bisecting fixing commit since 1245008122d7311683d70c05b2eea167a314fb5f
building syzkaller on 3e8f6c27551f163a2fd2661e4b3cac126a5e7ef2
testing commit 1245008122d7311683d70c05b2eea167a314fb5f with gcc (GCC) 8.4.1 20210217
kernel signature: 61bdfc4b0bd552e263eb7ad5670ad6aa252f263efe58e217c41171381d213ad1
run #0: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #1: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #2: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #3: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #4: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #5: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #6: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #7: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #8: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #9: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #10: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #11: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #12: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #13: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #14: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #15: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #16: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #17: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #18: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
run #19: crashed: BUG: unable to handle kernel paging request in __bpf_trace_sys_enter
testing current HEAD 861de02e5f3f2a104eecc5af1d248cb7bf8c5f75
testing commit 861de02e5f3f2a104eecc5af1d248cb7bf8c5f75 with gcc (GCC) 10.2.1 20210217
kernel signature: 9180c86138c62c7907cf02f81e28f9543190c4f37d952b475100af2c4ce6139a
all runs: OK
# git bisect start 861de02e5f3f2a104eecc5af1d248cb7bf8c5f75 1245008122d7311683d70c05b2eea167a314fb5f
Bisecting: 23159 revisions left to test after this (roughly 15 steps)
[d635a69dd4981cc51f90293f5f64268620ed1565] Merge tag 'net-next-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit d635a69dd4981cc51f90293f5f64268620ed1565 with gcc (GCC) 10.2.1 20210217
kernel signature: 4e63f16dd395eff380c36b24baca0754423252e179bbeb7628b77d4f32def60b
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #7: crashed: BUG: unable to handle kernel paging request in corrupted
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
# git bisect good d635a69dd4981cc51f90293f5f64268620ed1565
Bisecting: 11579 revisions left to test after this (roughly 14 steps)
[a94306cea56fe49d74cd36950858c2bcbb5de6c8] net: mscc: ocelot: better error handling in ocelot_xtr_irq_handler
testing commit a94306cea56fe49d74cd36950858c2bcbb5de6c8 with gcc (GCC) 10.2.1 20210217
kernel signature: 38d5fbddd91697308c5a47d2447dd57b45642355b7b7eb69e5f530786037a82d
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: BUG: unable to handle kernel paging request in corrupted
run #8: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good a94306cea56fe49d74cd36950858c2bcbb5de6c8
Bisecting: 5796 revisions left to test after this (roughly 13 steps)
[e210761fb3ba172ecb44b717711af1d1b5d27cbf] Merge tag 'tomoyo-pr-20210215' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1
testing commit e210761fb3ba172ecb44b717711af1d1b5d27cbf with gcc (GCC) 10.2.1 20210217
kernel signature: 9a233a9cf2129bd4b0657be36fb25e7637232d0f9ef3d2444964807bddd08931
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #7: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
# git bisect good e210761fb3ba172ecb44b717711af1d1b5d27cbf
Bisecting: 2898 revisions left to test after this (roughly 12 steps)
[802f1d522d5fdaefc2b935141bc8fe03d43a99ab] mm: page_counter: re-layout structure to reduce false sharing
testing commit 802f1d522d5fdaefc2b935141bc8fe03d43a99ab with gcc (GCC) 10.2.1 20210217
kernel signature: 0d35772738626dfe5e629c72fa4da32a63a254be6957c3afd875b58f20c04f12
all runs: OK
# git bisect bad 802f1d522d5fdaefc2b935141bc8fe03d43a99ab
Bisecting: 1470 revisions left to test after this (roughly 11 steps)
[bdb39c9509e6d31943cb29dbb6ccd1b64013fb98] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit bdb39c9509e6d31943cb29dbb6ccd1b64013fb98 with gcc (GCC) 10.2.1 20210217
kernel signature: 0fb0233f7f7bf122e305e2cab5c352fcdccd32242c27737f0bbe06670656e329
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #1: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #2: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good bdb39c9509e6d31943cb29dbb6ccd1b64013fb98
Bisecting: 773 revisions left to test after this (roughly 10 steps)
[6ff6f86bc4d02949b5688d69de1c89c310d62c44] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm
testing commit 6ff6f86bc4d02949b5688d69de1c89c310d62c44 with gcc (GCC) 10.2.1 20210217
kernel signature: b2a8af6be0766987f307d72de7a00c459f16ebfe8fb73123d03dec4705c14260
all runs: OK
# git bisect bad 6ff6f86bc4d02949b5688d69de1c89c310d62c44
Bisecting: 384 revisions left to test after this (roughly 9 steps)
[ae42c3173ba5cbe12fab0dad330e997c4ff9f68a] Merge tag 'for-5.12/block-ipi-2021-02-21' of git://git.kernel.dk/linux-block
testing commit ae42c3173ba5cbe12fab0dad330e997c4ff9f68a with gcc (GCC) 10.2.1 20210217
kernel signature: e6dce36f4681757173c9d41bb9047226f741c8f49ed3d912ab3667c09de81419
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #4: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #5: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
# git bisect good ae42c3173ba5cbe12fab0dad330e997c4ff9f68a
Bisecting: 215 revisions left to test after this (roughly 8 steps)
[7c70f3a7488d2fa62d32849d138bf2b8420fe788] Merge tag 'nfsd-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
testing commit 7c70f3a7488d2fa62d32849d138bf2b8420fe788 with gcc (GCC) 10.2.1 20210217
kernel signature: 632e55ebfbe8ecb2a81e839fdee8f1ad006ceb89a4dee6f8b1e6e3399bf4da3f
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #4: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
# git bisect good 7c70f3a7488d2fa62d32849d138bf2b8420fe788
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[a89dbc9b988f3ba8700df3c58614744de0c5043f] perf arm-spe: Set sample's data source field
testing commit a89dbc9b988f3ba8700df3c58614744de0c5043f with gcc (GCC) 10.2.1 20210217
kernel signature: 468e5cb90900f1631efeac617c1a66aa2d4d7e40165ee8603141bce28645b469
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #7: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #8: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #9: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
# git bisect good a89dbc9b988f3ba8700df3c58614744de0c5043f
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[3a36281a17199737b468befb826d4a23eb774445] Merge tag 'perf-tools-for-v5.12-2020-02-19' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
testing commit 3a36281a17199737b468befb826d4a23eb774445 with gcc (GCC) 10.2.1 20210217
kernel signature: 632e55ebfbe8ecb2a81e839fdee8f1ad006ceb89a4dee6f8b1e6e3399bf4da3f
run #0: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
# git bisect good 3a36281a17199737b468befb826d4a23eb774445
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[99e22ce73c59ac2d6d08893af376483ca7d62850] tracing: Make hash-ptr option default
testing commit 99e22ce73c59ac2d6d08893af376483ca7d62850 with gcc (GCC) 10.2.1 20210217
kernel signature: 31e13de15e5bac195690decd549a50e234cb2dfac2ed19cc9982b52ec9655e57
all runs: OK
# git bisect bad 99e22ce73c59ac2d6d08893af376483ca7d62850
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[4b9091e1c1948dea3b0b097496f308ede897d665] kernel: trace: preemptirq_delay_test: add cpu affinity
testing commit 4b9091e1c1948dea3b0b097496f308ede897d665 with gcc (GCC) 10.2.1 20210217
kernel signature: f4eb26fc15e23ed7f753c75998d6c437fb415958134a978b38c1ef655eeb6f8c
run #0: boot failed: KASAN: global-out-of-bounds Write in record_print_text
run #1: boot failed: KASAN: global-out-of-bounds Write in record_print_text
run #2: boot failed: KASAN: global-out-of-bounds Write in record_print_text
run #3: boot failed: KASAN: global-out-of-bounds Write in record_print_text
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 4b9091e1c1948dea3b0b097496f308ede897d665
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[0c02006e6f5b0a3e73499bbf5943d9174c5ed640] tracing: Inline tracing_gen_ctx_flags()
testing commit 0c02006e6f5b0a3e73499bbf5943d9174c5ed640 with gcc (GCC) 10.2.1 20210217
kernel signature: eeec231bcc64fde597aa3b3f4a7391f840704311329da68b3bce2d2a80ff1ba5
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
# git bisect good 0c02006e6f5b0a3e73499bbf5943d9174c5ed640
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[39bcdd6a964b2d80fcec2f70f11896b1db6fb572] tracing: Fix spelling of controlling in uprobes
testing commit 39bcdd6a964b2d80fcec2f70f11896b1db6fb572 with gcc (GCC) 10.2.1 20210217
kernel signature: 37d8f106130fdf1781c29b3ab3f14ce20b1468dcf724cfcafb1b65236b0060c7
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #7: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #8: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good 39bcdd6a964b2d80fcec2f70f11896b1db6fb572
Bisecting: 1 revision left to test after this (roughly 1 step)
[f2a99ddfd0aaff5f5c53ea1f652b5160ba5ee9b7] tracing: Remove definition of DEBUG in trace_mmiotrace.c
testing commit f2a99ddfd0aaff5f5c53ea1f652b5160ba5ee9b7 with gcc (GCC) 10.2.1 20210217
kernel signature: f22e0bd17c2cc28a7e1f8ee47149c46d2ea23514dba4437fe5ed98479f2654cc
run #0: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in bpf_trace_run2
run #7: crashed: BUG: unable to handle kernel paging request in corrupted
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run2
# git bisect good f2a99ddfd0aaff5f5c53ea1f652b5160ba5ee9b7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[befe6d946551d65cddbd32b9cb0170b0249fd5ed] tracepoint: Do not fail unregistering a probe due to memory failure
testing commit befe6d946551d65cddbd32b9cb0170b0249fd5ed with gcc (GCC) 10.2.1 20210217
kernel signature: f4eb26fc15e23ed7f753c75998d6c437fb415958134a978b38c1ef655eeb6f8c
all runs: OK
# git bisect bad befe6d946551d65cddbd32b9cb0170b0249fd5ed
befe6d946551d65cddbd32b9cb0170b0249fd5ed is the first bad commit
commit befe6d946551d65cddbd32b9cb0170b0249fd5ed
Author: Steven Rostedt (VMware)
Date: Wed Nov 18 09:34:05 2020 -0500

    tracepoint: Do not fail unregistering a probe due to memory failure

    The list of tracepoint callbacks is managed by an array that is protected by RCU.
    To update this array, a new array is allocated, the updates are copied over to the new array, and then the list of functions for the tracepoint is switched over to the new array. After a completion of an RCU grace period, the old array is freed.

    This process happens for both adding a callback as well as removing one. But on removing a callback, if the new array fails to be allocated, the callback is not removed, and may be used after it is freed by the clients of the tracepoint.

    There's really no reason to fail if the allocation for a new array fails when removing a function. Instead, the function can simply be replaced by a stub function that could be cleaned up on the next modification of the array. That is, instead of calling the function registered to the tracepoint, it would call a stub function in its place.

    Link: https://lore.kernel.org/r/20201115055256.65625-1-mmullins@mmlx.us
    Link: https://lore.kernel.org/r/20201116175107.02db396d@gandalf.local.home
    Link: https://lore.kernel.org/r/20201117211836.54acaef2@oasis.local.home
    Link: https://lkml.kernel.org/r/20201118093405.7a6d2290@gandalf.local.home

    [ Note, this version does use undefined compiler behavior (assuming that a stub function with no parameters or return, can be called by a location that thinks it has parameters but still no return value. Static calls do the same thing, so this trick is not without precedent. There's another solution that uses RCU tricks and is more complex, but can be an alternative if this solution becomes an issue.
    Link: https://lore.kernel.org/lkml/20210127170721.58bce7cc@gandalf.local.home/ ]

    Cc: Peter Zijlstra
    Cc: Josh Poimboeuf
    Cc: Mathieu Desnoyers
    Cc: Ingo Molnar
    Cc: Alexei Starovoitov
    Cc: Daniel Borkmann
    Cc: Dmitry Vyukov
    Cc: Martin KaFai Lau
    Cc: Song Liu
    Cc: Yonghong Song
    Cc: Andrii Nakryiko
    Cc: John Fastabend
    Cc: KP Singh
    Cc: netdev
    Cc: bpf
    Cc: Kees Cook
    Cc: Florian Weimer
    Fixes: 97e1c18e8d17b ("tracing: Kernel Tracepoints")
    Reported-by: syzbot+83aa762ef23b6f0d1991@syzkaller.appspotmail.com
    Reported-by: syzbot+d29e58bb557324e55e5e@syzkaller.appspotmail.com
    Reported-by: Matt Mullins
    Signed-off-by: Steven Rostedt (VMware)
    Tested-by: Matt Mullins

 kernel/tracepoint.c | 80 ++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 64 insertions(+), 16 deletions(-)
culprit signature: f4eb26fc15e23ed7f753c75998d6c437fb415958134a978b38c1ef655eeb6f8c
parent signature: f22e0bd17c2cc28a7e1f8ee47149c46d2ea23514dba4437fe5ed98479f2654cc
revisions tested: 18, total time: 4h16m37.379208796s (build: 2h4m50.896388159s, test: 2h8m59.557713335s)
first good commit: befe6d946551d65cddbd32b9cb0170b0249fd5ed tracepoint: Do not fail unregistering a probe due to memory failure
recipients (to): ["linux-kernel@vger.kernel.org" "mmullins@mmlx.us" "rostedt@goodmis.org"]
recipients (cc): ["andrii@kernel.org" "ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "john.fastabend@gmail.com" "kafai@fb.com" "kpsingh@kernel.org" "mathieu.desnoyers@efficios.com" "mingo@kernel.org" "netdev@vger.kernel.org" "peterz@infradead.org" "rostedt@goodmis.org" "songliubraving@fb.com" "yhs@fb.com"]