bisecting fixing commit since f25804f389846835535db255e7ba80eeed967ed7
building syzkaller on 1253d6f07f7f40d2835e0d1e061dcbad49ae28ee
testing commit f25804f389846835535db255e7ba80eeed967ed7 with gcc (GCC) 8.1.0
kernel signature: 3d80f45785b7ce0d99ba95a528fa37ac526dcc2295d426a26bef6b7c71e87d88
all runs: crashed: inconsistent lock state in rxrpc_put_client_connection_id
testing current HEAD 54b4fa6d39551639cb10664f6ac78b01993a1d7e
testing commit 54b4fa6d39551639cb10664f6ac78b01993a1d7e with gcc (GCC) 8.1.0
kernel signature: 4c60e264d9fed971ae00b84d4a7b9b4be2072f8054929ee4ac4905a600c643d4
all runs: OK
# git bisect start 54b4fa6d39551639cb10664f6ac78b01993a1d7e f25804f389846835535db255e7ba80eeed967ed7
Bisecting: 234 revisions left to test after this (roughly 8 steps)
[b0c95d336123de55faf3528c97718a4e7607b54c] dmaengine: tegra-apb: Fix use-after-free
testing commit b0c95d336123de55faf3528c97718a4e7607b54c with gcc (GCC) 8.1.0
kernel signature: 14a9f9b3e45d335701faef6c863efab52a98ee8d9a6729687e8424653626f607
all runs: OK
# git bisect bad b0c95d336123de55faf3528c97718a4e7607b54c
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[2c3b6d7c25cda181481e28294b678327fc0e8be9] net: ena: ethtool: use correct value for crc32 hash
testing commit 2c3b6d7c25cda181481e28294b678327fc0e8be9 with gcc (GCC) 8.1.0
kernel signature: 390fd60530cc7b736bb109b23080c42eecb82031368535e2a712f0d5a30ed693
all runs: OK
# git bisect bad 2c3b6d7c25cda181481e28294b678327fc0e8be9
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[56ad5b4b7405ec08ef3f2b33cd59f5b3bca6577c] tty: serial: qcom_geni_serial: Fix RX cancel command failure
testing commit 56ad5b4b7405ec08ef3f2b33cd59f5b3bca6577c with gcc (GCC) 8.1.0
kernel signature: bfe9eed89b6b5972f462c05c6cf8183956375f2c465c1a7db0203245e83758b4
all runs: crashed: inconsistent lock state in rxrpc_put_client_connection_id
# git bisect good 56ad5b4b7405ec08ef3f2b33cd59f5b3bca6577c
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[bf3043d27755a8cb53cb99e4f04139a5279761e0] bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill
testing commit bf3043d27755a8cb53cb99e4f04139a5279761e0 with gcc (GCC) 8.1.0
kernel signature: 1ff8137a3d72c5a054528c06ebfeffd3767205d99f695c8a4fbccbdaadf9b661
all runs: crashed: inconsistent lock state in rxrpc_put_client_connection_id
# git bisect good bf3043d27755a8cb53cb99e4f04139a5279761e0
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[5195d8c4a4988109fc16a433ebdb64a5acf88c90] dax: pass NOWAIT flag to iomap_apply
testing commit 5195d8c4a4988109fc16a433ebdb64a5acf88c90 with gcc (GCC) 8.1.0
kernel signature: ccce0b6863ecbdd9ba2dcace3227922652b5580f21db676a519b584634cea297
all runs: OK
# git bisect bad 5195d8c4a4988109fc16a433ebdb64a5acf88c90
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[fee87e931cc58435463975730a892d83af21d98c] xen: Enable interrupts when calling _cond_resched()
testing commit fee87e931cc58435463975730a892d83af21d98c with gcc (GCC) 8.1.0
kernel signature: ca8059fd0ee40cb168c0c4785c28c1f84d614123ffdc9cc2205bfeccb583dde2
all runs: OK
# git bisect bad fee87e931cc58435463975730a892d83af21d98c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5a2972600a2f845d860f2a4c51b979c608cb1e9b] ALSA: seq: Fix concurrent access to queue current tick/time
testing commit 5a2972600a2f845d860f2a4c51b979c608cb1e9b with gcc (GCC) 8.1.0
kernel signature: 74af80e8ba52421d4fa3e03db85b888d4e4c09d3888da0515c9e0c2053d82cdb
all runs: crashed: inconsistent lock state in rxrpc_put_client_connection_id
# git bisect good 5a2972600a2f845d860f2a4c51b979c608cb1e9b
Bisecting: 1 revision left to test after this (roughly 1 step)
[43cac315bec132e962e04c31fe888caac257ec0a] rxrpc: Fix call RCU cleanup using non-bh-safe locks
testing commit 43cac315bec132e962e04c31fe888caac257ec0a with gcc (GCC) 8.1.0
kernel signature: 65b02c45c729d8c5198e26d4d34318a6473e70a2480c156e73e22073c2003e4d
all runs: OK
# git bisect bad 43cac315bec132e962e04c31fe888caac257ec0a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[acbc5071f073bc368d7d4f63902adf536cf37772] netfilter: xt_hashlimit: limit the max size of hashtable
testing commit acbc5071f073bc368d7d4f63902adf536cf37772 with gcc (GCC) 8.1.0
kernel signature: fc41f346462848b900fd6d2d33f4ad4b0af00d117b3d67501cd50df78c78f1ac
all runs: crashed: inconsistent lock state in rxrpc_put_client_connection_id
# git bisect good acbc5071f073bc368d7d4f63902adf536cf37772
43cac315bec132e962e04c31fe888caac257ec0a is the first bad commit
commit 43cac315bec132e962e04c31fe888caac257ec0a
Author: David Howells
Date:   Thu Feb 6 13:57:40 2020 +0000

    rxrpc: Fix call RCU cleanup using non-bh-safe locks

    commit 963485d436ccc2810177a7b08af22336ec2af67b upstream.

    rxrpc_rcu_destroy_call(), which is called as an RCU callback to clean up a
    put call, calls rxrpc_put_connection() which, deep in its bowels, takes a
    number of spinlocks in a non-BH-safe way, including rxrpc_conn_id_lock and
    local->client_conns_lock. RCU callbacks, however, are normally called from
    softirq context, which can cause lockdep to notice the locking
    inconsistency.

    To get lockdep to detect this, it's necessary to have the connection
    cleaned up on the put at the end of the last of its calls, though normally
    the clean up is deferred. This can be induced, however, by starting a call
    on an AF_RXRPC socket and then closing the socket without reading the
    reply.

    Fix this by having rxrpc_rcu_destroy_call() punt the destruction to a
    workqueue if in softirq-mode and defer the destruction to process context.

    Note that another way to fix this could be to add a bunch of bh-disable
    annotations to the spinlocks concerned - and there might be more than just
    those two - but that means spending more time with BHs disabled.

    Note also that some of these places were covered by bh-disable spinlocks
    belonging to the rxrpc_transport object, but these got removed without the
    _bh annotation being retained on the next lock in.

    Fixes: 999b69f89241 ("rxrpc: Kill the client connection bundle concept")
    Reported-by: syzbot+d82f3ac8d87e7ccbb2c9@syzkaller.appspotmail.com
    Reported-by: syzbot+3f1fd6b8cbf8702d134e@syzkaller.appspotmail.com
    Signed-off-by: David Howells
    cc: Hillf Danton
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/rxrpc/call_object.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
culprit signature: 65b02c45c729d8c5198e26d4d34318a6473e70a2480c156e73e22073c2003e4d
parent signature: fc41f346462848b900fd6d2d33f4ad4b0af00d117b3d67501cd50df78c78f1ac
revisions tested: 11, total time: 2h52m43.079440697s (build: 1h36m29.534464432s, test: 1h15m12.382191075s)
first good commit: 43cac315bec132e962e04c31fe888caac257ec0a rxrpc: Fix call RCU cleanup using non-bh-safe locks
cc: ["davem@davemloft.net" "dhowells@redhat.com" "gregkh@linuxfoundation.org"]