bisecting cause commit starting from d2b6f8a179194de0ffc4886ffc2c4358d86047b8
building syzkaller on bc5434be1a615eca6d901c20b026712bd9697fd4
testing commit d2b6f8a179194de0ffc4886ffc2c4358d86047b8 with gcc (GCC) 10.2.1 20210217
kernel signature: 3c04afd770a2f1f821894d330f2526e57d5fac52539e0a87b640264acd6602bf
run #0: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #1: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #2: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #3: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #4: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #5: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #6: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #7: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #8: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #9: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #10: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #11: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #12: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #13: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #14: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #15: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #16: OK
run #17: OK
run #18: OK
run #19: OK
testing release v5.12
testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217
kernel signature: 06d2d0bea0b9c4a85004274604d24d9d476b2a74afa1d7b16d4f673061ab09e4
run #0: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #1: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #2: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #3: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #4: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #5: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #6: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #7: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #8: OK
run #9: OK
testing release v5.11
testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217
kernel signature: ed90fbb8ff18de84ceffab28070c9539de2fa57b28f317575a02ec2d2c6a6d41
run #0: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #1: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #2: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #3: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #4: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #5: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217
kernel signature: ef92a060df42786263300f4a2cafd312bd07f5ca1370e570de7b21a72c052aa1
run #0: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #1: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #2: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #3: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #4: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217
kernel signature: 4dc80a12cd84814119c6351fdb15081a2461c01ef19cac3e80fa178e7ba063cf
all runs: OK
# git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 bbf5c979011a099af5dc76498918ed7df445635b
Bisecting: 9594 revisions left to test after this (roughly 13 steps)
[4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions
testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 10.2.1 20210217
kernel signature: 636a51dcac48f13a6fa2a5407615f79a2cb0873c4da032b21a7c1504baa5c949
all runs: OK
# git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be
Bisecting: 4874 revisions left to test after this (roughly 12 steps)
[6694875ef8045cdb1e6712ee9b68fe08763507d8] ext4: indicate that fast_commit is available via /sys/fs/ext4/feature/...
testing commit 6694875ef8045cdb1e6712ee9b68fe08763507d8 with gcc (GCC) 10.2.1 20210217
kernel signature: 15b364e9bf71978fde9dab72eb4ddef50716abee076bebc780a436a6e25431b1
all runs: OK
# git bisect good 6694875ef8045cdb1e6712ee9b68fe08763507d8
Bisecting: 2439 revisions left to test after this (roughly 11 steps)
[cf9446cc8e6d85355642209538dde619f53770dc] Merge tag 'io_uring-5.10-2020-10-30' of git://git.kernel.dk/linux-block
testing commit cf9446cc8e6d85355642209538dde619f53770dc with gcc (GCC) 10.2.1 20210217
kernel signature: dd9619a5784a63b65683fcecb1e6f98974b35525e55f4eeffcc51afdb012aa64
all runs: OK
# git bisect good cf9446cc8e6d85355642209538dde619f53770dc
Bisecting: 1221 revisions left to test after this (roughly 10 steps)
[3be28e93cd88fbcbe97cabcbe92b1ccc9f830450] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 3be28e93cd88fbcbe97cabcbe92b1ccc9f830450 with gcc (GCC) 10.2.1 20210217
kernel signature: 04a667d63f0090dcc8a376ef17b510689e1529990d28b443715b116bf6545e9e
run #0: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #1: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: UBSAN: shift-out-of-bounds in do_mpage_readpage
run #4: OK
run #5: OK
run #6: OK
run #7: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #8: OK
run #9: OK
# git bisect bad 3be28e93cd88fbcbe97cabcbe92b1ccc9f830450
Bisecting: 609 revisions left to test after this (roughly 9 steps)
[15a9844458cf3a7afcd720eca81ecb3a16213cb4] Merge tag 'irq-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 15a9844458cf3a7afcd720eca81ecb3a16213cb4 with gcc (GCC) 10.2.1 20210217
kernel signature: 6dc16481f8c23495df804dab2bb3a1aacda9125295769ca417059048c69d4dd2
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #4: OK
run #5: OK
run #6: OK
run #7: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect bad 15a9844458cf3a7afcd720eca81ecb3a16213cb4
Bisecting: 303 revisions left to test after this (roughly 8 steps)
[6f3f374ac05d05cfa63d04f4479ead7e3cb6d087] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 6f3f374ac05d05cfa63d04f4479ead7e3cb6d087 with gcc (GCC) 10.2.1 20210217
kernel signature: c87a0c1a3eebc452ac699b58a2c9128360b2386ec81cfd1704fd40f34f7cf1b0
all runs: OK
# git bisect good 6f3f374ac05d05cfa63d04f4479ead7e3cb6d087
Bisecting: 180 revisions left to test after this (roughly 7 steps)
[28ced768a4262bc81c61c8244e0e57048afc18d1] Merge tag 'tpmdd-next-v5.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd
testing commit 28ced768a4262bc81c61c8244e0e57048afc18d1 with gcc (GCC) 10.2.1 20210217
kernel signature: 601e93479ef23de12965adee36e6040e5b16b54c1da32d9d305e067879e3cf71
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #5: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #6: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #7: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 28ced768a4262bc81c61c8244e0e57048afc18d1
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[ab07ff1c92fa60f29438e655a1b4abab860ed0b6] can: flexcan: flexcan_remove(): disable wakeup completely
testing commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 with gcc (GCC) 10.2.1 20210217
kernel signature: d35bc29a9306fe9172c13cdbee1e09ad4c22d459d281d14e53cf85f55113dc95
run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad ab07ff1c92fa60f29438e655a1b4abab860ed0b6
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[0a26ba0603d637eb6673a2ea79808cc73909ef3a] net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement
testing commit 0a26ba0603d637eb6673a2ea79808cc73909ef3a with gcc (GCC) 10.2.1 20210217
kernel signature: 71e208a9f847ca01ec0afefa40959be95e4b72f97977bbaf5653b604fc678391
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #15: OK
run #16: OK
run #17: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #18: OK
run #19: OK
# git bisect bad 0a26ba0603d637eb6673a2ea79808cc73909ef3a
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[20149e9eb68c003eaa09e7c9a49023df40779552] ip_tunnel: fix over-mtu packet send fail without TUNNEL_DONT_FRAGMENT flags
testing commit 20149e9eb68c003eaa09e7c9a49023df40779552 with gcc (GCC) 10.2.1 20210217
kernel signature: 704fa90751024f2dc3b805212681076e7431f32d6da4f0fa96e5168ceb336f88
all runs: OK
# git bisect good 20149e9eb68c003eaa09e7c9a49023df40779552
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[c2f46814521113f6699a74e0a0424cbc5b305479] mac80211: don't require VHT elements for HE on 2.4 GHz
testing commit c2f46814521113f6699a74e0a0424cbc5b305479 with gcc (GCC) 10.2.1 20210217
kernel signature: 1d9f7e61e74d2fb1d6bedeae667bd2cdbd179e0436605305a848fee46627b6a5
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #5: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #6: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #7: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #8: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad c2f46814521113f6699a74e0a0424cbc5b305479
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[9bdaf3b91efd229dd272b228e13df10310c80d19] cfg80211: initialize wdev data earlier
testing commit 9bdaf3b91efd229dd272b228e13df10310c80d19 with gcc (GCC) 10.2.1 20210217
kernel signature: 200f812c021c91f347c4f8646ba1549e6f0a49b9fb7c2d9fe1c80badb2aca479
all runs: OK
# git bisect good 9bdaf3b91efd229dd272b228e13df10310c80d19
Bisecting: 1 revision left to test after this (roughly 1 step)
[b1e8eb11fb9cf666d8ae36bbcf533233a504c921] mac80211: fix kernel-doc markups
testing commit b1e8eb11fb9cf666d8ae36bbcf533233a504c921 with gcc (GCC) 10.2.1 20210217
kernel signature: e3f1b5ad2a301fc7c795b9c5be1b771b72add8a95f92ac72a997bf62cc2ef0cd
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #5: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #6: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #7: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #8: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #9: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #10: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #11: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #12: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad b1e8eb11fb9cf666d8ae36bbcf533233a504c921
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[dcd479e10a0510522a5d88b29b8f79ea3467d501] mac80211: always wind down STA state
testing commit dcd479e10a0510522a5d88b29b8f79ea3467d501 with gcc (GCC) 10.2.1 20210217
kernel signature: e399d06bda0763738ee2455f4cd748109712e099ede0612e93e594937e8aeb6f
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #5: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #6: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #7: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad dcd479e10a0510522a5d88b29b8f79ea3467d501
dcd479e10a0510522a5d88b29b8f79ea3467d501 is the first bad commit
commit dcd479e10a0510522a5d88b29b8f79ea3467d501
Author: Johannes Berg
Date: Fri Oct 9 14:17:11 2020 +0200

    mac80211: always wind down STA state

    When (for example) an IBSS station is pre-moved to AUTHORIZED
    before it's inserted, and then the insertion fails, we don't
    clean up the fast RX/TX states that might already have been
    created, since we don't go through all the state transitions
    again on the way down.

    Do that, if it hasn't been done already, when the station is
    freed. I considered only freeing the fast TX/RX state there,
    but we might add more state so it's more robust to wind down
    the state properly.

    Note that we warn if the station was ever inserted, it should
    have been properly cleaned up in that case, and the driver
    will probably not like things happening out of order.

    Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid
    Signed-off-by: Johannes Berg

 net/mac80211/sta_info.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

culprit signature: e399d06bda0763738ee2455f4cd748109712e099ede0612e93e594937e8aeb6f
parent signature: 200f812c021c91f347c4f8646ba1549e6f0a49b9fb7c2d9fe1c80badb2aca479
Reproducer flagged being flaky
revisions tested: 19, total time: 5h10m49.715348322s (build: 2h12m5.32994208s, test: 2h56m7.634951743s)
first bad commit: dcd479e10a0510522a5d88b29b8f79ea3467d501 mac80211: always wind down STA state
recipients (to): ["davem@davemloft.net" "johannes.berg@intel.com" "johannes@sipsolutions.net" "kuba@kernel.org" "linux-wireless@vger.kernel.org" "netdev@vger.kernel.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: BUG: sleeping function called from invalid context in sta_info_move_state
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
BUG: sleeping function called from invalid context at net/mac80211/sta_info.c:1962
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 190, name: kworker/u4:4
4 locks held by kworker/u4:4/190:
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: process_one_work+0x680/0x1230 kernel/workqueue.c:2243
 #1: ffffc900014c7db0 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x6ad/0x1230 kernel/workqueue.c:2247
 #2: ffff8880327a0d00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline]
 #2: ffff8880327a0d00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x8d/0xcc0 net/mac80211/ibss.c:1683
 #3: ffffffff8aa08280 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline]
 #3: ffffffff8aa08280 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x5a1/0x2700 net/mac80211/sta_info.c:732
Preemption disabled at:
[] __mutex_lock_common kernel/locking/mutex.c:955 [inline]
[] __mutex_lock+0x10f/0x1210 kernel/locking/mutex.c:1103
CPU: 1 PID: 190 Comm: kworker/u4:4 Not tainted 5.10.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy17 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x9a/0xcc lib/dump_stack.c:118
 ___might_sleep.cold+0x65/0x79 kernel/sched/core.c:7298
 sta_info_move_state+0x2b/0x9d0 net/mac80211/sta_info.c:1962
 sta_info_free+0x5c/0x340 net/mac80211/sta_info.c:274
 sta_info_insert_rcu+0x2a5/0x2700 net/mac80211/sta_info.c:738
 ieee80211_ibss_finish_sta+0x1af/0x2d0 net/mac80211/ibss.c:592
 ieee80211_ibss_work+0x265/0xcc0 net/mac80211/ibss.c:1700
 process_one_work+0x75b/0x1230 kernel/workqueue.c:2272
 worker_thread+0x598/0xf80 kernel/workqueue.c:2418
 kthread+0x36d/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

=============================
[ BUG: Invalid wait context ]
5.10.0-rc1-syzkaller #0 Tainted: G W
-----------------------------
kworker/u4:4/190 is trying to lock:
ffff88802fc229d0 (&local->chanctx_mtx){+.+.}-{3:3}, at: ieee80211_recalc_min_chandef+0x43/0x100 net/mac80211/util.c:2740
other info that might help us debug this:
context-{4:4}
4 locks held by kworker/u4:4/190:
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: ffff8880318da938 ((wq_completion)phy17){+.+.}-{0:0}, at: process_one_work+0x680/0x1230 kernel/workqueue.c:2243
 #1: ffffc900014c7db0 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x6ad/0x1230 kernel/workqueue.c:2247
 #2: ffff8880327a0d00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline]
 #2: ffff8880327a0d00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x8d/0xcc0 net/mac80211/ibss.c:1683
 #3: ffffffff8aa08280 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline]
 #3: ffffffff8aa08280 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x5a1/0x2700 net/mac80211/sta_info.c:732
stack backtrace:
CPU: 0 PID: 190 Comm: kworker/u4:4 Tainted: G W 5.10.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy17 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x9a/0xcc lib/dump_stack.c:118
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4489 [inline]
 check_wait_context kernel/locking/lockdep.c:4550 [inline]
 __lock_acquire.cold+0x333/0x3cc kernel/locking/lockdep.c:4787
 lock_acquire kernel/locking/lockdep.c:5442 [inline]
 lock_acquire+0x2a3/0x910 kernel/locking/lockdep.c:5407
 __mutex_lock_common kernel/locking/mutex.c:956 [inline]
 __mutex_lock+0x134/0x1210 kernel/locking/mutex.c:1103
 ieee80211_recalc_min_chandef+0x43/0x100 net/mac80211/util.c:2740
 sta_info_move_state+0x140/0x9d0 net/mac80211/sta_info.c:2019
 sta_info_free+0x5c/0x340 net/mac80211/sta_info.c:274
 sta_info_insert_rcu+0x2a5/0x2700 net/mac80211/sta_info.c:738
 ieee80211_ibss_finish_sta+0x1af/0x2d0 net/mac80211/ibss.c:592
 ieee80211_ibss_work+0x265/0xcc0 net/mac80211/ibss.c:1700
 process_one_work+0x75b/0x1230 kernel/workqueue.c:2272
 worker_thread+0x598/0xf80 kernel/workqueue.c:2418
 kthread+0x36d/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296