Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp393085img;
        Wed, 20 Mar 2019 02:57:37 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyIM6w06o9jXeMn5aN0gfyiN2EtAfWcUAoly8h17+gGxraLgYJle98VJr2lKkChwgS1M9ZC
X-Received: by 2002:a65:62c5:: with SMTP id m5mr27232870pgv.77.1553075857491;
        Wed, 20 Mar 2019 02:57:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553075857; cv=none;
        d=google.com; s=arc-20160816;
        b=DTqJU1ECW8WF3jaBPCRY+FvCDjE4z2jUU13Mk1sJ9MQ/FGO+UemERKDaGjeOTHOLf9
         2UVld9tKMFNtvMAONoUpHlFywCTllVO4nHJweQdKY2Y64NY+6IYhwefR3PxTMW2ukwSr
         EXdkI2D+Q5aVh4etTjVpeMq4R7AyzN9pO93yxT7e5Ylrl4qyZQ40gE907rFm5AMro9Mq
         t9xKHCVWpGd4Aq1Vw/oDCj5CNnSVtZxG3dyIskQm/R7V+LXSvxky0UpdPGGmwMfPByeR
         eDdwjAzlaWr6lS/QrAGtTm9oo4+ioaF5p1JyT9Gr66uC2BioY5pP3zfMpTO/5qgRhpvW
         BduQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:cc:from:references:to:subject;
        bh=+7rzd8TIkczZq2kBjY7Bs6oUvOtuK6x6OhyPFei2NIo=;
        b=usyKfFoYBXSVTSdsKOlr/WY2mHma7cwi2xRQYCf2P+ddCwpEJ/JuiGYLvT+mWlF60h
         shZjj6bwWcKxkuxILVBy3sZPjYKw7mBpTN7QvPmPZmHTuOeoefLtuc2ySNbJxdEFWWu3
         8xIw8/MXR+n96kRy09QEuI3mF14TJJtfIebwMd9i8szO+p3O5DJc5U6aiZTT8VV1dSvr
         wLve/3s+LqLFg9dNk8GHI8bokADEDg2+M/DzCsJKSAIXq6bFutxweaLG8kqtDWNlDy7A
         cdefK40AEyMXzPsZpCJqRHWEdQSJCuL5DjfluWzuTBGDBhE5OVPxCvadliifDroXeinF
         pkXg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k25si1263161pfo.254.2019.03.20.02.57.21;
        Wed, 20 Mar 2019 02:57:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727268AbfCTJ4o (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Wed, 20 Mar 2019 05:56:44 -0400
Received: from relay.sw.ru ([185.231.240.75]:52770 "EHLO relay.sw.ru"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725905AbfCTJ4n (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 20 Mar 2019 05:56:43 -0400
Received: from [172.16.25.12]
        by relay.sw.ru with esmtp (Exim 4.91)
        (envelope-from <aryabinin@virtuozzo.com>)
        id 1h6XxM-0007BT-M9; Wed, 20 Mar 2019 12:56:20 +0300
Subject: Re: kernel panic: corrupted stack end in wb_workfn
To:     syzbot <syzbot+ec1b7575afef85a0e5ca@syzkaller.appspotmail.com>,
        akpm@linux-foundation.org, cai@lca.pw, davem@davemloft.net,
        dvyukov@google.com, guro@fb.com, hannes@cmpxchg.org, jbacik@fb.com,
        ktkhai@virtuozzo.com, linux-kernel@vger.kernel.org,
        linux-mm@kvack.org, linux-sctp@vger.kernel.org,
        mgorman@techsingularity.net, mhocko@suse.com,
        netdev@vger.kernel.org, nhorman@tuxdriver.com, shakeelb@google.com,
        syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk,
        vyasevich@gmail.com, willy@infradead.org
References: <000000000000db3d130584506672@google.com>
From:   Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc:     Xin Long <lucien.xin@gmail.com>
Message-ID: <d9e4e36d-1e7a-caaf-f96e-b05592405b5f@virtuozzo.com>
Date:   Wed, 20 Mar 2019 12:56:50 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <000000000000db3d130584506672@google.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 3/17/19 11:49 PM, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit c981f254cc82f50f8cb864ce6432097b23195b9c
> Author: Al Viro <viro@zeniv.linux.org.uk>
> Date:   Sun Jan 7 18:19:09 2018 +0000
> 
>     sctp: use vmemdup_user() rather than badly open-coding memdup_user()
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=137bcecf200000
> start commit:   c981f254 sctp: use vmemdup_user() rather than badly open-c..
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=10fbcecf200000
> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcecf200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=5e7dc790609552d7
> dashboard link: https://syzkaller.appspot.com/bug?extid=ec1b7575afef85a0e5ca
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16a9a84b400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17199bb3400000
> 
> Reported-by: syzbot+ec1b7575afef85a0e5ca@syzkaller.appspotmail.com
> Fixes: c981f254 ("sctp: use vmemdup_user() rather than badly open-coding memdup_user()")

From bisection log:

	testing release v4.17
	testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
	run #0: crashed: kernel panic: corrupted stack end in wb_workfn
	run #1: crashed: kernel panic: corrupted stack end in worker_thread
	run #2: crashed: kernel panic: Out of memory and no killable processes...
	run #3: crashed: kernel panic: corrupted stack end in wb_workfn
	run #4: crashed: kernel panic: corrupted stack end in wb_workfn
	run #5: crashed: kernel panic: corrupted stack end in wb_workfn
	run #6: crashed: kernel panic: corrupted stack end in wb_workfn
	run #7: crashed: kernel panic: corrupted stack end in wb_workfn
	run #8: crashed: kernel panic: Out of memory and no killable processes...
	run #9: crashed: kernel panic: corrupted stack end in wb_workfn
	testing release v4.16
	testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
	run #0: OK
	run #1: OK
	run #2: OK
	run #3: OK
	run #4: OK
	run #5: crashed: kernel panic: Out of memory and no killable processes...
	run #6: OK
	run #7: crashed: kernel panic: Out of memory and no killable processes...
	run #8: OK
	run #9: OK
	testing release v4.15
	testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
	all runs: OK
	# git bisect start v4.16 v4.15

Why bisect started between 4.16 4.15 instead of 4.17 4.16?


	testing commit c14376de3a1befa70d9811ca2872d47367b48767 with gcc (GCC) 8.1.0
	run #0: crashed: kernel panic: Out of memory and no killable processes...
	run #1: crashed: kernel panic: Out of memory and no killable processes...
	run #2: crashed: kernel panic: Out of memory and no killable processes...
	run #3: crashed: kernel panic: Out of memory and no killable processes...
	run #4: OK
	run #5: OK
	run #6: crashed: WARNING: ODEBUG bug in netdev_freemem
	run #7: crashed: no output from test machine
	run #8: OK
	run #9: OK
	# git bisect bad c14376de3a1befa70d9811ca2872d47367b48767

Why c14376de3a1befa70d9811ca2872d47367b48767 is bad? There was no stack corruption.
It looks like the syzbot were bisecting a different bug - "kernel panic: Out of memory and no killable processes..."
And bisection for that bug seems to be correct. kvmalloc() in vmemdup_user() may eat up all memory unlike kmalloc which is limited by KMALLOC_MAX_SIZE (4MB usually).