bisecting cause commit starting from b41dae061bbd722b9d7fa828f35d22035b218e18 building syzkaller on d96e88f3207d7ac7ad65e13b896f702ad04c46f7 testing commit b41dae061bbd722b9d7fa828f35d22035b218e18 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in xsk_map_update_elem testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start b41dae061bbd722b9d7fa828f35d22035b218e18 v5.3 Bisecting: 3807 revisions left to test after this (roughly 12 steps) [d2aaa49e281959828370667edbc1cdcc7fc4026a] Merge tag 'acpi-5.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit d2aaa49e281959828370667edbc1cdcc7fc4026a with gcc (GCC) 8.1.0 all runs: OK # git bisect good d2aaa49e281959828370667edbc1cdcc7fc4026a Bisecting: 1903 revisions left to test after this (roughly 11 steps) [0060c8783330ab60deb96f9d6bb7abfe4664765d] net: stmmac: implement support for passive mode converters via dt testing commit 0060c8783330ab60deb96f9d6bb7abfe4664765d with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in xsk_map_update_elem # git bisect bad 0060c8783330ab60deb96f9d6bb7abfe4664765d Bisecting: 951 revisions left to test after this (roughly 10 steps) [56dd918ff06e3ee24d8067e93ed12b2a39e71394] mac80211: minstrel_ht: fix per-group max throughput rate initialization testing commit 56dd918ff06e3ee24d8067e93ed12b2a39e71394 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 56dd918ff06e3ee24d8067e93ed12b2a39e71394 Bisecting: 475 revisions left to test after this (roughly 9 steps) [ee4c3deac70dcc8c727a4192d9a7a56593f02121] net: qed: Move static keyword to the front of declaration testing commit ee4c3deac70dcc8c727a4192d9a7a56593f02121 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ee4c3deac70dcc8c727a4192d9a7a56593f02121 Bisecting: 287 revisions left to test after this (roughly 8 steps) [67e974c3ae21c8ced474eae3ce9261a6f827e95c] Merge tag 'iwlwifi-next-for-kalle-2019-09-06' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next testing commit 67e974c3ae21c8ced474eae3ce9261a6f827e95c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 67e974c3ae21c8ced474eae3ce9261a6f827e95c Bisecting: 140 revisions left to test after this (roughly 7 steps) [6938843dd8bba53147c12b625a567e2ea7e4e263] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue testing commit 6938843dd8bba53147c12b625a567e2ea7e4e263 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in xsk_map_update_elem # git bisect bad 6938843dd8bba53147c12b625a567e2ea7e4e263 Bisecting: 73 revisions left to test after this (roughly 6 steps) [bc2796db5a0246acc998cc5ab2e7f8d6e4e4c146] nfp: bpf: rework MTU checking testing commit bc2796db5a0246acc998cc5ab2e7f8d6e4e4c146 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in xsk_map_update_elem # git bisect bad bc2796db5a0246acc998cc5ab2e7f8d6e4e4c146 Bisecting: 36 revisions left to test after this (roughly 5 steps) [ede6bc88d6bbe16a938de2b00f60f4e03768c988] bpf: Use PTR_ERR_OR_ZERO in xsk_map_inc() testing commit ede6bc88d6bbe16a938de2b00f60f4e03768c988 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in xsk_map_update_elem # git bisect bad ede6bc88d6bbe16a938de2b00f60f4e03768c988 Bisecting: 17 revisions left to test after this (roughly 4 steps) [3d0c5f1cd268fdd7d2e75eaf3e0d2fe460ac748b] i40e: add support for AF_XDP need_wakeup feature testing commit 3d0c5f1cd268fdd7d2e75eaf3e0d2fe460ac748b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 3d0c5f1cd268fdd7d2e75eaf3e0d2fe460ac748b Bisecting: 8 revisions left to test after this (roughly 3 steps) [fae55527ac1164b66bee983a4d82ade2bfedb332] selftests/bpf: fix race in test_tcp_rtt test testing commit fae55527ac1164b66bee983a4d82ade2bfedb332 with gcc (GCC) 8.1.0 all runs: OK # git bisect good fae55527ac1164b66bee983a4d82ade2bfedb332 Bisecting: 4 revisions left to test after this (roughly 2 steps) [c3bbf176fbad5d7470f8a4f311f7c11126ad36c2] selftests/bpf: add sockopt clone/inheritance test testing commit c3bbf176fbad5d7470f8a4f311f7c11126ad36c2 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c3bbf176fbad5d7470f8a4f311f7c11126ad36c2 Bisecting: 2 revisions left to test after this (roughly 1 step) [0402acd683c678874df6bdbc23530ca07ea19353] xsk: remove AF_XDP socket from map when the socket is released testing commit 0402acd683c678874df6bdbc23530ca07ea19353 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in xsk_map_update_elem # git bisect bad 0402acd683c678874df6bdbc23530ca07ea19353 Bisecting: 0 revisions left to test after this (roughly 0 steps) [8e46c3534a550782405206c5a1be8d8a721bf45a] Merge branch 'bpf-sk-storage-clone' testing commit 8e46c3534a550782405206c5a1be8d8a721bf45a with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8e46c3534a550782405206c5a1be8d8a721bf45a 0402acd683c678874df6bdbc23530ca07ea19353 is the first bad commit commit 0402acd683c678874df6bdbc23530ca07ea19353 Author: Björn Töpel Date: Thu Aug 15 11:30:13 2019 +0200 xsk: remove AF_XDP socket from map when the socket is released When an AF_XDP socket is released/closed the XSKMAP still holds a reference to the socket in a "released" state. The socket will still use the netdev queue resource, and block newly created sockets from attaching to that queue, but no user application can access the fill/complete/rx/tx queues. This results in that all applications need to explicitly clear the map entry from the old "zombie state" socket. This should be done automatically. In this patch, the sockets tracks, and have a reference to, which maps it resides in. When the socket is released, it will remove itself from all maps. Suggested-by: Bruce Richardson Signed-off-by: Björn Töpel Signed-off-by: Daniel Borkmann :040000 040000 016cdd3c075c34dd9ab231cc4be2fb1f2e9d19b5 255bd3cef26c5e1f13b1f3e8037bc165113629de M include :040000 040000 68c254da1e7cb9197f3cab549a8dc17a32847b7a 40853bcc5a75a6ebb805e2af2fb696637e391040 M kernel :040000 040000 3e5a10731982970972326ed45dfc8972984d15f6 0e7918976f475024983cc9073796b0f791f1de92 M net revisions tested: 15, total time: 3h24m39.650092899s (build: 1h24m52.171358117s, test: 1h54m58.071923046s) first bad commit: 0402acd683c678874df6bdbc23530ca07ea19353 xsk: remove AF_XDP socket from map when the socket is released cc: ["ast@kernel.org" "bjorn.topel@intel.com" "bpf@vger.kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "hawk@kernel.org" "jakub.kicinski@netronome.com" "john.fastabend@gmail.com" "jonathan.lemon@gmail.com" "kafai@fb.com" "linux-kernel@vger.kernel.org" "magnus.karlsson@intel.com" "netdev@vger.kernel.org" "songliubraving@fb.com" "yhs@fb.com"] crash: general protection fault in xsk_map_update_elem kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 7427 Comm: syz-executor.5 Not tainted 5.3.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__list_add include/linux/list.h:64 [inline] RIP: 0010:list_add_tail include/linux/list.h:93 [inline] RIP: 0010:xsk_map_sock_add kernel/bpf/xskmap.c:62 [inline] RIP: 0010:xsk_map_update_elem+0x373/0x750 kernel/bpf/xskmap.c:261 Code: ff 4c 89 ca 48 c1 ea 03 80 3c 02 00 0f 85 a9 03 00 00 4c 89 f2 4d 89 b5 d8 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 5e 03 00 00 49 8d 7e 08 4d 89 16 48 b8 00 00 00 RSP: 0018:ffff88808ac07b18 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8151c703 RDX: 0000000000000000 RSI: ffff8880904e3190 RDI: ffff8880904e3198 RBP: ffff88808ac07bd0 R08: ffff8880904e3190 R09: ffff8880904e3198 R10: ffff8880904e3190 R11: 0000000000000003 R12: 1ffff11011580f69 R13: ffff8880904e2bc0 R14: 0000000000000000 R15: ffff888094d69500 FS: 00007f9ee53a1700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4821c3c518 CR3: 0000000097153000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: map_update_elem kernel/bpf/syscall.c:966 [inline] __do_sys_bpf+0x2a60/0x32b0 kernel/bpf/syscall.c:2847 __se_sys_bpf kernel/bpf/syscall.c:2818 [inline] __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:2818 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x459a09 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f9ee53a0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f9ee53a0c90 RCX: 0000000000459a09 RDX: 0000000000000020 RSI: 0000000020000100 RDI: 0000000000000002 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ee53a16d4 R13: 00000000004bfdf7 R14: 00000000004d1bf8 R15: 0000000000000005 Modules linked in: ---[ end trace 51380d0a5efcc235 ]--- RIP: 0010:__list_add include/linux/list.h:64 [inline] RIP: 0010:list_add_tail include/linux/list.h:93 [inline] RIP: 0010:xsk_map_sock_add kernel/bpf/xskmap.c:62 [inline] RIP: 0010:xsk_map_update_elem+0x373/0x750 kernel/bpf/xskmap.c:261 Code: ff 4c 89 ca 48 c1 ea 03 80 3c 02 00 0f 85 a9 03 00 00 4c 89 f2 4d 89 b5 d8 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 5e 03 00 00 49 8d 7e 08 4d 89 16 48 b8 00 00 00 RSP: 0018:ffff88808ac07b18 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8151c703 RDX: 0000000000000000 RSI: ffff8880904e3190 RDI: ffff8880904e3198 RBP: ffff88808ac07bd0 R08: ffff8880904e3190 R09: ffff8880904e3198 R10: ffff8880904e3190 R11: 0000000000000003 R12: 1ffff11011580f69 R13: ffff8880904e2bc0 R14: 0000000000000000 R15: ffff888094d69500 FS: 00007f9ee53a1700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4821c3c518 CR3: 0000000097153000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400