Hello,
syzbot found the following issue on:
HEAD commit: 93741761e5e3 Linux 5.15.207
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13e71ca6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=353ae28c40b35af5
dashboard link: https://syzkaller.appspot.com/bug?extid=cf8db3e15e1fb1872a53
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/33bc193847b4/disk-93741761.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/24fe0e2c618a/vmlinux-93741761.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0222d2a4b225/bzImage-93741761.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cf8db3...@syzkaller.appspotmail.com
================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {INITIAL USE} -> {IN-NMI} usage.
syz.4.2921/14216 [HC2[2]:SC0[0]:HE0:SE1] takes:
ffffffff8c450338 (kernfs_rename_lock){....}-{2:2}, at: kernfs_path_from_node+0x84/0xb30 fs/kernfs/dir.c:224
{INITIAL USE} state was registered at:
lock_acquire+0x19e/0x400 kernel/locking/lockdep.c:5623
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0xab/0xf0 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:389 [inline]
kernfs_rename_ns+0x52a/0x930 fs/kernfs/dir.c:1629
sysfs_rename_link_ns+0x171/0x1b0 fs/sysfs/symlink.c:192
device_rename+0x11c/0x1a0 drivers/base/core.c:4267
dev_change_name+0x2dd/0xbf0 net/core/dev.c:1323
do_setlink+0xa4e/0x3d60 net/core/rtnetlink.c:2764
__rtnl_newlink net/core/rtnetlink.c:3455 [inline]
rtnl_newlink+0x1658/0x1a50 net/core/rtnetlink.c:3577
rtnetlink_rcv_msg+0x844/0xf30 net/core/rtnetlink.c:5687
netlink_rcv_skb+0x1f5/0x440 net/netlink/af_netlink.c:2507
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x774/0x920 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x8ba/0xbe0 net/netlink/af_netlink.c:1918
sock_sendmsg_nosec net/socket.c:706 [inline]
__sock_sendmsg net/socket.c:718 [inline]
__sys_sendto+0x46d/0x620 net/socket.c:2072
__do_sys_sendto net/socket.c:2084 [inline]
__se_sys_sendto net/socket.c:2080 [inline]
__x64_sys_sendto+0xda/0xf0 net/socket.c:2080
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
irq event stamp: 2060
hardirqs last enabled at (2059): [<ffffffff89e00e46>] asm_sysvec_irq_work+0x16/0x20 arch/x86/include/asm/idtentry.h:713
hardirqs last disabled at (2060): [<ffffffff89bcd65f>] irqentry_enter+0xf/0x50 kernel/entry/common.c:332
softirqs last enabled at (2014): [<ffffffff87e376a5>] local_bh_enable+0x5/0x20 include/linux/bottom_half.h:31
softirqs last disabled at (1998): [<ffffffff87e37685>] local_bh_disable+0x5/0x20 include/linux/bottom_half.h:18
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(kernfs_rename_lock);
<Interrupt>
lock(kernfs_rename_lock);
*** DEADLOCK ***
1 lock held by syz.4.2921/14216:
#0: ffffffff8c31f320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313
stack backtrace:
CPU: 0 PID: 14216 Comm: syz.4.2921 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<#DB>
dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
lock_acquire+0x2c3/0x400 kernel/locking/lockdep.c:5614
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xb0/0x100 kernel/locking/spinlock.c:162
kernfs_path_from_node+0x84/0xb30 fs/kernfs/dir.c:224
kernfs_path include/linux/kernfs.h:547 [inline]
cgroup_path include/linux/cgroup.h:663 [inline]
get_mm_memcg_path+0xba/0x330 mm/mmap_lock.c:82
__mmap_lock_do_trace_start_locking+0xe2/0x2f0 mm/mmap_lock.c:95
__mmap_lock_trace_start_locking include/linux/mmap_lock.h:29 [inline]
mmap_read_trylock include/linux/mmap_lock.h:135 [inline]
stack_map_get_build_id_offset+0x562/0x860 kernel/bpf/stackmap.c:185
__bpf_get_stackid+0x55d/0x920 kernel/bpf/stackmap.c:294
bpf_prog_12712c88fd19bd5b+0x21/0x984
bpf_dispatcher_nop_func include/linux/bpf.h:888 [inline]
__bpf_prog_run include/linux/filter.h:628 [inline]
bpf_prog_run include/linux/filter.h:635 [inline]
bpf_overflow_handler+0x1c2/0x4a0 kernel/events/core.c:10297
__perf_event_overflow+0x364/0x530 kernel/events/core.c:9515
perf_bp_event+0x276/0x320 kernel/events/core.c:10484
hw_breakpoint_handler arch/x86/kernel/hw_breakpoint.c:555 [inline]
hw_breakpoint_exceptions_notify+0x152/0x470 arch/x86/kernel/hw_breakpoint.c:586
notifier_call_chain kernel/notifier.c:83 [inline]
atomic_notifier_call_chain+0x15d/0x280 kernel/notifier.c:198
notify_die+0x141/0x1a0 kernel/notifier.c:529
notify_debug+0x20/0x30 arch/x86/kernel/traps.c:872
exc_debug_kernel arch/x86/kernel/traps.c:929 [inline]
exc_debug+0xcf/0x130 arch/x86/kernel/traps.c:1029
asm_exc_debug+0x1a/0x40 arch/x86/include/asm/idtentry.h:642
RIP: 0010:__get_user_nocheck_8+0x9/0x13 arch/x86/lib/getuser.S:160
Code: 90 0f 01 cb 0f ae e8 0f b7 10 31 c0 0f 01 ca c3 90 0f 01 cb 0f ae e8 8b 10 31 c0 0f 01 ca c3 90 90 0f 01 cb 0f ae e8 48 8b 10 <31> c0 0f 01 ca c3 90 0f 01 ca 31 d2 48 c7 c0 f2 ff ff ff c3 00 00
RSP: 0000:ffffc9000325f640 EFLAGS: 00040806
RAX: 0000200000000300 RBX: 0000000000000000 RCX: ffff88802dbc3b80
RDX: 00006370692f736e RSI: 0000200000000300 RDI: 00007fffffffeff0
RBP: 0000000000000001 R08: 0000000000000003 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff5200064bf27 R12: 0000200000000300
R13: 00007fffffffeff0 R14: 00000000ffffffff R15: dffffc0000000000
</#DB>
<TASK>
perf_callchain_user+0x40e/0xfd0 arch/x86/events/core.c:2900
get_perf_callchain+0x33d/0x460 kernel/events/callchain.c:221
perf_callchain kernel/events/core.c:7606 [inline]
perf_prepare_sample+0x352/0x1cd0 kernel/events/core.c:7633
__perf_event_output kernel/events/core.c:7802 [inline]
perf_event_output_forward+0x185/0x2e0 kernel/events/core.c:7822
__perf_event_overflow+0x364/0x530 kernel/events/core.c:9515
perf_swevent_hrtimer+0x41b/0x5b0 kernel/events/core.c:10934
__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
__hrtimer_run_queues+0x4b4/0xb70 kernel/time/hrtimer.c:1749
hrtimer_interrupt+0x3bb/0x8d0 kernel/time/hrtimer.c:1811
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1097 [inline]
__sysvec_apic_timer_interrupt+0x137/0x4a0 arch/x86/kernel/apic/apic.c:1114
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0x4d/0xc0 arch/x86/kernel/apic/apic.c:1108
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0033:0x7fc2b9713bfd
Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 89 f8 48 89 fa c5 f9 ef c0 25 ff 0f 00 00 3d e0 0f 00 00 0f 87 27 01 00 00 c5 fd 74 0f <c5> fd d7 c1 85 c0 74 5b f3 0f bc c0 e9 30 01 00 00 66 90 f3 0f bc
RSP: 002b:00007fc2b798d8a8 EFLAGS: 00000283
RAX: 0000000000000300 RBX: 00007fc2b798dde0 RCX: 2f666c65732f636f
RDX: 0000200000000300 RSI: 00007fc2b97f50c0 RDI: 0000200000000300
RBP: 0000200000000300 R08: 00007fc2b798e010 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000073 R14: 00007fc2b97ca0dd R15: 00007fc2b798dea0
</TASK>
----------------
Code disassembly (best guess):
0: 90 nop
1: 0f 01 cb stac
4: 0f ae e8 lfence
7: 0f b7 10 movzwl (%rax),%edx
a: 31 c0 xor %eax,%eax
c: 0f 01 ca clac
f: c3 ret
10: 90 nop
11: 0f 01 cb stac
14: 0f ae e8 lfence
17: 8b 10 mov (%rax),%edx
19: 31 c0 xor %eax,%eax
1b: 0f 01 ca clac
1e: c3 ret
1f: 90 nop
20: 90 nop
21: 0f 01 cb stac
24: 0f ae e8 lfence
27: 48 8b 10 mov (%rax),%rdx
* 2a: 31 c0 xor %eax,%eax <-- trapping instruction
2c: 0f 01 ca clac
2f: c3 ret
30: 90 nop
31: 0f 01 ca clac
34: 31 d2 xor %edx,%edx
36: 48 c7 c0 f2 ff ff ff mov $0xfffffffffffffff2,%rax
3d: c3 ret
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup