bisecting cause commit starting from b9998194591467dc562c23ecefb63af4eff7530b building syzkaller on 4656becafbd6c9a181ee8516f6b2a26103668273 testing commit b9998194591467dc562c23ecefb63af4eff7530b with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_sadinfo testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start b9998194591467dc562c23ecefb63af4eff7530b v5.0 Bisecting: 6574 revisions left to test after this (roughly 13 steps) [b1e243957e9b3ba8e820fb8583bdf18e7c737aa2] Merge tag 'for-5.1-part1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit b1e243957e9b3ba8e820fb8583bdf18e7c737aa2 with gcc (GCC) 8.1.0 all runs: OK # git bisect good b1e243957e9b3ba8e820fb8583bdf18e7c737aa2 Bisecting: 3298 revisions left to test after this (roughly 12 steps) [a50243b1ddcdd766d0d17fbfeeb1a22e62fdc461] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit a50243b1ddcdd766d0d17fbfeeb1a22e62fdc461 with gcc (GCC) 8.1.0 all runs: OK # git bisect good a50243b1ddcdd766d0d17fbfeeb1a22e62fdc461 Bisecting: 1626 revisions left to test after this (roughly 11 steps) [f3ca4c55a6581c46e9f4a592dd698a7c67a713dd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit f3ca4c55a6581c46e9f4a592dd698a7c67a713dd with gcc (GCC) 8.1.0 all runs: OK # git bisect good f3ca4c55a6581c46e9f4a592dd698a7c67a713dd Bisecting: 814 revisions left to test after this (roughly 10 steps) [fad9c2835f9b523c24399f1670e258e02b741450] Merge remote-tracking branch 'renesas/next' testing commit fad9c2835f9b523c24399f1670e258e02b741450 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_sadinfo # git bisect bad fad9c2835f9b523c24399f1670e258e02b741450 Bisecting: 410 revisions left to test after this (roughly 9 steps) [6c83d0d5eb62846b8591884e246ab67d70b651ef] Merge branch 'for-linus-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml testing commit 6c83d0d5eb62846b8591884e246ab67d70b651ef with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6c83d0d5eb62846b8591884e246ab67d70b651ef Bisecting: 214 revisions left to test after this (roughly 8 steps) [76754fe6a16f50a731a358d7844463292b8ccdb5] Merge remote-tracking branch 'arc-current/for-curr' testing commit 76754fe6a16f50a731a358d7844463292b8ccdb5 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 76754fe6a16f50a731a358d7844463292b8ccdb5 Bisecting: 118 revisions left to test after this (roughly 7 steps) [8de78184e36b6b93cec08e61096a243db094590e] Merge remote-tracking branch 'drm-misc-fixes/for-linux-next-fixes' testing commit 8de78184e36b6b93cec08e61096a243db094590e with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_sadinfo # git bisect bad 8de78184e36b6b93cec08e61096a243db094590e Bisecting: 53 revisions left to test after this (roughly 6 steps) [72cf79669693c2a775c76fa4d81c06177fcc0214] Merge remote-tracking branch 'ipsec/master' testing commit 72cf79669693c2a775c76fa4d81c06177fcc0214 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_sadinfo # git bisect bad 72cf79669693c2a775c76fa4d81c06177fcc0214 Bisecting: 23 revisions left to test after this (roughly 4 steps) [86be36f6502c52ddb4b85938145324fd07332da1] powerpc: bpf: Fix generation of load/store DW instructions testing commit 86be36f6502c52ddb4b85938145324fd07332da1 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 86be36f6502c52ddb4b85938145324fd07332da1 Bisecting: 11 revisions left to test after this (roughly 4 steps) [6f19893b644a9454d85e593b5e90914e7a72b7dd] net: openvswitch: fix a NULL pointer dereference testing commit 6f19893b644a9454d85e593b5e90914e7a72b7dd with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6f19893b644a9454d85e593b5e90914e7a72b7dd Bisecting: 5 revisions left to test after this (roughly 3 steps) [517ccc2aa50dbd7767a9eb8e1d9987a3ed7ced3e] net: tipc: fix a missing check for nla_nest_start testing commit 517ccc2aa50dbd7767a9eb8e1d9987a3ed7ced3e with gcc (GCC) 8.1.0 all runs: OK # git bisect good 517ccc2aa50dbd7767a9eb8e1d9987a3ed7ced3e Bisecting: 2 revisions left to test after this (roughly 2 steps) [f10e0010fae8174dc20bdc872bcaa85baa925cb7] net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm testing commit f10e0010fae8174dc20bdc872bcaa85baa925cb7 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_sadinfo # git bisect bad f10e0010fae8174dc20bdc872bcaa85baa925cb7 Bisecting: 0 revisions left to test after this (roughly 1 step) [6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be] xfrm: Reset secpath in xfrm failure testing commit 6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be f10e0010fae8174dc20bdc872bcaa85baa925cb7 is the first bad commit commit f10e0010fae8174dc20bdc872bcaa85baa925cb7 Author: Su Yanjun Date: Wed Mar 6 20:54:08 2019 -0500 net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm For rcu protected pointers, we'd better add '__rcu' for them. Once added '__rcu' tag for rcu protected pointer, the sparse tool reports warnings. net/xfrm/xfrm_user.c:1198:39: sparse: expected struct sock *sk net/xfrm/xfrm_user.c:1198:39: sparse: got struct sock [noderef] *nlsk [...] So introduce a new wrapper function of nlmsg_unicast to handle type conversions. This patch also fixes a direct access of a rcu protected socket. Fixes: be33690d8fcf("[XFRM]: Fix aevent related crash") Signed-off-by: Su Yanjun Signed-off-by: Steffen Klassert include/net/netns/xfrm.h | 2 +- net/xfrm/xfrm_user.c | 30 +++++++++++++++++++++++------- 2 files changed, 24 insertions(+), 8 deletions(-) revisions tested: 15, total time: 3h9m55.056587312s (build: 1h13m43.374912428s, test: 1h52m38.07170513s) first bad commit: f10e0010fae8174dc20bdc872bcaa85baa925cb7 net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm cc: ["davem@davemloft.net" "fw@strlen.de" "herbert@gondor.apana.org.au" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "steffen.klassert@secunet.com" "suyj.fnst@cn.fujitsu.com"] crash: WARNING: suspicious RCU usage in xfrm_get_sadinfo hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network 8021q: adding VLAN 0 to HW filter on device batadv0 hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network ============================= WARNING: suspicious RCU usage 5.0.0-rc7+ #1 Not tainted ----------------------------- net/xfrm/xfrm_user.c:1080 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz-executor.0/6729: #0: 000000003db5f70b (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: xfrm_netlink_rcv+0x5a/0x90 net/xfrm/xfrm_user.c:2691 stack backtrace: CPU: 0 PID: 6729 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4490 xfrm_nlmsg_unicast net/xfrm/xfrm_user.c:1080 [inline] xfrm_get_sadinfo+0x4c4/0x5e0 net/xfrm/xfrm_user.c:1273 xfrm_user_rcv_msg+0x34f/0x760 net/xfrm/xfrm_user.c:2684 netlink_rcv_skb+0x13f/0x380 net/netlink/af_netlink.c:2477 hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network xfrm_netlink_rcv+0x69/0x90 net/xfrm/xfrm_user.c:2692 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x444/0x640 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xb7/0xf0 net/socket.c:632 ___sys_sendmsg+0x649/0x950 net/socket.c:2115 __sys_sendmsg+0xd9/0x180 net/socket.c:2153 __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2160 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457799 Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f1006767c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457799 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000006ed110 R14: 00000000004ac804 R15: 00007f10067686d4 8021q: adding VLAN 0 to HW filter on device batadv0 IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready bridge0: port 2(bridge_slave_1) entered blocking state bridge0: port 2(bridge_slave_1) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready 8021q: adding VLAN 0 to HW filter on device bond0 IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 8021q: adding VLAN 0 to HW filter on device batadv0 8021q: adding VLAN 0 to HW filter on device batadv0 8021q: adding VLAN 0 to HW filter on device team0 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready bridge0: port 1(bridge_slave_0) entered blocking state bridge0: port 1(bridge_slave_0) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready bridge0: port 2(bridge_slave_1) entered blocking state bridge0: port 2(bridge_slave_1) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready 8021q: adding VLAN 0 to HW filter on device batadv0 device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves