bisecting fixing commit since 7cc2a8ea104820dd9e702202621e8fd4d9f6c8cf
building syzkaller on 510951950dc0ee69cfdaf746061d3dbe31b49fd8
testing commit 7cc2a8ea104820dd9e702202621e8fd4d9f6c8cf with gcc (GCC) 8.1.0
kernel signature: 36ce9278cee21af2273a3ac92ce0823645e0173e6dea905d6447bb63fec4bcd5
run #0: crashed: WARNING in rxrpc_recvmsg
run #1: crashed: kernel BUG at net/rxrpc/recvmsg.c:LINE!
run #2: crashed: WARNING in rxrpc_recvmsg
run #3: crashed: WARNING in rxrpc_recvmsg
run #4: crashed: WARNING in rxrpc_recvmsg
run #5: crashed: WARNING in rxrpc_recvmsg
run #6: crashed: WARNING in rxrpc_recvmsg
run #7: crashed: WARNING in rxrpc_recvmsg
run #8: crashed: WARNING in rxrpc_recvmsg
run #9: crashed: WARNING in rxrpc_recvmsg
testing current HEAD fffe3ae0ee84e25d2befe2ae59bc32aa2b6bc77b
testing commit fffe3ae0ee84e25d2befe2ae59bc32aa2b6bc77b with gcc (GCC) 8.1.0
kernel signature: c0187938901cf1459a38217a6a44d947b9f01b26417b0d4dc6aac61efa25fb9c
all runs: OK
# git bisect start fffe3ae0ee84e25d2befe2ae59bc32aa2b6bc77b 7cc2a8ea104820dd9e702202621e8fd4d9f6c8cf
Bisecting: 2895 revisions left to test after this (roughly 12 steps)
[92c59e126b21fd212195358a0d296e787e444087] Merge tag 'arm-defconfig-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 92c59e126b21fd212195358a0d296e787e444087 with gcc (GCC) 8.1.0
kernel signature: 9a16fbc8e5872cbca2907669044e05744cc48cc673d9ba9050dc89f6fbbc07b0
all runs: OK
# git bisect bad 92c59e126b21fd212195358a0d296e787e444087
Bisecting: 1363 revisions left to test after this (roughly 10 steps)
[c1cc4784ce6e8cceff1013709abd74bcbf7fbf24] Merge branch 'for-mingo' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu into core/rcu
testing commit c1cc4784ce6e8cceff1013709abd74bcbf7fbf24 with gcc (GCC) 8.1.0
kernel signature: da2f8afd7139656bf95a5838843307d6a862d582312babea5699453cf69b5e7e
all runs: crashed: WARNING in rxrpc_recvmsg
# git bisect good c1cc4784ce6e8cceff1013709abd74bcbf7fbf24
Bisecting: 659 revisions left to test after this (roughly 9 steps)
[382625d0d4325fb14a29444eb8dce8dcc2eb9b51] Merge tag 'for-5.9/block-20200802' of git://git.kernel.dk/linux-block
testing commit 382625d0d4325fb14a29444eb8dce8dcc2eb9b51 with gcc (GCC) 8.1.0
kernel signature: 58d0d49ab81c69fe01bee3c9db91644fb42295256b66fefbb7a2c3028a164500
all runs: OK
# git bisect bad 382625d0d4325fb14a29444eb8dce8dcc2eb9b51
Bisecting: 315 revisions left to test after this (roughly 9 steps)
[6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d] Merge tag 'for-5.9-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit 6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d with gcc (GCC) 8.1.0
kernel signature: dc9675d560d57574a4c399927052271c9f8f87fd8f040ce55feaf6845cd067fb
all runs: OK
# git bisect bad 6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d
Bisecting: 180 revisions left to test after this (roughly 8 steps)
[ac3a0c8472969a03c0496ae774b3a29eb26c8d5a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit ac3a0c8472969a03c0496ae774b3a29eb26c8d5a with gcc (GCC) 8.1.0
kernel signature: 23ae8c7263288d770502274a92050a71bdd03119d98173ec769762435f2cc01f
run #0: OK
run #1: OK
run #2: boot failed: can't ssh into the instance
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad ac3a0c8472969a03c0496ae774b3a29eb26c8d5a
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[bf121a0bda29daa67a1fcedbdf479f6b03c9f977] Merge tag 'perf-tools-fixes-2020-08-01' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
testing commit bf121a0bda29daa67a1fcedbdf479f6b03c9f977 with gcc (GCC) 8.1.0
kernel signature: ec2a3d3e3aff236e9b43d5e45b2c1c803810ebccf980305236cebe29003159d6
run #0: crashed: kernel BUG at net/rxrpc/recvmsg.c:LINE!
run #1: crashed: WARNING in rxrpc_recvmsg
run #2: crashed: kernel BUG at net/rxrpc/recvmsg.c:LINE!
run #3: crashed: kernel BUG at net/rxrpc/recvmsg.c:LINE!
run #4: crashed: kernel BUG at net/rxrpc/recvmsg.c:LINE!
run #5: crashed: WARNING in rxrpc_recvmsg
run #6: crashed: WARNING in rxrpc_recvmsg
run #7: crashed: WARNING in rxrpc_recvmsg
run #8: crashed: WARNING in rxrpc_recvmsg
run #9: crashed: WARNING in rxrpc_recvmsg
# git bisect good bf121a0bda29daa67a1fcedbdf479f6b03c9f977
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[10fef9ca6a879e7bee090b8e51c9812d438d3fb1] selftests: ethtool: Fix test when only two speeds are supported
testing commit 10fef9ca6a879e7bee090b8e51c9812d438d3fb1 with gcc (GCC) 8.1.0
kernel signature: 273e852a711ceaf18195f84c223affcb83acaeea380820a1c888c44fcd0c07e4
run #0: crashed: kernel BUG at net/rxrpc/recvmsg.c:LINE!
run #1: crashed: WARNING in rxrpc_recvmsg
run #2: crashed: WARNING in rxrpc_recvmsg
run #3: crashed: WARNING in rxrpc_recvmsg
run #4: crashed: WARNING in rxrpc_recvmsg
run #5: crashed: WARNING in rxrpc_recvmsg
run #6: crashed: WARNING in rxrpc_recvmsg
run #7: crashed: WARNING in rxrpc_recvmsg
run #8: crashed: WARNING in rxrpc_recvmsg
run #9: boot failed: can't ssh into the instance
# git bisect good 10fef9ca6a879e7bee090b8e51c9812d438d3fb1
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[bbc8a99e952226c585ac17477a85ef1194501762] rds: Prevent kernel-infoleak in rds_notify_queue_get()
testing commit bbc8a99e952226c585ac17477a85ef1194501762 with gcc (GCC) 8.1.0
kernel signature: e2f33911a55dd03fd657b2989d91728967265f7be0eb7b8b61f56156498816fb
all runs: OK
# git bisect bad bbc8a99e952226c585ac17477a85ef1194501762
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[85496a29224188051b6135eb38da8afd4c584765] net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe()
testing commit 85496a29224188051b6135eb38da8afd4c584765 with gcc (GCC) 8.1.0
kernel signature: 871175e5122a133ccdabdb62532760f32c27ab272caac95c959a3a8f0f6129c8
run #0: boot failed: can't ssh into the instance
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 85496a29224188051b6135eb38da8afd4c584765
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[65550098c1c4db528400c73acf3e46bfa78d9264] rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
testing commit 65550098c1c4db528400c73acf3e46bfa78d9264 with gcc (GCC) 8.1.0
kernel signature: 9f09f483299616665bda9f41e7c2433142e3daad2b5415c800d2fd39421926e1
all runs: OK
# git bisect bad 65550098c1c4db528400c73acf3e46bfa78d9264
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[8c0de6e96c9794cb523a516c465991a70245da1c] ipv6: fix memory leaks on IPV6_ADDRFORM path
testing commit 8c0de6e96c9794cb523a516c465991a70245da1c with gcc (GCC) 8.1.0
kernel signature: 951b2f47b4a9fbfb50f8db0a501ac38e427c85a31aa76c924aa05524daa21213
run #0: crashed: kernel BUG at net/rxrpc/recvmsg.c:LINE!
run #1: crashed: WARNING in rxrpc_recvmsg
run #2: crashed: WARNING in rxrpc_recvmsg
run #3: crashed: WARNING in rxrpc_recvmsg
run #4: crashed: WARNING in rxrpc_recvmsg
run #5: crashed: WARNING in rxrpc_recvmsg
run #6: crashed: WARNING in rxrpc_recvmsg
run #7: crashed: WARNING in rxrpc_recvmsg
run #8: crashed: WARNING in rxrpc_recvmsg
run #9: crashed: kernel BUG at net/rxrpc/recvmsg.c:LINE!
# git bisect good 8c0de6e96c9794cb523a516c465991a70245da1c
Bisecting: 0 revisions left to test after this (roughly 1 step)
[591eee6d0783d4a0d7f0e7c4effdba9cf6c1e2c5] MAINTAINERS: Replace Thor Thayer as Altera Triple Speed Ethernet maintainer
testing commit 591eee6d0783d4a0d7f0e7c4effdba9cf6c1e2c5 with gcc (GCC) 8.1.0
kernel signature: e1803ea1c5c59456b0fc9fa1f2afbf7961537e9b6f66821c9dcc8931d0a7c822
all runs: crashed: WARNING in rxrpc_recvmsg
# git bisect good 591eee6d0783d4a0d7f0e7c4effdba9cf6c1e2c5
65550098c1c4db528400c73acf3e46bfa78d9264 is the first bad commit
commit 65550098c1c4db528400c73acf3e46bfa78d9264
Author: David Howells
Date:   Wed Jul 29 00:03:56 2020 +0100

    rxrpc: Fix race between recvmsg and sendmsg on immediate call failure

    There's a race between rxrpc_sendmsg setting up a call, but then failing to
    send anything on it due to an error, and recvmsg() seeing the call
    completion occur and trying to return the state to the user.

    An assertion fails in rxrpc_recvmsg() because the call has already been
    released from the socket and is about to be released again as recvmsg deals
    with it.  (The recvmsg_q queue on the socket holds a ref, so there's no
    problem with use-after-free.)

    We also have to be careful not to end up reporting an error twice, in such
    a way that both returns indicate to userspace that the user ID supplied
    with the call is no longer in use - which could cause the client to
    malfunction if it recycles the user ID fast enough.

    Fix this by the following means:

     (1) When sendmsg() creates a call after the point that the call has been
         successfully added to the socket, don't return any errors through
         sendmsg(), but rather complete the call and let recvmsg() retrieve
         them.  Make sendmsg() return 0 at this point.  Further calls to
         sendmsg() for that call will fail with ESHUTDOWN.

         Note that at this point, we haven't sent any packets yet, so the
         server doesn't yet know about the call.

     (2) If sendmsg() returns an error when it was expected to create a new
         call, it means that the user ID wasn't used.

     (3) Mark the call disconnected before marking it completed to prevent an
         oops in rxrpc_release_call().

     (4) recvmsg() will then retrieve the error and set MSG_EOR to indicate
         that the user ID is no longer known by the kernel.

    An oops like the following is produced:

        kernel BUG at net/rxrpc/recvmsg.c:605!
        ...
        RIP: 0010:rxrpc_recvmsg+0x256/0x5ae
        ...
        Call Trace:
         ? __init_waitqueue_head+0x2f/0x2f
         ____sys_recvmsg+0x8a/0x148
         ? import_iovec+0x69/0x9c
         ? copy_msghdr_from_user+0x5c/0x86
         ___sys_recvmsg+0x72/0xaa
         ? __fget_files+0x22/0x57
         ? __fget_light+0x46/0x51
         ? fdget+0x9/0x1b
         do_recvmmsg+0x15e/0x232
         ? _raw_spin_unlock+0xa/0xb
         ? vtime_delta+0xf/0x25
         __x64_sys_recvmmsg+0x2c/0x2f
         do_syscall_64+0x4c/0x78
         entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Fixes: 357f5ef64628 ("rxrpc: Call rxrpc_release_call() on error in rxrpc_new_client_call()")
    Reported-by: syzbot+b54969381df354936d96@syzkaller.appspotmail.com
    Signed-off-by: David Howells
    Reviewed-by: Marc Dionne
    Signed-off-by: David S. Miller

 net/rxrpc/call_object.c | 27 +++++++++++++++++++--------
 net/rxrpc/conn_object.c |  8 +++++---
 net/rxrpc/recvmsg.c     |  2 +-
 net/rxrpc/sendmsg.c     |  3 +++
 4 files changed, 28 insertions(+), 12 deletions(-)

culprit signature: 9f09f483299616665bda9f41e7c2433142e3daad2b5415c800d2fd39421926e1
parent signature: e1803ea1c5c59456b0fc9fa1f2afbf7961537e9b6f66821c9dcc8931d0a7c822
revisions tested: 14, total time: 3h17m37.411188026s (build: 1h8m37.149731456s, test: 2h7m48.193069095s)
first good commit: 65550098c1c4db528400c73acf3e46bfa78d9264 rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
recipients (to): ["davem@davemloft.net" "dhowells@redhat.com" "marc.dionne@auristor.com"]
recipients (cc): []