bisecting cause commit starting from fc3abb53250a90ba2150eebd182137c136f4d25a
building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7
testing commit fc3abb53250a90ba2150eebd182137c136f4d25a with gcc (GCC) 8.1.0
kernel signature: 11dc373728ee8f58eed56e3c6974bb90ea7d95bc72e3e4dce7778d403796ae66
run #0: crashed: stack segment fault in dump_schedule
run #1: crashed: BUG: sleeping function called from invalid context in exc_page_fault
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: a8e34de4c9afa492aab3d3eacc499ed681a0ca31cb728390630aa06e96afa6c0
run #0: crashed: BUG: sleeping function called from invalid context in exc_page_fault
run #1: crashed: BUG: sleeping function called from invalid context in exc_page_fault
run #2: crashed: WARNING: ODEBUG bug in tomoyo_path_perm
run #3: crashed: BUG: sleeping function called from invalid context in exc_page_fault
run #4: crashed: BUG: sleeping function called from invalid context in exc_page_fault
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: c37fd4eafd8173b64f28497b18201ba3eb3de9ea09cf351a484b9f3d0b1676e8
run #0: crashed: KASAN: use-after-free Read in dump_schedule
run #1: crashed: KASAN: use-after-free Read in dump_schedule
run #2: crashed: KASAN: use-after-free Read in dump_schedule
run #3: crashed: KASAN: use-after-free Read in dump_schedule
run #4: crashed: KASAN: use-after-free Read in dump_schedule
run #5: crashed: KASAN: use-after-free Read in dump_schedule
run #6: crashed: KASAN: use-after-free Read in dump_schedule
run #7: OK
run #8: OK
run #9: OK
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: f81772ad65e9f0fd9beebf31c8a5f871ea6a1638d9d9555d1a68d1cfe445a98f
run #0: crashed: KASAN: use-after-free Read in dump_schedule
run #1: crashed: KASAN: use-after-free Read in dump_schedule
run #2: crashed: KASAN: use-after-free Read in dump_schedule
run #3: crashed: KASAN: use-after-free Read in dump_schedule
run #4: crashed: KASAN: use-after-free Read in dump_schedule
run #5: crashed: KASAN: use-after-free Read in dump_schedule
run #6: crashed: KASAN: use-after-free Read in dump_schedule
run #7: OK
run #8: OK
run #9: OK
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: e6fb40a4715198497e33433bddce13ff420bc3162f97709b2f148f8c14a72239
all runs: crashed: BUG: sleeping function called from invalid context in cpus_read_lock
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: b00ee4f1f9c789dc2933188eaead420e9c46705d417518ae2d1c3123eb22476a
all runs: crashed: BUG: sleeping function called from invalid context in cpus_read_lock
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 751ca0f541a669e4c96951a7d0764bc8a271ec60256e69b2e34394737a1a2780
all runs: crashed: BUG: sleeping function called from invalid context in cpus_read_lock
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: c38834b455ac9ade615888b45ca712be4124106976b30fa02b5fe746612b8e59
all runs: crashed: BUG: sleeping function called from invalid context in cpus_read_lock
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: dd54f0db16c5634aa92cf5d02283659251c4302fe9125dadec95b385b0bc6abb
all runs: OK
# git bisect start 0ecfebd2b52404ae0c54a878c872bb93363ada36 e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd
Bisecting: 6966 revisions left to test after this (roughly 13 steps)
[a2d635decbfa9c1e4ae15cb05b68b2559f7f827c] Merge tag 'drm-next-2019-05-09' of git://anongit.freedesktop.org/drm/drm
testing commit a2d635decbfa9c1e4ae15cb05b68b2559f7f827c with gcc (GCC) 8.1.0
kernel signature: 67b938cfddab7bec56814fbf0fa65aaa40e4d62188ff23e4ed7d3f420bca384e
all runs: crashed: BUG: sleeping function called from invalid context in cpus_read_lock
# git bisect bad a2d635decbfa9c1e4ae15cb05b68b2559f7f827c
Bisecting: 4612 revisions left to test after this (roughly 12 steps)
[82efe439599439a5e1e225ce5740e6cfb777a7dd] Merge tag 'devicetree-for-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
testing commit 82efe439599439a5e1e225ce5740e6cfb777a7dd with gcc (GCC) 8.1.0
kernel signature: 19e338114ea5c59bb5045b190a19c3ef9a88587c972406855d3ce544f9af1409
all runs: OK
# git bisect good 82efe439599439a5e1e225ce5740e6cfb777a7dd
Bisecting: 2416 revisions left to test after this (roughly 11 steps)
[b3a5e648f5917ea508ecab9a629028b186d38eae] Merge tag 'tty-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit b3a5e648f5917ea508ecab9a629028b186d38eae with gcc (GCC) 8.1.0
kernel signature: 82b90edfb1797ded393daf7152c7c6049706b09cbe7482ed14883406e2566108
all runs: crashed: BUG: sleeping function called from invalid context in cpus_read_lock
# git bisect bad b3a5e648f5917ea508ecab9a629028b186d38eae
Bisecting: 1097 revisions left to test after this (roughly 10 steps)
[0e33d334df1310d0697f2595833f723e5380359c] Merge branch 'libbpf-fixes'
testing commit 0e33d334df1310d0697f2595833f723e5380359c with gcc (GCC) 8.1.0
kernel signature: 640e8de9078c9331c8da4d2ce66761acb57d3d6015e2d29f8e77eae428e4ba84
all runs: crashed: WARNING in taprio_dequeue
# git bisect bad 0e33d334df1310d0697f2595833f723e5380359c
Bisecting: 548 revisions left to test after this (roughly 9 steps)
[4339ef396ab65a61f7f22f36d7ba94b6e9e0939b] net: hns3: add error handler for initializing command queue
testing commit 4339ef396ab65a61f7f22f36d7ba94b6e9e0939b with gcc (GCC) 8.1.0
kernel signature: e5d546aa401fdea5f3361511aa6ab8026a7cdfa6eccc561155e2c5b1671680d9
all runs: OK
# git bisect good 4339ef396ab65a61f7f22f36d7ba94b6e9e0939b
Bisecting: 273 revisions left to test after this (roughly 8 steps)
[cea29a70727e7885b3fdf0d266a57818652a89c1] Merge branch 'ipv6-Use-fib6_result-for-fib_lookups'
testing commit cea29a70727e7885b3fdf0d266a57818652a89c1 with gcc (GCC) 8.1.0
kernel signature: 827120d4ac3a74a894c9ce271317fadb88095b0181244fc4fdcfa5fb532d1b81
all runs: crashed: WARNING in taprio_dequeue
# git bisect bad cea29a70727e7885b3fdf0d266a57818652a89c1
Bisecting: 137 revisions left to test after this (roughly 7 steps)
[38f58c972334833e0e0804a32e8cee8d8d475cb7] netdevsim: move sdev specific bpf debugfs files to sdev dir
testing commit 38f58c972334833e0e0804a32e8cee8d8d475cb7 with gcc (GCC) 8.1.0
kernel signature: ddc6e4d3cd101221b04652a73149ca7593583c406a9572247a5ba1a53e28544b
all runs: crashed: WARNING in taprio_dequeue
# git bisect bad 38f58c972334833e0e0804a32e8cee8d8d475cb7
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[947e8b595b82d3551750641445d0a97b8f29b536] bpf: explicitly prohibit ctx_{in, out} in non-skb BPF_PROG_TEST_RUN
testing commit 947e8b595b82d3551750641445d0a97b8f29b536 with gcc (GCC) 8.1.0
kernel signature: 7d4b0cfcf4c5647c6e860ed691b9bb48523ce35872ea70c02af6772570fdbee3
all runs: OK
# git bisect good 947e8b595b82d3551750641445d0a97b8f29b536
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[1ba9a8951794751ea3bcbcc5df700d42d525a130] ipv6: Only call rt6_check_neigh for nexthop with gateway
testing commit 1ba9a8951794751ea3bcbcc5df700d42d525a130 with gcc (GCC) 8.1.0
kernel signature: c5d50af4385dce97fc73e4e2c0301daa01ee801e44e138d5178e93d11836883b
all runs: crashed: WARNING in taprio_dequeue
# git bisect bad 1ba9a8951794751ea3bcbcc5df700d42d525a130
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[4c75be07f9385364be3a5033ff3a20faf3f3bce0] net: phy: remove unnecessary callback settings in C45 drivers
testing commit 4c75be07f9385364be3a5033ff3a20faf3f3bce0 with gcc (GCC) 8.1.0
kernel signature: a6248b7bf6b662fa415817bec37ad8e0cb6a7abc2675d17327a8763e3505d193
all runs: OK
# git bisect good 4c75be07f9385364be3a5033ff3a20faf3f3bce0
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[7b9eba7ba0c1b24df42b70b62d154b284befbccf] net/sched: taprio: fix picos_per_byte miscalculation
testing commit 7b9eba7ba0c1b24df42b70b62d154b284befbccf with gcc (GCC) 8.1.0
kernel signature: 63aba40dd63f9d339fed6dab5d22b97192ecb31565c85567e9c10b1b3c518215
all runs: crashed: WARNING in taprio_dequeue
# git bisect bad 7b9eba7ba0c1b24df42b70b62d154b284befbccf
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[8a53e616de294873fec1a75ddb77ecb3d225cee0] net: sched: when clearing NOLOCK, clear TCQ_F_CPUSTATS, too
testing commit 8a53e616de294873fec1a75ddb77ecb3d225cee0 with gcc (GCC) 8.1.0
kernel signature: 5278a87cc09f14ded44a89a2364c9dde6a139a7e39135a6383a5069fbf390586
all runs: OK
# git bisect good 8a53e616de294873fec1a75ddb77ecb3d225cee0
Bisecting: 2 revisions left to test after this (roughly 1 step)
[44b9b6ca251c0dabb9013339c4fef7f1f57be37a] Merge branch 'net-sched-move-back-qlen-to-per-CPU-accounting'
testing commit 44b9b6ca251c0dabb9013339c4fef7f1f57be37a with gcc (GCC) 8.1.0
kernel signature: 19f257d22f5a192049dda79c3a2b9f34e57b15df0860313293519072af1ec789
all runs: OK
# git bisect good 44b9b6ca251c0dabb9013339c4fef7f1f57be37a
Bisecting: 0 revisions left to test after this (roughly 1 step)
[93e2125477006a98200628940e66c922572c0e73] net: strparser: fix comment
testing commit 93e2125477006a98200628940e66c922572c0e73 with gcc (GCC) 8.1.0
kernel signature: 1f8126eac6fe75b7338ca7b6af2f48937c911f1d320d947e8b49209111f66486
all runs: OK
# git bisect good 93e2125477006a98200628940e66c922572c0e73
7b9eba7ba0c1b24df42b70b62d154b284befbccf is the first bad commit
commit 7b9eba7ba0c1b24df42b70b62d154b284befbccf
Author: Leandro Dorileo <leandro.maciel.dorileo@intel.com>
Date:   Mon Apr 8 10:12:17 2019 -0700

    net/sched: taprio: fix picos_per_byte miscalculation
    
    The Time Aware Priority Scheduler is heavily dependent to link speed,
    it relies on it to calculate transmission bytes per cycle, we can't
    properly calculate the so called budget if the device has failed
    to report the link speed.
    
    In that case we can't dequeue packets assuming a wrong budget.
    This patch makes sure we fail to dequeue case:
    
    1) __ethtool_get_link_ksettings() reports error or 2) the ethernet
    driver failed to set the ksettings' speed value (setting link speed
    to SPEED_UNKNOWN).
    
    Additionally we re calculate the budget whenever the link speed is
    changed.
    
    Fixes: 5a781ccbd19e4 ("tc: Add support for configuring the taprio scheduler")
    Signed-off-by: Leandro Dorileo <leandro.maciel.dorileo@intel.com>
    Reviewed-by: Vedang Patel <vedang.patel@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/sch_taprio.c | 97 +++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 81 insertions(+), 16 deletions(-)
culprit signature: 63aba40dd63f9d339fed6dab5d22b97192ecb31565c85567e9c10b1b3c518215
parent  signature: 1f8126eac6fe75b7338ca7b6af2f48937c911f1d320d947e8b49209111f66486
revisions tested: 23, total time: 5h4m4.63934456s (build: 2h16m20.057839277s, test: 2h45m17.276428785s)
first bad commit: 7b9eba7ba0c1b24df42b70b62d154b284befbccf net/sched: taprio: fix picos_per_byte miscalculation
recipients (to): ["davem@davemloft.net" "leandro.maciel.dorileo@intel.com" "vedang.patel@intel.com"]
recipients (cc): []
crash: WARNING in taprio_dequeue
------------[ cut here ]------------
taprio: dequeue() called with unknown picos per byte.
WARNING: CPU: 0 PID: 8346 at net/sched/sch_taprio.c:137 taprio_dequeue+0x7a9/0x9a0 net/sched/sch_taprio.c:137
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8346 Comm: syz-executor.0 Not tainted 5.1.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x165/0x21a lib/dump_stack.c:113
 panic+0x212/0x40b kernel/panic.c:214
 __warn.cold.7+0x1b/0x38 kernel/panic.c:571
 report_bug+0x1a4/0x200 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:taprio_dequeue+0x7a9/0x9a0 net/sched/sch_taprio.c:137
Code: e8 7c bb b3 fb e9 40 f9 ff ff 80 3d 10 5c a4 03 00 0f 85 28 ff ff ff 48 c7 c7 40 71 e4 87 c6 05 fc 5b a4 03 01 e8 7a ef 9f fb <0f> 0b 31 c0 e9 0e ff ff ff 48 89 45 98 e8 35 83 fa fb ba ff ff 37
RSP: 0000:ffff8880ae807db0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88808de92940 RCX: 1ffff1101360593b
RDX: 1ffffffff10e473e RSI: ffff88809b02c9b8 RDI: 0000000000000286
RBP: ffff8880ae807e20 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888084aadd80
R13: ffff88808de92c20 R14: ffff888099dac480 R15: ffff88808de92940
 dequeue_skb net/sched/sch_generic.c:261 [inline]
 qdisc_restart net/sched/sch_generic.c:364 [inline]
 __qdisc_run+0x163/0x1590 net/sched/sch_generic.c:382
 qdisc_run include/net/pkt_sched.h:121 [inline]
 net_tx_action+0x432/0x9e0 net/core/dev.c:4636
 __do_softirq+0x25e/0x958 kernel/softirq.c:293
 invoke_softirq kernel/softirq.c:374 [inline]
 irq_exit+0x17f/0x1c0 kernel/softirq.c:414
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x13e/0x540 arch/x86/kernel/apic/apic.c:1062
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:767 [inline]
RIP: 0010:lock_acquire+0x1f5/0x3a0 kernel/locking/lockdep.c:4214
Code: 00 00 00 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 99 01 00 00 48 83 3d 17 14 23 07 00 0f 84 1c 01 00 00 48 8b 7d c0 57 9d <0f> 1f 44 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 65 8b
RSP: 0000:ffff888076d4f878 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffff88809b02c0c0 RCX: 0000000000000000
RDX: 1ffffffff10e473e RSI: 0000000000000001 RDI: 0000000000000286
RBP: ffff888076d4f8c0 R08: 0000000000004954 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffff88809b02c0c0
 __fs_reclaim_acquire mm/page_alloc.c:3950 [inline]
 fs_reclaim_acquire.part.22+0x24/0x30 mm/page_alloc.c:3961
 fs_reclaim_acquire+0x14/0x20 mm/page_alloc.c:3962
 prepare_alloc_pages mm/page_alloc.c:4538 [inline]
 __alloc_pages_nodemask+0x1c5/0x26d0 mm/page_alloc.c:4590
 alloc_pages_current+0xd6/0x1b0 mm/mempolicy.c:2132
 alloc_pages include/linux/gfp.h:509 [inline]
 pte_alloc_one+0x14/0x130 arch/x86/mm/pgtable.c:35
 __pte_alloc+0x1a/0x280 mm/memory.c:407
 do_anonymous_page+0xdae/0x2000 mm/memory.c:2920
 handle_pte_fault mm/memory.c:3808 [inline]
 __handle_mm_fault+0x1ca2/0x4240 mm/memory.c:3934
 handle_mm_fault+0x3dd/0x8b9 mm/memory.c:3971
 do_user_addr_fault arch/x86/mm/fault.c:1475 [inline]
 __do_page_fault+0x438/0xa60 arch/x86/mm/fault.c:1541
 do_page_fault+0x64/0x3a7 arch/x86/mm/fault.c:1572
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1143
RIP: 0033:0x41089c
Code: 48 24 8b 4c 24 38 89 48 2c 31 c0 48 8b 8c 04 30 01 00 00 48 89 8c 02 70 cf 18 01 48 83 c0 08 48 83 f8 48 75 e6 e8 d4 36 ff ff <83> 05 61 f7 17 01 01 80 7c 24 0b 00 74 11 f6 44 24 0c 01 75 0a 48
RSP: 002b:00007ffd13a0bbe0 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 000000000118cf4c RCX: 000000000045d5b9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000118cf48
RBP: 000000000118cf40 R08: 00007fabdd2a9700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000064
R13: 0000000000000000 R14: 0000000000000924 R15: 000000000118cf4c
Kernel Offset: disabled
Rebooting in 86400 seconds..