bisecting cause commit starting from ed6d9b0228132fee03314b276d946fc3f0cc9e4f
building syzkaller on 6989d6f61d7d7db02083998790f6dd247d8d7307
testing commit ed6d9b0228132fee03314b276d946fc3f0cc9e4f with gcc (GCC) 8.1.0
kernel signature: f01bf0f44ab769e045779f75499cc9984c15572721545c21503d95715298768f
run #0: crashed: WARNING: locking bug in rxrpc_unbundle_conn
run #1: crashed: WARNING: locking bug in rxrpc_unbundle_conn
run #2: crashed: WARNING: locking bug in rxrpc_unbundle_conn
run #3: crashed: WARNING: locking bug in rxrpc_unbundle_conn
run #4: crashed: WARNING: locking bug in rxrpc_unbundle_conn
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in rxrpc_disconnect_client_call
run #6: crashed: kernel BUG at net/ipv4/fib_trie.c:LINE!
run #7: crashed: WARNING: locking bug in rxrpc_unbundle_conn
run #8: crashed: WARNING: locking bug in rxrpc_unbundle_conn
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in rxrpc_disconnect_client_call
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: e32f801a681f12bb1d76f9123c0d760c1c91e307c0bfbbab51e41afa415e6700
all runs: OK
# git bisect start ed6d9b0228132fee03314b276d946fc3f0cc9e4f bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 7606 revisions left to test after this (roughly 13 steps)
[47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0
kernel signature: 526112b11dec9ae341fb723952459dc81aac68094f1b19d2ae2c87f9d4fe23be
all runs: OK
# git bisect good 47ec5303d73ea344e84f46660fff693c57641386
Bisecting: 3803 revisions left to test after this (roughly 12 steps)
[35556bed836f8dc07ac55f69c8d17dce3e7f0e25] HID: core: Sanitize event code and type when mapping input
testing commit 35556bed836f8dc07ac55f69c8d17dce3e7f0e25 with gcc (GCC) 8.1.0
kernel signature: 3a8a2a43084e705090eb4a02e25e8fd84bfcbc9636e631af3893bf9742ebcffb
all runs: OK
# git bisect good 35556bed836f8dc07ac55f69c8d17dce3e7f0e25
Bisecting: 1901 revisions left to test after this (roughly 11 steps)
[d723b99ec9e502a414a96a51ec229333f807b47e] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit d723b99ec9e502a414a96a51ec229333f807b47e with gcc (GCC) 8.1.0
kernel signature: ed63bdd6b0eb3e13e0b2a7299dc0a27a1e75eaeb82ea4bde452da5eb2e0094f9
all runs: OK
# git bisect good d723b99ec9e502a414a96a51ec229333f807b47e
Bisecting: 1055 revisions left to test after this (roughly 10 steps)
[c70672d8d316ebd46ea447effadfe57ab7a30a50] Merge tag 's390-5.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
testing commit c70672d8d316ebd46ea447effadfe57ab7a30a50 with gcc (GCC) 8.1.0
kernel signature: b646e4a3d169fa1973c0aea908040523f65533bec3d31659bd093860520e99d5
all runs: OK
# git bisect good c70672d8d316ebd46ea447effadfe57ab7a30a50
Bisecting: 531 revisions left to test after this (roughly 9 steps)
[ac99a822c67b960c17e165a01c00c6813e496f1c] net: ethernet/neterion/vxge: fix spelling of "functionality"
testing commit ac99a822c67b960c17e165a01c00c6813e496f1c with gcc (GCC) 8.1.0
kernel signature: 3ddb1dcbdee259f96d78e2f2ef5612179ba3b0365cdad91df8e922a6f2814d06
all runs: crashed: kernel BUG at net/rxrpc/conn_object.c:LINE!
# git bisect bad ac99a822c67b960c17e165a01c00c6813e496f1c
Bisecting: 275 revisions left to test after this (roughly 8 steps)
[8aa639e1483bbdc0615796801829c773724f6645] liquidio: Remove unneeded cast from memory allocation
testing commit 8aa639e1483bbdc0615796801829c773724f6645 with gcc (GCC) 8.1.0
kernel signature: 98dbbb5228582f2f5bbf9efa6e9ba30a024f657a3ba3b0bacd71288c40d331fb
all runs: OK
# git bisect good 8aa639e1483bbdc0615796801829c773724f6645
Bisecting: 137 revisions left to test after this (roughly 7 steps)
[acabf32805f79df6a8433f1392ed6ed8371722e5] xsk: Documentation for XDP_SHARED_UMEM between queues and netdevs
testing commit acabf32805f79df6a8433f1392ed6ed8371722e5 with gcc (GCC) 8.1.0
kernel signature: a461028e40f4c55064a109eb88af00defff2a1e70ab02663a9e653798cace867
all runs: OK
# git bisect good acabf32805f79df6a8433f1392ed6ed8371722e5
Bisecting: 68 revisions left to test after this (roughly 6 steps)
[0f7c5317b89058e432d3e97efa19467ff4c3b86b] of: Export of_remove_property() to modules
testing commit 0f7c5317b89058e432d3e97efa19467ff4c3b86b with gcc (GCC) 8.1.0
kernel signature: b150db44abc01c3cd86962cb051b5e7f0d6cbd192cedc1d7df893cdf3bdaa7a4
all runs: OK
# git bisect good 0f7c5317b89058e432d3e97efa19467ff4c3b86b
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[7dcc9d8a40f85cbd76acdebcc45ccdfe4a84337f] sfc: don't double-down() filters in ef100_reset()
testing commit 7dcc9d8a40f85cbd76acdebcc45ccdfe4a84337f with gcc (GCC) 8.1.0
kernel signature: 42c3c229176c02e90f7220d9ebcaf887dff93c51ad81056a6f02e395e0010993
all runs: OK
# git bisect good 7dcc9d8a40f85cbd76acdebcc45ccdfe4a84337f
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[3d93fda0bf799fd06fe6f105fdf2d73fbdd40476] net: hns3: remove some unused macros related to queue
testing commit 3d93fda0bf799fd06fe6f105fdf2d73fbdd40476 with gcc (GCC) 8.1.0
kernel signature: 8807fa6b3684b1742e4bb5ae9536b48d29c63aa9203ee29bdc65440bc222c757
all runs: OK
# git bisect good 3d93fda0bf799fd06fe6f105fdf2d73fbdd40476
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[161c4e88b720c0ef2e3bc2cd524fc9ea3615ec22] sfc: coding style cleanups in mcdi_port_common.c
testing commit 161c4e88b720c0ef2e3bc2cd524fc9ea3615ec22 with gcc (GCC) 8.1.0
kernel signature: a19c5507c5134d6cdadb680caccb54502eead53be63f6a0e56539cce8b39089f
all runs: OK
# git bisect good 161c4e88b720c0ef2e3bc2cd524fc9ea3615ec22
Bisecting: 5 revisions left to test after this (roughly 2 steps)
[288827d53e8edcca94caf6a507105fcbd20f419d] rxrpc: Allow multiple client connections to the same peer
testing commit 288827d53e8edcca94caf6a507105fcbd20f419d with gcc (GCC) 8.1.0
kernel signature: ad468b10cd0068c7a9a054c6c5df56e63684a683d7c15e7f2942cbfcbc96e984
all runs: crashed: kernel BUG at net/rxrpc/conn_object.c:LINE!
# git bisect bad 288827d53e8edcca94caf6a507105fcbd20f419d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[245500d853e9f20036cec7df4f6984ece4c6bf26] rxrpc: Rewrite the client connection manager
testing commit 245500d853e9f20036cec7df4f6984ece4c6bf26 with gcc (GCC) 8.1.0
kernel signature: 0363c666094cfba91e74d32db5957642d6b944c8f34099123cebc54907901036
all runs: crashed: kernel BUG at net/rxrpc/conn_object.c:LINE!
# git bisect bad 245500d853e9f20036cec7df4f6984ece4c6bf26
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b7a7d67408032843c14071711d6259aada9392f0] rxrpc: Impose a maximum number of client calls
testing commit b7a7d67408032843c14071711d6259aada9392f0 with gcc (GCC) 8.1.0
kernel signature: 3ff87031cfc8f4d80a35eb9807ab08957b1bc5d20ce812171b722cbf41d02ab4
all runs: OK
# git bisect good b7a7d67408032843c14071711d6259aada9392f0
245500d853e9f20036cec7df4f6984ece4c6bf26 is the first bad commit
commit 245500d853e9f20036cec7df4f6984ece4c6bf26
Author: David Howells <dhowells@redhat.com>
Date:   Wed Jul 1 11:15:32 2020 +0100

    rxrpc: Rewrite the client connection manager
    
    Rewrite the rxrpc client connection manager so that it can support multiple
    connections for a given security key to a peer.  The following changes are
    made:
    
     (1) For each open socket, the code currently maintains an rbtree with the
         connections placed into it, keyed by communications parameters.  This
         is tricky to maintain as connections can be culled from the tree or
         replaced within it.  Connections can require replacement for a number
         of reasons, e.g. their IDs span too great a range for the IDR data
         type to represent efficiently, the call ID numbers on that conn would
         overflow or the conn got aborted.
    
         This is changed so that there's now a connection bundle object placed
         in the tree, keyed on the same parameters.  The bundle, however, does
         not need to be replaced.
    
     (2) An rxrpc_bundle object can now manage the available channels for a set
         of parallel connections.  The lock that manages this is moved there
         from the rxrpc_connection struct (channel_lock).
    
     (3) There'a a dummy bundle for all incoming connections to share so that
         they have a channel_lock too.  It might be better to give each
         incoming connection its own bundle.  This bundle is not needed to
         manage which channels incoming calls are made on because that's the
         solely at whim of the client.
    
     (4) The restrictions on how many client connections are around are
         removed.  Instead, a previous patch limits the number of client calls
         that can be allocated.  Ordinarily, client connections are reaped
         after 2 minutes on the idle queue, but when more than a certain number
         of connections are in existence, the reaper starts reaping them after
         2s of idleness instead to get the numbers back down.
    
         It could also be made such that new call allocations are forced to
         wait until the number of outstanding connections subsides.
    
    Signed-off-by: David Howells <dhowells@redhat.com>

 include/trace/events/rxrpc.h |   33 +-
 net/rxrpc/ar-internal.h      |   68 ++-
 net/rxrpc/conn_client.c      | 1081 +++++++++++++++++++-----------------------
 net/rxrpc/conn_event.c       |   14 +-
 net/rxrpc/conn_object.c      |   12 +-
 net/rxrpc/conn_service.c     |    7 +
 net/rxrpc/local_object.c     |    4 +-
 net/rxrpc/net_ns.c           |    5 +-
 net/rxrpc/output.c           |    6 +
 net/rxrpc/proc.c             |    2 +-
 net/rxrpc/rxkad.c            |    8 +-
 net/rxrpc/sysctl.c           |   10 +-
 12 files changed, 559 insertions(+), 691 deletions(-)
culprit signature: 0363c666094cfba91e74d32db5957642d6b944c8f34099123cebc54907901036
parent  signature: 3ff87031cfc8f4d80a35eb9807ab08957b1bc5d20ce812171b722cbf41d02ab4
revisions tested: 16, total time: 3h52m39.929098198s (build: 1h20m31.630581846s, test: 2h30m7.810373632s)
first bad commit: 245500d853e9f20036cec7df4f6984ece4c6bf26 rxrpc: Rewrite the client connection manager
recipients (to): ["davem@davemloft.net" "dhowells@redhat.com" "kuba@kernel.org" "mingo@redhat.com" "netdev@vger.kernel.org" "rostedt@goodmis.org"]
recipients (cc): ["dhowells@redhat.com" "linux-afs@lists.infradead.org" "linux-kernel@vger.kernel.org"]
crash: kernel BUG at net/rxrpc/conn_object.c:LINE!
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): Released all slaves
rxrpc: Assertion failed
------------[ cut here ]------------
kernel BUG at net/rxrpc/conn_object.c:481!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 226 Comm: kworker/u4:3 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:rxrpc_destroy_all_connections.cold.17+0x59/0x69 net/rxrpc/conn_object.c:481
Code: 83 c0 01 00 00 48 89 de 4c 39 e0 48 8d 9a 40 fe ff ff 75 d8 48 89 ef e8 7e 14 31 00 0f 0b 48 c7 c7 8a 52 08 84 e8 79 db 4f fe <0f> 0b cc cc cc cc cc cc cc cc cc cc cc cc cc cc 41 57 41 56 45 31
RSP: 0018:ffffc90001347d48 EFLAGS: 00010246
RAX: 0000000000000017 RBX: ffff888120dd4000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff84021f41 RDI: 00000000ffffffff
RBP: ffff888120dd4088 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88812af30140 R11: 79ca7834c8b2ce98 R12: ffff888120dd4078
R13: ffff888120dd4064 R14: ffff8881108cac00 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffca461b290 CR3: 0000000122ade000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rxrpc_exit_net+0xc9/0x180 net/rxrpc/net_ns.c:119
 ops_exit_list.isra.9+0x31/0x60 net/core/net_namespace.c:186
 cleanup_net+0x273/0x3d0 net/core/net_namespace.c:603
 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269
 worker_thread+0x38/0x380 kernel/workqueue.c:2415
 kthread+0x148/0x170 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace 8fc6f11aa8799298 ]---
RIP: 0010:rxrpc_destroy_all_connections.cold.17+0x59/0x69 net/rxrpc/conn_object.c:481
Code: 83 c0 01 00 00 48 89 de 4c 39 e0 48 8d 9a 40 fe ff ff 75 d8 48 89 ef e8 7e 14 31 00 0f 0b 48 c7 c7 8a 52 08 84 e8 79 db 4f fe <0f> 0b cc cc cc cc cc cc cc cc cc cc cc cc cc cc 41 57 41 56 45 31
RSP: 0018:ffffc90001347d48 EFLAGS: 00010246
RAX: 0000000000000017 RBX: ffff888120dd4000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff84021f41 RDI: 00000000ffffffff
RBP: ffff888120dd4088 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88812af30140 R11: 79ca7834c8b2ce98 R12: ffff888120dd4078
R13: ffff888120dd4064 R14: ffff8881108cac00 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffca461b290 CR3: 0000000122ade000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400