BUG: sleeping function called from invalid context at ./include/linux/percpu-rwsem.h:34 in_atomic(): 1, irqs_disabled(): 0, pid: 29044, name: syz-executor2 2 locks held by syz-executor2/29044: #0: (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: [<00000000222e7cc3>] xfrm_netlink_rcv+0x60/0x90 net/xfrm/xfrm_user.c:2598 #1: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000f9951d29>] spin_lock_bh include/linux/spinlock.h:315 [inline] #1: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000f9951d29>] xfrm_policy_flush+0x424/0x770 net/xfrm/xfrm_policy.c:951 CPU: 0 PID: 29044 Comm: syz-executor2 Not tainted 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060 __might_sleep+0x95/0x190 kernel/sched/core.c:6013 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:34 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x1c/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 xfrm_policy_flush+0x650/0x770 net/xfrm/xfrm_policy.c:978 xfrm_flush_policy+0x153/0x440 net/xfrm/xfrm_user.c:2061 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007f4d17243c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9 RDX: 0000000000000000 RSI: 0000000020007fc8 RDI: 0000000000000013 RBP: 0000000000000587 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6548 R13: 00000000ffffffff R14: 00007f4d172446d4 R15: 0000000000000000 ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 4.15.0-rc5+ #177 Tainted: G W ----------------------------------------------------- syz-executor2/29044 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire: (cpu_hotplug_lock.rw_sem){++++}, at: [<00000000368eaf70>] get_online_cpus include/linux/cpu.h:117 [inline] (cpu_hotplug_lock.rw_sem){++++}, at: [<00000000368eaf70>] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 and this task is already holding: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000f9951d29>] spin_lock_bh include/linux/spinlock.h:315 [inline] (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000f9951d29>] xfrm_policy_flush+0x424/0x770 net/xfrm/xfrm_policy.c:951 which would create a new lock dependency: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...} -> (cpu_hotplug_lock.rw_sem){++++} but this new dependency connects a SOFTIRQ-irq-safe lock: (slock-AF_INET6/1){+.-.} ... which became SOFTIRQ-irq-safe at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 _raw_spin_lock_nested+0x28/0x40 kernel/locking/spinlock.c:354 tcp_v6_rcv+0x1f6e/0x2b60 net/ipv6/tcp_ipv6.c:1516 ip6_input_finish+0x37e/0x17a0 net/ipv6/ip6_input.c:284 NF_HOOK include/linux/netfilter.h:250 [inline] ip6_input+0xe9/0x560 net/ipv6/ip6_input.c:327 dst_input include/net/dst.h:449 [inline] ip6_rcv_finish+0x1a9/0x7a0 net/ipv6/ip6_input.c:71 NF_HOOK include/linux/netfilter.h:250 [inline] ipv6_rcv+0xf37/0x1fa0 net/ipv6/ip6_input.c:208 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4499 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4564 process_backlog+0x203/0x740 net/core/dev.c:5244 napi_poll net/core/dev.c:5642 [inline] net_rx_action+0x792/0x1910 net/core/dev.c:5708 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1115 do_softirq.part.21+0x14d/0x190 kernel/softirq.c:329 do_softirq kernel/softirq.c:177 [inline] __local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline] ip6_finish_output2+0xba0/0x23a0 net/ipv6/ip6_output.c:121 ip6_finish_output+0x698/0xaf0 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1eb/0x840 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:443 [inline] NF_HOOK include/linux/netfilter.h:250 [inline] ip6_xmit+0xd84/0x2090 net/ipv6/ip6_output.c:277 inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139 tcp_transmit_skb+0x1b1b/0x38c0 net/ipv4/tcp_output.c:1176 tcp_send_syn_data net/ipv4/tcp_output.c:3430 [inline] tcp_connect+0x1c7f/0x4090 net/ipv4/tcp_output.c:3495 tcp_v6_connect+0x1dc1/0x22e0 net/ipv6/tcp_ipv6.c:307 __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620 tcp_sendmsg_fastopen net/ipv4/tcp.c:1168 [inline] tcp_sendmsg_locked+0x264e/0x3c70 net/ipv4/tcp.c:1214 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1463 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 SYSC_sendto+0x361/0x5c0 net/socket.c:1719 SyS_sendto+0x40/0x50 net/socket.c:1687 entry_SYSCALL_64_fastpath+0x23/0x9a to a SOFTIRQ-irq-unsafe lock: (cpu_hotplug_lock.rw_sem){++++} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 down_write+0x87/0x120 kernel/locking/rwsem.c:70 percpu_down_write+0xa3/0x500 kernel/locking/percpu-rwsem.c:145 cpus_write_lock kernel/cpu.c:305 [inline] _cpu_up+0x60/0x510 kernel/cpu.c:990 do_cpu_up+0x73/0xa0 kernel/cpu.c:1066 cpu_up+0x18/0x20 kernel/cpu.c:1074 smp_init+0x13a/0x152 kernel/smp.c:578 kernel_init_freeable+0x2fe/0x521 init/main.c:1064 kernel_init+0x13/0x172 init/main.c:996 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515 other info that might help us debug this: Chain exists of: slock-AF_INET6/1 --> &(&net->xfrm.xfrm_policy_lock)->rlock --> cpu_hotplug_lock.rw_sem Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(cpu_hotplug_lock.rw_sem); local_irq_disable(); lock(slock-AF_INET6/1); lock(&(&net->xfrm.xfrm_policy_lock)->rlock); lock(slock-AF_INET6/1); *** DEADLOCK *** 2 locks held by syz-executor2/29044: #0: (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: [<00000000222e7cc3>] xfrm_netlink_rcv+0x60/0x90 net/xfrm/xfrm_user.c:2598 #1: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000f9951d29>] spin_lock_bh include/linux/spinlock.h:315 [inline] #1: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...}, at: [<00000000f9951d29>] xfrm_policy_flush+0x424/0x770 net/xfrm/xfrm_policy.c:951 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (slock-AF_INET6/1){+.-.} ops: 5393 { HARDIRQ-ON-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 _raw_spin_lock_nested+0x28/0x40 kernel/locking/spinlock.c:354 sctp_close+0x454/0x9a0 net/sctp/socket.c:1596 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:427 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432 sock_release+0x8d/0x1e0 net/socket.c:593 sock_close+0x16/0x20 net/socket.c:1121 __fput+0x327/0x7e0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x9bb/0x1ad0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x73f/0x16c0 kernel/signal.c:2335 do_signal+0x90/0x1eb0 arch/x86/kernel/signal.c:809 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264 entry_SYSCALL_64_fastpath+0x98/0x9a IN-SOFTIRQ-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 _raw_spin_lock_nested+0x28/0x40 kernel/locking/spinlock.c:354 tcp_v6_rcv+0x1f6e/0x2b60 net/ipv6/tcp_ipv6.c:1516 ip6_input_finish+0x37e/0x17a0 net/ipv6/ip6_input.c:284 NF_HOOK include/linux/netfilter.h:250 [inline] ip6_input+0xe9/0x560 net/ipv6/ip6_input.c:327 dst_input include/net/dst.h:449 [inline] ip6_rcv_finish+0x1a9/0x7a0 net/ipv6/ip6_input.c:71 NF_HOOK include/linux/netfilter.h:250 [inline] ipv6_rcv+0xf37/0x1fa0 net/ipv6/ip6_input.c:208 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4499 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4564 process_backlog+0x203/0x740 net/core/dev.c:5244 napi_poll net/core/dev.c:5642 [inline] net_rx_action+0x792/0x1910 net/core/dev.c:5708 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1115 do_softirq.part.21+0x14d/0x190 kernel/softirq.c:329 do_softirq kernel/softirq.c:177 [inline] __local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline] ip6_finish_output2+0xba0/0x23a0 net/ipv6/ip6_output.c:121 ip6_finish_output+0x698/0xaf0 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1eb/0x840 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:443 [inline] NF_HOOK include/linux/netfilter.h:250 [inline] ip6_xmit+0xd84/0x2090 net/ipv6/ip6_output.c:277 inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139 tcp_transmit_skb+0x1b1b/0x38c0 net/ipv4/tcp_output.c:1176 tcp_send_syn_data net/ipv4/tcp_output.c:3430 [inline] tcp_connect+0x1c7f/0x4090 net/ipv4/tcp_output.c:3495 tcp_v6_connect+0x1dc1/0x22e0 net/ipv6/tcp_ipv6.c:307 __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620 tcp_sendmsg_fastopen net/ipv4/tcp.c:1168 [inline] tcp_sendmsg_locked+0x264e/0x3c70 net/ipv4/tcp.c:1214 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1463 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 SYSC_sendto+0x361/0x5c0 net/socket.c:1719 SyS_sendto+0x40/0x50 net/socket.c:1687 entry_SYSCALL_64_fastpath+0x23/0x9a INITIAL USE at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 _raw_spin_lock_nested+0x28/0x40 kernel/locking/spinlock.c:354 sctp_close+0x454/0x9a0 net/sctp/socket.c:1596 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:427 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432 sock_release+0x8d/0x1e0 net/socket.c:593 sock_close+0x16/0x20 net/socket.c:1121 __fput+0x327/0x7e0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x9bb/0x1ad0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x73f/0x16c0 kernel/signal.c:2335 do_signal+0x90/0x1eb0 arch/x86/kernel/signal.c:809 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264 entry_SYSCALL_64_fastpath+0x98/0x9a } ... key at: [<000000000c2d8dc8>] af_family_slock_keys+0x51/0x180 ... acquired at: __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:315 [inline] xfrm_policy_delete+0x3e/0x90 net/xfrm/xfrm_policy.c:1247 xfrm_sk_free_policy include/net/xfrm.h:1261 [inline] sk_common_release+0x210/0x2f0 net/core/sock.c:3025 sctp_close+0x464/0x9a0 net/sctp/socket.c:1602 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:427 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432 sock_release+0x8d/0x1e0 net/socket.c:593 sock_close+0x16/0x20 net/socket.c:1121 __fput+0x327/0x7e0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x9bb/0x1ad0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x73f/0x16c0 kernel/signal.c:2335 do_signal+0x90/0x1eb0 arch/x86/kernel/signal.c:809 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264 entry_SYSCALL_64_fastpath+0x98/0x9a -> (&(&net->xfrm.xfrm_policy_lock)->rlock){+...} ops: 909 { HARDIRQ-ON-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:315 [inline] xfrm_sk_policy_insert+0xef/0x580 net/xfrm/xfrm_policy.c:1268 xfrm_user_policy+0x525/0x8c0 net/xfrm/xfrm_state.c:2077 do_ip_setsockopt.isra.12+0xfd9/0x3160 net/ipv4/ip_sockglue.c:1161 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1248 raw_setsockopt+0xb7/0xd0 net/ipv4/raw.c:855 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978 SYSC_setsockopt net/socket.c:1821 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1800 entry_SYSCALL_64_fastpath+0x23/0x9a INITIAL USE at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:315 [inline] xfrm_sk_policy_insert+0xef/0x580 net/xfrm/xfrm_policy.c:1268 xfrm_user_policy+0x525/0x8c0 net/xfrm/xfrm_state.c:2077 do_ip_setsockopt.isra.12+0xfd9/0x3160 net/ipv4/ip_sockglue.c:1161 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1248 raw_setsockopt+0xb7/0xd0 net/ipv4/raw.c:855 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978 SYSC_setsockopt net/socket.c:1821 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1800 entry_SYSCALL_64_fastpath+0x23/0x9a } ... key at: [<000000008c2dba78>] __key.66927+0x0/0x40 ... acquired at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 xfrm_policy_flush+0x650/0x770 net/xfrm/xfrm_policy.c:978 xfrm_flush_policy+0x153/0x440 net/xfrm/xfrm_user.c:2061 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock: -> (cpu_hotplug_lock.rw_sem){++++} ops: 1907 { HARDIRQ-ON-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 down_write+0x87/0x120 kernel/locking/rwsem.c:70 percpu_down_write+0xa3/0x500 kernel/locking/percpu-rwsem.c:145 cpus_write_lock kernel/cpu.c:305 [inline] _cpu_up+0x60/0x510 kernel/cpu.c:990 do_cpu_up+0x73/0xa0 kernel/cpu.c:1066 cpu_up+0x18/0x20 kernel/cpu.c:1074 smp_init+0x13a/0x152 kernel/smp.c:578 kernel_init_freeable+0x2fe/0x521 init/main.c:1064 kernel_init+0x13/0x172 init/main.c:996 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515 HARDIRQ-ON-R at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] kmem_cache_create+0x26/0x2a0 mm/slab_common.c:440 debug_objects_mem_init+0xda/0x910 lib/debugobjects.c:1139 start_kernel+0x6dd/0x819 init/main.c:671 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 SOFTIRQ-ON-W at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 down_write+0x87/0x120 kernel/locking/rwsem.c:70 percpu_down_write+0xa3/0x500 kernel/locking/percpu-rwsem.c:145 cpus_write_lock kernel/cpu.c:305 [inline] _cpu_up+0x60/0x510 kernel/cpu.c:990 do_cpu_up+0x73/0xa0 kernel/cpu.c:1066 cpu_up+0x18/0x20 kernel/cpu.c:1074 smp_init+0x13a/0x152 kernel/smp.c:578 kernel_init_freeable+0x2fe/0x521 init/main.c:1064 kernel_init+0x13/0x172 init/main.c:996 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515 SOFTIRQ-ON-R at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] kmem_cache_create+0x26/0x2a0 mm/slab_common.c:440 debug_objects_mem_init+0xda/0x910 lib/debugobjects.c:1139 start_kernel+0x6dd/0x819 init/main.c:671 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 INITIAL USE at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock kernel/cpu.c:293 [inline] __cpuhp_setup_state+0x60/0x140 kernel/cpu.c:1670 cpuhp_setup_state_nocalls include/linux/cpuhotplug.h:229 [inline] kvm_guest_init+0x1f3/0x20f arch/x86/kernel/kvm.c:528 setup_arch+0x17e8/0x1a02 arch/x86/kernel/setup.c:1266 start_kernel+0xcd/0x819 init/main.c:532 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 } ... key at: [<00000000c16b9780>] cpu_hotplug_lock+0xd8/0x140 ... acquired at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 xfrm_policy_flush+0x650/0x770 net/xfrm/xfrm_policy.c:978 xfrm_flush_policy+0x153/0x440 net/xfrm/xfrm_user.c:2061 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a stack backtrace: CPU: 0 PID: 29044 Comm: syz-executor2 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_bad_irq_dependency kernel/locking/lockdep.c:1565 [inline] check_usage+0xad0/0xb60 kernel/locking/lockdep.c:1597 check_irq_usage kernel/locking/lockdep.c:1653 [inline] check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline] check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1971 [inline] validate_chain kernel/locking/lockdep.c:2412 [inline] __lock_acquire+0x2bd1/0x3e00 kernel/locking/lockdep.c:3426 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] xfrm_policy_cache_flush+0x1d0/0x710 net/xfrm/xfrm_policy.c:1767 xfrm_policy_flush+0x650/0x770 net/xfrm/xfrm_policy.c:978 xfrm_flush_policy+0x153/0x440 net/xfrm/xfrm_user.c:2061 xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591 netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline] netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2018 __sys_sendmsg+0xe5/0x210 net/socket.c:2052 SYSC_sendmsg net/socket.c:2063 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2059 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007f4d17243c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9 RDX: 0000000000000000 RSI: 0000000020007fc8 RDI: 0000000000000013 RBP: 0000000000000587 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6548 R13: 00000000ffffffff R14: 00007f4d172446d4 R15: 0000000000000000 netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. nla_parse: 136 callbacks suppressed netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 30037 Comm: syz-executor3 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3542 anon_vma_chain_alloc mm/rmap.c:128 [inline] __anon_vma_prepare+0xbc/0x6b0 mm/rmap.c:182 anon_vma_prepare include/linux/rmap.h:153 [inline] do_huge_pmd_anonymous_page+0x1127/0x1b00 mm/huge_memory.c:678 create_huge_pmd mm/memory.c:3828 [inline] __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4032 handle_mm_fault+0x334/0x8d0 mm/memory.c:4098 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1225 RIP: 0010:__put_user_4+0x1c/0x30 arch/x86/lib/putuser.S:68 RSP: 0018:ffff8801bcc57e50 EFLAGS: 00010293 RAX: 0000000000000014 RBX: 00007fffffffeffd RCX: 00000000207ccff8 RDX: 0000000000000044 RSI: ffffc9000248a000 RDI: 0000000000000282 RBP: ffff8801bcc57f48 R08: 0000000000000000 R09: 1ffff1003798afa7 R10: ffff8801bcc57d00 R11: ffff8801cf0c2788 R12: 1ffff1003798afd0 R13: 0000000000000014 R14: 0000000000000005 R15: 0000000000000015 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007fa015eefc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000035 RAX: ffffffffffffffda RBX: 00007fa015eefaa0 RCX: 0000000000452ac9 RDX: 0000000000000084 RSI: 0000000000000005 RDI: 000000000000000a RBP: 00007fa015eefa90 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000207ccff8 R11: 0000000000000212 R12: 00000000004b767a R13: 00007fa015eefbc8 R14: 00000000004b767a R15: 0000000000000000 CPU: 1 PID: 30066 Comm: syz-executor7 Tainted: G W 4.15.0-rc5+ #177 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3542 anon_vma_chain_alloc mm/rmap.c:128 [inline] __anon_vma_prepare+0xbc/0x6b0 mm/rmap.c:182 anon_vma_prepare include/linux/rmap.h:153 [inline] do_huge_pmd_anonymous_page+0x1127/0x1b00 mm/huge_memory.c:678 create_huge_pmd mm/memory.c:3828 [inline] __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4032 handle_mm_fault+0x334/0x8d0 mm/memory.c:4098 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1225 RIP: 0010:__put_user_4+0x1c/0x30 arch/x86/lib/putuser.S:68 RSP: 0018:ffff8801d0377e50 EFLAGS: 00010293 RAX: 0000000000000014 RBX: 00007fffffffeffd RCX: 00000000207ccff8 RDX: 0000000000000044 RSI: ffffc900018f3000 RDI: 0000000000000282 RBP: ffff8801d0377f48 R08: 0000000000000000 R09: 1ffff1003a06efa7 R10: ffff8801d0377d00 R11: ffff8801cf41f448 R12: 1ffff1003a06efd0 R13: 0000000000000014 R14: 0000000000000005 R15: 0000000000000015 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x452ac9 RSP: 002b:00007fc17e298c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000035 RAX: ffffffffffffffda RBX: 00007fc17e298aa0 RCX: 0000000000452ac9 RDX: 0000000000000084 RSI: 0000000000000005 RDI: 000000000000000a RBP: 00007fc17e298a90 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000207ccff8 R11: 0000000000000212 R12: 00000000004b767a R13: 00007fc17e298bc8 R14: 00000000004b767a R15: 0000000000000000 nla_parse: 251 callbacks suppressed netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.