From: syzbot <syzbot+d10e9d53059eb8aed654@syzkaller.appspotmail.com>
To: cgroups@vger.kernel.org, hannes@cmpxchg.org, linux-kernel@vger.kernel.org, mkoutny@suse.com, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, tj@kernel.org
Subject: [syzbot] [cgroups?] possible deadlock in console_flush_all (4)
Date: Fri, 08 Aug 2025 04:25:33 -0700
Message-ID: <6895dead.050a0220.7f033.005e.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    d9104cec3e8f Merge tag 'bpf-next-6.17' of git://git.kernel..
git tree:       net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14464ea2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ac0888b9ad46cd69
dashboard link: https://syzkaller.appspot.com/bug?extid=d10e9d53059eb8aed654
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=140a62f0580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=120a62f0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ed717a4a878a/disk-d9104cec.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/08035d746f31/vmlinux-d9104cec.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7b5bf8caca80/bzImage-d9104cec.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d10e9d53059eb8aed654@syzkaller.appspotmail.com

FAULT_INJECTION: forcing a failure.
name fail_usercopy, interval 1, probability 0, space 0, times 1
======================================================
WARNING: possible circular locking dependency detected
6.16.0-syzkaller-06574-gd9104cec3e8f #0 Not tainted
------------------------------------------------------
syz-executor502/5847 is trying to acquire lock:
ffffffff8e130720 (console_owner){....}-{0:0}, at: rcu_try_lock_acquire include/linux/rcupdate.h:336 [inline]
ffffffff8e130720 (console_owner){....}-{0:0}, at: srcu_read_lock_nmisafe include/linux/srcu.h:346 [inline]
ffffffff8e130720 (console_owner){....}-{0:0}, at: console_srcu_read_lock kernel/printk/printk.c:288 [inline]
ffffffff8e130720 (console_owner){....}-{0:0}, at: console_flush_all+0x13a/0xc40 kernel/printk/printk.c:3203

but task is already holding lock:
ffff8880b8739f58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:636

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 (&rq->__lock){-.-.}-{2:2}:
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       _raw_spin_lock_nested+0x32/0x50 kernel/locking/spinlock.c:378
       raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:636
       raw_spin_rq_lock kernel/sched/sched.h:1522 [inline]
       task_rq_lock+0xbc/0x470 kernel/sched/core.c:736
       cgroup_move_task+0x92/0x2a0 kernel/sched/psi.c:1174
       css_set_move_task+0x658/0x9e0 kernel/cgroup/cgroup.c:918
       cgroup_post_fork+0x1ef/0x790 kernel/cgroup/cgroup.c:6759
       copy_process+0x3862/0x3c00 kernel/fork.c:2416
       kernel_clone+0x21e/0x840 kernel/fork.c:2602
       user_mode_thread+0xdd/0x140 kernel/fork.c:2680
       rest_init+0x23/0x300 init/main.c:709
       start_kernel+0x3a9/0x410 init/main.c:1097
       x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
       x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
       common_startup_64+0x13e/0x147

-> #3 (&p->pi_lock){-.-.}-{2:2}:
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
       class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:557 [inline]
       try_to_wake_up+0x6e/0x1290 kernel/sched/core.c:4210
       __wake_up_common kernel/sched/wait.c:90 [inline]
       __wake_up_common_lock+0x137/0x1f0 kernel/sched/wait.c:107
       tty_port_default_wakeup+0xa2/0xf0 drivers/tty/tty_port.c:69
       serial8250_tx_chars+0x72e/0x970 drivers/tty/serial/8250/8250_port.c:1728
       serial8250_handle_irq+0x633/0xbb0 drivers/tty/serial/8250/8250_port.c:1836
       serial8250_default_handle_irq+0xbf/0x1e0 drivers/tty/serial/8250/8250_port.c:1856
       serial8250_interrupt+0x8d/0x160 drivers/tty/serial/8250/8250_core.c:82
       __handle_irq_event_percpu+0x289/0x980 kernel/irq/handle.c:158
       handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
       handle_irq_event+0x8b/0x1e0 kernel/irq/handle.c:210
       handle_edge_irq+0x23b/0x9f0 kernel/irq/chip.c:849
       generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
       handle_irq arch/x86/kernel/irq.c:254 [inline]
       call_irq_handler arch/x86/kernel/irq.c:266 [inline]
       __common_interrupt+0x143/0x250 arch/x86/kernel/irq.c:292
       common_interrupt+0xb6/0xe0 arch/x86/kernel/irq.c:285
       asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
       native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
       pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:81
       arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
       default_idle+0x13/0x20 arch/x86/kernel/process.c:757
       default_idle_call+0x74/0xb0 kernel/sched/idle.c:122
       cpuidle_idle_call kernel/sched/idle.c:190 [inline]
       do_idle+0x1e8/0x510 kernel/sched/idle.c:330
       cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:428
       rest_init+0x2de/0x300 init/main.c:744
       start_kernel+0x3a9/0x410 init/main.c:1097
       x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
       x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
       common_startup_64+0x13e/0x147

-> #2 (&tty->write_wait){-.-.}-{3:3}:
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
       __wake_up_common_lock+0x2f/0x1f0 kernel/sched/wait.c:106
       tty_port_default_wakeup+0xa2/0xf0 drivers/tty/tty_port.c:69
       serial8250_tx_chars+0x72e/0x970 drivers/tty/serial/8250/8250_port.c:1728
       serial8250_handle_irq+0x633/0xbb0 drivers/tty/serial/8250/8250_port.c:1836
       serial8250_default_handle_irq+0xbf/0x1e0 drivers/tty/serial/8250/8250_port.c:1856
       serial8250_interrupt+0x8d/0x160 drivers/tty/serial/8250/8250_core.c:82
       __handle_irq_event_percpu+0x289/0x980 kernel/irq/handle.c:158
       handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
       handle_irq_event+0x8b/0x1e0 kernel/irq/handle.c:210
       handle_edge_irq+0x23b/0x9f0 kernel/irq/chip.c:849
       generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
       handle_irq arch/x86/kernel/irq.c:254 [inline]
       call_irq_handler arch/x86/kernel/irq.c:266 [inline]
       __common_interrupt+0x143/0x250 arch/x86/kernel/irq.c:292
       common_interrupt+0xb6/0xe0 arch/x86/kernel/irq.c:285
       asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
       native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
       pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:81
       arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
       default_idle+0x13/0x20 arch/x86/kernel/process.c:757
       default_idle_call+0x74/0xb0 kernel/sched/idle.c:122
       cpuidle_idle_call kernel/sched/idle.c:190 [inline]
       do_idle+0x1e8/0x510 kernel/sched/idle.c:330
       cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:428
       rest_init+0x2de/0x300 init/main.c:744
       start_kernel+0x3a9/0x410 init/main.c:1097
       x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
       x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
       common_startup_64+0x13e/0x147

-> #1 (&port_lock_key){-.-.}-{3:3}:
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
       uart_port_lock_irqsave include/linux/serial_core.h:717 [inline]
       serial8250_console_write+0x17e/0x1ba0 drivers/tty/serial/8250/8250_port.c:3355
       console_emit_next_record kernel/printk/printk.c:3138 [inline]
       console_flush_all+0x728/0xc40 kernel/printk/printk.c:3226
       __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
       console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
       vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
       _printk+0xcf/0x120 kernel/printk/printk.c:2475
       register_console+0xa8b/0xf90 kernel/printk/printk.c:4125
       univ8250_console_init+0x3a/0x70 drivers/tty/serial/8250/8250_core.c:516
       console_init+0x10e/0x430 kernel/printk/printk.c:4323
       start_kernel+0x254/0x410 init/main.c:1035
       x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
       x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
       common_startup_64+0x13e/0x147

-> #0 (console_owner){....}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
       __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       console_lock_spinning_enable kernel/printk/printk.c:1924 [inline]
       console_emit_next_record kernel/printk/printk.c:3132 [inline]
       console_flush_all+0x6d2/0xc40 kernel/printk/printk.c:3226
       __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
       console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
       vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
       _printk+0xcf/0x120 kernel/printk/printk.c:2475
       fail_dump lib/fault-inject.c:66 [inline]
       should_fail_ex+0x3f5/0x560 lib/fault-inject.c:174
       strncpy_from_user+0x36/0x290 lib/strncpy_from_user.c:118
       strncpy_from_user_nofault+0x72/0x150 mm/maccess.c:193
       bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:215 [inline]
       ____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:310 [inline]
       bpf_probe_read_compat_str+0xe2/0x180 kernel/trace/bpf_trace.c:306
       bpf_prog_56079403e473c493+0x70/0x76
       bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
       __bpf_prog_run include/linux/filter.h:718 [inline]
       bpf_prog_run include/linux/filter.h:725 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
       bpf_trace_run2+0x281/0x4b0 kernel/trace/bpf_trace.c:2298
       __bpf_trace_tlb_flush+0xf5/0x150 include/trace/events/tlb.h:38
       __traceiter_tlb_flush+0x76/0xd0 include/trace/events/tlb.h:38
       __do_trace_tlb_flush include/trace/events/tlb.h:38 [inline]
       trace_tlb_flush+0x115/0x140 include/trace/events/tlb.h:38
       switch_mm_irqs_off+0x53e/0x7a0 arch/x86/mm/tlb.c:-1
       context_switch kernel/sched/core.c:5335 [inline]
       __schedule+0x109d/0x4d30 kernel/sched/core.c:6954
       preempt_schedule_irq+0xb5/0x150 kernel/sched/core.c:7281
       irqentry_exit+0x6f/0x90 kernel/entry/common.c:196
       asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
       lock_acquire+0x175/0x360 kernel/locking/lockdep.c:5872
       fs_reclaim_acquire+0x99/0x100 mm/page_alloc.c:4062
       might_alloc include/linux/sched/mm.h:318 [inline]
       slab_pre_alloc_hook mm/slub.c:4099 [inline]
       slab_alloc_node mm/slub.c:4177 [inline]
       kmem_cache_alloc_lru_noprof+0x49/0x3d0 mm/slub.c:4216
       __d_alloc+0x36/0x7a0 fs/dcache.c:1690
       d_alloc_pseudo+0x21/0xc0 fs/dcache.c:1821
       alloc_path_pseudo fs/file_table.c:363 [inline]
       alloc_file_pseudo+0xcc/0x210 fs/file_table.c:379
       __anon_inode_getfile fs/anon_inodes.c:166 [inline]
       __anon_inode_getfd fs/anon_inodes.c:291 [inline]
       anon_inode_getfd+0xca/0x1b0 fs/anon_inodes.c:326
       bpf_enable_runtime_stats kernel/bpf/syscall.c:5829 [inline]
       bpf_enable_stats+0xdc/0x140 kernel/bpf/syscall.c:5850
       __sys_bpf+0x325/0x870 kernel/bpf/syscall.c:6105
       __do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
       __se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
       __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  console_owner --> &p->pi_lock --> &rq->__lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&rq->__lock);
                               lock(&p->pi_lock);
                               lock(&rq->__lock);
  lock(console_owner);

 *** DEADLOCK ***

7 locks held by syz-executor502/5847:
 #0: ffffffff8e1bb9c8 (bpf_stats_enabled_mutex){+.+.}-{4:4}, at: bpf_enable_runtime_stats kernel/bpf/syscall.c:5821 [inline]
 #0: ffffffff8e1bb9c8 (bpf_stats_enabled_mutex){+.+.}-{4:4}, at: bpf_enable_stats+0x94/0x140 kernel/bpf/syscall.c:5850
 #1: ffffffff8e243360 (fs_reclaim){+.+.}-{0:0}, at: might_alloc include/linux/sched/mm.h:318 [inline]
 #1: ffffffff8e243360 (fs_reclaim){+.+.}-{0:0}, at: slab_pre_alloc_hook mm/slub.c:4099 [inline]
 #1: ffffffff8e243360 (fs_reclaim){+.+.}-{0:0}, at: slab_alloc_node mm/slub.c:4177 [inline]
 #1: ffffffff8e243360 (fs_reclaim){+.+.}-{0:0}, at: kmem_cache_alloc_lru_noprof+0x49/0x3d0 mm/slub.c:4216
 #2: ffffffff8e255260 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at: fs_reclaim_acquire+0x7d/0x100 mm/page_alloc.c:4062
 #3: ffff8880b8739f58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:636
 #4: ffffffff8e13c4e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #4: ffffffff8e13c4e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #4: ffffffff8e13c4e0 (rcu_read_lock){....}-{1:3}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2256 [inline]
 #4: ffffffff8e13c4e0 (rcu_read_lock){....}-{1:3}, at: bpf_trace_run2+0x186/0x4b0 kernel/trace/bpf_trace.c:2298
 #5: ffffffff8e130780 (console_lock){+.+.}-{0:0}, at: _printk+0xcf/0x120 kernel/printk/printk.c:2475
 #6: ffffffff8e018050 (console_srcu){....}-{0:0}, at: rcu_try_lock_acquire include/linux/rcupdate.h:336 [inline]
 #6: ffffffff8e018050 (console_srcu){....}-{0:0}, at: srcu_read_lock_nmisafe include/linux/srcu.h:346 [inline]
 #6: ffffffff8e018050 (console_srcu){....}-{0:0}, at: console_srcu_read_lock kernel/printk/printk.c:288 [inline]
 #6: ffffffff8e018050 (console_srcu){....}-{0:0}, at: console_flush_all+0x13a/0xc40 kernel/printk/printk.c:3203

stack backtrace:
CPU: 1 UID: 0 PID: 5847 Comm: syz-executor502 Not tainted 6.16.0-syzkaller-06574-gd9104cec3e8f #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
 console_lock_spinning_enable kernel/printk/printk.c:1924 [inline]
 console_emit_next_record kernel/printk/printk.c:3132 [inline]
 console_flush_all+0x6d2/0xc40 kernel/printk/printk.c:3226
 __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
 console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
 vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
 _printk+0xcf/0x120 kernel/printk/printk.c:2475
 fail_dump lib/fault-inject.c:66 [inline]
 should_fail_ex+0x3f5/0x560 lib/fault-inject.c:174
 strncpy_from_user+0x36/0x290 lib/strncpy_from_user.c:118
 strncpy_from_user_nofault+0x72/0x150 mm/maccess.c:193
 bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:215 [inline]
 ____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:310 [inline]
 bpf_probe_read_compat_str+0xe2/0x180 kernel/trace/bpf_trace.c:306
 bpf_prog_56079403e473c493+0x70/0x76
 bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
 bpf_trace_run2+0x281/0x4b0 kernel/trace/bpf_trace.c:2298
 __bpf_trace_tlb_flush+0xf5/0x150 include/trace/events/tlb.h:38
 __traceiter_tlb_flush+0x76/0xd0 include/trace/events/tlb.h:38
 __do_trace_tlb_flush include/trace/events/tlb.h:38 [inline]
 trace_tlb_flush+0x115/0x140 include/trace/events/tlb.h:38
 switch_mm_irqs_off+0x53e/0x7a0 arch/x86/mm/tlb.c:-1
 context_switch kernel/sched/core.c:5335 [inline]
 __schedule+0x109d/0x4d30 kernel/sched/core.c:6954
 preempt_schedule_irq+0xb5/0x150 kernel/sched/core.c:7281
 irqentry_exit+0x6f/0x90 kernel/entry/common.c:196
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x175/0x360 kernel/locking/lockdep.c:5872
Code: 00 00 00 00 9c 8f 44 24 30 f7 44 24 30 00 02 00 00 0f 85 cd 00 00 00 f7 44 24 08 00 02 00 00 74 01 fb 65 48 8b 05 cb 8e fc 10 <48> 3b 44 24 58 0f 85 f2 00 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e
RSP: 0018:ffffc90003d4fa68 EFLAGS: 00000206
RAX: e3643158a89e2500 RBX: 0000000000000000 RCX: e3643158a89e2500
RDX: 0000000000030000 RSI: ffffffff8db65e8b RDI: ffffffff8be30a00
RBP: ffffffff8215895d R08: ffffc90003d4f888 R09: 0000000000000020
R10: 00000000b2b5dd6f R11: ffffffff819de180 R12: 0000000000000000
R13: ffffffff8e255260 R14: 0000000000000001 R15: 0000000000000246
 fs_reclaim_acquire+0x99/0x100 mm/page_alloc.c:4062
 might_alloc include/linux/sched/mm.h:318 [inline]
 slab_pre_alloc_hook mm/slub.c:4099 [inline]
 slab_alloc_node mm/slub.c:4177 [inline]
 kmem_cache_alloc_lru_noprof+0x49/0x3d0 mm/slub.c:4216
 __d_alloc+0x36/0x7a0 fs/dcache.c:1690
 d_alloc_pseudo+0x21/0xc0 fs/dcache.c:1821
 alloc_path_pseudo fs/file_table.c:363 [inline]
 alloc_file_pseudo+0xcc/0x210 fs/file_table.c:379
 __anon_inode_getfile fs/anon_inodes.c:166 [inline]
 __anon_inode_getfd fs/anon_inodes.c:291 [inline]
 anon_inode_getfd+0xca/0x1b0 fs/anon_inodes.c:326
 bpf_enable_runtime_stats kernel/bpf/syscall.c:5829 [inline]
 bpf_enable_stats+0xdc/0x140 kernel/bpf/syscall.c:5850
 __sys_bpf+0x325/0x870 kernel/bpf/syscall.c:6105
 __do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe51845c8d9
Code: Unable to access opcode bytes at 0x7fe51845c8af.
RSP: 002b:00007ffe3c17a318 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ffe3c17a330 RCX: 00007fe51845c8d9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000020
RBP: 0000000000000001 R08: 00007ffe3c17a0b7 R09: 0000000000000140
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
CPU: 1 UID: 0 PID: 5847 Comm: syz-executor502 Not tainted 6.16.0-syzkaller-06574-gd9104cec3e8f #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 fail_dump lib/fault-inject.c:73 [inline]
 should_fail_ex+0x414/0x560 lib/fault-inject.c:174
 strncpy_from_user+0x36/0x290 lib/strncpy_from_user.c:118
 strncpy_from_user_nofault+0x72/0x150 mm/maccess.c:193
 bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:215 [inline]
 ____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:310 [inline]
 bpf_probe_read_compat_str+0xe2/0x180 kernel/trace/bpf_trace.c:306
 bpf_prog_56079403e473c493+0x70/0x76
 bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
 bpf_trace_run2+0x281/0x4b0 kernel/trace/bpf_trace.c:2298
 __bpf_trace_tlb_flush+0xf5/0x150 include/trace/events/tlb.h:38
 __traceiter_tlb_flush+0x76/0xd0 include/trace/events/tlb.h:38
 __do_trace_tlb_flush include/trace/events/tlb.h:38 [inline]
 trace_tlb_flush+0x115/0x140 include/trace/events/tlb.h:38
 switch_mm_irqs_off+0x53e/0x7a0 arch/x86/mm/tlb.c:-1
 context_switch kernel/sched/core.c:5335 [inline]
 __schedule+0x109d/0x4d30 kernel/sched/core.c:6954
 preempt_schedule_irq+0xb5/0x150 kernel/sched/core.c:7281
 irqentry_exit+0x6f/0x90 kernel/entry/common.c:196
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x175/0x360 kernel/locking/lockdep.c:5872
Code: 00 00 00 00 9c 8f 44 24 30 f7 44 24 30 00 02 00 00 0f 85 cd 00 00 00 f7 44 24 08 00 02 00 00 74 01 fb 65 48 8b 05 cb 8e fc 10 <48> 3b 44 24 58 0f 85 f2 00 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e
RSP: 0018:ffffc90003d4fa68 EFLAGS: 00000206
RAX: e3643158a89e2500 RBX: 0000000000000000 RCX: e3643158a89e2500
RDX: 0000000000030000 RSI: ffffffff8db65e8b RDI: ffffffff8be30a00
RBP: ffffffff8215895d R08: ffffc90003d4f888 R09: 0000000000000020
R10: 00000000b2b5dd6f R11: ffffffff819de180 R12: 0000000000000000
R13: ffffffff8e255260 R14: 0000000000000001 R15: 0000000000000246
 fs_reclaim_acquire+0x99/0x100 mm/page_alloc.c:4062
 might_alloc include/linux/sched/mm.h:318 [inline]
 slab_pre_alloc_hook mm/slub.c:4099 [inline]
 slab_alloc_node mm/slub.c:4177 [inline]
 kmem_cache_alloc_lru_noprof+0x49/0x3d0 mm/slub.c:4216
 __d_alloc+0x36/0x7a0 fs/dcache.c:1690
 d_alloc_pseudo+0x21/0xc0 fs/dcache.c:1821
 alloc_path_pseudo fs/file_table.c:363 [inline]
 alloc_file_pseudo+0xcc/0x210 fs/file_table.c:379
 __anon_inode_getfile fs/anon_inodes.c:166 [inline]
 __anon_inode_getfd fs/anon_inodes.c:291 [inline]
 anon_inode_getfd+0xca/0x1b0 fs/anon_inodes.c:326
 bpf_enable_runtime_stats kernel/bpf/syscall.c:5829 [inline]
 bpf_enable_stats+0xdc/0x140 kernel/bpf/syscall.c:5850
 __sys_bpf+0x325/0x870 kernel/bpf/syscall.c:6105
 __do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe51845c8d9
Code: Unable to access opcode bytes at 0x7fe51845c8af.
RSP: 002b:00007ffe3c17a318 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ffe3c17a330 RCX: 00007fe51845c8d9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000020
RBP: 0000000000000001 R08: 00007ffe3c17a0b7 R09: 0000000000000140
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	9c                   	pushf
   5:	8f 44 24 30          	pop    0x30(%rsp)
   9:	f7 44 24 30 00 02 00 	testl  $0x200,0x30(%rsp)
  10:	00
  11:	0f 85 cd 00 00 00    	jne    0xe4
  17:	f7 44 24 08 00 02 00 	testl  $0x200,0x8(%rsp)
  1e:	00
  1f:	74 01                	je     0x22
  21:	fb                   	sti
  22:	65 48 8b 05 cb 8e fc 	mov    %gs:0x10fc8ecb(%rip),%rax        # 0x10fc8ef5
  29:	10
* 2a:	48 3b 44 24 58       	cmp    0x58(%rsp),%rax <-- trapping instruction
  2f:	0f 85 f2 00 00 00    	jne    0x127
  35:	48 83 c4 60          	add    $0x60,%rsp
  39:	5b                   	pop    %rbx
  3a:	41 5c                	pop    %r12
  3c:	41 5d                	pop    %r13
  3e:	41 5e                	pop    %r14


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
