bisecting fixing commit since 32ef9553635ab1236c33951a8bd9b5af1c3b1646
building syzkaller on a76bf83ffac5c0bed0a686f8ebc98c74bfb34a0c
testing commit 32ef9553635ab1236c33951a8bd9b5af1c3b1646 with gcc (GCC) 8.1.0
kernel signature: 048ea63348cfcb9b694e920dfe32e949ddb90595
all runs: crashed: general protection fault in j1939_jsk_del
testing current HEAD 575966e080270b7574175da35f7f7dd5ecd89ff4
testing commit 575966e080270b7574175da35f7f7dd5ecd89ff4 with gcc (GCC) 8.1.0
kernel signature: e18bcfef9babd7c6b5eefbef0c941395a81e06ce
all runs: OK
# git bisect start 575966e080270b7574175da35f7f7dd5ecd89ff4 32ef9553635ab1236c33951a8bd9b5af1c3b1646
Bisecting: 2907 revisions left to test after this (roughly 12 steps)
[ec939e4c94bd3ef2fd4f34c15f8aaf79bd0c5ee1] Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit ec939e4c94bd3ef2fd4f34c15f8aaf79bd0c5ee1 with gcc (GCC) 8.1.0
kernel signature: a0ab156f1e13361b319019180c5c5c56778bcd14
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good ec939e4c94bd3ef2fd4f34c15f8aaf79bd0c5ee1
Bisecting: 1453 revisions left to test after this (roughly 11 steps)
[7c68fa2bddda6d942bd387c9ba5b4300737fd991] net: annotate lockless accesses to sk->sk_pacing_shift
testing commit 7c68fa2bddda6d942bd387c9ba5b4300737fd991 with gcc (GCC) 8.1.0
kernel signature: 2cec4b2632e10cd52083d31e0f15d233d9d5ffb9
all runs: OK
# git bisect bad 7c68fa2bddda6d942bd387c9ba5b4300737fd991
Bisecting: 744 revisions left to test after this (roughly 10 steps)
[eb275167d18684e07ee43bdc0e09a18326540461] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit eb275167d18684e07ee43bdc0e09a18326540461 with gcc (GCC) 8.1.0
kernel signature: f8f44a60a20ae6ffe6f92f3ee3e3481df8323938
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good eb275167d18684e07ee43bdc0e09a18326540461
Bisecting: 373 revisions left to test after this (roughly 9 steps)
[f74fd13f4585e418a3e630a82468be58bf1d98c1] Merge tag 'for-linus-5.5b-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
testing commit f74fd13f4585e418a3e630a82468be58bf1d98c1 with gcc (GCC) 8.1.0
kernel signature: 0ebaee14944baf75a94d6f7bad8899b4916a9432
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good f74fd13f4585e418a3e630a82468be58bf1d98c1
Bisecting: 216 revisions left to test after this (roughly 8 steps)
[138f371ddf4ff50207dbe33ebfc237e756cd6222] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 138f371ddf4ff50207dbe33ebfc237e756cd6222 with gcc (GCC) 8.1.0
kernel signature: 84d8cfb66bdaabf4503e2eb117a46b3364fa9cd1
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good 138f371ddf4ff50207dbe33ebfc237e756cd6222
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[43aad8104bdaa7176a8f87143ac0e559bc891293] Merge tag 'linux-can-fixes-for-5.5-20191208' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
testing commit 43aad8104bdaa7176a8f87143ac0e559bc891293 with gcc (GCC) 8.1.0
kernel signature: d5436d86d9cd382be240ed2127c573e90e27ec3d
all runs: OK
# git bisect bad 43aad8104bdaa7176a8f87143ac0e559bc891293
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[ae72555b410410568b493f8735324f8e9bd7c051] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit ae72555b410410568b493f8735324f8e9bd7c051 with gcc (GCC) 8.1.0
kernel signature: 2ae9cdd7e29c7553c18f30e147db12732e8e7a3b
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good ae72555b410410568b493f8735324f8e9bd7c051
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[721c8dafad26ccfa90ff659ee19755e3377b829d] tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
testing commit 721c8dafad26ccfa90ff659ee19755e3377b829d with gcc (GCC) 8.1.0
kernel signature: 502ceb222cd6edb0ec5a7d2574c319b247dc0c61
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good 721c8dafad26ccfa90ff659ee19755e3377b829d
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4] can: j1939: j1939_sk_bind(): take priv after lock is held
testing commit 00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4 with gcc (GCC) 8.1.0
kernel signature: 49067d543d57daec5cf41aa6b3efb575d037b4c6
all runs: OK
# git bisect bad 00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[fafc5db28a2ff39092bafe8ac9b8b19c4904f633] net: phy: dp83867: fix hfs boot in rgmii mode
testing commit fafc5db28a2ff39092bafe8ac9b8b19c4904f633 with gcc (GCC) 8.1.0
kernel signature: cc8223e1b6664ed0649687c3a9873e0081477756
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good fafc5db28a2ff39092bafe8ac9b8b19c4904f633
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2dd5616ecdcebdf5a8d007af64e040d4e9214efe] net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add()
testing commit 2dd5616ecdcebdf5a8d007af64e040d4e9214efe with gcc (GCC) 8.1.0
kernel signature: 86c58a1d44172018999e57c31f86bc7a2fc8de6a
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good 2dd5616ecdcebdf5a8d007af64e040d4e9214efe
Bisecting: 1 revision left to test after this (roughly 1 step)
[fd230ffaa48b28954cde1bf1121aedcbb8db3883] MAINTAINERS: Add myself as a maintainer for MMIO m_can
testing commit fd230ffaa48b28954cde1bf1121aedcbb8db3883 with gcc (GCC) 8.1.0
kernel signature: 8f4ed54a81aa527dff63546839258df478ad5e26
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good fd230ffaa48b28954cde1bf1121aedcbb8db3883
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1a2e9d2f794e8789d8b4503340ea3465163db2f8] MAINTAINERS: Add myself as a maintainer for TCAN4x5x
testing commit 1a2e9d2f794e8789d8b4503340ea3465163db2f8 with gcc (GCC) 8.1.0
kernel signature: b3fa17afe0f8ae79a2e0cf58ed2b462d79c8b73c
all runs: crashed: general protection fault in j1939_jsk_del
# git bisect good 1a2e9d2f794e8789d8b4503340ea3465163db2f8
00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4 is the first bad commit
commit 00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4
Author: Oleksij Rempel
Date:   Fri Dec 6 15:18:35 2019 +0100

    can: j1939: j1939_sk_bind(): take priv after lock is held

    syzbot reproduced following crash:

    ===============================================================================
    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 0 PID: 9844 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:__lock_acquire+0x1254/0x4a00 kernel/locking/lockdep.c:3828
    Code: 00 0f 85 96 24 00 00 48 81 c4 f0 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 0b 28 00 00 49 81 3e 20 19 78 8a 0f 84 5f ee ff
    RSP: 0018:ffff888099c3fb48 EFLAGS: 00010006
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
    RDX: 0000000000000218 RSI: 0000000000000000 RDI: 0000000000000001
    RBP: ffff888099c3fc60 R08: 0000000000000001 R09: 0000000000000001
    R10: fffffbfff146e1d0 R11: ffff888098720400 R12: 00000000000010c0
    R13: 0000000000000000 R14: 00000000000010c0 R15: 0000000000000000
    FS:  00007f0559e98700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fe4d89e0000 CR3: 0000000099606000 CR4: 00000000001406f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
     __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
     _raw_spin_lock_bh+0x33/0x50 kernel/locking/spinlock.c:175
     spin_lock_bh include/linux/spinlock.h:343 [inline]
     j1939_jsk_del+0x32/0x210 net/can/j1939/socket.c:89
     j1939_sk_bind+0x2ea/0x8f0 net/can/j1939/socket.c:448
     __sys_bind+0x239/0x290 net/socket.c:1648
     __do_sys_bind net/socket.c:1659 [inline]
     __se_sys_bind net/socket.c:1657 [inline]
     __x64_sys_bind+0x73/0xb0 net/socket.c:1657
     do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x45a679
    Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f0559e97c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
    RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
    RDX: 0000000000000018 RSI: 0000000020000240 RDI: 0000000000000003
    RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0559e986d4
    R13: 00000000004c09e9 R14: 00000000004d37d0 R15: 00000000ffffffff
    Modules linked in:
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 9844 at kernel/locking/mutex.c:1419 mutex_trylock+0x279/0x2f0 kernel/locking/mutex.c:1427
    ===============================================================================

    This issue was caused by a null pointer dereference, where j1939_sk_bind()
    was using a currently not existing priv. A possible scenario may look as
    following:

    cpu0                                         cpu1
    bind()                                       bind()
      j1939_sk_bind()                              j1939_sk_bind()
        priv = jsk->priv;                            priv = jsk->priv;
        lock_sock(sock->sk);
        priv = j1939_netdev_start(ndev);
        j1939_jsk_add(priv, jsk);
        jsk->priv = priv;
        release_sock(sock->sk);
                                                     lock_sock(sock->sk);
                                                     j1939_jsk_del(priv, jsk);
                                                     ..... ooops ......

    With this patch we move "priv = jsk->priv;" after the lock, to avoid
    assigning of wrong priv pointer.

    Reported-by: syzbot+99e9e1b200a1e363237d@syzkaller.appspotmail.com
    Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
    Signed-off-by: Oleksij Rempel
    Cc: linux-stable # >= v5.4
    Signed-off-by: Marc Kleine-Budde

 net/can/j1939/socket.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

culprit signature: 49067d543d57daec5cf41aa6b3efb575d037b4c6
parent signature: b3fa17afe0f8ae79a2e0cf58ed2b462d79c8b73c
revisions tested: 15, total time: 3h5m35.265839879s (build: 1h39m35.633032579s, test: 1h24m42.316828473s)
first good commit: 00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4 can: j1939: j1939_sk_bind(): take priv after lock is held
cc: ["davem@davemloft.net" "kernel@pengutronix.de" "linux-can@vger.kernel.org" "linux-kernel@vger.kernel.org" "linux@rempel-privat.de" "mkl@pengutronix.de" "netdev@vger.kernel.org" "o.rempel@pengutronix.de" "robin@protonic.nl" "socketcan@hartkopp.net"]