[syzbot] BUG: sleeping function called from invalid context in blk_release_queue


syzbot

Mar 21, 2022, 4:37:35 PM
to ax...@kernel.dk, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: f9006d9269ea Add linux-next specific files for 20220321
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=147292eb700000
kernel config: https://syzkaller.appspot.com/x/.config?x=c1619ffa2b0259a1
dashboard link: https://syzkaller.appspot.com/bug?extid=bbea00057d3d55c4889b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1034ac25700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1746535d700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bbea00...@syzkaller.appspotmail.com

BUG: sleeping function called from invalid context at block/blk-sysfs.c:766
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/1
preempt_count: 101, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 5.17.0-next-20220321-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
__might_resched.cold+0x222/0x26b kernel/sched/core.c:9766
blk_release_queue+0x1f/0x320 block/blk-sysfs.c:766
kobject_cleanup lib/kobject.c:705 [inline]
kobject_release lib/kobject.c:736 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1c8/0x540 lib/kobject.c:753
blkg_free.part.0+0x112/0x1f0 block/blk-cgroup.c:86
blkg_free block/blk-cgroup.c:78 [inline]
__blkg_release+0x105/0x160 block/blk-cgroup.c:102
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:116 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c6/0x250 drivers/acpi/processor_idle.c:556
Code: 89 de e8 4d bf 17 f8 84 db 75 ac e8 64 bb 17 f8 e8 cf 02 1e f8 eb 0c e8 58 bb 17 f8 0f 00 2d e1 3a d1 00 e8 4c bb 17 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c7 bd 17 f8 48 85 db
RSP: 0018:ffffc90000177d18 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888010fe9d40 RSI: ffffffff8960ede4 RDI: ffffffff8960edd1
RBP: ffff88814566f864 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff817ef0d8 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88814566f800 R14: ffff88814566f864 R15: ffff8880192fe804
acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:692
cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x3e8/0x590 kernel/sched/idle.c:303
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:400
start_secondary+0x265/0x340 arch/x86/kernel/smpboot.c:266
secondary_startup_64_no_verify+0xc3/0xcb
</TASK>
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: e8 4d bf 17 f8 callq 0xf817bf54
7: 84 db test %bl,%bl
9: 75 ac jne 0xffffffb7
b: e8 64 bb 17 f8 callq 0xf817bb74
10: e8 cf 02 1e f8 callq 0xf81e02e4
15: eb 0c jmp 0x23
17: e8 58 bb 17 f8 callq 0xf817bb74
1c: 0f 00 2d e1 3a d1 00 verw 0xd13ae1(%rip) # 0xd13b04
23: e8 4c bb 17 f8 callq 0xf817bb74
28: fb sti
29: f4 hlt
* 2a: 9c pushfq <-- trapping instruction
2b: 5b pop %rbx
2c: 81 e3 00 02 00 00 and $0x200,%ebx
32: fa cli
33: 31 ff xor %edi,%edi
35: 48 89 de mov %rbx,%rsi
38: e8 c7 bd 17 f8 callq 0xf817be04
3d: 48 85 db test %rbx,%rbx


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Hillf Danton

Mar 22, 2022, 9:48:30 AM
to syzbot, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 21 Mar 2022 13:37:33 -0700
Fix 0a9a25ca7843 ("block: let blkcg_gq grab request queue's refcnt")
by deferring freeing blkg to workqueue from rcu context.

Hillf

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/ f9006d9269ea

--- x/block/blk-cgroup.c
+++ y/block/blk-cgroup.c
@@ -89,9 +89,9 @@ static void blkg_free(struct blkcg_gq *b
kfree(blkg);
}

-static void __blkg_release(struct rcu_head *rcu)
+static void blkg_free_workfn(struct work_struct *work)
{
- struct blkcg_gq *blkg = container_of(rcu, struct blkcg_gq, rcu_head);
+ struct blkcg_gq *blkg = container_of(work, struct blkcg_gq, async_bio_work);

WARN_ON(!bio_list_empty(&blkg->async_bios));

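Review bot: blkg_free_workfn() reuses blkg->async_bio_work, so the hunk relies on that work item being idle by the time the last reference is dropped; if an async bio work could still be queued or running at that point, the INIT_WORK() done in __blkg_release() would overwrite a live work_struct. Either state in the commit message why no async_bio_work can be pending once the refcount reaches zero, or give struct blkcg_gq a dedicated work member for the free path so the two uses cannot collide. Note also that the WARN_ON(!bio_list_empty(&blkg->async_bios)) check now runs from a workqueue rather than from the RCU callback, which is fine but worth a word in the changelog.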
@@ -102,6 +102,15 @@ static void __blkg_release(struct rcu_he
blkg_free(blkg);
}

+static void __blkg_release(struct rcu_head *rcu)
+{
+ struct blkcg_gq *blkg = container_of(rcu, struct blkcg_gq, rcu_head);
+
+ /* reuse work to avoid putting blkg->q in rcu context */
+ INIT_WORK(&blkg->async_bio_work, blkg_free_workfn);
+ schedule_work(&blkg->async_bio_work);
+}
+
/*
* A group is RCU protected, but having an rcu lock does not mean that one
* can access all the fields of blkg and assume these are valid. For
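Review bot: the comment "reuse work to avoid putting blkg->q in rcu context" should say why the put must leave RCU context: per the report, blk_put_queue() reaches blk_release_queue() (block/blk-sysfs.c:766), which calls __might_resched(), while rcu_do_batch() runs callbacks in softirq. Spelling that out makes the deferral understandable without the syzbot trace. The change also turns the release into two asynchronous stages (grace period, then workqueue), so blkg_free() no longer completes inside the RCU callback; any teardown path that used rcu_barrier() to wait for blkgs to be gone would now also need to flush the scheduled work, and the commit message should mention this.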
--

syzbot

Mar 22, 2022, 1:57:09 PM
to hda...@sina.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

00000000 R09: 0000000000000001
R10: ffffffff873c1678 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880b9c00000 R14: 000000000003b180 R15: ffff88806f8f8ec0
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056420cdd2db0 CR3: 000000006a719000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
napi_schedule include/linux/netdevice.h:465 [inline]
wg_queue_enqueue_per_peer_rx drivers/net/wireguard/queueing.h:204 [inline]
wg_packet_decrypt_worker+0x408/0x5d0 drivers/net/wireguard/receive.c:510
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>


[ 32.467287][ T3174] 8021q: adding VLAN 0 to HW filter on device bond0
[ 32.481614][ T3174] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
syzkaller login: [ 43.713954][ T27] kauditd_printk_skb: 37 callbacks suppressed
[ 43.713966][ T27] audit: type=1400 audit(1647971762.505:73): avc: denied { transition } for pid=3381 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 43.744491][ T27] audit: type=1400 audit(1647971762.535:74): avc: denied { write } for pid=3381 comm="sh" path="pipe:[718]" dev="pipefs" ino=718 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.0.110' (ECDSA) to the list of known hosts.
2022/03/22 17:56:12 fuzzer started
2022/03/22 17:56:12 connecting to host at 10.128.0.169:44989
2022/03/22 17:56:12 checking machine...
2022/03/22 17:56:12 checking revisions...
2022/03/22 17:56:12 testing simple program...
[ 54.135544][ T27] audit: type=1400 audit(1647971772.925:75): avc: denied { getattr } for pid=3585 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 54.159389][ T27] audit: type=1400 audit(1647971772.935:76): avc: denied { read } for pid=3585 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 54.182001][ T27] audit: type=1400 audit(1647971772.935:77): avc: denied { open } for pid=3585 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 54.206388][ T27] audit: type=1400 audit(1647971772.955:78): avc: denied { read } for pid=3585 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=730 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 54.211078][ T3594] cgroup: Unknown subsys name 'net'
[ 54.229939][ T27] audit: type=1400 audit(1647971772.955:79): avc: denied { open } for pid=3585 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=730 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 54.258611][ T27] audit: type=1400 audit(1647971772.955:80): avc: denied { read } for pid=3585 comm="syz-fuzzer" name="vhci" dev="devtmpfs" ino=1072 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1
[ 54.282401][ T27] audit: type=1400 audit(1647971772.955:81): avc: denied { open } for pid=3585 comm="syz-fuzzer" path="/dev/vhci" dev="devtmpfs" ino=1072 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1
[ 54.306043][ T27] audit: type=1400 audit(1647971772.995:82): avc: denied { mounton } for pid=3594 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 54.329350][ T27] audit: type=1400 audit(1647971772.995:83): avc: denied { mount } for pid=3594 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 54.352653][ T27] audit: type=1400 audit(1647971773.035:84): avc: denied { unmount } for pid=3594 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 54.465100][ T3594] cgroup: Unknown subsys name 'rlimit'
[ 55.749146][ T3597] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 55.757962][ T3597] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 55.765791][ T3597] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 55.774317][ T3597] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 55.782335][ T3597] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 55.790024][ T3597] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 55.888732][ T3596] chnl_net:caif_netlink_parms(): no params data found
[ 55.935296][ T3596] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.942935][ T3596] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.951228][ T3596] device bridge_slave_0 entered promiscuous mode
[ 55.960805][ T3596] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.968208][ T3596] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.977002][ T3596] device bridge_slave_1 entered promiscuous mode
[ 56.001058][ T3596] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 56.012334][ T3596] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 56.036313][ T3596] team0: Port device team_slave_0 added
[ 56.043980][ T3596] team0: Port device team_slave_1 added
[ 56.062964][ T3596] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 56.070197][ T3596] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 56.096244][ T3596] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 56.109529][ T3596] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 56.116590][ T3596] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 56.142881][ T3596] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 56.169447][ T3596] device hsr_slave_0 entered promiscuous mode
[ 56.176134][ T3596] device hsr_slave_1 entered promiscuous mode
[ 56.269761][ T3596] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 56.280937][ T3596] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 56.290761][ T3596] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 56.301238][ T3596] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 56.323697][ T3596] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.330921][ T3596] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.339194][ T3596] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.346413][ T3596] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.396709][ T3596] 8021q: adding VLAN 0 to HW filter on device bond0
[ 56.410674][ T2978] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 56.422814][ T2978] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.432014][ T2978] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.440155][ T2978] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 56.456015][ T3596] 8021q: adding VLAN 0 to HW filter on device team0
[ 56.469551][ T3606] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 56.478037][ T3606] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.485116][ T3606] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.497293][ T2978] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 56.506617][ T2978] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.514201][ T2978] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.539518][ T2978] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 56.549352][ T2978] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 56.559707][ T2978] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 56.568764][ T2978] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 56.579092][ T3596] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 56.590204][ T3607] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 56.611807][ T3596] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 56.619341][ T3607] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 56.626779][ T3607] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 56.740702][ T918] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 56.755262][ T3607] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 56.765895][ T3596] device veth0_vlan entered promiscuous mode
[ 56.774072][ T918] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 56.782437][ T918] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 56.795036][ T3596] device veth1_vlan entered promiscuous mode
[ 56.815649][ T918] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 56.823912][ T918] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 56.832252][ T918] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 56.843344][ T3596] device veth0_macvtap entered promiscuous mode
[ 56.854010][ T3596] device veth1_macvtap entered promiscuous mode
[ 56.870540][ T3596] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 56.881039][ T918] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 56.892621][ T918] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 56.903247][ T3596] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 56.911688][ T3607] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 56.920911][ T3607] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 56.931905][ T3596] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 56.948659][ T3596] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 56.957369][ T3596] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 56.966522][ T3596] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 56.999871][ T3606] ------------[ cut here ]------------
[ 57.005683][ T3606] WARNING: CPU: 0 PID: 3606 at net/core/dev.c:4280 __napi_schedule+0xe2/0x440
[ 57.014591][ T3606] Modules linked in:
[ 57.018588][ T3606] CPU: 0 PID: 3606 Comm: kworker/0:3 Not tainted 5.17.0-next-20220321-syzkaller-dirty #0
[ 57.018624][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.018640][ T3606] Workqueue: wg-crypt-wg0 wg_packet_decrypt_worker
[ 57.045433][ T3606] RIP: 0010:__napi_schedule+0xe2/0x440
[ 57.051066][ T3606] Code: 74 4a e8 d1 c1 3b fa 31 ff 65 44 8b 25 57 59 c6 78 41 81 e4 00 ff 0f 00 44 89 e6 e8 d8 c3 3b fa 45 85 e4 75 07 e8 ae c1 3b fa <0f> 0b e8 a7 c1 3b fa 65 44 8b 25 77 63 c6 78 31 ff 44 89 e6 e8 b5
[ 57.067042][ T1084] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 57.070904][ T3606] RSP: 0018:ffffc9000345fc78 EFLAGS: 00010093
[ 57.070928][ T3606] RAX: 0000000000000000 RBX: ffff888070589a48 RCX: 0000000000000000
[ 57.070941][ T3606] RDX: ffff88802199c180 RSI: ffffffff873c1682 RDI: 0000000000000003
[ 57.070956][ T3606] RBP: 0000000000000200 R08: 0000000000000000 R09: 0000000000000001
[ 57.070970][ T3606] R10: ffffffff873c1678 R11: 0000000000000000 R12: 0000000000000000
[ 57.070984][ T3606] R13: ffff8880b9c00000 R14: 000000000003b180 R15: ffff88806f8f8ec0
[ 57.093188][ T3606] FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
[ 57.093215][ T3606] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 57.093230][ T3606] CR2: 000056420cdd2db0 CR3: 000000006a719000 CR4: 00000000003506f0
[ 57.093245][ T3606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 57.157189][ T3606] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 57.165160][ T3606] Call Trace:
[ 57.168447][ T3606] <TASK>
[ 57.171387][ T3606] wg_packet_decrypt_worker+0x408/0x5d0
[ 57.177231][ T3606] process_one_work+0x996/0x1610
[ 57.182468][ T3606] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 57.187872][ T3606] ? rwlock_bug.part.0+0x90/0x90
[ 57.192808][ T3606] ? _raw_spin_lock_irq+0x41/0x50
[ 57.197846][ T3606] worker_thread+0x665/0x1080
[ 57.202550][ T3606] ? __kthread_parkme+0x15f/0x220
[ 57.207663][ T3606] ? process_one_work+0x1610/0x1610
[ 57.213043][ T3606] kthread+0x2e9/0x3a0
[ 57.217131][ T3606] ? kthread_complete_and_exit+0x40/0x40
[ 57.222861][ T3606] ret_from_fork+0x1f/0x30
[ 57.227279][ T3606] </TASK>
[ 57.230291][ T3606] Kernel panic - not syncing: panic_on_warn set ...
[ 57.237581][ T3606] CPU: 0 PID: 3606 Comm: kworker/0:3 Not tainted 5.17.0-next-20220321-syzkaller-dirty #0
[ 57.247421][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.257570][ T3606] Workqueue: wg-crypt-wg0 wg_packet_decrypt_worker
[ 57.264122][ T3606] Call Trace:
[ 57.267432][ T3606] <TASK>
[ 57.270626][ T3606] dump_stack_lvl+0xcd/0x134
[ 57.275394][ T3606] panic+0x2d7/0x636
[ 57.279292][ T3606] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 57.285286][ T3606] ? __warn.cold+0x1d1/0x2c5
[ 57.289883][ T3606] ? __napi_schedule+0xe2/0x440
[ 57.294944][ T3606] __warn.cold+0x1e2/0x2c5
[ 57.299540][ T3606] ? __napi_schedule+0xe2/0x440
[ 57.304419][ T3606] report_bug+0x1bd/0x210
[ 57.309008][ T3606] handle_bug+0x3c/0x60
[ 57.313427][ T3606] exc_invalid_op+0x14/0x40
[ 57.318035][ T3606] asm_exc_invalid_op+0x12/0x20
[ 57.322984][ T3606] RIP: 0010:__napi_schedule+0xe2/0x440
[ 57.328448][ T3606] Code: 74 4a e8 d1 c1 3b fa 31 ff 65 44 8b 25 57 59 c6 78 41 81 e4 00 ff 0f 00 44 89 e6 e8 d8 c3 3b fa 45 85 e4 75 07 e8 ae c1 3b fa <0f> 0b e8 a7 c1 3b fa 65 44 8b 25 77 63 c6 78 31 ff 44 89 e6 e8 b5
[ 57.348960][ T3606] RSP: 0018:ffffc9000345fc78 EFLAGS: 00010093
[ 57.355050][ T3606] RAX: 0000000000000000 RBX: ffff888070589a48 RCX: 0000000000000000
[ 57.363106][ T3606] RDX: ffff88802199c180 RSI: ffffffff873c1682 RDI: 0000000000000003
[ 57.371088][ T3606] RBP: 0000000000000200 R08: 0000000000000000 R09: 0000000000000001
[ 57.379069][ T3606] R10: ffffffff873c1678 R11: 0000000000000000 R12: 0000000000000000
[ 57.387122][ T3606] R13: ffff8880b9c00000 R14: 000000000003b180 R15: ffff88806f8f8ec0
[ 57.395350][ T3606] ? __napi_schedule+0xd8/0x440
[ 57.400222][ T3606] ? __napi_schedule+0xe2/0x440
[ 57.405107][ T3606] ? __napi_schedule+0xe2/0x440
[ 57.410057][ T3606] wg_packet_decrypt_worker+0x408/0x5d0
[ 57.415803][ T3606] process_one_work+0x996/0x1610
[ 57.420847][ T3606] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 57.426230][ T3606] ? rwlock_bug.part.0+0x90/0x90
[ 57.431256][ T3606] ? _raw_spin_lock_irq+0x41/0x50
[ 57.436372][ T3606] worker_thread+0x665/0x1080
[ 57.441055][ T3606] ? __kthread_parkme+0x15f/0x220
[ 57.446101][ T3606] ? process_one_work+0x1610/0x1610
[ 57.451565][ T3606] kthread+0x2e9/0x3a0
[ 57.455724][ T3606] ? kthread_complete_and_exit+0x40/0x40
[ 57.461364][ T3606] ret_from_fork+0x1f/0x30
[ 57.465912][ T3606] </TASK>
[ 57.469667][ T3606] Kernel Offset: disabled
[ 57.474426][ T3606] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=17aae1a3700000


Tested on:

commit: f9006d92 Add linux-next specific files for 20220321
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=988d5d4e5a475e90
dashboard link: https://syzkaller.appspot.com/bug?extid=bbea00057d3d55c4889b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17f20eeb700000

Hillf Danton

Mar 22, 2022, 8:07:22 PM
to syzbot, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 22 Mar 2022 10:57:08 -0700
> Hello,
>
> syzbot tried to test the proposed patch but the build/boot failed:
>
> 00000000 R09: 0000000000000001
> R10: ffffffff873c1678 R11: 0000000000000000 R12: 0000000000000000
> R13: ffff8880b9c00000 R14: 000000000003b180 R15: ffff88806f8f8ec0
> FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056420cdd2db0 CR3: 000000006a719000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> napi_schedule include/linux/netdevice.h:465 [inline]
> wg_queue_enqueue_per_peer_rx drivers/net/wireguard/queueing.h:204 [inline]
> wg_packet_decrypt_worker+0x408/0x5d0 drivers/net/wireguard/receive.c:510
> process_one_work+0x996/0x1610 kernel/workqueue.c:2289
> worker_thread+0x665/0x1080 kernel/workqueue.c:2436
> kthread+0x2e9/0x3a0 kernel/kthread.c:376
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
> </TASK>

Fix 0a9a25ca7843 ("block: let blkcg_gq grab request queue's refcnt")
by deferring freeing blkg to workqueue from rcu context and reverting
the second half of fbd9a2ceba5c7 ("net: Add lockdep asserts to ____napi_schedule().")
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4277,7 +4277,6 @@ static inline void ____napi_schedule(str
{
struct task_struct *thread;

- lockdep_assert_softirq_will_run();
lockdep_assert_irqs_disabled();

if (test_bit(NAPI_STATE_THREADED, &napi->state)) {
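Review bot: dropping lockdep_assert_softirq_will_run() from ____napi_schedule() is unrelated to the blkcg fix and only silences the WARNING syzbot hit at net/core/dev.c:4280 via wg_packet_decrypt_worker(); the assertion added by fbd9a2ceba5c7 documents a requirement on the caller, so removing it hides the condition rather than fixing the WireGuard path. This message also carries only the net/core/dev.c hunk while the text describes both changes, so the block/blk-cgroup.c part has to be taken from the earlier mail. Keep the two changes as separate patches (the net/core one belongs to netdev), and make clear in the test request that the passing result covers the combination, not the block change on its own.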
--

syzbot

Mar 22, 2022, 8:37:10 PM
to hda...@sina.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+bbea00...@syzkaller.appspotmail.com

Tested on:

commit: f9006d92 Add linux-next specific files for 20220321
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=949ef165e81e8114
dashboard link: https://syzkaller.appspot.com/bug?extid=bbea00057d3d55c4889b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13d673db700000

Note: testing is done by a robot and is best-effort only.

Tetsuo Handa

Apr 2, 2022, 7:06:21 AM
to syzbot, syzkaller-bugs
#syz dup: BUG: sleeping function called from invalid context in blk_mq_release
