audit: type=1804 audit(1580465328.989:333): pid=13432 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir706543638/syzkaller.lB94lC/84/bus" dev="sda1" ino=16947 res=1 audit: type=1804 audit(1580465329.089:334): pid=13434 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir706543638/syzkaller.lB94lC/84/bus" dev="sda1" ino=16947 res=1 BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 in_atomic(): 1, irqs_disabled(): 0, pid: 9718, name: kworker/u4:6 3 locks held by kworker/u4:6/9718: #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: __write_once_size include/linux/compiler.h:220 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:59 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: process_one_work+0x87e/0x1750 kernel/workqueue.c:2124 #1: 00000000dba18768 ((work_completion)(&(&bat_priv->nc.work)->work)){+.+.}, at: process_one_work+0x8b4/0x1750 kernel/workqueue.c:2128 #2: 0000000098c0a661 ((&sp->resync_t)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:168 [inline] #2: 0000000098c0a661 ((&sp->resync_t)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1316 Preemption disabled at: [] __do_softirq+0xf3/0x921 kernel/softirq.c:269 CPU: 1 PID: 9718 Comm: kworker/u4:6 Not tainted 4.19.100-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_nc_worker Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 ___might_sleep.cold+0x1bd/0x1f6 kernel/sched/core.c:6192 __might_sleep+0x95/0x190 kernel/sched/core.c:6145 __mutex_lock_common kernel/locking/mutex.c:908 [inline] __mutex_lock+0xc8/0x1300 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 tpk_write+0x5d/0x340 drivers/char/ttyprintk.c:123 resync_tnc+0x1b6/0x320 drivers/net/hamradio/6pack.c:522 call_timer_fn+0x18d/0x720 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers kernel/time/timer.c:1684 [inline] __run_timers kernel/time/timer.c:1652 [inline] run_timer_softirq+0x64f/0x16a0 kernel/time/timer.c:1697 __do_softirq+0x25c/0x921 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x180/0x1d0 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1094 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:893 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline] RIP: 0010:lock_release+0x47a/0xa30 kernel/locking/lockdep.c:3925 Code: 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 0f 85 a7 03 00 00 48 83 3d 0d 21 a0 07 00 0f 84 65 02 00 00 48 8b bd 68 ff ff ff 57 9d <0f> 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 RSP: 0018:ffff8880419afc18 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: 1ffffffff11e4ae9 RBX: 1ffff11008335f89 RCX: 1ffff1101523f98e RDX: dffffc0000000000 RSI: 0000000000000003 RDI: 0000000000000286 RBP: ffff8880419afcd0 R08: ffff8880a91fc400 R09: 0000000000000002 R10: ffffed1015d24732 R11: ffff8880ae923993 R12: ffff8880a91fc400 R13: ffffffff873815ea R14: 0000000000000003 R15: ffff8880419afca8 rcu_lock_release include/linux/rcupdate.h:247 [inline] rcu_read_unlock include/linux/rcupdate.h:681 [inline] batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:423 [inline] batadv_nc_worker+0x225/0x760 net/batman-adv/network-coding.c:730 process_one_work+0x989/0x1750 kernel/workqueue.c:2153 worker_thread+0x98/0xe40 kernel/workqueue.c:2296 kthread+0x354/0x420 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 ================================ WARNING: inconsistent lock state 4.19.100-syzkaller #0 Tainted: G W -------------------------------- inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. kworker/u4:6/9718 [HC0[0]:SC1[1]:HE1:SE0] takes: 000000002d7ed59c (&tpk_port.port_write_mutex){+.?.}, at: tpk_write+0x5d/0x340 drivers/char/ttyprintk.c:123 {SOFTIRQ-ON-W} state was registered at: lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903 __mutex_lock_common kernel/locking/mutex.c:925 [inline] __mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 tpk_close+0x50/0x95 drivers/char/ttyprintk.c:104 tty_release+0x3ba/0xe90 drivers/tty/tty_io.c:1678 __fput+0x2dd/0x8b0 fs/file_table.c:278 ____fput+0x16/0x20 fs/file_table.c:309 task_work_run+0x145/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:193 [inline] exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:167 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline] syscall_return_slowpath arch/x86/entry/common.c:271 [inline] do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe irq event stamp: 4898360 hardirqs last enabled at (4898360): [] trace_hardirqs_on_thunk+0x1a/0x1c hardirqs last disabled at (4898359): [] trace_hardirqs_off_thunk+0x1a/0x1c softirqs last enabled at (4898242): [] spin_unlock_bh include/linux/spinlock.h:374 [inline] softirqs last enabled at (4898242): [] batadv_nc_purge_paths+0x28f/0x3a0 net/batman-adv/network-coding.c:482 softirqs last disabled at (4898249): [] invoke_softirq kernel/softirq.c:372 [inline] softirqs last disabled at (4898249): [] irq_exit+0x180/0x1d0 kernel/softirq.c:412 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&tpk_port.port_write_mutex); lock(&tpk_port.port_write_mutex); *** DEADLOCK *** 3 locks held by kworker/u4:6/9718: #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: __write_once_size include/linux/compiler.h:220 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:59 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline] #0: 00000000b633f07b ((wq_completion)"%s""bat_events"){+.+.}, at: process_one_work+0x87e/0x1750 kernel/workqueue.c:2124 #1: 00000000dba18768 ((work_completion)(&(&bat_priv->nc.work)->work)){+.+.}, at: process_one_work+0x8b4/0x1750 kernel/workqueue.c:2128 #2: 0000000098c0a661 ((&sp->resync_t)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:168 [inline] #2: 0000000098c0a661 ((&sp->resync_t)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1316 stack backtrace: CPU: 1 PID: 9718 Comm: kworker/u4:6 Tainted: G W 4.19.100-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_nc_worker Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_usage_bug.cold+0x330/0x42a kernel/locking/lockdep.c:2540 valid_state kernel/locking/lockdep.c:2553 [inline] mark_lock_irq kernel/locking/lockdep.c:2747 [inline] mark_lock+0xd1b/0x1370 kernel/locking/lockdep.c:3127 mark_irqflags kernel/locking/lockdep.c:3005 [inline] __lock_acquire+0xc62/0x49c0 kernel/locking/lockdep.c:3368 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903 __mutex_lock_common kernel/locking/mutex.c:925 [inline] __mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 tpk_write+0x5d/0x340 drivers/char/ttyprintk.c:123 resync_tnc+0x1b6/0x320 drivers/net/hamradio/6pack.c:522 call_timer_fn+0x18d/0x720 kernel/time/timer.c:1326 audit: type=1800 audit(1580465329.859:335): pid=13432 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed comm="syz-executor.1" name="bus" dev="sda1" ino=16947 res=0 expire_timers kernel/time/timer.c:1363 [inline] __run_timers kernel/time/timer.c:1684 [inline] __run_timers kernel/time/timer.c:1652 [inline] run_timer_softirq+0x64f/0x16a0 kernel/time/timer.c:1697 audit: type=1800 audit(1580465329.899:336): pid=13434 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed comm="syz-executor.1" name="bus" dev="sda1" ino=16947 res=0 __do_softirq+0x25c/0x921 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x180/0x1d0 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1094 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:893 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline] RIP: 0010:lock_release+0x47a/0xa30 kernel/locking/lockdep.c:3925 Code: 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 0f 85 a7 03 00 00 48 83 3d 0d 21 a0 07 00 0f 84 65 02 00 00 48 8b bd 68 ff ff ff 57 9d <0f> 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 RSP: 0018:ffff8880419afc18 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: 1ffffffff11e4ae9 RBX: 1ffff11008335f89 RCX: 1ffff1101523f98e RDX: dffffc0000000000 RSI: 0000000000000003 RDI: 0000000000000286 RBP: ffff8880419afcd0 R08: ffff8880a91fc400 R09: 0000000000000002 R10: ffffed1015d24732 R11: ffff8880ae923993 R12: ffff8880a91fc400 R13: ffffffff873815ea R14: 0000000000000003 R15: ffff8880419afca8 rcu_lock_release include/linux/rcupdate.h:247 [inline] rcu_read_unlock include/linux/rcupdate.h:681 [inline] batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:423 [inline] batadv_nc_worker+0x225/0x760 net/batman-adv/network-coding.c:730 process_one_work+0x989/0x1750 kernel/workqueue.c:2153 worker_thread+0x98/0xe40 kernel/workqueue.c:2296 kthread+0x354/0x420 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 audit: type=1800 audit(1580465330.949:337): pid=13456 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed comm="syz-executor.0" name="bus" dev="sda1" ino=17014 res=0 audit: type=1800 audit(1580465331.189:338): pid=13491 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed comm="syz-executor.3" name="bus" dev="sda1" ino=17020 res=0 BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 in_atomic(): 1, irqs_disabled(): 0, pid: 13883, name: syz-executor.5 INFO: lockdep is turned off. Preemption disabled at: [] kmap_atomic include/linux/highmem.h:69 [inline] [] clear_user_highpage include/linux/highmem.h:136 [inline] [] clear_subpage+0x23/0x110 mm/memory.c:4715 CPU: 1 PID: 13883 Comm: syz-executor.5 Tainted: G W 4.19.100-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 ___might_sleep.cold+0x1bd/0x1f6 kernel/sched/core.c:6192 __might_sleep+0x95/0x190 kernel/sched/core.c:6145 __mutex_lock_common kernel/locking/mutex.c:908 [inline] __mutex_lock+0xc8/0x1300 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 tpk_write+0x5d/0x340 drivers/char/ttyprintk.c:123 resync_tnc+0x1b6/0x320 drivers/net/hamradio/6pack.c:522 call_timer_fn+0x18d/0x720 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers kernel/time/timer.c:1684 [inline] __run_timers kernel/time/timer.c:1652 [inline] run_timer_softirq+0x64f/0x16a0 kernel/time/timer.c:1697 __do_softirq+0x25c/0x921 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x180/0x1d0 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1094 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:893 RIP: 0010:clear_page_erms+0x7/0x10 arch/x86/lib/clear_page_64.S:48 Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 aa c3 90 90 90 90 90 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 RSP: 0000:ffff88804ac0fb10 EFLAGS: 00010246 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000000 RBX: ffff888000000000 RCX: 00000000000002c0 RDX: 1ffff11013d002b5 RSI: ffffffff8194b416 RDI: ffff888028631d40 RBP: ffff88804ac0fb28 R08: ffff88809e800280 R09: 0000000000000000 R10: 00000000de36da84 R11: 0000000063cde82d R12: ffff88809e800280 R13: 0000000000000031 R14: 0000000000000000 R15: 0000000000000000 process_huge_page mm/memory.c:4669 [inline] clear_huge_page+0xb5/0x4d0 mm/memory.c:4729 __do_huge_pmd_anonymous_page mm/huge_memory.c:588 [inline] do_huge_pmd_anonymous_page+0x757/0x14e0 mm/huge_memory.c:746 create_huge_pmd mm/memory.c:3932 [inline] __handle_mm_fault+0x2c80/0x3f80 mm/memory.c:4136 handle_mm_fault+0x1b5/0x690 mm/memory.c:4202 __do_page_fault+0x62a/0xe90 arch/x86/mm/fault.c:1390 do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1465 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1204 RIP: 0033:0x442591 Code: 8d 15 13 f9 0a 00 8b 0c 8a 8b 04 82 29 c8 c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 fa 20 48 89 f8 73 77 f6 c2 01 74 0b 0f b6 0e <88> 0f 48 ff c6 48 ff c7 f6 c2 02 74 12 0f b7 0e 66 89 0f 48 83 c6 RSP: 002b:00007ffd45d94718 EFLAGS: 00010202 RAX: 0000000020000640 RBX: 0000000000000000 RCX: 000000000000002f RDX: 000000000000000b RSI: 0000000000760020 RDI: 0000000020000640 RBP: 0000000000760000 R08: 0000000000000000 R09: 0000000000000004 R10: 0000000000000075 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd45d94900 R14: 0000000000760008 R15: 00007ffd45d94910