syz-executor.5: attempt to access beyond end of device loop5: rw=4096, sector=2, nr_sectors = 2 limit=0 EXT4-fs (loop5): unable to read superblock ======================================================== WARNING: possible irq lock inversion dependency detected 6.4.0-rc7-next-20230623 #1 Not tainted -------------------------------------------------------- kworker/1:1H/6048 just changed the state of lock: ffffffff85815818 (blkg_stat_lock){+.-.}-{2:2}, at: __blkcg_rstat_flush.isra.0+0x11f/0x4e0 but this lock was taken by another, HARDIRQ-safe lock in the past: (per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)){-.-.}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(blkg_stat_lock); local_irq_disable(); lock(per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)); lock(blkg_stat_lock); lock(per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)); *** DEADLOCK *** 5 locks held by kworker/1:1H/6048: #0: ffff888008eed138 ((wq_completion)kblockd){+.+.}-{0:0}, at: process_one_work+0x99d/0x1770 #1: ffff8880438dfdb0 ((work_completion)(&(&hctx->run_work)->work)){+.+.}-{0:0}, at: process_one_work+0x9d0/0x1770 #2: ffffffff8560b6c0 (rcu_read_lock){....}-{1:2}, at: blk_mq_run_work_fn+0x1b5/0x390 #3: ffffffff8560b5a0 (rcu_callback){....}-{0:0}, at: rcu_core+0x83e/0x28b0 #4: ffffffff8560b6c0 (rcu_read_lock){....}-{1:2}, at: __blkcg_rstat_flush.isra.0+0x93/0x4e0 the shortest dependencies between 2nd lock and 1st lock: -> (per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)){-.-.}-{2:2} { IN-HARDIRQ-W at: lock_acquire+0x19a/0x4c0 _raw_spin_lock_irqsave+0x3a/0x60 cgroup_rstat_updated+0xcb/0x2e0 __cgroup_account_cputime_field+0xa0/0x120 account_system_index_time+0x199/0x2c0 update_process_times+0x26/0x150 tick_sched_handle+0x8e/0x170 tick_sched_timer+0xe6/0x110 __hrtimer_run_queues+0x17f/0xb60 hrtimer_interrupt+0x2ef/0x750 __sysvec_apic_timer_interrupt+0xff/0x380 sysvec_apic_timer_interrupt+0x69/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 stack_trace_consume_entry+0xaf/0x170 arch_stack_walk+0x77/0xf0 stack_trace_save+0x90/0xd0 kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 __kasan_slab_alloc+0x59/0x70 kmem_cache_alloc+0x16b/0x370 alloc_empty_file+0x76/0x1d0 path_openat+0xd8/0x2710 do_filp_open+0x1ba/0x410 do_sys_openat2+0x164/0x1d0 __x64_sys_openat+0x143/0x200 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 IN-SOFTIRQ-W at: lock_acquire+0x19a/0x4c0 _raw_spin_lock_irqsave+0x3a/0x60 cgroup_rstat_updated+0xcb/0x2e0 __cgroup_account_cputime+0x75/0xc0 update_curr+0x350/0x6d0 dequeue_task_fair+0x20e/0x14a0 load_balance+0xcb4/0x2790 rebalance_domains+0x66c/0xc00 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 __sanitizer_cov_trace_pc+0x3b/0x70 shmem_get_folio_gfp.constprop.0+0x5e1/0x17d0 shmem_fallocate+0x782/0xef0 vfs_fallocate+0x493/0xe80 __x64_sys_fallocate+0xd3/0x140 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 INITIAL USE at: lock_acquire+0x19a/0x4c0 _raw_spin_lock_irqsave+0x3a/0x60 cgroup_rstat_flush_locked+0x131/0xd80 cgroup_rstat_flush+0x37/0x50 do_flush_stats+0x97/0xf0 flush_memcg_stats_dwork+0x9/0x50 process_one_work+0xabf/0x1770 worker_thread+0x64f/0x12a0 kthread+0x33f/0x440 ret_from_fork+0x2c/0x50 } ... key at: [] __key.0+0x0/0x40 ... acquired at: _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 blkcg_rstat_flush+0x87/0xb0 cgroup_rstat_flush_locked+0x706/0xd80 cgroup_rstat_flush+0x37/0x50 do_flush_stats+0x97/0xf0 mem_cgroup_wb_stats+0x3d8/0x4b0 balance_dirty_pages+0x339/0x2640 balance_dirty_pages_ratelimited_flags+0xbce/0x1130 fault_dirty_shared_page+0x2b3/0x500 do_wp_page+0x3c8/0x3b00 __handle_mm_fault+0xcbc/0x2d20 handle_mm_fault+0x1af/0xba0 do_user_addr_fault+0x58e/0x12f0 exc_page_fault+0x9c/0x1a0 asm_exc_page_fault+0x26/0x30 -> (blkg_stat_lock){+.-.}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 __blkg_release+0xfa/0x3b0 rcu_core+0x8c8/0x28b0 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 write_comp_data+0x21/0x90 scsi_init_command+0x9b/0x280 scsi_queue_rq+0x1540/0x3120 blk_mq_dispatch_rq_list+0x600/0x1dc0 __blk_mq_sched_dispatch_requests+0xcd8/0x1520 blk_mq_sched_dispatch_requests+0x10a/0x190 blk_mq_run_work_fn+0x206/0x390 process_one_work+0xabf/0x1770 worker_thread+0x64f/0x12a0 kthread+0x33f/0x440 ret_from_fork+0x2c/0x50 IN-SOFTIRQ-W at: lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 __blkg_release+0xfa/0x3b0 rcu_core+0x8c8/0x28b0 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 write_comp_data+0x21/0x90 scsi_init_command+0x9b/0x280 scsi_queue_rq+0x1540/0x3120 blk_mq_dispatch_rq_list+0x600/0x1dc0 __blk_mq_sched_dispatch_requests+0xcd8/0x1520 blk_mq_sched_dispatch_requests+0x10a/0x190 blk_mq_run_work_fn+0x206/0x390 process_one_work+0xabf/0x1770 worker_thread+0x64f/0x12a0 kthread+0x33f/0x440 ret_from_fork+0x2c/0x50 INITIAL USE at: lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 blkcg_rstat_flush+0x87/0xb0 cgroup_rstat_flush_locked+0x706/0xd80 cgroup_rstat_flush+0x37/0x50 do_flush_stats+0x97/0xf0 mem_cgroup_wb_stats+0x3d8/0x4b0 balance_dirty_pages+0x339/0x2640 balance_dirty_pages_ratelimited_flags+0xbce/0x1130 fault_dirty_shared_page+0x2b3/0x500 do_wp_page+0x3c8/0x3b00 __handle_mm_fault+0xcbc/0x2d20 handle_mm_fault+0x1af/0xba0 do_user_addr_fault+0x58e/0x12f0 exc_page_fault+0x9c/0x1a0 asm_exc_page_fault+0x26/0x30 } ... key at: [] blkg_stat_lock+0x18/0x60 ... acquired at: __lock_acquire+0x8b8/0x6340 lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 __blkg_release+0xfa/0x3b0 rcu_core+0x8c8/0x28b0 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 write_comp_data+0x21/0x90 scsi_init_command+0x9b/0x280 scsi_queue_rq+0x1540/0x3120 blk_mq_dispatch_rq_list+0x600/0x1dc0 __blk_mq_sched_dispatch_requests+0xcd8/0x1520 blk_mq_sched_dispatch_requests+0x10a/0x190 blk_mq_run_work_fn+0x206/0x390 process_one_work+0xabf/0x1770 worker_thread+0x64f/0x12a0 kthread+0x33f/0x440 ret_from_fork+0x2c/0x50 stack backtrace: CPU: 1 PID: 6048 Comm: kworker/1:1H Not tainted 6.4.0-rc7-next-20230623 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: kblockd blk_mq_run_work_fn Call Trace: dump_stack_lvl+0x91/0xf0 print_irq_inversion_bug.part.0+0x3d5/0x570 mark_lock.part.0+0x900/0x2f50 __lock_acquire+0x8b8/0x6340 lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 __blkg_release+0xfa/0x3b0 rcu_core+0x8c8/0x28b0 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:write_comp_data+0x21/0x90 Code: 90 90 90 90 90 90 90 90 90 49 89 f1 49 89 d2 49 89 f8 65 8b 05 98 31 b7 7e 89 c6 81 e6 00 01 00 00 65 48 8b 14 25 c0 8a 03 00 00 01 ff 00 74 0e 85 f6 74 59 8b 82 9c 14 00 00 85 c0 74 4f 8b RSP: 0018:ffff8880438df928 EFLAGS: 00000246 RAX: 0000000080000000 RBX: ffff88800cc06120 RCX: ffffffff82e1cafb RDX: ffff8880449eb680 RSI: 0000000000000000 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800bed6000 R13: 0000000000000005 R14: ffff88800c4ee000 R15: ffff88800bed6000 scsi_init_command+0x9b/0x280 scsi_queue_rq+0x1540/0x3120 blk_mq_dispatch_rq_list+0x600/0x1dc0 __blk_mq_sched_dispatch_requests+0xcd8/0x1520 blk_mq_sched_dispatch_requests+0x10a/0x190 blk_mq_run_work_fn+0x206/0x390 process_one_work+0xabf/0x1770 worker_thread+0x64f/0x12a0 kthread+0x33f/0x440 ret_from_fork+0x2c/0x50 syz-executor.5: attempt to access beyond end of device loop5: rw=4096, sector=2, nr_sectors = 2 limit=0 EXT4-fs (loop5): unable to read superblock netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'. ---------------- Code disassembly (best guess): 0: 90 nop 1: 90 nop 2: 90 nop 3: 90 nop 4: 90 nop 5: 90 nop 6: 90 nop 7: 90 nop 8: 90 nop 9: 49 89 f1 mov %rsi,%r9 c: 49 89 d2 mov %rdx,%r10 f: 49 89 f8 mov %rdi,%r8 12: 65 8b 05 98 31 b7 7e mov %gs:0x7eb73198(%rip),%eax # 0x7eb731b1 19: 89 c6 mov %eax,%esi 1b: 81 e6 00 01 00 00 and $0x100,%esi 21: 65 48 8b 14 25 c0 8a mov %gs:0x38ac0,%rdx 28: 03 00 * 2a: a9 00 01 ff 00 test $0xff0100,%eax <-- trapping instruction 2f: 74 0e je 0x3f 31: 85 f6 test %esi,%esi 33: 74 59 je 0x8e 35: 8b 82 9c 14 00 00 mov 0x149c(%rdx),%eax 3b: 85 c0 test %eax,%eax 3d: 74 4f je 0x8e 3f: 8b .byte 0x8b