bisecting fixing commit since f8788d86ab28f61f7b46eb6be375f8a726783636
building syzkaller on 59b57593586656c1d5be820aeed0e751087e6ac6
testing commit f8788d86ab28f61f7b46eb6be375f8a726783636 with gcc (GCC) 8.1.0
kernel signature: 29dd580a09c191fb9f09df118a3ae745925c080dfa30fa941abfa21e67cf93c2
all runs: crashed: WARNING in sk_stream_kill_queues
testing current HEAD 7111951b8d4973bda27ff663f2cf18b663d15b48
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 41474d548422f69ec9f864a3c687eb35ca82e9f11344ee669782d1628a3ff5aa
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect start 7111951b8d4973bda27ff663f2cf18b663d15b48 f8788d86ab28f61f7b46eb6be375f8a726783636
Bisecting: 748 revisions left to test after this (roughly 10 steps)
[807f030b44ccbb26a346df6f6438628315d9ad98] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 807f030b44ccbb26a346df6f6438628315d9ad98 with gcc (GCC) 8.1.0
kernel signature: 92e3b9d27ae0348f3a90e80ee590b19b563e00e40d97fab9c7eff4c56b174be3
all runs: OK
# git bisect bad 807f030b44ccbb26a346df6f6438628315d9ad98
Bisecting: 329 revisions left to test after this (roughly 8 steps)
[c87cbc1f007c4b46165f05ceca04e1973cda0b9c] mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled
testing commit c87cbc1f007c4b46165f05ceca04e1973cda0b9c with gcc (GCC) 8.1.0
kernel signature: 7fbb7e0aa7c9370e77a5fe74d7d292de9d734cd50177c88345bd8773a5e117c8
all runs: OK
# git bisect bad c87cbc1f007c4b46165f05ceca04e1973cda0b9c
Bisecting: 163 revisions left to test after this (roughly 7 steps)
[7058b837899fc978c9f8a033fa29ab07360a85c8] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 7058b837899fc978c9f8a033fa29ab07360a85c8 with gcc (GCC) 8.1.0
kernel signature: cdce63cf0a746637ab0d66cc20a485324a4c21db827033550d2a5a93f95695e9
all runs: OK
# git bisect bad 7058b837899fc978c9f8a033fa29ab07360a85c8
Bisecting: 87 revisions left to test after this (roughly 6 steps)
[e46bfaba593c36de591a1153746af6bcb40ef67c] Merge tag 'docs-5.6-fixes' of git://git.lwn.net/linux
testing commit e46bfaba593c36de591a1153746af6bcb40ef67c with gcc (GCC) 8.1.0
kernel signature: 22ff39eab9e15d8ba1df41344c60d24c37875fa1cefef5a35bdfcc8822b77d0e
all runs: crashed: WARNING in sk_stream_kill_queues
# git bisect good e46bfaba593c36de591a1153746af6bcb40ef67c
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[c87a9d6fc6d555e4981f2ded77d9a8cce950743e] net: phy: mscc: fix firmware paths
testing commit c87a9d6fc6d555e4981f2ded77d9a8cce950743e with gcc (GCC) 8.1.0
kernel signature: 77300d1bf3e935fd487bcbcefc0ffdb0b7fd72ce29fc5fe7f939c8aed6102c7e
all runs: OK
# git bisect bad c87a9d6fc6d555e4981f2ded77d9a8cce950743e
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[3614d05b5e6baf487e88fb114d884da172edd61a] Merge tag 'mac80211-for-net-2020-02-24' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
testing commit 3614d05b5e6baf487e88fb114d884da172edd61a with gcc (GCC) 8.1.0
kernel signature: 7df840645de647f40f2e74d5e3d2ed5c4e5e0c162a6750e0e8423f371dbac9dd
all runs: crashed: WARNING in sk_stream_kill_queues
# git bisect good 3614d05b5e6baf487e88fb114d884da172edd61a
Bisecting: 9 revisions left to test after this (roughly 4 steps)
[574b238f64594cc0d87aad3f716ebab49fb663fa] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit 574b238f64594cc0d87aad3f716ebab49fb663fa with gcc (GCC) 8.1.0
kernel signature: 8b352ea9ac4171138364d8748a4e8fc594c2caca93d2465be6062acbeeb45627
all runs: crashed: WARNING in sk_stream_kill_queues
# git bisect good 574b238f64594cc0d87aad3f716ebab49fb663fa
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[51e3dfa8906ace90c809235b3d3afebc166b6433] net/smc: fix cleanup for linkgroup setup failures
testing commit 51e3dfa8906ace90c809235b3d3afebc166b6433 with gcc (GCC) 8.1.0
kernel signature: 45a389de3632fa017824a376d75c39156fe996eb36f9260d42c159cf155ebd67
all runs: crashed: WARNING in sk_stream_kill_queues
# git bisect good 51e3dfa8906ace90c809235b3d3afebc166b6433
Bisecting: 2 revisions left to test after this (roughly 1 step)
[f596c87005f7b1baeb7d62d9a9e25d68c3dfae10] slip: not call free_netdev before rtnl_unlock in slip_open
testing commit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 with gcc (GCC) 8.1.0
kernel signature: 9d7001cfd56e9641b7ab051b969e2acfd25cb50257fb232814deb32a493502e0
all runs: OK
# git bisect bad f596c87005f7b1baeb7d62d9a9e25d68c3dfae10
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b6f6118901d1e867ac9177bbff3b00b185bd4fdc] ipv6: restrict IPV6_ADDRFORM operation
testing commit b6f6118901d1e867ac9177bbff3b00b185bd4fdc with gcc (GCC) 8.1.0
kernel signature: 1df0ed9f85272f5712e40995f66bba0613c2547b28ccfecf93f4d750c9a61fe2
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad b6f6118901d1e867ac9177bbff3b00b185bd4fdc
b6f6118901d1e867ac9177bbff3b00b185bd4fdc is the first bad commit
commit b6f6118901d1e867ac9177bbff3b00b185bd4fdc
Author: Eric Dumazet
Date:   Tue Feb 25 11:52:29 2020 -0800

    ipv6: restrict IPV6_ADDRFORM operation

    IPV6_ADDRFORM is able to transform IPv6 socket to IPv4 one.
    While this operation sounds illogical, we have to support it.

    One of the things it does for TCP socket is to switch sk->sk_prot
    to tcp_prot.

    We now have other layers playing with sk->sk_prot, so we should
    make sure to not interfere with them.

    This patch makes sure sk_prot is the default pointer for TCP IPv6 socket.

    syzbot reported :

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    PGD a0113067 P4D a0113067 PUD a8771067 PMD 0
    Oops: 0010 [#1] PREEMPT SMP KASAN
    CPU: 0 PID: 10686 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:0x0
    Code: Bad RIP value.
    RSP: 0018:ffffc9000281fce0 EFLAGS: 00010246
    RAX: 1ffffffff15f48ac RBX: ffffffff8afa4560 RCX: dffffc0000000000
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a69a8f40
    RBP: ffffc9000281fd10 R08: ffffffff86ed9b0c R09: ffffed1014d351f5
    R10: ffffed1014d351f5 R11: 0000000000000000 R12: ffff8880920d3098
    R13: 1ffff1101241a613 R14: ffff8880a69a8f40 R15: 0000000000000000
    FS:  00007f2ae75db700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffffffffffffd6 CR3: 00000000a3b85000 CR4: 00000000001406f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     inet_release+0x165/0x1c0 net/ipv4/af_inet.c:427
     __sock_release net/socket.c:605 [inline]
     sock_close+0xe1/0x260 net/socket.c:1283
     __fput+0x2e4/0x740 fs/file_table.c:280
     ____fput+0x15/0x20 fs/file_table.c:313
     task_work_run+0x176/0x1b0 kernel/task_work.c:113
     tracehook_notify_resume include/linux/tracehook.h:188 [inline]
     exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
     prepare_exit_to_usermode+0x480/0x5b0 arch/x86/entry/common.c:195
     syscall_return_slowpath+0x113/0x4a0 arch/x86/entry/common.c:278
     do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x45c429
    Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f2ae75dac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
    RAX: 0000000000000000 RBX: 00007f2ae75db6d4 RCX: 000000000045c429
    RDX: 0000000000000001 RSI: 000000000000011a RDI: 0000000000000004
    RBP: 000000000076bf20 R08: 0000000000000038 R09: 0000000000000000
    R10: 0000000020000180 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 0000000000000a9d R14: 00000000004ccfb4 R15: 000000000076bf2c
    Modules linked in:
    CR2: 0000000000000000
    ---[ end trace 82567b5207e87bae ]---
    RIP: 0010:0x0
    Code: Bad RIP value.
    RSP: 0018:ffffc9000281fce0 EFLAGS: 00010246
    RAX: 1ffffffff15f48ac RBX: ffffffff8afa4560 RCX: dffffc0000000000
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a69a8f40
    RBP: ffffc9000281fd10 R08: ffffffff86ed9b0c R09: ffffed1014d351f5
    R10: ffffed1014d351f5 R11: 0000000000000000 R12: ffff8880920d3098
    R13: 1ffff1101241a613 R14: ffff8880a69a8f40 R15: 0000000000000000
    FS:  00007f2ae75db700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffffffffffffd6 CR3: 00000000a3b85000 CR4: 00000000001406f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

    Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot+1938db17e275e85dc328@syzkaller.appspotmail.com
    Cc: Daniel Borkmann
    Signed-off-by: David S. Miller

 net/ipv6/ipv6_sockglue.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

culprit signature: 1df0ed9f85272f5712e40995f66bba0613c2547b28ccfecf93f4d750c9a61fe2
parent signature: 45a389de3632fa017824a376d75c39156fe996eb36f9260d42c159cf155ebd67
revisions tested: 12, total time: 2h46m12.822587611s (build: 1h14m58.35604591s, test: 1h30m29.676435099s)
first good commit: b6f6118901d1e867ac9177bbff3b00b185bd4fdc ipv6: restrict IPV6_ADDRFORM operation
cc: ["andriin@fb.com" "ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "edumazet@google.com" "kafai@fb.com" "kuba@kernel.org" "kuznet@ms2.inr.ac.ru" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "songliubraving@fb.com" "yhs@fb.com" "yoshfuji@linux-ipv6.org"]