bisecting cause commit starting from 6c996e19949b34d7edebed4f6b0511145c036404 building syzkaller on 6a383ecfb767c80c9fa63c7708b25e568a4ebfec testing commit 6c996e19949b34d7edebed4f6b0511145c036404 with gcc (GCC) 10.2.1 20210217 kernel signature: 2e3ab420d6ee8358fb164b1b9dd98fb9ad113603e5f5a02cce18231b7d1143cf all runs: crashed: WARNING in xfrm_alloc_compat testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: 0060f998cf503ac1654a9c4262c8927768d9a752547f1a416fab09d8bbd9070a all runs: crashed: WARNING in xfrm_alloc_compat testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: 73961e71ca0efa6aafc5c641f8455fc41ee9bf52ff7223de6347538f53332939 all runs: crashed: WARNING in xfrm_alloc_compat testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217 kernel signature: fe3639663fb9aae8e44209ef569e8c106ccddbf4461a180bc1d3dabcbb827a7f all runs: OK # git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 9594 revisions left to test after this (roughly 13 steps) [4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 10.2.1 20210217 kernel signature: e13c6b3828eaa3c8cf671deb236fe3074ecfa3f783196ad1c251998c79399b04 all runs: OK # git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be Bisecting: 4874 revisions left to test after this (roughly 12 steps) [6694875ef8045cdb1e6712ee9b68fe08763507d8] ext4: indicate that fast_commit is available via /sys/fs/ext4/feature/... testing commit 6694875ef8045cdb1e6712ee9b68fe08763507d8 with gcc (GCC) 10.2.1 20210217 kernel signature: 6b7070e4b056ca4cf80e654b402b9973acb31c16163b2c6d918d4e789f0a289f all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 6694875ef8045cdb1e6712ee9b68fe08763507d8 Bisecting: 2342 revisions left to test after this (roughly 11 steps) [14c914fcb515c424177bb6848cc2858ebfe717a8] Merge tag 'wireless-drivers-next-2020-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 14c914fcb515c424177bb6848cc2858ebfe717a8 with gcc (GCC) 8.4.1 20210217 kernel signature: 71fbad5f50adea8b77d50af41bb0947cba32066268d1f0827a065fbf221f600a all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 14c914fcb515c424177bb6848cc2858ebfe717a8 Bisecting: 1188 revisions left to test after this (roughly 10 steps) [d134b78ee34823c607875c77426e18c762a911ea] Merge branch 'net-various-delete-duplicated-words' testing commit d134b78ee34823c607875c77426e18c762a911ea with gcc (GCC) 8.4.1 20210217 kernel signature: a9a6dbf522365708a6228ac81e1e154a9d19ca00f020eacbf39bb5e9f16d04d7 all runs: OK # git bisect good d134b78ee34823c607875c77426e18c762a911ea Bisecting: 594 revisions left to test after this (roughly 9 steps) [0189399cbb5eba6e98f02b61574b507062c476b7] vxlan: add unlikely to vxlan_remcsum check testing commit 0189399cbb5eba6e98f02b61574b507062c476b7 with gcc (GCC) 8.4.1 20210217 kernel signature: ee74bc7195ed50317c8ab8cde162c761a2ac8a4d9933b5c0cea811a0ed0e96ca all runs: OK # git bisect good 0189399cbb5eba6e98f02b61574b507062c476b7 Bisecting: 297 revisions left to test after this (roughly 8 steps) [97ffd895fe9c7b066f3e9c9ea10f5902ebcdbb11] net/mlx5: DR, Replace the check for valid STE entry testing commit 97ffd895fe9c7b066f3e9c9ea10f5902ebcdbb11 with gcc (GCC) 8.4.1 20210217 kernel signature: b72461dfe4764da0e8fd5888ea87aef75b2a0ff6ee8769ca62a7fd37bb360aa6 all runs: OK # git bisect good 97ffd895fe9c7b066f3e9c9ea10f5902ebcdbb11 Bisecting: 151 revisions left to test after this (roughly 7 steps) [4f359b653f7f598c29a1fbcf69fa975bf510061b] net/smscx5xx: change to of_get_mac_address() eth_platform_get_mac_address() testing commit 4f359b653f7f598c29a1fbcf69fa975bf510061b with gcc (GCC) 8.4.1 20210217 kernel signature: 83abfaed00a710472dc36eed045ed2aa8a81ddf512e805c0a891e33f0b7ac8fb all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 4f359b653f7f598c29a1fbcf69fa975bf510061b Bisecting: 72 revisions left to test after this (roughly 6 steps) [4a1e7c0c63e02daad751842b7880f9bbcdfb6e89] bpf: Support attaching freplace programs to multiple attach points testing commit 4a1e7c0c63e02daad751842b7880f9bbcdfb6e89 with gcc (GCC) 8.4.1 20210217 kernel signature: 6ba923ce333ba46898a8511d07a14522eda1f5ec6ae2476897ee18add843d342 all runs: OK # git bisect good 4a1e7c0c63e02daad751842b7880f9bbcdfb6e89 Bisecting: 44 revisions left to test after this (roughly 5 steps) [6208689fb3e623d3576dd61866cb99b40f75dc53] Merge branch 'introduce BPF_F_PRESERVE_ELEMS' testing commit 6208689fb3e623d3576dd61866cb99b40f75dc53 with gcc (GCC) 8.4.1 20210217 kernel signature: d94cd859f9d66966af7f55555310504f2d90bda024eeac20570ad5a5035615cf all runs: OK # git bisect good 6208689fb3e623d3576dd61866cb99b40f75dc53 Bisecting: 22 revisions left to test after this (roughly 5 steps) [23a1f682a925c0e15443bd2ea01bd0cbbc70e66a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 23a1f682a925c0e15443bd2ea01bd0cbbc70e66a with gcc (GCC) 8.4.1 20210217 kernel signature: 90baefc3fb8e4dfd53bb251cc332c4b5ce47ec36bd5c23da1c2f3aead051551c all runs: OK # git bisect good 23a1f682a925c0e15443bd2ea01bd0cbbc70e66a Bisecting: 14 revisions left to test after this (roughly 4 steps) [61e7113e48d3ca1ea692b5c6376a4b545b312166] Merge 'xfrm: Add compat layer' testing commit 61e7113e48d3ca1ea692b5c6376a4b545b312166 with gcc (GCC) 8.4.1 20210217 kernel signature: 972f63edf3ef9b0820f6cf08a45f2d403fcf63e577cb7c03c2e80e49824809f4 all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 61e7113e48d3ca1ea692b5c6376a4b545b312166 Bisecting: 3 revisions left to test after this (roughly 2 steps) [e11eb32de3a7854d6b366dee17dd36c9ab0c39de] netlink/compat: Append NLMSG_DONE/extack to frag_list testing commit e11eb32de3a7854d6b366dee17dd36c9ab0c39de with gcc (GCC) 8.4.1 20210217 kernel signature: 008af56f4d479522aac049b59a3197e768221c88ac3c6101743070e105fe3e94 all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad e11eb32de3a7854d6b366dee17dd36c9ab0c39de Bisecting: 1 revision left to test after this (roughly 1 step) [5461fc0c8d9f23956b99f5907f69726a293ccb67] xfrm/compat: Add 64=>32-bit messages translator testing commit 5461fc0c8d9f23956b99f5907f69726a293ccb67 with gcc (GCC) 8.4.1 20210217 kernel signature: 1316dce59e2251866482bb02bc53da5a5c1e1134844d429d85c3191fe92fb863 all runs: OK # git bisect good 5461fc0c8d9f23956b99f5907f69726a293ccb67 Bisecting: 0 revisions left to test after this (roughly 0 steps) [5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3] xfrm/compat: Attach xfrm dumps to 64=>32 bit translator testing commit 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 with gcc (GCC) 8.4.1 20210217 kernel signature: 813e47c412dfef16ba019c79f35636362f5bd4986794168f52e740138d61a2b6 all runs: crashed: WARNING in xfrm_alloc_compat # git bisect bad 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 is the first bad commit commit 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 Author: Dmitry Safonov Date: Mon Sep 21 15:36:53 2020 +0100 xfrm/compat: Attach xfrm dumps to 64=>32 bit translator Currently nlmsg_unicast() is used by functions that dump structures that can be different in size for compat tasks, see dump_one_state() and dump_one_policy(). The following nlmsg_unicast() users exist today in xfrm: Function | Message can be different | in size on compat -------------------------------------------|------------------------------ xfrm_get_spdinfo() | N xfrm_get_sadinfo() | N xfrm_get_sa() | Y xfrm_alloc_userspi() | Y xfrm_get_policy() | Y xfrm_get_ae() | N Besides, dump_one_state() and dump_one_policy() can be used by filtered netlink dump for XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY. Just as for xfrm multicast, allocate frag_list for compat skb journey down to recvmsg() which will give user the desired skb according to syscall bitness. Signed-off-by: Dmitry Safonov Signed-off-by: Steffen Klassert net/xfrm/xfrm_user.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) culprit signature: 813e47c412dfef16ba019c79f35636362f5bd4986794168f52e740138d61a2b6 parent signature: 1316dce59e2251866482bb02bc53da5a5c1e1134844d429d85c3191fe92fb863 revisions tested: 18, total time: 3h48m16.339408972s (build: 1h55m59.037324205s, test: 1h50m11.266577802s) first bad commit: 5f3eea6b7e8f58cf5c8a9d4b9679dc19e9e67ba3 xfrm/compat: Attach xfrm dumps to 64=>32 bit translator recipients (to): ["davem@davemloft.net" "dima@arista.com" "herbert@gondor.apana.org.au" "kuba@kernel.org" "netdev@vger.kernel.org" "steffen.klassert@secunet.com" "steffen.klassert@secunet.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: WARNING in xfrm_alloc_compat ------------[ cut here ]------------ unsupported nla_type 356 WARNING: CPU: 1 PID: 10114 at net/xfrm/xfrm_compat.c:246 xfrm_xlate64_attr net/xfrm/xfrm_compat.c:246 [inline] WARNING: CPU: 1 PID: 10114 at net/xfrm/xfrm_compat.c:246 xfrm_xlate64 net/xfrm/xfrm_compat.c:267 [inline] WARNING: CPU: 1 PID: 10114 at net/xfrm/xfrm_compat.c:246 xfrm_alloc_compat+0xe6d/0x12d1 net/xfrm/xfrm_compat.c:294 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 10114 Comm: syz-executor.1 Not tainted 5.9.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x99/0xd0 lib/dump_stack.c:118 panic+0x2a9/0x532 kernel/panic.c:231 __warn.cold.12+0x25/0x32 kernel/panic.c:600 report_bug+0x1af/0x260 lib/bug.c:198 handle_bug+0x3f/0x70 arch/x86/kernel/traps.c:234 exc_invalid_op+0x13/0x40 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:xfrm_xlate64_attr net/xfrm/xfrm_compat.c:246 [inline] RIP: 0010:xfrm_xlate64 net/xfrm/xfrm_compat.c:267 [inline] RIP: 0010:xfrm_alloc_compat+0xe6d/0x12d1 net/xfrm/xfrm_compat.c:294 Code: 03 0f b6 14 02 48 89 c8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 67 04 00 00 0f b7 73 02 48 c7 c7 80 58 a1 89 e8 a8 2e f7 f9 <0f> 0b b8 a1 ff ff ff e9 e7 fc ff ff 4c 89 f7 e8 9f 45 5f fa e9 bc RSP: 0018:ffffc9000a8674a8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8880a0c908f8 RCX: 1ffffffff1d157ab RDX: 0000000000000000 RSI: ffffffff88aac260 RDI: ffffffff88fd3dc0 RBP: ffff8880b32dcc80 R08: 0000000000000001 R09: fffffbfff1d07f02 R10: ffffffff8e83f80f R11: fffffbfff1d07f01 R12: 0000000000000000 R13: 00000000000000d8 R14: ffff8880a0c91000 R15: dffffc0000000000 xfrm_alloc_userspi+0x5ed/0x9e0 net/xfrm/xfrm_user.c:1389 xfrm_user_rcv_msg+0x379/0x6f0 net/xfrm/xfrm_user.c:2735 netlink_rcv_skb+0x117/0x370 net/netlink/af_netlink.c:2470 xfrm_netlink_rcv+0x63/0x80 net/xfrm/xfrm_user.c:2743 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x766/0xc10 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:671 ____sys_sendmsg+0x57b/0x7a0 net/socket.c:2353 ___sys_sendmsg+0xe4/0x160 net/socket.c:2407 __sys_sendmsg+0xce/0x170 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x466459 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f1997084188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459 RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003 RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007ffde3eded2f R14: 00007f1997084300 R15: 0000000000022000 Kernel Offset: disabled Rebooting in 86400 seconds..