bisecting cause commit starting from 1609d7604b847a9820e63393d1a3b6cac7286d40 building syzkaller on 32d593576a7ee67f588218d3a44a0b69fe31b0a0 testing commit 1609d7604b847a9820e63393d1a3b6cac7286d40 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start v5.1 v5.0 Bisecting: 7074 revisions left to test after this (roughly 13 steps) [b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew) testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del # git bisect bad b5dd0c658c31b469ccff1b637e5124851e7a4a1c Bisecting: 3569 revisions left to test after this (roughly 12 steps) [3478588b5136966c80c571cf0006f08e9e5b8f04] Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 3478588b5136966c80c571cf0006f08e9e5b8f04 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del # git bisect bad 3478588b5136966c80c571cf0006f08e9e5b8f04 Bisecting: 1673 revisions left to test after this (roughly 11 steps) [1a2566085650be593d464c4d73ac2d20ff67c058] Merge tag 'wireless-drivers-next-for-davem-2019-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 1a2566085650be593d464c4d73ac2d20ff67c058 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del # git bisect bad 1a2566085650be593d464c4d73ac2d20ff67c058 Bisecting: 920 revisions left to test after this (roughly 10 steps) [deedf1feb255c7a390309f615e50de37cb82fb61] r8169: Avoid pointer aliasing testing commit deedf1feb255c7a390309f615e50de37cb82fb61 with gcc (GCC) 8.1.0 all runs: OK # git bisect good deedf1feb255c7a390309f615e50de37cb82fb61 Bisecting: 460 revisions left to test after this (roughly 9 steps) [8b58d12f4ae1a10037b824b1fb409cf424d6aaac] net: sched: cgroup: verify that filter is not NULL during walk testing commit 8b58d12f4ae1a10037b824b1fb409cf424d6aaac with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del # git bisect bad 8b58d12f4ae1a10037b824b1fb409cf424d6aaac Bisecting: 229 revisions left to test after this (roughly 8 steps) [54daaca7024d5419dad64db8a3e65f6b38f24b7f] s390/qeth: cancel cmd on early error testing commit 54daaca7024d5419dad64db8a3e65f6b38f24b7f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 54daaca7024d5419dad64db8a3e65f6b38f24b7f Bisecting: 114 revisions left to test after this (roughly 7 steps) [fa8ba2cba7f9c75b84f82d174658d959d25d4561] lib: objagg: fix handling of object with 0 users when assembling hints testing commit fa8ba2cba7f9c75b84f82d174658d959d25d4561 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del # git bisect bad fa8ba2cba7f9c75b84f82d174658d959d25d4561 Bisecting: 58 revisions left to test after this (roughly 6 steps) [e7c2e3b570442d2a50d43ba0da951329ed0c3c19] test_objagg: Uninitialized variable in error handling testing commit e7c2e3b570442d2a50d43ba0da951329ed0c3c19 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del # git bisect bad e7c2e3b570442d2a50d43ba0da951329ed0c3c19 Bisecting: 27 revisions left to test after this (roughly 5 steps) [fd80a14363eec09cef018dc8a1074efc298a0a07] staging: fsl-dpaa2: ethsw: Remove unused port_priv variable testing commit fd80a14363eec09cef018dc8a1074efc298a0a07 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del # git bisect bad fd80a14363eec09cef018dc8a1074efc298a0a07 Bisecting: 13 revisions left to test after this (roughly 4 steps) [ed76f5edccc98fa66f2337f0b3b255d6e1a568b7] net: sched: protect filter_chain list with filter_chain_lock mutex testing commit ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in tcf_chain0_head_change_cb_del # git bisect bad ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 Bisecting: 6 revisions left to test after this (roughly 3 steps) [b67de691f60b471401798498c1bc68e63b00708d] isdn_v110: mark expected switch fall-through testing commit b67de691f60b471401798498c1bc68e63b00708d with gcc (GCC) 8.1.0 all runs: OK # git bisect good b67de691f60b471401798498c1bc68e63b00708d Bisecting: 3 revisions left to test after this (roughly 2 steps) [2cbfab07c69657a5a60323f86143f4ce8a829fa9] net: sched: refactor tc_ctl_chain() to use block->lock testing commit 2cbfab07c69657a5a60323f86143f4ce8a829fa9 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in __tcf_block_put # git bisect bad 2cbfab07c69657a5a60323f86143f4ce8a829fa9 Bisecting: 0 revisions left to test after this (roughly 1 step) [91052fa1c657d83d570a3ab0ca0ddf87713b5cc8] net: sched: protect chain->explicitly_created with block->lock testing commit 91052fa1c657d83d570a3ab0ca0ddf87713b5cc8 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in __tcf_block_put # git bisect bad 91052fa1c657d83d570a3ab0ca0ddf87713b5cc8 Bisecting: 0 revisions left to test after this (roughly 0 steps) [c266f64dbfa2a970a13b0574246c0ddfec492365] net: sched: protect block state with mutex testing commit c266f64dbfa2a970a13b0574246c0ddfec492365 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in __tcf_block_put # git bisect bad c266f64dbfa2a970a13b0574246c0ddfec492365 c266f64dbfa2a970a13b0574246c0ddfec492365 is the first bad commit commit c266f64dbfa2a970a13b0574246c0ddfec492365 Author: Vlad Buslov Date: Mon Feb 11 10:55:32 2019 +0200 net: sched: protect block state with mutex Currently, tcf_block doesn't use any synchronization mechanisms to protect critical sections that manage lifetime of its chains. block->chain_list and multiple variables in tcf_chain that control its lifetime assume external synchronization provided by global rtnl lock. Converting chain reference counting to atomic reference counters is not possible because cls API uses multiple counters and flags to control chain lifetime, so all of them must be synchronized in chain get/put code. Use single per-block lock to protect block data and manage lifetime of all chains on the block. Always take block->lock when accessing chain_list. Chain get and put modify chain lifetime-management data and parent block's chain_list, so take the lock in these functions. Verify block->lock state with assertions in functions that expect to be called with the lock taken and are called from multiple places. Take block->lock when accessing filter_chain_list. In order to allow parallel update of rules on single block, move all calls to classifiers outside of critical sections protected by new block->lock. Rearrange chain get and put functions code to only access protected chain data while holding block lock: - Rearrange code to only access chain reference counter and chain action reference counter while holding block lock. - Extract code that requires block->lock from tcf_chain_destroy() into standalone tcf_chain_destroy() function that is called by __tcf_chain_put() in same critical section that changes chain reference counters. Signed-off-by: Vlad Buslov Acked-by: Jiri Pirko Signed-off-by: David S. Miller :040000 040000 8bfd913b216f5e2828979b0cddbcae68f327de7e 473cd87f8f3a90727c0834e83c5a9cda779c0ecd M include :040000 040000 890efad0cbb59df1d5adb87df30ff1f9f5172d21 2453ec4723e7af19e88abf3d069d713bbaac3943 M net revisions tested: 18, total time: 3h12m54.602352595s (build: 1h38m0.085934077s, test: 1h29m32.326545774s) first bad commit: c266f64dbfa2a970a13b0574246c0ddfec492365 net: sched: protect block state with mutex cc: ["davem@davemloft.net" "jhs@mojatatu.com" "jiri@mellanox.com" "jiri@resnulli.us" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "vladbu@mellanox.com" "xiyou.wangcong@gmail.com"] crash: BUG: sleeping function called from invalid context in __tcf_block_put IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready 8021q: adding VLAN 0 to HW filter on device batadv0 BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 in_atomic(): 1, irqs_disabled(): 0, pid: 7148, name: syz-executor.5 2 locks held by syz-executor.5/7148: #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:76 [inline] #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x301/0x8f0 net/core/rtnetlink.c:5189 #1: 00000000c0de33e4 (&(&sch->q.lock)->rlock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline] #1: 00000000c0de33e4 (&(&sch->q.lock)->rlock){+...}, at: sch_tree_lock include/net/sch_generic.h:505 [inline] #1: 00000000c0de33e4 (&(&sch->q.lock)->rlock){+...}, at: sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 Preemption disabled at: [] spin_lock_bh include/linux/spinlock.h:334 [inline] [] sch_tree_lock include/net/sch_generic.h:505 [inline] [] sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 CPU: 0 PID: 7148 Comm: syz-executor.5 Not tainted 5.0.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6161 __might_sleep+0x95/0x190 kernel/sched/core.c:6114 __mutex_lock_common kernel/locking/mutex.c:908 [inline] __mutex_lock+0xc7/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 refcount_dec_and_mutex_lock+0x29/0x50 lib/refcount.c:311 __tcf_block_put+0x29/0x5e0 net/sched/cls_api.c:895 tcf_block_put_ext.part.51+0x57/0x70 net/sched/cls_api.c:1193 tcf_block_put_ext net/sched/cls_api.c:1188 [inline] tcf_block_put+0xae/0xf0 net/sched/cls_api.c:1203 sfb_destroy+0x32/0x70 net/sched/sch_sfb.c:471 qdisc_destroy+0xe4/0x610 net/sched/sch_generic.c:977 qdisc_put+0x47/0x60 net/sched/sch_generic.c:1001 sfb_change+0x270/0xb20 net/sched/sch_sfb.c:526 qdisc_change net/sched/sch_api.c:1314 [inline] tc_modify_qdisc+0xc31/0x1950 net/sched/sch_api.c:1616 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:5192 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2485 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5210 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x43f/0x630 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1925 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:631 ___sys_sendmsg+0x647/0x950 net/socket.c:2136 __sys_sendmsg+0xd9/0x180 net/socket.c:2174 __do_sys_sendmsg net/socket.c:2183 [inline] __se_sys_sendmsg net/socket.c:2181 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2181 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4598e9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f237013cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000007 RBP: 000000000075c118 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f237013d6d4 R13: 00000000004c77fb R14: 00000000004dd098 R15: 00000000ffffffff BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 in_atomic(): 1, irqs_disabled(): 0, pid: 7192, name: syz-executor.0 2 locks held by syz-executor.0/7192: #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:76 [inline] #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x301/0x8f0 net/core/rtnetlink.c:5189 #1: 00000000fab55196 (&(&sch->q.lock)->rlock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline] #1: 00000000fab55196 (&(&sch->q.lock)->rlock){+...}, at: sch_tree_lock include/net/sch_generic.h:505 [inline] #1: 00000000fab55196 (&(&sch->q.lock)->rlock){+...}, at: sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 Preemption disabled at: [] spin_lock_bh include/linux/spinlock.h:334 [inline] [] sch_tree_lock include/net/sch_generic.h:505 [inline] [] sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 CPU: 0 PID: 7192 Comm: syz-executor.0 Tainted: G W 5.0.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6161 __might_sleep+0x95/0x190 kernel/sched/core.c:6114 __mutex_lock_common kernel/locking/mutex.c:908 [inline] __mutex_lock+0xc7/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 refcount_dec_and_mutex_lock+0x29/0x50 lib/refcount.c:311 __tcf_block_put+0x29/0x5e0 net/sched/cls_api.c:895 tcf_block_put_ext.part.51+0x57/0x70 net/sched/cls_api.c:1193 tcf_block_put_ext net/sched/cls_api.c:1188 [inline] tcf_block_put+0xae/0xf0 net/sched/cls_api.c:1203 sfb_destroy+0x32/0x70 net/sched/sch_sfb.c:471 qdisc_destroy+0xe4/0x610 net/sched/sch_generic.c:977 qdisc_put+0x47/0x60 net/sched/sch_generic.c:1001 sfb_change+0x270/0xb20 net/sched/sch_sfb.c:526 qdisc_change net/sched/sch_api.c:1314 [inline] tc_modify_qdisc+0xc31/0x1950 net/sched/sch_api.c:1616 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:5192 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2485 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5210 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x43f/0x630 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1925 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:631 ___sys_sendmsg+0x647/0x950 net/socket.c:2136 __sys_sendmsg+0xd9/0x180 net/socket.c:2174 __do_sys_sendmsg net/socket.c:2183 [inline] __se_sys_sendmsg net/socket.c:2181 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2181 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4598e9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fb0eacc0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000007 RBP: 000000000075c118 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb0eacc16d4 R13: 00000000004c77fb R14: 00000000004dd098 R15: 00000000ffffffff BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 in_atomic(): 1, irqs_disabled(): 0, pid: 7241, name: syz-executor.2 2 locks held by syz-executor.2/7241: #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:76 [inline] #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x301/0x8f0 net/core/rtnetlink.c:5189 #1: 00000000ce2672a5 (&(&sch->q.lock)->rlock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline] #1: 00000000ce2672a5 (&(&sch->q.lock)->rlock){+...}, at: sch_tree_lock include/net/sch_generic.h:505 [inline] #1: 00000000ce2672a5 (&(&sch->q.lock)->rlock){+...}, at: sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 Preemption disabled at: [] spin_lock_bh include/linux/spinlock.h:334 [inline] [] sch_tree_lock include/net/sch_generic.h:505 [inline] [] sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 CPU: 1 PID: 7241 Comm: syz-executor.2 Tainted: G W 5.0.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6161 __might_sleep+0x95/0x190 kernel/sched/core.c:6114 __mutex_lock_common kernel/locking/mutex.c:908 [inline] __mutex_lock+0xc7/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 refcount_dec_and_mutex_lock+0x29/0x50 lib/refcount.c:311 __tcf_block_put+0x29/0x5e0 net/sched/cls_api.c:895 tcf_block_put_ext.part.51+0x57/0x70 net/sched/cls_api.c:1193 tcf_block_put_ext net/sched/cls_api.c:1188 [inline] tcf_block_put+0xae/0xf0 net/sched/cls_api.c:1203 sfb_destroy+0x32/0x70 net/sched/sch_sfb.c:471 qdisc_destroy+0xe4/0x610 net/sched/sch_generic.c:977 qdisc_put+0x47/0x60 net/sched/sch_generic.c:1001 sfb_change+0x270/0xb20 net/sched/sch_sfb.c:526 qdisc_change net/sched/sch_api.c:1314 [inline] tc_modify_qdisc+0xc31/0x1950 net/sched/sch_api.c:1616 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:5192 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2485 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5210 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x43f/0x630 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1925 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:631 ___sys_sendmsg+0x647/0x950 net/socket.c:2136 __sys_sendmsg+0xd9/0x180 net/socket.c:2174 __do_sys_sendmsg net/socket.c:2183 [inline] __se_sys_sendmsg net/socket.c:2181 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2181 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4598e9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fb00f5f4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000007 RBP: 000000000075c118 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb00f5f56d4 R13: 00000000004c77fb R14: 00000000004dd098 R15: 00000000ffffffff BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 in_atomic(): 1, irqs_disabled(): 0, pid: 7333, name: syz-executor.3 2 locks held by syz-executor.3/7333: #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:76 [inline] #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x301/0x8f0 net/core/rtnetlink.c:5189 #1: 00000000d5a7c725 (&(&sch->q.lock)->rlock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline] #1: 00000000d5a7c725 (&(&sch->q.lock)->rlock){+...}, at: sch_tree_lock include/net/sch_generic.h:505 [inline] #1: 00000000d5a7c725 (&(&sch->q.lock)->rlock){+...}, at: sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 Preemption disabled at: [] spin_lock_bh include/linux/spinlock.h:334 [inline] [] sch_tree_lock include/net/sch_generic.h:505 [inline] [] sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 CPU: 1 PID: 7333 Comm: syz-executor.3 Tainted: G W 5.0.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6161 __might_sleep+0x95/0x190 kernel/sched/core.c:6114 __mutex_lock_common kernel/locking/mutex.c:908 [inline] __mutex_lock+0xc7/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 refcount_dec_and_mutex_lock+0x29/0x50 lib/refcount.c:311 __tcf_block_put+0x29/0x5e0 net/sched/cls_api.c:895 tcf_block_put_ext.part.51+0x57/0x70 net/sched/cls_api.c:1193 tcf_block_put_ext net/sched/cls_api.c:1188 [inline] tcf_block_put+0xae/0xf0 net/sched/cls_api.c:1203 sfb_destroy+0x32/0x70 net/sched/sch_sfb.c:471 qdisc_destroy+0xe4/0x610 net/sched/sch_generic.c:977 qdisc_put+0x47/0x60 net/sched/sch_generic.c:1001 sfb_change+0x270/0xb20 net/sched/sch_sfb.c:526 qdisc_change net/sched/sch_api.c:1314 [inline] tc_modify_qdisc+0xc31/0x1950 net/sched/sch_api.c:1616 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:5192 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2485 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5210 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x43f/0x630 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1925 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:631 ___sys_sendmsg+0x647/0x950 net/socket.c:2136 __sys_sendmsg+0xd9/0x180 net/socket.c:2174 __do_sys_sendmsg net/socket.c:2183 [inline] __se_sys_sendmsg net/socket.c:2181 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2181 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4598e9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fbd0dbb1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000007 RBP: 000000000075c1c0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbd0dbb26d4 R13: 00000000004c77fb R14: 00000000004dd098 R15: 00000000ffffffff BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 in_atomic(): 1, irqs_disabled(): 0, pid: 7374, name: syz-executor.5 2 locks held by syz-executor.5/7374: #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:76 [inline] #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x301/0x8f0 net/core/rtnetlink.c:5189 #1: 00000000ea9038c2 (&(&sch->q.lock)->rlock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline] #1: 00000000ea9038c2 (&(&sch->q.lock)->rlock){+...}, at: sch_tree_lock include/net/sch_generic.h:505 [inline] #1: 00000000ea9038c2 (&(&sch->q.lock)->rlock){+...}, at: sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 Preemption disabled at: [] spin_lock_bh include/linux/spinlock.h:334 [inline] [] sch_tree_lock include/net/sch_generic.h:505 [inline] [] sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 CPU: 0 PID: 7374 Comm: syz-executor.5 Tainted: G W 5.0.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6161 __might_sleep+0x95/0x190 kernel/sched/core.c:6114 __mutex_lock_common kernel/locking/mutex.c:908 [inline] __mutex_lock+0xc7/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 refcount_dec_and_mutex_lock+0x29/0x50 lib/refcount.c:311 __tcf_block_put+0x29/0x5e0 net/sched/cls_api.c:895 tcf_block_put_ext.part.51+0x57/0x70 net/sched/cls_api.c:1193 tcf_block_put_ext net/sched/cls_api.c:1188 [inline] tcf_block_put+0xae/0xf0 net/sched/cls_api.c:1203 sfb_destroy+0x32/0x70 net/sched/sch_sfb.c:471 qdisc_destroy+0xe4/0x610 net/sched/sch_generic.c:977 qdisc_put+0x47/0x60 net/sched/sch_generic.c:1001 sfb_change+0x270/0xb20 net/sched/sch_sfb.c:526 qdisc_change net/sched/sch_api.c:1314 [inline] tc_modify_qdisc+0xc31/0x1950 net/sched/sch_api.c:1616 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:5192 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2485 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5210 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x43f/0x630 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1925 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:631 ___sys_sendmsg+0x647/0x950 net/socket.c:2136 __sys_sendmsg+0xd9/0x180 net/socket.c:2174 __do_sys_sendmsg net/socket.c:2183 [inline] __se_sys_sendmsg net/socket.c:2181 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2181 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4598e9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f237013cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000007 RBP: 000000000075c118 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f237013d6d4 R13: 00000000004c77fb R14: 00000000004dd098 R15: 00000000ffffffff BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 in_atomic(): 1, irqs_disabled(): 0, pid: 7441, name: syz-executor.3 2 locks held by syz-executor.3/7441: #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:76 [inline] #0: 0000000060b6dcca (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x301/0x8f0 net/core/rtnetlink.c:5189 #1: 0000000042c37553 (&(&sch->q.lock)->rlock){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline] #1: 0000000042c37553 (&(&sch->q.lock)->rlock){+...}, at: sch_tree_lock include/net/sch_generic.h:505 [inline] #1: 0000000042c37553 (&(&sch->q.lock)->rlock){+...}, at: sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 Preemption disabled at: [] spin_lock_bh include/linux/spinlock.h:334 [inline] [] sch_tree_lock include/net/sch_generic.h:505 [inline] [] sfb_change+0x1b2/0xb20 net/sched/sch_sfb.c:522 CPU: 1 PID: 7441 Comm: syz-executor.3 Tainted: G W 5.0.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6161 __might_sleep+0x95/0x190 kernel/sched/core.c:6114 __mutex_lock_common kernel/locking/mutex.c:908 [inline] __mutex_lock+0xc7/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 refcount_dec_and_mutex_lock+0x29/0x50 lib/refcount.c:311 __tcf_block_put+0x29/0x5e0 net/sched/cls_api.c:895 tcf_block_put_ext.part.51+0x57/0x70 net/sched/cls_api.c:1193 tcf_block_put_ext net/sched/cls_api.c:1188 [inline] tcf_block_put+0xae/0xf0 net/sched/cls_api.c:1203 sfb_destroy+0x32/0x70 net/sched/sch_sfb.c:471 qdisc_destroy+0xe4/0x610 net/sched/sch_generic.c:977 qdisc_put+0x47/0x60 net/sched/sch_generic.c:1001 sfb_change+0x270/0xb20 net/sched/sch_sfb.c:526 qdisc_change net/sched/sch_api.c:1314 [inline] tc_modify_qdisc+0xc31/0x1950 net/sched/sch_api.c:1616 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:5192 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2485 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5210 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x43f/0x630 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1925 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:631 ___sys_sendmsg+0x647/0x950 net/socket.c:2136 __sys_sendmsg+0xd9/0x180 net/socket.c:2174 __do_sys_sendmsg net/socket.c:2183 [inline] __se_sys_sendmsg net/socket.c:2181 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2181 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4598e9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fbd0dbd2c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000007 RBP: 000000000075c118 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbd0dbd36d4 R13: 00000000004c77fb R14: 00000000004dd098 R15: 00000000ffffffff