BUG: sleeping function called from invalid context at kernel/workqueue.c:3019 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2959, name: kworker/0:3 preempt_count: 100, expected: 0 RCU nest depth: 0, expected: 0 6 locks held by kworker/0:3/2959: #0: ffff888142dd7938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888142dd7938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888142dd7938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888142dd7938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:635 [inline] #0: ffff888142dd7938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:662 [inline] #0: ffff888142dd7938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x7a4/0x1450 kernel/workqueue.c:2269 #1: ffffc90001acfdb8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x7d1/0x1450 kernel/workqueue.c:2273 #2: ffff88801c200220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:760 [inline] #2: ffff88801c200220 (&dev->mutex){....}-{3:3}, at: hub_event+0x127/0x36c0 drivers/usb/core/hub.c:5662 #3: ffff888010aca220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:760 [inline] #3: ffff888010aca220 (&dev->mutex){....}-{3:3}, at: usb_disconnect.cold+0x4d/0x67e drivers/usb/core/hub.c:2216 #4: ffff88801ac59cb8 (kn->active#327){+.+.}-{0:0}, at: kernfs_remove_by_name_ns+0x3a/0x80 fs/kernfs/dir.c:1544 #5: ffffc90000007d78 ((&dum_hcd->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline] #5: ffffc90000007d78 ((&dum_hcd->timer)){+.-.}-{0:0}, at: call_timer_fn+0xcd/0x4a0 kernel/time/timer.c:1411 irq event stamp: 74195 hardirqs last enabled at (74194): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (74194): [] _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202 hardirqs last disabled at (74195): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (74195): [] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162 softirqs last enabled at (73900): [] rcu_read_unlock_bh include/linux/rcupdate.h:754 [inline] softirqs last enabled at (73900): [] keep_key_fresh drivers/net/wireguard/send.c:135 [inline] softirqs last enabled at (73900): [] wg_packet_create_data_done drivers/net/wireguard/send.c:259 [inline] softirqs last enabled at (73900): [] wg_packet_tx_worker+0x25b/0x570 drivers/net/wireguard/send.c:276 softirqs last disabled at (74145): [] invoke_softirq kernel/softirq.c:432 [inline] softirqs last disabled at (74145): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 Preemption disabled at: [] softirq_handle_begin kernel/softirq.c:396 [inline] [] __do_softirq+0xe1/0x9c2 kernel/softirq.c:534 CPU: 0 PID: 2959 Comm: kworker/0:3 Not tainted 5.16.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9542 start_flush_work kernel/workqueue.c:3019 [inline] __flush_work+0xdd/0xa30 kernel/workqueue.c:3083 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3171 hci_cmd_sync_cancel net/bluetooth/hci_sync.c:346 [inline] hci_cmd_sync_cancel+0xaf/0x130 net/bluetooth/hci_sync.c:338 btusb_intr_complete+0x32c/0x400 drivers/bluetooth/btusb.c:937 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x524/0x890 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:lock_acquire+0x1ef/0x510 kernel/locking/lockdep.c:5605 Code: 16 ae 7e 83 f8 01 0f 85 b4 02 00 00 9c 58 f6 c4 02 0f 85 9f 02 00 00 48 83 7c 24 08 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24 RSP: 0018:ffffc90001acf628 EFLAGS: 00000206 RAX: dffffc0000000000 RBX: 1ffff92000359ec7 RCX: 0000000000000001 RDX: 1ffff1100f7eb88b RSI: ffffffff88eb5a60 RDI: ffffffff89414d60 RBP: 0000000000000001 R08: 0000000000115018 R09: 0000000000000001 R10: fffffbfff1e40318 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: ffff88801ac59cb8 R15: 0000000000000000 kernfs_drain fs/kernfs/dir.c:470 [inline] __kernfs_remove+0x6b5/0x8c0 fs/kernfs/dir.c:1351 kernfs_remove_by_name_ns+0x3a/0x80 fs/kernfs/dir.c:1544 kernfs_remove_by_name include/linux/kernfs.h:570 [inline] remove_files+0x87/0x1a0 fs/sysfs/group.c:28 sysfs_remove_group+0x72/0x140 fs/sysfs/group.c:288 sysfs_remove_groups fs/sysfs/group.c:312 [inline] sysfs_remove_groups+0x4a/0x90 fs/sysfs/group.c:304 device_remove_groups drivers/base/core.c:2480 [inline] device_remove_attrs+0xb8/0x150 drivers/base/core.c:2680 device_del+0x48c/0xc20 drivers/base/core.c:3580 device_unregister+0xe/0xa0 drivers/base/core.c:3614 usb_remove_ep_devs+0x32/0x70 drivers/usb/core/endpoint.c:188 remove_intf_ep_devs drivers/usb/core/message.c:1267 [inline] usb_disable_device+0x266/0x660 drivers/usb/core/message.c:1418 usb_disconnect.cold+0x209/0x67e drivers/usb/core/hub.c:2225 hub_port_connect drivers/usb/core/hub.c:5199 [inline] hub_port_connect_change drivers/usb/core/hub.c:5488 [inline] port_event drivers/usb/core/hub.c:5634 [inline] hub_event+0xb22/0x36c0 drivers/usb/core/hub.c:5716 process_one_work+0x87f/0x1450 kernel/workqueue.c:2298 worker_thread+0x598/0x1040 kernel/workqueue.c:2445 kthread+0x3ab/0x480 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 BUG: sleeping function called from invalid context at kernel/workqueue.c:3019 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 50, name: kworker/u4:2 preempt_count: 101, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by kworker/u4:2/50: #0: ffff888022081138 ((wq_completion)bat_events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888022081138 ((wq_completion)bat_events){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888022081138 ((wq_completion)bat_events){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888022081138 ((wq_completion)bat_events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:635 [inline] #0: ffff888022081138 ((wq_completion)bat_events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:662 [inline] #0: ffff888022081138 ((wq_completion)bat_events){+.+.}-{0:0}, at: process_one_work+0x7a4/0x1450 kernel/workqueue.c:2269 #1: ffffc900017ffdb8 ((work_completion)(&(&bat_priv->nc.work)->work)){+.+.}-{0:0}, at: process_one_work+0x7d1/0x1450 kernel/workqueue.c:2273 #2: ffffc90000007d98 ((&dum_hcd->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline] #2: ffffc90000007d98 ((&dum_hcd->timer)){+.-.}-{0:0}, at: call_timer_fn+0xcd/0x4a0 kernel/time/timer.c:1411 irq event stamp: 558601 hardirqs last enabled at (558600): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (558600): [] _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202 hardirqs last disabled at (558601): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (558601): [] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162 softirqs last enabled at (558596): [] spin_unlock_bh include/linux/spinlock.h:394 [inline] softirqs last enabled at (558596): [] batadv_nc_purge_paths+0x1e9/0x2d0 net/batman-adv/network-coding.c:475 softirqs last disabled at (558597): [] do_softirq.part.0+0xde/0x130 kernel/softirq.c:459 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 0 PID: 50 Comm: kworker/u4:2 Tainted: G W 5.16.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_nc_worker Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9542 start_flush_work kernel/workqueue.c:3019 [inline] __flush_work+0xdd/0xa30 kernel/workqueue.c:3083 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3171 hci_cmd_sync_cancel net/bluetooth/hci_sync.c:346 [inline] hci_cmd_sync_cancel+0xaf/0x130 net/bluetooth/hci_sync.c:338 btusb_intr_complete+0x32c/0x400 drivers/bluetooth/btusb.c:937 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x524/0x890 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 do_softirq.part.0+0xde/0x130 kernel/softirq.c:459 do_softirq kernel/softirq.c:451 [inline] __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:383 spin_unlock_bh include/linux/spinlock.h:394 [inline] batadv_nc_purge_paths+0x1e9/0x2d0 net/batman-adv/network-coding.c:475 batadv_nc_worker+0x6e0/0xd70 net/batman-adv/network-coding.c:724 process_one_work+0x87f/0x1450 kernel/workqueue.c:2298 worker_thread+0x598/0x1040 kernel/workqueue.c:2445 kthread+0x3ab/0x480 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 BUG: sleeping function called from invalid context at kernel/workqueue.c:3019 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2959, name: kworker/0:3 preempt_count: 101, expected: 0 RCU nest depth: 0, expected: 0 4 locks held by kworker/0:3/2959: #0: ffff88800fc64d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff88800fc64d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff88800fc64d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff88800fc64d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:635 [inline] #0: ffff88800fc64d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:662 [inline] #0: ffff88800fc64d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a4/0x1450 kernel/workqueue.c:2269 #1: ffffc90001acfdb8 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x7d1/0x1450 kernel/workqueue.c:2273 #2: ffffffff8c456048 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0x5/0x50 net/core/link_watch.c:251 #3: ffffc90000007d78 ((&dum_hcd->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline] #3: ffffc90000007d78 ((&dum_hcd->timer)){+.-.}-{0:0}, at: call_timer_fn+0xcd/0x4a0 kernel/time/timer.c:1411 irq event stamp: 97527 hardirqs last enabled at (97526): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (97526): [] _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202 hardirqs last disabled at (97527): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (97527): [] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162 softirqs last enabled at (97514): [] spin_unlock_bh include/linux/spinlock.h:394 [inline] softirqs last enabled at (97514): [] clusterip_netdev_event+0x34e/0x550 net/ipv4/netfilter/ipt_CLUSTERIP.c:233 softirqs last disabled at (97523): [] invoke_softirq kernel/softirq.c:432 [inline] softirqs last disabled at (97523): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 Preemption disabled at: [] vprintk_emit+0x61/0x2f0 kernel/printk/printk.c:2238 CPU: 0 PID: 2959 Comm: kworker/0:3 Tainted: G W 5.16.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events linkwatch_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9542 start_flush_work kernel/workqueue.c:3019 [inline] __flush_work+0xdd/0xa30 kernel/workqueue.c:3083 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3171 hci_cmd_sync_cancel net/bluetooth/hci_sync.c:346 [inline] hci_cmd_sync_cancel+0xaf/0x130 net/bluetooth/hci_sync.c:338 btusb_tx_complete+0x2e4/0x380 drivers/bluetooth/btusb.c:1342 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x524/0x890 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1885 [inline] RIP: 0010:vprintk_emit+0x21c/0x2f0 kernel/printk/printk.c:2244 Code: 8a e8 68 0a fe ff e8 93 09 00 00 48 85 db 0f 85 c5 00 00 00 9c 58 f6 c4 02 0f 85 c4 00 00 00 48 85 db 74 01 fb 68 b7 50 56 81 <45> 31 c9 41 b8 01 00 00 00 31 c9 ba 01 00 00 00 31 f6 48 c7 c7 e0 RSP: 0018:ffffc90001acf9d0 EFLAGS: 00000206 RAX: 0000000000000002 RBX: 0000000000000200 RCX: 1ffffffff1e10aa6 RDX: 0000000000000000 RSI: ffffffff88eb5780 RDI: ffffffff89414d60 RBP: ffffc90001acfa10 R08: 0000000000000001 R09: ffffffff8f078a27 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000042 R13: 0000000000000000 R14: ffffffff89edb1e0 R15: 0000000000000000 _printk+0xad/0xde kernel/printk/printk.c:2266 addrconf_notify.cold+0x56/0x62 net/ipv6/addrconf.c:3590 notifier_call_chain+0x94/0x170 kernel/notifier.c:83 netdev_state_change net/core/dev.c:1309 [inline] netdev_state_change+0xd7/0x100 net/core/dev.c:1302 linkwatch_do_dev+0xbe/0xf0 net/core/link_watch.c:167 __linkwatch_run_queue+0x1cd/0x590 net/core/link_watch.c:213 linkwatch_event+0x37/0x50 net/core/link_watch.c:252 process_one_work+0x87f/0x1450 kernel/workqueue.c:2298 worker_thread+0x598/0x1040 kernel/workqueue.c:2445 kthread+0x3ab/0x480 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 BUG: sleeping function called from invalid context at kernel/workqueue.c:3019 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2, name: kthreadd preempt_count: 101, expected: 0 RCU nest depth: 0, expected: 0 2 locks held by kthreadd/2: #0: ffffffff8ae938b8 (vmap_area_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline] #0: ffffffff8ae938b8 (vmap_area_lock){+.+.}-{2:2}, at: alloc_vmap_area+0x6c4/0x1b60 mm/vmalloc.c:1561 #1: ffffc90000007d78 ((&dum_hcd->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline] #1: ffffc90000007d78 ((&dum_hcd->timer)){+.-.}-{0:0}, at: call_timer_fn+0xcd/0x4a0 kernel/time/timer.c:1411 irq event stamp: 45547 hardirqs last enabled at (45546): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (45546): [] _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202 hardirqs last disabled at (45547): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (45547): [] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162 softirqs last enabled at (43278): [] invoke_softirq kernel/softirq.c:432 [inline] softirqs last enabled at (43278): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 softirqs last disabled at (45379): [] invoke_softirq kernel/softirq.c:432 [inline] softirqs last disabled at (45379): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 0 PID: 2 Comm: kthreadd Tainted: G W 5.16.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9542 start_flush_work kernel/workqueue.c:3019 [inline] __flush_work+0xdd/0xa30 kernel/workqueue.c:3083 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3171 hci_cmd_sync_cancel net/bluetooth/hci_sync.c:346 [inline] hci_cmd_sync_cancel+0xaf/0x130 net/bluetooth/hci_sync.c:338 btusb_intr_complete+0x32c/0x400 drivers/bluetooth/btusb.c:937 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x524/0x890 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:find_va_links mm/vmalloc.c:882 [inline] RIP: 0010:insert_vmap_area.constprop.0+0x67/0x410 mm/vmalloc.c:1038 Code: 8d 7d 08 49 8b 75 00 48 bd 00 00 00 00 00 fc ff df 4d 89 fe 49 c1 ee 03 49 01 ee 48 8d 7b f8 48 89 f8 48 c1 e8 03 80 3c 28 00 <0f> 85 a6 02 00 00 41 80 3e 00 4c 8b 43 f8 0f 85 79 02 00 00 48 8d RSP: 0018:ffffc90000c77870 EFLAGS: 00000246 RAX: 1ffff11003d7afed RBX: ffff88801ebd7f70 RCX: ffffc900026a1000 RDX: ffffc90002691000 RSI: ffffc90002688000 RDI: ffff88801ebd7f68 RBP: dffffc0000000000 R08: ffffc900026a6000 R09: 0000000000000003 R10: fffff5200018ef0a R11: 000000000007c08a R12: ffff88801f33a080 R13: ffff8880671a6360 R14: ffffed100ce34c6d R15: ffff8880671a6368 alloc_vmap_area+0x6cc/0x1b60 mm/vmalloc.c:1562 __get_vm_area_node.constprop.0+0xd5/0x300 mm/vmalloc.c:2434 __vmalloc_node_range+0x108/0x940 mm/vmalloc.c:3055 alloc_thread_stack_node kernel/fork.c:244 [inline] dup_task_struct kernel/fork.c:886 [inline] copy_process+0x720/0x6a60 kernel/fork.c:2023 kernel_clone+0xb8/0x7f0 kernel/fork.c:2582 kernel_thread+0xa3/0xe0 kernel/fork.c:2634 create_kthread kernel/kthread.c:350 [inline] kthreadd+0x455/0x6a0 kernel/kthread.c:685 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 BUG: sleeping function called from invalid context at kernel/workqueue.c:3019 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 8, name: kworker/u4:0 preempt_count: 100, expected: 0 RCU nest depth: 2, expected: 0 6 locks held by kworker/u4:0/8: #0: ffff888079364138 ((wq_completion)phy8){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888079364138 ((wq_completion)phy8){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888079364138 ((wq_completion)phy8){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888079364138 ((wq_completion)phy8){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:635 [inline] #0: ffff888079364138 ((wq_completion)phy8){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:662 [inline] #0: ffff888079364138 ((wq_completion)phy8){+.+.}-{0:0}, at: process_one_work+0x7a4/0x1450 kernel/workqueue.c:2269 #1: ffffc90000cd7db8 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x7d1/0x1450 kernel/workqueue.c:2273 #2: ffff888067020d40 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1013 [inline] #2: ffff888067020d40 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_rx_queued_mgmt+0xf4/0x3000 net/mac80211/ibss.c:1628 #3: ffffffff8ad7a300 (rcu_read_lock){....}-{1:2}, at: ieee80211_update_sta_info net/mac80211/ibss.c:996 [inline] ffffffff8ad7a300 (rcu_read_lock){....}-{1:2}, at: ieee80211_rx_bss_info net/mac80211/ibss.c:1117 [inline] ffffffff8ad7a300 (rcu_read_lock){....}-{1:2}, at: ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1610 [inline] ffffffff8ad7a300 (rcu_read_lock){....}-{1:2}, at: ieee80211_ibss_rx_queued_mgmt+0xe5a/0x3000 net/mac80211/ibss.c:1639 #4: ffffffff8ad7a300 (rcu_read_lock){....}-{1:2}, at: ieee80211_chandef_rate_flags include/net/cfg80211.h:882 [inline] #4: ffffffff8ad7a300 (rcu_read_lock){....}-{1:2}, at: ieee80211_sta_get_rates+0xed/0x800 net/mac80211/util.c:2101 #5: ffffc90000007d78 ((&dum_hcd->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline] #5: ffffc90000007d78 ((&dum_hcd->timer)){+.-.}-{0:0}, at: call_timer_fn+0xcd/0x4a0 kernel/time/timer.c:1411 irq event stamp: 778893 hardirqs last enabled at (778892): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (778892): [] _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202 hardirqs last disabled at (778893): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (778893): [] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162 softirqs last enabled at (778876): [] spin_unlock_bh include/linux/spinlock.h:394 [inline] softirqs last enabled at (778876): [] ieee80211_ibss_work+0x2b5/0xcd0 net/mac80211/ibss.c:1702 softirqs last disabled at (778889): [] invoke_softirq kernel/softirq.c:432 [inline] softirqs last disabled at (778889): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 Preemption disabled at: [] softirq_handle_begin kernel/softirq.c:396 [inline] [] __do_softirq+0xe1/0x9c2 kernel/softirq.c:534 CPU: 0 PID: 8 Comm: kworker/u4:0 Tainted: G W 5.16.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy8 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9542 start_flush_work kernel/workqueue.c:3019 [inline] __flush_work+0xdd/0xa30 kernel/workqueue.c:3083 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3171 hci_cmd_sync_cancel net/bluetooth/hci_sync.c:346 [inline] hci_cmd_sync_cancel+0xaf/0x130 net/bluetooth/hci_sync.c:338 btusb_intr_complete+0x32c/0x400 drivers/bluetooth/btusb.c:937 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x524/0x890 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:lock_acquire+0x1ef/0x510 kernel/locking/lockdep.c:5605 Code: 16 ae 7e 83 f8 01 0f 85 b4 02 00 00 9c 58 f6 c4 02 0f 85 9f 02 00 00 48 83 7c 24 08 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24 RSP: 0018:ffffc90000cd7950 EFLAGS: 00000206 RAX: dffffc0000000000 RBX: 1ffff9200019af2c RCX: df4174b92c4a0034 RDX: 1ffff11002118c2b RSI: ffffffff88eb5a60 RDI: ffffffff89414d60 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8f078a07 R10: fffffbfff1e0f140 R11: 000000000007c08a R12: 0000000000000002 R13: 0000000000000000 R14: ffffffff8ad7a300 R15: 0000000000000000 rcu_lock_acquire include/linux/rcupdate.h:268 [inline] rcu_read_lock include/linux/rcupdate.h:688 [inline] ieee80211_vif_get_shift net/mac80211/ieee80211_i.h:1052 [inline] ieee80211_sta_get_rates+0x112/0x800 net/mac80211/util.c:2102 ieee80211_update_sta_info net/mac80211/ibss.c:1003 [inline] ieee80211_rx_bss_info net/mac80211/ibss.c:1117 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1610 [inline] ieee80211_ibss_rx_queued_mgmt+0xf15/0x3000 net/mac80211/ibss.c:1639 ieee80211_iface_process_skb net/mac80211/iface.c:1468 [inline] ieee80211_iface_work+0x729/0x970 net/mac80211/iface.c:1522 process_one_work+0x87f/0x1450 kernel/workqueue.c:2298 worker_thread+0x598/0x1040 kernel/workqueue.c:2445 kthread+0x3ab/0x480 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 ---------------- Code disassembly (best guess), 1 bytes skipped: 0: ae scas %es:(%rdi),%al 1: 7e 83 jle 0xffffff86 3: f8 clc 4: 01 0f add %ecx,(%rdi) 6: 85 b4 02 00 00 9c 58 test %esi,0x589c0000(%rdx,%rax,1) d: f6 c4 02 test $0x2,%ah 10: 0f 85 9f 02 00 00 jne 0x2b5 16: 48 83 7c 24 08 00 cmpq $0x0,0x8(%rsp) 1c: 74 01 je 0x1f 1e: fb sti 1f: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 26: fc ff df * 29: 48 01 c3 add %rax,%rbx <-- trapping instruction 2c: 48 c7 03 00 00 00 00 movq $0x0,(%rbx) 33: 48 c7 43 08 00 00 00 movq $0x0,0x8(%rbx) 3a: 00 3b: 48 rex.W 3c: 8b .byte 0x8b 3d: 84 .byte 0x84 3e: 24 .byte 0x24