bisecting cause commit starting from bc085f8fc88fc16796c9f2364e2bfb3fef305cad building syzkaller on d4f4eca56fbea6f58a4d5adfd19cb5e0dc32fe46 testing commit bc085f8fc88fc16796c9f2364e2bfb3fef305cad with gcc (GCC) 8.1.0 kernel signature: 28d3d293ddd68faf4c9a847e7ec6fa539c04442977c4b87b84100fca060e4b29 run #0: crashed: WARNING: bad unlock balance in ip6_output run #1: crashed: WARNING: bad unlock balance in ip6_output run #2: crashed: BUG: KFENCE: memory corruption in syslog_print run #3: crashed: BUG: KFENCE: out-of-bounds write in record_print_text run #4: crashed: WARNING: bad unlock balance in ip6_output run #5: crashed: BUG: KFENCE: out-of-bounds write in record_print_text run #6: crashed: BUG: KFENCE: out-of-bounds write in record_print_text run #7: crashed: WARNING: bad unlock balance in ip6_output run #8: crashed: WARNING: bad unlock balance in ip6_output run #9: crashed: WARNING: bad unlock balance in ip6_output testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 395a614079c9030036488f72c030c4708fae86b9aba956ca15d15003efd3a593 all runs: OK # git bisect start bc085f8fc88fc16796c9f2364e2bfb3fef305cad 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 9678 revisions left to test after this (roughly 13 steps) [f68e4041ef63f03091e44b4eebf1ab5c5d427e6f] Merge tag 'pinctrl-v5.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit f68e4041ef63f03091e44b4eebf1ab5c5d427e6f with gcc (GCC) 8.1.0 kernel signature: 0a83ac3e6d70b3baa3f2de4496029626335041d479761a0ba3b58d3a406973a5 all runs: OK # git bisect good f68e4041ef63f03091e44b4eebf1ab5c5d427e6f Bisecting: 4840 revisions left to test after this (roughly 12 steps) [20f6e1e637281ce712f07802e84bdff6310653b3] Merge remote-tracking branch 'drivers-x86-fixes/fixes' testing commit 20f6e1e637281ce712f07802e84bdff6310653b3 with gcc (GCC) 8.1.0 kernel signature: e0a8b04d4ee86ed056f8749d83cc21fba4ae3ed62dabc52d70ae6d2351f46834 all runs: OK # git bisect good 20f6e1e637281ce712f07802e84bdff6310653b3 Bisecting: 2759 revisions left to test after this (roughly 11 steps) [182b48db7c36428a18e00f143a481cb4366a0fd1] Merge remote-tracking branch 'crypto/master' testing commit 182b48db7c36428a18e00f143a481cb4366a0fd1 with gcc (GCC) 8.1.0 kernel signature: 695f9202e5fdd4d349f678c676a47bdd219b66780fe5e6611c482d78653574a4 run #0: crashed: WARNING: bad unlock balance in ip6_output run #1: crashed: WARNING: locking bug in ip6_finish_output2 run #2: crashed: WARNING: bad unlock balance in ip6_output run #3: crashed: WARNING: bad unlock balance in ip6_output run #4: crashed: WARNING: bad unlock balance in ip6_output run #5: crashed: WARNING: bad unlock balance in ip6_output run #6: crashed: WARNING: bad unlock balance in ip6_output run #7: crashed: WARNING: bad unlock balance in ip6_output run #8: crashed: WARNING: bad unlock balance in ip6_output run #9: crashed: WARNING: bad unlock balance in ip6_output # git bisect bad 182b48db7c36428a18e00f143a481cb4366a0fd1 Bisecting: 1049 revisions left to test after this (roughly 10 steps) [511926691daaafc88bd82c5162251a1f58b0bd60] Merge remote-tracking branch 'pci/next' testing commit 511926691daaafc88bd82c5162251a1f58b0bd60 with gcc (GCC) 8.1.0 kernel signature: f0003a7fed0b1e26274dd2e50b8d30066c433967ce489980ae9a57086f67216c run #0: crashed: WARNING: bad unlock balance in ip6_output run #1: crashed: WARNING: bad unlock balance in ip6_output run #2: crashed: WARNING: bad unlock balance in ip6_output run #3: crashed: WARNING: bad unlock balance in ip6_output run #4: crashed: BUG: unable to handle kernel paging request in alloc_counters run #5: crashed: WARNING: bad unlock balance in ip6_output run #6: crashed: WARNING: bad unlock balance in ip6_output run #7: crashed: WARNING: bad unlock balance in ip6_output run #8: crashed: WARNING: bad unlock balance in ip6_output run #9: crashed: WARNING: bad unlock balance in ip6_output # git bisect bad 511926691daaafc88bd82c5162251a1f58b0bd60 Bisecting: 494 revisions left to test after this (roughly 9 steps) [a4ec3c6252d9162f7c04e19afc551a30a6343ebb] Merge remote-tracking branch 'sunxi/sunxi/for-next' testing commit a4ec3c6252d9162f7c04e19afc551a30a6343ebb with gcc (GCC) 8.1.0 kernel signature: 6074ec44021eb03f311ff5b95a79defd92d8b010b814484d60028852da1095b2 all runs: OK # git bisect good a4ec3c6252d9162f7c04e19afc551a30a6343ebb Bisecting: 273 revisions left to test after this (roughly 8 steps) [603a73befe9a92399996797782641014a9085027] Merge remote-tracking branch 'xtensa/xtensa-for-next' testing commit 603a73befe9a92399996797782641014a9085027 with gcc (GCC) 8.1.0 kernel signature: 4def4142a2b957f88a1fb3f531ddaa46e3a6f4842f0bb5fc3927685cbec89e4f all runs: OK # git bisect good 603a73befe9a92399996797782641014a9085027 Bisecting: 152 revisions left to test after this (roughly 7 steps) [764b9b2310378d0c3d5fcb219e1cb928ddbc6973] Merge remote-tracking branch 'nfs-anna/linux-next' testing commit 764b9b2310378d0c3d5fcb219e1cb928ddbc6973 with gcc (GCC) 8.1.0 kernel signature: a91c4a2fc62b3facb6c9cbd64585e10f1e326d6d9a27eb0e7c507d15aca5e407 all runs: OK # git bisect good 764b9b2310378d0c3d5fcb219e1cb928ddbc6973 Bisecting: 58 revisions left to test after this (roughly 6 steps) [211adbbaccb11296356a9dc69978a6e760e7e777] Merge remote-tracking branch 'vfs/for-next' testing commit 211adbbaccb11296356a9dc69978a6e760e7e777 with gcc (GCC) 8.1.0 kernel signature: 278fb6f42794c0545db50a1593166e126f1a8333eab0aa7bdab22c1894c4873f all runs: OK # git bisect good 211adbbaccb11296356a9dc69978a6e760e7e777 Bisecting: 28 revisions left to test after this (roughly 5 steps) [c713db333c390b3480d4b1e246f9975f7ac91acb] Merge branch 'remotes/lorenzo/pci/ntb' testing commit c713db333c390b3480d4b1e246f9975f7ac91acb with gcc (GCC) 8.1.0 kernel signature: de3b9d7b2cdd8856cfe3f34cfd678732d85da6493a9d9b56dc611d137b6985df all runs: OK # git bisect good c713db333c390b3480d4b1e246f9975f7ac91acb Bisecting: 14 revisions left to test after this (roughly 4 steps) [2e9dda43cb06a5f1f5ebbbef0845a167a1cecf9d] Merge branch 'printk-rework' into for-next testing commit 2e9dda43cb06a5f1f5ebbbef0845a167a1cecf9d with gcc (GCC) 8.1.0 kernel signature: fcc35ca10b442626c3fd40144689aaa7aa88f3ab668fb25dbb473edbdf3f43c4 all runs: OK # git bisect good 2e9dda43cb06a5f1f5ebbbef0845a167a1cecf9d Bisecting: 7 revisions left to test after this (roughly 3 steps) [e103e8f1e0bfbab0f5753cfb7f55802e0ecc7188] Merge branch 'printk-rework' into for-next testing commit e103e8f1e0bfbab0f5753cfb7f55802e0ecc7188 with gcc (GCC) 8.1.0 kernel signature: e6807828375753b0c525f4a8fbdab0b2f60184f247b3fd03a92c5a7d3be9058c run #0: crashed: WARNING: bad unlock balance in ip6_output run #1: crashed: WARNING: bad unlock balance in ip6_output run #2: crashed: kernel BUG in fib_sync_up run #3: crashed: BUG: unable to handle kernel paging request in alloc_counters run #4: crashed: WARNING: bad unlock balance in ip6_output run #5: crashed: WARNING: bad unlock balance in ip6_output run #6: crashed: WARNING: bad unlock balance in ip6_output run #7: crashed: WARNING: bad unlock balance in ip6_output run #8: crashed: WARNING: bad unlock balance in ip6_output run #9: crashed: WARNING: bad unlock balance in ip6_output # git bisect bad e103e8f1e0bfbab0f5753cfb7f55802e0ecc7188 Bisecting: 3 revisions left to test after this (roughly 2 steps) [f0e386ee0c0b71ea6f7238506a4d0965a2dbef11] printk: fix buffer overflow potential for print_text() testing commit f0e386ee0c0b71ea6f7238506a4d0965a2dbef11 with gcc (GCC) 8.1.0 kernel signature: 571d1ddda85d4445662e9e8830938433f033a40e590eb0063c856f4ea5815f1b run #0: crashed: WARNING: bad unlock balance in ip6_output run #1: crashed: BUG: Bad page map run #2: crashed: WARNING: bad unlock balance in ip6_output run #3: crashed: WARNING: bad unlock balance in ip6_output run #4: crashed: WARNING: bad unlock balance in ip6_output run #5: crashed: WARNING: bad unlock balance in ip6_output run #6: crashed: WARNING: bad unlock balance in ip6_output run #7: crashed: WARNING: bad unlock balance in ip6_output run #8: crashed: WARNING: bad unlock balance in ip6_output run #9: crashed: WARNING: bad unlock balance in ip6_output # git bisect bad f0e386ee0c0b71ea6f7238506a4d0965a2dbef11 Bisecting: 0 revisions left to test after this (roughly 1 step) [89ccf18f032f26946e2ea6258120472eec6aa745] printk: fix kmsg_dump_get_buffer length calulations testing commit 89ccf18f032f26946e2ea6258120472eec6aa745 with gcc (GCC) 8.1.0 kernel signature: d1ef02974419c2634dedddfea0805755a2365990450e191eb57f41dbb5ed414b all runs: OK # git bisect good 89ccf18f032f26946e2ea6258120472eec6aa745 f0e386ee0c0b71ea6f7238506a4d0965a2dbef11 is the first bad commit commit f0e386ee0c0b71ea6f7238506a4d0965a2dbef11 Author: John Ogness Date: Thu Jan 14 18:10:12 2021 +0106 printk: fix buffer overflow potential for print_text() Before the commit 896fbe20b4e2333fb55 ("printk: use the lockless ringbuffer"), msg_print_text() would only write up to size-1 bytes into the provided buffer. Some callers expect this behavior and append a terminator to returned string. In particular: arch/powerpc/xmon/xmon.c:dump_log_buf() arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout() msg_print_text() has been replaced by record_print_text(), which currently fills the full size of the buffer. This causes a buffer overflow for the above callers. Change record_print_text() so that it will only use size-1 bytes for text data. Also, for paranoia sakes, add a terminator after the text data. And finally, document this behavior so that it is clear that only size-1 bytes are used and a terminator is added. Fixes: 896fbe20b4e2333fb55 ("printk: use the lockless ringbuffer") Cc: stable@vger.kernel.org # 5.10+ Signed-off-by: John Ogness Reviewed-by: Petr Mladek Acked-by: Sergey Senozhatsky Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20210114170412.4819-1-john.ogness@linutronix.de kernel/printk/printk.c | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) culprit signature: 571d1ddda85d4445662e9e8830938433f033a40e590eb0063c856f4ea5815f1b parent signature: d1ef02974419c2634dedddfea0805755a2365990450e191eb57f41dbb5ed414b revisions tested: 15, total time: 2h57m20.182277571s (build: 1h12m36.960944143s, test: 1h42m58.941406177s) first bad commit: f0e386ee0c0b71ea6f7238506a4d0965a2dbef11 printk: fix buffer overflow potential for print_text() recipients (to): ["john.ogness@linutronix.de" "pmladek@suse.com" "sergey.senozhatsky@gmail.com"] recipients (cc): [] crash: WARNING: bad unlock balance in ip6_output ===================================== WARNING: bad unlock balance detected! 5.10.0-rc5-syzkaller #0 Not tainted ------------------------------------- syz-executor.2/20514 is trying to release lock (&____s->seqcount) at: [] NF_HOOK_COND include/linux/netfilter.h:290 [inline] [] ip6_output+0x79/0x2c0 net/ipv6/ip6_output.c:176 but there are no more locks to release! other info that might help us debug this: 3 locks held by syz-executor.2/20514: #0: ffffc90000cf4e90 ((&ndev->rs_timer)){+.-.}-{0:0}, at: call_timer_fn+0x0/0x340 kernel/time/timer.c:2026 #1: ffffffff85027c20 (rcu_read_lock){....}-{1:2}, at: rcu_read_unlock include/linux/rcupdate.h:691 [inline] #1: ffffffff85027c20 (rcu_read_lock){....}-{1:2}, at: ip6_nd_hdr net/ipv6/ndisc.c:453 [inline] #1: ffffffff85027c20 (rcu_read_lock){....}-{1:2}, at: ndisc_send_skb+0x19b/0x5f0 net/ipv6/ndisc.c:502 #2: ffffffff85027be0 (rcu_read_lock_bh){....}-{1:2}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] #2: ffffffff85027be0 (rcu_read_lock_bh){....}-{1:2}, at: ip6_finish_output2+0x7d/0xa60 net/ipv6/ip6_output.c:103 stack backtrace: CPU: 1 PID: 20514 Comm: syz-executor.2 Not tainted 5.10.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x77/0x97 lib/dump_stack.c:118 __lock_release kernel/locking/lockdep.c:5121 [inline] lock_release+0x1dc/0x2d0 kernel/locking/lockdep.c:5457 seqcount_lockdep_reader_access include/linux/seqlock.h:104 [inline] read_seqbegin include/linux/seqlock.h:838 [inline] neigh_hh_output include/net/neighbour.h:469 [inline] neigh_output include/net/neighbour.h:508 [inline] ip6_finish_output2+0x544/0xa60 net/ipv6/ip6_output.c:117 NF_HOOK_COND include/linux/netfilter.h:290 [inline] ip6_output+0x79/0x2c0 net/ipv6/ip6_output.c:176 dst_output include/net/dst.h:443 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ndisc_send_skb+0x4b2/0x5f0 net/ipv6/ndisc.c:508 addrconf_rs_timer+0xd3/0x220 net/ipv6/addrconf.c:3873 call_timer_fn+0xa5/0x340 kernel/time/timer.c:1410 expire_timers kernel/time/timer.c:1455 [inline] __run_timers kernel/time/timer.c:1747 [inline] run_timer_softirq+0x259/0x680 kernel/time/timer.c:1760 __do_softirq+0xf0/0x5f1 kernel/softirq.c:298 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0x7c/0xa0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0xc9/0xf0 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x57/0xf0 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631 RIP: 0010:__syscall_enter_from_user_work kernel/entry/common.c:79 [inline] RIP: 0010:syscall_enter_from_user_mode+0x26/0x50 kernel/entry/common.c:99 Code: cc cc cc cc 55 48 89 fd 53 48 8b 7c 24 10 48 89 f3 e8 5e f6 ff ff e8 39 2f 95 fd e8 f4 31 95 fd fb 65 48 8b 04 25 00 70 01 00 <48> 8b 30 f7 c6 c1 01 00 10 75 06 48 89 d8 5b 5d c3 48 89 ef 5b 5d RSP: 0018:ffffc90004b0bf30 EFLAGS: 00000206 RAX: ffff88811d35cbc0 RBX: 0000000000000003 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff84b0ffa9 RDI: ffffffff849b5b2e RBP: ffffc90004b0bf58 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 do_syscall_64+0xf/0x70 arch/x86/entry/common.c:41 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417b71 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fff42a3e9b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000417b71 RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000004 RBP: 0000000000000000 R08: 00000000011a11e0 R09: 0000000000000000 R10: 00007fff42a3ea80 R11: 0000000000000293 R12: ffffffffffffffff R13: 0000000000000000 R14: 0000000000000003 R15: 000000000119bf8c