bisecting cause commit starting from ff539ac73ea559a8c146d99ab14bfcaddd30547a
building syzkaller on 0d5abf15b74358009a02efb629f7bc7c84841a1f
testing commit ff539ac73ea559a8c146d99ab14bfcaddd30547a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b1f78ee4b065f3ba856096c6a0f8474175c07b84d3101a845a3fbac4ccf60b1b
run #0: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #1: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #2: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #3: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #4: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #5: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #6: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #7: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #8: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #9: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #10: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #11: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #12: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #13: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #14: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #15: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #16: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #17: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #18: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #19: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d2615d99f24b33b2036722e04132e61d475eba48248c769be10c1bbf7b289312
all runs: OK
# git bisect start ff539ac73ea559a8c146d99ab14bfcaddd30547a 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
Bisecting: 8209 revisions left to test after this (roughly 13 steps)
[c011dd537ffe47462051930413fed07dbdc80313] Merge tag 'arm-soc-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

testing commit c011dd537ffe47462051930413fed07dbdc80313
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 745614c49559d03ded521f2b0bbef9bee92f79bb2b963e8ca8a99ff15a6b25c8
all runs: OK
# git bisect good c011dd537ffe47462051930413fed07dbdc80313
Bisecting: 4107 revisions left to test after this (roughly 12 steps)
[17d8e3d90b6989419806c1926b894d7d7483a25b] Merge tag 'ceph-for-5.19-rc1' of https://github.com/ceph/ceph-client

testing commit 17d8e3d90b6989419806c1926b894d7d7483a25b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ff352e46e9762140557069acca9598ebd5cfedf1b8a2f37162a66dda8425579d
all runs: OK
# git bisect good 17d8e3d90b6989419806c1926b894d7d7483a25b
Bisecting: 2053 revisions left to test after this (roughly 11 steps)
[1bd8965d7bbb6fdf92cb67ade3e4357ed5daeac1] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git

testing commit 1bd8965d7bbb6fdf92cb67ade3e4357ed5daeac1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 375c887fad9e0e1b8c8744dd14df3c262eb8c7d45b1ec4878cbfef19597d838c
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: boot failed: INFO: task hung in add_early_randomness
run #2: boot failed: INFO: task hung in add_early_randomness
run #3: boot failed: INFO: task hung in add_early_randomness
run #4: boot failed: INFO: task hung in add_early_randomness
run #5: boot failed: INFO: task hung in add_early_randomness
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 1bd8965d7bbb6fdf92cb67ade3e4357ed5daeac1
Bisecting: 971 revisions left to test after this (roughly 10 steps)
[58bd6da6f44bde76216a6c33eafa5bfed66737be] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git

testing commit 58bd6da6f44bde76216a6c33eafa5bfed66737be
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 963569eefd52a41094012da477de6f1c7a5fbbb590d4c332e5d7b578f2439579
run #0: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #1: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #2: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #3: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #4: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #5: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #6: boot failed: INFO: task hung in add_early_randomness
run #7: boot failed: INFO: task hung in add_early_randomness
run #8: boot failed: INFO: task hung in add_early_randomness
run #9: boot failed: INFO: task hung in add_early_randomness
# git bisect bad 58bd6da6f44bde76216a6c33eafa5bfed66737be
Bisecting: 551 revisions left to test after this (roughly 9 steps)
[906a46499d453204f2f5a936193413eb3893e0e1] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux.git

testing commit 906a46499d453204f2f5a936193413eb3893e0e1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6559cc27e882f5362b1f2c56cc690d1b408cf22259ac0a3a057eac0ed3aba172
run #0: boot failed: INFO: task hung in add_early_randomness
run #1: boot failed: INFO: task hung in add_early_randomness
run #2: boot failed: INFO: task hung in add_early_randomness
run #3: boot failed: INFO: task hung in add_early_randomness
run #4: boot failed: INFO: task hung in add_early_randomness
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 906a46499d453204f2f5a936193413eb3893e0e1
Bisecting: 271 revisions left to test after this (roughly 8 steps)
[622d59012467db8da78d1066f68a1b5f6774ede0] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git

testing commit 622d59012467db8da78d1066f68a1b5f6774ede0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 22521f603d7e26d48940e08de9f94cca769d941d1f23b0bafc75d75f1579ffdf
run #0: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #1: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #2: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #3: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #4: boot failed: INFO: task hung in add_early_randomness
run #5: boot failed: INFO: task hung in add_early_randomness
run #6: boot failed: INFO: task hung in add_early_randomness
run #7: boot failed: INFO: task hung in add_early_randomness
run #8: boot failed: INFO: task hung in add_early_randomness
run #9: boot failed: INFO: task hung in add_early_randomness
# git bisect bad 622d59012467db8da78d1066f68a1b5f6774ede0
Bisecting: 138 revisions left to test after this (roughly 7 steps)
[33e7381b578448b0bf5be5612db83c8661d4ca97] Merge branch 'hwmon-next' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git

testing commit 33e7381b578448b0bf5be5612db83c8661d4ca97
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: aeca41caa0b2b9d7386bf8c4b0dd19d1b7983c04ae750adbabd19e5068c84625
run #0: boot failed: INFO: task hung in add_early_randomness
run #1: boot failed: INFO: task hung in add_early_randomness
run #2: boot failed: INFO: task hung in add_early_randomness
run #3: boot failed: INFO: task hung in add_early_randomness
run #4: boot failed: INFO: task hung in add_early_randomness
run #5: boot failed: INFO: task hung in add_early_randomness
run #6: boot failed: INFO: task hung in add_early_randomness
run #7: boot failed: INFO: task hung in add_early_randomness
run #8: OK
run #9: OK
# git bisect skip 33e7381b578448b0bf5be5612db83c8661d4ca97
Bisecting: 138 revisions left to test after this (roughly 7 steps)
[6131a03c08282b9f84f757382e968b792837f105] OPP: ti: Migrate to config_regulators()

testing commit 6131a03c08282b9f84f757382e968b792837f105
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 279f1b89eec05c2d2c13505b4885f1f9a65b8e9364ba6e5b85694966cd067807
run #0: boot failed: INFO: task hung in add_early_randomness
run #1: boot failed: INFO: task hung in add_early_randomness
run #2: boot failed: INFO: task hung in add_early_randomness
run #3: boot failed: INFO: task hung in add_early_randomness
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 6131a03c08282b9f84f757382e968b792837f105
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[58a53978fdf65d12dae1798e44120efb992a3615] bpftool: Add btf enum64 support

testing commit 58a53978fdf65d12dae1798e44120efb992a3615
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c9fd24f260470e6b67033505075ede6a9a123f3d8a9fadf42bd725a682c0c93c
all runs: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
# git bisect bad 58a53978fdf65d12dae1798e44120efb992a3615
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[4c46091ee985ae84c60c5e95055d779fcd291d87] bpf: Fix KASAN use-after-free Read in compute_effective_progs

testing commit 4c46091ee985ae84c60c5e95055d779fcd291d87
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3e4b28e694193af3b2bcb2b73623f2b21ac43acca2bfeec325a0208a6c705f67
all runs: OK
# git bisect good 4c46091ee985ae84c60c5e95055d779fcd291d87
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[6089fb325cf737eeb2c4d236c94697112ca860da] bpf: Add btf enum64 support

testing commit 6089fb325cf737eeb2c4d236c94697112ca860da
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ec115e1e427f2d5bc2aed88757f30a96ef31cfa762c363812c92ff4ad1c876f4
all runs: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
# git bisect bad 6089fb325cf737eeb2c4d236c94697112ca860da
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[988d0d5899248b758d2f2eae3b57708fe78a8618] bpf, test_run: Remove unnecessary prog type checks

testing commit 988d0d5899248b758d2f2eae3b57708fe78a8618
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 69e688fcca505937d76f83b567d3b2fe81c7a8dcb19e01c5afcf68b9096c255c
all runs: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
# git bisect bad 988d0d5899248b758d2f2eae3b57708fe78a8618
Bisecting: 2 revisions left to test after this (roughly 1 step)
[200a89e3e88786b52bc1dd5f26a310c097f4c6a7] sample: bpf: xdp_router_ipv4: Allow the kernel to send arp requests

testing commit 200a89e3e88786b52bc1dd5f26a310c097f4c6a7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 53ffcbc80ef73d3a7cdcf146dd3688718383eb43c3a18cf02e5a3f32a172efe5
all runs: OK
# git bisect good 200a89e3e88786b52bc1dd5f26a310c097f4c6a7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[9bbdfad8a5192cfa698994dd8db3a52b137e7478] libbpf: Fix a couple of typos

testing commit 9bbdfad8a5192cfa698994dd8db3a52b137e7478
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3f0edc4cd16c504613b14e9fe36c7396e58e4f765fcdaf95025738cd7461d76e
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #2: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #3: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #4: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #5: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #6: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #7: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #8: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
run #9: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
# git bisect bad 9bbdfad8a5192cfa698994dd8db3a52b137e7478
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d8616ee2affcff37c5d315310da557a694a3303d] bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues

testing commit d8616ee2affcff37c5d315310da557a694a3303d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d05e06b409c760a7b3f02e381e4ad0f1f921b1f8541e26c8cb5eeacd54b6f959
all runs: crashed: BUG: sleeping function called from invalid context in sock_map_destroy
# git bisect bad d8616ee2affcff37c5d315310da557a694a3303d
d8616ee2affcff37c5d315310da557a694a3303d is the first bad commit
commit d8616ee2affcff37c5d315310da557a694a3303d
Author: Wang Yufen <wangyufen@huawei.com>
Date:   Tue May 24 15:53:11 2022 +0800

    bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues
    
    During TCP sockmap redirect pressure test, the following warning is triggered:
    
    WARNING: CPU: 3 PID: 2145 at net/core/stream.c:205 sk_stream_kill_queues+0xbc/0xd0
    CPU: 3 PID: 2145 Comm: iperf Kdump: loaded Tainted: G        W         5.10.0+ #9
    Call Trace:
     inet_csk_destroy_sock+0x55/0x110
     inet_csk_listen_stop+0xbb/0x380
     tcp_close+0x41b/0x480
     inet_release+0x42/0x80
     __sock_release+0x3d/0xa0
     sock_close+0x11/0x20
     __fput+0x9d/0x240
     task_work_run+0x62/0x90
     exit_to_user_mode_prepare+0x110/0x120
     syscall_exit_to_user_mode+0x27/0x190
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    The reason we observed is that:
    
    When the listener is closing, a connection may have completed the three-way
    handshake but not accepted, and the client has sent some packets. The child
    sks in accept queue release by inet_child_forget()->inet_csk_destroy_sock(),
    but psocks of child sks have not released.
    
    To fix, add sock_map_destroy to release psocks.
    
    Signed-off-by: Wang Yufen <wangyufen@huawei.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
    Acked-by: John Fastabend <john.fastabend@gmail.com>
    Link: https://lore.kernel.org/bpf/20220524075311.649153-1-wangyufen@huawei.com

 include/linux/bpf.h   |  1 +
 include/linux/skmsg.h |  1 +
 net/core/skmsg.c      |  1 +
 net/core/sock_map.c   | 23 +++++++++++++++++++++++
 net/ipv4/tcp_bpf.c    |  1 +
 5 files changed, 27 insertions(+)

culprit signature: d05e06b409c760a7b3f02e381e4ad0f1f921b1f8541e26c8cb5eeacd54b6f959
parent  signature: 53ffcbc80ef73d3a7cdcf146dd3688718383eb43c3a18cf02e5a3f32a172efe5
revisions tested: 17, total time: 4h16m2.002780306s (build: 1h51m26.113786898s, test: 2h22m55.545735841s)
first bad commit: d8616ee2affcff37c5d315310da557a694a3303d bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues
recipients (to): ["andrii@kernel.org" "daniel@iogearbox.net" "jakub@cloudflare.com" "john.fastabend@gmail.com" "wangyufen@huawei.com"]
recipients (cc): []
crash: BUG: sleeping function called from invalid context in sock_map_destroy
BUG: sleeping function called from invalid context at kernel/workqueue.c:3010
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 9192, name: syz-executor.0
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by syz-executor.0/9192:
 #0: ffff8880737cfa10 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:741 [inline]
 #0: ffff8880737cfa10 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: __sock_release+0x76/0x270 net/socket.c:649
 #1: ffff88807736e730 (sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]
 #1: ffff88807736e730 (sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_close+0x10/0x70 net/ipv4/tcp.c:2908
 #2: ffff88807736e6b0 (slock-AF_INET6){+...}-{2:2}, at: spin_lock include/linux/spinlock.h:349 [inline]
 #2: ffff88807736e6b0 (slock-AF_INET6){+...}-{2:2}, at: __tcp_close+0x65d/0x1200 net/ipv4/tcp.c:2830
Preemption disabled at:
[<ffffffff872ad505>] local_bh_disable include/linux/bottom_half.h:20 [inline]
[<ffffffff872ad505>] __tcp_close+0x655/0x1200 net/ipv4/tcp.c:2829
CPU: 0 PID: 9192 Comm: syz-executor.0 Not tainted 5.18.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9794
 start_flush_work kernel/workqueue.c:3010 [inline]
 __flush_work+0xdd/0xa30 kernel/workqueue.c:3074
 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3162
 sock_map_destroy+0x242/0x520 net/core/sock_map.c:1581
 inet_csk_destroy_sock+0x156/0x380 net/ipv4/inet_connection_sock.c:1130
 __tcp_close+0xc06/0x1200 net/ipv4/tcp.c:2897
 tcp_close+0x1b/0x70 net/ipv4/tcp.c:2909
 sock_map_close+0x292/0x530 net/core/sock_map.c:1607
 inet_release+0xef/0x210 net/ipv4/af_inet.c:428
 __sock_release+0xbb/0x270 net/socket.c:650
 sock_close+0xf/0x20 net/socket.c:1365
 __fput+0x1f5/0x8c0 fs/file_table.c:317
 task_work_run+0xc0/0x160 kernel/task_work.c:177
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f8f17a3bd4b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffdefdf15e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007f8f17a3bd4b
RDX: 00007f8f17ba05c8 RSI: ffffffffffffffff RDI: 0000000000000004
RBP: 00007f8f17b9d960 R08: 0000000000000000 R09: 00007f8f17ba05d0
R10: 00007ffdefdf16e0 R11: 0000000000000293 R12: 00000000000160ab
R13: 00007ffdefdf16e0 R14: 00007f8f17b9bf60 R15: 0000000000000032
 </TASK>