Re: [syzbot] [x86?] BUG: soft lockup in xfrm_timer_handler

[Steffen Klassert <steffen.klassert@secunet.com>]

On Tue, Aug 19, 2025 at 07:46:35AM -0700, Dave Hansen wrote:
> On 8/18/25 00:59, syzbot wrote:
> > Call Trace:
> >  <IRQ>
> ...
> >  spin_lock include/linux/spinlock.h:351 [inline]
> >  __xfrm_state_delete+0xba/0xca0 net/xfrm/xfrm_state.c:818
> >  xfrm_timer_handler+0x18f/0xa00 net/xfrm/xfrm_state.c:716
> >  __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
> >  __hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
> >  hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
> >  handle_softirqs+0x283/0x870 kernel/softirq.c:579
> >  __do_softirq kernel/softirq.c:613 [inline]
> >  invoke_softirq kernel/softirq.c:453 [inline]
> >  __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
> >  irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
> >  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
> >  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
> 
> >From that call trace, I'd suspect a deadlock from the xfrm code not
> releasing the lock somewhere, not x86 code.
> 
> One thing that stands out is that of the ~20 or so uses of
> '->xfrm.xfrm_state_lock', the call site in the trace is the only one
> that uses spin_lock() instead of spin_lock_bh(). I didn't look at it for
> long, so maybe there's a good reason for it. But it did catch my eye.

That's the one in __xfrm_state_delete. This function has 3 callers,
one ist xfrm_timer_handler itself and two others that disabled
bottom halves bevore calling. That should be save.

We had a recent patch that changed xfrm_alloc_spi, this function
changed the locking behaviour and shows up in the trace:

commit 94f39804d891 ("xfrm: Duplicate SPI Handling")

I don't see an obvious problem, but it changed the locking
used here.

I've Cced the author.