bisecting cause commit starting from dc0f3ed1973f101508957b59e529e03da1349e09 building syzkaller on ec1531937e016c0a7b21e885a3f3a8a9bf9986ff testing commit dc0f3ed1973f101508957b59e529e03da1349e09 with gcc (GCC) 8.1.0 kernel signature: c006c19ea9a99dfdf4a31637e58e2c9a0375f2794aa24bdd40dfa15ca3ae1d2e all runs: crashed: general protection fault in inet_unhash testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: c5dd462d59266ed13c8121e605ac134fb66e3b6a1fc8bda4b06bb1874d729a42 all runs: OK # git bisect start dc0f3ed1973f101508957b59e529e03da1349e09 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 8583 revisions left to test after this (roughly 13 steps) [bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0 kernel signature: d3427d43a680bb045d8ff3abda41035ef8a1ba2df1492b167f2e84e015f96e53 all runs: crashed: general protection fault in inet_unhash # git bisect bad bc3b3f4bfbded031a11c4284106adddbfacd05bb Bisecting: 5130 revisions left to test after this (roughly 12 steps) [56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.1.0 kernel signature: 6d3b1b42aa79427ed435d9241160aef36c00acce8039058bd87ef53d481acceb all runs: OK # git bisect good 56a451b780676bc1cdac011735fe2869fa2e9abf Bisecting: 2587 revisions left to test after this (roughly 11 steps) [4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0 kernel signature: d9ff701996f8fe54065e633ddf6a8e07156842152b79e18cf5d6a7d2c3c17570 all runs: crashed: general protection fault in inet_unhash # git bisect bad 4646de87d32526ee87b46c2e0130413367fb5362 Bisecting: 1275 revisions left to test after this (roughly 10 steps) [8d4ccd7770e795e03c217624507ce17b5ab1c156] rtl8xxxu: Fix sparse warning: cast from restricted __le16 testing commit 8d4ccd7770e795e03c217624507ce17b5ab1c156 with gcc (GCC) 8.1.0 kernel signature: b6b63a96902c13f8368e84ade6cd957dd156f1b0fe2af8b0fd42298aca85b908 all runs: OK # git bisect good 8d4ccd7770e795e03c217624507ce17b5ab1c156 Bisecting: 637 revisions left to test after this (roughly 9 steps) [612509d6bd4a37d21a97187448d7811a54d6b5c3] iwlwifi: convert QnJ with Jf devices to new config table testing commit 612509d6bd4a37d21a97187448d7811a54d6b5c3 with gcc (GCC) 8.1.0 kernel signature: 804237ef08ad27089ec32f0bd2175038d32f6595922e3ffde906ee187d1a89af all runs: OK # git bisect good 612509d6bd4a37d21a97187448d7811a54d6b5c3 Bisecting: 325 revisions left to test after this (roughly 8 steps) [f87238d30c0d550553a37585d0e27a8052952bb4] hv_netvsc: Remove unnecessary round_up for recv_completion_cnt testing commit f87238d30c0d550553a37585d0e27a8052952bb4 with gcc (GCC) 8.1.0 kernel signature: 3d35565c946c6c4f79acea2dafced46d83ff11f093d92c2fd34508d7b905a7c3 all runs: OK # git bisect good f87238d30c0d550553a37585d0e27a8052952bb4 Bisecting: 163 revisions left to test after this (roughly 7 steps) [fcb90d51c375d09a034993cda262b68499e233a4] crypto: af_alg - bool type cosmetics testing commit fcb90d51c375d09a034993cda262b68499e233a4 with gcc (GCC) 8.1.0 kernel signature: 3b652dc2ed00c17f6e242968e76cdfa424617b6053e537c664bc01ec6b70592c all runs: OK # git bisect good fcb90d51c375d09a034993cda262b68499e233a4 Bisecting: 81 revisions left to test after this (roughly 6 steps) [d7a0b1f7652f9f6b7ba0c9d8ad8edd6b8c0c1511] net: dsa: b53: Restore VLAN entries upon (re)configuration testing commit d7a0b1f7652f9f6b7ba0c9d8ad8edd6b8c0c1511 with gcc (GCC) 8.1.0 kernel signature: 9144dff8adbc7d15a70028b594c76b4949b6a4f834b1e7571d991274ea531c96 all runs: crashed: general protection fault in inet_unhash # git bisect bad d7a0b1f7652f9f6b7ba0c9d8ad8edd6b8c0c1511 Bisecting: 40 revisions left to test after this (roughly 5 steps) [87854a0b57b34c52e172109b1d3949fc639b6474] selftests/bpf: Add tests for attaching XDP programs testing commit 87854a0b57b34c52e172109b1d3949fc639b6474 with gcc (GCC) 8.1.0 kernel signature: b081ffff3016c6c68303abbdc44120c833086a413c30080af4461ecf9f863e82 all runs: OK # git bisect good 87854a0b57b34c52e172109b1d3949fc639b6474 Bisecting: 20 revisions left to test after this (roughly 4 steps) [71489e21d720a09388b565d60ef87ae993c10528] net: Track socket refcounts in skb_steal_sock() testing commit 71489e21d720a09388b565d60ef87ae993c10528 with gcc (GCC) 8.1.0 kernel signature: 31e631686a0f1667af85cc522984b247d7613c94abc36c1539d5caa58c373afb all runs: OK # git bisect good 71489e21d720a09388b565d60ef87ae993c10528 Bisecting: 10 revisions left to test after this (roughly 3 steps) [9ac26e9973bac5716a2a542e32f380c84db2b88c] bpf: Test_verifier, bpf_get_stack return value add <0 testing commit 9ac26e9973bac5716a2a542e32f380c84db2b88c with gcc (GCC) 8.1.0 kernel signature: f2157ea4c086a06ede70dd1f66a5bf5f2e73baec8b82e85a76ba14be7855945c all runs: OK # git bisect good 9ac26e9973bac5716a2a542e32f380c84db2b88c Bisecting: 5 revisions left to test after this (roughly 3 steps) [0c991ebc8c69d29b7fc44db17075c5aa5253e2ab] bpf: Implement bpf_prog replacement for an active bpf_cgroup_link testing commit 0c991ebc8c69d29b7fc44db17075c5aa5253e2ab with gcc (GCC) 8.1.0 kernel signature: 05c7b41f05412c2d9021882c3b72cff641537e140faf8baf15df1b647a0905b6 all runs: crashed: general protection fault in inet_unhash # git bisect bad 0c991ebc8c69d29b7fc44db17075c5aa5253e2ab Bisecting: 2 revisions left to test after this (roughly 1 step) [41f70fe0649dddf02046315dc566e06da5a2dc91] bpf: Test_verifier, add alu32 bounds tracking tests testing commit 41f70fe0649dddf02046315dc566e06da5a2dc91 with gcc (GCC) 8.1.0 kernel signature: 571c0271fc4c8180853d84dfd52c665f3a16eae3033af091c446200c23ea2a50 all runs: OK # git bisect good 41f70fe0649dddf02046315dc566e06da5a2dc91 Bisecting: 0 revisions left to test after this (roughly 1 step) [af6eea57437a830293eab56246b6025cc7d46ee7] bpf: Implement bpf_link-based cgroup BPF program attachment testing commit af6eea57437a830293eab56246b6025cc7d46ee7 with gcc (GCC) 8.1.0 kernel signature: 9650e14b168b934d79d8d0b901b69a452d646516bb1a221d4f089238194c3e84 all runs: crashed: general protection fault in inet_unhash # git bisect bad af6eea57437a830293eab56246b6025cc7d46ee7 Bisecting: 0 revisions left to test after this (roughly 0 steps) [e5ffcc9191ca72ddf1c999a80ae9165705ac4790] Merge branch 'subreg-bounds' testing commit e5ffcc9191ca72ddf1c999a80ae9165705ac4790 with gcc (GCC) 8.1.0 kernel signature: 67f1945c12ec056c5cc6a3b634ffc1b8e2ea37422cf6ee5df32a33714b19ec85 all runs: OK # git bisect good e5ffcc9191ca72ddf1c999a80ae9165705ac4790 af6eea57437a830293eab56246b6025cc7d46ee7 is the first bad commit commit af6eea57437a830293eab56246b6025cc7d46ee7 Author: Andrii Nakryiko Date: Sun Mar 29 19:59:58 2020 -0700 bpf: Implement bpf_link-based cgroup BPF program attachment Implement new sub-command to attach cgroup BPF programs and return FD-based bpf_link back on success. bpf_link, once attached to cgroup, cannot be replaced, except by owner having its FD. Cgroup bpf_link supports only BPF_F_ALLOW_MULTI semantics. Both link-based and prog-based BPF_F_ALLOW_MULTI attachments can be freely intermixed. To prevent bpf_cgroup_link from keeping cgroup alive past the point when no BPF program can be executed, implement auto-detachment of link. When cgroup_bpf_release() is called, all attached bpf_links are forced to release cgroup refcounts, but they leave bpf_link otherwise active and allocated, as well as still owning underlying bpf_prog. This is because user-space might still have FDs open and active, so bpf_link as a user-referenced object can't be freed yet. Once last active FD is closed, bpf_link will be freed and underlying bpf_prog refcount will be dropped. But cgroup refcount won't be touched, because cgroup is released already. The inherent race between bpf_cgroup_link release (from closing last FD) and cgroup_bpf_release() is resolved by both operations taking cgroup_mutex. So the only additional check required is when bpf_cgroup_link attempts to detach itself from cgroup. At that time we need to check whether there is still cgroup associated with that link. And if not, exit with success, because bpf_cgroup_link was already successfully detached. Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Roman Gushchin Link: https://lore.kernel.org/bpf/20200330030001.2312810-2-andriin@fb.com include/linux/bpf-cgroup.h | 29 +++- include/linux/bpf.h | 10 +- include/uapi/linux/bpf.h | 10 +- kernel/bpf/cgroup.c | 315 +++++++++++++++++++++++++++++++---------- kernel/bpf/syscall.c | 64 +++++++-- kernel/cgroup/cgroup.c | 14 +- tools/include/uapi/linux/bpf.h | 10 +- 7 files changed, 354 insertions(+), 98 deletions(-) culprit signature: 9650e14b168b934d79d8d0b901b69a452d646516bb1a221d4f089238194c3e84 parent signature: 67f1945c12ec056c5cc6a3b634ffc1b8e2ea37422cf6ee5df32a33714b19ec85 revisions tested: 17, total time: 4h7m47.422614439s (build: 1h43m5.254931947s, test: 2h23m0.981927099s) first bad commit: af6eea57437a830293eab56246b6025cc7d46ee7 bpf: Implement bpf_link-based cgroup BPF program attachment cc: ["andriin@fb.com" "ast@kernel.org" "guro@fb.com"] crash: general protection fault in inet_unhash general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 8403 Comm: syz-executor.4 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:inet_unhash+0xfc/0x6f0 net/ipv4/inet_hashtables.c:600 Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 53 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9d 04 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00 RSP: 0018:ffffc90004677d48 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff8880a0b89880 RCX: 00000000ffffffff RDX: 0000000000000001 RSI: ffffffff88ba63c0 RDI: 0000000000000008 RBP: 0000000000000000 R08: fffffbfff1335171 R09: fffffbfff1335171 R10: fffffbfff1335170 R11: ffffffff899a8b87 R12: ffff8880a0b898f0 R13: ffff8880a0b89880 R14: 0000000000000000 R15: ffff8880a0b898a8 FS: 00007f610c80d700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000005072d0 CR3: 00000000a2abc000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: sk_common_release+0xa1/0x2f0 net/core/sock.c:3203 inet_create+0x797/0xca0 net/ipv4/af_inet.c:389 __sock_create+0x25d/0x540 net/socket.c:1433 sock_create net/socket.c:1484 [inline] __sys_socket+0xd1/0x1a0 net/socket.c:1526 __do_sys_socket net/socket.c:1535 [inline] __se_sys_socket net/socket.c:1533 [inline] __x64_sys_socket+0x6a/0xb0 net/socket.c:1533 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45ca29 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f610c80cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 RAX: ffffffffffffffda RBX: 00000000005072c0 RCX: 000000000045ca29 RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000b92 R14: 00000000004cde6d R15: 00007f610c80d6d4 Modules linked in: ---[ end trace 6d9bac48a05b293c ]--- RIP: 0010:inet_unhash+0xfc/0x6f0 net/ipv4/inet_hashtables.c:600 Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 53 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9d 04 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00 RSP: 0018:ffffc90004677d48 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff8880a0b89880 RCX: 00000000ffffffff RDX: 0000000000000001 RSI: ffffffff88ba63c0 RDI: 0000000000000008 RBP: 0000000000000000 R08: fffffbfff1335171 R09: fffffbfff1335171 R10: fffffbfff1335170 R11: ffffffff899a8b87 R12: ffff8880a0b898f0 R13: ffff8880a0b89880 R14: 0000000000000000 R15: ffff8880a0b898a8 FS: 00007f610c80d700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb18c03c0c8 CR3: 00000000a2abc000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400