bisecting fixing commit since 4d552acf337038028f7e2f63a927afb7adf65fc1
building syzkaller on 505ab413c77ce8c6bd4658ea5e68ea2534d47b39
testing commit 4d552acf337038028f7e2f63a927afb7adf65fc1 with gcc (GCC) 8.1.0
kernel signature: e28d903ceb691aabb40bedc28e5727506c0d66d3
all runs: crashed: WARNING in xfrm6_tunnel_net_exit
testing current HEAD dcd888983542055210f5e68f1b1f1f8fe11a369a
testing commit dcd888983542055210f5e68f1b1f1f8fe11a369a with gcc (GCC) 8.1.0
kernel signature: 626d5cb433b23e726513b9b54374a68e1cf4a7e4
all runs: OK
# git bisect start dcd888983542055210f5e68f1b1f1f8fe11a369a 4d552acf337038028f7e2f63a927afb7adf65fc1
Bisecting: 3409 revisions left to test after this (roughly 12 steps)
[780f3aadee1e84aba46f7dec0f5bcda26b409a06] platform/x86: pmc_atom: Add CB4063 Beckhoff Automation board to critclk_systems DMI table
testing commit 780f3aadee1e84aba46f7dec0f5bcda26b409a06 with gcc (GCC) 8.1.0
kernel signature: 73d48fb173f074c95632f59c72937c3787d3d5f1
all runs: OK
# git bisect bad 780f3aadee1e84aba46f7dec0f5bcda26b409a06
Bisecting: 1704 revisions left to test after this (roughly 11 steps)
[8e5666cdb36b4d7ab427e537fc370b33ddd11714] mISDN: make sure device name is NUL terminated
testing commit 8e5666cdb36b4d7ab427e537fc370b33ddd11714 with gcc (GCC) 8.1.0
kernel signature: a44bbf6865d6dde7e3e289e58dd833e42b3e2ec7
all runs: OK
# git bisect bad 8e5666cdb36b4d7ab427e537fc370b33ddd11714
Bisecting: 851 revisions left to test after this (roughly 10 steps)
[b7d2adfd0512a10757d216f60ecee50a1aa15b91] crypto: rockchip - update IV buffer to contain the next IV
testing commit b7d2adfd0512a10757d216f60ecee50a1aa15b91 with gcc (GCC) 8.1.0
kernel signature: 5de1524b6c5e266e07834322b4d733a0c7526ee0
all runs: OK
# git bisect bad b7d2adfd0512a10757d216f60ecee50a1aa15b91
Bisecting: 425 revisions left to test after this (roughly 9 steps)
[947bd0d9bdbc3191835612c2a69eab7d8cebf746] xsk: fix umem memory leak on cleanup
testing commit 947bd0d9bdbc3191835612c2a69eab7d8cebf746 with gcc (GCC) 8.1.0
kernel signature: 029905bbcf293f6809f20f7939f125107193872b
all runs: OK
# git bisect bad 947bd0d9bdbc3191835612c2a69eab7d8cebf746
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[2a458eddc4c270a435c26f0d22c46da36cbf00d2] bonding: fix event handling for stacked bonds
testing commit 2a458eddc4c270a435c26f0d22c46da36cbf00d2 with gcc (GCC) 8.1.0
kernel signature: 941963c544299f55b839f057944579e1d6a36801
all runs: OK
# git bisect bad 2a458eddc4c270a435c26f0d22c46da36cbf00d2
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[673e23ce80a60adc09e1dc68e957f7ae6c2b6603] perf/core: Restore mmap record type correctly
testing commit 673e23ce80a60adc09e1dc68e957f7ae6c2b6603 with gcc (GCC) 8.1.0
kernel signature: e4304d62eeb39f4e1d8641aeaa4f156818f8022c
all runs: crashed: WARNING in xfrm6_tunnel_net_exit
# git bisect good 673e23ce80a60adc09e1dc68e957f7ae6c2b6603
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[4369f8a38085347d9cf78fe6261b1296f664132c] 9p locks: add mount option for lock retry interval
testing commit 4369f8a38085347d9cf78fe6261b1296f664132c with gcc (GCC) 8.1.0
kernel signature: 2b731e74df463fec6fc2aebe85b5d7d19242ef1f
all runs: crashed: WARNING in xfrm6_tunnel_net_exit
# git bisect good 4369f8a38085347d9cf78fe6261b1296f664132c
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[1f52fa127898f74158b081a5127cc775a00239c8] crypto: sha256/arm - fix crash bug in Thumb2 build
testing commit 1f52fa127898f74158b081a5127cc775a00239c8 with gcc (GCC) 8.1.0
kernel signature: 2bc912f837f5404f43a729e36e995b1bf912b344
all runs: OK
# git bisect bad 1f52fa127898f74158b081a5127cc775a00239c8
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[3d11fc93aa2813ec82883638425b8d6c82b132ad] HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2
testing commit 3d11fc93aa2813ec82883638425b8d6c82b132ad with gcc (GCC) 8.1.0
kernel signature: f5ff0aefa97384cadc6853eabccea860a1e06425
all runs: crashed: WARNING in xfrm6_tunnel_net_exit
# git bisect good 3d11fc93aa2813ec82883638425b8d6c82b132ad
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[491dee743d6bc62b5629b985bf768994276afb7c] kernel: hung_task.c: disable on suspend
testing commit 491dee743d6bc62b5629b985bf768994276afb7c with gcc (GCC) 8.1.0
kernel signature: d5e99c25a408ecb77359a95934f5e0a8b7cd20a4
all runs: crashed: WARNING in xfrm6_tunnel_net_exit
# git bisect good 491dee743d6bc62b5629b985bf768994276afb7c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e434fbf4f04975a36d4fd0a7e7e6c425cb2ebbe6] ALSA: hda: fix front speakers on Huawei MBXP
testing commit e434fbf4f04975a36d4fd0a7e7e6c425cb2ebbe6 with gcc (GCC) 8.1.0
kernel signature: c26502279c50d21f3a48755ba2cb9dd8a0605d79
all runs: crashed: WARNING in xfrm6_tunnel_net_exit
# git bisect good e434fbf4f04975a36d4fd0a7e7e6c425cb2ebbe6
Bisecting: 1 revision left to test after this (roughly 1 step)
[5be4bb315de29ad3ae558a8f6b92f13a1b4bfb84] net/rds: fix warn in rds_message_alloc_sgs
testing commit 5be4bb315de29ad3ae558a8f6b92f13a1b4bfb84 with gcc (GCC) 8.1.0
kernel signature: 2111917202a9af8ffad2018ba4ef5fbe02592347
all runs: crashed: WARNING in xfrm6_tunnel_net_exit
# git bisect good 5be4bb315de29ad3ae558a8f6b92f13a1b4bfb84
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[bbbe47463da924160966d528c40182264b869a61] xfrm: destroy xfrm_state synchronously on net exit path
testing commit bbbe47463da924160966d528c40182264b869a61 with gcc (GCC) 8.1.0
kernel signature: 12752aaf5bf3155f1823bebc8da9244b93fd7194
all runs: OK
# git bisect bad bbbe47463da924160966d528c40182264b869a61
bbbe47463da924160966d528c40182264b869a61 is the first bad commit
commit bbbe47463da924160966d528c40182264b869a61
Author: Cong Wang
Date:   Thu Jan 31 13:05:49 2019 -0800

    xfrm: destroy xfrm_state synchronously on net exit path

    [ Upstream commit f75a2804da391571563c4b6b29e7797787332673 ]

    xfrm_state_put() moves struct xfrm_state to the GC list
    and schedules the GC work to clean it up. On net exit call
    path, xfrm_state_flush() is called to clean up and
    xfrm_flush_gc() is called to wait for the GC work to complete
    before exit.

    However, this doesn't work because one of the ->destructor(),
    ipcomp_destroy(), schedules the same GC work again inside
    the GC work. It is hard to wait for such a nested async
    callback. This is also why syzbot still reports the following
    warning:

     WARNING: CPU: 1 PID: 33 at net/ipv6/xfrm6_tunnel.c:351 xfrm6_tunnel_net_exit+0x2cb/0x500 net/ipv6/xfrm6_tunnel.c:351
     ...
      ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
      cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
      process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
      worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
      kthread+0x357/0x430 kernel/kthread.c:246
      ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

    In fact, it is perfectly fine to bypass GC and destroy xfrm_state
    synchronously on net exit call path, because it is in process context
    and doesn't need a work struct to do any blocking work.

    This patch introduces xfrm_state_put_sync() which simply bypasses
    GC, and lets its callers to decide whether to use this synchronous
    version. On net exit path, xfrm_state_fini() and
    xfrm6_tunnel_net_exit() use it. And, as ipcomp_destroy() itself is
    blocking, it can use xfrm_state_put_sync() directly too.

    Also rename xfrm_state_gc_destroy() to ___xfrm_state_destroy() to
    reflect this change.

    Fixes: b48c05ab5d32 ("xfrm: Fix warning in xfrm6_tunnel_net_exit.")
    Reported-and-tested-by: syzbot+e9aebef558e3ed673934@syzkaller.appspotmail.com
    Cc: Steffen Klassert
    Signed-off-by: Cong Wang
    Signed-off-by: Steffen Klassert
    Signed-off-by: Sasha Levin

 include/net/xfrm.h      | 12 +++++++++---
 net/ipv6/xfrm6_tunnel.c |  2 +-
 net/key/af_key.c        |  2 +-
 net/xfrm/xfrm_state.c   | 30 +++++++++++++++++++-----------
 net/xfrm/xfrm_user.c    |  2 +-
 5 files changed, 31 insertions(+), 17 deletions(-)
culprit signature: 12752aaf5bf3155f1823bebc8da9244b93fd7194
parent signature: 2111917202a9af8ffad2018ba4ef5fbe02592347
revisions tested: 15, total time: 4h14m41.395460903s (build: 2h9m19.701913224s, test: 2h3m53.397600545s)
first good commit: bbbe47463da924160966d528c40182264b869a61 xfrm: destroy xfrm_state synchronously on net exit path
cc: ["sashal@kernel.org" "steffen.klassert@secunet.com" "syzbot+e9aebef558e3ed673934@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]