bisecting cause commit starting from 27bba9c532a8d21050b94224ffd310ad0058c353
building syzkaller on 680688040fc26d17a49a9663fbbd6a716c6247b6
testing commit 27bba9c532a8d21050b94224ffd310ad0058c353 with gcc (GCC) 8.1.0
kernel signature: 9ec59a4abdb1d3fa26c2a65bd8918d601297071294524262693bb44b01510637
all runs: crashed: inconsistent lock state in io_file_data_ref_zero
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0
kernel signature: 934f0a134532bbbd345c7e8b605e59600f755e76ac937b8aa8fb348b839f419b
all runs: OK
# git bisect start 27bba9c532a8d21050b94224ffd310ad0058c353 bbf5c979011a099af5dc76498918ed7df445635b
Bisecting: 8583 revisions left to test after this (roughly 13 steps)
[4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions
testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 8.1.0
kernel signature: f516cdde94a64662621805b57d241f61efba079163a3e86b24d39afe19b15a4c
all runs: OK
# git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be
Bisecting: 4262 revisions left to test after this (roughly 12 steps)
[38525c6919e2f6b27c1855905f342a0def3cbdcf] Merge tag 'for-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 38525c6919e2f6b27c1855905f342a0def3cbdcf with gcc (GCC) 8.1.0
kernel signature: 7bf74169b52180b2f8671dd7c70ae64605d6fabac4484d8f35318d60f15aeea5
all runs: OK
# git bisect good 38525c6919e2f6b27c1855905f342a0def3cbdcf
Bisecting: 1867 revisions left to test after this (roughly 11 steps)
[e533cda12d8f0e7936354bafdc85c81741f805d2] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit e533cda12d8f0e7936354bafdc85c81741f805d2 with gcc (GCC) 8.1.0
kernel signature: b809db3aea8f366d3fa308c7acf7d6eb4639374d4802e7aef12b702306b45b1e
all runs: OK
# git bisect good e533cda12d8f0e7936354bafdc85c81741f805d2
Bisecting: 939 revisions left to test after this (roughly 10 steps)
[fc7b66ef076644dd646eb9f11563684edc479649] Merge tag 'drm-fixes-2020-11-06-1' of git://anongit.freedesktop.org/drm/drm
testing commit fc7b66ef076644dd646eb9f11563684edc479649 with gcc (GCC) 8.1.0
kernel signature: d92fd9e94b6062860ee7f50ca8c8a8776a96d9a3b9f16981ebecb10b1684e510
run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect bad fc7b66ef076644dd646eb9f11563684edc479649
Bisecting: 463 revisions left to test after this (roughly 9 steps)
[67ff377bc30cd4eb91f0454adb9dcb1f4de280f2] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 67ff377bc30cd4eb91f0454adb9dcb1f4de280f2 with gcc (GCC) 8.1.0
kernel signature: 1229582cdd8e627ce625f021c0fa483dba75c4c8e734838b872ad64f250afd09
all runs: OK
# git bisect good 67ff377bc30cd4eb91f0454adb9dcb1f4de280f2
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[4ef8451b332662d004df269d4cdeb7d9f31419b5] Merge tag 'perf-tools-for-v5.10-2020-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
testing commit 4ef8451b332662d004df269d4cdeb7d9f31419b5 with gcc (GCC) 8.1.0
kernel signature: 02d55375427ef8360271ef0636931afac1d7740ea323df1bf33488b1379ef55c
all runs: OK
# git bisect good 4ef8451b332662d004df269d4cdeb7d9f31419b5
Bisecting: 94 revisions left to test after this (roughly 7 steps)
[41f16530241405819ae5644b6544965ab124bbda] Merge tag 'net-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 41f16530241405819ae5644b6544965ab124bbda with gcc (GCC) 8.1.0
kernel signature: 1a6f5171b58aea90e19e8ae2f5dd00f6efed8c8283cc37f0cdbda5adad57495c
run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 41f16530241405819ae5644b6544965ab124bbda
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[ac6f929d74bad5e9e352aec936aeba0638bf560c] Merge tag 'linux-can-fixes-for-5.10-20201103' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
testing commit ac6f929d74bad5e9e352aec936aeba0638bf560c with gcc (GCC) 8.1.0
kernel signature: 2f00250e1910b6858d16b3ded2832a445f791fdf479ab3c4c8491a05d18b79da
run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad ac6f929d74bad5e9e352aec936aeba0638bf560c
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[e16b874ee87aa70cd0a7145346ff5f41349b514c] mptcp: token: fix unititialized variable
testing commit e16b874ee87aa70cd0a7145346ff5f41349b514c with gcc (GCC) 8.1.0
kernel signature: 493c0e51f6f6bc6e788c6e7fb793c86a635e0311f7aa510ce4439aa310f04933
run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e16b874ee87aa70cd0a7145346ff5f41349b514c
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[859191b234f86b5f36cbe384baca1067a2221eb7] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit 859191b234f86b5f36cbe384baca1067a2221eb7 with gcc (GCC) 8.1.0
kernel signature: c0cbd4ed772592c85cd3484367b60b34d6dea8bf6c0ba9087f26818008817ddc
all runs: OK
# git bisect good 859191b234f86b5f36cbe384baca1067a2221eb7
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[04a55c944f151b3149b78beff5ff406faa84485d] Merge tag 'mac80211-for-net-2020-10-30' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
testing commit 04a55c944f151b3149b78beff5ff406faa84485d with gcc (GCC) 8.1.0
kernel signature: 6fa6000a9611a5f67bc9954dca1a51e1a5b9ea53f9375458d8e76457a5616f05
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 04a55c944f151b3149b78beff5ff406faa84485d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[dcd479e10a0510522a5d88b29b8f79ea3467d501] mac80211: always wind down STA state
testing commit dcd479e10a0510522a5d88b29b8f79ea3467d501 with gcc (GCC) 8.1.0
kernel signature: 3088433d80284d394ed4d091db31eae5b2f6dc7bd7ee0e959a00d7de628039dd
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad dcd479e10a0510522a5d88b29b8f79ea3467d501
Bisecting: 1 revision left to test after this (roughly 1 step)
[14f46c1e5108696ec1e5a129e838ecedf108c7bf] mac80211: fix use of skb payload instead of header
testing commit 14f46c1e5108696ec1e5a129e838ecedf108c7bf with gcc (GCC) 8.1.0
kernel signature: 97b254c88c531878b822df6e6de31114b36f0d0a833b8a8a033f7ef0d20489fe
all runs: OK
# git bisect good 14f46c1e5108696ec1e5a129e838ecedf108c7bf
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9bdaf3b91efd229dd272b228e13df10310c80d19] cfg80211: initialize wdev data earlier
testing commit 9bdaf3b91efd229dd272b228e13df10310c80d19 with gcc (GCC) 8.1.0
kernel signature: 72a60f954afa4aca6874a5c19dd518c808ce22951a27a946d2aec91ac79a5015
all runs: OK
# git bisect good 9bdaf3b91efd229dd272b228e13df10310c80d19
dcd479e10a0510522a5d88b29b8f79ea3467d501 is the first bad commit
commit dcd479e10a0510522a5d88b29b8f79ea3467d501
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Oct 9 14:17:11 2020 +0200

    mac80211: always wind down STA state
    
    When (for example) an IBSS station is pre-moved to AUTHORIZED
    before it's inserted, and then the insertion fails, we don't
    clean up the fast RX/TX states that might already have been
    created, since we don't go through all the state transitions
    again on the way down.
    
    Do that, if it hasn't been done already, when the station is
    freed. I considered only freeing the fast TX/RX state there,
    but we might add more state so it's more robust to wind down
    the state properly.
    
    Note that we warn if the station was ever inserted, it should
    have been properly cleaned up in that case, and the driver
    will probably not like things happening out of order.
    
    Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/mac80211/sta_info.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
culprit signature: 3088433d80284d394ed4d091db31eae5b2f6dc7bd7ee0e959a00d7de628039dd
parent  signature: 72a60f954afa4aca6874a5c19dd518c808ce22951a27a946d2aec91ac79a5015
Reproducer flagged being flaky
revisions tested: 16, total time: 3h37m45.9041878s (build: 1h9m24.396763504s, test: 2h26m54.348939061s)
first bad commit: dcd479e10a0510522a5d88b29b8f79ea3467d501 mac80211: always wind down STA state
recipients (to): ["davem@davemloft.net" "johannes.berg@intel.com" "johannes@sipsolutions.net" "kuba@kernel.org" "linux-wireless@vger.kernel.org" "netdev@vger.kernel.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: BUG: sleeping function called from invalid context in sta_info_move_state
BUG: sleeping function called from invalid context at net/mac80211/sta_info.c:1962
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 465, name: kworker/u4:4
4 locks held by kworker/u4:4/465:
 #0: ffff8881423e2538 ((wq_completion)phy12){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline]
 #0: ffff8881423e2538 ((wq_completion)phy12){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: ffff8881423e2538 ((wq_completion)phy12){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243
 #1: ffffc90000e03e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline]
 #1: ffffc90000e03e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #1: ffffc90000e03e70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1e6/0x600 kernel/workqueue.c:2243
 #2: ffff88811f304d00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline]
 #2: ffff88811f304d00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x420 net/mac80211/ibss.c:1683
 #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline]
 #3: ffffffff84bf1e40 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1c2/0xde0 net/mac80211/sta_info.c:732
Preemption disabled at:
[<ffffffff835f28c0>] __mutex_lock_common kernel/locking/mutex.c:955 [inline]
[<ffffffff835f28c0>] __mutex_lock+0x70/0x9f0 kernel/locking/mutex.c:1103
CPU: 1 PID: 465 Comm: kworker/u4:4 Not tainted 5.10.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy12 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x77/0x97 lib/dump_stack.c:118
 ___might_sleep.cold.110+0xf2/0x106 kernel/sched/core.c:7298
 sta_info_move_state+0x1a/0x2b0 net/mac80211/sta_info.c:1962
 sta_info_free+0x11/0xd0 net/mac80211/sta_info.c:274
 sta_info_insert_rcu+0xd4/0xde0 net/mac80211/sta_info.c:738
 ieee80211_ibss_finish_sta+0x9e/0x120 net/mac80211/ibss.c:592
 ieee80211_ibss_work+0x10a/0x420 net/mac80211/ibss.c:1700
 process_one_work+0x273/0x600 kernel/workqueue.c:2272
 worker_thread+0x38/0x380 kernel/workqueue.c:2418
 kthread+0x144/0x170 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296