BUG: sleeping function called from invalid context at mm/vmalloc.c:3409
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 19001, name: syz-executor
preempt_count: 1, expected: 0
RCU nest depth: 2, expected: 0
4 locks held by syz-executor/19001:
#0: ffffffff8e6dd7d0 (dup_mmap_sem){++++}-{0:0}, at: dup_mm kernel/fork.c:1484 [inline]
#0: ffffffff8e6dd7d0 (dup_mmap_sem){++++}-{0:0}, at: copy_mm kernel/fork.c:1537 [inline]
#0: ffffffff8e6dd7d0 (dup_mmap_sem){++++}-{0:0}, at: copy_process+0x4076/0x7690 kernel/fork.c:2175
#1: ffff8880568de2a0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:415 [inline]
#1: ffff8880568de2a0 (&mm->mmap_lock){++++}-{4:4}, at: dup_mmap+0xfd/0x21d0 mm/mmap.c:1727
#2: ffff8880256c62a0 (&mm->mmap_lock/1){+.+.}-{4:4}, at: mmap_write_lock_nested include/linux/mmap_lock.h:405 [inline]
#2: ffff8880256c62a0 (&mm->mmap_lock/1){+.+.}-{4:4}, at: dup_mmap+0x198/0x21d0 mm/mmap.c:1734
#3: ffffffff8e5c10e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#3: ffffffff8e5c10e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#3: ffffffff8e5c10e0 (rcu_read_lock){....}-{1:3}, at: get_mem_cgroup_from_objcg+0x25/0x330 include/linux/memcontrol.h:508
Preemption disabled at:
[] preempt_schedule_irq+0x41/0x90 kernel/sched/core.c:7286
CPU: 0 UID: 0 PID: 19001 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
__might_resched+0x3c0/0x5e0 kernel/sched/core.c:8957
vfree+0x75/0xb50 mm/vmalloc.c:3409
futex_hash_free+0x98/0xc0 kernel/futex/core.c:1742
__mmdrop+0x33f/0x580 kernel/fork.c:692
mmdrop include/linux/sched/mm.h:55 [inline]
mmdrop_sched include/linux/sched/mm.h:83 [inline]
mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline]
finish_task_switch.isra.0+0x7a4/0xc10 kernel/sched/core.c:5250
context_switch kernel/sched/core.c:5360 [inline]
__schedule+0x1198/0x5de0 kernel/sched/core.c:6961
preempt_schedule_irq+0x51/0x90 kernel/sched/core.c:7288
irqentry_exit+0x36/0x90 kernel/entry/common.c:197
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_release+0x183/0x2f0 kernel/locking/lockdep.c:5893
Code: 0f c1 05 78 e4 3e 12 83 f8 01 0f 85 1d 01 00 00 9c 58 f6 c4 02 0f 85 08 01 00 00 41 f7 c5 00 02 00 00 74 01 fb 48 8b 44 24 10 <65> 48 2b 05 8d a2 3e 12 0f 85 58 01 00 00 48 83 c4 18 5b 41 5c 41
RSP: 0018:ffffc9000332f1d0 EFLAGS: 00000206
RAX: 10936da7e14d6000 RBX: ffffffff8e5c10e0 RCX: ffffc9000332f1dc
RDX: 0000000000000004 RSI: ffffffff8de27e4d RDI: ffffffff8c162e00
RBP: ffff8880504faa00 R08: 898076a32ee37a11 R09: 0000000000000000
R10: 1ffff1100a09f542 R11: 0000000000000000 R12: ffffffff822872e7
R13: 0000000000000202 R14: ffff88801daf8000 R15: 0000000000000005
rcu_lock_release include/linux/rcupdate.h:341 [inline]
rcu_read_unlock+0x1c/0x60 include/linux/rcupdate.h:871
percpu_ref_tryget_many include/linux/percpu-refcount.h:250 [inline]
percpu_ref_tryget include/linux/percpu-refcount.h:266 [inline]
css_tryget include/linux/cgroup_refcnt.h:45 [inline]
css_tryget include/linux/cgroup_refcnt.h:42 [inline]
get_mem_cgroup_from_objcg+0x1d7/0x330 include/linux/memcontrol.h:511
obj_cgroup_charge_pages+0x12/0x1f0 mm/memcontrol.c:2798
__memcg_kmem_charge_page+0xc2/0x2e0 mm/memcontrol.c:2844
__alloc_frozen_pages_noprof+0x325/0x23f0 mm/page_alloc.c:5165
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
alloc_pages_noprof+0x131/0x390 mm/mempolicy.c:2507
pagetable_alloc_noprof include/linux/mm.h:2881 [inline]
__pte_alloc_one_noprof include/asm-generic/pgalloc.h:75 [inline]
pte_alloc_one+0x1c/0x3a0 arch/x86/mm/pgtable.c:18
__pte_alloc+0x6d/0x3c0 mm/memory.c:452
copy_pte_range mm/memory.c:1107 [inline]
copy_pmd_range mm/memory.c:1261 [inline]
copy_pud_range mm/memory.c:1298 [inline]
copy_p4d_range mm/memory.c:1322 [inline]
copy_page_range+0x3b83/0x5c80 mm/memory.c:1410
dup_mmap+0xe88/0x21d0 mm/mmap.c:1834
dup_mm kernel/fork.c:1485 [inline]
copy_mm kernel/fork.c:1537 [inline]
copy_process+0x4081/0x7690 kernel/fork.c:2175
kernel_clone+0xfc/0x930 kernel/fork.c:2605
__do_compat_sys_ia32_clone+0xcb/0x110 arch/x86/kernel/sys_ia32.c:254
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7fe2579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ffcb105c EFLAGS: 00000292 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000571b34a8
RBP: 00000000f7474ff4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess):
 0: 0f c1 05 78 e4 3e 12 xadd %eax,0x123ee478(%rip) # 0x123ee47f
 7: 83 f8 01 cmp $0x1,%eax
 a: 0f 85 1d 01 00 00 jne 0x12d
10: 9c pushf
11: 58 pop %rax
12: f6 c4 02 test $0x2,%ah
15: 0f 85 08 01 00 00 jne 0x123
1b: 41 f7 c5 00 02 00 00 test $0x200,%r13d
22: 74 01 je 0x25
24: fb sti
25: 48 8b 44 24 10 mov 0x10(%rsp),%rax
* 2a: 65 48 2b 05 8d a2 3e sub %gs:0x123ea28d(%rip),%rax # 0x123ea2bf <-- trapping instruction
31: 12
32: 0f 85 58 01 00 00 jne 0x190
38: 48 83 c4 18 add $0x18,%rsp
3c: 5b pop %rbx
3d: 41 5c pop %r12
3f: 41 rex.B