ci starts bisection 2023-03-24 00:53:25.446051427 +0000 UTC m=+26896.999486136 bisecting cause commit starting from 226bc6ae6405c46a6e9865835c36a1d45fc0b3bf building syzkaller on f94b4a29b579b3de9aab3b41915e3663e6f7094e ensuring issue is reproducible on original commit 226bc6ae6405c46a6e9865835c36a1d45fc0b3bf testing commit 226bc6ae6405c46a6e9865835c36a1d45fc0b3bf gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1bdb36d79a39d4dbb7b5db200b743c6fad787c597df62a3704d0f51449ba4318 all runs: crashed: general protection fault in bpf_struct_ops_link_create testing release v6.2 testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0e2f5d12cc15b732135fb32f1bed7158e6053939379dce18ddb6c5a14febb294 all runs: OK # git bisect start 226bc6ae6405c46a6e9865835c36a1d45fc0b3bf c9c3395d5e3dcc6daee66c6908354d47bf98cb0c Bisecting: 6536 revisions left to test after this (roughly 13 steps) [25ac8c12ff7886e3d9b99feb85c53302a3cc5556] Merge tag '6.3-rc-ksmbd-fixes' of git://git.samba.org/ksmbd testing commit 25ac8c12ff7886e3d9b99feb85c53302a3cc5556 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8ec128ca872e3fff7f7def4cb2c7fbe6f4c7f581d85eec08166ef698d44003ec all runs: OK # git bisect good 25ac8c12ff7886e3d9b99feb85c53302a3cc5556 Bisecting: 3232 revisions left to test after this (roughly 12 steps) [0601f25d1c4937c678db786961705ce56fbd6bb6] Merge tag 'staging-6.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging testing commit 0601f25d1c4937c678db786961705ce56fbd6bb6 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d27a3d86a2d4bdaafcc33366b9b51ae767ada5899b5d60457d1bdf6aa85df7e5 all runs: OK # git bisect good 0601f25d1c4937c678db786961705ce56fbd6bb6 Bisecting: 1603 revisions left to test after this (roughly 11 steps) [49d575926890e6ada930bf6f06d62b2fde8fce95] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit 49d575926890e6ada930bf6f06d62b2fde8fce95 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6ee63c172f9160ddfd289f2d0a3932c53df7b9250891324ac4246ca608c05ff4 all runs: OK # git bisect good 49d575926890e6ada930bf6f06d62b2fde8fce95 Bisecting: 763 revisions left to test after this (roughly 10 steps) [4b8c673b761e74add4fd185d806ac16c9b40158f] Merge tag 'media/v6.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 4b8c673b761e74add4fd185d806ac16c9b40158f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f1ae1e8eb305483aebaf54a529f46df87dbd143c62003d9ae2f8d0850bb1339f all runs: OK # git bisect good 4b8c673b761e74add4fd185d806ac16c9b40158f Bisecting: 332 revisions left to test after this (roughly 9 steps) [11c70529983e8136ea1bd5c32e4f9cd14503c644] Merge tag 'soc-drivers-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 11c70529983e8136ea1bd5c32e4f9cd14503c644 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f6ac5a4a67062c9d9cc8990da6c97588ba26504611def6d574e15c2e28b76621 all runs: OK # git bisect good 11c70529983e8136ea1bd5c32e4f9cd14503c644 Bisecting: 161 revisions left to test after this (roughly 7 steps) [36e5e391a25af28dc1f4586f95d577b38ff4ed72] Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 36e5e391a25af28dc1f4586f95d577b38ff4ed72 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 87dd8d492ab4777e247d06037cc65aa063669f8c1a028160a864a50722bb32e0 all runs: OK # git bisect good 36e5e391a25af28dc1f4586f95d577b38ff4ed72 Bisecting: 80 revisions left to test after this (roughly 6 steps) [7e30a8477b0bdd13dfd0b24e4f32b26d22b96e6c] bpf: Add bpf_local_storage_free() testing commit 7e30a8477b0bdd13dfd0b24e4f32b26d22b96e6c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7f562a7e41b47358cc5e1353d728327d6ddbd8ef3af117c960a04add6e060dc9 all runs: OK # git bisect good 7e30a8477b0bdd13dfd0b24e4f32b26d22b96e6c Bisecting: 40 revisions left to test after this (roughly 5 steps) [deb9fd64d145b42c0a15193507b4fea27514a559] Merge branch 'Make struct bpf_cpumask RCU safe' testing commit deb9fd64d145b42c0a15193507b4fea27514a559 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7f643ebe892d7243e1cd528e7d69837731ea8a91c8c7cff628950f31dbe8b47e all runs: OK # git bisect good deb9fd64d145b42c0a15193507b4fea27514a559 Bisecting: 20 revisions left to test after this (roughly 4 steps) [6a9f5cdba3c5b4e8c2af290fe6c9e3538652ab42] Merge branch 'net: skbuff: skb bitfield compaction - bpf' testing commit 6a9f5cdba3c5b4e8c2af290fe6c9e3538652ab42 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fad0d3c4e94f584a0c98ca2a56e4ea77dffe951aed7544032769bf57e9c8e48b all runs: OK # git bisect good 6a9f5cdba3c5b4e8c2af290fe6c9e3538652ab42 Bisecting: 10 revisions left to test after this (roughly 3 steps) [7be14c1c9030f73cc18b4ff23b78a0a081f16188] bpf: Fix __reg_bound_offset 64->32 var_off subreg propagation testing commit 7be14c1c9030f73cc18b4ff23b78a0a081f16188 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 68308253db6bea7c51e7736c4634300ba3b21bdf1d8e618980381542164633a9 all runs: OK # git bisect good 7be14c1c9030f73cc18b4ff23b78a0a081f16188 Bisecting: 5 revisions left to test after this (roughly 3 steps) [68b04864ca425d1894c96b8141d4fba1181f11cb] bpf: Create links for BPF struct_ops maps. testing commit 68b04864ca425d1894c96b8141d4fba1181f11cb gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e2f75ec520b503c69eae1950b7b2feb0a3143ea0687d6218a8be6b6503266be6 all runs: crashed: general protection fault in bpf_struct_ops_link_create # git bisect bad 68b04864ca425d1894c96b8141d4fba1181f11cb Bisecting: 2 revisions left to test after this (roughly 1 step) [b63cbc490e18d893632929b8faa55bb28da3fcd4] bpf: remember meta->iter info only for initialized iters testing commit b63cbc490e18d893632929b8faa55bb28da3fcd4 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e7e0751c5bf9ebfdad5e5114c8d304f0f5631ba68335028ee6b59c1713d65cc4 all runs: OK # git bisect good b63cbc490e18d893632929b8faa55bb28da3fcd4 Bisecting: 0 revisions left to test after this (roughly 1 step) [8fb1a76a0f35c45a424c9eb84b0f97ffd51e6052] net: Update an existing TCP congestion control algorithm. testing commit 8fb1a76a0f35c45a424c9eb84b0f97ffd51e6052 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2efa44b6427150c3438afbd85c8e4f2a8cc81f16af764cc6c493ccbe1b058be0 all runs: OK # git bisect good 8fb1a76a0f35c45a424c9eb84b0f97ffd51e6052 68b04864ca425d1894c96b8141d4fba1181f11cb is the first bad commit commit 68b04864ca425d1894c96b8141d4fba1181f11cb Author: Kui-Feng Lee Date: Wed Mar 22 20:24:00 2023 -0700 bpf: Create links for BPF struct_ops maps. Make bpf_link support struct_ops. Previously, struct_ops were always used alone without any associated links. Upon updating its value, a struct_ops would be activated automatically. Yet other BPF program types required to make a bpf_link with their instances before they could become active. Now, however, you can create an inactive struct_ops, and create a link to activate it later. With bpf_links, struct_ops has a behavior similar to other BPF program types. You can pin/unpin them from their links and the struct_ops will be deactivated when its link is removed while previously need someone to delete the value for it to be deactivated. bpf_links are responsible for registering their associated struct_ops. You can only use a struct_ops that has the BPF_F_LINK flag set to create a bpf_link, while a structs without this flag behaves in the same manner as before and is registered upon updating its value. The BPF_LINK_TYPE_STRUCT_OPS serves a dual purpose. Not only is it used to craft the links for BPF struct_ops programs, but also to create links for BPF struct_ops them-self. Since the links of BPF struct_ops programs are only used to create trampolines internally, they are never seen in other contexts. Thus, they can be reused for struct_ops themself. To maintain a reference to the map supporting this link, we add bpf_struct_ops_link as an additional type. The pointer of the map is RCU and won't be necessary until later in the patchset. Signed-off-by: Kui-Feng Lee Link: https://lore.kernel.org/r/20230323032405.3735486-4-kuifeng@meta.com Signed-off-by: Martin KaFai Lau include/linux/bpf.h | 7 ++ include/uapi/linux/bpf.h | 12 +++- kernel/bpf/bpf_struct_ops.c | 143 ++++++++++++++++++++++++++++++++++++++++- kernel/bpf/syscall.c | 23 ++++--- net/ipv4/bpf_tcp_ca.c | 8 ++- tools/include/uapi/linux/bpf.h | 12 +++- 6 files changed, 190 insertions(+), 15 deletions(-) culprit signature: e2f75ec520b503c69eae1950b7b2feb0a3143ea0687d6218a8be6b6503266be6 parent signature: 2efa44b6427150c3438afbd85c8e4f2a8cc81f16af764cc6c493ccbe1b058be0 revisions tested: 15, total time: 4h30m42.010748776s (build: 2h21m55.746502412s, test: 2h6m19.608377352s) first bad commit: 68b04864ca425d1894c96b8141d4fba1181f11cb bpf: Create links for BPF struct_ops maps. recipients (to): ["kuifeng@meta.com" "martin.lau@kernel.org"] recipients (cc): [] crash: general protection fault in bpf_struct_ops_link_create general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5590 Comm: syz-executor.0 Not tainted 6.2.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 RIP: 0010:bpf_struct_ops_valid_to_reg kernel/bpf/bpf_struct_ops.c:762 [inline] RIP: 0010:bpf_struct_ops_link_create+0xa9/0x320 kernel/bpf/bpf_struct_ops.c:833 Code: 00 00 8b 3f e8 b8 9e ed ff 48 85 c0 48 89 c5 0f 84 2f 02 00 00 48 8d 78 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e f6 01 00 00 83 7d 18 1a 74 5e RSP: 0018:ffffc90004bc7c38 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 1ffff92000978f88 RCX: ffffc90004bc7b18 RDX: 0000000000000001 RSI: ffffffff898ba500 RDI: 000000000000000f RBP: fffffffffffffff7 R08: 0000000000000001 R09: ffffffff8d86edd7 R10: fffffbfff1b0ddba R11: 0000000000000000 R12: 0000000000000000 R13: ffffc90004bc7de8 R14: 0000000020001340 R15: 000000000000001c FS: 00007f8bb485d700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8bb3bad988 CR3: 000000006e57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: link_create kernel/bpf/syscall.c:4585 [inline] __sys_bpf+0x2c2e/0x3d40 kernel/bpf/syscall.c:5095 __do_sys_bpf kernel/bpf/syscall.c:5129 [inline] __se_sys_bpf kernel/bpf/syscall.c:5127 [inline] __x64_sys_bpf+0x74/0xb0 kernel/bpf/syscall.c:5127 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f8bb3a8c0f9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8bb485d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f8bb3babf80 RCX: 00007f8bb3a8c0f9 RDX: 0000000000000010 RSI: 0000000020001340 RDI: 000000000000001c RBP: 00007f8bb3ae7b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc0c59fd1f R14: 00007f8bb485d300 R15: 0000000000022000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:bpf_struct_ops_valid_to_reg kernel/bpf/bpf_struct_ops.c:762 [inline] RIP: 0010:bpf_struct_ops_link_create+0xa9/0x320 kernel/bpf/bpf_struct_ops.c:833 Code: 00 00 8b 3f e8 b8 9e ed ff 48 85 c0 48 89 c5 0f 84 2f 02 00 00 48 8d 78 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e f6 01 00 00 83 7d 18 1a 74 5e RSP: 0018:ffffc90004bc7c38 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 1ffff92000978f88 RCX: ffffc90004bc7b18 RDX: 0000000000000001 RSI: ffffffff898ba500 RDI: 000000000000000f RBP: fffffffffffffff7 R08: 0000000000000001 R09: ffffffff8d86edd7 R10: fffffbfff1b0ddba R11: 0000000000000000 R12: 0000000000000000 R13: ffffc90004bc7de8 R14: 0000000020001340 R15: 000000000000001c FS: 00007f8bb485d700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005647e782a000 CR3: 000000006e57a000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 8b 3f mov (%rdi),%edi 4: e8 b8 9e ed ff callq 0xffed9ec1 9: 48 85 c0 test %rax,%rax c: 48 89 c5 mov %rax,%rbp f: 0f 84 2f 02 00 00 je 0x244 15: 48 8d 78 18 lea 0x18(%rax),%rdi 19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 20: fc ff df 23: 48 89 fa mov %rdi,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction 2e: 84 c0 test %al,%al 30: 74 08 je 0x3a 32: 3c 03 cmp $0x3,%al 34: 0f 8e f6 01 00 00 jle 0x230 3a: 83 7d 18 1a cmpl $0x1a,0x18(%rbp) 3e: 74 5e je 0x9e