bisecting cause commit starting from a1339d6355ac42e1bf4fcdfce8bfce61172f8891 building syzkaller on fd10362197975cb06b6b7c7616c35c6fd9821da2 testing commit a1339d6355ac42e1bf4fcdfce8bfce61172f8891 with gcc (GCC) 8.1.0 kernel signature: bbc2098b8a5c2ba8a8eea1efc0f78d8bd183ba8afb427356caaf31424d4bc34c all runs: crashed: WARNING in io_disable_sqo_submit testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 395a614079c9030036488f72c030c4708fae86b9aba956ca15d15003efd3a593 run #0: crashed: WARNING in percpu_ref_kill_and_confirm run #1: crashed: WARNING in percpu_ref_kill_and_confirm run #2: crashed: WARNING in percpu_ref_kill_and_confirm run #3: crashed: WARNING in percpu_ref_kill_and_confirm run #4: crashed: WARNING in percpu_ref_kill_and_confirm run #5: crashed: WARNING in percpu_ref_kill_and_confirm run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 267e4e72ea6151d6ca484a7d3cc70be89ff7365b860f2a296ca76a677664b0bf all runs: OK # git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 9594 revisions left to test after this (roughly 13 steps) [4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 8.1.0 kernel signature: adf5c405dd67b7187b8c7a52cca0fc6cc5133c6871aaec8f932c63715200b76f all runs: OK # git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be Bisecting: 4874 revisions left to test after this (roughly 12 steps) [6694875ef8045cdb1e6712ee9b68fe08763507d8] ext4: indicate that fast_commit is available via /sys/fs/ext4/feature/... testing commit 6694875ef8045cdb1e6712ee9b68fe08763507d8 with gcc (GCC) 8.1.0 kernel signature: de5036e0667ef71f4416e498adf1d692b84b63e706eeeb6a14a442c45b88888c all runs: OK # git bisect good 6694875ef8045cdb1e6712ee9b68fe08763507d8 Bisecting: 2439 revisions left to test after this (roughly 11 steps) [cf9446cc8e6d85355642209538dde619f53770dc] Merge tag 'io_uring-5.10-2020-10-30' of git://git.kernel.dk/linux-block testing commit cf9446cc8e6d85355642209538dde619f53770dc with gcc (GCC) 8.1.0 kernel signature: 8539029707ac11619cd579ff5154d36c6ff9ea5ce769d903238fd2d6b39ca6d7 all runs: OK # git bisect good cf9446cc8e6d85355642209538dde619f53770dc Bisecting: 1221 revisions left to test after this (roughly 10 steps) [3be28e93cd88fbcbe97cabcbe92b1ccc9f830450] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 3be28e93cd88fbcbe97cabcbe92b1ccc9f830450 with gcc (GCC) 8.1.0 kernel signature: 7cc5f98663928a17d40255cac7d2f07957f060ff617018644addf8fdb2b9caf6 run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky # git bisect bad 3be28e93cd88fbcbe97cabcbe92b1ccc9f830450 Bisecting: 609 revisions left to test after this (roughly 9 steps) [15a9844458cf3a7afcd720eca81ecb3a16213cb4] Merge tag 'irq-urgent-2020-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 15a9844458cf3a7afcd720eca81ecb3a16213cb4 with gcc (GCC) 8.1.0 kernel signature: 01eab7b9a8f1dbe325746084140d410a0b161f701733c84c5f501d1e29ca95ba run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 15a9844458cf3a7afcd720eca81ecb3a16213cb4 Bisecting: 303 revisions left to test after this (roughly 8 steps) [6f3f374ac05d05cfa63d04f4479ead7e3cb6d087] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 6f3f374ac05d05cfa63d04f4479ead7e3cb6d087 with gcc (GCC) 8.1.0 kernel signature: 1dea74e9d4339eed4cc2fe37176a971d1161e12beee93289622cd51db1e267c7 all runs: OK # git bisect good 6f3f374ac05d05cfa63d04f4479ead7e3cb6d087 Bisecting: 180 revisions left to test after this (roughly 7 steps) [28ced768a4262bc81c61c8244e0e57048afc18d1] Merge tag 'tpmdd-next-v5.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd testing commit 28ced768a4262bc81c61c8244e0e57048afc18d1 with gcc (GCC) 8.1.0 kernel signature: a701f307cbbaef12915e34aba36d75e40fdd94703eeeb43a53baa0cb239bb2e3 run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 28ced768a4262bc81c61c8244e0e57048afc18d1 Bisecting: 61 revisions left to test after this (roughly 6 steps) [ab07ff1c92fa60f29438e655a1b4abab860ed0b6] can: flexcan: flexcan_remove(): disable wakeup completely testing commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 with gcc (GCC) 8.1.0 kernel signature: 9386c0d75038c1c9f39896138c4f6d355fc7909e4b53e6bddf03771383b4d7e0 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad ab07ff1c92fa60f29438e655a1b4abab860ed0b6 Bisecting: 30 revisions left to test after this (roughly 5 steps) [0a26ba0603d637eb6673a2ea79808cc73909ef3a] net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement testing commit 0a26ba0603d637eb6673a2ea79808cc73909ef3a with gcc (GCC) 8.1.0 kernel signature: ec7ab18a17b942ff170c1e8a2b1ab693c0fe426573b4688ebe1d8900c659b863 run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 0a26ba0603d637eb6673a2ea79808cc73909ef3a Bisecting: 17 revisions left to test after this (roughly 4 steps) [20149e9eb68c003eaa09e7c9a49023df40779552] ip_tunnel: fix over-mtu packet send fail without TUNNEL_DONT_FRAGMENT flags testing commit 20149e9eb68c003eaa09e7c9a49023df40779552 with gcc (GCC) 8.1.0 kernel signature: 52dcd03c445142b570a73f0cfa955ccb74e2af66fad36bac274ca2b5f76567fc all runs: OK # git bisect good 20149e9eb68c003eaa09e7c9a49023df40779552 Bisecting: 10 revisions left to test after this (roughly 3 steps) [c2f46814521113f6699a74e0a0424cbc5b305479] mac80211: don't require VHT elements for HE on 2.4 GHz testing commit c2f46814521113f6699a74e0a0424cbc5b305479 with gcc (GCC) 8.1.0 kernel signature: 226cef48f9f00b50b50f443ce36d43d5709f850b9a2734d5ece89980543004da run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad c2f46814521113f6699a74e0a0424cbc5b305479 Bisecting: 3 revisions left to test after this (roughly 2 steps) [9bdaf3b91efd229dd272b228e13df10310c80d19] cfg80211: initialize wdev data earlier testing commit 9bdaf3b91efd229dd272b228e13df10310c80d19 with gcc (GCC) 8.1.0 kernel signature: 53dbb2563207360651d6bcf90bbd073058ef52b4f3096e95d01fc4d0f83bc53a all runs: OK # git bisect good 9bdaf3b91efd229dd272b228e13df10310c80d19 Bisecting: 1 revision left to test after this (roughly 1 step) [b1e8eb11fb9cf666d8ae36bbcf533233a504c921] mac80211: fix kernel-doc markups testing commit b1e8eb11fb9cf666d8ae36bbcf533233a504c921 with gcc (GCC) 8.1.0 kernel signature: 2137d56c546c3f43d1f17a1a1f8a270f8d92d5d1cf2ee2b9648df4308852b437 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad b1e8eb11fb9cf666d8ae36bbcf533233a504c921 Bisecting: 0 revisions left to test after this (roughly 0 steps) [dcd479e10a0510522a5d88b29b8f79ea3467d501] mac80211: always wind down STA state testing commit dcd479e10a0510522a5d88b29b8f79ea3467d501 with gcc (GCC) 8.1.0 kernel signature: 871d3219af439d68733a58559a05f614333021b508e5a60f459b3e3a7076b84e run #0: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad dcd479e10a0510522a5d88b29b8f79ea3467d501 dcd479e10a0510522a5d88b29b8f79ea3467d501 is the first bad commit commit dcd479e10a0510522a5d88b29b8f79ea3467d501 Author: Johannes Berg Date: Fri Oct 9 14:17:11 2020 +0200 mac80211: always wind down STA state When (for example) an IBSS station is pre-moved to AUTHORIZED before it's inserted, and then the insertion fails, we don't clean up the fast RX/TX states that might already have been created, since we don't go through all the state transitions again on the way down. Do that, if it hasn't been done already, when the station is freed. I considered only freeing the fast TX/RX state there, but we might add more state so it's more robust to wind down the state properly. Note that we warn if the station was ever inserted, it should have been properly cleaned up in that case, and the driver will probably not like things happening out of order. Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid Signed-off-by: Johannes Berg net/mac80211/sta_info.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) culprit signature: 871d3219af439d68733a58559a05f614333021b508e5a60f459b3e3a7076b84e parent signature: 53dbb2563207360651d6bcf90bbd073058ef52b4f3096e95d01fc4d0f83bc53a Reproducer flagged being flaky revisions tested: 17, total time: 3h41m56.333393036s (build: 1h20m19.17232916s, test: 2h19m53.062655743s) first bad commit: dcd479e10a0510522a5d88b29b8f79ea3467d501 mac80211: always wind down STA state recipients (to): ["davem@davemloft.net" "johannes.berg@intel.com" "johannes@sipsolutions.net" "kuba@kernel.org" "linux-wireless@vger.kernel.org" "netdev@vger.kernel.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: BUG: sleeping function called from invalid context in sta_info_move_state BUG: sleeping function called from invalid context at net/mac80211/sta_info.c:1962 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 21, name: kworker/u4:1 4 locks held by kworker/u4:1/21: #0: ffff88811e53ad38 ((wq_completion)phy16){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88811e53ad38 ((wq_completion)phy16){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88811e53ad38 ((wq_completion)phy16){+.+.}-{0:0}, at: process_one_work+0x1ed/0x660 kernel/workqueue.c:2243 #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1ed/0x660 kernel/workqueue.c:2243 #2: ffff88811eac0d00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline] #2: ffff88811eac0d00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x480 net/mac80211/ibss.c:1683 #3: ffffffff850278a0 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline] #3: ffffffff850278a0 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1df/0xe80 net/mac80211/sta_info.c:732 Preemption disabled at: [] __mutex_lock_common kernel/locking/mutex.c:955 [inline] [] __mutex_lock+0x70/0xa30 kernel/locking/mutex.c:1103 CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy16 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 ___might_sleep.cold.92+0x65/0x79 kernel/sched/core.c:7298 sta_info_move_state+0x1c/0x2d0 net/mac80211/sta_info.c:1962 sta_info_free+0x16/0xf0 net/mac80211/sta_info.c:274 sta_info_insert_rcu+0xcc/0xe80 net/mac80211/sta_info.c:738 ieee80211_ibss_finish_sta+0xad/0x130 net/mac80211/ibss.c:592 ieee80211_ibss_work+0x10e/0x480 net/mac80211/ibss.c:1700 process_one_work+0x27a/0x660 kernel/workqueue.c:2272 worker_thread+0x38/0x390 kernel/workqueue.c:2418 kthread+0x145/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 ============================= [ BUG: Invalid wait context ] 5.10.0-rc1-syzkaller #0 Tainted: G W ----------------------------- kworker/u4:1/21 is trying to lock: ffff88811eeea9d0 (&local->chanctx_mtx){+.+.}-{3:3}, at: ieee80211_recalc_min_chandef+0x21/0xb0 net/mac80211/util.c:2740 other info that might help us debug this: context-{4:4} 4 locks held by kworker/u4:1/21: #0: ffff88811e53ad38 ((wq_completion)phy16){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88811e53ad38 ((wq_completion)phy16){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88811e53ad38 ((wq_completion)phy16){+.+.}-{0:0}, at: process_one_work+0x1ed/0x660 kernel/workqueue.c:2243 #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000d0be70 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x1ed/0x660 kernel/workqueue.c:2243 #2: ffff88811eac0d00 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1021 [inline] #2: ffff88811eac0d00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x36/0x480 net/mac80211/ibss.c:1683 #3: ffffffff850278a0 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_finish net/mac80211/sta_info.c:644 [inline] #3: ffffffff850278a0 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x1df/0xe80 net/mac80211/sta_info.c:732 stack backtrace: CPU: 1 PID: 21 Comm: kworker/u4:1 Tainted: G W 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy16 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 print_lock_invalid_wait_context kernel/locking/lockdep.c:4489 [inline] check_wait_context kernel/locking/lockdep.c:4550 [inline] __lock_acquire.cold.60+0xc4/0x2e8 kernel/locking/lockdep.c:4787 lock_acquire+0xd0/0x420 kernel/locking/lockdep.c:5442 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x94/0xa30 kernel/locking/mutex.c:1103 ieee80211_recalc_min_chandef+0x21/0xb0 net/mac80211/util.c:2740 sta_info_move_state+0x146/0x2d0 net/mac80211/sta_info.c:2019 sta_info_free+0x16/0xf0 net/mac80211/sta_info.c:274 sta_info_insert_rcu+0xcc/0xe80 net/mac80211/sta_info.c:738 ieee80211_ibss_finish_sta+0xad/0x130 net/mac80211/ibss.c:592 ieee80211_ibss_work+0x10e/0x480 net/mac80211/ibss.c:1700 process_one_work+0x27a/0x660 kernel/workqueue.c:2272 worker_thread+0x38/0x390 kernel/workqueue.c:2418 kthread+0x145/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296