ci starts bisection 2022-07-29 23:32:14.693441023 +0000 UTC m=+45918.861925305 bisecting cause commit starting from cb71b93c2dc36d18a8b05245973328d018272cdf building syzkaller on fef302b1a60baa1f93300b6744d9e08788133e77 testing commit cb71b93c2dc36d18a8b05245973328d018272cdf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3f0f7adb3416bc078f04b13b5878e9a4971429973570951c0f3f032c590eb247 run #0: crashed: possible deadlock in blkcg_deactivate_policy run #1: crashed: possible deadlock in blkcg_deactivate_policy run #2: crashed: possible deadlock in blkcg_deactivate_policy run #3: crashed: possible deadlock in throtl_pending_timer_fn run #4: crashed: possible deadlock in blkcg_deactivate_policy run #5: crashed: possible deadlock in blkcg_deactivate_policy run #6: crashed: possible deadlock in blkcg_deactivate_policy run #7: crashed: possible deadlock in blkcg_deactivate_policy run #8: crashed: possible deadlock in blkcg_deactivate_policy run #9: crashed: possible deadlock in blkcg_deactivate_policy run #10: crashed: possible deadlock in blkcg_deactivate_policy run #11: crashed: possible deadlock in blkcg_deactivate_policy run #12: crashed: possible deadlock in blkcg_deactivate_policy run #13: crashed: possible deadlock in blkcg_deactivate_policy run #14: crashed: possible deadlock in blkcg_deactivate_policy run #15: crashed: possible deadlock in throtl_pending_timer_fn run #16: crashed: possible deadlock in blkcg_deactivate_policy run #17: crashed: possible deadlock in blkcg_deactivate_policy run #18: crashed: possible deadlock in blkcg_deactivate_policy run #19: crashed: possible deadlock in blkcg_deactivate_policy testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 86effa0ebb4c0c25c8c633b3e6359bacb1e2783526631e9496f3d4c5d41c8136 all runs: crashed: possible deadlock in blkcg_deactivate_policy testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8c0b2a44cee8a84bf47b99d48e9e021be975b5dbab6db7b55a504266d5b89fa0 all runs: OK # git bisect start 4b0986a3613c92f4ec1bdc7f60ec66fea135991f f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 8498 revisions left to test after this (roughly 13 steps) [25fd2d41b505d0640bdfe67aa77c549de2d3c18a] selftests: kselftest framework: provide "finished" helper testing commit 25fd2d41b505d0640bdfe67aa77c549de2d3c18a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8960cdafa7bfae46ea2d2bf174e58acb7d37a4bb81fb9335a53ba84d623c0d0b run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #2: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #3: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #4: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #5: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #6: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #7: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #8: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #9: crashed: BUG: sleeping function called from invalid context in blk_release_queue # git bisect bad 25fd2d41b505d0640bdfe67aa77c549de2d3c18a Bisecting: 3943 revisions left to test after this (roughly 12 steps) [b4bc93bd76d4da32600795cd323c971f00a2e788] Merge tag 'arm-drivers-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit b4bc93bd76d4da32600795cd323c971f00a2e788 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9df1a3dd7eee401774d8c995e2335466dc8b2d3a3b92ad8de079b70fc7317c47 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #2: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #3: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #4: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #5: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #6: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #7: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #8: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #9: crashed: BUG: sleeping function called from invalid context in blk_release_queue # git bisect bad b4bc93bd76d4da32600795cd323c971f00a2e788 Bisecting: 1986 revisions left to test after this (roughly 11 steps) [3fe2f7446f1e029b220f7f650df6d138f91651f2] Merge tag 'sched-core-2022-03-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 3fe2f7446f1e029b220f7f650df6d138f91651f2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fbe4059d4fe97d767b7ecba9c3e73b5798daaa2606f9ba20cd0691194ba68910 all runs: crashed: BUG: sleeping function called from invalid context in blk_release_queue # git bisect bad 3fe2f7446f1e029b220f7f650df6d138f91651f2 Bisecting: 898 revisions left to test after this (roughly 10 steps) [b080cee72ef355669cbc52ff55dc513d37433600] Merge tag 'for-5.18/io_uring-statx-2022-03-18' of git://git.kernel.dk/linux-block testing commit b080cee72ef355669cbc52ff55dc513d37433600 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 901ce9e6da0e990fbc29d8ae6323732ddf5422ccd7d48eb92b8b52dd5271b0ac all runs: OK # git bisect good b080cee72ef355669cbc52ff55dc513d37433600 Bisecting: 420 revisions left to test after this (roughly 9 steps) [ad9c6ee642a61adae93dfa35582b5af16dc5173a] Merge tag 'spi-v5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi testing commit ad9c6ee642a61adae93dfa35582b5af16dc5173a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fbd67743b96cb20e9c2341fc57438961883a580f6fc2f744271b96523ab9850c all runs: crashed: BUG: sleeping function called from invalid context in blk_release_queue # git bisect bad ad9c6ee642a61adae93dfa35582b5af16dc5173a Bisecting: 261 revisions left to test after this (roughly 8 steps) [d347ee54a70e45c082ca7a373fbdf0c34109d575] Merge tag 'for-5.18/alloc-cleanups-2022-03-18' of git://git.kernel.dk/linux-block testing commit d347ee54a70e45c082ca7a373fbdf0c34109d575 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 53c8f0af563a85fc91b665c649b6c05d3b7d0e9156e8274b929df020f7e085fe all runs: crashed: BUG: sleeping function called from invalid context in blk_release_queue # git bisect bad d347ee54a70e45c082ca7a373fbdf0c34109d575 Bisecting: 107 revisions left to test after this (roughly 7 steps) [44f331a630bdc7c61de9c6760c4eec0133ee9f04] nvmet-tcp: replace ida_simple[get|remove] with the simler ida_[alloc|free] testing commit 44f331a630bdc7c61de9c6760c4eec0133ee9f04 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4769db302939fbc535f71ffa8272b50b4d4e3205fbca684ede4bce15aca71e1b all runs: OK # git bisect good 44f331a630bdc7c61de9c6760c4eec0133ee9f04 Bisecting: 53 revisions left to test after this (roughly 6 steps) [ae53aea611b7a532a52ba966281a8b7a8cfd008a] Merge tag 'nvme-5.18-2022-03-17' of git://git.infradead.org/nvme into for-5.18/drivers testing commit ae53aea611b7a532a52ba966281a8b7a8cfd008a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 998f79c6a72d066c4973ec8a8f725dd532fe0751469e37d10e7f875d942c188e all runs: OK # git bisect good ae53aea611b7a532a52ba966281a8b7a8cfd008a Bisecting: 26 revisions left to test after this (roughly 5 steps) [c76c46fa04c42f7d3a494c526ce5f030da36b553] sd: call sd_zbc_release_disk before releasing the scsi_device reference testing commit c76c46fa04c42f7d3a494c526ce5f030da36b553 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6a781701370fd6a4263976da620920ae2666ee7d99fb361827139aa49d0d1ad9 all runs: OK # git bisect good c76c46fa04c42f7d3a494c526ce5f030da36b553 Bisecting: 13 revisions left to test after this (roughly 4 steps) [6b2b04590b51aa4cf395fcd185ce439cab5961dc] block: don't merge across cgroup boundaries if blkcg is enabled testing commit 6b2b04590b51aa4cf395fcd185ce439cab5961dc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b22b07abff66d417c3c4b724702eaa4532b9b8c1633c859e09f155abc45df2ab all runs: OK # git bisect good 6b2b04590b51aa4cf395fcd185ce439cab5961dc Bisecting: 6 revisions left to test after this (roughly 3 steps) [616355cc818c6ddadc393fdfd4491f94458cb715] Merge tag 'for-5.18/block-2022-03-18' of git://git.kernel.dk/linux-block testing commit 616355cc818c6ddadc393fdfd4491f94458cb715 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c4558c20113d552ee8575df65b41eed54c4bb6e90166f2fa7773893321200687 all runs: crashed: BUG: sleeping function called from invalid context in blk_release_queue # git bisect bad 616355cc818c6ddadc393fdfd4491f94458cb715 Bisecting: 3 revisions left to test after this (roughly 2 steps) [572299f03afd676dd4e20669cdaf5ed0fe1379d4] block: limit request dispatch loop duration testing commit 572299f03afd676dd4e20669cdaf5ed0fe1379d4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5ee14612795b9aa65f368663fb96632ad80e5843217fa206f1c5b2bfea268daa run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 572299f03afd676dd4e20669cdaf5ed0fe1379d4 Bisecting: 1 revision left to test after this (roughly 1 step) [0a9a25ca78437b39e691bcc3dc8240455b803d8d] block: let blkcg_gq grab request queue's refcnt testing commit 0a9a25ca78437b39e691bcc3dc8240455b803d8d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 095e310a9478f93e5f0500a08153d3d32ad5d56eccbdda0302bbe95251933e6a run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #2: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #3: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #4: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #5: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #6: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #7: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #8: crashed: BUG: sleeping function called from invalid context in blk_release_queue run #9: crashed: BUG: sleeping function called from invalid context in blk_release_queue # git bisect bad 0a9a25ca78437b39e691bcc3dc8240455b803d8d Bisecting: 0 revisions left to test after this (roughly 0 steps) [ee37eddbfa9e0401f13a01691cf4bbbacd2d16c9] block: avoid use-after-free on throttle data testing commit ee37eddbfa9e0401f13a01691cf4bbbacd2d16c9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d39463ebab2349f046787239433f93b97a8f59ddc7d70ad1ac3477c698a87065 all runs: OK # git bisect good ee37eddbfa9e0401f13a01691cf4bbbacd2d16c9 0a9a25ca78437b39e691bcc3dc8240455b803d8d is the first bad commit commit 0a9a25ca78437b39e691bcc3dc8240455b803d8d Author: Ming Lei Date: Fri Mar 18 21:01:43 2022 +0800 block: let blkcg_gq grab request queue's refcnt In the whole lifetime of blkcg_gq instance, ->q will be referred, such as, ->pd_free_fn() is called in blkg_free, and throtl_pd_free() still may touch the request queue via &tg->service_queue.pending_timer which is handled by throtl_pending_timer_fn(), so it is reasonable to grab request queue's refcnt by blkcg_gq instance. Previously blkcg_exit_queue() is called from blk_release_queue, and it is hard to avoid the use-after-free. But recently commit 1059699f87eb ("block: move blkcg initialization/destroy into disk allocation/release handler") is merged to for-5.18/block, it becomes simple to fix the issue by simply grabbing request queue's refcnt. Reported-by: Christoph Hellwig Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20220318130144.1066064-3-ming.lei@redhat.com Signed-off-by: Jens Axboe block/blk-cgroup.c | 5 +++++ 1 file changed, 5 insertions(+) culprit signature: 095e310a9478f93e5f0500a08153d3d32ad5d56eccbdda0302bbe95251933e6a parent signature: d39463ebab2349f046787239433f93b97a8f59ddc7d70ad1ac3477c698a87065 revisions tested: 17, total time: 3h52m28.6584598s (build: 1h53m48.910687604s, test: 1h56m45.745062971s) first bad commit: 0a9a25ca78437b39e691bcc3dc8240455b803d8d block: let blkcg_gq grab request queue's refcnt recipients (to): ["axboe@kernel.dk" "linux-kernel@vger.kernel.org" "ming.lei@redhat.com"] recipients (cc): ["axboe@kernel.dk" "cgroups@vger.kernel.org" "linux-block@vger.kernel.org" "tj@kernel.org"] crash: BUG: sleeping function called from invalid context in blk_release_queue BUG: sleeping function called from invalid context at block/blk-sysfs.c:767 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 13, name: ksoftirqd/0 preempt_count: 100, expected: 0 RCU nest depth: 0, expected: 0 INFO: lockdep is turned off. Preemption disabled at: [] softirq_handle_begin kernel/softirq.c:396 [inline] [] __do_softirq+0xe1/0x9c2 kernel/softirq.c:534 CPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G W 5.17.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9573 blk_release_queue+0x21/0x2e0 block/blk-sysfs.c:767 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 blkg_free.part.0+0xde/0x1b0 block/blk-cgroup.c:86 rcu_do_batch kernel/rcu/tree.c:2527 [inline] rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x548/0x8c0 kernel/smpboot.c:164 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 BUG: sleeping function called from invalid context at block/blk-sysfs.c:767 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0 preempt_count: 101, expected: 0 RCU nest depth: 0, expected: 0 INFO: lockdep is turned off. Preemption disabled at: [] schedule_preempt_disabled+0x19/0x20 kernel/sched/core.c:6427 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.17.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9573 blk_release_queue+0x21/0x2e0 block/blk-sysfs.c:767 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 blkg_free.part.0+0xde/0x1b0 block/blk-cgroup.c:86 rcu_do_batch kernel/rcu/tree.c:2527 [inline] rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:cpuidle_enter_state+0x281/0xb40 drivers/cpuidle/cpuidle.c:271 Code: f2 06 00 00 49 8d 7d 01 48 ba 00 00 00 00 00 fc ff df 48 c1 e7 06 48 01 df 48 89 f9 48 c1 e9 03 80 3c 11 00 0f 85 ba 06 00 00 <4d> 89 ef 49 c1 e7 06 49 01 df 49 83 fd 09 49 8b 57 40 0f 87 7c 06 RSP: 0018:ffffffff8aa07de0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff8881463f8800 RCX: 1ffff11028c7f110 RDX: dffffc0000000000 RSI: ffffffff8942c2e0 RDI: ffff8881463f8880 RBP: ffffffff8b73d640 R08: 0000000000000000 R09: 0000000000000000 R10: fffffbfff194ac02 R11: 0000000000000001 R12: 0000000000103f3c R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881463f8804 cpuidle_enter+0x45/0xa0 drivers/cpuidle/cpuidle.c:351 call_cpuidle kernel/sched/idle.c:158 [inline] cpuidle_idle_call kernel/sched/idle.c:239 [inline] do_idle+0x3e8/0x590 kernel/sched/idle.c:306 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:403 start_kernel+0x33e/0x35c init/main.c:1138 secondary_startup_64_no_verify+0xc3/0xcb BUG: sleeping function called from invalid context at block/blk-sysfs.c:767 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 658, name: kworker/u4:4 preempt_count: 101, expected: 0 RCU nest depth: 0, expected: 0 INFO: lockdep is turned off. Preemption disabled at: [] on_each_cpu_cond_mask+0x2b/0x70 kernel/smp.c:1134 CPU: 0 PID: 658 Comm: kworker/u4:4 Tainted: G W 5.17.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 Workqueue: events_unbound toggle_allocation_gate Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9573 blk_release_queue+0x21/0x2e0 block/blk-sysfs.c:767 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 blkg_free.part.0+0xde/0x1b0 block/blk-cgroup.c:86 rcu_do_batch kernel/rcu/tree.c:2527 [inline] rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:_flat_send_IPI_mask+0x2d/0x60 arch/x86/kernel/apic/apic_flat_64.c:58 Code: ec 10 9c 58 fa 25 00 02 00 00 48 89 c3 75 1d ba 00 08 00 00 e8 e4 03 ff ff 9c 58 f6 c4 02 75 32 48 85 db 74 01 fb 48 83 c4 10 <5b> c3 89 74 24 0c 48 89 3c 24 e8 04 8d 44 00 8b 74 24 0c ba 00 08 RSP: 0018:ffffc9000301f9c0 EFLAGS: 00000286 RAX: 0000000000000046 RBX: 0000000000000200 RCX: 1ffffffff194b27d RDX: 0000000000000000 RSI: 00000000000000fb RDI: ffffffff812d5383 RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000000 R10: ffffed10173875aa R11: 0000000000000000 R12: 0000000000000001 R13: ffff8880b9d3e9c0 R14: 0000000000000000 R15: ffff8880b9c3ad50 smp_call_function_many_cond+0xab0/0xd30 kernel/smp.c:949 on_each_cpu_cond_mask+0x3f/0x70 kernel/smp.c:1135 on_each_cpu include/linux/smp.h:71 [inline] text_poke_sync arch/x86/kernel/alternative.c:1112 [inline] text_poke_bp_batch+0x440/0x520 arch/x86/kernel/alternative.c:1369 text_poke_flush arch/x86/kernel/alternative.c:1470 [inline] text_poke_flush arch/x86/kernel/alternative.c:1467 [inline] text_poke_finish+0x16/0x30 arch/x86/kernel/alternative.c:1477 arch_jump_label_transform_apply+0x13/0x20 arch/x86/kernel/jump_label.c:146 static_key_disable_cpuslocked+0x100/0x160 kernel/jump_label.c:207 static_key_disable+0x11/0x20 kernel/jump_label.c:215 toggle_allocation_gate mm/kfence/core.c:748 [inline] toggle_allocation_gate+0x154/0x310 mm/kfence/core.c:726 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 BUG: sleeping function called from invalid context at block/blk-sysfs.c:767 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0 preempt_count: 101, expected: 0 RCU nest depth: 0, expected: 0 INFO: lockdep is turned off. Preemption disabled at: [] schedule_preempt_disabled+0x19/0x20 kernel/sched/core.c:6427 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.17.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __might_resched.cold+0x222/0x26b kernel/sched/core.c:9573 blk_release_queue+0x21/0x2e0 block/blk-sysfs.c:767 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 blkg_free.part.0+0xde/0x1b0 block/blk-cgroup.c:86 rcu_do_batch kernel/rcu/tree.c:2527 [inline] rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline] RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline] RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] RIP: 0010:acpi_idle_do_entry+0x15e/0x1c0 drivers/acpi/processor_idle.c:551 Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 6a 48 8b 45 00 a8 08 75 c9 e8 cd 8e eb f8 eb 07 0f 00 2d 24 c8 c6 00 fb f4 <9c> 58 fa f6 c4 02 74 b1 5d e9 44 8b eb f8 48 89 ef 5d e9 ab f9 ff RSP: 0018:ffffffff8aa07d88 EFLAGS: 00000246 RAX: 0000000000000007 RBX: ffff888014d9f065 RCX: 1ffffffff194b27d RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff88865513 RBP: ffffffff8aabb480 R08: 0000000000000000 R09: 0000000000000000 ---------------- Code disassembly (best guess): 0: f2 06 repnz (bad) 2: 00 00 add %al,(%rax) 4: 49 8d 7d 01 lea 0x1(%r13),%rdi 8: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx f: fc ff df 12: 48 c1 e7 06 shl $0x6,%rdi 16: 48 01 df add %rbx,%rdi 19: 48 89 f9 mov %rdi,%rcx 1c: 48 c1 e9 03 shr $0x3,%rcx 20: 80 3c 11 00 cmpb $0x0,(%rcx,%rdx,1) 24: 0f 85 ba 06 00 00 jne 0x6e4 * 2a: 4d 89 ef mov %r13,%r15 <-- trapping instruction 2d: 49 c1 e7 06 shl $0x6,%r15 31: 49 01 df add %rbx,%r15 34: 49 83 fd 09 cmp $0x9,%r13 38: 49 8b 57 40 mov 0x40(%r15),%rdx 3c: 0f .byte 0xf 3d: 87 .byte 0x87 3e: 7c 06 jl 0x46