ci2 starts bisection 2024-08-09 07:25:38.237125256 +0000 UTC m=+57919.781277448
bisecting fixing commit since 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9
building syzkaller on edc5149ad2ab7a38db6b3bcb1b594e0264a92163
ensuring issue is reproducible on original commit 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9
testing commit 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e148efd07bcbdffe46781c6ca326a9dd0851e5ed9105fae27aa0f239a27d86cd
run #0: infra problem: failed to delete instance: googleapi: Error 503: Authentication backend unavailable., backendError
run #1: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #2: crashed: UBSAN: array-index-out-of-bounds in bpf_bprintf_prepare
run #3: crashed: BUG: scheduling while atomic in text_poke_set
run #4: crashed: BUG: scheduling while atomic in do_task_dead
run #5: crashed: BUG: scheduling while atomic in synchronize_rcu_expedited
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #10: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #11: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #12: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #13: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #14: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #15: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #16: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #17: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #18: crashed: BUG: scheduling while atomic in text_poke_set
run #19: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in text_poke_set, types: [ATOMIC_SLEEP UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6ae7e5f65ea79d8f36108c7d8705f9902cb50f8f4acb83b4c1503f8381462647
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #1: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #2: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #3: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #5: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #7: crashed: BUG: scheduling while atomic in text_poke_set
run #8: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
representative crash: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP HANG], they are not needed
kconfig minimization: base=5179 full=6493 leaves diff=257
split chunks (needed=false): <257>
split chunk #0 of len 257 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ed3dc0e16ea4cf9b58abbe049d0e3c6362496ce04168626280f406d48829e0b0
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in synchronize_rcu_expedited
run #3: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #8: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 116398ad985b66e1cd5ba08f3d67acc280c6b397c5c42f66d1e68863153e8731
run #0: crashed: BUG: scheduling while atomic in text_poke_set
run #1: crashed: BUG: scheduling while atomic in text_poke_set
run #2: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #3: crashed: BUG: scheduling while atomic in text_poke_set
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #7: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #8: crashed: BUG: scheduling while atomic in text_poke_set
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
representative crash: BUG: scheduling while atomic in text_poke_set, types: [ATOMIC_SLEEP UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8aea65418a4641b7f3f9645ded81bc16457ca8d91dfbb42e3a6e750609a0dcfb
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #1: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #2: crashed: BUG: scheduling while atomic in text_poke_set
run #3: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #4: crashed: BUG: scheduling while atomic in bpf_prog_pack_free
run #5: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #6: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #7: crashed: BUG: scheduling while atomic in text_poke_set
run #8: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
representative crash: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred, types: [UNKNOWN ATOMIC_SLEEP]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [KASAN LOCKDEP HANG LEAK UBSAN BUG], they are not needed
testing commit 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6d557de89e62a62f4b486e3bb967058353a2aefe0768da1491b444758ce5375f
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #1: crashed: BUG: scheduling while atomic in bpf_prog_pack_free
run #2: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #3: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #4: crashed: BUG: scheduling while atomic in text_poke_set
run #5: crashed: BUG: scheduling while atomic in text_poke_set
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #8: crashed: BUG: workqueue leaked lock or atomic in free_work
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
representative crash: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred, types: [UNKNOWN ATOMIC_SLEEP]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG KASAN LOCKDEP HANG LEAK], they are not needed
testing commit 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9:
net/socket.c:1245: undefined reference to `wext_handle_ioctl'
net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 49 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP HANG], they are not needed
testing current HEAD be8ff39d2e99dcd594447dea26ed70d7e9ecced6
testing commit be8ff39d2e99dcd594447dea26ed70d7e9ecced6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 23c4f8f3d2ad716f28c5ce614c3f936f4fa5fa62002c6e6a6a6e4ce249a3f2be
all runs: OK
false negative chance: 0.000
# git bisect start be8ff39d2e99dcd594447dea26ed70d7e9ecced6 1a72e2f692ac431f98e13d30ff78bf70b6d9a8d9
Bisecting: 1032 revisions left to test after this (roughly 10 steps)
[aaa8e143bfe14c0c08512d3eb94ef38285251045] RDMA/device: Fix a race between mad_client and cm_client init
determine whether the revision contains the guilty commit
checking the merge base 8b4118fabd6eb75fed19483b04dab3a036886489
no existing result, test the revision
testing commit 8b4118fabd6eb75fed19483b04dab3a036886489 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6e0fade012daa29ffab1196756ef86fee0539cafb5e9ddd289fc2450ad07e5c2
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #2: crashed: BUG: scheduling while atomic in text_poke_copy
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: workqueue lockup
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP UNKNOWN]
testing commit aaa8e143bfe14c0c08512d3eb94ef38285251045 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 704b4b369311dc44e09fb0a4aae0fc2edd718f4ddb3a29b26f6aa86f2c4d1e8c
all runs: OK
false negative chance: 0.000
# git bisect bad aaa8e143bfe14c0c08512d3eb94ef38285251045
Bisecting: 516 revisions left to test after this (roughly 9 steps)
[c577208f81c9ddbc5ab1418bfe810680a671fa84] x86/boot/compressed: Move efi32_pe_entry into .text section
determine whether the revision contains the guilty commit
revision 8b4118fabd6eb75fed19483b04dab3a036886489 crashed and is reachable
testing commit c577208f81c9ddbc5ab1418bfe810680a671fa84 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7aedc7c9929740768e7af451a9e1f54f7fb1c33d6a97aaf1093cb56484871701
all runs: OK
false negative chance: 0.000
# git bisect bad c577208f81c9ddbc5ab1418bfe810680a671fa84
Bisecting: 257 revisions left to test after this (roughly 8 steps)
[f9eef0e495159b83e46bddd9e2409ad81b2f5f96] nvmet-fc: take ref count on tgtport before delete assoc
determine whether the revision contains the guilty commit
revision 8b4118fabd6eb75fed19483b04dab3a036886489 crashed and is reachable
testing commit f9eef0e495159b83e46bddd9e2409ad81b2f5f96 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d95a92f3c017c946e09f5914628d432131190f263ae3d60d987a0865f7cb5c0e
all runs: OK
false negative chance: 0.000
# git bisect bad f9eef0e495159b83e46bddd9e2409ad81b2f5f96
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[eae748df18ed25fc155964a51a1533eea29baae7] io_uring/net: fix multishot accept overflow handling
determine whether the revision contains the guilty commit
revision 8b4118fabd6eb75fed19483b04dab3a036886489 crashed and is reachable
testing commit eae748df18ed25fc155964a51a1533eea29baae7 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7a4b1a816a209593cb20a2a8614acfdab7d9fd2ca7f39d3a2df426e637af11a9
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in text_poke_copy
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]
# git bisect good eae748df18ed25fc155964a51a1533eea29baae7
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[95b7476f6f68d725c474e3348e89436b0abde62a] bpf: Do cleanup in bpf_bprintf_cleanup only when needed
determine whether the revision contains the guilty commit
revision eae748df18ed25fc155964a51a1533eea29baae7 crashed and is reachable
testing commit 95b7476f6f68d725c474e3348e89436b0abde62a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 351e825b8579fda376b9e58dba0149841e37e26452d4504dc5ec4a404930b60e
all runs: OK
false negative chance: 0.000
# git bisect bad 95b7476f6f68d725c474e3348e89436b0abde62a
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed] can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
determine whether the revision contains the guilty commit
revision 8b4118fabd6eb75fed19483b04dab3a036886489 crashed and is reachable
testing commit 4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad76976de68f9cfba4fe8e7e0d95f75ec1018b9a9f2f64ae6361a653ab4e4d58
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]
# git bisect good 4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[c0e41c8756eff4a1d2101b58e436237cd7e0a31b] arm64: dts: qcom: sdm845: fix USB SS wakeup
determine whether the revision contains the guilty commit
revision eae748df18ed25fc155964a51a1533eea29baae7 crashed and is reachable
testing commit c0e41c8756eff4a1d2101b58e436237cd7e0a31b gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dc1b32de70db34d1a51b0a7e4809701e024a18d4b1b6aca1ed27a39cefdb3434
run #0: crashed: BUG: scheduling while atomic in synchronize_rcu_expedited
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in synchronize_rcu_expedited, types: [ATOMIC_SLEEP]
# git bisect good c0e41c8756eff4a1d2101b58e436237cd7e0a31b
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[e4cf8941664cae2f89f0189c29fe2ce8c6be0d03] nfsd: fix RELEASE_LOCKOWNER
determine whether the revision contains the guilty commit
revision 8b4118fabd6eb75fed19483b04dab3a036886489 crashed and is reachable
testing commit e4cf8941664cae2f89f0189c29fe2ce8c6be0d03 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: de8d14fee21854ae9d6555d02bf289476e62ae8faa91ad4a34278da961aa4317
run #0: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
run #1: crashed: BUG: workqueue leaked lock or atomic in bpf_map_free_deferred
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]
# git bisect good e4cf8941664cae2f89f0189c29fe2ce8c6be0d03
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1ae3c59355dc9882e09c020afe8ffbd895ad0f29] smb: client: fix potential OOBs in smb2_parse_contexts()
determine whether the revision contains the guilty commit
revision 8b4118fabd6eb75fed19483b04dab3a036886489 crashed and is reachable
testing commit 1ae3c59355dc9882e09c020afe8ffbd895ad0f29 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 026ed336da8be69d771afadee34560642048ab37bd6bafb1f47db7a4ca957f67
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in text_poke_copy
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]
# git bisect good 1ae3c59355dc9882e09c020afe8ffbd895ad0f29
Bisecting: 1 revision left to test after this (roughly 1 step)
[989b0ff35fe5fc9652ee5bafbe8483db6f27b137] net: prevent mss overflow in skb_segment()
determine whether the revision contains the guilty commit
revision c0e41c8756eff4a1d2101b58e436237cd7e0a31b crashed and is reachable
testing commit 989b0ff35fe5fc9652ee5bafbe8483db6f27b137 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 74752cde2a951dff81e3773a30c50bb0c44842e85d7e7721548ccfe4afeac767
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in do_task_dead
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: workqueue leaked lock or atomic in bpf_prog_free_deferred
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]
# git bisect good 989b0ff35fe5fc9652ee5bafbe8483db6f27b137
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f7bbad9561f32dda2c13f6c4d0ca77d301f1c123] bpf: Add struct for bin_args arg in bpf_bprintf_prepare
determine whether the revision contains the guilty commit
revision c0e41c8756eff4a1d2101b58e436237cd7e0a31b crashed and is reachable
testing commit f7bbad9561f32dda2c13f6c4d0ca77d301f1c123 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5582d3470dd2efa39d817eac82b8626d1a0b658163cc531b4eabf8d6f57f5480
run #0: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #1: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #2: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #3: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #4: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #5: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #6: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #7: crashed: BUG: scheduling while atomic in do_epoll_wait
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
run #9: crashed: BUG: scheduling while atomic in exit_to_user_mode_loop
representative crash: BUG: scheduling while atomic in exit_to_user_mode_loop, types: [ATOMIC_SLEEP]
# git bisect good f7bbad9561f32dda2c13f6c4d0ca77d301f1c123
95b7476f6f68d725c474e3348e89436b0abde62a is the first bad commit
commit 95b7476f6f68d725c474e3348e89436b0abde62a
Author: Jiri Olsa
Date: Thu Dec 15 22:44:29 2022 +0100

    bpf: Do cleanup in bpf_bprintf_cleanup only when needed

    commit f19a4050455aad847fb93f18dc1fe502eb60f989 upstream.

    Currently we always cleanup/decrement bpf_bprintf_nest_level variable
    in bpf_bprintf_cleanup if it's > 0.

    There's possible scenario where this could cause a problem, when
    bpf_bprintf_prepare does not get bin_args buffer (because num_args is 0)
    and following bpf_bprintf_cleanup call decrements bpf_bprintf_nest_level
    variable, like:

      in task context:
        bpf_bprintf_prepare(num_args != 0) increments 'bpf_bprintf_nest_level = 1'
        -> first irq :
           bpf_bprintf_prepare(num_args == 0)
           bpf_bprintf_cleanup decrements 'bpf_bprintf_nest_level = 0'
        -> second irq:
           bpf_bprintf_prepare(num_args != 0) bpf_bprintf_nest_level = 1
           gets same buffer as task context above

    Adding check to bpf_bprintf_cleanup and doing the real cleanup only if
    we got bin_args data in the first place.

    Signed-off-by: Jiri Olsa
    Signed-off-by: Daniel Borkmann
    Acked-by: Yonghong Song
    Link: https://lore.kernel.org/bpf/20221215214430.1336195-3-jolsa@kernel.org
    Signed-off-by: Thadeu Lima de Souza Cascardo
    Signed-off-by: Greg Kroah-Hartman

 include/linux/bpf.h      |  2 +-
 kernel/bpf/helpers.c     | 16 +++++++++-------
 kernel/trace/bpf_trace.c |  6 +++---
 3 files changed, 13 insertions(+), 11 deletions(-)

accumulated error probability: 0.00
culprit signature: 351e825b8579fda376b9e58dba0149841e37e26452d4504dc5ec4a404930b60e
parent signature: 5582d3470dd2efa39d817eac82b8626d1a0b658163cc531b4eabf8d6f57f5480
revisions tested: 19, total time: 3h18m41.268476001s (build: 59m31.968081741s, test: 2h13m7.467830915s)
first good commit: 95b7476f6f68d725c474e3348e89436b0abde62a bpf: Do cleanup in bpf_bprintf_cleanup only when needed
recipients (to): ["cascardo@igalia.com" "daniel@iogearbox.net" "gregkh@linuxfoundation.org" "jolsa@kernel.org" "yhs@fb.com"]
recipients (cc): []