bisecting fixing commit since 4b972a01a7da614b4796475f933094751a295a2f
building syzkaller on 82c13b6b49369ae3f3846e867fe1b8e0c21eefc0
testing commit 4b972a01a7da614b4796475f933094751a295a2f with gcc (GCC) 8.1.0
run #0: crashed: kernel panic: corrupted stack end in corrupted
run #1: crashed: kernel panic: corrupted stack end in corrupted
run #2: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #5: crashed: KASAN: use-after-free Read in class_equal
run #6: crashed: KASAN: use-after-free Read in class_equal
run #7: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #8: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #9: crashed: KASAN: slab-out-of-bounds Read in class_equal
testing current HEAD bb7ba8069de933d69cb45dd0a5806b61033796a3
testing commit bb7ba8069de933d69cb45dd0a5806b61033796a3 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start bb7ba8069de933d69cb45dd0a5806b61033796a3 4b972a01a7da614b4796475f933094751a295a2f
Bisecting: 7657 revisions left to test after this (roughly 13 steps)
[a50a3f4b6a313dc76912bd4ad3b8b4f4b479c801] sched/rt, Kconfig: Introduce CONFIG_PREEMPT_RT
testing commit a50a3f4b6a313dc76912bd4ad3b8b4f4b479c801 with gcc (GCC) 8.1.0
run #0: crashed: BUG: unable to handle kernel paging request in stack_depot_fetch
run #1: crashed: KASAN: use-after-free Read in tick_sched_handle
run #2: crashed: KASAN: slab-out-of-bounds Read in __bad_area_nosemaphore
run #3: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle
run #4: crashed: general protection fault in tomoyo_get_name
run #5: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE!
run #6: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle
run #7: crashed: BUG: Bad page map
run #8: crashed: general protection fault in tomoyo_check_acl
run #9: crashed: KASAN: slab-out-of-bounds Read in tomoyo_check_acl
# git bisect good a50a3f4b6a313dc76912bd4ad3b8b4f4b479c801
Bisecting: 3836 revisions left to test after this (roughly 12 steps)
[fa121bb3fed6313b1f0af23952301e06cf6d32ed] Merge tag 'mips_5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit fa121bb3fed6313b1f0af23952301e06cf6d32ed with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: use-after-free Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: use-after-free Read in class_equal
run #4: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #5: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #6: crashed: KASAN: use-after-free Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: kernel panic: corrupted stack end in corrupted
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in qlist_free_all
# git bisect good fa121bb3fed6313b1f0af23952301e06cf6d32ed
Bisecting: 1918 revisions left to test after this (roughly 11 steps)
[af6af87d7e4ff67324425daa699b9cda32e3161d] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit af6af87d7e4ff67324425daa699b9cda32e3161d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #1: crashed: KASAN: use-after-free Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: use-after-free Read in class_equal
run #4: crashed: KASAN: slab-out-of-bounds Write in __unwind_start
run #5: crashed: kernel panic: corrupted stack end in corrupted
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #9: crashed: KASAN: slab-out-of-bounds Read in class_equal
# git bisect good af6af87d7e4ff67324425daa699b9cda32e3161d
Bisecting: 961 revisions left to test after this (roughly 10 steps)
[e12b243de76dcc24a904a48a2efda94fdc4cdf07] Merge tag 'xfs-5.3-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
testing commit e12b243de76dcc24a904a48a2efda94fdc4cdf07 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: kernel panic: corrupted stack end in corrupted
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: kernel panic: corrupted stack end in corrupted
run #5: crashed: KASAN: use-after-free Read in class_equal
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #9: crashed: kernel panic: corrupted stack end in corrupted
# git bisect good e12b243de76dcc24a904a48a2efda94fdc4cdf07
Bisecting: 479 revisions left to test after this (roughly 9 steps)
[15abf14202a2fe7e5c5fc0e815587f45de4fd500] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
testing commit 15abf14202a2fe7e5c5fc0e815587f45de4fd500 with gcc (GCC) 8.1.0
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect bad 15abf14202a2fe7e5c5fc0e815587f45de4fd500
Bisecting: 244 revisions left to test after this (roughly 8 steps)
[feac1d680233a48603213d52230f92222462a1c8] Merge branch 'sja1105-fixes'
testing commit feac1d680233a48603213d52230f92222462a1c8 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip feac1d680233a48603213d52230f92222462a1c8
Bisecting: 244 revisions left to test after this (roughly 8 steps)
[4130741736d4bc27add2ab4f7e53bc401846ce27] Merge branch 'net-fix-regressions-for-generic-XDP'
testing commit 4130741736d4bc27add2ab4f7e53bc401846ce27 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 4130741736d4bc27add2ab4f7e53bc401846ce27
Bisecting: 244 revisions left to test after this (roughly 8 steps)
[87e7e25aee6b59fef740856f4e86d4b60496c9e1] iwlwifi: don't unmap as page memory that was mapped as single
testing commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 87e7e25aee6b59fef740856f4e86d4b60496c9e1
Bisecting: 244 revisions left to test after this (roughly 8 steps)
[f7813d5c637e43209ffdc20a9b25a13fcbb86eef] Merge tag 'linux-can-fixes-for-5.3-20190802' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
testing commit f7813d5c637e43209ffdc20a9b25a13fcbb86eef with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip f7813d5c637e43209ffdc20a9b25a13fcbb86eef
Bisecting: 244 revisions left to test after this (roughly 8 steps)
[34a2a80ff30b5d2330abfa8980c7f0cc15a8158a] ASoC: ti: davinci-mcasp: Fix clk PDIR handling for i2s master mode
testing commit 34a2a80ff30b5d2330abfa8980c7f0cc15a8158a with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: general protection fault in rb_erase
run #5: crashed: KASAN: use-after-free Read in class_equal
run #6: crashed: KASAN: use-after-free Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: KASAN: slab-out-of-bounds Read in class_equal
# git bisect good 34a2a80ff30b5d2330abfa8980c7f0cc15a8158a
Bisecting: 228 revisions left to test after this (roughly 8 steps)
[443bfb4acb83a6f0b7d9b11ac32f17c67f14e995] Merge branch 'flow_offload-action-fixes'
testing commit 443bfb4acb83a6f0b7d9b11ac32f17c67f14e995 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 443bfb4acb83a6f0b7d9b11ac32f17c67f14e995
Bisecting: 228 revisions left to test after this (roughly 8 steps)
[5b31f3e39a6c4be55ede49da0dd352017f09e8cf] drop_monitor: Add missing uAPI file to MAINTAINERS file
testing commit 5b31f3e39a6c4be55ede49da0dd352017f09e8cf with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 5b31f3e39a6c4be55ede49da0dd352017f09e8cf
Bisecting: 228 revisions left to test after this (roughly 8 steps)
[c093de6bd3c50d3dd597ff9fa5cf7a30acbb3eb7] tools headers UAPI: Sync sched.h with the kernel
testing commit c093de6bd3c50d3dd597ff9fa5cf7a30acbb3eb7 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip c093de6bd3c50d3dd597ff9fa5cf7a30acbb3eb7
Bisecting: 228 revisions left to test after this (roughly 8 steps)
[944a83a2669ae8aa2c7664e79376ca7468eb0a2b] mvpp2: fix panic on module removal
testing commit 944a83a2669ae8aa2c7664e79376ca7468eb0a2b with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 944a83a2669ae8aa2c7664e79376ca7468eb0a2b
Bisecting: 228 revisions left to test after this (roughly 8 steps)
[4b3e30ed3ec7864e798403a63ff2e96bd0c19ab0] Revert "drm/amdkfd: New IOCTL to allocate queue GWS"
testing commit 4b3e30ed3ec7864e798403a63ff2e96bd0c19ab0 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: use-after-free Read in class_equal
run #2: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #3: crashed: KASAN: use-after-free Read in tick_sched_handle
run #4: crashed: kernel panic: corrupted stack end in corrupted
run #5: crashed: kernel panic: corrupted stack end in corrupted
run #6: crashed: KASAN: use-after-free Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: KASAN: use-after-free Read in class_equal
# git bisect good 4b3e30ed3ec7864e798403a63ff2e96bd0c19ab0
Bisecting: 224 revisions left to test after this (roughly 8 steps)
[96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3] net: hisilicon: Fix dma_map_single failed on arm64
testing commit 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3
Bisecting: 224 revisions left to test after this (roughly 8 steps)
[d0d006a43e9a7a796f6f178839c92fcc222c564d] be2net: disable bh with spin_lock in be_process_mcc
testing commit d0d006a43e9a7a796f6f178839c92fcc222c564d with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip d0d006a43e9a7a796f6f178839c92fcc222c564d
Bisecting: 224 revisions left to test after this (roughly 8 steps)
[decb705e01a5d325c9876b9674043cde4b54f0db] libbpf: fix using uninitialized ioctl results
testing commit decb705e01a5d325c9876b9674043cde4b54f0db with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad decb705e01a5d325c9876b9674043cde4b54f0db
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[78b5dc3d68dcb1d18d805e8f4e565f19ed6d976a] selftests/tls: test error codes around TLS ULP installation
testing commit 78b5dc3d68dcb1d18d805e8f4e565f19ed6d976a with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 78b5dc3d68dcb1d18d805e8f4e565f19ed6d976a
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[313ab004805cf52a42673b15852b3842474ccd87] net/tls: remove sock unlock/lock around strp_done()
testing commit 313ab004805cf52a42673b15852b3842474ccd87 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: invalid opcode in tls_prots
run #5: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: unexpected kernel reboot
run #8: crashed: BUG: unable to handle kernel paging request in hrtimer_interrupt
run #9: crashed: no output from test machine
# git bisect good 313ab004805cf52a42673b15852b3842474ccd87
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[0e858739c2d2eedeeac1d35bfa0ec3cc2a7190d8] bpf: sockmap, only create entry if ulp is not already enabled
testing commit 0e858739c2d2eedeeac1d35bfa0ec3cc2a7190d8 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: no output from test machine
run #2: crashed: no output from test machine
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 0e858739c2d2eedeeac1d35bfa0ec3cc2a7190d8
Bisecting: 1 revision left to test after this (roughly 1 step)
[95fa145479fbc0a0c1fd3274ceb42ec03c042a4a] bpf: sockmap/tls, close can race with map free
testing commit 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a
95fa145479fbc0a0c1fd3274ceb42ec03c042a4a is the first bad commit
commit 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a
Author: John Fastabend
Date:   Fri Jul 19 10:29:22 2019 -0700

    bpf: sockmap/tls, close can race with map free

    When a map free is called and in parallel a socket is closed we have two paths that can potentially reset the socket prot ops, the bpf close() path and the map free path. This creates a problem with which prot ops should be used from the socket closed side.

    If the map_free side completes first then we want to call the original lowest level ops. However, if the tls path runs first we want to call the sockmap ops. Additionally there was no locking around prot updates in TLS code paths so the prot ops could be changed multiple times once from TLS path and again from sockmap side potentially leaving ops pointed at either TLS or sockmap when psock and/or tls context have already been destroyed.

    To fix this race first only update ops inside callback lock so that TLS, sockmap and lowest level all agree on prot state. Second and a ULP callback update() so that lower layers can inform the upper layer when they are being removed allowing the upper layer to reset prot ops.

    This gets us close to allowing sockmap and tls to be stacked in arbitrary order but will save that patch for *next trees.

    v4:
     - make sure we don't free things for device;
     - remove the checks which swap the callbacks back only if TLS is at the top.

    Reported-by: syzbot+06537213db7ba2745c4a@syzkaller.appspotmail.com
    Fixes: 02c558b2d5d6 ("bpf: sockmap, support for msg_peek in sk_msg with redirect ingress")
    Signed-off-by: John Fastabend
    Signed-off-by: Jakub Kicinski
    Reviewed-by: Dirk van der Merwe
    Signed-off-by: Daniel Borkmann

:040000 040000 f4f84ff0a870164b457e3d8b7fa3ceea97dde7f0 93a2b278e313b1703542290335add7c22eaaac73 M include
:040000 040000 3e73c6d30c0cab2b91a975295ec008a2869b9997 7985956f4eba51176377d85f9a17d04276648223 M net
revisions tested: 24, total time: 6h9m28.729364405s (build: 2h19m22.701535789s, test: 3h42m57.187388072s)
first good commit: 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a bpf: sockmap/tls, close can race with map free
cc: ["daniel@iogearbox.net" "dirk.vandermerwe@netronome.com" "jakub.kicinski@netronome.com" "john.fastabend@gmail.com"]