bisecting fixing commit since 3ffe1e79c174b2093f7ee3df589a7705572c9620
building syzkaller on ef801a3eab3f5c84fa7f61fd739c9fcb45925caa
testing commit 3ffe1e79c174b2093f7ee3df589a7705572c9620 with gcc (GCC) 8.1.0
kernel signature: c0e427804ac7c2b926563fc848dcf0baa2ae6e2d
all runs: crashed: general protection fault in packet_lookup_frame
testing current HEAD fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: b7ca951a85569a1b87d0a3df30f664aa9a78affb
all runs: OK
# git bisect start fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f 3ffe1e79c174b2093f7ee3df589a7705572c9620
Bisecting: 905 revisions left to test after this (roughly 10 steps)
[f991b1fa0ded689f980cc25312b5003f35add8bf] drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50
testing commit f991b1fa0ded689f980cc25312b5003f35add8bf with gcc (GCC) 8.1.0
kernel signature: 4f0d0bea8242c6ab9c0cffd6c73e8e578244f845
all runs: OK
# git bisect bad f991b1fa0ded689f980cc25312b5003f35add8bf
Bisecting: 452 revisions left to test after this (roughly 9 steps)
[5d9d31116f623c87e12363aab35c3aaafeff9097] irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
testing commit 5d9d31116f623c87e12363aab35c3aaafeff9097 with gcc (GCC) 8.1.0
kernel signature: 73dc7bc85f20895e603052f7304f9847bd4f50b6
all runs: OK
# git bisect bad 5d9d31116f623c87e12363aab35c3aaafeff9097
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[564e2b87491c615a95d9a200fb4ad267e403db4d] tcp: make sure EPOLLOUT wont be missed
testing commit 564e2b87491c615a95d9a200fb4ad267e403db4d with gcc (GCC) 8.1.0
kernel signature: 3fb08b8d2f8785bf83adcdd8f134d5ac233e79c3
all runs: OK
# git bisect bad 564e2b87491c615a95d9a200fb4ad267e403db4d
Bisecting: 112 revisions left to test after this (roughly 7 steps)
[5c8b1c3659c75c83bd48e8d3b0b8a24a3f29052b] staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
testing commit 5c8b1c3659c75c83bd48e8d3b0b8a24a3f29052b with gcc (GCC) 8.1.0
kernel signature: 2202840f327d1fc8f50ff07666ba92c74551b7a7
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good 5c8b1c3659c75c83bd48e8d3b0b8a24a3f29052b
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[9e47a7963485c636a0e75b192c898d72d16bac38] net: hisilicon: Fix dma_map_single failed on arm64
testing commit 9e47a7963485c636a0e75b192c898d72d16bac38 with gcc (GCC) 8.1.0
kernel signature: 477e53d95bfa0286c5c07d22c1f92245ebae1eee
all runs: OK
# git bisect bad 9e47a7963485c636a0e75b192c898d72d16bac38
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[64d1cec408bfcbfedd7bc33887b0a0a610435da9] xfrm: policy: remove pcpu policy cache
testing commit 64d1cec408bfcbfedd7bc33887b0a0a610435da9 with gcc (GCC) 8.1.0
kernel signature: 693157d81bd540440831782c53cbd35268760374
all runs: OK
# git bisect bad 64d1cec408bfcbfedd7bc33887b0a0a610435da9
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[209479bfff8da8a53a460591b89007e4254d5245] arm64: ftrace: Ensure module ftrace trampoline is coherent with I-side
testing commit 209479bfff8da8a53a460591b89007e4254d5245 with gcc (GCC) 8.1.0
kernel signature: 73af202536fc314f1a97b1315dd9ffc05d6cfa8b
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good 209479bfff8da8a53a460591b89007e4254d5245
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[382d8991832ff838b08257a6355edbfc28106043] sctp: fix the transport error_count check
testing commit 382d8991832ff838b08257a6355edbfc28106043 with gcc (GCC) 8.1.0
kernel signature: 2351382b420d2b0a8aba91ccea7a0169eac8bc6f
all runs: OK
# git bisect bad 382d8991832ff838b08257a6355edbfc28106043
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[37bc6f45e8dcec51eb162da618b96fc96b291f26] iommu/amd: Move iommu_init_pci() to .init section
testing commit 37bc6f45e8dcec51eb162da618b96fc96b291f26 with gcc (GCC) 8.1.0
kernel signature: 0fd285e1b6398cdee100bb901dfce4dc83521b58
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good 37bc6f45e8dcec51eb162da618b96fc96b291f26
Bisecting: 1 revision left to test after this (roughly 1 step)
[fbaae3105ff1f12a7f2a565ef4e9cd18dc83d0f1] net/mlx4_en: fix a memory leak bug
testing commit fbaae3105ff1f12a7f2a565ef4e9cd18dc83d0f1 with gcc (GCC) 8.1.0
kernel signature: 063452a593227a84baac57b21c5e9e7d368670d3
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good fbaae3105ff1f12a7f2a565ef4e9cd18dc83d0f1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[5ac73816dda7d2d33ef89177b3d095b3cf5777fb] net/packet: fix race in tpacket_snd()
testing commit 5ac73816dda7d2d33ef89177b3d095b3cf5777fb with gcc (GCC) 8.1.0
kernel signature: 9de5fb5a40b1eb199971e85a0014367f207e9019
all runs: OK
# git bisect bad 5ac73816dda7d2d33ef89177b3d095b3cf5777fb
5ac73816dda7d2d33ef89177b3d095b3cf5777fb is the first bad commit
commit 5ac73816dda7d2d33ef89177b3d095b3cf5777fb
Author: Eric Dumazet
Date: Wed Aug 14 02:11:57 2019 -0700

    net/packet: fix race in tpacket_snd()

    [ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]

    packet_sendmsg() checks tx_ring.pg_vec to decide
    if it must call tpacket_snd().

    Problem is that the check is lockless, meaning another thread
    can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
    tx_ring.pg_vec back to NULL.

    Given that tpacket_snd() grabs pg_vec_lock mutex, we can
    perform the check again to solve the race.

    syzbot reported :

    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
    Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
    RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
    RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
    RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
    R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
    R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
    FS: 00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     packet_current_frame net/packet/af_packet.c:487 [inline]
     tpacket_snd net/packet/af_packet.c:2667 [inline]
     packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
     sock_sendmsg_nosec net/socket.c:637 [inline]
     sock_sendmsg+0xd7/0x130 net/socket.c:657
     ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
     __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
     __do_sys_sendmmsg net/socket.c:2442 [inline]
     __se_sys_sendmmsg net/socket.c:2439 [inline]
     __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
     do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/packet/af_packet.c | 7 +++++++
 1 file changed, 7 insertions(+)
kernel signature: 9de5fb5a40b1eb199971e85a0014367f207e9019
previous signature: 063452a593227a84baac57b21c5e9e7d368670d3
revisions tested: 13, total time: 3h34m50.291416785s (build: 1h44m9.06033319s, test: 1h46m40.233874566s)
first good commit: 5ac73816dda7d2d33ef89177b3d095b3cf5777fb net/packet: fix race in tpacket_snd()
cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org" "jgg@mellanox.com" "kal.conley@dectris.com" "linux-kernel@vger.kernel.org" "maxime.chevallier@bootlin.com" "netdev@vger.kernel.org" "nhorman@tuxdriver.com" "willemb@google.com" "yuehaibing@huawei.com"]