[syzbot] [net?] WARNING: locking bug in task_tick_fair

From: syzbot
Date: Sun Dec 29 2024 - 01:40:30 EST


Hello,

syzbot found the following issue on:

HEAD commit: 9b2ffa6148b1 Merge tag 'mtd/fixes-for-6.13-rc5' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=117fffe8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa8dc22aa6de51f5
dashboard link: https://syzkaller.appspot.com/bug?extid=0c4dbc3a5494dbdf1200
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-9b2ffa61.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cd632c833a3f/vmlinux-9b2ffa61.xz
kernel image: https://storage.googleapis.com/syzbot-assets/25241b47c08c/bzImage-9b2ffa61.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c4dbc3a5494dbdf1200@xxxxxxxxxxxxxxxxxxxxxxxxx

=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 Not tainted
-----------------------------
syz-executor/5922 is trying to lock:
ffff88807ffd8298 (&zone->lock){-.-.}-{3:3}, at: rmqueue_bulk mm/page_alloc.c:2309 [inline]
ffff88807ffd8298 (&zone->lock){-.-.}-{3:3}, at: __rmqueue_pcplist+0x6bb/0x1600 mm/page_alloc.c:3003
other info that might help us debug this:
context-{2:2}
4 locks held by syz-executor/5922:
#0: ffff888028dc8f18 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1623 [inline]
#0: ffff888028dc8f18 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1357
#1: ffffffff8e1bb900 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#1: ffffffff8e1bb900 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#1: ffffffff8e1bb900 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x73/0x1970 net/ipv4/ip_output.c:471
#2: ffff88806a63ebd8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:598
#3: ffff88806a644c58 (&pcp->lock){+.+.}-{3:3}, at: spin_trylock include/linux/spinlock.h:361 [inline]
#3: ffff88806a644c58 (&pcp->lock){+.+.}-{3:3}, at: rmqueue_pcplist mm/page_alloc.c:3032 [inline]
#3: ffff88806a644c58 (&pcp->lock){+.+.}-{3:3}, at: rmqueue mm/page_alloc.c:3076 [inline]
#3: ffff88806a644c58 (&pcp->lock){+.+.}-{3:3}, at: get_page_from_freelist+0x350/0x2f80 mm/page_alloc.c:3473
stack backtrace:
CPU: 0 UID: 0 PID: 5922 Comm: syz-executor Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_lock_invalid_wait_context kernel/locking/lockdep.c:4826 [inline]
check_wait_context kernel/locking/lockdep.c:4898 [inline]
__lock_acquire+0x878/0x3c40 kernel/locking/lockdep.c:5176
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
kasan_save_stack+0x42/0x60 mm/kasan/common.c:48
task_tick_numa kernel/sched/fair.c:3616 [inline]
task_tick_fair+0x524/0x8e0 kernel/sched/fair.c:13101
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline]
__sysvec_apic_timer_interrupt+0x10f/0x400 arch/x86/kernel/apic/apic.c:1055
R13: 000000000000ffff R14: 0000000000000000 R15: ffff888032c8e6c8


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup