bisecting cause commit starting from 0f091e43310f5c292b7094f9f115e651358e8053 building syzkaller on d5a3ae1f760e7cb2cd5a721d9645ae22eae114fe testing commit 0f091e43310f5c292b7094f9f115e651358e8053 with gcc (GCC) 8.1.0 kernel signature: 40c7e216d0519b55f87882b615687d26acfc569a24e19a20bebea514e01c1424 all runs: crashed: WARNING in nla_get_range_unsigned testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 349f45ceb15cc04d75d5ef13ad02dfba5d0c923d234a0b91fd3930e26358b2aa all runs: OK # git bisect start 0f091e43310f5c292b7094f9f115e651358e8053 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 6084 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: 025d8dc53aa6ef8ca154895a2cbc43ee7a51ed81c5c0e4e9dfc65e7f583381e4 all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 2954 revisions left to test after this (roughly 12 steps) [fa73e212318a3277ae1f304febbc617c75d4d2db] Merge tag 'media/v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit fa73e212318a3277ae1f304febbc617c75d4d2db with gcc (GCC) 8.1.0 kernel signature: 64f5fb303c328a97ffee2c09aa9f9d635145ab1f1f0bb8575e3cccbcdffef7df all runs: OK # git bisect good fa73e212318a3277ae1f304febbc617c75d4d2db Bisecting: 1452 revisions left to test after this (roughly 11 steps) [ea6ec774372740b024a6c27caac0d0af8960ea15] Merge tag 'drm-next-2020-08-12' of git://anongit.freedesktop.org/drm/drm testing commit ea6ec774372740b024a6c27caac0d0af8960ea15 with gcc (GCC) 8.1.0 kernel signature: e8d69891817b3135b719fb93ed355abee33f6731d4db3656024ec33d11709e81 all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip ea6ec774372740b024a6c27caac0d0af8960ea15 Bisecting: 1452 revisions left to test after this (roughly 11 steps) [96cf2a2c75567ff56195fe3126d497a2e7e4379f] xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init testing commit 96cf2a2c75567ff56195fe3126d497a2e7e4379f with gcc (GCC) 8.1.0 kernel signature: 0bd81c38c75b1036b17e929417ffd921c669f3c5aa86c5b2f300e44e7a3f53b2 all runs: OK # git bisect good 96cf2a2c75567ff56195fe3126d497a2e7e4379f Bisecting: 1450 revisions left to test after this (roughly 11 steps) [a3e1c3bb24e2ff2927af5e30c2bebe669bb84196] x86/crash: Correct the address boundary of function parameters testing commit a3e1c3bb24e2ff2927af5e30c2bebe669bb84196 with gcc (GCC) 8.1.0 kernel signature: addf922a5a3b2ce00fcfa93c030c155e84d6f2e68ed8c3691542ab265c8dca59 all runs: OK # git bisect good a3e1c3bb24e2ff2927af5e30c2bebe669bb84196 Bisecting: 1447 revisions left to test after this (roughly 11 steps) [14f45bb7b1bf8e600c1e07cc9f2063910000a463] net: sctp: sm_make_chunk.c: delete duplicated words + fix typo testing commit 14f45bb7b1bf8e600c1e07cc9f2063910000a463 with gcc (GCC) 8.1.0 kernel signature: ceff87b098062b5dd72304bd49e54249bb4f9fb282d0bf8f940fb15edaed2e78 all runs: crashed: WARNING in nla_get_range_unsigned # git bisect bad 14f45bb7b1bf8e600c1e07cc9f2063910000a463 Bisecting: 1385 revisions left to test after this (roughly 11 steps) [9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c] Merge branch 'akpm' (patches from Andrew) testing commit 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c with gcc (GCC) 8.1.0 kernel signature: 37e6981f508bbf4677f45ffec5b9b652115dc6c7b2255d61f8be7e62399d5a4a all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c Bisecting: 1385 revisions left to test after this (roughly 11 steps) [070b3b5ad7bd077e673cad2c591a2ecf49c0b58a] perf metric: Add 'struct expr_id_data' to keep expr value testing commit 070b3b5ad7bd077e673cad2c591a2ecf49c0b58a with gcc (GCC) 8.1.0 kernel signature: c3b7069d24dcd3e9f079dcc9ce15e3d117042781b901b4b90d7ffe961ba5c835 all runs: OK # git bisect good 070b3b5ad7bd077e673cad2c591a2ecf49c0b58a Bisecting: 1385 revisions left to test after this (roughly 11 steps) [13c502c863df0ee50b50bcadb59895984248dc8b] pinctrl: aspeed: Describe the heartbeat function on ball Y23 testing commit 13c502c863df0ee50b50bcadb59895984248dc8b with gcc (GCC) 8.1.0 kernel signature: 71cda884d8d18641c45f419a4f15634a0b39911b031b722ccc811f344e0dc03d all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks # git bisect skip 13c502c863df0ee50b50bcadb59895984248dc8b Bisecting: 1385 revisions left to test after this (roughly 11 steps) [8989f5f076051f3ceb1da083181b7d69808fff0e] perf stat: Update POWER9 metrics to utilize other metrics testing commit 8989f5f076051f3ceb1da083181b7d69808fff0e with gcc (GCC) 8.1.0 kernel signature: d14fe31c7aa5e9b0fc476b3de9349f955f9ecfd03ebbfb855a0df4ef124bc139 all runs: OK # git bisect good 8989f5f076051f3ceb1da083181b7d69808fff0e Bisecting: 753 revisions left to test after this (roughly 10 steps) [8c26544f5ace22ee159113a3300de077f2973519] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf testing commit 8c26544f5ace22ee159113a3300de077f2973519 with gcc (GCC) 8.1.0 kernel signature: 9904d04b69ec0d004ed711fe13b0f43ab72cdf64bedb35cfe9cdb84fc489ec4b all runs: OK # git bisect good 8c26544f5ace22ee159113a3300de077f2973519 Bisecting: 376 revisions left to test after this (roughly 9 steps) [38fa7d039fe095b5e516476694c4d5550e656b85] net: phy: dp83640: Use generic helper function testing commit 38fa7d039fe095b5e516476694c4d5550e656b85 with gcc (GCC) 8.1.0 kernel signature: bb6b4f5c102c834985ea1e5ddddbf7fbe1bbde745684a52594d301e2d93eb0b7 all runs: crashed: WARNING in nla_get_range_unsigned # git bisect bad 38fa7d039fe095b5e516476694c4d5550e656b85 Bisecting: 187 revisions left to test after this (roughly 8 steps) [884e0d3dd59dde1c1f0fbb5b9db2bcdc581982c7] Merge tag 'mfd-next-5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd testing commit 884e0d3dd59dde1c1f0fbb5b9db2bcdc581982c7 with gcc (GCC) 8.1.0 kernel signature: f85d08360bbe0de8d6fcb80914d0b4b12e402d841246a2e490e0e347c7cdba1f all runs: OK # git bisect good 884e0d3dd59dde1c1f0fbb5b9db2bcdc581982c7 Bisecting: 103 revisions left to test after this (roughly 7 steps) [713eee84720e6525bc5b65954c5087604a15f5e8] Merge tag 'perf-tools-2020-08-14' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux testing commit 713eee84720e6525bc5b65954c5087604a15f5e8 with gcc (GCC) 8.1.0 kernel signature: b62fb7856c834b4f95973913fd0bc4222a5de5db4f11337144bd52acfca110cb all runs: OK # git bisect good 713eee84720e6525bc5b65954c5087604a15f5e8 Bisecting: 56 revisions left to test after this (roughly 6 steps) [6f6aea7e966cda5a817d091e938c2d9b52209893] parisc: fix PMD pages allocation by restoring pmd_alloc_one() testing commit 6f6aea7e966cda5a817d091e938c2d9b52209893 with gcc (GCC) 8.1.0 kernel signature: b94a57cda41b2b80328c63236fba6c29b0e389b44df5810104e558a2ddc811bc all runs: OK # git bisect good 6f6aea7e966cda5a817d091e938c2d9b52209893 Bisecting: 25 revisions left to test after this (roughly 5 steps) [4cf7562190c795f1f95be6ee0d161107d0dc5d49] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 4cf7562190c795f1f95be6ee0d161107d0dc5d49 with gcc (GCC) 8.1.0 kernel signature: 4842ede84cee1977af1fd0014fb8a547a060d5c197521d87d781b55dde922348 all runs: OK # git bisect good 4cf7562190c795f1f95be6ee0d161107d0dc5d49 Bisecting: 12 revisions left to test after this (roughly 4 steps) [487eb2b9087fd6c6c5a1a0607a9364defbbae252] Merge branch 'net-dsa-loop-Expose-VLAN-table-through-devlink' testing commit 487eb2b9087fd6c6c5a1a0607a9364defbbae252 with gcc (GCC) 8.1.0 kernel signature: 9f8578810b759532d45189f1fedd55e60a15bf1c3cb45b7d69bcf9cf4976432a all runs: crashed: WARNING in nla_get_range_unsigned # git bisect bad 487eb2b9087fd6c6c5a1a0607a9364defbbae252 Bisecting: 5 revisions left to test after this (roughly 3 steps) [396fc59e390429e87584d162462c1555fd64576a] Merge branch 'netlink-allow-NLA_BINARY-length-range-validation' testing commit 396fc59e390429e87584d162462c1555fd64576a with gcc (GCC) 8.1.0 kernel signature: 3b394b2f4963b8594eeb673f4bcb957668f1f0dc31225169e12382d64c098f1d all runs: crashed: WARNING in nla_get_range_unsigned # git bisect bad 396fc59e390429e87584d162462c1555fd64576a Bisecting: 3 revisions left to test after this (roughly 2 steps) [06a4ec1d9dc652e17ee3ac2ceb6c7cf6c2b75cdd] Merge tag 'pstore-v5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux testing commit 06a4ec1d9dc652e17ee3ac2ceb6c7cf6c2b75cdd with gcc (GCC) 8.1.0 kernel signature: be208ebe7f359acb8d51095b04c99773c63cf8bb25a1aa5b4a97792e3672be3e all runs: OK # git bisect good 06a4ec1d9dc652e17ee3ac2ceb6c7cf6c2b75cdd Bisecting: 1 revision left to test after this (roughly 1 step) [bc0435855041d7fff0b83dd992fc4be34aa11afb] netlink: consistently use NLA_POLICY_MIN_LEN() testing commit bc0435855041d7fff0b83dd992fc4be34aa11afb with gcc (GCC) 8.1.0 kernel signature: 3b5acebb307b8ac5b5bda69acb69bf0a11f47ac857be2184f959853fd7d79139 all runs: OK # git bisect good bc0435855041d7fff0b83dd992fc4be34aa11afb Bisecting: 0 revisions left to test after this (roughly 0 steps) [8aa26c575fb343ebde810b30dad0cba7d8121efb] netlink: make NLA_BINARY validation more flexible testing commit 8aa26c575fb343ebde810b30dad0cba7d8121efb with gcc (GCC) 8.1.0 kernel signature: 082ca1423a68d7520314ba86402e41e1685240aed9b0e41516f9fc8cff89b5c8 all runs: crashed: WARNING in nla_get_range_unsigned # git bisect bad 8aa26c575fb343ebde810b30dad0cba7d8121efb 8aa26c575fb343ebde810b30dad0cba7d8121efb is the first bad commit commit 8aa26c575fb343ebde810b30dad0cba7d8121efb Author: Johannes Berg Date: Tue Aug 18 10:17:33 2020 +0200 netlink: make NLA_BINARY validation more flexible Add range validation for NLA_BINARY, allowing validation of any combination of combination minimum or maximum lengths, using the existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just like for integers where the value is checked. Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN() and NLA_POLICY_MIN_LEN() special cases of this, removing the old types NLA_EXACT_LEN and NLA_MIN_LEN. This allows us to save some code where both minimum and maximum lengths are requires, currently the policy only allows maximum (NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so a range of lengths cannot be accepted and must be checked by the code that consumes the attributes later. Also, this allows advertising the correct ranges in the policy export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already were special cases of NLA_BINARY with min and min/max length respectively. Signed-off-by: Johannes Berg Signed-off-by: David S. Miller include/net/netlink.h | 58 ++++++++++++++++++++++++++----------------------- lib/nlattr.c | 60 +++++++++++++++++++++++++++++++++------------------ net/netlink/policy.c | 32 ++++++++++++++++----------- 3 files changed, 89 insertions(+), 61 deletions(-) culprit signature: 082ca1423a68d7520314ba86402e41e1685240aed9b0e41516f9fc8cff89b5c8 parent signature: 3b5acebb307b8ac5b5bda69acb69bf0a11f47ac857be2184f959853fd7d79139 revisions tested: 23, total time: 4h49m2.527825522s (build: 1h49m7.623597835s, test: 2h57m52.690889392s) first bad commit: 8aa26c575fb343ebde810b30dad0cba7d8121efb netlink: make NLA_BINARY validation more flexible recipients (to): ["davem@davemloft.net" "davem@davemloft.net" "johannes.berg@intel.com" "kuba@kernel.org" "netdev@vger.kernel.org"] recipients (cc): ["johannes.berg@intel.com" "linux-kernel@vger.kernel.org"] crash: WARNING in nla_get_range_unsigned ------------[ cut here ]------------ WARNING: CPU: 0 PID: 8299 at lib/nlattr.c:118 nla_get_range_unsigned+0x6a/0xb0 lib/nlattr.c:160 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 8299 Comm: syz-executor.3 Not tainted 5.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xb3/0xec lib/dump_stack.c:118 panic+0x115/0x2fa kernel/panic.c:231 __warn.cold.13+0x20/0x25 kernel/panic.c:600 report_bug+0xc0/0xf0 lib/bug.c:198 handle_bug+0x35/0x90 arch/x86/kernel/traps.c:234 exc_invalid_op+0x13/0x60 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:nla_get_range_unsigned+0x6a/0xb0 lib/nlattr.c:117 Code: ff 24 c5 60 fc 7b 83 b8 ff ff ff ff 48 89 46 08 eb e4 48 c7 46 08 ff 00 00 00 eb da 48 c7 46 08 ff ff 00 00 eb d0 0f 0b 5d c3 <0f> 0b eb aa 48 8b 47 08 5d 48 8b 50 08 48 8b 00 48 89 56 08 48 89 RSP: 0018:ffffc90002ca78d8 EFLAGS: 00010282 RAX: 000000000000000b RBX: ffff88812204ad00 RCX: 0000000000000000 RDX: 000000000000000b RSI: ffffc90002ca78f8 RDI: ffffffff839ad560 RBP: ffffc90002ca78d8 R08: 0000000000000004 R09: ffffc90002ca78f8 R10: ffffffff840af3e0 R11: 0000000000000004 R12: 000000000000000a R13: ffff88810f7a8368 R14: ffff88810f078800 R15: ffff88810f7a836c netlink_policy_dump_write+0x478/0x500 net/netlink/policy.c:267 ctrl_dumppolicy+0x182/0x280 net/netlink/genetlink.c:1099 genl_lock_dumpit+0x29/0x40 net/netlink/genetlink.c:553 netlink_dump+0x11a/0x370 net/netlink/af_netlink.c:2246 __netlink_dump_start+0x17b/0x230 net/netlink/af_netlink.c:2354 genl_family_rcv_msg_dumpit.isra.16+0x101/0x130 net/netlink/genetlink.c:616 genl_family_rcv_msg net/netlink/genetlink.c:711 [inline] genl_rcv_msg+0x271/0x2ef net/netlink/genetlink.c:731 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:742 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 ____sys_sendmsg+0x1ed/0x230 net/socket.c:2353 ___sys_sendmsg+0x77/0xb0 net/socket.c:2407 __sys_sendmsg+0x52/0xa0 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d5b9 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f3aec1a0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000002ce00 RCX: 000000000045d5b9 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c R13: 00007ffe882cdfef R14: 00007f3aec1a19c0 R15: 000000000118cf4c Kernel Offset: disabled Rebooting in 86400 seconds..