> That's an invalid command line. The correct syntax is:
>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
This crash does not have a reproducer. I cannot test it.
>
> From 5aaf6a3df1f83331c5ca2f6a653a2e21e3ae4f40 Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <
penguin...@I-love.SAKURA.ne.jp>
> Date: Sat, 15 Oct 2022 20:22:18 +0900
> Subject: [PATCH] cpumask: partially relax checking valid cpu range
>
> syzbot is hitting WARN_ON_ONCE(cpu >= nr_cpumask_bits) warning at
> cpu_max_bits_warn() [1], for commit 78e5a3399421 ("cpumask: fix checking
> valid cpu range") incremented "cpu" side but did not increment
> "nr_cpumask_bits" side.
>
> But incrementing "nr_cpumask_bits" side will be worse than reverting.
>
> Andrew Jones proposed a fix for x86 and riscv architectures [2]. But other
> architectures have the same problem. And fixing all callers will not be
> in time for this merge window.
>
> Regarding this merge window, let's use WARN_ON_ONCE(cpu > nr_cpumask_bits)
> for 4 callers which commit 78e5a3399421ad79 ("cpumask: fix checking valid
> cpu range") shifted. After we fixed all affected callers, we can again use
> WARN_ON_ONCE(cpu >= nr_cpumask_bits).
>
> Link:
https://syzkaller.appspot.com/bug?extid=d0fd2bf0dd6da72496dd [1]
> Link:
https://lkml.kernel.org/r/20221014155845....@ventanamicro.com [2]
> Reported-by: syzbot <
syzbot+d0fd2b...@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <
penguin...@I-love.SAKURA.ne.jp>
> Fixes: 78e5a3399421 ("cpumask: fix checking valid cpu range")
> ---
> This is urgent for syzbot and should be sent to linux.git before the merge window closes.
> I think that reverting 78e5a3399421ad79 or applying this patch is the safer choice.
>
> $ git grep -nF cpumask_next | grep -F -- '- 1'
> arch/openrisc/kernel/setup.c:371: *pos = cpumask_next(*pos - 1, cpu_online_mask);
> arch/powerpc/kernel/setup-common.c:346: *pos = cpumask_next(*pos - 1, cpu_online_mask);
> arch/riscv/kernel/cpu.c:216: *pos = cpumask_next(*pos - 1, cpu_online_mask);
> arch/s390/kernel/processor.c:338: *pos = cpumask_next(*pos - 1, cpu_online_mask);
> arch/x86/kernel/cpu/proc.c:156: *pos = cpumask_next(*pos - 1, cpu_online_mask);
> drivers/nvme/host/tcp.c:1475: queue->io_cpu = cpumask_next_wrap(n - 1, cpu_online_mask, -1, false);
> kernel/rcu/rcu.h:363: (cpu) = cpumask_next((rnp)->grplo - 1, cpu_possible_mask); \
> kernel/rcu/tasks.h:297: chosen_cpu = cpumask_next(ideal_cpu - 1, cpu_possible_mask);
> kernel/sched/debug.c:882: n = cpumask_next(n - 1, cpu_online_mask);
> kernel/sched/stats.c:196: n = cpumask_next(n - 1, cpu_online_mask);
> kernel/time/clocksource.c:314: cpu = cpumask_next(cpu - 1, cpu_online_mask);
> $ git grep -nF cpumask_next | grep -F -- '-1'
> arch/loongarch/kernel/acpi.c:92: cpu = cpumask_next_zero(-1, cpu_present_mask);
> drivers/nvme/host/tcp.c:1475: queue->io_cpu = cpumask_next_wrap(n - 1, cpu_online_mask, -1, false);
> kernel/padata.c:267: pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
> lib/cpumask_kunit.c:103: KUNIT_EXPECT_EQ_MSG(test, 0, cpumask_next_zero(-1, &mask_empty), MASK_MSG(&mask_empty));
> lib/cpumask_kunit.c:104: KUNIT_EXPECT_LE_MSG(test, nr_cpu_ids, cpumask_next_zero(-1, cpu_possible_mask),
> lib/cpumask_kunit.c:107: KUNIT_EXPECT_LE_MSG(test, nr_cpu_ids, cpumask_next(-1, &mask_empty),
> lib/cpumask_kunit.c:109: KUNIT_EXPECT_EQ_MSG(test, 0, cpumask_next(-1, cpu_possible_mask),
>
> include/linux/cpumask.h | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
> index 2f065ad97541..858741450567 100644
> --- a/include/linux/cpumask.h
> +++ b/include/linux/cpumask.h
> @@ -118,6 +118,14 @@ static __always_inline unsigned int cpumask_check(unsigned int cpu)
> return cpu;
> }
>
> +static __always_inline unsigned int cpumask_check2(unsigned int cpu)
> +{
> +#ifdef CONFIG_DEBUG_PER_CPU_MAPS
> + WARN_ON_ONCE(cpu > nr_cpumask_bits);
> +#endif /* CONFIG_DEBUG_PER_CPU_MAPS */
> + return cpu;
> +}
> +
> /**
> * cpumask_first - get the first cpu in a cpumask
> * @srcp: the cpumask pointer
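Review bot: `cpumask_check2()` is added without a comment, and the name does not say how it differs from `cpumask_check()` or that it is a stopgap. The only visible difference is `>` in place of `>=`, so `cpu == nr_cpumask_bits` no longer warns, and the commit message says the strict form should return once the affected callers are fixed. I would put that above the function, e.g. `/* Temporary: tolerate cpu == nr_cpumask_bits for callers that pass "last cpu + 1"; revert to cpumask_check() once they are fixed. */`, so the relaxed bound is not later mistaken for the intended contract. Both helpers only warn, and only under CONFIG_DEBUG_PER_CPU_MAPS, so neither one bounds the value that is returned and then used.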
> @@ -175,7 +183,7 @@ static inline
> unsigned int cpumask_next(int n, const struct cpumask *srcp)
> {
> /* n is a prior cpu */
> - cpumask_check(n + 1);
> + cpumask_check2(n + 1);
> return find_next_bit(cpumask_bits(srcp), nr_cpumask_bits, n + 1);
> }
>
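Review bot: In `cpumask_next()`, `n + 1 == nr_cpumask_bits` now reaches `find_next_bit()` as the start offset without a warning, and nothing next to the call says why that is safe. Presumably the find_*_bit helpers return the size when the offset is not below it, but their definitions are not on this page, so the assumption should be written down where it is relied on: `/* n is a prior cpu; n + 1 == nr_cpumask_bits is tolerated and is expected to yield nr_cpumask_bits */`. The same comment applies to the `cpumask_next_zero()` and `cpumask_next_and()` hunks below.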
> @@ -189,7 +197,7 @@ unsigned int cpumask_next(int n, const struct cpumask *srcp)
> static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
> {
> /* n is a prior cpu */
> - cpumask_check(n + 1);
> + cpumask_check2(n + 1);
> return find_next_zero_bit(cpumask_bits(srcp), nr_cpumask_bits, n+1);
> }
>
> @@ -230,7 +238,7 @@ unsigned int cpumask_next_and(int n, const struct cpumask *src1p,
> const struct cpumask *src2p)
> {
> /* n is a prior cpu */
> - cpumask_check(n + 1);
> + cpumask_check2(n + 1);
> return find_next_and_bit(cpumask_bits(src1p), cpumask_bits(src2p),
> nr_cpumask_bits, n + 1);
> }
> @@ -261,7 +269,7 @@ unsigned int cpumask_next_wrap(int n, const struct cpumask *mask, int start, boo
> {
> cpumask_check(start);
> /* n is a prior cpu */
> - cpumask_check(n + 1);
> + cpumask_check2(n + 1);
>
> /*
> * Return the first available CPU when wrapping, or when starting before cpu0,
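Review bot: `cpumask_check(start)` at the top of `cpumask_next_wrap()` keeps the strict check, yet the grep output in the description lists callers that pass `-1` as `start` (drivers/nvme/host/tcp.c:1475, kernel/padata.c:267). Because `cpumask_check()` takes `unsigned int`, `-1` converts to a value far above `nr_cpumask_bits` and would trip the warning under CONFIG_DEBUG_PER_CPU_MAPS, if this variant of the function is the one those callers are built against; that depends on configuration not visible here. Either document that `start == -1` is not expected in this variant or skip the check for it, e.g. `if (start >= 0) cpumask_check(start);`. The function body continues past the end of the hunk.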
> --
> 2.34.1
>
>