bisecting cause commit starting from df54228515593d1dc1df538786a94beb690f8cff building syzkaller on 07bfe8a540418c37449ef29dfc84ccf4d15ea0e0 testing commit df54228515593d1dc1df538786a94beb690f8cff with gcc (GCC) 8.1.0 kernel signature: 7e065444dca3efd7f18d93e46f3945ed6700a5aa8f8d64861c0799684da437a8 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_recvmsg testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: ae997c81c8480492441e712d3c127e3da959156d4e937c464609e101fa84e28c all runs: OK # git bisect start df54228515593d1dc1df538786a94beb690f8cff bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 8683 revisions left to test after this (roughly 13 steps) [4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 8.1.0 kernel signature: 19d651166031891e1c42f1a0518e05f408372acef30d76f75e5b6df6eabbfcd1 all runs: OK # git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be Bisecting: 4340 revisions left to test after this (roughly 12 steps) [4962a85696f9439970bfd84f7ce23b2721f13549] Merge tag 'io_uring-5.10-2020-10-20' of git://git.kernel.dk/linux-block testing commit 4962a85696f9439970bfd84f7ce23b2721f13549 with gcc (GCC) 8.1.0 kernel signature: cf3b52a414efb5bc639a656f64d02fa5a9af3c4fc0d2417b8860b3c18c2e53f8 all runs: OK # git bisect good 4962a85696f9439970bfd84f7ce23b2721f13549 Bisecting: 1967 revisions left to test after this (roughly 11 steps) [e533cda12d8f0e7936354bafdc85c81741f805d2] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit e533cda12d8f0e7936354bafdc85c81741f805d2 with gcc (GCC) 8.1.0 kernel signature: 891f88128917d7a0933492816761b4642621c40248483973cc1036b0060aa27f all runs: OK # git bisect good e533cda12d8f0e7936354bafdc85c81741f805d2 Bisecting: 984 revisions left to test after this (roughly 10 steps) [03f0f5ad58479ba1374f10680fc836aa21abe8f9] Merge tag 'linux-kselftest-fixes-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest testing commit 03f0f5ad58479ba1374f10680fc836aa21abe8f9 with gcc (GCC) 8.1.0 kernel signature: d0d9650fc0f435e2b6646e3d4ce961ea3bcdd1f0ed9ab78bf0575038c5ccedad run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky # git bisect bad 03f0f5ad58479ba1374f10680fc836aa21abe8f9 Bisecting: 487 revisions left to test after this (roughly 9 steps) [c2dc4c073fb71b50904493657a7622b481b346e3] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost testing commit c2dc4c073fb71b50904493657a7622b481b346e3 with gcc (GCC) 8.1.0 kernel signature: 1a005b848a4682c041dcaecdb60869641aa243e6571b25a1b0a3b78e641ebe79 all runs: OK # git bisect good c2dc4c073fb71b50904493657a7622b481b346e3 Bisecting: 244 revisions left to test after this (roughly 8 steps) [cf26c714874c14941953f6658ef85d7ce3446a0a] Merge tag 'spi-fix-v5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi testing commit cf26c714874c14941953f6658ef85d7ce3446a0a with gcc (GCC) 8.1.0 kernel signature: d35ee5dc43660784917255e78c1745f57632ea1cf0f53ea3e0b15ceb17502ce7 all runs: OK # git bisect good cf26c714874c14941953f6658ef85d7ce3446a0a Bisecting: 119 revisions left to test after this (roughly 7 steps) [02a2aa3500a993c9f0812b8564d36d63b8d49ce4] Merge tag 'iommu-fixes-v5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu testing commit 02a2aa3500a993c9f0812b8564d36d63b8d49ce4 with gcc (GCC) 8.1.0 kernel signature: 4c8506ee8c1ea5fe1196b9bde8b551238277c975d71fe9aae91c5fc4195dca91 run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 02a2aa3500a993c9f0812b8564d36d63b8d49ce4 Bisecting: 63 revisions left to test after this (roughly 6 steps) [ab07ff1c92fa60f29438e655a1b4abab860ed0b6] can: flexcan: flexcan_remove(): disable wakeup completely testing commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 with gcc (GCC) 8.1.0 kernel signature: e554163f74f3778fe120ab2b55ed3c0a83a9c93f306125d87d3c7d79a17248ac run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad ab07ff1c92fa60f29438e655a1b4abab860ed0b6 Bisecting: 30 revisions left to test after this (roughly 5 steps) [0a26ba0603d637eb6673a2ea79808cc73909ef3a] net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement testing commit 0a26ba0603d637eb6673a2ea79808cc73909ef3a with gcc (GCC) 8.1.0 kernel signature: 7fa16ea843852b8df61a594f552fc9f907f7a67d2a11c4ea9741fbb621495c9c run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 0a26ba0603d637eb6673a2ea79808cc73909ef3a Bisecting: 17 revisions left to test after this (roughly 4 steps) [20149e9eb68c003eaa09e7c9a49023df40779552] ip_tunnel: fix over-mtu packet send fail without TUNNEL_DONT_FRAGMENT flags testing commit 20149e9eb68c003eaa09e7c9a49023df40779552 with gcc (GCC) 8.1.0 kernel signature: a5b60c5f9ceadb8c1683444c0101b80f03864a09c0f0327126c9b64f56e845e9 all runs: OK # git bisect good 20149e9eb68c003eaa09e7c9a49023df40779552 Bisecting: 10 revisions left to test after this (roughly 3 steps) [c2f46814521113f6699a74e0a0424cbc5b305479] mac80211: don't require VHT elements for HE on 2.4 GHz testing commit c2f46814521113f6699a74e0a0424cbc5b305479 with gcc (GCC) 8.1.0 kernel signature: ad67bc7c3b2372729c8251ae641e7603190838e3563cb0dbb65108b4c0c9d0f1 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad c2f46814521113f6699a74e0a0424cbc5b305479 Bisecting: 3 revisions left to test after this (roughly 2 steps) [9bdaf3b91efd229dd272b228e13df10310c80d19] cfg80211: initialize wdev data earlier testing commit 9bdaf3b91efd229dd272b228e13df10310c80d19 with gcc (GCC) 8.1.0 kernel signature: 6d5e6f737dcb87f4c9ed84a3208206494634afc8c6d0a8bb1f4e0aedf9c88dfe all runs: OK # git bisect good 9bdaf3b91efd229dd272b228e13df10310c80d19 Bisecting: 1 revision left to test after this (roughly 1 step) [b1e8eb11fb9cf666d8ae36bbcf533233a504c921] mac80211: fix kernel-doc markups testing commit b1e8eb11fb9cf666d8ae36bbcf533233a504c921 with gcc (GCC) 8.1.0 kernel signature: ffea488e6968d47883849a2af21d2e7c781a88425bb657260e045706339748d8 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad b1e8eb11fb9cf666d8ae36bbcf533233a504c921 Bisecting: 0 revisions left to test after this (roughly 0 steps) [dcd479e10a0510522a5d88b29b8f79ea3467d501] mac80211: always wind down STA state testing commit dcd479e10a0510522a5d88b29b8f79ea3467d501 with gcc (GCC) 8.1.0 kernel signature: abf97f5c0b857e2220bad0669e781b0091da47389de49ca06d9f048f404f731d run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad dcd479e10a0510522a5d88b29b8f79ea3467d501 dcd479e10a0510522a5d88b29b8f79ea3467d501 is the first bad commit commit dcd479e10a0510522a5d88b29b8f79ea3467d501 Author: Johannes Berg Date: Fri Oct 9 14:17:11 2020 +0200 mac80211: always wind down STA state When (for example) an IBSS station is pre-moved to AUTHORIZED before it's inserted, and then the insertion fails, we don't clean up the fast RX/TX states that might already have been created, since we don't go through all the state transitions again on the way down. Do that, if it hasn't been done already, when the station is freed. I considered only freeing the fast TX/RX state there, but we might add more state so it's more robust to wind down the state properly. Note that we warn if the station was ever inserted, it should have been properly cleaned up in that case, and the driver will probably not like things happening out of order. Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid Signed-off-by: Johannes Berg net/mac80211/sta_info.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) culprit signature: abf97f5c0b857e2220bad0669e781b0091da47389de49ca06d9f048f404f731d parent signature: 6d5e6f737dcb87f4c9ed84a3208206494634afc8c6d0a8bb1f4e0aedf9c88dfe Reproducer flagged being flaky revisions tested: 16, total time: 3h38m42.995324996s (build: 1h10m19.46170523s, test: 2h26m29.191188112s) first bad commit: dcd479e10a0510522a5d88b29b8f79ea3467d501 mac80211: always wind down STA state recipients (to): ["davem@davemloft.net" "johannes.berg@intel.com" "johannes@sipsolutions.net" "kuba@kernel.org" "linux-wireless@vger.kernel.org" "netdev@vger.kernel.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: BUG: sleeping function called from invalid context in sta_info_move_state BUG: sleeping function called from invalid context at net/mac80211/sta_info.c:1962 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 21, name: kworker/u4:1 4 locks held by kworker/u4:1/21: #0: ffff88811ef9e938 ((wq_completion)phy13){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88811ef9e938 ((wq_completion)phy13){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88811ef9e938 ((wq_completion)phy13){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #2: ffff88811efccd00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline] #2: ffff88811efccd00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x420 net/mac80211/ibss.c:1683 #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline] #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1c2/0xde0 net/mac80211/sta_info.c:732 Preemption disabled at: [] __mutex_lock_common kernel/locking/mutex.c:955 [inline] [] __mutex_lock+0x70/0x9f0 kernel/locking/mutex.c:1103 CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy13 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 ___might_sleep.cold.110+0xf2/0x106 kernel/sched/core.c:7298 sta_info_move_state+0x1a/0x2b0 net/mac80211/sta_info.c:1962 sta_info_free+0x11/0xd0 net/mac80211/sta_info.c:274 sta_info_insert_rcu+0xd4/0xde0 net/mac80211/sta_info.c:738 ieee80211_ibss_finish_sta+0x9e/0x120 net/mac80211/ibss.c:592 ieee80211_ibss_work+0x10a/0x420 net/mac80211/ibss.c:1700 process_one_work+0x273/0x600 kernel/workqueue.c:2272 worker_thread+0x38/0x380 kernel/workqueue.c:2418 kthread+0x144/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 ============================= [ BUG: Invalid wait context ] 5.10.0-rc1-syzkaller #0 Tainted: G W ----------------------------- kworker/u4:1/21 is trying to lock: ffff88811efaa9d0 (&local->chanctx_mtx){+.+.}-{3:3}, at: ieee80211_recalc_min_chandef+0x1f/0x90 net/mac80211/util.c:2740 other info that might help us debug this: context-{4:4} 4 locks held by kworker/u4:1/21: #0: ffff88811ef9e938 ((wq_completion)phy13){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88811ef9e938 ((wq_completion)phy13){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88811ef9e938 ((wq_completion)phy13){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #2: ffff88811efccd00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline] #2: ffff88811efccd00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x420 net/mac80211/ibss.c:1683 #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline] #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1c2/0xde0 net/mac80211/sta_info.c:732 stack backtrace: CPU: 0 PID: 21 Comm: kworker/u4:1 Tainted: G W 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy13 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 print_lock_invalid_wait_context kernel/locking/lockdep.c:4489 [inline] check_wait_context kernel/locking/lockdep.c:4550 [inline] __lock_acquire.cold.73+0x160/0x2be kernel/locking/lockdep.c:4787 lock_acquire+0xd0/0x3d0 kernel/locking/lockdep.c:5442 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x94/0x9f0 kernel/locking/mutex.c:1103 ieee80211_recalc_min_chandef+0x1f/0x90 net/mac80211/util.c:2740 sta_info_move_state+0x140/0x2b0 net/mac80211/sta_info.c:2019 sta_info_free+0x11/0xd0 net/mac80211/sta_info.c:274 sta_info_insert_rcu+0xd4/0xde0 net/mac80211/sta_info.c:738 ieee80211_ibss_finish_sta+0x9e/0x120 net/mac80211/ibss.c:592 ieee80211_ibss_work+0x10a/0x420 net/mac80211/ibss.c:1700 process_one_work+0x273/0x600 kernel/workqueue.c:2272 worker_thread+0x38/0x380 kernel/workqueue.c:2418 kthread+0x144/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296