================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
modprobe/6540 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff88810df49098 (&p->tcfa_lock){+.?.}-{3:3}, at: est_timer+0xd4/0x9f0
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire+0x120/0x360
  _raw_spin_lock+0x2e/0x40
  tunnel_key_init+0xd10/0x14d0
  tcf_action_init_1+0x463/0x6d0
  tcf_action_init+0x2cf/0xab0
  tc_ctl_action+0x430/0xbd0
  rtnetlink_rcv_msg+0x77c/0xb70
  netlink_rcv_skb+0x208/0x470
  netlink_unicast+0x82f/0x9e0
  netlink_sendmsg+0x805/0xb30
  __sock_sendmsg+0x21c/0x270
  ____sys_sendmsg+0x505/0x830
  ___sys_sendmsg+0x21f/0x2a0
  __x64_sys_sendmsg+0x19b/0x260
  do_syscall_64+0xfa/0x3b0
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
irq event stamp: 1052
hardirqs last  enabled at (1052): [<ffffffff8b7cceb3>] _raw_spin_unlock_irq+0x23/0x50
hardirqs last disabled at (1051): [<ffffffff8b7ccc2d>] _raw_spin_lock_irq+0x7d/0xf0
softirqs last  enabled at (186): [<ffffffff8168818c>] fpu_flush_thread+0x2bc/0x510
softirqs last disabled at (1033): [<ffffffff8184f4da>] __irq_exit_rcu+0xca/0x1f0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&p->tcfa_lock);
  <Interrupt>
    lock(&p->tcfa_lock);

 *** DEADLOCK ***

4 locks held by modprobe/6540:
 #0: ffff8881076ba220 (&mm->mmap_lock){++++}-{4:4}, at: vm_mmap_pgoff+0x211/0x4d0
 #1: ffff888108166650 (&mapping->i_mmap_rwsem){++++}-{4:4}, at: vma_prepare+0x12f/0x4b0
 #2: ffffffff8e139ee0 (rcu_read_lock){....}-{1:3}, at: unwind_next_frame+0xa5/0x2390
 #3: ffffc900001e0be0 ((&est->timer)){+.-.}-{0:0}, at: call_timer_fn+0xbe/0x5f0

stack backtrace:
CPU: 1 UID: 0 PID: 6540 Comm: modprobe Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250
 print_usage_bug+0x297/0x2e0
 valid_state+0xc3/0xf0
 mark_lock_irq+0x36/0x390
 mark_lock+0x11b/0x190
 __lock_acquire+0x680/0xd20
 lock_acquire+0x120/0x360
 _raw_spin_lock+0x2e/0x40
 est_timer+0xd4/0x9f0
 call_timer_fn+0x17e/0x5f0
 __run_timer_base+0x61a/0x860
 run_timer_softirq+0xb7/0x180
 handle_softirqs+0x286/0x870
 __irq_exit_rcu+0xca/0x1f0
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0xa6/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:lock_acquire+0x175/0x360
Code: 00 00 00 00 9c 8f 44 24 30 f7 44 24 30 00 02 00 00 0f 85 cd 00 00 00 f7 44 24 08 00 02 00 00 74 01 fb 65 48 8b 05 3b 64 03 11 <48> 3b 44 24 58 0f 85 f2 00 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e
RSP: 0018:ffffc900066867b8 EFLAGS: 00000206
RAX: e6a2c6fd1cdc2400 RBX: 0000000000000000 RCX: e6a2c6fd1cdc2400
RDX: 0000000000000000 RSI: ffffffff8dba8aa6 RDI: ffffffff8be33800
RBP: ffffffff8172c195 R08: 0000000000000000 R09: ffffffff8172c195
R10: ffffc90006686978 R11: ffffffff81ac3820 R12: 0000000000000002
R13: ffffffff8e139ee0 R14: 0000000000000000 R15: 0000000000000246
 unwind_next_frame+0xc2/0x2390
 arch_stack_walk+0x11c/0x150
 stack_trace_save+0x9c/0xe0
 kasan_save_stack+0x3e/0x60
 kasan_record_aux_stack+0xbd/0xd0
 call_rcu+0x157/0x9c0
 mas_wr_store_entry+0x1f1b/0x25b0
 mas_store_prealloc+0xb00/0xf60
 commit_merge+0x5fc/0x700
 vma_expand+0x40c/0x7e0
 vma_merge_new_range+0x6a3/0x860
 mmap_region+0xd46/0x20c0
 do_mmap+0xc45/0x10d0
 vm_mmap_pgoff+0x2a6/0x4d0
 ksys_mmap_pgoff+0x51f/0x760
 do_syscall_64+0xfa/0x3b0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff83165bb74
Code: 63 08 44 89 e8 5b 41 5c 41 5d c3 41 89 ca 41 f7 c1 ff 0f 00 00 74 0c c7 05 f5 46 01 00 16 00 00 00 eb 17 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 0c f7 d8 89 05 dc 46 01 00 48 83 c8 ff c3 0f
RSP: 002b:00007ffcc4ae15a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007ffcc4ae1620 RCX: 00007ff83165bb74
RDX: 0000000000000001 RSI: 0000000000028000 RDI: 00007ff83160a000
RBP: 00007ffcc4ae1910 R08: 0000000000000000 R09: 0000000000097000
R10: 0000000000000812 R11: 0000000000000246 R12: 00007ff831636000
R13: 00007ffcc4ae1998 R14: 0000000000096066 R15: 0000000000000000
 </TASK>
