BUG: sleeping function called from invalid context at mm/vmalloc.c:3409 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 15183, name: syz.6.2314 preempt_count: 1, expected: 0 RCU nest depth: 1, expected: 0 2 locks held by syz.6.2314/15183: #0: ffff8880250dd7e0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:453 [inline] #0: ffff8880250dd7e0 (&mm->mmap_lock){++++}-{4:4}, at: __mm_populate+0x21f/0x380 mm/gup.c:1962 #1: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #1: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #1: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: percpu_ref_put_many include/linux/percpu-refcount.h:330 [inline] #1: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: percpu_ref_put include/linux/percpu-refcount.h:351 [inline] #1: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: css_put include/linux/cgroup_refcnt.h:79 [inline] #1: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: css_put include/linux/cgroup_refcnt.h:76 [inline] #1: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: __mem_cgroup_charge+0x84/0x1e0 mm/memcontrol.c:4720 Preemption disabled at: [] preempt_schedule_irq+0x41/0x90 kernel/sched/core.c:7286 CPU: 1 UID: 0 PID: 15183 Comm: syz.6.2314 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 __might_resched+0x3c0/0x5e0 kernel/sched/core.c:8957 vfree+0x75/0xb50 mm/vmalloc.c:3409 futex_hash_free+0x98/0xc0 kernel/futex/core.c:1742 __mmdrop+0x33f/0x580 kernel/fork.c:692 mmdrop include/linux/sched/mm.h:55 [inline] mmdrop_sched include/linux/sched/mm.h:83 [inline] mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline] finish_task_switch.isra.0+0x7a4/0xc10 kernel/sched/core.c:5250 context_switch kernel/sched/core.c:5360 [inline] __schedule+0x1198/0x5de0 kernel/sched/core.c:6961 preempt_schedule_irq+0x51/0x90 kernel/sched/core.c:7288 irqentry_exit+0x36/0x90 kernel/entry/common.c:197 asm_sysvec_reschedule_ipi+0x1a/0x20 arch/x86/include/asm/idtentry.h:707 RIP: 0010:lock_acquire+0x62/0x350 kernel/locking/lockdep.c:5872 Code: 6f 3e 12 83 f8 07 0f 87 bc 02 00 00 89 c0 48 0f a3 05 e2 18 14 0f 0f 82 74 02 00 00 8b 35 7a 4a 14 0f 85 f6 0f 85 8d 00 00 00 <48> 8b 44 24 30 65 48 2b 05 39 6f 3e 12 0f 85 c7 02 00 00 48 83 c4 RSP: 0018:ffffc90004faf468 EFLAGS: 00000206 RAX: 0000000000000046 RBX: ffffffff8e5c10a0 RCX: 000000009857470f RDX: 0000000000000000 RSI: ffffffff8de2713d RDI: ffffffff8c162d00 RBP: 0000000000000002 R08: 221910f6eea81161 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 rcu_lock_acquire include/linux/rcupdate.h:331 [inline] rcu_read_lock include/linux/rcupdate.h:841 [inline] percpu_ref_put_many include/linux/percpu-refcount.h:330 [inline] percpu_ref_put include/linux/percpu-refcount.h:351 [inline] css_put include/linux/cgroup_refcnt.h:79 [inline] css_put include/linux/cgroup_refcnt.h:76 [inline] __mem_cgroup_charge+0x98/0x1e0 mm/memcontrol.c:4720 mem_cgroup_charge include/linux/memcontrol.h:654 [inline] shmem_alloc_and_add_folio+0x514/0xc20 mm/shmem.c:1957 shmem_get_folio_gfp+0x67f/0x1600 mm/shmem.c:2597 shmem_fault+0x1fe/0xa30 mm/shmem.c:2798 __do_fault+0x10d/0x490 mm/memory.c:5152 do_read_fault mm/memory.c:5573 [inline] do_fault mm/memory.c:5707 [inline] do_pte_missing+0xf50/0x3ba0 mm/memory.c:4234 handle_pte_fault mm/memory.c:6052 [inline] __handle_mm_fault+0x152a/0x2a50 mm/memory.c:6195 handle_mm_fault+0x589/0xd10 mm/memory.c:6364 faultin_page mm/gup.c:1144 [inline] __get_user_pages+0x551/0x34a0 mm/gup.c:1446 populate_vma_page_range+0x267/0x3f0 mm/gup.c:1880 __mm_populate+0x1d8/0x380 mm/gup.c:1983 mm_populate include/linux/mm.h:3367 [inline] vm_mmap_pgoff+0x37f/0x470 mm/util.c:585 ksys_mmap_pgoff+0x7d/0x5c0 mm/mmap.c:604 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf708e579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f547e55c EFLAGS: 00000296 ORIG_RAX: 00000000000000c0 RAX: ffffffffffffffda RBX: 0000000080000000 RCX: 0000000000b36000 RDX: 0000000006ebbeef RSI: 0000000000008031 RDI: 00000000ffffffff RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ---------------- Code disassembly (best guess): 0: 6f outsl %ds:(%rsi),(%dx) 1: 3e 12 83 f8 07 0f 87 ds adc -0x78f0f808(%rbx),%al 8: bc 02 00 00 89 mov $0x89000002,%esp d: c0 48 0f a3 rorb $0xa3,0xf(%rax) 11: 05 e2 18 14 0f add $0xf1418e2,%eax 16: 0f 82 74 02 00 00 jb 0x290 1c: 8b 35 7a 4a 14 0f mov 0xf144a7a(%rip),%esi # 0xf144a9c 22: 85 f6 test %esi,%esi 24: 0f 85 8d 00 00 00 jne 0xb7 * 2a: 48 8b 44 24 30 mov 0x30(%rsp),%rax <-- trapping instruction 2f: 65 48 2b 05 39 6f 3e sub %gs:0x123e6f39(%rip),%rax # 0x123e6f70 36: 12 37: 0f 85 c7 02 00 00 jne 0x304 3d: 48 rex.W 3e: 83 .byte 0x83 3f: c4 .byte 0xc4