bisecting cause commit starting from 9eaa88c7036eda3f6c215f87ca693594cf90559b building syzkaller on 44068e196185e2f5a7c94629b6245cdde008b140 testing commit 9eaa88c7036eda3f6c215f87ca693594cf90559b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f71a74672a84da2839cb085045dbf1718ef712314473a6dbb4f110fab86a31e6 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #2: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #3: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #4: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #5: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #6: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #7: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #8: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #9: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #10: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #11: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #12: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #13: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #14: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #15: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #16: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #17: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #18: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #19: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put testing release v5.15 testing commit 8bb7eca972ad531c9b149c0a51ab43a417385813 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0bb7d7ced7b6e0d18e2743ecb85bf26839c3639241359921393534900576f97a all runs: OK # git bisect start 9eaa88c7036eda3f6c215f87ca693594cf90559b 8bb7eca972ad531c9b149c0a51ab43a417385813 Bisecting: 7433 revisions left to test after this (roughly 13 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [43e1b12927276cde8052122a24ff796649f09d60] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost testing commit 43e1b12927276cde8052122a24ff796649f09d60 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5a3c3f081f35e6960a4c6ed0c07db6de9fbbe712f972a199cce90b25fbff8d49 all runs: OK # git bisect good 43e1b12927276cde8052122a24ff796649f09d60 Bisecting: 3718 revisions left to test after this (roughly 12 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [a4119be4370eea352df0dad294488e60e67321cf] Merge tag 'coresight-fixes-v5.16' of gitolite.kernel.org:pub/scm/linux/kernel/git/coresight/linux into char-misc-linus testing commit a4119be4370eea352df0dad294488e60e67321cf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8c447e5f14de3589e5b701aed2fcfaccb61b943acd99192c10666a32baba3742 all runs: OK # git bisect good a4119be4370eea352df0dad294488e60e67321cf Bisecting: 1843 revisions left to test after this (roughly 11 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [35c8fad4a703fdfa009ed274f80bb64b49314cde] Merge tag 'perf-tools-for-v5.16-2021-11-13' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux testing commit 35c8fad4a703fdfa009ed274f80bb64b49314cde compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6639816f8e128f04829b54d86e207fe80bf0ae4c7d5e5764d8baffd2c3aa81ce all runs: OK # git bisect good 35c8fad4a703fdfa009ed274f80bb64b49314cde Bisecting: 921 revisions left to test after this (roughly 10 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [7c602f5d04f44f590c2ab06efbd2869936960db0] Merge tag 'iio-fixes-for-5.16b' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-next testing commit 7c602f5d04f44f590c2ab06efbd2869936960db0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6f67debced9fe85a21dbc7d71a718503aec414aea2595c31e786956dbce08b43 all runs: OK # git bisect good 7c602f5d04f44f590c2ab06efbd2869936960db0 Bisecting: 442 revisions left to test after this (roughly 9 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [ded746bfc94398d2ee9de315a187677b207b2004] Merge tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit ded746bfc94398d2ee9de315a187677b207b2004 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a12e483e6d58d94c4030fb713149badfe4224fa6479d77571682f0048351783e all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put # git bisect bad ded746bfc94398d2ee9de315a187677b207b2004 Bisecting: 238 revisions left to test after this (roughly 8 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [f66062c7491b0f861ba1ee9c767c860fd615b2c3] Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit f66062c7491b0f861ba1ee9c767c860fd615b2c3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ee89dfe8c28db7297e9a6634ae676c0290eba5ea55fb173c93722790ce71c929 all runs: OK # git bisect good f66062c7491b0f861ba1ee9c767c860fd615b2c3 Bisecting: 116 revisions left to test after this (roughly 7 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [2a987e65025e2b79c6d453b78cb5985ac6e5eb26] Merge tag 'perf-tools-fixes-for-v5.16-2021-12-07' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux testing commit 2a987e65025e2b79c6d453b78cb5985ac6e5eb26 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 43105a726c205217166fad54bf48864b8c46e18ece137dea7d464c4874754849 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 2a987e65025e2b79c6d453b78cb5985ac6e5eb26 Bisecting: 61 revisions left to test after this (roughly 6 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [6efcdadc157fcb2e9dfbcc797ed036df7498b35a] Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf testing commit 6efcdadc157fcb2e9dfbcc797ed036df7498b35a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 54dcf09511fa828c6dc98844843e821e37898957b5556ad50eef94f64ed9deee all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put # git bisect bad 6efcdadc157fcb2e9dfbcc797ed036df7498b35a Bisecting: 26 revisions left to test after this (roughly 5 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [56a271be062afb007675e199e1e25b22d28cdd0a] Merge branch 'net-tls-cover-all-ciphers-with-tests' testing commit 56a271be062afb007675e199e1e25b22d28cdd0a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: acee314a87ac3293a53f37467770b6bbe5016c52a3308a181c96bf9cb0325079 all runs: OK # git bisect good 56a271be062afb007675e199e1e25b22d28cdd0a Bisecting: 13 revisions left to test after this (roughly 4 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [b560b21f71eb4ef9dfc7c8ec1d0e4d7f9aa54b51] bpf: Add selftests to cover packet access corner cases testing commit b560b21f71eb4ef9dfc7c8ec1d0e4d7f9aa54b51 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9fc5ca21ebbeb91580b8801b7f1bd6069cf6b5545f7ee31dc35b9955f28abda6 all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put # git bisect bad b560b21f71eb4ef9dfc7c8ec1d0e4d7f9aa54b51 Bisecting: 6 revisions left to test after this (roughly 3 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [099f83aa2d06680d5987e43fed1afeda14b5037e] mips, bpf: Fix reference to non-existing Kconfig symbol testing commit 099f83aa2d06680d5987e43fed1afeda14b5037e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e03c3458175accf53423c9c1aa6cd3452489ade6ceadd46f0caab36136e03022 all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put # git bisect bad 099f83aa2d06680d5987e43fed1afeda14b5037e Bisecting: 2 revisions left to test after this (roughly 2 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [c0d95d3380ee099d735e08618c0d599e72f6c8b0] bpf, sockmap: Re-evaluate proto ops when psock is removed from sockmap testing commit c0d95d3380ee099d735e08618c0d599e72f6c8b0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 31192805ab28e3384d11967317f9967a792ec8b4f82741dff745c71b573fb8cd run #0: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #1: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #2: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #3: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #4: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #5: crashed: general protection fault in bpf_ksym_del run #6: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #7: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #8: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put run #9: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put # git bisect bad c0d95d3380ee099d735e08618c0d599e72f6c8b0 Bisecting: 0 revisions left to test after this (roughly 1 step) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [38207a5e81230d6ffbdd51e5fa5681be5116dcae] bpf, sockmap: Attach map progs to psock early for feature probes testing commit 38207a5e81230d6ffbdd51e5fa5681be5116dcae compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2dd5768c55d1965a96cefe452d4167cf7a35f0c7176f7af56f6df1e4c70ced05 all runs: crashed: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put # git bisect bad 38207a5e81230d6ffbdd51e5fa5681be5116dcae Bisecting: 0 revisions left to test after this (roughly 0 steps) warning: unable to access '/syzkaller/.config/git/ignore': Permission denied warning: unable to access '/syzkaller/.config/git/attributes': Permission denied [f45b2974cc0ae959a4c503a071e38a56bd64372f] bpf, x86: Fix "no previous prototype" warning testing commit f45b2974cc0ae959a4c503a071e38a56bd64372f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a13a80e6877de9b60b5b798326db707c5fe9b10a5d934df08017ceddcba788ad all runs: OK # git bisect good f45b2974cc0ae959a4c503a071e38a56bd64372f warning: unable to access '/syzkaller/.config/git/attributes': Permission denied 38207a5e81230d6ffbdd51e5fa5681be5116dcae is the first bad commit commit 38207a5e81230d6ffbdd51e5fa5681be5116dcae Author: John Fastabend Date: Fri Nov 19 10:14:17 2021 -0800 bpf, sockmap: Attach map progs to psock early for feature probes When a TCP socket is added to a sock map we look at the programs attached to the map to determine what proto op hooks need to be changed. Before the patch in the 'fixes' tag there were only two categories -- the empty set of programs or a TX policy. In any case the base set handled the receive case. After the fix we have an optimized program for receive that closes a small, but possible, race on receive. This program is loaded only when the map the psock is being added to includes a RX policy. Otherwise, the race is not possible so we don't need to handle the race condition. In order for the call to sk_psock_init() to correctly evaluate the above conditions all progs need to be set in the psock before the call. However, in the current code this is not the case. We end up evaluating the requirements on the old prog state. If your psock is attached to multiple maps -- for example a tx map and rx map -- then the second update would pull in the correct maps. But, the other pattern with a single rx enabled map the correct receive hooks are not used. The result is the race fixed by the patch in the fixes tag below may still be seen in this case. To fix we simply set all psock->progs before doing the call into sock_map_init(). With this the init() call gets the full list of programs and chooses the correct proto ops on the first iteration instead of requiring the second update to pull them in. This fixes the race case when only a single map is used. Fixes: c5d2177a72a16 ("bpf, sockmap: Fix race in ingress receive verdict with redirect to self") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20211119181418.353932-2-john.fastabend@gmail.com net/core/sock_map.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) culprit signature: 2dd5768c55d1965a96cefe452d4167cf7a35f0c7176f7af56f6df1e4c70ced05 parent signature: a13a80e6877de9b60b5b798326db707c5fe9b10a5d934df08017ceddcba788ad revisions tested: 16, total time: 3h17m11.351745067s (build: 2h8m47.454277422s, test: 1h6m52.472708984s) first bad commit: 38207a5e81230d6ffbdd51e5fa5681be5116dcae bpf, sockmap: Attach map progs to psock early for feature probes recipients (to): ["bpf@vger.kernel.org" "daniel@iogearbox.net" "daniel@iogearbox.net" "davem@davemloft.net" "jakub@cloudflare.com" "john.fastabend@gmail.com" "john.fastabend@gmail.com" "kuba@kernel.org" "lmb@cloudflare.com" "netdev@vger.kernel.org"] recipients (cc): ["andrii@kernel.org" "ast@kernel.org" "kafai@fb.com" "kpsingh@kernel.org" "linux-kernel@vger.kernel.org" "songliubraving@fb.com" "yhs@fb.com"] crash: KASAN: vmalloc-out-of-bounds Read in __bpf_prog_put ================================================================== BUG: KASAN: vmalloc-out-of-bounds in __bpf_prog_put.constprop.0+0x189/0x1d0 kernel/bpf/syscall.c:1812 Read of size 8 at addr ffffc90001186038 by task syz-executor558/6310 CPU: 0 PID: 6310 Comm: syz-executor558 Not tainted 5.15.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xf/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 __bpf_prog_put.constprop.0+0x189/0x1d0 kernel/bpf/syscall.c:1812 bpf_prog_put kernel/bpf/syscall.c:1829 [inline] bpf_prog_release+0x2e/0x50 kernel/bpf/syscall.c:1837 __fput+0x204/0x8d0 fs/file_table.c:280 task_work_run+0xc0/0x160 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0xa47/0x25c0 kernel/exit.c:832 do_group_exit+0xe7/0x290 kernel/exit.c:929 __do_sys_exit_group kernel/exit.c:940 [inline] __se_sys_exit_group kernel/exit.c:938 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:938 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fc321d011b9 Code: Unable to access opcode bytes at RIP 0x7fc321d0118f. RSP: 002b:00007ffd1c4bed58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007fc321d75330 RCX: 00007fc321d011b9 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffffffffffffffc4 R09: 00007ffd1c4bedd0 R10: 00007ffd1c4bedd0 R11: 0000000000000246 R12: 00007fc321d75330 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 Memory state around the buggy address: ffffc90001185f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90001185f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffffc90001186000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc90001186080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90001186100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ==================================================================