ci starts bisection 2023-07-22 15:33:41.346456559 +0000 UTC m=+63125.634891691
bisecting cause commit starting from d192f5382581d972c4ae1b4d72e0b59b34cadeb9
building syzkaller on 27cbe77f4f2a8de98c3d540ef77796263555fe6b
ensuring issue is reproducible on original commit d192f5382581d972c4ae1b4d72e0b59b34cadeb9
testing commit d192f5382581d972c4ae1b4d72e0b59b34cadeb9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e061a8bf4784318087d43f97fecc7b9a173c917856370a1775ac28ae656ec0e2
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit d192f5382581d972c4ae1b4d72e0b59b34cadeb9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 77628a9e3a5ff0ad6cfd5f4768b3a483c25b2a309ade71e616482914523b36f8
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
kconfig minimization: base=3876 full=7645 leaves diff=1998
split chunks (needed=false): <1998>
split chunk #0 of len 1998 into 5 parts
testing without sub-chunk 1/5
testing commit d192f5382581d972c4ae1b4d72e0b59b34cadeb9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b1ad0386bd55ef7e01dd91d0a41664bfde1e249733fc082d412b6ac516686136
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
testing commit d192f5382581d972c4ae1b4d72e0b59b34cadeb9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6d356dc8337ab860735ea4c9449ec47f793cf4e9320c7821c387a3bda96762b1
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
testing commit d192f5382581d972c4ae1b4d72e0b59b34cadeb9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8026c8925b8f81dfcd586a06640d9cf88e8282c28f4798fa4bb78df9bd788a00
all runs: OK
false negative chance: 0.000
testing without sub-chunk 4/5
testing commit d192f5382581d972c4ae1b4d72e0b59b34cadeb9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5fccfd8ba0675201f14be3239343aaede5f50b9d1924bad08dfa2eafdad5d8f3
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
testing commit d192f5382581d972c4ae1b4d72e0b59b34cadeb9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 48b310619ad526a821bd882605b54f6aa6cc421e23e9b2a82d14e4b9daa04029
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
the chunk can be dropped
minimized to 400 configs; suspects: [AX25 BRIDGE BRIDGE_NETFILTER CAN CFG80211 CHECKPOINT_RESTORE DVB_CORE FB FSCACHE HAMRADIO HSR INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_USER_ACCESS INPUT_JOYSTICK INPUT_MOUSE IP6_NF_RAW IPV6_MULTIPLE_TABLES IP_NF_RAW IP_SET IP_VS IP_VS_OVF IP_VS_PE_SIP IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_PROTO_UDP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS
IP_VS_WLC IP_VS_WRR IRQ_BYPASS_MANAGER IRQ_POLL IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TTUSBIR ISDN ISDN_CAPI_MIDDLEWARE JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS KEY_NOTIFICATIONS KSM KVM KVM_AMD KVM_ASYNC_PF KVM_COMPAT KVM_GENERIC_DIRTYLOG_READ_PROTECT KVM_GENERIC_HARDWARE_ENABLING KVM_MMIO KVM_VFIO KVM_XEN KVM_XFER_TO_GUEST_WORK L2TP L2TP_ETH L2TP_IP L2TP_V3 LAPB LAPBETHER LDM_PARTITION LEDS_TRIGGER_AUDIO LEGACY_PTYS LIBCRC32C LIBNVDIMM LINEAR_RANGES LLC LLC2 LOGIG940_FF LOGIRUMBLEPAD2_FF LOGO LOGO_LINUX_MONO LOGO_LINUX_VGA16 LPC_ICH LWTUNNEL LWTUNNEL_BPF LZ4HC_COMPRESS LZ4_COMPRESS MAC80211 MAC80211_DEBUGFS MAC80211_HAS_RC MAC80211_HWSIM MAC80211_MESH MAC80211_RC_DEFAULT_MINSTREL MAC80211_RC_MINSTREL MACSEC MACVLAN MACVTAP MAC_PARTITION MAPPING_DIRTY_HELPERS MD_LINEAR MD_MULTIPATH MD_RAID0 MD_RAID1 MD_RAID10 MD_RAID456 MEDIA_ANALOG_TV_SUPPORT MEDIA_ATTACH MEDIA_CONTROLLER MEDIA_CONTROLLER_DVB MEDIA_CONTROLLER_REQUEST_API MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_SUPPORT_FILTER MEDIA_TUNER MEDIA_TUNER_MSI001 MEMORY_BALLOON MEMORY_HOTPLUG MEMORY_HOTPLUG_DEFAULT_ONLINE MEMORY_ISOLATION MEMREGION MEMSTICK MEMSTICK_REALTEK_USB MEM_SOFT_DIRTY MFD_CORE MFD_SYSCON MHI_BUS MHI_WWAN_CTRL MHP_MEMMAP_ON_MEMORY MICROCHIP_PHY MINIX_FS MINIX_SUBPARTITION MISC_RTSX MISC_RTSX_USB MISDN MISDN_DSP MISDN_HFCUSB MISDN_L1OIP MKISS MLX4_CORE MLX4_INFINIBAND MMC MMC_REALTEK_USB MMC_USHC MMC_VUB300 MMU_NOTIFIER MODULE_SRCVERSION_ALL MODVERSIONS MOST MOUSE_APPLETOUCH MOUSE_BCM5974 MOUSE_PS2 MOUSE_PS2_ALPS MOUSE_PS2_BYD MOUSE_PS2_CYPRESS 
MOUSE_PS2_FOCALTECH MOUSE_PS2_LIFEBOOK MOUSE_PS2_LOGIPS2PP MOUSE_PS2_SMBUS MOUSE_PS2_SYNAPTICS MOUSE_PS2_SYNAPTICS_SMBUS MOUSE_PS2_TRACKPOINT MOUSE_SYNAPTICS_USB MPLS MPLS_IPTUNNEL MPLS_ROUTING MPTCP MPTCP_IPV6 MRP MTD MTD_BLKDEVS MTD_BLOCK MTD_BLOCK2MTD MTD_CFI_I1 MTD_CFI_I2 MTD_MAP_BANK_WIDTH_1 MTD_MAP_BANK_WIDTH_2 MTD_MAP_BANK_WIDTH_4 MTD_MTDRAM MTD_PHRAM MTD_SLRAM MUSB_PIO_ONLY ND_BTT ND_CLAIM ND_PFN NETDEVSIM NETFILTER_ADVANCED NETFILTER_BPF_LINK NETFILTER_FAMILY_ARP NETFILTER_FAMILY_BRIDGE NETFILTER_NETLINK_ACCT NETFILTER_NETLINK_GLUE_CT NETFILTER_NETLINK_OSF NETFILTER_NETLINK_QUEUE NETFILTER_SYNPROXY NETFILTER_XTABLES_COMPAT NETFILTER_XT_CONNMARK NETFILTER_XT_MATCH_BPF NETFILTER_XT_MATCH_CGROUP NETFILTER_XT_MATCH_CLUSTER NETFILTER_XT_MATCH_COMMENT NETFILTER_XT_MATCH_CONNBYTES NETFILTER_XT_MATCH_CONNLABEL NETFILTER_XT_MATCH_CONNLIMIT NETFILTER_XT_MATCH_CONNMARK NETFILTER_XT_MATCH_CPU NETFILTER_XT_MATCH_DCCP NETFILTER_XT_MATCH_DEVGROUP NETFILTER_XT_MATCH_DSCP NETFILTER_XT_MATCH_ECN NETFILTER_XT_MATCH_ESP NETFILTER_XT_MATCH_HASHLIMIT NETFILTER_XT_MATCH_HELPER NETFILTER_XT_MATCH_HL NETFILTER_XT_MATCH_IPCOMP NETFILTER_XT_MATCH_IPRANGE NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MATCH_L2TP NETFILTER_XT_MATCH_LENGTH NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_MAC NETFILTER_XT_MATCH_MARK NETFILTER_XT_MATCH_MULTIPORT NETFILTER_XT_MATCH_NFACCT NETFILTER_XT_MATCH_OSF NETFILTER_XT_MATCH_OWNER NETFILTER_XT_MATCH_PHYSDEV NETFILTER_XT_MATCH_PKTTYPE NETFILTER_XT_MATCH_QUOTA NETFILTER_XT_MATCH_RATEEST NETFILTER_XT_MATCH_REALM NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_SCTP NETFILTER_XT_MATCH_SOCKET NETFILTER_XT_MATCH_STATISTIC NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_TCPMSS NETFILTER_XT_MATCH_TIME NETFILTER_XT_MATCH_U32 NETFILTER_XT_SET NETFILTER_XT_TARGET_AUDIT NETFILTER_XT_TARGET_CHECKSUM NETFILTER_XT_TARGET_CLASSIFY NETFILTER_XT_TARGET_CONNMARK NETFILTER_XT_TARGET_CT NETFILTER_XT_TARGET_DSCP NETFILTER_XT_TARGET_HL NETFILTER_XT_TARGET_HMARK NETFILTER_XT_TARGET_IDLETIMER 
NETFILTER_XT_TARGET_LED NETFILTER_XT_TARGET_MARK NETFILTER_XT_TARGET_NETMAP NETFILTER_XT_TARGET_NFQUEUE NETFILTER_XT_TARGET_NOTRACK NETFILTER_XT_TARGET_RATEEST NETFILTER_XT_TARGET_REDIRECT NETFILTER_XT_TARGET_TCPOPTSTRIP NETFILTER_XT_TARGET_TEE NETFILTER_XT_TARGET_TPROXY NETFILTER_XT_TARGET_TRACE NETLINK_DIAG NETROM NET_9P_RDMA NET_ACT_BPF NET_ACT_CONNMARK NET_ACT_CSUM NET_ACT_CT NET_ACT_CTINFO NET_ACT_GATE NET_ACT_IFE NET_ACT_IPT NET_ACT_MPLS NET_ACT_NAT NET_ACT_PEDIT NET_ACT_POLICE NET_ACT_SAMPLE NET_ACT_SIMP NET_ACT_SKBEDIT NET_ACT_SKBMOD NET_ACT_TUNNEL_KEY NET_ACT_VLAN NET_CLS_BASIC NET_CLS_BPF NET_CLS_FLOW NET_CLS_FLOWER NET_CLS_FW NET_CLS_MATCHALL NET_CLS_ROUTE4 NET_DEVLINK NET_DROP_MONITOR NET_DSA NET_DSA_TAG_BRCM NET_DSA_TAG_BRCM_COMMON NET_DSA_TAG_BRCM_PREPEND NET_DSA_TAG_MTK NET_DSA_TAG_QCA NET_DSA_TAG_RTL4_A NET_EMATCH_CANID NET_EMATCH_CMP NET_EMATCH_IPSET NET_EMATCH_IPT NET_EMATCH_META NET_EMATCH_NBYTE NET_EMATCH_TEXT NET_EMATCH_U32 NET_FC NET_FOU NET_FOU_IP_TUNNELS NET_IFE NET_IFE_SKBMARK NET_IFE_SKBPRIO NET_IFE_SKBTCINDEX NET_IPGRE NET_IPGRE_BROADCAST NET_IPGRE_DEMUX NET_IPIP NET_IPVTI NET_KEY NET_KEY_MIGRATE NET_L3_MASTER_DEV NET_MPLS_GSO NET_NCSI NET_NSH NET_REDIRECT NET_SCH_CAKE NET_SCH_CBS NET_SCH_CHOKE NET_SCH_CODEL NET_SCH_DRR NET_SCH_ETF NET_SCH_ETS NET_SCH_FQ NET_SCH_FQ_CODEL NET_SCH_FQ_PIE NET_SCH_GRED NET_SCH_HFSC NET_SCH_HHF NET_SCH_HTB NET_SCH_INGRESS NET_SCH_MQPRIO NET_SCH_MQPRIO_LIB NET_SCH_MULTIQ NET_SCH_NETEM NET_SCH_PIE NET_SCH_PLUG NET_SCH_PRIO NET_SCH_QFQ NET_SCH_RED NET_SCH_SFB NET_SCH_SFQ NET_SCH_SKBPRIO NET_SCH_TAPRIO NET_SCH_TBF NET_SCH_TEQL NET_SOCK_MSG NET_SWITCHDEV NET_TC_SKB_EXT NET_TEAM NET_TEAM_MODE_ACTIVEBACKUP NET_TEAM_MODE_BROADCAST NET_TEAM_MODE_LOADBALANCE NET_TEAM_MODE_RANDOM NET_TEAM_MODE_ROUNDROBIN NET_UDP_TUNNEL NET_VRF NFC NFC_DIGITAL NFC_FDP NFC_HCI NFC_MRVL NFC_MRVL_USB NFC_NCI NFC_NCI_UART NFC_PN533 NFC_PN533_USB NFC_PORT100 NFC_SHDLC NFC_SIM NFC_VIRTUAL_NCI NFSD NFSD_BLOCKLAYOUT NFSD_FLEXFILELAYOUT NFSD_PNFS 
NFSD_SCSILAYOUT NFSD_V3_ACL NFSD_V4 NFSD_V4_2_INTER_SSC NFSD_V4_SECURITY_LABEL NFS_FSCACHE NFS_V4_1 NFS_V4_2 NFS_V4_2_READ_PLUS NFS_V4_2_SSC_HELPER NFS_V4_SECURITY_LABEL NFT_BRIDGE_META NFT_BRIDGE_REJECT NFT_COMPAT NFT_CONNLIMIT NFT_CT NFT_DUP_IPV4 NFT_DUP_IPV6 NFT_DUP_NETDEV NFT_FIB NFT_FIB_INET NFT_FIB_IPV4 NFT_FIB_IPV6 NFT_FIB_NETDEV NFT_FLOW_OFFLOAD NFT_HASH NFT_LIMIT NFT_LOG NFT_MASQ NFT_NAT NFT_NUMGEN NFT_OSF NFT_QUEUE NFT_QUOTA NFT_REDIR NFT_REJECT NFT_REJECT_INET NFT_REJECT_IPV4 NFT_REJECT_IPV6 NFT_REJECT_NETDEV NFT_SOCKET NFT_SYNPROXY NFT_TPROXY NFT_TUNNEL NFT_XFRM NF_CONNTRACK_AMANDA NF_CONNTRACK_BRIDGE NF_CONNTRACK_BROADCAST NF_CONNTRACK_EVENTS NF_CONNTRACK_H323 NF_CONNTRACK_LABELS NF_CONNTRACK_MARK NF_CONNTRACK_NETBIOS_NS NF_CONNTRACK_OVS NF_CONNTRACK_PPTP NF_CONNTRACK_SANE NF_CONNTRACK_SNMP NF_CONNTRACK_TFTP NF_CONNTRACK_TIMEOUT NF_CONNTRACK_TIMESTAMP NF_CONNTRACK_ZONES NF_CT_NETLINK_HELPER NF_CT_NETLINK_TIMEOUT NF_CT_PROTO_DCCP NF_CT_PROTO_GRE NF_CT_PROTO_SCTP NF_CT_PROTO_UDPLITE NF_DUP_IPV4 NF_DUP_IPV6 NF_DUP_NETDEV NF_FLOW_TABLE NF_FLOW_TABLE_INET NF_NAT_AMANDA NF_NAT_H323 NF_NAT_OVS NF_NAT_PPTP NF_NAT_REDIRECT NF_NAT_SNMP_BASIC NF_NAT_TFTP NF_SOCKET_IPV4 NF_SOCKET_IPV6 NF_TABLES NF_TABLES_BRIDGE NF_TABLES_INET NF_TABLES_IPV4 NF_TABLES_IPV6 NF_TABLES_NETDEV PARTITION_ADVANCED PSAMPLE RC_CORE RC_DEVICES RFKILL SPI USB_GADGET USB_MUSB_HDRC VIDEO_DEV WAN WATCH_QUEUE WIRELESS WLAN WWAN X25 X86_X32_ABI]
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing release v6.4
testing commit 6995e2de6891c724bfeb2db33d7b87775f913ad1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2762dc7167e2477f91368c72215fac9704902103af341261b3f6697d16a1342c
all runs: OK
false negative chance: 0.000
# git bisect start d192f5382581d972c4ae1b4d72e0b59b34cadeb9 6995e2de6891c724bfeb2db33d7b87775f913ad1
Bisecting: 6035 revisions left to test after this (roughly 13 steps)
[1b722407a13b7f8658d2e26917791f32805980a2] Merge tag 'drm-next-2023-06-29' of git://anongit.freedesktop.org/drm/drm
testing commit 1b722407a13b7f8658d2e26917791f32805980a2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2211b1f4b0f9ebdf77cf294305c42dd028adb4ef2c1432b89b956f01265916b6
all runs: OK
false negative chance: 0.000
# git bisect good 1b722407a13b7f8658d2e26917791f32805980a2
Bisecting: 3005 revisions left to test after this (roughly 12 steps)
[dfab92f27c600fea3cadc6e2cb39f092024e1fef] Merge tag 'nfs-for-6.5-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
testing commit dfab92f27c600fea3cadc6e2cb39f092024e1fef gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6cec56a92a15c27ac10399cb7bb87d533a5ae02d4c9ff8b7f32f5ee780420027
all runs: OK
false negative chance: 0.000
# git bisect good dfab92f27c600fea3cadc6e2cb39f092024e1fef
Bisecting: 1603 revisions left to test after this (roughly 11 steps)
[2784d74bcc811e9d743398da38552e6f9c73e96b] Merge tag 'trace-tools-v6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
testing commit 2784d74bcc811e9d743398da38552e6f9c73e96b gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 54dd892740c2b0fb99c6189e231e70c7ad00995a5cf70626ebc28517cc6b7d24
all runs: OK
false negative chance: 0.000
# git bisect good 2784d74bcc811e9d743398da38552e6f9c73e96b
Bisecting: 811 revisions left to test after this (roughly 10 steps)
[22dcc7d77fa463914bc2a2fb4580e6d183ca415d] Merge tag 'powerpc-6.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 22dcc7d77fa463914bc2a2fb4580e6d183ca415d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f6e941249b8fee319a9af9b246ec56e520c7397a09a958a5dda81540381de668
all runs: OK
false negative chance: 0.000
# git bisect good 22dcc7d77fa463914bc2a2fb4580e6d183ca415d
Bisecting: 406 revisions left to test after this (roughly 9 steps)
[ec17f16432058e1406c763a81acfc1394578bc8c] Merge tag 'io_uring-6.5-2023-07-14' of git://git.kernel.dk/linux
testing commit ec17f16432058e1406c763a81acfc1394578bc8c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5924048d035eaa2aa9a1e87cd9910b3fe3a071a47193b889033962552757bee3
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
# git bisect bad ec17f16432058e1406c763a81acfc1394578bc8c
Bisecting: 202 revisions left to test after this (roughly 8 steps)
[06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5] Linux 6.5-rc1
testing commit 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ea9baa63bec4a42fbb510818a09d413ed03fe0d56cfe541500b50f081ba92e85
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
# git bisect bad 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5
Bisecting: 119 revisions left to test after this (roughly 7 steps)
[ad8258e87729e4337569c4b7d30cfdd4b299179d] Merge tag 'bitmap-6.5-rc1' of https://github.com/norov/linux
testing commit ad8258e87729e4337569c4b7d30cfdd4b299179d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c875475430c8bd2e7e9aa2a98dced4e2485065794a52e3f158bf19225c5f41d9
all runs: OK
false negative chance: 0.000
# git bisect good ad8258e87729e4337569c4b7d30cfdd4b299179d
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[33313a747e81af9f31d0d45de78c9397fa3655eb] mm: lock newly mapped VMA which can be modified after it becomes visible
testing commit 33313a747e81af9f31d0d45de78c9397fa3655eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ddb0cf1103202c4facd267f1674b6450196a466f4237b05972feef513cff8a93
all runs: OK
false negative chance: 0.000
# git bisect good 33313a747e81af9f31d0d45de78c9397fa3655eb
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[cff068739688791cf7a8f427b7ca6230d798914a] Merge tag 'ntb-6.5' of https://github.com/jonmason/ntb
testing commit cff068739688791cf7a8f427b7ca6230d798914a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e843d4287895497cfb2167755b695ebc3748fe0317c22d06753dfe7a5a5f222f
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
# git bisect bad cff068739688791cf7a8f427b7ca6230d798914a
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[fdb54d96600aafe45951f549866cd6fc1af59954] kasan, slub: fix HW_TAGS zeroing with slub_debug
testing commit fdb54d96600aafe45951f549866cd6fc1af59954 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 589a0f6959a0c5f2ee82be5333a04389579b1df931020929019522670afa7aa8
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
# git bisect bad fdb54d96600aafe45951f549866cd6fc1af59954
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[08bab74ae653b57bb2bfcec7d499bfe7ff0efe4f] squashfs: fix cache race with migration
testing commit 08bab74ae653b57bb2bfcec7d499bfe7ff0efe4f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 116bc0930235cc6fed1e0c6d651918053d11e00a2bdfe5b7853f247162fd1b9e
all runs: OK
false negative chance: 0.000
# git bisect good 08bab74ae653b57bb2bfcec7d499bfe7ff0efe4f
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[0d707cdefb3b7f52d23967e1473d24d591329e13] MAINTAINERS: add linux-next info
testing commit 0d707cdefb3b7f52d23967e1473d24d591329e13 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f63ca77fd40ab35e422591f99a264179fe57e198b4200888d51bc29246bdbb8c
all runs: OK
false negative chance: 0.000
# git bisect good 0d707cdefb3b7f52d23967e1473d24d591329e13
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ddcd91f4cb42fcc833b0a5e00d4e9f034da95249] mailmap: update manpage link
testing commit ddcd91f4cb42fcc833b0a5e00d4e9f034da95249 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d45a076e69880428593c67ee73fe8e3d0560bbb7577ec6fc5e07df5aac2dcfe0
all runs: OK
false negative chance: 0.000
# git bisect good ddcd91f4cb42fcc833b0a5e00d4e9f034da95249
Bisecting: 0 revisions left to test after this (roughly 1 step)
[05c56e7b4319d7f6352f27da876a1acdc8fa5cc4] kasan: fix type cast in memory_is_poisoned_n
testing commit 05c56e7b4319d7f6352f27da876a1acdc8fa5cc4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 95a722431b2d0572441c5c395b9b9dfb1df8df044d0f438437de869836339359
all runs: crashed: KASAN: stack-out-of-bounds Write in __nla_validate_parse
representative crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse, types: [KASAN]
# git bisect bad 05c56e7b4319d7f6352f27da876a1acdc8fa5cc4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d3a808ec787e8cbfee053405f95105b3be3c7743] mailmap: add entries for Heiko Stuebner
testing commit d3a808ec787e8cbfee053405f95105b3be3c7743 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 23ab2b02a2e7f8cb11d98471259031b8ae6f044454aff678a891eae5b6f1d1af
all runs: OK
false negative chance: 0.000
# git bisect good d3a808ec787e8cbfee053405f95105b3be3c7743
05c56e7b4319d7f6352f27da876a1acdc8fa5cc4 is the first bad commit
commit 05c56e7b4319d7f6352f27da876a1acdc8fa5cc4
Author: Andrey Konovalov
Date:   Tue Jul 4 02:52:05 2023 +0200

    kasan: fix type cast in memory_is_poisoned_n

    Commit bb6e04a173f0 ("kasan: use internal prototypes matching gcc-13 builtins") introduced a bug into the memory_is_poisoned_n implementation: it effectively removed the cast to a signed integer type after applying KASAN_GRANULE_MASK.

    As a result, KASAN started failing to properly check memset, memcpy, and other similar functions.

    Fix the bug by adding the cast back (through an additional signed integer variable to make the code more readable).

    Link: https://lkml.kernel.org/r/8c9e0251c2b8b81016255709d4ec42942dcaf018.1688431866.git.andreyknvl@google.com
    Fixes: bb6e04a173f0 ("kasan: use internal prototypes matching gcc-13 builtins")
    Signed-off-by: Andrey Konovalov
    Cc: Alexander Potapenko
    Cc: Andrey Ryabinin
    Cc: Arnd Bergmann
    Cc: Dmitry Vyukov
    Cc: Marco Elver
    Cc:
    Signed-off-by: Andrew Morton

 mm/kasan/generic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: 95a722431b2d0572441c5c395b9b9dfb1df8df044d0f438437de869836339359
parent signature: 23ab2b02a2e7f8cb11d98471259031b8ae6f044454aff678a891eae5b6f1d1af
revisions tested: 23, total time: 8h34m1.302164335s (build: 5h13m16.818421847s, test: 3h5m36.299252518s)
first bad commit: 05c56e7b4319d7f6352f27da876a1acdc8fa5cc4 kasan: fix type cast in memory_is_poisoned_n
recipients (to): ["akpm@linux-foundation.org" "andreyknvl@google.com"]
recipients (cc): []
crash: KASAN: stack-out-of-bounds Write in __nla_validate_parse
netlink: 'syz-executor.0': attribute type 8 has an invalid length.
==================================================================
BUG: KASAN: stack-out-of-bounds in __nla_validate_parse+0x13c/0x2c90 lib/nlattr.c:588
Write of size 32 at addr ffffc90001df6d00 by task syz-executor.0/3351

CPU: 0 PID: 3351 Comm: syz-executor.0 Not tainted 6.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x214/0x300 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:475
 kasan_report+0x175/0x1b0 mm/kasan/report.c:588
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
 __asan_memset+0x23/0x40 mm/kasan/shadow.c:84
 __nla_validate_parse+0x13c/0x2c90 lib/nlattr.c:588
 __nla_parse+0x40/0x50 lib/nlattr.c:700
 nla_parse_nested include/net/netlink.h:1262 [inline]
 fl_set_key_cfm+0x1e3/0x440 net/sched/cls_flower.c:1708
 fl_set_key+0x21de/0x6790 net/sched/cls_flower.c:1874
 fl_tmplt_create+0x1fe/0x510 net/sched/cls_flower.c:2661
 tc_chain_tmplt_add net/sched/cls_api.c:2959 [inline]
 tc_ctl_chain+0x130e/0x19d0 net/sched/cls_api.c:3068
 rtnetlink_rcv_msg+0xbdc/0xe00 net/core/rtnetlink.c:6424
 netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2549
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x79d/0x960 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x93a/0xcf0 net/netlink/af_netlink.c:1914
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg net/socket.c:748 [inline]
 ____sys_sendmsg+0x592/0x890 net/socket.c:2494
 ___sys_sendmsg+0x27a/0x300 net/socket.c:2548
 __sys_sendmsg net/socket.c:2577 [inline]
 __do_sys_sendmsg net/socket.c:2586 [inline]
 __se_sys_sendmsg+0x1b3/0x290 net/socket.c:2584
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f424516db29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4244cf00c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f424528cf80 RCX: 00007f424516db29
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f42451b947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f424528cf80 R15: 00007ffd0e008618

The buggy address belongs to stack of task syz-executor.0/3351
 and is located at offset 32 in frame:
 fl_set_key_cfm+0x0/0x440

This frame has 1 object:
 [32, 56) 'nla_cfm_opt'

The buggy address belongs to the virtual mapping at
 [ffffc90001df0000, ffffc90001df9000) created by:
 copy_process+0x5bc/0x3a00 kernel/fork.c:2335

The buggy address belongs to the physical page:
page:ffffea0004119cc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104673
memcg:ffff88810ead8c82
flags: 0x200000000000000(node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88810ead8c82
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 3350, tgid 3350 (syz-executor.0), ts 65038340943, free_ts 64847026574
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x26e/0x290 mm/page_alloc.c:1570
 prep_new_page mm/page_alloc.c:1577 [inline]
 get_page_from_freelist+0x2dbd/0x2f40 mm/page_alloc.c:3221
 __alloc_pages+0x255/0x650 mm/page_alloc.c:4477
 vm_area_alloc_pages mm/vmalloc.c:3059 [inline]
 __vmalloc_area_node mm/vmalloc.c:3135 [inline]
 __vmalloc_node_range+0x992/0x1460 mm/vmalloc.c:3316
 alloc_thread_stack_node kernel/fork.c:309 [inline]
 dup_task_struct+0x67d/0xa80 kernel/fork.c:1118
 copy_process+0x5bc/0x3a00 kernel/fork.c:2335
 kernel_clone+0x21a/0x830 kernel/fork.c:2917
 __do_sys_clone3 kernel/fork.c:3218 [inline]
 __se_sys_clone3+0x2cb/0x340 kernel/fork.c:3202
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1161 [inline]
 free_unref_page_prepare+0x800/0x920 mm/page_alloc.c:2348
 free_unref_page_list+0x54b/0x7e0 mm/page_alloc.c:2489
 release_pages+0x2015/0x2300 mm/swap.c:1042
 tlb_batch_pages_flush mm/mmu_gather.c:97 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:292 [inline]
 tlb_flush_mmu+0x100/0x200 mm/mmu_gather.c:299
 tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:391
 exit_mmap+0x3d3/0x900 mm/mmap.c:3211
 __mmput+0xc9/0x360 kernel/fork.c:1353
 exit_mm+0x131/0x200 kernel/exit.c:567
 do_exit+0x91c/0x29c0 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 __do_sys_exit_group kernel/exit.c:1035 [inline]
 __se_sys_exit_group kernel/exit.c:1033 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1033
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffffc90001df6c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90001df6c80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffffc90001df6d00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
                   ^
 ffffc90001df6d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90001df6e00: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
==================================================================