bisecting cause commit starting from 03c312cc5f473c220fd2c80f7f5d32ed24005dd4 building syzkaller on b270611864ec905fee493d0535175fc614201850 testing commit 03c312cc5f473c220fd2c80f7f5d32ed24005dd4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e27fafb14cf54e4dc326b3c381fd3d42f50aadcd859d2693ebc026cd6fec84ae run #0: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #1: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #2: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #3: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #4: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #5: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #6: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #7: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #8: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #9: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #10: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #11: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #12: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #13: boot failed: INFO: task hung in add_early_randomness run #14: boot failed: INFO: task hung in add_early_randomness run #15: boot failed: INFO: task hung in add_early_randomness run #16: boot failed: INFO: task hung in add_early_randomness run #17: boot failed: INFO: task hung in add_early_randomness run #18: boot failed: INFO: task hung in add_early_randomness run #19: boot failed: INFO: task hung in add_early_randomness testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3308eaddc1950d0619b4781f850a9c755ea28dcaccf6737f697c689c0f240fb6 all runs: OK # git bisect start 03c312cc5f473c220fd2c80f7f5d32ed24005dd4 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 7920 revisions left to test after this (roughly 13 steps) [c011dd537ffe47462051930413fed07dbdc80313] Merge tag 'arm-soc-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit c011dd537ffe47462051930413fed07dbdc80313 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9f73d19cc34f154c50c5e717b440a17280304a6204ebab6971fbf430b60ca433 all runs: OK # git bisect good c011dd537ffe47462051930413fed07dbdc80313 Bisecting: 3966 revisions left to test after this (roughly 12 steps) [176882156ae6d63a81fe7f01ea6fe65ab6b52105] Merge tag 'vfio-v5.19-rc1' of https://github.com/awilliam/linux-vfio testing commit 176882156ae6d63a81fe7f01ea6fe65ab6b52105 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9b1fb52aee5ea1b0da992a052e2ec5c660d75b894dcb35d10e3346648d2c6da8 all runs: OK # git bisect good 176882156ae6d63a81fe7f01ea6fe65ab6b52105 Bisecting: 1983 revisions left to test after this (roughly 11 steps) [952923ddc01120190dcf671e7b354364ce1d1362] Merge tag 'pull-18-rc1-work.namei' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 952923ddc01120190dcf671e7b354364ce1d1362 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7d01942ca84207b19f482af85fc05f5b2bb94f793cc4892f0c81fbcb50a68170 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 952923ddc01120190dcf671e7b354364ce1d1362 Bisecting: 989 revisions left to test after this (roughly 10 steps) [2b0812a4ee4b428fa8171c4b911efb1e02b59987] Merge branch 'for-linux-next' of git://anongit.freedesktop.org/drm-intel testing commit 2b0812a4ee4b428fa8171c4b911efb1e02b59987 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 032bf4dd55a4c9262f9a08be9bec53d429f2ec0ab941a4e44851b1fee576cb89 run #0: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #1: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #2: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #3: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #4: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #5: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect bad 2b0812a4ee4b428fa8171c4b911efb1e02b59987 Bisecting: 496 revisions left to test after this (roughly 9 steps) [7ad0bde50005ec4c11e99b5759b1b2ccbe986ea9] Merge branch 'fscache-next' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git testing commit 7ad0bde50005ec4c11e99b5759b1b2ccbe986ea9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4a37662f682cc427483ccbb8946342bd82546eed5342cee3a9911c501530abd3 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 7ad0bde50005ec4c11e99b5759b1b2ccbe986ea9 Bisecting: 233 revisions left to test after this (roughly 8 steps) [f2f6675da8fe5e90ec57ea7ac4a6cf81218df0bd] Merge branch 'hwmon-next' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git testing commit f2f6675da8fe5e90ec57ea7ac4a6cf81218df0bd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 44d110f452987e527b6fa062bafb13bfe62bfd2db48713b143de15a2c409a20e run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good f2f6675da8fe5e90ec57ea7ac4a6cf81218df0bd Bisecting: 103 revisions left to test after this (roughly 7 steps) [d5ad937caa33a7f89824f60741313564ea4e1b60] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git testing commit d5ad937caa33a7f89824f60741313564ea4e1b60 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7b82290827a92033d13c4f7d7967a06651a75f9e3db6344186b5f066f1318647 run #0: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #1: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #2: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #3: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #4: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #5: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #6: crashed: BUG: sleeping function called from invalid context in sock_map_destroy run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect bad d5ad937caa33a7f89824f60741313564ea4e1b60 Bisecting: 53 revisions left to test after this (roughly 6 steps) [b17c59f5e54a8f6b340044c7b41b13089b220fdd] Merge branch 'thermal/linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux.git testing commit b17c59f5e54a8f6b340044c7b41b13089b220fdd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4b646b9605988c5f626a0860d56d14f4f4f1e5f02dd0e0eb258e403ec41509fa run #0: OK run #1: OK run #2: OK run #3: OK run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good b17c59f5e54a8f6b340044c7b41b13089b220fdd Bisecting: 26 revisions left to test after this (roughly 5 steps) [611edf1bacc51355ccb497915695db7f869cb382] libbpf: Fix is_pow_of_2 testing commit 611edf1bacc51355ccb497915695db7f869cb382 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a83e20877751c9486575f086bd7d9d48cf63fe595c7bde277ddd65d1f3d08f22 all runs: crashed: BUG: sleeping function called from invalid context in sock_map_destroy # git bisect bad 611edf1bacc51355ccb497915695db7f869cb382 Bisecting: 13 revisions left to test after this (roughly 4 steps) [1ba5ad36e00f46e3f7676f5de6b87f5a2f57f1f1] bpftool: Use libbpf_bpf_attach_type_str testing commit 1ba5ad36e00f46e3f7676f5de6b87f5a2f57f1f1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7f458b7cdc4afeb4745f7d526069d1ac4117b513955bf7ce8551a9257556d721 all runs: OK # git bisect good 1ba5ad36e00f46e3f7676f5de6b87f5a2f57f1f1 Bisecting: 6 revisions left to test after this (roughly 3 steps) [4c46091ee985ae84c60c5e95055d779fcd291d87] bpf: Fix KASAN use-after-free Read in compute_effective_progs testing commit 4c46091ee985ae84c60c5e95055d779fcd291d87 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1af5fcb2f707c56d7f9ecbaf9d67261f6df053a622ca19bc1b98f3ca8ea60066 all runs: OK # git bisect good 4c46091ee985ae84c60c5e95055d779fcd291d87 Bisecting: 3 revisions left to test after this (roughly 2 steps) [d8616ee2affcff37c5d315310da557a694a3303d] bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues testing commit d8616ee2affcff37c5d315310da557a694a3303d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 26ec9d21a60725cac555e7bd8432e6bb4afa4e59b228abf48e3fd7f7aae78ec4 all runs: crashed: BUG: sleeping function called from invalid context in sock_map_destroy # git bisect bad d8616ee2affcff37c5d315310da557a694a3303d Bisecting: 0 revisions left to test after this (roughly 1 step) [200a89e3e88786b52bc1dd5f26a310c097f4c6a7] sample: bpf: xdp_router_ipv4: Allow the kernel to send arp requests testing commit 200a89e3e88786b52bc1dd5f26a310c097f4c6a7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 30fbf01d595e970e25c9903487d919096e4074360ebd1da87af9c73a84547d44 all runs: OK # git bisect good 200a89e3e88786b52bc1dd5f26a310c097f4c6a7 d8616ee2affcff37c5d315310da557a694a3303d is the first bad commit commit d8616ee2affcff37c5d315310da557a694a3303d Author: Wang Yufen Date: Tue May 24 15:53:11 2022 +0800 bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues During TCP sockmap redirect pressure test, the following warning is triggered: WARNING: CPU: 3 PID: 2145 at net/core/stream.c:205 sk_stream_kill_queues+0xbc/0xd0 CPU: 3 PID: 2145 Comm: iperf Kdump: loaded Tainted: G W 5.10.0+ #9 Call Trace: inet_csk_destroy_sock+0x55/0x110 inet_csk_listen_stop+0xbb/0x380 tcp_close+0x41b/0x480 inet_release+0x42/0x80 __sock_release+0x3d/0xa0 sock_close+0x11/0x20 __fput+0x9d/0x240 task_work_run+0x62/0x90 exit_to_user_mode_prepare+0x110/0x120 syscall_exit_to_user_mode+0x27/0x190 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The reason we observed is that: When the listener is closing, a connection may have completed the three-way handshake but not accepted, and the client has sent some packets. The child sks in accept queue release by inet_child_forget()->inet_csk_destroy_sock(), but psocks of child sks have not released. To fix, add sock_map_destroy to release psocks. Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Signed-off-by: Andrii Nakryiko Acked-by: Jakub Sitnicki Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220524075311.649153-1-wangyufen@huawei.com include/linux/bpf.h | 1 + include/linux/skmsg.h | 1 + net/core/skmsg.c | 1 + net/core/sock_map.c | 23 +++++++++++++++++++++++ net/ipv4/tcp_bpf.c | 1 + 5 files changed, 27 insertions(+) culprit signature: 26ec9d21a60725cac555e7bd8432e6bb4afa4e59b228abf48e3fd7f7aae78ec4 parent signature: 30fbf01d595e970e25c9903487d919096e4074360ebd1da87af9c73a84547d44 revisions tested: 15, total time: 3h51m5.888690774s (build: 1h39m53.722098194s, test: 2h9m37.939727632s) first bad commit: d8616ee2affcff37c5d315310da557a694a3303d bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues recipients (to): ["andrii@kernel.org" "daniel@iogearbox.net" "jakub@cloudflare.com" "john.fastabend@gmail.com" "wangyufen@huawei.com"] recipients (cc): [] crash: BUG: sleeping function called from invalid context in sock_map_destroy BUG: sleeping function called from invalid context at kernel/workqueue.c:3010 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4097, name: syz-executor.0 preempt_count: 201, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by syz-executor.0/4097: #0: ffff8880757bc410 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:741 [inline] #0: ffff8880757bc410 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: __sock_release+0x76/0x270 net/socket.c:649 #1: ffff888078cca770 (sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline] #1: ffff888078cca770 (sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_close+0x10/0x70 net/ipv4/tcp.c:2908 #2: ffff888078cca6f0 (slock-AF_INET6){+...}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline] #2: ffff888078cca6f0 (slock-AF_INET6){+...}-{2:2}, at: __tcp_close+0x65d/0x1200 net/ipv4/tcp.c:2830 Preemption disabled at: [] local_bh_disable include/linux/bottom_half.h:20 [inline] [] __tcp_close+0x655/0x1200 net/ipv4/tcp.c:2829 CPU: 1 PID: 4097 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9794 start_flush_work kernel/workqueue.c:3010 [inline] __flush_work+0xdd/0xa30 kernel/workqueue.c:3074 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3162 sock_map_destroy+0x242/0x520 net/core/sock_map.c:1581 inet_csk_destroy_sock+0x156/0x380 net/ipv4/inet_connection_sock.c:1130 __tcp_close+0xc06/0x1200 net/ipv4/tcp.c:2897 tcp_close+0x1b/0x70 net/ipv4/tcp.c:2909 sock_map_close+0x292/0x530 net/core/sock_map.c:1607 inet_release+0xef/0x210 net/ipv4/af_inet.c:428 __sock_release+0xbb/0x270 net/socket.c:650 sock_close+0xf/0x20 net/socket.c:1365 __fput+0x1f5/0x8c0 fs/file_table.c:317 task_work_run+0xc0/0x160 kernel/task_work.c:177 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:169 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fd53fc3bd4b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffcde2d24a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007fd53fc3bd4b RDX: 00007fd53fda0608 RSI: ffffffffffffffff RDI: 0000000000000004 RBP: 00007fd53fd9d960 R08: 0000000000000000 R09: 00007fd53fda0610 R10: 00007ffcde2d25a0 R11: 0000000000000293 R12: 0000000000013bbc R13: 00007ffcde2d25a0 R14: 00007fd53fd9bf60 R15: 0000000000000032