bisecting cause commit starting from 3fc826f121d89c5aa4afd7b3408b07e0ff59466b
building syzkaller on 54289b0835634ca07a8117613c48b73e9e647d13
testing commit 3fc826f121d89c5aa4afd7b3408b07e0ff59466b with gcc (GCC) 8.1.0
kernel signature: 548163e89b403ee7ea350396aee96de97cf1482537261c1c0c65c37c3f0260b8
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_unbind_dev
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: b24efe7ef2ff44c179882097bd3ded71e742ba2b3c5313f8388c85991ffc09a4
all runs: OK
# git bisect start 3fc826f121d89c5aa4afd7b3408b07e0ff59466b bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 8539 revisions left to test after this (roughly 13 steps)
[921d2597abfc05e303f08baa6ead8f9ab8a723e1] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 921d2597abfc05e303f08baa6ead8f9ab8a723e1 with gcc (GCC) 8.1.0
kernel signature: ddcb72cfb5a70710d07571bd80ab41b899cd3fbe3d9d65c72490deaf5c1e5245
all runs: OK
# git bisect good 921d2597abfc05e303f08baa6ead8f9ab8a723e1
Bisecting: 4236 revisions left to test after this (roughly 12 steps)
[ea6ec774372740b024a6c27caac0d0af8960ea15] Merge tag 'drm-next-2020-08-12' of git://anongit.freedesktop.org/drm/drm
testing commit ea6ec774372740b024a6c27caac0d0af8960ea15 with gcc (GCC) 8.1.0
kernel signature: 32a482aa87940abbcee1a60b9eaa6bf13de55b6a1c7d83450edccd3b8b5f2d28
all runs: boot failed: WARNING in mem_cgroup_css_alloc
# git bisect skip ea6ec774372740b024a6c27caac0d0af8960ea15
Bisecting: 4236 revisions left to test after this (roughly 12 steps)
[a16f58bf154cdf589cf72cb1596b6217da5872a1] watchdog: dw_wdt: Support devices with asynch clocks
testing commit a16f58bf154cdf589cf72cb1596b6217da5872a1 with gcc (GCC) 8.1.0
kernel signature: 1e561b3eb80c4a9a039393ddff2e12a4f51db8b530358ec2f937307f237d82a7
all runs: OK
# git bisect good a16f58bf154cdf589cf72cb1596b6217da5872a1
Bisecting: 4299 revisions left to test after this (roughly 12 steps)
[9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c] Merge branch 'akpm' (patches from Andrew)
testing commit 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c with gcc (GCC) 8.1.0
kernel signature: 8d104af01150dcd2e4d7c56d55c845d20eac34158d7d86df4df5bf2acc499094
all runs: boot failed: WARNING in mem_cgroup_css_alloc
# git bisect skip 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c
Bisecting: 4299 revisions left to test after this (roughly 12 steps)
[fc26f5bbf19459930b7290c87b65a9ae6a274650] riscv: Add SiFive drivers to rv32_defconfig
testing commit fc26f5bbf19459930b7290c87b65a9ae6a274650 with gcc (GCC) 8.1.0
kernel signature: 2772fdb2c1b1b6b36ee292f2b01725b83c8f0a57141e361bfebf951950ec1df0
all runs: OK
# git bisect good fc26f5bbf19459930b7290c87b65a9ae6a274650
Bisecting: 1700 revisions left to test after this (roughly 11 steps)
[219d9aef6d838626c7143da790776b2ffd2949a1] s390/net: add SMC config as one of the defaults of CCWGROUP
testing commit 219d9aef6d838626c7143da790776b2ffd2949a1 with gcc (GCC) 8.1.0
kernel signature: 9d3c6aab5186a3a123a4e4c801a506b36861473ab7a03f94b7c817f739429016
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_unbind_dev
# git bisect bad 219d9aef6d838626c7143da790776b2ffd2949a1
Bisecting: 850 revisions left to test after this (roughly 10 steps)
[e8f259651f03649b3ecd5cced54c05d7203f69ea] Merge branch 'net-systemport-Clock-support'
testing commit e8f259651f03649b3ecd5cced54c05d7203f69ea with gcc (GCC) 8.1.0
kernel signature: 5070aeb60e1b8f4cc2a5e5797bf05b2274a5b455ba384c627b5bcb1c339e90cf
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_unbind_dev
# git bisect bad e8f259651f03649b3ecd5cced54c05d7203f69ea
Bisecting: 437 revisions left to test after this (roughly 9 steps)
[cb95712138ec5e480db5160b41172bbc6f6494cc] Merge tag 'powerpc-5.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit cb95712138ec5e480db5160b41172bbc6f6494cc with gcc (GCC) 8.1.0
kernel signature: cd3c8b0f9d868cad253c6b0305b8f37b3f8fd1d4828a3384b1103aef907e9330
all runs: OK
# git bisect good cb95712138ec5e480db5160b41172bbc6f6494cc
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[35ff765f8d508e56d09ef470395324298550c415] sfc: fix W=1 warnings in efx_farch_handle_rx_not_ok
testing commit 35ff765f8d508e56d09ef470395324298550c415 with gcc (GCC) 8.1.0
kernel signature: 1d42c8bcc773737c1942fd8ee4bb427626bb84f35efb11c6d74a1306621fb28e
all runs: OK
# git bisect good 35ff765f8d508e56d09ef470395324298550c415
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[2e80be60c465a4f8559327340eaf40845dd7797a] libbpf: Fix compilation warnings for 64-bit printf args
testing commit 2e80be60c465a4f8559327340eaf40845dd7797a with gcc (GCC) 8.1.0
kernel signature: 853593d65783ab680e11db702555ab33dffcd4471c19c8cc7bb135bbcda39078
all runs: OK
# git bisect good 2e80be60c465a4f8559327340eaf40845dd7797a
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[150f29f5e6ea55d8a7d368b162a4e9947a95d2f5] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit 150f29f5e6ea55d8a7d368b162a4e9947a95d2f5 with gcc (GCC) 8.1.0
kernel signature: 1ed8317b555ddc85869db54f05aa4108f86fd78bf6d21599c02249850045652b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_unbind_dev
# git bisect bad 150f29f5e6ea55d8a7d368b162a4e9947a95d2f5
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[f56407fa6e69499a06bf1e0543fa93be6922acba] bpf: Remove bpf_lsm_file_mprotect from sleepable list.
testing commit f56407fa6e69499a06bf1e0543fa93be6922acba with gcc (GCC) 8.1.0
kernel signature: 4be1c47677092bcb6cddf23299b9eefe795729ee92e3073b073d22c7c875a29f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_unbind_dev
# git bisect bad f56407fa6e69499a06bf1e0543fa93be6922acba
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[1c1efc2af158869795d3334a12fed2afd9c51539] xsk: Create and free buffer pool independently from umem
testing commit 1c1efc2af158869795d3334a12fed2afd9c51539 with gcc (GCC) 8.1.0
kernel signature: 9143080ff6f6e794aaa814d09aaa7e4709dc61d7e72885428cb231fdfc4a685d
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xp_set_fq
# git bisect bad 1c1efc2af158869795d3334a12fed2afd9c51539
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[07be4c4a3e7a0db148e44b16c5190e753d1c8569] bpf: Add bpf_copy_from_user() helper.
testing commit 07be4c4a3e7a0db148e44b16c5190e753d1c8569 with gcc (GCC) 8.1.0
kernel signature: 915466597a6d10482c7580daa23dddc1d8b87455cb4d5b316fd051bb1288ddb3
all runs: OK
# git bisect good 07be4c4a3e7a0db148e44b16c5190e753d1c8569
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[9667305c6374df8672be46bc496f52f040999531] bpf: Fix build without BPF_SYSCALL, but with BPF_JIT.
testing commit 9667305c6374df8672be46bc496f52f040999531 with gcc (GCC) 8.1.0
kernel signature: 6837a076179f573d31436ac5e0049bdf174fe66521482752544957020f7001ee
all runs: OK
# git bisect good 9667305c6374df8672be46bc496f52f040999531
Bisecting: 1 revision left to test after this (roughly 1 step)
[1742b3d528690ae7773cf7bf2f01a90ee1de2fe0] xsk: i40e: ice: ixgbe: mlx5: Pass buffer pool to driver instead of umem
testing commit 1742b3d528690ae7773cf7bf2f01a90ee1de2fe0 with gcc (GCC) 8.1.0
kernel signature: 624a3dea2c1b8e123b699063c5613bc10cea55a4cf758c943d3ee98a975057dd
all runs: OK
# git bisect good 1742b3d528690ae7773cf7bf2f01a90ee1de2fe0
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c4655761d3cf62bf5f86650e79349c1bfa5c6285] xsk: i40e: ice: ixgbe: mlx5: Rename xsk zero-copy driver interfaces
testing commit c4655761d3cf62bf5f86650e79349c1bfa5c6285 with gcc (GCC) 8.1.0
kernel signature: 7ecfac28526218078c0bb5e9d0cd94015afce3e645c8b924181c31e0e291428d
all runs: OK
# git bisect good c4655761d3cf62bf5f86650e79349c1bfa5c6285
1c1efc2af158869795d3334a12fed2afd9c51539 is the first bad commit
commit 1c1efc2af158869795d3334a12fed2afd9c51539
Author: Magnus Karlsson <magnus.karlsson@intel.com>
Date:   Fri Aug 28 10:26:17 2020 +0200

    xsk: Create and free buffer pool independently from umem
    
    Create and free the buffer pool independently from the umem. Move
    these operations that are performed on the buffer pool from the
    umem create and destroy functions to new create and destroy
    functions just for the buffer pool. This so that in later commits
    we can instantiate multiple buffer pools per umem when sharing a
    umem between HW queues and/or devices. We also erradicate the
    back pointer from the umem to the buffer pool as this will not
    work when we introduce the possibility to have multiple buffer
    pools per umem.
    
    Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Björn Töpel <bjorn.topel@intel.com>
    Link: https://lore.kernel.org/bpf/1598603189-32145-4-git-send-email-magnus.karlsson@intel.com

 include/net/xdp_sock.h      |   3 +-
 include/net/xsk_buff_pool.h |  13 +++-
 net/xdp/xdp_umem.c          | 164 ++++----------------------------------------
 net/xdp/xdp_umem.h          |   4 +-
 net/xdp/xsk.c               |  74 +++++++++++++++++---
 net/xdp/xsk.h               |   3 +
 net/xdp/xsk_buff_pool.c     | 150 ++++++++++++++++++++++++++++++++++++----
 net/xdp/xsk_queue.h         |  12 ++--
 8 files changed, 236 insertions(+), 187 deletions(-)
culprit signature: 9143080ff6f6e794aaa814d09aaa7e4709dc61d7e72885428cb231fdfc4a685d
parent  signature: 7ecfac28526218078c0bb5e9d0cd94015afce3e645c8b924181c31e0e291428d
revisions tested: 19, total time: 4h5m23.34132903s (build: 1h37m26.92714018s, test: 2h26m6.225482694s)
first bad commit: 1c1efc2af158869795d3334a12fed2afd9c51539 xsk: Create and free buffer pool independently from umem
recipients (to): ["bjorn.topel@intel.com" "daniel@iogearbox.net" "magnus.karlsson@intel.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in xp_set_fq
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 10ddd2067 P4D 10ddd2067 PUD 10ddd3067 PMD 0 
Oops: 0002 [#1] PREEMPT SMP
CPU: 0 PID: 8369 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:xp_set_fq+0x0/0x10 net/xdp/xsk_buff_pool.c:86
Code: cb 1e fe 48 85 c0 48 89 43 60 74 06 48 89 d8 5b 5d c3 48 89 df 31 db e8 be fe ff ff 48 89 d8 5b 5d c3 0f 1f 84 00 00 00 00 00 <48> 89 37 c3 66 90 66 2e 0f 1f 84 00 00 00 00 00 41 57 41 56 41 55
RSP: 0018:ffffc9000281fe90 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
RDX: ffff888000000000 RSI: ffff88810e2fb880 RDI: 0000000000000000
RBP: ffffc9000281fee8 R08: 0000000000100000 R09: 0000000000000001
R10: 0000000000000001 R11: 51feefc827ddeceb R12: ffff88810dc2acc0
R13: ffff88810e351000 R14: ffff88810e3514f0 R15: 0000000000000000
FS:  00007f60c6817700(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010ddd1000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 xsk_setsockopt+0x2c6/0x340 net/xdp/xsk.c:856
 __sys_setsockopt+0xdc/0x1e0 net/socket.c:2132
 __do_sys_setsockopt net/socket.c:2143 [inline]
 __se_sys_setsockopt net/socket.c:2140 [inline]
 __x64_sys_setsockopt+0x1b/0x20 net/socket.c:2140
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e179
Code: 3d b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f60c6816c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000002ebc0 RCX: 000000000045e179
RDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000005
RBP: 000000000118cf90 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020000800 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffd192337df R14: 00007f60c68179c0 R15: 000000000118cf4c
Modules linked in:
CR2: 0000000000000000
---[ end trace debf66389510b23b ]---
RIP: 0010:xp_set_fq+0x0/0x10 net/xdp/xsk_buff_pool.c:86
Code: cb 1e fe 48 85 c0 48 89 43 60 74 06 48 89 d8 5b 5d c3 48 89 df 31 db e8 be fe ff ff 48 89 d8 5b 5d c3 0f 1f 84 00 00 00 00 00 <48> 89 37 c3 66 90 66 2e 0f 1f 84 00 00 00 00 00 41 57 41 56 41 55
RSP: 0018:ffffc9000281fe90 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
RDX: ffff888000000000 RSI: ffff88810e2fb880 RDI: 0000000000000000
RBP: ffffc9000281fee8 R08: 0000000000100000 R09: 0000000000000001
R10: 0000000000000001 R11: 51feefc827ddeceb R12: ffff88810dc2acc0
R13: ffff88810e351000 R14: ffff88810e3514f0 R15: 0000000000000000
FS:  00007f60c6817700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555c280ae668 CR3: 000000010ddd1000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400