bisecting cause commit starting from 6147c83fd749d19a0d3ccc2f64d12138ab010b47 building syzkaller on 1d2b823edd7b3936545a8b4d9901d53640334ee6 testing commit 6147c83fd749d19a0d3ccc2f64d12138ab010b47 with gcc (GCC) 8.1.0 kernel signature: e6a22db5b4868bb2a728c7d4717908beb7c1df9380ba01e7838ab901ae522019 run #0: crashed: WARNING in sk_stream_kill_queues run #1: crashed: WARNING in sk_stream_kill_queues run #2: crashed: WARNING in sk_stream_kill_queues run #3: crashed: WARNING in sk_stream_kill_queues run #4: crashed: WARNING in sk_stream_kill_queues run #5: OK run #6: crashed: WARNING in sk_stream_kill_queues run #7: OK run #8: OK run #9: crashed: WARNING in sk_stream_kill_queues testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: ae997c81c8480492441e712d3c127e3da959156d4e937c464609e101fa84e28c all runs: OK # git bisect start 6147c83fd749d19a0d3ccc2f64d12138ab010b47 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 12698 revisions left to test after this (roughly 14 steps) [6694875ef8045cdb1e6712ee9b68fe08763507d8] ext4: indicate that fast_commit is available via /sys/fs/ext4/feature/... testing commit 6694875ef8045cdb1e6712ee9b68fe08763507d8 with gcc (GCC) 8.1.0 kernel signature: 2799b9d4540100cd9bf08c21a4326827de42a26f883d88092a41e6542540360c all runs: OK # git bisect good 6694875ef8045cdb1e6712ee9b68fe08763507d8 Bisecting: 6441 revisions left to test after this (roughly 13 steps) [8b68716691ee46819173cdc6715cbf8b331a2e98] Merge remote-tracking branch 'jc_docs/docs-next' testing commit 8b68716691ee46819173cdc6715cbf8b331a2e98 with gcc (GCC) 8.1.0 kernel signature: 0a7513d3df62518e2ff3b118081113d525dfeec788cf153be05bba8ccad5e6cd all runs: OK # git bisect good 8b68716691ee46819173cdc6715cbf8b331a2e98 Bisecting: 3228 revisions left to test after this (roughly 12 steps) [eaae9bf3840991c31082d4b52f27529549fc11ad] Merge remote-tracking branch 'drm-tegra/drm/tegra/for-next' testing commit eaae9bf3840991c31082d4b52f27529549fc11ad with gcc (GCC) 8.1.0 kernel signature: be642d7e6bb23b4740e63904d0f20d311c383aab796c957dc539b66e48c0ab99 all runs: OK # git bisect good eaae9bf3840991c31082d4b52f27529549fc11ad Bisecting: 1622 revisions left to test after this (roughly 11 steps) [26146838dcc55cb7a813a5f3a8f0f4d6a0c486d1] Merge remote-tracking branch 'usb/usb-next' testing commit 26146838dcc55cb7a813a5f3a8f0f4d6a0c486d1 with gcc (GCC) 8.1.0 kernel signature: 5ed3eefc4cefa05f8d678f0db12a30f04a268a8c554c2a25ef32bf4678596845 all runs: OK # git bisect good 26146838dcc55cb7a813a5f3a8f0f4d6a0c486d1 Bisecting: 824 revisions left to test after this (roughly 10 steps) [048a79783d3fdc5f107f57e38de75edc4a063647] Merge remote-tracking branch 'gpio-brgl/gpio/for-next' testing commit 048a79783d3fdc5f107f57e38de75edc4a063647 with gcc (GCC) 8.1.0 kernel signature: 6c45023bd6c65e9c305584dff564355ed3a557d2c0cf9dbddc68b2900ee130b2 all runs: OK # git bisect good 048a79783d3fdc5f107f57e38de75edc4a063647 Bisecting: 424 revisions left to test after this (roughly 9 steps) [e65dba0fc2e3ba6435a55d0d8727bfa664a51c54] Merge remote-tracking branch 'memblock/for-next' testing commit e65dba0fc2e3ba6435a55d0d8727bfa664a51c54 with gcc (GCC) 8.1.0 kernel signature: 7b41e2f2848307fd710bb3c570f06880797ed8fbb3bfb75546930815a6ba4a24 all runs: OK # git bisect good e65dba0fc2e3ba6435a55d0d8727bfa664a51c54 Bisecting: 212 revisions left to test after this (roughly 8 steps) [659316014bab138170ee07e585e7b4e5314562fb] mm, page_alloc: do not rely on the order of page_poison and init_on_alloc/free parameters testing commit 659316014bab138170ee07e585e7b4e5314562fb with gcc (GCC) 8.1.0 kernel signature: 4961b9da66f7988cb8eb09eca36807d59c74308636c84f43d0a72d34413bec71 all runs: OK # git bisect good 659316014bab138170ee07e585e7b4e5314562fb Bisecting: 106 revisions left to test after this (roughly 7 steps) [5edf0cf01b6f5a388ea1f7a96beb4c9658a18224] relay: allow the use of const callback structs testing commit 5edf0cf01b6f5a388ea1f7a96beb4c9658a18224 with gcc (GCC) 8.1.0 kernel signature: 2c5e8837aee8c90f3cedd050c3157b4703e56e7b47cf63973c83bd09704316c6 run #0: crashed: WARNING in sk_stream_kill_queues run #1: crashed: WARNING in sk_stream_kill_queues run #2: crashed: WARNING in sk_stream_kill_queues run #3: crashed: WARNING in sk_stream_kill_queues run #4: crashed: WARNING in sk_stream_kill_queues run #5: crashed: WARNING in sk_stream_kill_queues run #6: crashed: WARNING in sk_stream_kill_queues run #7: crashed: WARNING in sk_stream_kill_queues run #8: crashed: WARNING in sk_stream_kill_queues run #9: OK # git bisect bad 5edf0cf01b6f5a388ea1f7a96beb4c9658a18224 Bisecting: 52 revisions left to test after this (roughly 6 steps) [c7fdaae3a9fdad4a6579b9272841c71c5ee32515] lib/stackdepot.c: replace one-element array with flexible-array member testing commit c7fdaae3a9fdad4a6579b9272841c71c5ee32515 with gcc (GCC) 8.1.0 kernel signature: 8d15eeca8c5fd9cfa33a52d5fade4cabf3ca7ca3ee19f9b778610dbcb3219681 run #0: crashed: WARNING in sk_stream_kill_queues run #1: crashed: WARNING in sk_stream_kill_queues run #2: crashed: WARNING in sk_stream_kill_queues run #3: crashed: WARNING in sk_stream_kill_queues run #4: crashed: WARNING in sk_stream_kill_queues run #5: crashed: WARNING in sk_stream_kill_queues run #6: crashed: WARNING in sk_stream_kill_queues run #7: OK run #8: OK run #9: OK # git bisect bad c7fdaae3a9fdad4a6579b9272841c71c5ee32515 Bisecting: 26 revisions left to test after this (roughly 5 steps) [87887bd2b926a42b488f294d7b8732fb2f0bf369] kfence: avoid stalling work queue task without allocations testing commit 87887bd2b926a42b488f294d7b8732fb2f0bf369 with gcc (GCC) 8.1.0 kernel signature: 9bd03c73f682fccdccc551b8480250f25e8ed698d838cda8bb095ea9bbe33006 all runs: OK # git bisect good 87887bd2b926a42b488f294d7b8732fb2f0bf369 Bisecting: 13 revisions left to test after this (roughly 4 steps) [7d9f31c3e3b212704c9eeb892714a198a301b650] alpha: Replace bogus in_interrupt() testing commit 7d9f31c3e3b212704c9eeb892714a198a301b650 with gcc (GCC) 8.1.0 kernel signature: c598b49155bea9f7635bb0f93043751659fc37107d2e4cb85351c3770111d5d4 run #0: crashed: WARNING in sk_stream_kill_queues run #1: crashed: WARNING in sk_stream_kill_queues run #2: crashed: WARNING in sk_stream_kill_queues run #3: crashed: WARNING in sk_stream_kill_queues run #4: crashed: WARNING in sk_stream_kill_queues run #5: crashed: WARNING in sk_stream_kill_queues run #6: crashed: WARNING in sk_stream_kill_queues run #7: crashed: WARNING in sk_stream_kill_queues run #8: OK run #9: crashed: WARNING in sk_stream_kill_queues # git bisect bad 7d9f31c3e3b212704c9eeb892714a198a301b650 Bisecting: 6 revisions left to test after this (roughly 3 steps) [06f8efd3022328115dda914e3f7f0c7d7dbcba5b] kfence, kasan: make KFENCE compatible with KASAN testing commit 06f8efd3022328115dda914e3f7f0c7d7dbcba5b with gcc (GCC) 8.1.0 kernel signature: 0af04e83a09ccb38066d925dd7461e1062ee8d52f251eb4fda28ea0f10e0af77 run #0: crashed: WARNING in sk_stream_kill_queues run #1: crashed: WARNING in sk_stream_kill_queues run #2: crashed: WARNING in sk_stream_kill_queues run #3: crashed: WARNING in sk_stream_kill_queues run #4: crashed: WARNING in sk_stream_kill_queues run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 06f8efd3022328115dda914e3f7f0c7d7dbcba5b Bisecting: 2 revisions left to test after this (roughly 2 steps) [a7554721b37b28f6e5c9c8edd096abe8c4147760] kfence: use pt_regs to generate stack trace on faults testing commit a7554721b37b28f6e5c9c8edd096abe8c4147760 with gcc (GCC) 8.1.0 kernel signature: 1c7e683faf10b4329d2e32e067198995ccc25b1f1003000e016d34e60ee9e22f all runs: OK # git bisect good a7554721b37b28f6e5c9c8edd096abe8c4147760 Bisecting: 0 revisions left to test after this (roughly 1 step) [145cd60fb481328faafba76842aa0fd242e2b163] mm, kfence: insert KFENCE hooks for SLUB testing commit 145cd60fb481328faafba76842aa0fd242e2b163 with gcc (GCC) 8.1.0 kernel signature: 0af04e83a09ccb38066d925dd7461e1062ee8d52f251eb4fda28ea0f10e0af77 run #0: crashed: WARNING in sk_stream_kill_queues run #1: crashed: WARNING in sk_stream_kill_queues run #2: crashed: WARNING in sk_stream_kill_queues run #3: crashed: WARNING in sk_stream_kill_queues run #4: crashed: WARNING in sk_stream_kill_queues run #5: OK run #6: crashed: WARNING in sk_stream_kill_queues run #7: OK run #8: OK run #9: OK # git bisect bad 145cd60fb481328faafba76842aa0fd242e2b163 Bisecting: 0 revisions left to test after this (roughly 0 steps) [121e45b24d61b5fda94b2fb623758b043d5e0140] mm, kfence: insert KFENCE hooks for SLAB testing commit 121e45b24d61b5fda94b2fb623758b043d5e0140 with gcc (GCC) 8.1.0 kernel signature: 974ab499b0fcec694d098beab02cc4b952ea02cee50043ca1d9099ff6505139b all runs: OK # git bisect good 121e45b24d61b5fda94b2fb623758b043d5e0140 145cd60fb481328faafba76842aa0fd242e2b163 is the first bad commit commit 145cd60fb481328faafba76842aa0fd242e2b163 Author: Alexander Potapenko Date: Tue Nov 24 16:38:44 2020 +1100 mm, kfence: insert KFENCE hooks for SLUB Inserts KFENCE hooks into the SLUB allocator. To pass the originally requested size to KFENCE, add an argument 'orig_size' to slab_alloc*(). The additional argument is required to preserve the requested original size for kmalloc() allocations, which uses size classes (e.g. an allocation of 272 bytes will return an object of size 512). Therefore, kmem_cache::size does not represent the kmalloc-caller's requested size, and we must introduce the argument 'orig_size' to propagate the originally requested size to KFENCE. Without the originally requested size, we would not be able to detect out-of-bounds accesses for objects placed at the end of a KFENCE object page if that object is not equal to the kmalloc-size class it was bucketed into. When KFENCE is disabled, there is no additional overhead, since slab_alloc*() functions are __always_inline. Link: https://lkml.kernel.org/r/20201103175841.3495947-6-elver@google.com Signed-off-by: Marco Elver Signed-off-by: Alexander Potapenko Reviewed-by: Dmitry Vyukov Reviewed-by: Jann Horn Co-developed-by: Marco Elver Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Catalin Marinas Cc: Christopher Lameter Cc: Dave Hansen Cc: David Rientjes Cc: Eric Dumazet Cc: Greg Kroah-Hartman Cc: Hillf Danton Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Joern Engel Cc: Jonathan Corbet Cc: Joonsoo Kim Cc: Kees Cook Cc: Mark Rutland Cc: Paul E. McKenney Cc: Pekka Enberg Cc: Peter Zijlstra Cc: SeongJae Park Cc: Thomas Gleixner Cc: Vlastimil Babka Cc: Will Deacon Signed-off-by: Andrew Morton Signed-off-by: Stephen Rothwell include/linux/slub_def.h | 3 +++ mm/kfence/core.c | 2 ++ mm/slub.c | 60 +++++++++++++++++++++++++++++++++++++----------- 3 files changed, 51 insertions(+), 14 deletions(-) culprit signature: 0af04e83a09ccb38066d925dd7461e1062ee8d52f251eb4fda28ea0f10e0af77 parent signature: 974ab499b0fcec694d098beab02cc4b952ea02cee50043ca1d9099ff6505139b revisions tested: 17, total time: 4h17m0.193686017s (build: 1h16m14.098121711s, test: 2h59m4.421354225s) first bad commit: 145cd60fb481328faafba76842aa0fd242e2b163 mm, kfence: insert KFENCE hooks for SLUB recipients (to): ["akpm@linux-foundation.org" "dvyukov@google.com" "elver@google.com" "glider@google.com" "jannh@google.com" "sfr@canb.auug.org.au"] recipients (cc): [] crash: WARNING in sk_stream_kill_queues ------------[ cut here ]------------ WARNING: CPU: 0 PID: 29390 at net/core/stream.c:207 sk_stream_kill_queues+0x108/0x120 net/core/stream.c:207 Modules linked in: CPU: 0 PID: 29390 Comm: syz-executor184 Not tainted 5.10.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:sk_stream_kill_queues+0x108/0x120 net/core/stream.c:207 Code: 11 8b 83 68 02 00 00 85 c0 75 1f 85 f6 75 21 5b 5d c3 48 89 df e8 e8 e2 fe ff 8b 83 68 02 00 00 8b b3 20 02 00 00 85 c0 74 e1 <0f> 0b 85 f6 74 df 0f 0b 5b 5d c3 0f 0b eb ac 66 0f 1f 84 00 00 00 RSP: 0018:ffffc900023dfd38 EFLAGS: 00010282 RAX: 00000000fffffe80 RBX: ffff88810c6ec380 RCX: 0000000000000202 RDX: 0000000080000202 RSI: 0000000000000180 RDI: ffff88810c6ec4d0 RBP: ffff88810c6ec4d0 R08: 0000000000000001 R09: 0000000000000001 R10: ffff88811e2e7700 R11: 0000000000000004 R12: ffff88810c6ec400 R13: 0000000000000007 R14: ffff88810ef75000 R15: 0000000000000000 FS: 00007fdb7e800700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004d1970 CR3: 000000011d5e4000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: inet_csk_destroy_sock+0x4a/0x110 net/ipv4/inet_connection_sock.c:885 tcp_close+0x388/0x520 net/ipv4/tcp.c:2571 inet_release+0x37/0x70 net/ipv4/af_inet.c:431 __sock_release+0x32/0xa0 net/socket.c:596 sock_close+0xf/0x20 net/socket.c:1277 __fput+0xaa/0x250 fs/file_table.c:281 task_work_run+0x68/0xb0 kernel/task_work.c:151 get_signal+0x600/0xc70 kernel/signal.c:2562 arch_do_signal+0x2b/0x8d0 arch/x86/kernel/signal.c:811 exit_to_user_mode_loop kernel/entry/common.c:161 [inline] exit_to_user_mode_prepare+0xec/0x1c0 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x44ea39 Code: e8 8c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab c7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fdb7e7ffd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: 0000000000012255 RBX: 00000000006e6a18 RCX: 000000000044ea39 RDX: 00000001000001bd RSI: 00000000200001c0 RDI: 0000000000000003 RBP: 00000000006e6a10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e6a1c R13: 3030303030303030 R14: 3030303030303d65 R15: 2b74d0dd4a6f722c