ci2 starts bisection 2024-07-14 10:28:29.621566577 +0000 UTC m=+232234.169198033
bisecting fixing commit since 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4
building syzkaller on 34889ee3b09e7b4d381828377aa6173bfcc36cc7
ensuring issue is reproducible on original commit 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4

testing commit 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5641fb37b3170302539c57e965193bc614cb827fbe951f0fd1f8d267f60bbfdd
run #0: crashed: BUG: scheduling while atomic in do_nanosleep
run #1: crashed: BUG: scheduling while atomic in do_nanosleep
run #2: crashed: BUG: scheduling while atomic in do_nanosleep
run #3: crashed: BUG: scheduling while atomic in do_nanosleep
run #4: crashed: BUG: scheduling while atomic in futex_wait_queue_me
run #5: crashed: BUG: scheduling while atomic in do_nanosleep
run #6: crashed: BUG: scheduling while atomic in do_nanosleep
run #7: crashed: BUG: scheduling while atomic in do_nanosleep
run #8: crashed: BUG: scheduling while atomic in do_nanosleep
run #9: crashed: BUG: scheduling while atomic in do_nanosleep
run #10: crashed: BUG: scheduling while atomic in do_nanosleep
run #11: crashed: BUG: scheduling while atomic in do_nanosleep
run #12: crashed: BUG: scheduling while atomic in do_nanosleep
run #13: crashed: BUG: scheduling while atomic in do_nanosleep
run #14: crashed: BUG: scheduling while atomic in do_nanosleep
run #15: crashed: BUG: scheduling while atomic in do_nanosleep
run #16: crashed: BUG: scheduling while atomic in do_nanosleep
run #17: crashed: BUG: scheduling while atomic in do_nanosleep
run #18: crashed: BUG: scheduling while atomic in do_nanosleep
run #19: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]

check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP HANG], they are not needed
testing commit 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9c94ac33a22642d77494277927b63e7ae16f1e97dd5ef14c6651bc4ea5d9703e
all runs: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]
the bug reproduces without the instrumentation
disabling configs for [BUG KASAN LOCKDEP HANG LEAK UBSAN], they are not needed

kconfig minimization: base=4920 full=6160 leaves diff=242
split chunks (needed=false): <242>
split chunk #0 of len 242 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 94a60f24001aac18472b9e328882db1ecb39b0fa3ee6ebcbcddbee01e9958bc8
all runs: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1de9f9eb8f22676c67079905b8e1025f6282cb998f2391f7d34400edf9e8db61
all runs: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG KASAN LOCKDEP HANG LEAK], they are not needed
testing commit 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0e468a91ca9ad50b2d905c850900a75a9d270ba3edcbaadff8c0e19a621191a0
run #0: crashed: invalid opcode in vfree
run #1: crashed: BUG: scheduling while atomic in do_nanosleep
run #2: crashed: BUG: scheduling while atomic in do_nanosleep
run #3: crashed: BUG: scheduling while atomic in do_nanosleep
run #4: crashed: BUG: scheduling while atomic in do_nanosleep
run #5: crashed: BUG: scheduling while atomic in do_nanosleep
run #6: crashed: BUG: scheduling while atomic in do_nanosleep
run #7: crashed: BUG: scheduling while atomic in do_nanosleep
run #8: crashed: BUG: scheduling while atomic in exit_to_user_mode_prepare
run #9: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e2da93fc4e6952d2e30d9c8f73de34e864a788c41fd6bc73c81b157e414dfe60
all runs: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP HANG], they are not needed
testing commit 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4:
net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3385: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'

minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed

testing current HEAD db06c48ab67eb5db1ac64a0210d77742e335537a
testing commit db06c48ab67eb5db1ac64a0210d77742e335537a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5ab7ac734743850c0ce0c9766a745e95e0d6ff9e2f955d62fb059e2942774dfe
all runs: OK
false negative chance: 0.000

# git bisect start db06c48ab67eb5db1ac64a0210d77742e335537a 424f92bcbe8fa613ada7aec5ebe4ef434d5e50e4
Bisecting: 179 revisions left to test after this (roughly 8 steps)
[16f653776cafc4fd8dad5014e52eb8196fd9c318] wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
determine whether the revision contains the guilty commit
checking the merge base 458ce51d0356ee60c93f9f807d9827cf2a41643d
no existing result, test the revision
testing commit 458ce51d0356ee60c93f9f807d9827cf2a41643d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 58314a99e1d8a4bb191fe384e42560e05add0a205e119861b8c5d094737003a5
all runs: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]
testing commit 16f653776cafc4fd8dad5014e52eb8196fd9c318 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8eae27e16b99d972cee5cbf55a8bfb5fcba06d8f17fea6427c95e31d59e9f30b
all runs: OK
false negative chance: 0.000

# git bisect bad 16f653776cafc4fd8dad5014e52eb8196fd9c318
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[b9d69bfff6fdad3ebde0fd6fce5a2c5f9830ceba] x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch()
determine whether the revision contains the guilty commit
revision 458ce51d0356ee60c93f9f807d9827cf2a41643d crashed and is reachable
testing commit b9d69bfff6fdad3ebde0fd6fce5a2c5f9830ceba gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 30671f72f1f003a699c8c8f3ad0243b4634abe15ec1dd79d7838efc5e3743ccd
all runs: OK
false negative chance: 0.000

# git bisect bad b9d69bfff6fdad3ebde0fd6fce5a2c5f9830ceba
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[8fd604d4b0d7e6cef59b7fa8f43d07314e522097] nvmet-fc: defer cleanup using RCU properly
determine whether the revision contains the guilty commit
revision 458ce51d0356ee60c93f9f807d9827cf2a41643d crashed and is reachable
testing commit 8fd604d4b0d7e6cef59b7fa8f43d07314e522097 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e36d81256c72ff7c1a7b65e9139bea013d0350ef5d150aa6747c602730062ef0
all runs: OK
false negative chance: 0.000

# git bisect bad 8fd604d4b0d7e6cef59b7fa8f43d07314e522097
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[88c18fd06608b3adee547102505d715f21075c9d] wifi: mac80211: fix race condition on enabling fast-xmit
determine whether the revision contains the guilty commit
revision 458ce51d0356ee60c93f9f807d9827cf2a41643d crashed and is reachable
testing commit 88c18fd06608b3adee547102505d715f21075c9d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b8a17ca6c457b0ab42a8131b8d64ac20a2a965b5f25272fa473e1ebd9b79f7ff
all runs: OK
false negative chance: 0.000

# git bisect bad 88c18fd06608b3adee547102505d715f21075c9d
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[4b349c55bbd33c8918dbac13876d6842af571505] bpf: Do cleanup in bpf_bprintf_cleanup only when needed
determine whether the revision contains the guilty commit
revision 458ce51d0356ee60c93f9f807d9827cf2a41643d crashed and is reachable
testing commit 4b349c55bbd33c8918dbac13876d6842af571505 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b4b5c001014802ea5458c6d346e79cc06d32808b15b4f52380483ffdf634e846
all runs: OK
false negative chance: 0.000

# git bisect bad 4b349c55bbd33c8918dbac13876d6842af571505
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[890bc4fac3c0973a49cac35f634579bebba7fe48] smb: client: fix potential OOBs in smb2_parse_contexts()
determine whether the revision contains the guilty commit
revision 458ce51d0356ee60c93f9f807d9827cf2a41643d crashed and is reachable
testing commit 890bc4fac3c0973a49cac35f634579bebba7fe48 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c1935cede9b7f7a94b47f063b4f8d22a5546cbf09ac4a62bcd278ead18541d11
all runs: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]

# git bisect good 890bc4fac3c0973a49cac35f634579bebba7fe48
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ab2e127896a2432e2b0d02ea48e1c7e57278a5aa] PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()
determine whether the revision contains the guilty commit
revision 458ce51d0356ee60c93f9f807d9827cf2a41643d crashed and is reachable
testing commit ab2e127896a2432e2b0d02ea48e1c7e57278a5aa gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a6759a1fbbb2015e41655fdfb3d17fec9fbb835e1c1f41317dbcb109f59f9ea5
all runs: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]

# git bisect good ab2e127896a2432e2b0d02ea48e1c7e57278a5aa
Bisecting: 0 revisions left to test after this (roughly 1 step)
[bcbaeb081ad846ae7f824ecf2df3d21de17608ea] bpf: Add struct for bin_args arg in bpf_bprintf_prepare
determine whether the revision contains the guilty commit
revision 458ce51d0356ee60c93f9f807d9827cf2a41643d crashed and is reachable
testing commit bcbaeb081ad846ae7f824ecf2df3d21de17608ea gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7d2e758d26cf7bce0a2d59f212bfbb72d5dac68674ab9893e7bb08ff532daee7
all runs: crashed: BUG: scheduling while atomic in do_nanosleep
representative crash: BUG: scheduling while atomic in do_nanosleep, types: [ATOMIC_SLEEP]

# git bisect good bcbaeb081ad846ae7f824ecf2df3d21de17608ea
4b349c55bbd33c8918dbac13876d6842af571505 is the first bad commit
commit 4b349c55bbd33c8918dbac13876d6842af571505
Author: Jiri Olsa
Date: Sat Feb 17 09:13:20 2024 -0300

    bpf: Do cleanup in bpf_bprintf_cleanup only when needed

    commit f19a4050455aad847fb93f18dc1fe502eb60f989 upstream.

    Currently we always cleanup/decrement bpf_bprintf_nest_level variable
    in bpf_bprintf_cleanup if it's > 0.

    There's possible scenario where this could cause a problem, when
    bpf_bprintf_prepare does not get bin_args buffer (because num_args is 0)
    and following bpf_bprintf_cleanup call decrements bpf_bprintf_nest_level
    variable, like:

      in task context:
        bpf_bprintf_prepare(num_args != 0) increments 'bpf_bprintf_nest_level = 1'
        -> first irq :
           bpf_bprintf_prepare(num_args == 0)
           bpf_bprintf_cleanup decrements 'bpf_bprintf_nest_level = 0'
        -> second irq:
           bpf_bprintf_prepare(num_args != 0) bpf_bprintf_nest_level = 1
           gets same buffer as task context above

    Adding check to bpf_bprintf_cleanup and doing the real cleanup only if we
    got bin_args data in the first place.

    Signed-off-by: Jiri Olsa
    Signed-off-by: Daniel Borkmann
    Acked-by: Yonghong Song
    Link: https://lore.kernel.org/bpf/20221215214430.1336195-3-jolsa@kernel.org
    [cascardo: there is no bpf_trace_vprintk in 5.15]
    Signed-off-by: Thadeu Lima de Souza Cascardo
    Signed-off-by: Greg Kroah-Hartman

 include/linux/bpf.h      |  2 +-
 kernel/bpf/helpers.c     | 16 +++++++++-------
 kernel/trace/bpf_trace.c |  4 ++--
 3 files changed, 12 insertions(+), 10 deletions(-)

accumulated error probability: 0.00
culprit signature: b4b5c001014802ea5458c6d346e79cc06d32808b15b4f52380483ffdf634e846
parent signature: 7d2e758d26cf7bce0a2d59f212bfbb72d5dac68674ab9893e7bb08ff532daee7
revisions tested: 16, total time: 3h29m19.912273408s (build: 1h8m17.500842977s, test: 2h17m37.987197625s)
first good commit: 4b349c55bbd33c8918dbac13876d6842af571505 bpf: Do cleanup in bpf_bprintf_cleanup only when needed
recipients (to): ["cascardo@igalia.com" "daniel@iogearbox.net" "gregkh@linuxfoundation.org" "jolsa@kernel.org" "yhs@fb.com"]
recipients (cc): []