bisecting cause commit starting from dc1a9bf2c8169d9f607502162af1858a73a18cb8 building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7 testing commit dc1a9bf2c8169d9f607502162af1858a73a18cb8 with gcc (GCC) 8.1.0 kernel signature: f169211732b7a0f4bb1d646852bbc085048e5029a9b8eb7e9714bdc90ad4ce17 all runs: crashed: WARNING: refcount bug in __sk_destruct testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: a394cb744642db0019ee79dc773e146a26d36aeaa8b915cde861509461f20280 all runs: OK # git bisect start dc1a9bf2c8169d9f607502162af1858a73a18cb8 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 6277 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: bdf79be867fb334a1ef50cd0b54d49c73e9de601257a7d6f9372db5e04256ff1 all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 3147 revisions left to test after this (roughly 12 steps) [fa73e212318a3277ae1f304febbc617c75d4d2db] Merge tag 'media/v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit fa73e212318a3277ae1f304febbc617c75d4d2db with gcc (GCC) 8.1.0 kernel signature: 4207a424c7219ea6a1f0256f40b07314b41986d3a7291ca4c664205f1a7b690f all runs: OK # git bisect good fa73e212318a3277ae1f304febbc617c75d4d2db Bisecting: 1599 revisions left to test after this (roughly 11 steps) [4586039427fab2b8c4edd49c73002e13e04315cf] Merge tag 'linux-watchdog-5.9-rc1' of git://www.linux-watchdog.org/linux-watchdog testing commit 4586039427fab2b8c4edd49c73002e13e04315cf with gcc (GCC) 8.1.0 kernel signature: 6bbefe9f5a717213601002ea2a698b1afddcf34f2eaeb38b55847f3e69f3a5b0 all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip 4586039427fab2b8c4edd49c73002e13e04315cf Bisecting: 1599 revisions left to test after this (roughly 11 steps) [f9e7ff9c6fc758b6f25674a9a4451db30344ce1e] sh: use generic strncpy() testing commit f9e7ff9c6fc758b6f25674a9a4451db30344ce1e with gcc (GCC) 8.1.0 kernel signature: 539180394ff4c8a2c10f588d516f55f18dbcbc93473d84e8c3be006b6f8dc523 all runs: OK # git bisect good f9e7ff9c6fc758b6f25674a9a4451db30344ce1e Bisecting: 569 revisions left to test after this (roughly 9 steps) [f22c5579a7d600fa03f8c1d150cf78188f8709b6] Merge tag 'riscv-for-linus-5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux testing commit f22c5579a7d600fa03f8c1d150cf78188f8709b6 with gcc (GCC) 8.1.0 kernel signature: 32fe8f2c1c391a3da7f571e593bd6b9bf32524aea5b7a4900fbff4c14eca0034 all runs: OK # git bisect good f22c5579a7d600fa03f8c1d150cf78188f8709b6 Bisecting: 284 revisions left to test after this (roughly 8 steps) [343d8c6014db5b3397b3eedcb845fdd361c7e665] net: clean up codestyle for net/ipv4 testing commit 343d8c6014db5b3397b3eedcb845fdd361c7e665 with gcc (GCC) 8.1.0 kernel signature: 20a0ef996f33ebda3116ee2d5a615a10cb9470337a4006134ff16aeb19c3f423 all runs: OK # git bisect good 343d8c6014db5b3397b3eedcb845fdd361c7e665 Bisecting: 142 revisions left to test after this (roughly 7 steps) [ebc4ecd48ca6552b223047839f66e9a9c09aea4c] bpf: {cpu,dev}map: Change various functions return type from int to void testing commit ebc4ecd48ca6552b223047839f66e9a9c09aea4c with gcc (GCC) 8.1.0 kernel signature: 727caff4635f938161ea3e934f9dc0800991b374d06ab7655e0fb3913cef3897 all runs: crashed: WARNING: refcount bug in __sk_destruct # git bisect bad ebc4ecd48ca6552b223047839f66e9a9c09aea4c Bisecting: 70 revisions left to test after this (roughly 6 steps) [3418c56de81fd73f2265c8915f4b910bcc141cb7] libbpf: Avoid false unuinitialized variable warning in bpf_core_apply_relo testing commit 3418c56de81fd73f2265c8915f4b910bcc141cb7 with gcc (GCC) 8.1.0 kernel signature: 1040cf08d4722210e284d02f1a845dea5b0325a0a5bf68fa3e0d19650c187837 all runs: OK # git bisect good 3418c56de81fd73f2265c8915f4b910bcc141cb7 Bisecting: 35 revisions left to test after this (roughly 5 steps) [1fc0e18b6e06cbc174a814d8fe69d37212287d1f] Merge branch 'resolve_prog_type' testing commit 1fc0e18b6e06cbc174a814d8fe69d37212287d1f with gcc (GCC) 8.1.0 kernel signature: 22de4119446e9f18fe78a5f5a67258d5ecc23e163826d4ac8db830a066605076 all runs: OK # git bisect good 1fc0e18b6e06cbc174a814d8fe69d37212287d1f Bisecting: 17 revisions left to test after this (roughly 4 steps) [1742b3d528690ae7773cf7bf2f01a90ee1de2fe0] xsk: i40e: ice: ixgbe: mlx5: Pass buffer pool to driver instead of umem testing commit 1742b3d528690ae7773cf7bf2f01a90ee1de2fe0 with gcc (GCC) 8.1.0 kernel signature: dc7bde01b9906da181eb871cbfe9c8177db817a3e9eab9a97c55b21c4bcb4238 all runs: OK # git bisect good 1742b3d528690ae7773cf7bf2f01a90ee1de2fe0 Bisecting: 8 revisions left to test after this (roughly 3 steps) [9647c57b11e563f5b33a49ef72b347753917c21c] xsk: i40e: ice: ixgbe: mlx5: Test for dma_need_sync earlier for better performance testing commit 9647c57b11e563f5b33a49ef72b347753917c21c with gcc (GCC) 8.1.0 kernel signature: fa4fe2bcfca4f4dc21be258a820b5ce6598487084d8a129c9750bf39bb598d91 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor392512981" "root@10.128.10.42:./syz-executor392512981"]: exit status 1 Connection timed out during banner exchange lost connection run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor553503024" "root@10.128.15.199:./syz-executor553503024"]: exit status 1 Connection timed out during banner exchange lost connection # git bisect good 9647c57b11e563f5b33a49ef72b347753917c21c Bisecting: 4 revisions left to test after this (roughly 2 steps) [35149b2c048e43562a598fd8ff91467d429bc666] samples/bpf: Add new sample xsk_fwd.c testing commit 35149b2c048e43562a598fd8ff91467d429bc666 with gcc (GCC) 8.1.0 kernel signature: 7a1a185cc3e6c6ad58b866dead834f26a41f3585a230f9c83cadd9833271847d run #0: crashed: WARNING: refcount bug in xp_release_deferred run #1: crashed: WARNING: refcount bug in __sk_destruct run #2: crashed: WARNING: refcount bug in __sk_destruct run #3: crashed: WARNING: refcount bug in __sk_destruct run #4: crashed: WARNING: refcount bug in __sk_destruct run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in xp_disable_drv_zc run #6: crashed: WARNING: refcount bug in __sk_destruct run #7: crashed: WARNING: refcount bug in __sk_destruct run #8: crashed: WARNING: refcount bug in __sk_destruct run #9: crashed: WARNING: refcount bug in __sk_destruct # git bisect bad 35149b2c048e43562a598fd8ff91467d429bc666 Bisecting: 1 revision left to test after this (roughly 1 step) [a1132430c2c55af62d13e9fca752d46f14d548b3] xsk: Add shared umem support between devices testing commit a1132430c2c55af62d13e9fca752d46f14d548b3 with gcc (GCC) 8.1.0 kernel signature: af455b1ca385cc7e71323689bfe8d34f805d3f7b42c71db3860ddcf423103ccb all runs: crashed: WARNING: refcount bug in __sk_destruct # git bisect bad a1132430c2c55af62d13e9fca752d46f14d548b3 Bisecting: 0 revisions left to test after this (roughly 0 steps) [b5aea28dca13456c1a08b9b2ef8a8b92598ac426] xsk: Add shared umem support between queue ids testing commit b5aea28dca13456c1a08b9b2ef8a8b92598ac426 with gcc (GCC) 8.1.0 kernel signature: 2c870617db1a35f11d6c4648a15cfd86b97363b5b6239e3fc369a63817b6db39 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor167118935" "root@10.128.0.187:./syz-executor167118935"]: exit status 1 Connection timed out during banner exchange lost connection run #6: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor512325066" "root@10.128.1.31:./syz-executor512325066"]: exit status 1 Connection timed out during banner exchange lost connection run #7: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor337786764" "root@10.128.15.197:./syz-executor337786764"]: exit status 1 Connection timed out during banner exchange lost connection run #8: OK run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor358531963" "root@10.128.15.198:./syz-executor358531963"]: exit status 1 Connection timed out during banner exchange lost connection # git bisect good b5aea28dca13456c1a08b9b2ef8a8b92598ac426 a1132430c2c55af62d13e9fca752d46f14d548b3 is the first bad commit commit a1132430c2c55af62d13e9fca752d46f14d548b3 Author: Magnus Karlsson Date: Fri Aug 28 10:26:26 2020 +0200 xsk: Add shared umem support between devices Add support to share a umem between different devices. This mode can be invoked with the XDP_SHARED_UMEM bind flag. Previously, sharing was only supported within the same device. Note that when sharing a umem between devices, just as in the case of sharing a umem between queue ids, you need to create a fill ring and a completion ring and tie them to the socket (with two setsockopts, one for each ring) before you do the bind with the XDP_SHARED_UMEM flag. This so that the single-producer single-consumer semantics of the rings can be upheld. Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Acked-by: Björn Töpel Link: https://lore.kernel.org/bpf/1598603189-32145-13-git-send-email-magnus.karlsson@intel.com net/xdp/xsk.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) culprit signature: af455b1ca385cc7e71323689bfe8d34f805d3f7b42c71db3860ddcf423103ccb parent signature: 2c870617db1a35f11d6c4648a15cfd86b97363b5b6239e3fc369a63817b6db39 revisions tested: 16, total time: 3h27m57.81560214s (build: 1h15m16.294257779s, test: 2h11m18.429692684s) first bad commit: a1132430c2c55af62d13e9fca752d46f14d548b3 xsk: Add shared umem support between devices recipients (to): ["bjorn.topel@intel.com" "daniel@iogearbox.net" "magnus.karlsson@intel.com"] recipients (cc): [] crash: WARNING: refcount bug in __sk_destruct ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 16 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 lib/refcount.c:28 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xb3/0xec lib/dump_stack.c:118 panic+0x115/0x2fa kernel/panic.c:231 __warn.cold.13+0x20/0x25 kernel/panic.c:600 report_bug+0xc0/0xf0 lib/bug.c:198 handle_bug+0x35/0x90 arch/x86/kernel/traps.c:234 exc_invalid_op+0x13/0x60 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:refcount_warn_saturate+0xd8/0xe0 lib/refcount.c:28 Code: ff 48 c7 c7 a0 90 f1 83 c6 05 5a 2b 91 02 01 e8 d9 84 4f ff 0f 0b c3 48 c7 c7 48 90 f1 83 c6 05 46 2b 91 02 01 e8 c3 84 4f ff <0f> 0b c3 0f 1f 44 00 00 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 46 RSP: 0018:ffffc90000cf3de0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888110fa8ca8 RCX: 0000000000000101 RDX: 0000000080000101 RSI: ffffffff8401fc29 RDI: 00000000ffffffff RBP: ffff888110fa8800 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 8de418ac461b6a33 R12: ffffffff842f5ba0 R13: ffff888110fa8ca8 R14: 0000000000000000 R15: ffffffff81260806 __sk_destruct+0x1c/0x250 net/core/sock.c:1778 rcu_do_batch kernel/rcu/tree.c:2428 [inline] rcu_core+0x481/0x7f0 kernel/rcu/tree.c:2656 __do_softirq+0xf6/0x508 kernel/softirq.c:298 run_ksoftirqd+0x4b/0x80 kernel/softirq.c:652 smpboot_thread_fn+0x1c5/0x280 kernel/smpboot.c:165 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Kernel Offset: disabled Rebooting in 86400 seconds..