BUG: sleeping function called from invalid context at mm/vmalloc.c:3409
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 21731, name: syz.4.3339
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by syz.4.3339/21731:
 #0: ffff88802a5e4428 (sb_writers#5){.+.+}-{0:0}, at: get_signal+0x22e3/0x26d0 kernel/signal.c:3019
 #1: ffff888053f44d20 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock_killable include/linux/mmap_lock.h:462 [inline]
 #1: ffff888053f44d20 (&mm->mmap_lock){++++}-{4:4}, at: dump_user_range+0x159/0xb70 fs/coredump.c:1352
 #2: ffff888013243ee0 (mapping.invalidate_lock#2){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:934 [inline]
 #2: ffff888013243ee0 (mapping.invalidate_lock#2){++++}-{4:4}, at: page_cache_ra_unbounded+0x173/0x7d0 mm/readahead.c:228
Preemption disabled at:
[] preempt_schedule_irq+0x41/0x90 kernel/sched/core.c:7286
CPU: 0 UID: 0 PID: 21731 Comm: syz.4.3339 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 __might_resched+0x3c0/0x5e0 kernel/sched/core.c:8957
 vfree+0x75/0xb50 mm/vmalloc.c:3409
 futex_hash_free+0x98/0xc0 kernel/futex/core.c:1742
 __mmdrop+0x33f/0x580 kernel/fork.c:692
 mmdrop include/linux/sched/mm.h:55 [inline]
 mmdrop_sched include/linux/sched/mm.h:83 [inline]
 mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline]
 finish_task_switch.isra.0+0x7a4/0xc10 kernel/sched/core.c:5250
 context_switch kernel/sched/core.c:5360 [inline]
 __schedule+0x1198/0x5de0 kernel/sched/core.c:6961
 preempt_schedule_irq+0x51/0x90 kernel/sched/core.c:7288
 irqentry_exit+0x36/0x90 kernel/entry/common.c:197
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:183 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x10/0x70 kernel/kcov.c:217
Code: 00 00 5b e9 e2 9e 25 03 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 34 24 65 48 8b 15 38 f5 1a 12 <65> 8b 05 49 f5 1a 12 a9 00 01 ff 00 74 1d f6 c4 01 74 43 a9 00 00
RSP: 0018:ffffc900035f6760 EFLAGS: 00000246
RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffff81f19290
RDX: ffff888022ee8000 RSI: ffffffff81f19525 RDI: 0000000000000005
RBP: 0000000000112cca R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffffea00009f2a00 R14: 0000000000000000 R15: 0000000000000308
 __filemap_add_folio+0x8d5/0x11e0 mm/filemap.c:869
 filemap_add_folio+0x10e/0x220 mm/filemap.c:969
 page_cache_ra_unbounded+0x337/0x7d0 mm/readahead.c:275
 do_page_cache_ra mm/readahead.c:327 [inline]
 page_cache_ra_order+0xa41/0xd70 mm/readahead.c:529
 page_cache_async_ra+0x69c/0xa00 mm/readahead.c:689
 do_async_mmap_readahead mm/filemap.c:3332 [inline]
 filemap_fault+0xd42/0x2930 mm/filemap.c:3431
 __do_fault+0x10d/0x490 mm/memory.c:5152
 do_read_fault mm/memory.c:5573 [inline]
 do_fault mm/memory.c:5707 [inline]
 do_pte_missing+0xf50/0x3ba0 mm/memory.c:4234
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault+0x152a/0x2a50 mm/memory.c:6195
 handle_mm_fault+0x589/0xd10 mm/memory.c:6364
 faultin_page mm/gup.c:1144 [inline]
 __get_user_pages+0x551/0x34a0 mm/gup.c:1446
 __get_user_pages_locked mm/gup.c:1712 [inline]
 get_dump_page+0x257/0x3d0 mm/gup.c:2212
 dump_user_range+0x195/0xb70 fs/coredump.c:1364
 elf_core_dump+0x2caa/0x4120 fs/binfmt_elf.c:2085
 coredump_write fs/coredump.c:1049 [inline]
 vfs_coredump+0x2b97/0x5670 fs/coredump.c:1168
 get_signal+0x22e3/0x26d0 kernel/signal.c:3019
 arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 __do_fast_syscall_32+0x2ac/0x3a0 arch/x86/entry/syscall_32.c:309
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf706e579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f545e61c EFLAGS: 00000246 ORIG_RAX: 00000000000000f0
RAX: 00000000000000f0 RBX: 00000000f7414f8c RCX: 0000000000000081
RDX: 00000000000f4240 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess):
   0:   00 00                   add    %al,(%rax)
   2:   5b                      pop    %rbx
   3:   e9 e2 9e 25 03          jmp    0x3259eea
   8:   66 90                   xchg   %ax,%ax
   a:   90                      nop
   b:   90                      nop
   c:   90                      nop
   d:   90                      nop
   e:   90                      nop
   f:   90                      nop
  10:   90                      nop
  11:   90                      nop
  12:   90                      nop
  13:   90                      nop
  14:   90                      nop
  15:   90                      nop
  16:   90                      nop
  17:   90                      nop
  18:   90                      nop
  19:   90                      nop
  1a:   f3 0f 1e fa             endbr64
  1e:   48 8b 34 24             mov    (%rsp),%rsi
  22:   65 48 8b 15 38 f5 1a    mov    %gs:0x121af538(%rip),%rdx        # 0x121af562
  29:   12
* 2a:   65 8b 05 49 f5 1a 12    mov    %gs:0x121af549(%rip),%eax        # 0x121af57a <-- trapping instruction
  31:   a9 00 01 ff 00          test   $0xff0100,%eax
  36:   74 1d                   je     0x55
  38:   f6 c4 01                test   $0x1,%ah
  3b:   74 43                   je     0x80
  3d:   a9                      .byte 0xa9