================================
WARNING: inconsistent lock state
6.10.0-syzkaller-04559-g7d30b8aa4fc3 #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz.1.20/5373 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffff8880b9338798 (lock#10){?.+.}-{2:2}, at: local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
ffff8880b9338798 (lock#10){?.+.}-{2:2}, at: __mmap_lock_do_trace_acquire_returned+0x8f/0x630 mm/mmap_lock.c:237
{HARDIRQ-ON-W} state was registered at:
  lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5753
  local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
  __mmap_lock_do_trace_acquire_returned+0xa8/0x630 mm/mmap_lock.c:237
  __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
  mmap_read_trylock include/linux/mmap_lock.h:164 [inline]
  get_mmap_lock_carefully mm/memory.c:5716 [inline]
  lock_mm_and_find_vma+0x213/0x2f0 mm/memory.c:5776
  do_user_addr_fault arch/x86/mm/fault.c:1361 [inline]
  handle_page_fault arch/x86/mm/fault.c:1481 [inline]
  exc_page_fault+0x1bf/0x8c0 arch/x86/mm/fault.c:1539
  asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
  __put_user_4+0x11/0x20 arch/x86/lib/putuser.S:86
  schedule_tail+0x96/0xb0 kernel/sched/core.c:5123
  ret_from_fork+0x24/0x80 arch/x86/kernel/process.c:143
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
irq event stamp: 20
hardirqs last  enabled at (19): [<ffffffff8bb0bfe3>] do_user_addr_fault arch/x86/mm/fault.c:1283 [inline]
hardirqs last  enabled at (19): [<ffffffff8bb0bfe3>] handle_page_fault arch/x86/mm/fault.c:1481 [inline]
hardirqs last  enabled at (19): [<ffffffff8bb0bfe3>] exc_page_fault+0x113/0x8c0 arch/x86/mm/fault.c:1539
hardirqs last disabled at (20): [<ffffffff8bb0b3ce>] sysvec_call_function_single+0xe/0xc0 arch/x86/kernel/smp.c:266
softirqs last  enabled at (0): [<ffffffff8157a193>] rcu_lock_acquire include/linux/rcupdate.h:327 [inline]
softirqs last  enabled at (0): [<ffffffff8157a193>] rcu_read_lock include/linux/rcupdate.h:839 [inline]
softirqs last  enabled at (0): [<ffffffff8157a193>] copy_process+0xa03/0x3dc0 kernel/fork.c:2242
softirqs last disabled at (0): [<0000000000000000>] 0x0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(lock#10);
  <Interrupt>
    lock(lock#10);

 *** DEADLOCK ***

4 locks held by syz.1.20/5373:
 #0: ffff888020afa2f8 (&vma->vm_lock->lock){++++}-{3:3}, at: vma_start_read include/linux/mm.h:683 [inline]
 #0: ffff888020afa2f8 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma_under_rcu+0x2f9/0x6e0 mm/memory.c:5845
 #1: ffffffff8e735fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline]
 #1: ffffffff8e735fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline]
 #1: ffffffff8e735fe0 (rcu_read_lock){....}-{1:2}, at: __pte_offset_map+0x82/0x380 mm/pgtable-generic.c:287
 #2: ffffffff8e735fe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:327 [inline]
 #2: ffffffff8e735fe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:839 [inline]
 #2: ffffffff8e735fe0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2405 [inline]
 #2: ffffffff8e735fe0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x540 kernel/trace/bpf_trace.c:2447
 #3: ffff888030231498 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:163 [inline]
 #3: ffff888030231498 (&mm->mmap_lock){++++}-{3:3}, at: stack_map_get_build_id_offset+0x237/0x9d0 kernel/bpf/stackmap.c:141

stack backtrace:
CPU: 1 PID: 5373 Comm: syz.1.20 Not tainted 6.10.0-syzkaller-04559-g7d30b8aa4fc3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 valid_state+0x13a/0x1c0 kernel/locking/lockdep.c:4012
 mark_lock_irq+0xbb/0xc20 kernel/locking/lockdep.c:4215
 mark_lock+0x223/0x350 kernel/locking/lockdep.c:4677
 mark_usage kernel/locking/lockdep.c:4563 [inline]
 __lock_acquire+0xb8e/0x1fd0 kernel/locking/lockdep.c:5090
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5753
 local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
 __mmap_lock_do_trace_acquire_returned+0xa8/0x630 mm/mmap_lock.c:237
 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
 mmap_read_trylock include/linux/mmap_lock.h:164 [inline]
 stack_map_get_build_id_offset+0x9af/0x9d0 kernel/bpf/stackmap.c:141
 __bpf_get_stack+0x4ad/0x5a0 kernel/bpf/stackmap.c:449
 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1997 [inline]
 bpf_get_stack_raw_tp+0x1a3/0x240 kernel/trace/bpf_trace.c:1987
 bpf_prog_ec3b2eefa702d8d3+0x43/0x47
 bpf_dispatcher_nop_func include/linux/bpf.h:1252 [inline]
 __bpf_prog_run include/linux/filter.h:691 [inline]
 bpf_prog_run include/linux/filter.h:698 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2406 [inline]
 bpf_trace_run2+0x2ec/0x540 kernel/trace/bpf_trace.c:2447
 trace_tlb_flush+0x118/0x140 include/trace/events/tlb.h:38
 flush_tlb_func+0x4e7/0x630 arch/x86/mm/tlb.c:892
 csd_do_func kernel/smp.c:134 [inline]
 __flush_smp_call_function_queue+0x3fc/0x1690 kernel/smp.c:512
 __sysvec_call_function_single+0xb8/0x430 arch/x86/kernel/smp.c:271
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
 sysvec_call_function_single+0x9e/0xc0 arch/x86/kernel/smp.c:266
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:get_current arch/x86/include/asm/current.h:49 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:235 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x8/0x90 kernel/kcov.c:311
Code: 44 0a 20 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 4c 8b 04 24 <65> 48 8b 0c 25 80 d5 03 00 65 8b 05 d0 72 6d 7e a9 00 01 ff 00 74
RSP: 0000:ffffc90004da7858 EFLAGS: 00000246
RAX: 1ffff920009b4f18 RBX: dffffc0000000000 RCX: 1ffff1100449462f
RDX: 0000000012a58830 RSI: 0000000012a58067 RDI: 0000000000000000
RBP: ffffc90004da7950 R08: ffffffff81eb1875 R09: 1ffffffff269e0b8
R10: dffffc0000000000 R11: fffffbfff269e0b9 R12: 1ffff920009b4f14
R13: ffff8880224a3178 R14: 0000000012a58067 R15: 1ffff920009b4f1c
 __pte_needs_invert arch/x86/include/asm/pgtable-invert.h:18 [inline]
 protnone_mask arch/x86/include/asm/pgtable-invert.h:24 [inline]
 pmd_pfn arch/x86/include/asm/pgtable.h:238 [inline]
 pte_lockptr include/linux/mm.h:2960 [inline]
 __pte_offset_map_lock+0x135/0x300 mm/pgtable-generic.c:374
 pte_offset_map_lock include/linux/mm.h:3025 [inline]
 do_anonymous_page mm/memory.c:4431 [inline]
 do_pte_missing mm/memory.c:3895 [inline]
 handle_pte_fault+0x1c9a/0x7090 mm/memory.c:5381
 __handle_mm_fault mm/memory.c:5524 [inline]
 handle_mm_fault+0x10df/0x1ba0 mm/memory.c:5689
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fa305c47c47
Code: b9 40 42 0f 00 ba 81 00 00 00 4c 89 e6 41 c7 04 24 01 00 00 00 bf ca 00 00 00 31 c0 e8 42 f6 12 00 eb c1 0f b6 35 81 da de 00 <8b> bf 98 00 00 00 31 d2 e8 5c 64 ff ff eb 83 48 8d 3d 35 de 19 00
RSP: 002b:00007fa3057ff100 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 00007fa3057ff6c0 RCX: 00007fa305d2ddd6
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fa305f05f80
RBP: 00007fa305f05f80 R08: 0000000000000000 R09: 00007ffe6bd0e067
R10: 0000000000000008 R11: 0000000000000246 R12: ffffffffffffffa8
R13: 000000000000000b R14: 00007ffe6bd0df80 R15: 00007ffe6bd0e068
 </TASK>
----------------
Code disassembly (best guess):
   # Decode of the kernel "Code:" bytes around the saved RIP, which the RIP
   # lines of this report resolve to __sanitizer_cov_trace_const_cmp8+0x8
   # (kernel/kcov.c:311, with get_current/write_comp_data inlined).
   #
   # Triage note: this report is a lockdep "inconsistent lock state" warning,
   # not a CPU fault. In the call trace, asm_sysvec_call_function_single sits
   # directly above this RIP, so the instruction marked below is only where the
   # call-function IPI interrupted the task. The lock usage lockdep objects to
   # is in the <IRQ> part of the trace, not in this code.
   #
   # Offsets 0x00-0x21 lie before the function entry. Decoding starts at an
   # arbitrary byte of the dump, so the first instruction may be mis-decoded
   # (hence "best guess").
   0:	44 0a 20             	or     (%rax),%r12b
   3:	c3                   	ret
   # int3 bytes after the ret, then nop bytes up to the entry point;
   # presumably padding -- this listing does not show which option emits it.
   4:	cc                   	int3
   5:	cc                   	int3
   6:	cc                   	int3
   7:	cc                   	int3
   8:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
   f:	00 00 00
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	90                   	nop
  1b:	90                   	nop
  1c:	90                   	nop
  1d:	90                   	nop
  1e:	90                   	nop
  1f:	90                   	nop
  20:	90                   	nop
  21:	90                   	nop
   # 0x22 is the function entry: the marked instruction is at 0x2a and the RIP
   # symbol offset is +0x8, so entry = 0x2a - 0x8.
  22:	f3 0f 1e fa          	endbr64
   # At entry (%rsp) is the return address; R08 in the register dump
   # (ffffffff81eb1875) looks like a kernel text address, consistent with this
   # load having already executed when the interrupt arrived.
  26:	4c 8b 04 24          	mov    (%rsp),%r8
   # %gs-relative load attributed to the inlined get_current() by the RIP lines.
   # The "trapping instruction" label comes from the decoder; here it marks the
   # interrupted instruction, not a faulting one (see triage note at the top).
* 2a:	65 48 8b 0c 25 80 d5 	mov    %gs:0x3d580,%rcx <-- trapping instruction
  31:	03 00
   # NOTE(review): a second per-CPU read tested against 0xff0100 -- presumably
   # a preempt_count context check in kcov's mode test; confirm against
   # kernel/kcov.c, as the listing itself does not name the variable.
  33:	65 8b 05 d0 72 6d 7e 	mov    %gs:0x7e6d72d0(%rip),%eax        # 0x7e6d730a
  3a:	a9 00 01 ff 00       	test   $0xff0100,%eax
   # The captured window ends here: 0x74 is the opcode byte of a short je/jz
   # whose displacement byte was not included in the dump.
  3f:	74                   	.byte 0x74