BUG: sleeping function called from invalid context at ./include/linux/percpu-rwsem.h:34 in_atomic(): 1, irqs_disabled(): 0, pid: 21001, name: syz-executor1 2 locks held by syz-executor1/21001: #0: (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: [<00000000a8e0242b>] xfrm_netlink_rcv+0x60/0x90 net/xfrm/xfrm_user.c:2598 #1: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000496b0258>] spin_lock_bh include/linux/spinlock.h:315 [inline] #1: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000496b0258>] xfrm_policy_flush+0x5d3/0x770 net/xfrm/xfrm_policy.c:969 CPU: 0 PID: 21001 Comm: syz-executor1 Not tainted 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060 __might_sleep+0x95/0x190 kernel/sched/core.c:6013 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:34 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x1c/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 xfrm_policy_flush+0x650/0x770 net/xfrm/xfrm_policy.c:978 xfrm_flush_policy+0x153/0x440 net/xfrm/xfrm_user.c:2061 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007f270e525c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9 RDX: 0000000000000000 RSI: 0000000020007fc8 RDI: 0000000000000014 RBP: 000000000000004d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ee7d8 R13: 00000000ffffffff R14: 00007f270e5266d4 R15: 0000000000000000 ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 4.15.0-rc5+ #177 Tainted: G W ----------------------------------------------------- syz-executor1/21001 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire: (cpu_hotplug_lock.rw_sem){++++}, at: [<00000000c06e1f52>] get_online_cpus include/linux/cpu.h:117 [inline] (cpu_hotplug_lock.rw_sem){++++}, at: [<00000000c06e1f52>] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 and this task is already holding: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000496b0258>] spin_lock_bh include/linux/spinlock.h:315 [inline] (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000496b0258>] xfrm_policy_flush+0x5d3/0x770 net/xfrm/xfrm_policy.c:969 which would create a new lock dependency: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...} -> (cpu_hotplug_lock.rw_sem){++++} but this new dependency connects a SOFTIRQ-irq-safe lock: (slock-AF_INET6){+.-.} ... which became SOFTIRQ-irq-safe at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:310 [inline] sctp_rcv+0x1ab1/0x35c0 net/sctp/input.c:242 sctp6_rcv+0x15/0x30 net/sctp/ipv6.c:1006 ip6_input_finish+0x37e/0x17a0 net/ipv6/ip6_input.c:284 NF_HOOK include/linux/netfilter.h:250 [inline] ip6_input+0xe9/0x560 net/ipv6/ip6_input.c:327 dst_input include/net/dst.h:449 [inline] ip6_rcv_finish+0x1a9/0x7a0 net/ipv6/ip6_input.c:71 NF_HOOK include/linux/netfilter.h:250 [inline] ipv6_rcv+0xf37/0x1fa0 net/ipv6/ip6_input.c:208 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4499 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4564 process_backlog+0x203/0x740 net/core/dev.c:5244 napi_poll net/core/dev.c:5642 [inline] net_rx_action+0x792/0x1910 net/core/dev.c:5708 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1115 do_softirq.part.21+0x14d/0x190 kernel/softirq.c:329 do_softirq kernel/softirq.c:177 [inline] __local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline] ip6_finish_output2+0xba0/0x23a0 net/ipv6/ip6_output.c:121 ip6_finish_output+0x698/0xaf0 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1eb/0x840 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:443 [inline] NF_HOOK include/linux/netfilter.h:250 [inline] ip6_xmit+0xd84/0x2090 net/ipv6/ip6_output.c:277 sctp_v6_xmit+0x438/0x630 net/sctp/ipv6.c:225 sctp_packet_transmit+0x225e/0x3750 net/sctp/output.c:638 sctp_outq_flush+0xabb/0x4060 net/sctp/outqueue.c:911 sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline] sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88 __sctp_connect+0x829/0xca0 net/sctp/socket.c:1254 sctp_connect+0xb4/0xf0 net/sctp/socket.c:4330 inet_dgram_connect+0x16b/0x1f0 net/ipv4/af_inet.c:542 SYSC_connect+0x213/0x4a0 net/socket.c:1611 SyS_connect+0x24/0x30 net/socket.c:1592 entry_SYSCALL_64_fastpath+0x23/0x9a to a SOFTIRQ-irq-unsafe lock: (cpu_hotplug_lock.rw_sem){++++} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 down_write+0x87/0x120 kernel/locking/rwsem.c:70 percpu_down_write+0xa3/0x500 kernel/locking/percpu-rwsem.c:145 cpus_write_lock kernel/cpu.c:305 [inline] _cpu_up+0x60/0x510 kernel/cpu.c:990 do_cpu_up+0x73/0xa0 kernel/cpu.c:1066 cpu_up+0x18/0x20 kernel/cpu.c:1074 smp_init+0x13a/0x152 kernel/smp.c:578 kernel_init_freeable+0x2fe/0x521 init/main.c:1064 kernel_init+0x13/0x172 init/main.c:996 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515 other info that might help us debug this: Chain exists of: slock-AF_INET6 --> &(&net->xfrm.xfrm_policy_lock)->rlock --> cpu_hotplug_lock.rw_sem Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(cpu_hotplug_lock.rw_sem); local_irq_disable(); lock(slock-AF_INET6); lock(&(&net->xfrm.xfrm_policy_lock)->rlock); lock(slock-AF_INET6); *** DEADLOCK *** 2 locks held by syz-executor1/21001: #0: (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: [<00000000a8e0242b>] xfrm_netlink_rcv+0x60/0x90 net/xfrm/xfrm_user.c:2598 #1: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000496b0258>] spin_lock_bh include/linux/spinlock.h:315 [inline] #1: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000496b0258>] xfrm_policy_flush+0x5d3/0x770 net/xfrm/xfrm_policy.c:969 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (slock-AF_INET6){+.-.} ops: 251621 { HARDIRQ-ON-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:315 [inline] lock_sock_nested+0x44/0x110 net/core/sock.c:2772 lock_sock include/net/sock.h:1462 [inline] sock_setsockopt+0x16b/0x1af0 net/core/sock.c:717 SYSC_setsockopt net/socket.c:1817 [inline] SyS_setsockopt+0x2ff/0x360 net/socket.c:1800 entry_SYSCALL_64_fastpath+0x23/0x9a IN-SOFTIRQ-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:310 [inline] sctp_rcv+0x1ab1/0x35c0 net/sctp/input.c:242 sctp6_rcv+0x15/0x30 net/sctp/ipv6.c:1006 ip6_input_finish+0x37e/0x17a0 net/ipv6/ip6_input.c:284 NF_HOOK include/linux/netfilter.h:250 [inline] ip6_input+0xe9/0x560 net/ipv6/ip6_input.c:327 dst_input include/net/dst.h:449 [inline] ip6_rcv_finish+0x1a9/0x7a0 net/ipv6/ip6_input.c:71 NF_HOOK include/linux/netfilter.h:250 [inline] ipv6_rcv+0xf37/0x1fa0 net/ipv6/ip6_input.c:208 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4499 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4564 process_backlog+0x203/0x740 net/core/dev.c:5244 napi_poll net/core/dev.c:5642 [inline] net_rx_action+0x792/0x1910 net/core/dev.c:5708 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1115 do_softirq.part.21+0x14d/0x190 kernel/softirq.c:329 do_softirq kernel/softirq.c:177 [inline] __local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline] ip6_finish_output2+0xba0/0x23a0 net/ipv6/ip6_output.c:121 ip6_finish_output+0x698/0xaf0 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1eb/0x840 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:443 [inline] NF_HOOK include/linux/netfilter.h:250 [inline] ip6_xmit+0xd84/0x2090 net/ipv6/ip6_output.c:277 sctp_v6_xmit+0x438/0x630 net/sctp/ipv6.c:225 sctp_packet_transmit+0x225e/0x3750 net/sctp/output.c:638 sctp_outq_flush+0xabb/0x4060 net/sctp/outqueue.c:911 sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline] sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88 __sctp_connect+0x829/0xca0 net/sctp/socket.c:1254 sctp_connect+0xb4/0xf0 net/sctp/socket.c:4330 inet_dgram_connect+0x16b/0x1f0 net/ipv4/af_inet.c:542 SYSC_connect+0x213/0x4a0 net/socket.c:1611 SyS_connect+0x24/0x30 net/socket.c:1592 entry_SYSCALL_64_fastpath+0x23/0x9a INITIAL USE at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:315 [inline] lock_sock_nested+0x44/0x110 net/core/sock.c:2772 lock_sock include/net/sock.h:1462 [inline] sock_setsockopt+0x16b/0x1af0 net/core/sock.c:717 SYSC_setsockopt net/socket.c:1817 [inline] SyS_setsockopt+0x2ff/0x360 net/socket.c:1800 entry_SYSCALL_64_fastpath+0x23/0x9a } ... key at: [<000000005dd6311b>] af_family_slock_keys+0x50/0x180 ... acquired at: __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:315 [inline] xfrm_policy_delete+0x3e/0x90 net/xfrm/xfrm_policy.c:1247 xfrm_sk_free_policy include/net/xfrm.h:1256 [inline] inet_csk_destroy_sock+0x320/0x3f0 net/ipv4/inet_connection_sock.c:836 dccp_close+0x853/0xc20 net/dccp/proto.c:1084 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:427 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432 sock_release+0x8d/0x1e0 net/socket.c:593 sock_close+0x16/0x20 net/socket.c:1121 __fput+0x327/0x7e0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x9bb/0x1ad0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x73f/0x16c0 kernel/signal.c:2335 do_signal+0x90/0x1eb0 arch/x86/kernel/signal.c:809 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264 entry_SYSCALL_64_fastpath+0x98/0x9a -> (&(&net->xfrm.xfrm_policy_lock)->rlock){+...} ops: 1717 { HARDIRQ-ON-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:315 [inline] xfrm_policy_byid+0x89/0x3c0 net/xfrm/xfrm_policy.c:850 xfrm_add_pol_expire+0x5a2/0xae0 net/xfrm/xfrm_user.c:2098 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a INITIAL USE at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:315 [inline] xfrm_policy_byid+0x89/0x3c0 net/xfrm/xfrm_policy.c:850 xfrm_add_pol_expire+0x5a2/0xae0 net/xfrm/xfrm_user.c:2098 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a } ... key at: [<00000000360d5ad0>] __key.66927+0x0/0x40 ... acquired at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 xfrm_policy_flush+0x650/0x770 net/xfrm/xfrm_policy.c:978 xfrm_flush_policy+0x153/0x440 net/xfrm/xfrm_user.c:2061 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock: -> (cpu_hotplug_lock.rw_sem){++++} ops: 3087 { HARDIRQ-ON-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 down_write+0x87/0x120 kernel/locking/rwsem.c:70 percpu_down_write+0xa3/0x500 kernel/locking/percpu-rwsem.c:145 cpus_write_lock kernel/cpu.c:305 [inline] _cpu_up+0x60/0x510 kernel/cpu.c:990 do_cpu_up+0x73/0xa0 kernel/cpu.c:1066 cpu_up+0x18/0x20 kernel/cpu.c:1074 smp_init+0x13a/0x152 kernel/smp.c:578 kernel_init_freeable+0x2fe/0x521 init/main.c:1064 kernel_init+0x13/0x172 init/main.c:996 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515 HARDIRQ-ON-R at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] kmem_cache_create+0x26/0x2a0 mm/slab_common.c:440 debug_objects_mem_init+0xda/0x910 lib/debugobjects.c:1139 start_kernel+0x6dd/0x819 init/main.c:671 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 SOFTIRQ-ON-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 down_write+0x87/0x120 kernel/locking/rwsem.c:70 percpu_down_write+0xa3/0x500 kernel/locking/percpu-rwsem.c:145 cpus_write_lock kernel/cpu.c:305 [inline] _cpu_up+0x60/0x510 kernel/cpu.c:990 do_cpu_up+0x73/0xa0 kernel/cpu.c:1066 cpu_up+0x18/0x20 kernel/cpu.c:1074 smp_init+0x13a/0x152 kernel/smp.c:578 kernel_init_freeable+0x2fe/0x521 init/main.c:1064 kernel_init+0x13/0x172 init/main.c:996 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515 SOFTIRQ-ON-R at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] kmem_cache_create+0x26/0x2a0 mm/slab_common.c:440 debug_objects_mem_init+0xda/0x910 lib/debugobjects.c:1139 start_kernel+0x6dd/0x819 init/main.c:671 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 INITIAL USE at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock kernel/cpu.c:293 [inline] __cpuhp_setup_state+0x60/0x140 kernel/cpu.c:1670 cpuhp_setup_state_nocalls include/linux/cpuhotplug.h:229 [inline] kvm_guest_init+0x1f3/0x20f arch/x86/kernel/kvm.c:528 setup_arch+0x17e8/0x1a02 arch/x86/kernel/setup.c:1266 start_kernel+0xcd/0x819 init/main.c:532 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 } ... key at: [<0000000080e3f502>] cpu_hotplug_lock+0xd8/0x140 ... acquired at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 xfrm_policy_flush+0x650/0x770 net/xfrm/xfrm_policy.c:978 xfrm_flush_policy+0x153/0x440 net/xfrm/xfrm_user.c:2061 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a stack backtrace: CPU: 0 PID: 21001 Comm: syz-executor1 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_bad_irq_dependency kernel/locking/lockdep.c:1565 [inline] check_usage+0xad0/0xb60 kernel/locking/lockdep.c:1597 check_irq_usage kernel/locking/lockdep.c:1653 [inline] check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline] check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1971 [inline] validate_chain kernel/locking/lockdep.c:2412 [inline] __lock_acquire+0x2bd1/0x3e00 kernel/locking/lockdep.c:3426 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 xfrm_policy_flush+0x650/0x770 net/xfrm/xfrm_policy.c:978 xfrm_flush_policy+0x153/0x440 net/xfrm/xfrm_user.c:2061 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007f270e525c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9 RDX: 0000000000000000 RSI: 0000000020007fc8 RDI: 0000000000000014 RBP: 000000000000004d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ee7d8 R13: 00000000ffffffff R14: 00007f270e5266d4 R15: 0000000000000000 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 21356 Comm: syz-executor2 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3542 kmem_cache_zalloc include/linux/slab.h:678 [inline] alloc_mm_slot mm/khugepaged.c:369 [inline] __khugepaged_enter+0xbd/0x540 mm/khugepaged.c:405 khugepaged_enter include/linux/khugepaged.h:54 [inline] do_huge_pmd_anonymous_page+0x10d9/0x1b00 mm/huge_memory.c:680 create_huge_pmd mm/memory.c:3828 [inline] __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4032 handle_mm_fault+0x334/0x8d0 mm/memory.c:4098 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1225 RIP: 0033:0x40180b RSP: 002b:00007f4f9eac2b90 EFLAGS: 00010246 RAX: 0000000020000000 RBX: 000000000000003e RCX: 0000000000000000 RDX: 86e93b418a5934b6 RSI: 0000000000000000 RDI: 00007f4f9eac3608 RBP: 0000000020f3b000 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003e R11: 0000000000000000 R12: 00000000006f68c0 R13: 0000000000000013 R14: 00007f4f9eac36d4 R15: ffffffffffffffff oom_reaper: reaped process 21356 (syz-executor2), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 21459 Comm: syz-executor1 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3542 kmem_cache_zalloc include/linux/slab.h:678 [inline] alloc_mm_slot mm/khugepaged.c:369 [inline] __khugepaged_enter+0xbd/0x540 mm/khugepaged.c:405 khugepaged_enter include/linux/khugepaged.h:54 [inline] do_huge_pmd_anonymous_page+0x10d9/0x1b00 mm/huge_memory.c:680 create_huge_pmd mm/memory.c:3828 [inline] __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4032 handle_mm_fault+0x334/0x8d0 mm/memory.c:4098 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1225 RIP: 0033:0x40180b RSP: 002b:00007f270e525b90 EFLAGS: 00010246 RAX: 0000000020000000 RBX: 0000000000000066 RCX: 0000000000000000 RDX: 9f240a4be52da1d6 RSI: 0000000000000000 RDI: 00007f270e526608 RBP: 0000000020f0dc2a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000066 R11: 0000000000000000 R12: 00000000006f68c0 R13: 0000000000000013 R14: 00007f270e5266d4 R15: ffffffffffffffff oom_reaper: reaped process 21459 (syz-executor1), now anon-rss:0kB, file-rss:4kB, shmem-rss:0kB SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=21529 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=21555 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=21591 comm=syz-executor0 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 21682 Comm: syz-executor3 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3542 anon_vma_chain_alloc mm/rmap.c:128 [inline] __anon_vma_prepare+0xbc/0x6b0 mm/rmap.c:182 anon_vma_prepare include/linux/rmap.h:153 [inline] do_huge_pmd_anonymous_page+0x1127/0x1b00 mm/huge_memory.c:678 create_huge_pmd mm/memory.c:3828 [inline] __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4032 handle_mm_fault+0x334/0x8d0 mm/memory.c:4098 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1225 RIP: 0010:copy_user_generic_unrolled+0x86/0xc0 arch/x86/lib/copy_user_64.S:65 RSP: 0018:ffff8801c3a67a20 EFLAGS: 00010202 RAX: ffffed003874cf71 RBX: 0000000020614000 RCX: 0000000000000004 RDX: 0000000000000000 RSI: 0000000020614000 RDI: ffff8801c3a67b68 RBP: ffff8801c3a67a50 R08: ffffed003874cf71 R09: ffffed003874cf71 R10: 0000000000000004 R11: ffffed003874cf70 R12: 0000000000000020 R13: ffff8801c3a67b68 R14: 00007ffffffff000 R15: 0000000020614020 copy_from_user include/linux/uaccess.h:147 [inline] ipmr_ioctl+0x30a/0xab0 net/ipv4/ipmr.c:1695 raw_ioctl+0x139/0x240 net/ipv4/raw.c:921 inet_ioctl+0x182/0x1c0 net/ipv4/af_inet.c:908 sock_do_ioctl+0x65/0xb0 net/socket.c:956 sock_ioctl+0x2c2/0x440 net/socket.c:1053 vfs_ioctl fs/ioctl.c:46 [inline] do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007fd07a743c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fd07a743aa0 RCX: 0000000000452ac9 RDX: 0000000020614000 RSI: 00000000000089e1 RDI: 0000000000000013 RBP: 00007fd07a743a90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b767a R13: 00007fd07a743bc8 R14: 00000000004b767a R15: 0000000000000000 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 21805 Comm: syz-executor0 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc_node mm/slab.c:3289 [inline] kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3632 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:983 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1180 [inline] netlink_sendmsg+0xa86/0xe60 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007efd226acc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007efd226acaa0 RCX: 0000000000452ac9 RDX: 0000000000000000 RSI: 000000002001e000 RDI: 0000000000000013 RBP: 00007efd226aca90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b767a R13: 00007efd226acbc8 R14: 00000000004b767a R15: 0000000000000000 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 21901 Comm: syz-executor4 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] __do_kmalloc mm/slab.c:3706 [inline] __kmalloc+0x63/0x760 mm/slab.c:3717 kmalloc include/linux/slab.h:504 [inline] rds_info_getsockopt+0x579/0x770 net/rds/info.c:191 rds_getsockopt+0x142/0x280 net/rds/af_rds.c:395 SYSC_getsockopt net/socket.c:1852 [inline] SyS_getsockopt+0x178/0x340 net/socket.c:1834 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007fba34874c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 00007fba34874aa0 RCX: 0000000000452ac9 RDX: 0000000000002711 RSI: 0000000100000114 RDI: 0000000000000013 RBP: 00007fba34874a90 R08: 0000000020dcaffc R09: 0000000000000000 R10: 0000000020861fd8 R11: 0000000000000212 R12: 00000000004b767a R13: 00007fba34874bc8 R14: 00000000004b767a R15: 0000000000000000 nla_parse: 2 callbacks suppressed netlink: 64 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 64 bytes leftover after parsing attributes in process `syz-executor0'. SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2455 sclass=netlink_xfrm_socket pig=22196 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=22210 comm=syz-executor0 netlink: 156 bytes leftover after parsing attributes in process `syz-executor0'. sctp: [Deprecated]: syz-executor0 (pid 23194) Use of int in maxseg socket option. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor0 (pid 23194) Use of int in maxseg socket option. Use struct sctp_assoc_value instead netlink: 92 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 92 bytes leftover after parsing attributes in process `syz-executor0'.