bisecting cause commit starting from 2b94f5266c8452c01291f3b0370fcad28a357746 building syzkaller on 18e33098d58c8738cc3b678346141b74d34d4e30 testing commit 2b94f5266c8452c01291f3b0370fcad28a357746 with gcc (GCC) 8.1.0 kernel signature: 03d66c131a39da402a53dd2edf59052c83b6dda0fbd80d951b83ce8c10a9867a all runs: crashed: WARNING in xfrm_alloc_compat testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 934f0a134532bbbd345c7e8b605e59600f755e76ac937b8aa8fb348b839f419b all runs: OK # git bisect start 2b94f5266c8452c01291f3b0370fcad28a357746 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 7420 revisions left to test after this (roughly 13 steps) [c48b75b7271db23c1b2d1204d6e8496d91f27711] Merge tag 'sound-5.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit c48b75b7271db23c1b2d1204d6e8496d91f27711 with gcc (GCC) 8.1.0 kernel signature: 9a2381878bdc33ec4990e346935262c1106b44c9646045acec11e11fd34e7f55 all runs: OK # git bisect good c48b75b7271db23c1b2d1204d6e8496d91f27711 Bisecting: 3680 revisions left to test after this (roughly 12 steps) [09a31a7e3723afd79022d5d3ff3634c2630c2eeb] Merge tag 'mips_5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux testing commit 09a31a7e3723afd79022d5d3ff3634c2630c2eeb with gcc (GCC) 8.1.0 kernel signature: 92a4d6cfb3c64d294ab1bb910fd6cbd4a00f89af056b95c3a1a3a5892a7877cd all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 09a31a7e3723afd79022d5d3ff3634c2630c2eeb Bisecting: 1869 revisions left to test after this (roughly 11 steps) [80ca25711380c8eabe51eed875ca9432b4f8939e] cfg80211: handle Association Response from S1G STA testing commit 80ca25711380c8eabe51eed875ca9432b4f8939e with gcc (GCC) 8.1.0 kernel signature: 28e84e0737bed0911efb0686dcc08eb8b9e868bf810d7871b4560fd548507778 all runs: OK # git bisect good 80ca25711380c8eabe51eed875ca9432b4f8939e Bisecting: 925 revisions left to test after this (roughly 10 steps) [2295cddf99e3f7c2be2b1160e2f5e53cc35b09be] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 2295cddf99e3f7c2be2b1160e2f5e53cc35b09be with gcc (GCC) 8.1.0 kernel signature: 244f9438493114f162ae2859b29f264b9164f50454142284cf6cd2e6d44fd801 all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 2295cddf99e3f7c2be2b1160e2f5e53cc35b09be Bisecting: 436 revisions left to test after this (roughly 9 steps) [14c914fcb515c424177bb6848cc2858ebfe717a8] Merge tag 'wireless-drivers-next-2020-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 14c914fcb515c424177bb6848cc2858ebfe717a8 with gcc (GCC) 8.1.0 kernel signature: 501ee6a81b4b1d472504310c6234e7ab06f5ef9dc2c4f556dd8c98d29813b711 all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 14c914fcb515c424177bb6848cc2858ebfe717a8 Bisecting: 263 revisions left to test after this (roughly 8 steps) [7c89d9d9f90931f170e510e9e4b84d9dafdd616a] Merge branch 'net-ravb-Add-support-for-explicit-internal-clock-delay-c onfiguration' testing commit 7c89d9d9f90931f170e510e9e4b84d9dafdd616a with gcc (GCC) 8.1.0 kernel signature: f458d285e7688271438824eda1338971dcc608f1a47915d9838ba22fc2e89341 all runs: OK # git bisect good 7c89d9d9f90931f170e510e9e4b84d9dafdd616a Bisecting: 138 revisions left to test after this (roughly 7 steps) [4f359b653f7f598c29a1fbcf69fa975bf510061b] net/smscx5xx: change to of_get_mac_address() eth_platform_get_mac_address() testing commit 4f359b653f7f598c29a1fbcf69fa975bf510061b with gcc (GCC) 8.1.0 kernel signature: e5be73076c17829fd1c7ed6f0e83120285414a9997121468bdadc63f6a46b873 all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 4f359b653f7f598c29a1fbcf69fa975bf510061b Bisecting: 61 revisions left to test after this (roughly 6 steps) [3aae4a38068a5a4fe1c7731eedf26a8a5f588732] Merge branch 'selftests/bpf: BTF-based kernel data display' testing commit 3aae4a38068a5a4fe1c7731eedf26a8a5f588732 with gcc (GCC) 8.1.0 kernel signature: dcd7ac760003da8e98d4c91a5d0d974afd800d461c282de9b32ed470aa014217 all runs: OK # git bisect good 3aae4a38068a5a4fe1c7731eedf26a8a5f588732 Bisecting: 30 revisions left to test after this (roughly 5 steps) [eef4a011f35d3aa657d4995c53ccb240d9eaea73] bpf, selftests: Add redirect_neigh selftest testing commit eef4a011f35d3aa657d4995c53ccb240d9eaea73 with gcc (GCC) 8.1.0 kernel signature: a9c96fc419b97e1a64f75748212130e5835e1c72f84382c1830339163b885724 all runs: OK # git bisect good eef4a011f35d3aa657d4995c53ccb240d9eaea73 Bisecting: 15 revisions left to test after this (roughly 4 steps) [949ca6b82e43b342dba153a9fd643fb1b5e9f034] netlink: fix policy dump leak testing commit 949ca6b82e43b342dba153a9fd643fb1b5e9f034 with gcc (GCC) 8.1.0 kernel signature: 33648cdbd45498269358fdad9b63d519f111af766a16cd0e29ee1869edfec511 all runs: OK # git bisect good 949ca6b82e43b342dba153a9fd643fb1b5e9f034 Bisecting: 7 revisions left to test after this (roughly 3 steps) [61e7113e48d3ca1ea692b5c6376a4b545b312166] Merge 'xfrm: Add compat layer' testing commit 61e7113e48d3ca1ea692b5c6376a4b545b312166 with gcc (GCC) 8.1.0 kernel signature: 59544b5c64d107705f923860a5ae77d60726d9e7cf333bdb9aa0d2b0ba48395d all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 61e7113e48d3ca1ea692b5c6376a4b545b312166 Bisecting: 3 revisions left to test after this (roughly 2 steps) [e11eb32de3a7854d6b366dee17dd36c9ab0c39de] netlink/compat: Append NLMSG_DONE/extack to frag_list testing commit e11eb32de3a7854d6b366dee17dd36c9ab0c39de with gcc (GCC) 8.1.0 kernel signature: 956f625834aafec5031c0b110752d553569ee73224e3d509c1d9732d46cc83f3 all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad e11eb32de3a7854d6b366dee17dd36c9ab0c39de Bisecting: 1 revision left to test after this (roughly 1 step) [5461fc0c8d9f23956b99f5907f69726a293ccb67] xfrm/compat: Add 64=>32-bit messages translator testing commit 5461fc0c8d9f23956b99f5907f69726a293ccb67 with gcc (GCC) 8.1.0 kernel signature: 99c2af73f1c5d14c56488c397be8af69205ef06576e4302210cc535ef43eb121 all runs: OK # git bisect good 5461fc0c8d9f23956b99f5907f69726a293ccb67 Bisecting: 0 revisions left to test after this (roughly 0 steps) [5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3] xfrm/compat: Attach xfrm dumps to 64=>32 bit translator testing commit 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 with gcc (GCC) 8.1.0 kernel signature: d932f19b6c056d9ebf818a5320d69c30e359aeb19d0c9fa342d56f0267ffe42a all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 is the first bad commit commit 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 Author: Dmitry Safonov Date: Mon Sep 21 15:36:53 2020 +0100 xfrm/compat: Attach xfrm dumps to 64=>32 bit translator Currently nlmsg_unicast() is used by functions that dump structures that can be different in size for compat tasks, see dump_one_state() and dump_one_policy(). The following nlmsg_unicast() users exist today in xfrm: Function | Message can be different | in size on compat -------------------------------------------|------------------------------ xfrm_get_spdinfo() | N xfrm_get_sadinfo() | N xfrm_get_sa() | Y xfrm_alloc_userspi() | Y xfrm_get_policy() | Y xfrm_get_ae() | N Besides, dump_one_state() and dump_one_policy() can be used by filtered netlink dump for XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY. Just as for xfrm multicast, allocate frag_list for compat skb journey down to recvmsg() which will give user the desired skb according to syscall bitness. Signed-off-by: Dmitry Safonov Signed-off-by: Steffen Klassert net/xfrm/xfrm_user.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) culprit signature: d932f19b6c056d9ebf818a5320d69c30e359aeb19d0c9fa342d56f0267ffe42a parent signature: 99c2af73f1c5d14c56488c397be8af69205ef06576e4302210cc535ef43eb121 revisions tested: 16, total time: 3h5m50.204566566s (build: 1h22m9.709883749s, test: 1h42m4.989834449s) first bad commit: 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 xfrm/compat: Attach xfrm dumps to 64=>32 bit translator recipients (to): ["davem@davemloft.net" "dima@arista.com" "herbert@gondor.apana.org.au" "kuba@kernel.org" "netdev@vger.kernel.org" "steffen.klassert@secunet.com" "steffen.klassert@secunet.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: WARNING in xfrm_alloc_compat ------------[ cut here ]------------ unsupported nla_type 0 WARNING: CPU: 0 PID: 10248 at net/xfrm/xfrm_compat.c:246 xfrm_xlate64_attr net/xfrm/xfrm_compat.c:246 [inline] WARNING: CPU: 0 PID: 10248 at net/xfrm/xfrm_compat.c:246 xfrm_xlate64 net/xfrm/xfrm_compat.c:267 [inline] WARNING: CPU: 0 PID: 10248 at net/xfrm/xfrm_compat.c:246 xfrm_alloc_compat+0x486/0x530 net/xfrm/xfrm_compat.c:294 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 10248 Comm: syz-executor.1 Not tainted 5.9.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0xa0 lib/dump_stack.c:118 panic+0x144/0x317 kernel/panic.c:231 __warn.cold.13+0x20/0x28 kernel/panic.c:600 report_bug+0xc0/0xf0 lib/bug.c:198 handle_bug+0x3f/0x70 arch/x86/kernel/traps.c:234 exc_invalid_op+0x13/0x60 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:xfrm_xlate64_attr net/xfrm/xfrm_compat.c:246 [inline] RIP: 0010:xfrm_xlate64 net/xfrm/xfrm_compat.c:267 [inline] RIP: 0010:xfrm_alloc_compat+0x486/0x530 net/xfrm/xfrm_compat.c:294 Code: ff 80 3d c2 c9 fc 01 00 b8 a1 ff ff ff 0f 85 8d fe ff ff 48 c7 c7 fc 94 73 84 89 44 24 04 c6 05 a5 c9 fc 01 01 e8 55 df 17 fe <0f> 0b 8b 44 24 04 e9 6b fe ff ff 0f b7 f2 48 c7 c7 e2 94 73 84 89 RSP: 0018:ffffc90002f6f8d8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88811cfa14f8 RCX: 0000000000000006 RDX: 0000000000000000 RSI: ffffffff8468ce95 RDI: ffffffff845383fe RBP: 000000000000000c R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000002808 R11: 0000000000000046 R12: ffff8881336cc300 R13: 00000000000000e8 R14: ffff8881336ccd00 R15: ffff88811cfa1c00 xfrm_alloc_userspi+0x1d9/0x2a0 net/xfrm/xfrm_user.c:1389 xfrm_user_rcv_msg+0x143/0x240 net/xfrm/xfrm_user.c:2735 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 xfrm_netlink_rcv+0x2d/0x40 net/xfrm/xfrm_user.c:2743 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 ____sys_sendmsg+0x124/0x230 net/socket.c:2353 ___sys_sendmsg+0x77/0xb0 net/socket.c:2407 __sys_sendmmsg+0xab/0x1e0 net/socket.c:2497 __do_sys_sendmmsg net/socket.c:2526 [inline] __se_sys_sendmmsg net/socket.c:2523 [inline] __x64_sys_sendmmsg+0x1b/0x20 net/socket.c:2523 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45deb9 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fe6651bac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000027f80 RCX: 000000000045deb9 RDX: 00000000000000f1 RSI: 0000000020000180 RDI: 0000000000000003 RBP: 000000000118bf68 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c R13: 00007ffca057c0ef R14: 00007fe6651bb9c0 R15: 000000000118bf2c Kernel Offset: disabled Rebooting in 86400 seconds..