Hi,
We have seen a WARNING message while fuzzing with syzkaller.
Kernel 5.15.54 on an x86_64
localhost login: [ 104.557712] ------------[ cut here ]------------ [ 104.558404] WARNING: CPU: 1 PID: 15544 at mm/page_alloc.c:5358 __alloc_pages+0x38a/0x410 [ 104.559584] Modules linked in: [ 104.560030] CPU: 1 PID: 15544 Comm: repro Not tainted 5.15.54 #1 [ 104.560896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 [ 104.562190] RIP: 0010:__alloc_pages+0x38a/0x410 [ 104.562864] Code: ff 4c 89 fa 44 89 f6 89 ef 89 6c 24 48 c6 44 24 78 00 4c 89 6c 24 60 e8 c4 e5 ff ff 49 89 c4 e9 43 fe ff ff 40 80 e5 3f eb c5 <0f> 0b eb a5 4c 89 e7 44 89 f6 45 31 e4 e8 c4 9f ff ff e9 4a fe ff [ 104.565421] RSP: 0018:ffff88801b4577f0 EFLAGS: 00010246 [ 104.566182] RAX: 0000000000000000 RBX: 1ffff1100368aeff RCX: dffffc0000000000 [ 104.567177] RDX: 0000000000000000 RSI: 0000000000000012 RDI: 0000000000040cc0 [ 104.568185] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 104.569196] R10: fffffff900000000 R11: 0000000000000001 R12: 0000000000000001 [ 104.570194] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 104.571201] FS: 00007fda701c7740(0000) GS:ffff888107080000(0000) knlGS:0000000000000000 [ 104.572330] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 104.573146] CR2: 0000000020004640 CR3: 0000000020c34000 CR4: 00000000000006e0 [ 104.574149] Call Trace: [ 104.574503] <TASK> [ 104.574838] ? __sanitizer_cov_trace_cmp4+0x25/0x90 [ 104.575535] ? __alloc_pages_slowpath.constprop.0+0x16c0/0x16c0 [ 104.576391] ? bpf_ksym_find+0x171/0x1c0 [ 104.576985] ? selinux_socket_sendmsg+0x207/0x2d0 [ 104.577938] ? __sanitizer_cov_trace_const_cmp8+0x27/0x90 [ 104.578739] alloc_pages+0x191/0x3f0 [ 104.579258] kmalloc_order+0x34/0xb0 [ 104.579794] kmalloc_order_trace+0x19/0xa0 [ 104.580375] sco_sock_sendmsg+0x10f/0x300 [ 104.581228] ? security_socket_sendmsg+0x8e/0xc0
I have attached the report and the reproducer. A similar warning is seen on some testing previously.
Ref: https://lore.kernel.org/linux-mm/812dab5c-845d-df58-2752-abea7c07890@google....
Commit: 99c23da0eed4 ("Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()") is backported to LTS. So we have this bug on LTS branches.
The Fix commit is not backported to LTS. Commit: 0771cbb3b97d ("Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg")
I have tried backporting onto LTS locally.
Can you please backport the following commits to these branches. 4.14.y, 4.19.y, 5.4.y, 5.10.y, 5.15.y LTS. (applying from 1 to 7)
1. commit 38f64f650dc0e44c146ff88d15a7339efa325918 upstream ("Bluetooth: Add bt_skb_sendmsg helper") 2. commit 97e4e80299844bb5f6ce5a7540742ffbffae3d97 upstream ("Bluetooth: Add bt_skb_sendmmsg helper") 3. commit 0771cbb3b97d3c1d68eecd7f00055f599954c34e upstream ("Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg") 4. commit 81be03e026dc0c16dc1c64e088b2a53b73caa895 upstream ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg") 5. commit 266191aa8d14b84958aaeb5e96ee4e97839e3d87 upstream ("Bluetooth: Fix passing NULL to PTR_ERR") 6. commit 037ce005af6b8a3e40ee07c6e9266c8997e6a4d6 upstream ("Bluetooth: SCO: Fix sco_send_frame returning skb->len") 7. commit 29fb608396d6a62c1b85acc421ad7a4399085b9f upstream ("Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks")
Notes: 3 is the fix for the WARNING. 1,2 are prerequisites for applying 3. At this stage the WARNING is fixed. 4,5,6,7 are necessary as they are fixing newly introduced commits by us.
This is a clean cherry-pick series(7 commits) on all mentioned branches(LTS 4.14->5.15)
I have tested all mentioned LTS branches with the reproducer(only) and the WARNING is fixed after applying these 7 patches.
Please correct me if I am missing something.
Thanks, Harshit