bisecting cause commit starting from b0d93b44641a83c28014ca38001e85bf6dc8501e building syzkaller on 1434eec0b84075b7246560cfa89f20cdb3d8077f testing commit b0d93b44641a83c28014ca38001e85bf6dc8501e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bca4c02f3733399aa9f1a2e123ca30d8f7b43467964d660a07ff809bcf2048ea all runs: crashed: general protection fault in do_check_common testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 11589c40a7ef6d076ccd08ebbb219b01924da922f0917e08e47af9ca0c73fdd5 all runs: OK # git bisect start b0d93b44641a83c28014ca38001e85bf6dc8501e 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 7311 revisions left to test after this (roughly 13 steps) [d7227785e384d4422b3ca189aa5bf19f462337cc] Merge tag 'sound-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit d7227785e384d4422b3ca189aa5bf19f462337cc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 38bdb42c81ab4ca8c63ab384523451f9802136a88a32694660201117375f5601 all runs: OK # git bisect good d7227785e384d4422b3ca189aa5bf19f462337cc Bisecting: 3635 revisions left to test after this (roughly 12 steps) [76bfd3de34783ceda1fc1d73d0db87361de07ecb] Merge tag 'trace-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 76bfd3de34783ceda1fc1d73d0db87361de07ecb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4c097e2bac3d48e3d1f41f3213fd5ae15fbef56edbfb7b7d576af16d78dfc803 all runs: OK # git bisect good 76bfd3de34783ceda1fc1d73d0db87361de07ecb Bisecting: 1827 revisions left to test after this (roughly 11 steps) [932c2989b59008e530ffcc7c7e6ef507a28b28ca] Merge tag 'tty-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty testing commit 932c2989b59008e530ffcc7c7e6ef507a28b28ca compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 169e5c152cae3b701d1e8163fa502171d7ff5de03206dbe572cad832e57e33f3 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 932c2989b59008e530ffcc7c7e6ef507a28b28ca Bisecting: 922 revisions left to test after this (roughly 10 steps) [2981436374177f78539b026ce5bcbab8c251818e] Merge tag 'hte/for-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux testing commit 2981436374177f78539b026ce5bcbab8c251818e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ee922b79de07e1c613d0b3db7b523f59fa6014575614e2930184ced75b712702 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 2981436374177f78539b026ce5bcbab8c251818e Bisecting: 461 revisions left to test after this (roughly 9 steps) [6ac6dc746d70ef9b4ac835d98ac1baf63a810c57] Merge branch 'mlx5-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux testing commit 6ac6dc746d70ef9b4ac835d98ac1baf63a810c57 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 51c4173c37c26d1950011c13d907449f51075e5fe443c13d26c3c2e3603add63 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: boot failed: INFO: task hung in add_early_randomness run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect skip 6ac6dc746d70ef9b4ac835d98ac1baf63a810c57 Bisecting: 460 revisions left to test after this (roughly 9 steps) [6a4b02b8fa402e85b7da9c380c90395b7129f6c0] mlxsw: Revert "Introduce initial XM router support" testing commit 6a4b02b8fa402e85b7da9c380c90395b7129f6c0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5400540f229571d08552516e9015281e10533004fa07ff9003178d3e266a762e run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 6a4b02b8fa402e85b7da9c380c90395b7129f6c0 Bisecting: 230 revisions left to test after this (roughly 8 steps) [5c2d0a6a0701ba86a4bb0bf1876266c751e328bd] net: phy: dp83867: implement support for io_impedance_ctrl nvmem cell testing commit 5c2d0a6a0701ba86a4bb0bf1876266c751e328bd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8351ba3001a11a5940dc7daa570392a181586d81458655491b9b7f1f9b881b42 all runs: OK # git bisect good 5c2d0a6a0701ba86a4bb0bf1876266c751e328bd Bisecting: 107 revisions left to test after this (roughly 7 steps) [9fb424c4c29df0d7f39b686d4037cbc7e06ed7b5] Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 9fb424c4c29df0d7f39b686d4037cbc7e06ed7b5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7e3e3f5ce1089179e1c73264a6ab445e823692d484feaa19f7bdce689dc02fdc all runs: OK # git bisect good 9fb424c4c29df0d7f39b686d4037cbc7e06ed7b5 Bisecting: 53 revisions left to test after this (roughly 6 steps) [73087489250def7cdda2dee5ba685bdeae73b8af] selftests/bpf: Add benchmark for local_storage get testing commit 73087489250def7cdda2dee5ba685bdeae73b8af compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fe9ac1464baba530f117babf0c506a5974f81b3297da0474cdae9bc4d2acc7d1 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 73087489250def7cdda2dee5ba685bdeae73b8af Bisecting: 26 revisions left to test after this (roughly 5 steps) [cf90a20db878fddedefbdfeaff6695a0ee20f690] libbpf: remove internal multi-instance prog support testing commit cf90a20db878fddedefbdfeaff6695a0ee20f690 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 86f6cef57c02ecb5a502d4c69d7759bddf6a077ea75be509ebd2b443c14a1f32 all runs: OK # git bisect good cf90a20db878fddedefbdfeaff6695a0ee20f690 Bisecting: 12 revisions left to test after this (roughly 4 steps) [a4b2f3cf699f8ec3964722e7ef3f37f809701172] libbpf: implement bpf_prog_query_opts testing commit a4b2f3cf699f8ec3964722e7ef3f37f809701172 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 02d70e3fea29402da2e13a70e7203456b3bc97b80aeda9e5687eee6ca344f313 all runs: crashed: general protection fault in do_check_common # git bisect bad a4b2f3cf699f8ec3964722e7ef3f37f809701172 Bisecting: 6 revisions left to test after this (roughly 3 steps) [00442143a2ab7f1da46fbf4d2a99c85df767d49a] bpf: convert cgroup_bpf.progs to hlist testing commit 00442143a2ab7f1da46fbf4d2a99c85df767d49a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e60aac986696088d089cd4412fb58c50b52e9375210ec1342b6ce02c8da0cb0e all runs: OK # git bisect good 00442143a2ab7f1da46fbf4d2a99c85df767d49a Bisecting: 2 revisions left to test after this (roughly 2 steps) [9113d7e48e9128522b9f5a54dfd30dff10509a92] bpf: expose bpf_{g,s}etsockopt to lsm cgroup testing commit 9113d7e48e9128522b9f5a54dfd30dff10509a92 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: dc6ae12fff48c8e23f430b558d902935da70c811de48fbfceb6ab385393f2a5d all runs: crashed: general protection fault in do_check_common # git bisect bad 9113d7e48e9128522b9f5a54dfd30dff10509a92 Bisecting: 1 revision left to test after this (roughly 1 step) [c0e19f2c9a3edd38e4b1bdae98eb44555d02bc31] bpf: minimize number of allocated lsm slots per program testing commit c0e19f2c9a3edd38e4b1bdae98eb44555d02bc31 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e195e9f968273f00ef5fe168b3843be587206b3b7c60a92f361149bd2c282f61 all runs: crashed: general protection fault in do_check_common # git bisect bad c0e19f2c9a3edd38e4b1bdae98eb44555d02bc31 Bisecting: 0 revisions left to test after this (roughly 0 steps) [69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e] bpf: per-cgroup lsm flavor testing commit 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 96a0bf1f5ab90f40cff4b0a4f84682a0aeee6709c2b3a79abe54824e36940968 all runs: crashed: general protection fault in do_check_common # git bisect bad 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e is the first bad commit commit 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e Author: Stanislav Fomichev Date: Tue Jun 28 10:43:06 2022 -0700 bpf: per-cgroup lsm flavor Allow attaching to lsm hooks in the cgroup context. Attaching to per-cgroup LSM works exactly like attaching to other per-cgroup hooks. New BPF_LSM_CGROUP is added to trigger new mode; the actual lsm hook we attach to is signaled via existing attach_btf_id. For the hooks that have 'struct socket' or 'struct sock' as its first argument, we use the cgroup associated with that socket. For the rest, we use 'current' cgroup (this is all on default hierarchy == v2 only). Note that for some hooks that work on 'struct sock' we still take the cgroup from 'current' because some of them work on the socket that hasn't been properly initialized yet. Behind the scenes, we allocate a shim program that is attached to the trampoline and runs cgroup effective BPF programs array. This shim has some rudimentary ref counting and can be shared between several programs attaching to the same lsm hook from different cgroups. Note that this patch bloats cgroup size because we add 211 cgroup_bpf_attach_type(s) for simplicity sake. This will be addressed in the subsequent patch. Also note that we only add non-sleepable flavor for now. To enable sleepable use-cases, bpf_prog_run_array_cg has to grab trace rcu, shim programs have to be freed via trace rcu, cgroup_bpf.effective should be also trace-rcu-managed + maybe some other changes that I'm not aware of. Reviewed-by: Martin KaFai Lau Signed-off-by: Stanislav Fomichev Link: https://lore.kernel.org/r/20220628174314.1216643-4-sdf@google.com Signed-off-by: Alexei Starovoitov arch/x86/net/bpf_jit_comp.c | 24 +++-- include/linux/bpf-cgroup-defs.h | 8 ++ include/linux/bpf-cgroup.h | 7 ++ include/linux/bpf.h | 24 +++++ include/linux/bpf_lsm.h | 13 +++ include/linux/btf_ids.h | 3 +- include/uapi/linux/bpf.h | 1 + kernel/bpf/bpf_lsm.c | 48 ++++++++++ kernel/bpf/btf.c | 11 +++ kernel/bpf/cgroup.c | 136 ++++++++++++++++++++++++--- kernel/bpf/core.c | 2 + kernel/bpf/syscall.c | 10 ++ kernel/bpf/trampoline.c | 198 ++++++++++++++++++++++++++++++++++++++++ kernel/bpf/verifier.c | 32 +++++++ tools/include/uapi/linux/bpf.h | 1 + 15 files changed, 498 insertions(+), 20 deletions(-) culprit signature: 96a0bf1f5ab90f40cff4b0a4f84682a0aeee6709c2b3a79abe54824e36940968 parent signature: e60aac986696088d089cd4412fb58c50b52e9375210ec1342b6ce02c8da0cb0e revisions tested: 17, total time: 4h2m18.021551144s (build: 1h56m25.420870264s, test: 2h4m19.038505158s) first bad commit: 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e bpf: per-cgroup lsm flavor recipients (to): ["ast@kernel.org" "kafai@fb.com" "sdf@google.com"] recipients (cc): [] crash: general protection fault in do_check_common general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 4099 Comm: syz-executor.0 Not tainted 5.19.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 RIP: 0010:check_return_code kernel/bpf/verifier.c:10575 [inline] RIP: 0010:do_check kernel/bpf/verifier.c:12346 [inline] RIP: 0010:do_check_common+0x7608/0xb8e0 kernel/bpf/verifier.c:14610 Code: 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5c 48 8b 9b 00 01 00 00 b8 ff ff 37 00 48 c1 e0 2a 48 8d 7b 08 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3d 83 RSP: 0018:ffffc900030d7628 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff8912cb80 RDI: 0000000000000008 RBP: ffffc900030d78a8 R08: 0000000000000001 R09: ffffffff89138cce R10: fffff5200061aeb1 R11: 0000000000000007 R12: ffff88807d0e7020 R13: 0000000000000005 R14: ffff88807d0e7000 R15: ffffc900015ce000 FS: 00007fbff0b6f700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbfefb9c028 CR3: 00000000160f4000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: do_check_main kernel/bpf/verifier.c:14673 [inline] bpf_check+0x5f1f/0xa6c0 kernel/bpf/verifier.c:15243 bpf_prog_load+0xc57/0x1b70 kernel/bpf/syscall.c:2575 __sys_bpf+0x10a3/0x42e0 kernel/bpf/syscall.c:4928 __do_sys_bpf kernel/bpf/syscall.c:5032 [inline] __se_sys_bpf kernel/bpf/syscall.c:5030 [inline] __x64_sys_bpf+0x70/0xb0 kernel/bpf/syscall.c:5030 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fbfefa89109 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fbff0b6f168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007fbfefb9bf60 RCX: 00007fbfefa89109 RDX: 0000000000000080 RSI: 00000000200004c0 RDI: 0000000000000005 RBP: 00007fbfefae305d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe8b4401af R14: 00007fbff0b6f300 R15: 0000000000022000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:check_return_code kernel/bpf/verifier.c:10575 [inline] RIP: 0010:do_check kernel/bpf/verifier.c:12346 [inline] RIP: 0010:do_check_common+0x7608/0xb8e0 kernel/bpf/verifier.c:14610 Code: 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5c 48 8b 9b 00 01 00 00 b8 ff ff 37 00 48 c1 e0 2a 48 8d 7b 08 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3d 83 RSP: 0018:ffffc900030d7628 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff8912cb80 RDI: 0000000000000008 RBP: ffffc900030d78a8 R08: 0000000000000001 R09: ffffffff89138cce R10: fffff5200061aeb1 R11: 0000000000000007 R12: ffff88807d0e7020 R13: 0000000000000005 R14: ffff88807d0e7000 R15: ffffc900015ce000 FS: 00007fbff0b6f700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbfefb9d090 CR3: 00000000160f4000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 48 89 fa mov %rdi,%rdx 5: 48 c1 ea 03 shr $0x3,%rdx 9: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) d: 75 5c jne 0x6b f: 48 8b 9b 00 01 00 00 mov 0x100(%rbx),%rbx 16: b8 ff ff 37 00 mov $0x37ffff,%eax 1b: 48 c1 e0 2a shl $0x2a,%rax 1f: 48 8d 7b 08 lea 0x8(%rbx),%rdi 23: 48 89 fa mov %rdi,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction 2e: 48 89 f8 mov %rdi,%rax 31: 83 e0 07 and $0x7,%eax 34: 83 c0 03 add $0x3,%eax 37: 38 d0 cmp %dl,%al 39: 7c 04 jl 0x3f 3b: 84 d2 test %dl,%dl 3d: 75 3d jne 0x7c 3f: 83 .byte 0x83