BUG: sleeping function called from invalid context at net/core/sock.c:2502 in_atomic(): 1, irqs_disabled(): 0, pid: 3340, name: syzkaller229718 2 locks held by syzkaller229718/3340: #0: (&mm->mmap_sem){++++++}, at: [] __do_page_fault+0x319/0xd40 arch/x86/mm/fault.c:1335 #1: (rcu_callback){......}, at: [] __rcu_reclaim kernel/rcu/rcu.h:108 [inline] #1: (rcu_callback){......}, at: [] rcu_do_batch kernel/rcu/tree.c:2789 [inline] #1: (rcu_callback){......}, at: [] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] #1: (rcu_callback){......}, at: [] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] #1: (rcu_callback){......}, at: [] rcu_process_callbacks+0x977/0x1300 kernel/rcu/tree.c:3037 Preemption disabled at:[ 24.981593] [] __do_softirq+0xdb/0x951 kernel/softirq.c:261 CPU: 0 PID: 3340 Comm: syzkaller229718 Not tainted 4.9.77-ge12a9c4 #27 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801db207cd8 ffffffff81d941c9 ffffffff838b971b 0000000000000000 0000000000000100 ffff8801cc734800 ffff8801cc734800 ffff8801db207d10 ffffffff811b9b24 ffff8801cc734800 ffffffff83edcd20 00000000000009c6 Call Trace: [ 25.032552] [] __dump_stack lib/dump_stack.c:15 [inline] [ 25.032552] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] ___might_sleep+0x2f4/0x470 kernel/sched/core.c:7971 [] __might_sleep+0x95/0x1a0 kernel/sched/core.c:7928 [] lock_sock_nested+0x34/0x120 net/core/sock.c:2502 [] lock_sock include/net/sock.h:1404 [inline] [] inet_shutdown+0x62/0x350 net/ipv4/af_inet.c:823 [] pppol2tp_session_close+0xa0/0xe0 net/l2tp/l2tp_ppp.c:441 [] l2tp_tunnel_closeall+0x21f/0x3a0 net/l2tp/l2tp_core.c:1368 [] l2tp_tunnel_destruct+0x30e/0x5a0 net/l2tp/l2tp_core.c:1324 [] __sk_destruct+0x53/0x570 net/core/sock.c:1428 [] __rcu_reclaim kernel/rcu/rcu.h:118 [inline] [] rcu_do_batch kernel/rcu/tree.c:2789 [inline] [] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] [] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] [] rcu_process_callbacks+0x898/0x1300 kernel/rcu/tree.c:3037 [] __do_softirq+0x206/0x951 kernel/softirq.c:284 [] invoke_softirq kernel/softirq.c:364 [inline] [] irq_exit+0x165/0x190 kernel/softirq.c:405 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:960 [] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741 [ 25.167368] [] ? clear_huge_page+0x89/0x470 mm/memory.c:4027 [] ___might_sleep+0x31/0x470 kernel/sched/core.c:7937 [] clear_huge_page+0x9c/0x470 mm/memory.c:4027 [] __do_huge_pmd_anonymous_page mm/huge_memory.c:558 [inline] [] do_huge_pmd_anonymous_page+0x6c2/0x10d0 mm/huge_memory.c:700 [] create_huge_pmd mm/memory.c:3403 [inline] [] __handle_mm_fault mm/memory.c:3553 [inline] [] handle_mm_fault+0x158b/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1044 ================================= [ INFO: inconsistent lock state ] 4.9.77-ge12a9c4 #27 Tainted: G W --------------------------------- inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. syzkaller229718/3340 [HC0[0]:SC1[3]:HE1:SE0] takes: (sk_lock-AF_PPPOX){+.?.+.}, at: [] lock_sock include/net/sock.h:1404 [inline] (sk_lock-AF_PPPOX){+.?.+.}, at: [] inet_shutdown+0x62/0x350 net/ipv4/af_inet.c:823 mark_held_locks+0xaf/0x100 kernel/locking/lockdep.c:2660 __trace_hardirqs_on_caller kernel/locking/lockdep.c:2689 [inline] trace_hardirqs_on_caller+0x38b/0x590 kernel/locking/lockdep.c:2736 trace_hardirqs_on+0xd/0x10 kernel/locking/lockdep.c:2743 __local_bh_enable_ip+0x6a/0xd0 kernel/softirq.c:186 local_bh_enable include/linux/bottom_half.h:31 [inline] lock_sock_nested+0xdc/0x120 net/core/sock.c:2512 lock_sock include/net/sock.h:1404 [inline] pppol2tp_connect+0xd3/0x18f0 net/l2tp/l2tp_ppp.c:590 SYSC_connect+0x1b6/0x310 net/socket.c:1562 SyS_connect+0x24/0x30 net/socket.c:1543 do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384 entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127 irq event stamp: 436 hardirqs last enabled at (436): [] restore_regs_and_iret+0x0/0x1d hardirqs last disabled at (435): [] apic_timer_interrupt+0x9b/0xb0 arch/x86/entry/entry_64.S:741 softirqs last enabled at (290): [] spin_unlock_bh include/linux/spinlock.h:352 [inline] softirqs last enabled at (290): [] release_sock+0x14c/0x1c0 net/core/sock.c:2531 softirqs last disabled at (333): [] invoke_softirq kernel/softirq.c:364 [inline] softirqs last disabled at (333): [] irq_exit+0x165/0x190 kernel/softirq.c:405 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(sk_lock-AF_PPPOX); lock(sk_lock-AF_PPPOX); *** DEADLOCK *** 2 locks held by syzkaller229718/3340: #0: (&mm->mmap_sem){++++++}, at: [] __do_page_fault+0x319/0xd40 arch/x86/mm/fault.c:1335 #1: (rcu_callback){......}, at: [] __rcu_reclaim kernel/rcu/rcu.h:108 [inline] #1: (rcu_callback){......}, at: [] rcu_do_batch kernel/rcu/tree.c:2789 [inline] #1: (rcu_callback){......}, at: [] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] #1: (rcu_callback){......}, at: [] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] #1: (rcu_callback){......}, at: [] rcu_process_callbacks+0x977/0x1300 kernel/rcu/tree.c:3037 stack backtrace: CPU: 0 PID: 3340 Comm: syzkaller229718 Tainted: G W 4.9.77-ge12a9c4 #27 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801db207a50 ffffffff81d941c9 ffff8801cc734800 ffffffff853c14d0 ffff8801cc735100 ffffffff83a5f240 0000000000000000 ffff8801db207ac0 ffffffff8123a0b6 0000000000000003 ffff880100000001 ffff880100000000 Call Trace: [ 25.486121] [] __dump_stack lib/dump_stack.c:15 [inline] [ 25.486121] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_usage_bug+0x356/0x3b0 kernel/locking/lockdep.c:2387 [] valid_state kernel/locking/lockdep.c:2400 [inline] [] mark_lock_irq kernel/locking/lockdep.c:2602 [inline] [] mark_lock+0xca2/0xfd0 kernel/locking/lockdep.c:3065 [] mark_irqflags kernel/locking/lockdep.c:2923 [inline] [] __lock_acquire+0xb4c/0x3640 kernel/locking/lockdep.c:3302 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 [] lock_sock_nested+0xc6/0x120 net/core/sock.c:2511 [] lock_sock include/net/sock.h:1404 [inline] [] inet_shutdown+0x62/0x350 net/ipv4/af_inet.c:823 [] pppol2tp_session_close+0xa0/0xe0 net/l2tp/l2tp_ppp.c:441 [] l2tp_tunnel_closeall+0x21f/0x3a0 net/l2tp/l2tp_core.c:1368 [] l2tp_tunnel_destruct+0x30e/0x5a0 net/l2tp/l2tp_core.c:1324 [] __sk_destruct+0x53/0x570 net/core/sock.c:1428 [] __rcu_reclaim kernel/rcu/rcu.h:118 [inline] [] rcu_do_batch kernel/rcu/tree.c:2789 [inline] [] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] [] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] [] rcu_process_callbacks+0x898/0x1300 kernel/rcu/tree.c:3037 [] __do_softirq+0x206/0x951 kernel/softirq.c:284 [] invoke_softirq kernel/softirq.c:364 [inline] [] irq_exit+0x165/0x190 kernel/softirq.c:405 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:960 [] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741 [ 25.656373] [] ? clear_huge_page+0x89/0x470 mm/memory.c:4027 [] ___might_sleep+0x31/0x470 kernel/sched/core.c:7937 [] clear_huge_page+0x9c/0x470 mm/memory.c:4027 [] __do_huge_pmd_anonymous_page mm/huge_memory.c:558 [inline] [] do_huge_pmd_anonymous_page+0x6c2/0x10d0 mm/huge_memory.c:700 [] create_huge_pmd mm/memory.c:3403 [inline] [] __handle_mm_fault mm/memory.c:3553 [inline] [] handle_mm_fault+0x158b/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1044 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3340 at net/ipv4/af_inet.c:167 inet_sock_destruct+0x5f6/0x7b0 net/ipv4/af_inet.c:167