bisecting cause commit starting from 7b1b868e1d9156484ccce9bf11122c053de82617
building syzkaller on bca53db974f570410921f59b8c2c59a3d263cb44
testing commit 7b1b868e1d9156484ccce9bf11122c053de82617 with gcc (GCC) 8.1.0
kernel signature: 6c67bc70a0e314730382cace95639d0b95fa84e0ade1b0611a815e1051c6cca2
all runs: crashed: WARNING in percpu_ref_kill_and_confirm
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0
kernel signature: ae997c81c8480492441e712d3c127e3da959156d4e937c464609e101fa84e28c
all runs: OK
# git bisect start 7b1b868e1d9156484ccce9bf11122c053de82617 bbf5c979011a099af5dc76498918ed7df445635b
Bisecting: 9566 revisions left to test after this (roughly 13 steps)
[4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions

testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 8.1.0
kernel signature: 19d651166031891e1c42f1a0518e05f408372acef30d76f75e5b6df6eabbfcd1
all runs: crashed: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
# git bisect bad 4d0e9df5e43dba52d38b251e3b909df8fa1110be
Bisecting: 3935 revisions left to test after this (roughly 12 steps)
[f888bdf9823c85fe945c4eb3ba353f749dec3856] Merge tag 'devicetree-for-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

testing commit f888bdf9823c85fe945c4eb3ba353f749dec3856 with gcc (GCC) 8.1.0
kernel signature: 380506a17205c0f6ebc50411e3c2c3f5322dc2f2d915cb86cb02fabae50d49d3
all runs: crashed: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
# git bisect bad f888bdf9823c85fe945c4eb3ba353f749dec3856
Bisecting: 1997 revisions left to test after this (roughly 11 steps)
[57218d7f2e87069f73c7a841b6ed6c1cc7acf616] Merge tag 'regmap-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap

testing commit 57218d7f2e87069f73c7a841b6ed6c1cc7acf616 with gcc (GCC) 8.1.0
kernel signature: 2122c4728350db5a8b65268cb76043df2bca3142fb24ad47216fa0e3b461d7d7
all runs: crashed: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
# git bisect bad 57218d7f2e87069f73c7a841b6ed6c1cc7acf616
Bisecting: 873 revisions left to test after this (roughly 10 steps)
[39a5101f989e8d2be557136704d53990f9b402c8] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

testing commit 39a5101f989e8d2be557136704d53990f9b402c8 with gcc (GCC) 8.1.0
kernel signature: 1f73da9c24c6cd6e358faf36f3de66b45706a82b6bbe5c484b2c3feeb8ee67d4
all runs: crashed: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
# git bisect bad 39a5101f989e8d2be557136704d53990f9b402c8
Bisecting: 521 revisions left to test after this (roughly 9 steps)
[ed016af52ee3035b4799ebd7d53f9ae59d5782c4] Merge tag 'locking-core-2020-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit ed016af52ee3035b4799ebd7d53f9ae59d5782c4 with gcc (GCC) 8.1.0
kernel signature: 8684ac24fb35a0bc25f8e326780c8c1a4a5eac5ab4f77e8e331834672a4961bd
all runs: crashed: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
# git bisect bad ed016af52ee3035b4799ebd7d53f9ae59d5782c4
Bisecting: 274 revisions left to test after this (roughly 8 steps)
[f94ab231136c53ee26b1ddda76b29218018834ff] Merge tag 'x86_cleanups_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit f94ab231136c53ee26b1ddda76b29218018834ff with gcc (GCC) 8.1.0
kernel signature: 53e7e3673b71f28ee2de951082d0e97f4993567811bda1d6344ff7b5e0560695
all runs: OK
# git bisect good f94ab231136c53ee26b1ddda76b29218018834ff
Bisecting: 125 revisions left to test after this (roughly 7 steps)
[cc7343724eb77ce0752b1097a275f22f6fe47057] Merge tag 'x86-irq-2020-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit cc7343724eb77ce0752b1097a275f22f6fe47057 with gcc (GCC) 8.1.0
kernel signature: e4c556038d6ac10c01e606507c4087127618ba6349839dcc841448097cd15995
all runs: OK
# git bisect good cc7343724eb77ce0752b1097a275f22f6fe47057
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[d6c4c11348816fb4d16e33bf47d559d7aa59350a] Merge branch 'kcsan' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu into locking/core

testing commit d6c4c11348816fb4d16e33bf47d559d7aa59350a with gcc (GCC) 8.1.0
kernel signature: 403e80aa19ac26b21835f6db0ca77f9a9085613f849524b12bd462222146906a
all runs: crashed: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
# git bisect bad d6c4c11348816fb4d16e33bf47d559d7aa59350a
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[6dd699b13d53f26a7603702d8bada3482312df74] seqlock: seqcount_LOCKNAME_t: Standardize naming convention

testing commit 6dd699b13d53f26a7603702d8bada3482312df74 with gcc (GCC) 8.1.0
kernel signature: 3232b06c18182478cb224ad34117f8ddb5de38531250e3b51566f66440b0b2bf
all runs: OK
# git bisect good 6dd699b13d53f26a7603702d8bada3482312df74
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[178a1877d782c034f466edd80e30a107af5469df] kcsan: Use pr_fmt for consistency

testing commit 178a1877d782c034f466edd80e30a107af5469df with gcc (GCC) 8.1.0
kernel signature: 37ccb0a7381ec1b422a09adafa60b0210be501ea0aec0d6ed35ed69588779b16
all runs: OK
# git bisect good 178a1877d782c034f466edd80e30a107af5469df
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[d89d5f855f84ccf3f7e648813b4bb95c780bd7cd] locking/atomics: Check atomic-arch-fallback.h too

testing commit d89d5f855f84ccf3f7e648813b4bb95c780bd7cd with gcc (GCC) 8.1.0
kernel signature: e341e399ddc178fec42f666f43326be3ea2299bae63e1e67b5fc14dd937eecf0
all runs: OK
# git bisect good d89d5f855f84ccf3f7e648813b4bb95c780bd7cd
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e705d397965811ac528d7213b42d74ffe43caf38] Merge branch 'locking/urgent' into locking/core, to pick up fixes

testing commit e705d397965811ac528d7213b42d74ffe43caf38 with gcc (GCC) 8.1.0
kernel signature: ef309669b251d01f1e6d713a814f022e5cc61efff275af9c3ae57c1c7e6e1147
all runs: crashed: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
# git bisect bad e705d397965811ac528d7213b42d74ffe43caf38
Bisecting: 1 revision left to test after this (roughly 1 step)
[4d004099a668c41522242aa146a38cc4eb59cb1e] lockdep: Fix lockdep recursion

testing commit 4d004099a668c41522242aa146a38cc4eb59cb1e with gcc (GCC) 8.1.0
kernel signature: 18239ed3b96c7645f2873062a97ea4f24dcb3493113e40995a25ef7fe2bb96bb
all runs: crashed: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
# git bisect bad 4d004099a668c41522242aa146a38cc4eb59cb1e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2bb8945bcc1a768f2bc402a16c9610bba8d5187d] lockdep: Fix usage_traceoverflow

testing commit 2bb8945bcc1a768f2bc402a16c9610bba8d5187d with gcc (GCC) 8.1.0
kernel signature: 5f4185eee518bf1204e5582dae12588b3f76db1259eab9fb33cf92f5dd0c26b4
all runs: OK
# git bisect good 2bb8945bcc1a768f2bc402a16c9610bba8d5187d
4d004099a668c41522242aa146a38cc4eb59cb1e is the first bad commit
commit 4d004099a668c41522242aa146a38cc4eb59cb1e
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri Oct 2 11:04:21 2020 +0200

    lockdep: Fix lockdep recursion
    
    Steve reported that lockdep_assert*irq*(), when nested inside lockdep
    itself, will trigger a false-positive.
    
    One example is the stack-trace code, as called from inside lockdep,
    triggering tracing, which in turn calls RCU, which then uses
    lockdep_assert_irqs_disabled().
    
    Fixes: a21ee6055c30 ("lockdep: Change hardirq{s_enabled,_context} to per-cpu variables")
    Reported-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 include/linux/lockdep.h  | 13 ++++---
 kernel/locking/lockdep.c | 99 +++++++++++++++++++++++++++++-------------------
 2 files changed, 67 insertions(+), 45 deletions(-)

culprit signature: 18239ed3b96c7645f2873062a97ea4f24dcb3493113e40995a25ef7fe2bb96bb
parent  signature: 5f4185eee518bf1204e5582dae12588b3f76db1259eab9fb33cf92f5dd0c26b4
revisions tested: 16, total time: 2h49m17.767447635s (build: 1h9m21.567007318s, test: 1h38m25.323336979s)
first bad commit: 4d004099a668c41522242aa146a38cc4eb59cb1e lockdep: Fix lockdep recursion
recipients (to): ["linux-kernel@vger.kernel.org" "mingo@kernel.org" "mingo@redhat.com" "peterz@infradead.org" "peterz@infradead.org" "will@kernel.org"]
recipients (cc): []
crash: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.3/10190
caller is lockdep_hardirqs_on_prepare+0x2f/0x1a0 kernel/locking/lockdep.c:3684
CPU: 1 PID: 10190 Comm: syz-executor.3 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x77/0xa0 lib/dump_stack.c:118
 check_preemption_disabled+0xab/0xc0 lib/smp_processor_id.c:48
 lockdep_hardirqs_on_prepare+0x2f/0x1a0 kernel/locking/lockdep.c:3684
 trace_hardirqs_on+0x1c/0x100 kernel/trace/trace_preemptirq.c:49
 __bad_area_nosemaphore+0x5e/0x1c0 arch/x86/mm/fault.c:797
 do_user_addr_fault arch/x86/mm/fault.c:1345 [inline]
 handle_page_fault arch/x86/mm/fault.c:1429 [inline]
 exc_page_fault+0x587/0x690 arch/x86/mm/fault.c:1482
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:538
RIP: 0033:0x40260b
Code: 40 41 89 e8 4c 89 ef b9 11 80 00 00 c1 e6 04 03 73 64 8d 14 90 39 f2 48 0f 43 f2 45 31 c9 ba 03 00 00 00 e8 67 bb 05 00 8b 33 <49> 89 07 41 89 e8 4c 89 e7 41 b9 00 00 00 10 b9 11 80 00 00 ba 03
RSP: 002b:00007f0e1d9cfbf0 EFLAGS: 00010207
RAX: 0000000020000000 RBX: 00000000200000c0 RCX: 000000000045e1aa
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000008011 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000000 R14: 0000000000000000 R15: 0000000000000000
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.3/10190
caller is lockdep_hardirqs_on+0x38/0x110 kernel/locking/lockdep.c:3753
CPU: 1 PID: 10190 Comm: syz-executor.3 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x77/0xa0 lib/dump_stack.c:118
 check_preemption_disabled+0xab/0xc0 lib/smp_processor_id.c:48
 lockdep_hardirqs_on+0x38/0x110 kernel/locking/lockdep.c:3753
 __bad_area_nosemaphore+0x5e/0x1c0 arch/x86/mm/fault.c:797
 do_user_addr_fault arch/x86/mm/fault.c:1345 [inline]
 handle_page_fault arch/x86/mm/fault.c:1429 [inline]
 exc_page_fault+0x587/0x690 arch/x86/mm/fault.c:1482
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:538
RIP: 0033:0x40260b
Code: 40 41 89 e8 4c 89 ef b9 11 80 00 00 c1 e6 04 03 73 64 8d 14 90 39 f2 48 0f 43 f2 45 31 c9 ba 03 00 00 00 e8 67 bb 05 00 8b 33 <49> 89 07 41 89 e8 4c 89 e7 41 b9 00 00 00 10 b9 11 80 00 00 ba 03
RSP: 002b:00007f0e1d9cfbf0 EFLAGS: 00010207
RAX: 0000000020000000 RBX: 00000000200000c0 RCX: 000000000045e1aa
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000008011 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000000 R14: 0000000000000000 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 10190 Comm: syz-executor.3 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x77/0xa0 lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:52 [inline]
 should_fail.cold.6+0x32/0x3a lib/fault-inject.c:146
 should_failslab+0x5/0xf mm/slab_common.c:1194
 slab_pre_alloc_hook.constprop.95+0x3a/0x110 mm/slab.h:500
 slab_alloc_node mm/slub.c:2812 [inline]
 slab_alloc mm/slub.c:2896 [inline]
 kmem_cache_alloc+0x42/0x2c0 mm/slub.c:2901
 __sigqueue_alloc+0xfa/0x240 kernel/signal.c:434
 __send_signal+0x326/0x700 kernel/signal.c:1115
 force_sig_info_to_task+0xaf/0xd0 kernel/signal.c:1333
 force_sig_fault_to_task kernel/signal.c:1672 [inline]
 force_sig_fault+0x4e/0x70 kernel/signal.c:1679
 __bad_area_nosemaphore+0x12c/0x1c0 arch/x86/mm/fault.c:825
 do_user_addr_fault arch/x86/mm/fault.c:1345 [inline]
 handle_page_fault arch/x86/mm/fault.c:1429 [inline]
 exc_page_fault+0x587/0x690 arch/x86/mm/fault.c:1482
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:538
RIP: 0033:0x40260b
Code: 40 41 89 e8 4c 89 ef b9 11 80 00 00 c1 e6 04 03 73 64 8d 14 90 39 f2 48 0f 43 f2 45 31 c9 ba 03 00 00 00 e8 67 bb 05 00 8b 33 <49> 89 07 41 89 e8 4c 89 e7 41 b9 00 00 00 10 b9 11 80 00 00 ba 03
RSP: 002b:00007f0e1d9cfbf0 EFLAGS: 00010207
RAX: 0000000020000000 RBX: 00000000200000c0 RCX: 000000000045e1aa
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000008011 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000000 R14: 0000000000000000 R15: 0000000000000000