ci2 starts bisection 2024-08-14 23:39:20.02617342 +0000 UTC m=+36471.076812180
bisecting fixing commit since 347385861c50adc8d4801d4b899eded38a2f04cd
building syzkaller on 0ee3535ea8ff21d50e44372bb1cfd147e299ab5b
ensuring issue is reproducible on original commit 347385861c50adc8d4801d4b899eded38a2f04cd
testing commit 347385861c50adc8d4801d4b899eded38a2f04cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bf26551de6a16940e0f5f8e816ec37c322a9feec3f019c09103023a1032e26dc
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 347385861c50adc8d4801d4b899eded38a2f04cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c584595f53aad29acf877b59275bdffbfa617b89e7d04e50e082e25c71a4ebfe
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=3822 full=7454 leaves diff=1988
split chunks (needed=false): <1988>
split chunk #0 of len 1988 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 347385861c50adc8d4801d4b899eded38a2f04cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d1a2e81410dc5e2b93e7aa4e74d73040ec8be1a35cd832ce48ff75971481d22f
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 347385861c50adc8d4801d4b899eded38a2f04cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1009e666724ce02fc2d575a36d032b682e3b080f4406906eaa9d236ba742b2a5
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 347385861c50adc8d4801d4b899eded38a2f04cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b50f5fa9fdb34fe6e46596a06d61eee656ee0ad1188a9653dc2c0778e64bc0b
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 347385861c50adc8d4801d4b899eded38a2f04cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4356b59a68006d5e64b141f647b46e512f3dca8860fdc5d08520ee3b3937fe63
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 347385861c50adc8d4801d4b899eded38a2f04cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6877bca1421028a490714931a05e7e221858acb8a313f3cc51027c3b88975606
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
the chunk can be dropped
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 117ac406ba904da738fb79a3b2c96d4a385292c1
testing commit 117ac406ba904da738fb79a3b2c96d4a385292c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e1108367bea190ecd27dc641df4a9b170e7e32390845bf24ba37f67efa38e169
all runs: OK
false negative chance: 0.000
# git bisect start 117ac406ba904da738fb79a3b2c96d4a385292c1 347385861c50adc8d4801d4b899eded38a2f04cd
Bisecting: 1434 revisions left to test after this (roughly 11 steps)
[fda68a7da8a86b7a080f63e51cb8c94fa08c072f] af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb().
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit fda68a7da8a86b7a080f63e51cb8c94fa08c072f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5838b0581ad8eec27d9e33e4283083c1f8849ec8179e403c2e0468f9634f10df
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
# git bisect good fda68a7da8a86b7a080f63e51cb8c94fa08c072f
Bisecting: 717 revisions left to test after this (roughly 10 steps)
[4bc246d2d60d071314842fa448faa4ed39082aff] powerpc/eeh: avoid possible crash when edev->pdev changes
determine whether the revision contains the guilty commit
revision fda68a7da8a86b7a080f63e51cb8c94fa08c072f crashed and is reachable
testing commit 4bc246d2d60d071314842fa448faa4ed39082aff gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f9c3497f13143c9ee57cf30a1a2256b6a1924df09d5de1f59ee98f6b10545924
all runs: OK
false negative chance: 0.000
# git bisect bad 4bc246d2d60d071314842fa448faa4ed39082aff
Bisecting: 358 revisions left to test after this (roughly 9 steps)
[9e424deb9a4c7995a33246ad1f4c206daf744e77] soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit 9e424deb9a4c7995a33246ad1f4c206daf744e77 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8f8b82b57ace115324b2c20e8c3b77719adce4834ae2e96989c0d70fb3662298
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
# git bisect good 9e424deb9a4c7995a33246ad1f4c206daf744e77
Bisecting: 179 revisions left to test after this (roughly 8 steps)
[a077a6cdb3454a6f3eea7ea178d8280ff0f04ef2] null_blk: Do not allow runt zone with zone capacity smaller then zone size
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit a077a6cdb3454a6f3eea7ea178d8280ff0f04ef2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 15b00487cb850ca89ba7bb200b356ead71274a19954c9ed637d54a563e5803d5
run #0: crashed: lost connection to test machine
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
representative crash: lost connection to test machine, types: [UNKNOWN]
unable to determine the verdict: 9 good runs (wanted 5), for bad wanted 5 in total, got 10
# git bisect skip a077a6cdb3454a6f3eea7ea178d8280ff0f04ef2
Bisecting: 178 revisions left to test after this (roughly 8 steps)
[86e3ffeab54801dbba8a79d8486905e423d785b3] nilfs2: fix incorrect inode allocation from reserved inodes
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit 86e3ffeab54801dbba8a79d8486905e423d785b3 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0deb7bb26f7de189fbc4c69ce95bca94e2dd286fd5ecbb12ac1597e8bd07f863
all runs: OK
false negative chance: 0.000
# git bisect bad 86e3ffeab54801dbba8a79d8486905e423d785b3
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[28c8d274848feba552e95c5c2a7e3cfe8f15c534] crypto: aead,cipher - zeroize key buffer after use
determine whether the revision contains the guilty commit
revision fda68a7da8a86b7a080f63e51cb8c94fa08c072f crashed and is reachable
testing commit 28c8d274848feba552e95c5c2a7e3cfe8f15c534 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9fdda9d427976c081e0c85037f77298f98e664d24034920e9705ac12d785af29
all runs: OK
false negative chance: 0.000
# git bisect bad 28c8d274848feba552e95c5c2a7e3cfe8f15c534
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[26b18dd30e63d4fd777be429148e8e4ed66f60b2] net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new
determine whether the revision contains the guilty commit
revision fda68a7da8a86b7a080f63e51cb8c94fa08c072f crashed and is reachable
testing commit 26b18dd30e63d4fd777be429148e8e4ed66f60b2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 12d4f24df9892675280ae0b9e17b79c35e5195ea27fda9f756f01e66e94b5380
all runs: OK
false negative chance: 0.000
# git bisect bad 26b18dd30e63d4fd777be429148e8e4ed66f60b2
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[86826b1ffde7ff637b774439ed5af27f6a0966e1] i2c: testunit: don't erase registers after STOP
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit 86826b1ffde7ff637b774439ed5af27f6a0966e1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0e7e44df2eb7139cb753f313d0a2e1bd91c0cb76a868006b6f549ad2781848e6
all runs: OK
false negative chance: 0.000
# git bisect bad 86826b1ffde7ff637b774439ed5af27f6a0966e1
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[161cef818545ecf980f0e2ebaf8ba7326ce53c2b] x86: stop playing stack games in profile_pc()
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit 161cef818545ecf980f0e2ebaf8ba7326ce53c2b gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 621784273790c6ad905ca10b786bb5b733e8165000e64c818df86548ac9abe7d
all runs: OK
false negative chance: 0.000
# git bisect bad 161cef818545ecf980f0e2ebaf8ba7326ce53c2b
Bisecting: 4 revisions left to test after this (roughly 3 steps)
[09f64e7ad72bcd613faf27ebe7ea8613a11174a4] drm/amdgpu: Fix pci state save during mode-1 reset
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit 09f64e7ad72bcd613faf27ebe7ea8613a11174a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 306046d0a0805013ddf8c16333b2d685d5575133d0bf4da2154781e29c488cfb
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
# git bisect good 09f64e7ad72bcd613faf27ebe7ea8613a11174a4
Bisecting: 2 revisions left to test after this (roughly 1 step)
[31594c5a420ec5b5b4b0e50df93f751171b95660] gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit 31594c5a420ec5b5b4b0e50df93f751171b95660 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7b5ab168bac94395287d842e66fdca11777d62e0eaa55198346b9159ba74c9be
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
# git bisect good 31594c5a420ec5b5b4b0e50df93f751171b95660
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7fb374981e31c193b1152ed8d3b0a95b671330d4] ima: Fix use-after-free on a dentry's dname.name
determine whether the revision contains the guilty commit
revision 347385861c50adc8d4801d4b899eded38a2f04cd crashed and is reachable
testing commit 7fb374981e31c193b1152ed8d3b0a95b671330d4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 25566204a0f5379153d470d4b8ea04ea8c9582d02cecb69e77928b822ded5d8d
all runs: crashed: KASAN: stack-out-of-bounds Read in profile_pc
representative crash: KASAN: stack-out-of-bounds Read in profile_pc, types: [KASAN]
# git bisect good 7fb374981e31c193b1152ed8d3b0a95b671330d4
161cef818545ecf980f0e2ebaf8ba7326ce53c2b is the first bad commit
commit 161cef818545ecf980f0e2ebaf8ba7326ce53c2b
Author: Linus Torvalds
Date:   Fri Jun 28 14:27:22 2024 -0700

    x86: stop playing stack games in profile_pc()

    [ Upstream commit 093d9603b60093a9aaae942db56107f6432a5dca ]

    The 'profile_pc()' function is used for timer-based profiling, which
    isn't really all that relevant any more to begin with, but it also ends
    up making assumptions based on the stack layout that aren't necessarily
    valid.

    Basically, the code tries to account the time spent in spinlocks to the
    caller rather than the spinlock, and while I support that as a concept,
    it's not worth the code complexity or the KASAN warnings when no serious
    profiling is done using timers anyway these days.

    And the code really does depend on stack layout that is only true in the
    simplest of cases. We've lost the comment at some point (I think when
    the 32-bit and 64-bit code was unified), but it used to say:

        Assume the lock function has either no stack frame or a copy
        of eflags from PUSHF.

    which explains why it just blindly loads a word or two straight off the
    stack pointer and then takes a minimal look at the values to just check
    if they might be eflags or the return pc:

        Eflags always has bits 22 and up cleared unlike kernel addresses

    but that basic stack layout assumption assumes that there isn't any lock
    debugging etc going on that would complicate the code and cause a stack
    frame.

    It causes KASAN unhappiness reported for years by syzkaller [1] and
    others [2].

    With no real practical reason for this any more, just remove the code.

    Just for historical interest, here's some background commits relating
    to this code from 2006:

      0cb91a229364 ("i386: Account spinlocks to the caller during profiling for !FP kernels")
      31679f38d886 ("Simplify profile_pc on x86-64")

    and a code unification from 2009:

      ef4512882dbe ("x86: time_32/64.c unify profile_pc")

    but the basics of this thing actually goes back to before the git tree.

    Link: https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3 [1]
    Link: https://lore.kernel.org/all/CAK55_s7Xyq=nh97=K=G1sxueOFrJDAvPOJAL4TPTCAYvmxO9_A@mail.gmail.com/ [2]
    Signed-off-by: Linus Torvalds
    Signed-off-by: Sasha Levin

 arch/x86/kernel/time.c | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

accumulated error probability: 0.00
culprit signature: 621784273790c6ad905ca10b786bb5b733e8165000e64c818df86548ac9abe7d
parent signature: 25566204a0f5379153d470d4b8ea04ea8c9582d02cecb69e77928b822ded5d8d
revisions tested: 20, total time: 3h14m25.356720305s (build: 1h4m12.807574029s, test: 2h4m4.1694038s)
first good commit: 161cef818545ecf980f0e2ebaf8ba7326ce53c2b x86: stop playing stack games in profile_pc()
recipients (to): ["sashal@kernel.org" "torvalds@linux-foundation.org"]
recipients (cc): []