BUG: sleeping function called from invalid context at kernel/workqueue.c:3010
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 28921, name: syz-executor.4
preempt_count: 102, expected: 0
RCU nest depth: 2, expected: 0
4 locks held by syz-executor.4/28921:
 #0: ffff88801b38ee10 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:761 [inline]
 #0: ffff88801b38ee10 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: __sock_release+0x86/0x280 net/socket.c:649
 #1: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: __skb_unlink include/linux/skbuff.h:2292 [inline]
 #1: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: __skb_dequeue include/linux/skbuff.h:2307 [inline]
 #1: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: process_backlog+0x34b/0x7c0 net/core/dev.c:5920
 #2: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: __skb_pull include/linux/skbuff.h:2542 [inline]
 #2: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0x206/0x4c0 net/ipv4/ip_input.c:230
 #3: ffff888074e0d4b0 (slock-AF_INET/1){+.-.}-{2:2}, at: tcp_v4_rcv+0x31a9/0x3930 net/ipv4/tcp_ipv4.c:2072
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 28921 Comm: syz-executor.4 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9859
 start_flush_work kernel/workqueue.c:3010 [inline]
 __flush_work+0x109/0xb10 kernel/workqueue.c:3074
 __cancel_work_timer+0x3f9/0x570 kernel/workqueue.c:3162
 sk_psock_stop+0x4cb/0x630 net/core/skmsg.c:810
 sock_map_destroy+0x333/0x760 net/core/sock_map.c:1581
 inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1011
 tcp_done+0x23b/0x340 net/ipv4/tcp.c:4572
 tcp_rcv_state_process+0x1b34/0x4eb0 net/ipv4/tcp_input.c:6612
 tcp_v4_do_rcv+0x339/0x9b0 net/ipv4/tcp_ipv4.c:1682
 tcp_v4_rcv+0x3436/0x3930 net/ipv4/tcp_ipv4.c:2076
 ip_protocol_deliver_rcu+0xa3/0x7c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2e8/0x4c0 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x1aa/0x200 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish+0x1cb/0x2f0 net/ipv4/ip_input.c:437
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:557
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5480
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5594
 process_backlog+0x3a0/0x7c0 net/core/dev.c:5922
 __napi_poll+0xb3/0x6d0 net/core/dev.c:6506
 napi_poll net/core/dev.c:6573 [inline]
 net_rx_action+0x9c1/0xd90 net/core/dev.c:6684
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:571
 do_softirq.part.0+0xde/0x130 kernel/softirq.c:472
 </IRQ>
 <TASK>
 do_softirq kernel/softirq.c:464 [inline]
 __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:396
 tcp_close+0x38/0xc0 net/ipv4/tcp.c:2976
 sock_map_close+0x3b9/0x780 net/core/sock_map.c:1607
 inet_release+0x12e/0x270 net/ipv4/af_inet.c:428
 __sock_release+0xcd/0x280 net/socket.c:650
 sock_close+0x18/0x20 net/socket.c:1365
 __fput+0x277/0x9d0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 get_signal+0x1c5/0x2600 kernel/signal.c:2634
 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f1572e89109

================================
WARNING: inconsistent lock state
5.19.0-rc4-next-20220628-syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor.4/28921 [HC0[0]:SC1[1]:HE0:SE0] takes:
ffffffff8bebb5f8 (vmap_area_lock){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:360 [inline]
ffffffff8bebb5f8 (vmap_area_lock){+.?.}-{2:2}, at: find_vmap_area+0x1c/0x130 mm/vmalloc.c:1836
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire kernel/locking/lockdep.c:5665 [inline]
  lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:360 [inline]
  alloc_vmap_area+0xa0b/0x1d30 mm/vmalloc.c:1617
  __get_vm_area_node+0x142/0x3f0 mm/vmalloc.c:2484
  get_vm_area_caller+0x43/0x50 mm/vmalloc.c:2537
  __ioremap_caller.constprop.0+0x292/0x600 arch/x86/mm/ioremap.c:280
  acpi_os_ioremap include/acpi/acpi_io.h:13 [inline]
  acpi_map drivers/acpi/osl.c:296 [inline]
  acpi_os_map_iomem+0x463/0x550 drivers/acpi/osl.c:355
  acpi_tb_acquire_table+0xd8/0x209 drivers/acpi/acpica/tbdata.c:142
  acpi_tb_validate_table drivers/acpi/acpica/tbdata.c:317 [inline]
  acpi_tb_validate_table+0x50/0x8c drivers/acpi/acpica/tbdata.c:308
  acpi_tb_verify_temp_table+0x84/0x674 drivers/acpi/acpica/tbdata.c:504
  acpi_reallocate_root_table+0x374/0x3e0 drivers/acpi/acpica/tbxface.c:180
  acpi_early_init+0x13a/0x438 drivers/acpi/bus.c:1213
  start_kernel+0x3d4/0x494 init/main.c:1103
  secondary_startup_64_no_verify+0xce/0xdb
irq event stamp: 59239
hardirqs last  enabled at (59238): [<ffffffff81609c0e>] __up_console_sem+0xae/0xc0 kernel/printk/printk.c:264
hardirqs last disabled at (59239): [<ffffffff89452d2c>] dump_stack_lvl+0x2e/0x134 lib/dump_stack.c:105
softirqs last  enabled at (58916): [<ffffffff87db3ec8>] tcp_close+0x38/0xc0 net/ipv4/tcp.c:2976
softirqs last disabled at (58917): [<ffffffff814896fe>] do_softirq.part.0+0xde/0x130 kernel/softirq.c:472

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(vmap_area_lock);
  <Interrupt>
    lock(vmap_area_lock);

 *** DEADLOCK ***

4 locks held by syz-executor.4/28921:
 #0: ffff88801b38ee10 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:761 [inline]
 #0: ffff88801b38ee10 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: __sock_release+0x86/0x280 net/socket.c:649
 #1: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: __skb_unlink include/linux/skbuff.h:2292 [inline]
 #1: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: __skb_dequeue include/linux/skbuff.h:2307 [inline]
 #1: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: process_backlog+0x34b/0x7c0 net/core/dev.c:5920
 #2: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: __skb_pull include/linux/skbuff.h:2542 [inline]
 #2: ffffffff8bd87040 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0x206/0x4c0 net/ipv4/ip_input.c:230
 #3: ffff888074e0d4b0 (slock-AF_INET/1){+.-.}-{2:2}, at: tcp_v4_rcv+0x31a9/0x3930 net/ipv4/tcp_ipv4.c:2072

stack backtrace:
CPU: 0 PID: 28921 Comm: syz-executor.4 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_usage_bug kernel/locking/lockdep.c:3961 [inline]
 valid_state kernel/locking/lockdep.c:3973 [inline]
 mark_lock_irq kernel/locking/lockdep.c:4176 [inline]
 mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632
 mark_lock kernel/locking/lockdep.c:4596 [inline]
 mark_usage kernel/locking/lockdep.c:4527 [inline]
 __lock_acquire+0x11e7/0x5660 kernel/locking/lockdep.c:5007
 lock_acquire kernel/locking/lockdep.c:5665 [inline]
 lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:360 [inline]
 find_vmap_area+0x1c/0x130 mm/vmalloc.c:1836
 check_heap_object mm/usercopy.c:176 [inline]
 __check_object_size mm/usercopy.c:250 [inline]
 __check_object_size+0x1f8/0x700 mm/usercopy.c:212
 check_object_size include/linux/thread_info.h:199 [inline]
 __copy_from_user_inatomic include/linux/uaccess.h:62 [inline]
 copy_from_user_nmi arch/x86/lib/usercopy.c:47 [inline]
 copy_from_user_nmi+0xcb/0x130 arch/x86/lib/usercopy.c:31
 copy_code arch/x86/kernel/dumpstack.c:91 [inline]
 show_opcodes+0x59/0xb0 arch/x86/kernel/dumpstack.c:121
 show_iret_regs+0xd/0x33 arch/x86/kernel/dumpstack.c:149
 __show_regs+0x1e/0x60 arch/x86/kernel/process_64.c:74
 show_trace_log_lvl+0x25b/0x2ba arch/x86/kernel/dumpstack.c:292
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9859
 start_flush_work kernel/workqueue.c:3010 [inline]
 __flush_work+0x109/0xb10 kernel/workqueue.c:3074
 __cancel_work_timer+0x3f9/0x570 kernel/workqueue.c:3162
 sk_psock_stop+0x4cb/0x630 net/core/skmsg.c:810
 sock_map_destroy+0x333/0x760 net/core/sock_map.c:1581
 inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1011
 tcp_done+0x23b/0x340 net/ipv4/tcp.c:4572
 tcp_rcv_state_process+0x1b34/0x4eb0 net/ipv4/tcp_input.c:6612
 tcp_v4_do_rcv+0x339/0x9b0 net/ipv4/tcp_ipv4.c:1682
 tcp_v4_rcv+0x3436/0x3930 net/ipv4/tcp_ipv4.c:2076
 ip_protocol_deliver_rcu+0xa3/0x7c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2e8/0x4c0 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x1aa/0x200 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish+0x1cb/0x2f0 net/ipv4/ip_input.c:437
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:557
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5480
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5594
 process_backlog+0x3a0/0x7c0 net/core/dev.c:5922
 __napi_poll+0xb3/0x6d0 net/core/dev.c:6506
 napi_poll net/core/dev.c:6573 [inline]
 net_rx_action+0x9c1/0xd90 net/core/dev.c:6684
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:571
 do_softirq.part.0+0xde/0x130 kernel/softirq.c:472
 </IRQ>
 <TASK>
 do_softirq kernel/softirq.c:464 [inline]
 __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:396
 tcp_close+0x38/0xc0 net/ipv4/tcp.c:2976
 sock_map_close+0x3b9/0x780 net/core/sock_map.c:1607
 inet_release+0x12e/0x270 net/ipv4/af_inet.c:428
 __sock_release+0xcd/0x280 net/socket.c:650
 sock_close+0x18/0x20 net/socket.c:1365
 __fput+0x277/0x9d0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 get_signal+0x1c5/0x2600 kernel/signal.c:2634
 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f1572e89109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1574056168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: 00000000009e675d RBX: 00007f1572f9c030 RCX: 00007f1572e89109
RDX: ffffffffffffff60 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007f1572ee305d R08: 0000000000000000 R09: 0000000000000f00
R10: 000000000000f401 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdb300afcf R14: 00007f1574056300 R15: 0000000000022000
 </TASK>
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1574056168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: 00000000009e675d RBX: 00007f1572f9c030 RCX: 00007f1572e89109
RDX: ffffffffffffff60 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007f1572ee305d R08: 0000000000000000 R09: 0000000000000f00
R10: 000000000000f401 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdb300afcf R14: 00007f1574056300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	ff c3                	inc    %ebx
   2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   9:	00 00 00
   c:	0f 1f 40 00          	nopl   0x0(%rax)
  10:	48 89 f8             	mov    %rdi,%rax
  13:	48 89 f7             	mov    %rsi,%rdi
  16:	48 89 d6             	mov    %rdx,%rsi
  19:	48 89 ca             	mov    %rcx,%rdx
  1c:	4d 89 c2             	mov    %r8,%r10
  1f:	4d 89 c8             	mov    %r9,%r8
  22:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  27:	0f 05                	syscall
* 29:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  2f:	73 01                	jae    0x32
  31:	c3                   	retq
  32:	48 c7 c1 b8 ff ff ff 	mov    $0xffffffffffffffb8,%rcx
  39:	f7 d8                	neg    %eax
  3b:	64 89 01             	mov    %eax,%fs:(%rcx)
  3e:	48                   	rex.W