bisecting cause commit starting from 4477138fa0ae4e1b699786ef0600863ea6e6c61c
building syzkaller on bab43553a904660266fdcd8fb974c7bdd96b3f58
testing commit 4477138fa0ae4e1b699786ef0600863ea6e6c61c with gcc (GCC) 8.1.0
all runs: crashed: WARNING: lock held when returning to user space in tun_get_user
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 4477138fa0ae4e1b699786ef0600863ea6e6c61c v5.0
Bisecting: 5797 revisions left to test after this (roughly 13 steps)
[45763bf4bc1ebdf8eb95697607e1fd042a3e1221] Merge tag 'char-misc-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 45763bf4bc1ebdf8eb95697607e1fd042a3e1221 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 45763bf4bc1ebdf8eb95697607e1fd042a3e1221
Bisecting: 2899 revisions left to test after this (roughly 12 steps)
[cf2e8c544cd3b33e9e403b7b72404c221bf888d1] Merge tag 'mfd-next-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
testing commit cf2e8c544cd3b33e9e403b7b72404c221bf888d1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good cf2e8c544cd3b33e9e403b7b72404c221bf888d1
Bisecting: 1448 revisions left to test after this (roughly 11 steps)
[d6075262969321bcb5d795de25595fc2a141ac02] Merge tag 'nios2-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan/nios2
testing commit d6075262969321bcb5d795de25595fc2a141ac02 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d6075262969321bcb5d795de25595fc2a141ac02
Bisecting: 724 revisions left to test after this (roughly 10 steps)
[a667cb7a94d48a483fb5d6006fe04a440f1a42ce] Merge branch 'akpm' (patches from Andrew)
testing commit a667cb7a94d48a483fb5d6006fe04a440f1a42ce with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a667cb7a94d48a483fb5d6006fe04a440f1a42ce
Bisecting: 391 revisions left to test after this (roughly 9 steps)
[fa3d493f7a573b4e4e2538486e912093a0161c1b] Merge tag 'selinux-pr-20190312' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
testing commit fa3d493f7a573b4e4e2538486e912093a0161c1b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good fa3d493f7a573b4e4e2538486e912093a0161c1b
Bisecting: 189 revisions left to test after this (roughly 8 steps)
[2f194646fecaa9fd4607b670ee9ef84d9ed04566] Merge tag 'rproc-v5.1' of git://github.com/andersson/remoteproc
testing commit 2f194646fecaa9fd4607b670ee9ef84d9ed04566 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2f194646fecaa9fd4607b670ee9ef84d9ed04566
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[31ef489a026ef2c07383ef336dc9b6601c7b9b93] Merge tag 'dmaengine-5.1-rc1' of git://git.infradead.org/users/vkoul/slave-dma
testing commit 31ef489a026ef2c07383ef336dc9b6601c7b9b93 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 31ef489a026ef2c07383ef336dc9b6601c7b9b93
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[f3ca4c55a6581c46e9f4a592dd698a7c67a713dd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit f3ca4c55a6581c46e9f4a592dd698a7c67a713dd with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f3ca4c55a6581c46e9f4a592dd698a7c67a713dd
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[9352ca585b2ac7b67d2119b9386573b2a4c0ef4b] Merge tag 'pm-5.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 9352ca585b2ac7b67d2119b9386573b2a4c0ef4b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9352ca585b2ac7b67d2119b9386573b2a4c0ef4b
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[f261c4e529dac5608a604d3dd3ae1cd2adf23c89] Merge branch 'akpm' (patches from Andrew)
testing commit f261c4e529dac5608a604d3dd3ae1cd2adf23c89 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f261c4e529dac5608a604d3dd3ae1cd2adf23c89
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[eab2fc822af38f31fd5f4e731b5d10b94904d919] sch_cake: Interpret fwmark parameter as a bitmask
testing commit eab2fc822af38f31fd5f4e731b5d10b94904d919 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good eab2fc822af38f31fd5f4e731b5d10b94904d919
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[228cd2dba27cee9956c1af97e6445be056881e41] net: strparser: fix a missing check for create_singlethread_workqueue
testing commit 228cd2dba27cee9956c1af97e6445be056881e41 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 228cd2dba27cee9956c1af97e6445be056881e41
Bisecting: 0 revisions left to test after this (roughly 1 step)
[daa5c4d0167a308306525fd5ab9a5e18e21f4f74] net: phy: meson-gxl: fix interrupt support
testing commit daa5c4d0167a308306525fd5ab9a5e18e21f4f74 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good daa5c4d0167a308306525fd5ab9a5e18e21f4f74
4477138fa0ae4e1b699786ef0600863ea6e6c61c is the first bad commit
commit 4477138fa0ae4e1b699786ef0600863ea6e6c61c
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Mar 14 20:19:47 2019 -0700

    tun: properly test for IFF_UP
    
    Same reasons than the ones explained in commit 4179cb5a4c92
    ("vxlan: test dev->flags & IFF_UP before calling netif_rx()")
    
    netif_rx_ni() or napi_gro_frags() must be called under a strict contract.
    
    At device dismantle phase, core networking clears IFF_UP
    and flush_all_backlogs() is called after rcu grace period
    to make sure no incoming packet might be in a cpu backlog
    and still referencing the device.
    
    A similar protocol is used for gro layer.
    
    Most drivers call netif_rx() from their interrupt handler,
    and since the interrupts are disabled at device dismantle,
    netif_rx() does not have to check dev->flags & IFF_UP
    
    Virtual drivers do not have this guarantee, and must
    therefore make the check themselves.
    
    Fixes: 1bd4978a88ac ("tun: honor IFF_UP in tun_get_user()")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
revisions tested: 15, total time: 3h36m38.151792868s (build: 1h14m46.386533372s, test: 2h18m45.20903862s)
first bad commit: 4477138fa0ae4e1b699786ef0600863ea6e6c61c tun: properly test for IFF_UP
cc: ["brouer@redhat.com" "davem@davemloft.net" "edumazet@google.com" "jasowang@redhat.com" "linux-kernel@vger.kernel.org" "lirongqing@baidu.com" "mst@redhat.com" "netdev@vger.kernel.org" "nicolas.dichtel@6wind.com" "sd@queasysnail.net" "wangli39@baidu.com"]
crash: WARNING: lock held when returning to user space in tun_get_user
================================================
WARNING: lock held when returning to user space!
5.0.0+ #1 Not tainted
------------------------------------------------
syz-executor.2/6721 is leaving the kernel with locks still held!
1 lock held by syz-executor.2/6721:
 #0: 000000005e2a33a4 (rcu_read_lock){....}, at: tun_get_user+0xaf4/0x39e0 drivers/net/tun.c:1956
WARNING: CPU: 0 PID: 6721 at kernel/rcu/tree_plugin.h:314 rcu_note_context_switch+0x183/0x1890 kernel/rcu/tree_plugin.h:314
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 6721 Comm: syz-executor.2 Not tainted 5.0.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 panic+0x212/0x41d kernel/panic.c:214
 __warn.cold.8+0x1b/0x36 kernel/panic.c:571
 report_bug+0x1a4/0x200 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:rcu_note_context_switch+0x183/0x1890 kernel/rcu/tree_plugin.h:314
Code: ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 28 10 00 00 45 84 ff 41 8b 85 70 03 00 00 0f 85 a0 01 00 00 85 c0 0f 8e a0 01 00 00 <0f> 0b 4d 8d bd 74 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 fa
RSP: 0000:ffff888074f9fd68 EFLAGS: 00010002
RAX: 0000000000000001 RBX: ffff88802d82dd80 RCX: 1ffffffff0fb4e0c
RDX: 1ffff1100f3a7076 RSI: ffffffff86943e5f RDI: ffff888079d383b0
RBP: ffff888074f9fde0 R08: ffffed1005b05bc8 R09: ffffed1005b05bc7
R10: ffffed1005b05bc7 R11: ffff88802d82de3b R12: ffff888074f98000
R13: ffff888079d38040 R14: ffffffff88d3be98 R15: 0000000000000000
 __schedule+0x1ed/0x1c20 kernel/sched/core.c:3446
 schedule+0x7f/0x180 kernel/sched/core.c:3562
 exit_to_usermode_loop+0xf2/0x200 arch/x86/entry/common.c:152
 prepare_exit_to_usermode+0x1c5/0x210 arch/x86/entry/common.c:197
 retint_user+0x8/0x18
RIP: 0033:0x457651
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 c4 b6 fb ff c3 48 83 ec 08 e8 ba 14 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 03 15 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f1b3accfbc0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff02
RAX: fffffffffffffffb RBX: 0000000000000032 RCX: 0000000000457651
RDX: 0000000000000001 RSI: 00007f1b3accfc10 RDI: 00000000000000f0
RBP: 0000000020000000 R08: 00000000000000f0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00000000ffffffff
R13: 00000000006ef700 R14: 00000000004ad7c2 R15: 00007f1b3acd06d4
Kernel Offset: disabled
Rebooting in 86400 seconds..