======================================================== WARNING: possible irq lock inversion dependency detected 6.4.0-rc7-next-20230623 #1 Not tainted -------------------------------------------------------- syz-executor.6/274 just changed the state of lock: ffffffff85815818 (blkg_stat_lock){+.-.}-{2:2}, at: __blkcg_rstat_flush.isra.0+0x11f/0x4e0 but this lock was taken by another, HARDIRQ-safe lock in the past: (per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)){-.-.}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(blkg_stat_lock); local_irq_disable(); lock(per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)); lock(blkg_stat_lock); lock(per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)); *** DEADLOCK *** 5 locks held by syz-executor.6/274: #0: ffffffff85687bb0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap+0xf5/0x1770 #1: ffff8880165426a0 (&mm->mmap_lock){++++}-{3:3}, at: dup_mmap+0x113/0x1770 #2: ffff888008459d60 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mmap+0x163/0x1770 #3: ffffffff8560b5a0 (rcu_callback){....}-{0:0}, at: rcu_core+0x83e/0x28b0 #4: ffffffff8560b6c0 (rcu_read_lock){....}-{1:2}, at: __blkcg_rstat_flush.isra.0+0x93/0x4e0 the shortest dependencies between 2nd lock and 1st lock: -> (per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)){-.-.}-{2:2} { IN-HARDIRQ-W at: lock_acquire+0x19a/0x4c0 _raw_spin_lock_irqsave+0x3a/0x60 cgroup_rstat_updated+0xcb/0x2e0 __cgroup_account_cputime_field+0xa0/0x120 account_system_index_time+0x199/0x2c0 update_process_times+0x26/0x150 tick_sched_handle+0x8e/0x170 tick_sched_timer+0xe6/0x110 __hrtimer_run_queues+0x17f/0xb60 hrtimer_interrupt+0x2ef/0x750 __sysvec_apic_timer_interrupt+0xff/0x380 sysvec_apic_timer_interrupt+0x69/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 lock_acquire+0x4d/0x4c0 fs_reclaim_acquire+0x121/0x170 kmem_cache_alloc_lru+0x5a/0x680 __d_alloc+0x31/0x9c0 d_alloc_parallel+0x10e/0x1640 lookup_open.isra.0+0x909/0x1400 path_openat+0x96c/0x2710 do_filp_open+0x1ba/0x410 do_sys_openat2+0x164/0x1d0 __x64_sys_openat+0x143/0x200 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 IN-SOFTIRQ-W at: lock_acquire+0x19a/0x4c0 _raw_spin_lock_irqsave+0x3a/0x60 cgroup_rstat_updated+0xcb/0x2e0 __cgroup_account_cputime+0x75/0xc0 update_curr+0x350/0x6d0 enqueue_task_fair+0x6a9/0x1ca0 activate_task+0xe7/0x250 ttwu_do_activate+0x10d/0x7a0 try_to_wake_up+0x627/0x1b30 __do_softirq+0x6de/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 __orc_find+0xa7/0xf0 unwind_next_frame+0x2b1/0x2490 arch_stack_walk+0x87/0xf0 stack_trace_save+0x90/0xd0 set_track_prepare+0x74/0xd0 __create_object+0x3b2/0xc90 kmem_cache_alloc+0x20b/0x370 security_file_alloc+0x38/0x170 init_file+0x98/0x1f0 alloc_empty_file+0x94/0x1d0 path_openat+0xd8/0x2710 do_filp_open+0x1ba/0x410 do_sys_openat2+0x164/0x1d0 __x64_sys_openat+0x143/0x200 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 INITIAL USE at: lock_acquire+0x19a/0x4c0 _raw_spin_lock_irqsave+0x3a/0x60 cgroup_rstat_flush_locked+0x131/0xd80 cgroup_rstat_flush+0x37/0x50 do_flush_stats+0x97/0xf0 flush_memcg_stats_dwork+0x9/0x50 process_one_work+0xabf/0x1770 worker_thread+0x64f/0x12a0 kthread+0x33f/0x440 ret_from_fork+0x2c/0x50 } ... key at: [] __key.0+0x0/0x40 ... acquired at: _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 blkcg_rstat_flush+0x87/0xb0 cgroup_rstat_flush_locked+0x706/0xd80 cgroup_rstat_flush+0x37/0x50 do_flush_stats+0x97/0xf0 flush_memcg_stats_dwork+0x9/0x50 process_one_work+0xabf/0x1770 worker_thread+0x64f/0x12a0 kthread+0x33f/0x440 ret_from_fork+0x2c/0x50 -> (blkg_stat_lock){+.-.}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 __blkg_release+0xfa/0x3b0 rcu_core+0x8c8/0x28b0 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 obj_cgroup_charge+0x1a0/0x530 kmem_cache_alloc+0x9f/0x370 anon_vma_fork+0xe6/0x630 dup_mmap+0xe49/0x1770 copy_process+0x3e68/0x7320 kernel_clone+0xeb/0x7d0 __do_sys_clone+0xba/0x100 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 IN-SOFTIRQ-W at: lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 __blkg_release+0xfa/0x3b0 rcu_core+0x8c8/0x28b0 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 obj_cgroup_charge+0x1a0/0x530 kmem_cache_alloc+0x9f/0x370 anon_vma_fork+0xe6/0x630 dup_mmap+0xe49/0x1770 copy_process+0x3e68/0x7320 kernel_clone+0xeb/0x7d0 __do_sys_clone+0xba/0x100 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 INITIAL USE at: lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 blkcg_rstat_flush+0x87/0xb0 cgroup_rstat_flush_locked+0x706/0xd80 cgroup_rstat_flush+0x37/0x50 do_flush_stats+0x97/0xf0 flush_memcg_stats_dwork+0x9/0x50 process_one_work+0xabf/0x1770 worker_thread+0x64f/0x12a0 kthread+0x33f/0x440 ret_from_fork+0x2c/0x50 } ... key at: [] blkg_stat_lock+0x18/0x60 ... acquired at: __lock_acquire+0x8b8/0x6340 lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 __blkg_release+0xfa/0x3b0 rcu_core+0x8c8/0x28b0 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 obj_cgroup_charge+0x1a0/0x530 kmem_cache_alloc+0x9f/0x370 anon_vma_fork+0xe6/0x630 dup_mmap+0xe49/0x1770 copy_process+0x3e68/0x7320 kernel_clone+0xeb/0x7d0 __do_sys_clone+0xba/0x100 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 stack backtrace: CPU: 1 PID: 274 Comm: syz-executor.6 Not tainted 6.4.0-rc7-next-20230623 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Call Trace: dump_stack_lvl+0x91/0xf0 print_irq_inversion_bug.part.0+0x3d5/0x570 mark_lock.part.0+0x900/0x2f50 __lock_acquire+0x8b8/0x6340 lock_acquire+0x19a/0x4c0 _raw_spin_lock+0x2b/0x40 __blkcg_rstat_flush.isra.0+0x11f/0x4e0 __blkg_release+0xfa/0x3b0 rcu_core+0x8c8/0x28b0 __do_softirq+0x1b7/0x7d4 irq_exit_rcu+0x93/0xc0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:obj_cgroup_charge+0x1a0/0x530 Code: 85 1a 03 00 00 48 c7 45 28 00 00 00 00 48 c7 c6 7b fa 83 81 48 89 ef e8 ae c7 a9 ff 4d 85 e4 74 06 e8 34 a1 cf ff fb 45 31 e4 <45> 84 ff 75 67 48 89 dd 81 e3 ff 0f 00 00 4c 89 ef 48 c1 ed 0c 83 RSP: 0018:ffff88801a7878a8 EFLAGS: 00000246 RAX: 00000000000d21cd RBX: 0000000000000118 RCX: ffffffff812d1fbf RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8183fa9c RBP: ffff88806cf36160 R08: 0000000000000001 R09: fffffbfff0ef9b6e R10: ffffffff877cdb77 R11: 0000000000000001 R12: 0000000000000000 R13: ffff888040ce3980 R14: 0000000000000cc0 R15: 0000000000000001 kmem_cache_alloc+0x9f/0x370 anon_vma_fork+0xe6/0x630 dup_mmap+0xe49/0x1770 copy_process+0x3e68/0x7320 kernel_clone+0xeb/0x7d0 __do_sys_clone+0xba/0x100 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7fe46aec910b Code: ed 0f 85 60 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d 91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 89 00 00 00 41 89 c5 85 c0 0f 85 90 00 00 RSP: 002b:00007ffc0c326520 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe46aec910b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 RBP: 0000000000000001 R08: 0000000000000000 R09: 00005555555d9400 R10: 00005555555d96d0 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000001 R14: 0000000000000001 R15: 00007ffc0c326600 netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'. lo: entered promiscuous mode lo: entered allmulticast mode ---------------- Code disassembly (best guess), 1 bytes skipped: 0: 1a 03 sbb (%rbx),%al 2: 00 00 add %al,(%rax) 4: 48 c7 45 28 00 00 00 movq $0x0,0x28(%rbp) b: 00 c: 48 c7 c6 7b fa 83 81 mov $0xffffffff8183fa7b,%rsi 13: 48 89 ef mov %rbp,%rdi 16: e8 ae c7 a9 ff callq 0xffa9c7c9 1b: 4d 85 e4 test %r12,%r12 1e: 74 06 je 0x26 20: e8 34 a1 cf ff callq 0xffcfa159 25: fb sti 26: 45 31 e4 xor %r12d,%r12d * 29: 45 84 ff test %r15b,%r15b <-- trapping instruction 2c: 75 67 jne 0x95 2e: 48 89 dd mov %rbx,%rbp 31: 81 e3 ff 0f 00 00 and $0xfff,%ebx 37: 4c 89 ef mov %r13,%rdi 3a: 48 c1 ed 0c shr $0xc,%rbp 3e: 83 .byte 0x83