BUG: sleeping function called from invalid context at drivers/usb/core/urb.c:705
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 17579, name: syz.5.2676
preempt_count: 101, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz.5.2676/17579:
 #0: ffff888128f8b6c8 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x11d/0x590 mm/mmap_lock.c:310
 #1: ffff8881f573aa00 (lock#8){+.+.}-{3:3}, at: local_trylock_acquire include/linux/local_lock_internal.h:53 [inline]
 #1: ffff8881f573aa00 (lock#8){+.+.}-{3:3}, at: consume_stock mm/memcontrol.c:1849 [inline]
 #1: ffff8881f573aa00 (lock#8){+.+.}-{3:3}, at: try_charge_memcg+0x165/0xdf0 mm/memcontrol.c:2371
irq event stamp: 1117
hardirqs last  enabled at (1116): [<ffffffff876c80e2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last  enabled at (1116): [<ffffffff876c80e2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (1117): [<ffffffff876c7df2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (1117): [<ffffffff876c7df2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last  enabled at (1110): [<ffffffff8177002d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last  enabled at (1110): [<ffffffff8177002d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last  enabled at (1110): [<ffffffff8177002d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (1113): [<ffffffff8177002d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (1113): [<ffffffff8177002d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (1113): [<ffffffff8177002d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<ffffffff82198d7f>] consume_stock mm/memcontrol.c:1849 [inline]
[<ffffffff82198d7f>] try_charge_memcg+0xef/0xdf0 mm/memcontrol.c:2371
CPU: 1 UID: 0 PID: 17579 Comm: syz.5.2676 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 __might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8888
 usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:705
 usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
 if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
 if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
 dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
 handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:consume_stock mm/memcontrol.c:1855 [inline]
RIP: 0010:try_charge_memcg+0x24f/0xdf0 mm/memcontrol.c:2371
Code: 00 0f 85 66 0a 00 00 4a 03 2c e5 e0 ab 1a 89 45 31 e4 48 8d 45 40 49 63 d4 48 83 fa 08 0f 83 dc 09 00 00 48 89 c1 48 c1 e9 03 <42> 80 3c 29 00 0f 85 a9 09 00 00 48 8d 4a 08 48 8b 4c cd 00 48 39
RSP: 0000:ffffc900078afb70 EFLAGS: 00000a02
RAX: ffff8881f573aa48 RBX: 0000000000000001 RCX: 1ffff1103eae7549
RDX: 0000000000000001 RSI: ffffffff87afd2a0 RDI: ffffffff891aabe8
RBP: ffff8881f573aa00 R08: 000000002d7f0212 R09: 000000000000053c
R10: 0000000000000000 R11: ffffffff82198df5 R12: 0000000000000001
R13: dffffc0000000000 R14: 0000000000000040 R15: ffff888115a35880
 try_charge mm/memcontrol.c:2556 [inline]
 charge_memcg+0xa6/0x280 mm/memcontrol.c:4744
 __mem_cgroup_charge+0x2b/0x1e0 mm/memcontrol.c:4761
 mem_cgroup_charge include/linux/memcontrol.h:664 [inline]
 folio_prealloc+0x65/0x180 mm/memory.c:1211
 alloc_anon_folio mm/memory.c:5209 [inline]
 do_anonymous_page mm/memory.c:5266 [inline]
 do_pte_missing mm/memory.c:4475 [inline]
 handle_pte_fault mm/memory.c:6317 [inline]
 __handle_mm_fault+0x16bb/0x2d60 mm/memory.c:6455
 handle_mm_fault+0x36d/0xa20 mm/memory.c:6624
 do_user_addr_fault+0x5ae/0x11d0 arch/x86/mm/fault.c:1334
 handle_page_fault arch/x86/mm/fault.c:1474 [inline]
 exc_page_fault+0x66/0xc0 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f1edc53431a
Code: 4d 69 ff 68 08 00 00 b9 0c 01 00 00 4c 89 74 24 18 31 ed 4a 8d 54 3e 08 4e 8d 0c 3e 4c 89 fb 48 89 d7 4d 89 cf ba 01 00 00 00 <f3> 48 ab 49 8d 45 12 4d 89 69 08 49 89 41 10 41 0f b6 45 04 41 88
RSP: 002b:00007f1edb0bcf60 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000001938 RCX: 0000000000000098
RDX: 0000000000000001 RSI: 00007f1edca10320 RDI: 00007f1edca12000
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f1edca11c58
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000036
R13: 0000200000000100 R14: 0000000000000005 R15: 00007f1edca11c58
 </TASK>
BUG: scheduling while atomic: syz.5.2676/17579/0x00000102
2 locks held by syz.5.2676/17579:
 #0: ffff888128f8b6c8 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x11d/0x590 mm/mmap_lock.c:310
 #1: ffff8881f573aa00 (lock#8){+.+.}-{3:3}, at: local_trylock_acquire include/linux/local_lock_internal.h:53 [inline]
 #1: ffff8881f573aa00 (lock#8){+.+.}-{3:3}, at: consume_stock mm/memcontrol.c:1849 [inline]
 #1: ffff8881f573aa00 (lock#8){+.+.}-{3:3}, at: try_charge_memcg+0x165/0xdf0 mm/memcontrol.c:2371
Modules linked in:
irq event stamp: 1117
hardirqs last  enabled at (1116): [<ffffffff876c80e2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last  enabled at (1116): [<ffffffff876c80e2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (1117): [<ffffffff876c7df2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (1117): [<ffffffff876c7df2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last  enabled at (1110): [<ffffffff8177002d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last  enabled at (1110): [<ffffffff8177002d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last  enabled at (1110): [<ffffffff8177002d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (1113): [<ffffffff8177002d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (1113): [<ffffffff8177002d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (1113): [<ffffffff8177002d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<ffffffff82198d7f>] consume_stock mm/memcontrol.c:1849 [inline]
[<ffffffff82198d7f>] try_charge_memcg+0xef/0xdf0 mm/memcontrol.c:2371
----------------
Code disassembly (best guess):
   0:	00 0f                	add    %cl,(%rdi)
   2:	85 66 0a             	test   %esp,0xa(%rsi)
   5:	00 00                	add    %al,(%rax)
   7:	4a 03 2c e5 e0 ab 1a 	add    -0x76e55420(,%r12,8),%rbp
   e:	89
   f:	45 31 e4             	xor    %r12d,%r12d
  12:	48 8d 45 40          	lea    0x40(%rbp),%rax
  16:	49 63 d4             	movslq %r12d,%rdx
  19:	48 83 fa 08          	cmp    $0x8,%rdx
  1d:	0f 83 dc 09 00 00    	jae    0x9ff
  23:	48 89 c1             	mov    %rax,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
* 2a:	42 80 3c 29 00       	cmpb   $0x0,(%rcx,%r13,1) <-- trapping instruction
  2f:	0f 85 a9 09 00 00    	jne    0x9de
  35:	48 8d 4a 08          	lea    0x8(%rdx),%rcx
  39:	48 8b 4c cd 00       	mov    0x0(%rbp,%rcx,8),%rcx
  3e:	48                   	rex.W
  3f:	39                   	.byte 0x39