bisecting cause commit starting from 51309b9d73f5de2d8cba2c850df0c3b5d9125bee building syzkaller on bc2c6e45b9f01fa6046cb3efa9d3aae9f05238a8 testing commit 51309b9d73f5de2d8cba2c850df0c3b5d9125bee with gcc (GCC) 8.1.0 run #0: crashed: WARNING in drm_mode_createblob_ioctl run #1: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor599429908" "root@10.128.10.45:./syz-executor599429908"]: exit status 1 Connection timed out during banner exchange lost connection run #2: crashed: WARNING in drm_mode_createblob_ioctl run #3: crashed: WARNING in drm_mode_createblob_ioctl run #4: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor803607398" "root@10.128.0.67:./syz-executor803607398"]: exit status 1 ssh: connect to host 10.128.0.67 port 22: Connection timed out lost connection run #5: crashed: WARNING in drm_mode_createblob_ioctl run #6: crashed: WARNING in drm_mode_createblob_ioctl run #7: crashed: WARNING in drm_mode_createblob_ioctl run #8: crashed: WARNING in drm_mode_createblob_ioctl run #9: crashed: WARNING in drm_mode_createblob_ioctl testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 51309b9d73f5de2d8cba2c850df0c3b5d9125bee 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Bisecting: 12027 revisions left to test after this (roughly 14 steps) [aaa4dd61647b33bcf5e280e09304fa8cc3614cb9] Merge branch 'for-5.4/upstream-fixes' into for-next testing commit aaa4dd61647b33bcf5e280e09304fa8cc3614cb9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good aaa4dd61647b33bcf5e280e09304fa8cc3614cb9 Bisecting: 6046 revisions left to test after this (roughly 13 steps) [91e8b4d9dd90288047ea8ba34a24c65da0e34571] Merge remote-tracking branch 'swiotlb/linux-next' testing commit 91e8b4d9dd90288047ea8ba34a24c65da0e34571 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 91e8b4d9dd90288047ea8ba34a24c65da0e34571 Bisecting: 3019 revisions left to test after this (roughly 12 steps) [28aa46c4528b31f1f554f924ce9f81955b941d0a] Merge remote-tracking branch 'drm-misc/for-linux-next' testing commit 28aa46c4528b31f1f554f924ce9f81955b941d0a with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor042423426" "root@10.128.0.47:./syz-executor042423426"]: exit status 1 Connection timed out during banner exchange lost connection run #9: OK # git bisect good 28aa46c4528b31f1f554f924ce9f81955b941d0a Bisecting: 1501 revisions left to test after this (roughly 11 steps) [12d486588bd6cd6b09450cd00e4bfcc39fbc5dd9] Merge remote-tracking branch 'usb/usb-next' testing commit 12d486588bd6cd6b09450cd00e4bfcc39fbc5dd9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 12d486588bd6cd6b09450cd00e4bfcc39fbc5dd9 Bisecting: 709 revisions left to test after this (roughly 10 steps) [83fc352798b015a72781bae99eba567ebf366faf] Merge remote-tracking branch 'scsi/for-next' testing commit 83fc352798b015a72781bae99eba567ebf366faf with gcc (GCC) 8.1.0 all runs: OK # git bisect good 83fc352798b015a72781bae99eba567ebf366faf Bisecting: 357 revisions left to test after this (roughly 9 steps) [5ae4da045f2b17b8d6c928cc329865ff3f45651c] Merge remote-tracking branch 'hyperv/hyperv-next' testing commit 5ae4da045f2b17b8d6c928cc329865ff3f45651c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5ae4da045f2b17b8d6c928cc329865ff3f45651c Bisecting: 178 revisions left to test after this (roughly 8 steps) [cb3fdfc387fbfa9cca70082dc268c6300c3bfa76] kcov: remote coverage support testing commit cb3fdfc387fbfa9cca70082dc268c6300c3bfa76 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in drm_mode_createblob_ioctl run #1: crashed: WARNING in drm_mode_createblob_ioctl run #2: crashed: WARNING in drm_mode_createblob_ioctl run #3: crashed: WARNING in drm_mode_createblob_ioctl run #4: crashed: WARNING in drm_mode_createblob_ioctl run #5: crashed: WARNING in drm_mode_createblob_ioctl run #6: crashed: WARNING in drm_mode_createblob_ioctl run #7: crashed: WARNING in drm_mode_createblob_ioctl run #8: crashed: WARNING in drm_mode_createblob_ioctl run #9: crashed: kernel panic: System is deadlocked on memory # git bisect bad cb3fdfc387fbfa9cca70082dc268c6300c3bfa76 Bisecting: 89 revisions left to test after this (roughly 7 steps) [d458b5a062b665a5d033300b1ea52101e4d3d97c] mm/memory_hotplug: fix try_offline_node() testing commit d458b5a062b665a5d033300b1ea52101e4d3d97c with gcc (GCC) 8.1.0 all runs: OK # git bisect good d458b5a062b665a5d033300b1ea52101e4d3d97c Bisecting: 44 revisions left to test after this (roughly 6 steps) [a0e454395f64b8a2cf9114d77b3538ebf95db543] mm/hwpoison-inject: use DEFINE_DEBUGFS_ATTRIBUTE to define debugfs fops testing commit a0e454395f64b8a2cf9114d77b3538ebf95db543 with gcc (GCC) 8.1.0 mm/userfaultfd.c:262:40: error: ‘h’ undeclared (first use in this function) # git bisect skip a0e454395f64b8a2cf9114d77b3538ebf95db543 Bisecting: 44 revisions left to test after this (roughly 6 steps) [f39a69469de28f21cf1a6764e2a17594c099fbfe] kernel/profile.c: use cpumask_available to check for NULL cpumask testing commit f39a69469de28f21cf1a6764e2a17594c099fbfe with gcc (GCC) 8.1.0 all runs: OK # git bisect good f39a69469de28f21cf1a6764e2a17594c099fbfe Bisecting: 8 revisions left to test after this (roughly 3 steps) [317af674c67d8359eca99646bc132b9d2a0ab24c] lib/math/rational.c: fix possible incorrect result from rational fractions helper testing commit 317af674c67d8359eca99646bc132b9d2a0ab24c with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor792535259" "root@10.128.15.208:./syz-executor792535259"]: exit status 1 ssh: connect to host 10.128.15.208 port 22: Connection timed out lost connection run #7: OK run #8: OK run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor264684485" "root@10.128.10.61:./syz-executor264684485"]: exit status 1 ssh: connect to host 10.128.10.61 port 22: Connection timed out lost connection # git bisect good 317af674c67d8359eca99646bc132b9d2a0ab24c Bisecting: 4 revisions left to test after this (roughly 2 steps) [948b2fdece7e0413db6dabd873152d76d6661937] selftests: add epoll selftests testing commit 948b2fdece7e0413db6dabd873152d76d6661937 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 948b2fdece7e0413db6dabd873152d76d6661937 Bisecting: 2 revisions left to test after this (roughly 1 step) [32daaa987d44ddbfac35db57343d1095bf8494e8] fs/binfmt_elf.c: extract elf_read() function testing commit 32daaa987d44ddbfac35db57343d1095bf8494e8 with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor806043891" "root@10.128.0.213:./syz-executor806043891"]: exit status 1 Connection timed out during banner exchange lost connection # git bisect good 32daaa987d44ddbfac35db57343d1095bf8494e8 Bisecting: 0 revisions left to test after this (roughly 1 step) [3fefb398a1e97abc8cc8dfa0c9cf90f635b5d384] aio: simplify read_events() testing commit 3fefb398a1e97abc8cc8dfa0c9cf90f635b5d384 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor741427101" "root@10.128.0.215:./syz-executor741427101"]: exit status 1 Connection timed out during banner exchange lost connection run #1: crashed: WARNING in drm_mode_createblob_ioctl run #2: crashed: WARNING in drm_mode_createblob_ioctl run #3: crashed: WARNING in drm_mode_createblob_ioctl run #4: crashed: WARNING in drm_mode_createblob_ioctl run #5: crashed: WARNING in drm_mode_createblob_ioctl run #6: crashed: WARNING in drm_mode_createblob_ioctl run #7: crashed: WARNING in drm_mode_createblob_ioctl run #8: crashed: WARNING in drm_mode_createblob_ioctl run #9: crashed: WARNING in drm_mode_createblob_ioctl # git bisect bad 3fefb398a1e97abc8cc8dfa0c9cf90f635b5d384 Bisecting: 0 revisions left to test after this (roughly 0 steps) [9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba] uaccess: disallow > INT_MAX copy sizes testing commit 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor049027122" "root@10.128.0.112:./syz-executor049027122"]: exit status 1 Connection timed out during banner exchange lost connection run #1: crashed: WARNING in drm_mode_createblob_ioctl run #2: crashed: WARNING in drm_mode_createblob_ioctl run #3: crashed: WARNING in drm_mode_createblob_ioctl run #4: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor946060826" "root@10.128.1.39:./syz-executor946060826"]: exit status 1 ssh: connect to host 10.128.1.39 port 22: Connection timed out lost connection run #5: crashed: WARNING in drm_mode_createblob_ioctl run #6: crashed: WARNING in drm_mode_createblob_ioctl run #7: crashed: WARNING in drm_mode_createblob_ioctl run #8: crashed: WARNING in drm_mode_createblob_ioctl run #9: crashed: WARNING in drm_mode_createblob_ioctl # git bisect bad 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba is the first bad commit commit 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba Author: Kees Cook Date: Tue Nov 5 09:57:23 2019 +1100 uaccess: disallow > INT_MAX copy sizes As we've done with VFS, string operations, etc, reject usercopy sizes larger than INT_MAX, which would be nice to have for catching bugs related to size calculation overflows[1]. This adds 10 bytes to x86_64 defconfig text and 1980 bytes to the data section: text data bss dec hex filename 19691167 5134320 1646664 26472151 193eed7 vmlinux.before 19691177 5136300 1646664 26474141 193f69d vmlinux.after [1] https://marc.info/?l=linux-s390&m=156631939010493&w=2 Link: http://lkml.kernel.org/r/201908251612.F9902D7A@keescook Signed-off-by: Kees Cook Suggested-by: Dan Carpenter Cc: Alexander Viro Signed-off-by: Andrew Morton Signed-off-by: Stephen Rothwell :040000 040000 0bb4e53cbf10fa58ae55072013dc23e4f258d745 ffed198d080c26211bf2dfc91b78c94dd8967545 M include revisions tested: 17, total time: 2h46m29.0032567s (build: 1h35m55.818388258s, test: 1h5m13.808584812s) first bad commit: 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba uaccess: disallow > INT_MAX copy sizes cc: ["akpm@linux-foundation.org" "keescook@chromium.org" "sfr@canb.auug.org.au" "viro@zeniv.linux.org.uk"] crash: WARNING in drm_mode_createblob_ioctl ------------[ cut here ]------------ WARNING: CPU: 0 PID: 7754 at include/linux/thread_info.h:150 drm_mode_createblob_ioctl+0x30b/0x420 drivers/gpu/drm/drm_property.c:820 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 7754 Comm: syz-executor618 Not tainted 5.4.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.11+0x25/0x30 kernel/panic.c:582 report_bug+0x1b0/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:179 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028 RIP: 0010:check_copy_size include/linux/thread_info.h:150 [inline] RIP: 0010:copy_from_user include/linux/uaccess.h:143 [inline] RIP: 0010:drm_mode_createblob_ioctl+0x30b/0x420 drivers/gpu/drm/drm_property.c:800 Code: c1 ea 03 80 3c 02 00 0f 85 17 01 00 00 4d 89 3c 24 48 89 df e8 e6 07 5f 03 31 c0 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b 4d 85 ed b8 f2 ff ff ff 0f 84 c7 fd ff ff 4c 89 ef 89 45 d0 RSP: 0018:ffff88809a6e7a78 EFLAGS: 00010216 RAX: 0000000096e170d0 RBX: ffff8880a3848000 RCX: 1ffff92000bf220a RDX: dffffc0000000000 RSI: 58e934b246755f83 RDI: ffffc90005f91050 RBP: ffff88809a6e7ab0 R08: ffffed1014709110 R09: ffffed1014709110 R10: ffffed101470910f R11: ffff8880a384887f R12: ffff8880929c8000 R13: ffffc90005f91000 R14: ffff88809a70b800 R15: ffffc90005f91058 drm_ioctl_kernel+0x1e6/0x2a0 drivers/gpu/drm/drm_ioctl.c:786 drm_ioctl+0x484/0xa0a drivers/gpu/drm/drm_ioctl.c:886 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696 ksys_ioctl+0x62/0x90 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x449649 Code: e8 fc b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f1acb338db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000449649 RDX: 0000000020000000 RSI: ffffffffffffffbd RDI: 0000000000000004 RBP: 00000000006dac30 R08: 00007f1acb339700 R09: 0000000000000000 R10: 00007f1acb339700 R11: 0000000000000246 R12: 00000000006dac3c R13: 00007ffd036273cf R14: 00007f1acb3399c0 R15: 20c49ba5e353f7cf Kernel Offset: disabled Rebooting in 86400 seconds..