bisecting cause commit starting from 2172e358cd1713c5b7c31361ac465edfe55e455c
building syzkaller on 1a3f94087169f62f9a5832828f62b4900e98b781
testing commit 2172e358cd1713c5b7c31361ac465edfe55e455c with gcc (GCC) 8.1.0
kernel signature: c504bcc534793cb5deaf09d528ac94a7a46ce3441ebb5b5d932dfcbdc370ae06
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 2469c7a64cc7900988825ae71c59310e26e22cfb98ace9abad69566b79f7ec6a
all runs: OK
# git bisect start 2172e358cd1713c5b7c31361ac465edfe55e455c bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 14415 revisions left to test after this (roughly 14 steps)
[e43327c706f28d9e66fc4242af4aefdd69e8ff24] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
testing commit e43327c706f28d9e66fc4242af4aefdd69e8ff24 with gcc (GCC) 8.1.0
kernel signature: b56efec79cda049bedf365085c9573a6d253fcdd9b78145b8291c10ef0337b01
all runs: OK
# git bisect good e43327c706f28d9e66fc4242af4aefdd69e8ff24
Bisecting: 6671 revisions left to test after this (roughly 13 steps)
[8be537d2b947115cac3fcc2f0820406a20d64eb3] Merge remote-tracking branch 'net-next/master' into master
testing commit 8be537d2b947115cac3fcc2f0820406a20d64eb3 with gcc (GCC) 8.1.0
kernel signature: a52e815655757d642c40a8c8bd0653755961312461851aa04bc285841d252a65
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad 8be537d2b947115cac3fcc2f0820406a20d64eb3
Bisecting: 3872 revisions left to test after this (roughly 12 steps)
[2664e263bae149b9117b6a9c3b3941bfec9106bb] Merge remote-tracking branch 'zonefs/for-next' into master
testing commit 2664e263bae149b9117b6a9c3b3941bfec9106bb with gcc (GCC) 8.1.0
kernel signature: 16780cd776c0e675e716d5d895b72935e6be970cced1658aba602290e1930167
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad 2664e263bae149b9117b6a9c3b3941bfec9106bb
Bisecting: 2031 revisions left to test after this (roughly 11 steps)
[86beb64c6551873df2571da140e0a6e32ae315a7] Merge remote-tracking branch 'arm64/for-next/core' into master
testing commit 86beb64c6551873df2571da140e0a6e32ae315a7 with gcc (GCC) 8.1.0
kernel signature: 80142525c5f4aa60a2f7fa7ccb98169b23cfa580b25ee53d9a91949581748d2f
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad 86beb64c6551873df2571da140e0a6e32ae315a7
Bisecting: 919 revisions left to test after this (roughly 10 steps)
[720777c5be95a9e51288c8157b561febf9052e55] BackMerge commit '98477740630f270aecf648f1d6a9dbc6027d4ff1' into drm-fixes
testing commit 720777c5be95a9e51288c8157b561febf9052e55 with gcc (GCC) 8.1.0
kernel signature: da7c33c9c408fe4b036397f108ffbd619365a36cec7fc9e71492e4a01430e36c
all runs: OK
# git bisect good 720777c5be95a9e51288c8157b561febf9052e55
Bisecting: 494 revisions left to test after this (roughly 9 steps)
[5dc4a525f6918e0c6b419c9ea539361f5c70a0f6] Merge remote-tracking branch 'sparc/master' into master
testing commit 5dc4a525f6918e0c6b419c9ea539361f5c70a0f6 with gcc (GCC) 8.1.0
kernel signature: 4f8edf627ffb71e19bb37db2ee2bef5c7d818c6882d1935d8ab5e70b043cfcdb
all runs: OK
# git bisect good 5dc4a525f6918e0c6b419c9ea539361f5c70a0f6
Bisecting: 242 revisions left to test after this (roughly 8 steps)
[226291040a0967e86371798ce288148e4ffeedc0] Merge remote-tracking branch 'kspp-gustavo/for-next/kspp' into master
testing commit 226291040a0967e86371798ce288148e4ffeedc0 with gcc (GCC) 8.1.0
kernel signature: 3c06b2edad54ab6596f6e2d41c2fde4a469089268ec154ac989898dfa69ebdac
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad 226291040a0967e86371798ce288148e4ffeedc0
Bisecting: 125 revisions left to test after this (roughly 7 steps)
[2ce0fd11ce013212d5002fdf1f82f8fd5daf448f] Merge remote-tracking branch 'sound-asoc-fixes/for-linus' into master
testing commit 2ce0fd11ce013212d5002fdf1f82f8fd5daf448f with gcc (GCC) 8.1.0
kernel signature: a9b7ce5a6ab8ec787a40522e1987de52321537ddc7270e56e9ab5d2aa6198473
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad 2ce0fd11ce013212d5002fdf1f82f8fd5daf448f
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[eaa0355c668d2793e6ced32926fa22d518752845] net: dsa: seville: fix VCAP IS2 action width
testing commit eaa0355c668d2793e6ced32926fa22d518752845 with gcc (GCC) 8.1.0
kernel signature: 464afcea6b994a617db83c8b92e0769baf6f0dac9df952a46b1e1f7cfbe7e860
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad eaa0355c668d2793e6ced32926fa22d518752845
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[dc171dcf8a93db642bcbf246a7bddd6d4e0ff84a] Merge branch 'bonding-team-basic-dev-needed_headroom-support'
testing commit dc171dcf8a93db642bcbf246a7bddd6d4e0ff84a with gcc (GCC) 8.1.0
kernel signature: 4789604a842f9e063e97f951a5d1fdf50dd8c25c0b6077d5bfe35dd6cab27067
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad dc171dcf8a93db642bcbf246a7bddd6d4e0ff84a
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[38f7e1c0c43dd25b06513137bb6fd35476f9ec6d] net/tls: race causes kernel panic
testing commit 38f7e1c0c43dd25b06513137bb6fd35476f9ec6d with gcc (GCC) 8.1.0
kernel signature: 052942c5b3ed1a052213e2f9e42e47a658649379199303be5f88b79f994355b2
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad 38f7e1c0c43dd25b06513137bb6fd35476f9ec6d
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[6d8899962afdf789f6ec8407ffdf3130724a7005] Merge branch 'net_sched-fix-a-UAF-in-tcf_action_init'
testing commit 6d8899962afdf789f6ec8407ffdf3130724a7005 with gcc (GCC) 8.1.0
kernel signature: 291c9b2bb66ad7b27b37229d77608cec82bbb0768f1e7de4ea1fa9f49e8af7e5
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad 6d8899962afdf789f6ec8407ffdf3130724a7005
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f9317ae5523f99999fb54c513ebabbb2bc887ddf] net: lantiq: Add locking for TX DMA channel
testing commit f9317ae5523f99999fb54c513ebabbb2bc887ddf with gcc (GCC) 8.1.0
kernel signature: 33cbdc501e7bf99065b977d6d28174b7536ecd4ddda6d4f27016f0aa99f0147d
all runs: OK
# git bisect good f9317ae5523f99999fb54c513ebabbb2bc887ddf
Bisecting: 1 revision left to test after this (roughly 1 step)
[e49d8c22f1261c43a986a7fdbf677ac309682a07] net_sched: defer tcf_idr_insert() in tcf_action_init_1()
testing commit e49d8c22f1261c43a986a7fdbf677ac309682a07 with gcc (GCC) 8.1.0
kernel signature: 0794ea6cc09bce306c12a2334c1d2205821acb1a29dd806bedc73c09ca3c8ce5
all runs: OK
# git bisect good e49d8c22f1261c43a986a7fdbf677ac309682a07
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0fedc63fadf0404a729e73a35349481c8009c02f] net_sched: commit action insertions together
testing commit 0fedc63fadf0404a729e73a35349481c8009c02f with gcc (GCC) 8.1.0
kernel signature: 77347690709beeaeed13b6f8d623a5d4d9b673dc423504101d113d0e5a77de30
all runs: crashed: BUG: unable to handle kernel paging request in tcf_action_dump_terse
# git bisect bad 0fedc63fadf0404a729e73a35349481c8009c02f
0fedc63fadf0404a729e73a35349481c8009c02f is the first bad commit
commit 0fedc63fadf0404a729e73a35349481c8009c02f
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Tue Sep 22 20:56:24 2020 -0700

    net_sched: commit action insertions together
    
    syzbot is able to trigger a failure case inside the loop in
    tcf_action_init(), and when this happens we clean up with
    tcf_action_destroy(). But, as these actions are already inserted
    into the global IDR, other parallel process could free them
    before tcf_action_destroy(), then we will trigger a use-after-free.
    
    Fix this by deferring the insertions even later, after the loop,
    and committing all the insertions in a separate loop, so we will
    never fail in the middle of the insertions any more.
    
    One side effect is that the window between alloction and final
    insertion becomes larger, now it is more likely that the loop in
    tcf_del_walker() sees the placeholder -EBUSY pointer. So we have
    to check for error pointer in tcf_del_walker().
    
    Reported-and-tested-by: syzbot+2287853d392e4b42374a@syzkaller.appspotmail.com
    Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action")
    Cc: Vlad Buslov <vladbu@mellanox.com>
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Cc: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/act_api.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)
culprit signature: 77347690709beeaeed13b6f8d623a5d4d9b673dc423504101d113d0e5a77de30
parent  signature: 0794ea6cc09bce306c12a2334c1d2205821acb1a29dd806bedc73c09ca3c8ce5
revisions tested: 17, total time: 3h9m14.766409202s (build: 1h29m11.701817584s, test: 1h38m4.749297204s)
first bad commit: 0fedc63fadf0404a729e73a35349481c8009c02f net_sched: commit action insertions together
recipients (to): ["davem@davemloft.net" "syzbot+2287853d392e4b42374a@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]
recipients (cc): []
crash: BUG: unable to handle kernel paging request in tcf_action_dump_terse
BUG: unable to handle page fault for address: fffffffffffffff0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 448c067 P4D 448c067 PUD 448e067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 8376 Comm: syz-executor.5 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcf_action_dump_terse+0x10/0x240 net/sched/act_api.c:766
Code: ff b8 ff ff ff ff e9 21 ff ff ff e8 ca e3 77 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 f4 53 <48> 8b 06 48 89 fb 44 8b b7 b8 00 00 00 4c 8b af c0 00 00 00 4c 8d
RSP: 0018:ffffc9000318f858 EFLAGS: 00010246
RAX: ffff88812387e000 RBX: ffff88811fda4200 RCX: 0000000000000000
RDX: 0000000000000000 RSI: fffffffffffffff0 RDI: ffff88811fda4200
RBP: ffffc9000318f880 R08: 0000000000000004 R09: ffff88812387e024
R10: ffffc9000318f898 R11: 0000000000000000 R12: fffffffffffffff0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000024
FS:  00007f38d9978700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff0 CR3: 000000010deb6000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tcf_action_dump_1+0x41/0x1b0 net/sched/act_api.c:795
 tcf_dump_walker net/sched/act_api.c:249 [inline]
 tcf_generic_walker+0xba/0x410 net/sched/act_api.c:343
 tc_dump_action+0x1b7/0x300 net/sched/act_api.c:1623
 netlink_dump+0x11a/0x370 net/netlink/af_netlink.c:2246
 __netlink_dump_start+0x17b/0x230 net/netlink/af_netlink.c:2354
 netlink_dump_start include/linux/netlink.h:246 [inline]
 rtnetlink_rcv_msg+0x2ba/0x480 net/core/rtnetlink.c:5526
 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0x2b/0x40 net/socket.c:671
 ____sys_sendmsg+0x124/0x230 net/socket.c:2353
 ___sys_sendmsg+0x77/0xb0 net/socket.c:2407
 __sys_sendmmsg+0xab/0x1e0 net/socket.c:2497
 __do_sys_sendmmsg net/socket.c:2526 [inline]
 __se_sys_sendmmsg net/socket.c:2523 [inline]
 __x64_sys_sendmmsg+0x1b/0x20 net/socket.c:2523
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de89
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f38d9977c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000027f40 RCX: 000000000045de89
RDX: 010efe10675dec16 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 000000000118c010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bfd4
R13: 00007ffe6461995f R14: 00007f38d99789c0 R15: 000000000118bfd4
Modules linked in:
CR2: fffffffffffffff0
---[ end trace 6faeb99d1e430e04 ]---
RIP: 0010:tcf_action_dump_terse+0x10/0x240 net/sched/act_api.c:766
Code: ff b8 ff ff ff ff e9 21 ff ff ff e8 ca e3 77 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 f4 53 <48> 8b 06 48 89 fb 44 8b b7 b8 00 00 00 4c 8b af c0 00 00 00 4c 8d
RSP: 0018:ffffc9000318f858 EFLAGS: 00010246
RAX: ffff88812387e000 RBX: ffff88811fda4200 RCX: 0000000000000000
RDX: 0000000000000000 RSI: fffffffffffffff0 RDI: ffff88811fda4200
RBP: ffffc9000318f880 R08: 0000000000000004 R09: ffff88812387e024
R10: ffffc9000318f898 R11: 0000000000000000 R12: fffffffffffffff0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000024
FS:  00007f38d9978700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff0 CR3: 000000010deb6000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400