bisecting cause commit starting from 3bfe1fc46794631366faa3ef075e1b0ff7ba120a building syzkaller on 1656845f45f284c574eb4f8bfe85dd7916a47a3a testing commit 3bfe1fc46794631366faa3ef075e1b0ff7ba120a with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start v5.1 v5.0 Bisecting: 7074 revisions left to test after this (roughly 13 steps) [b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew) testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad b5dd0c658c31b469ccff1b637e5124851e7a4a1c Bisecting: 3569 revisions left to test after this (roughly 12 steps) [3478588b5136966c80c571cf0006f08e9e5b8f04] Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 3478588b5136966c80c571cf0006f08e9e5b8f04 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad 3478588b5136966c80c571cf0006f08e9e5b8f04 Bisecting: 1673 revisions left to test after this (roughly 11 steps) [1a2566085650be593d464c4d73ac2d20ff67c058] Merge tag 'wireless-drivers-next-for-davem-2019-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 1a2566085650be593d464c4d73ac2d20ff67c058 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad 1a2566085650be593d464c4d73ac2d20ff67c058 Bisecting: 920 revisions left to test after this (roughly 10 steps) [deedf1feb255c7a390309f615e50de37cb82fb61] r8169: Avoid pointer aliasing testing commit deedf1feb255c7a390309f615e50de37cb82fb61 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad deedf1feb255c7a390309f615e50de37cb82fb61 Bisecting: 432 revisions left to test after this (roughly 9 steps) [ec7146db150082737cbfeacaae0f33e42c95cf18] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit ec7146db150082737cbfeacaae0f33e42c95cf18 with gcc (GCC) 8.1.0 all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect # git bisect skip ec7146db150082737cbfeacaae0f33e42c95cf18 Bisecting: 432 revisions left to test after this (roughly 9 steps) [6e6b904ad4f9aed43ec320afbd5a52ed8461ab41] ip_tunnel: Fix route fl4 init in ip_md_tunnel_xmit testing commit 6e6b904ad4f9aed43ec320afbd5a52ed8461ab41 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6e6b904ad4f9aed43ec320afbd5a52ed8461ab41 Bisecting: 267 revisions left to test after this (roughly 8 steps) [beb73559bf57b0151dba0c27c4f866599f57bb0b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit beb73559bf57b0151dba0c27c4f866599f57bb0b with gcc (GCC) 8.1.0 run #0: crashed: BUG: unable to handle kernel paging request in corrupted run #1: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #2: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #3: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #4: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #5: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #6: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #7: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #8: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #9: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad beb73559bf57b0151dba0c27c4f866599f57bb0b Bisecting: 149 revisions left to test after this (roughly 7 steps) [782a624d00fa22e7499f5abc29747501ec671313] bnxt_en: Add bnxt_en initial port params table and register it testing commit 782a624d00fa22e7499f5abc29747501ec671313 with gcc (GCC) 8.1.0 run #0: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #1: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #2: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #3: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #4: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #7: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #8: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #9: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad 782a624d00fa22e7499f5abc29747501ec671313 Bisecting: 74 revisions left to test after this (roughly 6 steps) [b7a1848e8398b8396c990279e6a10272d818577e] bpf: add BPF_PROG_TEST_RUN support for flow dissector testing commit b7a1848e8398b8396c990279e6a10272d818577e with gcc (GCC) 8.1.0 run #0: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #1: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #2: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #3: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #4: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #7: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #8: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #9: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad b7a1848e8398b8396c990279e6a10272d818577e Bisecting: 36 revisions left to test after this (roughly 5 steps) [e90287f3aaf666c9e18e60f889f82ecfb0ee3c5d] nfp: bpf: don't use instruction number for jump target testing commit e90287f3aaf666c9e18e60f889f82ecfb0ee3c5d with gcc (GCC) 8.1.0 all runs: OK # git bisect good e90287f3aaf666c9e18e60f889f82ecfb0ee3c5d Bisecting: 18 revisions left to test after this (roughly 4 steps) [503a8865a47752d0ac2ff642f07e96e8b2103178] bpf: interpreter support for JMP32 testing commit 503a8865a47752d0ac2ff642f07e96e8b2103178 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad 503a8865a47752d0ac2ff642f07e96e8b2103178 Bisecting: 8 revisions left to test after this (roughly 3 steps) [1d0dc06930a917eaca4156193c6c49f798b95ce7] net: xsk: track AF_XDP sockets on a per-netns list testing commit 1d0dc06930a917eaca4156193c6c49f798b95ce7 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR # git bisect bad 1d0dc06930a917eaca4156193c6c49f798b95ce7 Bisecting: 3 revisions left to test after this (roughly 2 steps) [923cefe3f90148b5da26433f6affbce7908e528d] Merge branch 'dead-code-elimination' testing commit 923cefe3f90148b5da26433f6affbce7908e528d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 923cefe3f90148b5da26433f6affbce7908e528d Bisecting: 1 revision left to test after this (roughly 1 step) [d9ff286a0f59fa7843549e49bd240393dd7d8b87] bpf: allow BPF programs access skb_shared_info->gso_segs field testing commit d9ff286a0f59fa7843549e49bd240393dd7d8b87 with gcc (GCC) 8.1.0 run #0: crashed: BUG: unable to handle kernel paging request in corrupted run #1: crashed: BUG: unable to handle kernel paging request in corrupted run #2: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #3: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #4: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #5: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #6: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #7: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #8: crashed: BUG: unable to handle kernel paging request in bpf_prog_ADDR run #9: crashed: BUG: unable to handle kernel paging request in corrupted # git bisect bad d9ff286a0f59fa7843549e49bd240393dd7d8b87 Bisecting: 0 revisions left to test after this (roughly 0 steps) [866e6ac47409f0bd12398b777fef61fb51ce3680] bpftool: feature probing, change default action testing commit 866e6ac47409f0bd12398b777fef61fb51ce3680 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 866e6ac47409f0bd12398b777fef61fb51ce3680 d9ff286a0f59fa7843549e49bd240393dd7d8b87 is the first bad commit commit d9ff286a0f59fa7843549e49bd240393dd7d8b87 Author: Eric Dumazet Date: Wed Jan 23 09:22:27 2019 -0800 bpf: allow BPF programs access skb_shared_info->gso_segs field This adds the ability to read gso_segs from a BPF program. v3: Use BPF_REG_AX instead of BPF_REG_TMP for the temporary register, as suggested by Martin. v2: refined Eddie Hao patch to address Alexei feedback. Signed-off-by: Eric Dumazet Cc: Eddie Hao Cc: Martin KaFai Lau Acked-by: Martin KaFai Lau Signed-off-by: Daniel Borkmann :040000 040000 6dedce79464c38eb4842d6ffaa8e88f346c1ee81 02d5e80d81a356f4d871e037b2838506c34a9b42 M include :040000 040000 980b88eb05e83168fd31690be7bf1f69259bd78e dbf799a1cbeabdf17bd95abb8a59fc5fdb9614af M net :040000 040000 28ed3762e3c90e992c6a9bc04de88dadd2ec091b 2ef6aaa34ed55341bcec91767b3c1097d8e0048e M tools revisions tested: 19, total time: 3h47m36.770042633s (build: 1h47m14.376311398s, test: 1h54m44.043248352s) first bad commit: d9ff286a0f59fa7843549e49bd240393dd7d8b87 bpf: allow BPF programs access skb_shared_info->gso_segs field cc: ["daniel@iogearbox.net" "eddieh@google.com" "edumazet@google.com" "kafai@fb.com"] crash: BUG: unable to handle kernel paging request in corrupted IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready BUG: unable to handle kernel paging request at ffff8880c420d66a ------------[ cut here ]------------ #PF error: [normal kernel read fault] downgrading a read lock WARNING: CPU: 1 PID: 6670 at kernel/locking/lockdep.c:3553 __lock_downgrade /kernel/locking/lockdep.c:3553 [inline] WARNING: CPU: 1 PID: 6670 at kernel/locking/lockdep.c:3553 lock_downgrade+0x47b/0x7f0 /kernel/locking/lockdep.c:3816 PGD a801067 P4D a801067 PUD 0 Kernel panic - not syncing: panic_on_warn set ... Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 7147 Comm: syz-executor.3 Not tainted 5.0.0-rc2+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:bpf_prog_9e69188709424cd0+0xcfe/0x1000 Code: 28 48 89 5d 00 4c 89 6d 08 4c 89 75 10 4c 89 7d 18 31 c0 48 89 45 20 31 c0 48 8b bf c0 00 00 00 44 8b 97 bc 00 00 00 4c 01 d7 <48> 0f b7 7f 06 48 8b 5d 00 4c 8b 6d 08 4c 8b 75 10 4c 8b 7d 18 48 RSP: 0018:ffff88808b7779b0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8155b5b4 RDX: 0000000000000000 RSI: ffffc90005e6b038 RDI: ffff8880c420d664 RBP: ffff88808b7779b0 R08: ffffed1015d45bc8 R09: ffffed1015d45bc7 R10: 00000000316abb64 R11: ffff8880aea2de3b R12: 0000000000000000 R13: ffff88808b777ab8 R14: 0000000000028130 R15: ffff88808b777e20 FS: 00007f504cb5a700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8880c420d66a CR3: 0000000093550000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: Modules linked in: CR2: ffff8880c420d66a ---[ end trace 2a7d0ddda47f508b ]--- RIP: 0010:bpf_prog_9e69188709424cd0+0xcfe/0x1000 Code: 28 48 89 5d 00 4c 89 6d 08 4c 89 75 10 4c 89 7d 18 31 c0 48 89 45 20 31 c0 48 8b bf c0 00 00 00 44 8b 97 bc 00 00 00 4c 01 d7 <48> 0f b7 7f 06 48 8b 5d 00 4c 8b 6d 08 4c 8b 75 10 4c 8b 7d 18 48 RSP: 0018:ffff88808b7779b0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8155b5b4 RDX: 0000000000000000 RSI: ffffc90005e6b038 RDI: ffff8880c420d664 RBP: ffff88808b7779b0 R08: ffffed1015d45bc8 R09: ffffed1015d45bc7 R10: 00000000316abb64 R11: ffff8880aea2de3b R12: 0000000000000000 R13: ffff88808b777ab8 R14: 0000000000028130 R15: ffff88808b777e20 FS: 00007f504cb5a700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8880c420d66a CR3: 0000000093550000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Shutting down cpus with NMI Kernel Offset: disabled Rebooting in 86400 seconds..