ci starts bisection 2023-12-17 06:34:19.429097023 +0000 UTC m=+296788.778783606
bisecting cause commit starting from 358105ab92fc588aee0f37402f5705b031dc6f6f
building syzkaller on 3222d10cbe77bbedb5a7c455e5bcb6b7081a63b7
ensuring issue is reproducible on original commit 358105ab92fc588aee0f37402f5705b031dc6f6f
testing commit 358105ab92fc588aee0f37402f5705b031dc6f6f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a08b06853471d37494bec3f3d53e5921b63cdec9f6f68a2b1165557b9ca5afe3
run #0: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #1: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #2: crashed: KASAN: slab-use-after-free Read in nla_find
run #3: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #6: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-use-after-free Read in nla_find
run #9: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #10: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #11: crashed: KASAN: slab-use-after-free Read in nla_find
run #12: crashed: KASAN: slab-use-after-free Read in nla_find
run #13: crashed: KASAN: slab-use-after-free Read in nla_find
run #14: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #15: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #16: crashed: KASAN: slab-use-after-free Read in nla_find
run #17: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #18: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #19: crashed: KASAN: slab-use-after-free Read in nla_find
representative crash: KASAN: slab-out-of-bounds Read in nla_find, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 358105ab92fc588aee0f37402f5705b031dc6f6f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b0dded4577989592b4779f1c10819dfbf758a20fa4c15203e41d503c2f707fd
run #0: crashed: KASAN: slab-use-after-free Read in nla_find
run #1: crashed: KASAN: slab-use-after-free Read in nla_find
run #2: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #3: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-use-after-free Read in nla_find
run #6: crashed: KASAN: slab-use-after-free Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-use-after-free Read in nla_find
run #9: crashed: KASAN: slab-use-after-free Read in nla_find
representative crash: KASAN: slab-use-after-free Read in nla_find, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=3923 full=7657 leaves diff=2004
split chunks (needed=false): <2004>
split chunk #0 of len 2004 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 358105ab92fc588aee0f37402f5705b031dc6f6f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fc24e12caabb6b517a94ee9d985563139893911e0f168e60c76e06b56aec0ab0
run #0: crashed: KASAN: slab-use-after-free Read in nla_find
run #1: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #2: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #3: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #4: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #5: crashed: KASAN: slab-use-after-free Read in nla_find
run #6: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #9: crashed: KASAN: slab-use-after-free Read in nla_find
representative crash: KASAN: slab-use-after-free Read in nla_find, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 358105ab92fc588aee0f37402f5705b031dc6f6f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e4e102a8ab01dae145adaff6617ad964bc18f15ed7ce7294f8c2edf4bd45f76d
run #0: crashed: KASAN: slab-use-after-free Read in nla_find
run #1: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #2: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #3: crashed: KASAN: slab-use-after-free Read in nla_find
run #4: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #5: crashed: KASAN: slab-use-after-free Read in nla_find
run #6: crashed: KASAN: slab-use-after-free Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-use-after-free Read in nla_find
run #9: crashed: KASAN: slab-use-after-free Read in nla_find
representative crash: KASAN: slab-use-after-free Read in nla_find, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 358105ab92fc588aee0f37402f5705b031dc6f6f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df6183b0a2b34d89e9b7ec08686b714a1ca8e0c1eb5e526c128899c76b6e78e4
run #0: crashed: KASAN: slab-use-after-free Read in nla_find
run #1: crashed: KASAN: slab-use-after-free Read in nla_find
run #2: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #3: crashed: KASAN: slab-use-after-free Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #6: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #9: crashed: KASAN: slab-out-of-bounds Read in nla_find
representative crash: KASAN: slab-use-after-free Read in nla_find, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 358105ab92fc588aee0f37402f5705b031dc6f6f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 72060dca4f187fed98bf708943e1131049dd9b0cba90710ae98c974aa22dc91d
run #0: crashed: KASAN: slab-use-after-free Read in nla_find
run #1: crashed: KASAN: slab-use-after-free Read in nla_find
run #2: crashed: KASAN: slab-use-after-free Read in nla_find
run #3: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #6: crashed: KASAN: slab-use-after-free Read in nla_find
run #7: crashed: KASAN: slab-use-after-free Read in nla_find
run #8: crashed: KASAN: slab-use-after-free Read in nla_find
run #9: crashed: KASAN: slab-out-of-bounds Read in nla_find
representative crash: KASAN: slab-use-after-free Read in nla_find, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 358105ab92fc588aee0f37402f5705b031dc6f6f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5acb2ad002f844b8ad2231e404465a6b461c10e41e980346635567069af63180
run #0: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #1: crashed: KASAN: slab-use-after-free Read in nla_find
run #2: crashed: KASAN: slab-use-after-free Read in nla_find
run #3: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #4: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #5: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #6: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #7: crashed: KASAN: slab-use-after-free Read in nla_find
run #8: crashed: KASAN: slab-use-after-free Read in nla_find
run #9: crashed: KASAN: slab-out-of-bounds Read in nla_find
representative crash: KASAN: slab-out-of-bounds Read in nla_find, types: [KASAN]
the chunk can be dropped
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
picked [v6.6 v6.5 v6.4 v6.2 v6.0 v5.18 v5.16 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 29 release tags
testing release v6.6
testing commit ffc253263a1375a65fa6c9f62a893e9767fbebfa gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 505041cfa3931c0ffc7c8d6f406ae471c611d0fe93ed05d142b5d5e3e4b39a2d
all runs: OK
false negative chance: 0.000
# git bisect start 358105ab92fc588aee0f37402f5705b031dc6f6f ffc253263a1375a65fa6c9f62a893e9767fbebfa
Bisecting: 9506 revisions left to test after this (roughly 13 steps)
[deefd5024f0772cf56052ace9a8c347dc70bcaf3] Merge tag 'vfio-v6.7-rc1' of https://github.com/awilliam/linux-vfio
testing commit deefd5024f0772cf56052ace9a8c347dc70bcaf3 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 49abbcc45127f685c36cd1cea61ac7d886666e1f62d6571dfa15a50b40eee9f0
all runs: OK
false negative chance: 0.000
# git bisect good deefd5024f0772cf56052ace9a8c347dc70bcaf3
Bisecting: 4780 revisions left to test after this (roughly 12 steps)
[2c40c1c6adab90ee4660caf03722b3a3ec67767b] Merge tag 'usb-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit 2c40c1c6adab90ee4660caf03722b3a3ec67767b gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 135fcf866b8cf455f64227a30548f0010e5649a2d982c6451593d4bed3a44c9c
all runs: OK
false negative chance: 0.000
# git bisect good 2c40c1c6adab90ee4660caf03722b3a3ec67767b
Bisecting: 2393 revisions left to test after this (roughly 11 steps)
[c6d3ab9e76dc01011392cf8309f7e684b94ec464] Merge tag 'md-fixes-20231207-1' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md into block-6.7
testing commit c6d3ab9e76dc01011392cf8309f7e684b94ec464 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a052deeb9b3fac078b8728259cd0c1a9098ac6207fe4de55878031ba278c625b
all runs: OK
false negative chance: 0.000
# git bisect good c6d3ab9e76dc01011392cf8309f7e684b94ec464
Bisecting: 1188 revisions left to test after this (roughly 10 steps)
[b8b68d2fd41c1068554290fdf2c5adc6b03d40ce] Merge tag 'sound-6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit b8b68d2fd41c1068554290fdf2c5adc6b03d40ce gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c95a250c2a36d872b029696a1077e6c6b3c5b7dcc5a6b900c502aae7fca079ed
all runs: OK
false negative chance: 0.000
# git bisect good b8b68d2fd41c1068554290fdf2c5adc6b03d40ce
Bisecting: 594 revisions left to test after this (roughly 9 steps)
[397d44bf17216f7da6ea7c703e9124c065a61697] bnxt_en: Update firmware interface to 1.10.3.15
testing commit 397d44bf17216f7da6ea7c703e9124c065a61697 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0bb8341c14359dcb8e35b182cf79df49d77263ebc1583c700cd8bc1735a0f9fe
all runs: OK
false negative chance: 0.000
# git bisect good 397d44bf17216f7da6ea7c703e9124c065a61697
Bisecting: 340 revisions left to test after this (roughly 8 steps)
[d96f04e05f2634b2dea3cdfc9651f5704d829292] ice: add documentation for FW logging
testing commit d96f04e05f2634b2dea3cdfc9651f5704d829292 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c0b672ce7b36a2034f87b666ed1fb38f0d553ee83a5d1c23b9bc20b5d419495c
run #0: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #1: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #2: crashed: KASAN: slab-use-after-free Read in nla_find
run #3: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #4: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #5: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #6: crashed: KASAN: slab-use-after-free Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #9: crashed: KASAN: slab-out-of-bounds Read in nla_find
representative crash: KASAN: slab-out-of-bounds Read in nla_find, types: [KASAN]
# git bisect bad d96f04e05f2634b2dea3cdfc9651f5704d829292
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[bedc99abcaf88df25b044fc4e3c80d69d0dbfc9b] selftests/net: convert vrf_route_leaking.sh to run it in unique namespace
testing commit bedc99abcaf88df25b044fc4e3c80d69d0dbfc9b gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b476420e3645eab0a8aa3170f5f7f7a2988e8f5f400c27360d3562e7c8a5d2fb
all runs: OK
false negative chance: 0.000
# git bisect good bedc99abcaf88df25b044fc4e3c80d69d0dbfc9b
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[4f7aa122bc9219baca0bfface5917062d6c45ee8] dpll: remove leftover mode_supported() op and use mode_get() instead
testing commit 4f7aa122bc9219baca0bfface5917062d6c45ee8 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2a18913e52fd9f496e3fb4bf0a779d5e45c1ec48edfa148386b975d724fcc686
run #0: crashed: KASAN: slab-use-after-free Read in nla_find
run #1: crashed: KASAN: slab-use-after-free Read in nla_find
run #2: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #3: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #6: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #7: crashed: KASAN: slab-use-after-free Read in nla_find
run #8: crashed: KASAN: slab-use-after-free Read in nla_find
run #9: crashed: KASAN: slab-out-of-bounds Read in nla_find
representative crash: KASAN: slab-use-after-free Read in nla_find, types: [KASAN]
# git bisect bad 4f7aa122bc9219baca0bfface5917062d6c45ee8
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[8d4390f51920c1edb2d09d44d918c7940ac51e54] net/sched: act_api: conditional notification of events
testing commit 8d4390f51920c1edb2d09d44d918c7940ac51e54 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ae9d0f1ac56832bafe493835814ed3e8643dff8c378213b6b47637ae8b015774
run #0: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #1: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #2: crashed: KASAN: slab-use-after-free Read in nla_find
run #3: crashed: KASAN: slab-use-after-free Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-use-after-free Read in nla_find
run #6: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-use-after-free Read in nla_find
run #9: crashed: KASAN: slab-use-after-free Read in nla_find
representative crash: KASAN: slab-out-of-bounds Read in nla_find, types: [KASAN]
# git bisect bad 8d4390f51920c1edb2d09d44d918c7940ac51e54
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[271e015b91535dd87fd0f5df0cc3b906c2eddef9] net: rswitch: Add unmap_addrs instead of dma address in each desc
testing commit 271e015b91535dd87fd0f5df0cc3b906c2eddef9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a7fc4de1dc6b4d622adf865f75f32da8b7878e77bce03849a128d06559ec5a78
run #0: crashed: KASAN: slab-use-after-free Read in nla_find
run #1: crashed: KASAN: slab-use-after-free Read in nla_find
run #2: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #3: crashed: KASAN: slab-use-after-free Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-use-after-free Read in nla_find
run #6: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #7: crashed: KASAN: slab-use-after-free Read in nla_find
run #8: crashed: KASAN: slab-use-after-free Read in nla_find
run #9: crashed: KASAN: slab-use-after-free Read in nla_find
representative crash: KASAN: slab-use-after-free Read in nla_find, types: [KASAN]
# git bisect bad 271e015b91535dd87fd0f5df0cc3b906c2eddef9
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[bf17b36ccdd5b7b9dd482d7753bcb9aff2d21d39] net: sysfs: fix locking in carrier read
testing commit bf17b36ccdd5b7b9dd482d7753bcb9aff2d21d39 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b0b0bdfd0059a8c4a391f9419e6ece4a607ba7ab96edac5b6355b5f8a18b9999
run #0: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #1: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #2: crashed: KASAN: slab-use-after-free Read in nla_find
run #3: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-use-after-free Read in nla_find
run #6: crashed: KASAN: slab-use-after-free Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #9: crashed: KASAN: slab-out-of-bounds Read in nla_find
representative crash: KASAN: slab-out-of-bounds Read in nla_find, types: [KASAN]
# git bisect bad bf17b36ccdd5b7b9dd482d7753bcb9aff2d21d39
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[36b0bdb6d330fe0546fc7f97d93e8cfa57421ad9] Merge branch 'net-selftests-unique-namespace'
testing commit 36b0bdb6d330fe0546fc7f97d93e8cfa57421ad9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 287f541770115065f76974ff3863b61da2da15da54b164a041647971ae02873b
all runs: OK
false negative chance: 0.000
# git bisect good 36b0bdb6d330fe0546fc7f97d93e8cfa57421ad9
Bisecting: 1 revision left to test after this (roughly 1 step)
[cf02bea7c1714466dca53124797612c9e9d74994] net: dsa: microchip: use DSA_TAG_PROTO without _VALUE define
testing commit cf02bea7c1714466dca53124797612c9e9d74994 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8aab969a278573bd69270607e3899dcba25969f1cd0955a667201039cb03e9be
run #0: OK
run #1: boot failed: can't ssh into the instance
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect good cf02bea7c1714466dca53124797612c9e9d74994
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[172db56d90d29e47e7d0d64885d5dbd92c87ec42] netlink: Return unsigned value for nla_len()
testing commit 172db56d90d29e47e7d0d64885d5dbd92c87ec42 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c7ab29ea29fb23acb7f5f5bdc844977a66e3323bc8d296ddc75798edc8b2cad2
run #0: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #1: crashed: KASAN: slab-use-after-free Read in nla_find
run #2: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #3: crashed: KASAN: slab-use-after-free Read in nla_find
run #4: crashed: KASAN: slab-use-after-free Read in nla_find
run #5: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #6: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #7: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #8: crashed: KASAN: slab-out-of-bounds Read in nla_find
run #9: crashed: KASAN: slab-use-after-free Read in nla_find
representative crash: KASAN: slab-out-of-bounds Read in nla_find, types: [KASAN]
# git bisect bad 172db56d90d29e47e7d0d64885d5dbd92c87ec42
172db56d90d29e47e7d0d64885d5dbd92c87ec42 is the first bad commit
commit 172db56d90d29e47e7d0d64885d5dbd92c87ec42
Author: Kees Cook
Date:   Wed Dec 6 12:59:07 2023 -0800

    netlink: Return unsigned value for nla_len()

    The return value from nla_len() is never expected to be negative, and
    can never be more than struct nlattr::nla_len (a u16). Adjust the
    prototype on the function. This will let GCC's value range optimization
    passes know that the return can never be negative, and can never be
    larger than u16.

    As recently discussed[1], this silences the following warning in GCC 12+:

    net/wireless/nl80211.c: In function 'nl80211_set_cqm_rssi.isra':
    net/wireless/nl80211.c:12892:17: warning: 'memcpy' specified bound 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=]
    12892 |                 memcpy(cqm_config->rssi_thresholds, thresholds,
          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    12893 |                        flex_array_size(cqm_config, rssi_thresholds,
          |                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    12894 |                                        n_thresholds));
          |                                        ~~~~~~~~~~~~~~

    A future change would be to clamp the subtraction to make sure it never
    wraps around if nla_len is somehow less than NLA_HDRLEN, which would
    have the additional benefit of being defensive in the face of nlattr
    corruption or logic errors.

    Reported-by: kernel test robot
    Closes: https://lore.kernel.org/oe-kbuild-all/202311090752.hWcJWAHL-lkp@intel.com/ [1]
    Cc: Johannes Berg
    Cc: Jeff Johnson
    Cc: Michael Walle
    Cc: Max Schulze
    Link: https://lore.kernel.org/r/20231202202539.it.704-kees@kernel.org
    Signed-off-by: Kees Cook
    Link: https://lore.kernel.org/r/20231206205904.make.018-kees@kernel.org
    Signed-off-by: Jakub Kicinski

 include/net/netlink.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: c7ab29ea29fb23acb7f5f5bdc844977a66e3323bc8d296ddc75798edc8b2cad2
parent signature: 8aab969a278573bd69270607e3899dcba25969f1cd0955a667201039cb03e9be
revisions tested: 22, total time: 4h14m36.098642765s (build: 1h50m38.666533531s, test: 2h0m56.912013359s)
first bad commit: 172db56d90d29e47e7d0d64885d5dbd92c87ec42 netlink: Return unsigned value for nla_len()
recipients (to): ["davem@davemloft.net" "edumazet@google.com" "keescook@chromium.org" "kuba@kernel.org" "kuba@kernel.org" "netdev@vger.kernel.org" "pabeni@redhat.com"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: KASAN: slab-out-of-bounds Read in nla_find
==================================================================
BUG: KASAN: slab-out-of-bounds in nla_ok include/net/netlink.h:1230 [inline]
BUG: KASAN: slab-out-of-bounds in nla_find+0xb2/0xe0 lib/nlattr.c:746
Read of size 2 at addr ffff888104eafca0 by task syz-executor.0/1863

CPU: 0 PID: 1863 Comm: syz-executor.0 Not tainted 6.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x3d/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 nla_ok include/net/netlink.h:1230 [inline]
 nla_find+0xb2/0xe0 lib/nlattr.c:746
 nla_find_nested include/net/netlink.h:1260 [inline]
 ____bpf_skb_get_nlattr_nest net/core/filter.c:209 [inline]
 bpf_skb_get_nlattr_nest+0x101/0x1d0 net/core/filter.c:192
 ___bpf_prog_run+0x3910/0x9c10 kernel/bpf/core.c:1962
 __bpf_prog_run32+0xb1/0xf0 kernel/bpf/core.c:2201
 bpf_dispatcher_nop_func include/linux/bpf.h:1196 [inline]
 __bpf_prog_run include/linux/filter.h:651 [inline]
 bpf_prog_run include/linux/filter.h:658 [inline]
 __bpf_prog_run_save_cb include/linux/filter.h:781 [inline]
 bpf_prog_run_save_cb include/linux/filter.h:795 [inline]
 sk_filter_trim_cap+0x241/0x670 net/core/filter.c:157
 sk_filter include/linux/filter.h:903 [inline]
 unix_dgram_sendmsg+0x858/0x1850 net/unix/af_unix.c:2008
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xbc/0x150 net/socket.c:745
 sock_write_iter+0x225/0x390 net/socket.c:1158
 call_write_iter include/linux/fs.h:2020 [inline]
 do_iter_readv_writev+0x1a8/0x2f0 fs/read_write.c:735
 do_iter_write+0x132/0x7a0 fs/read_write.c:860
 vfs_writev+0x1e0/0x4e0 fs/read_write.c:933
 do_writev+0x200/0x2b0 fs/read_write.c:976
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f4878cb7ba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f487883a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f4878dd6f80 RCX: 00007f4878cb7ba9
RDX: 0000000000000004 RSI: 0000000020000140 RDI: 0000000000000003
RBP: 00007f4878d0347a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f4878dd6f80 R15: 00007ffe36e33378

Allocated by task 811:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc+0x60/0x160 mm/slab_common.c:1020
 kmalloc_array include/linux/slab.h:637 [inline]
 kcalloc include/linux/slab.h:668 [inline]
 alloc_pipe_info+0x15e/0x460 fs/pipe.c:818
 get_pipe_inode fs/pipe.c:892 [inline]
 create_pipe_files+0x82/0x730 fs/pipe.c:924
 __do_pipe_flags fs/pipe.c:973 [inline]
 do_pipe2+0x93/0x170 fs/pipe.c:1024
 __do_sys_pipe2 fs/pipe.c:1042 [inline]
 __se_sys_pipe2 fs/pipe.c:1040 [inline]
 __x64_sys_pipe2+0x4f/0x70 fs/pipe.c:1040
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

The buggy address belongs to the object at ffff888104eaf800
 which belongs to the cache kmalloc-cg-1k of size 1024
The buggy address is located 160 bytes to the right of
 allocated 1024-byte region [ffff888104eaf800, ffff888104eafc00)

The buggy address belongs to the physical page:
page:ffffea000413aa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888104eab800 pfn:0x104ea8
head:ffffea000413aa00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8881033ce001
anon flags: 0x200000000000840(slab|head|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000840 ffff88810004f280 0000000000000000 0000000000000001
raw: ffff888104eab800 000000008010000b 00000001ffffffff ffff8881033ce001
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 757, tgid 757 (dhcpcd), ts 5848167548, free_ts 5333610876
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x27f/0x2f0 mm/page_alloc.c:1544
 prep_new_page mm/page_alloc.c:1551 [inline]
 get_page_from_freelist+0xeb8/0x36a0 mm/page_alloc.c:3319
 __alloc_pages+0x342/0x5e0 mm/page_alloc.c:4575
 alloc_pages_mpol+0xbf/0x370 mm/mempolicy.c:2133
 alloc_slab_page mm/slub.c:1870 [inline]
 allocate_slab+0x24b/0x360 mm/slub.c:2017
 new_slab mm/slub.c:2070 [inline]
 ___slab_alloc+0x8ce/0x10e0 mm/slub.c:3223
 __slab_alloc.constprop.0+0x4d/0x90 mm/slub.c:3322
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x150/0x350 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc_node_track_caller+0x50/0x160 mm/slab_common.c:1027
 kmalloc_reserve+0xbb/0x1e0 net/core/skbuff.c:582
 __alloc_skb+0xd4/0x270 net/core/skbuff.c:651
 alloc_skb include/linux/skbuff.h:1298 [inline]
 alloc_skb_with_frags+0x83/0x620 net/core/skbuff.c:6331
 sock_alloc_send_pskb+0x6a3/0x840 net/core/sock.c:2780
 unix_dgram_sendmsg+0x36a/0x1850 net/unix/af_unix.c:1974
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xbc/0x150 net/socket.c:745
 sock_write_iter+0x225/0x390 net/socket.c:1158
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1144 [inline]
 free_unref_page_prepare+0x562/0xbd0 mm/page_alloc.c:2354
 free_unref_page+0x33/0x2a0 mm/page_alloc.c:2494
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x1b0 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x1bd/0x350 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0x4f/0x160 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2023 [inline]
 tomoyo_supervisor+0xa94/0xc40 security/tomoyo/common.c:2095
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0x23d/0x330 security/tomoyo/file.c:573
 tomoyo_path_perm+0x2af/0x350 security/tomoyo/file.c:838
 security_inode_getattr+0xc6/0x110 security/security.c:2153
 vfs_getattr fs/stat.c:173 [inline]
 vfs_fstat+0x36/0x80 fs/stat.c:198
 __do_sys_newfstatat+0x85/0xe0 fs/stat.c:463
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
 ffff888104eafb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888104eafc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888104eafc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff888104eafd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888104eafd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================