bisecting cause commit starting from 75e6a83b189c5edd5c0a5409cfd8de98126a2bae building syzkaller on 46264c32592e5b2b959e3290bd0b8305ecec58db testing commit 75e6a83b189c5edd5c0a5409cfd8de98126a2bae with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_policy testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 75e6a83b189c5edd5c0a5409cfd8de98126a2bae v5.0 Bisecting: 7061 revisions left to test after this (roughly 13 steps) [b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew) testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0 all runs: OK # git bisect good b5dd0c658c31b469ccff1b637e5124851e7a4a1c Bisecting: 3560 revisions left to test after this (roughly 12 steps) [4f0237062ca70c8e34e16e518aee4b84c30d1832] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input testing commit 4f0237062ca70c8e34e16e518aee4b84c30d1832 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4f0237062ca70c8e34e16e518aee4b84c30d1832 Bisecting: 1784 revisions left to test after this (roughly 11 steps) [c7089c3c7d04856157d63ccd631ea64ba987ec2e] Merge remote-tracking branch 'qcom/for-next' testing commit c7089c3c7d04856157d63ccd631ea64ba987ec2e with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_policy # git bisect bad c7089c3c7d04856157d63ccd631ea64ba987ec2e Bisecting: 879 revisions left to test after this (roughly 10 steps) [f3ca4c55a6581c46e9f4a592dd698a7c67a713dd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit f3ca4c55a6581c46e9f4a592dd698a7c67a713dd with gcc (GCC) 8.1.0 all runs: OK # git bisect good f3ca4c55a6581c46e9f4a592dd698a7c67a713dd Bisecting: 437 revisions left to test after this (roughly 9 steps) [465c209db83e2cdaeb4a52f4e107a9fc636704db] Merge tag 'nfs-for-5.1-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 465c209db83e2cdaeb4a52f4e107a9fc636704db with gcc (GCC) 8.1.0 all runs: OK # git bisect good 465c209db83e2cdaeb4a52f4e107a9fc636704db Bisecting: 224 revisions left to test after this (roughly 8 steps) [89423a5f0b4a30851f4560763bc803ec4638c1f9] Merge remote-tracking branch 'netfilter/master' testing commit 89423a5f0b4a30851f4560763bc803ec4638c1f9 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_policy # git bisect bad 89423a5f0b4a30851f4560763bc803ec4638c1f9 Bisecting: 105 revisions left to test after this (roughly 7 steps) [28d747f266fb73cd28a1b9a174cc3738fc177b00] Merge tag 'kbuild-v5.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit 28d747f266fb73cd28a1b9a174cc3738fc177b00 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 28d747f266fb73cd28a1b9a174cc3738fc177b00 Bisecting: 54 revisions left to test after this (roughly 6 steps) [96e570a165537401294c1c1359b0c17fdfe88e87] Merge remote-tracking branch 'powerpc-fixes/fixes' testing commit 96e570a165537401294c1c1359b0c17fdfe88e87 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 96e570a165537401294c1c1359b0c17fdfe88e87 Bisecting: 20 revisions left to test after this (roughly 5 steps) [0aedadcf6b4863a0d6eaad05a26425cc52944027] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf testing commit 0aedadcf6b4863a0d6eaad05a26425cc52944027 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 0aedadcf6b4863a0d6eaad05a26425cc52944027 Bisecting: 12 revisions left to test after this (roughly 3 steps) [99d3ecc9f6ca067bf4e80b98c3c5eae0768a375b] Merge remote-tracking branch 'bpf/master' testing commit 99d3ecc9f6ca067bf4e80b98c3c5eae0768a375b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 99d3ecc9f6ca067bf4e80b98c3c5eae0768a375b Bisecting: 6 revisions left to test after this (roughly 3 steps) [8ffcd32f64633926163cdd07a7d295c500a947d1] netfilter: nf_tables: bogus EBUSY in helper removal from transaction testing commit 8ffcd32f64633926163cdd07a7d295c500a947d1 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8ffcd32f64633926163cdd07a7d295c500a947d1 Bisecting: 3 revisions left to test after this (roughly 2 steps) [f10e0010fae8174dc20bdc872bcaa85baa925cb7] net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm testing commit f10e0010fae8174dc20bdc872bcaa85baa925cb7 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_policy # git bisect bad f10e0010fae8174dc20bdc872bcaa85baa925cb7 Bisecting: 0 revisions left to test after this (roughly 1 step) [6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be] xfrm: Reset secpath in xfrm failure testing commit 6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be f10e0010fae8174dc20bdc872bcaa85baa925cb7 is the first bad commit commit f10e0010fae8174dc20bdc872bcaa85baa925cb7 Author: Su Yanjun Date: Wed Mar 6 20:54:08 2019 -0500 net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm For rcu protected pointers, we'd better add '__rcu' for them. Once added '__rcu' tag for rcu protected pointer, the sparse tool reports warnings. net/xfrm/xfrm_user.c:1198:39: sparse: expected struct sock *sk net/xfrm/xfrm_user.c:1198:39: sparse: got struct sock [noderef] *nlsk [...] So introduce a new wrapper function of nlmsg_unicast to handle type conversions. This patch also fixes a direct access of a rcu protected socket. Fixes: be33690d8fcf("[XFRM]: Fix aevent related crash") Signed-off-by: Su Yanjun Signed-off-by: Steffen Klassert include/net/netns/xfrm.h | 2 +- net/xfrm/xfrm_user.c | 30 +++++++++++++++++++++++------- 2 files changed, 24 insertions(+), 8 deletions(-) revisions tested: 15, total time: 3h19m49.789210105s (build: 1h18m13.303332104s, test: 1h58m38.071024089s) first bad commit: f10e0010fae8174dc20bdc872bcaa85baa925cb7 net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm cc: ["davem@davemloft.net" "fw@strlen.de" "herbert@gondor.apana.org.au" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "steffen.klassert@secunet.com" "suyj.fnst@cn.fujitsu.com"] crash: WARNING: suspicious RCU usage in xfrm_get_policy IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready netlink: 104 bytes leftover after parsing attributes in process `syz-executor.3'. IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready ============================= WARNING: suspicious RCU usage IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready 5.0.0-rc7+ #1 Not tainted IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready bridge0: port 1(bridge_slave_0) entered blocking state bridge0: port 1(bridge_slave_0) entered forwarding state ----------------------------- IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready net/xfrm/xfrm_user.c:1080 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready bridge0: port 2(bridge_slave_1) entered blocking state 1 lock held by syz-executor.3/6715: bridge0: port 2(bridge_slave_1) entered forwarding state #0: 00000000d10b421c (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: xfrm_netlink_rcv+0x5a/0x90 net/xfrm/xfrm_user.c:2691 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready stack backtrace: IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready CPU: 1 PID: 6715 Comm: syz-executor.3 Not tainted 5.0.0-rc7+ #1 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4490 IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready xfrm_nlmsg_unicast net/xfrm/xfrm_user.c:1080 [inline] xfrm_get_policy+0x8e7/0xdb0 net/xfrm/xfrm_user.c:1922 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready xfrm_user_rcv_msg+0x34f/0x760 net/xfrm/xfrm_user.c:2684 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready netlink_rcv_skb+0x13f/0x380 net/netlink/af_netlink.c:2477 IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready xfrm_netlink_rcv+0x69/0x90 net/xfrm/xfrm_user.c:2692 IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x444/0x640 net/netlink/af_netlink.c:1336 IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xb7/0xf0 net/socket.c:632 ___sys_sendmsg+0x649/0x950 net/socket.c:2115 __sys_sendmsg+0xd9/0x180 net/socket.c:2153 __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2160 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457799 Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f0b0d82bc88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457799 RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000006ed110 R14: 00000000004ac804 R15: 00007f0b0d82c6d4 IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready 8021q: adding VLAN 0 to HW filter on device batadv0 8021q: adding VLAN 0 to HW filter on device batadv0 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready netlink: 104 bytes leftover after parsing attributes in process `syz-executor.0'. IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready bridge0: port 1(bridge_slave_0) entered blocking state bridge0: port 1(bridge_slave_0) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready netlink: 104 bytes leftover after parsing attributes in process `syz-executor.3'. IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready netlink: 104 bytes leftover after parsing attributes in process `syz-executor.0'. bridge0: port 2(bridge_slave_1) entered blocking state bridge0: port 2(bridge_slave_1) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready netlink: 104 bytes leftover after parsing attributes in process `syz-executor.3'. IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready 8021q: adding VLAN 0 to HW filter on device batadv0 hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network 8021q: adding VLAN 0 to HW filter on device batadv0 netlink: 104 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 104 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 104 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 104 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 104 bytes leftover after parsing attributes in process `syz-executor.2'. IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves