bisecting cause commit starting from b7892f7d5cb2b8187c603dd8ea3a7c44059ccfc2 building syzkaller on 4ebb27982f8984ed57466f87099acc0b250a1b5c testing commit b7892f7d5cb2b8187c603dd8ea3a7c44059ccfc2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ce0484054315128232bc6a6705b7bed024279d25f4f602698b5e0d1b16147839 all runs: crashed: general protection fault in btf_decl_tag_resolve testing release v5.16 testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 49399300f4e6791586a9b5d086e2b76e43dee0c429d7818321fc927b7e200a85 all runs: crashed: general protection fault in btf_decl_tag_resolve testing release v5.15 testing commit 8bb7eca972ad531c9b149c0a51ab43a417385813 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 089e11fd11d17a86865a0ae5297795314d4ea95ca25e4ccd738d1fce853b943e all runs: OK # git bisect start df0cc57e057f18e44dac8e6c18aba47ab53202f9 8bb7eca972ad531c9b149c0a51ab43a417385813 Bisecting: 7870 revisions left to test after this (roughly 13 steps) [2219b0ceefe835b92a8a74a73fe964aa052742a2] Merge tag 'soc-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 2219b0ceefe835b92a8a74a73fe964aa052742a2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 63ab1cf4e91ac62b91adb6d3455bdfa596d1800df4022dc29830d6bb411f3d0d all runs: crashed: general protection fault in btf_decl_tag_resolve # git bisect bad 2219b0ceefe835b92a8a74a73fe964aa052742a2 Bisecting: 2946 revisions left to test after this (roughly 12 steps) [fc02cb2b37fe2cbf1d3334b9f0f0eab9431766c4] Merge tag 'net-next-for-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit fc02cb2b37fe2cbf1d3334b9f0f0eab9431766c4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 613e417bb501dbc098115f2aafe81806f5aacac8841f3139aa4b7ee359f572d0 all runs: crashed: general protection fault in btf_decl_tag_resolve # git bisect bad fc02cb2b37fe2cbf1d3334b9f0f0eab9431766c4 Bisecting: 2251 revisions left to test after this (roughly 11 steps) [b7b98f868987cd3e86c9bd9a6db048614933d7a0] Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit b7b98f868987cd3e86c9bd9a6db048614933d7a0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9e4615f81da95e2b4cac04cc3b3ad5bc46d96e472fa9f44d40e95ccd30a1336f all runs: crashed: general protection fault in btf_decl_tag_resolve # git bisect bad b7b98f868987cd3e86c9bd9a6db048614933d7a0 Bisecting: 1156 revisions left to test after this (roughly 10 steps) [9fd3d5dced976640f588e0a866b9611db2d2cb37] net: ethernet: ave: Add compatible string and SoC-dependent data for NX1 SoC testing commit 9fd3d5dced976640f588e0a866b9611db2d2cb37 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9e6e2f49875def5f8702e22f4a013e50ca871d3646aaf9025af60f79e77b268a all runs: crashed: general protection fault in btf_tag_resolve # git bisect bad 9fd3d5dced976640f588e0a866b9611db2d2cb37 Bisecting: 578 revisions left to test after this (roughly 9 steps) [a96d317fb1a30b9f323548eb2ff05d4e4600ead9] ethernet: use eth_hw_addr_set() testing commit a96d317fb1a30b9f323548eb2ff05d4e4600ead9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0ea96ec300232be29e7b2f427b4a56517f56d81e606438985dcc792e616243e9 all runs: crashed: general protection fault in btf_tag_resolve # git bisect bad a96d317fb1a30b9f323548eb2ff05d4e4600ead9 Bisecting: 288 revisions left to test after this (roughly 8 steps) [6c2509d4463640c4b91d5937b5b2ff5ca07f6567] net/mlx5e: Add error flow for ethtool -X command testing commit 6c2509d4463640c4b91d5937b5b2ff5ca07f6567 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: df58b5322c7cfa954e53c53e0e579c94198d4a8ebefdc2190cea9a4b6ca042a0 all runs: crashed: general protection fault in btf_tag_resolve # git bisect bad 6c2509d4463640c4b91d5937b5b2ff5ca07f6567 Bisecting: 163 revisions left to test after this (roughly 7 steps) [f68d08c437f98ee19a14142b9de2d7afe2032d5c] net: phy: bcm7xxx: Add EPHY entry for 72165 testing commit f68d08c437f98ee19a14142b9de2d7afe2032d5c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fd10d10365f9cf1040211e7c907972efcb1370323f3cb55795cd8e13599ea84e all runs: OK # git bisect good f68d08c437f98ee19a14142b9de2d7afe2032d5c Bisecting: 81 revisions left to test after this (roughly 6 steps) [ce9979129a0ba700112151a83a6d4cf09c7a1158] selftests: mptcp: add mptcp getsockopt test cases testing commit ce9979129a0ba700112151a83a6d4cf09c7a1158 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 341082d4857d8f2bcbbcd3c5454bd26f8ec837e73634813af3db55edcfb3dc42 all runs: crashed: general protection fault in btf_tag_resolve # git bisect bad ce9979129a0ba700112151a83a6d4cf09c7a1158 Bisecting: 40 revisions left to test after this (roughly 5 steps) [5532dfd42e4846e84d346a6dfe01e477e35baa65] libbpf: Simplify BPF program auto-attach code testing commit 5532dfd42e4846e84d346a6dfe01e477e35baa65 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 256f19440ecb1326dec76dc1e97760340ffa0516c84831137d2209100c8b21a6 all runs: OK # git bisect good 5532dfd42e4846e84d346a6dfe01e477e35baa65 Bisecting: 20 revisions left to test after this (roughly 4 steps) [f11f86a3931b5d533aed1be1720fbd55bd63174d] libbpf: Use pre-setup sec_def in libbpf_find_attach_btf_id() testing commit f11f86a3931b5d533aed1be1720fbd55bd63174d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b975aa158445ceff6a9a3af93e70bcc8728de9fff295bc1f23c53caf32c4a338 all runs: crashed: general protection fault in btf_tag_resolve # git bisect bad f11f86a3931b5d533aed1be1720fbd55bd63174d Bisecting: 9 revisions left to test after this (roughly 3 steps) [71d29c2d47d112404fe23e31cf33f7cccde75a8c] selftests/bpf: Test libbpf API function btf__add_tag() testing commit 71d29c2d47d112404fe23e31cf33f7cccde75a8c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a6ab0cc9e8dbf74cf7966b646e36d376fb360f57c913347faeb4f3880c4782e0 all runs: crashed: general protection fault in btf_tag_resolve # git bisect bad 71d29c2d47d112404fe23e31cf33f7cccde75a8c Bisecting: 4 revisions left to test after this (roughly 2 steps) [41ced4cd88020c9d4b71ff7c50d020f081efa4a0] btf: Change BTF_KIND_* macros to enums testing commit 41ced4cd88020c9d4b71ff7c50d020f081efa4a0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f4fbee6b82332ea9912bd027412cf4c1baff1e4890e8be23fbf13c09471a5843 all runs: OK # git bisect good 41ced4cd88020c9d4b71ff7c50d020f081efa4a0 Bisecting: 2 revisions left to test after this (roughly 1 step) [30025e8bd80fdc5a4159ec7f9511121ea561f456] libbpf: Rename btf_{hash,equal}_int to btf_{hash,equal}_int_tag testing commit 30025e8bd80fdc5a4159ec7f9511121ea561f456 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 71551aa97f5fba747313916731f2dd4054226d681dc7097b44083dd28d0d5f90 all runs: crashed: general protection fault in btf_tag_resolve # git bisect bad 30025e8bd80fdc5a4159ec7f9511121ea561f456 Bisecting: 0 revisions left to test after this (roughly 0 steps) [b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef] bpf: Support for new btf kind BTF_KIND_TAG testing commit b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3ebc612bf8f30c630b5529093981043741afa1d663141797371905f50c32a2c0 all runs: crashed: general protection fault in btf_tag_resolve # git bisect bad b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef is the first bad commit commit b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef Author: Yonghong Song Date: Tue Sep 14 15:30:15 2021 -0700 bpf: Support for new btf kind BTF_KIND_TAG LLVM14 added support for a new C attribute ([1]) __attribute__((btf_tag("arbitrary_str"))) This attribute will be emitted to dwarf ([2]) and pahole will convert it to BTF. Or for bpf target, this attribute will be emitted to BTF directly ([3], [4]). The attribute is intended to provide additional information for - struct/union type or struct/union member - static/global variables - static/global function or function parameter. For linux kernel, the btf_tag can be applied in various places to specify user pointer, function pre- or post- condition, function allow/deny in certain context, etc. Such information will be encoded in vmlinux BTF and can be used by verifier. The btf_tag can also be applied to bpf programs to help global verifiable functions, e.g., specifying preconditions, etc. This patch added basic parsing and checking support in kernel for new BTF_KIND_TAG kind. [1] https://reviews.llvm.org/D106614 [2] https://reviews.llvm.org/D106621 [3] https://reviews.llvm.org/D106622 [4] https://reviews.llvm.org/D109560 Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210914223015.245546-1-yhs@fb.com include/uapi/linux/btf.h | 14 ++++- kernel/bpf/btf.c | 128 +++++++++++++++++++++++++++++++++++++++++ tools/include/uapi/linux/btf.h | 14 ++++- 3 files changed, 154 insertions(+), 2 deletions(-) culprit signature: 3ebc612bf8f30c630b5529093981043741afa1d663141797371905f50c32a2c0 parent signature: f4fbee6b82332ea9912bd027412cf4c1baff1e4890e8be23fbf13c09471a5843 revisions tested: 17, total time: 3h41m8.93904393s (build: 2h49m13.566209319s, test: 50m6.933883643s) first bad commit: b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef bpf: Support for new btf kind BTF_KIND_TAG recipients (to): ["andrii@kernel.org" "ast@kernel.org" "yhs@fb.com"] recipients (cc): [] crash: general protection fault in btf_tag_resolve general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 5845 Comm: syz-executor591 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:btf_type_vlen include/linux/btf.h:183 [inline] RIP: 0010:btf_tag_resolve+0x65c/0x990 kernel/bpf/btf.c:3898 Code: df 48 89 d9 48 c1 e9 03 80 3c 01 00 0f 85 35 03 00 00 48 8b 1b 48 8d 7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <0f> b6 0c 01 48 89 f8 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85 92 RSP: 0018:ffffc9000169fa48 EFLAGS: 00010247 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffff8880175210c0 RDI: 0000000000000004 RBP: ffff888016dc3c00 R08: 0000000000000000 R09: 0000000000000001 R10: fffffbfff1689388 R11: dffffc0000000000 R12: ffff88802087e000 R13: ffff88802087e010 R14: 0000000000000008 R15: 0000000000000000 FS: 0000555556a0f300(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000001c433000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: btf_resolve+0x223/0xf40 kernel/bpf/btf.c:4185 btf_check_all_types kernel/bpf/btf.c:4226 [inline] btf_parse_type_sec kernel/bpf/btf.c:4267 [inline] btf_parse kernel/bpf/btf.c:4501 [inline] btf_new_fd+0x1364/0x2040 kernel/bpf/btf.c:5982 bpf_btf_load kernel/bpf/syscall.c:3993 [inline] __sys_bpf+0x2c1/0x44a0 kernel/bpf/syscall.c:4632 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] __x64_sys_bpf+0x70/0xb0 kernel/bpf/syscall.c:4689 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f76e5cd2bc9 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc99bcd7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f76e5cd2bc9 RDX: 0000000000000020 RSI: 0000000020000000 RDI: 0000000000000012 RBP: 00007f76e5c96d70 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f76e5c96e00 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace 8e1a3c36005d1b92 ]--- RIP: 0010:btf_type_vlen include/linux/btf.h:183 [inline] RIP: 0010:btf_tag_resolve+0x65c/0x990 kernel/bpf/btf.c:3898 Code: df 48 89 d9 48 c1 e9 03 80 3c 01 00 0f 85 35 03 00 00 48 8b 1b 48 8d 7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <0f> b6 0c 01 48 89 f8 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85 92 RSP: 0018:ffffc9000169fa48 EFLAGS: 00010247 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffff8880175210c0 RDI: 0000000000000004 RBP: ffff888016dc3c00 R08: 0000000000000000 R09: 0000000000000001 R10: fffffbfff1689388 R11: dffffc0000000000 R12: ffff88802087e000 R13: ffff88802087e010 R14: 0000000000000008 R15: 0000000000000000 FS: 0000555556a0f300(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055684eb26038 CR3: 000000001c433000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: df 48 89 fisttps -0x77(%rax) 3: d9 48 c1 (bad) -0x3f(%rax) 6: e9 03 80 3c 01 jmpq 0x13c800e b: 00 0f add %cl,(%rdi) d: 85 35 03 00 00 48 test %esi,0x48000003(%rip) # 0x48000016 13: 8b 1b mov (%rbx),%ebx 15: 48 8d 7b 04 lea 0x4(%rbx),%rdi 19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 20: fc ff df 23: 48 89 f9 mov %rdi,%rcx 26: 48 c1 e9 03 shr $0x3,%rcx * 2a: 0f b6 0c 01 movzbl (%rcx,%rax,1),%ecx <-- trapping instruction 2e: 48 89 f8 mov %rdi,%rax 31: 83 e0 07 and $0x7,%eax 34: 83 c0 03 add $0x3,%eax 37: 38 c8 cmp %cl,%al 39: 7c 08 jl 0x43 3b: 84 c9 test %cl,%cl 3d: 0f .byte 0xf 3e: 85 .byte 0x85 3f: 92 xchg %eax,%edx