bisecting fixing commit since 662f11d55ffd02933e1bd275d732b97eddccf870
building syzkaller on 021b36cb024795a0e0098dd09a56214438422951
testing commit 662f11d55ffd02933e1bd275d732b97eddccf870
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4a00b13fd9aae76bb67e65d158e4ad518d6a2cf81b3af1e8a9e3b846d1dcce64
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
testing current HEAD d15c7e875d44367005370e6a82e8f3a382a04f9b
testing commit d15c7e875d44367005370e6a82e8f3a382a04f9b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 687d542a08f78607cf61d0c7d1ebdc11f0f6328833e49708135a4355cb89f694
all runs: OK
# git bisect start d15c7e875d44367005370e6a82e8f3a382a04f9b 662f11d55ffd02933e1bd275d732b97eddccf870
Bisecting: 5928 revisions left to test after this (roughly 13 steps)
[6f38be8f2ccd9babf04b9b23539108542a59fcb8] Merge tag 'docs-5.17' of git://git.lwn.net/linux
testing commit 6f38be8f2ccd9babf04b9b23539108542a59fcb8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d6d6d8446e026b76b3139aebf148808a131d4d739d44dbd3b0962ef3c9e5aece
all runs: OK
# git bisect bad 6f38be8f2ccd9babf04b9b23539108542a59fcb8
Bisecting: 3014 revisions left to test after this (roughly 12 steps)
[75b950ef6166e4ef52e43e7ec80985c5705f7e81] Revert "drm/amd/display: Fix for otg synchronization logic"
testing commit 75b950ef6166e4ef52e43e7ec80985c5705f7e81
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 846b86b0a9cccb00cc79410397f405cb624be39c0d7c9f672b99e1d059d72049
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
# git bisect good 75b950ef6166e4ef52e43e7ec80985c5705f7e81
Bisecting: 1550 revisions left to test after this (roughly 11 steps)
[d430dffbe9dd30759f3c64b65bf85b0245c8d8ab] mt76: mt7921: fix a possible race enabling/disabling runtime-pm
testing commit d430dffbe9dd30759f3c64b65bf85b0245c8d8ab
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ad4c74900599777df620357a40660c5d97336d5380bbc6469ef7c68d408b73c3
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
# git bisect good d430dffbe9dd30759f3c64b65bf85b0245c8d8ab
Bisecting: 772 revisions left to test after this (roughly 10 steps)
[8aaaf2f3af2ae212428f4db1af34214225f5cec3] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 8aaaf2f3af2ae212428f4db1af34214225f5cec3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 53e364faa060da3d6c72ff6ecd10d5054d74e1dd081d00a588265a9adb8cbce1
all runs: OK
# git bisect bad 8aaaf2f3af2ae212428f4db1af34214225f5cec3
Bisecting: 388 revisions left to test after this (roughly 9 steps)
[1aae5cc0a55c097f16ccce1493415c63d60babc9] chelsio: cxgb: Use dma_set_mask_and_coherent() and simplify code
testing commit 1aae5cc0a55c097f16ccce1493415c63d60babc9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5cc3b72646c18bfffaade115db174b1bc9c08ff8df6c55bb0501aba3cdd15687
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
# git bisect good 1aae5cc0a55c097f16ccce1493415c63d60babc9
Bisecting: 187 revisions left to test after this (roughly 8 steps)
[26abf15c49e0fbbcb6dbd70c52ecbde221f1b0fa] Merge tag 'mlx5-updates-2022-01-06' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 26abf15c49e0fbbcb6dbd70c52ecbde221f1b0fa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2fdd333126b9fa4e42759d63917e1a242d96d701d5332ed70da22e62afb291c7
all runs: OK
# git bisect bad 26abf15c49e0fbbcb6dbd70c52ecbde221f1b0fa
Bisecting: 102 revisions left to test after this (roughly 7 steps)
[4e023b44d5cec470df1366a93112293cceddc3e8] Merge branch 'net-lantiq_xrx200-improve-ethernet-performance'
testing commit 4e023b44d5cec470df1366a93112293cceddc3e8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c8910ff3f79b34fc991d5d5fd116c5c37745d4990e2dff091269420bf77f7953
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
# git bisect good 4e023b44d5cec470df1366a93112293cceddc3e8
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[eff14fcd032bc1b403c1716f6823b3c72c58096a] Merge branch 'net: bpf: handle return value of post_bind{4,6} and add selftests for it'
testing commit eff14fcd032bc1b403c1716f6823b3c72c58096a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 453eba476c09c8f40b8292dfdcf63351b1d887655a384883ac8430528e6fd432
all runs: OK
# git bisect bad eff14fcd032bc1b403c1716f6823b3c72c58096a
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[51a33c60f1c22c0d2dafad774315ba1537765442] libbpf: Support repeated legacy kprobes on same function
testing commit 51a33c60f1c22c0d2dafad774315ba1537765442
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0dc963724fe1dd910158f755f4658bd69ed952b6c717e91f17f298779ef78e31
all runs: OK
# git bisect bad 51a33c60f1c22c0d2dafad774315ba1537765442
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[62e4683849b6516c71e91f36e4fc0393a5883cfb] bpf, docs: Add a setion to explain the basic instruction encoding
testing commit 62e4683849b6516c71e91f36e4fc0393a5883cfb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e283009966de13dbc0bfcce8dd587cd6c9059f1587363cf5d8032287ac28b5d2
all runs: OK
# git bisect bad 62e4683849b6516c71e91f36e4fc0393a5883cfb
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[e4a41c2c1fa916547e63440c73a51a5eb06247af] bpf, arm64: Use emit_addr_mov_i64() for BPF_PSEUDO_FUNC
testing commit e4a41c2c1fa916547e63440c73a51a5eb06247af
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 97540665aab70019a4c0432a570129450dbd5414e9446384d1a73fcecbfee486
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
# git bisect good e4a41c2c1fa916547e63440c73a51a5eb06247af
Bisecting: 2 revisions left to test after this (roughly 1 step)
[218d747a4142f281a256687bb513a135c905867b] bpf, sockmap: Fix double bpf_prog_put on error case in map_link
testing commit 218d747a4142f281a256687bb513a135c905867b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b50b7ed1fb86da0020ca01850a8fe333dfc74e64d86cd1dd90d7f6acaccf552e
all runs: OK
# git bisect bad 218d747a4142f281a256687bb513a135c905867b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[5b2c5540b8110eea0d67a78fb0ddb9654c58daeb] bpf, sockmap: Fix return codes from tcp_bpf_recvmsg_parser()
testing commit 5b2c5540b8110eea0d67a78fb0ddb9654c58daeb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 80dec5212dc5bdfd97165e3ac4b19bbe41c685e4fc495f04cb78388c440d42f2
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put
# git bisect good 5b2c5540b8110eea0d67a78fb0ddb9654c58daeb
218d747a4142f281a256687bb513a135c905867b is the first bad commit
commit 218d747a4142f281a256687bb513a135c905867b
Author: John Fastabend
Date:   Tue Jan 4 13:46:45 2022 -0800

    bpf, sockmap: Fix double bpf_prog_put on error case in map_link

    sock_map_link() is called to update a sockmap entry with a sk. But, if the
    sock_map_init_proto() call fails then we return an error to the map_update
    op against the sockmap. In the error path though we need to cleanup psock
    and dec the refcnt on any programs associated with the map, because we
    refcnt them early in the update process to ensure they are pinned for the
    psock. (This avoids a race where user deletes programs while also updating
    the map with new socks.)

    In current code we do the prog refcnt dec explicitly by calling
    bpf_prog_put() when the program was found in the map. But, after commit
    '38207a5e81230' in this error path we've already done the prog to psock
    assignment so the programs have a reference from the psock as well. This
    then causes the psock tear down logic, invoked by sk_psock_put() in the
    error path, to similarly call bpf_prog_put on the programs there.

    To be explicit this logic does the prog->psock assignment:

      if (msg_*)
          psock_set_prog(...)

    Then the error path under the out_progs label does a similar check and
    dec with:

      if (msg_*)
          bpf_prog_put(...)

    And the teardown logic sk_psock_put() does ...

      psock_set_prog(msg_*, NULL)

    ... triggering another bpf_prog_put(...). Then KASAN gives us this splat,
    found by syzbot because we've created an imbalance between bpf_prog_inc and
    bpf_prog_put calling put twice on the program.

      BUG: KASAN: vmalloc-out-of-bounds in __bpf_prog_put kernel/bpf/syscall.c:1812 [inline]
      BUG: KASAN: vmalloc-out-of-bounds in __bpf_prog_put kernel/bpf/syscall.c:1812 [inline] kernel/bpf/syscall.c:1829
      BUG: KASAN: vmalloc-out-of-bounds in bpf_prog_put+0x8c/0x4f0 kernel/bpf/syscall.c:1829 kernel/bpf/syscall.c:1829
      Read of size 8 at addr ffffc90000e76038 by task syz-executor020/3641

    To fix clean up error path so it doesn't try to do the bpf_prog_put in the
    error path once progs are assigned then it relies on the normal psock tear
    down logic to do complete cleanup.

    For completeness we also cover the case where sk_psock_init_strp() fails,
    but this is not expected because it indicates an incorrect socket type
    and should be caught earlier.

    Fixes: 38207a5e8123 ("bpf, sockmap: Attach map progs to psock early for feature probes")
    Reported-by: syzbot+bb73e71cf4b8fd376a4f@syzkaller.appspotmail.com
    Signed-off-by: John Fastabend
    Signed-off-by: Daniel Borkmann
    Link: https://lore.kernel.org/bpf/20220104214645.290900-1-john.fastabend@gmail.com

 net/core/sock_map.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

culprit signature: b50b7ed1fb86da0020ca01850a8fe333dfc74e64d86cd1dd90d7f6acaccf552e
parent signature: 80dec5212dc5bdfd97165e3ac4b19bbe41c685e4fc495f04cb78388c440d42f2
revisions tested: 15, total time: 2h41m57.446653451s (build: 1h37m49.359986644s, test: 1h2m32.669128195s)
first good commit: 218d747a4142f281a256687bb513a135c905867b bpf, sockmap: Fix double bpf_prog_put on error case in map_link
recipients (to): ["bpf@vger.kernel.org" "daniel@iogearbox.net" "daniel@iogearbox.net" "davem@davemloft.net" "jakub@cloudflare.com" "john.fastabend@gmail.com" "john.fastabend@gmail.com" "kuba@kernel.org" "lmb@cloudflare.com" "netdev@vger.kernel.org"]
recipients (cc): ["andrii@kernel.org" "ast@kernel.org" "kafai@fb.com" "kpsingh@kernel.org" "linux-kernel@vger.kernel.org" "songliubraving@fb.com" "yhs@fb.com"]
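The refcount imbalance the commit message describes can be followed in a small user-space model. This is an added example, not kernel code and not part of the syzbot report or the fix: the helpers bpf_prog_inc(), bpf_prog_put(), psock_set_prog() and sk_psock_put() are simplified stand-ins that reproduce only the ownership rules named in the commit message (the psock owns the reference once psock_set_prog() has run, and sk_psock_put() drops it). sock_map_link_model(), run_error_path(), run_success_path() and the `buggy` / `init_proto_fails` switches are constructed for the illustration. A put on a program whose count already reached zero is what, in the real kernel, read freed memory and produced the KASAN splat; the model counts those instead of crashing.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel code: a program with a reference count. */
struct bpf_prog {
	int refcnt;    /* stands in for the program's refcount */
	int bad_puts;  /* puts issued after the count already reached zero */
};

/* The subset of psock state that matters here: the attached programs. */
struct sk_psock {
	struct bpf_prog *msg_parser;
	struct bpf_prog *stream_verdict;
};

static void bpf_prog_inc(struct bpf_prog *prog)
{
	prog->refcnt++;
}

static void bpf_prog_put(struct bpf_prog *prog)
{
	/* In the kernel a put on an already-freed program reads freed memory
	 * (the vmalloc-out-of-bounds read KASAN reported); here it is counted. */
	if (prog->refcnt <= 0) {
		prog->bad_puts++;
		return;
	}
	prog->refcnt--;
}

/* Store a program in a psock slot and release whatever was there before. */
static void psock_set_prog(struct bpf_prog **pprog, struct bpf_prog *prog)
{
	struct bpf_prog *old = *pprog;

	*pprog = prog;
	if (old)
		bpf_prog_put(old);
}

/* Teardown: the psock drops every program reference it owns. */
static void sk_psock_put(struct sk_psock *psock)
{
	psock_set_prog(&psock->msg_parser, NULL);
	psock_set_prog(&psock->stream_verdict, NULL);
}

/* Model of sock_map_link(). init_proto_fails simulates sock_map_init_proto()
 * failing; buggy reproduces the pre-fix error path, which put each program
 * explicitly even though the psock already owned those references. */
static int sock_map_link_model(struct sk_psock *psock,
			       struct bpf_prog *msg_parser,
			       struct bpf_prog *stream_verdict,
			       bool init_proto_fails, bool buggy)
{
	int ret;

	/* Pin the programs early so a concurrent detach cannot free them. */
	if (msg_parser)
		bpf_prog_inc(msg_parser);
	if (stream_verdict)
		bpf_prog_inc(stream_verdict);

	/* Hand those references to the psock; from here on it owns them. */
	if (msg_parser)
		psock_set_prog(&psock->msg_parser, msg_parser);
	if (stream_verdict)
		psock_set_prog(&psock->stream_verdict, stream_verdict);

	if (init_proto_fails) {
		ret = -EINVAL;
		goto out_drop;
	}
	return 0;

out_drop:
	if (buggy) {
		/* Pre-fix: explicit puts for references the psock already holds. */
		if (msg_parser)
			bpf_prog_put(msg_parser);
		if (stream_verdict)
			bpf_prog_put(stream_verdict);
	}
	/* Fixed behaviour: teardown alone releases the psock-held references. */
	sk_psock_put(psock);
	return ret;
}

/* Run the failing update, then let the map drop its own reference as the map
 * teardown later would; returns how many puts hit an already-freed program. */
static int run_error_path(bool buggy)
{
	struct bpf_prog msg = { .refcnt = 1 };     /* reference held by the sockmap */
	struct bpf_prog verdict = { .refcnt = 1 };
	struct sk_psock psock = { 0 };

	if (sock_map_link_model(&psock, &msg, &verdict, true, buggy) != -EINVAL)
		return -1;
	bpf_prog_put(&msg);
	bpf_prog_put(&verdict);
	return msg.bad_puts + verdict.bad_puts;
}

/* Success path: after the psock and the map both release, the count must be
 * exactly zero (no leak) with no put on a freed program. Returns the count. */
static int run_success_path(void)
{
	struct bpf_prog msg = { .refcnt = 1 };
	struct sk_psock psock = { 0 };

	if (sock_map_link_model(&psock, &msg, NULL, false, false) != 0)
		return -1;
	sk_psock_put(&psock);
	bpf_prog_put(&msg);
	return msg.bad_puts == 0 ? msg.refcnt : -1;
}

int main(void)
{
	printf("pre-fix error path: %d put(s) on a freed program\n", run_error_path(true));
	printf("fixed error path:   %d put(s) on a freed program\n", run_error_path(false));
	printf("success path leaves refcnt %d\n", run_success_path());
	return 0;
}
```

The imbalance only becomes visible when the last legitimate holder (the map) drops its reference, which is why in the model the second put shows up at map teardown rather than inside sock_map_link_model() itself; that matches the report, where the crash was in __bpf_prog_put rather than in the update call that caused the imbalance. The general check a reviewer applies to any such error path is the one the fix applies: once ownership of a reference has been transferred to an object with its own teardown, the error path must release the object, not the reference.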