ci starts bisection 2023-06-17 05:20:28.151031046 +0000 UTC m=+88812.113870412
bisecting cause commit starting from c08afcdcf95288c627267bb20002e8baaf3394e1
building syzkaller on f3921d4d63f97d1f1fb49a69ea85744bb7ef184b
ensuring issue is reproducible on original commit c08afcdcf95288c627267bb20002e8baaf3394e1
testing commit c08afcdcf95288c627267bb20002e8baaf3394e1 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7c4da95d2b29d2507d9fb2ae90cb6aad27889dc3e019b5f67f4ff60abaec17fb
all runs: crashed: KASAN: stack-out-of-bounds Read in ipmr_ioctl
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 782ce5874f07f076c7e9e43cca87cecef334427d4e5c67a4c74af888be0d4d54
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect start c08afcdcf95288c627267bb20002e8baaf3394e1 457391b0380335d5e9a5babdec90ac53928b23b4
Bisecting: 8689 revisions left to test after this (roughly 13 steps)
[34b62f186db9614e55d021f8c58d22fc44c57911] Merge tag 'pci-v6.4-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
testing commit 34b62f186db9614e55d021f8c58d22fc44c57911 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 66f23c34d4f6b5c47ccf9e8b933884d6bf9a31375beb1ae6e1341dd974ab105e
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 34b62f186db9614e55d021f8c58d22fc44c57911
Bisecting: 4343 revisions left to test after this (roughly 12 steps)
[c5eb8bf76718cf2e2f36aac216a99014f00927de] Merge tag 'leds-next-6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds
testing commit c5eb8bf76718cf2e2f36aac216a99014f00927de gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5753e3d589506933a6b05aad9d85fa1f47f9ea496f24973ccbe94514a01e3d0d
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good c5eb8bf76718cf2e2f36aac216a99014f00927de
Bisecting: 2172 revisions left to test after this (roughly 11 steps)
[1f94ba198bda5738bd26cb7633dca4b33a43dff2] net: pcs: xpcs: correct lp_advertising contents
testing commit 1f94ba198bda5738bd26cb7633dca4b33a43dff2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b9053a91be1103b13e0984ccdb4a85ca1d98a2d969be14448478c8a70f2a0e77
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 1f94ba198bda5738bd26cb7633dca4b33a43dff2
Bisecting: 1086 revisions left to test after this (roughly 10 steps)
[863199199713908afaa47ba09332b87621c12496] net: usb: qmi_wwan: add support for Compal RXM-G1
testing commit 863199199713908afaa47ba09332b87621c12496 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 65a45ab8b6736b50cc52e48268ef1ecb6bfb98f68372136b4c5c2db4dad92100
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 863199199713908afaa47ba09332b87621c12496
Bisecting: 519 revisions left to test after this (roughly 9 steps)
[cde11936cffb7280eb48b5e118ea8f5a03aad0ae] Merge tag 'wireless-next-2023-06-09' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next
testing commit cde11936cffb7280eb48b5e118ea8f5a03aad0ae gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 685af28f41aa200f52d2539c224ad609e0540a74b4ad869a0c80a2404dfdc08c
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good cde11936cffb7280eb48b5e118ea8f5a03aad0ae
Bisecting: 257 revisions left to test after this (roughly 8 steps)
[93fd8eb053800a241d09c00ef075cae0b5b03ecf] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 93fd8eb053800a241d09c00ef075cae0b5b03ecf gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dec303f87049e83851d28d124d217d2b63ed624512fa197157bf7254a6a7ae64
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 93fd8eb053800a241d09c00ef075cae0b5b03ecf
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[473f5e13b38b9533bd3ae0758418581eabf69b50] Merge branch 'netdev-tracking'
testing commit 473f5e13b38b9533bd3ae0758418581eabf69b50 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2d0f28092df51f74fe400b0c0f735cb17c60e1b9f03fc8cf84fdced582da5bff
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 473f5e13b38b9533bd3ae0758418581eabf69b50
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[07b1cc841b4f283f3bc34d228690f88b17e57008] Merge branch 'fix-small-bugs-and-annoyances-in-tc-testing'
testing commit 07b1cc841b4f283f3bc34d228690f88b17e57008 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b6f1a24be2af39e1a61f820e936d1bc010162e5277bb65cf0eef2390aa1dd682
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 07b1cc841b4f283f3bc34d228690f88b17e57008
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[be28c14ac8bbe1ff0b2a18a06cd10981f90fc741] udplite: Print deprecation notice.
testing commit be28c14ac8bbe1ff0b2a18a06cd10981f90fc741 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c5f30cd7fee59faeb4b719adf8d8a5936984acbecf265e83600f8b9838f5f983
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good be28c14ac8bbe1ff0b2a18a06cd10981f90fc741
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[40f71e7cd3c6ac04293556ab0504a372393838ff] Merge tag 'net-6.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 40f71e7cd3c6ac04293556ab0504a372393838ff gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 597ff4faf4a80924bea49269ecdcb41c3f4cf24a72472de29a8ba12c4c20b5cb
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 40f71e7cd3c6ac04293556ab0504a372393838ff
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[f7d625adeb7bc6a9ec83d32d9615889969d64484] net: ena: Add dynamic recycling mechanism for rx buffers
testing commit f7d625adeb7bc6a9ec83d32d9615889969d64484 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3e3931f539cc9692b6f6ddbe769f6eb67153259a98a33d519ef9efaa39171592
all runs: crashed: KASAN: stack-out-of-bounds Read in ipmr_ioctl
# git bisect bad f7d625adeb7bc6a9ec83d32d9615889969d64484
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[ed3c9a2fcab3b60b0766eb5d7566fd3b10df9a8e] net: tls: make the offload check helper take skb not socket
testing commit ed3c9a2fcab3b60b0766eb5d7566fd3b10df9a8e gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 13a89ae176af1dbfa3b537257c184b805f92b8baf493e1d5472f648dd8c7f9c5
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good ed3c9a2fcab3b60b0766eb5d7566fd3b10df9a8e
Bisecting: 2 revisions left to test after this (roughly 1 step)
[97c5209b3d374a25ebdb4c2ea9e9c1b121768da0] leds: trigger: netdev: uninitialized variable in netdev_trig_activate()
testing commit 97c5209b3d374a25ebdb4c2ea9e9c1b121768da0 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 41ac99354a2747947c072f207d2131dd951e6c7f496f523affa661a7a9e0e622
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 97c5209b3d374a25ebdb4c2ea9e9c1b121768da0
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e1d001fa5b477c4da46a29be1fcece91db7c7c6f] net: ioctl: Use kernel memory on protocol ioctl callbacks
testing commit e1d001fa5b477c4da46a29be1fcece91db7c7c6f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 189228a777d0f46d59a80009ef0b683e65c769553c95f67c2a413c39b991afbe
all runs: crashed: KASAN: stack-out-of-bounds Read in ipmr_ioctl
# git bisect bad e1d001fa5b477c4da46a29be1fcece91db7c7c6f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[173780ff18a93298ca84224cc79df69f9cc198ce] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 173780ff18a93298ca84224cc79df69f9cc198ce gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e98065a4a1c4bfc1a660042ec1e89d9996844aea53c987c4dab50e2fb2e258d6
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect good 173780ff18a93298ca84224cc79df69f9cc198ce
e1d001fa5b477c4da46a29be1fcece91db7c7c6f is the first bad commit
commit e1d001fa5b477c4da46a29be1fcece91db7c7c6f
Author: Breno Leitao
Date:   Fri Jun 9 08:27:42 2023 -0700

    net: ioctl: Use kernel memory on protocol ioctl callbacks

    Most of the ioctls to net protocols operate directly on the userspace
    argument (arg), usually doing get_user()/put_user() directly in the
    ioctl callback. This is not flexible, because it is hard to reuse these
    functions without passing userspace buffers.

    Change the "struct proto" ioctls to avoid touching userspace memory and
    operate on kernel buffers, i.e., all protocols' ioctl callbacks are
    adapted to operate on kernel memory rather than on userspace (so no
    more {put,get}_user() and friends are called in the ioctl callback).

    This changes the "struct proto" ioctl format in the following way:

        int (*ioctl)(struct sock *sk, int cmd,
    -                unsigned long arg);
    +                int *karg);

    (It is important to say that this patch does not touch the
    "struct proto_ops" protocols.)

    So, the "karg" argument, which is passed to the ioctl callback, is a
    pointer allocated to kernel space memory (inside a function wrapper).
    This buffer (karg) may contain an input argument (copied from userspace
    in a prep function) and it might return a value/buffer, which is copied
    back to userspace if necessary. There is no one-size-fits-all format
    (that is why I am using 'may' above), but basically there are three
    types of ioctls:

    1) Do not read from userspace, return a result to userspace
    2) Read an input parameter from userspace, and do not return anything
       to userspace
    3) Read an input from userspace, and return a buffer to userspace.

    The default case (1) (where no input parameter is given, and an "int"
    is returned to userspace) encompasses more than 90% of the cases, but
    there are two other exceptions. Here is a list of exceptions:

    * Protocol RAW:
       * cmd = SIOCGETVIFCNT:
         * input and output = struct sioc_vif_req
       * cmd = SIOCGETSGCNT
         * input and output = struct sioc_sg_req
       * Explanation: for the SIOCGETVIFCNT case, userspace passes the
         input argument, which is struct sioc_vif_req. Then the callback
         populates the struct, which is copied back to userspace.

    * Protocol RAW6:
       * cmd = SIOCGETMIFCNT_IN6
         * input and output = struct sioc_mif_req6
       * cmd = SIOCGETSGCNT_IN6
         * input and output = struct sioc_sg_req6

    * Protocol PHONET:
       * cmd == SIOCPNADDRESOURCE | SIOCPNDELRESOURCE
         * input int (4 bytes)
         * Nothing is copied back to userspace.

    For the exception cases, the function sock_sk_ioctl_inout() will copy
    the userspace input, and copy it back to kernel space.

    The wrapper that prepares the buffer and puts the buffer back to user
    is sk_ioctl(), so instead of calling sk->sk_prot->ioctl(), the callee
    now calls sk_ioctl(), which will handle all cases.

    Signed-off-by: Breno Leitao
    Reviewed-by: Willem de Bruijn
    Reviewed-by: David Ahern
    Reviewed-by: Kuniyuki Iwashima
    Link: https://lore.kernel.org/r/20230609152800.830401-1-leitao@debian.org
    Signed-off-by: Jakub Kicinski

 include/linux/icmpv6.h      |  6 +++++
 include/linux/mroute.h      | 22 ++++++++++++++--
 include/linux/mroute6.h     | 31 ++++++++++++++++++++--
 include/net/phonet/phonet.h | 21 +++++++++++++++
 include/net/sock.h          |  5 +++-
 include/net/tcp.h           |  2 +-
 include/net/udp.h           |  2 +-
 net/core/sock.c             | 64 +++++++++++++++++++++++++++++++++++++++++++++
 net/dccp/dccp.h             |  2 +-
 net/dccp/proto.c            | 12 ++++-----
 net/ieee802154/socket.c     | 15 +++++------
 net/ipv4/af_inet.c          |  2 +-
 net/ipv4/ipmr.c             | 63 +++++++++++++++++++++++++++-----------------
 net/ipv4/raw.c              | 16 ++++++------
 net/ipv4/tcp.c              |  5 ++--
 net/ipv4/udp.c              | 12 ++++-----
 net/ipv6/af_inet6.c         |  2 +-
 net/ipv6/ip6mr.c            | 44 +++++++++++++------------------
 net/ipv6/raw.c              | 16 ++++++------
 net/l2tp/l2tp_core.h        |  2 +-
 net/l2tp/l2tp_ip.c          |  9 +++----
 net/mptcp/protocol.c        | 11 ++++----
 net/phonet/datagram.c       | 11 +++-----
 net/phonet/pep.c            | 11 ++++----
 net/phonet/socket.c         |  2 +-
 net/sctp/socket.c           |  8 +++---
 26 files changed, 267 insertions(+), 129 deletions(-)

culprit signature: 189228a777d0f46d59a80009ef0b683e65c769553c95f67c2a413c39b991afbe
parent signature: e98065a4a1c4bfc1a660042ec1e89d9996844aea53c987c4dab50e2fb2e258d6
revisions tested: 17, total time:
6h23m10.126928315s (build: 3h56m36.799672537s, test: 2h20m26.423130102s)
first bad commit:
  e1d001fa5b477c4da46a29be1fcece91db7c7c6f net: ioctl: Use kernel memory on protocol ioctl callbacks
recipients (to): ["dsahern@kernel.org" "kuba@kernel.org" "kuniyu@amazon.com" "leitao@debian.org" "willemb@google.com"]
recipients (cc): []
crash: KASAN: stack-out-of-bounds Read in ipmr_ioctl
==================================================================
BUG: KASAN: stack-out-of-bounds in ipmr_ioctl+0x8ef/0x9b0 net/ipv4/ipmr.c:1654
Read of size 4 at addr ffffc90004dffafc by task syz-executor.0/5428

CPU: 1 PID: 5428 Comm: syz-executor.0 Not tainted 6.4.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x64/0xb0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 ipmr_ioctl+0x8ef/0x9b0 net/ipv4/ipmr.c:1654
 sock_ioctl_out net/core/sock.c:4186 [inline]
 sk_ioctl+0x10e/0x340 net/core/sock.c:4214
 inet_ioctl+0x171/0x300 net/ipv4/af_inet.c:1001
 sock_do_ioctl+0xc9/0x1c0 net/socket.c:1189
 sock_ioctl+0x1b1/0x550 net/socket.c:1306
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x123/0x190 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8a83e8c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8a84b29168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8a83fabf80 RCX: 00007f8a83e8c389
RDX: 0000000000000000 RSI: 00000000000089e1 RDI: 0000000000000003
RBP: 00007f8a83ed7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff15e5935f R14: 00007f8a84b29300 R15: 0000000000022000

The buggy address belongs to stack of task syz-executor.0/5428
 and is located at offset 36 in frame:
 sk_ioctl+0x0/0x340 net/core/sock.c:4172

This frame has 2 objects:
 [32, 36) 'karg'
 [48, 88) 'buffer'

The buggy address belongs to the virtual mapping at
 [ffffc90004df8000, ffffc90004e01000) created by:
 kernel_clone+0xbc/0x640 kernel/fork.c:2915

The buggy address belongs to the physical page:
page:ffffea0000808a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2022a
memcg:ffff88801eb62602
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88801eb62602
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5427, tgid 5427 (syz-executor.0), ts 72682059050, free_ts 72613482273
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0xf41/0x2c00 mm/page_alloc.c:3502
 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4768
 vm_area_alloc_pages mm/vmalloc.c:3009 [inline]
 __vmalloc_area_node mm/vmalloc.c:3085 [inline]
 __vmalloc_node_range+0x7ff/0x1070 mm/vmalloc.c:3257
 alloc_thread_stack_node kernel/fork.c:313 [inline]
 dup_task_struct kernel/fork.c:1116 [inline]
 copy_process+0x1181/0x6bf0 kernel/fork.c:2333
 kernel_clone+0xbc/0x640 kernel/fork.c:2915
 __do_sys_clone+0xa1/0xe0 kernel/fork.c:3058
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2564
 free_unref_page+0x33/0x370 mm/page_alloc.c:2659
 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2636
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:711 [inline]
 kmem_cache_alloc_bulk+0x424/0x860 mm/slub.c:4033
 mt_alloc_bulk lib/maple_tree.c:164 [inline]
 mas_alloc_nodes+0x27c/0x700 lib/maple_tree.c:1309
 mas_node_count_gfp lib/maple_tree.c:1367 [inline]
 mas_preallocate+0x236/0x300 lib/maple_tree.c:5775
 vma_iter_prealloc mm/internal.h:1029 [inline]
 __split_vma+0x16e/0x710 mm/mmap.c:2253
 do_vmi_align_munmap+0x364/0x1230 mm/mmap.c:2398
 do_vmi_munmap+0x1ba/0x210 mm/mmap.c:2530
 mmap_region+0x1b5/0x24b0 mm/mmap.c:2578
 do_mmap+0x5a4/0xd60 mm/mmap.c:1394
 vm_mmap_pgoff+0x164/0x350 mm/util.c:543
 ksys_mmap_pgoff+0x2eb/0x4a0 mm/mmap.c:1440

Memory state around the buggy address:
 ffffc90004dff980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004dffa00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3
>ffffc90004dffa80: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04
                                                                ^
 ffffc90004dffb00: f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00
 ffffc90004dffb80: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00
==================================================================