=================================
[ INFO: inconsistent lock state ]
4.9.102-gd054505 #34 Not tainted
---------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor2/3855 [HC0[0]:SC1[1]:HE1:SE0] takes:
 (&(&rnp->exp_lock)->rlock){+.?...}, at: [<ffffffff81282b1b>] spin_lock include/linux/spinlock.h:302 [inline]
 (&(&rnp->exp_lock)->rlock){+.?...}, at: [<ffffffff81282b1b>] exp_funnel_lock kernel/rcu/tree_exp.h:271 [inline]
 (&(&rnp->exp_lock)->rlock){+.?...}, at: [<ffffffff81282b1b>] _synchronize_rcu_expedited+0x1fb/0x840 kernel/rcu/tree_exp.h:569
  mark_irqflags kernel/locking/lockdep.c:2941 [inline]
  __lock_acquire+0xdd0/0x4070 kernel/locking/lockdep.c:3302
  lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
  __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
  _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
  spin_lock include/linux/spinlock.h:302 [inline]
  rcu_exp_wait_wake+0x2d2/0x5e0 kernel/rcu/tree_exp.h:504
  rcu_exp_sel_wait_wake kernel/rcu/tree_exp.h:535 [inline]
  _synchronize_rcu_expedited+0x73c/0x840 kernel/rcu/tree_exp.h:575
  synchronize_rcu_expedited kernel/rcu/tree_exp.h:687 [inline]
  synchronize_rcu.part.62+0xd3/0x110 kernel/rcu/tree_plugin.h:676
  synchronize_rcu+0x27/0x90 kernel/rcu/tree_plugin.h:679
  rcu_test_sync_prims+0x9/0x30 kernel/rcu/update.c:829
  rcu_scheduler_starting+0x51/0x80 kernel/rcu/tree.c:4016
  rest_init+0xf/0x189 init/main.c:388
  start_kernel+0x67e/0x6b2 init/main.c:664
  x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:196
  x86_64_start_kernel+0x13f/0x162 arch/x86/kernel/head64.c:177
irq event stamp: 8381380
hardirqs last  enabled at (8381380): [<ffffffff8114971a>] __local_bh_enable_ip+0x6a/0xd0 kernel/softirq.c:186
hardirqs last disabled at (8381379): [<ffffffff811496e2>] __local_bh_enable_ip+0x32/0xd0 kernel/softirq.c:163
softirqs last  enabled at (8377466): [<ffffffff8336e5c8>] tcp_close+0x8e8/0x1070 net/ipv4/tcp.c:2247
softirqs last disabled at (8380317): [<ffffffff8114b0b7>] invoke_softirq kernel/softirq.c:364 [inline]
softirqs last disabled at (8380317): [<ffffffff8114b0b7>] irq_exit+0x147/0x190 kernel/softirq.c:405

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&rnp->exp_lock)->rlock);
  <Interrupt>
    lock(&(&rnp->exp_lock)->rlock);

 *** DEADLOCK ***

1 lock held by syz-executor2/3855:
 #0:  (rcu_callback){......}, at: [<ffffffff812879be>] __rcu_reclaim kernel/rcu/rcu.h:108 [inline]
 #0:  (rcu_callback){......}, at: [<ffffffff812879be>] rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 #0:  (rcu_callback){......}, at: [<ffffffff812879be>] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 #0:  (rcu_callback){......}, at: [<ffffffff812879be>] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 #0:  (rcu_callback){......}, at: [<ffffffff812879be>] rcu_process_callbacks+0x98e/0x12b0 kernel/rcu/tree.c:3037

stack backtrace:
CPU: 1 PID: 3855 Comm: syz-executor2 Not tainted 4.9.102-gd054505 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801db307708 ffffffff81eb3489 ffff8801d9516000 ffffffff85595250
 ffff8801d95168f0 ffff8801d9516910 0000000000000000 ffff8801db307778
 ffffffff814277eb 0000000000000001 0000000000000001 ffff880100000000
Call Trace:
 <IRQ> [  620.271156]  [<ffffffff81eb3489>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ> [  620.271156]  [<ffffffff81eb3489>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814277eb>] print_usage_bug.cold.56+0x327/0x421 kernel/locking/lockdep.c:2387
 [<ffffffff812352e6>] valid_state kernel/locking/lockdep.c:2400 [inline]
 [<ffffffff812352e6>] mark_lock_irq kernel/locking/lockdep.c:2602 [inline]
 [<ffffffff812352e6>] mark_lock+0xcc6/0x1280 kernel/locking/lockdep.c:3065
 [<ffffffff81237210>] mark_irqflags kernel/locking/lockdep.c:2923 [inline]
 [<ffffffff81237210>] __lock_acquire+0xd40/0x4070 kernel/locking/lockdep.c:3302
 [<ffffffff8123afb0>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff839f6c86>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<ffffffff839f6c86>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
 [<ffffffff81282b1b>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff81282b1b>] exp_funnel_lock kernel/rcu/tree_exp.h:271 [inline]
 [<ffffffff81282b1b>] _synchronize_rcu_expedited+0x1fb/0x840 kernel/rcu/tree_exp.h:569
 [<ffffffff812841b3>] synchronize_rcu_expedited kernel/rcu/tree_exp.h:687 [inline]
 [<ffffffff812841b3>] synchronize_rcu.part.62+0xd3/0x110 kernel/rcu/tree_plugin.h:676
 [<ffffffff81284217>] synchronize_rcu+0x27/0x90 kernel/rcu/tree_plugin.h:679
 [<ffffffff836bad2a>] __l2tp_session_unhash+0x38a/0x520 net/l2tp/l2tp_core.c:1796
 [<ffffffff836bb0b7>] l2tp_tunnel_closeall+0x1f7/0x350 net/l2tp/l2tp_core.c:1364
 [<ffffffff836bb972>] l2tp_tunnel_destruct+0x2f2/0x590 net/l2tp/l2tp_core.c:1324
 [<ffffffff83020095>] __sk_destruct+0x55/0x590 net/core/sock.c:1428
 [<ffffffff812878de>] __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 [<ffffffff812878de>] rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 [<ffffffff812878de>] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 [<ffffffff812878de>] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 [<ffffffff812878de>] rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
 [<ffffffff839fe4bb>] __do_softirq+0x20b/0x937 kernel/softirq.c:284
 [<ffffffff8114b0b7>] invoke_softirq kernel/softirq.c:364 [inline]
 [<ffffffff8114b0b7>] irq_exit+0x147/0x190 kernel/softirq.c:405
 [<ffffffff839fd0a1>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff839fd0a1>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:960
 [<ffffffff839f9230>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:648
 <EOI> [  620.583810]  [<ffffffff839f753e>] ? arch_local_irq_enable arch/x86/include/asm/paravirt.h:778 [inline]
 <EOI> [  620.583810]  [<ffffffff839f753e>] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:170 [inline]
 <EOI> [  620.583810]  [<ffffffff839f753e>] ? _raw_spin_unlock_irq+0x2e/0x50 kernel/locking/spinlock.c:199
 [<ffffffff811babdd>] finish_lock_switch kernel/sched/sched.h:1212 [inline]
 [<ffffffff811babdd>] finish_task_switch+0x1ed/0x640 kernel/sched/core.c:2825
 [<ffffffff839e69f5>] context_switch kernel/sched/core.c:2958 [inline]
 [<ffffffff839e69f5>] __schedule+0x655/0x1bd0 kernel/sched/core.c:3502
 [<ffffffff839e7fef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3557
 [<ffffffff839f4f45>] freezable_schedule include/linux/freezer.h:171 [inline]
 [<ffffffff839f4f45>] do_nanosleep+0x1f5/0x4d0 kernel/time/hrtimer.c:1497
 [<ffffffff812a6400>] hrtimer_nanosleep+0x210/0x540 kernel/time/hrtimer.c:1566
 [<ffffffff812a67fc>] SYSC_nanosleep kernel/time/hrtimer.c:1604 [inline]
 [<ffffffff812a67fc>] SyS_nanosleep+0xcc/0x120 kernel/time/hrtimer.c:1593
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839f78d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
BUG: sleeping function called from invalid context at kernel/rcu/tree_exp.h:281
in_atomic(): 1, irqs_disabled(): 0, pid: 3855, name: syz-executor2
INFO: lockdep is turned off.
Preemption disabled at:[  620.734446] [<ffffffff839e7fe8>] schedule+0x78/0x1b0 kernel/sched/core.c:3556
CPU: 1 PID: 3855 Comm: syz-executor2 Not tainted 4.9.102-gd054505 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801db3079b0 ffffffff81eb3489 ffffffff839e7fe8 0000000000000000
 0000000000000102 ffff8801d9516000 ffff8801d9516000 ffff8801db3079e8
 ffffffff81424440 ffff8801d9516000 ffffffff83c6d5e0 0000000000000119
Call Trace:
 <IRQ> [  620.785121]  [<ffffffff81eb3489>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ> [  620.785121]  [<ffffffff81eb3489>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81424440>] ___might_sleep.cold.123+0x1bc/0x1f5 kernel/sched/core.c:7992
 [<ffffffff811bb485>] __might_sleep+0x95/0x1a0 kernel/sched/core.c:7949
 [<ffffffff81282f20>] exp_funnel_lock kernel/rcu/tree_exp.h:279 [inline]
 [<ffffffff81282f20>] _synchronize_rcu_expedited+0x600/0x840 kernel/rcu/tree_exp.h:569
binder_alloc: binder_alloc_mmap_handler: 15410 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15410:15467 ioctl 40046207 0 returned -16
binder: 15410:15471 unknown command 26379
binder: 15410:15471 ioctl c0306201 20008fd0 returned -22
binder_alloc: 15410: binder_alloc_buf, no vma
binder: 15410:15467 transaction failed 29189/-3, size 0-0 line 3141
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 412 to 15410:15422
 [<ffffffff812841b3>] synchronize_rcu_expedited kernel/rcu/tree_exp.h:687 [inline]
 [<ffffffff812841b3>] synchronize_rcu.part.62+0xd3/0x110 kernel/rcu/tree_plugin.h:676
 [<ffffffff81284217>] synchronize_rcu+0x27/0x90 kernel/rcu/tree_plugin.h:679
 [<ffffffff836bad2a>] __l2tp_session_unhash+0x38a/0x520 net/l2tp/l2tp_core.c:1796
 [<ffffffff836bb0b7>] l2tp_tunnel_closeall+0x1f7/0x350 net/l2tp/l2tp_core.c:1364
 [<ffffffff836bb972>] l2tp_tunnel_destruct+0x2f2/0x590 net/l2tp/l2tp_core.c:1324
 [<ffffffff83020095>] __sk_destruct+0x55/0x590 net/core/sock.c:1428
 [<ffffffff812878de>] __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 [<ffffffff812878de>] rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 [<ffffffff812878de>] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 [<ffffffff812878de>] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 [<ffffffff812878de>] rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
 [<ffffffff839fe4bb>] __do_softirq+0x20b/0x937 kernel/softirq.c:284
 [<ffffffff8114b0b7>] invoke_softirq kernel/softirq.c:364 [inline]
 [<ffffffff8114b0b7>] irq_exit+0x147/0x190 kernel/softirq.c:405
 [<ffffffff839fd0a1>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff839fd0a1>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:960
 [<ffffffff839f9230>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:648
 <EOI> [  621.068648]  [<ffffffff839f753e>] ? arch_local_irq_enable arch/x86/include/asm/paravirt.h:778 [inline]
 <EOI> [  621.068648]  [<ffffffff839f753e>] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:170 [inline]
 <EOI> [  621.068648]  [<ffffffff839f753e>] ? _raw_spin_unlock_irq+0x2e/0x50 kernel/locking/spinlock.c:199
 [<ffffffff811babdd>] finish_lock_switch kernel/sched/sched.h:1212 [inline]
 [<ffffffff811babdd>] finish_task_switch+0x1ed/0x640 kernel/sched/core.c:2825
 [<ffffffff839e69f5>] context_switch kernel/sched/core.c:2958 [inline]
 [<ffffffff839e69f5>] __schedule+0x655/0x1bd0 kernel/sched/core.c:3502
 [<ffffffff839e7fef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3557
 [<ffffffff839f4f45>] freezable_schedule include/linux/freezer.h:171 [inline]
 [<ffffffff839f4f45>] do_nanosleep+0x1f5/0x4d0 kernel/time/hrtimer.c:1497
 [<ffffffff812a6400>] hrtimer_nanosleep+0x210/0x540 kernel/time/hrtimer.c:1566
 [<ffffffff812a67fc>] SYSC_nanosleep kernel/time/hrtimer.c:1604 [inline]
 [<ffffffff812a67fc>] SyS_nanosleep+0xcc/0x120 kernel/time/hrtimer.c:1593
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839f78d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
IP: [<ffffffff836ba8bc>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1765
PGD 1bf5b5067 [  621.213515] PUD 1bc6ea067 
Oops: 0002 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3855 Comm: syz-executor2 Tainted: G        W       4.9.102-gd054505 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d9516000 task.stack: ffff8801bc6c8000
RIP: 0010:[<ffffffff836ba8bc>]  [<ffffffff836ba8bc>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1765
RSP: 0018:ffff8801db307cf0  EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8801da0fb180 RCX: 0000000000000000
RDX: 1ffff1003ae9e610 RSI: ffffffff836ba891 RDI: ffff8801d74f3080
RBP: ffff8801db307d10 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801d74f2f00
R13: ffff8801da0fb188 R14: 0000000000000000 R15: ffff8801d74f2f58
FS:  000000000130a940(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 00000001bf5b4000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801d6c0c400 ffff8801da0fb180 ffff8801d6c0c7d0 ffffffff836c4700
 ffff8801db307d38 ffffffff836c21a2 ffff8801d6c0c840 ffff8801d6c0c400
 ffffffff836c20d0 ffff8801db307d70 ffffffff83020095 ffff8801d6c0c840
Call Trace:
 [<ffffffff836c21a2>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:297 [inline]
 [<ffffffff836c21a2>] pppol2tp_session_destruct+0xd2/0x110 net/l2tp/l2tp_ppp.c:460
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
 [<ffffffff83020095>] __sk_destruct+0x55/0x590 net/core/sock.c:1428
 [<ffffffff83027b23>] sk_destruct+0x63/0x80 net/core/sock.c:1463
 [<ffffffff83027c9e>] __sk_free+0x15e/0x220 net/core/sock.c:1471
 [<ffffffff83027d8b>] sk_free+0x2b/0x40 net/core/sock.c:1482
 [<ffffffff836c475a>] sock_put include/net/sock.h:1588 [inline]
 [<ffffffff836c475a>] pppol2tp_session_sock_put+0x5a/0x70 net/l2tp/l2tp_ppp.c:271
 [<ffffffff836bb128>] l2tp_tunnel_closeall+0x268/0x350 net/l2tp/l2tp_core.c:1371
 [<ffffffff836bb972>] l2tp_tunnel_destruct+0x2f2/0x590 net/l2tp/l2tp_core.c:1324
 [<ffffffff83020095>] __sk_destruct+0x55/0x590 net/core/sock.c:1428
 [<ffffffff812878de>] __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 [<ffffffff812878de>] rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 [<ffffffff812878de>] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 [<ffffffff812878de>] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 [<ffffffff812878de>] rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
 [<ffffffff839fe4bb>] __do_softirq+0x20b/0x937 kernel/softirq.c:284
 [<ffffffff8114b0b7>] invoke_softirq kernel/softirq.c:364 [inline]
 [<ffffffff8114b0b7>] irq_exit+0x147/0x190 kernel/softirq.c:405
 [<ffffffff839fd0a1>] exiting_irq arch/x86/include/asm/apic.h:659 [inline]
 [<ffffffff839fd0a1>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:960
 [<ffffffff839f9230>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:648
 <EOI> [  621.524012]  [<ffffffff839f753e>] ? arch_local_irq_enable arch/x86/include/asm/paravirt.h:778 [inline]
 <EOI> [  621.524012]  [<ffffffff839f753e>] ? __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:170 [inline]
 <EOI> [  621.524012]  [<ffffffff839f753e>] ? _raw_spin_unlock_irq+0x2e/0x50 kernel/locking/spinlock.c:199
 [<ffffffff811babdd>] finish_lock_switch kernel/sched/sched.h:1212 [inline]
 [<ffffffff811babdd>] finish_task_switch+0x1ed/0x640 kernel/sched/core.c:2825
 [<ffffffff839e69f5>] context_switch kernel/sched/core.c:2958 [inline]
 [<ffffffff839e69f5>] __schedule+0x655/0x1bd0 kernel/sched/core.c:3502
 [<ffffffff839e7fef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3557
 [<ffffffff839f4f45>] freezable_schedule include/linux/freezer.h:171 [inline]
 [<ffffffff839f4f45>] do_nanosleep+0x1f5/0x4d0 kernel/time/hrtimer.c:1497
 [<ffffffff812a6400>] hrtimer_nanosleep+0x210/0x540 kernel/time/hrtimer.c:1566
 [<ffffffff812a67fc>] SYSC_nanosleep kernel/time/hrtimer.c:1604 [inline]
 [<ffffffff812a67fc>] SyS_nanosleep+0xcc/0x120 kernel/time/hrtimer.c:1593
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839f78d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 49 8d bc 24 80 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c6 00 00 00 4d 8b b4 24 80 01 00 00 <f0> 41 ff 8e 80 00 00 00 74 69 e8 d5 42 ca fd 4c 89 ea 48 b8 00 
RIP  [<ffffffff836ba8bc>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1765
 RSP <ffff8801db307cf0>
CR2: 0000000000000080
---[ end trace 45ac9c18fce319d5 ]---