ci2 starts bisection 2024-09-13 04:14:33.836319213 +0000 UTC m=+10322.781453999
bisecting fixing commit since 993bed180178156a70afdafe8aaf23a117107352
building syzkaller on 352ab9047be19ed1d8367b9113b7bde280c90124
ensuring issue is reproducible on original commit 993bed180178156a70afdafe8aaf23a117107352
testing commit 993bed180178156a70afdafe8aaf23a117107352 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2122a692ecd4d0286669fc32402e64da94ed5b60ddf46cbca4b93665ff7f2acf
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 993bed180178156a70afdafe8aaf23a117107352 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c037cb63e35f33ebcf2fe3aa19ac60f3fb67377ab7beedfaa0ea5ab331cc0868
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
kconfig minimization: base=4920 full=6159 leaves diff=242
split chunks (needed=false): <242>
split chunk #0 of len 242 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 993bed180178156a70afdafe8aaf23a117107352 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bf0e1ca6cbc094113a6f2cf3b5a9097e3f6413879a8f5541c5e081423a668772
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 993bed180178156a70afdafe8aaf23a117107352 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 209340420dc5b45b788f10919bfe368da16eb4276677b2f9986f23382205fd7c
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 993bed180178156a70afdafe8aaf23a117107352 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f12d6aeade0aefa5b6db1b0654e976c947dba4094fa0a8fbaaf881732386766e
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 993bed180178156a70afdafe8aaf23a117107352 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 322ff49350946d534cbd57c40e77b38a2a806d05076af3ba4925687c3e111925
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 993bed180178156a70afdafe8aaf23a117107352 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 993bed180178156a70afdafe8aaf23a117107352: net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3385: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing current HEAD e6fb3b0fa87f1fe127bc20a5038d8e8e08e57cf7
testing commit e6fb3b0fa87f1fe127bc20a5038d8e8e08e57cf7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 75ffc9fb766134f8866e25ae8c39b6bc998fe9234c9856daf6e18ae0c416d820
all runs: OK
false negative chance: 0.000
# git bisect start e6fb3b0fa87f1fe127bc20a5038d8e8e08e57cf7 993bed180178156a70afdafe8aaf23a117107352
Bisecting: 1288 revisions left to test after this (roughly 10 steps)
[5d5f1a7f3b1039925f79c7894f153c2a905201fb] drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag
determine whether the revision contains the guilty commit
checking the merge base 6139f2a02fe0ac7a08389b4eb786e0c659039ddd
no existing result, test the revision
testing commit 6139f2a02fe0ac7a08389b4eb786e0c659039ddd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bc768d18aed0399c519f9fa1bc2d631a95859d37400df0a977cc85f09660e726
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
testing commit 5d5f1a7f3b1039925f79c7894f153c2a905201fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 593948be814dfc0cee0c5e84e98427ee649515e058c8c456e9cdafa77f76dada
all runs: OK
false negative chance: 0.000
# git bisect bad 5d5f1a7f3b1039925f79c7894f153c2a905201fb
Bisecting: 643 revisions left to test after this (roughly 9 steps)
[621619f626cbe702ddbdc54117f3868b8ebd8129] arm64: mm: fix VA-range sanity check
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 621619f626cbe702ddbdc54117f3868b8ebd8129 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 99b5f79c9b59a0419e1f0ad9c68b67d705b0d5e64042c7ed839010a846fa3c1f
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
# git bisect good 621619f626cbe702ddbdc54117f3868b8ebd8129
Bisecting: 321 revisions left to test after this (roughly 8 steps)
[6a87552d0a81e7d1af18a23c53a37e28803f9391] bus: tegra-aconnect: Update dependency to ARCH_TEGRA
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 6a87552d0a81e7d1af18a23c53a37e28803f9391 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 593db9eae4574b0f926de4c397a903b9a43c2d953e2e7c55ccbfc5e89962d81f
all runs: OK
false negative chance: 0.000
# git bisect bad 6a87552d0a81e7d1af18a23c53a37e28803f9391
Bisecting: 160 revisions left to test after this (roughly 7 steps)
[e72b4e5e16f6a835a5c127aa4edf156268c77378] i40e: disable NAPI right after disabling irqs when handling xsk_pool
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit e72b4e5e16f6a835a5c127aa4edf156268c77378 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ddc00cdafc933ab27dafea62fbf228ecbef2e34ffa62e310bc7ee2fa3767c892
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
# git bisect good e72b4e5e16f6a835a5c127aa4edf156268c77378
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[7e13a78e2ba4b3c2afb28ae44c91882536f862a2] riscv: dts: sifive: add missing #interrupt-cells to pmic
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 7e13a78e2ba4b3c2afb28ae44c91882536f862a2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 04ab00ce57d71fff0be56f9db4c051e99044d8be39a07c2aeeee9010052f5970
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
# git bisect good 7e13a78e2ba4b3c2afb28ae44c91882536f862a2
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[11b564991b5346fc5945e8289d7307b95589a30b] wifi: wilc1000: fix declarations ordering
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 11b564991b5346fc5945e8289d7307b95589a30b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f4804deb69640bc652bb2f5c60b615e9270be3315e0454c8c2d0c2d700b9d16d
all runs: OK
false negative chance: 0.000
# git bisect bad 11b564991b5346fc5945e8289d7307b95589a30b
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[932600a295cc299d470ca7f5d6491bd0dfc99ea7] s390/dasd: add copy pair setup
determine whether the revision contains the guilty commit
revision 621619f626cbe702ddbdc54117f3868b8ebd8129 crashed and is reachable
testing commit 932600a295cc299d470ca7f5d6491bd0dfc99ea7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 363f6f9fc9b3eb4664d9292506f2e8708bb200b44394d215867dd727256b9481
all runs: OK
false negative chance: 0.000
# git bisect bad 932600a295cc299d470ca7f5d6491bd0dfc99ea7
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[8d1753973f598531baaa2c1033cf7f7b5bb004b0] Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 8d1753973f598531baaa2c1033cf7f7b5bb004b0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c2763f7d88bc153dcf8a32b54d7aabc73b6bff7b7fd133a84a1e54f3dccc3493
all runs: OK
false negative chance: 0.000
# git bisect bad 8d1753973f598531baaa2c1033cf7f7b5bb004b0
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[f6cbb4843c61025d61c0efd7cac014b059495c9c] block: sed-opal: handle empty atoms when parsing response
determine whether the revision contains the guilty commit
revision 621619f626cbe702ddbdc54117f3868b8ebd8129 crashed and is reachable
testing commit f6cbb4843c61025d61c0efd7cac014b059495c9c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bc90e6568f5f81bf5b2da4a665e15ec67b6df218a14a4b2bbc7a96fa42f2b42a
all runs: OK
false negative chance: 0.000
# git bisect bad f6cbb4843c61025d61c0efd7cac014b059495c9c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[e8a67fe34b76a49320b33032228a794f40b0316b] x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
determine whether the revision contains the guilty commit
revision e72b4e5e16f6a835a5c127aa4edf156268c77378 crashed and is reachable
testing commit e8a67fe34b76a49320b33032228a794f40b0316b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c5ad462be68132147579fafbffc13ab7f1c17a879adc9b00bd2df514874659c3
all runs: OK
false negative chance: 0.000
# git bisect bad e8a67fe34b76a49320b33032228a794f40b0316b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2] x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h
determine whether the revision contains the guilty commit
revision e72b4e5e16f6a835a5c127aa4edf156268c77378 crashed and is reachable
testing commit e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ec63ce438d4b691d266b0ac4da39f79627367edcc61489368883ebcbba36a0d3
all runs: crashed: BUG: unable to handle kernel paging request in copy_from_kernel_nofault
representative crash: BUG: unable to handle kernel paging request in copy_from_kernel_nofault, types: [UNKNOWN]
# git bisect good e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2
e8a67fe34b76a49320b33032228a794f40b0316b is the first bad commit
commit e8a67fe34b76a49320b33032228a794f40b0316b
Author: Hou Tao
Date:   Fri Feb 2 18:39:34 2024 +0800

    x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

    [ Upstream commit 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58 ]

    When trying to use copy_from_kernel_nofault() to read vsyscall page
    through a bpf program, the following oops was reported:

      BUG: unable to handle page fault for address: ffffffffff600000
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
      RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
      ......
      Call Trace:
       ? copy_from_kernel_nofault+0x6f/0x110
       bpf_probe_read_kernel+0x1d/0x50
       bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
       trace_call_bpf+0xc5/0x1c0
       perf_call_bpf_enter.isra.0+0x69/0xb0
       perf_syscall_enter+0x13e/0x200
       syscall_trace_enter+0x188/0x1c0
       do_syscall_64+0xb5/0xe0
       entry_SYSCALL_64_after_hwframe+0x6e/0x76
      ......
      ---[ end trace 0000000000000000 ]---

    The oops is triggered when:

    1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
    page and invokes copy_from_kernel_nofault() which in turn calls
    __get_user_asm().

    2) Because the vsyscall page address is not readable from kernel space,
    a page fault exception is triggered accordingly.

    3) handle_page_fault() considers the vsyscall page address as a user
    space address instead of a kernel space address. This results in the
    fix-up setup by bpf not being applied and a page_fault_oops() is invoked
    due to SMAP.

    Considering handle_page_fault() has already considered the vsyscall page
    address as a userspace address, fix the problem by disallowing vsyscall
    page read for copy_from_kernel_nofault().

    Originally-by: Thomas Gleixner
    Reported-by: syzbot+72aa0161922eba61b50e@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@mail.gmail.com
    Reported-by: xingwei lee
    Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@mail.gmail.com
    Signed-off-by: Hou Tao
    Reviewed-by: Sohil Mehta
    Acked-by: Thomas Gleixner
    Link: https://lore.kernel.org/r/20240202103935.3154011-3-houtao@huaweicloud.com
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Sasha Levin

 arch/x86/mm/maccess.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

accumulated error probability: 0.00
culprit signature: c5ad462be68132147579fafbffc13ab7f1c17a879adc9b00bd2df514874659c3
parent signature: ec63ce438d4b691d266b0ac4da39f79627367edcc61489368883ebcbba36a0d3
revisions tested: 19, total time: 4h29m19.800631152s (build: 2h17m52.491642652s, test: 2h3m43.936608883s)
first good commit: e8a67fe34b76a49320b33032228a794f40b0316b x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
recipients (to): ["ast@kernel.org" "houtao1@huawei.com" "sashal@kernel.org" "sohil.mehta@intel.com" "tglx@linutronix.de"]
recipients (cc): []
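The commit message above describes a mismatch between two address checks: copy_from_kernel_nofault() accepted the vsyscall page as a kernel address, while the page-fault path (handle_page_fault(), via x86's fault_in_kernel_space()) treats that same page as user space, so the nofault exception fixup is never applied and the fault becomes an oops. The following user-space C program is an added illustration, not the kernel's code and not part of this bisection log: it models the two checks as plain functions, with the "before" and "after" forms of the allowed-check, and tests the invariant that every address the nofault path accepts must also be one the fault handler treats as kernel space. The constants are the assumed x86-64 4-level paging values (48 virtual bits, TASK_SIZE_MAX = 2^47 - PAGE_SIZE, VSYSCALL_ADDR = 0xffffffffff600000, the address from the oops); the sample address list is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed x86-64, 4-level paging values (model constants, not kernel headers). */
#define PAGE_SIZE       4096UL
#define PAGE_MASK       (~(PAGE_SIZE - 1))
#define VIRT_BITS       48
#define TASK_SIZE_MAX   ((1UL << (VIRT_BITS - 1)) - PAGE_SIZE) /* 0x00007ffffffff000 */
#define VSYSCALL_ADDR   0xffffffffff600000UL                   /* address in the oops */

/* Page granular: any address inside the 4 KiB vsyscall page. */
static bool is_vsyscall_vaddr(uint64_t addr)
{
    return (addr & PAGE_MASK) == VSYSCALL_ADDR;
}

/* Canonical iff sign-extending from bit (bits-1) reproduces the value. */
static bool is_canonical(uint64_t vaddr, int bits)
{
    int shift = 64 - bits;
    return (uint64_t)(((int64_t)(vaddr << shift)) >> shift) == vaddr;
}

/*
 * Fault side, modelled on x86's fault_in_kernel_space(): the vsyscall page
 * lies above TASK_SIZE_MAX but is classified as a *user* fault. A fault the
 * handler calls "user" never gets the kernel exception-table fixup that
 * copy_from_kernel_nofault() relies on, which is step 3 of the oops.
 */
static bool fault_in_kernel_space(uint64_t addr)
{
    if (is_vsyscall_vaddr(addr))
        return false;
    return addr >= TASK_SIZE_MAX;
}

/* Model of copy_from_kernel_nofault_allowed() before the fix. */
static bool nofault_allowed_before(uint64_t vaddr)
{
    /* Reject user space plus the guard page above it. */
    if (vaddr < TASK_SIZE_MAX + PAGE_SIZE)
        return false;
    return is_canonical(vaddr, VIRT_BITS);
}

/* Model of the same check with the fix: the vsyscall page is refused too. */
static bool nofault_allowed_after(uint64_t vaddr)
{
    if (vaddr < TASK_SIZE_MAX + PAGE_SIZE)
        return false;
    if (is_vsyscall_vaddr(vaddr))
        return false;
    return is_canonical(vaddr, VIRT_BITS);
}

typedef struct {
    bool allowed_before;  /* nofault read accepted by the pre-fix check */
    bool allowed_after;   /* nofault read accepted by the fixed check   */
    bool kernel_fault;    /* a fault here would be handled as kernel    */
} verdict;

static verdict classify(uint64_t addr)
{
    verdict v = { nofault_allowed_before(addr), nofault_allowed_after(addr),
                  fault_in_kernel_space(addr) };
    return v;
}

/*
 * Safety invariant: allowed(addr) implies fault_in_kernel_space(addr).
 * Returns how many sample addresses violate it for the given allowed-check.
 */
static int count_unsafe(bool (*allowed)(uint64_t), const uint64_t *addrs, size_t n)
{
    int unsafe = 0;
    for (size_t i = 0; i < n; i++)
        if (allowed(addrs[i]) && !fault_in_kernel_space(addrs[i]))
            unsafe++;
    return unsafe;
}

/* Constructed sample addresses: vsyscall page (start and interior), the page
 * after it, a kernel-text-like address, a user address, a non-canonical
 * address, and NULL. */
static const uint64_t SAMPLE_ADDRS[] = {
    0xffffffffff600000UL, 0xffffffffff600abcUL, 0xffffffffff601000UL,
    0xffffffff81000000UL, 0x00007f0000001000UL, 0x0000800000000000UL, 0x0UL,
};
#define SAMPLE_COUNT (sizeof(SAMPLE_ADDRS) / sizeof(SAMPLE_ADDRS[0]))

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        verdict v = classify(SAMPLE_ADDRS[i]);
        printf("%#018lx before=%d after=%d kernel_fault=%d\n",
               (unsigned long)SAMPLE_ADDRS[i], v.allowed_before, v.allowed_after, v.kernel_fault);
    }
    printf("unsafe before fix: %d, after fix: %d\n",
           count_unsafe(nofault_allowed_before, SAMPLE_ADDRS, SAMPLE_COUNT),
           count_unsafe(nofault_allowed_after, SAMPLE_ADDRS, SAMPLE_COUNT));
    return 0;
}
```

The two vsyscall-page addresses are the only ones where the pre-fix check says "allowed" while the fault handler says "user": exactly the combination the bisected commit closes. The fixed check leaves every other sample unchanged, which is the property to confirm when reviewing a change of this kind, since tightening the nofault check too far would break legitimate kernel reads from BPF and from the instruction decoder in early exception handlers.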