5e5/0xe50 kernel/time/hrtimer.c:1750
hrtimer_interrupt+0x392/0x980 kernel/time/hrtimer.c:1812
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1095 [inline]
__sysvec_apic_timer_interrupt+0x156/0x580 arch/x86/kernel/apic/apic.c:1112
sysvec_apic_timer_interrupt+0x3e/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
unwind_next_frame+0x551/0x2220 arch/x86/kernel/unwind_orc.c:461
arch_stack_walk+0x10d/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
save_stack+0xf6/0x1e0 mm/page_owner.c:127
__set_page_owner+0x26/0x390 mm/page_owner.c:190
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2513
prep_new_page mm/page_alloc.c:2520 [inline]
get_page_from_freelist+0x31a1/0x3320 mm/page_alloc.c:4279
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5547
__alloc_pages_node include/linux/gfp.h:237 [inline]
alloc_pages_node+0x127/0x1b0 include/linux/gfp.h:260
page_frag_alloc_1k net/core/skbuff.c:163 [inline]
__napi_alloc_skb+0x34b/0x520 net/core/skbuff.c:681
napi_alloc_skb include/linux/skbuff.h:3231 [inline]
page_to_skb+0x282/0xb60 drivers/net/virtio_net.c:501
receive_mergeable drivers/net/virtio_net.c:1128 [inline]
receive_buf+0x436/0x5520 drivers/net/virtio_net.c:1267
virtnet_receive drivers/net/virtio_net.c:1562 [inline]
virtnet_poll+0x6d3/0x1470 drivers/net/virtio_net.c:1680
__napi_poll+0xc7/0x470 net/core/dev.c:6537
napi_poll net/core/dev.c:6604 [inline]
net_rx_action+0x70f/0xeb0 net/core/dev.c:6718
__do_softirq+0x2e9/0xa4c kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x155/0x240 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
common_interrupt+0xa4/0xc0 arch/x86/kernel/irq.c:240
asm_common_interrupt+0x22/0x40 arch/x86/include/asm/idtentry.h:644
unwind_next_frame+0x551/0x2220 arch/x86/kernel/unwind_orc.c:461
arch_stack_walk+0x10d/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xb2/0x230 mm/slab_common.c:968
kmalloc include/linux/slab.h:561 [inline]
tomoyo_realpath_from_path+0xcb/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x29f/0x710 security/tomoyo/file.c:822
tomoyo_path_unlink+0xcc/0x100 security/tomoyo/tomoyo.c:149
security_path_unlink+0xd7/0x130 security/security.c:1189
do_unlinkat+0x3e0/0x820 fs/namei.c:4388
__do_sys_unlink fs/namei.c:4440 [inline]
__se_sys_unlink fs/namei.c:4438 [inline]
__x64_sys_unlink+0x45/0x50 fs/namei.c:4438
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
INITIAL USE at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
snd_timer_resolution+0x4d/0xe0 sound/core/timer.c:489
initialize_timer sound/core/seq/seq_timer.c:373 [inline]
seq_timer_start sound/core/seq/seq_timer.c:391 [inline]
snd_seq_timer_start+0x258/0x4d0 sound/core/seq/seq_timer.c:405
snd_seq_queue_process_event sound/core/seq/seq_queue.c:660 [inline]
snd_seq_control_queue+0x312/0x1a10 sound/core/seq/seq_queue.c:721
snd_seq_deliver_single_event+0x529/0xc70 sound/core/seq/seq_clientmgr.c:638
snd_seq_deliver_event+0x247/0x950 sound/core/seq/seq_clientmgr.c:839
snd_seq_kernel_client_dispatch+0x200/0x2f0 sound/core/seq/seq_clientmgr.c:2337
send_timer_event sound/core/seq/oss/seq_oss_timer.c:140 [inline]
snd_seq_oss_timer_start+0x3b8/0x730 sound/core/seq/oss/seq_oss_timer.c:161
send_midi_event sound/core/seq/oss/seq_oss_midi.c:622 [inline]
snd_seq_oss_midi_input+0x2fe/0xcf0 sound/core/seq/oss/seq_oss_midi.c:544
snd_seq_deliver_single_event+0x529/0xc70 sound/core/seq/seq_clientmgr.c:638
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:693 [inline]
snd_seq_deliver_event+0x4db/0x950 sound/core/seq/seq_clientmgr.c:828
snd_seq_kernel_client_dispatch+0x200/0x2f0 sound/core/seq/seq_clientmgr.c:2337
dummy_input+0x1ca/0x2d0 sound/core/seq/seq_dummy.c:90
snd_seq_deliver_single_event+0x529/0xc70 sound/core/seq/seq_clientmgr.c:638
snd_seq_deliver_event+0x247/0x950 sound/core/seq/seq_clientmgr.c:839
snd_seq_kernel_client_dispatch+0x200/0x2f0 sound/core/seq/seq_clientmgr.c:2337
snd_seq_oss_dispatch sound/core/seq/oss/seq_oss_device.h:138 [inline]
snd_seq_oss_oob_user sound/core/seq/oss/seq_oss_ioctl.c:55 [inline]
snd_seq_oss_ioctl+0xdb0/0x11e0 sound/core/seq/oss/seq_oss_ioctl.c:142
odev_ioctl+0xb4/0xe0 sound/core/seq/oss/seq_oss.c:184
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
... key at: [<ffffffff920a68c0>] snd_timer_new.__key+0x0/0x20
-> (&tu->qlock){....}-{2:2} {
INITIAL USE at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0xcf/0x110 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:376 [inline]
realloc_user_queue+0xcd/0x2a0 sound/core/timer.c:1475
snd_timer_user_open+0xf8/0x160 sound/core/timer.c:1503
chrdev_open+0x54a/0x630 fs/char_dev.c:414
do_dentry_open+0x7f9/0x10f0 fs/open.c:882
do_open fs/namei.c:3628 [inline]
path_openat+0x2644/0x2e60 fs/namei.c:3785
do_filp_open+0x230/0x480 fs/namei.c:3812
do_sys_openat2+0x13b/0x500 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
... key at: [<ffffffff920a6ec0>] snd_timer_user_open.__key+0x0/0x20
... acquired at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
snd_timer_user_ccallback+0x169/0x530 sound/core/timer.c:1383
snd_timer_notify1+0x1ad/0x350 sound/core/timer.c:516
snd_timer_start1+0x544/0x640 sound/core/timer.c:578
snd_timer_start sound/core/timer.c:696 [inline]
snd_timer_user_start+0x193/0x220 sound/core/timer.c:1985
snd_timer_user_continue sound/core/timer.c:2015 [inline]
__snd_timer_user_ioctl+0x756/0x5040 sound/core/timer.c:2114
snd_timer_user_ioctl+0x5d/0x80 sound/core/timer.c:2129
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
the dependencies between the lock to be acquired
and HARDIRQ-irq-unsafe lock:
-> (&stab->lock){+.-.}-{2:2} {
HARDIRQ-ON-W at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:492
sock_map_update_elem_sys+0x55b/0x910 net/core/sock_map.c:581
map_update_elem+0x503/0x680 kernel/bpf/syscall.c:1448
__sys_bpf+0x337/0x6c0 kernel/bpf/syscall.c:4993
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5107
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
IN-SOFTIRQ-W at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
__sock_map_delete net/core/sock_map.c:416 [inline]
sock_map_delete_elem+0x97/0x130 net/core/sock_map.c:448
0xffffffffa0001fde
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
__bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:94
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0xf6/0x190 mm/slab_common.c:994
skb_free_head net/core/skbuff.c:762 [inline]
skb_release_data+0x5de/0x7a0 net/core/skbuff.c:791
skb_release_all net/core/skbuff.c:856 [inline]
__kfree_skb net/core/skbuff.c:870 [inline]
consume_skb+0xa3/0x140 net/core/skbuff.c:1035
mac80211_hwsim_beacon_tx+0x5f8/0xaa0 drivers/net/wireless/mac80211_hwsim.c:2116
__iterate_interfaces+0x21e/0x4b0 net/mac80211/util.c:788
ieee80211_iterate_active_interfaces_atomic+0xd4/0x170 net/mac80211/util.c:824
mac80211_hwsim_beacon+0xd0/0x1e0 drivers/net/wireless/mac80211_hwsim.c:2142
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x5e5/0xe50 kernel/time/hrtimer.c:1750
hrtimer_run_softirq+0x196/0x2c0 kernel/time/hrtimer.c:1767
__do_softirq+0x2e9/0xa4c kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x155/0x240 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
__sanitizer_cov_trace_switch+0x50/0xe0
shmem_get_folio_gfp+0x4c4/0x3470 mm/shmem.c:1919
shmem_get_folio mm/shmem.c:2072 [inline]
shmem_write_begin+0x16e/0x4e0 mm/shmem.c:2559
generic_perform_write+0x2fc/0x5e0 mm/filemap.c:3817
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3945
generic_file_write_iter+0xab/0x310 mm/filemap.c:3977
call_write_iter include/linux/fs.h:2265 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7ae/0xba0 fs/read_write.c:584
ksys_write+0x19c/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
INITIAL USE at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
sock_map_update_common+0x1b6/0x5b0 net/core/sock_map.c:492
sock_map_update_elem_sys+0x55b/0x910 net/core/sock_map.c:581
map_update_elem+0x503/0x680 kernel/bpf/syscall.c:1448
__sys_bpf+0x337/0x6c0 kernel/bpf/syscall.c:4993
__do_sys_bpf kernel/bpf/syscall.c:5109 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5107 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5107
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
}
... key at: [<ffffffff920b1320>] sock_map_alloc.__key+0x0/0x20
... acquired at:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
__sock_map_delete net/core/sock_map.c:416 [inline]
sock_map_delete_elem+0x97/0x130 net/core/sock_map.c:448
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
__bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:94
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0xf6/0x190 mm/slab_common.c:994
realloc_user_queue+0xf1/0x2a0 sound/core/timer.c:1476
snd_timer_user_open+0xf8/0x160 sound/core/timer.c:1503
chrdev_open+0x54a/0x630 fs/char_dev.c:414
do_dentry_open+0x7f9/0x10f0 fs/open.c:882
do_open fs/namei.c:3628 [inline]
path_openat+0x2644/0x2e60 fs/namei.c:3785
do_filp_open+0x230/0x480 fs/namei.c:3812
do_sys_openat2+0x13b/0x500 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
stack backtrace:
CPU: 1 PID: 24560 Comm: syz-executor.1 Not tainted 6.1.84-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_bad_irq_dependency kernel/locking/lockdep.c:2604 [inline]
check_irq_usage kernel/locking/lockdep.c:2843 [inline]
check_prev_add kernel/locking/lockdep.c:3094 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain+0x4d16/0x5950 kernel/locking/lockdep.c:3825
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
__sock_map_delete net/core/sock_map.c:416 [inline]
sock_map_delete_elem+0x97/0x130 net/core/sock_map.c:448
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:989 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2273 [inline]
bpf_trace_run2+0x1fd/0x410 kernel/trace/bpf_trace.c:2312
__bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:94
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0xf6/0x190 mm/slab_common.c:994
realloc_user_queue+0xf1/0x2a0 sound/core/timer.c:1476
snd_timer_user_open+0xf8/0x160 sound/core/timer.c:1503
chrdev_open+0x54a/0x630 fs/char_dev.c:414
do_dentry_open+0x7f9/0x10f0 fs/open.c:882
do_open fs/namei.c:3628 [inline]
path_openat+0x2644/0x2e60 fs/namei.c:3785
do_filp_open+0x230/0x480 fs/namei.c:3812
do_sys_openat2+0x13b/0x500 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f317a47de69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f317b2d40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f317a5abf80 RCX: 00007f317a47de69
RDX: 0000000000000000 RSI: 0000000020000040 RDI: ffffffffffffff9c
RBP: 00007f317a4ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f317a5abf80 R15: 00007ffe68e746e8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages