bisecting cause commit starting from 04a55c944f151b3149b78beff5ff406faa84485d building syzkaller on cba33199be220cbf61f7c0c8223d88a25a913d6f testing commit 04a55c944f151b3149b78beff5ff406faa84485d with gcc (GCC) 8.1.0 kernel signature: 6fa6000a9611a5f67bc9954dca1a51e1a5b9ea53f9375458d8e76457a5616f05 run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 934f0a134532bbbd345c7e8b605e59600f755e76ac937b8aa8fb348b839f419b all runs: OK # git bisect start 04a55c944f151b3149b78beff5ff406faa84485d bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 7440 revisions left to test after this (roughly 13 steps) [c48b75b7271db23c1b2d1204d6e8496d91f27711] Merge tag 'sound-5.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit c48b75b7271db23c1b2d1204d6e8496d91f27711 with gcc (GCC) 8.1.0 kernel signature: 9a2381878bdc33ec4990e346935262c1106b44c9646045acec11e11fd34e7f55 all runs: OK # git bisect good c48b75b7271db23c1b2d1204d6e8496d91f27711 Bisecting: 3700 revisions left to test after this (roughly 12 steps) [09a31a7e3723afd79022d5d3ff3634c2630c2eeb] Merge tag 'mips_5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux testing commit 09a31a7e3723afd79022d5d3ff3634c2630c2eeb with gcc (GCC) 8.1.0 kernel signature: 92a4d6cfb3c64d294ab1bb910fd6cbd4a00f89af056b95c3a1a3a5892a7877cd all runs: OK # git bisect good 09a31a7e3723afd79022d5d3ff3634c2630c2eeb Bisecting: 1857 revisions left to test after this (roughly 11 steps) [9313f8026328d0309d093f6774be4b8f5340c0e5] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost testing commit 9313f8026328d0309d093f6774be4b8f5340c0e5 with gcc (GCC) 8.1.0 kernel signature: fb8a376a59958002f372624fe6a14a7e17f0748bb35a1955c3b9af472c51664c all runs: OK # git bisect good 9313f8026328d0309d093f6774be4b8f5340c0e5 Bisecting: 1000 revisions left to test after this (roughly 10 steps) [2e368dd2bbeac6bfd50886371db185b1092067b4] Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 2e368dd2bbeac6bfd50886371db185b1092067b4 with gcc (GCC) 8.1.0 kernel signature: b809db3aea8f366d3fa308c7acf7d6eb4639374d4802e7aef12b702306b45b1e all runs: OK # git bisect good 2e368dd2bbeac6bfd50886371db185b1092067b4 Bisecting: 490 revisions left to test after this (roughly 9 steps) [a1c259cdb02885f87c2f04a0127a01548330a42e] Merge tag 'qcom-arm64-for-5.10' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into arm/dt testing commit a1c259cdb02885f87c2f04a0127a01548330a42e with gcc (GCC) 8.1.0 kernel signature: 476bc4c7cfcc0354f86415287d2043db10094d7059be78f7704a047c70914071 all runs: OK # git bisect good a1c259cdb02885f87c2f04a0127a01548330a42e Bisecting: 245 revisions left to test after this (roughly 8 steps) [b6f96e75ae121ead54da3f58c545d68184079f90] Merge tag 'powerpc-5.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit b6f96e75ae121ead54da3f58c545d68184079f90 with gcc (GCC) 8.1.0 kernel signature: 8107ab059ff9dc68468a0cf8bdf190a48047c33e76284637e048dd336cfbe99b all runs: OK # git bisect good b6f96e75ae121ead54da3f58c545d68184079f90 Bisecting: 122 revisions left to test after this (roughly 7 steps) [41ba50b0572e90ed3d24fe4def54567e9050bc47] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 testing commit 41ba50b0572e90ed3d24fe4def54567e9050bc47 with gcc (GCC) 8.1.0 kernel signature: 141931f319a14837087765ae99ac7b69fad462d63fc8b05b0e9856ddaa22a3ad all runs: OK # git bisect good 41ba50b0572e90ed3d24fe4def54567e9050bc47 Bisecting: 68 revisions left to test after this (roughly 6 steps) [b9c0f4bd5b8114ee1773734e07cda921b6e8248b] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit b9c0f4bd5b8114ee1773734e07cda921b6e8248b with gcc (GCC) 8.1.0 kernel signature: a7897cfc4a5ed5e90f14abad163e760186976165be42cc9ff0896c17787af4ff all runs: OK # git bisect good b9c0f4bd5b8114ee1773734e07cda921b6e8248b Bisecting: 34 revisions left to test after this (roughly 5 steps) [d6535dca28859d8d9ef80894eb287b2ac35a32e8] net: protect tcf_block_unbind with block lock testing commit d6535dca28859d8d9ef80894eb287b2ac35a32e8 with gcc (GCC) 8.1.0 kernel signature: e905ac58b317232bcb5d38e24089bb80cdbab31ee95b692a7594c9055509072c all runs: OK # git bisect good d6535dca28859d8d9ef80894eb287b2ac35a32e8 Bisecting: 17 revisions left to test after this (roughly 4 steps) [b59e286be280fa3c2e94a0716ddcee6ba02bc8ba] ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition testing commit b59e286be280fa3c2e94a0716ddcee6ba02bc8ba with gcc (GCC) 8.1.0 kernel signature: 31de8fe46081687a2aa7ec5f7a8aa40f41f44a2359867dbc590076f89a1215ef all runs: OK # git bisect good b59e286be280fa3c2e94a0716ddcee6ba02bc8ba Bisecting: 7 revisions left to test after this (roughly 3 steps) [859191b234f86b5f36cbe384baca1067a2221eb7] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf testing commit 859191b234f86b5f36cbe384baca1067a2221eb7 with gcc (GCC) 8.1.0 kernel signature: c0cbd4ed772592c85cd3484367b60b34d6dea8bf6c0ba9087f26818008817ddc all runs: OK # git bisect good 859191b234f86b5f36cbe384baca1067a2221eb7 Bisecting: 3 revisions left to test after this (roughly 2 steps) [dcd479e10a0510522a5d88b29b8f79ea3467d501] mac80211: always wind down STA state testing commit dcd479e10a0510522a5d88b29b8f79ea3467d501 with gcc (GCC) 8.1.0 kernel signature: 3088433d80284d394ed4d091db31eae5b2f6dc7bd7ee0e959a00d7de628039dd run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad dcd479e10a0510522a5d88b29b8f79ea3467d501 Bisecting: 1 revision left to test after this (roughly 1 step) [14f46c1e5108696ec1e5a129e838ecedf108c7bf] mac80211: fix use of skb payload instead of header testing commit 14f46c1e5108696ec1e5a129e838ecedf108c7bf with gcc (GCC) 8.1.0 kernel signature: 97b254c88c531878b822df6e6de31114b36f0d0a833b8a8a033f7ef0d20489fe all runs: OK # git bisect good 14f46c1e5108696ec1e5a129e838ecedf108c7bf Bisecting: 0 revisions left to test after this (roughly 0 steps) [9bdaf3b91efd229dd272b228e13df10310c80d19] cfg80211: initialize wdev data earlier testing commit 9bdaf3b91efd229dd272b228e13df10310c80d19 with gcc (GCC) 8.1.0 kernel signature: 72a60f954afa4aca6874a5c19dd518c808ce22951a27a946d2aec91ac79a5015 all runs: OK # git bisect good 9bdaf3b91efd229dd272b228e13df10310c80d19 dcd479e10a0510522a5d88b29b8f79ea3467d501 is the first bad commit commit dcd479e10a0510522a5d88b29b8f79ea3467d501 Author: Johannes Berg Date: Fri Oct 9 14:17:11 2020 +0200 mac80211: always wind down STA state When (for example) an IBSS station is pre-moved to AUTHORIZED before it's inserted, and then the insertion fails, we don't clean up the fast RX/TX states that might already have been created, since we don't go through all the state transitions again on the way down. Do that, if it hasn't been done already, when the station is freed. I considered only freeing the fast TX/RX state there, but we might add more state so it's more robust to wind down the state properly. Note that we warn if the station was ever inserted, it should have been properly cleaned up in that case, and the driver will probably not like things happening out of order. Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid Signed-off-by: Johannes Berg net/mac80211/sta_info.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) culprit signature: 3088433d80284d394ed4d091db31eae5b2f6dc7bd7ee0e959a00d7de628039dd parent signature: 72a60f954afa4aca6874a5c19dd518c808ce22951a27a946d2aec91ac79a5015 revisions tested: 16, total time: 3h46m51.061213692s (build: 1h8m52.117997342s, test: 2h36m26.866500315s) first bad commit: dcd479e10a0510522a5d88b29b8f79ea3467d501 mac80211: always wind down STA state recipients (to): ["davem@davemloft.net" "johannes.berg@intel.com" "johannes@sipsolutions.net" "kuba@kernel.org" "linux-wireless@vger.kernel.org" "netdev@vger.kernel.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: BUG: sleeping function called from invalid context in sta_info_move_state BUG: sleeping function called from invalid context at net/mac80211/sta_info.c:1962 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 8, name: kworker/u4:0 4 locks held by kworker/u4:0/8: #0: ffff88811ebdf138 ((wq_completion)phy11){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88811ebdf138 ((wq_completion)phy11){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88811ebdf138 ((wq_completion)phy11){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #1: ffffc90000c97e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000c97e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000c97e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #2: ffff88811f0e8d00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline] #2: ffff88811f0e8d00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x420 net/mac80211/ibss.c:1683 #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline] #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1c2/0xde0 net/mac80211/sta_info.c:732 Preemption disabled at: [] __mutex_lock_common kernel/locking/mutex.c:955 [inline] [] __mutex_lock+0x70/0x9f0 kernel/locking/mutex.c:1103 CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy11 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 ___might_sleep.cold.110+0xf2/0x106 kernel/sched/core.c:7298 sta_info_move_state+0x1a/0x2b0 net/mac80211/sta_info.c:1962 sta_info_free+0x11/0xd0 net/mac80211/sta_info.c:274 sta_info_insert_rcu+0xd4/0xde0 net/mac80211/sta_info.c:738 ieee80211_ibss_finish_sta+0x9e/0x120 net/mac80211/ibss.c:592 ieee80211_ibss_work+0x10a/0x420 net/mac80211/ibss.c:1700 process_one_work+0x273/0x600 kernel/workqueue.c:2272 worker_thread+0x38/0x380 kernel/workqueue.c:2418 kthread+0x144/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 ============================= [ BUG: Invalid wait context ] 5.10.0-rc1-syzkaller #0 Tainted: G W ----------------------------- kworker/u4:0/8 is trying to lock: ffff88811f0629d0 (&local->chanctx_mtx){+.+.}-{3:3}, at: ieee80211_recalc_min_chandef+0x1f/0x90 net/mac80211/util.c:2740 other info that might help us debug this: context-{4:4} 4 locks held by kworker/u4:0/8: #0: ffff88811ebdf138 ((wq_completion)phy11){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88811ebdf138 ((wq_completion)phy11){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88811ebdf138 ((wq_completion)phy11){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #1: ffffc90000c97e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000c97e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000c97e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #2: ffff88811f0e8d00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline] #2: ffff88811f0e8d00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x420 net/mac80211/ibss.c:1683 #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline] #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1c2/0xde0 net/mac80211/sta_info.c:732 stack backtrace: CPU: 0 PID: 8 Comm: kworker/u4:0 Tainted: G W 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy11 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 print_lock_invalid_wait_context kernel/locking/lockdep.c:4489 [inline] check_wait_context kernel/locking/lockdep.c:4550 [inline] __lock_acquire.cold.73+0x160/0x2be kernel/locking/lockdep.c:4787 lock_acquire+0xd0/0x3d0 kernel/locking/lockdep.c:5442 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x94/0x9f0 kernel/locking/mutex.c:1103 ieee80211_recalc_min_chandef+0x1f/0x90 net/mac80211/util.c:2740 sta_info_move_state+0x140/0x2b0 net/mac80211/sta_info.c:2019 sta_info_free+0x11/0xd0 net/mac80211/sta_info.c:274 sta_info_insert_rcu+0xd4/0xde0 net/mac80211/sta_info.c:738 ieee80211_ibss_finish_sta+0x9e/0x120 net/mac80211/ibss.c:592 ieee80211_ibss_work+0x10a/0x420 net/mac80211/ibss.c:1700 process_one_work+0x273/0x600 kernel/workqueue.c:2272 worker_thread+0x38/0x380 kernel/workqueue.c:2418 kthread+0x144/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296