ip6_tables: ip6tables: counters copy to user failed while replacing table
INFO: task syz-executor.1:17606 blocked for more than 140 seconds.
      Not tainted 4.14.193-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.1  D29576 17606  10853 0x80000004
Call Trace:
 context_switch kernel/sched/core.c:2808 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3384
 schedule+0x8d/0x1b0 kernel/sched/core.c:3428
 __rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:292 [inline]
 rwsem_down_read_failed+0x1e6/0x350 kernel/locking/rwsem-xadd.c:309
 call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
 __down_read arch/x86/include/asm/rwsem.h:66 [inline]
 down_read+0x44/0x80 kernel/locking/rwsem.c:26
 exit_mm kernel/exit.c:511 [inline]
 do_exit+0x598/0x27f0 kernel/exit.c:852
 do_group_exit+0x100/0x2e0 kernel/exit.c:962
 get_signal+0x38d/0x1ca0 kernel/signal.c:2423
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45ce69
RSP: 002b:00007ffd61d84c08 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffff92 RBX: 000000000000002d RCX: 000000000045ce69
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000118bf2c
RBP: 000000000118bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffd61d84cf0 R11: 0000000000000246 R12: 00000000000003e8
R13: 000000000027b325 R14: 000000000027b2f8 R15: 000000000118bf2c
INFO: task syz-executor.1:17657 blocked for more than 140 seconds.
      Not tainted 4.14.193-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.1  D29328 17657  10853 0x80000004
Call Trace:
 context_switch kernel/sched/core.c:2808 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3384
 schedule+0x8d/0x1b0 kernel/sched/core.c:3428
 __rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:292 [inline]
 rwsem_down_read_failed+0x1e6/0x350 kernel/locking/rwsem-xadd.c:309
 call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
 __down_read arch/x86/include/asm/rwsem.h:66 [inline]
 down_read+0x44/0x80 kernel/locking/rwsem.c:26
 exit_mm kernel/exit.c:511 [inline]
 do_exit+0x598/0x27f0 kernel/exit.c:852
 do_group_exit+0x100/0x2e0 kernel/exit.c:962
 get_signal+0x38d/0x1ca0 kernel/signal.c:2423
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45ce69
RSP: 002b:00007fa0920bacf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000118bfc8 RCX: 000000000045ce69
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000118bfc8
RBP: 000000000118bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bfcc
R13: 00007ffd61d84b8f R14: 00007fa0920bb9c0 R15: 000000000118bfcc

Showing all locks held in the system:
1 lock held by khungtaskd/1064:
 #0:  (tasklist_lock){.+.+}, at: [] debug_show_all_locks+0x7c/0x21a kernel/locking/lockdep.c:4548
2 locks held by agetty/6068:
 #0:  (&tty->ldisc_sem){++++}, at: [] tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:284
 #1:  (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1e3/0x1680 drivers/tty/n_tty.c:2156
2 locks held by kworker/u4:2/30815:
 #0:  ("events_unbound"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2087
 #1:  ((&sub_info->work)){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2091
2 locks held by kworker/u4:3/30899:
 #0:  ("events_unbound"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2087
 #1:  ((&sub_info->work)){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2091
1 lock held by syz-executor.1/17606:
 #0:  (&mm->mmap_sem){++++}, at: [] exit_mm kernel/exit.c:511 [inline]
 #0:  (&mm->mmap_sem){++++}, at: [] do_exit+0x598/0x27f0 kernel/exit.c:852
1 lock held by syz-executor.1/17657:
 #0:  (&mm->mmap_sem){++++}, at: [] exit_mm kernel/exit.c:511 [inline]
 #0:  (&mm->mmap_sem){++++}, at: [] do_exit+0x598/0x27f0 kernel/exit.c:852

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1064 Comm: khungtaskd Not tainted 4.14.193-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 nmi_cpu_backtrace.cold+0x57/0x93 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x13a/0x17f lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:140 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:195 [inline]
 watchdog+0x5b9/0xb40 kernel/hung_task.c:274
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 17611 Comm: syz-executor.1 Not tainted 4.14.193-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88805ad1a300 task.stack: ffff88802a128000
RIP: 0010:strlen+0x2c/0x90 lib/string.c:482
RSP: 0018:ffff8880aeb07b38 EFLAGS: 00000046
RAX: 0000000000000000 RBX: 1ffff11015d60f87 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff87d84e60 RDI: ffffffff86ab6540
RBP: ffffffff86ab6540 R08: 0000000000000000 R09: 00000000000a6012
R10: 0000000000000000 R11: ffff88805ad1a300 R12: ffffffff87d6f180
R13: ffffffff87d84e60 R14: 0000000000000000 R15: ffff8880aeb07be8
FS:  00007fa0920dc700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff5e9ffb30 CR3: 0000000097108000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 strlen include/linux/string.h:294 [inline]
 trace_event_get_offsets_lock include/trace/events/lock.h:39 [inline]
 perf_trace_lock+0xc6/0x490 include/trace/events/lock.h:39
 trace_lock_release include/trace/events/lock.h:58 [inline]
 lock_release+0x4df/0x870 kernel/locking/lockdep.c:4016
 perf_event_wakeup kernel/events/core.c:5571 [inline]
 perf_pending_event+0x152/0x260 kernel/events/core.c:5598
 irq_work_run_list+0xf0/0x160 kernel/irq_work.c:156
 irq_work_run+0x4e/0xc0 kernel/irq_work.c:171
 smp_irq_work_interrupt+0xa3/0x4e0 arch/x86/kernel/irq_work.c:21
 irq_work_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:824
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
RIP: 0010:kmem_cache_free+0x173/0x2b0 mm/slab.c:3759
RSP: 0018:ffff8880aeb07e18 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff09
RAX: 0000000000000007 RBX: ffff88805e9b9540 RCX: 1ffff1100b5a3575
RDX: 0000000000000000 RSI: ffff88805ad1abb0 RDI: 0000000000000286
RBP: ffff88821f8b9800 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000286
R13: ffffffff814d0150 R14: ffff88805e9b9548 R15: dffffc0000000000
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x780/0x1180 kernel/rcu/tree.c:2946
 __do_softirq+0x254/0xa1d kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x193/0x240 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:648 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1102
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:vma_compute_subtree_gap mm/mmap.c:279 [inline]
RIP: 0010:vma_gap_callbacks_propagate mm/mmap.c:391 [inline]
RIP: 0010:vma_gap_update+0xcf/0x240 mm/mmap.c:405
RSP: 0018:ffff88802a12fbb8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: 1ffff1100c51419b RBX: ffff888086d08378 RCX: ffffc900090a5000
RDX: 0000000000040000 RSI: ffffffff817cd949 RDI: ffff8880628a0cd8
RBP: ffff8880628a0cc0 R08: ffff888086d08378 R09: 0000000000000001
R10: 0000000000000000 R11: ffff88805ad1a300 R12: dffffc0000000000
R13: 0000000000100000 R14: 0000000000000000 R15: ffff888086d08358
 __vma_link_rb mm/mmap.c:552 [inline]
 __vma_link mm/mmap.c:596 [inline]
 vma_link+0xd2/0x2e0 mm/mmap.c:610
 copy_vma+0x675/0x9f0 mm/mmap.c:3177
 move_vma+0x217/0x7e0 mm/mremap.c:296
 mremap_to mm/mremap.c:488 [inline]
 SYSC_mremap mm/mremap.c:556 [inline]
 SyS_mremap+0x9e9/0xd6c mm/mremap.c:519
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45ce69
RSP: 002b:00007fa0920dbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00000000000209c0 RCX: 000000000045ce69
RDX: 0000000000800000 RSI: 0000000000002000 RDI: 0000000020a94000
RBP: 000000000118bf70 R08: 0000000020130000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffd61d84b8f R14: 00007fa0920dc9c0 R15: 000000000118bf2c
Code: b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 89 fd 48 c1 ea 03 53 48 83 ec 08 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 48 <80> 7d 00 00 74 39 48 bb 00 00 00 00 00 fc ff df 48 89 e8 48 83