bisecting cause commit starting from 0b6b8a3dd86db78c3f38587d667d77065c75e4f8 building syzkaller on 04cbdbd1ae105f4d9f11fda99b588168cec2b3a8 testing commit 0b6b8a3dd86db78c3f38587d667d77065c75e4f8 with gcc (GCC) 8.1.0 kernel signature: 017a4c74099a3f8b6ec901ad24cef05d42f6925c all runs: crashed: KASAN: stack-out-of-bounds Read in update_stack_state testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 kernel signature: 6937d408eb724127e88b5ab3e34a88713c0768fb all runs: crashed: KASAN: stack-out-of-bounds Read in update_stack_state testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 kernel signature: 02aa397d6a108ab4bfb5737ceafe34e01c7b6faf all runs: OK # git bisect start d8a5b80568a9cb66810e75b182018e9edb68e8ff bebc6082da0a9f5d47a1ea2edc099bf671058bd4 Bisecting: 8497 revisions left to test after this (roughly 13 steps) [5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a] Merge tag 'media/v4.15-1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a with gcc (GCC) 8.1.0 kernel signature: b6aaa679a44478504d578680dd5ebb06ff6992ee run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #2: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a Bisecting: 3900 revisions left to test after this (roughly 12 steps) [f6705bf959efac87bca76d40050d342f1d212587] Merge tag 'drm-for-v4.15-amd-dc' of git://people.freedesktop.org/~airlied/linux testing commit f6705bf959efac87bca76d40050d342f1d212587 with gcc (GCC) 8.1.0 kernel signature: 8934dcdfc96809c32a6f7e8ad312e33e2a60349a all runs: OK # git bisect good f6705bf959efac87bca76d40050d342f1d212587 Bisecting: 1936 revisions left to test after this (roughly 11 steps) [4066aa72f9f2886105c6f747d7f9bd4f14f53c12] Merge tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux testing commit 4066aa72f9f2886105c6f747d7f9bd4f14f53c12 with gcc (GCC) 8.1.0 kernel signature: 5820b29ede86c30cffa4c0286ebfe10d4151b8a2 all runs: crashed: KASAN: stack-out-of-bounds Read in update_stack_state # git bisect bad 4066aa72f9f2886105c6f747d7f9bd4f14f53c12 Bisecting: 981 revisions left to test after this (roughly 10 steps) [3d18cbb7fd0cfdf0b2ca18139950a4b0c1a0a220] rxrpc: Fix conn expiry timers testing commit 3d18cbb7fd0cfdf0b2ca18139950a4b0c1a0a220 with gcc (GCC) 8.1.0 kernel signature: fdb1773b46ef02a987ce1788d95038222e3fcc47 all runs: crashed: KASAN: stack-out-of-bounds Read in update_stack_state # git bisect bad 3d18cbb7fd0cfdf0b2ca18139950a4b0c1a0a220 Bisecting: 508 revisions left to test after this (roughly 9 steps) [c131187db2d3fa2f8bf32fdf4e9a4ef805168467] bpf: fix branch pruning logic testing commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 with gcc (GCC) 8.1.0 kernel signature: 53946682f2dca4694699102a12b719e1603effaa all runs: crashed: KASAN: stack-out-of-bounds Read in update_stack_state # git bisect bad c131187db2d3fa2f8bf32fdf4e9a4ef805168467 Bisecting: 272 revisions left to test after this (roughly 8 steps) [2ce079f04d5914dae14fdc8618f804cc0d2a1b8f] Merge tag 'kbuild-misc-v4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit 2ce079f04d5914dae14fdc8618f804cc0d2a1b8f with gcc (GCC) 8.1.0 kernel signature: fafcada3cb42b1a11038753dc6af5a2422d0a41a all runs: crashed: KASAN: stack-out-of-bounds Read in update_stack_state # git bisect bad 2ce079f04d5914dae14fdc8618f804cc0d2a1b8f Bisecting: 105 revisions left to test after this (roughly 7 steps) [d1b069f5febc850556cf49e9bb9092d3179c5be5] EXPERT Kconfig menu: fix broken EXPERT menu testing commit d1b069f5febc850556cf49e9bb9092d3179c5be5 with gcc (GCC) 8.1.0 kernel signature: 50c619b6ea610da599e6fe5eb899ab35f04c007b all runs: OK # git bisect good d1b069f5febc850556cf49e9bb9092d3179c5be5 Bisecting: 52 revisions left to test after this (roughly 6 steps) [2dcd9c71c1ffa9a036e09047f60e08383bb0abb6] Merge tag 'trace-v4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 2dcd9c71c1ffa9a036e09047f60e08383bb0abb6 with gcc (GCC) 8.1.0 kernel signature: a90b44a120db7f665dc40625d5e1c57fc9bb26eb all runs: crashed: KASAN: stack-out-of-bounds Read in update_stack_state # git bisect bad 2dcd9c71c1ffa9a036e09047f60e08383bb0abb6 Bisecting: 26 revisions left to test after this (roughly 5 steps) [466c81c45b650deca213fda3d0ec4761667379a9] perf/ftrace: Fix function trace events testing commit 466c81c45b650deca213fda3d0ec4761667379a9 with gcc (GCC) 8.1.0 kernel signature: 3b2f3072bfe1657276ea187cfc5dd6d2dd42de4a run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 466c81c45b650deca213fda3d0ec4761667379a9 Bisecting: 13 revisions left to test after this (roughly 4 steps) [7d33d2b5b8581ed9f7b2ad93156cde223df718dc] selftests: memfd_test.c: fix compilation warning. testing commit 7d33d2b5b8581ed9f7b2ad93156cde223df718dc with gcc (GCC) 8.1.0 kernel signature: af7ca263fe2d63d1ba1d68f318bf859c32e0f448 run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 7d33d2b5b8581ed9f7b2ad93156cde223df718dc Bisecting: 7 revisions left to test after this (roughly 3 steps) [190b10367b0d311f68dc71e40b254fd4427affc2] Merge tag 'acpi-fix-4.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 190b10367b0d311f68dc71e40b254fd4427affc2 with gcc (GCC) 8.1.0 kernel signature: 9f2b88c6cb03882c3151e3d53112cb3deff43920 run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 190b10367b0d311f68dc71e40b254fd4427affc2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [a96a5037ed0f52e2d86739f4a1ef985bd036e575] tracing, thermal: Hide cpu cooling trace events when not in use testing commit a96a5037ed0f52e2d86739f4a1ef985bd036e575 with gcc (GCC) 8.1.0 kernel signature: de38e978d29a6d63805b63011c1d996672704ea9 all runs: OK # git bisect good a96a5037ed0f52e2d86739f4a1ef985bd036e575 Bisecting: 1 revision left to test after this (roughly 1 step) [c3e0d179bff503cd56758579a2c33216b40b9b7b] selftests: firmware: skip unsupported custom firmware fallback tests testing commit c3e0d179bff503cd56758579a2c33216b40b9b7b with gcc (GCC) 8.1.0 kernel signature: 907e99bd1b1cfb17b887645ade4fe50b287d0bb9 all runs: OK # git bisect good c3e0d179bff503cd56758579a2c33216b40b9b7b Bisecting: 0 revisions left to test after this (roughly 0 steps) [b1c2a344cc19b40d2f1e7cbd9c2f4f205ae6d650] Merge tag 'linux-kselftest-4.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest testing commit b1c2a344cc19b40d2f1e7cbd9c2f4f205ae6d650 with gcc (GCC) 8.1.0 kernel signature: 1c55180c2df4ac8ebc19f2f24209a36ed4e065c8 all runs: OK # git bisect good b1c2a344cc19b40d2f1e7cbd9c2f4f205ae6d650 2dcd9c71c1ffa9a036e09047f60e08383bb0abb6 is the first bad commit commit 2dcd9c71c1ffa9a036e09047f60e08383bb0abb6 Merge: b1c2a344cc19 a96a5037ed0f Author: Linus Torvalds Date: Fri Nov 17 14:58:01 2017 -0800 Merge tag 'trace-v4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing updates from - allow module init functions to be traced - clean up some unused or not used by config events (saves space) - clean up of trace histogram code - add support for preempt and interrupt enabled/disable events - other various clean ups * tag 'trace-v4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: (30 commits) tracing, thermal: Hide cpu cooling trace events when not in use tracing, thermal: Hide devfreq trace events when not in use ftrace: Kill FTRACE_OPS_FL_PER_CPU perf/ftrace: Small cleanup perf/ftrace: Fix function trace events perf/ftrace: Revert ("perf/ftrace: Fix double traces of perf on ftrace:function") tracing, dma-buf: Remove unused trace event dma_fence_annotate_wait_on tracing, memcg, vmscan: Hide trace events when not in use tracing/xen: Hide events that are not used when X86_PAE is not defined tracing: mark trace_test_buffer as __maybe_unused printk: Remove superfluous memory barriers from printk_safe ftrace: Clear hashes of stale ips of init memory tracing: Add support for preempt and irq enable/disable events tracing: Prepare to add preempt and irq trace events ftrace/kallsyms: Have /proc/kallsyms show saved mod init functions ftrace: Add freeing algorithm to free ftrace_mod_maps ftrace: Save module init functions kallsyms symbols for tracing ftrace: Allow module init functions to be traced ftrace: Add a ftrace_free_mem() function for modules to use tracing: Reimplement log2 ... drivers/dma-buf/dma-fence.c | 1 - include/linux/ftrace.h | 113 +++++------- include/linux/init.h | 4 +- include/linux/perf_event.h | 2 +- include/linux/trace_events.h | 9 +- include/trace/events/dma_fence.h | 40 ----- include/trace/events/preemptirq.h | 70 ++++++++ include/trace/events/thermal.h | 4 + include/trace/events/vmscan.h | 4 + include/trace/events/xen.h | 35 ++-- kernel/events/core.c | 13 +- kernel/kallsyms.c | 43 ++++- kernel/module.c | 2 + kernel/printk/printk_safe.c | 15 +- kernel/trace/Kconfig | 11 ++ kernel/trace/Makefile | 1 + kernel/trace/ftrace.c | 354 ++++++++++++++++++++++++++++++++------ kernel/trace/ring_buffer.c | 64 ++----- kernel/trace/trace.c | 91 ++++++++++ kernel/trace/trace.h | 9 +- kernel/trace/trace_event_perf.c | 82 +++++---- kernel/trace/trace_events.c | 31 ++-- kernel/trace/trace_events_hist.c | 128 +++++++++----- kernel/trace/trace_irqsoff.c | 133 +++++++++++--- kernel/trace/trace_kprobe.c | 22 +-- kernel/trace/trace_probe.c | 86 --------- kernel/trace/trace_probe.h | 7 - kernel/trace/trace_selftest.c | 34 +--- kernel/trace/trace_syscalls.c | 4 +- kernel/trace/trace_uprobe.c | 4 +- kernel/trace/tracing_map.c | 3 +- kernel/trace/tracing_map.h | 2 +- 32 files changed, 903 insertions(+), 518 deletions(-) create mode 100644 include/trace/events/preemptirq.h revisions tested: 17, total time: 3h16m34.734552084s (build: 1h2m55.023988091s, test: 2h8m35.473232438s) first bad commit: 2dcd9c71c1ffa9a036e09047f60e08383bb0abb6 Merge tag 'trace-v4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace cc: ["linux-kernel@vger.kernel.org" "mingo@redhat.com" "rostedt@goodmis.org" "torvalds@linux-foundation.org"] crash: KASAN: stack-out-of-bounds Read in update_stack_state IPVS: ftp: loaded support on port[0] = 21 IPVS: ftp: loaded support on port[0] = 21 ================================================================== BUG: KASAN: stack-out-of-bounds in __read_once_size include/linux/compiler.h:178 [inline] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x5d9/0x670 arch/x86/kernel/unwind_frame.c:270 Read of size 8 at addr ffff8801d8266a18 by task syz-executor1/3788 CPU: 0 PID: 3788 Comm: syz-executor1 Not tainted 4.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x145/0x1f0 lib/dump_stack.c:53 print_address_description+0x6c/0x20b mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report.cold.7+0x11a/0x2d3 mm/kasan/report.c:409 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 __read_once_size include/linux/compiler.h:178 [inline] update_stack_state+0x5d9/0x670 arch/x86/kernel/unwind_frame.c:270 __unwind_start+0xf9/0x330 arch/x86/kernel/unwind_frame.c:404 unwind_start arch/x86/include/asm/unwind.h:51 [inline] perf_callchain_kernel+0x23f/0x5a0 arch/x86/events/core.c:2350 get_perf_callchain+0x436/0xe10 kernel/events/callchain.c:220 perf_callchain+0x125/0x170 kernel/events/callchain.c:193 perf_prepare_sample+0xdb6/0x1940 kernel/events/core.c:6004 __perf_event_output kernel/events/core.c:6120 [inline] perf_event_output_forward+0xdb/0x210 kernel/events/core.c:6138 __perf_event_overflow+0x1f1/0x4d0 kernel/events/core.c:7370 perf_swevent_overflow+0x1e9/0x310 kernel/events/core.c:7446 perf_swevent_event+0x15e/0x2f0 kernel/events/core.c:7474 do_perf_sw_event kernel/events/core.c:7587 [inline] ___perf_sw_event+0x3e5/0x620 kernel/events/core.c:7618 perf_sw_event_sched include/linux/perf_event.h:1043 [inline] perf_event_task_sched_out include/linux/perf_event.h:1081 [inline] prepare_task_switch kernel/sched/core.c:2592 [inline] context_switch kernel/sched/core.c:2764 [inline] __schedule+0xff3/0x1f70 kernel/sched/core.c:3375 schedule+0xef/0x430 kernel/sched/core.c:3434 freezable_schedule include/linux/freezer.h:172 [inline] futex_wait_queue_me+0x3ce/0x850 kernel/futex.c:2494 futex_wait+0x3e7/0x930 kernel/futex.c:2609 do_futex+0x8b1/0x2620 kernel/futex.c:3491 SYSC_futex kernel/futex.c:3551 [inline] SyS_futex+0xf0/0x3e7 kernel/futex.c:3519 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x453ef9 RSP: 002b:00007f97d0f81ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: ffffffffffffffda RBX: 000000000072bec8 RCX: 0000000000453ef9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bec8 RBP: 0000000000000086 R08: 0000000000000000 R09: 000000000072bea0 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc823a31df R14: 00007f97d0f829c0 R15: 0000000000000000 The buggy address belongs to the page: page:ffffea0007609980 count:0 mapcount:0 mapping: (null) index:0xffff8801d8266980 flags: 0x2fffc0000000000() raw: 02fffc0000000000 0000000000000000 ffff8801d8266980 00000000ffffffff raw: 0000000000000000 dead000000000200 ffff8801dac00dc0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d8266900: 00 00 00 00 00 00 f2 f3 f3 f3 f3 00 00 00 00 00 ffff8801d8266980: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 >ffff8801d8266a00: f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 00 ^ ffff8801d8266a80: 00 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 ffff8801d8266b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 ==================================================================