ci starts bisection 2023-01-18 07:39:21.407368917 +0000 UTC m=+37957.619660986 bisecting cause commit starting from 010a74f52203eae037dd6aa111ba371f6a2dedc5 building syzkaller on 42660d9e113db4d2fa3b56b27eb9e5209219da64 ensuring issue is reproducible on original commit 010a74f52203eae037dd6aa111ba371f6a2dedc5 testing commit 010a74f52203eae037dd6aa111ba371f6a2dedc5 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f79cff30bff982eddd2d10cc2fb8553fd953a8ff74b79a2d9f6e3f8db70b34d5 all runs: crashed: BUG: scheduling while atomic in msleep testing release v6.1 testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6cf387d22f1ed7ffe9f6b204374c400b799e386075f6882f8e7057d503d65427 all runs: OK # git bisect start 010a74f52203eae037dd6aa111ba371f6a2dedc5 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 Bisecting: 7841 revisions left to test after this (roughly 13 steps) [1ca06f1c1acecbe02124f14a37cce347b8c1a90c] Merge tag 'xtensa-20221213' of https://github.com/jcmvbkbc/linux-xtensa testing commit 1ca06f1c1acecbe02124f14a37cce347b8c1a90c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 07bff96950bd6a8378e316e4bbde729ae46ae30c47d5e7926e0b03400928a79e all runs: OK # git bisect good 1ca06f1c1acecbe02124f14a37cce347b8c1a90c Bisecting: 3741 revisions left to test after this (roughly 12 steps) [8fa590bf344816c925810331eea8387627bbeb40] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit 8fa590bf344816c925810331eea8387627bbeb40 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7659fbab2d1ea8791d5e7269bf3e62b3baf8e004691d782be716f57af169619e all runs: OK # git bisect good 8fa590bf344816c925810331eea8387627bbeb40 Bisecting: 1869 revisions left to test after this (roughly 11 steps) [96bab5b926e4c2d970f70495f4554f905babd09d] Merge tag 'csky-for-linus-6.2-rc1' of https://github.com/c-sky/csky-linux testing commit 96bab5b926e4c2d970f70495f4554f905babd09d gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ea733b9b783dcdc53608bd88a024db02814da1af7c695180726174e8165fd745 all runs: OK # git bisect good 96bab5b926e4c2d970f70495f4554f905babd09d Bisecting: 931 revisions left to test after this (roughly 10 steps) [0a924817d2ed9396401e0557c6134276d2e26382] Merge tag '6.2-rc-smb3-client-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 testing commit 0a924817d2ed9396401e0557c6134276d2e26382 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0454cd126da986bb849bde45725b9ae69c8c27c9105200b4aadf0648b0b9039a all runs: OK # git bisect good 0a924817d2ed9396401e0557c6134276d2e26382 Bisecting: 469 revisions left to test after this (roughly 9 steps) [aa01a183924fdf2ab05eb6e44c256aaf8a786d3c] Merge tag 'gpio-fixes-for-v6.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux testing commit aa01a183924fdf2ab05eb6e44c256aaf8a786d3c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1f917ad70fd79908855de2829932fd878aa2e139f4ef197128d3a7e54222e1a3 all runs: OK # git bisect good aa01a183924fdf2ab05eb6e44c256aaf8a786d3c Bisecting: 231 revisions left to test after this (roughly 8 steps) [f18fca98ac1622220dfdf795fefa91dc52d3707d] Merge tag '6.2-rc2-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 testing commit f18fca98ac1622220dfdf795fefa91dc52d3707d gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8f877279022d62ead3fc59b8a4177191357a3212533192a2961fb6fd2e56da90 all runs: OK # git bisect good f18fca98ac1622220dfdf795fefa91dc52d3707d Bisecting: 123 revisions left to test after this (roughly 7 steps) [5be413a6e2a16e08c8f0f1b59794a7203b5eca2c] Merge tag 's390-6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux testing commit 5be413a6e2a16e08c8f0f1b59794a7203b5eca2c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 failed to run ["make" "-j" "64" "ARCH=x86_64" "bzImage"]: exit status 2 # git bisect skip 5be413a6e2a16e08c8f0f1b59794a7203b5eca2c Bisecting: 123 revisions left to test after this (roughly 7 steps) [ea44242bbfcde2993fb27ec7c3ad5ab5cc39e438] scsi: hisi_sas: Fix tag freeing for reserved tags testing commit ea44242bbfcde2993fb27ec7c3ad5ab5cc39e438 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 21eff90abbaa67dc866a944a79a1467a9000b02d8fd49bc9518ddd7bea09bd44 all runs: OK # git bisect good ea44242bbfcde2993fb27ec7c3ad5ab5cc39e438 Bisecting: 123 revisions left to test after this (roughly 7 steps) [a7b19c603e0ca156fb2422017a053d5d48fc769b] Merge tag 'perf-urgent-2023-01-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit a7b19c603e0ca156fb2422017a053d5d48fc769b gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0bb8c2adb5c9036e6ed1967fbaa5fcca328b935cd2e652ee3eb22ed48b2460e4 all runs: OK # git bisect good a7b19c603e0ca156fb2422017a053d5d48fc769b Bisecting: 71 revisions left to test after this (roughly 6 steps) [be53771c87f4e322a9835d3faa9cd73a4ecdec5b] r8152: add vendor/device ID pair for Microsoft Devkit testing commit be53771c87f4e322a9835d3faa9cd73a4ecdec5b gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2407203fb379578f7abb51aa5d997c55e78124646831aa730f8d1a74097b7284 all runs: OK # git bisect good be53771c87f4e322a9835d3faa9cd73a4ecdec5b Bisecting: 35 revisions left to test after this (roughly 5 steps) [6bc1fe7dd748ba5e76e7917d110837cafe7b931c] mptcp: explicitly specify sock family at subflow creation time testing commit 6bc1fe7dd748ba5e76e7917d110837cafe7b931c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 119a8e02eded1ab1799e34706ab8abeec14b2a54a56be51ddcec526815c7b345 all runs: OK # git bisect good 6bc1fe7dd748ba5e76e7917d110837cafe7b931c Bisecting: 17 revisions left to test after this (roughly 4 steps) [2185e0fdbb2137f22a9dd9fcbf6481400d56299b] Bluetooth: Fix a buffer overflow in mgmt_mesh_add() testing commit 2185e0fdbb2137f22a9dd9fcbf6481400d56299b gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 88a2c9d8e4978f4350cec951500e233cc32057a35ac2bbaff93f99a5cb676eab all runs: crashed: BUG: scheduling while atomic in msleep # git bisect bad 2185e0fdbb2137f22a9dd9fcbf6481400d56299b Bisecting: 8 revisions left to test after this (roughly 3 steps) [21705c771934f24cab8beb554e3b7f40e3511ad7] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf testing commit 21705c771934f24cab8beb554e3b7f40e3511ad7 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1d50f679b313716fee17088af124123342463b706b1a89a570815ef548974ffc all runs: OK # git bisect good 21705c771934f24cab8beb554e3b7f40e3511ad7 Bisecting: 4 revisions left to test after this (roughly 2 steps) [4101971aaf0989b9ad04ea4c37c72645a6cc3ce4] Merge branch 'l2tp-races' testing commit 4101971aaf0989b9ad04ea4c37c72645a6cc3ce4 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cfca7ba8d557f0f82b7fe8e849adcb7546ee40f55c48d028efaa65f512c0ee68 all runs: crashed: BUG: scheduling while atomic in msleep # git bisect bad 4101971aaf0989b9ad04ea4c37c72645a6cc3ce4 Bisecting: 1 revision left to test after this (roughly 1 step) [c4d48a58f32c5972174a1d01c33b296fe378cce0] l2tp: convert l2tp_tunnel_list to idr testing commit c4d48a58f32c5972174a1d01c33b296fe378cce0 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 064173eb87a803c5863a008f232081f563862afce3adef025c5c4fe5d55eabe8 all runs: crashed: BUG: scheduling while atomic in msleep # git bisect bad c4d48a58f32c5972174a1d01c33b296fe378cce0 Bisecting: 0 revisions left to test after this (roughly 0 steps) [3a415d59c1dbec9d772dbfab2d2520d98360caae] net/sched: sch_taprio: fix possible use-after-free testing commit 3a415d59c1dbec9d772dbfab2d2520d98360caae gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8dd9495368bcc933c28c9aad0b854c4ae854b0831009370a3b4dac908150de86 all runs: crashed: BUG: scheduling while atomic in msleep # git bisect bad 3a415d59c1dbec9d772dbfab2d2520d98360caae 3a415d59c1dbec9d772dbfab2d2520d98360caae is the first bad commit commit 3a415d59c1dbec9d772dbfab2d2520d98360caae Author: Eric Dumazet Date: Fri Jan 13 16:48:49 2023 +0000 net/sched: sch_taprio: fix possible use-after-free syzbot reported a nasty crash [1] in net_tx_action() which made little sense until we got a repro. This repro installs a taprio qdisc, but providing an invalid TCA_RATE attribute. qdisc_create() has to destroy the just initialized taprio qdisc, and taprio_destroy() is called. However, the hrtimer used by taprio had already fired, therefore advance_sched() called __netif_schedule(). Then net_tx_action was trying to use a destroyed qdisc. We can not undo the __netif_schedule(), so we must wait until one cpu serviced the qdisc before we can proceed. Many thanks to Alexander Potapenko for his help. [1] BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline] BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline] BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline] BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline] do_raw_spin_trylock include/linux/spinlock.h:191 [inline] __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline] _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 spin_trylock include/linux/spinlock.h:359 [inline] qdisc_run_begin include/net/sch_generic.h:187 [inline] qdisc_run+0xee/0x540 include/net/pkt_sched.h:125 net_tx_action+0x77c/0x9a0 net/core/dev.c:5086 __do_softirq+0x1cc/0x7fb kernel/softirq.c:571 run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934 smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164 kthread+0x31b/0x430 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 Uninit was created at: slab_post_alloc_hook mm/slab.h:732 [inline] slab_alloc_node mm/slub.c:3258 [inline] __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970 kmalloc_reserve net/core/skbuff.c:358 [inline] __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430 alloc_skb include/linux/skbuff.h:1257 [inline] nlmsg_new include/net/netlink.h:953 [inline] netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436 netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507 rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536 __sys_sendmsg net/socket.c:2565 [inline] __do_sys_sendmsg net/socket.c:2574 [inline] __se_sys_sendmsg net/socket.c:2572 [inline] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Alexander Potapenko Cc: Vinicius Costa Gomes Signed-off-by: David S. Miller include/net/sch_generic.h | 7 +++++++ net/sched/sch_taprio.c | 3 +++ 2 files changed, 10 insertions(+) culprit signature: 8dd9495368bcc933c28c9aad0b854c4ae854b0831009370a3b4dac908150de86 parent signature: 1d50f679b313716fee17088af124123342463b706b1a89a570815ef548974ffc revisions tested: 17, total time: 5h20m52.645276765s (build: 2h46m17.198513846s, test: 2h29m56.724256048s) first bad commit: 3a415d59c1dbec9d772dbfab2d2520d98360caae net/sched: sch_taprio: fix possible use-after-free recipients (to): ["davem@davemloft.net" "davem@davemloft.net" "edumazet@google.com" "edumazet@google.com" "jhs@mojatatu.com" "jiri@resnulli.us" "kuba@kernel.org" "netdev@vger.kernel.org" "pabeni@redhat.com" "vinicius.gomes@intel.com" "xiyou.wangcong@gmail.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: BUG: scheduling while atomic in msleep BUG: scheduling while atomic: syz-executor.0/5608/0x00000202 2 locks held by syz-executor.0/5608: #0: ffffffff8cfee0a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:75 [inline] #0: ffffffff8cfee0a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x2e6/0x9a0 net/core/rtnetlink.c:6138 #1: ffff88807938f108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:355 [inline] #1: ffff88807938f108 (&sch->q.lock){+.-.}-{2:2}, at: dev_reset_queue+0x6f/0x120 net/sched/sch_generic.c:1283 Modules linked in: Preemption disabled at: [<0000000000000000>] 0x0 Kernel panic - not syncing: scheduling while atomic: panic_on_warn set ... CPU: 1 PID: 5608 Comm: syz-executor.0 Not tainted 6.2.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x5b/0x81 lib/dump_stack.c:106 panic+0x21d/0x457 kernel/panic.c:318 check_panic_on_warn.cold+0x14/0x2b kernel/panic.c:238 __schedule_bug.cold+0xd5/0xfe kernel/sched/core.c:5836 schedule_debug kernel/sched/core.c:5865 [inline] __schedule+0x3658/0x5410 kernel/sched/core.c:6500 schedule+0xde/0x1b0 kernel/sched/core.c:6682 schedule_timeout+0x121/0x260 kernel/time/timer.c:2167 schedule_timeout_uninterruptible kernel/time/timer.c:2201 [inline] msleep+0x90/0xc0 kernel/time/timer.c:2322 qdisc_synchronize include/net/sch_generic.h:1295 [inline] taprio_reset+0x8a/0x210 net/sched/sch_taprio.c:1703 qdisc_reset+0xd8/0x8a0 net/sched/sch_generic.c:1022 dev_reset_queue+0x77/0x120 net/sched/sch_generic.c:1285 netdev_for_each_tx_queue include/linux/netdevice.h:2464 [inline] dev_deactivate_many+0x2c8/0x7e0 net/sched/sch_generic.c:1351 dev_deactivate+0xcf/0x180 net/sched/sch_generic.c:1374 qdisc_graft+0xac7/0xf90 net/sched/sch_api.c:1080 tc_modify_qdisc+0x8ed/0x1630 net/sched/sch_api.c:1689 rtnetlink_rcv_msg+0x331/0x9a0 net/core/rtnetlink.c:6141 netlink_rcv_skb+0x12a/0x390 net/netlink/af_netlink.c:2564 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline] netlink_unicast+0x437/0x710 net/netlink/af_netlink.c:1356 netlink_sendmsg+0x786/0xc30 net/netlink/af_netlink.c:1932 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xaf/0xe0 net/socket.c:734 ____sys_sendmsg+0x5f7/0x8a0 net/socket.c:2476 ___sys_sendmsg+0xdb/0x160 net/socket.c:2530 __sys_sendmsg+0xc7/0x160 net/socket.c:2559 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ff24508c0c9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff245d76168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007ff2451abf80 RCX: 00007ff24508c0c9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004 RBP: 00007ff2450e7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffedb2be51f R14: 00007ff245d76300 R15: 0000000000022000 Kernel Offset: disabled Rebooting in 86400 seconds..