bisecting fixing commit since 76bda503e6406539b1ad5adefe69d3df439ee97f
building syzkaller on 0d27f508b6b35d3b12b9fafebd40a1f36950c8f3
testing commit 76bda503e6406539b1ad5adefe69d3df439ee97f with gcc (GCC) 8.1.0
kernel signature: 08709a022f034229d7b4164626bab84b43559624d4f61d1e7f852ca6ecbf30a9
run #0: crashed: BUG: sleeping function called from invalid context in corrupted
run #1: crashed: BUG: sleeping function called from invalid context in corrupted
run #2: crashed: BUG: sleeping function called from invalid context in corrupted
run #3: crashed: BUG: sleeping function called from invalid context in corrupted
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: BUG: sleeping function called from invalid context in corrupted
testing current HEAD 13d2ce42de8cb98ff952f8de6307f896203854c2
testing commit 13d2ce42de8cb98ff952f8de6307f896203854c2 with gcc (GCC) 8.1.0
kernel signature: 4a6a71d10ab5f0efd81739fd6891ddcb235a112b050e5871f54a0936fed9e1fc
all runs: OK
# git bisect start 13d2ce42de8cb98ff952f8de6307f896203854c2 76bda503e6406539b1ad5adefe69d3df439ee97f
Bisecting: 111 revisions left to test after this (roughly 7 steps)
[db42adcd476a6b9848c8bbf4a0d37f9a6ef0b239] x86/xen: don't unbind uninitialized lock_kicker_irq
testing commit db42adcd476a6b9848c8bbf4a0d37f9a6ef0b239 with gcc (GCC) 8.1.0
kernel signature: 41fd5d861b44651fea0350c3eac2333d5218f8bad118000e5ca258c0a712beae
all runs: OK
# git bisect bad db42adcd476a6b9848c8bbf4a0d37f9a6ef0b239
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[e6f49ea48162b0c2fefcd499b7af1e102750e8e4] ASoC: qcom: lpass-platform: Fix memory leak
testing commit e6f49ea48162b0c2fefcd499b7af1e102750e8e4 with gcc (GCC) 8.1.0
kernel signature: 30f9ef3e629d5174d168834e094caf90021d02d0d0c841b58be3f1116c569684
run #0: crashed: BUG: sleeping function called from invalid context in corrupted
run #1: crashed: BUG: sleeping function called from invalid context in corrupted
run #2: crashed: BUG: sleeping function called from invalid context in corrupted
run #3: crashed: BUG: sleeping function called from invalid context in corrupted
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect good e6f49ea48162b0c2fefcd499b7af1e102750e8e4
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[2216a93ce6841cde69fb6e59763ca029f15e4ddf] mac80211: minstrel: remove deferred sampling code
testing commit 2216a93ce6841cde69fb6e59763ca029f15e4ddf with gcc (GCC) 8.1.0
kernel signature: 0ac434cf9208e76b1c79785fb6c78e07dcb19abbe05220d262a1430bf63ad4f4
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in corrupted
run #2: crashed: BUG: sleeping function called from invalid context in corrupted
run #3: crashed: BUG: sleeping function called from invalid context in corrupted
run #4: crashed: BUG: sleeping function called from invalid context in corrupted
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 2216a93ce6841cde69fb6e59763ca029f15e4ddf
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[a6b9a7f781b88f1a1ddba93b504206d86bfbf68e] wireless: Use linux/stddef.h instead of stddef.h
testing commit a6b9a7f781b88f1a1ddba93b504206d86bfbf68e with gcc (GCC) 8.1.0
kernel signature: a464d7a94182bb12cba439f431e6135bd39cd406649b2c61b940702da87c6dad
all runs: OK
# git bisect bad a6b9a7f781b88f1a1ddba93b504206d86bfbf68e
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[526d963441acf60edb9f0d348eef2b24edfdbffe] x86/microcode/intel: Check patch signature before saving microcode for early loading
testing commit 526d963441acf60edb9f0d348eef2b24edfdbffe with gcc (GCC) 8.1.0
kernel signature: b20f67779642a7e49066821662e93eb827082f67bc1435af3b0f2ab44c647853
all runs: OK
# git bisect bad 526d963441acf60edb9f0d348eef2b24edfdbffe
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[a1bf9efcf4a047c80662d5509806da4cf50cfaf6] s390/cpum_sf.c: fix file permission for cpum_sfb_size
testing commit a1bf9efcf4a047c80662d5509806da4cf50cfaf6 with gcc (GCC) 8.1.0
kernel signature: 542e24b2d3125c5b8bba04ac09c20393d92d5f9a0b505b3f880738343972c1b1
all runs: OK
# git bisect bad a1bf9efcf4a047c80662d5509806da4cf50cfaf6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[499b109be6889b4a5442b7652c32370bb2d741a2] mac80211: free sta in sta_info_insert_finish() on errors
testing commit 499b109be6889b4a5442b7652c32370bb2d741a2 with gcc (GCC) 8.1.0
kernel signature: 542e24b2d3125c5b8bba04ac09c20393d92d5f9a0b505b3f880738343972c1b1
all runs: OK
# git bisect bad 499b109be6889b4a5442b7652c32370bb2d741a2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b48b65efcdf698fb3118c44197b664f3e3bfe708] mac80211: minstrel: fix tx status processing corner case
testing commit b48b65efcdf698fb3118c44197b664f3e3bfe708 with gcc (GCC) 8.1.0
kernel signature: 76cc144c9807e907191864c4063207635e472b2c3b00d6288e6a5393359459a9
run #0: crashed: BUG: sleeping function called from invalid context in corrupted
run #1: crashed: BUG: sleeping function called from invalid context in corrupted
run #2: crashed: BUG: sleeping function called from invalid context in corrupted
run #3: crashed: BUG: sleeping function called from invalid context in corrupted
run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #5: crashed: BUG: sleeping function called from invalid context in corrupted
run #6: crashed: BUG: sleeping function called from invalid context in corrupted
run #7: crashed: BUG: sleeping function called from invalid context in corrupted
run #8: OK
run #9: OK
# git bisect good b48b65efcdf698fb3118c44197b664f3e3bfe708
499b109be6889b4a5442b7652c32370bb2d741a2 is the first bad commit
commit 499b109be6889b4a5442b7652c32370bb2d741a2
Author: Johannes Berg
Date:   Thu Nov 12 11:22:04 2020 +0100

    mac80211: free sta in sta_info_insert_finish() on errors

    commit 7bc40aedf24d31d8bea80e1161e996ef4299fb10 upstream.

    If sta_info_insert_finish() fails, we currently keep the station
    around and free it only in the caller, but there's only one such
    caller and it always frees it immediately.

    As syzbot found, another consequence of this split is that we can
    put things that sleep only into __cleanup_single_sta() and not in
    sta_info_free(), but this is the only place that requires such of
    sta_info_free() now.

    Change this to free the station in sta_info_insert_finish(), in
    which case we can still sleep. This will also let us unify the
    cleanup code later.

    Cc: stable@vger.kernel.org
    Fixes: dcd479e10a05 ("mac80211: always wind down STA state")
    Reported-by: syzbot+32c6c38c4812d22f2f0b@syzkaller.appspotmail.com
    Reported-by: syzbot+4c81fe92e372d26c4246@syzkaller.appspotmail.com
    Reported-by: syzbot+6a7fe9faf0d1d61bc24a@syzkaller.appspotmail.com
    Reported-by: syzbot+abed06851c5ffe010921@syzkaller.appspotmail.com
    Reported-by: syzbot+b7aeb9318541a1c709f1@syzkaller.appspotmail.com
    Reported-by: syzbot+d5a9416c6cafe53b5dd0@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/r/20201112112201.ee6b397b9453.I9c31d667a0ea2151441cc64ed6613d36c18a48e0@changeid
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

 net/mac80211/sta_info.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

culprit signature: 542e24b2d3125c5b8bba04ac09c20393d92d5f9a0b505b3f880738343972c1b1
parent signature: 76cc144c9807e907191864c4063207635e472b2c3b00d6288e6a5393359459a9
Reproducer flagged being flaky
revisions tested: 10, total time: 3h8m41.08534881s (build: 1h26m35.141887972s, test: 1h40m52.681832319s)
first good commit: 499b109be6889b4a5442b7652c32370bb2d741a2 mac80211: free sta in sta_info_insert_finish() on errors
recipients (to): ["davem@davemloft.net" "gregkh@linuxfoundation.org" "johannes.berg@intel.com" "johannes@sipsolutions.net" "linux-wireless@vger.kernel.org" "netdev@vger.kernel.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]