ci starts bisection 2022-08-22 21:49:22.903366763 +0000 UTC m=+280069.539401173 bisecting fixing commit since 3f667b5d4053ad54aee13dab5c94f04ff75ddfdf building syzkaller on 44068e196185e2f5a7c94629b6245cdde008b140 testing commit 3f667b5d4053ad54aee13dab5c94f04ff75ddfdf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 744602bfb222fe11225906746effb2aacff1282c5462dd91e94efff3004833ae all runs: crashed: KASAN: slab-out-of-bounds Read in __htab_map_lookup_and_delete_batch testing current HEAD 072e51356cd5a4a1c12c1020bc054c99b98333df testing commit 072e51356cd5a4a1c12c1020bc054c99b98333df compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f9ec33195b5ce0574e5575dc18adacddc4a3a3c7eca2ad122c9ade42c999df87 all runs: crashed: KASAN: slab-out-of-bounds Read in __htab_map_lookup_and_delete_batch revisions tested: 2, total time: 22m1.418835832s (build: 13m45.377842058s, test: 7m20.953639544s) the crash still reproduces on HEAD (072e51356cd5a4a1c12c1020bc054c99b98333df), so this fix-bisection found no fixing commit in the tested range and the bug should be treated as still open at that HEAD. commit msg: Merge tag 'nfs-for-5.20-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs crash: KASAN: slab-out-of-bounds Read in __htab_map_lookup_and_delete_batch ================================================================== BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user include/linux/instrumented.h:118 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user lib/usercopy.c:32 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x9c/0xc0 lib/usercopy.c:26 Read of size 42 at addr ffff888073e60100 by task syz-executor.1/4238 CPU: 0 PID: 4238 Comm: syz-executor.1 Not tainted 6.0.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 
check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_copy_to_user include/linux/instrumented.h:118 [inline] _copy_to_user lib/usercopy.c:32 [inline] _copy_to_user+0x9c/0xc0 lib/usercopy.c:26 copy_to_user include/linux/uaccess.h:160 [inline] __htab_map_lookup_and_delete_batch+0xaa4/0x1810 kernel/bpf/hashtab.c:1805 bpf_map_do_batch+0x1f5/0x420 kernel/bpf/syscall.c:4497 __sys_bpf+0x1d84/0x4e30 kernel/bpf/syscall.c:5013 __do_sys_bpf kernel/bpf/syscall.c:5057 [inline] __se_sys_bpf kernel/bpf/syscall.c:5055 [inline] __x64_sys_bpf+0x70/0xb0 kernel/bpf/syscall.c:5055 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ffb54088e99 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffb5510e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007ffb5419c030 RCX: 00007ffb54088e99 RDX: 0000000000000038 RSI: 0000000020000080 RDI: 0000000000000019 RBP: 00007ffb540e2ff1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffff00ae13f R14: 00007ffb5510e300 R15: 0000000000022000 Allocated by task 4238: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:437 [inline] ____kasan_kmalloc mm/kasan/common.c:516 [inline] ____kasan_kmalloc mm/kasan/common.c:475 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525 kvmalloc include/linux/slab.h:750 [inline] kvmalloc_array include/linux/slab.h:768 [inline] __htab_map_lookup_and_delete_batch+0x46b/0x1810 kernel/bpf/hashtab.c:1676 bpf_map_do_batch+0x1f5/0x420 kernel/bpf/syscall.c:4497 __sys_bpf+0x1d84/0x4e30 kernel/bpf/syscall.c:5013 __do_sys_bpf 
kernel/bpf/syscall.c:5057 [inline] __se_sys_bpf kernel/bpf/syscall.c:5055 [inline] __x64_sys_bpf+0x70/0xb0 kernel/bpf/syscall.c:5055 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff888073e60100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888073e60100, ffff888073e60140) The buggy address belongs to the physical page: page:ffffea0001cf9800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73e60 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0000908780 dead000000000002 ffff888010041640 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 4071, tgid 4071 (syz-executor.2), ts 62503049127, free_ts 62491282925 prep_new_page mm/page_alloc.c:2532 [inline] get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515 alloc_slab_page mm/slub.c:1824 [inline] allocate_slab+0x27e/0x3d0 mm/slub.c:1969 new_slab mm/slub.c:2029 [inline] ___slab_alloc+0x7f1/0xe00 mm/slub.c:3031 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118 slab_alloc_node mm/slub.c:3209 [inline] slab_alloc mm/slub.c:3251 [inline] kmem_cache_alloc_trace+0x323/0x3e0 mm/slub.c:3282 kmalloc include/linux/slab.h:600 [inline] __netdev_adjacent_dev_insert+0x1ac/0x960 net/core/dev.c:7482 __netdev_adjacent_dev_link_lists net/core/dev.c:7579 [inline] __netdev_adjacent_dev_link_neighbour net/core/dev.c:7603 [inline] __netdev_upper_dev_link+0x2ec/0x700 net/core/dev.c:7663 netdev_upper_dev_link+0x70/0xa0 net/core/dev.c:7709 macsec_newlink+0x6ee/0x1820 drivers/net/macsec.c:4106 rtnl_newlink_create 
net/core/rtnetlink.c:3363 [inline] __rtnl_newlink+0xd70/0x14c0 net/core/rtnetlink.c:3580 rtnl_newlink+0x5a/0x90 net/core/rtnetlink.c:3593 rtnetlink_rcv_msg+0x32d/0x9a0 net/core/rtnetlink.c:6090 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2501 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x433/0x710 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x782/0xc30 net/netlink/af_netlink.c:1921 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1449 [inline] free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499 free_unref_page_prepare mm/page_alloc.c:3380 [inline] free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2548 qlink_free mm/kasan/quarantine.c:168 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:727 [inline] slab_alloc_node mm/slub.c:3243 [inline] slab_alloc mm/slub.c:3251 [inline] kmem_cache_alloc_trace+0x2c0/0x3e0 mm/slub.c:3282 kmalloc include/linux/slab.h:600 [inline] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:643 [inline] netdevice_event+0x16a/0x7c0 drivers/infiniband/core/roce_gid_mgmt.c:802 notifier_call_chain+0x94/0x170 kernel/notifier.c:87 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] register_netdevice+0xe13/0x13f0 net/core/dev.c:10103 veth_newlink+0x2c0/0x820 drivers/net/veth.c:1764 rtnl_newlink_create net/core/rtnetlink.c:3363 [inline] __rtnl_newlink+0xd70/0x14c0 net/core/rtnetlink.c:3580 rtnl_newlink+0x5a/0x90 net/core/rtnetlink.c:3593 rtnetlink_rcv_msg+0x32d/0x9a0 net/core/rtnetlink.c:6090 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2501 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] 
netlink_unicast+0x433/0x710 net/netlink/af_netlink.c:1345 Memory state around the buggy address:
ffff888073e60000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888073e60080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff888073e60100: 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc fc
                   ^
ffff888073e60180: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888073e60200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================
Reading the shadow row marked with ">": the pattern "00 00 00 00 03 fc ..." means the object at ffff888073e60100 has 4 x 8 + 3 = 35 addressable bytes before the redzone (fc), even though it sits in a 64-byte kmalloc-64 slot. The report's "Read of size 42" from copy_to_user at kernel/bpf/hashtab.c:1805 therefore overruns the buffer allocated via kvmalloc_array at kernel/bpf/hashtab.c:1676 by 7 bytes; the copy length and the allocation size disagree, and which side is wrong cannot be determined from this report alone. Note also that the page_owner "last allocated" (macsec, pid 4071) and "last free" (roce_gid_mgmt) stacks describe the backing slab page, not the overrun object; the allocation relevant to the bug is the one attributed to task 4238 above.