bisecting cause commit starting from ddef1e8e3f6eb26034833b7255e3fa584d54a230
building syzkaller on 5ea87a6638e52a94361b26b8576a1605585815fb
testing commit ddef1e8e3f6eb26034833b7255e3fa584d54a230 with gcc (GCC) 8.1.0
kernel signature: 6459f089634851a4b1663b0cb1e534760bde2b2e
all runs: crashed: WARNING: suspicious RCU usage in shmem_add_seals
testing release v4.14.150
testing commit b98aebd298246df37b472c52a2ee1023256d02e3 with gcc (GCC) 8.1.0
kernel signature: 565c372e5bbf41d1aafbf1116f4751949c9cfd0a
all runs: OK
# git bisect start ddef1e8e3f6eb26034833b7255e3fa584d54a230 b98aebd298246df37b472c52a2ee1023256d02e3
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[41b3073644e3b694439ff737e92decb670aceda2] arm64: capabilities: Clean up midr range helpers
testing commit 41b3073644e3b694439ff737e92decb670aceda2 with gcc (GCC) 8.1.0
kernel signature: 9f6c3f0dee8364fed252dccb4ed1d604d0f787da
all runs: crashed: WARNING: suspicious RCU usage in shmem_add_seals
# git bisect bad 41b3073644e3b694439ff737e92decb670aceda2
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[ffe87d720053202713f9f2a02bb888e8d97015bc] ALSA: hda/realtek - Add support for ALC711
testing commit ffe87d720053202713f9f2a02bb888e8d97015bc with gcc (GCC) 8.1.0
kernel signature: 51b8f92abab587f70fba649407c4564b912b4a82
all runs: crashed: WARNING: suspicious RCU usage in shmem_add_seals
# git bisect bad ffe87d720053202713f9f2a02bb888e8d97015bc
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[e74a4dc8f2dbcf7819a0c3209db9147a63d82e99] r8152: Set macpassthru in reset_resume callback
testing commit e74a4dc8f2dbcf7819a0c3209db9147a63d82e99 with gcc (GCC) 8.1.0
kernel signature: 5e6235ee888dca6d8003079e7a18087c03c364d0
all runs: OK
# git bisect good e74a4dc8f2dbcf7819a0c3209db9147a63d82e99
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[0f99c6bbe277bfb6836d9345630a8f23d3aeac9e] net: bcmgenet: Set phydev->dev_flags only for internal PHYs
testing commit 0f99c6bbe277bfb6836d9345630a8f23d3aeac9e with gcc (GCC) 8.1.0
kernel signature: fea5b92aacbc63864185c6c9348ce0c4b69746d8
all runs: OK
# git bisect good 0f99c6bbe277bfb6836d9345630a8f23d3aeac9e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[eccfa2109a545a16f0feace4b60da881b3a23082] net: avoid potential infinite loop in tc_ctl_action()
testing commit eccfa2109a545a16f0feace4b60da881b3a23082 with gcc (GCC) 8.1.0
kernel signature: 718e2ca09be805caab273204d147dd43817e8283
all runs: OK
# git bisect good eccfa2109a545a16f0feace4b60da881b3a23082
Bisecting: 1 revision left to test after this (roughly 1 step)
[391d4ee568b546c9900cc058b82d290e2f71a99c] memfd: Fix locking when tagging pins
testing commit 391d4ee568b546c9900cc058b82d290e2f71a99c with gcc (GCC) 8.1.0
kernel signature: 3293a9cc1a609d3bb4cf4fbc19d19e401c98cca7
all runs: crashed: WARNING: suspicious RCU usage in shmem_add_seals
# git bisect bad 391d4ee568b546c9900cc058b82d290e2f71a99c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[48a8f3c2081e83fcaa0ff7c4340f955eb9c55409] loop: Add LOOP_SET_DIRECT_IO to compat ioctl
testing commit 48a8f3c2081e83fcaa0ff7c4340f955eb9c55409 with gcc (GCC) 8.1.0
kernel signature: 06e1a8b1c5c12b74e46463a9dd60dec8af5db6d4
all runs: OK
# git bisect good 48a8f3c2081e83fcaa0ff7c4340f955eb9c55409
391d4ee568b546c9900cc058b82d290e2f71a99c is the first bad commit
commit 391d4ee568b546c9900cc058b82d290e2f71a99c
Author: Matthew Wilcox (Oracle)
Date:   Fri Oct 25 09:58:35 2019 -0700

    memfd: Fix locking when tagging pins

    The RCU lock is insufficient to protect the radix tree iteration as a
    deletion from the tree can occur before we take the spinlock to tag
    the entry. In 4.19, this has manifested as a bug with the following
    trace:

    kernel BUG at lib/radix-tree.c:1429!
    invalid opcode: 0000 [#1] SMP KASAN PTI
    CPU: 7 PID: 6935 Comm: syz-executor.2 Not tainted 4.19.36 #25
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
    RIP: 0010:radix_tree_tag_set+0x200/0x2f0 lib/radix-tree.c:1429
    Code: 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 44 24 10 e8 a3 29 7e fe 48 8b 44 24 10 48 0f ab 03 e9 d2 fe ff ff e8 90 29 7e fe <0f> 0b 48 c7 c7 e0 5a 87 84 e8 f0 e7 08 ff 4c 89 ef e8 4a ff ac fe
    RSP: 0018:ffff88837b13fb60 EFLAGS: 00010016
    RAX: 0000000000040000 RBX: ffff8883c5515d58 RCX: ffffffff82cb2ef0
    RDX: 0000000000000b72 RSI: ffffc90004cf2000 RDI: ffff8883c5515d98
    RBP: ffff88837b13fb98 R08: ffffed106f627f7e R09: ffffed106f627f7e
    R10: 0000000000000001 R11: ffffed106f627f7d R12: 0000000000000004
    R13: ffffea000d7fea80 R14: 1ffff1106f627f6f R15: 0000000000000002
    FS: 00007fa1b8df2700(0000) GS:ffff8883e2fc0000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fa1b8df1db8 CR3: 000000037d4d2001 CR4: 0000000000160ee0
    Call Trace:
     memfd_tag_pins mm/memfd.c:51 [inline]
     memfd_wait_for_pins+0x2c5/0x12d0 mm/memfd.c:81
     memfd_add_seals mm/memfd.c:215 [inline]
     memfd_fcntl+0x33d/0x4a0 mm/memfd.c:247
     do_fcntl+0x589/0xeb0 fs/fcntl.c:421
     __do_sys_fcntl fs/fcntl.c:463 [inline]
     __se_sys_fcntl fs/fcntl.c:448 [inline]
     __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:448
     do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:293

    The problem does not occur in mainline due to the XArray rewrite which
    changed the locking to exclude modification of the tree during
    iteration. At the time, nobody realised this was a bugfix. Backport
    the locking changes to stable.

    Cc: stable@vger.kernel.org
    Reported-by: zhong jiang
    Signed-off-by: Matthew Wilcox (Oracle)
    Signed-off-by: Sasha Levin

 mm/shmem.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

kernel signature: 3293a9cc1a609d3bb4cf4fbc19d19e401c98cca7
previous signature: 06e1a8b1c5c12b74e46463a9dd60dec8af5db6d4
revisions tested: 9, total time: 2h17m16.396882734s (build: 1h11m38.788225167s, test: 1h2m53.843627826s)
first bad commit: 391d4ee568b546c9900cc058b82d290e2f71a99c memfd: Fix locking when tagging pins
cc: ["hughd@google.com" "linux-kernel@vger.kernel.org" "linux-mm@kvack.org" "sashal@kernel.org" "willy@infradead.org"]
crash: WARNING: suspicious RCU usage in shmem_add_seals

IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
=============================
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
WARNING: suspicious RCU usage
4.14.150-syzkaller #0 Not tainted
bridge0: port 2(bridge_slave_1) entered blocking state
-----------------------------
bridge0: port 2(bridge_slave_1) entered forwarding state
./include/linux/radix-tree.h:238 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor.4/6780:
 #0: (&sb->s_type->i_mutex_key#12){+.+.}, at: [] inode_lock include/linux/fs.h:718 [inline]
 #0: (&sb->s_type->i_mutex_key#12){+.+.}, at: [] shmem_add_seals+0x12d/0xe80 mm/shmem.c:2810
 #1: (&(&mapping->tree_lock)->rlock){-...}, at: [] spin_lock_irq include/linux/spinlock.h:342 [inline]
 #1: (&(&mapping->tree_lock)->rlock){-...}, at: [] shmem_tag_pins mm/shmem.c:2665 [inline]
 #1: (&(&mapping->tree_lock)->rlock){-...}, at: [] shmem_wait_for_pins mm/shmem.c:2706 [inline]
 #1: (&(&mapping->tree_lock)->rlock){-...}, at: [] shmem_add_seals+0x2a5/0xe80 mm/shmem.c:2822

stack backtrace:
CPU: 0 PID: 6780 Comm: syz-executor.4 Not tainted 4.14.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xed/0x13b lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4665
 radix_tree_deref_slot include/linux/radix-tree.h:238 [inline]
 shmem_tag_pins mm/shmem.c:2667 [inline]
 shmem_wait_for_pins mm/shmem.c:2706 [inline]
 shmem_add_seals+0x9de/0xe80 mm/shmem.c:2822
 shmem_fcntl+0xa9/0xd0 mm/shmem.c:2857
 do_fcntl+0x5b3/0xfa0 fs/fcntl.c:421
 SYSC_fcntl fs/fcntl.c:463 [inline]
 SyS_fcntl+0xb9/0xf0 fs/fcntl.c:448
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459f49
RSP: 002b:00007fdbc5369c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000048
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459f49
RDX: 0000000000000008 RSI: 0000000000000409 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdbc536a6d4
R13: 00000000004c0904 R14: 00000000004d31f0 R15: 00000000ffffffff
device hsr_slave_0 entered promiscuous mode
device hsr_slave_1 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0