bisecting cause commit starting from d467d80dc399ba77875d647f2f37b7d1a70d94c2 building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b testing commit d467d80dc399ba77875d647f2f37b7d1a70d94c2 with gcc (GCC) 8.1.0 kernel signature: 8da3f62c1730275c11ec7ac2d3a79ef726b6913dca3fb370acd11f04afec5b16 all runs: crashed: BUG: sleeping function called from invalid context in exc_page_fault testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 9f7ee37df1f5159c178319ac6d760be4cf8970cf3ad3effff01a6e796678e0fe all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 41ee7347d2b4f48fd2ff9893d666d87c1152ec2bfa99d206a68ced3dabb4e527 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: f1cea027ae24ed5e796a8b49046854de2b74b84b51790aac3c3f961e2d01ea26 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: e0d6713bbc6fdac511d2cb5fa6acab3a79ff3277196d40ec13be63b37bc7dc9b all runs: OK # git bisect start bcf876870b95592b52519ed4aafcf9d95999bc9c 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Bisecting: 8752 revisions left to test after this (roughly 13 steps) [694b5a5d313f3997764b67d52bab66ec7e59e714] Merge tag 'arm-soc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 694b5a5d313f3997764b67d52bab66ec7e59e714 with gcc (GCC) 8.1.0 kernel signature: 708876090e4bee369eece502394242538901768e76da6a0c2b00eeb39a6aae30 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR # git bisect bad 694b5a5d313f3997764b67d52bab66ec7e59e714 Bisecting: 4417 revisions left to test after this (roughly 12 steps) [2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63] Merge branch 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 with gcc (GCC) 8.1.0 kernel signature: c265038e2ac7deb46435502db60538f4b668e484725ec4e87eedff597a58e323 all runs: OK # git bisect good 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 Bisecting: 2208 revisions left to test after this (roughly 11 steps) [5df42c8267418bfb8da54cc4772b397ea4c88aea] ice: fix MAC write command testing commit 5df42c8267418bfb8da54cc4772b397ea4c88aea with gcc (GCC) 8.1.0 kernel signature: a1b37329b9e1c90464b9cbc8abcd41ee67e797ba81de2502e3491a8ca34e235d all runs: OK # git bisect good 5df42c8267418bfb8da54cc4772b397ea4c88aea Bisecting: 1032 revisions left to test after this (roughly 10 steps) [a98f670e41a99f53acb1fb33cee9c6abbb2e6f23] Merge tag 'media/v5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit a98f670e41a99f53acb1fb33cee9c6abbb2e6f23 with gcc (GCC) 8.1.0 kernel signature: a8012633f63f94f567528a81fd40d33e471320fff8345535dc98c4aa24275706 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR # git bisect bad a98f670e41a99f53acb1fb33cee9c6abbb2e6f23 Bisecting: 636 revisions left to test after this (roughly 9 steps) [c444eb564fb16645c172d550359cb3d75fe8a040] mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked() testing commit c444eb564fb16645c172d550359cb3d75fe8a040 with gcc (GCC) 8.1.0 kernel signature: 7fa818d73c8b2e71e160138e063e14f8b0c4ed204b96f87a535fdf176a02b0e8 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR # git bisect bad c444eb564fb16645c172d550359cb3d75fe8a040 Bisecting: 266 revisions left to test after this (roughly 8 steps) [d7ad1415bda5cd0a7a948720bf154ecb62a0e9c4] Merge tag 'wireless-drivers-next-2020-05-30' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit d7ad1415bda5cd0a7a948720bf154ecb62a0e9c4 with gcc (GCC) 8.1.0 kernel signature: f50085dd4c130e41eb28e5f673ebc833be6fb39724b5181e4920230dba6f1495 all runs: OK # git bisect good d7ad1415bda5cd0a7a948720bf154ecb62a0e9c4 Bisecting: 133 revisions left to test after this (roughly 7 steps) [1897936744f0ab366102170d7c76bfc8f7aeb2ba] netdevsim: Register control traps testing commit 1897936744f0ab366102170d7c76bfc8f7aeb2ba with gcc (GCC) 8.1.0 kernel signature: 25af697e1561be5e59175597b270f67c1f910cd0c3db8e53345a623c75a958bb all runs: OK # git bisect good 1897936744f0ab366102170d7c76bfc8f7aeb2ba Bisecting: 66 revisions left to test after this (roughly 6 steps) [97abb2b396821f21c21cee2d537bb4e0a0eef31b] docs/bpf: Add BPF ring buffer design notes testing commit 97abb2b396821f21c21cee2d537bb4e0a0eef31b with gcc (GCC) 8.1.0 kernel signature: 4ab02b910d4942b6e6f7d1b26f96c25ddf02d186b3bd6b861ad17acc3421e5ac all runs: OK # git bisect good 97abb2b396821f21c21cee2d537bb4e0a0eef31b Bisecting: 33 revisions left to test after this (roughly 5 steps) [b8215dce7dfd817ca38807f55165bf502146cd68] selftests/bpf, flow_dissector: Close TAP device FD after the test testing commit b8215dce7dfd817ca38807f55165bf502146cd68 with gcc (GCC) 8.1.0 kernel signature: a2bb5e1adc77bfe89825d931e29dc8dab6b83805eb14868e9aceedbee25db70b all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR # git bisect bad b8215dce7dfd817ca38807f55165bf502146cd68 Bisecting: 16 revisions left to test after this (roughly 4 steps) [8ea204c2b658eaef55b4716fde469fb66c589a3d] net: Make locking in sock_bindtoindex optional testing commit 8ea204c2b658eaef55b4716fde469fb66c589a3d with gcc (GCC) 8.1.0 kernel signature: 94442e5e2db5b84371659880d81cf20611089cbad90fb226984aab087c47b121 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR # git bisect bad 8ea204c2b658eaef55b4716fde469fb66c589a3d Bisecting: 7 revisions left to test after this (roughly 3 steps) [d39aec79e5923bf984df991ffe51d4a2b7a9e746] selftest: Add tests for XDP programs in devmap entries testing commit d39aec79e5923bf984df991ffe51d4a2b7a9e746 with gcc (GCC) 8.1.0 kernel signature: 830d1db683864731ddc797f410caa32c4d971778175cc8581e8a5a1d4ab74a42 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR # git bisect bad d39aec79e5923bf984df991ffe51d4a2b7a9e746 Bisecting: 3 revisions left to test after this (roughly 2 steps) [7f1c04269fe7b3293dea38ea65da4fd6614d6f80] devmap: Formalize map value as a named struct testing commit 7f1c04269fe7b3293dea38ea65da4fd6614d6f80 with gcc (GCC) 8.1.0 kernel signature: 86f9a1b8722d2b280ffcd3b41b0ee4781bf7ce2e66663b4e66d0759a2dc09fe5 all runs: OK # git bisect good 7f1c04269fe7b3293dea38ea65da4fd6614d6f80 Bisecting: 1 revision left to test after this (roughly 1 step) [64b59025c15b244c0954cf52b24fbabfcf5ed8f6] xdp: Add xdp_txq_info to xdp_buff testing commit 64b59025c15b244c0954cf52b24fbabfcf5ed8f6 with gcc (GCC) 8.1.0 kernel signature: 830d1db683864731ddc797f410caa32c4d971778175cc8581e8a5a1d4ab74a42 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR # git bisect bad 64b59025c15b244c0954cf52b24fbabfcf5ed8f6 Bisecting: 0 revisions left to test after this (roughly 0 steps) [fbee97feed9b3e4acdf9590e1f6b4a2eefecfffe] bpf: Add support to attach bpf program to a devmap entry testing commit fbee97feed9b3e4acdf9590e1f6b4a2eefecfffe with gcc (GCC) 8.1.0 kernel signature: fbcd2605d4dca137cda27a1f1f38aaa2bf3b80a1235a14f80f42ca14e97bdcfa all runs: OK # git bisect good fbee97feed9b3e4acdf9590e1f6b4a2eefecfffe 64b59025c15b244c0954cf52b24fbabfcf5ed8f6 is the first bad commit commit 64b59025c15b244c0954cf52b24fbabfcf5ed8f6 Author: David Ahern Date: Fri May 29 16:07:14 2020 -0600 xdp: Add xdp_txq_info to xdp_buff Add xdp_txq_info as the Tx counterpart to xdp_rxq_info. At the moment only the device is added. Other fields (queue_index) can be added as use cases arise. >From a UAPI perspective, add egress_ifindex to xdp context for bpf programs to see the Tx device. Update the verifier to only allow accesses to egress_ifindex by XDP programs with BPF_XDP_DEVMAP expected attach type. Signed-off-by: David Ahern Signed-off-by: Alexei Starovoitov Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/bpf/20200529220716.75383-4-dsahern@kernel.org Signed-off-by: Alexei Starovoitov include/net/xdp.h | 5 +++++ include/uapi/linux/bpf.h | 2 ++ kernel/bpf/devmap.c | 3 +++ net/core/filter.c | 17 +++++++++++++++++ tools/include/uapi/linux/bpf.h | 2 ++ 5 files changed, 29 insertions(+) culprit signature: 830d1db683864731ddc797f410caa32c4d971778175cc8581e8a5a1d4ab74a42 parent signature: fbcd2605d4dca137cda27a1f1f38aaa2bf3b80a1235a14f80f42ca14e97bdcfa revisions tested: 19, total time: 3h39m40.772221132s (build: 1h48m10.076467222s, test: 1h49m29.151543587s) first bad commit: 64b59025c15b244c0954cf52b24fbabfcf5ed8f6 xdp: Add xdp_txq_info to xdp_buff recipients (to): ["ast@kernel.org" "dsahern@kernel.org" "toke@redhat.com"] recipients (cc): [] crash: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD a0c1d067 P4D a0c1d067 PUD a60c4067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 10982 Comm: syz-executor.2 Not tainted 5.7.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:bpf_prog_e48ebe87b99394c4+0x1f/0x42c Code: cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 e5 48 81 ec 00 00 00 00 53 41 55 41 56 41 57 6a 00 31 c0 48 8b 47 28 <48> 8b 40 00 8b 80 00 01 00 00 5b 41 5f 41 5e 41 5d 5b c9 c3 cc cc RSP: 0018:ffffc9000a45f968 EFLAGS: 00010246 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000032950 RDX: ffffffffa0054bd4 RSI: ffffc90000eec038 RDI: ffffc9000a45fb78 RBP: ffffc9000a45f990 R08: fffffbfff17308f9 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc90000eec000 R14: ffff8880b42e6000 R15: ffffc9000a45faf8 FS: 00007f5b2f1bd700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000a7e87000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: bpf_prog_run_xdp include/linux/filter.h:734 [inline] bpf_test_run+0x213/0xae0 net/bpf/test_run.c:47 bpf_prog_test_run_xdp+0x2fa/0x4f0 net/bpf/test_run.c:507 bpf_prog_test_run kernel/bpf/syscall.c:2994 [inline] __do_sys_bpf+0xd6a/0x3b30 kernel/bpf/syscall.c:4131 do_syscall_64+0x8e/0x4e0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45e149 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f5b2f1bcc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e149 RDX: 0000000000000028 RSI: 00000000200000c0 RDI: 000000000000000a RBP: 000000000119bfc0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c R13: 00007fffc83c3c5f R14: 00007f5b2f1bd9c0 R15: 000000000119bf8c Modules linked in: CR2: 0000000000000000 ---[ end trace bab98122a49e2858 ]--- RIP: 0010:bpf_prog_e48ebe87b99394c4+0x1f/0x42c Code: cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 e5 48 81 ec 00 00 00 00 53 41 55 41 56 41 57 6a 00 31 c0 48 8b 47 28 <48> 8b 40 00 8b 80 00 01 00 00 5b 41 5f 41 5e 41 5d 5b c9 c3 cc cc RSP: 0018:ffffc9000a45f968 EFLAGS: 00010246 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000032950 RDX: ffffffffa0054bd4 RSI: ffffc90000eec038 RDI: ffffc9000a45fb78 RBP: ffffc9000a45f990 R08: fffffbfff17308f9 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc90000eec000 R14: ffff8880b42e6000 R15: ffffc9000a45faf8 FS: 00007f5b2f1bd700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000a7e87000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400