BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 8720, name: udevd
preempt_count: 100, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffffff8a800113>] softirq_handle_begin kernel/softirq.c:409 [inline]
[<ffffffff8a800113>] __do_softirq+0x113/0x75b kernel/softirq.c:547
CPU: 1 PID: 8720 Comm: udevd Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 __might_resched+0x538/0x6a0 kernel/sched/core.c:9890
 __mutex_lock_common+0xd2/0x26c0 kernel/locking/mutex.c:580
 __mutex_lock kernel/locking/mutex.c:747 [inline]
 mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
 gsm_send+0x5d2/0x8f0 drivers/tty/n_gsm.c:724
 gsm_command drivers/tty/n_gsm.c:788 [inline]
 gsm_dlci_begin_close drivers/tty/n_gsm.c:1930 [inline]
 gsm_dlci_t1+0x3e7/0x6b0 drivers/tty/n_gsm.c:1854
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:rol32 include/linux/bitops.h:126 [inline]
RIP: 0010:jhash2 include/linux/jhash.h:129 [inline]
RIP: 0010:hash_stack lib/stackdepot.c:276 [inline]
RIP: 0010:__stack_depot_save+0x89/0x4a0 lib/stackdepot.c:444
Code: 75 83 fe 04 72 6d 44 89 ed 44 89 e8 4c 89 fa 66 90 03 02 03 6a 04 44 03 6a 08 44 29 e8 44 89 ef c1 c7 04 31 c7 41 01 ed 29 fd <89> fb c1 c3 06 31 eb 44 01 ef 41 29 dd 89 d9 c1 c1 08 44 31 e9 01
RSP: 0018:ffffc9000a44f838 EFLAGS: 00000a16
RAX: 00000000bd977095 RBX: 00000000602cff92 RCX: 000000007e0376b4
RDX: ffffc9000a44f91c RSI: 0000000000000005 RDI: 000000006ccc4b88
RBP: 000000002259ba6a R08: 000000000000000a R09: 0000000000000001
R10: fffffbfff1c4f066 R11: 1ffffffff1c4f065 R12: 0000000000002800
R13: 000000006c3bb9a3 R14: 0000000000000000 R15: ffffc9000a44f8e0
 save_stack+0x103/0x1e0 mm/page_owner.c:128
 __reset_page_owner+0x52/0x1a0 mm/page_owner.c:148
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1458 [inline]
 free_pcp_prepare+0x80c/0x8f0 mm/page_alloc.c:1508
 free_unref_page_prepare mm/page_alloc.c:3386 [inline]
 free_unref_page+0x7d/0x630 mm/page_alloc.c:3482
 qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x169/0x180 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:302
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x1cc/0x300 mm/slub.c:3422
 getname_flags+0xb8/0x4e0 fs/namei.c:139
 vfs_fstatat fs/stat.c:266 [inline]
 __do_sys_newfstatat fs/stat.c:437 [inline]
 __se_sys_newfstatat+0xe2/0x7b0 fs/stat.c:431
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f55f33251da
Code: 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 0b 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 90 41 89 ca b8 06 01 00 00 0f 05 <3d> 00 f0 ff ff 77 07 31 c0 c3 0f 1f 40 00 48 8b 15 69 fc 0c 00 f7
RSP: 002b:00007ffd07f99ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000106
RAX: ffffffffffffffda RBX: 000000000000000e RCX: 00007f55f33251da
RDX: 00007ffd07f99ef8 RSI: 00007ffd07f99fc7 RDI: 00000000ffffff9c
RBP: 00007ffd07f9b000 R08: 0000000000000007 R09: 000055f52cab7ef0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd07f9b428
R13: 0000000000000000 R14: 00007ffd07f9b428 R15: 000055f52b470160
 </TASK>
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 3632, name: syz-fuzzer
preempt_count: 100, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffffff8a800113>] softirq_handle_begin kernel/softirq.c:409 [inline]
[<ffffffff8a800113>] __do_softirq+0x113/0x75b kernel/softirq.c:547
CPU: 1 PID: 3632 Comm: syz-fuzzer Tainted: G        W          6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 __might_resched+0x538/0x6a0 kernel/sched/core.c:9890
 __mutex_lock_common+0xd2/0x26c0 kernel/locking/mutex.c:580
 __mutex_lock kernel/locking/mutex.c:747 [inline]
 mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
 gsm_send+0x5d2/0x8f0 drivers/tty/n_gsm.c:724
 gsm_command drivers/tty/n_gsm.c:788 [inline]
 gsm_dlci_begin_close drivers/tty/n_gsm.c:1930 [inline]
 gsm_dlci_t1+0x3e7/0x6b0 drivers/tty/n_gsm.c:1854
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:rcu_read_unlock include/linux/rcupdate.h:767 [inline]
RIP: 0010:count_memcg_event_mm+0x2d2/0x390 include/linux/memcontrol.h:1094
Code: 89 fe ff ff e8 ef 23 c0 ff eb 1f e8 e8 23 c0 ff e8 f3 33 7e 08 4d 85 ed 74 89 e8 d9 23 c0 ff fb 49 bd 00 00 00 00 00 fc ff df <e8> 99 ab a8 ff 84 c0 74 07 e8 c0 23 c0 ff eb 4f e8 c9 39 7e 08 89
RSP: 0000:ffffc90003c4fb20 EFLAGS: 00000293
RAX: ffffffff81c98237 RBX: 0000000000000000 RCX: ffff888021530000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003c4fbf0 R08: ffffffff81c981ac R09: fffffbfff1c4f066
R10: fffffbfff1c4f066 R11: 1ffffffff1c4f065 R12: ffff88801232e000
R13: dffffc0000000000 R14: 1ffff92000789f68 R15: 0000000000000046
 handle_mm_fault+0x13e/0x3660 mm/memory.c:5196
 do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428
 handle_page_fault arch/x86/mm/fault.c:1519 [inline]
 exc_page_fault+0x7a/0x120 arch/x86/mm/fault.c:1575
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x466a7c
Code: 4c 01 de 48 29 c3 c5 fe 6f 06 c5 fe 6f 4e 20 c5 fe 6f 56 40 c5 fe 6f 5e 60 48 01 c6 c5 fd 7f 07 c5 fd 7f 4f 20 c5 fd 7f 57 40 <c5> fd 7f 5f 60 48 01 c7 48 29 c3 77 cf 48 01 c3 48 01 fb c4 c1 7e
RSP: 002b:000000c0036ee9a8 EFLAGS: 00010202
RAX: 0000000000000080 RBX: 0000000000000460 RCX: 000000c03a55cd80
RDX: 0000000000000000 RSI: 000000c03a55c920 RDI: 000000c03a55cfa0
RBP: 000000c0036ee9d8 R08: 00007f4cc139e5b8 R09: 0000000000000000
R10: 000000c03a55ce00 R11: 0000000000000020 R12: 000000c03a55ce00
R13: 0000000000000001 R14: 000000c00028c9c0 R15: ffffffffffffffff
 </TASK>
----------------
Code disassembly (best guess):
   0:	75 83                	jne    0xffffff85
   2:	fe 04 72             	incb   (%rdx,%rsi,2)
   5:	6d                   	insl   (%dx),%es:(%rdi)
   6:	44 89 ed             	mov    %r13d,%ebp
   9:	44 89 e8             	mov    %r13d,%eax
   c:	4c 89 fa             	mov    %r15,%rdx
   f:	66 90                	xchg   %ax,%ax
  11:	03 02                	add    (%rdx),%eax
  13:	03 6a 04             	add    0x4(%rdx),%ebp
  16:	44 03 6a 08          	add    0x8(%rdx),%r13d
  1a:	44 29 e8             	sub    %r13d,%eax
  1d:	44 89 ef             	mov    %r13d,%edi
  20:	c1 c7 04             	rol    $0x4,%edi
  23:	31 c7                	xor    %eax,%edi
  25:	41 01 ed             	add    %ebp,%r13d
  28:	29 fd                	sub    %edi,%ebp
* 2a:	89 fb                	mov    %edi,%ebx <-- trapping instruction
  2c:	c1 c3 06             	rol    $0x6,%ebx
  2f:	31 eb                	xor    %ebp,%ebx
  31:	44 01 ef             	add    %r13d,%edi
  34:	41 29 dd             	sub    %ebx,%r13d
  37:	89 d9                	mov    %ebx,%ecx
  39:	c1 c1 08             	rol    $0x8,%ecx
  3c:	44 31 e9             	xor    %r13d,%ecx
  3f:	01                   	.byte 0x1