bisecting fixing commit since 811218eceeaa7618652e1b8d11caeff67ab42072
building syzkaller on 98682e5e2aefc9aad61354f4f3ac93be96002a2a
testing commit 811218eceeaa7618652e1b8d11caeff67ab42072 with gcc (GCC) 8.4.1 20210217
kernel signature: df5d7d7da4af8ca6c683f25c9cb94d298e522d83d4cf665c83a22501d42df877
all runs: crashed: general protection fault in hsr_netdev_notify
testing current HEAD 9f84340f012ee60c12aacc03662bcdd67419a31a
testing commit 9f84340f012ee60c12aacc03662bcdd67419a31a with gcc (GCC) 8.4.1 20210217
kernel signature: 644bf5bd7718e25cc868d25c0a8f6b5cf5dfc35af794fe46fca547519b01c2da
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
revisions tested: 2, total time: 22m42.033072834s (build: 16m6.944721087s, test: 6m4.217051281s)
the crash still happens on HEAD
commit msg: Linux 4.19.196
crash: BUG: sleeping function called from invalid context in lock_sock_nested
device bond_slave_1 entered promiscuous mode
device ip6gretap0 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPVS: ftp: loaded support on port[0] = 21
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
BUG: sleeping function called from invalid context at net/core/sock.c:2863
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
in_atomic(): 1, irqs_disabled(): 0, pid: 8438, name: syz-executor.1
1 lock held by syz-executor.1/8438:
 #0: 00000000a9a9f518 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x361/0x5e0 net/bluetooth/hci_sock.c:756
Preemption disabled at:
[] hci_sock_dev_event+0x361/0x5e0 net/bluetooth/hci_sock.c:756
CPU: 0 PID: 8438 Comm: syz-executor.1 Not tainted 4.19.196-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 ___might_sleep.cold.15+0x1f1/0x265 kernel/sched/core.c:6192
 __might_sleep+0x95/0x190 kernel/sched/core.c:6145
 lock_sock_nested+0x24/0x100 net/core/sock.c:2863
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3e4/0x5e0 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x20b/0x890 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa6a/0x2d90 kernel/exit.c:870
 do_group_exit+0xf8/0x2c0 kernel/exit.c:967
 __do_sys_exit_group kernel/exit.c:978 [inline]
 __se_sys_exit_group kernel/exit.c:976 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:976
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x465d99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb1f4ad08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000064 RCX: 0000000000465d99
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 00000000004bbdc6 R08: 000000000000000c R09: 00000000022203bc
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000016
R13: 00007ffdb1f4bfe0 R14: 00000000022203bc R15: 00007ffdb1f4d0f0
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
bond0: This device is already a HSR slave.
IPVS: ftp: loaded support on port[0] = 21
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device ip6gretap0 entered promiscuous mode
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device ip6gretap0 entered promiscuous mode
bond0: This device is already a HSR slave.
bond0: This device is already a HSR slave.
chnl_net:caif_netlink_parms(): no params data found
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
Bluetooth: hci3: command 0x0409 tx timeout
Bluetooth: hci5: command 0x0409 tx timeout
Bluetooth: hci3: command 0x041b tx timeout
Bluetooth: hci0: command 0x0409 tx timeout
Bluetooth: hci1: command 0x0409 tx timeout
Bluetooth: hci5: command 0x041b tx timeout
Bluetooth: hci3: command 0x040f tx timeout
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
Bluetooth: hci0: command 0x041b tx timeout
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
device bond_slave_1 left promiscuous mode
bond0 (unregistering): Releasing backup interface bond_slave_0
Bluetooth: hci1: command 0x041b tx timeout
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 122 Comm: kworker/u4:2 Tainted: G W 4.19.196-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:hsr_netdev_notify+0x2db/0xa40 net/hsr/hsr_main.c:64
Code: 42 80 3c 20 00 0f 85 83 05 00 00 48 8b 1b 4c 39 fb 75 c4 31 db 4c 8d 73 10 48 b8 00 00 00 00 00 fc ff df 4c 89 f6 48 c1 ee 03 <80> 3c 06 00 0f 85 e5 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffff8880b53ff5b0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8880a1857080
RDX: 0000000000000001 RSI: 0000000000000002 RDI: ffff88809bb76220
RBP: ffff8880b53ff5e8 R08: 1ffff11016a30570 R09: fffffbfff14f2328
R10: fffffbfff14f2328 R11: ffffffff8a791947 R12: dffffc0000000000
R13: ffff8880ab478940 R14: 0000000000000010 R15: ffff8880a1857090
FS:  0000000000000000(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdc9994b000 CR3: 00000000a18c8000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 notifier_call_chain+0x8a/0x160 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x28/0x60 net/core/dev.c:1744
 call_netdevice_notifiers+0x67/0x90 net/core/dev.c:1762
 __bond_release_one+0xead/0x1410 drivers/net/bonding/bond_main.c:1982
 bond_slave_netdev_event drivers/net/bonding/bond_main.c:3154 [inline]
 bond_netdev_event+0x844/0x9b0 drivers/net/bonding/bond_main.c:3266
 notifier_call_chain+0x8a/0x160 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x28/0x60 net/core/dev.c:1744
 call_netdevice_notifiers net/core/dev.c:1762 [inline]
 rollback_registered_many+0x5ca/0xbe0 net/core/dev.c:8188
 unregister_netdevice_many+0x3e/0x1f0 net/core/dev.c:9316
 default_device_exit_batch+0x2e4/0x3d0 net/core/dev.c:9787
 ops_exit_list.isra.0+0xd3/0x120 net/core/net_namespace.c:156
 cleanup_net+0x368/0x850 net/core/net_namespace.c:553
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
---[ end trace dce4e4dbcaa9da67 ]---
Bluetooth: hci5: command 0x040f tx timeout
RIP: 0010:hsr_netdev_notify+0x2db/0xa40 net/hsr/hsr_main.c:64
Code: 42 80 3c 20 00 0f 85 83 05 00 00 48 8b 1b 4c 39 fb 75 c4 31 db 4c 8d 73 10 48 b8 00 00 00 00 00 fc ff df 4c 89 f6 48 c1 ee 03 <80> 3c 06 00 0f 85 e5 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffff8880b53ff5b0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8880a1857080
RDX: 0000000000000001 RSI: 0000000000000002 RDI: ffff88809bb76220
RBP: ffff8880b53ff5e8 R08: 1ffff11016a30570 R09: fffffbfff14f2328
R10: fffffbfff14f2328 R11: ffffffff8a791947 R12: dffffc0000000000
R13: ffff8880ab478940 R14: 0000000000000010 R15: ffff8880a1857090
FS:  0000000000000000(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdc9994b000 CR3: 00000000a18c8000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400