bisecting cause commit starting from eaf2aaec0be4623b1d19f5c6ef770a78a91cf460 building syzkaller on be2c130d4c0c511da96ce278486cf0564aeadcea testing commit eaf2aaec0be4623b1d19f5c6ef770a78a91cf460 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 91aff65afb53ff82ea2e2948d02889c224c8d6e11fe043ce36fbe5e9af253e7b all runs: crashed: UBSAN: shift-out-of-bounds in xfrm_get_default testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 909f5b513362d755e99068620c19525cb2afd91ca8725228219fd46574a48866 all runs: OK # git bisect start eaf2aaec0be4623b1d19f5c6ef770a78a91cf460 62fb9874f5da54fdb243003b386128037319b219 Bisecting: 8768 revisions left to test after this (roughly 13 steps) [bd31b9efbf549d9630bf2f269a3a56dcb29fcac1] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit bd31b9efbf549d9630bf2f269a3a56dcb29fcac1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 56673a77ac99a441e9d153e12b74b50705d838b711d4c61681eae09f8053c62c run #0: boot failed: possible deadlock in fs_reclaim_acquire run #1: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #2: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #3: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #4: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #5: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #6: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #7: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #8: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #9: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) # git bisect skip bd31b9efbf549d9630bf2f269a3a56dcb29fcac1 Bisecting: 8768 revisions left to test after this (roughly 13 steps) [122e093c1734361dedb64f65c99b93e28e4624f4] mm/page_alloc: fix memory map initialization for descending nodes testing commit 122e093c1734361dedb64f65c99b93e28e4624f4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a6d08478d4fee780652864fac027df52b541fc6141156c14bf7c909bfae9ebfc all runs: OK # git bisect good 122e093c1734361dedb64f65c99b93e28e4624f4 Bisecting: 8768 revisions left to test after this (roughly 13 steps) [bf68fdfdec6cd9a14323a61612ae9d7c510fbbdc] clk: lmk04832: Use of match table testing commit bf68fdfdec6cd9a14323a61612ae9d7c510fbbdc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 9083c94635b971d398964cae03126f84df7cdb7767078957ad1f0a019ef1826f all runs: OK # git bisect good bf68fdfdec6cd9a14323a61612ae9d7c510fbbdc Bisecting: 8768 revisions left to test after this (roughly 13 steps) [deebea0ae3f7c1f812ff6b3581dc51445e1be942] mac80211: Reject zero MAC address in sta_info_insert_check() testing commit deebea0ae3f7c1f812ff6b3581dc51445e1be942 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: aac025fe7b677b1fe98d4837cf0641ff4feaaf6e82a8cfadb85507b8717bbb0a all runs: OK # git bisect good deebea0ae3f7c1f812ff6b3581dc51445e1be942 Bisecting: 785 revisions left to test after this (roughly 10 steps) [1a6d80ff2419e8ad627b4bf4775a8b4c70af535d] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit 1a6d80ff2419e8ad627b4bf4775a8b4c70af535d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5bfa253dc4db96c154af83d9e89148ebb6a54272ae82e4ef0d2b84dc265cc077 all runs: OK # git bisect good 1a6d80ff2419e8ad627b4bf4775a8b4c70af535d Bisecting: 406 revisions left to test after this (roughly 9 steps) [056b29ae071bffc4ed6108a943f7d2929ab61ea1] net: sunhme: Remove unused macros testing commit 056b29ae071bffc4ed6108a943f7d2929ab61ea1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 3cd6b9b2fa155037acfb49d4ea2010f0c97e75a1fac25dd26ec0a55f6623d304 all runs: OK # git bisect good 056b29ae071bffc4ed6108a943f7d2929ab61ea1 Bisecting: 203 revisions left to test after this (roughly 8 steps) [2a8084147bff7a1fe9f567ed39c340a6a3fc27ef] iwlwifi: acpi: support reading and storing WRDS revision 1 and 2 testing commit 2a8084147bff7a1fe9f567ed39c340a6a3fc27ef compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 4533266cb99b07e8ae1ffe6c5889b2c7349d549bc05681c1b2d9556428dfb2b1 all runs: OK # git bisect good 2a8084147bff7a1fe9f567ed39c340a6a3fc27ef Bisecting: 97 revisions left to test after this (roughly 7 steps) [a550409378d2aea4d2104a551c192e7a65ddd6c0] Merge tag 'mlx5-updates-2021-08-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit a550409378d2aea4d2104a551c192e7a65ddd6c0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 7ef1a216dc6bfcae57e91164abadcdaccd59cc9e92a2629d5f631106081943fa all runs: OK # git bisect good a550409378d2aea4d2104a551c192e7a65ddd6c0 Bisecting: 48 revisions left to test after this (roughly 6 steps) [8d4be124062bddbb2bcb887702a0601b790b9a83] ssb: fix boolreturn.cocci warning testing commit 8d4be124062bddbb2bcb887702a0601b790b9a83 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 8de580d81e5161ed9ad902d3ac50d4a19be419735fab8bb19e0079608c9ab7c2 all runs: OK # git bisect good 8d4be124062bddbb2bcb887702a0601b790b9a83 Bisecting: 23 revisions left to test after this (roughly 5 steps) [81414ba71356b174d62370195a2bb99592e1b2a2] net: hns3: refactor function hclgevf_parse_capability() testing commit 81414ba71356b174d62370195a2bb99592e1b2a2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bc8f343410c60daf5f882cd918eb7c2bab7e3bdce85d76a8b2a907137e85794b all runs: crashed: UBSAN: shift-out-of-bounds in xfrm_get_default # git bisect bad 81414ba71356b174d62370195a2bb99592e1b2a2 Bisecting: 12 revisions left to test after this (roughly 4 steps) [0c5c135cdbdacdf82ca537c433db07e4a1664065] net: hns3: uniform type of function parameter cmd testing commit 0c5c135cdbdacdf82ca537c433db07e4a1664065 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 8eade641b43adde76c6a8bd00639acda4eb3ea4e604b4f99ec3592123ac7c318 all runs: crashed: UBSAN: shift-out-of-bounds in xfrm_get_default # git bisect bad 0c5c135cdbdacdf82ca537c433db07e4a1664065 Bisecting: 5 revisions left to test after this (roughly 3 steps) [c511dfff4b655685d7341962a76d9a340150e0ac] net: hns3: add hns3_state_init() to do state initialization testing commit c511dfff4b655685d7341962a76d9a340150e0ac compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 8eade641b43adde76c6a8bd00639acda4eb3ea4e604b4f99ec3592123ac7c318 all runs: crashed: UBSAN: shift-out-of-bounds in xfrm_get_default # git bisect bad c511dfff4b655685d7341962a76d9a340150e0ac Bisecting: 2 revisions left to test after this (roughly 2 steps) [5d8dbb7fb82b8661c16d496644b931c0e2e3a12e] net: xfrm: fix shift-out-of-bounce testing commit 5d8dbb7fb82b8661c16d496644b931c0e2e3a12e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 7b9a4cbc702a220dd83770ca81a7d552f962a012c429c8f8b01bc6ea854b0189 all runs: crashed: UBSAN: shift-out-of-bounds in xfrm_get_default # git bisect bad 5d8dbb7fb82b8661c16d496644b931c0e2e3a12e Bisecting: 0 revisions left to test after this (roughly 1 step) [2d151d39073aff498358543801fca0f670fea981] xfrm: Add possibility to set the default to block if we have no policy testing commit 2d151d39073aff498358543801fca0f670fea981 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 83f5aafc1bf7317b49226d249c2d154a4b87bda3289f9c2cc0327a91fc7e1b50 all runs: crashed: UBSAN: shift-out-of-bounds in xfrm_get_default # git bisect bad 2d151d39073aff498358543801fca0f670fea981 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f8fdadef92b7a39e9a9a83bc2df68731ac6c298b] ipsec: Remove unneeded extra variable in esp4 esp_ssg_unref() testing commit f8fdadef92b7a39e9a9a83bc2df68731ac6c298b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 9a7bfff3823987a6f659bf2e271df2c4aacbbf325d12ce7d3d83adb09ea47681 all runs: OK # git bisect good f8fdadef92b7a39e9a9a83bc2df68731ac6c298b 2d151d39073aff498358543801fca0f670fea981 is the first bad commit commit 2d151d39073aff498358543801fca0f670fea981 Author: Steffen Klassert Date: Sun Jul 18 09:11:06 2021 +0200 xfrm: Add possibility to set the default to block if we have no policy As the default we assume the traffic to pass, if we have no matching IPsec policy. With this patch, we have a possibility to change this default from allow to block. It can be configured via netlink. Each direction (input/output/forward) can be configured separately. With the default to block configuered, we need allow policies for all packet flows we accept. We do not use default policy lookup for the loopback device. v1->v2 - fix compiling when XFRM is disabled - Reported-by: kernel test robot Co-developed-by: Christian Langrock Signed-off-by: Christian Langrock Co-developed-by: Antony Antony Signed-off-by: Antony Antony Signed-off-by: Steffen Klassert include/net/netns/xfrm.h | 7 +++++++ include/net/xfrm.h | 36 ++++++++++++++++++++++++++------ include/uapi/linux/xfrm.h | 10 +++++++++ net/xfrm/xfrm_policy.c | 16 +++++++++++++++ net/xfrm/xfrm_user.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 115 insertions(+), 6 deletions(-) culprit signature: 83f5aafc1bf7317b49226d249c2d154a4b87bda3289f9c2cc0327a91fc7e1b50 parent signature: 9a7bfff3823987a6f659bf2e271df2c4aacbbf325d12ce7d3d83adb09ea47681 revisions tested: 17, total time: 3h53m16.710629959s (build: 1h52m18.761200981s, test: 1h58m51.140172719s) first bad commit: 2d151d39073aff498358543801fca0f670fea981 xfrm: Add possibility to set the default to block if we have no policy recipients (to): ["antony.antony@secunet.com" "christian.langrock@secunet.com" "steffen.klassert@secunet.com"] recipients (cc): [] crash: UBSAN: shift-out-of-bounds in xfrm_get_default netlink: 172 bytes leftover after parsing attributes in process `syz-executor.2'. ================================================================================ UBSAN: shift-out-of-bounds in net/xfrm/xfrm_user.c:2005:49 shift exponent 224 is too large for 32-bit type 'int' CPU: 0 PID: 10966 Comm: syz-executor.2 Not tainted 5.14.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:105 ubsan_epilogue+0x5/0x40 lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe9 lib/ubsan.c:327 xfrm_get_default.cold+0x26/0xb8 net/xfrm/xfrm_user.c:2005 xfrm_user_rcv_msg+0x35e/0x7a0 net/xfrm/xfrm_user.c:2864 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2504 xfrm_netlink_rcv+0x66/0x80 net/xfrm/xfrm_user.c:2876 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x704/0xbf0 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:703 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:723 sock_no_sendpage+0xe7/0x120 net/core/sock.c:2959 kernel_sendpage.part.0+0x11e/0x240 net/socket.c:3673 kernel_sendpage net/socket.c:3670 [inline] sock_sendpage+0xc7/0x1a0 net/socket.c:1002 pipe_to_sendpage+0x245/0x410 fs/splice.c:364 splice_from_pipe_feed fs/splice.c:418 [inline] __splice_from_pipe+0x362/0x810 fs/splice.c:562 splice_from_pipe fs/splice.c:597 [inline] generic_splice_sendpage+0xba/0x120 fs/splice.c:746 do_splice_from fs/splice.c:767 [inline] direct_splice_actor+0xfb/0x1c0 fs/splice.c:936 splice_direct_to_actor+0x2dd/0x7c0 fs/splice.c:891 do_splice_direct+0x154/0x260 fs/splice.c:979 do_sendfile+0x821/0xfd0 fs/read_write.c:1260 __do_sys_sendfile64 fs/read_write.c:1325 [inline] __se_sys_sendfile64 fs/read_write.c:1311 [inline] __x64_sys_sendfile64+0x186/0x1d0 fs/read_write.c:1311 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f529dd24188 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665f9 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005 RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000100000002 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffe0634226f R14: 00007f529dd24300 R15: 0000000000022000 ================================================================================