bisecting cause commit starting from bf9f243f23e6623f310ba03fbb14e10ec3a61290
building syzkaller on 5ae8508a2dd5f8e16a2b9830ae9a6f37d54ec8e7
testing commit bf9f243f23e6623f310ba03fbb14e10ec3a61290
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 0505ef76a3f814f491676fb8d8b1d54d11ea4f3c7eb09a534b04aeb9d17b0854
run #0: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #1: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #2: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #3: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #4: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #5: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #6: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #7: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #8: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #9: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #10: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #11: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #12: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #13: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #14: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #15: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #16: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #17: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #18: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #19: boot failed: KFENCE: use-after-free in kvm_fastop_exception
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: c7a96685f36d300f914d643ce230ea254f68b922997290f143876a9044cd0b7f
all runs: OK
# git bisect start bf9f243f23e6623f310ba03fbb14e10ec3a61290 7d2a07b769330c34b4deabeed939325c77a7ec2f
Bisecting: 5382 revisions left to test after this (roughly 12 steps)
[835d31d319d9c8c4eb6cac074643360ba0ecab10] Merge tag 'media/v5.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 835d31d319d9c8c4eb6cac074643360ba0ecab10
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: efd93694c7a9cb7e6c5a71f6992df02c511fd07744e8da5aabe95d5df4a70f37
all runs: OK
# git bisect good 835d31d319d9c8c4eb6cac074643360ba0ecab10
Bisecting: 2690 revisions left to test after this (roughly 11 steps)
[a180eab0b564a9dc149beb0517136ef7129f1260] Merge tag 'mailbox-v5.15' of git://git.linaro.org/landing-teams/working/fujitsu/integration
testing commit a180eab0b564a9dc149beb0517136ef7129f1260
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: f6e3b0e21200ea555f17b26ff489715235ac0f7e3ce72dd675b2ac15599bdda7
all runs: crashed: WARNING: kmalloc bug in hash_ipportip_create
# git bisect bad a180eab0b564a9dc149beb0517136ef7129f1260
Bisecting: 1337 revisions left to test after this (roughly 10 steps)
[8f0284f190e6a0aa09015090568c03f18288231a] Merge tag 'amd-drm-next-5.15-2021-08-27' of https://gitlab.freedesktop.org/agd5f/linux into drm-next
testing commit 8f0284f190e6a0aa09015090568c03f18288231a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 4f25cb9e151ab27120e513691480b180d8bcdcabeaa69bd919b3f47d452b6c10
all runs: OK
# git bisect good 8f0284f190e6a0aa09015090568c03f18288231a
Bisecting: 604 revisions left to test after this (roughly 9 steps)
[7c636d4d20f8c5acfbfbc60f326fddb0e1cf5daa] Merge tag 'dt-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 7c636d4d20f8c5acfbfbc60f326fddb0e1cf5daa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 1e4d4ff456f30a9d4e2a6082d4a5a609f76c29d6302d3d47e31723ca1ba7432a
all runs: OK
# git bisect good 7c636d4d20f8c5acfbfbc60f326fddb0e1cf5daa
Bisecting: 304 revisions left to test after this (roughly 8 steps)
[89594c746b00d3755e0792a2407f0b557a30ef37] Merge tag 'fscache-next-20210829' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
testing commit 89594c746b00d3755e0792a2407f0b557a30ef37
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 7c3fe48d61605762475444c8fe25e48639bcf9dee16edac3d6de4d375ca4db0e
all runs: OK
# git bisect good 89594c746b00d3755e0792a2407f0b557a30ef37
Bisecting: 154 revisions left to test after this (roughly 7 steps)
[aa829778b16f15266fefe2640f04931b16ce39c0] Merge tag 'locking-debug-2021-09-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit aa829778b16f15266fefe2640f04931b16ce39c0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: ddc8ba8f65ee92d8b8aa5f5c78a3cd18e8d0a71c53b98ec36cf7cfca22169e69
all runs: crashed: WARNING: kmalloc bug in hash_ipportip_create
# git bisect bad aa829778b16f15266fefe2640f04931b16ce39c0
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[eceae1e7acaefc0a71e4dd4b8cd49270172b4731] Merge tag 'configfs-5.15' of git://git.infradead.org/users/hch/configfs
testing commit eceae1e7acaefc0a71e4dd4b8cd49270172b4731
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 003bcd0ca18bc8fc289c7397f27a2f9208d3eb5b3e31db98d81844784318244b
all runs: crashed: WARNING: kmalloc bug in hash_ipportip_create
# git bisect bad eceae1e7acaefc0a71e4dd4b8cd49270172b4731
Bisecting: 46 revisions left to test after this (roughly 5 steps)
[815409a12c0a9c0de17a910fd95fe11e1eb97f32] Merge tag 'ovl-update-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
testing commit 815409a12c0a9c0de17a910fd95fe11e1eb97f32
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 8bfcb95c3a0250b6037b4f96580e51c2a739b4753b877de450d7dc1f897d6e6a
all runs: OK
# git bisect good 815409a12c0a9c0de17a910fd95fe11e1eb97f32
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[baaae979b112642a41b71c71c599d875c067d257] ext4: make the updating inode data procedure atomic
testing commit baaae979b112642a41b71c71c599d875c067d257
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: da76f918e1adf0323d9573ceb91df67f4a6a2fbb40d896a1d173a81392611105
all runs: OK
# git bisect good baaae979b112642a41b71c71c599d875c067d257
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[62699b3f0a62435fceb8debf295e90a5ea259e04] fs: dlm: move receive loop into receive handler
testing commit 62699b3f0a62435fceb8debf295e90a5ea259e04
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: c42f716bbbce7cc3c5f1041f2b669aeeae15dd0e700f82510075fa3dcf9e9ef4
all runs: OK
# git bisect good 62699b3f0a62435fceb8debf295e90a5ea259e04
Bisecting: 4 revisions left to test after this (roughly 3 steps)
[265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d] Merge tag 'dlm-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm
testing commit 265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 2e7ff2e5b1c538206173a71c021b6a98b54f39f1ef8e5018f7e6479e368734fc
all runs: crashed: WARNING: kmalloc bug in hash_ipportip_create
# git bisect bad 265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[ecd95673142ef80169a6c003b569b8a86d1e6329] fs: dlm: avoid comms shutdown delay in release_lockspace
testing commit ecd95673142ef80169a6c003b569b8a86d1e6329
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: fa6d42726e8f1c5a671fcb717f535eaa942f09f0862641b12876ac539800a392
all runs: OK
# git bisect good ecd95673142ef80169a6c003b569b8a86d1e6329
Bisecting: 1 revision left to test after this (roughly 1 step)
[7661809d493b426e979f39ab512e3adf41fbcc69] mm: don't allow oversized kvmalloc() calls
testing commit 7661809d493b426e979f39ab512e3adf41fbcc69
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 664f4638c15a6a6d9aa1453cfa8ae379b1ae788e70bab73d834bf1af2f68ba3e
run #0: basic kernel testing failed: KFENCE: use-after-free in kvm_fastop_exception
run #1: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #2: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #3: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #4: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #5: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #6: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #7: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #8: crashed: WARNING: kmalloc bug in hash_ipportip_create
run #9: crashed: WARNING: kmalloc bug in hash_ipportip_create
# git bisect bad 7661809d493b426e979f39ab512e3adf41fbcc69
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[111c1aa8cad4a0069dfe98fc093507b5b2cdfda7] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit 111c1aa8cad4a0069dfe98fc093507b5b2cdfda7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 07d7d24f755b2933dc9de9be2a29b35647edcf5de5ead2b9df7ea95436e9a800
all runs: OK
# git bisect good 111c1aa8cad4a0069dfe98fc093507b5b2cdfda7
7661809d493b426e979f39ab512e3adf41fbcc69 is the first bad commit
commit 7661809d493b426e979f39ab512e3adf41fbcc69
Author: Linus Torvalds
Date:   Wed Jul 14 09:45:49 2021 -0700

    mm: don't allow oversized kvmalloc() calls

    'kvmalloc()' is a convenience function for people who want to do a
    kmalloc() but fall back on vmalloc() if there aren't enough physically
    contiguous pages, or if the allocation is larger than what kmalloc()
    supports.

    However, let's make sure it doesn't get _too_ easy to do crazy things
    with it.

    In particular, don't allow big allocations that could be due to integer
    overflow or underflow.  So make sure the allocation size fits in an
    'int', to protect against trivial integer conversion issues.

    Acked-by: Willy Tarreau
    Cc: Kees Cook
    Signed-off-by: Linus Torvalds

 mm/util.c | 4 ++++
 1 file changed, 4 insertions(+)

culprit signature: 664f4638c15a6a6d9aa1453cfa8ae379b1ae788e70bab73d834bf1af2f68ba3e
parent signature: 07d7d24f755b2933dc9de9be2a29b35647edcf5de5ead2b9df7ea95436e9a800
revisions tested: 16, total time: 3h46m15.174392848s (build: 1h49m19.345744693s, test: 1h55m5.545203664s)
first bad commit: 7661809d493b426e979f39ab512e3adf41fbcc69 mm: don't allow oversized kvmalloc() calls
recipients (to): ["akpm@linux-foundation.org" "linux-mm@kvack.org" "torvalds@linux-foundation.org" "w@1wt.eu"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: WARNING: kmalloc bug in hash_ipportip_create
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10943 at mm/util.c:597 kvmalloc_node+0x7b/0x90 mm/util.c:600
Modules linked in:
CPU: 1 PID: 10943 Comm: syz-executor.0 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvmalloc_node+0x7b/0x90 mm/util.c:597
Code: 2b 48 8b 3c 24 8b 54 24 0c 48 81 ff ff ff ff 7f 77 18 4c 8b 44 24 18 48 83 c4 10 89 d1 89 ea 5d be 01 00 00 00 e9 55 02 0b 00 <0f> 0b 48 83 c4 10 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 55
RSP: 0018:ffffc9000c7272c8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffffc9000c7273c8 RCX: 0000000800000000
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000400000018
RBP: 0000000000400dc0 R08: 0000000000412dc0 R09: 00000000ffffffff
R10: fffffbfff1688ed8 R11: 000000000007a089 R12: 000000000000001f
R13: ffff88802a26c000 R14: 000000000000001f R15: ffff888015952c00
FS:  00007fb9479db700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005556bd181b20 CR3: 00000000257e2000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hash_ipportip_create+0x2fc/0xf30 net/netfilter/ipset/ip_set_hash_gen.h:1524
 ip_set_create+0x697/0x11a0 net/netfilter/ipset/ip_set_core.c:1100
 nfnetlink_rcv_msg+0x928/0xf80 net/netfilter/nfnetlink.c:296
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2504
 nfnetlink_rcv+0x143/0x340 net/netfilter/nfnetlink.c:654
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x704/0xbf0 net/netlink/af_netlink.c:1929
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:724
 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2409
 ___sys_sendmsg+0xd3/0x150 net/socket.c:2463
 __sys_sendmsg+0xb2/0x140 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb9479db188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665f9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffc395d2f5f R14: 00007fb9479db300 R15: 0000000000022000
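Added worked example (editor's note, not code from the kernel tree or from this bisection report). The culprit commit makes kvmalloc() refuse any size that does not fit in an int; the oops shows hash_ipportip_create handing it RDI = 0x400000018 with R12/R14 = 0x1f = 31, which is consistent with a table of 2^31 bucket pointers of 8 bytes each plus a 24-byte header. The C below models that gate and that sizing so a practitioner can see why a user-controlled hashsize hits the WARN_ON_ONCE, and shows a caller-side guard that rejects such tables before the allocator is reached. Assumptions: the 24-byte header and the 2^hbits * 8 layout are inferred from the register values rather than from the ipset struct definitions, and the guarded variant is illustrative, not the upstream ipset fix.

```c
/*
 * Added example: models the size check added to kvmalloc() by the culprit
 * commit and the ipset hash-table sizing that trips it. Not kernel code.
 * Assumptions (from the oops, not from struct definitions):
 *   header = 24 bytes (RDI & 0xff == 0x18), bucket pointer = 8 bytes
 *   (x86-64), table = 2^hbits buckets (R12/R14 == 0x1f == 31).
 */
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HTABLE_HEADER_BYTES 24u   /* assumed, derived from RDI in the oops */
#define BUCKET_PTR_BYTES    8u    /* sizeof(struct hbucket *) on x86-64 */

/* Mirror of the culprit commit's gate: only sizes that fit in an int pass.
 * In the kernel a failing check is WARN_ON_ONCE() followed by return NULL. */
bool kvmalloc_size_ok(uint64_t size)
{
	return size <= (uint64_t)INT_MAX;
}

/* Unguarded sizing as implied by the oops: header + 2^hbits bucket pointers.
 * hbits = 31 reproduces the RDI value 0x400000018 from the trace. */
uint64_t htable_size_unguarded(unsigned hbits)
{
	return HTABLE_HEADER_BYTES + ((uint64_t)1 << hbits) * BUCKET_PTR_BYTES;
}

/* Caller-side guard (illustrative, not the upstream fix): compute the same
 * size but return 0 for any table whose byte size would exceed INT_MAX, so a
 * user-chosen hashsize can never reach the allocator's WARN. The division
 * form keeps the comparison itself free of overflow. */
uint64_t htable_size_guarded(unsigned hbits)
{
	uint64_t max_buckets;

	if (hbits >= 32)                    /* the hash index is a u32 */
		return 0;
	max_buckets = ((uint64_t)INT_MAX - HTABLE_HEADER_BYTES) / BUCKET_PTR_BYTES;
	if (((uint64_t)1 << hbits) > max_buckets)
		return 0;
	return htable_size_unguarded(hbits);
}

/* Largest hbits the guarded sizing accepts under the assumptions above. */
unsigned htable_max_bits(void)
{
	unsigned b = 0;

	while (htable_size_guarded(b + 1) != 0)
		b++;
	return b;
}

int main(void)
{
	const unsigned bits[] = { 10, 27, 28, 31 };

	for (unsigned i = 0; i < sizeof bits / sizeof bits[0]; i++) {
		uint64_t raw = htable_size_unguarded(bits[i]);

		printf("hbits=%2u raw=0x%" PRIx64 " kvmalloc_ok=%d guarded=0x%" PRIx64 "\n",
		       bits[i], raw, kvmalloc_size_ok(raw), htable_size_guarded(bits[i]));
	}
	printf("max hbits accepted by guard: %u\n", htable_max_bits());
	return 0;
}
```

Under these assumptions hbits = 31 yields exactly the 0x400000018 seen in RDI, which the new kvmalloc() gate rejects, while the guard caps the table at hbits = 27 (0x40000018 bytes) on x86-64. The point for triage: the WARN is the allocator's backstop firing on a caller bug, so the fix belongs in the caller's size computation, not in relaxing the gate.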