bisecting cause commit starting from b3c424eb6a1a3c485de64619418a471dee6ce849 building syzkaller on ae13a849e613cd929bbcf98bec83e1bdb30a62b1 testing commit b3c424eb6a1a3c485de64619418a471dee6ce849 with gcc (GCC) 8.1.0 kernel signature: 03a655f5203738ad52304ba7b62b8c6f556dc355 run #0: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #1: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #2: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #3: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #4: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #5: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #6: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #7: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #8: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #9: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 4e78fec280ae9fa10ddcf1ba39b5383fc2e1cefa all runs: OK # git bisect start b3c424eb6a1a3c485de64619418a471dee6ce849 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 5002 revisions left to test after this (roughly 12 steps) [89d57dddd7d319ded00415790a0bb3c954b7e386] Merge tag 'media/v5.5-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 89d57dddd7d319ded00415790a0bb3c954b7e386 with gcc (GCC) 8.1.0 kernel signature: d27ad3ffc17ce3c425c590240612f5794273606f all runs: OK # git bisect good 89d57dddd7d319ded00415790a0bb3c954b7e386 Bisecting: 3102 revisions left to test after this (roughly 11 steps) [0a6cad5df541108cfd3fbd79eef48eb824c89bdc] Merge branch 'vmwgfx-coherent' of git://people.freedesktop.org/~thomash/linux into drm-next testing commit 0a6cad5df541108cfd3fbd79eef48eb824c89bdc with gcc (GCC) 8.1.0 kernel signature: 7296b02d542d58a5f6180129cb29a0ab1b14df53 all runs: OK # git bisect good 0a6cad5df541108cfd3fbd79eef48eb824c89bdc Bisecting: 1549 revisions left to test after this (roughly 11 steps) [95f1fa9e3418d50ce099e67280b5497b9c93843b] Merge tag 'trace-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 95f1fa9e3418d50ce099e67280b5497b9c93843b with gcc (GCC) 8.1.0 kernel signature: 2457b8f7a0fd855f43be8916b12701b42fdb5603 all runs: OK # git bisect good 95f1fa9e3418d50ce099e67280b5497b9c93843b Bisecting: 704 revisions left to test after this (roughly 10 steps) [ddebe839c6013ab42f376bdeaaaf66bd0c0d68d6] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit ddebe839c6013ab42f376bdeaaaf66bd0c0d68d6 with gcc (GCC) 8.1.0 kernel signature: 7037b2f958ae74a90a51522e1a0a2e5766b407f9 all runs: OK # git bisect good ddebe839c6013ab42f376bdeaaaf66bd0c0d68d6 Bisecting: 357 revisions left to test after this (roughly 9 steps) [3265568db8c37d391ee8ad2afa8b0fd7257f4526] Merge branch 'i2c/for-5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit 3265568db8c37d391ee8ad2afa8b0fd7257f4526 with gcc (GCC) 8.1.0 kernel signature: 7a2c7b10d826ade3a2ab7f3852def522a298fb47 all runs: OK # git bisect good 3265568db8c37d391ee8ad2afa8b0fd7257f4526 Bisecting: 175 revisions left to test after this (roughly 8 steps) [e5b3fc125d768eacd73bb4dc5019f0ce95635af4] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit e5b3fc125d768eacd73bb4dc5019f0ce95635af4 with gcc (GCC) 8.1.0 kernel signature: ac944083cfdd338c439e4d444d6170850da74554 all runs: OK # git bisect good e5b3fc125d768eacd73bb4dc5019f0ce95635af4 Bisecting: 87 revisions left to test after this (roughly 7 steps) [1b05117df78e035afb5f66ef50bf8750d976ef08] mm: vmscan: harmonize writeback congestion tracking for nodes & memcgs testing commit 1b05117df78e035afb5f66ef50bf8750d976ef08 with gcc (GCC) 8.1.0 kernel signature: 029896b706fb1171a186a81df6110536263f30dd run #0: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #1: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #2: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #3: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #4: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #5: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #6: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #7: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #8: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #9: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc # git bisect bad 1b05117df78e035afb5f66ef50bf8750d976ef08 Bisecting: 43 revisions left to test after this (roughly 6 steps) [bf1a12a8095615c9486f5463ca473d2d69ff6952] mm: move the backup x_devmap() functions to asm-generic/pgtable.h testing commit bf1a12a8095615c9486f5463ca473d2d69ff6952 with gcc (GCC) 8.1.0 kernel signature: bd2447707a734d7ec75002c1aed0163cdd3c0d42 all runs: OK # git bisect good bf1a12a8095615c9486f5463ca473d2d69ff6952 Bisecting: 21 revisions left to test after this (roughly 5 steps) [f07116d77b5b9a4fecdcb470fc6ea08378b98ff7] mm/vmalloc: respect passed gfp_mask when doing preloading testing commit f07116d77b5b9a4fecdcb470fc6ea08378b98ff7 with gcc (GCC) 8.1.0 kernel signature: 8383b0cc162fa4039a445ae72d65ac03db1a702c all runs: OK # git bisect good f07116d77b5b9a4fecdcb470fc6ea08378b98ff7 Bisecting: 10 revisions left to test after this (roughly 4 steps) [653e003d7f37716f84c17edcad3c228497888bfc] include/linux/mmzone.h: fix comment for ISOLATE_UNMAPPED macro testing commit 653e003d7f37716f84c17edcad3c228497888bfc with gcc (GCC) 8.1.0 kernel signature: ddaada2cd03f46de57c9dfa9423447dde7337cab run #0: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #1: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #2: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #3: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #4: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #5: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #6: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #7: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #8: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #9: crashed: BUG: unable to handle kernel paging request in pcpu_alloc # git bisect bad 653e003d7f37716f84c17edcad3c228497888bfc Bisecting: 5 revisions left to test after this (roughly 3 steps) [06513916930125cdb4d0662f8b675d719abe7f32] kasan: add test for vmalloc testing commit 06513916930125cdb4d0662f8b675d719abe7f32 with gcc (GCC) 8.1.0 kernel signature: 3781f794febb89e5ebf890839b68a84d3cd5d93a all runs: OK # git bisect good 06513916930125cdb4d0662f8b675d719abe7f32 Bisecting: 2 revisions left to test after this (roughly 2 steps) [5e27a2df03b8933aa7c1579816ecb6a071bb0e0d] mm/page_alloc: add alloc_contig_pages() testing commit 5e27a2df03b8933aa7c1579816ecb6a071bb0e0d with gcc (GCC) 8.1.0 kernel signature: a2edd8d68acd161f29227de5307d2cdc5c37b3d4 run #0: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #1: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #2: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #3: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #4: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #5: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #6: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #7: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #8: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #9: crashed: BUG: unable to handle kernel paging request in pcpu_alloc # git bisect bad 5e27a2df03b8933aa7c1579816ecb6a071bb0e0d Bisecting: 0 revisions left to test after this (roughly 1 step) [0609ae011deb41c9629b7f5fd626dfa1ac9d16b0] x86/kasan: support KASAN_VMALLOC testing commit 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0 with gcc (GCC) 8.1.0 kernel signature: 621f19e260b94ed8f00f2d49441d3c62b8f264d0 run #0: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #1: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #2: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #3: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #4: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #5: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #6: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #7: crashed: KASAN: vmalloc-out-of-bounds Write in pcpu_alloc run #8: crashed: BUG: unable to handle kernel paging request in pcpu_alloc run #9: crashed: BUG: unable to handle kernel paging request in pcpu_alloc # git bisect bad 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0 Bisecting: 0 revisions left to test after this (roughly 0 steps) [eafb149ed73a8bb8359c0ce027b98acd4e95b070] fork: support VMAP_STACK with KASAN_VMALLOC testing commit eafb149ed73a8bb8359c0ce027b98acd4e95b070 with gcc (GCC) 8.1.0 kernel signature: 7047b29b5b8050216e758cb70bb69fac77081ec5 all runs: OK # git bisect good eafb149ed73a8bb8359c0ce027b98acd4e95b070 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0 is the first bad commit commit 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0 Author: Daniel Axtens Date: Sat Nov 30 17:55:00 2019 -0800 x86/kasan: support KASAN_VMALLOC In the case where KASAN directly allocates memory to back vmalloc space, don't map the early shadow page over it. We prepopulate pgds/p4ds for the range that would otherwise be empty. This is required to get it synced to hardware on boot, allowing the lower levels of the page tables to be filled dynamically. Link: http://lkml.kernel.org/r/20191031093909.9228-5-dja@axtens.net Signed-off-by: Daniel Axtens Acked-by: Dmitry Vyukov Reviewed-by: Andrey Ryabinin Cc: Alexander Potapenko Cc: Christophe Leroy Cc: Mark Rutland Cc: Vasily Gorbik Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds arch/x86/Kconfig | 1 + arch/x86/mm/kasan_init_64.c | 61 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) kernel signature: 621f19e260b94ed8f00f2d49441d3c62b8f264d0 previous signature: 7047b29b5b8050216e758cb70bb69fac77081ec5 revisions tested: 16, total time: 4h0m54.603718128s (build: 1h39m59.419764259s, test: 2h19m25.132905456s) first bad commit: 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0 x86/kasan: support KASAN_VMALLOC cc: ["akpm@linux-foundation.org" "aryabinin@virtuozzo.com" "christophe.leroy@c-s.fr" "dja@axtens.net" "dvyukov@google.com" "glider@google.com" "gor@linux.ibm.com" "mark.rutland@arm.com" "torvalds@linux-foundation.org"] crash: BUG: unable to handle kernel paging request in pcpu_alloc BUG: unable to handle page fault for address: fffff91ffff02000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 21ffe6067 P4D 21ffe6067 PUD aa56b067 PMD aa56c067 PTE 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 7844 Comm: syz-executor.2 Not tainted 5.4.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:memory_is_nonzero mm/kasan/generic.c:121 [inline] RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:135 [inline] RIP: 0010:memory_is_poisoned mm/kasan/generic.c:166 [inline] RIP: 0010:check_memory_region_inline mm/kasan/generic.c:182 [inline] RIP: 0010:check_memory_region+0x83/0x1d0 mm/kasan/generic.c:192 Code: 83 fb 10 0f 8e a9 00 00 00 45 89 c8 41 83 e0 07 75 66 4c 8d 43 07 48 85 db 4c 0f 49 c3 49 c1 f8 03 45 85 c0 0f 84 3f 01 00 00 <48> 83 38 00 75 1c 41 83 e8 01 4e 8d 44 c0 08 48 83 c0 08 49 39 c0 RSP: 0018:ffffc90002a77960 EFLAGS: 00010206 RAX: fffff91ffff02000 RBX: 0000000000001000 RCX: ffffffff818d210f RDX: 0000000000000001 RSI: 0000000000008000 RDI: ffffe8ffff810000 RBP: ffffc90002a77978 R08: 0000000000000200 R09: fffff91ffff02000 R10: fffff91ffff02fff R11: ffffe8ffff817fff R12: fffff91ffff03000 R13: 0000000000000000 R14: fffffbfff1359c00 R15: 0000000000000000 FS: 00007fba9e18e700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffff91ffff02000 CR3: 000000007eab6000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: memset+0x23/0x40 mm/kasan/common.c:107 memset include/linux/string.h:365 [inline] pcpu_alloc+0x47f/0xed0 mm/percpu.c:1734 __alloc_percpu_gfp+0xd/0x10 mm/percpu.c:1783 prealloc_init kernel/bpf/hashtab.c:154 [inline] htab_map_alloc+0x92e/0xfb0 kernel/bpf/hashtab.c:378 find_and_alloc_map kernel/bpf/syscall.c:123 [inline] map_create kernel/bpf/syscall.c:654 [inline] __do_sys_bpf+0x339/0x35c0 kernel/bpf/syscall.c:3012 __se_sys_bpf kernel/bpf/syscall.c:2989 [inline] __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:2989 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a679 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fba9e18dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007fba9e18dc90 RCX: 000000000045a679 RDX: 000000000000003c RSI: 0000000020000380 RDI: 0000000000000000 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fba9e18e6d4 R13: 00000000004c0c65 R14: 00000000004d4730 R15: 0000000000000003 Modules linked in: CR2: fffff91ffff02000 ---[ end trace bc3dfae4ad0c5bb2 ]--- RIP: 0010:memory_is_nonzero mm/kasan/generic.c:121 [inline] RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:135 [inline] RIP: 0010:memory_is_poisoned mm/kasan/generic.c:166 [inline] RIP: 0010:check_memory_region_inline mm/kasan/generic.c:182 [inline] RIP: 0010:check_memory_region+0x83/0x1d0 mm/kasan/generic.c:192 Code: 83 fb 10 0f 8e a9 00 00 00 45 89 c8 41 83 e0 07 75 66 4c 8d 43 07 48 85 db 4c 0f 49 c3 49 c1 f8 03 45 85 c0 0f 84 3f 01 00 00 <48> 83 38 00 75 1c 41 83 e8 01 4e 8d 44 c0 08 48 83 c0 08 49 39 c0 RSP: 0018:ffffc90002a77960 EFLAGS: 00010206 RAX: fffff91ffff02000 RBX: 0000000000001000 RCX: ffffffff818d210f RDX: 0000000000000001 RSI: 0000000000008000 RDI: ffffe8ffff810000 RBP: ffffc90002a77978 R08: 0000000000000200 R09: fffff91ffff02000 R10: fffff91ffff02fff R11: ffffe8ffff817fff R12: fffff91ffff03000 R13: 0000000000000000 R14: fffffbfff1359c00 R15: 0000000000000000 FS: 00007fba9e18e700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffff91ffff02000 CR3: 000000007eab6000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400