bisecting cause commit starting from f1583cb1be35c23df60b1c39e3e7e6704d749d0b building syzkaller on d236a457274375e5273ac4e958722659929c469f testing commit f1583cb1be35c23df60b1c39e3e7e6704d749d0b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a19fbff060f74628c620011e69305989743466ade0c7f7b18858fd34ddb65a76 run #0: crashed: WARNING: kmalloc bug in hash_mac_create run #1: crashed: WARNING: kmalloc bug in hash_mac_create run #2: crashed: WARNING: kmalloc bug in hash_mac_create run #3: crashed: WARNING: kmalloc bug in hash_mac_create run #4: crashed: WARNING: kmalloc bug in hash_mac_create run #5: crashed: WARNING: kmalloc bug in hash_mac_create run #6: crashed: WARNING: kmalloc bug in hash_mac_create run #7: crashed: WARNING: kmalloc bug in hash_mac_create run #8: crashed: WARNING: kmalloc bug in hash_mac_create run #9: crashed: WARNING: kmalloc bug in hash_mac_create run #10: crashed: WARNING: kmalloc bug in hash_mac_create run #11: crashed: WARNING: kmalloc bug in hash_mac_create run #12: crashed: WARNING: kmalloc bug in hash_mac_create run #13: crashed: WARNING: kmalloc bug in hash_mac_create run #14: crashed: WARNING: kmalloc bug in hash_mac_create run #15: crashed: WARNING: kmalloc bug in hash_mac_create run #16: crashed: WARNING: kmalloc bug in hash_mac_create run #17: crashed: WARNING: kmalloc bug in hash_mac_create run #18: crashed: WARNING: kmalloc bug in hash_mac_create run #19: boot failed: possible deadlock in blktrans_open testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 42ab57fc9434604be7336d8d442f9783c66c96a21b1e995b8854978c9dcd9fa5 all runs: OK # git bisect start f1583cb1be35c23df60b1c39e3e7e6704d749d0b 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 4672 revisions left to test after this (roughly 12 steps) [7c314bdfb64e4bb8d2f829376ed56ce663483752] Merge tag 'tty-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty testing commit 7c314bdfb64e4bb8d2f829376ed56ce663483752 arch/x86/kernel/setup.c:916:6: error: implicit declaration of function 'acpi_mps_check' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1110:2: error: implicit declaration of function 'acpi_table_upgrade' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1112:2: error: implicit declaration of function 'acpi_boot_table_init' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1120:2: error: implicit declaration of function 'early_acpi_boot_init'; did you mean 'early_cpu_init'? [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1162:2: error: implicit declaration of function 'acpi_boot_init' [-Werror=implicit-function-declaration] # git bisect skip 7c314bdfb64e4bb8d2f829376ed56ce663483752 Bisecting: 4672 revisions left to test after this (roughly 12 steps) [c3fb3698f935381161101d2479d66dd48c106183] net: bridge: mcast: consolidate querier selection for ipv4 and ipv6 testing commit c3fb3698f935381161101d2479d66dd48c106183 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b8056db3a63ac45965dd066a583e641cd86d2dcc7b5b6e6ae92bdf4f18375d5e all runs: OK # git bisect good c3fb3698f935381161101d2479d66dd48c106183 Bisecting: 4057 revisions left to test after this (roughly 12 steps) [0d290223a6c77107b1c3988959e49279a8dafaba] Merge tag 'sound-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit 0d290223a6c77107b1c3988959e49279a8dafaba compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 6eb68362d4f6bd67c0c037ad9b6cfb3573833a06dd45cb351583a5befec4f6d6 all runs: OK # git bisect good 0d290223a6c77107b1c3988959e49279a8dafaba Bisecting: 2219 revisions left to test after this (roughly 11 steps) [32b47072f319bb65e9afad59e78153d83496f1f5] Merge tag 'defconfig-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 32b47072f319bb65e9afad59e78153d83496f1f5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: d1798a073760782facfd92ea8ae29ff38c407547ff5edb5392afaae5af24adf4 all runs: OK # git bisect good 32b47072f319bb65e9afad59e78153d83496f1f5 Bisecting: 1167 revisions left to test after this (roughly 10 steps) [a180eab0b564a9dc149beb0517136ef7129f1260] Merge tag 'mailbox-v5.15' of git://git.linaro.org/landing-teams/working/fujitsu/integration testing commit a180eab0b564a9dc149beb0517136ef7129f1260 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: cae399eaf34307f827489285fcfb45f21d96c4d8e2b929456313382947716096 all runs: crashed: WARNING: kmalloc bug in hash_mac_create # git bisect bad a180eab0b564a9dc149beb0517136ef7129f1260 Bisecting: 503 revisions left to test after this (roughly 9 steps) [9e5f3ffcf1cb34e7c7beb3f79a96f58536730924] Merge tag 'devicetree-for-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit 9e5f3ffcf1cb34e7c7beb3f79a96f58536730924 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b265d3d7c11dcca0fb6fe8d42b6163bb3adf77f03684d07c189b3111642aebed all runs: OK # git bisect good 9e5f3ffcf1cb34e7c7beb3f79a96f58536730924 Bisecting: 251 revisions left to test after this (roughly 8 steps) [b0cfcdd9b9672ea90642f33d6c0dd8516553adf2] d_path: make 'prepend()' fill up the buffer exactly on overflow testing commit b0cfcdd9b9672ea90642f33d6c0dd8516553adf2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b1646c9c90875b8979ce52d885f659d52152b09787f8305a2062dcdf9b1ff4e0 run #0: crashed: WARNING: kmalloc bug in hash_mac_create run #1: crashed: WARNING: kmalloc bug in hash_mac_create run #2: crashed: WARNING: kmalloc bug in hash_mac_create run #3: crashed: WARNING: kmalloc bug in hash_mac_create run #4: crashed: WARNING: kmalloc bug in hash_mac_create run #5: crashed: WARNING: kmalloc bug in hash_mac_create run #6: crashed: WARNING: kmalloc bug in hash_mac_create run #7: crashed: WARNING: kmalloc bug in hash_mac_create run #8: crashed: WARNING: kmalloc bug in hash_mac_create run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "root@10.128.1.101:./syz-fuzzer"] Warning: Permanently added '10.128.1.101' (ECDSA) to the list of known hosts. # git bisect bad b0cfcdd9b9672ea90642f33d6c0dd8516553adf2 Bisecting: 148 revisions left to test after this (roughly 7 steps) [f38a032b165d812b0ba8378a5cd237c0888ff65f] xfs: fix I_DONTCACHE testing commit f38a032b165d812b0ba8378a5cd237c0888ff65f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1a1579dc3bc5cd254318c98c616d8ddb245ac695fa4ab71f6722a7c6010e3bb5 all runs: OK # git bisect good f38a032b165d812b0ba8378a5cd237c0888ff65f Bisecting: 67 revisions left to test after this (roughly 6 steps) [4ac6d90867a4de2e12117e755dbd76e08d88697f] Merge tag 'docs-5.15' of git://git.lwn.net/linux testing commit 4ac6d90867a4de2e12117e755dbd76e08d88697f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 063ced1db60e4f016139388bf2e6d8970739ed020e53e106bba194d248acf850 all runs: OK # git bisect good 4ac6d90867a4de2e12117e755dbd76e08d88697f Bisecting: 40 revisions left to test after this (roughly 5 steps) [412106c203b759fa7fbcc4f855a90ab18e681ccb] Merge tag 'erofs-for-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs testing commit 412106c203b759fa7fbcc4f855a90ab18e681ccb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5392719c2f96d5c5e31e1c74e1d67172b8462eb26452b8219456af66abce0c90 all runs: OK # git bisect good 412106c203b759fa7fbcc4f855a90ab18e681ccb Bisecting: 19 revisions left to test after this (roughly 4 steps) [0904c9ae3465c7acc066a564a76b75c0af83e6c7] ext4: move inode eio simulation behind io completeion testing commit 0904c9ae3465c7acc066a564a76b75c0af83e6c7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a07d496afbc8ef03fed326275fa04d1511a11dca644ce3924d252110a6421498 all runs: OK # git bisect good 0904c9ae3465c7acc066a564a76b75c0af83e6c7 Bisecting: 9 revisions left to test after this (roughly 3 steps) [d8991e8622e758b718e2e4291d31dd0bea4e14a4] ovl: update ctime when changing fileattr testing commit d8991e8622e758b718e2e4291d31dd0bea4e14a4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 297585c95033cadeef0b97bc1cf531160cd5ea7eccdaed88f89bcb4b3990dd28 all runs: OK # git bisect good d8991e8622e758b718e2e4291d31dd0bea4e14a4 Bisecting: 4 revisions left to test after this (roughly 2 steps) [815409a12c0a9c0de17a910fd95fe11e1eb97f32] Merge tag 'ovl-update-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs testing commit 815409a12c0a9c0de17a910fd95fe11e1eb97f32 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 49e8901dc0096c04cedf2a8d72c74767b4919d2afc0b59408018e5afa83d377d all runs: OK # git bisect good 815409a12c0a9c0de17a910fd95fe11e1eb97f32 Bisecting: 1 revision left to test after this (roughly 1 step) [111c1aa8cad4a0069dfe98fc093507b5b2cdfda7] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 testing commit 111c1aa8cad4a0069dfe98fc093507b5b2cdfda7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: e0aa7ed45d85e19051d2cd214cfcee17b9d87427c8ac9a19dfb1a282b8fecba7 all runs: OK # git bisect good 111c1aa8cad4a0069dfe98fc093507b5b2cdfda7 Bisecting: 0 revisions left to test after this (roughly 0 steps) [7661809d493b426e979f39ab512e3adf41fbcc69] mm: don't allow oversized kvmalloc() calls testing commit 7661809d493b426e979f39ab512e3adf41fbcc69 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 2656fe371266ee140c25bc2f1f40c3db725b6b11c5e41461e212592c4b2e4c77 all runs: crashed: WARNING: kmalloc bug in hash_mac_create # git bisect bad 7661809d493b426e979f39ab512e3adf41fbcc69 7661809d493b426e979f39ab512e3adf41fbcc69 is the first bad commit commit 7661809d493b426e979f39ab512e3adf41fbcc69 Author: Linus Torvalds Date: Wed Jul 14 09:45:49 2021 -0700 mm: don't allow oversized kvmalloc() calls 'kvmalloc()' is a convenience function for people who want to do a kmalloc() but fall back on vmalloc() if there aren't enough physically contiguous pages, or if the allocation is larger than what kmalloc() supports. However, let's make sure it doesn't get _too_ easy to do crazy things with it. In particular, don't allow big allocations that could be due to integer overflow or underflow. So make sure the allocation size fits in an 'int', to protect against trivial integer conversion issues. Acked-by: Willy Tarreau Cc: Kees Cook Signed-off-by: Linus Torvalds mm/util.c | 4 ++++ 1 file changed, 4 insertions(+) culprit signature: 2656fe371266ee140c25bc2f1f40c3db725b6b11c5e41461e212592c4b2e4c77 parent signature: e0aa7ed45d85e19051d2cd214cfcee17b9d87427c8ac9a19dfb1a282b8fecba7 revisions tested: 16, total time: 4h6m53.360622114s (build: 1h56m33.114999386s, test: 2h7m58.431434707s) first bad commit: 7661809d493b426e979f39ab512e3adf41fbcc69 mm: don't allow oversized kvmalloc() calls recipients (to): ["akpm@linux-foundation.org" "linux-mm@kvack.org" "torvalds@linux-foundation.org" "w@1wt.eu"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: WARNING: kmalloc bug in hash_mac_create ------------[ cut here ]------------ WARNING: CPU: 1 PID: 10930 at mm/util.c:597 kvmalloc_node+0x7b/0x90 mm/util.c:600 Modules linked in: CPU: 1 PID: 10930 Comm: syz-executor.3 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kvmalloc_node+0x7b/0x90 mm/util.c:597 Code: 2b 48 8b 3c 24 8b 54 24 0c 48 81 ff ff ff ff 7f 77 18 4c 8b 44 24 18 48 83 c4 10 89 d1 89 ea 5d be 01 00 00 00 e9 15 02 0b 00 <0f> 0b 48 83 c4 10 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 55 RSP: 0018:ffffc9000c6872d8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: ffffc9000c6873c8 RCX: 000000000000001f RDX: 00000000ffffffff RSI: 0000000000412dc0 RDI: 0000000400000018 RBP: 0000000000400dc0 R08: 0000000000000dc0 R09: 0000000000000000 R10: fffffbfff1688a84 R11: 000000000007a089 R12: ffff888018ba4000 R13: 000000005fffffff R14: 000000000000001f R15: 000000000000001f FS: 00007fab7dafc700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9a1308d740 CR3: 00000000318b4000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: hash_mac_create+0x2f6/0xcc0 net/netfilter/ipset/ip_set_hash_gen.h:1524 ip_set_create+0x697/0x11a0 net/netfilter/ipset/ip_set_core.c:1100 nfnetlink_rcv_msg+0x928/0xf80 net/netfilter/nfnetlink.c:296 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2504 nfnetlink_rcv+0x143/0x340 net/netfilter/nfnetlink.c:654 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x704/0xbf0 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:724 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2409 ___sys_sendmsg+0xd3/0x150 net/socket.c:2463 __sys_sendmsg+0xb2/0x140 net/socket.c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fab7dafc188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665f9 RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007fffdca3648f R14: 00007fab7dafc300 R15: 0000000000022000