bisecting fixing commit since f25804f389846835535db255e7ba80eeed967ed7
building syzkaller on 251aabb77ec4d86b9374b6f999fbb8e1ea70963f
testing commit f25804f389846835535db255e7ba80eeed967ed7 with gcc (GCC) 8.1.0
kernel signature: d6707c2d61186a79cdb79b2c2b4bd65e9d5275ae8baa948b0026732e4f7a0dd5
all runs: crashed: inconsistent lock state in rxrpc_put_client_conn
testing current HEAD 54b4fa6d39551639cb10664f6ac78b01993a1d7e
testing commit 54b4fa6d39551639cb10664f6ac78b01993a1d7e with gcc (GCC) 8.1.0
kernel signature: 95b68c95dbba1bdf9c284fb62c31e5703b2cecc81becccd24496d8f2fd620c44
all runs: OK
# git bisect start 54b4fa6d39551639cb10664f6ac78b01993a1d7e f25804f389846835535db255e7ba80eeed967ed7
Bisecting: 234 revisions left to test after this (roughly 8 steps)
[b0c95d336123de55faf3528c97718a4e7607b54c] dmaengine: tegra-apb: Fix use-after-free
testing commit b0c95d336123de55faf3528c97718a4e7607b54c with gcc (GCC) 8.1.0
kernel signature: 50889e225b34f16b9eeb94188065fa054fa0668927001a1d6f63429515efeee3
all runs: OK
# git bisect bad b0c95d336123de55faf3528c97718a4e7607b54c
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[2c3b6d7c25cda181481e28294b678327fc0e8be9] net: ena: ethtool: use correct value for crc32 hash
testing commit 2c3b6d7c25cda181481e28294b678327fc0e8be9 with gcc (GCC) 8.1.0
kernel signature: 19f246b17196c6c54f07355dbd89de7732c161e4917ce02ef2e7d079e4d7ec2f
all runs: OK
# git bisect bad 2c3b6d7c25cda181481e28294b678327fc0e8be9
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[56ad5b4b7405ec08ef3f2b33cd59f5b3bca6577c] tty: serial: qcom_geni_serial: Fix RX cancel command failure
testing commit 56ad5b4b7405ec08ef3f2b33cd59f5b3bca6577c with gcc (GCC) 8.1.0
kernel signature: c3085d069516582f8f53edb4138ac763748e168cd97c55db1422966adfecaada
all runs: crashed: inconsistent lock state in rxrpc_put_client_conn
# git bisect good 56ad5b4b7405ec08ef3f2b33cd59f5b3bca6577c
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[bf3043d27755a8cb53cb99e4f04139a5279761e0] bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill
testing commit bf3043d27755a8cb53cb99e4f04139a5279761e0 with gcc (GCC) 8.1.0
kernel signature: 62cfea540c65ef63f642f8a2ac59695b01964cf535a29c073bf2909c15b19c31
all runs: crashed: inconsistent lock state in rxrpc_put_client_conn
# git bisect good bf3043d27755a8cb53cb99e4f04139a5279761e0
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[5195d8c4a4988109fc16a433ebdb64a5acf88c90] dax: pass NOWAIT flag to iomap_apply
testing commit 5195d8c4a4988109fc16a433ebdb64a5acf88c90 with gcc (GCC) 8.1.0
kernel signature: b095ee21af9681302ac1f6b8d1fe5063a29bc589a5ac4416ab7e53bf72bb7591
all runs: OK
# git bisect bad 5195d8c4a4988109fc16a433ebdb64a5acf88c90
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[fee87e931cc58435463975730a892d83af21d98c] xen: Enable interrupts when calling _cond_resched()
testing commit fee87e931cc58435463975730a892d83af21d98c with gcc (GCC) 8.1.0
kernel signature: 86566c7cc81138a4564009a8c679d2a9b7a3d30d9dc1f4ce3c91181e4c92776f
all runs: OK
# git bisect bad fee87e931cc58435463975730a892d83af21d98c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5a2972600a2f845d860f2a4c51b979c608cb1e9b] ALSA: seq: Fix concurrent access to queue current tick/time
testing commit 5a2972600a2f845d860f2a4c51b979c608cb1e9b with gcc (GCC) 8.1.0
kernel signature: 56b619059e2b4b7bc96046b2cdb869d6518292f6ceb72309a0597c1cbc87aa50
all runs: crashed: inconsistent lock state in rxrpc_put_client_conn
# git bisect good 5a2972600a2f845d860f2a4c51b979c608cb1e9b
Bisecting: 1 revision left to test after this (roughly 1 step)
[43cac315bec132e962e04c31fe888caac257ec0a] rxrpc: Fix call RCU cleanup using non-bh-safe locks
testing commit 43cac315bec132e962e04c31fe888caac257ec0a with gcc (GCC) 8.1.0
kernel signature: 74f6d2f82203b4d36ef05270beec3ddf411e20c545d542349c5d32271c963817
all runs: OK
# git bisect bad 43cac315bec132e962e04c31fe888caac257ec0a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[acbc5071f073bc368d7d4f63902adf536cf37772] netfilter: xt_hashlimit: limit the max size of hashtable
testing commit acbc5071f073bc368d7d4f63902adf536cf37772 with gcc (GCC) 8.1.0
kernel signature: f9813d875928707044599bfd7719b00ff12d44eb0a83b61c31d646a4f00bf1b3
all runs: crashed: inconsistent lock state in rxrpc_put_client_conn
# git bisect good acbc5071f073bc368d7d4f63902adf536cf37772
43cac315bec132e962e04c31fe888caac257ec0a is the first bad commit
commit 43cac315bec132e962e04c31fe888caac257ec0a
Author: David Howells
Date: Thu Feb 6 13:57:40 2020 +0000

    rxrpc: Fix call RCU cleanup using non-bh-safe locks

    commit 963485d436ccc2810177a7b08af22336ec2af67b upstream.

    rxrpc_rcu_destroy_call(), which is called as an RCU callback to clean up a put call, calls rxrpc_put_connection() which, deep in its bowels, takes a number of spinlocks in a non-BH-safe way, including rxrpc_conn_id_lock and local->client_conns_lock. RCU callbacks, however, are normally called from softirq context, which can cause lockdep to notice the locking inconsistency.

    To get lockdep to detect this, it's necessary to have the connection cleaned up on the put at the end of the last of its calls, though normally the clean up is deferred. This can be induced, however, by starting a call on an AF_RXRPC socket and then closing the socket without reading the reply.

    Fix this by having rxrpc_rcu_destroy_call() punt the destruction to a workqueue if in softirq-mode and defer the destruction to process context.

    Note that another way to fix this could be to add a bunch of bh-disable annotations to the spinlocks concerned - and there might be more than just those two - but that means spending more time with BHs disabled.

    Note also that some of these places were covered by bh-disable spinlocks belonging to the rxrpc_transport object, but these got removed without the _bh annotation being retained on the next lock in.

    Fixes: 999b69f89241 ("rxrpc: Kill the client connection bundle concept")
    Reported-by: syzbot+d82f3ac8d87e7ccbb2c9@syzkaller.appspotmail.com
    Reported-by: syzbot+3f1fd6b8cbf8702d134e@syzkaller.appspotmail.com
    Signed-off-by: David Howells
    cc: Hillf Danton
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/rxrpc/call_object.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
culprit signature: 74f6d2f82203b4d36ef05270beec3ddf411e20c545d542349c5d32271c963817
parent signature: f9813d875928707044599bfd7719b00ff12d44eb0a83b61c31d646a4f00bf1b3
revisions tested: 11, total time: 2h53m9.365959541s (build: 1h36m13.360852654s, test: 1h15m53.586502551s)
first good commit: 43cac315bec132e962e04c31fe888caac257ec0a rxrpc: Fix call RCU cleanup using non-bh-safe locks
cc: ["davem@davemloft.net" "dhowells@redhat.com" "gregkh@linuxfoundation.org"]