bisecting cause commit starting from 68453767131a5deec1e8f9ac92a9042f929e585d building syzkaller on 9e8eaa75a18a5cf8102e862be692c0781759e51b testing commit 68453767131a5deec1e8f9ac92a9042f929e585d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 284237e8bcff8b4a48f27f6372da35d45bd6a1a7f9de194be889355418ea2e62 all runs: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc testing release v5.16 testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1fd9ab6ec52dc5d6eec160897ae3403fe7938723519a9996a423afd6588ef1fc all runs: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc testing release v5.15 testing commit 8bb7eca972ad531c9b149c0a51ab43a417385813 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d129517d67eba16b8ed6fc5963dd9e6a424ece301dd97a6d5aff57914402ade6 run #0: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #1: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #2: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #3: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8968156e146a2a4e506d0355e4d33e5e5359412795c9c99374bd41ed27e5b9ba all runs: OK # git bisect start 8bb7eca972ad531c9b149c0a51ab43a417385813 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 6693 revisions left to test after this (roughly 13 steps) [477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6] Merge tag 'drm-next-2021-08-31-1' of git://anongit.freedesktop.org/drm/drm testing commit 477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3a778f845119037504f64addc8c2029d4689d7df37049d45dc1801fd1a56e1a6 all runs: OK # git bisect good 477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6 Bisecting: 3317 revisions left to test after this (roughly 12 steps) [626bf91a292e2035af5b9d9cce35c5c138dfe06d] Merge tag 'net-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 626bf91a292e2035af5b9d9cce35c5c138dfe06d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7a93ee87bc2e2a4cc5b2affb14259feb860ae84fe2159158cd5fd9190ef38ccd run #0: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #1: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #2: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #3: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #4: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 626bf91a292e2035af5b9d9cce35c5c138dfe06d Bisecting: 1702 revisions left to test after this (roughly 11 steps) [23852bec534a1633dc08f4df88b8493ae99953a9] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 23852bec534a1633dc08f4df88b8493ae99953a9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4d1986d5f68a078f039c2dd7b4728c80a2577955956408c91ead82afbf1ff6a6 all runs: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc # git bisect bad 23852bec534a1633dc08f4df88b8493ae99953a9 Bisecting: 839 revisions left to test after this (roughly 10 steps) [9e5f3ffcf1cb34e7c7beb3f79a96f58536730924] Merge tag 'devicetree-for-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit 9e5f3ffcf1cb34e7c7beb3f79a96f58536730924 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f5fecfbf7d48d479f62f6c314667ecfbcf6f58aca0badc3e474cd9342bd722ca all runs: OK # git bisect good 9e5f3ffcf1cb34e7c7beb3f79a96f58536730924 Bisecting: 417 revisions left to test after this (roughly 9 steps) [89b6b8cd92c068cd1bdf877ec7fb1392568ef35d] Merge tag 'vfio-v5.15-rc1' of git://github.com/awilliam/linux-vfio testing commit 89b6b8cd92c068cd1bdf877ec7fb1392568ef35d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 19c33c6fee17f1b99ba4963645b32fdfa22ac61207c34eb12807905dbe4aaf81 all runs: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc # git bisect bad 89b6b8cd92c068cd1bdf877ec7fb1392568ef35d Bisecting: 210 revisions left to test after this (roughly 8 steps) [412106c203b759fa7fbcc4f855a90ab18e681ccb] Merge tag 'erofs-for-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs testing commit 412106c203b759fa7fbcc4f855a90ab18e681ccb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bc66865f949b3336287524101313522ceb456ed1e5dd82751972369dd7663482 all runs: OK # git bisect good 412106c203b759fa7fbcc4f855a90ab18e681ccb Bisecting: 107 revisions left to test after this (roughly 7 steps) [c815f04ba94940fbc303a6ea9669e7da87f8e77d] Merge tag 'linux-kselftest-kunit-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest testing commit c815f04ba94940fbc303a6ea9669e7da87f8e77d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8bdd1220a1dc0f75dad9b2e93065d6d365b7cc5fb3249278cb9a0ab0938de5fa all runs: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc # git bisect bad c815f04ba94940fbc303a6ea9669e7da87f8e77d Bisecting: 45 revisions left to test after this (roughly 6 steps) [265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d] Merge tag 'dlm-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm testing commit 265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b7121def25906b92a0c454a2968e4b5bffa25a3dc891bc81b64d0012acd446b5 all runs: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc # git bisect bad 265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d Bisecting: 33 revisions left to test after this (roughly 5 steps) [baaae979b112642a41b71c71c599d875c067d257] ext4: make the updating inode data procedure atomic testing commit baaae979b112642a41b71c71c599d875c067d257 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 97ba66fc00107acc9ff0719e8742a83765e53866e439cd7b2dc6efea771604a8 all runs: OK # git bisect good baaae979b112642a41b71c71c599d875c067d257 Bisecting: 16 revisions left to test after this (roughly 4 steps) [7661809d493b426e979f39ab512e3adf41fbcc69] mm: don't allow oversized kvmalloc() calls testing commit 7661809d493b426e979f39ab512e3adf41fbcc69 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: dd737442cd8bc1f2d9d490899fd86caaf3abf9f9a7b230ac594ff9cc3fe92356 all runs: crashed: WARNING: kmalloc bug in snd_pcm_plugin_alloc # git bisect bad 7661809d493b426e979f39ab512e3adf41fbcc69 Bisecting: 8 revisions left to test after this (roughly 3 steps) [ffb24e3c657869b256c3f90792d262fe09f49628] ovl: relax lookup error on mismatch origin ftype testing commit ffb24e3c657869b256c3f90792d262fe09f49628 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 868bba44b66019292ded03ee42e87087efe586e6aa7b42756b5c6716039d3854 all runs: OK # git bisect good ffb24e3c657869b256c3f90792d262fe09f49628 Bisecting: 4 revisions left to test after this (roughly 2 steps) [52d5a0c6bd8a89f460243ed937856354f8f253a3] ovl: fix BUG_ON() in may_delete() when called from ovl_cleanup() testing commit 52d5a0c6bd8a89f460243ed937856354f8f253a3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 38d7b33c479d973c10a7a57f24245f90bfbeae36e1fa1ed5c1605ad3419188ed all runs: OK # git bisect good 52d5a0c6bd8a89f460243ed937856354f8f253a3 Bisecting: 2 revisions left to test after this (roughly 1 step) [332f606b32b6291a944c8cf23b91f53a6e676525] ovl: enable RCU'd ->get_acl() testing commit 332f606b32b6291a944c8cf23b91f53a6e676525 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 17872c509347c6fe6594d422604256843dca2e756b5aa3b9c4d8a5a9bb5efada all runs: OK # git bisect good 332f606b32b6291a944c8cf23b91f53a6e676525 Bisecting: 0 revisions left to test after this (roughly 1 step) [111c1aa8cad4a0069dfe98fc093507b5b2cdfda7] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 testing commit 111c1aa8cad4a0069dfe98fc093507b5b2cdfda7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8c88ace9d6d4b783f56c30f9024d78119f3cfed153e5e976fd38fdf6f7282312 all runs: OK # git bisect good 111c1aa8cad4a0069dfe98fc093507b5b2cdfda7 7661809d493b426e979f39ab512e3adf41fbcc69 is the first bad commit commit 7661809d493b426e979f39ab512e3adf41fbcc69 Author: Linus Torvalds Date: Wed Jul 14 09:45:49 2021 -0700 mm: don't allow oversized kvmalloc() calls 'kvmalloc()' is a convenience function for people who want to do a kmalloc() but fall back on vmalloc() if there aren't enough physically contiguous pages, or if the allocation is larger than what kmalloc() supports. However, let's make sure it doesn't get _too_ easy to do crazy things with it. In particular, don't allow big allocations that could be due to integer overflow or underflow. So make sure the allocation size fits in an 'int', to protect against trivial integer conversion issues. Acked-by: Willy Tarreau Cc: Kees Cook Signed-off-by: Linus Torvalds mm/util.c | 4 ++++ 1 file changed, 4 insertions(+) culprit signature: dd737442cd8bc1f2d9d490899fd86caaf3abf9f9a7b230ac594ff9cc3fe92356 parent signature: 8c88ace9d6d4b783f56c30f9024d78119f3cfed153e5e976fd38fdf6f7282312 revisions tested: 18, total time: 3h35m46.282327743s (build: 2h9m19.77807556s, test: 1h24m27.782243106s) first bad commit: 7661809d493b426e979f39ab512e3adf41fbcc69 mm: don't allow oversized kvmalloc() calls recipients (to): ["akpm@linux-foundation.org" "linux-mm@kvack.org" "torvalds@linux-foundation.org" "w@1wt.eu"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: WARNING: kmalloc bug in snd_pcm_plugin_alloc ------------[ cut here ]------------ WARNING: CPU: 1 PID: 8336 at mm/util.c:597 kvmalloc_node+0x7b/0x90 mm/util.c:600 Modules linked in: CPU: 1 PID: 8336 Comm: syz-executor807 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kvmalloc_node+0x7b/0x90 mm/util.c:597 Code: 2b 48 8b 3c 24 8b 54 24 0c 48 81 ff ff ff ff 7f 77 18 4c 8b 44 24 18 48 83 c4 10 89 d1 89 ea 5d be 01 00 00 00 e9 55 02 0b 00 <0f> 0b 48 83 c4 10 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 RSP: 0018:ffffc900017afb70 EFLAGS: 00010212 RAX: 0000000000000000 RBX: ffff888015764588 RCX: 0000000100000000 RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 00000000c0c0c100 RBP: 0000000000000dc0 R08: 0000000000012dc0 R09: 00000000ffffffff R10: ffffed1028ed5d1e R11: 000000000007a089 R12: ffff888015764500 R13: 00000000c0c0c100 R14: ffff88801576450c R15: 0000000000000010 FS: 00007ff44ca0d700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff44cab1898 CR3: 00000000a3af4000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kvmalloc include/linux/mm.h:806 [inline] kvzalloc include/linux/mm.h:814 [inline] snd_pcm_plugin_alloc+0x444/0x8c0 sound/core/oss/pcm_plugin.c:71 snd_pcm_plug_alloc+0x1b1/0x260 sound/core/oss/pcm_plugin.c:118 snd_pcm_oss_change_params_locked+0x1865/0x3050 sound/core/oss/pcm_oss.c:1028 snd_pcm_oss_change_params sound/core/oss/pcm_oss.c:1091 [inline] snd_pcm_oss_get_active_substream+0xe9/0x140 sound/core/oss/pcm_oss.c:1108 snd_pcm_oss_get_rate sound/core/oss/pcm_oss.c:1765 [inline] snd_pcm_oss_set_rate sound/core/oss/pcm_oss.c:1757 [inline] snd_pcm_oss_ioctl+0xfdd/0x2d10 sound/core/oss/pcm_oss.c:2619 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x11f/0x190 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7ff44ca5c1e9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff44ca0d2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ff44cae54a8 RCX: 00007ff44ca5c1e9 RDX: 0000000020000140 RSI: 00000000c0045002 RDI: 0000000000000003 RBP: 00007ff44cae54a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff44cae54ac R13: 00007ff44cab2074 R14: 7364612f7665642f R15: 0000000000022000