ci starts bisection 2023-06-07 03:33:58.430740838 +0000 UTC m=+480791.928695395 bisecting fixing commit since 41c03ba9beea760bd2d2ac9250b09a2e192da2dc building syzkaller on 1dac8c7a01e2bdd35cb04eb4901ddb157291ac2d ensuring issue is reproducible on original commit 41c03ba9beea760bd2d2ac9250b09a2e192da2dc testing commit 41c03ba9beea760bd2d2ac9250b09a2e192da2dc gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 23f9ca24933d1b069c11d1ad9148c7170b01b574379eae48a1e2e7c486232c34 run #0: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #1: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #2: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #3: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #4: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #5: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #6: crashed: WARNING: nested lock was not taken in filemap_get_read_batch run #7: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #8: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #9: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #10: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #11: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #12: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #13: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #14: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #15: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #16: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #17: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #18: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #19: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync testing current HEAD a4d7d701121981e3c3fe69ade376fe9f26324161 testing commit a4d7d701121981e3c3fe69ade376fe9f26324161 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 49cd3f9340a4e3de323df798ff071559ff9ae5290bb8e129b5ccb2dfcfdc0b9c run #0: crashed: kernel panic: stack is corrupted in validate_chain run #1: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #2: crashed: KASAN: stack-out-of-bounds Write in is_bpf_text_address run #3: crashed: KASAN: stack-out-of-bounds Write in is_bpf_text_address run #4: crashed: KASAN: stack-out-of-bounds Write in is_bpf_text_address run #5: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #6: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #7: crashed: KASAN: stack-out-of-bounds Write in is_bpf_text_address run #8: crashed: UBSAN: array-index-out-of-bounds in lru_add_drain_cpu run #9: crashed: KASAN: stack-out-of-bounds Write in is_bpf_text_address crash still not fixed/happens on the oldest tested release revisions tested: 2, total time: 36m25.203132902s (build: 26m18.265754206s, test: 9m5.436262489s) crash still not fixed on HEAD or HEAD had kernel test errors commit msg: Merge tag 'spi-fix-v6.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi crash: KASAN: stack-out-of-bounds Write in is_bpf_text_address loop0: detected capacity change from 0 to 4096 ntfs3: loop0: Different NTFS sector size (4096) and media sector size (512). ================================================================== BUG: KASAN: stack-out-of-bounds in lock_acquire+0x21f/0x520 Write of size 8 at addr ffffc9000353f25f by task syz-executor.0/6717 CPU: 0 PID: 6717 Comm: syz-executor.0 Not tainted 6.4.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 Call Trace: dump_stack_lvl+0x167/0x220 print_report+0x163/0x540 kasan_report+0x176/0x1b0 lock_acquire+0x21f/0x520 rcu_lock_acquire+0x24/0x30 is_bpf_text_address+0x1c/0x1b0 kernel_text_address+0xa3/0xe0 __kernel_text_address+0xd/0x40 unwind_get_return_address+0x4d/0x90 arch_stack_walk+0xf7/0x140 stack_trace_save+0x117/0x1c0 kasan_set_track+0x4f/0x70 __kasan_kmalloc+0x98/0xb0 __kmalloc+0xb9/0x230 iter_file_splice_write+0x294/0xfc0 direct_splice_actor+0xe2/0x1a0 splice_direct_to_actor+0x42e/0xa60 do_splice_direct+0x268/0x3a0 do_sendfile+0x4f5/0xc20 __se_sys_sendfile64+0x143/0x190 do_syscall_64+0x41/0xc0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f5101c8c0c9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f5102ace168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007f5101dabf80 RCX: 00007f5101c8c0c9 RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004 RBP: 00007f5101ce7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 00008400fffffffa R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe1f97e48f R14: 00007f5102ace300 R15: 0000000000022000 The buggy address belongs to stack of task syz-executor.0/6717 and is located at offset 31 in frame: lock_acquire+0x0/0x520 This frame has 3 objects: [32, 40) 'flags.i.i.i87' [64, 72) 'flags.i.i.i' [96, 136) 'hlock' The buggy address belongs to the virtual mapping at [ffffc90003538000, ffffc90003541000) created by: copy_process+0x40a/0x3bf0 The buggy address belongs to the physical page: page:ffffea000096cc80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b32 memcg:ffff888025c0ab02 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff ffff888025c0ab02 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 6716, tgid 6716 (syz-executor.0), ts 209025975084, free_ts 208997007094 get_page_from_freelist+0x321c/0x33a0 __alloc_pages+0x255/0x670 __vmalloc_node_range+0x7cc/0x10d0 dup_task_struct+0x5c3/0x720 copy_process+0x40a/0x3bf0 kernel_clone+0x19a/0x5f0 __x64_sys_clone+0x253/0x2a0 do_syscall_64+0x41/0xc0 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: free_unref_page_prepare+0x8fe/0xa10 free_unref_page_list+0x596/0x830 release_pages+0x1a0f/0x1bc0 tlb_flush_mmu+0xe9/0x1e0 tlb_finish_mmu+0xb6/0x1c0 exit_mmap+0x351/0x890 __mmput+0xcb/0x300 exit_mm+0x1de/0x290 do_exit+0x4f2/0x1d10 do_group_exit+0x1b9/0x280 get_signal+0x1234/0x12e0 arch_do_signal_or_restart+0x91/0x670 exit_to_user_mode_loop+0x6a/0x100 exit_to_user_mode_prepare+0xb1/0x140 syscall_exit_to_user_mode+0x64/0x280 do_syscall_64+0x4d/0xc0 Memory state around the buggy address: ffffc9000353f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc9000353f180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc9000353f200: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 ^ ffffc9000353f280: 00 f2 f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 ffffc9000353f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================