bisecting cause commit starting from a3c0e7b1fe1fc62bba5f591c4bc404eea96823b8 building syzkaller on c1ad54410059a5d34da928d4544aaa4ec894a8b1 testing commit a3c0e7b1fe1fc62bba5f591c4bc404eea96823b8 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_poll testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start a3c0e7b1fe1fc62bba5f591c4bc404eea96823b8 v5.3 Bisecting: 5846 revisions left to test after this (roughly 13 steps) [81160dda9a7aad13c04e78bb2cfd3c4630e3afab] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 81160dda9a7aad13c04e78bb2cfd3c4630e3afab with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_poll # git bisect bad 81160dda9a7aad13c04e78bb2cfd3c4630e3afab Bisecting: 3707 revisions left to test after this (roughly 12 steps) [04cbfba6208592999d7bfe6609ec01dc3fde73f5] Merge tag 'dmaengine-5.4-rc1' of git://git.infradead.org/users/vkoul/slave-dma testing commit 04cbfba6208592999d7bfe6609ec01dc3fde73f5 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 04cbfba6208592999d7bfe6609ec01dc3fde73f5 Bisecting: 1853 revisions left to test after this (roughly 11 steps) [e69e9db9031b2ef4897cfafb9a496f8eb6724e14] nfp: nsp: add support for hwinfo set operation testing commit e69e9db9031b2ef4897cfafb9a496f8eb6724e14 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_poll # git bisect bad e69e9db9031b2ef4897cfafb9a496f8eb6724e14 Bisecting: 918 revisions left to test after this (roughly 10 steps) [8c40f3b212a373be843a29db608b462af5c3ed5d] Merge tag 'mlx5-updates-2019-08-15' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit 8c40f3b212a373be843a29db608b462af5c3ed5d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8c40f3b212a373be843a29db608b462af5c3ed5d Bisecting: 459 revisions left to test after this (roughly 9 steps) [58d3bef4163b40147058649b225fddcdd9de7e82] iwlwifi: remove all the d0i3 references testing commit 58d3bef4163b40147058649b225fddcdd9de7e82 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 58d3bef4163b40147058649b225fddcdd9de7e82 Bisecting: 184 revisions left to test after this (roughly 8 steps) [1e46c09ec10049a9e366153b32e41cc557383fdb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 1e46c09ec10049a9e366153b32e41cc557383fdb with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_poll # git bisect bad 1e46c09ec10049a9e366153b32e41cc557383fdb Bisecting: 137 revisions left to test after this (roughly 7 steps) [7d993c5f86aa308b00c2fd420fe5208da18125e2] gianfar: remove forward declarations testing commit 7d993c5f86aa308b00c2fd420fe5208da18125e2 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7d993c5f86aa308b00c2fd420fe5208da18125e2 Bisecting: 68 revisions left to test after this (roughly 6 steps) [45c5589d07158eb1d0b5b313314706024bf451c5] tools: bpftool: improve and check builds for different make invocations testing commit 45c5589d07158eb1d0b5b313314706024bf451c5 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_poll # git bisect bad 45c5589d07158eb1d0b5b313314706024bf451c5 Bisecting: 33 revisions left to test after this (roughly 5 steps) [1f7267232711dd2453f9ceccd41906657afbd825] Merge branch 'bpf-af-xdp-xskmap-improvements' testing commit 1f7267232711dd2453f9ceccd41906657afbd825 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_poll # git bisect bad 1f7267232711dd2453f9ceccd41906657afbd825 Bisecting: 17 revisions left to test after this (roughly 4 steps) [77cd0d7b3f257fd0e3096b4fdcff1a7d38e99e10] xsk: add support for need_wakeup flag in AF_XDP rings testing commit 77cd0d7b3f257fd0e3096b4fdcff1a7d38e99e10 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in xsk_poll # git bisect bad 77cd0d7b3f257fd0e3096b4fdcff1a7d38e99e10 Bisecting: 8 revisions left to test after this (roughly 3 steps) [9def249dc8409ffc1f5a1d7195f1c462f2b49c07] tools: bpftool: fix arguments for p_err() in do_event_pipe() testing commit 9def249dc8409ffc1f5a1d7195f1c462f2b49c07 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9def249dc8409ffc1f5a1d7195f1c462f2b49c07 Bisecting: 4 revisions left to test after this (roughly 2 steps) [b0ead6d75a5b335287337e602e6b815e1115481c] tools: bpftool: fix format string for p_err() in detect_common_prefix() testing commit b0ead6d75a5b335287337e602e6b815e1115481c with gcc (GCC) 8.1.0 all runs: OK # git bisect good b0ead6d75a5b335287337e602e6b815e1115481c Bisecting: 2 revisions left to test after this (roughly 1 step) [82c4c3b7c76720672b84c849ffe7367801278b26] Merge branch 'fix-printf' testing commit 82c4c3b7c76720672b84c849ffe7367801278b26 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 82c4c3b7c76720672b84c849ffe7367801278b26 Bisecting: 0 revisions left to test after this (roughly 1 step) [9116e5e2b1fff71dce501d971e86a3695acc3dba] xsk: replace ndo_xsk_async_xmit with ndo_xsk_wakeup testing commit 9116e5e2b1fff71dce501d971e86a3695acc3dba with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9116e5e2b1fff71dce501d971e86a3695acc3dba 77cd0d7b3f257fd0e3096b4fdcff1a7d38e99e10 is the first bad commit commit 77cd0d7b3f257fd0e3096b4fdcff1a7d38e99e10 Author: Magnus Karlsson Date: Wed Aug 14 09:27:17 2019 +0200 xsk: add support for need_wakeup flag in AF_XDP rings This commit adds support for a new flag called need_wakeup in the AF_XDP Tx and fill rings. When this flag is set, it means that the application has to explicitly wake up the kernel Rx (for the bit in the fill ring) or kernel Tx (for bit in the Tx ring) processing by issuing a syscall. Poll() can wake up both depending on the flags submitted and sendto() will wake up tx processing only. The main reason for introducing this new flag is to be able to efficiently support the case when application and driver is executing on the same core. Previously, the driver was just busy-spinning on the fill ring if it ran out of buffers in the HW and there were none on the fill ring. This approach works when the application is running on another core as it can replenish the fill ring while the driver is busy-spinning. Though, this is a lousy approach if both of them are running on the same core as the probability of the fill ring getting more entries when the driver is busy-spinning is zero. With this new feature the driver now sets the need_wakeup flag and returns to the application. The application can then replenish the fill queue and then explicitly wake up the Rx processing in the kernel using the syscall poll(). For Tx, the flag is only set to one if the driver has no outstanding Tx completion interrupts. If it has some, the flag is zero as it will be woken up by a completion interrupt anyway. As a nice side effect, this new flag also improves the performance of the case where application and driver are running on two different cores as it reduces the number of syscalls to the kernel. The kernel tells user space if it needs to be woken up by a syscall, and this eliminates many of the syscalls. This flag needs some simple driver support. If the driver does not support this, the Rx flag is always zero and the Tx flag is always one. This makes any application relying on this feature default to the old behaviour of not requiring any syscalls in the Rx path and always having to call sendto() in the Tx path. For backwards compatibility reasons, this feature has to be explicitly turned on using a new bind flag (XDP_USE_NEED_WAKEUP). I recommend that you always turn it on as it so far always have had a positive performance impact. The name and inspiration of the flag has been taken from io_uring by Jens Axboe. Details about this feature in io_uring can be found in http://kernel.dk/io_uring.pdf, section 8.3. Signed-off-by: Magnus Karlsson Acked-by: Jonathan Lemon Signed-off-by: Daniel Borkmann :040000 040000 f84341ae23b3a56a61d67480fb002c92ca2cb5a5 98b7fb54071092ee2f38521396c74119f3a07d42 M include :040000 040000 b096c35aed881ef00b9a4a843d5d189140d8b5ac 2a0b78d17027de6da38061385e61b023c7b92536 M net revisions tested: 16, total time: 3h41m44.168424611s (build: 1h31m18.822446903s, test: 2h5m26.776172282s) first bad commit: 77cd0d7b3f257fd0e3096b4fdcff1a7d38e99e10 xsk: add support for need_wakeup flag in AF_XDP rings cc: ["ast@kernel.org" "bjorn.topel@intel.com" "bpf@vger.kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "hawk@kernel.org" "jakub.kicinski@netronome.com" "john.fastabend@gmail.com" "jonathan.lemon@gmail.com" "linux-kernel@vger.kernel.org" "magnus.karlsson@intel.com" "maximmi@mellanox.com" "netdev@vger.kernel.org" "saeedm@mellanox.com" "tariqt@mellanox.com"] crash: BUG: unable to handle kernel NULL pointer dereference in xsk_poll BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 8fc74067 P4D 8fc74067 PUD 8fc75067 PMD 0 Oops: 0010 [#1] PREEMPT SMP KASAN CPU: 0 PID: 7403 Comm: syz-executor.0 Not tainted 5.3.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:0x0 Code: Bad RIP value. RSP: 0018:ffff88807aa578a8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8880982368c0 RCX: 1ffff11013046dac RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff888085e46200 RBP: ffff88807aa578e0 R08: ffffed1013046d61 R09: ffffed1013046d61 R10: ffffed1013046d60 R11: ffff888098236b07 R12: ffff888085e46200 R13: 0000000000000304 R14: 0000000000000000 R15: ffff8880951bf0a0 FS: 00007fe078c49700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000096ab5000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: xsk_poll+0x15a/0x4d0 net/xdp/xsk.c:387 sock_poll+0x137/0x430 net/socket.c:1256 vfs_poll include/linux/poll.h:90 [inline] do_pollfd fs/select.c:859 [inline] do_poll fs/select.c:907 [inline] do_sys_poll+0x4a7/0xc20 fs/select.c:1001 __do_sys_ppoll fs/select.c:1101 [inline] __se_sys_ppoll fs/select.c:1081 [inline] __x64_sys_ppoll+0x1e1/0x2a0 fs/select.c:1081 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x459a29 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fe078c48c78 EFLAGS: 00000246 ORIG_RAX: 000000000000010f RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459a29 RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000020000040 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe078c496d4 R13: 00000000004c691d R14: 00000000004dbbf8 R15: 00000000ffffffff Modules linked in: CR2: 0000000000000000 ---[ end trace a401238f5cd54ec2 ]--- RIP: 0010:0x0 Code: Bad RIP value. RSP: 0018:ffff88807aa578a8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8880982368c0 RCX: 1ffff11013046dac RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff888085e46200 RBP: ffff88807aa578e0 R08: ffffed1013046d61 R09: ffffed1013046d61 R10: ffffed1013046d60 R11: ffff888098236b07 R12: ffff888085e46200 R13: 0000000000000304 R14: 0000000000000000 R15: ffff8880951bf0a0 FS: 00007fe078c49700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe078c06db8 CR3: 0000000096ab5000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400