bisecting fixing commit since 38e406f600a2b6dca9c262603f6e2a31cfb792b8
building syzkaller on 0159583c3bcfe4ece6b839712327cd955aabee66
testing commit 38e406f600a2b6dca9c262603f6e2a31cfb792b8 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: use-after-free Read in class_equal
run #2: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #3: crashed: WARNING in corrupted
run #4: crashed: KASAN: use-after-free Read in class_equal
run #5: crashed: KASAN: use-after-free Read in class_equal
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #9: crashed: BUG: unable to handle kernel paging request in tls_prots
testing current HEAD cfef46d692efd852a0da6803f920cc756eea2855
testing commit cfef46d692efd852a0da6803f920cc756eea2855 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start cfef46d692efd852a0da6803f920cc756eea2855 38e406f600a2b6dca9c262603f6e2a31cfb792b8
Bisecting: 7805 revisions left to test after this (roughly 13 steps)
[e786741ff1b52769b044b7f4407f39cd13ee5d2d] Merge tag 'staging-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit e786741ff1b52769b044b7f4407f39cd13ee5d2d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: stack-out-of-bounds Write in __unwind_start
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: kernel panic: corrupted stack end in corrupted
run #4: crashed: KASAN: use-after-free Read in class_equal
run #5: crashed: general protection fault in rb_next
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: kernel panic: corrupted stack end in corrupted
# git bisect good e786741ff1b52769b044b7f4407f39cd13ee5d2d
Bisecting: 3851 revisions left to test after this (roughly 12 steps)
[fb4da215ed92f564f7ca090bb81a199b0d6cab8a] Merge tag 'pci-v5.3-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit fb4da215ed92f564f7ca090bb81a199b0d6cab8a with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: KASAN: use-after-free Read in class_equal
run #5: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #8: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #9: crashed: no output from test machine
# git bisect good fb4da215ed92f564f7ca090bb81a199b0d6cab8a
Bisecting: 2058 revisions left to test after this (roughly 11 steps)
[8362fd64f07eaef7155c94fca8dee91c4f99a666] Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 8362fd64f07eaef7155c94fca8dee91c4f99a666 with gcc (GCC) 8.1.0
run #0: crashed: kernel panic: stack is corrupted in printk_safe_log_store
run #1: crashed: KASAN: use-after-free Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: use-after-free Read in class_equal
run #4: crashed: KASAN: use-after-free Read in class_equal
run #5: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #6: crashed: KASAN: global-out-of-bounds Read in wait_consider_task
run #7: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: no output from test machine
# git bisect good 8362fd64f07eaef7155c94fca8dee91c4f99a666
Bisecting: 1029 revisions left to test after this (roughly 10 steps)
[e6f4051123fd33901e9655a675b22aefcdc5d277] {nl,mac}80211: fix interface combinations on crypto controlled devices
testing commit e6f4051123fd33901e9655a675b22aefcdc5d277 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip e6f4051123fd33901e9655a675b22aefcdc5d277
Bisecting: 1028 revisions left to test after this (roughly 10 steps)
[05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced] mac80211: don't WARN on short WMM parameters from AP
testing commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced
Bisecting: 1028 revisions left to test after this (roughly 10 steps)
[eef347f846ee8f7296a6f84e3866c057ca6bcce0] Revert "mac80211: set NETIF_F_LLTX when using intermediate tx queues"
testing commit eef347f846ee8f7296a6f84e3866c057ca6bcce0 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip eef347f846ee8f7296a6f84e3866c057ca6bcce0
Bisecting: 1028 revisions left to test after this (roughly 10 steps)
[315c69261dd3fa12dbc830d4fa00d1fad98d3b03] coredump: split pipe command whitespace before expanding template
testing commit 315c69261dd3fa12dbc830d4fa00d1fad98d3b03 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: KASAN: use-after-free Read in class_equal
run #5: crashed: kernel panic: corrupted stack end in corrupted
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #9: crashed: KASAN: slab-out-of-bounds Read in class_equal
# git bisect good 315c69261dd3fa12dbc830d4fa00d1fad98d3b03
Bisecting: 351 revisions left to test after this (roughly 8 steps)
[76d7961ff4ee02cc70365600a52fb59ca544dc7c] Merge tag 'mips_fixes_5.3_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit 76d7961ff4ee02cc70365600a52fb59ca544dc7c with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: KASAN: use-after-free Read in sk_psock_unlink
run #3: crashed: KASAN: slab-out-of-bounds Read in corrupted
run #4: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #5: crashed: KASAN: use-after-free Read in class_equal
run #6: crashed: kernel panic: corrupted stack end in corrupted
run #7: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: KASAN: use-after-free Read in class_equal
# git bisect good 76d7961ff4ee02cc70365600a52fb59ca544dc7c
Bisecting: 175 revisions left to test after this (roughly 8 steps)
[5d92e631b8be8965a90c144320f06e096081a551] net/tls: partially revert fix transition through disconnect with close
testing commit 5d92e631b8be8965a90c144320f06e096081a551 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 5d92e631b8be8965a90c144320f06e096081a551
Bisecting: 175 revisions left to test after this (roughly 8 steps)
[d4b890aec4bea7334ca2ca56fd3b12fb48a00cd1] can: rcar_canfd: fix possible IRQ storm on high load
testing commit d4b890aec4bea7334ca2ca56fd3b12fb48a00cd1 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip d4b890aec4bea7334ca2ca56fd3b12fb48a00cd1
Bisecting: 175 revisions left to test after this (roughly 8 steps)
[0efedbf11f07adee555e0c4ba9c6eb58760aa94f] net: stmmac: xgmac: Fix XGMAC selftests
testing commit 0efedbf11f07adee555e0c4ba9c6eb58760aa94f with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 0efedbf11f07adee555e0c4ba9c6eb58760aa94f
Bisecting: 175 revisions left to test after this (roughly 8 steps)
[d9b8aadaffa65809d146cf0f8632a22a946367d7] bpf: fix narrower loads on s390
testing commit d9b8aadaffa65809d146cf0f8632a22a946367d7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad d9b8aadaffa65809d146cf0f8632a22a946367d7
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[0e858739c2d2eedeeac1d35bfa0ec3cc2a7190d8] bpf: sockmap, only create entry if ulp is not already enabled
testing commit 0e858739c2d2eedeeac1d35bfa0ec3cc2a7190d8 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 0e858739c2d2eedeeac1d35bfa0ec3cc2a7190d8
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[8051bb7f2cbf68ec1289753616703791dd004b5c] selftests/tls: close the socket with open record
testing commit 8051bb7f2cbf68ec1289753616703791dd004b5c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 8051bb7f2cbf68ec1289753616703791dd004b5c
Bisecting: 1 revision left to test after this (roughly 1 step)
[78b5dc3d68dcb1d18d805e8f4e565f19ed6d976a] selftests/tls: test error codes around TLS ULP installation
testing commit 78b5dc3d68dcb1d18d805e8f4e565f19ed6d976a with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 78b5dc3d68dcb1d18d805e8f4e565f19ed6d976a
Bisecting: 1 revision left to test after this (roughly 1 step)
[95fa145479fbc0a0c1fd3274ceb42ec03c042a4a] bpf: sockmap/tls, close can race with map free
testing commit 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a
95fa145479fbc0a0c1fd3274ceb42ec03c042a4a is the first bad commit
commit 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a
Author: John Fastabend
Date:   Fri Jul 19 10:29:22 2019 -0700

    bpf: sockmap/tls, close can race with map free

    When a map free is called and in parallel a socket is closed we
    have two paths that can potentially reset the socket prot ops, the
    bpf close() path and the map free path. This creates a problem
    with which prot ops should be used from the socket closed side.

    If the map_free side completes first then we want to call the
    original lowest level ops. However, if the tls path runs first
    we want to call the sockmap ops. Additionally there was no locking
    around prot updates in TLS code paths so the prot ops could
    be changed multiple times once from TLS path and again from sockmap
    side potentially leaving ops pointed at either TLS or sockmap
    when psock and/or tls context have already been destroyed.

    To fix this race first only update ops inside callback lock
    so that TLS, sockmap and lowest level all agree on prot state.
    Second add a ULP callback update() so that lower layers can
    inform the upper layer when they are being removed allowing the
    upper layer to reset prot ops.

    This gets us close to allowing sockmap and tls to be stacked
    in arbitrary order but will save that patch for *next trees.

    v4:
     - make sure we don't free things for device;
     - remove the checks which swap the callbacks back
       only if TLS is at the top.

    Reported-by: syzbot+06537213db7ba2745c4a@syzkaller.appspotmail.com
    Fixes: 02c558b2d5d6 ("bpf: sockmap, support for msg_peek in sk_msg with redirect ingress")
    Signed-off-by: John Fastabend
    Signed-off-by: Jakub Kicinski
    Reviewed-by: Dirk van der Merwe
    Signed-off-by: Daniel Borkmann

:040000 040000 f4f84ff0a870164b457e3d8b7fa3ceea97dde7f0 93a2b278e313b1703542290335add7c22eaaac73 M	include
:040000 040000 3e73c6d30c0cab2b91a975295ec008a2869b9997 7985956f4eba51176377d85f9a17d04276648223 M	net
revisions tested: 18, total time: 4h42m35.406294362s (build: 1h49m15.976076533s, test: 2h47m11.581346505s)
first good commit: 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a bpf: sockmap/tls, close can race with map free
cc: ["daniel@iogearbox.net" "dirk.vandermerwe@netronome.com" "jakub.kicinski@netronome.com" "john.fastabend@gmail.com"]