bisecting fixing commit since 14e8e0f6008865d823a8184a276702a6c3cbef3d
building syzkaller on fc9fd31ee7998c8b747752791000ea4eef07b5c6
testing commit 14e8e0f6008865d823a8184a276702a6c3cbef3d with gcc (GCC) 10.2.1 20210217
kernel signature: eb4a561aab76b4d27c676f4f7ac421697a31bf5199baf6b1ea68be221646ecf6
run #0: crashed: INFO: task hung in addrconf_dad_work
run #1: crashed: INFO: task hung in addrconf_dad_work
run #2: crashed: INFO: task hung in linkwatch_event
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in linkwatch_event
run #5: crashed: INFO: task hung in rsvp_delete_filter_work
run #6: crashed: INFO: task hung in addrconf_dad_work
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in addrconf_dad_work
run #9: crashed: INFO: task hung in addrconf_dad_work
run #10: crashed: INFO: task hung in addrconf_dad_work
run #11: crashed: INFO: task hung in addrconf_dad_work
run #12: crashed: INFO: task hung in addrconf_dad_work
run #13: crashed: INFO: task hung in addrconf_dad_work
run #14: crashed: INFO: task hung in linkwatch_event
run #15: crashed: INFO: task hung in linkwatch_event
run #16: crashed: INFO: task hung in linkwatch_event
run #17: crashed: INFO: task hung in addrconf_dad_work
run #18: crashed: INFO: task hung in linkwatch_event
run #19: crashed: INFO: task hung in rsvp_delete_filter_work
testing current HEAD d310ec03a34e92a77302edb804f7d68ee4f01ba0
testing commit d310ec03a34e92a77302edb804f7d68ee4f01ba0 with gcc (GCC) 10.2.1 20210217
kernel signature: 297e8e213f56047ca360eb1ed1c035846851999ebcae7f5476d676f6b3d5dd10
all runs: OK
# git bisect start d310ec03a34e92a77302edb804f7d68ee4f01ba0 14e8e0f6008865d823a8184a276702a6c3cbef3d
Bisecting: 2500 revisions left to test after this (roughly 11 steps)
[56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b] Merge tag 'arm-defconfig-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b with gcc (GCC) 10.2.1 20210217
kernel signature: b0f5e5cffcd39abd195824a77be9a81b06579c5fadff0758d301d77ff052e480
all runs: OK
# git bisect bad 56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b
Bisecting: 958 revisions left to test after this (roughly 10 steps)
[205238f4ed3e14aed07a7b0121b94e404e65e78c] net: hns3: fix return of random stack value
testing commit 205238f4ed3e14aed07a7b0121b94e404e65e78c with gcc (GCC) 10.2.1 20210217
kernel signature: 722bc73fd2d07fcb9896c06d465ab735c124e764fccbc983cf260bfe73474bc3
run #0: crashed: INFO: task hung in rsvp_delete_filter_work
run #1: crashed: INFO: task hung in rsvp_delete_filter_work
run #2: crashed: INFO: task hung in rsvp_delete_filter_work
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in linkwatch_event
run #5: crashed: INFO: task hung in addrconf_dad_work
run #6: crashed: INFO: task hung in linkwatch_event
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in linkwatch_event
run #9: crashed: INFO: task hung in rsvp_delete_filter_work
# git bisect good 205238f4ed3e14aed07a7b0121b94e404e65e78c
Bisecting: 479 revisions left to test after this (roughly 9 steps)
[40d3f295b5feda409784e569550057b5fbc2a295] net: mscc: ocelot: use common tag parsing code with DSA
testing commit 40d3f295b5feda409784e569550057b5fbc2a295 with gcc (GCC) 10.2.1 20210217
kernel signature: d19d190a4f8813da81c9f349dd2538af7edf99a4714c0715a7cc26397926912e
run #0: crashed: INFO: task hung in linkwatch_event
run #1: crashed: INFO: task hung in linkwatch_event
run #2: crashed: INFO: task hung in addrconf_dad_work
run #3: crashed: INFO: task hung in rsvp_delete_filter_work
run #4: crashed: INFO: task hung in addrconf_dad_work
run #5: crashed: INFO: task hung in addrconf_dad_work
run #6: crashed: INFO: task hung in addrconf_dad_work
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in addrconf_dad_work
run #9: crashed: INFO: task hung in rsvp_delete_filter_work
# git bisect good 40d3f295b5feda409784e569550057b5fbc2a295
Bisecting: 263 revisions left to test after this (roughly 8 steps)
[86dd9868b8788a9063893a97649594af93cd5aa6] net: dsa: tag_rtl4_a: Support also egress tags
testing commit 86dd9868b8788a9063893a97649594af93cd5aa6 with gcc (GCC) 10.2.1 20210217
kernel signature: 1ec390666cded0b0e89691a868774b3a04985cbc62deb67e386b4029ad9928da
run #0: crashed: INFO: task hung in linkwatch_event
run #1: crashed: INFO: task hung in rsvp_delete_filter_work
run #2: crashed: INFO: task hung in addrconf_dad_work
run #3: crashed: INFO: task hung in rsvp_delete_filter_work
run #4: crashed: INFO: task hung in addrconf_dad_work
run #5: crashed: INFO: task hung in rtnetlink_rcv_msg
run #6: crashed: INFO: task hung in addrconf_dad_work
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in rsvp_delete_filter_work
run #9: crashed: INFO: task hung in addrconf_dad_work
# git bisect good 86dd9868b8788a9063893a97649594af93cd5aa6
Bisecting: 109 revisions left to test after this (roughly 7 steps)
[51e6d17809c85e1934600ec4cdb85552e9bda254] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 51e6d17809c85e1934600ec4cdb85552e9bda254 with gcc (GCC) 10.2.1 20210217
kernel signature: b0f5e5cffcd39abd195824a77be9a81b06579c5fadff0758d301d77ff052e480
all runs: OK
# git bisect bad 51e6d17809c85e1934600ec4cdb85552e9bda254
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[10c270cf25bd3ebffba9c2182d0c9eccecf10d97] ptp: ptp_clockmatrix: Remove unused header declarations.
testing commit 10c270cf25bd3ebffba9c2182d0c9eccecf10d97 with gcc (GCC) 10.2.1 20210217
kernel signature: 712072fa34b5f7b3ce645e2277eb15a2bf678a33ffa997d12f1f5b8f127e81db
all runs: OK
# git bisect bad 10c270cf25bd3ebffba9c2182d0c9eccecf10d97
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[39935dccb21c60f9bbf1bb72d22ab6fd14ae7705] appletalk: Fix skb allocation size in loopback case
testing commit 39935dccb21c60f9bbf1bb72d22ab6fd14ae7705 with gcc (GCC) 10.2.1 20210217
kernel signature: 5f149d04a52c0191e66d6580ce136aea75cad0049519809fcda1e2865a4a55e1
run #0: crashed: INFO: task hung in addrconf_dad_work
run #1: crashed: INFO: task hung in addrconf_dad_work
run #2: crashed: INFO: task hung in cfg80211_event_work
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in addrconf_dad_work
run #5: crashed: INFO: task hung in linkwatch_event
run #6: crashed: INFO: task hung in addrconf_dad_work
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in addrconf_dad_work
run #9: crashed: INFO: task hung in addrconf_dad_work
# git bisect good 39935dccb21c60f9bbf1bb72d22ab6fd14ae7705
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[17aff5389d4f46a2ed2f0760922ae6c06dc438f1] Merge branch 'amd-xgbe-fixes'
testing commit 17aff5389d4f46a2ed2f0760922ae6c06dc438f1 with gcc (GCC) 10.2.1 20210217
kernel signature: d076b0193fa97854a33f7ed037d91c54be529f840724ac9d65444126e84e23e1
run #0: crashed: INFO: task hung in rsvp_delete_filter_work
run #1: crashed: INFO: task hung in addrconf_dad_work
run #2: crashed: INFO: task hung in addrconf_dad_work
run #3: crashed: INFO: task hung in addrconf_dad_work
run #4: crashed: INFO: task hung in addrconf_dad_work
run #5: crashed: INFO: task hung in cfg80211_event_work
run #6: crashed: INFO: task hung in rsvp_delete_filter_work
run #7: crashed: INFO: task hung in addrconf_dad_work
run #8: crashed: INFO: task hung in cfg80211_event_work
run #9: crashed: INFO: task hung in rsvp_delete_filter_work
# git bisect good 17aff5389d4f46a2ed2f0760922ae6c06dc438f1
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[32511f8e498045a82f603454b21b34ad892a79c6] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
testing commit 32511f8e498045a82f603454b21b34ad892a79c6 with gcc (GCC) 10.2.1 20210217
kernel signature: 712072fa34b5f7b3ce645e2277eb15a2bf678a33ffa997d12f1f5b8f127e81db
all runs: OK
# git bisect bad 32511f8e498045a82f603454b21b34ad892a79c6
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[597565556581d59641c0be50acaae87f7391a91b] net: mscc: ocelot: select PACKING in the Kconfig
testing commit 597565556581d59641c0be50acaae87f7391a91b with gcc (GCC) 10.2.1 20210217
kernel signature: 87967eee47e930af590eb877c736d438d6d139b774041f3e0eaf19b754d6d1dd
all runs: OK
# git bisect bad 597565556581d59641c0be50acaae87f7391a91b
Bisecting: 2 revisions left to test after this (roughly 1 step)
[3af409ca278d4a8d50e91f9f7c4c33b175645cf3] net: enetc: fix destroyed phylink dereference during unbind
testing commit 3af409ca278d4a8d50e91f9f7c4c33b175645cf3 with gcc (GCC) 10.2.1 20210217
kernel signature: 99f8bfbd52d2297fc77bb30393d47ef98ae7e75a595c2d144b38afc9032fb1b5
all runs: OK
# git bisect bad 3af409ca278d4a8d50e91f9f7c4c33b175645cf3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[396d7f23adf9e8c436dd81a69488b5b6a865acf8] net: sched: fix police ext initialization
testing commit 396d7f23adf9e8c436dd81a69488b5b6a865acf8 with gcc (GCC) 10.2.1 20210217
kernel signature: 99f8bfbd52d2297fc77bb30393d47ef98ae7e75a595c2d144b38afc9032fb1b5
all runs: OK
# git bisect bad 396d7f23adf9e8c436dd81a69488b5b6a865acf8
396d7f23adf9e8c436dd81a69488b5b6a865acf8 is the first bad commit
commit 396d7f23adf9e8c436dd81a69488b5b6a865acf8
Author: Vlad Buslov
Date: Tue Feb 16 18:22:00 2021 +0200

    net: sched: fix police ext initialization

    When police action is created by cls API tcf_exts_validate() first
    conditional that calls tcf_action_init_1() directly, the action idr is not
    updated according to latest changes in action API that require caller to
    commit newly created action to idr with tcf_idr_insert_many(). This results
    such action not being accessible through act API and causes crash reported
    by syzbot:

    ==================================================================
    BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
    BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
    BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:178 [inline]
    BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
    Read of size 4 at addr 0000000000000010 by task kworker/u4:5/204

    CPU: 0 PID: 204 Comm: kworker/u4:5 Not tainted 5.11.0-rc7-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: netns cleanup_net
    Call Trace:
     __dump_stack lib/dump_stack.c:79 [inline]
     dump_stack+0x107/0x163 lib/dump_stack.c:120
     __kasan_report mm/kasan/report.c:400 [inline]
     kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413
     check_memory_region_inline mm/kasan/generic.c:179 [inline]
     check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
     instrument_atomic_read include/linux/instrumented.h:71 [inline]
     atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
     __tcf_idr_release net/sched/act_api.c:178 [inline]
     tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
     tc_action_net_exit include/net/act_api.h:151 [inline]
     police_exit_net+0x168/0x360 net/sched/act_police.c:390
     ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
     cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604
     process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
     worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
     kthread+0x3b1/0x4a0 kernel/kthread.c:292
     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
    ==================================================================
    Kernel panic - not syncing: panic_on_warn set ...
    CPU: 0 PID: 204 Comm: kworker/u4:5 Tainted: G B 5.11.0-rc7-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: netns cleanup_net
    Call Trace:
     __dump_stack lib/dump_stack.c:79 [inline]
     dump_stack+0x107/0x163 lib/dump_stack.c:120
     panic+0x306/0x73d kernel/panic.c:231
     end_report+0x58/0x5e mm/kasan/report.c:100
     __kasan_report mm/kasan/report.c:403 [inline]
     kasan_report.cold+0x67/0xd5 mm/kasan/report.c:413
     check_memory_region_inline mm/kasan/generic.c:179 [inline]
     check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
     instrument_atomic_read include/linux/instrumented.h:71 [inline]
     atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
     __tcf_idr_release net/sched/act_api.c:178 [inline]
     tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
     tc_action_net_exit include/net/act_api.h:151 [inline]
     police_exit_net+0x168/0x360 net/sched/act_police.c:390
     ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
     cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604
     process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
     worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
     kthread+0x3b1/0x4a0 kernel/kthread.c:292
     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
    Kernel Offset: disabled

    Fix the issue by calling tcf_idr_insert_many() after successful action
    initialization.

    Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
    Reported-by: syzbot+151e3e714d34ae4ce7e8@syzkaller.appspotmail.com
    Signed-off-by: Vlad Buslov
    Reviewed-by: Cong Wang
    Signed-off-by: David S. Miller

 include/net/act_api.h | 1 +
 net/sched/act_api.c | 2 +-
 net/sched/cls_api.c | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
culprit signature: 99f8bfbd52d2297fc77bb30393d47ef98ae7e75a595c2d144b38afc9032fb1b5
parent signature: d076b0193fa97854a33f7ed037d91c54be529f840724ac9d65444126e84e23e1
revisions tested: 14, total time: 3h30m59.006911325s (build: 1h18m40.256536507s, test: 2h11m7.685515301s)
first good commit: 396d7f23adf9e8c436dd81a69488b5b6a865acf8 net: sched: fix police ext initialization
recipients (to): ["davem@davemloft.net" "vladbu@nvidia.com" "xiyou.wangcong@gmail.com"]
recipients (cc): []