========================================================
WARNING: possible irq lock inversion dependency detected
6.4.0-rc7-next-20230623 #1 Not tainted
--------------------------------------------------------
syz-executor.5/4875 just changed the state of lock:
ffffffff85815818 (blkg_stat_lock){+.-.}-{2:2}, at: __blkcg_rstat_flush.isra.0+0x11f/0x4e0
but this lock was taken by another, HARDIRQ-safe lock in the past:
 (per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)){-.-.}-{2:2}

and interrupts could create inverse lock ordering between them.

other info that might help us debug this:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(blkg_stat_lock);
                               local_irq_disable();
                               lock(per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu));
                               lock(blkg_stat_lock);
  <Interrupt>
    lock(per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu));

 *** DEADLOCK ***

3 locks held by syz-executor.5/4875:
 #0: ffff88800ff0e418 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xe7/0x1300
 #1: ffffffff8560b5a0 (rcu_callback){....}-{0:0}, at: rcu_core+0x83e/0x28b0
 #2: ffffffff8560b6c0 (rcu_read_lock){....}-{1:2}, at: __blkcg_rstat_flush.isra.0+0x93/0x4e0

the shortest dependencies between 2nd lock and 1st lock:
 -> (per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)){-.-.}-{2:2} {
    IN-HARDIRQ-W at:
      lock_acquire+0x19a/0x4c0
      _raw_spin_lock_irqsave+0x3a/0x60
      cgroup_rstat_updated+0xcb/0x2e0
      __cgroup_account_cputime_field+0xa0/0x120
      account_system_index_time+0x199/0x2c0
      update_process_times+0x26/0x150
      tick_sched_handle+0x8e/0x170
      tick_sched_timer+0xe6/0x110
      __hrtimer_run_queues+0x17f/0xb60
      hrtimer_interrupt+0x2ef/0x750
      __sysvec_apic_timer_interrupt+0xff/0x380
      sysvec_apic_timer_interrupt+0x69/0x90
      asm_sysvec_apic_timer_interrupt+0x1a/0x20
      __sanitizer_cov_trace_const_cmp4+0x8/0x20
      __get_task_ioprio+0x1df/0x290
      vfs_read+0x39e/0x8f0
      ksys_read+0x122/0x250
      do_syscall_64+0x3f/0x90
      entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    IN-SOFTIRQ-W at:
      lock_acquire+0x19a/0x4c0
      _raw_spin_lock_irqsave+0x3a/0x60
      cgroup_rstat_updated+0xcb/0x2e0
      __cgroup_account_cputime+0x75/0xc0
      update_curr+0x350/0x6d0
      dequeue_task_fair+0x20e/0x14a0
      load_balance+0xcb4/0x2790
      rebalance_domains+0x66c/0xc00
      __do_softirq+0x1b7/0x7d4
      irq_exit_rcu+0x93/0xc0
      sysvec_apic_timer_interrupt+0x6e/0x90
      asm_sysvec_apic_timer_interrupt+0x1a/0x20
      __sanitizer_cov_trace_pc+0x11/0x70
      in_gate_area_no_mm+0x10/0x80
      core_kernel_text+0x24/0xa0
      kernel_text_address+0x11/0xc0
      __kernel_text_address+0xd/0x40
      unwind_get_return_address+0x59/0xa0
      arch_stack_walk+0x9d/0xf0
      stack_trace_save+0x90/0xd0
      set_track_prepare+0x74/0xd0
      __create_object+0x3b2/0xc90
      kmem_cache_alloc+0x20b/0x370
      security_file_alloc+0x38/0x170
      init_file+0x98/0x1f0
      alloc_empty_file+0x94/0x1d0
      path_openat+0xd8/0x2710
      do_filp_open+0x1ba/0x410
      do_sys_openat2+0x164/0x1d0
      __x64_sys_openat+0x143/0x200
      do_syscall_64+0x3f/0x90
      entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    INITIAL USE at:
      lock_acquire+0x19a/0x4c0
      _raw_spin_lock_irqsave+0x3a/0x60
      cgroup_rstat_flush_locked+0x131/0xd80
      cgroup_rstat_flush+0x37/0x50
      do_flush_stats+0x97/0xf0
      flush_memcg_stats_dwork+0x9/0x50
      process_one_work+0xabf/0x1770
      worker_thread+0x64f/0x12a0
      kthread+0x33f/0x440
      ret_from_fork+0x2c/0x50
  }
  ... key      at: [] __key.0+0x0/0x40
  ... acquired at:
    _raw_spin_lock+0x2b/0x40
    __blkcg_rstat_flush.isra.0+0x11f/0x4e0
    blkcg_rstat_flush+0x87/0xb0
    cgroup_rstat_flush_locked+0x706/0xd80
    cgroup_rstat_flush+0x37/0x50
    do_flush_stats+0x97/0xf0
    flush_memcg_stats_dwork+0x9/0x50
    process_one_work+0xabf/0x1770
    worker_thread+0x64f/0x12a0
    kthread+0x33f/0x440
    ret_from_fork+0x2c/0x50

 -> (blkg_stat_lock){+.-.}-{2:2} {
    HARDIRQ-ON-W at:
      lock_acquire+0x19a/0x4c0
      _raw_spin_lock+0x2b/0x40
      __blkcg_rstat_flush.isra.0+0x11f/0x4e0
      __blkg_release+0xfa/0x3b0
      rcu_core+0x8c8/0x28b0
      __do_softirq+0x1b7/0x7d4
      irq_exit_rcu+0x93/0xc0
      sysvec_apic_timer_interrupt+0x6e/0x90
      asm_sysvec_apic_timer_interrupt+0x1a/0x20
      __sanitizer_cov_trace_pc+0x60/0x70
      get_symbol_offset+0x82/0x150
      kallsyms_lookup_buildid+0xdc/0x230
      __sprint_symbol.constprop.0+0xab/0x200
      symbol_string+0x405/0x470
      pointer+0x3b4/0xc70
      vsnprintf+0x5ac/0x1650
      seq_vprintf+0xc7/0x170
      SEQ_printf+0xc5/0x120
      print_cpu+0x157/0xb30
      timer_list_show+0xf4/0x1e0
      seq_read_iter+0x514/0x1300
      proc_reg_read_iter+0x214/0x2f0
      vfs_read+0x4b5/0x8f0
      __x64_sys_pread64+0x1f6/0x250
      do_syscall_64+0x3f/0x90
      entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    IN-SOFTIRQ-W at:
      lock_acquire+0x19a/0x4c0
      _raw_spin_lock+0x2b/0x40
      __blkcg_rstat_flush.isra.0+0x11f/0x4e0
      __blkg_release+0xfa/0x3b0
      rcu_core+0x8c8/0x28b0
      __do_softirq+0x1b7/0x7d4
      irq_exit_rcu+0x93/0xc0
      sysvec_apic_timer_interrupt+0x6e/0x90
      asm_sysvec_apic_timer_interrupt+0x1a/0x20
      __sanitizer_cov_trace_pc+0x60/0x70
      get_symbol_offset+0x82/0x150
      kallsyms_lookup_buildid+0xdc/0x230
      __sprint_symbol.constprop.0+0xab/0x200
      symbol_string+0x405/0x470
      pointer+0x3b4/0xc70
      vsnprintf+0x5ac/0x1650
      seq_vprintf+0xc7/0x170
      SEQ_printf+0xc5/0x120
      print_cpu+0x157/0xb30
      timer_list_show+0xf4/0x1e0
      seq_read_iter+0x514/0x1300
      proc_reg_read_iter+0x214/0x2f0
      vfs_read+0x4b5/0x8f0
      __x64_sys_pread64+0x1f6/0x250
      do_syscall_64+0x3f/0x90
      entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    INITIAL USE at:
      lock_acquire+0x19a/0x4c0
      _raw_spin_lock+0x2b/0x40
      __blkcg_rstat_flush.isra.0+0x11f/0x4e0
      blkcg_rstat_flush+0x87/0xb0
      cgroup_rstat_flush_locked+0x706/0xd80
      cgroup_rstat_flush+0x37/0x50
      do_flush_stats+0x97/0xf0
      flush_memcg_stats_dwork+0x9/0x50
      process_one_work+0xabf/0x1770
      worker_thread+0x64f/0x12a0
      kthread+0x33f/0x440
      ret_from_fork+0x2c/0x50
  }
  ... key      at: [] blkg_stat_lock+0x18/0x60
  ... acquired at:
    __lock_acquire+0x8b8/0x6340
    lock_acquire+0x19a/0x4c0
    _raw_spin_lock+0x2b/0x40
    __blkcg_rstat_flush.isra.0+0x11f/0x4e0
    __blkg_release+0xfa/0x3b0
    rcu_core+0x8c8/0x28b0
    __do_softirq+0x1b7/0x7d4
    irq_exit_rcu+0x93/0xc0
    sysvec_apic_timer_interrupt+0x6e/0x90
    asm_sysvec_apic_timer_interrupt+0x1a/0x20
    __sanitizer_cov_trace_pc+0x60/0x70
    get_symbol_offset+0x82/0x150
    kallsyms_lookup_buildid+0xdc/0x230
    __sprint_symbol.constprop.0+0xab/0x200
    symbol_string+0x405/0x470
    pointer+0x3b4/0xc70
    vsnprintf+0x5ac/0x1650
    seq_vprintf+0xc7/0x170
    SEQ_printf+0xc5/0x120
    print_cpu+0x157/0xb30
    timer_list_show+0xf4/0x1e0
    seq_read_iter+0x514/0x1300
    proc_reg_read_iter+0x214/0x2f0
    vfs_read+0x4b5/0x8f0
    __x64_sys_pread64+0x1f6/0x250
    do_syscall_64+0x3f/0x90
    entry_SYSCALL_64_after_hwframe+0x6e/0xd8


stack backtrace:
CPU: 0 PID: 4875 Comm: syz-executor.5 Not tainted 6.4.0-rc7-next-20230623 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x91/0xf0
 print_irq_inversion_bug.part.0+0x3d5/0x570
 mark_lock.part.0+0x900/0x2f50
 __lock_acquire+0x8b8/0x6340
 lock_acquire+0x19a/0x4c0
 _raw_spin_lock+0x2b/0x40
 __blkcg_rstat_flush.isra.0+0x11f/0x4e0
 __blkg_release+0xfa/0x3b0
 rcu_core+0x8c8/0x28b0
 __do_softirq+0x1b7/0x7d4
 irq_exit_rcu+0x93/0xc0
 sysvec_apic_timer_interrupt+0x6e/0x90
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x60/0x70
Code: 82 78 14 00 00 83 f8 02 75 20 48 8b 8a 80 14 00 00 8b 92 7c 14 00 00 48 8b 01 48 83 c0 01 48 39 c2 76 07 48 89 01 48 89 34 c1 <e9> 1b b1 08 03 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
RSP: 0018:ffff8880439df3a8 EFLAGS: 00000212
RAX: 000000000001e344 RBX: 0000000000000008 RCX: ffffc90002fd7000
RDX: 0000000000040000 RSI: ffffffff8141ced2 RDI: 0000000000000001
RBP: ffffffff84e7285d R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000001 R12: 0000000000000017
R13: 0000000000000033 R14: dffffc0000000000 R15: ffff8880439df490
 get_symbol_offset+0x82/0x150
 kallsyms_lookup_buildid+0xdc/0x230
 __sprint_symbol.constprop.0+0xab/0x200
 symbol_string+0x405/0x470
 pointer+0x3b4/0xc70
 vsnprintf+0x5ac/0x1650
 seq_vprintf+0xc7/0x170
 SEQ_printf+0xc5/0x120
 print_cpu+0x157/0xb30
 timer_list_show+0xf4/0x1e0
 seq_read_iter+0x514/0x1300
 proc_reg_read_iter+0x214/0x2f0
 vfs_read+0x4b5/0x8f0
 __x64_sys_pread64+0x1f6/0x250
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7f7f82b20b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7f80096188 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 00007f7f82c33f60 RCX: 00007f7f82b20b19
RDX: 000000000000100a RSI: 0000000020004240 RDI: 0000000000000004
RBP: 00007f7f82b7af6d R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000056e R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe277683df R14: 00007f7f80096300 R15: 0000000000022000
UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
misc raw-gadget: fail, usb_gadget_register_driver returned -16
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:   78 14                   js     0x16
   2:   00 00                   add    %al,(%rax)
   4:   83 f8 02                cmp    $0x2,%eax
   7:   75 20                   jne    0x29
   9:   48 8b 8a 80 14 00 00    mov    0x1480(%rdx),%rcx
  10:   8b 92 7c 14 00 00       mov    0x147c(%rdx),%edx
  16:   48 8b 01                mov    (%rcx),%rax
  19:   48 83 c0 01             add    $0x1,%rax
  1d:   48 39 c2                cmp    %rax,%rdx
  20:   76 07                   jbe    0x29
  22:   48 89 01                mov    %rax,(%rcx)
  25:   48 89 34 c1             mov    %rsi,(%rcx,%rax,8)
* 29:   e9 1b b1 08 03          jmpq   0x308b149 <-- trapping instruction
  2e:   66 66 2e 0f 1f 84 00    data16 nopw %cs:0x0(%rax,%rax,1)
  35:   00 00 00 00
  39:   90                      nop
  3a:   90                      nop
  3b:   90                      nop
  3c:   90                      nop
  3d:   90                      nop
  3e:   90                      nop