bisecting fixing commit since b98aebd298246df37b472c52a2ee1023256d02e3 building syzkaller on d0686497a9ccb558957ad69ffc9577dd80031b29 testing commit b98aebd298246df37b472c52a2ee1023256d02e3 with gcc (GCC) 8.1.0 kernel signature: 4b2abf8a4742c0e6efcb982afef0822852e852bfee8715716178994f1b3449a5 all runs: crashed: BUG: sleeping function called from invalid context in htb_destroy testing current HEAD 4520f06b03ae667e442da1ab9351fd28cd7ac598 testing commit 4520f06b03ae667e442da1ab9351fd28cd7ac598 with gcc (GCC) 8.1.0 kernel signature: 758cb320e0cf3285d6b2b7463d6b0fae65a33a00e5bfab94a4f7b5d9d17d20c3 run #0: crashed: BUG: sleeping function called from invalid context in htb_destroy run #1: crashed: BUG: sleeping function called from invalid context in htb_destroy run #2: crashed: BUG: sleeping function called from invalid context in htb_destroy run #3: crashed: BUG: sleeping function called from invalid context in htb_destroy run #4: crashed: BUG: sleeping function called from invalid context in htb_destroy run #5: crashed: BUG: sleeping function called from invalid context in htb_destroy run #6: crashed: BUG: sleeping function called from invalid context in htb_destroy run #7: crashed: BUG: sleeping function called from invalid context in htb_destroy run #8: crashed: BUG: sleeping function called from invalid context in htb_destroy run #9: OK revisions tested: 2, total time: 37m2.381412976s (build: 16m26.350698716s, test: 19m58.1000419s) the crash still happens on HEAD commit msg: Linux 4.14.175 crash: BUG: sleeping function called from invalid context in htb_destroy bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves IPVS: ftp: loaded support on port[0] = 21 BUG: sleeping function called from invalid context at kernel/workqueue.c:2824 in_atomic(): 1, irqs_disabled(): 0, pid: 17811, name: syz-executor401 2 locks held by syz-executor401/17811: #0: (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x2c1/0x9d0 net/core/rtnetlink.c:4310 #1: (&qdisc_rx_lock){+...}, at: [] spin_lock_bh include/linux/spinlock.h:322 [inline] #1: (&qdisc_rx_lock){+...}, at: [] sch_tree_lock include/net/sch_generic.h:360 [inline] #1: (&qdisc_rx_lock){+...}, at: [] red_change+0x373/0x1740 net/sched/sch_red.c:199 Preemption disabled at: [] spin_lock_bh include/linux/spinlock.h:322 [inline] [] sch_tree_lock include/net/sch_generic.h:360 [inline] [] red_change+0x373/0x1740 net/sched/sch_red.c:199 CPU: 1 PID: 17811 Comm: syz-executor401 Not tainted 4.14.175-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xf7/0x13b lib/dump_stack.c:58 ___might_sleep.cold.86+0x1bb/0x1f4 kernel/sched/core.c:6041 __might_sleep+0x93/0xb0 kernel/sched/core.c:5994 start_flush_work kernel/workqueue.c:2824 [inline] flush_work+0xc4/0x720 kernel/workqueue.c:2892 __cancel_work_timer+0x286/0x420 kernel/workqueue.c:2964 cancel_work_sync+0xb/0x10 kernel/workqueue.c:3000 htb_destroy+0x20/0x480 net/sched/sch_htb.c:1246 qdisc_destroy+0x123/0x2d0 net/sched/sch_generic.c:725 red_change+0x6fb/0x1740 net/sched/sch_red.c:205 qdisc_change net/sched/sch_api.c:1144 [inline] tc_modify_qdisc+0xb55/0x13eb net/sched/sch_api.c:1410 rtnetlink_rcv_msg+0x34f/0x9d0 net/core/rtnetlink.c:4315 netlink_rcv_skb+0x133/0x370 net/netlink/af_netlink.c:2433 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4327 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline] netlink_unicast+0x40d/0x5f0 net/netlink/af_netlink.c:1313 netlink_sendmsg+0x730/0xbd0 net/netlink/af_netlink.c:1878 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:656 ___sys_sendmsg+0x625/0x920 net/socket.c:2062 __sys_sendmsg+0xc1/0x140 net/socket.c:2096 SYSC_sendmsg net/socket.c:2107 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2103 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x4464c9 RSP: 002b:00007f4d3cbf4d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004464c9 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004 RBP: 00000000006dbc50 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000006dbc5c R13: 00000000004aea84 R14: b35d2484a6425def R15: 10eb52a57aaf8377