bisecting fixing commit since 30b06abfb92bfd5f9b63ea6a2ffb0bd905d1a6da
building syzkaller on 1376136672ebb6f7f1dd583f2fbf95e178eb3f09
testing commit 30b06abfb92bfd5f9b63ea6a2ffb0bd905d1a6da with gcc (GCC) 8.1.0
run #0: crashed: KASAN: stack-out-of-bounds Read in timerqueue_add
run #1: crashed: WARNING: bad usercopy in corrupted
run #2: crashed: BUG: MAX_LOCK_DEPTH too low!
run #3: crashed: KASAN: stack-out-of-bounds Read in vma_interval_tree_insert
run #4: crashed: KASAN: stack-out-of-bounds in __fput
run #5: crashed: KASAN: stack-out-of-bounds Read in complete
run #6: crashed: KASAN: use-after-scope Read in __enqueue_entity
run #7: crashed: KASAN: stack-out-of-bounds in rb_erase
run #8: crashed: kernel panic: stack is corrupted in __lock_acquire
run #9: crashed: KASAN: stack-out-of-bounds Read in vma_interval_tree_insert
testing current HEAD 1e78030e5e5b2d8b0cad7136caf9cfab986a6bff
testing commit 1e78030e5e5b2d8b0cad7136caf9cfab986a6bff with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 1e78030e5e5b2d8b0cad7136caf9cfab986a6bff 30b06abfb92bfd5f9b63ea6a2ffb0bd905d1a6da
Bisecting: 44037 revisions left to test after this (roughly 16 steps)
[98cb621081705e2244ef6c265ff8a9f2208c7e2a] Merge branch 'perf/urgent' into perf/core, to pick up fixes
testing commit 98cb621081705e2244ef6c265ff8a9f2208c7e2a with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 98cb621081705e2244ef6c265ff8a9f2208c7e2a
Bisecting: 22089 revisions left to test after this (roughly 15 steps)
[83c4087ce468601501ecde4d0ec5b2abd5f57c31] Merge branch 'for-4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
testing commit 83c4087ce468601501ecde4d0ec5b2abd5f57c31 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 83c4087ce468601501ecde4d0ec5b2abd5f57c31
Bisecting: 11052 revisions left to test after this (roughly 14 steps)
[2475c515d4031c494ff452508a8bf8c281ec6e56] Merge tag 'staging-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 2475c515d4031c494ff452508a8bf8c281ec6e56 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 2475c515d4031c494ff452508a8bf8c281ec6e56
Bisecting: 4730 revisions left to test after this (roughly 12 steps)
[9a76aba02a37718242d7cdc294f0a3901928aa57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 9a76aba02a37718242d7cdc294f0a3901928aa57 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9a76aba02a37718242d7cdc294f0a3901928aa57
Bisecting: 3100 revisions left to test after this (roughly 12 steps)
[b018fc9800557bd14a40d69501e19c340eb2c521] Merge tag 'pm-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit b018fc9800557bd14a40d69501e19c340eb2c521 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b018fc9800557bd14a40d69501e19c340eb2c521
Bisecting: 1566 revisions left to test after this (roughly 11 steps)
[13e091b6dd0e78a518a7d8756607d3acb8215768] Merge branch 'x86-timers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 13e091b6dd0e78a518a7d8756607d3acb8215768 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 13e091b6dd0e78a518a7d8756607d3acb8215768
Bisecting: 748 revisions left to test after this (roughly 10 steps)
[a32e236eb93e62a0f692e79b7c3c9636689559b9] Partially revert "block: fail op_is_write() requests to read-only partitions"
testing commit a32e236eb93e62a0f692e79b7c3c9636689559b9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad a32e236eb93e62a0f692e79b7c3c9636689559b9
Bisecting: 395 revisions left to test after this (roughly 9 steps)
[ec837d620c750c0d4996a907c8c4f7febe1bbeee] arc: fix type warnings in arc/mm/cache.c
testing commit ec837d620c750c0d4996a907c8c4f7febe1bbeee with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad ec837d620c750c0d4996a907c8c4f7febe1bbeee
Bisecting: 175 revisions left to test after this (roughly 8 steps)
[08239d43487b929471eda42b15fd61db1e078d88] Merge branch 'smc-fixes'
testing commit 08239d43487b929471eda42b15fd61db1e078d88 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 08239d43487b929471eda42b15fd61db1e078d88
Bisecting: 88 revisions left to test after this (roughly 7 steps)
[61d769807f273fda962866f3d4c677cda9974d3c] bpf: fix availability probing for seg6 helpers
testing commit 61d769807f273fda962866f3d4c677cda9974d3c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 61d769807f273fda962866f3d4c677cda9974d3c
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[efdf75112d89e28c928a22c3a38456b49927f445] ravb: remove useless serialization in ravb_get_link_ksettings()
testing commit efdf75112d89e28c928a22c3a38456b49927f445 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: stack-out-of-bounds Read in switch_mm_irqs_off
run #1: crashed: KASAN: stack-out-of-bounds Read in complete
run #2: crashed: unexpected kernel reboot
run #3: crashed: KASAN: stack-out-of-bounds Read in rb_erase
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #5: crashed: KASAN: stack-out-of-bounds Read in __handle_mm_fault
run #6: crashed: KASAN: use-after-scope Write in set_personality_64bit
run #7: crashed: KASAN: stack-out-of-bounds Read in fixup_exception
run #8: crashed: KASAN: stack-out-of-bounds Read in wait_consider_task
run #9: crashed: KASAN: stack-out-of-bounds Read in corrupted
# git bisect good efdf75112d89e28c928a22c3a38456b49927f445
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[d8d7218ad842e18fc6976b87c08ed749e8d56313] xdp: XDP_REDIRECT should check IFF_UP and MTU
testing commit d8d7218ad842e18fc6976b87c08ed749e8d56313 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad d8d7218ad842e18fc6976b87c08ed749e8d56313
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[02a2f000a3629274bfad60bfc4de9edec49e63e7] samples/bpf: Check the error of write() and read()
testing commit 02a2f000a3629274bfad60bfc4de9edec49e63e7 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: stack-out-of-bounds in __hrtimer_run_queues
run #1: crashed: KASAN: stack-out-of-bounds Read in rb_erase
run #2: crashed: KASAN: stack-out-of-bounds Read in corrupted
run #3: crashed: KASAN: wild-memory-access Read in apparmor_sk_free_security
run #4: crashed: KASAN: stack-out-of-bounds Read in rb_next
run #5: crashed: KASAN: stack-out-of-bounds Read in switch_mm_irqs_off
run #6: crashed: KASAN: stack-out-of-bounds Read in __d_lookup_rcu
run #7: crashed: general protection fault in debug_check_no_obj_freed
run #8: crashed: PANIC: double fault in mark_lock
run #9: crashed: kernel panic: corrupted stack end in sys_exit_group
# git bisect good 02a2f000a3629274bfad60bfc4de9edec49e63e7
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[0c6bc6e531a6db36f49622f1f115770160f7afb0] bpf: fix sk_skb programs without skb->dev assigned
testing commit 0c6bc6e531a6db36f49622f1f115770160f7afb0 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: stack-out-of-bounds Read in unlink_anon_vmas
run #1: crashed: KASAN: stack-out-of-bounds Read in do_ipt_get_ctl
run #2: crashed: KASAN: stack-out-of-bounds Read in __hrtimer_run_queues
run #3: crashed: KASAN: stack-out-of-bounds Read in apparmor_file_mprotect
run #4: crashed: KASAN: stack-out-of-bounds Read in __schedule
run #5: crashed: KASAN: stack-out-of-bounds in account_system_index_time
run #6: crashed: KASAN: stack-out-of-bounds Read in readlink_copy
run #7: crashed: KASAN: stack-out-of-bounds Read in dnotify_flush
run #8: crashed: KASAN: stack-out-of-bounds Read in timerqueue_add
run #9: crashed: general protection fault in corrupted
# git bisect good 0c6bc6e531a6db36f49622f1f115770160f7afb0
Bisecting: 2 revisions left to test after this (roughly 1 step)
[7ebc14d507b4b55105da8d1a1eda323381529cc7] bpf: sockmap, consume_skb in close path
testing commit 7ebc14d507b4b55105da8d1a1eda323381529cc7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 7ebc14d507b4b55105da8d1a1eda323381529cc7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[99ba2b5aba24e022683a7db63204f9e306fe7ab9] bpf: sockhash, disallow bpf_tcp_close and update in parallel
testing commit 99ba2b5aba24e022683a7db63204f9e306fe7ab9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 99ba2b5aba24e022683a7db63204f9e306fe7ab9
99ba2b5aba24e022683a7db63204f9e306fe7ab9 is the first bad commit
commit 99ba2b5aba24e022683a7db63204f9e306fe7ab9
Author: John Fastabend
Date:   Thu Jul 5 08:50:04 2018 -0700

    bpf: sockhash, disallow bpf_tcp_close and update in parallel

    After latest lock updates there is no longer anything preventing a
    close and recvmsg call running in parallel. Additionally, we can
    race update with close if we close a socket and simultaneously update
    it via the BPF userspace API (note the cgroup ops are already run
    with sock_lock held).

    To resolve this take sock_lock in close and update paths.

    Reported-by: syzbot+b680e42077a0d7c9a0c4@syzkaller.appspotmail.com
    Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")
    Signed-off-by: John Fastabend
    Signed-off-by: Alexei Starovoitov

:040000 040000 73c190c674b79f1921299686deca297ea873a657 0ceb8adb0138ae6ab664369d9124ca9f1a1fa7cf M	kernel

revisions tested: 18, total time: 4h38m20.263673908s (build: 1h34m2.016751086s, test: 2h57m33.289131751s)
first good commit: 99ba2b5aba24e022683a7db63204f9e306fe7ab9 bpf: sockhash, disallow bpf_tcp_close and update in parallel
cc: ["ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "john.fastabend@gmail.com" "kafai@fb.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "songliubraving@fb.com" "yhs@fb.com"]