bisecting cause commit starting from 594e31bcebd6b8127ab8bcf37068ecef6c996459
building syzkaller on 1d2b823edd7b3936545a8b4d9901d53640334ee6
testing commit 594e31bcebd6b8127ab8bcf37068ecef6c996459 with gcc (GCC) 8.1.0
kernel signature: 1a660f7bcdc4b9735ec3c29212ca2868685d23c47d9059f109dc1a2a406673f9
all runs: crashed: BUG: stack guard page was hit in bitmap_from_arr32
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0
kernel signature: ae997c81c8480492441e712d3c127e3da959156d4e937c464609e101fa84e28c
all runs: crashed: BUG: stack guard page was hit in bitmap_from_arr32
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 564d400b258121a59fd078dbf7c8b7f09da4cfb1512f654dcb1a9f98d3676daf
all runs: crashed: BUG: stack guard page was hit in bitmap_from_arr32
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 03e471e8cd8d84e16a9ff6a3dbcec09c579b68cfa125584dcae4b629d7261e28
all runs: crashed: KASAN: stack-out-of-bounds Write in bitmap_from_arr32
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 5593ee453513c7b19de6d8c0de3a01d6226d3129b2cf07a7d02882efb811b071
all runs: OK
# git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 7542 revisions left to test after this (roughly 13 steps)
[50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 with gcc (GCC) 8.1.0
kernel signature: eda66ce765a2250127d16e2f549c8615271323f977c8ca082dd8c6ef760e77ed
all runs: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(8,1)
# git bisect skip 50a5de895dbe5df947b3a695777db5b2c313e065
Bisecting: 7542 revisions left to test after this (roughly 13 steps)
[422c032afcf57d5e8109a54912e22ffc53d99068] netfilter: flowtable: Use rw sem as flow block lock
testing commit 422c032afcf57d5e8109a54912e22ffc53d99068 with gcc (GCC) 8.1.0
kernel signature: e2c5c6735bb6e5a685dce89eade4b91ca58637b12a0df64401a1368dbeaf7f88
all runs: crashed: KASAN: stack-out-of-bounds Write in bitmap_from_arr32
# git bisect bad 422c032afcf57d5e8109a54912e22ffc53d99068
Bisecting: 771 revisions left to test after this (roughly 10 steps)
[6349021701d0ba2e84e2be440258d81e198c3392] Merge branch 'mlxsw-Offload-FIFO'
testing commit 6349021701d0ba2e84e2be440258d81e198c3392 with gcc (GCC) 8.1.0
kernel signature: ddb86c312068052e8728e7cf5b45ef6efb979a6665d9b3fcf9a4a489613d36f9
all runs: OK
# git bisect good 6349021701d0ba2e84e2be440258d81e198c3392
Bisecting: 385 revisions left to test after this (roughly 9 steps)
[d5e3c87d302cd08d01ac041cc3f8049c979cb97d] net: fec: reject unsupported coalescing params
testing commit d5e3c87d302cd08d01ac041cc3f8049c979cb97d with gcc (GCC) 8.1.0
kernel signature: dcc90ed711e92884f04c91504560b0dd2d59d2d187b23900ff96108a405b5161
all runs: OK
# git bisect good d5e3c87d302cd08d01ac041cc3f8049c979cb97d
Bisecting: 192 revisions left to test after this (roughly 8 steps)
[fa83820e5c58d200f41d08003ecb5f61cad3113b] Merge branch 'net-phy-XLGMII-define-and-usage-in-PHYLINK'
testing commit fa83820e5c58d200f41d08003ecb5f61cad3113b with gcc (GCC) 8.1.0
kernel signature: ec1218b60d620e7894345fc5ae903cb6ee236896805f578b91416b2282a09ad0
all runs: crashed: KASAN: stack-out-of-bounds Write in bitmap_from_arr32
# git bisect bad fa83820e5c58d200f41d08003ecb5f61cad3113b
Bisecting: 98 revisions left to test after this (roughly 7 steps)
[832165d225f71040a2c1fc2407752e462d00de1f] Merge branch 'bpf-core-fixes'
testing commit 832165d225f71040a2c1fc2407752e462d00de1f with gcc (GCC) 8.1.0
kernel signature: dbeb81d6aff0dfd9bfc46857a9fc4110ce58d97418b91d7dce22650d31b87537
all runs: OK
# git bisect good 832165d225f71040a2c1fc2407752e462d00de1f
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[1ef3018f5af3da6376fae546e4dfc3f05f063815] net/mlx5e: CT: Support clear action
testing commit 1ef3018f5af3da6376fae546e4dfc3f05f063815 with gcc (GCC) 8.1.0
kernel signature: f063e1925cc4f66245457aecaa1d1c7d4b4d569a7cb1b0a157100c0e15edc355
all runs: OK
# git bisect good 1ef3018f5af3da6376fae546e4dfc3f05f063815
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[14c844cbf3503076de6e2e48d575216f1600b19f] net/mlx5: E-Switch, Hold mutex when querying drop counter in legacy mode
testing commit 14c844cbf3503076de6e2e48d575216f1600b19f with gcc (GCC) 8.1.0
kernel signature: 4d4b49eefe4c54920c09156008944cdd3bc7f21bcc8739d11b175af4d15ec145
all runs: crashed: KASAN: stack-out-of-bounds Write in bitmap_from_arr32
# git bisect bad 14c844cbf3503076de6e2e48d575216f1600b19f
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[2fc2929e807211a9535a6541f24b57fa1c469728] ethtool: set device ring sizes with RINGS_SET request
testing commit 2fc2929e807211a9535a6541f24b57fa1c469728 with gcc (GCC) 8.1.0
kernel signature: 1904ecca54b51bbb43b4d0010515e99f8971a6af42488075f9599d5624c23d2a
all runs: crashed: KASAN: stack-out-of-bounds Write in bitmap_from_arr32
# git bisect bad 2fc2929e807211a9535a6541f24b57fa1c469728
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[0980bfcd6954f124e40a000b85335c197764de14] ethtool: set netdev features with FEATURES_SET request
testing commit 0980bfcd6954f124e40a000b85335c197764de14 with gcc (GCC) 8.1.0
kernel signature: 3dd35e3560c6e0e0661b55244d07467e032b6ed5e308e56694cebdee660845f2
all runs: crashed: KASAN: stack-out-of-bounds Write in bitmap_from_arr32
# git bisect bad 0980bfcd6954f124e40a000b85335c197764de14
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[f70bb06563ed07e4ba064f2785dba0bef96cd449] ethtool: update mapping of features to legacy ioctl requests
testing commit f70bb06563ed07e4ba064f2785dba0bef96cd449 with gcc (GCC) 8.1.0
kernel signature: 7b63bee33fdc44baafe242c6fd8fe03e833a5ec7fab605523bd5fde95515c009
all runs: OK
# git bisect good f70bb06563ed07e4ba064f2785dba0bef96cd449
Bisecting: 1 revision left to test after this (roughly 1 step)
[0524399d4612f5af38b8383680dde4df4bc4eea2] ethtool: provide netdev features with FEATURES_GET request
testing commit 0524399d4612f5af38b8383680dde4df4bc4eea2 with gcc (GCC) 8.1.0
kernel signature: 390eae798107771efa1cdf876d49f33d2a6409606cae62a959255ea42f1d5b44
all runs: OK
# git bisect good 0524399d4612f5af38b8383680dde4df4bc4eea2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[88db6d1e4f6222d22c1c4b4d4d7166cfa9d2fe0e] ethtool: add ethnl_parse_bitset() helper
testing commit 88db6d1e4f6222d22c1c4b4d4d7166cfa9d2fe0e with gcc (GCC) 8.1.0
kernel signature: ce92d25c1c9f3faca250667db1ca9282633695199acb53b8599b3f3ec2ccd61d
all runs: OK
# git bisect good 88db6d1e4f6222d22c1c4b4d4d7166cfa9d2fe0e
0980bfcd6954f124e40a000b85335c197764de14 is the first bad commit
commit 0980bfcd6954f124e40a000b85335c197764de14
Author: Michal Kubecek <mkubecek@suse.cz>
Date:   Thu Mar 12 21:07:58 2020 +0100

    ethtool: set netdev features with FEATURES_SET request
    
    Implement FEATURES_SET netlink request to set network device features.
    These are traditionally set using ETHTOOL_SFEATURES ioctl request.
    
    Actual change is subject to netdev_change_features() sanity checks so that
    it can differ from what was requested. Unlike with most other SET requests,
    in addition to error code and optional extack, kernel provides an optional
    reply message (ETHTOOL_MSG_FEATURES_SET_REPLY) in the same format but with
    different semantics: information about difference between user request and
    actual result and difference between old and new state of dev->features.
    This reply message can be suppressed by setting ETHTOOL_FLAG_OMIT_REPLY
    flag in request header.
    
    Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 Documentation/networking/ethtool-netlink.rst |  56 +++++++--
 include/uapi/linux/ethtool_netlink.h         |   2 +
 net/ethtool/features.c                       | 169 +++++++++++++++++++++++++++
 net/ethtool/netlink.c                        |   5 +
 net/ethtool/netlink.h                        |   1 +
 5 files changed, 224 insertions(+), 9 deletions(-)
culprit signature: 3dd35e3560c6e0e0661b55244d07467e032b6ed5e308e56694cebdee660845f2
parent  signature: ce92d25c1c9f3faca250667db1ca9282633695199acb53b8599b3f3ec2ccd61d
revisions tested: 18, total time: 3h37m56.945087316s (build: 1h40m35.596462251s, test: 1h55m22.723198096s)
first bad commit: 0980bfcd6954f124e40a000b85335c197764de14 ethtool: set netdev features with FEATURES_SET request
recipients (to): ["corbet@lwn.net" "davem@davemloft.net" "davem@davemloft.net" "kuba@kernel.org" "linux-doc@vger.kernel.org" "mkubecek@suse.cz" "netdev@vger.kernel.org"]
recipients (cc): ["andrew@lunn.ch" "dan.carpenter@oracle.com" "f.fainelli@gmail.com" "linux-kernel@vger.kernel.org" "mkubecek@suse.cz"]
crash: KASAN: stack-out-of-bounds Write in bitmap_from_arr32
==================================================================
BUG: KASAN: stack-out-of-bounds in bitmap_from_arr32+0x14b/0x1d0 lib/bitmap.c:1272
Write of size 8 at addr ffffc9000a1075a0 by task syz-executor.5/10891

CPU: 0 PID: 10891 Comm: syz-executor.5 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x96/0xe0 lib/dump_stack.c:118
 print_address_description.constprop.4.cold.6+0x62/0x373 mm/kasan/report.c:374
 __kasan_report.cold.7+0x7a/0x92 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 bitmap_from_arr32+0x14b/0x1d0 lib/bitmap.c:1272
 ethnl_parse_bitset+0x3ea/0x680 net/ethtool/bitset.c:633
 ethnl_set_features+0x293/0x8e8 net/ethtool/features.c:252
 genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
 genl_rcv_msg+0x5e7/0xf10 net/netlink/genetlink.c:735
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2478
 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:746
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x761/0xc90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:672
 ____sys_sendmsg+0x54e/0x760 net/socket.c:2343
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397
 __sys_sendmsg+0xce/0x170 net/socket.c:2430
 do_syscall_64+0x8e/0x4f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45deb9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbc90d73c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000000291c0 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000020000440 RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007fff8001026f R14: 00007fbc90d749c0 R15: 000000000118bf2c


addr ffffc9000a1075a0 is located in stack of task syz-executor.5/10891 at offset 360 in frame:
 ethnl_set_features+0x0/0x8e8 net/ethtool/features.c:51

this frame has 8 objects:
 [32, 40) 'reply_payload'
 [96, 112) 'req_info'
 [160, 168) 'wanted_diff_mask'
 [224, 232) 'active_diff_mask'
 [288, 296) 'new_active'
 [352, 360) 'req_wanted'
 [416, 424) 'req_mask'
 [480, 528) 'tb'

Memory state around the buggy address:
 ffffc9000a107480: f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2
 ffffc9000a107500: f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2
>ffffc9000a107580: f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2
                               ^
 ffffc9000a107600: f2 f2 f2 00 00 00 00 00 00 f2 f2 00 00 00 00 00
 ffffc9000a107680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
==================================================================