bisecting fixing commit since 3e968c9f1401088abc9a19ae6ff571644d37a355
building syzkaller on 676bd07e7e80f8a270af7f0276443c68f4a99e25
testing commit 3e968c9f1401088abc9a19ae6ff571644d37a355 with gcc (GCC) 8.1.0
kernel signature: 6b0d75e4f278c60eda2c6e522968cc3332b54466c6073e1d130fee5354a2d130
run #0: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #1: crashed: KASAN: use-after-free Read in __ntfs_write_inode
run #2: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #3: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #4: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #5: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #6: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #7: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #8: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #9: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
testing current HEAD 2ac69819ba9e3d8d550bb5d2d2df74848e556812
testing commit 2ac69819ba9e3d8d550bb5d2d2df74848e556812 with gcc (GCC) 8.1.0
kernel signature: 601478e0a97db591ecae6d0c719a4e818a2352a662599c51e48b44ecea451f3e
all runs: OK
# git bisect start 2ac69819ba9e3d8d550bb5d2d2df74848e556812 3e968c9f1401088abc9a19ae6ff571644d37a355
Bisecting: 101863 revisions left to test after this (roughly 17 steps)
[237f83dfbe668443b5e31c3c7576125871cca674] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 237f83dfbe668443b5e31c3c7576125871cca674 with gcc (GCC) 8.1.0
kernel signature: 471a5d91819785d09f8f2c24ff8436805480f763e69a626b30e4d646710bd7ce
run #0: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #1: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #2: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #3: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #4: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #5: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #6: crashed: KASAN: use-after-free Read in __ntfs_write_inode
run #7: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #8: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
run #9: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
# git bisect good 237f83dfbe668443b5e31c3c7576125871cca674
Bisecting: 50945 revisions left to test after this (roughly 16 steps)
[18ea671ba40bcbb15c47118e20010240186da33b] Merge tag 'dmaengine-fix-5.6-rc1' of git://git.infradead.org/users/vkoul/slave-dma
testing commit 18ea671ba40bcbb15c47118e20010240186da33b with gcc (GCC) 8.1.0
kernel signature: 2397c8a13cd66691fd6953365019477a98151af6703f629528ad082aa7f7cc21
all runs: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
# git bisect good 18ea671ba40bcbb15c47118e20010240186da33b
Bisecting: 24580 revisions left to test after this (roughly 15 steps)
[cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2 with gcc (GCC) 8.1.0
kernel signature: fb0a70574c186f08ce11dcb3c592778f2e57bdfc2f6a2b82c475ad10b30afeb2
all runs: crashed: KASAN: use-after-free Read in ntfs_read_locked_inode
# git bisect good cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2
Bisecting: 12314 revisions left to test after this (roughly 14 steps)
[62975d27d647a40c58d3b96c29b911fc4f33c310] drm/ttm: revert "drm/ttm: make TT creation purely optional v3"
testing commit 62975d27d647a40c58d3b96c29b911fc4f33c310 with gcc (GCC) 8.1.0
kernel signature: 34f018211c368ff202b6738b94a7b03c177d56b24fe8d79e643382b6b79e5094
run #0: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 62975d27d647a40c58d3b96c29b911fc4f33c310
Bisecting: 5860 revisions left to test after this (roughly 13 steps)
[47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0
kernel signature: 74f31673b5294ce384b9db544171ef15f5baf1f1b1657b7ad6d41fcc8a82f4a7
run #0: OK
run #1: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor297075790" "root@10.128.10.58:./syz-executor297075790"]: exit status 1
Connection timed out during banner exchange
lost connection
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 47ec5303d73ea344e84f46660fff693c57641386
Bisecting: 3297 revisions left to test after this (roughly 12 steps)
[060a72a268577cf27733d9e8eb03b3ca427f45e6] Merge tag 'for-5.9/block-merge-20200804' of git://git.kernel.dk/linux-block
testing commit 060a72a268577cf27733d9e8eb03b3ca427f45e6 with gcc (GCC) 8.1.0
kernel signature: 500775fadb6d42b48cd07428ad4b644f91f4432b4117da264fbd2ed782a0d49f
run #0: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 060a72a268577cf27733d9e8eb03b3ca427f45e6
Bisecting: 1648 revisions left to test after this (roughly 11 steps)
[a02d26fe48f580ba1e9f88ad6f22aae9a6eca0db] Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit a02d26fe48f580ba1e9f88ad6f22aae9a6eca0db with gcc (GCC) 8.1.0
kernel signature: 68b3ee39b7e1b608cf3f651f8165ea13202849684fb7ce0210d2784c4c9da9aa
run #0: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #1: OK
run #2: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good a02d26fe48f580ba1e9f88ad6f22aae9a6eca0db
Bisecting: 831 revisions left to test after this (roughly 10 steps)
[1d8ce0e09301920454234a4096dee96a670a8e32] Merge tag 'gpio-v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit 1d8ce0e09301920454234a4096dee96a670a8e32 with gcc (GCC) 8.1.0
kernel signature: af3d5f1c034c7366924076f3ca2c129ed6799374da677a819d7a27bd1e8e27d3
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 1d8ce0e09301920454234a4096dee96a670a8e32
Bisecting: 435 revisions left to test after this (roughly 9 steps)
[76769c38b45d94f5492ff9be363ac7007fd8e58b] Merge tag 'mlx5-updates-2020-08-03' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 76769c38b45d94f5492ff9be363ac7007fd8e58b with gcc (GCC) 8.1.0
kernel signature: 7214aaf699ea529c590876ce4357597ec4e63557c9ad25c1d37d62a46d5abc89
run #0: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #1: crashed: BUG: corrupted list in evict
run #2: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #3: OK
run #4: OK
run #5: crashed: BUG: Bad rss-counter state
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 76769c38b45d94f5492ff9be363ac7007fd8e58b
Bisecting: 217 revisions left to test after this (roughly 8 steps)
[72f70c159b53e1363191953875e0223ed959e143] selftests: rtnetlink: make kci_test_encap() return sub-test result
testing commit 72f70c159b53e1363191953875e0223ed959e143 with gcc (GCC) 8.1.0
kernel signature: 5f24dc6e097d05de1dffdaf76f4858cd984a05fddb5e38b0cef1ff1fbd1a591d
all runs: OK
# git bisect bad 72f70c159b53e1363191953875e0223ed959e143
Bisecting: 113 revisions left to test after this (roughly 7 steps)
[2cfd71f1a43e9e1053db6c84f2dc33fe88128f67] Merge git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git
testing commit 2cfd71f1a43e9e1053db6c84f2dc33fe88128f67 with gcc (GCC) 8.1.0
kernel signature: 9ee6b60db5d8b7e4448a81cda7579d8937591222e277e90c3525545bd88194a3
run #0: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #1: crashed: panic: runtime error: invalid memory address or nil pointer dereference
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 2cfd71f1a43e9e1053db6c84f2dc33fe88128f67
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[dfdb0d93e5bc351af5b286ae9c630d3cf869b810] selftests/bpf: Add xdpdrv mode for test_xdp_redirect
testing commit dfdb0d93e5bc351af5b286ae9c630d3cf869b810 with gcc (GCC) 8.1.0
kernel signature: 4f3db18ddf144f87bd5933180690c7f07c6596a7f401bd48dca6d8d1e0c45ecd
all runs: OK
# git bisect bad dfdb0d93e5bc351af5b286ae9c630d3cf869b810
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[7d9c3427894fe70d1347b4820476bf37736d2ff0] bpf: Make cgroup storages shared between programs on the same cgroup
testing commit 7d9c3427894fe70d1347b4820476bf37736d2ff0 with gcc (GCC) 8.1.0
kernel signature: bfacf15f3812a07167846f77e65d9cc452d8623bacddcbb8dce53a3aae477887
run #0: crashed: panic: close of closed channel
run #1: crashed: panic: broken gate
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 7d9c3427894fe70d1347b4820476bf37736d2ff0
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[47960ad614d0c162e03f8ec10bca7086fde284ed] Merge branch 'bpf_link-XDP'
testing commit 47960ad614d0c162e03f8ec10bca7086fde284ed with gcc (GCC) 8.1.0
kernel signature: d08062d86e5de27641c0bde5dbf7154e1748955dd75c3e05195e2b56b84c4619
run #0: crashed: panic: runtime error: invalid memory address or nil pointer dereference
run #1: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #2: crashed: WARNING: ODEBUG bug in asm_call_on_stack
run #3: crashed: BUG: Bad rss-counter state
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 47960ad614d0c162e03f8ec10bca7086fde284ed
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[ca5cd355b7f0372da0d50fce5b12a3367e417290] bpf, selftests: use :: 1 for localhost in tcp_server.py
testing commit ca5cd355b7f0372da0d50fce5b12a3367e417290 with gcc (GCC) 8.1.0
kernel signature: ad46f10b326ada0c97938a3accf7917f1570616c557b670c21214df9d1ff29dc
run #0: crashed: panic: runtime error: invalid memory address or nil pointer dereference
run #1: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good ca5cd355b7f0372da0d50fce5b12a3367e417290
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[4fc00b79b85d4c34bef06ad49f109ad7cd9e5d83] bpf: Add missing newline characters in verifier error messages
testing commit 4fc00b79b85d4c34bef06ad49f109ad7cd9e5d83 with gcc (GCC) 8.1.0
kernel signature: 2b1cb2252eb95f9e77653b06ef14d3ce97d033cf0e45e941f284c6c6df8b3077
run #0: OK
run #1: OK
run #2: crashed: panic: runtime error: invalid memory address or nil pointer dereference
run #3: crashed: panic: runtime error: invalid memory address or nil pointer dereference
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 4fc00b79b85d4c34bef06ad49f109ad7cd9e5d83
Bisecting: 1 revision left to test after this (roughly 1 step)
[f7c6cb1d9728dea9d9f131ef57303d6821afb0f8] bpf: Expose socket storage to BPF_PROG_TYPE_CGROUP_SOCK
testing commit f7c6cb1d9728dea9d9f131ef57303d6821afb0f8 with gcc (GCC) 8.1.0
kernel signature: 919b9207e03d470a495cb578574ef7c6d728c7e3ad5aa661c7e47cad86a136e4
all runs: OK
# git bisect bad f7c6cb1d9728dea9d9f131ef57303d6821afb0f8
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[12e6196fb15953605be54ac9320ac54371aecab7] selftests/bpf: Test bpf_iter buffer access with negative offset
testing commit 12e6196fb15953605be54ac9320ac54371aecab7 with gcc (GCC) 8.1.0
kernel signature: 474e5bfb95d88fb2c46ddaf94af3abfac17ec21a906e93df1ad0d882e72a02e4
run #0: OK
run #1: crashed: panic: bad group arg size 2137, should be <= 1 for &prog.GroupArg{ArgCommon:prog.ArgCommon{typ:(*prog.StructType)(ADDR)}
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 12e6196fb15953605be54ac9320ac54371aecab7
f7c6cb1d9728dea9d9f131ef57303d6821afb0f8 is the first bad commit
commit f7c6cb1d9728dea9d9f131ef57303d6821afb0f8
Author: Stanislav Fomichev
Date:   Tue Jul 28 17:31:03 2020 -0700

    bpf: Expose socket storage to BPF_PROG_TYPE_CGROUP_SOCK

    This lets us use socket storage from the following hooks:

    * BPF_CGROUP_INET_SOCK_CREATE
    * BPF_CGROUP_INET_SOCK_RELEASE
    * BPF_CGROUP_INET4_POST_BIND
    * BPF_CGROUP_INET6_POST_BIND

    Using existing 'bpf_sk_storage_get_proto' doesn't work because
    second argument is ARG_PTR_TO_SOCKET. Even though
    BPF_PROG_TYPE_CGROUP_SOCK hooks operate on 'struct bpf_sock',
    the verifier still considers it as a PTR_TO_CTX.
    That's why I'm adding another 'bpf_sk_storage_get_cg_sock_proto'
    definition strictly for BPF_PROG_TYPE_CGROUP_SOCK which accepts
    ARG_PTR_TO_CTX which is really 'struct sock' for this program type.

    Signed-off-by: Stanislav Fomichev
    Signed-off-by: Daniel Borkmann
    Acked-by: Song Liu
    Link: https://lore.kernel.org/bpf/20200729003104.1280813-1-sdf@google.com

 net/core/bpf_sk_storage.c | 10 ++++++++++
 net/core/filter.c         |  3 +++
 2 files changed, 13 insertions(+)
culprit signature: 919b9207e03d470a495cb578574ef7c6d728c7e3ad5aa661c7e47cad86a136e4
parent signature: 474e5bfb95d88fb2c46ddaf94af3abfac17ec21a906e93df1ad0d882e72a02e4
revisions tested: 20, total time: 4h23m0.363730939s (build: 1h17m31.648557254s, test: 3h1m12.400880457s)
first good commit: f7c6cb1d9728dea9d9f131ef57303d6821afb0f8 bpf: Expose socket storage to BPF_PROG_TYPE_CGROUP_SOCK
recipients (to): ["daniel@iogearbox.net" "sdf@google.com" "songliubraving@fb.com"]
recipients (cc): []