ci2 starts bisection 2024-02-23 03:54:29.431317079 +0000 UTC m=+40265.303653880
bisecting fixing commit since 61cfd264993d07540f60a5c53d77a14c818e54a9
building syzkaller on 7ec6c0443c90a3b37b815249619172c60d3ef557
ensuring issue is reproducible on original commit 61cfd264993d07540f60a5c53d77a14c818e54a9
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 26a35c923430f9dcabff582f5294861564a157752782f15e9d854f041a689bc2
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dd53f2ea0437ac1f03ddb7e5bbb27aa5719773fbc22e85ed92e1d5290909b877
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=4920 full=6161 leaves diff=241
split chunks (needed=false): <241>
split chunk #0 of len 241 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cd6badebfa3118251fd19a288eed214f8881b303fc9f21e402ec34cd11ac33ae
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e73b5ba0b3645911a2dbed8daabcd6781e2024bd1c7c37e052ff19829900a2bd
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 84fb1525c69ee9a2f86060bd48a4ae8bc098b4233262ac365efb3eb623144511
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ab8305abc63b6fa704a0117efddea0224cede3ad94e3f2108e3a4cf708d275e4
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 61cfd264993d07540f60a5c53d77a14c818e54a9: net/socket.c:1189: undefined reference to `wext_handle_ioctl'
net/socket.c:3383: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing current HEAD 993bed180178156a70afdafe8aaf23a117107352
testing commit 993bed180178156a70afdafe8aaf23a117107352 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a4c3364f04d9213908484658f3e73dac38a6f562ada0e3cb2e2e2edd725a89ed
all runs: OK
false negative chance: 0.000
# git bisect start 993bed180178156a70afdafe8aaf23a117107352 61cfd264993d07540f60a5c53d77a14c818e54a9
Bisecting: 1009 revisions left to test after this (roughly 10 steps)
[fa5f992dcf89452229ecca7e3c5e9c883242bf0b] powerpc/ftrace: Fix stack teardown in ftrace_no_trace
determine whether the revision contains the guilty commit
checking the merge base 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5
no existing result, test the revision
testing commit 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2c498aae8d60f0022f8cf65e5c5c2bd41f20caab026fdde9bd5e513df92ed8fa
run #0: crashed: kernel BUG in prog_array_map_poke_run
run #1: crashed: kernel BUG in prog_array_map_poke_run
run #2: crashed: kernel BUG in prog_array_map_poke_run
run #3: crashed: kernel BUG in prog_array_map_poke_run
run #4: crashed: kernel BUG in prog_array_map_poke_run
run #5: crashed: kernel BUG in prog_array_map_poke_run
run #6: crashed: kernel BUG in prog_array_map_poke_run
run #7: crashed: kernel BUG in prog_array_map_poke_run
run #8: crashed: kernel BUG in prog_array_map_poke_run
run #9: boot failed: can't ssh into the instance
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
testing commit fa5f992dcf89452229ecca7e3c5e9c883242bf0b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0e9a1d65be0ee8ef4156e30df1201cdd6e29cf6e7ed1a1765cd4c85ae23fd412
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
# git bisect good fa5f992dcf89452229ecca7e3c5e9c883242bf0b
Bisecting: 504 revisions left to test after this (roughly 9 steps)
[f100ba617d8be6c98a68f3744ef7617082975b77] f2fs: fix to avoid dirent corruption
determine whether the revision contains the guilty commit
revision fa5f992dcf89452229ecca7e3c5e9c883242bf0b crashed and is reachable
testing commit f100ba617d8be6c98a68f3744ef7617082975b77 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 42921683afb4d1dcef51f7a99a777005fb3d545235381d09e2410c192a75bdb3
all runs: OK
false negative chance: 0.000
# git bisect bad f100ba617d8be6c98a68f3744ef7617082975b77
Bisecting: 252 revisions left to test after this (roughly 8 steps)
[53bed9b9f43100e5e98af3cd21fcbb9a7f9b2d2a] ring-buffer: Remove useless update to write_stamp in rb_try_to_discard()
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 53bed9b9f43100e5e98af3cd21fcbb9a7f9b2d2a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9f15751e3d535960284ead62c070cc1c981e5fab18a80f97a7d9a60bf5f49dfc
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
# git bisect good 53bed9b9f43100e5e98af3cd21fcbb9a7f9b2d2a
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[5cf604ee538ed0c467abe3b4cda5308a6398f0f7] uio: Fix use-after-free in uio_open
determine whether the revision contains the guilty commit
revision fa5f992dcf89452229ecca7e3c5e9c883242bf0b crashed and is reachable
testing commit 5cf604ee538ed0c467abe3b4cda5308a6398f0f7 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e3f80e76f9659ddf8d7b266a1f6f32a2edea00ff9d575e85ef19b20677df6901
all runs: OK
false negative chance: 0.000
# git bisect bad 5cf604ee538ed0c467abe3b4cda5308a6398f0f7
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[ccb7eef5f2f3ab3a4c3bb00f06933cb691e21516] kallsyms: Make module_kallsyms_on_each_symbol generally available
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit ccb7eef5f2f3ab3a4c3bb00f06933cb691e21516 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b9c8bd9a497fab5193dfbf6fa6ec96f679ee8fde3f1008f7f8bd49946ca3a513
all runs: OK
false negative chance: 0.000
# git bisect bad ccb7eef5f2f3ab3a4c3bb00f06933cb691e21516
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[51976846f20232a26d9ea15841abcf492b40c070] net: bcmgenet: Fix FCS generation for fragmented skbuffs
determine whether the revision contains the guilty commit
revision 53bed9b9f43100e5e98af3cd21fcbb9a7f9b2d2a crashed and is reachable
testing commit 51976846f20232a26d9ea15841abcf492b40c070 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 521721ef6bf8b2b4482c4a148d513a49d1af7f8869ceecfdae695bf234e4fb24
all runs: OK
false negative chance: 0.000
# git bisect bad 51976846f20232a26d9ea15841abcf492b40c070
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[a7b67635de1a0c4168c9b91877d7ecab1d2a3438] octeontx2-af: Fix marking couple of structure as __packed
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit a7b67635de1a0c4168c9b91877d7ecab1d2a3438 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f459f3d1f6b5ce95066266bcfbc00227a1e6fce98686dfc34f583d87af407511
all runs: OK
false negative chance: 0.000
# git bisect bad a7b67635de1a0c4168c9b91877d7ecab1d2a3438
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[26c690eff0a56293e0b6911a38e406c211b35547] Linux 5.15.146
determine whether the revision contains the guilty commit
revision 53bed9b9f43100e5e98af3cd21fcbb9a7f9b2d2a crashed and is reachable
testing commit 26c690eff0a56293e0b6911a38e406c211b35547 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: da16eed44c41d25f77df95ab4e0a7ca1cc26d7a7f011cdc7f617e8ecb0ff56a5
all runs: OK
false negative chance: 0.000
# git bisect bad 26c690eff0a56293e0b6911a38e406c211b35547
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[a033bb82a10cfc312a4d9655fc878ef501c96b95] ring-buffer: Fix slowpath of interrupted event
determine whether the revision contains the guilty commit
revision fa5f992dcf89452229ecca7e3c5e9c883242bf0b crashed and is reachable
testing commit a033bb82a10cfc312a4d9655fc878ef501c96b95 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bef73fe5c95f0e8ece2c244e2bf642c20ae5854166a69f6ce5791990c00858a7
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
# git bisect good a033bb82a10cfc312a4d9655fc878ef501c96b95
Bisecting: 1 revision left to test after this (roughly 1 step)
[339add0430e7cc94a483179ed2b2cc8d2eec0b4f] device property: Allow const parameter to dev_fwnode()
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 339add0430e7cc94a483179ed2b2cc8d2eec0b4f gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 61283ee29fea70cc991052cd9bb7b422d797ce842d1f252438c7ba1a5cfa453b
all runs: crashed: kernel BUG in prog_array_map_poke_run
representative crash: kernel BUG in prog_array_map_poke_run, types: [BUG]
# git bisect good 339add0430e7cc94a483179ed2b2cc8d2eec0b4f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[13578b4ea461da333b863e7a2f732f0f8e0ffbd0] bpf: Fix prog_array_map_poke_run map poke update
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 13578b4ea461da333b863e7a2f732f0f8e0ffbd0 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8d46d6e2daa47d329ee9bd59c1452907517d09c4d47b6844eac055e7c54087c6
all runs: OK
false negative chance: 0.000
# git bisect bad 13578b4ea461da333b863e7a2f732f0f8e0ffbd0
13578b4ea461da333b863e7a2f732f0f8e0ffbd0 is the first bad commit
commit 13578b4ea461da333b863e7a2f732f0f8e0ffbd0
Author: Jiri Olsa
Date:   Wed Dec 6 09:30:40 2023 +0100

    bpf: Fix prog_array_map_poke_run map poke update

    commit 4b7de801606e504e69689df71475d27e35336fb3 upstream.

    Lee pointed out an issue found by syzkaller [0] hitting a BUG in prog
    array map poke update in the prog_array_map_poke_run function due to
    an error value returned from the bpf_arch_text_poke function.

    There's a race window where bpf_arch_text_poke can fail due to missing
    bpf program kallsym symbols, which is accounted for with a check for
    -EINVAL in that BUG_ON call.

    The problem is that in such case we won't update the tail call jump
    and cause imbalance for the next tail call update check, which will
    fail with -EBUSY in bpf_arch_text_poke.

    I'm hitting the following race during the program load:

      CPU 0                                CPU 1

      bpf_prog_load
        bpf_check
          do_misc_fixups
            prog_array_map_poke_track

                                           map_update_elem
                                             bpf_fd_array_map_update_elem
                                               prog_array_map_poke_run

                                                 bpf_arch_text_poke returns -EINVAL

        bpf_prog_kallsyms_add

    After bpf_arch_text_poke (CPU 1) fails to update the tail call jump,
    the next poke update fails on the expected jump instruction check in
    bpf_arch_text_poke with -EBUSY and triggers the BUG_ON in
    prog_array_map_poke_run.

    Similar race exists on the program unload.

    Fixing this by moving the update to the bpf_arch_poke_desc_update
    function, which makes sure we call __bpf_arch_text_poke that skips the
    bpf address check.

    Each architecture has a slightly different approach wrt looking up the
    bpf address in bpf_arch_text_poke, so instead of splitting the function
    or adding a new 'checkip' argument as in the previous version, it seems
    best to move the whole map_poke_run update into arch specific code.

    [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810

    Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
    Reported-by: syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com
    Signed-off-by: Jiri Olsa
    Signed-off-by: Daniel Borkmann
    Acked-by: Yonghong Song
    Cc: Lee Jones
    Cc: Maciej Fijalkowski
    Link: https://lore.kernel.org/bpf/20231206083041.1306660-2-jolsa@kernel.org
    Signed-off-by: Greg Kroah-Hartman

 arch/x86/net/bpf_jit_comp.c | 46 +++++++++++++++++++++++++++++++++++
 include/linux/bpf.h         |  3 +++
 kernel/bpf/arraymap.c       | 58 ++++++++------------------------------------
 3 files changed, 59 insertions(+), 48 deletions(-)

accumulated error probability: 0.00
culprit signature: 8d46d6e2daa47d329ee9bd59c1452907517d09c4d47b6844eac055e7c54087c6
parent signature: 61283ee29fea70cc991052cd9bb7b422d797ce842d1f252438c7ba1a5cfa453b
revisions tested: 19, total time: 3h2m0.391305925s (build: 46m39.688204868s, test: 2h11m6.944577964s)
first good commit: 13578b4ea461da333b863e7a2f732f0f8e0ffbd0 bpf: Fix prog_array_map_poke_run map poke update
recipients (to): ["daniel@iogearbox.net" "gregkh@linuxfoundation.org" "jolsa@kernel.org" "yonghong.song@linux.dev"]
recipients (cc): []