bisecting cause commit starting from e31736d9fae841e8a1612f263136454af10f476a
building syzkaller on eef6e5808d6507716d331b9eff67fdd991be891a
testing commit e31736d9fae841e8a1612f263136454af10f476a with gcc (GCC) 8.1.0
kernel signature: ec4d862ac72e5c0de3ce4bea9bf7e8a6803ab428
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in compat_copy_entries
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 1240d4c9613738e5fa9f60f66acd4fe1c67a969e
all runs: OK
# git bisect start e31736d9fae841e8a1612f263136454af10f476a 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 6793 revisions left to test after this (roughly 13 steps)
[95f1fa9e3418d50ce099e67280b5497b9c93843b] Merge tag 'trace-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
testing commit 95f1fa9e3418d50ce099e67280b5497b9c93843b with gcc (GCC) 8.1.0
kernel signature: f332f5be6500ebfa6f20912ca268b1b96720f599
all runs: OK
# git bisect good 95f1fa9e3418d50ce099e67280b5497b9c93843b
Bisecting: 3355 revisions left to test after this (roughly 12 steps)
[596cf45cbf6e4fa7bcb0df33e373a7d062b644b5] Merge branch 'akpm' (patches from Andrew)
testing commit 596cf45cbf6e4fa7bcb0df33e373a7d062b644b5 with gcc (GCC) 8.1.0
kernel signature: d2f6bd616e8f65a775fbb0dd4ae78a0d87cee4f1
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in compat_copy_entries
# git bisect bad 596cf45cbf6e4fa7bcb0df33e373a7d062b644b5
Bisecting: 1692 revisions left to test after this (roughly 11 steps)
[8a86b00a437ec06b298477463c7a9b8774570507] Merge tag 'drm-next-5.5-2019-11-01' of git://people.freedesktop.org/~agd5f/linux into drm-next
testing commit 8a86b00a437ec06b298477463c7a9b8774570507 with gcc (GCC) 8.1.0
kernel signature: 8e99aba2ed0b75d18e923e253767cdf1d7d5619d
all runs: OK
# git bisect good 8a86b00a437ec06b298477463c7a9b8774570507
Bisecting: 872 revisions left to test after this (roughly 10 steps)
[ceb307474506f888e8f16dab183405ff01dffa08] Merge tag 'y2038-cleanups-5.5' of git://git.kernel.org:/pub/scm/linux/kernel/git/arnd/playground
testing commit ceb307474506f888e8f16dab183405ff01dffa08 with gcc (GCC) 8.1.0
kernel signature: 5fe8891d7faf17bb5100df65c5ba83d047736df9
all runs: OK
# git bisect good ceb307474506f888e8f16dab183405ff01dffa08
Bisecting: 452 revisions left to test after this (roughly 9 steps)
[d004701d1cc5a036b1f2dec34dd5973064c72eab] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
testing commit d004701d1cc5a036b1f2dec34dd5973064c72eab with gcc (GCC) 8.1.0
kernel signature: b155d983e62cec7ae96b03e03f54bf456649a1d3
all runs: OK
# git bisect good d004701d1cc5a036b1f2dec34dd5973064c72eab
Bisecting: 204 revisions left to test after this (roughly 8 steps)
[72c0870e3a05d9cd5466d08c3d2a3069ed0a2f9f] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
testing commit 72c0870e3a05d9cd5466d08c3d2a3069ed0a2f9f with gcc (GCC) 8.1.0
kernel signature: 261b9f2780261313b64b073bdbed581bb6902953
all runs: OK
# git bisect good 72c0870e3a05d9cd5466d08c3d2a3069ed0a2f9f
Bisecting: 102 revisions left to test after this (roughly 7 steps)
[997cdcb068eb58d37f9f9b1d219368000066d272] powerpc/mm: remove pmd_huge/pud_huge stubs and include hugetlb.h
testing commit 997cdcb068eb58d37f9f9b1d219368000066d272 with gcc (GCC) 8.1.0
kernel signature: 9669340fdc9da209824a4376dd21bd135d37f3ec
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in compat_copy_entries
# git bisect bad 997cdcb068eb58d37f9f9b1d219368000066d272
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[32d1fe8fcb32130733b59fc447e35753dc87fd40] mm/hotplug: reorder memblock_[free|remove]() calls in try_remove_memory()
testing commit 32d1fe8fcb32130733b59fc447e35753dc87fd40 with gcc (GCC) 8.1.0
kernel signature: b0bfd3a55f13eb49ad776b2ba5ba52ef48f39225
all runs: OK
# git bisect good 32d1fe8fcb32130733b59fc447e35753dc87fd40
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[68265390f9aa625e2ce94ed1bcff8906db702d79] mm, pcpu: make zone pcp updates and reset internal to the mm
testing commit 68265390f9aa625e2ce94ed1bcff8906db702d79 with gcc (GCC) 8.1.0
kernel signature: 0c9cde1c7bd44c4ad1d813b33fe6a7310a3230ee
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in compat_copy_entries
# git bisect bad 68265390f9aa625e2ce94ed1bcff8906db702d79
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[09dbcf422e9b791d2d43cad8c283d9bdaef019a9] mm/sparse.c: do not waste pre allocated memmap space
testing commit 09dbcf422e9b791d2d43cad8c283d9bdaef019a9 with gcc (GCC) 8.1.0
kernel signature: 8a3aab7c68126ef160a4fe783f2c29653b6d8a5c
all runs: OK
# git bisect good 09dbcf422e9b791d2d43cad8c283d9bdaef019a9
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[e36176be1c3920a487681e37158849b9f50189c4] mm/vmalloc: rework vmap_area_lock
testing commit e36176be1c3920a487681e37158849b9f50189c4 with gcc (GCC) 8.1.0
kernel signature: df24d06b8af7f036a4feb676bd56866b37f69dae
all runs: OK
# git bisect good e36176be1c3920a487681e37158849b9f50189c4
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[eafb149ed73a8bb8359c0ce027b98acd4e95b070] fork: support VMAP_STACK with KASAN_VMALLOC
testing commit eafb149ed73a8bb8359c0ce027b98acd4e95b070 with gcc (GCC) 8.1.0
kernel signature: a17a9de00d1915b9137989ebc79d3f92a440a0fb
all runs: OK
# git bisect good eafb149ed73a8bb8359c0ce027b98acd4e95b070
Bisecting: 1 revision left to test after this (roughly 1 step)
[5e27a2df03b8933aa7c1579816ecb6a071bb0e0d] mm/page_alloc: add alloc_contig_pages()
testing commit 5e27a2df03b8933aa7c1579816ecb6a071bb0e0d with gcc (GCC) 8.1.0
kernel signature: d48abb8c3babbeec9f15e8c42ac40328b43de36f
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in compat_copy_entries
# git bisect bad 5e27a2df03b8933aa7c1579816ecb6a071bb0e0d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0609ae011deb41c9629b7f5fd626dfa1ac9d16b0] x86/kasan: support KASAN_VMALLOC
testing commit 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0 with gcc (GCC) 8.1.0
kernel signature: bdd3b79fdb8e97b3a0cda8a619d66690c3de1997
all runs: crashed: KASAN: vmalloc-out-of-bounds Read in compat_copy_entries
# git bisect bad 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0
0609ae011deb41c9629b7f5fd626dfa1ac9d16b0 is the first bad commit
commit 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0
Author: Daniel Axtens <dja@axtens.net>
Date:   Sat Nov 30 17:55:00 2019 -0800

    x86/kasan: support KASAN_VMALLOC
    
    In the case where KASAN directly allocates memory to back vmalloc space,
    don't map the early shadow page over it.
    
    We prepopulate pgds/p4ds for the range that would otherwise be empty.
    This is required to get it synced to hardware on boot, allowing the
    lower levels of the page tables to be filled dynamically.
    
    Link: http://lkml.kernel.org/r/20191031093909.9228-5-dja@axtens.net
    Signed-off-by: Daniel Axtens <dja@axtens.net>
    Acked-by: Dmitry Vyukov <dvyukov@google.com>
    Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Christophe Leroy <christophe.leroy@c-s.fr>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/Kconfig            |  1 +
 arch/x86/mm/kasan_init_64.c | 61 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
culprit signature: bdd3b79fdb8e97b3a0cda8a619d66690c3de1997
parent  signature: a17a9de00d1915b9137989ebc79d3f92a440a0fb
revisions tested: 16, total time: 3h52m38.447535762s (build: 1h49m31.06976795s, test: 2h1m50.80060201s)
first bad commit: 0609ae011deb41c9629b7f5fd626dfa1ac9d16b0 x86/kasan: support KASAN_VMALLOC
cc: ["akpm@linux-foundation.org" "aryabinin@virtuozzo.com" "dja@axtens.net" "dvyukov@google.com" "torvalds@linux-foundation.org"]
crash: KASAN: vmalloc-out-of-bounds Read in compat_copy_entries
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0xdfa/0xfd0 net/bridge/netfilter/ebtables.c:2155
Read of size 4 at addr ffffc900014d61f4 by task syz-executor.2/7981

CPU: 1 PID: 7981 Comm: syz-executor.2 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x58/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:638
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
 compat_copy_entries+0xdfa/0xfd0 net/bridge/netfilter/ebtables.c:2155
 compat_do_replace+0x2c8/0x530 net/bridge/netfilter/ebtables.c:2249
 compat_do_ebt_set_ctl+0x18b/0x1c5 net/bridge/netfilter/ebtables.c:2333
 compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
 compat_nf_setsockopt+0x68/0x100 net/netfilter/nf_sockopt.c:156
 compat_ip_setsockopt+0x65/0xa0 net/ipv4/ip_sockglue.c:1286
 compat_udp_setsockopt+0x16/0x30 net/ipv4/udp.c:2649
 compat_sock_common_setsockopt+0x82/0x160 net/core/sock.c:3160
 __compat_sys_setsockopt+0x131/0x2a0 net/compat.c:384
 __do_compat_sys_setsockopt net/compat.c:397 [inline]
 __se_compat_sys_setsockopt net/compat.c:394 [inline]
 __ia32_compat_sys_setsockopt+0xb8/0x140 net/compat.c:394
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x235/0xb68 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f54a09
Code: 00 00 00 89 d3 eb dd b8 80 96 98 00 eb c7 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f7f500cc EFLAGS: 00000296 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000080 RSI: 0000000020000240 RDI: 0000000000000212
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc900014d6080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900014d6100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900014d6180: 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
                                                             ^
 ffffc900014d6200: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc900014d6280: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================