syzbot


possible deadlock in xfrm_policy_lookup_inexact_addr

Status: closed as dup on 2020/09/24 04:14
Subsystems: net
Reported-by: syzbot+0c9fc3836c6c057a975a@syzkaller.appspotmail.com
First crash: 1280d, last: 1279d
Duplicate of
Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported
inconsistent lock state in xfrm_policy_lookup_inexact_addr net |  |  |  | 11 | 1279d | 1280d
Discussions (1)
Title | Replies (including bot) | Last reply
possible deadlock in xfrm_policy_lookup_inexact_addr | 1 (2) | 2020/09/24 04:14

Sample crash report:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
5.9.0-rc5-next-20200916-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor.1/14205 [HC0[0]:SC0[6]:HE0:SE0] is trying to acquire:
ffff8880a735de28 (&s->seqcount#10){+.+.}-{0:0}, at: xfrm_policy_lookup_inexact_addr+0x57/0x200 net/xfrm/xfrm_policy.c:1909

and this task is already holding:
ffff8880a62081a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: spin_trylock include/linux/spinlock.h:364 [inline]
ffff8880a62081a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: icmpv6_xmit_lock net/ipv6/icmp.c:117 [inline]
ffff8880a62081a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: icmp6_send+0xe82/0x2670 net/ipv6/icmp.c:538
which would create a new lock dependency:
 (k-slock-AF_INET6){+.-.}-{2:2} -> (&s->seqcount#10){+.+.}-{0:0}

but this new dependency connects a SOFTIRQ-irq-safe lock:
 (k-slock-AF_INET6){+.-.}-{2:2}

... which became SOFTIRQ-irq-safe at:
  lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
  spin_lock include/linux/spinlock.h:354 [inline]
  sk_clone_lock+0x2a1/0x10b0 net/core/sock.c:1881
  inet_csk_clone_lock+0x21/0x480 net/ipv4/inet_connection_sock.c:830
  tcp_create_openreq_child+0x2d/0x1700 net/ipv4/tcp_minisocks.c:460
  tcp_v6_syn_recv_sock+0x192/0x2240 net/ipv6/tcp_ipv6.c:1270
  tcp_check_req+0x607/0x17b0 net/ipv4/tcp_minisocks.c:773
  tcp_v6_rcv+0x1f15/0x3480 net/ipv6/tcp_ipv6.c:1632
  ip6_protocol_deliver_rcu+0x2e8/0x1680 net/ipv6/ip6_input.c:433
  ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:474
  NF_HOOK include/linux/netfilter.h:301 [inline]
  NF_HOOK include/linux/netfilter.h:295 [inline]
  ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:483
  dst_input include/net/dst.h:449 [inline]
  ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
  NF_HOOK include/linux/netfilter.h:301 [inline]
  NF_HOOK include/linux/netfilter.h:295 [inline]
  ipv6_rcv+0x28e/0x3c0 net/ipv6/ip6_input.c:307
  __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5287
  __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5401
  process_backlog+0x2e1/0x8e0 net/core/dev.c:6286
  napi_poll net/core/dev.c:6730 [inline]
  net_rx_action+0x587/0x1320 net/core/dev.c:6800
  __do_softirq+0x203/0xab6 kernel/softirq.c:298
  asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:786
  __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
  run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
  do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
  do_softirq kernel/softirq.c:343 [inline]
  do_softirq+0x154/0x1b0 kernel/softirq.c:330
  __local_bh_enable_ip+0x196/0x1f0 kernel/softirq.c:195
  local_bh_enable include/linux/bottom_half.h:32 [inline]
  rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
  ip6_finish_output2+0x953/0x1770 net/ipv6/ip6_output.c:118
  __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
  __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
  ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
  NF_HOOK_COND include/linux/netfilter.h:290 [inline]
  ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
  dst_output include/net/dst.h:443 [inline]
  NF_HOOK include/linux/netfilter.h:301 [inline]
  NF_HOOK include/linux/netfilter.h:295 [inline]
  ip6_xmit+0x1258/0x1e80 net/ipv6/ip6_output.c:280
  inet6_csk_xmit+0x339/0x610 net/ipv6/inet6_connection_sock.c:135
  __tcp_transmit_skb+0x18cc/0x3760 net/ipv4/tcp_output.c:1404
  __tcp_send_ack.part.0+0x3e0/0x5d0 net/ipv4/tcp_output.c:3965
  __tcp_send_ack net/ipv4/tcp_output.c:3971 [inline]
  tcp_send_ack+0x7d/0xa0 net/ipv4/tcp_output.c:3971
  tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6159 [inline]
  tcp_rcv_state_process+0x389b/0x4ca0 net/ipv4/tcp_input.c:6328
  tcp_v6_do_rcv+0x7ad/0x1290 net/ipv6/tcp_ipv6.c:1483
  sk_backlog_rcv include/net/sock.h:1010 [inline]
  __release_sock+0x134/0x3a0 net/core/sock.c:2528
  release_sock+0x54/0x1b0 net/core/sock.c:3051
  inet_wait_for_connect net/ipv4/af_inet.c:594 [inline]
  __inet_stream_connect+0x579/0xe30 net/ipv4/af_inet.c:686
  inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:725
  mptcp_stream_connect+0x156/0x7a0 net/mptcp/protocol.c:2495
  __sys_connect_file+0x155/0x1a0 net/socket.c:1852
  __sys_connect+0x161/0x190 net/socket.c:1869
  __do_sys_connect net/socket.c:1879 [inline]
  __se_sys_connect net/socket.c:1876 [inline]
  __x64_sys_connect+0x6f/0xb0 net/socket.c:1876
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

to a SOFTIRQ-irq-unsafe lock:
 (&s->seqcount#10){+.+.}-{0:0}

... which became SOFTIRQ-irq-unsafe at:
...
  lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
  write_seqcount_t_begin_nested include/linux/seqlock.h:509 [inline]
  write_seqcount_t_begin include/linux/seqlock.h:535 [inline]
  write_seqlock include/linux/seqlock.h:883 [inline]
  xfrm_set_spdinfo+0x302/0x660 net/xfrm/xfrm_user.c:1185
  xfrm_user_rcv_msg+0x41e/0x720 net/xfrm/xfrm_user.c:2684
  netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
  xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2692
  netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
  netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
  sock_sendmsg_nosec net/socket.c:651 [inline]
  sock_sendmsg+0xcf/0x120 net/socket.c:671
  ____sys_sendmsg+0x6e8/0x810 net/socket.c:2362
  ___sys_sendmsg+0xf3/0x170 net/socket.c:2416
  __sys_sendmsg+0xe5/0x1b0 net/socket.c:2449
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

other info that might help us debug this:

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&s->seqcount#10);
                               local_irq_disable();
                               lock(k-slock-AF_INET6);
                               lock(&s->seqcount#10);
  <Interrupt>
    lock(k-slock-AF_INET6);

 *** DEADLOCK ***

4 locks held by syz-executor.1/14205:
 #0: ffffffff8a1034a0 (rcu_read_lock_bh){....}-{1:2}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #0: ffffffff8a1034a0 (rcu_read_lock_bh){....}-{1:2}, at: ip6_finish_output2+0x190/0x1770 net/ipv6/ip6_output.c:103
 #1: ffffffff8a1034a0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1d7/0x2d30 net/core/dev.c:4072
 #2: ffff8880a62081a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: spin_trylock include/linux/spinlock.h:364 [inline]
 #2: ffff8880a62081a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: icmpv6_xmit_lock net/ipv6/icmp.c:117 [inline]
 #2: ffff8880a62081a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: icmp6_send+0xe82/0x2670 net/ipv6/icmp.c:538
 #3: ffffffff8a103500 (rcu_read_lock){....}-{1:2}, at: xfrm_policy_lookup_bytype+0x104/0xa40 net/xfrm/xfrm_policy.c:2082

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (k-slock-AF_INET6){+.-.}-{2:2} {
   HARDIRQ-ON-W at:
                    lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
                    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
                    _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
                    spin_lock_bh include/linux/spinlock.h:359 [inline]
                    lock_sock_nested+0x3b/0x110 net/core/sock.c:3034
                    lock_sock include/net/sock.h:1581 [inline]
                    tcp_sock_set_nodelay+0x18/0xe0 net/ipv4/tcp.c:2916
                    rds_tcp_listen_init+0x132/0x4d0 net/rds/tcp_listen.c:275
                    rds_tcp_init_net+0x265/0x4e0 net/rds/tcp.c:559
                    ops_init+0xaf/0x470 net/core/net_namespace.c:151
                    __register_pernet_operations net/core/net_namespace.c:1140 [inline]
                    register_pernet_operations+0x35a/0x850 net/core/net_namespace.c:1217
                    register_pernet_device+0x26/0x70 net/core/net_namespace.c:1304
                    rds_tcp_init+0x77/0xe0 net/rds/tcp.c:717
                    do_one_initcall+0x103/0x6f0 init/main.c:1204
                    do_initcall_level init/main.c:1277 [inline]
                    do_initcalls init/main.c:1293 [inline]
                    do_basic_setup init/main.c:1313 [inline]
                    kernel_init_freeable+0x652/0x6d6 init/main.c:1512
                    kernel_init+0xd/0x1b8 init/main.c:1402
                    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
   IN-SOFTIRQ-W at:
                    lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
                    __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
                    _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
                    spin_lock include/linux/spinlock.h:354 [inline]
                    sk_clone_lock+0x2a1/0x10b0 net/core/sock.c:1881
                    inet_csk_clone_lock+0x21/0x480 net/ipv4/inet_connection_sock.c:830
                    tcp_create_openreq_child+0x2d/0x1700 net/ipv4/tcp_minisocks.c:460
                    tcp_v6_syn_recv_sock+0x192/0x2240 net/ipv6/tcp_ipv6.c:1270
                    tcp_check_req+0x607/0x17b0 net/ipv4/tcp_minisocks.c:773
                    tcp_v6_rcv+0x1f15/0x3480 net/ipv6/tcp_ipv6.c:1632
                    ip6_protocol_deliver_rcu+0x2e8/0x1680 net/ipv6/ip6_input.c:433
                    ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:474
                    NF_HOOK include/linux/netfilter.h:301 [inline]
                    NF_HOOK include/linux/netfilter.h:295 [inline]
                    ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:483
                    dst_input include/net/dst.h:449 [inline]
                    ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
                    NF_HOOK include/linux/netfilter.h:301 [inline]
                    NF_HOOK include/linux/netfilter.h:295 [inline]
                    ipv6_rcv+0x28e/0x3c0 net/ipv6/ip6_input.c:307
                    __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5287
                    __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5401
                    process_backlog+0x2e1/0x8e0 net/core/dev.c:6286
                    napi_poll net/core/dev.c:6730 [inline]
                    net_rx_action+0x587/0x1320 net/core/dev.c:6800
                    __do_softirq+0x203/0xab6 kernel/softirq.c:298
                    asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:786
                    __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
                    run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
                    do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
                    do_softirq kernel/softirq.c:343 [inline]
                    do_softirq+0x154/0x1b0 kernel/softirq.c:330
                    __local_bh_enable_ip+0x196/0x1f0 kernel/softirq.c:195
                    local_bh_enable include/linux/bottom_half.h:32 [inline]
                    rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
                    ip6_finish_output2+0x953/0x1770 net/ipv6/ip6_output.c:118
                    __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
                    __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
                    ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
                    NF_HOOK_COND include/linux/netfilter.h:290 [inline]
                    ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
                    dst_output include/net/dst.h:443 [inline]
                    NF_HOOK include/linux/netfilter.h:301 [inline]
                    NF_HOOK include/linux/netfilter.h:295 [inline]
                    ip6_xmit+0x1258/0x1e80 net/ipv6/ip6_output.c:280
                    inet6_csk_xmit+0x339/0x610 net/ipv6/inet6_connection_sock.c:135
                    __tcp_transmit_skb+0x18cc/0x3760 net/ipv4/tcp_output.c:1404
                    __tcp_send_ack.part.0+0x3e0/0x5d0 net/ipv4/tcp_output.c:3965
                    __tcp_send_ack net/ipv4/tcp_output.c:3971 [inline]
                    tcp_send_ack+0x7d/0xa0 net/ipv4/tcp_output.c:3971
                    tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6159 [inline]
                    tcp_rcv_state_process+0x389b/0x4ca0 net/ipv4/tcp_input.c:6328
                    tcp_v6_do_rcv+0x7ad/0x1290 net/ipv6/tcp_ipv6.c:1483
                    sk_backlog_rcv include/net/sock.h:1010 [inline]
                    __release_sock+0x134/0x3a0 net/core/sock.c:2528
                    release_sock+0x54/0x1b0 net/core/sock.c:3051
                    inet_wait_for_connect net/ipv4/af_inet.c:594 [inline]
                    __inet_stream_connect+0x579/0xe30 net/ipv4/af_inet.c:686
                    inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:725
                    mptcp_stream_connect+0x156/0x7a0 net/mptcp/protocol.c:2495
                    __sys_connect_file+0x155/0x1a0 net/socket.c:1852
                    __sys_connect+0x161/0x190 net/socket.c:1869
                    __do_sys_connect net/socket.c:1879 [inline]
                    __se_sys_connect net/socket.c:1876 [inline]
                    __x64_sys_connect+0x6f/0xb0 net/socket.c:1876
                    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
                    entry_SYSCALL_64_after_hwframe+0x44/0xa9
   INITIAL USE at:
                   lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
                   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
                   _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
                   spin_lock_bh include/linux/spinlock.h:359 [inline]
                   lock_sock_nested+0x3b/0x110 net/core/sock.c:3034
                   lock_sock include/net/sock.h:1581 [inline]
                   tcp_sock_set_nodelay+0x18/0xe0 net/ipv4/tcp.c:2916
                   rds_tcp_listen_init+0x132/0x4d0 net/rds/tcp_listen.c:275
                   rds_tcp_init_net+0x265/0x4e0 net/rds/tcp.c:559
                   ops_init+0xaf/0x470 net/core/net_namespace.c:151
                   __register_pernet_operations net/core/net_namespace.c:1140 [inline]
                   register_pernet_operations+0x35a/0x850 net/core/net_namespace.c:1217
                   register_pernet_device+0x26/0x70 net/core/net_namespace.c:1304
                   rds_tcp_init+0x77/0xe0 net/rds/tcp.c:717
                   do_one_initcall+0x103/0x6f0 init/main.c:1204
                   do_initcall_level init/main.c:1277 [inline]
                   do_initcalls init/main.c:1293 [inline]
                   do_basic_setup init/main.c:1313 [inline]
                   kernel_init_freeable+0x652/0x6d6 init/main.c:1512
                   kernel_init+0xd/0x1b8 init/main.c:1402
                   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
 }
 ... key      at: [<ffffffff8e18f680>] af_family_kern_slock_keys+0xa0/0x300
 ... acquired at:
   lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
   seqcount_lockdep_reader_access+0x139/0x1a0 include/linux/seqlock.h:103
   xfrm_policy_lookup_inexact_addr+0x57/0x200 net/xfrm/xfrm_policy.c:1909
   xfrm_policy_find_inexact_candidates+0xac/0x1d0 net/xfrm/xfrm_policy.c:1953
   xfrm_policy_lookup_bytype+0x4b8/0xa40 net/xfrm/xfrm_policy.c:2108
   xfrm_policy_lookup net/xfrm/xfrm_policy.c:2144 [inline]
   xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2944 [inline]
   xfrm_lookup_with_ifid+0xab3/0x2130 net/xfrm/xfrm_policy.c:3085
   icmpv6_route_lookup+0x2af/0x470 net/ipv6/icmp.c:377
   icmp6_send+0x12f2/0x2670 net/ipv6/icmp.c:588
   icmpv6_send include/linux/icmpv6.h:24 [inline]
   ip6_link_failure+0x29/0x510 net/ipv6/route.c:2669
   dst_link_failure include/net/dst.h:426 [inline]
   vti_xmit net/ipv4/ip_vti.c:273 [inline]
   vti_tunnel_xmit+0xa53/0x1980 net/ipv4/ip_vti.c:309
   __netdev_start_xmit include/linux/netdevice.h:4656 [inline]
   netdev_start_xmit include/linux/netdevice.h:4670 [inline]
   xmit_one net/core/dev.c:3562 [inline]
   dev_hard_start_xmit+0x188/0x880 net/core/dev.c:3578
   __dev_queue_xmit+0x2062/0x2d30 net/core/dev.c:4137
   neigh_connected_output+0x299/0x370 net/core/neighbour.c:1518
   neigh_output include/net/neighbour.h:509 [inline]
   ip6_finish_output2+0x8ec/0x1770 net/ipv6/ip6_output.c:117
   __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
   __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
   ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
   NF_HOOK_COND include/linux/netfilter.h:290 [inline]
   ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
   dst_output include/net/dst.h:443 [inline]
   ip6_local_out+0xaf/0x1a0 net/ipv6/output_core.c:179
   ip6_send_skb+0xb7/0x340 net/ipv6/ip6_output.c:1867
   udp_v6_send_skb+0x7c2/0x15d0 net/ipv6/udp.c:1233
   udpv6_sendmsg+0x2300/0x2b90 net/ipv6/udp.c:1531
   inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:638
   sock_sendmsg_nosec net/socket.c:651 [inline]
   sock_sendmsg+0xcf/0x120 net/socket.c:671
   ____sys_sendmsg+0x331/0x810 net/socket.c:2362
   ___sys_sendmsg+0xf3/0x170 net/socket.c:2416
   __sys_sendmmsg+0x196/0x4b0 net/socket.c:2506
   __do_sys_sendmmsg net/socket.c:2535 [inline]
   __se_sys_sendmmsg net/socket.c:2532 [inline]
   __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2532
   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xa9


the dependencies between the lock to be acquired
 and SOFTIRQ-irq-unsafe lock:
-> (&s->seqcount#10){+.+.}-{0:0} {
   HARDIRQ-ON-W at:
                    lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
                    write_seqcount_t_begin_nested include/linux/seqlock.h:509 [inline]
                    write_seqcount_t_begin include/linux/seqlock.h:535 [inline]
                    write_seqlock include/linux/seqlock.h:883 [inline]
                    xfrm_set_spdinfo+0x302/0x660 net/xfrm/xfrm_user.c:1185
                    xfrm_user_rcv_msg+0x41e/0x720 net/xfrm/xfrm_user.c:2684
                    netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
                    xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2692
                    netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
                    netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
                    netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
                    sock_sendmsg_nosec net/socket.c:651 [inline]
                    sock_sendmsg+0xcf/0x120 net/socket.c:671
                    ____sys_sendmsg+0x6e8/0x810 net/socket.c:2362
                    ___sys_sendmsg+0xf3/0x170 net/socket.c:2416
                    __sys_sendmsg+0xe5/0x1b0 net/socket.c:2449
                    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
                    entry_SYSCALL_64_after_hwframe+0x44/0xa9
   SOFTIRQ-ON-W at:
                    lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
                    write_seqcount_t_begin_nested include/linux/seqlock.h:509 [inline]
                    write_seqcount_t_begin include/linux/seqlock.h:535 [inline]
                    write_seqlock include/linux/seqlock.h:883 [inline]
                    xfrm_set_spdinfo+0x302/0x660 net/xfrm/xfrm_user.c:1185
                    xfrm_user_rcv_msg+0x41e/0x720 net/xfrm/xfrm_user.c:2684
                    netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
                    xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2692
                    netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
                    netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
                    netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
                    sock_sendmsg_nosec net/socket.c:651 [inline]
                    sock_sendmsg+0xcf/0x120 net/socket.c:671
                    ____sys_sendmsg+0x6e8/0x810 net/socket.c:2362
                    ___sys_sendmsg+0xf3/0x170 net/socket.c:2416
                    __sys_sendmsg+0xe5/0x1b0 net/socket.c:2449
                    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
                    entry_SYSCALL_64_after_hwframe+0x44/0xa9
   INITIAL USE at:
                   lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
                   write_seqcount_t_begin_nested include/linux/seqlock.h:509 [inline]
                   write_seqcount_t_begin include/linux/seqlock.h:535 [inline]
                   write_seqlock include/linux/seqlock.h:883 [inline]
                   xfrm_set_spdinfo+0x302/0x660 net/xfrm/xfrm_user.c:1185
                   xfrm_user_rcv_msg+0x41e/0x720 net/xfrm/xfrm_user.c:2684
                   netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
                   xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2692
                   netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
                   netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
                   netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
                   sock_sendmsg_nosec net/socket.c:651 [inline]
                   sock_sendmsg+0xcf/0x120 net/socket.c:671
                   ____sys_sendmsg+0x6e8/0x810 net/socket.c:2362
                   ___sys_sendmsg+0xf3/0x170 net/socket.c:2416
                   __sys_sendmsg+0xe5/0x1b0 net/socket.c:2449
                   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
                   entry_SYSCALL_64_after_hwframe+0x44/0xa9
   (null) at:
================================================================================
UBSAN: array-index-out-of-bounds in kernel/locking/lockdep.c:2240:40
index 9 is out of range for type 'lock_trace *[9]'
CPU: 0 PID: 14205 Comm: syz-executor.1 Not tainted 5.9.0-rc5-next-20200916-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fb lib/dump_stack.c:118
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
 print_lock_class_header kernel/locking/lockdep.c:2240 [inline]
 print_shortest_lock_dependencies.cold+0x11c/0x2e2 kernel/locking/lockdep.c:2263
 print_bad_irq_dependency kernel/locking/lockdep.c:2402 [inline]
 check_irq_usage.cold+0x49c/0x613 kernel/locking/lockdep.c:2634
 check_prev_add kernel/locking/lockdep.c:2823 [inline]
 check_prevs_add kernel/locking/lockdep.c:2944 [inline]
 validate_chain kernel/locking/lockdep.c:3562 [inline]
 __lock_acquire+0x2873/0x56d0 kernel/locking/lockdep.c:4796
 lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398
 seqcount_lockdep_reader_access+0x139/0x1a0 include/linux/seqlock.h:103
 xfrm_policy_lookup_inexact_addr+0x57/0x200 net/xfrm/xfrm_policy.c:1909
 xfrm_policy_find_inexact_candidates+0xac/0x1d0 net/xfrm/xfrm_policy.c:1953
 xfrm_policy_lookup_bytype+0x4b8/0xa40 net/xfrm/xfrm_policy.c:2108
 xfrm_policy_lookup net/xfrm/xfrm_policy.c:2144 [inline]
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2944 [inline]
 xfrm_lookup_with_ifid+0xab3/0x2130 net/xfrm/xfrm_policy.c:3085
 icmpv6_route_lookup+0x2af/0x470 net/ipv6/icmp.c:377
 icmp6_send+0x12f2/0x2670 net/ipv6/icmp.c:588
 icmpv6_send include/linux/icmpv6.h:24 [inline]
 ip6_link_failure+0x29/0x510 net/ipv6/route.c:2669
 dst_link_failure include/net/dst.h:426 [inline]
 vti_xmit net/ipv4/ip_vti.c:273 [inline]
 vti_tunnel_xmit+0xa53/0x1980 net/ipv4/ip_vti.c:309
 __netdev_start_xmit include/linux/netdevice.h:4656 [inline]
 netdev_start_xmit include/linux/netdevice.h:4670 [inline]
 xmit_one net/core/dev.c:3562 [inline]
 dev_hard_start_xmit+0x188/0x880 net/core/dev.c:3578
 __dev_queue_xmit+0x2062/0x2d30 net/core/dev.c:4137
 neigh_connected_output+0x299/0x370 net/core/neighbour.c:1518
 neigh_output include/net/neighbour.h:509 [inline]
 ip6_finish_output2+0x8ec/0x1770 net/ipv6/ip6_output.c:117
 __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
 __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
 ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 ip6_local_out+0xaf/0x1a0 net/ipv6/output_core.c:179
 ip6_send_skb+0xb7/0x340 net/ipv6/ip6_output.c:1867
 udp_v6_send_skb+0x7c2/0x15d0 net/ipv6/udp.c:1233
 udpv6_sendmsg+0x2300/0x2b90 net/ipv6/udp.c:1531
 inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:638
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x331/0x810 net/socket.c:2362
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2416
 __sys_sendmmsg+0x196/0x4b0 net/socket.c:2506
 __do_sys_sendmmsg net/socket.c:2535 [inline]
 __se_sys_sendmmsg net/socket.c:2532 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2532
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d5f9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5d88496c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000027a40 RCX: 000000000045d5f9
RDX: 0000000000000066 RSI: 000000002000ac80 RDI: 0000000000000005
RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
R10: 2000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007fff6a887eaf R14: 00007f5d884979c0 R15: 000000000118cf4c
================================================================================

Crashes (6):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2020/09/16 23:04 | linux-next | 5fa35f247b56 | 8247808b | .config | console log | report |  |  | info |  | ci-upstream-linux-next-kasan-gce-root |
2020/09/16 16:32 | linux-next | 5fa35f247b56 | 18d7d030 | .config | console log | report |  |  | info |  | ci-upstream-linux-next-kasan-gce-root |
2020/09/16 13:55 | linux-next | 5fa35f247b56 | 18d7d030 | .config | console log | report |  |  | info |  | ci-upstream-linux-next-kasan-gce-root |
2020/09/16 08:51 | linux-next | 5fa35f247b56 | 18d7d030 | .config | console log | report |  |  | info |  | ci-upstream-linux-next-kasan-gce-root |
2020/09/16 05:02 | linux-next | 6b02addb1d17 | 18d7d030 | .config | console log | report |  |  | info |  | ci-upstream-linux-next-kasan-gce-root |
2020/09/15 18:58 | linux-next | 6b02addb1d17 | 6989d6f6 | .config | console log | report |  |  | info |  | ci-upstream-linux-next-kasan-gce-root |
* Struck through repros no longer work on HEAD.