BUG: sleeping function called from invalid context at net/core/sock.c:2807
in_atomic(): 1, irqs_disabled(): 0, pid: 11977, name: syz-executor.2
2 locks held by syz-executor.2/11977:
 #0:  (sk_lock-AF_TIPC){+.+.}, at: [] lock_sock include/net/sock.h:1473 [inline]
 #0:  (sk_lock-AF_TIPC){+.+.}, at: [] __tipc_sendstream+0x435/0x8c0 net/tipc/socket.c:1077
 #1:  (((&sub->timer))){+.-.}, at: [] lockdep_copy_map include/linux/lockdep.h:174 [inline]
 #1:  (((&sub->timer))){+.-.}, at: [] call_timer_fn+0xb8/0x650 kernel/time/timer.c:1270
Preemption disabled at:
[] __do_softirq+0xe8/0x9ff kernel/softirq.c:265
CPU: 1 PID: 11977 Comm: syz-executor.2 Not tainted 4.14.262-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 ___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6041
 lock_sock_nested+0x31/0x100 net/core/sock.c:2807
 lock_sock include/net/sock.h:1473 [inline]
 tipc_bind+0x49/0x600 net/tipc/socket.c:599
 tipc_conn_kref_release net/tipc/server.c:105 [inline]
 kref_put include/linux/kref.h:70 [inline]
 conn_put+0x12e/0x580 net/tipc/server.c:121
 tipc_conn_sendmsg+0x2b8/0x3b0 net/tipc/server.c:476
 tipc_subscrp_timeout+0x1c8/0x240 net/tipc/subscr.c:147
 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280
 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
 __run_timers kernel/time/timer.c:1637 [inline]
 run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
SQUASHFS error: lzo decompression failed, data probably corrupt
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288
SQUASHFS error: squashfs_read_data failed to read block 0x60
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x193/0x240 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:__kmalloc_reserve net/core/skbuff.c:140 [inline]
RIP: 0010:__alloc_skb+0x99/0x510 net/core/skbuff.c:205
RSP: 0018:ffff8880b06bf8e0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: ffff8880657d8fc0 RBX: 0000000000000001 RCX: 0000000000000007
RDX: 00000000000000ff RSI: ffff88806f891878 RDI: 0000000000000000
RBP: 0000000000010400 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88809d87e000 R12: 00000000014000c0
R13: 00000000ffffffff R14: ffff8880b553ba80 R15: ffff8880afe75580
 alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
 tipc_buf_acquire+0x28/0xf0 net/tipc/msg.c:66
 tipc_msg_build+0xcf/0xec0 net/tipc/msg.c:260
 __tipc_sendstream+0x4d5/0x8c0 net/tipc/socket.c:1085
SQUASHFS error: Unable to read fragment cache entry [60]
 tipc_sendstream+0x4c/0x70 net/tipc/socket.c:1042
SQUASHFS error: Unable to read page, block 60, size 1f
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 sock_write_iter+0x22c/0x370 net/socket.c:925
SQUASHFS error: Unable to read fragment cache entry [60]
 call_write_iter include/linux/fs.h:1780 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x44c/0x630 fs/read_write.c:482
 vfs_write+0x17f/0x4d0 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xf2/0x210 fs/read_write.c:582
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f3c229bdfe9
RSP: 002b:00007f3c21333168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f3c22ad0f60 RCX: 00007f3c229bdfe9
RDX: 000000002000011a RSI: 0000000020001240 RDI: 0000000000000005
RBP: 00007f3c22a1808d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff9dd6919f R14: 00007f3c21333300 R15: 0000000000022000
================================
WARNING: inconsistent lock state
4.14.262-syzkaller #0 Tainted: G W
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor.2/11977 [HC0[0]:SC1[3]:HE1:SE0] takes:
 (k-sk_lock-AF_TIPC){+.?.}, at: [] lock_sock include/net/sock.h:1473 [inline]
 (k-sk_lock-AF_TIPC){+.?.}, at: [] tipc_bind+0x49/0x600 net/tipc/socket.c:599
{SOFTIRQ-ON-W} state was registered at:
  __trace_hardirqs_on_caller kernel/locking/lockdep.c:2883 [inline]
  trace_hardirqs_on_caller+0x3a8/0x580 kernel/locking/lockdep.c:2930
  __local_bh_enable_ip+0xc1/0x170 kernel/softirq.c:190
  lock_sock include/net/sock.h:1473 [inline]
  tipc_setsockopt+0xaf/0x3f0 net/tipc/socket.c:2400
  kernel_setsockopt+0xfb/0x1b0 net/socket.c:3396
  tipc_create_listen_sock net/tipc/server.c:334 [inline]
  tipc_open_listening_sock net/tipc/server.c:396 [inline]
  tipc_server_start+0x2da/0x880 net/tipc/server.c:611
  tipc_topsrv_start net/tipc/subscr.c:382 [inline]
  tipc_topsrv_init_net+0x53b/0x730 net/tipc/subscr.c:397
  ops_init+0xaa/0x3e0 net/core/net_namespace.c:118
  __register_pernet_operations net/core/net_namespace.c:883 [inline]
  register_pernet_operations+0x32f/0x750 net/core/net_namespace.c:957
  register_pernet_device+0x28/0x70 net/core/net_namespace.c:1045
  tipc_init+0x7d/0x137 net/tipc/core.c:136
  do_one_initcall+0x88/0x210 init/main.c:826
  do_initcall_level init/main.c:892 [inline]
  do_initcalls init/main.c:900 [inline]
  do_basic_setup init/main.c:918 [inline]
  kernel_init_freeable+0x565/0x626 init/main.c:1075
  kernel_init+0xd/0x15e init/main.c:1000
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
irq event stamp: 8552
hardirqs last  enabled at (8552): [] restore_regs_and_return_to_kernel+0x0/0x2a
hardirqs last disabled at (8551): [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:793
softirqs last  enabled at (8114): [] spin_unlock_bh include/linux/spinlock.h:362 [inline]
softirqs last  enabled at (8114): [] tipc_sk_rcv+0x764/0x1660 net/tipc/socket.c:1838
softirqs last disabled at (8159): [] invoke_softirq kernel/softirq.c:368 [inline]
softirqs last disabled at (8159): [] irq_exit+0x193/0x240 kernel/softirq.c:409

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(k-sk_lock-AF_TIPC);
    lock(k-sk_lock-AF_TIPC);

 *** DEADLOCK ***

2 locks held by syz-executor.2/11977:
 #0:  (sk_lock-AF_TIPC){+.+.}, at: [] lock_sock include/net/sock.h:1473 [inline]
 #0:  (sk_lock-AF_TIPC){+.+.}, at: [] __tipc_sendstream+0x435/0x8c0 net/tipc/socket.c:1077
 #1:  (((&sub->timer))){+.-.}, at: [] lockdep_copy_map include/linux/lockdep.h:174 [inline]
 #1:  (((&sub->timer))){+.-.}, at: [] call_timer_fn+0xb8/0x650 kernel/time/timer.c:1270

stack backtrace:
CPU: 1 PID: 11977 Comm: syz-executor.2 Tainted: G W 4.14.262-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_usage_bug.cold+0x42e/0x570 kernel/locking/lockdep.c:2589
 valid_state kernel/locking/lockdep.c:2602 [inline]
 mark_lock_irq kernel/locking/lockdep.c:2796 [inline]
 mark_lock+0xb4d/0x1050 kernel/locking/lockdep.c:3194
 mark_irqflags kernel/locking/lockdep.c:3072 [inline]
 __lock_acquire+0xc81/0x3f20 kernel/locking/lockdep.c:3448
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 lock_sock_nested+0xb7/0x100 net/core/sock.c:2816
 lock_sock include/net/sock.h:1473 [inline]
 tipc_bind+0x49/0x600 net/tipc/socket.c:599
 tipc_conn_kref_release net/tipc/server.c:105 [inline]
 kref_put include/linux/kref.h:70 [inline]
 conn_put+0x12e/0x580 net/tipc/server.c:121
 tipc_conn_sendmsg+0x2b8/0x3b0 net/tipc/server.c:476
 tipc_subscrp_timeout+0x1c8/0x240 net/tipc/subscr.c:147
 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280
 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
 __run_timers kernel/time/timer.c:1637 [inline]
 run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x193/0x240 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:__kmalloc_reserve net/core/skbuff.c:140 [inline]
RIP: 0010:__alloc_skb+0x99/0x510 net/core/skbuff.c:205
RSP: 0018:ffff8880b06bf8e0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: ffff8880657d8fc0 RBX: 0000000000000001 RCX: 0000000000000007
RDX: 00000000000000ff RSI: ffff88806f891878 RDI: 0000000000000000
RBP: 0000000000010400 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88809d87e000 R12: 00000000014000c0
R13: 00000000ffffffff R14: ffff8880b553ba80 R15: ffff8880afe75580
 alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
 tipc_buf_acquire+0x28/0xf0 net/tipc/msg.c:66
 tipc_msg_build+0xcf/0xec0 net/tipc/msg.c:260
 __tipc_sendstream+0x4d5/0x8c0 net/tipc/socket.c:1085
 tipc_sendstream+0x4c/0x70 net/tipc/socket.c:1042
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 sock_write_iter+0x22c/0x370 net/socket.c:925
 call_write_iter include/linux/fs.h:1780 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x44c/0x630 fs/read_write.c:482
 vfs_write+0x17f/0x4d0 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xf2/0x210 fs/read_write.c:582
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f3c229bdfe9
RSP: 002b:00007f3c21333168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f3c22ad0f60 RCX: 00007f3c229bdfe9
RDX: 000000002000011a RSI: 0000000020001240 RDI: 0000000000000005
RBP: 00007f3c22a1808d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff9dd6919f R14: 00007f3c21333300 R15: 0000000000022000
SQUASHFS error: Unable to read page, block 60, size 1f
audit: type=1800 audit(1642625131.760:29): pid=11935 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.4" name="file1" dev="loop4" ino=5 res=0
SQUASHFS error: lzo decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x60
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
audit: type=1800 audit(1642625131.900:30): pid=11990 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="file1" dev="loop5" ino=5 res=0
SQUASHFS error: lzo decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x60
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: lzo decompression failed, data probably corrupt
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: squashfs_read_data failed to read block 0x60
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: Unable to read fragment cache entry [60]
audit: type=1800 audit(1642625133.070:31): pid=12007 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.4" name="file1" dev="loop4" ino=5 res=0
SQUASHFS error: lzo decompression failed, data probably corrupt
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: squashfs_read_data failed to read block 0x60
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
audit: type=1800 audit(1642625133.130:32): pid=12004 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.3" name="file1" dev="loop3" ino=5 res=0
audit: type=1800 audit(1642625133.170:33): pid=12019 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="file1" dev="loop5" ino=5 res=0
netlink: 12981 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 12985 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 12981 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 12981 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 12989 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 12981 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 12989 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 12981 bytes leftover after parsing attributes in process `syz-executor.5'.
SQUASHFS error: lzo decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x60
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
audit: type=1800 audit(1642625134.000:34): pid=12080 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.4" name="file1" dev="loop4" ino=5 res=0
SQUASHFS error: lzo decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x60
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
audit: type=1800 audit(1642625134.090:35): pid=12065 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.3" name="file1" dev="loop3" ino=5 res=0
netlink: 12981 bytes leftover after parsing attributes in process `syz-executor.5'.
kvm: emulating exchange as write
Zero length message leads to an empty skb