bisecting cause commit starting from b01f250d83f6c3af5c77699dd14e7b48ee0b5383 building syzkaller on fc9fd31ee7998c8b747752791000ea4eef07b5c6 testing commit b01f250d83f6c3af5c77699dd14e7b48ee0b5383 with gcc (GCC) 8.1.0 kernel signature: b1e103ff4b9b3e9de737ae96297ca821db7f9024b17ead150185e931efb98d21 run #0: crashed: possible deadlock in cfg80211_netdev_notifier_call run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 0ac21c7bec8a01fc2233fe2faf9cb6641f5d6068f7226445cdb28206bf6f01d9 all runs: OK # git bisect start b01f250d83f6c3af5c77699dd14e7b48ee0b5383 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 11010 revisions left to test after this (roughly 14 steps) [be695ee29e8fc0af266d9f1882868c47da01a790] Merge tag 'ceph-for-5.11-rc1' of git://github.com/ceph/ceph-client testing commit be695ee29e8fc0af266d9f1882868c47da01a790 with gcc (GCC) 8.1.0 kernel signature: c899b7f47930248b3cde8210023736481485121c7ddac3754a9c08c5a8da6fde all runs: OK # git bisect good be695ee29e8fc0af266d9f1882868c47da01a790 Bisecting: 5509 revisions left to test after this (roughly 13 steps) [0652bd53e0c0575dc41543bcc51a1076768d3872] Merge remote-tracking branch 'pci/next' testing commit 0652bd53e0c0575dc41543bcc51a1076768d3872 with gcc (GCC) 8.1.0 kernel signature: 699c8f551ef801018cf493b90c3cf92df39164588129c4bd1ed86f11971b0aab all runs: OK # git bisect good 0652bd53e0c0575dc41543bcc51a1076768d3872 Bisecting: 2737 revisions left to test after this (roughly 12 steps) [f435e1394249cacaf0fa6cd172d76254ceb071a3] Merge remote-tracking branch 'amdgpu/drm-next' testing commit f435e1394249cacaf0fa6cd172d76254ceb071a3 with gcc (GCC) 8.1.0 kernel signature: a9e90cc45015cb75f895e4214967d8467a141217fffb1b258a916c293d3a21c5 all runs: OK # git bisect good f435e1394249cacaf0fa6cd172d76254ceb071a3 Bisecting: 1377 revisions left to test after this (roughly 11 steps) [589e25c6dfdd535e8eba052f7314054f6d75be4a] Merge remote-tracking branch 'drivers-x86/for-next' testing commit 589e25c6dfdd535e8eba052f7314054f6d75be4a with gcc (GCC) 8.1.0 kernel signature: a44fc8028eea84612fee1e7ebcc3c432bf2c27d10066d3e6a90b92516f6911c9 all runs: OK # git bisect good 589e25c6dfdd535e8eba052f7314054f6d75be4a Bisecting: 638 revisions left to test after this (roughly 10 steps) [dffa1670056fe42a75f02f303f20cca1e1ef8e00] Merge remote-tracking branch 'scsi/for-next' testing commit dffa1670056fe42a75f02f303f20cca1e1ef8e00 with gcc (GCC) 8.1.0 kernel signature: 1804b2139e393682f9107681916910b79ac792252180d9f37350afa77f2bddba all runs: OK # git bisect good dffa1670056fe42a75f02f303f20cca1e1ef8e00 Bisecting: 318 revisions left to test after this (roughly 8 steps) [97780161bb7f54af249611e3e24f1abe6f1d9558] Merge remote-tracking branch 'memblock/for-next' testing commit 97780161bb7f54af249611e3e24f1abe6f1d9558 with gcc (GCC) 8.1.0 kernel signature: 3bb8cbe41bf72565665b3b8664ae4ab9b35a32f000240bca7bd8e87d0e2da1f5 all runs: OK # git bisect good 97780161bb7f54af249611e3e24f1abe6f1d9558 Bisecting: 159 revisions left to test after this (roughly 7 steps) [5099896fe3ea17ae84919aedfc23006613ecfcf3] hugetlbfs: remove meaningless variable avoid_reserve testing commit 5099896fe3ea17ae84919aedfc23006613ecfcf3 with gcc (GCC) 8.1.0 kernel signature: 7eb5f03fef95bd8e2a52cc2b0765ab520f55c063a49cf3ed2e553321cc9dff26 all runs: OK # git bisect good 5099896fe3ea17ae84919aedfc23006613ecfcf3 Bisecting: 79 revisions left to test after this (roughly 6 steps) [f10623faf244590a8113fc150ed1fd148dabb3f0] kfence: use error_report_end tracepoint testing commit f10623faf244590a8113fc150ed1fd148dabb3f0 with gcc (GCC) 8.1.0 kernel signature: 53eb22890ac345d123d2546d8102ac2e879c74d06847e0fea3c729b24f5f4fa0 all runs: OK # git bisect good f10623faf244590a8113fc150ed1fd148dabb3f0 Bisecting: 45 revisions left to test after this (roughly 5 steps) [8c6158474df0a2f5de406ef58c3ca9da8841d1c1] initramfs-panic-with-memory-information-fix testing commit 8c6158474df0a2f5de406ef58c3ca9da8841d1c1 with gcc (GCC) 8.1.0 kernel signature: 79a970283ea7429bd0d018c727fa3d3a624b0e0303eae68b647647a3911b8922 all runs: OK # git bisect good 8c6158474df0a2f5de406ef58c3ca9da8841d1c1 Bisecting: 27 revisions left to test after this (roughly 5 steps) [be65de6b03aa638c46ea51e9d11a92e4914d8103] fs: Remove dcookies support testing commit be65de6b03aa638c46ea51e9d11a92e4914d8103 with gcc (GCC) 8.1.0 kernel signature: 637289a4e4050f3e965f063eaa7d93beb99b62e17141fcc10341764875ceff34 all runs: OK # git bisect good be65de6b03aa638c46ea51e9d11a92e4914d8103 Bisecting: 13 revisions left to test after this (roughly 4 steps) [09e02afa75ce44b790d0a0ac33b6fe5589bab123] Merge branch 'akpm-current/current' testing commit 09e02afa75ce44b790d0a0ac33b6fe5589bab123 with gcc (GCC) 8.1.0 kernel signature: 5af4d445041f56051ef1d17c8a5b08318f424f501d79488191877f12ed8b2485 all runs: OK # git bisect good 09e02afa75ce44b790d0a0ac33b6fe5589bab123 Bisecting: 6 revisions left to test after this (roughly 3 steps) [cc9327f3b085ba5be5639a5ec3ce5b08a0f14a7c] mm: introduce memfd_secret system call to create "secret" memory areas testing commit cc9327f3b085ba5be5639a5ec3ce5b08a0f14a7c with gcc (GCC) 8.1.0 kernel signature: d3b6c3fc615d35631a96ec85e4cb97f5ce660de981f73317245ac779fad68f9d run #0: crashed: possible deadlock in cfg80211_netdev_notifier_call run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad cc9327f3b085ba5be5639a5ec3ce5b08a0f14a7c Bisecting: 3 revisions left to test after this (roughly 2 steps) [287b85d33757d595780e63cfc0744743d70a8180] riscv/Kconfig: make direct map manipulation options depend on MMU testing commit 287b85d33757d595780e63cfc0744743d70a8180 with gcc (GCC) 8.1.0 kernel signature: 16e5bb09a45b0ed761b42a124241bf601161d2722369c399ca807ffccc74f626 all runs: OK # git bisect good 287b85d33757d595780e63cfc0744743d70a8180 Bisecting: 1 revision left to test after this (roughly 1 step) [471f26f46ded3b8f2e0336e56bfaa98172bbcd74] set_memory: allow querying whether set_direct_map_*() is actually enabled testing commit 471f26f46ded3b8f2e0336e56bfaa98172bbcd74 with gcc (GCC) 8.1.0 kernel signature: db1c0deb644e22ce360b8bb591ab20fb63db1df415da8e8db88266d56fbe9e1c all runs: OK # git bisect good 471f26f46ded3b8f2e0336e56bfaa98172bbcd74 Bisecting: 0 revisions left to test after this (roughly 0 steps) [5afa819bb5e9ae2b8bf655e0ac13f9563faf93e0] arm64: kfence: fix header inclusion testing commit 5afa819bb5e9ae2b8bf655e0ac13f9563faf93e0 with gcc (GCC) 8.1.0 kernel signature: db1c0deb644e22ce360b8bb591ab20fb63db1df415da8e8db88266d56fbe9e1c all runs: OK # git bisect good 5afa819bb5e9ae2b8bf655e0ac13f9563faf93e0 cc9327f3b085ba5be5639a5ec3ce5b08a0f14a7c is the first bad commit commit cc9327f3b085ba5be5639a5ec3ce5b08a0f14a7c Author: Mike Rapoport Date: Thu Jan 28 18:42:40 2021 +1100 mm: introduce memfd_secret system call to create "secret" memory areas Introduce "memfd_secret" system call with the ability to create memory areas visible only in the context of the owning process and not mapped not only to other processes but in the kernel page tables as well. The user will create a file descriptor using the memfd_secret() system call. The memory areas created by mmap() calls from this file descriptor will be unmapped from the kernel direct map and they will be only mapped in the page table of the owning mm. The secret memory remains accessible in the process context using uaccess primitives, but it is not accessible using direct/linear map addresses. Functions in the follow_page()/get_user_page() family will refuse to return a page that belongs to the secret memory area. A page that was a part of the secret memory area is cleared when it is freed. The following example demonstrates creation of a secret mapping (error handling is omitted): fd = memfd_secret(0); ftruncate(fd, MAP_SIZE); ptr = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); Link: https://lkml.kernel.org/r/20210121122723.3446-7-rppt@kernel.org Signed-off-by: Mike Rapoport Acked-by: Hagen Paul Pfeifer Cc: Alexander Viro Cc: Andy Lutomirski Cc: Arnd Bergmann Cc: Borislav Petkov Cc: Catalin Marinas Cc: Christopher Lameter Cc: Dan Williams Cc: Dave Hansen Cc: David Hildenbrand Cc: Elena Reshetova Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: James Bottomley Cc: "Kirill A. Shutemov" Cc: Mark Rutland Cc: Matthew Wilcox Cc: Michael Kerrisk Cc: Palmer Dabbelt Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Rick Edgecombe Cc: Roman Gushchin Cc: Shakeel Butt Cc: Shuah Khan Cc: Thomas Gleixner Cc: Tycho Andersen Cc: Will Deacon Signed-off-by: Andrew Morton Signed-off-by: Stephen Rothwell include/linux/secretmem.h | 24 ++++ include/uapi/linux/magic.h | 1 + kernel/sys_ni.c | 2 + mm/Kconfig | 3 + mm/Makefile | 1 + mm/gup.c | 10 ++ mm/secretmem.c | 278 +++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 319 insertions(+) create mode 100644 include/linux/secretmem.h create mode 100644 mm/secretmem.c culprit signature: d3b6c3fc615d35631a96ec85e4cb97f5ce660de981f73317245ac779fad68f9d parent signature: db1c0deb644e22ce360b8bb591ab20fb63db1df415da8e8db88266d56fbe9e1c Reproducer flagged being flaky revisions tested: 17, total time: 3h47m30.512800513s (build: 1h20m42.51409596s, test: 2h24m39.99569733s) first bad commit: cc9327f3b085ba5be5639a5ec3ce5b08a0f14a7c mm: introduce memfd_secret system call to create "secret" memory areas recipients (to): ["akpm@linux-foundation.org" "hagen@jauu.net" "rppt@linux.ibm.com" "sfr@canb.auug.org.au"] recipients (cc): [] crash: possible deadlock in cfg80211_netdev_notifier_call netlink: 'syz-executor.3': attribute type 11 has an invalid length. ============================================ WARNING: possible recursive locking detected 5.11.0-rc5-syzkaller #0 Not tainted -------------------------------------------- syz-executor.3/750 is trying to acquire lock: ffff88811f6085e8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:5267 [inline] ffff88811f6085e8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: cfg80211_netdev_notifier_call+0x28a/0x5b0 net/wireless/core.c:1407 but task is already holding lock: ffff88811f6085e8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:5267 [inline] ffff88811f6085e8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_pre_doit+0xc1/0x160 net/wireless/nl80211.c:14837 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&rdev->wiphy.mtx); lock(&rdev->wiphy.mtx); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by syz-executor.3/750: #0: ffffffff852a2eb0 (cb_lock){++++}-{3:3}, at: genl_rcv+0x10/0x30 net/netlink/genetlink.c:810 #1: ffffffff85288d48 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x13/0x160 net/wireless/nl80211.c:14793 #2: ffff88811f6085e8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:5267 [inline] #2: ffff88811f6085e8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: nl80211_pre_doit+0xc1/0x160 net/wireless/nl80211.c:14837 stack backtrace: CPU: 0 PID: 750 Comm: syz-executor.3 Not tainted 5.11.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:120 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] check_deadlock kernel/locking/lockdep.c:2872 [inline] validate_chain kernel/locking/lockdep.c:3661 [inline] __lock_acquire.cold.75+0x165/0x2be kernel/locking/lockdep.c:4899 lock_acquire+0xd0/0x3e0 kernel/locking/lockdep.c:5509 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x94/0xa00 kernel/locking/mutex.c:1103 wiphy_lock include/net/cfg80211.h:5267 [inline] cfg80211_netdev_notifier_call+0x28a/0x5b0 net/wireless/core.c:1407 notifier_call_chain+0x2f/0x90 kernel/notifier.c:83 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline] call_netdevice_notifiers net/core/dev.c:2066 [inline] unregister_netdevice_many+0x11d/0x6d0 net/core/dev.c:10704 unregister_netdevice_queue+0xc6/0x100 net/core/dev.c:10638 register_netdevice+0x55a/0x630 net/core/dev.c:10013 cfg80211_register_netdevice+0x4f/0x110 net/wireless/core.c:1349 ieee80211_if_add+0x571/0x9e0 net/mac80211/iface.c:1990 ieee80211_add_iface+0x38/0x90 net/mac80211/cfg.c:125 rdev_add_virtual_intf net/wireless/rdev-ops.h:45 [inline] nl80211_new_interface+0x1b4/0x540 net/wireless/nl80211.c:3977 genl_family_rcv_msg_doit.isra.17+0x102/0x140 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0xd8/0x1e0 net/netlink/genetlink.c:800 netlink_rcv_skb+0x49/0xf0 net/netlink/af_netlink.c:2494 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:674 ____sys_sendmsg+0x1ed/0x230 net/socket.c:2350 ___sys_sendmsg+0x77/0xb0 net/socket.c:2404 __sys_sendmsg+0x52/0xa0 net/socket.c:2437 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e219 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fdfbd3afc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219 RDX: 0000000000000000 RSI: 0000000020000400 RDI: 0000000000000004 RBP: 000000000119c110 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c0dc R13: 00007ffd1315af0f R14: 00007fdfbd3b09c0 R15: 000000000119c0dc