bisecting cause commit starting from ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25 building syzkaller on a8c6a3f8da30ccf825c6001c81a8adff21829c30 testing commit ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25 with gcc (GCC) 8.1.0 kernel signature: cac8e51df5bf62bd4572e5cea11ac79b3005fc373d9a99ee18b4fc9f8128603a all runs: crashed: WARNING: bad unlock balance in mptcp_poll testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 6df2d6e70c7e2aa9a275909311d9ed9abee45dfc4380db4975902287d5efa89a all runs: OK # git bisect start ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 6225 revisions left to test after this (roughly 13 steps) [4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0 kernel signature: cf9e72354860fa3adecbe5148335cf5bad5641941c5d5ad09685892bd65509dd all runs: OK # git bisect good 4646de87d32526ee87b46c2e0130413367fb5362 Bisecting: 3145 revisions left to test after this (roughly 12 steps) [5c8db3eb381745c010ba746373a279e92502bdc8] Merge branch 'i2c/for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit 5c8db3eb381745c010ba746373a279e92502bdc8 with gcc (GCC) 8.1.0 kernel signature: 2081e5bd297ab306756afcd4b9258471e0a0aab2fc40b957e6bcaab47ddd8b37 all runs: OK # git bisect good 5c8db3eb381745c010ba746373a279e92502bdc8 Bisecting: 1463 revisions left to test after this (roughly 11 steps) [854e80bcfdafb8d99d308e21798cd0116338783d] Merge tag 'arm-dt-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 854e80bcfdafb8d99d308e21798cd0116338783d with gcc (GCC) 8.1.0 kernel signature: 12617c8ccab2036a5102747ffd595bf7e61e6f53a98b9186f6620da5b19ca23d all runs: OK # git bisect good 854e80bcfdafb8d99d308e21798cd0116338783d Bisecting: 755 revisions left to test after this (roughly 10 steps) [d5ca32738f8fbd3632928929cccb5789d44be390] Merge tag 'timers-urgent-2020-04-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit d5ca32738f8fbd3632928929cccb5789d44be390 with gcc (GCC) 8.1.0 kernel signature: 280565bdc9f27481766c1abf1172076d57cadf58f03cd17309008a3663dce934 all runs: OK # git bisect good d5ca32738f8fbd3632928929cccb5789d44be390 Bisecting: 345 revisions left to test after this (roughly 9 steps) [04de788e61a576820baf03ff8accc246ca146cb3] Merge tag 'nfs-for-5.7-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 04de788e61a576820baf03ff8accc246ca146cb3 with gcc (GCC) 8.1.0 kernel signature: 5adde41aa5995861a01f1bcba7bff594cd822274334b352bd850e5d6aa2f0539 all runs: crashed: WARNING: bad unlock balance in mptcp_poll # git bisect bad 04de788e61a576820baf03ff8accc246ca146cb3 Bisecting: 200 revisions left to test after this (roughly 8 steps) [479a72c0c6d7c24aa8b8a0a467672b6a6bac5947] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 479a72c0c6d7c24aa8b8a0a467672b6a6bac5947 with gcc (GCC) 8.1.0 kernel signature: ae3a6de63c37f33071dbdcefd34c7acbe47303ce0f48f87c88affee10de84d92 all runs: crashed: WARNING: bad unlock balance in mptcp_poll # git bisect bad 479a72c0c6d7c24aa8b8a0a467672b6a6bac5947 Bisecting: 110 revisions left to test after this (roughly 7 steps) [74e934ba0d6edff10eefe6c40f48edb6ebdfadc1] Merge tag 'for_v5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit 74e934ba0d6edff10eefe6c40f48edb6ebdfadc1 with gcc (GCC) 8.1.0 kernel signature: d38129b86513c47361a5cfa23c82e43cc7d70bea11a8fd050cc1a66b9fc7b913 all runs: OK # git bisect good 74e934ba0d6edff10eefe6c40f48edb6ebdfadc1 Bisecting: 50 revisions left to test after this (roughly 6 steps) [7e63420847ae5f1036e4f7c42f0b3282e73efbc2] Merge tag 'acpi-5.7-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 7e63420847ae5f1036e4f7c42f0b3282e73efbc2 with gcc (GCC) 8.1.0 kernel signature: 0d7db41835964ffd0c699cecb29c0b3eb1a2de6e1e5161812a8e4b762aeddc71 all runs: OK # git bisect good 7e63420847ae5f1036e4f7c42f0b3282e73efbc2 Bisecting: 25 revisions left to test after this (roughly 5 steps) [19e16d220f0adbf899a652dfb1fde2e3a95153e9] neigh: support smaller retrans_time settting testing commit 19e16d220f0adbf899a652dfb1fde2e3a95153e9 with gcc (GCC) 8.1.0 kernel signature: 9f7173c998c32ad59b0bc0cf665939e3267e2342b26e30e9b283b50fe49d6cee all runs: crashed: WARNING: bad unlock balance in mptcp_poll # git bisect bad 19e16d220f0adbf899a652dfb1fde2e3a95153e9 Bisecting: 12 revisions left to test after this (roughly 4 steps) [86287543715ac2a6d92d561cc105d79306511457] net: atlantic: fix missing | operator when assigning rec->llc testing commit 86287543715ac2a6d92d561cc105d79306511457 with gcc (GCC) 8.1.0 kernel signature: ca641daa0d24763f548080b96454eeb280ddb0a40af71336740a71b939de0fa0 all runs: OK # git bisect good 86287543715ac2a6d92d561cc105d79306511457 Bisecting: 6 revisions left to test after this (roughly 3 steps) [de06f57392b60e4d92135fbbedad4aea7d1107e2] mptcp: re-check dsn before reading from subflow testing commit de06f57392b60e4d92135fbbedad4aea7d1107e2 with gcc (GCC) 8.1.0 kernel signature: 443e108c2f79e9b19d7a3bc24797c72304d1c4ef34c35cfbd8df2ed0068b29af all runs: crashed: WARNING: bad unlock balance in mptcp_poll # git bisect bad de06f57392b60e4d92135fbbedad4aea7d1107e2 Bisecting: 2 revisions left to test after this (roughly 2 steps) [d16fa759253ff7a42b5257d0db9784caef2da9c0] net: ipv6: rpl_iptunnel: remove redundant assignments to variable err testing commit d16fa759253ff7a42b5257d0db9784caef2da9c0 with gcc (GCC) 8.1.0 kernel signature: fbfe452cab7ae8e66d67c61b2350d7a870fb77bad5fe5e1fb3536cd0afe41109 all runs: OK # git bisect good d16fa759253ff7a42b5257d0db9784caef2da9c0 Bisecting: 0 revisions left to test after this (roughly 1 step) [59832e246515ab6a4f5aa878073e6f415aa35166] mptcp: subflow: check parent mptcp socket on subflow state change testing commit 59832e246515ab6a4f5aa878073e6f415aa35166 with gcc (GCC) 8.1.0 kernel signature: 14efd9bde1cbb1a01ac53fa182163be6a182e2627207db73db03fdf85ce48b65 all runs: crashed: WARNING: bad unlock balance in mptcp_poll # git bisect bad 59832e246515ab6a4f5aa878073e6f415aa35166 Bisecting: 0 revisions left to test after this (roughly 0 steps) [0b4f33def7bbde1ce2fea05f116639270e7acdc7] mptcp: fix tcp fallback crash testing commit 0b4f33def7bbde1ce2fea05f116639270e7acdc7 with gcc (GCC) 8.1.0 kernel signature: d4b4f2ea3e0f3676d035e7448dcf6c19bb225c7718ae8649f8abc0af19c79b72 all runs: OK # git bisect good 0b4f33def7bbde1ce2fea05f116639270e7acdc7 59832e246515ab6a4f5aa878073e6f415aa35166 is the first bad commit commit 59832e246515ab6a4f5aa878073e6f415aa35166 Author: Florian Westphal Date: Thu Apr 2 13:44:52 2020 +0200 mptcp: subflow: check parent mptcp socket on subflow state change This is needed at least until proper MPTCP-Level fin/reset signalling gets added: We wake parent when a subflow changes, but we should do this only when all subflows have closed, not just one. Schedule the mptcp worker and tell it to check eof state on all subflows. Only flag mptcp socket as closed and wake userspace processes blocking in poll if all subflows have closed. Co-developed-by: Paolo Abeni Signed-off-by: Paolo Abeni Signed-off-by: Florian Westphal Signed-off-by: David S. Miller net/mptcp/protocol.c | 33 +++++++++++++++++++++++++++++++++ net/mptcp/protocol.h | 2 ++ net/mptcp/subflow.c | 3 +-- 3 files changed, 36 insertions(+), 2 deletions(-) culprit signature: 14efd9bde1cbb1a01ac53fa182163be6a182e2627207db73db03fdf85ce48b65 parent signature: d4b4f2ea3e0f3676d035e7448dcf6c19bb225c7718ae8649f8abc0af19c79b72 revisions tested: 16, total time: 3h47m39.757503088s (build: 1h34m4.345333767s, test: 2h12m33.1167071s) first bad commit: 59832e246515ab6a4f5aa878073e6f415aa35166 mptcp: subflow: check parent mptcp socket on subflow state change cc: ["davem@davemloft.net" "fw@strlen.de" "pabeni@redhat.com"] crash: WARNING: bad unlock balance in mptcp_poll ===================================== WARNING: bad unlock balance detected! 5.6.0-syzkaller #0 Not tainted ------------------------------------- syz-executor.4/14410 is trying to release lock (sk_lock-AF_INET6) at: [] mptcp_poll+0xa9/0x490 net/mptcp/protocol.c:1830 but there are no more locks to release! other info that might help us debug this: 1 lock held by syz-executor.4/14410: #0: ffff88808fab6be0 (slock-AF_INET6){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:358 [inline] #0: ffff88808fab6be0 (slock-AF_INET6){+...}-{2:2}, at: release_sock+0x16/0x170 net/core/sock.c:2974 stack backtrace: CPU: 1 PID: 14410 Comm: syz-executor.4 Not tainted 5.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 __lock_release kernel/locking/lockdep.c:4633 [inline] lock_release+0x5aa/0x7f0 kernel/locking/lockdep.c:4941 sock_release_ownership include/net/sock.h:1539 [inline] release_sock+0x137/0x170 net/core/sock.c:2984 mptcp_poll+0xa9/0x490 net/mptcp/protocol.c:1830 sock_poll+0x12f/0x420 net/socket.c:1271 vfs_poll include/linux/poll.h:90 [inline] do_pollfd fs/select.c:859 [inline] do_poll fs/select.c:907 [inline] do_sys_poll+0x4a7/0xc20 fs/select.c:1001 __do_sys_ppoll fs/select.c:1101 [inline] __se_sys_ppoll fs/select.c:1081 [inline] __x64_sys_ppoll+0x1bf/0x230 fs/select.c:1081 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45c889 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f1581d55c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010f RAX: ffffffffffffffda RBX: 00007f1581d566d4 RCX: 000000000045c889 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000020000080 RBP: 000000000076bf00 R08: 3f00000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000824 R14: 00000000004cadba R15: 000000000076bf0c