bisecting cause commit starting from 3d80c653f99658af6af3ac1b74f70bf9a069e71f
building syzkaller on 93e5e33559b98e47f3743e6d907ca8444fbba5d4
testing commit 3d80c653f99658af6af3ac1b74f70bf9a069e71f with gcc (GCC) 8.1.0
kernel signature: 0df7b88116e677b387fbfbf1dced5be9a6ba0dbb47698014cc39808e646d7848
all runs: crashed: inconsistent lock state in rxrpc_put_client_conn
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 67a8c9dee0d7575ed2dd7fce0e8af419a71994a1c67ac6708b5c1e6a49e21323
all runs: OK
# git bisect start 3d80c653f99658af6af3ac1b74f70bf9a069e71f d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
Bisecting: 3715 revisions left to test after this (roughly 12 steps)
[fb95aae6e67c4e319a24b3eea32032d4246a5335] Merge tag 'sound-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit fb95aae6e67c4e319a24b3eea32032d4246a5335 with gcc (GCC) 8.1.0
kernel signature: 66186544fad8b873c8fd02a835eaeb6fa15b1f0140106c40cea014729d7f47b6
all runs: OK
# git bisect good fb95aae6e67c4e319a24b3eea32032d4246a5335
Bisecting: 1866 revisions left to test after this (roughly 11 steps)
[b20414252068263c736d008e536658f9ce13d74a] drm/vmwgfx: Use VM_PFNMAP instead of VM_MIXEDMAP when possible
testing commit b20414252068263c736d008e536658f9ce13d74a with gcc (GCC) 8.1.0
kernel signature: 44ad1240953c5351725a629609fb6a166f243fb6236d068838bf0354c678e477
all runs: boot failed: general protection fault in do_mount_root
# git bisect skip b20414252068263c736d008e536658f9ce13d74a
Bisecting: 1866 revisions left to test after this (roughly 11 steps)
[cb92a3235956442c5ff211291865e219dc4cf4a0] drm/vmwgfx: add ioctl for messaging from/to guest userspace to/from host
testing commit cb92a3235956442c5ff211291865e219dc4cf4a0 with gcc (GCC) 8.1.0
kernel signature: a8afaf15fc0b93f45bb716140392b7cadd7d040bf3d37999f4a9345eba33138f
all runs: boot failed: general protection fault in do_mount_root
# git bisect skip cb92a3235956442c5ff211291865e219dc4cf4a0
Bisecting: 1866 revisions left to test after this (roughly 11 steps)
[0e29be9e0bbbf9cb3d718c5c48382b1420ce0749] drm/amd/display: re-enable wait in pipelock, but add timeout
testing commit 0e29be9e0bbbf9cb3d718c5c48382b1420ce0749 with gcc (GCC) 8.1.0
kernel signature: fa8a4e67f87815760d0661e40956734a76011d4284316981ed3e244906dbc2bc
all runs: OK
# git bisect good 0e29be9e0bbbf9cb3d718c5c48382b1420ce0749
Bisecting: 1718 revisions left to test after this (roughly 11 steps)
[d7ca2d19c751b6715e9cb899a6b94f47b3499d02] Merge tag 'drm-msm-next-2020-01-14' of https://gitlab.freedesktop.org/drm/msm into drm-next
testing commit d7ca2d19c751b6715e9cb899a6b94f47b3499d02 with gcc (GCC) 8.1.0
kernel signature: 28429769d0850500dcdaa774101795946cb2aec1e9373ae9219b0d5786c67da7
all runs: OK
# git bisect good d7ca2d19c751b6715e9cb899a6b94f47b3499d02
Bisecting: 737 revisions left to test after this (roughly 10 steps)
[7ba31c3f2f1ee095d8126f4d3757fc3b2bc3c838] Merge tag 'staging-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 7ba31c3f2f1ee095d8126f4d3757fc3b2bc3c838 with gcc (GCC) 8.1.0
kernel signature: 17a75649b77c2bb8ab0ad4956ea3a8efa2e8e99696e6ffc7c6c3e788ccbd8f96
all runs: OK
# git bisect good 7ba31c3f2f1ee095d8126f4d3757fc3b2bc3c838
Bisecting: 440 revisions left to test after this (roughly 9 steps)
[e9f8ca0ae7b7bc9a032b429929431c626a69dd5e] Merge tag 'for-5.6/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
testing commit e9f8ca0ae7b7bc9a032b429929431c626a69dd5e with gcc (GCC) 8.1.0
kernel signature: eb66862d44e18aaa4239cec0003c537242a898b3eaa8c487265535accb8d641a
all runs: OK
# git bisect good e9f8ca0ae7b7bc9a032b429929431c626a69dd5e
Bisecting: 222 revisions left to test after this (roughly 8 steps)
[896f8d23d0cb5889021d66eab6107e97109c5459] Merge tag 'for-5.6/io_uring-vfs-2020-01-29' of git://git.kernel.dk/linux-block
testing commit 896f8d23d0cb5889021d66eab6107e97109c5459 with gcc (GCC) 8.1.0
kernel signature: 4486cc8e3b8901b38c1b6f7931b7ca59b809bf1ef297219d3a2bbca9de379f9f
all runs: OK
# git bisect good 896f8d23d0cb5889021d66eab6107e97109c5459
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[893e591b59036f9bc629f55bce715d67bdd266a2] Merge tag 'devicetree-for-5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
testing commit 893e591b59036f9bc629f55bce715d67bdd266a2 with gcc (GCC) 8.1.0
kernel signature: 03065d5a2e51e694cd0b81c4fb77777cf8a4b14cc9d4089eff19662df48808ba
all runs: OK
# git bisect good 893e591b59036f9bc629f55bce715d67bdd266a2
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0
kernel signature: d0344c3c2b20c41a26560d7471f3b79123bb53645995573f6431bc146fb530d6
all runs: OK
# git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[d47c7f06268082bc0082a15297a07c0da59b0fc4] Merge branch 'linux-5.6' of git://github.com/skeggsb/linux into drm-next
testing commit d47c7f06268082bc0082a15297a07c0da59b0fc4 with gcc (GCC) 8.1.0
kernel signature: 1cbf17b32c1a208dbdb98442129ea08118ffa4986181d1290b740a105994b971
all runs: OK
# git bisect good d47c7f06268082bc0082a15297a07c0da59b0fc4
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51] cls_rsvp: fix rsvp_policy
testing commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 with gcc (GCC) 8.1.0
kernel signature: ac697c7ee708bb42ceeef7551b61827fcb2f948232fca3362c5880ed3a939761
all runs: OK
# git bisect good cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[dff6bc1bfd462b76dc13ec19dedc2c134a62ac59] MAINTAINERS: correct entries for ISDN/mISDN section
testing commit dff6bc1bfd462b76dc13ec19dedc2c134a62ac59 with gcc (GCC) 8.1.0
kernel signature: eb122afd2cc478b7bfc8a9ae56d1c794ae07d0bd189a74e8dcc365c43d4675be
all runs: OK
# git bisect good dff6bc1bfd462b76dc13ec19dedc2c134a62ac59
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5273a191dca65a675dc0bcf3909e59c6933e2831] rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
testing commit 5273a191dca65a675dc0bcf3909e59c6933e2831 with gcc (GCC) 8.1.0
kernel signature: 0f8f4fba1e4dc278d3c28a4fd866442da9c0a603cb9adb81a100d1012a153b3f
all runs: crashed: inconsistent lock state in rxrpc_put_client_conn
# git bisect bad 5273a191dca65a675dc0bcf3909e59c6933e2831
Bisecting: 1 revision left to test after this (roughly 1 step)
[f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b] rxrpc: Fix insufficient receive notification generation
testing commit f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b with gcc (GCC) 8.1.0
kernel signature: 3ec8422da46d610a0afee78bf541a99e76af420a97c5969ebf9f959a48903f60
all runs: OK
# git bisect good f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[04d36d748fac349b068ef621611f454010054c58] rxrpc: Fix missing active use pinning of rxrpc_local object
testing commit 04d36d748fac349b068ef621611f454010054c58 with gcc (GCC) 8.1.0
kernel signature: 8d0dd4a6277e984ff4f769e09473b86989a1a1a496616b380e6e4ef4907a0d06
all runs: OK
# git bisect good 04d36d748fac349b068ef621611f454010054c58
5273a191dca65a675dc0bcf3909e59c6933e2831 is the first bad commit
commit 5273a191dca65a675dc0bcf3909e59c6933e2831
Author: David Howells <dhowells@redhat.com>
Date:   Thu Jan 30 21:50:36 2020 +0000

    rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
    
    When a call is disconnected, the connection pointer from the call is
    cleared to make sure it isn't used again and to prevent further attempted
    transmission for the call.  Unfortunately, there might be a daemon trying
    to use it at the same time to transmit a packet.
    
    Fix this by keeping call->conn set, but setting a flag on the call to
    indicate disconnection instead.
    
    Remove also the bits in the transmission functions where the conn pointer is
    checked and a ref taken under spinlock as this is now redundant.
    
    Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs")
    Signed-off-by: David Howells <dhowells@redhat.com>

 net/rxrpc/ar-internal.h |  1 +
 net/rxrpc/call_object.c |  4 ++--
 net/rxrpc/conn_client.c |  3 +--
 net/rxrpc/conn_object.c |  4 ++--
 net/rxrpc/output.c      | 27 +++++++++------------------
 5 files changed, 15 insertions(+), 24 deletions(-)
culprit signature: 0f8f4fba1e4dc278d3c28a4fd866442da9c0a603cb9adb81a100d1012a153b3f
parent  signature: 8d0dd4a6277e984ff4f769e09473b86989a1a1a496616b380e6e4ef4907a0d06
revisions tested: 18, total time: 5h2m3.795676313s (build: 2h3m16.943835295s, test: 2h57m15.973606199s)
first bad commit: 5273a191dca65a675dc0bcf3909e59c6933e2831 rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
cc: ["davem@davemloft.net" "dhowells@redhat.com" "kuba@kernel.org" "linux-afs@lists.infradead.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]
crash: inconsistent lock state in rxrpc_put_client_conn
================================
WARNING: inconsistent lock state
5.5.0-syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
ksoftirqd/1/16 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff8880a27d41c8 (&(&local->client_conns_lock)->rlock){+.?.}, at: spin_lock include/linux/spinlock.h:338 [inline]
ffff8880a27d41c8 (&(&local->client_conns_lock)->rlock){+.?.}, at: rxrpc_put_one_client_conn net/rxrpc/conn_client.c:948 [inline]
ffff8880a27d41c8 (&(&local->client_conns_lock)->rlock){+.?.}, at: rxrpc_put_client_conn+0x4f4/0x8f0 net/rxrpc/conn_client.c:1001
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire+0x194/0x410 kernel/locking/lockdep.c:4484
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x2d/0x40 kernel/locking/spinlock.c:151
  spin_lock include/linux/spinlock.h:338 [inline]
  rxrpc_get_client_conn net/rxrpc/conn_client.c:304 [inline]
  rxrpc_connect_call+0x2d5/0x4700 net/rxrpc/conn_client.c:701
  rxrpc_new_client_call+0x82c/0x1670 net/rxrpc/call_object.c:290
  rxrpc_new_client_call_for_sendmsg net/rxrpc/sendmsg.c:595 [inline]
  rxrpc_do_sendmsg+0x886/0x186d net/rxrpc/sendmsg.c:652
  rxrpc_sendmsg+0x47e/0x5d0 net/rxrpc/af_rxrpc.c:586
  sock_sendmsg_nosec net/socket.c:652 [inline]
  sock_sendmsg+0xb5/0xf0 net/socket.c:672
  ____sys_sendmsg+0x3b0/0x950 net/socket.c:2343
  ___sys_sendmsg+0xe4/0x160 net/socket.c:2397
  __sys_sendmmsg+0x160/0x370 net/socket.c:2487
  __do_sys_sendmmsg net/socket.c:2516 [inline]
  __se_sys_sendmmsg net/socket.c:2513 [inline]
  __x64_sys_sendmmsg+0x98/0x100 net/socket.c:2513
  do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
irq event stamp: 616960
hardirqs last  enabled at (616960): [<ffffffff8742805d>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last  enabled at (616960): [<ffffffff8742805d>] _raw_spin_unlock_irqrestore+0x7d/0xd0 kernel/locking/spinlock.c:191
hardirqs last disabled at (616959): [<ffffffff874281f4>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (616959): [<ffffffff874281f4>] _raw_spin_lock_irqsave+0x74/0xd0 kernel/locking/spinlock.c:159
softirqs last  enabled at (616890): [<ffffffff878006ea>] __do_softirq+0x6ea/0x9a8 kernel/softirq.c:319
softirqs last disabled at (616895): [<ffffffff8140b924>] run_ksoftirqd+0x94/0x100 kernel/softirq.c:603

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&local->client_conns_lock)->rlock);
  <Interrupt>
    lock(&(&local->client_conns_lock)->rlock);

 *** DEADLOCK ***

1 lock held by ksoftirqd/1/16:
 #0: ffffffff88fa4bc0 (rcu_callback){....}, at: rcu_do_batch kernel/rcu/tree.c:2176 [inline]
 #0: ffffffff88fa4bc0 (rcu_callback){....}, at: rcu_core+0x53e/0x1340 kernel/rcu/tree.c:2410

stack backtrace:
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_usage_bug.cold.63+0x31b/0x36c kernel/locking/lockdep.c:3100
 valid_state kernel/locking/lockdep.c:3111 [inline]
 mark_lock_irq kernel/locking/lockdep.c:3308 [inline]
 mark_lock+0xb2c/0x11d0 kernel/locking/lockdep.c:3665
 mark_usage kernel/locking/lockdep.c:3565 [inline]
 __lock_acquire+0x1974/0x4ef0 kernel/locking/lockdep.c:3908
 lock_acquire+0x194/0x410 kernel/locking/lockdep.c:4484
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2d/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:338 [inline]
 rxrpc_put_one_client_conn net/rxrpc/conn_client.c:948 [inline]
 rxrpc_put_client_conn+0x4f4/0x8f0 net/rxrpc/conn_client.c:1001
 rxrpc_put_connection net/rxrpc/ar-internal.h:965 [inline]
 rxrpc_rcu_destroy_call+0x9b/0x1a0 net/rxrpc/call_object.c:572
 rcu_do_batch kernel/rcu/tree.c:2186 [inline]
 rcu_core+0x5bd/0x1340 kernel/rcu/tree.c:2410
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2419
 __do_softirq+0x262/0x9a8 kernel/softirq.c:292
 run_ksoftirqd+0x94/0x100 kernel/softirq.c:603
 smpboot_thread_fn+0x55f/0x8b0 kernel/smpboot.c:165
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352