ci2 starts bisection 2024-09-03 12:49:19.731187767 +0000 UTC m=+12399.195069792
bisecting fixing commit since 3802b45594e1e000cdf46d1ae48b07783a276418
building syzkaller on e66542d78f1cf0c783877440cd239a11fb73fb15
ensuring issue is reproducible on original commit 3802b45594e1e000cdf46d1ae48b07783a276418

testing commit 3802b45594e1e000cdf46d1ae48b07783a276418 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f686a7a027c4af667ca79dca121dd1afec2c4a2244220887b05ddfcebdff6044
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3802b45594e1e000cdf46d1ae48b07783a276418 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f7889cb27b36b645cd86d785badc943e46a20925cf1617e64cb6d2217a3246bb
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed

kconfig minimization: base=4920 full=6159 leaves diff=241
split chunks (needed=false): <241>
split chunk #0 of len 241 into 5 parts

testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3802b45594e1e000cdf46d1ae48b07783a276418 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 572c0a5a58916bd19eb45a669608f03571a4e7e8ab7c1baaac76b38bb81b193d
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]
the chunk can be dropped

testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3802b45594e1e000cdf46d1ae48b07783a276418 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b6d0313397d5ff42dd5302a0586e8b1452407aa6fd2fbb742381c6c8fa2b6bbb
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]
the chunk can be dropped

testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3802b45594e1e000cdf46d1ae48b07783a276418 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fdca82aaa231cb58d6cb3ec2fdc827db2e2afdb9caee19f8856766ab07888a69
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]
the chunk can be dropped

testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3802b45594e1e000cdf46d1ae48b07783a276418 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 311893e105e00f2e89c8f493b941d2c7c053563b1574513fd91135e2cbec9087
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]
the chunk can be dropped

testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3802b45594e1e000cdf46d1ae48b07783a276418 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 3802b45594e1e000cdf46d1ae48b07783a276418:
net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3385: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'

minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed

testing current HEAD 38761ec9fc9edec1a3c79db87fb6daeb05901432
testing commit 38761ec9fc9edec1a3c79db87fb6daeb05901432 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 963248c86189fbf8f5383d5d9629de61391e4fb68e90082c90bd9523737b0b04
all runs: OK
false negative chance: 0.000

# git bisect start 38761ec9fc9edec1a3c79db87fb6daeb05901432 3802b45594e1e000cdf46d1ae48b07783a276418
Bisecting: 1205 revisions left to test after this (roughly 10 steps)
[70e1a731d98699d85ada2cbdd4d487e51b2f7441] Revert "regmap: Add bulk read/write callbacks into regmap_config"
determine whether the revision contains the guilty commit
revision 3802b45594e1e000cdf46d1ae48b07783a276418 crashed and is reachable
testing commit 70e1a731d98699d85ada2cbdd4d487e51b2f7441 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fa4cead4de0ee5c70cf239894311b5bc41cb6593d77c0210e427d84ad0e73ea2
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]

# git bisect good 70e1a731d98699d85ada2cbdd4d487e51b2f7441
Bisecting: 602 revisions left to test after this (roughly 9 steps)
[5054f130f81f3960d7b4c19e5b37bb6a6b3b735d] fanotify: create helper fanotify_mark_user_flags()
determine whether the revision contains the guilty commit
checking the merge base 6139f2a02fe0ac7a08389b4eb786e0c659039ddd
no existing result, test the revision
testing commit 6139f2a02fe0ac7a08389b4eb786e0c659039ddd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d4c1a4e75aac3dedab79458590680d28a1b20005a56cabd5ab4a7ec419d8282f
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]
testing commit 5054f130f81f3960d7b4c19e5b37bb6a6b3b735d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4de33bd999e13f5dbd349b0bc9f62b69b4526f534c5fae75529df2e039648644
all runs: OK
false negative chance: 0.000

# git bisect bad 5054f130f81f3960d7b4c19e5b37bb6a6b3b735d
Bisecting: 301 revisions left to test after this (roughly 8 steps)
[839308cf79579966dcdd9cc40cf4fcc1188dd4f2] net: dsa: mt7530: fix handling of all link-local frames
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 839308cf79579966dcdd9cc40cf4fcc1188dd4f2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 139134656f7e78c4655b86f16c3045ab32f7dc27ad2e8443bb23bdde9f425ddf
all runs: OK
false negative chance: 0.000

# git bisect bad 839308cf79579966dcdd9cc40cf4fcc1188dd4f2
Bisecting: 150 revisions left to test after this (roughly 7 steps)
[bfd52f7df6335429e9450bd7b25a9b451ef00bfc] drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe()
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit bfd52f7df6335429e9450bd7b25a9b451ef00bfc gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c5c59d0b4adccfd3a54f265b0db4746837d3d401b9ff4c16f92768bab9dae6db
all runs: OK
false negative chance: 0.000

# git bisect bad bfd52f7df6335429e9450bd7b25a9b451ef00bfc
Bisecting: 74 revisions left to test after this (roughly 6 steps)
[98b0d46939341efa61a5920d5ae36bbd0d9cd73f] arm64: dts: imx8mm-venice-gw71xx: fix USB OTG VBUS
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 98b0d46939341efa61a5920d5ae36bbd0d9cd73f gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f52c0562c3850040a9daf3e71aac3e61fc8a8e2fe8c6678d6be50097fffe36a5
all runs: OK
false negative chance: 0.000

# git bisect bad 98b0d46939341efa61a5920d5ae36bbd0d9cd73f
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[98e60b538e66c90b9a856828c71d4e975ebfa797] nbd: null check for nla_nest_start
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 98e60b538e66c90b9a856828c71d4e975ebfa797 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5fd2787c37f5724aac6f006cce013b737f144b3c4e7882132c0fc50b9f68936d
all runs: OK
false negative chance: 0.000

# git bisect bad 98e60b538e66c90b9a856828c71d4e975ebfa797
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[f6cbb4843c61025d61c0efd7cac014b059495c9c] block: sed-opal: handle empty atoms when parsing response
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit f6cbb4843c61025d61c0efd7cac014b059495c9c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5b9624fc41e9ace2dd4d76ef6b67a32b6c6d42ec6571741d276067ecdeff23e5
all runs: OK
false negative chance: 0.000

# git bisect bad f6cbb4843c61025d61c0efd7cac014b059495c9c
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[802eb0254fc1a9e672088ab0f0f838aa2ef18b34] HID: multitouch: Add required quirk for Synaptics 0xcddc device
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 802eb0254fc1a9e672088ab0f0f838aa2ef18b34 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4873b46f869c57beb5cfc389ec5e2869abb802d66f782bf385c10a79aa84e8ce
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]

# git bisect good 802eb0254fc1a9e672088ab0f0f838aa2ef18b34
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[7e13a78e2ba4b3c2afb28ae44c91882536f862a2] riscv: dts: sifive: add missing #interrupt-cells to pmic
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit 7e13a78e2ba4b3c2afb28ae44c91882536f862a2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 62818dc28e2c8ddafda1dd95b1e328e18cae9036dd85750f0bc52542ae7a8148
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]

# git bisect good 7e13a78e2ba4b3c2afb28ae44c91882536f862a2
Bisecting: 2 revisions left to test after this (roughly 1 step)
[e8a67fe34b76a49320b33032228a794f40b0316b] x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit e8a67fe34b76a49320b33032228a794f40b0316b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d28f83e72f0dd70c03c0ebaed66538a814dc9a6c0266e49f3490b98beeb2efe2
all runs: OK
false negative chance: 0.000

# git bisect bad e8a67fe34b76a49320b33032228a794f40b0316b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2] x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h
determine whether the revision contains the guilty commit
revision 6139f2a02fe0ac7a08389b4eb786e0c659039ddd crashed and is reachable
testing commit e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1d355b9f8055ff2864dbba824a537265856b1b5a188f512b05decd6b997450d9
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_kernel_str, types: [UNKNOWN]

# git bisect good e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2
e8a67fe34b76a49320b33032228a794f40b0316b is the first bad commit
commit e8a67fe34b76a49320b33032228a794f40b0316b
Author: Hou Tao
Date: Fri Feb 2 18:39:34 2024 +0800

    x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

    [ Upstream commit 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58 ]

    When trying to use copy_from_kernel_nofault() to read vsyscall page
    through a bpf program, the following oops was reported:

      BUG: unable to handle page fault for address: ffffffffff600000
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
      RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
      ......
      Call Trace:
       ? copy_from_kernel_nofault+0x6f/0x110
       bpf_probe_read_kernel+0x1d/0x50
       bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
       trace_call_bpf+0xc5/0x1c0
       perf_call_bpf_enter.isra.0+0x69/0xb0
       perf_syscall_enter+0x13e/0x200
       syscall_trace_enter+0x188/0x1c0
       do_syscall_64+0xb5/0xe0
       entry_SYSCALL_64_after_hwframe+0x6e/0x76
      ......
      ---[ end trace 0000000000000000 ]---

    The oops is triggered when:

    1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
    page and invokes copy_from_kernel_nofault() which in turn calls
    __get_user_asm().

    2) Because the vsyscall page address is not readable from kernel space,
    a page fault exception is triggered accordingly.

    3) handle_page_fault() considers the vsyscall page address as a user
    space address instead of a kernel space address. This results in the
    fix-up setup by bpf not being applied and a page_fault_oops() is invoked
    due to SMAP.

    Considering handle_page_fault() has already considered the vsyscall page
    address as a userspace address, fix the problem by disallowing vsyscall
    page read for copy_from_kernel_nofault().

    Originally-by: Thomas Gleixner
    Reported-by: syzbot+72aa0161922eba61b50e@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@mail.gmail.com
    Reported-by: xingwei lee
    Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@mail.gmail.com
    Signed-off-by: Hou Tao
    Reviewed-by: Sohil Mehta
    Acked-by: Thomas Gleixner
    Link: https://lore.kernel.org/r/20240202103935.3154011-3-houtao@huaweicloud.com
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Sasha Levin

 arch/x86/mm/maccess.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

accumulated error probability: 0.00
culprit signature: d28f83e72f0dd70c03c0ebaed66538a814dc9a6c0266e49f3490b98beeb2efe2
parent signature: 1d355b9f8055ff2864dbba824a537265856b1b5a188f512b05decd6b997450d9
revisions tested: 19, total time: 4h7m44.997493894s (build: 1h37m31.813465192s, test: 2h26m7.675733323s)
first good commit: e8a67fe34b76a49320b33032228a794f40b0316b x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
recipients (to): ["ast@kernel.org" "houtao1@huawei.com" "sashal@kernel.org" "sohil.mehta@intel.com" "tglx@linutronix.de"]
recipients (cc): []