bisecting cause commit starting from 96a233e600df351bcb06e3c20efe048855552926 building syzkaller on 5d921b0849eb1958da5e91793b7795131d28b54c testing commit 96a233e600df351bcb06e3c20efe048855552926 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bd4a18ba0955cad9155ec457db6462dee1b831f8a70eae921b2c69e2093bca7a all runs: crashed: general protection fault in check_helper_call testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3611693bd97168481f4ef96d42c8fc6295e685d5b1e44545eafcb3a049c2a675 all runs: OK # git bisect start 96a233e600df351bcb06e3c20efe048855552926 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 8503 revisions left to test after this (roughly 13 steps) [c011dd537ffe47462051930413fed07dbdc80313] Merge tag 'arm-soc-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit c011dd537ffe47462051930413fed07dbdc80313 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ddd016e4a14db02c1e75eb11085e052c146000d3b0c946692d7453cc561fab0e all runs: OK # git bisect good c011dd537ffe47462051930413fed07dbdc80313 Bisecting: 4251 revisions left to test after this (roughly 12 steps) [96479c09803b21d195c95fd4b145cd3a5a591ba0] Merge tag 'arm-multiplatform-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 96479c09803b21d195c95fd4b145cd3a5a591ba0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 08db2d30d0e7daa2a90151b008a83d8766e961b60e246b27ace1fd747d9a2fef all runs: OK # git bisect good 96479c09803b21d195c95fd4b145cd3a5a591ba0 Bisecting: 2123 revisions left to test after this (roughly 11 steps) [3cae0d84756aea1c563f0cf9f668cf13e281e8a5] Merge tag 'random-5.19-rc2-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random testing commit 3cae0d84756aea1c563f0cf9f668cf13e281e8a5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8775fe33d8382cdd53e44cd243b793d03697ab8b4097205f762c428f61162963 all runs: OK # git bisect good 3cae0d84756aea1c563f0cf9f668cf13e281e8a5 Bisecting: 1060 revisions left to test after this (roughly 10 steps) [e35e5b6f695d241ffb1d223207da58a1fbcdff4b] Merge tag 'xsa-5.19-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit e35e5b6f695d241ffb1d223207da58a1fbcdff4b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 31c8ef22e77c6cfa492ef9742743d8c0657a61a4c8f7d109a1557bf49c6a682e all runs: OK # git bisect good e35e5b6f695d241ffb1d223207da58a1fbcdff4b Bisecting: 530 revisions left to test after this (roughly 9 steps) [957b96e35b9c4bb9526d90de9888c347d9a85fcb] Merge branch 'net-phylink-cleanup-pcs-code' testing commit 957b96e35b9c4bb9526d90de9888c347d9a85fcb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a14dee8e1eff73630e5f905a9d505de360d848abce02fbcecf90b072e7d9edca all runs: OK # git bisect good 957b96e35b9c4bb9526d90de9888c347d9a85fcb Bisecting: 288 revisions left to test after this (roughly 8 steps) [cf21b355ccb39b0de0b6a7362532bb5584c84a80] af_unix: Optimise hash table layout. testing commit cf21b355ccb39b0de0b6a7362532bb5584c84a80 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 514fc603fdf1c20131a07e83dff9e66b25065da97091c2eddc379d24bc938cd2 all runs: OK # git bisect good cf21b355ccb39b0de0b6a7362532bb5584c84a80 Bisecting: 144 revisions left to test after this (roughly 7 steps) [b89fec54fd614ffa4b7567edfae8b9e56c07ff69] tls: rx: wrap decrypt params in a struct testing commit b89fec54fd614ffa4b7567edfae8b9e56c07ff69 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8943a597ca24e944d7b5ae76a0eafa83772cf8a529820dd46b425cd7114e2d19 all runs: OK # git bisect good b89fec54fd614ffa4b7567edfae8b9e56c07ff69 Bisecting: 72 revisions left to test after this (roughly 6 steps) [990a6194f7e16cc23334892287f32899e241b1a9] bpftool: Rename "bpftool feature list" into "... feature list_builtins" testing commit 990a6194f7e16cc23334892287f32899e241b1a9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c40cab6dd0561e26b97dcc318dcf278d9bd60d1dce5042f6c5293405d0becd39 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: general protection fault in check_helper_call run #2: crashed: general protection fault in check_helper_call run #3: crashed: general protection fault in check_helper_call run #4: crashed: general protection fault in check_helper_call run #5: crashed: general protection fault in check_helper_call run #6: crashed: general protection fault in check_helper_call run #7: crashed: general protection fault in check_helper_call run #8: crashed: general protection fault in check_helper_call run #9: crashed: general protection fault in check_helper_call # git bisect bad 990a6194f7e16cc23334892287f32899e241b1a9 Bisecting: 35 revisions left to test after this (roughly 5 steps) [d320fad217b79849d66b53d7fdb361020ab4f64c] libbpf: remove deprecated probing APIs testing commit d320fad217b79849d66b53d7fdb361020ab4f64c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bb83f6332cf48d80033e720c584887bc585850dd2fb3e42180a3d8ac44bb1eb2 all runs: OK # git bisect good d320fad217b79849d66b53d7fdb361020ab4f64c Bisecting: 17 revisions left to test after this (roughly 4 steps) [9113d7e48e9128522b9f5a54dfd30dff10509a92] bpf: expose bpf_{g,s}etsockopt to lsm cgroup testing commit 9113d7e48e9128522b9f5a54dfd30dff10509a92 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 44148af6c79defdca31b226c331113106e99b1a29f7db1f3c7abd2fb17edfffe all runs: crashed: general protection fault in check_helper_call # git bisect bad 9113d7e48e9128522b9f5a54dfd30dff10509a92 Bisecting: 8 revisions left to test after this (roughly 3 steps) [31e42721976b9c445477038f8a4006150cd27a60] selftests/bpf: remove last tests with legacy BPF map definitions testing commit 31e42721976b9c445477038f8a4006150cd27a60 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bf2072766583dd22901bd8c8ca9d3e5bde62f54a5d493775ade7b2a768b44f0d all runs: OK # git bisect good 31e42721976b9c445477038f8a4006150cd27a60 Bisecting: 4 revisions left to test after this (roughly 2 steps) [af3f4134006bf3bf894179c08aaf98ed5938cf4e] bpf: add bpf_func_t and trampoline helpers testing commit af3f4134006bf3bf894179c08aaf98ed5938cf4e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0345d2198dc0aa030566aaa9c66753a30fa47307ef6ba90b21af62ff8a00f228 all runs: OK # git bisect good af3f4134006bf3bf894179c08aaf98ed5938cf4e Bisecting: 2 revisions left to test after this (roughly 1 step) [69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e] bpf: per-cgroup lsm flavor testing commit 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ba2d99edb563ffe283b9cf776c52150a50fa1632a86485f6e804b8675cae0b91 all runs: crashed: general protection fault in check_helper_call # git bisect bad 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e Bisecting: 0 revisions left to test after this (roughly 0 steps) [00442143a2ab7f1da46fbf4d2a99c85df767d49a] bpf: convert cgroup_bpf.progs to hlist testing commit 00442143a2ab7f1da46fbf4d2a99c85df767d49a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9b9fac64b4b48b9096971c338499d54a5e67655ad81f618fbafe1a5e547f95eb all runs: OK # git bisect good 00442143a2ab7f1da46fbf4d2a99c85df767d49a 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e is the first bad commit commit 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e Author: Stanislav Fomichev Date: Tue Jun 28 10:43:06 2022 -0700 bpf: per-cgroup lsm flavor Allow attaching to lsm hooks in the cgroup context. Attaching to per-cgroup LSM works exactly like attaching to other per-cgroup hooks. New BPF_LSM_CGROUP is added to trigger new mode; the actual lsm hook we attach to is signaled via existing attach_btf_id. For the hooks that have 'struct socket' or 'struct sock' as its first argument, we use the cgroup associated with that socket. For the rest, we use 'current' cgroup (this is all on default hierarchy == v2 only). Note that for some hooks that work on 'struct sock' we still take the cgroup from 'current' because some of them work on the socket that hasn't been properly initialized yet. Behind the scenes, we allocate a shim program that is attached to the trampoline and runs cgroup effective BPF programs array. This shim has some rudimentary ref counting and can be shared between several programs attaching to the same lsm hook from different cgroups. Note that this patch bloats cgroup size because we add 211 cgroup_bpf_attach_type(s) for simplicity sake. This will be addressed in the subsequent patch. Also note that we only add non-sleepable flavor for now. To enable sleepable use-cases, bpf_prog_run_array_cg has to grab trace rcu, shim programs have to be freed via trace rcu, cgroup_bpf.effective should be also trace-rcu-managed + maybe some other changes that I'm not aware of. Reviewed-by: Martin KaFai Lau Signed-off-by: Stanislav Fomichev Link: https://lore.kernel.org/r/20220628174314.1216643-4-sdf@google.com Signed-off-by: Alexei Starovoitov arch/x86/net/bpf_jit_comp.c | 24 +++-- include/linux/bpf-cgroup-defs.h | 8 ++ include/linux/bpf-cgroup.h | 7 ++ include/linux/bpf.h | 24 +++++ include/linux/bpf_lsm.h | 13 +++ include/linux/btf_ids.h | 3 +- include/uapi/linux/bpf.h | 1 + kernel/bpf/bpf_lsm.c | 48 ++++++++++ kernel/bpf/btf.c | 11 +++ kernel/bpf/cgroup.c | 136 ++++++++++++++++++++++++--- kernel/bpf/core.c | 2 + kernel/bpf/syscall.c | 10 ++ kernel/bpf/trampoline.c | 198 ++++++++++++++++++++++++++++++++++++++++ kernel/bpf/verifier.c | 32 +++++++ tools/include/uapi/linux/bpf.h | 1 + 15 files changed, 498 insertions(+), 20 deletions(-) culprit signature: ba2d99edb563ffe283b9cf776c52150a50fa1632a86485f6e804b8675cae0b91 parent signature: 9b9fac64b4b48b9096971c338499d54a5e67655ad81f618fbafe1a5e547f95eb revisions tested: 16, total time: 3h51m17.234196088s (build: 1h52m47.830185391s, test: 1h56m47.256254209s) first bad commit: 69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e bpf: per-cgroup lsm flavor recipients (to): ["ast@kernel.org" "kafai@fb.com" "sdf@google.com"] recipients (cc): [] crash: general protection fault in check_helper_call general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 4092 Comm: syz-executor.0 Not tainted 5.19.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 RIP: 0010:check_helper_call+0x2aa4/0x83e0 kernel/bpf/verifier.c:7328 Code: 48 c1 ea 03 80 3c 02 00 0f 85 be 40 00 00 48 8b 9b 00 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7f RSP: 0018:ffffc90002c0f420 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 00000000000000bb RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000008 RBP: ffffc90002c0f618 R08: ffffc900015d0058 R09: 0000000000000000 R10: dffffc0000000000 R11: ffffffff8914a604 R12: ffff88801b4e9800 R13: 0000000000000000 R14: 0000000000000070 R15: ffff88801b28c000 FS: 00007ff9461fe700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff946b9c028 CR3: 00000000725aa000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: do_check kernel/bpf/verifier.c:12302 [inline] do_check_common+0x4fdc/0xb8e0 kernel/bpf/verifier.c:14610 do_check_main kernel/bpf/verifier.c:14673 [inline] bpf_check+0x5f1f/0xa6c0 kernel/bpf/verifier.c:15243 bpf_prog_load+0xc57/0x1b70 kernel/bpf/syscall.c:2575 __sys_bpf+0x10a3/0x42e0 kernel/bpf/syscall.c:4928 __do_sys_bpf kernel/bpf/syscall.c:5032 [inline] __se_sys_bpf kernel/bpf/syscall.c:5030 [inline] __x64_sys_bpf+0x70/0xb0 kernel/bpf/syscall.c:5030 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7ff946a89109 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff9461fe168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007ff946b9bf60 RCX: 00007ff946a89109 RDX: 0000000000000080 RSI: 0000000020000a00 RDI: 0000000000000005 RBP: 00007ff946ae30ed R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc5a2f812f R14: 00007ff9461fe300 R15: 0000000000022000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:check_helper_call+0x2aa4/0x83e0 kernel/bpf/verifier.c:7328 Code: 48 c1 ea 03 80 3c 02 00 0f 85 be 40 00 00 48 8b 9b 00 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7f RSP: 0018:ffffc90002c0f420 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 00000000000000bb RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000008 RBP: ffffc90002c0f618 R08: ffffc900015d0058 R09: 0000000000000000 R10: dffffc0000000000 R11: ffffffff8914a604 R12: ffff88801b4e9800 R13: 0000000000000000 R14: 0000000000000070 R15: ffff88801b28c000 FS: 00007ff9461fe700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff946b9c028 CR3: 00000000725aa000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 48 c1 ea 03 shr $0x3,%rdx 4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 8: 0f 85 be 40 00 00 jne 0x40cc e: 48 8b 9b 00 01 00 00 mov 0x100(%rbx),%rbx 15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 1c: fc ff df 1f: 48 8d 7b 08 lea 0x8(%rbx),%rdi 23: 48 89 fa mov %rdi,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction 2e: 48 89 f8 mov %rdi,%rax 31: 83 e0 07 and $0x7,%eax 34: 83 c0 03 add $0x3,%eax 37: 38 d0 cmp %dl,%al 39: 7c 08 jl 0x43 3b: 84 d2 test %dl,%dl 3d: 0f .byte 0xf 3e: 85 .byte 0x85 3f: 7f .byte 0x7f