bisecting cause commit starting from 6abab1b81b657ca74b7c443e832d95c87901e75b building syzkaller on 4ebb27982f8984ed57466f87099acc0b250a1b5c testing commit 6abab1b81b657ca74b7c443e832d95c87901e75b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 53afe3c77e93dfd1377123720dc623dfb67281e999ded39311a613488d8dc47d all runs: crashed: KASAN: vmalloc-out-of-bounds Write in ringbuf_map_alloc testing release v5.16 testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6392e7dc90e0a4647080a5029d93ca58348fb8a5852ea8aba24fe1cfc2cb5f6d run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect start 6abab1b81b657ca74b7c443e832d95c87901e75b df0cc57e057f18e44dac8e6c18aba47ab53202f9 Bisecting: 7959 revisions left to test after this (roughly 13 steps) [455e73a07f6e288b0061dfcf4fcf54fa9fe06458] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit 455e73a07f6e288b0061dfcf4fcf54fa9fe06458 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 688a0317b34949a2fa1a03a23354cdcff72b3cd85e39730081264c9410b248f1 all runs: OK # git bisect good 455e73a07f6e288b0061dfcf4fcf54fa9fe06458 Bisecting: 3979 revisions left to test after this (roughly 12 steps) [82b550fa99f2c73636ca3f84900117c3c3272ef7] Merge tag 'drm-fixes-2022-01-28' of git://anongit.freedesktop.org/drm/drm testing commit 82b550fa99f2c73636ca3f84900117c3c3272ef7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2dd16dc294b5748af9e342109c50722856771899351f78d59fae128735b82d2a all runs: OK # git bisect good 82b550fa99f2c73636ca3f84900117c3c3272ef7 Bisecting: 2016 revisions left to test after this (roughly 11 steps) [ab4cdccffff704568beed9d26308479fe34e9008] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git testing commit ab4cdccffff704568beed9d26308479fe34e9008 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5d6eabdc22056d55ab3d5548e4a7716ed0d615ad585f7fa909142ed342248448 all runs: OK # git bisect good ab4cdccffff704568beed9d26308479fe34e9008 Bisecting: 1023 revisions left to test after this (roughly 10 steps) [1aa0ca1db219920c65cd75ed92a3b11175ac3a11] Merge branch 'for-mfd-next' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd.git testing commit 1aa0ca1db219920c65cd75ed92a3b11175ac3a11 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c92df4e111ce4ede004f6c037110cd22c32e23489f8165bcec56f8288fa64156 all runs: OK # git bisect good 1aa0ca1db219920c65cd75ed92a3b11175ac3a11 Bisecting: 435 revisions left to test after this (roughly 9 steps) [1bf2060c2b997a0b351735918f72ad5dab2c54c4] Merge branch 'staging-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git testing commit 1bf2060c2b997a0b351735918f72ad5dab2c54c4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 60e5787790f2e5c0de11eeb194b73104f21316e48f799ce998791b531ef68d4f all runs: OK # git bisect good 1bf2060c2b997a0b351735918f72ad5dab2c54c4 Bisecting: 217 revisions left to test after this (roughly 8 steps) [f49f98cea3416208b90fc4d7038a60c7c9b13aeb] ipc/mqueue: use get_tree_nodev() in mqueue_get_tree() testing commit f49f98cea3416208b90fc4d7038a60c7c9b13aeb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fa37a64fd6ccf8399061925cde3048a90e9392ecdbd62f91a081eec46fd32242 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in ringbuf_map_alloc # git bisect bad f49f98cea3416208b90fc4d7038a60c7c9b13aeb Bisecting: 108 revisions left to test after this (roughly 7 steps) [f573e1561f1be918395038e4ecaa996c63b18f00] mm/sparse: make mminit_validate_memmodel_limits() static testing commit f573e1561f1be918395038e4ecaa996c63b18f00 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cb78a1abc09c719b5d09ed384b7d043f0066cce4c6ed93e8786159fdc9920cb8 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in ringbuf_map_alloc # git bisect bad f573e1561f1be918395038e4ecaa996c63b18f00 Bisecting: 54 revisions left to test after this (roughly 6 steps) [bcf2a082c3307a0757c7250b21747e1f63234641] kasan, arm64: reset pointer tags of vmapped stacks testing commit bcf2a082c3307a0757c7250b21747e1f63234641 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 29abe6d4330e4fe34b7fd8e0d3be38ff618e45ba1168615ef7354473e2ad6b3c all runs: OK # git bisect good bcf2a082c3307a0757c7250b21747e1f63234641 Bisecting: 27 revisions left to test after this (roughly 5 steps) [45f77a222e9459538f769b7c7101eb9dec1438ac] documentation-vm-page_ownerrst-update-the-documentation-fix testing commit 45f77a222e9459538f769b7c7101eb9dec1438ac compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1938117c5da260abea3d7d774f12d0960fd64705fbc61fe59272425bcc891a99 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in ringbuf_map_alloc # git bisect bad 45f77a222e9459538f769b7c7101eb9dec1438ac Bisecting: 13 revisions left to test after this (roughly 4 steps) [2d97dab7d7abfaa6153b32d4f4b000cb19bf4a3a] kasan: allow enabling KASAN_VMALLOC and SW/HW_TAGS testing commit 2d97dab7d7abfaa6153b32d4f4b000cb19bf4a3a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 19dcb323ddd143b450ffaa06b7ecbaaaffab4726ef07d579f91b19f3d0659215 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in ringbuf_map_alloc # git bisect bad 2d97dab7d7abfaa6153b32d4f4b000cb19bf4a3a Bisecting: 6 revisions left to test after this (roughly 3 steps) [61e10c516fe7fba3a51e0191826a29fba8191be1] kasan, page_alloc: allow skipping memory init for HW_TAGS testing commit 61e10c516fe7fba3a51e0191826a29fba8191be1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f99eb34dba2f16fb01208a4fd0fd62f2dbc3e9810bcca64302531c6b52a25247 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in ringbuf_map_alloc # git bisect bad 61e10c516fe7fba3a51e0191826a29fba8191be1 Bisecting: 2 revisions left to test after this (roughly 2 steps) [c34cdf846c1298de1c0f7fbe04820fe96c45068c] kasan, vmalloc: unpoison VM_ALLOC pages after mapping testing commit c34cdf846c1298de1c0f7fbe04820fe96c45068c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 21acd5d97803ec54b13035d7436fc6362c0e4b15670e14a79071466f22e98ee8 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in ringbuf_map_alloc # git bisect bad c34cdf846c1298de1c0f7fbe04820fe96c45068c Bisecting: 0 revisions left to test after this (roughly 1 step) [8f6c95ad08da115f1fba15a5ef4c095c347a76fb] kasan, vmalloc, arm64: mark vmalloc mappings as pgprot_tagged testing commit 8f6c95ad08da115f1fba15a5ef4c095c347a76fb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7615378d618672dceeb3414c12aac89de1a2b7721521492144016792a762f81d all runs: OK # git bisect good 8f6c95ad08da115f1fba15a5ef4c095c347a76fb c34cdf846c1298de1c0f7fbe04820fe96c45068c is the first bad commit commit c34cdf846c1298de1c0f7fbe04820fe96c45068c Author: Andrey Konovalov Date: Wed Feb 2 12:04:27 2022 +1100 kasan, vmalloc: unpoison VM_ALLOC pages after mapping Make KASAN unpoison vmalloc mappings after they have been mapped in when it's possible: for vmalloc() (indentified via VM_ALLOC) and vm_map_ram(). The reasons for this are: - For vmalloc() and vm_map_ram(): pages don't get unpoisoned in case mapping them fails. - For vmalloc(): HW_TAGS KASAN needs pages to be mapped to set tags via kasan_unpoison_vmalloc(). As a part of these changes, the return value of __vmalloc_node_range() is changed to area->addr. This is a non-functional change, as __vmalloc_area_node() returns area->addr anyway. Link: https://lkml.kernel.org/r/fcb98980e6fcd3c4be6acdcb5d6110898ef28548.1643047180.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov Reviewed-by: Alexander Potapenko Acked-by: Marco Elver Cc: Andrey Ryabinin Cc: Catalin Marinas Cc: Dmitry Vyukov Cc: Evgenii Stepanov Cc: Mark Rutland Cc: Peter Collingbourne Cc: Vincenzo Frascino Cc: Will Deacon Signed-off-by: Andrew Morton Signed-off-by: Stephen Rothwell mm/vmalloc.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) culprit signature: 21acd5d97803ec54b13035d7436fc6362c0e4b15670e14a79071466f22e98ee8 parent signature: 7615378d618672dceeb3414c12aac89de1a2b7721521492144016792a762f81d revisions tested: 15, total time: 2h24m49.84522616s (build: 1h40m21.668502631s, test: 42m57.042622218s) first bad commit: c34cdf846c1298de1c0f7fbe04820fe96c45068c kasan, vmalloc: unpoison VM_ALLOC pages after mapping recipients (to): ["akpm@linux-foundation.org" "andreyknvl@google.com" "elver@google.com" "glider@google.com" "sfr@canb.auug.org.au"] recipients (cc): [] crash: KASAN: vmalloc-out-of-bounds Write in ringbuf_map_alloc ================================================================== BUG: KASAN: vmalloc-out-of-bounds in bpf_ringbuf_area_alloc kernel/bpf/ringbuf.c:110 [inline] BUG: KASAN: vmalloc-out-of-bounds in bpf_ringbuf_alloc kernel/bpf/ringbuf.c:133 [inline] BUG: KASAN: vmalloc-out-of-bounds in ringbuf_map_alloc kernel/bpf/ringbuf.c:172 [inline] BUG: KASAN: vmalloc-out-of-bounds in ringbuf_map_alloc+0x618/0x6a0 kernel/bpf/ringbuf.c:148 Write of size 8 at addr ffffc9000c4b9078 by task syz-executor383/4048 CPU: 0 PID: 4048 Comm: syz-executor383 Not tainted 5.17.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 bpf_ringbuf_area_alloc kernel/bpf/ringbuf.c:110 [inline] bpf_ringbuf_alloc kernel/bpf/ringbuf.c:133 [inline] ringbuf_map_alloc kernel/bpf/ringbuf.c:172 [inline] ringbuf_map_alloc+0x618/0x6a0 kernel/bpf/ringbuf.c:148 find_and_alloc_map kernel/bpf/syscall.c:128 [inline] map_create kernel/bpf/syscall.c:865 [inline] __sys_bpf+0x8bd/0x4400 kernel/bpf/syscall.c:4616 __do_sys_bpf kernel/bpf/syscall.c:4738 [inline] __se_sys_bpf kernel/bpf/syscall.c:4736 [inline] __x64_sys_bpf+0x70/0xb0 kernel/bpf/syscall.c:4736 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f31c3a41b49 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd6ca26ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f31c3a41b49 RDX: 0000000000000048 RSI: 0000000020000280 RDI: 0000000000000000 RBP: 00007f31c3a05cf0 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f31c3a05d80 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Memory state around the buggy address: ffffc9000c4b8f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc9000c4b8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffffc9000c4b9000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc9000c4b9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc9000c4b9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ==================================================================