bisecting cause commit starting from 75e6a83b189c5edd5c0a5409cfd8de98126a2bae
building syzkaller on 46264c32592e5b2b959e3290bd0b8305ecec58db
testing commit 75e6a83b189c5edd5c0a5409cfd8de98126a2bae with gcc (GCC) 8.1.0
all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_policy
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 75e6a83b189c5edd5c0a5409cfd8de98126a2bae v5.0
Bisecting: 7061 revisions left to test after this (roughly 13 steps)
[b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew)
testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b5dd0c658c31b469ccff1b637e5124851e7a4a1c
Bisecting: 3560 revisions left to test after this (roughly 12 steps)
[4f0237062ca70c8e34e16e518aee4b84c30d1832] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
testing commit 4f0237062ca70c8e34e16e518aee4b84c30d1832 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4f0237062ca70c8e34e16e518aee4b84c30d1832
Bisecting: 1784 revisions left to test after this (roughly 11 steps)
[c7089c3c7d04856157d63ccd631ea64ba987ec2e] Merge remote-tracking branch 'qcom/for-next'
testing commit c7089c3c7d04856157d63ccd631ea64ba987ec2e with gcc (GCC) 8.1.0
all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_policy
# git bisect bad c7089c3c7d04856157d63ccd631ea64ba987ec2e
Bisecting: 879 revisions left to test after this (roughly 10 steps)
[f3ca4c55a6581c46e9f4a592dd698a7c67a713dd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit f3ca4c55a6581c46e9f4a592dd698a7c67a713dd with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f3ca4c55a6581c46e9f4a592dd698a7c67a713dd
Bisecting: 437 revisions left to test after this (roughly 9 steps)
[465c209db83e2cdaeb4a52f4e107a9fc636704db] Merge tag 'nfs-for-5.1-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
testing commit 465c209db83e2cdaeb4a52f4e107a9fc636704db with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 465c209db83e2cdaeb4a52f4e107a9fc636704db
Bisecting: 224 revisions left to test after this (roughly 8 steps)
[89423a5f0b4a30851f4560763bc803ec4638c1f9] Merge remote-tracking branch 'netfilter/master'
testing commit 89423a5f0b4a30851f4560763bc803ec4638c1f9 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_policy
# git bisect bad 89423a5f0b4a30851f4560763bc803ec4638c1f9
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[28d747f266fb73cd28a1b9a174cc3738fc177b00] Merge tag 'kbuild-v5.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit 28d747f266fb73cd28a1b9a174cc3738fc177b00 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 28d747f266fb73cd28a1b9a174cc3738fc177b00
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[96e570a165537401294c1c1359b0c17fdfe88e87] Merge remote-tracking branch 'powerpc-fixes/fixes'
testing commit 96e570a165537401294c1c1359b0c17fdfe88e87 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 96e570a165537401294c1c1359b0c17fdfe88e87
Bisecting: 20 revisions left to test after this (roughly 5 steps)
[0aedadcf6b4863a0d6eaad05a26425cc52944027] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 0aedadcf6b4863a0d6eaad05a26425cc52944027 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 0aedadcf6b4863a0d6eaad05a26425cc52944027
Bisecting: 12 revisions left to test after this (roughly 3 steps)
[99d3ecc9f6ca067bf4e80b98c3c5eae0768a375b] Merge remote-tracking branch 'bpf/master'
testing commit 99d3ecc9f6ca067bf4e80b98c3c5eae0768a375b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 99d3ecc9f6ca067bf4e80b98c3c5eae0768a375b
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[8ffcd32f64633926163cdd07a7d295c500a947d1] netfilter: nf_tables: bogus EBUSY in helper removal from transaction
testing commit 8ffcd32f64633926163cdd07a7d295c500a947d1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8ffcd32f64633926163cdd07a7d295c500a947d1
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f10e0010fae8174dc20bdc872bcaa85baa925cb7] net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm
testing commit f10e0010fae8174dc20bdc872bcaa85baa925cb7 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: suspicious RCU usage in xfrm_get_policy
# git bisect bad f10e0010fae8174dc20bdc872bcaa85baa925cb7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be] xfrm: Reset secpath in xfrm failure
testing commit 6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 6ed69184ed9c43873b8a1ee721e3bf3c08c2c6be
f10e0010fae8174dc20bdc872bcaa85baa925cb7 is the first bad commit
commit f10e0010fae8174dc20bdc872bcaa85baa925cb7
Author: Su Yanjun <suyj.fnst@cn.fujitsu.com>
Date:   Wed Mar 6 20:54:08 2019 -0500

    net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm
    
    For rcu protected pointers, we'd better add '__rcu' for them.
    
    Once added '__rcu' tag for rcu protected pointer, the sparse tool reports
    warnings.
    
    net/xfrm/xfrm_user.c:1198:39: sparse:    expected struct sock *sk
    net/xfrm/xfrm_user.c:1198:39: sparse:    got struct sock [noderef] <asn:4> *nlsk
    [...]
    
    So introduce a new wrapper function of nlmsg_unicast  to handle type
    conversions.
    
    This patch also fixes a direct access of a rcu protected socket.
    
    Fixes: be33690d8fcf("[XFRM]: Fix aevent related crash")
    Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 include/net/netns/xfrm.h |  2 +-
 net/xfrm/xfrm_user.c     | 30 +++++++++++++++++++++++-------
 2 files changed, 24 insertions(+), 8 deletions(-)
revisions tested: 15, total time: 3h19m49.789210105s (build: 1h18m13.303332104s, test: 1h58m38.071024089s)
first bad commit: f10e0010fae8174dc20bdc872bcaa85baa925cb7 net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm
cc: ["davem@davemloft.net" "fw@strlen.de" "herbert@gondor.apana.org.au" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "steffen.klassert@secunet.com" "suyj.fnst@cn.fujitsu.com"]
crash: WARNING: suspicious RCU usage in xfrm_get_policy
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.3'.
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
=============================
WARNING: suspicious RCU usage
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
5.0.0-rc7+ #1 Not tainted
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
-----------------------------
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
net/xfrm/xfrm_user.c:1080 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
bridge0: port 2(bridge_slave_1) entered blocking state
1 lock held by syz-executor.3/6715:
bridge0: port 2(bridge_slave_1) entered forwarding state
 #0: 00000000d10b421c (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: xfrm_netlink_rcv+0x5a/0x90 net/xfrm/xfrm_user.c:2691
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready

stack backtrace:
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
CPU: 1 PID: 6715 Comm: syz-executor.3 Not tainted 5.0.0-rc7+ #1
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
 lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4490
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
 xfrm_nlmsg_unicast net/xfrm/xfrm_user.c:1080 [inline]
 xfrm_get_policy+0x8e7/0xdb0 net/xfrm/xfrm_user.c:1922
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
 xfrm_user_rcv_msg+0x34f/0x760 net/xfrm/xfrm_user.c:2684
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
 netlink_rcv_skb+0x13f/0x380 net/netlink/af_netlink.c:2477
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
 xfrm_netlink_rcv+0x69/0x90 net/xfrm/xfrm_user.c:2692
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x444/0x640 net/netlink/af_netlink.c:1336
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xb7/0xf0 net/socket.c:632
 ___sys_sendmsg+0x649/0x950 net/socket.c:2115
 __sys_sendmsg+0xd9/0x180 net/socket.c:2153
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg net/socket.c:2160 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2160
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457799
Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0b0d82bc88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457799
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000006ed110 R14: 00000000004ac804 R15: 00007f0b0d82c6d4
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.0'.
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.3'.
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.0'.
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.3'.
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
8021q: adding VLAN 0 to HW filter on device batadv0
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 104 bytes leftover after parsing attributes in process `syz-executor.2'.
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves