bisecting cause commit starting from 444565650a5fe9c63ddf153e6198e31705dedeb2 building syzkaller on 9682898d6f14dd27f95c419d059fd867bb91b22b testing commit 444565650a5fe9c63ddf153e6198e31705dedeb2 with gcc (GCC) 8.1.0 kernel signature: c4dd8988b44093daf2ed9eca0031b261d7654f8e124b31f337ed9496b2051780 all runs: crashed: WARNING: locking bug in dev_mc_seq_show testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: f2baa0542aa332e560fc618195cd6ae9d2c918463c1d3686097603d480bf8be6 run #0: crashed: WARNING in mark_lock run #1: crashed: WARNING in mark_lock run #2: crashed: WARNING in mark_lock run #3: crashed: WARNING in mark_lock run #4: crashed: WARNING in mark_lock run #5: crashed: WARNING in mark_lock run #6: crashed: WARNING in mark_lock run #7: crashed: WARNING in mark_lock run #8: OK run #9: crashed: WARNING in mark_lock testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 100dcd5cef5498072ed1d0f8efe6a6a688a4a158f0b988141bd028371f7952c7 all runs: crashed: WARNING in mark_lock testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 86864c4e48f632291babd1562082c4bef5b5f9b25ed9c6c265a8055f9cf899d7 all runs: OK # git bisect start d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 8639 revisions left to test after this (roughly 13 steps) [8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0 kernel signature: 6ccff57f89415ea7205745d4dcd36722971e685554c3261133d9df874b743f76 run #0: crashed: WARNING in mark_lock run #1: crashed: WARNING in mark_lock run #2: crashed: WARNING in mark_lock run #3: crashed: WARNING in mark_lock run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 8c39f71ee2019e77ee14f88b1321b2348db51820 Bisecting: 3435 revisions left to test after this (roughly 12 steps) [3b397c7ccafe0624018cb09fc96729f8f6165573] Merge tag 'regmap-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap testing commit 3b397c7ccafe0624018cb09fc96729f8f6165573 with gcc (GCC) 8.1.0 kernel signature: ce794219330b6e8aa632715696efdb261b674b4e95c33dfd4aba432b5bf0f157 run #0: crashed: WARNING in mark_lock run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: WARNING in mark_lock # git bisect bad 3b397c7ccafe0624018cb09fc96729f8f6165573 Bisecting: 1709 revisions left to test after this (roughly 11 steps) [924ea58dadea23cc28b60d02b9c0896b7b168a6f] Merge tag 'mt76-for-kvalo-2019-11-20' of https://github.com/nbd168/wireless testing commit 924ea58dadea23cc28b60d02b9c0896b7b168a6f with gcc (GCC) 8.1.0 kernel signature: 63f1f05391314cace0fa3e7a75436994a3b182189bbbd89c73714542b70c0e7f run #0: crashed: WARNING in mark_lock run #1: crashed: WARNING in mark_lock run #2: crashed: WARNING in mark_lock run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 924ea58dadea23cc28b60d02b9c0896b7b168a6f Bisecting: 855 revisions left to test after this (roughly 10 steps) [3b7ad08b5153b0eda2f4d57ac53d815c30acd172] vsock: Simplify '__vsock_release()' testing commit 3b7ad08b5153b0eda2f4d57ac53d815c30acd172 with gcc (GCC) 8.1.0 kernel signature: 78c10c2b00f9e6b284954c33f4537aefc57ad6a33605612d24f908dd790e61b0 run #0: crashed: WARNING in mark_lock run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 3b7ad08b5153b0eda2f4d57ac53d815c30acd172 Bisecting: 427 revisions left to test after this (roughly 9 steps) [a3e09ded6a6d4b4cbdeb8c1ec4c7cf60798b3ce0] i40e: Extract detection of HW flags into a function testing commit a3e09ded6a6d4b4cbdeb8c1ec4c7cf60798b3ce0 with gcc (GCC) 8.1.0 kernel signature: 35b0700a411b56406e3723bc3098bc03c37b862ed4b5097666056feb58cbbe45 all runs: OK # git bisect good a3e09ded6a6d4b4cbdeb8c1ec4c7cf60798b3ce0 Bisecting: 215 revisions left to test after this (roughly 8 steps) [84e93d999a677ee3229e244e9eb29209c3bb6677] wimax: use DEFINE_DEBUGFS_ATTRIBUTE to define debugfs fops testing commit 84e93d999a677ee3229e244e9eb29209c3bb6677 with gcc (GCC) 8.1.0 kernel signature: 389c6ce575b7ebc9bd7fba135b501c519413ec628ec050464911744ede38bced all runs: OK # git bisect good 84e93d999a677ee3229e244e9eb29209c3bb6677 Bisecting: 107 revisions left to test after this (roughly 7 steps) [58ec1ea637ca2230c69d6972985ba619366c688b] net: bridge: fdb: restore unlikely() when taking over externally added entries testing commit 58ec1ea637ca2230c69d6972985ba619366c688b with gcc (GCC) 8.1.0 kernel signature: 1cb3ece04c98922651bb937815788de60af49a354c5abc2baca1e9f18fb6405b all runs: OK # git bisect good 58ec1ea637ca2230c69d6972985ba619366c688b Bisecting: 53 revisions left to test after this (roughly 6 steps) [3a6ba7dc7799355557938fbdc15a558236011429] ptp: Add a ptp clock driver for IDT ClockMatrix. testing commit 3a6ba7dc7799355557938fbdc15a558236011429 with gcc (GCC) 8.1.0 kernel signature: c82819a67ec74750f534d0fc1ea50faf05734982d17aa2aa265a12f2fb5321c8 run #0: crashed: WARNING in mark_lock run #1: crashed: WARNING in mark_lock run #2: crashed: WARNING in mark_lock run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 3a6ba7dc7799355557938fbdc15a558236011429 Bisecting: 26 revisions left to test after this (roughly 5 steps) [75a1a607bb7e6d918be3aca11ec2214a275392f4] uaccess: Add strict non-pagefault kernel-space read function testing commit 75a1a607bb7e6d918be3aca11ec2214a275392f4 with gcc (GCC) 8.1.0 kernel signature: 8a704318aae63f1495665f7b358439d972c6c4a703ef0a158d5fb86ceee74f2d run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: crashed: general protection fault in process_one_work run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor421500434" "root@10.128.15.206:./syz-executor421500434"] Warning: Permanently added '10.128.15.206' (ECDSA) to the list of known hosts. # git bisect bad 75a1a607bb7e6d918be3aca11ec2214a275392f4 Bisecting: 12 revisions left to test after this (roughly 4 steps) [06087114606c416892bd67c5fde9f0d498afb287] Merge branch 'bpf-cleanup-btf-raw-tp' testing commit 06087114606c416892bd67c5fde9f0d498afb287 with gcc (GCC) 8.1.0 kernel signature: 07bd6a93f5ce2015191d891e91975e554547f503b56ebc3b2fbc439cb094ab6c all runs: OK # git bisect good 06087114606c416892bd67c5fde9f0d498afb287 Bisecting: 6 revisions left to test after this (roughly 3 steps) [d1b4574a4b86565325ef2e545eda8dfc9aa07c60] libbpf: Fix error handling in bpf_map__reuse_fd() testing commit d1b4574a4b86565325ef2e545eda8dfc9aa07c60 with gcc (GCC) 8.1.0 kernel signature: a7af36be728bc45ad08a0f7e084afc07662b95cc78c8f885563520caea71bffa all runs: OK # git bisect good d1b4574a4b86565325ef2e545eda8dfc9aa07c60 Bisecting: 3 revisions left to test after this (roughly 2 steps) [57a00f41644f20b11c12a27061d814655f633544] libbpf: Add auto-pinning of maps when loading BPF objects testing commit 57a00f41644f20b11c12a27061d814655f633544 with gcc (GCC) 8.1.0 kernel signature: c3d39255fc9ebe96d7b7a16dcf7f77a76aa0e4c0e836f8565cac2624de5e5dbb all runs: OK # git bisect good 57a00f41644f20b11c12a27061d814655f633544 Bisecting: 1 revision left to test after this (roughly 1 step) [e1cb7d2d60d536baf24d2f0fd58786324ce92331] Merge branch 'map-pinning' testing commit e1cb7d2d60d536baf24d2f0fd58786324ce92331 with gcc (GCC) 8.1.0 kernel signature: 6584d293a7d2c239c9dc36d03c51b38da60b9c46890179c45e1968e3672aba04 all runs: OK # git bisect good e1cb7d2d60d536baf24d2f0fd58786324ce92331 Bisecting: 0 revisions left to test after this (roughly 0 steps) [1d1585ca0f48fe7ed95c3571f3e4a82b2b5045dc] uaccess: Add non-pagefault user-space write function testing commit 1d1585ca0f48fe7ed95c3571f3e4a82b2b5045dc with gcc (GCC) 8.1.0 kernel signature: 9f0c76b8cc4d7e8413a8b8c1a87b72d4d2a34fb3fe369f995fc8b76101003ffb all runs: OK # git bisect good 1d1585ca0f48fe7ed95c3571f3e4a82b2b5045dc 75a1a607bb7e6d918be3aca11ec2214a275392f4 is the first bad commit commit 75a1a607bb7e6d918be3aca11ec2214a275392f4 Author: Daniel Borkmann Date: Sat Nov 2 00:17:57 2019 +0100 uaccess: Add strict non-pagefault kernel-space read function Add two new probe_kernel_read_strict() and strncpy_from_unsafe_strict() helpers which by default alias to the __probe_kernel_read() and the __strncpy_from_unsafe(), respectively, but can be overridden by archs which have non-overlapping address ranges for kernel space and user space in order to bail out with -EFAULT when attempting to probe user memory including non-canonical user access addresses [0]: 4-level page tables: user-space mem: 0x0000000000000000 - 0x00007fffffffffff non-canonical: 0x0000800000000000 - 0xffff7fffffffffff 5-level page tables: user-space mem: 0x0000000000000000 - 0x00ffffffffffffff non-canonical: 0x0100000000000000 - 0xfeffffffffffffff The idea is that these helpers are complementary to the probe_user_read() and strncpy_from_unsafe_user() which probe user-only memory. Both added helpers here do the same, but for kernel-only addresses. Both set of helpers are going to be used for BPF tracing. They also explicitly avoid throwing the splat for non-canonical user addresses from 00c42373d397 ("x86-64: add warning for non-canonical user access address dereferences"). For compat, the current probe_kernel_read() and strncpy_from_unsafe() are left as-is. [0] Documentation/x86/x86_64/mm.txt Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Cc: Linus Torvalds Cc: Masami Hiramatsu Cc: x86@kernel.org Link: https://lore.kernel.org/bpf/eefeefd769aa5a013531f491a71f0936779e916b.1572649915.git.daniel@iogearbox.net arch/x86/mm/Makefile | 2 +- arch/x86/mm/maccess.c | 43 +++++++++++++++++++++++++++++++++++++++++++ include/linux/uaccess.h | 4 ++++ mm/maccess.c | 25 ++++++++++++++++++++++++- 4 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 arch/x86/mm/maccess.c culprit signature: 8a704318aae63f1495665f7b358439d972c6c4a703ef0a158d5fb86ceee74f2d parent signature: 9f0c76b8cc4d7e8413a8b8c1a87b72d4d2a34fb3fe369f995fc8b76101003ffb revisions tested: 18, total time: 4h56m8.411947576s (build: 1h57m12.649596057s, test: 2h57m40.073235864s) first bad commit: 75a1a607bb7e6d918be3aca11ec2214a275392f4 uaccess: Add strict non-pagefault kernel-space read function cc: ["akpm@linux-foundation.org" "andriin@fb.com" "ast@kernel.org" "bp@alien8.de" "bpf@vger.kernel.org" "christian.brauner@ubuntu.com" "cyphar@cyphar.com" "daniel@iogearbox.net" "dave.hansen@linux.intel.com" "hpa@zytor.com" "kafai@fb.com" "keescook@chromium.org" "linux-kernel@vger.kernel.org" "linux-mm@kvack.org" "luto@kernel.org" "mhiramat@kernel.org" "mingo@redhat.com" "netdev@vger.kernel.org" "peterz@infradead.org" "rostedt@goodmis.org" "songliubraving@fb.com" "tglx@linutronix.de" "x86@kernel.org" "yhs@fb.com"] crash: general protection fault in process_one_work IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 31993 Comm: kworker/0:4 Not tainted 5.4.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events nsim_dev_trap_report_work RIP: 0010:nsim_dev_trap_report_work+0xba/0xa80 drivers/net/netdevsim/dev.c:409 Code: 48 3b 45 88 48 89 45 d0 0f 84 2f 07 00 00 49 bc 00 00 00 00 00 fc ff df 48 8b 45 d0 48 05 68 01 00 00 48 89 45 90 48 c1 e8 03 <42> 80 3c 20 00 0f 85 56 09 00 00 48 8b 45 d0 48 8b 98 68 01 00 00 RSP: 0018:ffff88808b78fcb8 EFLAGS: 00010a06 RAX: 1bd5a0000000004d RBX: ffff88809676cdc0 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff8a903420 RBP: ffff88808b78fd58 R08: ffffed1014faa696 R09: ffffed1014faa696 R10: ffffed1014faa695 R11: ffff8880a7d534ab R12: dffffc0000000000 R13: ffff888092fe8000 R14: 0000000000000022 R15: 0000000000000022 FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9821e99000 CR3: 0000000094d11000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: process_one_work+0x856/0x1630 kernel/workqueue.c:2269 worker_thread+0x85/0xb60 kernel/workqueue.c:2415 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Modules linked in: ---[ end trace f2d0294c1585ab44 ]--- RIP: 0010:nsim_dev_trap_report_work+0xba/0xa80 drivers/net/netdevsim/dev.c:409 Code: 48 3b 45 88 48 89 45 d0 0f 84 2f 07 00 00 49 bc 00 00 00 00 00 fc ff df 48 8b 45 d0 48 05 68 01 00 00 48 89 45 90 48 c1 e8 03 <42> 80 3c 20 00 0f 85 56 09 00 00 48 8b 45 d0 48 8b 98 68 01 00 00 RSP: 0018:ffff88808b78fcb8 EFLAGS: 00010a06 RAX: 1bd5a0000000004d RBX: ffff88809676cdc0 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff8a903420 RBP: ffff88808b78fd58 R08: ffffed1014faa696 R09: ffffed1014faa696 R10: ffffed1014faa695 R11: ffff8880a7d534ab R12: dffffc0000000000 R13: ffff888092fe8000 R14: 0000000000000022 R15: 0000000000000022 FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9821e99000 CR3: 0000000094d11000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400