ci2 starts bisection 2024-08-04 19:43:07.471071209 +0000 UTC m=+161946.088604062
bisecting fixing commit since fa87a072a7fccf51d1c23869af2cb6b423e7b38a
building syzkaller on 07b455f928ae5c2cd07f4d61c1b499f56ea3dd08
ensuring issue is reproducible on original commit fa87a072a7fccf51d1c23869af2cb6b423e7b38a

testing commit fa87a072a7fccf51d1c23869af2cb6b423e7b38a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b1139f85debad755b21778e1acf8ffd6847f95f94529362cb785f1950d8f279e
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in text_poke_set
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #5: crashed: BUG: workqueue leaked lock or atomic in free_work
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #10: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #11: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #12: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #13: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #14: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #15: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #16: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #17: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #18: crashed: BUG: scheduling while atomic in text_poke_set
run #19: crashed: BUG: scheduling while atomic in do_epoll_wait
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed

testing commit fa87a072a7fccf51d1c23869af2cb6b423e7b38a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0a3f171fbfd2db7fb12ef231c245541d24a889d0d164af1afc4b2c4bd28fe95e
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #7: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #8: crashed: BUG: scheduling while atomic in text_poke_set
run #9: crashed: BUG: scheduling while atomic in text_poke_set
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
kconfig minimization: base=5179 full=6494 leaves diff=257
split chunks (needed=false): <257>
split chunk #0 of len 257 into 5 parts

testing without sub-chunk 1/5
disabling configs for [KASAN LOCKDEP HANG LEAK UBSAN BUG], they are not needed
testing commit fa87a072a7fccf51d1c23869af2cb6b423e7b38a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a1d6eda2a5c5732518d4a1d6ccd8a793105352359226a37db3d6292a2b9c0f52
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #1: crashed: BUG: scheduling while atomic in text_poke_set
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #5: crashed: BUG: scheduling while atomic in text_poke_set
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
representative crash: BUG: scheduling while atomic in text_poke_set, types: [ATOMIC_SLEEP UNKNOWN]
the chunk can be dropped

testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit fa87a072a7fccf51d1c23869af2cb6b423e7b38a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 36b2f17cc76befaab1d9536bdcf50889f907799f4a051a6688a412e4a0b834c0
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #1: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #5: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #7: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #8: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #9: crashed: BUG: scheduling while atomic in bpf_prog_pack_free
representative crash: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred, types: [UNKNOWN]
the chunk can be dropped

testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP HANG LEAK UBSAN BUG], they are not needed
testing commit fa87a072a7fccf51d1c23869af2cb6b423e7b38a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 134a00f04b3f38ef540a0d5ea2de7f62ce28c521e2e1d9a5804c837ee9acc1c5
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #1: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #2: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #3: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #5: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #7: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #8: crashed: BUG: scheduling while atomic in text_poke_set
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
representative crash: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred, types: [UNKNOWN]
the chunk can be dropped

testing without sub-chunk 4/5
disabling configs for [KASAN LOCKDEP HANG LEAK UBSAN BUG], they are not needed
testing commit fa87a072a7fccf51d1c23869af2cb6b423e7b38a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3f22ff3b1644ce2e258419b0452cb3ea7eccf34ce73313a194296d8e079c79dc
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #1: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #2: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #3: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #5: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #7: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #8: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
representative crash: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred, types: [UNKNOWN]
the chunk can be dropped

testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP HANG], they are not needed
testing commit fa87a072a7fccf51d1c23869af2cb6b423e7b38a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building fa87a072a7fccf51d1c23869af2cb6b423e7b38a:
net/socket.c:1245: undefined reference to `wext_handle_ioctl'
net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 49 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing current HEAD 6aafd06a463b5af31c4e652571f59995bf93c6d5
testing commit 6aafd06a463b5af31c4e652571f59995bf93c6d5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b0a9fbe348a3cfcc826ec9414ac3803f1da08988de78ba34a7002aa7074af01e
all runs: OK
false negative chance: 0.000

# git bisect start 6aafd06a463b5af31c4e652571f59995bf93c6d5 fa87a072a7fccf51d1c23869af2cb6b423e7b38a
Bisecting: 1345 revisions left to test after this (roughly 10 steps)
[1b6cfa4c760e5f3729e21b725c89f6ddb9be5abf] Bluetooth: hci_core: Cancel request on command timeout
determine whether the revision contains the guilty commit
checking the merge base 883d1a9562083922c6d293e9adad8cca4626adf3
no existing result, test the revision
testing commit 883d1a9562083922c6d293e9adad8cca4626adf3 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dc7b66bb3907b5f8cdaeefccc9da8a940ad3a3a63aeb4928a4fe27705ae3d1e4
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in do_epoll_wait
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: OK
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]
testing commit 1b6cfa4c760e5f3729e21b725c89f6ddb9be5abf gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e3bb4e0f935eb9363742248acfa70f27a98455f9582da591d436e685028e0f47
all runs: OK
false negative chance: 0.000

# git bisect bad 1b6cfa4c760e5f3729e21b725c89f6ddb9be5abf
Bisecting: 672 revisions left to test after this (roughly 9 steps)
[579cfab21b59fbf4bba2a564c5810ad72e7f868a] apparmor: Free up __cleanup() name
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit 579cfab21b59fbf4bba2a564c5810ad72e7f868a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3be903e0b727a6e896937cbb2241847a929f986ad7307e30595659be86ebab5b
all runs: OK
false negative chance: 0.000

# git bisect bad 579cfab21b59fbf4bba2a564c5810ad72e7f868a
Bisecting: 336 revisions left to test after this (roughly 8 steps)
[d8264ce2f875b3e0bdadc4ab8256a236ffd1342e] um: Don't use vfprintf() for os_info()
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit d8264ce2f875b3e0bdadc4ab8256a236ffd1342e gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b96e521d222e6c1643bcbe71cc192f897121bf4f0125fa14832bec3ad9d1a3fd
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in synchronize_rcu_expedited
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]

# git bisect good d8264ce2f875b3e0bdadc4ab8256a236ffd1342e
Bisecting: 168 revisions left to test after this (roughly 7 steps)
[1f0d7792e9023e8658e901b7b76a555f6aa052ec] ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit 1f0d7792e9023e8658e901b7b76a555f6aa052ec gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3500481040268a6fa59ab3a7a6e5792655951d3ecbab339667073c33d7f9e2ad
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in bpf_prog_pack_alloc
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: OK
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]

# git bisect good 1f0d7792e9023e8658e901b7b76a555f6aa052ec
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[8c22b23a2778c9ab47f030b5eacf8d8c156115a7] drm/prime: Support page array >= 4GB
determine whether the revision contains the guilty commit
revision d8264ce2f875b3e0bdadc4ab8256a236ffd1342e crashed and is reachable
testing commit 8c22b23a2778c9ab47f030b5eacf8d8c156115a7 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 86147ccdd7dc6b6517838c90edbbed3f3f4e6643670cd4ad32fe9a878482d746
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in bpf_prog_pack_alloc
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in text_poke_copy
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #9: OK
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]

# git bisect good 8c22b23a2778c9ab47f030b5eacf8d8c156115a7
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[309ef7de5d840e17607e7d65cbf297c0564433ef] hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit 309ef7de5d840e17607e7d65cbf297c0564433ef gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df73f3965143dad7f4bf113931c1cafdb3af597b58cb81bf632cd5743aa8064b
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: OK
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]

# git bisect good 309ef7de5d840e17607e7d65cbf297c0564433ef
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[9c84d580de3c6f816ab43373e21e421e5687e52e] arm64: dts: qcom: msm8916: Enable blsp_dma by default
determine whether the revision contains the guilty commit
revision 1f0d7792e9023e8658e901b7b76a555f6aa052ec crashed and is reachable
testing commit 9c84d580de3c6f816ab43373e21e421e5687e52e gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4c20ab7481166fdfd80972159c05009bf4ebf469a56a9d0e2dad444b6c616c78
run #0: crashed: BUG: scheduling while atomic in __skb_wait_for_more_packets
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in do_epoll_wait
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in __skb_wait_for_more_packets, types: [ATOMIC_SLEEP]

# git bisect good 9c84d580de3c6f816ab43373e21e421e5687e52e
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[51a8f31b939c21994f43e2d01e1a97719c8685df] nfsd: don't take fi_lock in nfsd_break_deleg_cb()
determine whether the revision contains the guilty commit
revision 1f0d7792e9023e8658e901b7b76a555f6aa052ec crashed and is reachable
testing commit 51a8f31b939c21994f43e2d01e1a97719c8685df gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 69f80ae4ae473256cbdf873c681053c4385625bf0cbbbe90e08fc3760ba8ade1
run #0: crashed: BUG: scheduling while atomic in text_poke_copy
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in synchronize_rcu_expedited
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: OK
run #9: OK
representative crash: BUG: scheduling while atomic in text_poke_copy, types: [ATOMIC_SLEEP]

# git bisect good 51a8f31b939c21994f43e2d01e1a97719c8685df
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[989b0ff35fe5fc9652ee5bafbe8483db6f27b137] net: prevent mss overflow in skb_segment()
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit 989b0ff35fe5fc9652ee5bafbe8483db6f27b137 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5783b1f44847a13d46563cd921c529a3a92ab53358df018821630066510b321c
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: basic kernel testing failed: failed to copy binary to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor2892612127" "root@10.128.1.21:./syz-executor2892612127"]
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]

# git bisect good 989b0ff35fe5fc9652ee5bafbe8483db6f27b137
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[f3e975828636794a9d4cc27adb14a2f66592d414] bpf: Remove trace_printk_lock
determine whether the revision contains the guilty commit
revision 8c22b23a2778c9ab47f030b5eacf8d8c156115a7 crashed and is reachable
testing commit f3e975828636794a9d4cc27adb14a2f66592d414 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 72f90e609b4e922be1962f54b1392ea972abaf5b10f93bed438303e3c8aa6ca9
all runs: OK
false negative chance: 0.000

# git bisect bad f3e975828636794a9d4cc27adb14a2f66592d414
Bisecting: 0 revisions left to test after this (roughly 1 step)
[95b7476f6f68d725c474e3348e89436b0abde62a] bpf: Do cleanup in bpf_bprintf_cleanup only when needed
determine whether the revision contains the guilty commit
revision 9c84d580de3c6f816ab43373e21e421e5687e52e crashed and is reachable
testing commit 95b7476f6f68d725c474e3348e89436b0abde62a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 84b7c23becd43a8a7f5e370a71a222a8853287ebda895ad2640d0a6e5c8322b0
all runs: OK
false negative chance: 0.000

# git bisect bad 95b7476f6f68d725c474e3348e89436b0abde62a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f7bbad9561f32dda2c13f6c4d0ca77d301f1c123] bpf: Add struct for bin_args arg in bpf_bprintf_prepare
determine whether the revision contains the guilty commit
revision 309ef7de5d840e17607e7d65cbf297c0564433ef crashed and is reachable
testing commit f7bbad9561f32dda2c13f6c4d0ca77d301f1c123 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 41862102383860268a2607bd4555b0d65bf9aac29f26b6ce7435a23a95b0b68e
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in bit_wait_io
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: OK
run #9: OK
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]

# git bisect good f7bbad9561f32dda2c13f6c4d0ca77d301f1c123
95b7476f6f68d725c474e3348e89436b0abde62a is the first bad commit
commit 95b7476f6f68d725c474e3348e89436b0abde62a
Author: Jiri Olsa
Date:   Thu Dec 15 22:44:29 2022 +0100

    bpf: Do cleanup in bpf_bprintf_cleanup only when needed

    commit f19a4050455aad847fb93f18dc1fe502eb60f989 upstream.

    Currently we always cleanup/decrement bpf_bprintf_nest_level variable
    in bpf_bprintf_cleanup if it's > 0.

    There's possible scenario where this could cause a problem, when
    bpf_bprintf_prepare does not get bin_args buffer (because num_args is 0)
    and following bpf_bprintf_cleanup call decrements bpf_bprintf_nest_level
    variable, like:

      in task context:
        bpf_bprintf_prepare(num_args != 0) increments 'bpf_bprintf_nest_level = 1'
        -> first irq :
           bpf_bprintf_prepare(num_args == 0)
           bpf_bprintf_cleanup decrements 'bpf_bprintf_nest_level = 0'
        -> second irq:
           bpf_bprintf_prepare(num_args != 0) bpf_bprintf_nest_level = 1
           gets same buffer as task context above

    Adding check to bpf_bprintf_cleanup and doing the real cleanup only if
    we got bin_args data in the first place.

    Signed-off-by: Jiri Olsa
    Signed-off-by: Daniel Borkmann
    Acked-by: Yonghong Song
    Link: https://lore.kernel.org/bpf/20221215214430.1336195-3-jolsa@kernel.org
    Signed-off-by: Thadeu Lima de Souza Cascardo
    Signed-off-by: Greg Kroah-Hartman

 include/linux/bpf.h      |  2 +-
 kernel/bpf/helpers.c     | 16 +++++++++-------
 kernel/trace/bpf_trace.c |  6 +++---
 3 files changed, 13 insertions(+), 11 deletions(-)

accumulated error probability: 0.00
culprit signature: 84b7c23becd43a8a7f5e370a71a222a8853287ebda895ad2640d0a6e5c8322b0
parent signature: 41862102383860268a2607bd4555b0d65bf9aac29f26b6ce7435a23a95b0b68e
revisions tested: 20, total time: 3h45m14.920326165s (build: 49m48.904783026s, test: 2h48m57.223884082s)
first good commit: 95b7476f6f68d725c474e3348e89436b0abde62a bpf: Do cleanup in bpf_bprintf_cleanup only when needed
recipients (to): ["cascardo@igalia.com" "daniel@iogearbox.net" "gregkh@linuxfoundation.org" "jolsa@kernel.org" "yhs@fb.com"]
recipients (cc): []