Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp393085img; Wed, 20 Mar 2019 02:57:37 -0700 (PDT) X-Google-Smtp-Source: APXvYqyIM6w06o9jXeMn5aN0gfyiN2EtAfWcUAoly8h17+gGxraLgYJle98VJr2lKkChwgS1M9ZC X-Received: by 2002:a65:62c5:: with SMTP id m5mr27232870pgv.77.1553075857491; Wed, 20 Mar 2019 02:57:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553075857; cv=none; d=google.com; s=arc-20160816; b=DTqJU1ECW8WF3jaBPCRY+FvCDjE4z2jUU13Mk1sJ9MQ/FGO+UemERKDaGjeOTHOLf9 2UVld9tKMFNtvMAONoUpHlFywCTllVO4nHJweQdKY2Y64NY+6IYhwefR3PxTMW2ukwSr EXdkI2D+Q5aVh4etTjVpeMq4R7AyzN9pO93yxT7e5Ylrl4qyZQ40gE907rFm5AMro9Mq t9xKHCVWpGd4Aq1Vw/oDCj5CNnSVtZxG3dyIskQm/R7V+LXSvxky0UpdPGGmwMfPByeR eDdwjAzlaWr6lS/QrAGtTm9oo4+ioaF5p1JyT9Gr66uC2BioY5pP3zfMpTO/5qgRhpvW BduQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:cc:from:references:to:subject; bh=+7rzd8TIkczZq2kBjY7Bs6oUvOtuK6x6OhyPFei2NIo=; b=usyKfFoYBXSVTSdsKOlr/WY2mHma7cwi2xRQYCf2P+ddCwpEJ/JuiGYLvT+mWlF60h shZjj6bwWcKxkuxILVBy3sZPjYKw7mBpTN7QvPmPZmHTuOeoefLtuc2ySNbJxdEFWWu3 8xIw8/MXR+n96kRy09QEuI3mF14TJJtfIebwMd9i8szO+p3O5DJc5U6aiZTT8VV1dSvr wLve/3s+LqLFg9dNk8GHI8bokADEDg2+M/DzCsJKSAIXq6bFutxweaLG8kqtDWNlDy7A cdefK40AEyMXzPsZpCJqRHWEdQSJCuL5DjfluWzuTBGDBhE5OVPxCvadliifDroXeinF pkXg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k25si1263161pfo.254.2019.03.20.02.57.21; Wed, 20 Mar 2019 02:57:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727268AbfCTJ4o (ORCPT + 99 others); Wed, 20 Mar 2019 05:56:44 -0400 Received: from relay.sw.ru ([185.231.240.75]:52770 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725905AbfCTJ4n (ORCPT ); Wed, 20 Mar 2019 05:56:43 -0400 Received: from [172.16.25.12] by relay.sw.ru with esmtp (Exim 4.91) (envelope-from ) id 1h6XxM-0007BT-M9; Wed, 20 Mar 2019 12:56:20 +0300 Subject: Re: kernel panic: corrupted stack end in wb_workfn To: syzbot , akpm@linux-foundation.org, cai@lca.pw, davem@davemloft.net, dvyukov@google.com, guro@fb.com, hannes@cmpxchg.org, jbacik@fb.com, ktkhai@virtuozzo.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-sctp@vger.kernel.org, mgorman@techsingularity.net, mhocko@suse.com, netdev@vger.kernel.org, nhorman@tuxdriver.com, shakeelb@google.com, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, vyasevich@gmail.com, willy@infradead.org References: <000000000000db3d130584506672@google.com> From: Andrey Ryabinin Cc: Xin Long Message-ID: Date: Wed, 20 Mar 2019 12:56:50 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: <000000000000db3d130584506672@google.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 3/17/19 11:49 PM, syzbot wrote: > syzbot has bisected this bug to: > > commit c981f254cc82f50f8cb864ce6432097b23195b9c > Author: Al Viro > Date:   Sun Jan 7 18:19:09 2018 +0000 > >     sctp: use vmemdup_user() rather than badly open-coding memdup_user() > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=137bcecf200000 > start commit:   c981f254 sctp: use vmemdup_user() rather than badly open-c.. > git tree:       upstream > final crash:    https://syzkaller.appspot.com/x/report.txt?x=10fbcecf200000 > console output: https://syzkaller.appspot.com/x/log.txt?x=177bcecf200000 > kernel config:  https://syzkaller.appspot.com/x/.config?x=5e7dc790609552d7 > dashboard link: https://syzkaller.appspot.com/bug?extid=ec1b7575afef85a0e5ca > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16a9a84b400000 > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17199bb3400000 > > Reported-by: syzbot+ec1b7575afef85a0e5ca@syzkaller.appspotmail.com > Fixes: c981f254 ("sctp: use vmemdup_user() rather than badly open-coding memdup_user()") From bisection log: testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 run #0: crashed: kernel panic: corrupted stack end in wb_workfn run #1: crashed: kernel panic: corrupted stack end in worker_thread run #2: crashed: kernel panic: Out of memory and no killable processes... run #3: crashed: kernel panic: corrupted stack end in wb_workfn run #4: crashed: kernel panic: corrupted stack end in wb_workfn run #5: crashed: kernel panic: corrupted stack end in wb_workfn run #6: crashed: kernel panic: corrupted stack end in wb_workfn run #7: crashed: kernel panic: corrupted stack end in wb_workfn run #8: crashed: kernel panic: Out of memory and no killable processes... run #9: crashed: kernel panic: corrupted stack end in wb_workfn testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: crashed: kernel panic: Out of memory and no killable processes... run #6: OK run #7: crashed: kernel panic: Out of memory and no killable processes... run #8: OK run #9: OK testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 all runs: OK # git bisect start v4.16 v4.15 Why bisect started between 4.16 4.15 instead of 4.17 4.16? testing commit c14376de3a1befa70d9811ca2872d47367b48767 with gcc (GCC) 8.1.0 run #0: crashed: kernel panic: Out of memory and no killable processes... run #1: crashed: kernel panic: Out of memory and no killable processes... run #2: crashed: kernel panic: Out of memory and no killable processes... run #3: crashed: kernel panic: Out of memory and no killable processes... run #4: OK run #5: OK run #6: crashed: WARNING: ODEBUG bug in netdev_freemem run #7: crashed: no output from test machine run #8: OK run #9: OK # git bisect bad c14376de3a1befa70d9811ca2872d47367b48767 Why c14376de3a1befa70d9811ca2872d47367b48767 is bad? There was no stack corruption. It looks like the syzbot were bisecting a different bug - "kernel panic: Out of memory and no killable processes..." And bisection for that bug seems to be correct. kvmalloc() in vmemdup_user() may eat up all memory unlike kmalloc which is limited by KMALLOC_MAX_SIZE (4MB usually).