bisecting cause commit starting from aa2b8820968613a5c9e747c6f87c9ed8fde398f1 building syzkaller on 2ce644fcea660c78bc6a3ce7e05079a730743671 testing commit aa2b8820968613a5c9e747c6f87c9ed8fde398f1 with gcc (GCC) 10.2.1 20210217 kernel signature: 3937c6dcc15083e27595df3bc37161dc61a89f2418be4c312d3c05574853627a all runs: crashed: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: ccb46cd5022654fdd1c3a3ae12fb162cdd37a09310b7a37ba52c22c25230c8c8 all runs: OK # git bisect start aa2b8820968613a5c9e747c6f87c9ed8fde398f1 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 11915 revisions left to test after this (roughly 14 steps) [c59c7588fc922e27c378a7e2a920b889bd6bf872] Merge tag 'drm-next-2020-12-18' of git://anongit.freedesktop.org/drm/drm testing commit c59c7588fc922e27c378a7e2a920b889bd6bf872 with gcc (GCC) 10.2.1 20210217 kernel signature: 147129db59696c59e94a7d4325a1725d6f9030bbbfc070c4ff96944c0d5f1695 all runs: OK # git bisect good c59c7588fc922e27c378a7e2a920b889bd6bf872 Bisecting: 5956 revisions left to test after this (roughly 13 steps) [9402a2c04e4d95ae4e3359cff329a31473699fd2] Merge remote-tracking branch 'cpupower/cpupower' testing commit 9402a2c04e4d95ae4e3359cff329a31473699fd2 with gcc (GCC) 10.2.1 20210217 kernel signature: d80b8625ac40469b4a3e2a2f15cd1e802845242c72bac1819f21e4119ddc27b3 all runs: OK # git bisect good 9402a2c04e4d95ae4e3359cff329a31473699fd2 Bisecting: 3035 revisions left to test after this (roughly 12 steps) [05fccaf93593ab500d0cdb6ca7e40a0883ac7a34] Merge remote-tracking branch 'sound/for-next' testing commit 05fccaf93593ab500d0cdb6ca7e40a0883ac7a34 with gcc (GCC) 10.2.1 20210217 kernel signature: 25bfa2845b3496c81e00cf6b25a15dbdcc5083cbe756f4a76e8b7bd1df61147b all runs: OK # git bisect good 05fccaf93593ab500d0cdb6ca7e40a0883ac7a34 Bisecting: 1574 revisions left to test after this (roughly 11 steps) [2c5603389d661a9b3cb1280a43dc97d92e65a52e] Merge remote-tracking branch 'driver-core/driver-core-next' testing commit 2c5603389d661a9b3cb1280a43dc97d92e65a52e with gcc (GCC) 10.2.1 20210217 kernel signature: a421638190df36aa830be5be6427adbe46cc7d49619e06ebba5643d3f1b6b765 all runs: OK # git bisect good 2c5603389d661a9b3cb1280a43dc97d92e65a52e Bisecting: 707 revisions left to test after this (roughly 10 steps) [6859d03c6a97188eb382b254126735e56c2ae84c] Merge remote-tracking branch 'scsi/for-next' testing commit 6859d03c6a97188eb382b254126735e56c2ae84c with gcc (GCC) 10.2.1 20210217 kernel signature: 43ebf4908c2adc5e6092c1888908b11bb6d298d4593b5ef46b6b5a442d9fe724 all runs: OK # git bisect good 6859d03c6a97188eb382b254126735e56c2ae84c Bisecting: 356 revisions left to test after this (roughly 9 steps) [05a848e917a2f007c00b823e700404ed28c76e51] Merge remote-tracking branch 'iomem-mmap-vs-gup/topic/iomem-mmap-vs-gup' testing commit 05a848e917a2f007c00b823e700404ed28c76e51 with gcc (GCC) 10.2.1 20210217 kernel signature: be47be1007b7e95f9daa18020e83c71e24e01074b74da5f0f61f1d61fd4b58fa all runs: crashed: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy # git bisect bad 05a848e917a2f007c00b823e700404ed28c76e51 Bisecting: 195 revisions left to test after this (roughly 8 steps) [38be796ebbf7703753b7b2dd0a54aa88d9bf15a1] Merge remote-tracking branch 'userns/for-next' testing commit 38be796ebbf7703753b7b2dd0a54aa88d9bf15a1 with gcc (GCC) 10.2.1 20210217 kernel signature: 28ecdf2555405086d7cb5c419d4a16e5bb8f580f6cae70c8bb7d0f9586691d42 all runs: crashed: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy # git bisect bad 38be796ebbf7703753b7b2dd0a54aa88d9bf15a1 Bisecting: 82 revisions left to test after this (roughly 6 steps) [8e16e49187aca4fa33f4a74ec2f8a8dece5252e8] Merge remote-tracking branch 'gpio-brgl/gpio/for-next' testing commit 8e16e49187aca4fa33f4a74ec2f8a8dece5252e8 with gcc (GCC) 10.2.1 20210217 kernel signature: 3d66a957fa0bfaa95754d5cf971073e2fb93c676212b5af900b646008f911447 all runs: crashed: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy # git bisect bad 8e16e49187aca4fa33f4a74ec2f8a8dece5252e8 Bisecting: 35 revisions left to test after this (roughly 5 steps) [6a7f303209f83b0da771605263be1c7421f276f6] gpio: mvebu: improve pwm period calculation accuracy testing commit 6a7f303209f83b0da771605263be1c7421f276f6 with gcc (GCC) 10.2.1 20210217 kernel signature: 9b8ba8ff95c5fbea7235d6d382e35cb425fb15b5cc47b9d9f8364cc827f601a0 all runs: OK # git bisect good 6a7f303209f83b0da771605263be1c7421f276f6 Bisecting: 21 revisions left to test after this (roughly 4 steps) [82050c6d636c95bae0dba6af0b50aa2c9c1eac14] Merge remote-tracking branch 'vhost/linux-next' testing commit 82050c6d636c95bae0dba6af0b50aa2c9c1eac14 with gcc (GCC) 10.2.1 20210217 kernel signature: 3d66a957fa0bfaa95754d5cf971073e2fb93c676212b5af900b646008f911447 all runs: crashed: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy # git bisect bad 82050c6d636c95bae0dba6af0b50aa2c9c1eac14 Bisecting: 6 revisions left to test after this (roughly 3 steps) [79991caf5202c7989928be534727805f8f68bb8d] vdpa_sim_net: Add support for user supported devices testing commit 79991caf5202c7989928be534727805f8f68bb8d with gcc (GCC) 10.2.1 20210217 kernel signature: 1797b3955d3146541b85c8b6ef84d47747a024f19e8daac3d38b24cf25c2c8ef all runs: crashed: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy # git bisect bad 79991caf5202c7989928be534727805f8f68bb8d Bisecting: 3 revisions left to test after this (roughly 2 steps) [5588575f680c74e650d50e123d5a2ba3b25f8a16] vdpa: Extend routine to accept vdpa device name testing commit 5588575f680c74e650d50e123d5a2ba3b25f8a16 with gcc (GCC) 10.2.1 20210217 kernel signature: 2481943d0b87ae84251e0b0c42bf2a8ac6d9250bd547a95133f6401b584278e3 all runs: OK # git bisect good 5588575f680c74e650d50e123d5a2ba3b25f8a16 Bisecting: 1 revision left to test after this (roughly 1 step) [508cc779e0f22580e16e4c5209fb01cadea47c15] vdpa: Enable a user to add and delete a vdpa device testing commit 508cc779e0f22580e16e4c5209fb01cadea47c15 with gcc (GCC) 10.2.1 20210217 kernel signature: 85f11a4f8a7012f6c48154f887cf0cb85b7c8010fa5c7c8e04865933428b98cb all runs: crashed: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy # git bisect bad 508cc779e0f22580e16e4c5209fb01cadea47c15 Bisecting: 0 revisions left to test after this (roughly 0 steps) [001e0804a6bb8de48f2a2967240bb9d0d67fcb18] vdpa: Define vdpa mgmt device, ops and a netlink interface testing commit 001e0804a6bb8de48f2a2967240bb9d0d67fcb18 with gcc (GCC) 10.2.1 20210217 kernel signature: 56bb6f770deb9f8e7b3e98f9f83035a1f67a058a657e3d0d49e2136fb07cbaa0 all runs: crashed: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy # git bisect bad 001e0804a6bb8de48f2a2967240bb9d0d67fcb18 001e0804a6bb8de48f2a2967240bb9d0d67fcb18 is the first bad commit commit 001e0804a6bb8de48f2a2967240bb9d0d67fcb18 Author: Parav Pandit Date: Tue Jan 5 12:32:00 2021 +0200 vdpa: Define vdpa mgmt device, ops and a netlink interface To add one or more VDPA devices, define a management device which allows adding or removing vdpa device. A management device defines set of callbacks to manage vdpa devices. To begin with, it defines add and remove callbacks through which a user defined vdpa device can be added or removed. A unique management device is identified by its unique handle identified by management device name and optionally the bus name. Hence, introduce routine through which driver can register a management device and its callback operations for adding and remove a vdpa device. Introduce vdpa netlink socket family so that user can query management device and its attributes. Example of show vdpa management device which allows creating vdpa device of networking class (device id = 0x1) of virtio specification 1.1 section 5.1.1. $ vdpa mgmtdev show vdpasim_net: supported_classes: net Example of showing vdpa management device in JSON format. $ vdpa mgmtdev show -jp { "show": { "vdpasim_net": { "supported_classes": [ "net" ] } } } Signed-off-by: Parav Pandit Reviewed-by: Eli Cohen Reviewed-by: Jason Wang Link: https://lore.kernel.org/r/20210105103203.82508-4-parav@nvidia.com Signed-off-by: Michael S. Tsirkin drivers/vdpa/Kconfig | 1 + drivers/vdpa/vdpa.c | 213 +++++++++++++++++++++++++++++++++++++++++++++- include/linux/vdpa.h | 31 +++++++ include/uapi/linux/vdpa.h | 31 +++++++ 4 files changed, 275 insertions(+), 1 deletion(-) create mode 100644 include/uapi/linux/vdpa.h culprit signature: 56bb6f770deb9f8e7b3e98f9f83035a1f67a058a657e3d0d49e2136fb07cbaa0 parent signature: 2481943d0b87ae84251e0b0c42bf2a8ac6d9250bd547a95133f6401b584278e3 revisions tested: 16, total time: 3h27m22.96954859s (build: 1h45m22.224770478s, test: 1h40m8.836192721s) first bad commit: 001e0804a6bb8de48f2a2967240bb9d0d67fcb18 vdpa: Define vdpa mgmt device, ops and a netlink interface recipients (to): ["elic@nvidia.com" "jasowang@redhat.com" "mst@redhat.com" "parav@nvidia.com"] recipients (cc): [] crash: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy ================================================================== BUG: KASAN: global-out-of-bounds in netlink_policy_dump_add_policy+0x309/0x3a0 net/netlink/policy.c:160 Read of size 1 at addr ffffffff88e71600 by task syz-executor.0/10204 CPU: 0 PID: 10204 Comm: syz-executor.0 Not tainted 5.11.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x9a/0xcc lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5/0x2f8 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:396 [inline] kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 netlink_policy_dump_add_policy+0x309/0x3a0 net/netlink/policy.c:160 ctrl_dumppolicy_start+0x384/0x6c0 net/netlink/genetlink.c:1181 genl_start+0x359/0x630 net/netlink/genetlink.c:604 __netlink_dump_start+0x4c4/0x810 net/netlink/af_netlink.c:2363 genl_family_rcv_msg_dumpit+0x262/0x2f0 net/netlink/genetlink.c:686 genl_family_rcv_msg net/netlink/genetlink.c:780 [inline] genl_rcv_msg+0x362/0x4a0 net/netlink/genetlink.c:800 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2494 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x70e/0xbe0 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:672 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2345 ___sys_sendmsg+0xd3/0x150 net/socket.c:2399 __sys_sendmsg+0xb2/0x140 net/socket.c:2432 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x465b09 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f26c6bc5188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465b09 RDX: 0000000000000000 RSI: 00000000200029c0 RDI: 0000000000000003 RBP: 00000000004b069f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007fffdc8cad7f R14: 00007f26c6bc5300 R15: 0000000000022000 The buggy address belongs to the variable: vdpa_nl_policy+0x40/0x3620 Memory state around the buggy address: ffffffff88e71500: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00 ffffffff88e71580: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 >ffffffff88e71600: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 05 f9 f9 f9 ^ ffffffff88e71680: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 00 00 01 ffffffff88e71700: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 01 f9 f9 ==================================================================