ci starts bisection 2024-10-01 15:31:56.252786304 +0000 UTC m=+1243.753983897
bisecting cause commit starting from cea5425829f77e476b03702426f6b3701299b925
building syzkaller on bbd4e0a400943c9e45e1249ace6c202162a23bae
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit cea5425829f77e476b03702426f6b3701299b925
testing commit cea5425829f77e476b03702426f6b3701299b925 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7654d51925b8848bab6372a62d3620b45c04428a33c970440a63966a8a416cf5
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit cea5425829f77e476b03702426f6b3701299b925 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2e2a9a5785e45a0f561b1e0d11d80e61364247ebfa3a411568ab3b2efa2bd2e0
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4045 full=8194 leaves diff=2110
split chunks (needed=false): <2110>
split chunk #0 of len 2110 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit cea5425829f77e476b03702426f6b3701299b925 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 69fd1b435e7f56aa0d28fd6904a71cf85777cc27df7554d735115f7cdec75819
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit cea5425829f77e476b03702426f6b3701299b925 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7516ffb5863510f2f73d7c4ea925a0e219ab0f3de1a692250709fb51f672be78
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit cea5425829f77e476b03702426f6b3701299b925 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f4ce5e47325cac33cca6edfdf2b9f3170f383fd203aa7d8ae34eaaf89b9fb9e1
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit cea5425829f77e476b03702426f6b3701299b925 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a59fe8fc7f9fa06d8e3a2828969f73d44d990d33f49b93d72264dae1131030b0
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit cea5425829f77e476b03702426f6b3701299b925 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4325526347a42dd0bdb772464356ab322fcdf49ccbbe22998e8170570ec474ce
all runs: OK
false
negative chance: 0.000
minimized to 422 configs
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.11 v6.10 v6.9 v6.7 v6.5 v6.3 v6.1 v5.19 v5.16 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 34 release tags
testing release v6.11
testing commit 98f7e32f20d28ec452afb208f9cffc08448a2652 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b5cf3b4c5ff84256430d625dcdaa3392e6d2d894bdd45d9dd30a3239fc4ac867
all runs: OK
false negative chance: 0.000
# git bisect start cea5425829f77e476b03702426f6b3701299b925 98f7e32f20d28ec452afb208f9cffc08448a2652
Bisecting: 5952 revisions left to test after this (roughly 13 steps)
[de848da12f752170c2ebe114804a985314fd5a6a] Merge tag 'drm-next-2024-09-19' of https://gitlab.freedesktop.org/drm/kernel
testing commit de848da12f752170c2ebe114804a985314fd5a6a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5482e0ce0f14715b99d73b615ee6e9ed25f785d25793209784c0cffc7c8cc82f
all runs: OK
false negative chance: 0.000
# git bisect good de848da12f752170c2ebe114804a985314fd5a6a
Bisecting: 3019 revisions left to test after this (roughly 12 steps)
[b830fe6702542c09f8b9f8cd7aa77ccc9a6b2353] io_uring/net: fix a multishot termination case for recv
testing commit b830fe6702542c09f8b9f8cd7aa77ccc9a6b2353 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 48fe42ecdb38e83489c223b9551deb295bb4ee6ab10fabc8960f5a7846f3ec86
all runs: OK
false negative chance: 0.000
# git bisect good b830fe6702542c09f8b9f8cd7aa77ccc9a6b2353
Bisecting: 1511 revisions left to test after this (roughly 11 steps)
[d95412985f6b589660e73f0b6722190912998389] Merge branch 'i2c/for-current' into i2c/for-next
testing commit d95412985f6b589660e73f0b6722190912998389 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature:
c4ca31473f373d4a9206ddc8a31abb3d391f1dd0cc0f940ec12cd7a1b3e59492
all runs: OK
false negative chance: 0.000
# git bisect good d95412985f6b589660e73f0b6722190912998389
Bisecting: 755 revisions left to test after this (roughly 10 steps)
[10731d9ccbe6fb0a8b181694f1545b2d3db7bfc8] Merge branch 'perf-tools-next' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools-next.git
testing commit 10731d9ccbe6fb0a8b181694f1545b2d3db7bfc8 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b3805c4c16f2feb645dc426f767231761481168d2a35b29d84cdfc644dc09ea0
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
# git bisect bad 10731d9ccbe6fb0a8b181694f1545b2d3db7bfc8
Bisecting: 320 revisions left to test after this (roughly 9 steps)
[3efc57369a0ce8f76bf0804f7e673982384e4ac9] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 3efc57369a0ce8f76bf0804f7e673982384e4ac9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0d4708b62251a6eb60ecf2357e901067c88766ffad838f24f09594e41a0bd5e0
all runs: OK
false negative chance: 0.000
# git bisect good 3efc57369a0ce8f76bf0804f7e673982384e4ac9
Bisecting: 162 revisions left to test after this (roughly 7 steps)
[0debc211c6bcf81b154dbebf200f9ea40e56bfc5] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git
testing commit 0debc211c6bcf81b154dbebf200f9ea40e56bfc5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 181c14e50942f3fbafeb9b5e95abb43e0a7d6fd084455ec9a512521e02c7bf9f
all runs: OK
false negative chance: 0.000
# git bisect good 0debc211c6bcf81b154dbebf200f9ea40e56bfc5
Bisecting: 94 revisions left to test after this (roughly 6 steps)
[edf67a8d742eeca3293a20f641f4bb33a58c2fd9] foo
testing commit edf67a8d742eeca3293a20f641f4bb33a58c2fd9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6564b6b5e8f679b7d594ffdbdd6f73466f629511ef3bd997d2bb4a30cc9c7e45
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
# git bisect bad edf67a8d742eeca3293a20f641f4bb33a58c2fd9
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[100ee26549380b391c2cf2389c92ba9895127b56] mm/madvise: unrestrict process_madvise() for current process
testing commit 100ee26549380b391c2cf2389c92ba9895127b56 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 968d1103fdd461850a3659272e10367b7a64fd0585e7402180398d834b7de5a0
all runs: OK
false negative chance: 0.000
# git bisect good 100ee26549380b391c2cf2389c92ba9895127b56
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[e8cbda979b59f6251db72ae7debeb3390729fe34] mm: optimize truncation of shadow entries
testing commit e8cbda979b59f6251db72ae7debeb3390729fe34 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad381364da820eeeff1321e8e46688ddbdffb8cc2e0f4a2db249093feda91d94
all runs: OK
false negative chance: 0.000
# git bisect good e8cbda979b59f6251db72ae7debeb3390729fe34
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[22cbce3071193c0321aafdc20a14625922d35b29] resource: replace open coded resource_intersection()
testing commit 22cbce3071193c0321aafdc20a14625922d35b29 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e17ffa18405202e75f6e964094dad3b66276f6f86513c47bfa51e7cfd0541a85
all runs: OK
false negative chance: 0.000
# git bisect good 22cbce3071193c0321aafdc20a14625922d35b29
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[925323669b307445cd8defd0721c904d83731360] mm/hugetlb_cgroup: introduce peak and rsvd.peak to v2
testing commit 925323669b307445cd8defd0721c904d83731360 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b8cfe190a3e92ad513969938cc8f6eda4260a159a37d35ffdf944c262bb60b87
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
# git bisect bad 925323669b307445cd8defd0721c904d83731360
Bisecting: 1 revision left to test after this (roughly 1 step)
[88ad9dc30bbf1b08bd1dddedf9ff39019f469b8f] mm, kasan: instrument copy_from/to_kernel_nofault
testing commit 88ad9dc30bbf1b08bd1dddedf9ff39019f469b8f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 735015d760ef24b63113917f6bc10660f35e476a4afa198f7b588b921f397104
all runs: crashed: KASAN: out-of-bounds Read in copy_from_kernel_nofault
representative crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault, types: [KASAN]
# git bisect bad 88ad9dc30bbf1b08bd1dddedf9ff39019f469b8f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d7a814761076c73bfdeeea1df7e09687bb9dbe83] mm: optimize invalidation of shadow entries
testing commit d7a814761076c73bfdeeea1df7e09687bb9dbe83 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: adec84500fa721ffd48482296775532e9b08c24b796b4a00185632e781e33522
all runs: OK
false negative chance: 0.000
# git bisect good d7a814761076c73bfdeeea1df7e09687bb9dbe83
88ad9dc30bbf1b08bd1dddedf9ff39019f469b8f is the first bad commit
commit 88ad9dc30bbf1b08bd1dddedf9ff39019f469b8f
Author: Sabyrzhan Tasbolatov
Date: Fri Sep 27 20:14:38 2024 +0500

mm, kasan: instrument copy_from/to_kernel_nofault

Instrument copy_from_kernel_nofault(), copy_to_kernel_nofault() with instrument_memcpy_before() for KASAN, KCSAN checks and instrument_memcpy_after() for KMSAN.

Tested on x86_64 and arm64 with CONFIG_KASAN_SW_TAGS.
On arm64 with CONFIG_KASAN_HW_TAGS, kunit test currently fails. Need more clarification on it - currently, disabled in kunit test.

Link: https://lkml.kernel.org/r/20240927151438.2143936-1-snovitoll@gmail.com
Signed-off-by: Sabyrzhan Tasbolatov
Reported-by: Andrey Konovalov
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=210505
Cc: Alexander Potapenko
Cc: Andrey Ryabinin
Cc: Dmitry Vyukov
Cc: Vincenzo Frascino
Signed-off-by: Andrew Morton

mm/kasan/kasan_test.c | 31 +++++++++++++++++++++++++++++++
mm/maccess.c | 8 ++++++--
2 files changed, 37 insertions(+), 2 deletions(-)

accumulated error probability: 0.00
culprit signature: 735015d760ef24b63113917f6bc10660f35e476a4afa198f7b588b921f397104
parent signature: adec84500fa721ffd48482296775532e9b08c24b796b4a00185632e781e33522
revisions tested: 21, total time: 7h52m48.882264585s (build: 4h13m10.373280585s, test: 2h57m46.767259792s)
first bad commit: 88ad9dc30bbf1b08bd1dddedf9ff39019f469b8f mm, kasan: instrument copy_from/to_kernel_nofault
recipients (to): ["akpm@linux-foundation.org" "akpm@linux-foundation.org" "kasan-dev@googlegroups.com" "linux-mm@kvack.org" "ryabinin.a.a@gmail.com" "snovitoll@gmail.com"]
recipients (cc): ["andreyknvl@gmail.com" "dvyukov@google.com" "glider@google.com" "linux-kernel@vger.kernel.org" "vincenzo.frascino@arm.com"]

crash: KASAN: out-of-bounds Read in copy_from_kernel_nofault
==================================================================
BUG: KASAN: out-of-bounds in instrument_memcpy_before include/linux/instrumented.h:163 [inline]
BUG: KASAN: out-of-bounds in copy_from_kernel_nofault+0x83/0x240 mm/maccess.c:35
Read of size 6 at addr fffffffffffffffd by task syz.0.15/3341

CPU: 1 UID: 0 PID: 3341 Comm: syz.0.15 Not tainted 6.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x108/0x280 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_memcpy_before include/linux/instrumented.h:163 [inline]
copy_from_kernel_nofault+0x83/0x240 mm/maccess.c:35
bpf_probe_read_kernel_common include/linux/bpf.h:2951 [inline]
____bpf_probe_read_kernel kernel/trace/bpf_trace.c:239 [inline]
bpf_probe_read_kernel+0x1a/0x50 kernel/trace/bpf_trace.c:236
___bpf_prog_run+0xe4a/0xa620 kernel/bpf/core.c:2010
__bpf_prog_run32+0xfa/0x150 kernel/bpf/core.c:2251
bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
__bpf_prog_run include/linux/filter.h:701 [inline]
bpf_prog_run_xdp include/net/xdp.h:514 [inline]
bpf_test_run+0x3ae/0x860 net/bpf/test_run.c:431
bpf_prog_test_run_xdp+0x66b/0x1080 net/bpf/test_run.c:1319
bpf_prog_test_run+0x251/0x2c0 kernel/bpf/syscall.c:4320
__sys_bpf+0x3a0/0x650 kernel/bpf/syscall.c:5735
__do_sys_bpf kernel/bpf/syscall.c:5824 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5822 [inline]
__x64_sys_bpf+0x77/0x90 kernel/bpf/syscall.c:5822
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x8d/0x190 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f425a29dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4259d19038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f425a455f80 RCX: 00007f425a29dff9
RDX: 000000000000003b RSI: 0000000020000240 RDI: 000000000000000a
RBP: 00007f425a310296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f425a455f80 R15: 00007fffc2109748

Memory state around the buggy address:
 fffffffffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffffffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffffffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 3341 Comm: syz.0.15 Not tainted 6.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:kasan_metadata_fetch_row+0x12/0x30 mm/kasan/report_generic.c:186
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ee 03 48 b8 00 00 00 00 00 fc ff df <48> 8b 0c 06 48 8b 44 06 08 48 89 47 08 48 89 0f c3 cc cc cc cc 66
RSP: 0018:ffffc9000616f518 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 9f11ed122c805800
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffc9000616f550
RBP: ffffc9000616f5a0 R08: 0000000000000020 R09: 0000000000000020
R10: dffffc0000000000 R11: fffff52000c2dea9 R12: ffffc9000616f550
R13: 0000000000000080 R14: ffffffffffffff80 R15: ffffc9000616f530
FS: 00007f4259d196c0(0000) GS:ffff8881f6700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e55ffff CR3: 0000000117a2a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
print_memory_metadata mm/kasan/report.c:464 [inline]
print_report+0x4df/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_memcpy_before include/linux/instrumented.h:163 [inline]
copy_from_kernel_nofault+0x83/0x240 mm/maccess.c:35
bpf_probe_read_kernel_common include/linux/bpf.h:2951 [inline]
____bpf_probe_read_kernel kernel/trace/bpf_trace.c:239 [inline]
bpf_probe_read_kernel+0x1a/0x50 kernel/trace/bpf_trace.c:236
___bpf_prog_run+0xe4a/0xa620 kernel/bpf/core.c:2010
__bpf_prog_run32+0xfa/0x150 kernel/bpf/core.c:2251
bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
__bpf_prog_run include/linux/filter.h:701 [inline]
bpf_prog_run_xdp include/net/xdp.h:514 [inline]
bpf_test_run+0x3ae/0x860 net/bpf/test_run.c:431
bpf_prog_test_run_xdp+0x66b/0x1080 net/bpf/test_run.c:1319
bpf_prog_test_run+0x251/0x2c0 kernel/bpf/syscall.c:4320
__sys_bpf+0x3a0/0x650 kernel/bpf/syscall.c:5735
__do_sys_bpf kernel/bpf/syscall.c:5824 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5822 [inline]
__x64_sys_bpf+0x77/0x90 kernel/bpf/syscall.c:5822
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x8d/0x190 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f425a29dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4259d19038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f425a455f80 RCX: 00007f425a29dff9
RDX: 000000000000003b RSI: 0000000020000240 RDI: 000000000000000a
RBP: 00007f425a310296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f425a455f80 R15: 00007fffc2109748
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_metadata_fetch_row+0x12/0x30 mm/kasan/report_generic.c:186
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ee 03 48 b8 00 00 00 00 00 fc ff df <48> 8b 0c 06 48 8b 44 06 08 48 89 47 08 48 89 0f c3 cc cc cc cc 66
RSP: 0018:ffffc9000616f518 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 9f11ed122c805800
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffc9000616f550
RBP: ffffc9000616f5a0 R08: 0000000000000020 R09: 0000000000000020
R10: dffffc0000000000 R11: fffff52000c2dea9 R12: ffffc9000616f550
R13: 0000000000000080 R14: ffffffffffffff80 R15: ffffc9000616f530
FS: 00007f4259d196c0(0000) GS:ffff8881f6700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e55ffff CR3: 0000000117a2a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
7: 00
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 66 0f 1f 00 nopw (%rax)
1c: 48 c1 ee 03 shr $0x3,%rsi
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 48 8b 0c 06 mov (%rsi,%rax,1),%rcx <-- trapping instruction
2e: 48 8b 44 06 08 mov 0x8(%rsi,%rax,1),%rax
33: 48 89 47 08 mov %rax,0x8(%rdi)
37: 48 89 0f mov %rcx,(%rdi)
3a: c3 ret
3b: cc int3
3c: cc int3
3d: cc int3
3e: cc int3
3f: 66 data16