bisecting cause commit starting from 0fa8ee0d9ab95c9350b8b84574824d9a384a9f7d building syzkaller on 09323409cdbe048449a5a6819c076492c166f18a testing commit 0fa8ee0d9ab95c9350b8b84574824d9a384a9f7d with gcc (GCC) 8.1.0 kernel signature: d187ed7f37dfae3abea4c345866ab9d65ecc40f72b548346eed3d1e8fb9fb10d run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 934f0a134532bbbd345c7e8b605e59600f755e76ac937b8aa8fb348b839f419b all runs: OK # git bisect start 0fa8ee0d9ab95c9350b8b84574824d9a384a9f7d bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 8306 revisions left to test after this (roughly 13 steps) [4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 8.1.0 kernel signature: f516cdde94a64662621805b57d241f61efba079163a3e86b24d39afe19b15a4c all runs: OK # git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be Bisecting: 4144 revisions left to test after this (roughly 12 steps) [bbe85027ce8019c73ab99ad1c2603e2dcd1afa49] Merge tag 'xfs-5.10-merge-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux testing commit bbe85027ce8019c73ab99ad1c2603e2dcd1afa49 with gcc (GCC) 8.1.0 kernel signature: 1593d54330138d4ddab8a6248d5919a00659ac23442c46657920a6e594a49197 all runs: OK # git bisect good bbe85027ce8019c73ab99ad1c2603e2dcd1afa49 Bisecting: 2281 revisions left to test after this (roughly 11 steps) [2e368dd2bbeac6bfd50886371db185b1092067b4] Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 2e368dd2bbeac6bfd50886371db185b1092067b4 with gcc (GCC) 8.1.0 kernel signature: b809db3aea8f366d3fa308c7acf7d6eb4639374d4802e7aef12b702306b45b1e all runs: OK # git bisect good 2e368dd2bbeac6bfd50886371db185b1092067b4 Bisecting: 1132 revisions left to test after this (roughly 10 steps) [5fc6b075e165f641fbc366b58b578055762d5f8c] Merge tag 'block-5.10-2020-10-30' of git://git.kernel.dk/linux-block testing commit 5fc6b075e165f641fbc366b58b578055762d5f8c with gcc (GCC) 8.1.0 kernel signature: a6184b797a8c5b44b0255f8d641dada5670e56175e436f2bddf62e45d16e7ca8 all runs: OK # git bisect good 5fc6b075e165f641fbc366b58b578055762d5f8c Bisecting: 566 revisions left to test after this (roughly 9 steps) [460cd17e9f7d60eaa22028baa6a056c478fa7dc6] net: switch to the kernel.org patchwork instance testing commit 460cd17e9f7d60eaa22028baa6a056c478fa7dc6 with gcc (GCC) 8.1.0 kernel signature: 2e17bb33ae9ab3ecb7aed903b32d91ec1addfa1c50a8da990908d49d563ac9a8 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 460cd17e9f7d60eaa22028baa6a056c478fa7dc6 Bisecting: 280 revisions left to test after this (roughly 8 steps) [6f3f374ac05d05cfa63d04f4479ead7e3cb6d087] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 6f3f374ac05d05cfa63d04f4479ead7e3cb6d087 with gcc (GCC) 8.1.0 kernel signature: 6132b7e4f1ea1600527c9a2c6f823e51c0575bfd66a5d4d6e490dddbb39e980d all runs: OK # git bisect good 6f3f374ac05d05cfa63d04f4479ead7e3cb6d087 Bisecting: 157 revisions left to test after this (roughly 7 steps) [28ced768a4262bc81c61c8244e0e57048afc18d1] Merge tag 'tpmdd-next-v5.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd testing commit 28ced768a4262bc81c61c8244e0e57048afc18d1 with gcc (GCC) 8.1.0 kernel signature: 41ff6c5a6e375fe3f0ddaf5b716984cb744c8823b5926b93871378471f185743 run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 28ced768a4262bc81c61c8244e0e57048afc18d1 Bisecting: 61 revisions left to test after this (roughly 6 steps) [ab07ff1c92fa60f29438e655a1b4abab860ed0b6] can: flexcan: flexcan_remove(): disable wakeup completely testing commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 with gcc (GCC) 8.1.0 kernel signature: eab15d77db57dcc04a0f4a07579b53038d0fbf4c59a9c7061768f69ada1f85b5 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad ab07ff1c92fa60f29438e655a1b4abab860ed0b6 Bisecting: 30 revisions left to test after this (roughly 5 steps) [0a26ba0603d637eb6673a2ea79808cc73909ef3a] net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement testing commit 0a26ba0603d637eb6673a2ea79808cc73909ef3a with gcc (GCC) 8.1.0 kernel signature: 6fa6000a9611a5f67bc9954dca1a51e1a5b9ea53f9375458d8e76457a5616f05 run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 0a26ba0603d637eb6673a2ea79808cc73909ef3a Bisecting: 17 revisions left to test after this (roughly 4 steps) [20149e9eb68c003eaa09e7c9a49023df40779552] ip_tunnel: fix over-mtu packet send fail without TUNNEL_DONT_FRAGMENT flags testing commit 20149e9eb68c003eaa09e7c9a49023df40779552 with gcc (GCC) 8.1.0 kernel signature: af14840802bb59bacc0a90653f83cf60aed9138e7c5c2a335bfe60b8fa00a456 all runs: OK # git bisect good 20149e9eb68c003eaa09e7c9a49023df40779552 Bisecting: 10 revisions left to test after this (roughly 3 steps) [c2f46814521113f6699a74e0a0424cbc5b305479] mac80211: don't require VHT elements for HE on 2.4 GHz testing commit c2f46814521113f6699a74e0a0424cbc5b305479 with gcc (GCC) 8.1.0 kernel signature: e2a67d5e24dd780d1783fa8b84f8d36876ba26504e53cb2e494e3682a5fd2a1c run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad c2f46814521113f6699a74e0a0424cbc5b305479 Bisecting: 3 revisions left to test after this (roughly 2 steps) [9bdaf3b91efd229dd272b228e13df10310c80d19] cfg80211: initialize wdev data earlier testing commit 9bdaf3b91efd229dd272b228e13df10310c80d19 with gcc (GCC) 8.1.0 kernel signature: 72a60f954afa4aca6874a5c19dd518c808ce22951a27a946d2aec91ac79a5015 all runs: OK # git bisect good 9bdaf3b91efd229dd272b228e13df10310c80d19 Bisecting: 1 revision left to test after this (roughly 1 step) [b1e8eb11fb9cf666d8ae36bbcf533233a504c921] mac80211: fix kernel-doc markups testing commit b1e8eb11fb9cf666d8ae36bbcf533233a504c921 with gcc (GCC) 8.1.0 kernel signature: 410c57b1ed781c7f0cb55143baa408b7ffe7e82dcf867f11d6082dc1a2bd352e run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad b1e8eb11fb9cf666d8ae36bbcf533233a504c921 Bisecting: 0 revisions left to test after this (roughly 0 steps) [dcd479e10a0510522a5d88b29b8f79ea3467d501] mac80211: always wind down STA state testing commit dcd479e10a0510522a5d88b29b8f79ea3467d501 with gcc (GCC) 8.1.0 kernel signature: 3088433d80284d394ed4d091db31eae5b2f6dc7bd7ee0e959a00d7de628039dd run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad dcd479e10a0510522a5d88b29b8f79ea3467d501 dcd479e10a0510522a5d88b29b8f79ea3467d501 is the first bad commit commit dcd479e10a0510522a5d88b29b8f79ea3467d501 Author: Johannes Berg Date: Fri Oct 9 14:17:11 2020 +0200 mac80211: always wind down STA state When (for example) an IBSS station is pre-moved to AUTHORIZED before it's inserted, and then the insertion fails, we don't clean up the fast RX/TX states that might already have been created, since we don't go through all the state transitions again on the way down. Do that, if it hasn't been done already, when the station is freed. I considered only freeing the fast TX/RX state there, but we might add more state so it's more robust to wind down the state properly. Note that we warn if the station was ever inserted, it should have been properly cleaned up in that case, and the driver will probably not like things happening out of order. Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid Signed-off-by: Johannes Berg net/mac80211/sta_info.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) culprit signature: 3088433d80284d394ed4d091db31eae5b2f6dc7bd7ee0e959a00d7de628039dd parent signature: 72a60f954afa4aca6874a5c19dd518c808ce22951a27a946d2aec91ac79a5015 Reproducer flagged being flaky revisions tested: 16, total time: 3h48m58.759176148s (build: 1h13m14.892866019s, test: 2h34m11.656204183s) first bad commit: dcd479e10a0510522a5d88b29b8f79ea3467d501 mac80211: always wind down STA state recipients (to): ["davem@davemloft.net" "johannes.berg@intel.com" "johannes@sipsolutions.net" "kuba@kernel.org" "linux-wireless@vger.kernel.org" "netdev@vger.kernel.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: BUG: sleeping function called from invalid context in sta_info_move_state BUG: sleeping function called from invalid context at net/mac80211/sta_info.c:1962 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 841, name: kworker/u4:5 4 locks held by kworker/u4:5/841: #0: ffff88811ea98138 ((wq_completion)phy10){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88811ea98138 ((wq_completion)phy10){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88811ea98138 ((wq_completion)phy10){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #1: ffffc90001c13e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90001c13e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90001c13e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #2: ffff88811eafcd00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline] #2: ffff88811eafcd00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x420 net/mac80211/ibss.c:1683 #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline] #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1c2/0xde0 net/mac80211/sta_info.c:732 Preemption disabled at: [] __mutex_lock_common kernel/locking/mutex.c:955 [inline] [] __mutex_lock+0x70/0x9f0 kernel/locking/mutex.c:1103 CPU: 0 PID: 841 Comm: kworker/u4:5 Not tainted 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy10 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 ___might_sleep.cold.110+0xf2/0x106 kernel/sched/core.c:7298 sta_info_move_state+0x1a/0x2b0 net/mac80211/sta_info.c:1962 sta_info_free+0x11/0xd0 net/mac80211/sta_info.c:274 sta_info_insert_rcu+0xd4/0xde0 net/mac80211/sta_info.c:738 ieee80211_ibss_finish_sta+0x9e/0x120 net/mac80211/ibss.c:592 ieee80211_ibss_work+0x10a/0x420 net/mac80211/ibss.c:1700 process_one_work+0x273/0x600 kernel/workqueue.c:2272 worker_thread+0x38/0x380 kernel/workqueue.c:2418 kthread+0x144/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 ============================= [ BUG: Invalid wait context ] 5.10.0-rc1-syzkaller #0 Tainted: G W ----------------------------- kworker/u4:5/841 is trying to lock: ffff88811ea929d0 (&local->chanctx_mtx){+.+.}-{3:3}, at: ieee80211_recalc_min_chandef+0x1f/0x90 net/mac80211/util.c:2740 other info that might help us debug this: context-{4:4} 4 locks held by kworker/u4:5/841: #0: ffff88811ea98138 ((wq_completion)phy10){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88811ea98138 ((wq_completion)phy10){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88811ea98138 ((wq_completion)phy10){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #1: ffffc90001c13e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90001c13e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90001c13e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243 #2: ffff88811eafcd00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline] #2: ffff88811eafcd00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x420 net/mac80211/ibss.c:1683 #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline] #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1c2/0xde0 net/mac80211/sta_info.c:732 stack backtrace: CPU: 0 PID: 841 Comm: kworker/u4:5 Tainted: G W 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy10 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 print_lock_invalid_wait_context kernel/locking/lockdep.c:4489 [inline] check_wait_context kernel/locking/lockdep.c:4550 [inline] __lock_acquire.cold.73+0x160/0x2be kernel/locking/lockdep.c:4787 lock_acquire+0xd0/0x3d0 kernel/locking/lockdep.c:5442 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x94/0x9f0 kernel/locking/mutex.c:1103 ieee80211_recalc_min_chandef+0x1f/0x90 net/mac80211/util.c:2740 sta_info_move_state+0x140/0x2b0 net/mac80211/sta_info.c:2019 sta_info_free+0x11/0xd0 net/mac80211/sta_info.c:274 sta_info_insert_rcu+0xd4/0xde0 net/mac80211/sta_info.c:738 ieee80211_ibss_finish_sta+0x9e/0x120 net/mac80211/ibss.c:592 ieee80211_ibss_work+0x10a/0x420 net/mac80211/ibss.c:1700 process_one_work+0x273/0x600 kernel/workqueue.c:2272 worker_thread+0x38/0x380 kernel/workqueue.c:2418 kthread+0x144/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296