bisecting cause commit starting from f13d783a184e4868c5fdbdf20c90a8e323f66dd7
building syzkaller on 9564d2e9821aea842b6ab213174aabd4b578b039
testing commit f13d783a184e4868c5fdbdf20c90a8e323f66dd7 with gcc (GCC) 8.1.0
kernel signature: 4a70dcefec97143b02f0075b5e0e17deef0903def03304e80fa3935ac956c2c6
all runs: crashed: WARNING: suspicious RCU usage in bond_ipsec_add_sa
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: e4ba44df7fe858e4b53d7206a2b1570a11f7fef0e0aef9375c5326716a7ca0ea
all runs: OK
# git bisect start f13d783a184e4868c5fdbdf20c90a8e323f66dd7 bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 6695 revisions left to test after this (roughly 13 steps)
[47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0
kernel signature: 8bc886802f633094d4489cf864ea907ffe45a424424bf0209957a0d3d799449e
all runs: crashed: WARNING: suspicious RCU usage in bond_ipsec_add_sa
# git bisect bad 47ec5303d73ea344e84f46660fff693c57641386
Bisecting: 4088 revisions left to test after this (roughly 12 steps)
[8f7be6291529011a58856bf178f52ed5751c68ac] Merge tag 'mmc-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit 8f7be6291529011a58856bf178f52ed5751c68ac with gcc (GCC) 8.1.0
kernel signature: c984c80c236744f827decbe7d3c6e6e5b872b7c6a422c0acf5d25b41bf45aced
all runs: OK
# git bisect good 8f7be6291529011a58856bf178f52ed5751c68ac
Bisecting: 2043 revisions left to test after this (roughly 11 steps)
[76769c38b45d94f5492ff9be363ac7007fd8e58b] Merge tag 'mlx5-updates-2020-08-03' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 76769c38b45d94f5492ff9be363ac7007fd8e58b with gcc (GCC) 8.1.0
kernel signature: b6e8b0c75b15d2344f4bb58c73ca9ebf02ff1aab766d29fcbb9f8757040234b5
all runs: crashed: WARNING: suspicious RCU usage in bond_ipsec_add_sa
# git bisect bad 76769c38b45d94f5492ff9be363ac7007fd8e58b
Bisecting: 1022 revisions left to test after this (roughly 10 steps)
[94d9f78f4d64b967273a676167bd34ddad2f978c] docs: networking: timestamping: add section for stacked PHC devices
testing commit 94d9f78f4d64b967273a676167bd34ddad2f978c with gcc (GCC) 8.1.0
kernel signature: 505c6a638632cafbfc5d80a0a5c67731461a5eedc0001b3e7fbe21da76c805fc
all runs: crashed: WARNING: suspicious RCU usage in bond_ipsec_add_sa
# git bisect bad 94d9f78f4d64b967273a676167bd34ddad2f978c
Bisecting: 514 revisions left to test after this (roughly 9 steps)
[11a20c7152823efe17e282e11cdfcc683d5e2a06] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 11a20c7152823efe17e282e11cdfcc683d5e2a06 with gcc (GCC) 8.1.0
kernel signature: 598d9619649070c7f2984e1f7cc6c01a068cc3cf66fec7a45c52fa5ac9851bdf
all runs: crashed: WARNING: suspicious RCU usage in bond_ipsec_add_sa
# git bisect bad 11a20c7152823efe17e282e11cdfcc683d5e2a06
Bisecting: 257 revisions left to test after this (roughly 8 steps)
[18c955b730002afdb0f86be39c0d202450acbbfc] bonding: Remove extraneous parentheses in bond_setup
testing commit 18c955b730002afdb0f86be39c0d202450acbbfc with gcc (GCC) 8.1.0
kernel signature: 2b489e3e31cdc69c20c3cf75be7e5918473a7ab975e02b5b0f3c31a974b8db67
all runs: OK
# git bisect good 18c955b730002afdb0f86be39c0d202450acbbfc
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[53e1f21abd89bde46ed30061c58370b8a079f6f5] sfc: commonise FC advertising
testing commit 53e1f21abd89bde46ed30061c58370b8a079f6f5 with gcc (GCC) 8.1.0
kernel signature: d612625d782e65c402edc172d9470ad12f35c3e07fbcbdd711275d0fbaf4c364
all runs: OK
# git bisect good 53e1f21abd89bde46ed30061c58370b8a079f6f5
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[a6ed3ebca49b62d7a917287b9986feff4e9fa7b1] net/tls: fix sign extension issue when left shifting u16 value
testing commit a6ed3ebca49b62d7a917287b9986feff4e9fa7b1 with gcc (GCC) 8.1.0
kernel signature: e0776be6c32036c5329e61e790305bb0fb6f1aeb08c0c4c9db2627b05ff79e1b
all runs: OK
# git bisect good a6ed3ebca49b62d7a917287b9986feff4e9fa7b1
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[33b7a252c8dc66ad4abd01a50f23a0d59d95d06d] ne2k-pci: use generic power management
testing commit 33b7a252c8dc66ad4abd01a50f23a0d59d95d06d with gcc (GCC) 8.1.0
kernel signature: 9107aa9a555ae0132f4caca917c4d4381ed3920f09e1fab38b8a0a1d04398e7d
all runs: OK
# git bisect good 33b7a252c8dc66ad4abd01a50f23a0d59d95d06d
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[1d86652b13e8404ee42b6575d97ed228e92547d6] net: ipa: reduce aggregation time limit
testing commit 1d86652b13e8404ee42b6575d97ed228e92547d6 with gcc (GCC) 8.1.0
kernel signature: e7b00a11992c1be05a3e77cf4f81fce89d72e38c2bd8a91ca05384f3c42dcb59
all runs: OK
# git bisect good 1d86652b13e8404ee42b6575d97ed228e92547d6
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[9b63f09378ff9df220d154a89910a3c0f8e036e6] net: ipa: metadata_mask register is RX only
testing commit 9b63f09378ff9df220d154a89910a3c0f8e036e6 with gcc (GCC) 8.1.0
kernel signature: 289a6027cb2c5b1db792783f402c5ed4006f762b77ab5ad87bd5558433e78506
all runs: OK
# git bisect good 9b63f09378ff9df220d154a89910a3c0f8e036e6
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[651f8bd4da93612a630626faf58fc894ef9443de] Merge branch 'net-ipa-endpoint-configuration-updates'
testing commit 651f8bd4da93612a630626faf58fc894ef9443de with gcc (GCC) 8.1.0
kernel signature: bff0e94dbb9063405b8851eb45183d2e42b0409d2fb42527883ae9129f94dc46
all runs: OK
# git bisect good 651f8bd4da93612a630626faf58fc894ef9443de
Bisecting: 2 revisions left to test after this (roughly 1 step)
[b3c3890489f6d3794916958d1663ab6aecb0290b] ice: avoid unnecessary single-member variable-length structs
testing commit b3c3890489f6d3794916958d1663ab6aecb0290b with gcc (GCC) 8.1.0
kernel signature: 017766001898bbdd56f01ca9c3c293f477f9faeb31a3489520ac69fc7a19ef36
all runs: OK
# git bisect good b3c3890489f6d3794916958d1663ab6aecb0290b
Bisecting: 1 revision left to test after this (roughly 1 step)
[a3b658cfb66497525278cbf852913a04dbaae992] bonding: allow xfrm offload setup post-module-load
testing commit a3b658cfb66497525278cbf852913a04dbaae992 with gcc (GCC) 8.1.0
kernel signature: 91f3b3f447ff1427b4f23a644a91a57e2583b6e858f3669c771501f4ba65fdcf
all runs: crashed: WARNING: suspicious RCU usage in bond_ipsec_add_sa
# git bisect bad a3b658cfb66497525278cbf852913a04dbaae992
a3b658cfb66497525278cbf852913a04dbaae992 is the first bad commit
commit a3b658cfb66497525278cbf852913a04dbaae992
Author: Jarod Wilson <jarod@redhat.com>
Date:   Tue Jun 30 14:49:41 2020 -0400

    bonding: allow xfrm offload setup post-module-load
    
    At the moment, bonding xfrm crypto offload can only be set up if the bonding
    module is loaded with active-backup mode already set. We need to be able to
    make this work with bonds set to AB after the bonding driver has already
    been loaded.
    
    So what's done here is:
    
    1) move #define BOND_XFRM_FEATURES to net/bonding.h so it can be used
    by both bond_main.c and bond_options.c
    2) set BOND_XFRM_FEATURES in bond_dev->hw_features universally, rather than
    only when loading in AB mode
    3) wire up xfrmdev_ops universally too
    4) disable BOND_XFRM_FEATURES in bond_dev->features if not AB
    5) exit early (non-AB case) from bond_ipsec_offload_ok, to prevent a
    performance hit from traversing into the underlying drivers
    5) toggle BOND_XFRM_FEATURES in bond_dev->wanted_features and call
    netdev_change_features() from bond_option_mode_set()
    
    In my local testing, I can change bonding modes back and forth on the fly,
    have hardware offload work when I'm in AB, and see no performance penalty
    to non-AB software encryption, despite having xfrm bits all wired up for
    all modes now.
    
    Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
    Reported-by: Huy Nguyen <huyn@mellanox.com>
    CC: Saeed Mahameed <saeedm@mellanox.com>
    CC: Jay Vosburgh <j.vosburgh@gmail.com>
    CC: Veaceslav Falico <vfalico@gmail.com>
    CC: Andy Gospodarek <andy@greyhouse.net>
    CC: "David S. Miller" <davem@davemloft.net>
    CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    CC: Jakub Kicinski <kuba@kernel.org>
    CC: Steffen Klassert <steffen.klassert@secunet.com>
    CC: Herbert Xu <herbert@gondor.apana.org.au>
    CC: netdev@vger.kernel.org
    CC: intel-wired-lan@lists.osuosl.org
    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c    | 19 ++++++++++---------
 drivers/net/bonding/bond_options.c |  8 ++++++++
 include/net/bonding.h              |  5 +++++
 3 files changed, 23 insertions(+), 9 deletions(-)
culprit signature: 91f3b3f447ff1427b4f23a644a91a57e2583b6e858f3669c771501f4ba65fdcf
parent  signature: bff0e94dbb9063405b8851eb45183d2e42b0409d2fb42527883ae9129f94dc46
revisions tested: 16, total time: 3h40m57.183036118s (build: 1h41m6.023908865s, test: 1h57m27.728649155s)
first bad commit: a3b658cfb66497525278cbf852913a04dbaae992 bonding: allow xfrm offload setup post-module-load
recipients (to): ["andy@greyhouse.net" "davem@davemloft.net" "davem@davemloft.net" "j.vosburgh@gmail.com" "jarod@redhat.com" "kuba@kernel.org" "netdev@vger.kernel.org" "vfalico@gmail.com"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: WARNING: suspicious RCU usage in bond_ipsec_add_sa
=============================
WARNING: suspicious RCU usage
5.8.0-rc2-syzkaller #0 Not tainted
-----------------------------
drivers/net/bonding/bond_main.c:387 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor.3/8285:
 #0: ffff88809fd73b28 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3}, at: xfrm_netlink_rcv+0x54/0x80 net/xfrm/xfrm_user.c:2687

stack backtrace:
CPU: 0 PID: 8285 Comm: syz-executor.3 Not tainted 5.8.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12f/0x192 lib/dump_stack.c:118
 bond_ipsec_add_sa+0x173/0x1d0 drivers/net/bonding/bond_main.c:387
 xfrm_dev_state_add+0x29f/0x770 net/xfrm/xfrm_device.c:268
 xfrm_state_construct net/xfrm/xfrm_user.c:655 [inline]
 xfrm_add_sa+0x1f69/0x32ec net/xfrm/xfrm_user.c:684
 xfrm_user_rcv_msg+0x354/0x690 net/xfrm/xfrm_user.c:2680
 netlink_rcv_skb+0x117/0x370 net/netlink/af_netlink.c:2469
 xfrm_netlink_rcv+0x63/0x80 net/xfrm/xfrm_user.c:2688
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x57b/0x790 net/socket.c:2352
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2406
 __sys_sendmsg+0xce/0x170 net/socket.c:2439
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d5f9
Code: Bad RIP value.
RSP: 002b:00007fd92ce85c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002cf80 RCX: 000000000045d5f9
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffef4a91d7f R14: 00007fd92ce869c0 R15: 000000000118cf4c
bond0: (slave bond_slave_0): Slave does not support ipsec offload