ci starts bisection 2023-06-21 08:59:52.913824931 +0000 UTC m=+94658.575311346
bisecting cause commit starting from c08afcdcf95288c627267bb20002e8baaf3394e1
building syzkaller on f3921d4d63f97d1f1fb49a69ea85744bb7ef184b
ensuring issue is reproducible on original commit c08afcdcf95288c627267bb20002e8baaf3394e1
testing commit c08afcdcf95288c627267bb20002e8baaf3394e1 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2ef8921ccd78465dbb9ec5704f2acb4cddb29c4edd16be4de9d6e39df13de1f4
all runs: crashed: KASAN: stack-out-of-bounds Read in ip6mr_ioctl
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b3d62b73c841650bb5f9fc177b2e72bec60ea084aa73a4b031760b5094fcea87
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect start c08afcdcf95288c627267bb20002e8baaf3394e1 457391b0380335d5e9a5babdec90ac53928b23b4
Bisecting: 8689 revisions left to test after this (roughly 13 steps)
[34b62f186db9614e55d021f8c58d22fc44c57911] Merge tag 'pci-v6.4-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
testing commit 34b62f186db9614e55d021f8c58d22fc44c57911 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ef548ce2e9f47a1810361b90fdf21f77f204d79259e142f931271cfa8b4ae072
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 34b62f186db9614e55d021f8c58d22fc44c57911
Bisecting: 4343 revisions left to test after this (roughly 12 steps)
[c5eb8bf76718cf2e2f36aac216a99014f00927de] Merge tag 'leds-next-6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds
testing commit c5eb8bf76718cf2e2f36aac216a99014f00927de gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d72ee3fd84e36fd98ad82a181507074a09096e118a50620261c59afccdc5d31a
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good c5eb8bf76718cf2e2f36aac216a99014f00927de
Bisecting: 2172 revisions left to test after this (roughly 11 steps)
[1f94ba198bda5738bd26cb7633dca4b33a43dff2] net: pcs: xpcs: correct lp_advertising contents
testing commit 1f94ba198bda5738bd26cb7633dca4b33a43dff2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9399d997ddc69bd96d1bdaa6cf7f9c8b82e919c247173cc096f6c05fcbf2ee6c
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 1f94ba198bda5738bd26cb7633dca4b33a43dff2
Bisecting: 1086 revisions left to test after this (roughly 10 steps)
[863199199713908afaa47ba09332b87621c12496] net: usb: qmi_wwan: add support for Compal RXM-G1
testing commit 863199199713908afaa47ba09332b87621c12496 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5fed19c883547f66fcb80bcc25da16252eb03027db8afcb5eaecfb30776071aa
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 863199199713908afaa47ba09332b87621c12496
Bisecting: 519 revisions left to test after this (roughly 9 steps)
[cde11936cffb7280eb48b5e118ea8f5a03aad0ae] Merge tag 'wireless-next-2023-06-09' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next
testing commit cde11936cffb7280eb48b5e118ea8f5a03aad0ae gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1441c34c4714fcef7198162e67c2daef6377a9c60fb7ca72311accf34e5855b4
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good cde11936cffb7280eb48b5e118ea8f5a03aad0ae
Bisecting: 257 revisions left to test after this (roughly 8 steps)
[93fd8eb053800a241d09c00ef075cae0b5b03ecf] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 93fd8eb053800a241d09c00ef075cae0b5b03ecf gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 65a8c9a663c6bedada196257cf0b5bfecd6df85bd8e66dc067dace278da15473
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 93fd8eb053800a241d09c00ef075cae0b5b03ecf
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[473f5e13b38b9533bd3ae0758418581eabf69b50] Merge branch 'netdev-tracking'
testing commit 473f5e13b38b9533bd3ae0758418581eabf69b50 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 22dc1427c2285f6c550f4d7d2f89f0c0f196e93921cebe7bc502fae73afc425d
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 473f5e13b38b9533bd3ae0758418581eabf69b50
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[07b1cc841b4f283f3bc34d228690f88b17e57008] Merge branch 'fix-small-bugs-and-annoyances-in-tc-testing'
testing commit 07b1cc841b4f283f3bc34d228690f88b17e57008 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a633455b1b7a4c33ba69cc2af39b9a3d09574b798d46e994af3d5de2441f157e
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 07b1cc841b4f283f3bc34d228690f88b17e57008
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[be28c14ac8bbe1ff0b2a18a06cd10981f90fc741] udplite: Print deprecation notice.
testing commit be28c14ac8bbe1ff0b2a18a06cd10981f90fc741 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6e86e994dbf5213cdf6a00fefad31eef3c8aa5c09b4bec02019bc73379d8801c
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good be28c14ac8bbe1ff0b2a18a06cd10981f90fc741
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[40f71e7cd3c6ac04293556ab0504a372393838ff] Merge tag 'net-6.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 40f71e7cd3c6ac04293556ab0504a372393838ff gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c426696021db969b017f454d79996a89de44d687e7f33580c69e1ead500c1147
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 40f71e7cd3c6ac04293556ab0504a372393838ff
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[f7d625adeb7bc6a9ec83d32d9615889969d64484] net: ena: Add dynamic recycling mechanism for rx buffers
testing commit f7d625adeb7bc6a9ec83d32d9615889969d64484 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f358b975a334efe8bec913c85ee4a13681054dda6e22aa3a0f1ed8214957d148
all runs: crashed: KASAN: stack-out-of-bounds Read in ip6mr_ioctl
# git bisect bad f7d625adeb7bc6a9ec83d32d9615889969d64484
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[ed3c9a2fcab3b60b0766eb5d7566fd3b10df9a8e] net: tls: make the offload check helper take skb not socket
testing commit ed3c9a2fcab3b60b0766eb5d7566fd3b10df9a8e gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bf9b99a08cef4df3ec39862462ca7a7bced0f6c7e32569d17ca758e7f527fe99
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good ed3c9a2fcab3b60b0766eb5d7566fd3b10df9a8e
Bisecting: 2 revisions left to test after this (roughly 1 step)
[97c5209b3d374a25ebdb4c2ea9e9c1b121768da0] leds: trigger: netdev: uninitialized variable in netdev_trig_activate()
testing commit 97c5209b3d374a25ebdb4c2ea9e9c1b121768da0 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8f3bde25e9c4483d74d34225d6167ebfd0b691475a8c10f6f59a6d4114009e9a
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 97c5209b3d374a25ebdb4c2ea9e9c1b121768da0
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e1d001fa5b477c4da46a29be1fcece91db7c7c6f] net: ioctl: Use kernel memory on protocol ioctl callbacks
testing commit e1d001fa5b477c4da46a29be1fcece91db7c7c6f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ea2ce404f415d790452614a88a352e46682a5c3044a2d844f8cb92985149c453
all runs: crashed: KASAN: stack-out-of-bounds Read in ip6mr_ioctl
# git bisect bad e1d001fa5b477c4da46a29be1fcece91db7c7c6f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[173780ff18a93298ca84224cc79df69f9cc198ce] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 173780ff18a93298ca84224cc79df69f9cc198ce gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0cfab87f55875fcc93e8796d8d3a1da3b0f3b4ea074a9b89e804d93f1c022ea6
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 173780ff18a93298ca84224cc79df69f9cc198ce
e1d001fa5b477c4da46a29be1fcece91db7c7c6f is the first bad commit
commit e1d001fa5b477c4da46a29be1fcece91db7c7c6f
Author: Breno Leitao
Date:   Fri Jun 9 08:27:42 2023 -0700

    net: ioctl: Use kernel memory on protocol ioctl callbacks

    Most of the ioctls to net protocols operate directly on the userspace
    argument (arg), usually doing get_user()/put_user() directly in the
    ioctl callback. This is not flexible, because it is hard to reuse
    these functions without passing userspace buffers.

    Change the "struct proto" ioctls to avoid touching userspace memory
    and operate on kernel buffers, i.e., all protocols' ioctl callbacks
    are adapted to operate on kernel memory rather than on userspace
    (so, no more {put,get}_user() and friends being called in the ioctl
    callback).

    This changes the "struct proto" ioctl format in the following way:

        int (*ioctl)(struct sock *sk, int cmd,
    -                unsigned long arg);
    +                int *karg);

    (Important to say that this patch does not touch the "struct
    proto_ops" protocols)

    So, the "karg" argument, which is passed to the ioctl callback, is a
    pointer allocated to kernel space memory (inside a function wrapper).
    This buffer (karg) may contain an input argument (copied from
    userspace in a prep function) and it might return a value/buffer,
    which is copied back to userspace if necessary. There is no
    one-size-fits-all format (that is why I am using 'may' above), but
    basically, there are three types of ioctls:

    1) Do not read from userspace, return a result to userspace
    2) Read an input parameter from userspace, and do not return anything
       to userspace
    3) Read an input from userspace, and return a buffer to userspace.

    The default case (1) (where no input parameter is given, and an "int"
    is returned to userspace) encompasses more than 90% of the cases, but
    there are two other exceptions. Here is a list of exceptions:

    * Protocol RAW:
       * cmd = SIOCGETVIFCNT:
         * input and output = struct sioc_vif_req
       * cmd = SIOCGETSGCNT
         * input and output = struct sioc_sg_req
       * Explanation: for the SIOCGETVIFCNT case, userspace passes the
         input argument, which is struct sioc_vif_req. Then the callback
         populates the struct, which is copied back to userspace.

    * Protocol RAW6:
       * cmd = SIOCGETMIFCNT_IN6
         * input and output = struct sioc_mif_req6
       * cmd = SIOCGETSGCNT_IN6
         * input and output = struct sioc_sg_req6

    * Protocol PHONET:
       * cmd == SIOCPNADDRESOURCE | SIOCPNDELRESOURCE
         * input int (4 bytes)
         * Nothing is copied back to userspace.

    For the exception cases, functions sock_sk_ioctl_inout() will copy
    the userspace input, and copy it back to kernel space.

    The wrapper that prepares the buffer and puts the buffer back to
    userspace is sk_ioctl(), so, instead of calling sk->sk_prot->ioctl(),
    the callee now calls sk_ioctl(), which will handle all cases.

    Signed-off-by: Breno Leitao
    Reviewed-by: Willem de Bruijn
    Reviewed-by: David Ahern
    Reviewed-by: Kuniyuki Iwashima
    Link: https://lore.kernel.org/r/20230609152800.830401-1-leitao@debian.org
    Signed-off-by: Jakub Kicinski

 include/linux/icmpv6.h      |  6 +++++
 include/linux/mroute.h      | 22 ++++++++++++++--
 include/linux/mroute6.h     | 31 ++++++++++++++++++++--
 include/net/phonet/phonet.h | 21 +++++++++++++++
 include/net/sock.h          |  5 +++-
 include/net/tcp.h           |  2 +-
 include/net/udp.h           |  2 +-
 net/core/sock.c             | 64 +++++++++++++++++++++++++++++++++++++++++++++
 net/dccp/dccp.h             |  2 +-
 net/dccp/proto.c            | 12 ++++-----
 net/ieee802154/socket.c     | 15 +++++------
 net/ipv4/af_inet.c          |  2 +-
 net/ipv4/ipmr.c             | 63 +++++++++++++++++++++++++++-----------------
 net/ipv4/raw.c              | 16 ++++++------
 net/ipv4/tcp.c              |  5 ++--
 net/ipv4/udp.c              | 12 ++++-----
 net/ipv6/af_inet6.c         |  2 +-
 net/ipv6/ip6mr.c            | 44 +++++++++++++------------------
 net/ipv6/raw.c              | 16 ++++++------
 net/l2tp/l2tp_core.h        |  2 +-
 net/l2tp/l2tp_ip.c          |  9 +++----
 net/mptcp/protocol.c        | 11 ++++----
 net/phonet/datagram.c       | 11 +++-----
 net/phonet/pep.c            | 11 ++++----
 net/phonet/socket.c         |  2 +-
 net/sctp/socket.c           |  8 +++---
 26 files changed, 267 insertions(+), 129 deletions(-)

culprit signature: ea2ce404f415d790452614a88a352e46682a5c3044a2d844f8cb92985149c453
parent signature: 0cfab87f55875fcc93e8796d8d3a1da3b0f3b4ea074a9b89e804d93f1c022ea6
revisions tested: 17, total time: 7h10m57.194477502s (build: 4h46m2.505112333s, test: 2h18m31.661894287s)
first bad commit: e1d001fa5b477c4da46a29be1fcece91db7c7c6f net: ioctl: Use kernel memory on protocol ioctl callbacks
recipients (to): ["dsahern@kernel.org" "kuba@kernel.org" "kuniyu@amazon.com" "leitao@debian.org" "willemb@google.com"]
recipients (cc): []
crash: KASAN: stack-out-of-bounds Read in ip6mr_ioctl
==================================================================
BUG: KASAN: stack-out-of-bounds in ip6mr_ioctl+0x9a5/0xab0 net/ipv6/ip6mr.c:1917
Read of size 16 at addr ffffc90004c07b80 by task syz-executor.0/5426

CPU: 0 PID: 5426 Comm: syz-executor.0 Not tainted 6.4.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x64/0xb0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 ip6mr_ioctl+0x9a5/0xab0 net/ipv6/ip6mr.c:1917
 sock_ioctl_out net/core/sock.c:4186 [inline]
 sk_ioctl+0x10e/0x340 net/core/sock.c:4214
 inet6_ioctl+0x185/0x220 net/ipv6/af_inet6.c:582
 sock_do_ioctl+0xc9/0x1c0 net/socket.c:1189
 sock_ioctl+0x1b1/0x550 net/socket.c:1306
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x123/0x190 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f84b408c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f84b4e07168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f84b41abf80 RCX: 00007f84b408c389
RDX: 0000000000000000 RSI: 00000000000089e1 RDI: 0000000000000003
RBP: 00007f84b40d7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcd4b12baf R14: 00007f84b4e07300 R15: 0000000000022000

The buggy address belongs to stack of task syz-executor.0/5426
 and is located at offset 40 in frame:
 sk_ioctl+0x0/0x340 net/core/sock.c:4172

This frame has 2 objects:
 [32, 36) 'karg'
 [48, 88) 'buffer'

The buggy address belongs to the virtual mapping at
 [ffffc90004c00000, ffffc90004c09000) created by:
 kernel_clone+0xbc/0x640 kernel/fork.c:2915

The buggy address belongs to the physical page:
page:ffffea0000743240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d0c9
memcg:ffff88802b4ff682
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88802b4ff682
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5425, tgid 5425 (syz-executor.0), ts 72770934376, free_ts 72756787104
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0xf41/0x2c00 mm/page_alloc.c:3502
 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4768
 vm_area_alloc_pages mm/vmalloc.c:3009 [inline]
 __vmalloc_area_node mm/vmalloc.c:3085 [inline]
 __vmalloc_node_range+0x7ff/0x1070 mm/vmalloc.c:3257
 alloc_thread_stack_node kernel/fork.c:313 [inline]
 dup_task_struct kernel/fork.c:1116 [inline]
 copy_process+0x1181/0x6bf0 kernel/fork.c:2333
 kernel_clone+0xbc/0x640 kernel/fork.c:2915
 __do_sys_clone+0xa1/0xe0 kernel/fork.c:3058
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2564
 free_unref_page+0x33/0x370 mm/page_alloc.c:2659
 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2636
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:711 [inline]
 slab_alloc_node mm/slub.c:3451 [inline]
 __kmem_cache_alloc_node+0x17c/0x320 mm/slub.c:3490
 __do_kmalloc_node mm/slab_common.c:965 [inline]
 __kmalloc_node+0x51/0x1a0 mm/slab_common.c:973
 translate_table+0x396/0x17f0 net/ipv6/netfilter/ip6_tables.c:695
 ip6t_register_table+0x100/0x410 net/ipv6/netfilter/ip6_tables.c:1743
 ip6table_security_table_init+0x37/0x60 net/ipv6/netfilter/ip6table_security.c:45
 xt_find_table_lock+0x22f/0x380 net/netfilter/x_tables.c:1259
 xt_request_find_table_lock+0x1b/0xb0 net/netfilter/x_tables.c:1284
 get_info+0x129/0x610 net/ipv4/netfilter/ip_tables.c:963
 do_ip6t_get_ctl+0x129/0x800 net/ipv6/netfilter/ip6_tables.c:1660
 nf_getsockopt+0x5b/0xb0 net/netfilter/nf_sockopt.c:116

Memory state around the buggy address:
 ffffc90004c07a80: 00 00 f1 f1 f1 f1 00 00 00 00 f3 f3 f3 f3 00 00
 ffffc90004c07b00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04
>ffffc90004c07b80: f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00
                   ^
 ffffc90004c07c00: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00
 ffffc90004c07c80: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
==================================================================