bisecting cause commit starting from 28f9222138868899c53e00bc1f910faa55f88546 building syzkaller on a7dab6385c1d95547a88e22577fb56fbcd5c37eb testing commit 28f9222138868899c53e00bc1f910faa55f88546 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bcb682b7b460edf47f79f14844d52065080f3da13183580f2c01ef03f865c7e1 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #2: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #3: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #4: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #5: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #6: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #7: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #8: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #9: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #10: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #11: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #12: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #13: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #14: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #15: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #16: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #17: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #18: crashed: BUG: sleeping function called from invalid context in smc_pnet_add run #19: crashed: BUG: sleeping function called from invalid context in smc_pnet_add testing release v5.16 testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6392e7dc90e0a4647080a5029d93ca58348fb8a5852ea8aba24fe1cfc2cb5f6d all runs: OK # git bisect start 28f9222138868899c53e00bc1f910faa55f88546 df0cc57e057f18e44dac8e6c18aba47ab53202f9 Bisecting: 6268 revisions left to test after this (roughly 13 steps) [9149fe8ba7ff798ea1c6b1fa05eeb59f95f9a94a] Merge tag 'erofs-for-5.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs testing commit 9149fe8ba7ff798ea1c6b1fa05eeb59f95f9a94a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7f134a67b45cea8ba8f85ca9afab33d3d0f37a6b940dff276cc15dba9b187b11 all runs: OK # git bisect good 9149fe8ba7ff798ea1c6b1fa05eeb59f95f9a94a Bisecting: 3250 revisions left to test after this (roughly 12 steps) [aee101d7b95a03078945681dd7f7ea5e4a1e7686] powerpc/64s: Mask SRR0 before checking against the masked NIP testing commit aee101d7b95a03078945681dd7f7ea5e4a1e7686 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a68128aec9313dc64378d8a41d882039aeb0479f21fcf07352cd83677a6505f7 all runs: OK # git bisect good aee101d7b95a03078945681dd7f7ea5e4a1e7686 Bisecting: 1623 revisions left to test after this (roughly 11 steps) [6a8d7fbf1c65034b85e7676b42449a56e4206bd3] Merge tag 'acpi-5.17-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 6a8d7fbf1c65034b85e7676b42449a56e4206bd3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8caa6b82df1755ef1d2052bb842bc3b2c35032746f69a31601baa6d1c8276d94 all runs: OK # git bisect good 6a8d7fbf1c65034b85e7676b42449a56e4206bd3 Bisecting: 801 revisions left to test after this (roughly 10 steps) [0809edbae347a224ca1b59fb8be1c2d54389c2c6] Merge tag 'devicetree-fixes-for-5.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit 0809edbae347a224ca1b59fb8be1c2d54389c2c6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e44ba61d2b79657eb148db4afb2b720218b729781aafbd311f519c1ca03b434c all runs: OK # git bisect good 0809edbae347a224ca1b59fb8be1c2d54389c2c6 Bisecting: 400 revisions left to test after this (roughly 9 steps) [5623ef8a118838aae65363750dfafcba734dc8cb] net/mlx5e: TC, Reject rules with forward and drop actions testing commit 5623ef8a118838aae65363750dfafcba734dc8cb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 36160dbc1b38ba7fbed67ff8bfcf180ee3d51c4cc3cdd6817dbe17a18f68f22a all runs: OK # git bisect good 5623ef8a118838aae65363750dfafcba734dc8cb Bisecting: 208 revisions left to test after this (roughly 8 steps) [cb323ee75d24e7acc2f188d123ba6df46159cf09] Merge tag 'block-5.17-2022-01-28' of git://git.kernel.dk/linux-block testing commit cb323ee75d24e7acc2f188d123ba6df46159cf09 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e6e9a72b30a2cf96036a4ddec0b7d1fabc74285bfc40e29a77056af7fdacec18 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good cb323ee75d24e7acc2f188d123ba6df46159cf09 Bisecting: 107 revisions left to test after this (roughly 7 steps) [9e155101c24adb32b26475ca09bab93cf8fd80c6] Merge tag 'regulator-fix-v5.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator testing commit 9e155101c24adb32b26475ca09bab93cf8fd80c6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 69069cdd58a2db73f044c6e3bd23fba598d01bdc572cc6e9eb1d25603376551f all runs: OK # git bisect good 9e155101c24adb32b26475ca09bab93cf8fd80c6 Bisecting: 48 revisions left to test after this (roughly 6 steps) [25b20ae8151b3d5289896f4f200ff790d2cdf4bf] Merge tag 'linux-kselftest-fixes-5.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest testing commit 25b20ae8151b3d5289896f4f200ff790d2cdf4bf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 891dba45c1c996a67caa3dae384f03dc23c251639fe24c0284a64a042db83599 all runs: OK # git bisect good 25b20ae8151b3d5289896f4f200ff790d2cdf4bf Bisecting: 25 revisions left to test after this (roughly 5 steps) [0166556a12664ed3d91b58b0d3a4a78404c0e7c3] Merge branch 'net-ipa-enable-register-retention' testing commit 0166556a12664ed3d91b58b0d3a4a78404c0e7c3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9d11e4e341124f1a7b2be16e5182f41175fe782747c2c763c61024600a91073c all runs: OK # git bisect good 0166556a12664ed3d91b58b0d3a4a78404c0e7c3 Bisecting: 12 revisions left to test after this (roughly 4 steps) [dcb85f85fa6f142aae1fe86f399d4503d49f2b60] gcc-plugins/stackleak: Use noinstr in favor of notrace testing commit dcb85f85fa6f142aae1fe86f399d4503d49f2b60 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cc999fe1f585aaab00a9619b288113d4916f43522908680d458666784761717a all runs: OK # git bisect good dcb85f85fa6f142aae1fe86f399d4503d49f2b60 Bisecting: 6 revisions left to test after this (roughly 3 steps) [1f6339e034d5780ad7097c8d8c11b26e0762afba] MAINTAINERS: netfilter: update git links testing commit 1f6339e034d5780ad7097c8d8c11b26e0762afba compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cf2f8086d4904f57f9b738fe920130f78bd3ed0e924c71e835f1cca516a29d0c all runs: OK # git bisect good 1f6339e034d5780ad7097c8d8c11b26e0762afba Bisecting: 3 revisions left to test after this (roughly 2 steps) [40106e005bd9764f84ef9e6c0979fe1126d7ff02] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf testing commit 40106e005bd9764f84ef9e6c0979fe1126d7ff02 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 61ce56837180fc8560aed9375189f874f7d32428ec21ce35e8e93030a7f5a278 all runs: OK # git bisect good 40106e005bd9764f84ef9e6c0979fe1126d7ff02 Bisecting: 1 revision left to test after this (roughly 1 step) [59085208e4a2183998964844f8684fea0378128d] net: mscc: ocelot: fix all IP traffic getting trapped to CPU with PTP over IP testing commit 59085208e4a2183998964844f8684fea0378128d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d263060a4e5e137cdf4f19b2197db74f22d7e03407621794555ad5fd2c7ed4e5 all runs: OK # git bisect good 59085208e4a2183998964844f8684fea0378128d Bisecting: 0 revisions left to test after this (roughly 0 steps) [aec12836e7196e4d360b2cbf20cf7aa5139ad2ec] net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs testing commit aec12836e7196e4d360b2cbf20cf7aa5139ad2ec compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e6497d05c55cbc37fc3d889d48a4cb554d8b297857d1c78a48d63393b4b260cf all runs: OK # git bisect good aec12836e7196e4d360b2cbf20cf7aa5139ad2ec 28f9222138868899c53e00bc1f910faa55f88546 is the first bad commit commit 28f9222138868899c53e00bc1f910faa55f88546 Author: Eric Dumazet Date: Sat Feb 5 21:05:16 2022 -0800 net/smc: fix ref_tracker issue in smc_pnet_add() I added the netdev_tracker_alloc() right after ndev was stored into the newly allocated object: new_pe->ndev = ndev; if (ndev) netdev_tracker_alloc(ndev, &new_pe->dev_tracker, GFP_KERNEL); But I missed that later, we could end up freeing new_pe, then calling dev_put(ndev) to release the reference on ndev. The new_pe->dev_tracker would not be freed. To solve this issue, move the netdev_tracker_alloc() call to the point we know for sure new_pe will be kept. syzbot report (on net-next tree, but the bug is present in net tree) WARNING: CPU: 0 PID: 6019 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 Modules linked in: CPU: 0 PID: 6019 Comm: syz-executor.3 Not tainted 5.17.0-rc2-syzkaller-00650-g5a8fb33e5305 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31 Code: 1d f4 70 a0 09 31 ff 89 de e8 4d bc 99 fd 84 db 75 e0 e8 64 b8 99 fd 48 c7 c7 20 0c 06 8a c6 05 d4 70 a0 09 01 e8 9e 4e 28 05 <0f> 0b eb c4 e8 48 b8 99 fd 0f b6 1d c3 70 a0 09 31 ff 89 de e8 18 RSP: 0018:ffffc900043b7400 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815fb318 RDI: fffff52000876e72 RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815f507e R11: 0000000000000000 R12: 1ffff92000876e85 R13: 0000000000000000 R14: ffff88805c1c6600 R15: 0000000000000000 FS: 00007f1ef6feb700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2d02b000 CR3: 00000000223f4000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_dec include/linux/refcount.h:344 [inline] refcount_dec include/linux/refcount.h:359 [inline] ref_tracker_free+0x53f/0x6c0 lib/ref_tracker.c:119 netdev_tracker_free include/linux/netdevice.h:3867 [inline] dev_put_track include/linux/netdevice.h:3884 [inline] dev_put_track include/linux/netdevice.h:3880 [inline] dev_put include/linux/netdevice.h:3910 [inline] smc_pnet_add_eth net/smc/smc_pnet.c:399 [inline] smc_pnet_enter net/smc/smc_pnet.c:493 [inline] smc_pnet_add+0x5fc/0x15f0 net/smc/smc_pnet.c:556 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:731 genl_family_rcv_msg net/netlink/genetlink.c:775 [inline] genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:792 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 genl_rcv+0x24/0x40 net/netlink/genetlink.c:803 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: b60645248af3 ("net/smc: add net device tracker to struct smc_pnetentry") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller net/smc/smc_pnet.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) culprit signature: bcb682b7b460edf47f79f14844d52065080f3da13183580f2c01ef03f865c7e1 parent signature: e6497d05c55cbc37fc3d889d48a4cb554d8b297857d1c78a48d63393b4b260cf revisions tested: 16, total time: 2h46m29.727921641s (build: 2h0m39.518677126s, test: 44m23.076864147s) first bad commit: 28f9222138868899c53e00bc1f910faa55f88546 net/smc: fix ref_tracker issue in smc_pnet_add() recipients (to): ["davem@davemloft.net" "davem@davemloft.net" "edumazet@google.com" "kuba@kernel.org" "netdev@vger.kernel.org"] recipients (cc): ["kgraul@linux.ibm.com" "linux-kernel@vger.kernel.org" "linux-s390@vger.kernel.org"] crash: BUG: sleeping function called from invalid context in smc_pnet_add batman_adv: batadv0: Interface activated: batadv_slave_0 batman_adv: batadv0: Interface activated: batadv_slave_1 BUG: sleeping function called from invalid context at include/linux/sched/mm.h:256 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4065, name: syz-executor336 preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by syz-executor336/4065: #0: ffffffff8c4fc610 (cb_lock){++++}-{3:3}, at: genl_rcv+0x10/0x30 net/netlink/genetlink.c:802 #1: ffffffff8c4fc6c8 (genl_mutex){+.+.}-{3:3}, at: genl_lock net/netlink/genetlink.c:33 [inline] #1: ffffffff8c4fc6c8 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg+0x315/0x4a0 net/netlink/genetlink.c:790 #2: ffff888019b32218 (&pnettable->lock){+.+.}-{2:2}, at: smc_pnet_add_eth net/smc/smc_pnet.c:373 [inline] #2: ffff888019b32218 (&pnettable->lock){+.+.}-{2:2}, at: smc_pnet_enter net/smc/smc_pnet.c:495 [inline] #2: ffff888019b32218 (&pnettable->lock){+.+.}-{2:2}, at: smc_pnet_add+0x3b7/0x1360 net/smc/smc_pnet.c:558 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 1 PID: 4065 Comm: syz-executor336 Not tainted 5.17.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9576 might_alloc include/linux/sched/mm.h:256 [inline] slab_pre_alloc_hook mm/slab.h:705 [inline] slab_alloc_node mm/slub.c:3144 [inline] slab_alloc mm/slub.c:3238 [inline] kmem_cache_alloc_trace+0x25d/0x2c0 mm/slub.c:3255 kmalloc include/linux/slab.h:581 [inline] kzalloc include/linux/slab.h:715 [inline] ref_tracker_alloc+0xd6/0x380 lib/ref_tracker.c:77 netdev_tracker_alloc include/linux/netdevice.h:3860 [inline] smc_pnet_add_eth net/smc/smc_pnet.c:384 [inline] smc_pnet_enter net/smc/smc_pnet.c:495 [inline] smc_pnet_add+0x62e/0x1360 net/smc/smc_pnet.c:558 genl_family_rcv_msg_doit+0x1e4/0x2f0 net/netlink/genetlink.c:731 genl_family_rcv_msg net/netlink/genetlink.c:775 [inline] genl_rcv_msg+0x27a/0x4a0 net/netlink/genetlink.c:792 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2494 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:803 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x430/0x700 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x770/0xc10 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:725 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2413 ___sys_sendmsg+0xd3/0x150 net/socket.c:2467 __sys_sendmsg+0xb2/0x140 net/socket.c:2496 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f666434b499 Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc618fabb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007ffc618fabc8 RCX: 00007f666434b499 RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc618fabd0 R13: 00007ffc618fabf0 R14: 0000000000000000 R15: 0000000000000000