[syzbot] [fuse?] possible deadlock in __folio_end_writeback

syzbot

Oct 7, 2025, 5:19:31 PM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, mik...@szeredi.hu, syzkall...@googlegroups.com, wi...@infradead.org
Hello,

syzbot found the following issue on:

HEAD commit: cbf33b8e0b36 Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17a25ee2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1b4263e12240e6e1
dashboard link: https://syzkaller.appspot.com/bug?extid=27727256237e6bdd3649
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14eaea7c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=134c4304580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-cbf33b8e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/54786e46ef23/vmlinux-cbf33b8e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dd6f88ce083b/bzImage-cbf33b8e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+277272...@syzkaller.appspotmail.com

wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
=====================================================
WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
syzkaller #0 Not tainted
-----------------------------------------------------
kworker/u4:0/12 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
ffffffff995aa110 (&p->sequence){+.-.}-{0:0}, at: __fprop_add_percpu_max+0x10d/0x210 lib/flex_proportions.c:186

and this task is already holding:
ffff888040a24240 (&xa->xa_lock#12){-...}-{3:3}, at: __folio_end_writeback+0x1da/0x950 mm/page-writeback.c:2996
which would create a new lock dependency:
(&xa->xa_lock#12){-...}-{3:3} -> (&p->sequence){+.-.}-{0:0}

but this new dependency connects a HARDIRQ-irq-safe lock:
(&xa->xa_lock#12){-...}-{3:3}

... which became HARDIRQ-irq-safe at:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
__folio_end_writeback+0x1da/0x950 mm/page-writeback.c:2996
folio_end_writeback_no_dropbehind+0x151/0x290 mm/filemap.c:1668
folio_end_writeback+0xea/0x220 mm/filemap.c:1694
end_bio_bh_io_sync+0xba/0x120 fs/buffer.c:2776
blk_update_request+0x57e/0xe60 block/blk-mq.c:998
scsi_end_request+0x7c/0x830 drivers/scsi/scsi_lib.c:637
scsi_io_completion+0x131/0x390 drivers/scsi/scsi_lib.c:1078
ata_qc_complete_multiple+0x1ae/0x280 drivers/ata/libata-sata.c:789
ahci_qc_complete drivers/ata/libahci.c:1887 [inline]
ahci_handle_port_interrupt+0x3d5/0x610 drivers/ata/libahci.c:1954
ahci_port_intr drivers/ata/libahci.c:1965 [inline]
ahci_handle_port_intr+0x19f/0x2e0 drivers/ata/libahci.c:1996
ahci_single_level_irq_intr+0x9b/0xe0 drivers/ata/libahci.c:2030
__handle_irq_event_percpu+0x295/0xab0 kernel/irq/handle.c:203
handle_irq_event_percpu kernel/irq/handle.c:240 [inline]
handle_irq_event+0x8b/0x1e0 kernel/irq/handle.c:257
handle_edge_irq+0x23b/0xa10 kernel/irq/chip.c:855
generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
handle_irq arch/x86/kernel/irq.c:254 [inline]
call_irq_handler arch/x86/kernel/irq.c:-1 [inline]
__common_interrupt+0x141/0x1f0 arch/x86/kernel/irq.c:325
common_interrupt+0xb6/0xe0 arch/x86/kernel/irq.c:318
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
ata_scsi_queuecmd+0x3f0/0x5c0 drivers/ata/libata-scsi.c:4398
scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1626 [inline]
scsi_queue_rq+0x1c91/0x2cc0 drivers/scsi/scsi_lib.c:1868
blk_mq_dispatch_rq_list+0x4c0/0x1900 block/blk-mq.c:2129
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
__blk_mq_sched_dispatch_requests+0xda4/0x1570 block/blk-mq-sched.c:307
blk_mq_sched_dispatch_requests+0xd7/0x190 block/blk-mq-sched.c:329
blk_mq_run_hw_queue+0x404/0x4f0 block/blk-mq.c:2367
blk_mq_dispatch_list+0xd0c/0xe00 include/linux/spinlock.h:-1
blk_mq_flush_plug_list+0x469/0x550 block/blk-mq.c:2976
__blk_flush_plug+0x3d3/0x4b0 block/blk-core.c:1225
blk_finish_plug+0x5e/0x90 block/blk-core.c:1252
wb_writeback+0xa80/0xaf0 fs/fs-writeback.c:2233
wb_check_old_data_flush fs/fs-writeback.c:2301 [inline]
wb_do_writeback fs/fs-writeback.c:2354 [inline]
wb_workfn+0xaef/0xef0 fs/fs-writeback.c:2382
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

to a HARDIRQ-irq-unsafe lock:
(&p->sequence){+.-.}-{0:0}

... which became HARDIRQ-irq-unsafe at:
...
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
do_write_seqcount_begin_nested include/linux/seqlock.h:477 [inline]
do_write_seqcount_begin include/linux/seqlock.h:503 [inline]
fprop_new_period+0x1a3/0x3a0 lib/flex_proportions.c:74
writeout_period+0x8b/0x130 mm/page-writeback.c:615
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0x103/0x180 kernel/time/timer.c:2404
handle_softirqs+0x283/0x870 kernel/softirq.c:622
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

other info that might help us debug this:

Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->sequence);
                               local_irq_disable();
                               lock(&xa->xa_lock#12);
                               lock(&p->sequence);
  <Interrupt>
    lock(&xa->xa_lock#12);

*** DEADLOCK ***

5 locks held by kworker/u4:0/12:
#0: ffff888030f92948 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3238 [inline]
#0: ffff888030f92948 ((wq_completion)writeback){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3346
#1: ffffc900001e7bc0 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3239 [inline]
#1: ffffc900001e7bc0 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3346
#2: ffff888000a240e0 (&type->s_umount_key#54){.+.+}-{4:4}, at: super_trylock_shared+0x20/0xf0 fs/super.c:562
#3: ffff888040a24638 (&fi->lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#3: ffff888040a24638 (&fi->lock){+.+.}-{3:3}, at: fuse_writepages_send fs/fuse/file.c:2089 [inline]
#3: ffff888040a24638 (&fi->lock){+.+.}-{3:3}, at: fuse_iomap_writeback_range+0x818/0x1800 fs/fuse/file.c:2150
#4: ffff888040a24240 (&xa->xa_lock#12){-...}-{3:3}, at: __folio_end_writeback+0x1da/0x950 mm/page-writeback.c:2996

the dependencies between HARDIRQ-irq-safe lock and the holding lock:
-> (&xa->xa_lock#12){-...}-{3:3} {
IN-HARDIRQ-W at:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
__folio_end_writeback+0x1da/0x950 mm/page-writeback.c:2996
folio_end_writeback_no_dropbehind+0x151/0x290 mm/filemap.c:1668
folio_end_writeback+0xea/0x220 mm/filemap.c:1694
end_bio_bh_io_sync+0xba/0x120 fs/buffer.c:2776
blk_update_request+0x57e/0xe60 block/blk-mq.c:998
scsi_end_request+0x7c/0x830 drivers/scsi/scsi_lib.c:637
scsi_io_completion+0x131/0x390 drivers/scsi/scsi_lib.c:1078
ata_qc_complete_multiple+0x1ae/0x280 drivers/ata/libata-sata.c:789
ahci_qc_complete drivers/ata/libahci.c:1887 [inline]
ahci_handle_port_interrupt+0x3d5/0x610 drivers/ata/libahci.c:1954
ahci_port_intr drivers/ata/libahci.c:1965 [inline]
ahci_handle_port_intr+0x19f/0x2e0 drivers/ata/libahci.c:1996
ahci_single_level_irq_intr+0x9b/0xe0 drivers/ata/libahci.c:2030
__handle_irq_event_percpu+0x295/0xab0 kernel/irq/handle.c:203
handle_irq_event_percpu kernel/irq/handle.c:240 [inline]
handle_irq_event+0x8b/0x1e0 kernel/irq/handle.c:257
handle_edge_irq+0x23b/0xa10 kernel/irq/chip.c:855
generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
handle_irq arch/x86/kernel/irq.c:254 [inline]
call_irq_handler arch/x86/kernel/irq.c:-1 [inline]
__common_interrupt+0x141/0x1f0 arch/x86/kernel/irq.c:325
common_interrupt+0xb6/0xe0 arch/x86/kernel/irq.c:318
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
ata_scsi_queuecmd+0x3f0/0x5c0 drivers/ata/libata-scsi.c:4398
scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1626 [inline]
scsi_queue_rq+0x1c91/0x2cc0 drivers/scsi/scsi_lib.c:1868
blk_mq_dispatch_rq_list+0x4c0/0x1900 block/blk-mq.c:2129
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
__blk_mq_sched_dispatch_requests+0xda4/0x1570 block/blk-mq-sched.c:307
blk_mq_sched_dispatch_requests+0xd7/0x190 block/blk-mq-sched.c:329
blk_mq_run_hw_queue+0x404/0x4f0 block/blk-mq.c:2367
blk_mq_dispatch_list+0xd0c/0xe00 include/linux/spinlock.h:-1
blk_mq_flush_plug_list+0x469/0x550 block/blk-mq.c:2976
__blk_flush_plug+0x3d3/0x4b0 block/blk-core.c:1225
blk_finish_plug+0x5e/0x90 block/blk-core.c:1252
wb_writeback+0xa80/0xaf0 fs/fs-writeback.c:2233
wb_check_old_data_flush fs/fs-writeback.c:2301 [inline]
wb_do_writeback fs/fs-writeback.c:2354 [inline]
wb_workfn+0xaef/0xef0 fs/fs-writeback.c:2382
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
INITIAL USE at:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0xa2/0xf0 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:376 [inline]
shmem_add_to_page_cache+0x72d/0xba0 mm/shmem.c:887
shmem_alloc_and_add_folio+0x846/0xf60 mm/shmem.c:1936
shmem_get_folio_gfp+0x59d/0x1660 mm/shmem.c:2533
shmem_read_folio_gfp+0x8a/0xe0 mm/shmem.c:5931
drm_gem_get_pages+0x223/0xa20 drivers/gpu/drm/drm_gem.c:656
drm_gem_shmem_get_pages_locked+0x201/0x440 drivers/gpu/drm/drm_gem_shmem_helper.c:200
drm_gem_shmem_pin_locked+0x22c/0x460 drivers/gpu/drm/drm_gem_shmem_helper.c:261
drm_gem_shmem_vmap_locked+0x46b/0x790 drivers/gpu/drm/drm_gem_shmem_helper.c:365
drm_gem_vmap_locked drivers/gpu/drm/drm_gem.c:1279 [inline]
drm_gem_vmap+0x10a/0x1d0 drivers/gpu/drm/drm_gem.c:1321
drm_client_buffer_vmap+0x43/0x80 drivers/gpu/drm/drm_client.c:312
drm_fbdev_shmem_driver_fbdev_probe+0x258/0x900 drivers/gpu/drm/drm_fbdev_shmem.c:160
drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1650 [inline]
__drm_fb_helper_initial_config_and_unlock+0x1236/0x18a0 drivers/gpu/drm/drm_fb_helper.c:1830
drm_fbdev_client_hotplug+0x16c/0x230 drivers/gpu/drm/clients/drm_fbdev_client.c:52
drm_client_register+0x172/0x210 drivers/gpu/drm/drm_client.c:141
drm_fbdev_client_setup+0x19f/0x3f0 drivers/gpu/drm/clients/drm_fbdev_client.c:159
drm_client_setup+0x107/0x220 drivers/gpu/drm/clients/drm_client_setup.c:46
vkms_create drivers/gpu/drm/vkms/vkms_drv.c:201 [inline]
vkms_init+0x3e0/0x4b0 drivers/gpu/drm/vkms/vkms_drv.c:221
do_one_initcall+0x233/0x820 init/main.c:1283
do_initcall_level+0x104/0x190 init/main.c:1345
do_initcalls+0x59/0xa0 init/main.c:1361
kernel_init_freeable+0x334/0x4b0 init/main.c:1593
kernel_init+0x1d/0x1d0 init/main.c:1483
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
}
... key at: [<ffffffff995cb060>] xa_init_flags.__key+0x0/0x20

the dependencies between the lock to be acquired
and HARDIRQ-irq-unsafe lock:
-> (&p->sequence){+.-.}-{0:0} {
HARDIRQ-ON-W at:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
do_write_seqcount_begin_nested include/linux/seqlock.h:477 [inline]
do_write_seqcount_begin include/linux/seqlock.h:503 [inline]
fprop_new_period+0x1a3/0x3a0 lib/flex_proportions.c:74
writeout_period+0x8b/0x130 mm/page-writeback.c:615
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0x103/0x180 kernel/time/timer.c:2404
handle_softirqs+0x283/0x870 kernel/softirq.c:622
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
IN-SOFTIRQ-W at:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
do_write_seqcount_begin_nested include/linux/seqlock.h:477 [inline]
do_write_seqcount_begin include/linux/seqlock.h:503 [inline]
fprop_new_period+0x1a3/0x3a0 lib/flex_proportions.c:74
writeout_period+0x8b/0x130 mm/page-writeback.c:615
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0x103/0x180 kernel/time/timer.c:2404
handle_softirqs+0x283/0x870 kernel/softirq.c:622
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
INITIAL USE at:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
do_write_seqcount_begin_nested include/linux/seqlock.h:477 [inline]
do_write_seqcount_begin include/linux/seqlock.h:503 [inline]
fprop_new_period+0x1a3/0x3a0 lib/flex_proportions.c:74
writeout_period+0x8b/0x130 mm/page-writeback.c:615
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0x103/0x180 kernel/time/timer.c:2404
handle_softirqs+0x283/0x870 kernel/softirq.c:622
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
INITIAL READ USE at:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
seqcount_lockdep_reader_access include/linux/seqlock.h:72 [inline]
fprop_fraction_percpu+0x170/0x400 lib/flex_proportions.c:155
__wb_calc_thresh+0x119/0x4a0 mm/page-writeback.c:913
wb_bg_dirty_limits mm/page-writeback.c:2130 [inline]
domain_over_bg_thresh mm/page-writeback.c:2144 [inline]
wb_over_bg_thresh+0x154/0x3d0 mm/page-writeback.c:2165
wb_check_background_flush fs/fs-writeback.c:2257 [inline]
wb_do_writeback fs/fs-writeback.c:2355 [inline]
wb_workfn+0xb1c/0xef0 fs/fs-writeback.c:2382
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
}
... key at: [<ffffffff99ac9760>] fprop_global_init.__key.1+0x0/0x20
... acquired at:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
seqcount_lockdep_reader_access include/linux/seqlock.h:72 [inline]
fprop_fraction_percpu+0x130/0x400 lib/flex_proportions.c:155
__fprop_add_percpu_max+0x10d/0x210 lib/flex_proportions.c:186
wb_domain_writeout_add mm/page-writeback.c:562 [inline]
__wb_writeout_add+0xa5/0x290 mm/page-writeback.c:586
__folio_end_writeback+0x4d5/0x950 mm/page-writeback.c:3003
folio_end_writeback_no_dropbehind+0x151/0x290 mm/filemap.c:1668
folio_end_writeback+0xea/0x220 mm/filemap.c:1694
fuse_writepage_finish fs/fuse/file.c:1837 [inline]
fuse_send_writepage fs/fuse/file.c:1887 [inline]
fuse_flush_writepages+0x6c8/0x900 fs/fuse/file.c:1912
fuse_writepages_send fs/fuse/file.c:2091 [inline]
fuse_iomap_writeback_range+0x923/0x1800 fs/fuse/file.c:2150
iomap_writeback_range fs/iomap/buffered-io.c:1593 [inline]
iomap_writeback_folio+0xe72/0x1c80 fs/iomap/buffered-io.c:1718
iomap_writepages+0x162/0x2d0 fs/iomap/buffered-io.c:1770
fuse_writepages+0x2ad/0x380 fs/fuse/file.c:2220
do_writepages+0x32b/0x550 mm/page-writeback.c:2604
__writeback_single_inode+0x145/0xff0 fs/fs-writeback.c:1719
writeback_sb_inodes+0x6c7/0x1010 fs/fs-writeback.c:2015
__writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2086
wb_writeback+0x44f/0xaf0 fs/fs-writeback.c:2197
wb_check_background_flush fs/fs-writeback.c:2267 [inline]
wb_do_writeback fs/fs-writeback.c:2355 [inline]
wb_workfn+0xb63/0xef0 fs/fs-writeback.c:2382
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245


stack backtrace:
CPU: 0 UID: 0 PID: 12 Comm: kworker/u4:0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-0:42)
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_bad_irq_dependency kernel/locking/lockdep.c:2616 [inline]
check_irq_usage kernel/locking/lockdep.c:2857 [inline]
check_prev_add kernel/locking/lockdep.c:3169 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain+0x1f05/0x2140 kernel/locking/lockdep.c:3908
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
seqcount_lockdep_reader_access include/linux/seqlock.h:72 [inline]
fprop_fraction_percpu+0x130/0x400 lib/flex_proportions.c:155
__fprop_add_percpu_max+0x10d/0x210 lib/flex_proportions.c:186
wb_domain_writeout_add mm/page-writeback.c:562 [inline]
__wb_writeout_add+0xa5/0x290 mm/page-writeback.c:586
__folio_end_writeback+0x4d5/0x950 mm/page-writeback.c:3003
folio_end_writeback_no_dropbehind+0x151/0x290 mm/filemap.c:1668
folio_end_writeback+0xea/0x220 mm/filemap.c:1694
fuse_writepage_finish fs/fuse/file.c:1837 [inline]
fuse_send_writepage fs/fuse/file.c:1887 [inline]
fuse_flush_writepages+0x6c8/0x900 fs/fuse/file.c:1912
fuse_writepages_send fs/fuse/file.c:2091 [inline]
fuse_iomap_writeback_range+0x923/0x1800 fs/fuse/file.c:2150
iomap_writeback_range fs/iomap/buffered-io.c:1593 [inline]
iomap_writeback_folio+0xe72/0x1c80 fs/iomap/buffered-io.c:1718
iomap_writepages+0x162/0x2d0 fs/iomap/buffered-io.c:1770
fuse_writepages+0x2ad/0x380 fs/fuse/file.c:2220
do_writepages+0x32b/0x550 mm/page-writeback.c:2604
__writeback_single_inode+0x145/0xff0 fs/fs-writeback.c:1719
writeback_sb_inodes+0x6c7/0x1010 fs/fs-writeback.c:2015
__writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2086
wb_writeback+0x44f/0xaf0 fs/fs-writeback.c:2197
wb_check_background_flush fs/fs-writeback.c:2267 [inline]
wb_do_writeback fs/fs-writeback.c:2355 [inline]
wb_workfn+0xb63/0xef0 fs/fs-writeback.c:2382
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
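
The report above encodes each lock's IRQ history in the four characters inside the first pair of braces, `{-...}` and `{+.-.}`. The following is an added example, not part of the syzbot report or the kernel sources, that decodes those characters and flags a held -> wanted dependency of the kind reported here; the function names are hypothetical and the check is a simplification of lockdep's rule that compares only the write-side character of each IRQ state.

```python
import re

# One lock class as lockdep prints it: (name){usage}-{wait types}.
_LOCK = r"\((\S+?)\)\{([.\-+?]{4})\}-\{[^}]*\}"
# A "held -> wanted" dependency line from a lockdep splat.
DEP_RE = re.compile(_LOCK + r"\s+->\s+" + _LOCK)

# Usage characters come in pairs per IRQ state (lockdep-design.rst):
# position 0 hardirq, 1 hardirq-read, 2 softirq, 3 softirq-read.
STATES = ("hardirq", "hardirq-read", "softirq", "softirq-read")


def decode_usage(usage):
    """Map each state to (taken_in_that_context, taken_with_it_enabled).

    '.' means neither, '-' taken in that IRQ context, '+' taken with that
    IRQ type enabled, '?' both.
    """
    return {s: (c in "-?", c in "+?") for s, c in zip(STATES, usage)}


def find_inversions(report):
    """Return (held, wanted, state) for every dependency line where the held
    lock is taken in an IRQ context that the wanted lock is taken with enabled.
    """
    findings = []
    for line in report.splitlines():
        m = DEP_RE.search(line)
        if m is None:
            continue
        held, held_usage, wanted, wanted_usage = m.groups()
        h, w = decode_usage(held_usage), decode_usage(wanted_usage)
        # Simplification (assumption of this example): only the write-side
        # character of each state is compared; read-side bits are ignored.
        for state in ("hardirq", "softirq"):
            if h[state][0] and w[state][1]:
                findings.append((held, wanted, state))
    return findings


# The first two lines are copied from the report above; the last line is
# constructed as a benign control (held lock never taken in IRQ context).
SAMPLE = """\
which would create a new lock dependency:
(&xa->xa_lock#12){-...}-{3:3} -> (&p->sequence){+.-.}-{0:0}
(&demo_a){....}-{3:3} -> (&demo_b){+.+.}-{4:4}
"""

if __name__ == "__main__":
    for held, wanted, state in find_inversions(SAMPLE):
        print(f"{state}-safe {held} -> {state}-unsafe {wanted}")
```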

Hillf Danton

Oct 7, 2025, 9:10:38 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Tue, 07 Oct 2025 14:19:29 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: cbf33b8e0b36 Merge tag 'bpf-fixes' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17a25ee2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1b4263e12240e6e1
> dashboard link: https://syzkaller.appspot.com/bug?extid=27727256237e6bdd3649
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14eaea7c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=134c4304580000

#syz test

--- x/lib/flex_proportions.c
+++ y/lib/flex_proportions.c
@@ -64,12 +64,14 @@ void fprop_global_destroy(struct fprop_g
bool fprop_new_period(struct fprop_global *p, int periods)
{
s64 events = percpu_counter_sum(&p->events);
+ unsigned long flags;

/*
* Don't do anything if there are no events.
*/
if (events <= 1)
return false;
+ local_irq_save(flags);
preempt_disable_nested();
write_seqcount_begin(&p->sequence);
if (periods < 64)
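Review bot: With local_irq_save(flags) placed directly ahead of preempt_disable_nested(), the preemption call appears redundant, because the section already runs with interrupts off; either drop the preempt_disable_nested()/preempt_enable_nested() pair or state why both are kept. The added line also needs a comment saying why interrupts must be off around write_seqcount_begin(&p->sequence), for example that the reader side runs under xa_lock, which the report shows being taken in hardirq context.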
@@ -79,6 +81,7 @@ bool fprop_new_period(struct fprop_globa
p->period += periods;
write_seqcount_end(&p->sequence);
preempt_enable_nested();
+ local_irq_restore(flags);

return true;
}
--

syzbot

Oct 7, 2025, 9:32:04 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+277272...@syzkaller.appspotmail.com
Tested-by: syzbot+277272...@syzkaller.appspotmail.com

Tested on:

commit: 0d97f206 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1672da7c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d6fcded704acad42
dashboard link: https://syzkaller.appspot.com/bug?extid=27727256237e6bdd3649
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=10ef5458580000

Note: testing is done by a robot and is best-effort only.

Hillf Danton

Oct 9, 2025, 4:55:33 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Tue, 07 Oct 2025 14:19:29 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: cbf33b8e0b36 Merge tag 'bpf-fixes' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17a25ee2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1b4263e12240e6e1
> dashboard link: https://syzkaller.appspot.com/bug?extid=27727256237e6bdd3649
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14eaea7c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=134c4304580000

#syz test

--- x/include/linux/flex_proportions.h
+++ y/include/linux/flex_proportions.h
@@ -31,7 +31,7 @@ struct fprop_global {
/* Current period */
unsigned int period;
/* Synchronization with period transitions */
- seqcount_t sequence;
+ seqlock_t sequence;
};

int fprop_global_init(struct fprop_global *p, gfp_t gfp);
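Review bot: Changing `sequence` from seqcount_t to seqlock_t adds a spinlock to every struct fprop_global, yet the comment above the field still reads only "Synchronization with period transitions". Update the comment to say that the lock also serializes writers and is taken with interrupts disabled, and explain in the changelog why disabling interrupts around the existing seqcount write, as in the earlier test patch in this thread, was not sufficient.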
--- x/lib/flex_proportions.c
+++ y/lib/flex_proportions.c
@@ -44,7 +44,7 @@ int fprop_global_init(struct fprop_globa
err = percpu_counter_init(&p->events, 1, gfp);
if (err)
return err;
- seqcount_init(&p->sequence);
+ seqlock_init(&p->sequence);
return 0;
}

@@ -64,21 +64,20 @@ void fprop_global_destroy(struct fprop_g
bool fprop_new_period(struct fprop_global *p, int periods)
{
s64 events = percpu_counter_sum(&p->events);
+ unsigned long flags;

/*
* Don't do anything if there are no events.
*/
if (events <= 1)
return false;
- preempt_disable_nested();
- write_seqcount_begin(&p->sequence);
+ write_seqlock_irqsave(&p->sequence, flags);
if (periods < 64)
events -= events >> periods;
/* Use addition to avoid losing events happening between sum and set */
percpu_counter_add(&p->events, -events);
p->period += periods;
- write_seqcount_end(&p->sequence);
- preempt_enable_nested();
+ write_sequnlock_irqrestore(&p->sequence, flags);

return true;
}
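Review bot: write_seqlock_irqsave(&p->sequence, flags) keeps interrupts off across percpu_counter_add(&p->events, -events) as well as the period update, and nothing in the function says why the irqsave variant is required. Add a short comment above the lock call naming the reader path that motivates it (the __folio_end_writeback path under xa_lock in the report), so the call is not later relaxed to a plain write_seqlock().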
@@ -148,15 +147,15 @@ void fprop_fraction_percpu(struct fprop_
struct fprop_local_percpu *pl,
unsigned long *numerator, unsigned long *denominator)
{
- unsigned int seq;
+ unsigned seq;
s64 num, den;

do {
- seq = read_seqcount_begin(&p->sequence);
+ seq = read_seqbegin(&p->sequence);
fprop_reflect_period_percpu(p, pl);
num = percpu_counter_read_positive(&pl->events);
den = percpu_counter_read_positive(&p->events);
- } while (read_seqcount_retry(&p->sequence, seq));
+ } while (read_seqretry(&p->sequence, seq));

/*
* Make fraction <= 1 and denominator > 0 even in presence of percpu
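Review bot: The declaration change from `unsigned int seq;` to `unsigned seq;` is unrelated to the locking conversion and goes against kernel style, where checkpatch asks for `unsigned int` rather than bare `unsigned`. Keep the original declaration so this hunk only swaps read_seqcount_begin()/read_seqcount_retry() for read_seqbegin()/read_seqretry().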
--

syzbot

Oct 9, 2025, 5:16:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+277272...@syzkaller.appspotmail.com
Tested-by: syzbot+277272...@syzkaller.appspotmail.com

Tested on:

commit: ec714e37 Merge tag 'perf-tools-for-v6.18-1-2025-10-08'..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16834542580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a19be70789ed377
dashboard link: https://syzkaller.appspot.com/bug?extid=27727256237e6bdd3649
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=17b51892580000

Tingmao Wang

Dec 1, 2025, 3:43:10 AM
to Miklos Szeredi, linux-...@vger.kernel.org, ak...@linux-foundation.org, linu...@kvack.org, wi...@infradead.org, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hi all, just for information, I seem to be able to reproduce this
occasionally (have seen it happen on 3 separate occasions) when lockdep is
enabled, but it doesn't seem like there is any mention of this on lore
aside from this syzbot report, hence sending this quick email.

The setup is a QEMU VM using virtiofs exported from the host via virtiofsd
as the guest rootfs. The guest is running Debian (Docker image extracted
as rootfs). I'm not sure exactly how to reproduce it, but it seems like
it happens when doing things like "apt update" / "apt install <thing>".
First observed on next-20251031 but now happens in 6.18.0-rc7.

Sometimes the warning is "WARNING: possible irq lock inversion dependency
detected" instead. Console log for this at
https://fileshare.maowtm.org/20251130/lockdep-splat.txt

First few lines:
========================================================
WARNING: possible irq lock inversion dependency detected
6.18.0-rc7-dev-00007-g3ef6e4434e3a #1 Tainted: G N
--------------------------------------------------------
swapper/4/0 just changed the state of lock:
ffff8881030c0880 (&xa->xa_lock#8){-...}-{3:3}, at: __folio_end_writeback (./include/linux/instrumented.h:82 ./include/asm-generic/bitops/instrumented-lock.h:79 ./include/linux/page-flags.h:772 mm/page-writeback.c:2997)
but this lock took another, HARDIRQ-unsafe lock in the past:
(&p->sequence){+.-.}-{0:0}

> [...]