bisecting cause commit starting from 626bf91a292e2035af5b9d9cce35c5c138dfe06d
building syzkaller on e2776ee417c18d6e0056b058f3b6055f65206ee9
testing commit 626bf91a292e2035af5b9d9cce35c5c138dfe06d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 22fb9faceffcd867893e5c664539fa7299270525b6a452a8730953281f6e76c5
all runs: crashed: WARNING: kmalloc bug in hash_ipport_create
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: c7a96685f36d300f914d643ce230ea254f68b922997290f143876a9044cd0b7f
all runs: OK
# git bisect start 626bf91a292e2035af5b9d9cce35c5c138dfe06d 7d2a07b769330c34b4deabeed939325c77a7ec2f
Bisecting: 4928 revisions left to test after this (roughly 12 steps)
[0d290223a6c77107b1c3988959e49279a8dafaba] Merge tag 'sound-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 0d290223a6c77107b1c3988959e49279a8dafaba
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: f4243446c6be4122cedba8356676b2daeb98ac82b6dc6ae803a8d37389f348f1
all runs: OK
# git bisect good 0d290223a6c77107b1c3988959e49279a8dafaba
Bisecting: 2461 revisions left to test after this (roughly 11 steps)
[4ac6d90867a4de2e12117e755dbd76e08d88697f] Merge tag 'docs-5.15' of git://git.lwn.net/linux
testing commit 4ac6d90867a4de2e12117e755dbd76e08d88697f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 89402a1caffe59308ad3801a2fc77ddd22eab9634924084f0f3eb8ab29c0cc2c
all runs: OK
# git bisect good 4ac6d90867a4de2e12117e755dbd76e08d88697f
Bisecting: 1233 revisions left to test after this (roughly 10 steps)
[14726903c835101cd8d0a703b609305094350d61] Merge branch 'akpm' (patches from Andrew)
testing commit 14726903c835101cd8d0a703b609305094350d61
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: db7da4c2c497811df1886c8d8c80492dac0af82cd04a330351520773943ef233
all runs: crashed: WARNING: kmalloc bug in hash_ipport_create
# git bisect bad 14726903c835101cd8d0a703b609305094350d61
Bisecting: 604 revisions left to test after this (roughly 9 steps)
[c793011242d182e5f12800c12dbaf37af80be735] Merge tag 'pinctrl-v5.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit c793011242d182e5f12800c12dbaf37af80be735
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: adca9358128a4cf6c33e604b793e76c619ea651b071aeafe01129a7e62d04025
all runs: crashed: WARNING: kmalloc bug in hash_ipport_create
# git bisect bad c793011242d182e5f12800c12dbaf37af80be735
Bisecting: 320 revisions left to test after this (roughly 8 steps)
[9ae5fceb9a20154d74586fe17d1096b981b23e34] Merge tag 'for-linus-5.15-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
testing commit 9ae5fceb9a20154d74586fe17d1096b981b23e34
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: ddc8ba8f65ee92d8b8aa5f5c78a3cd18e8d0a71c53b98ec36cf7cfca22169e69
all runs: crashed: WARNING: kmalloc bug in hash_ipport_create
# git bisect bad 9ae5fceb9a20154d74586fe17d1096b981b23e34
Bisecting: 156 revisions left to test after this (roughly 7 steps)
[815409a12c0a9c0de17a910fd95fe11e1eb97f32] Merge tag 'ovl-update-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
testing commit 815409a12c0a9c0de17a910fd95fe11e1eb97f32
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 8bfcb95c3a0250b6037b4f96580e51c2a739b4753b877de450d7dc1f897d6e6a
run #0: basic kernel testing failed: KFENCE: use-after-free in kvm_fastop_exception
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 815409a12c0a9c0de17a910fd95fe11e1eb97f32
Bisecting: 77 revisions left to test after this (roughly 6 steps)
[4a3bb4200a5958d76cc26ebe4db4257efa56812b] Merge tag 'dma-mapping-5.15' of git://git.infradead.org/users/hch/dma-mapping
testing commit 4a3bb4200a5958d76cc26ebe4db4257efa56812b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: ae197062eabfca4245ac50d7d55beb3347d6e83cf89282c713c752c5790ba97a
all runs: crashed: WARNING: kmalloc bug in hash_ipport_create
# git bisect bad 4a3bb4200a5958d76cc26ebe4db4257efa56812b
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d] Merge tag 'dlm-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm
testing commit 265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 2e7ff2e5b1c538206173a71c021b6a98b54f39f1ef8e5018f7e6479e368734fc
run #0: crashed: WARNING: kmalloc bug in hash_ipport_create
run #1: crashed: WARNING: kmalloc bug in hash_ipport_create
run #2: crashed: WARNING: kmalloc bug in hash_ipport_create
run #3: crashed: WARNING: kmalloc bug in hash_ipport_create
run #4: crashed: WARNING: kmalloc bug in hash_ipport_create
run #5: crashed: WARNING: kmalloc bug in hash_ipport_create
run #6: crashed: WARNING: kmalloc bug in hash_ipport_create
run #7: crashed: WARNING: kmalloc bug in hash_ipport_create
run #8: crashed: WARNING: kmalloc bug in hash_ipport_create
run #9: boot failed: possible deadlock in blktrans_open
# git bisect bad 265113f70f3d63ae8b6eb1ce4303d14dbbd71b2d
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[0904c9ae3465c7acc066a564a76b75c0af83e6c7] ext4: move inode eio simulation behind io completeion
testing commit 0904c9ae3465c7acc066a564a76b75c0af83e6c7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 951baf34263bee133b1900250646245c8370f4f82a3cae1c9403523afa893c67
all runs: OK
# git bisect good 0904c9ae3465c7acc066a564a76b75c0af83e6c7
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[8728a455d20ddadecd767337475fc1371e031d79] fs: dlm: generic connect func
testing commit 8728a455d20ddadecd767337475fc1371e031d79
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: c9094bb7b75e188359491178feaec03033b0a7a5bb06ab3fbe7be56c47ff30b9
all runs: OK
# git bisect good 8728a455d20ddadecd767337475fc1371e031d79
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[ecd95673142ef80169a6c003b569b8a86d1e6329] fs: dlm: avoid comms shutdown delay in release_lockspace
testing commit ecd95673142ef80169a6c003b569b8a86d1e6329
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: fa6d42726e8f1c5a671fcb717f535eaa942f09f0862641b12876ac539800a392
all runs: OK
# git bisect good ecd95673142ef80169a6c003b569b8a86d1e6329
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[111c1aa8cad4a0069dfe98fc093507b5b2cdfda7] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit 111c1aa8cad4a0069dfe98fc093507b5b2cdfda7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 07d7d24f755b2933dc9de9be2a29b35647edcf5de5ead2b9df7ea95436e9a800
all runs: OK
# git bisect good 111c1aa8cad4a0069dfe98fc093507b5b2cdfda7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b0cfcdd9b9672ea90642f33d6c0dd8516553adf2] d_path: make 'prepend()' fill up the buffer exactly on overflow
testing commit b0cfcdd9b9672ea90642f33d6c0dd8516553adf2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 9bf6ca302e83228c468301b02da179a2a20b6aedafde6e1658c0e7f3b2d00dfd
all runs: crashed: WARNING: kmalloc bug in hash_ipport_create
# git bisect bad b0cfcdd9b9672ea90642f33d6c0dd8516553adf2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7661809d493b426e979f39ab512e3adf41fbcc69] mm: don't allow oversized kvmalloc() calls
testing commit 7661809d493b426e979f39ab512e3adf41fbcc69
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 664f4638c15a6a6d9aa1453cfa8ae379b1ae788e70bab73d834bf1af2f68ba3e
run #0: crashed: WARNING: kmalloc bug in hash_ipport_create
run #1: crashed: WARNING: kmalloc bug in hash_ipport_create
run #2: crashed: WARNING: kmalloc bug in hash_ipport_create
run #3: crashed: WARNING: kmalloc bug in hash_ipport_create
run #4: crashed: WARNING: kmalloc bug in hash_ipport_create
run #5: crashed: WARNING: kmalloc bug in hash_ipport_create
run #6: crashed: WARNING: kmalloc bug in hash_ipport_create
run #7: crashed: WARNING: kmalloc bug in hash_ipport_create
run #8: crashed: WARNING: kmalloc bug in hash_ipport_create
run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "root@10.128.0.166:./syz-fuzzer"]
# git bisect bad 7661809d493b426e979f39ab512e3adf41fbcc69
7661809d493b426e979f39ab512e3adf41fbcc69 is the first bad commit
commit 7661809d493b426e979f39ab512e3adf41fbcc69
Author: Linus Torvalds
Date:   Wed Jul 14 09:45:49 2021 -0700

    mm: don't allow oversized kvmalloc() calls

    'kvmalloc()' is a convenience function for people who want to do a
    kmalloc() but fall back on vmalloc() if there aren't enough physically
    contiguous pages, or if the allocation is larger than what kmalloc()
    supports.

    However, let's make sure it doesn't get _too_ easy to do crazy things
    with it. In particular, don't allow big allocations that could be due
    to integer overflow or underflow. So make sure the allocation size fits
    in an 'int', to protect against trivial integer conversion issues.

    Acked-by: Willy Tarreau
    Cc: Kees Cook
    Signed-off-by: Linus Torvalds

 mm/util.c | 4 ++++
 1 file changed, 4 insertions(+)

culprit signature: 664f4638c15a6a6d9aa1453cfa8ae379b1ae788e70bab73d834bf1af2f68ba3e
parent signature: 07d7d24f755b2933dc9de9be2a29b35647edcf5de5ead2b9df7ea95436e9a800
revisions tested: 16, total time: 3h34m45.204383974s (build: 1h45m47.357568103s, test: 1h47m9.49948397s)
first bad commit: 7661809d493b426e979f39ab512e3adf41fbcc69 mm: don't allow oversized kvmalloc() calls
recipients (to): ["akpm@linux-foundation.org" "linux-mm@kvack.org" "torvalds@linux-foundation.org" "w@1wt.eu"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: WARNING: kmalloc bug in hash_ipport_create
------------[ cut here ]------------
WARNING: CPU: 0 PID: 10972 at mm/util.c:597 kvmalloc_node+0x7b/0x90 mm/util.c:600
Modules linked in:
CPU: 1 PID: 10972 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvmalloc_node+0x7b/0x90 mm/util.c:597
Code: 2b 48 8b 3c 24 8b 54 24 0c 48 81 ff ff ff ff 7f 77 18 4c 8b 44 24 18 48 83 c4 10 89 d1 89 ea 5d be 01 00 00 00 e9 55 02 0b 00 <0f> 0b 48 83 c4 10 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 55
RSP: 0018:ffffc9000d2f72c8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffffc9000d2f73c8 RCX: 0000000400000000
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000200000018
RBP: 0000000000400dc0 R08: 0000000000412dc0 R09: 00000000ffffffff
R10: fffffbfff1688ed8 R11: 000000000007a089 R12: 000000000000001e
R13: ffff888020c16200 R14: 000000000000001e R15: ffff8880266c5200
FS:  00007fd10ff5a700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d788814a20 CR3: 00000000461b1000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hash_ipport_create+0x2fc/0xf30 net/netfilter/ipset/ip_set_hash_gen.h:1524
 ip_set_create+0x697/0x11a0 net/netfilter/ipset/ip_set_core.c:1100
 nfnetlink_rcv_msg+0x928/0xf80 net/netfilter/nfnetlink.c:296
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2504
 nfnetlink_rcv+0x143/0x340 net/netfilter/nfnetlink.c:654
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x704/0xbf0 net/netlink/af_netlink.c:1929
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:724
 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2409
 ___sys_sendmsg+0xd3/0x150 net/socket.c:2463
 __sys_sendmsg+0xb2/0x140 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd10ff5a188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665f9
RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007fff35a3361f R14: 00007fd10ff5a300 R15: 0000000000022000