bisecting fixing commit since cd796ed3345030aa1bb332fe5c793b3dddaf56e7
building syzkaller on 51a9082e064119316893e12187cab2843283ed4d
testing commit cd796ed3345030aa1bb332fe5c793b3dddaf56e7 with gcc (GCC) 10.2.1 20210217
kernel signature: a3d1e0db5d3df1d2d04a4fed646d6ed54cd282e955a02290f402acfa2f842b6e
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
testing current HEAD a74e6a014c9d4d4161061f770c9b4f98372ac778
testing commit a74e6a014c9d4d4161061f770c9b4f98372ac778 with gcc (GCC) 10.2.1 20210217
kernel signature: 62f168e24a4b4a9c79d9df06f9c299ec4347091749bb4cec395251d828396c96
all runs: OK
# git bisect start a74e6a014c9d4d4161061f770c9b4f98372ac778 cd796ed3345030aa1bb332fe5c793b3dddaf56e7
Bisecting: 13992 revisions left to test after this (roughly 14 steps)
[ec24e11e0817404ef9e04b50170e1a68793cd9f5] bpf: Replace fput with sockfd_put in sock map
testing commit ec24e11e0817404ef9e04b50170e1a68793cd9f5 with gcc (GCC) 10.2.1 20210217
kernel signature: d63a0a05e71262cd41c9d6c29cf5f89cad680430403413e97eeaa4852efffeca
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good ec24e11e0817404ef9e04b50170e1a68793cd9f5
Bisecting: 7088 revisions left to test after this (roughly 13 steps)
[66f73fb3facd42d0a7c899d7f4c712332b28499a] Merge tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs
testing commit 66f73fb3facd42d0a7c899d7f4c712332b28499a with gcc (GCC) 10.2.1 20210217
kernel signature: 1979fa4ff9fe7c20232710c789edb0c55abe3127ec57cffa9cd11b6aaae5917e
all runs: OK
# git bisect bad 66f73fb3facd42d0a7c899d7f4c712332b28499a
Bisecting: 3512 revisions left to test after this (roughly 12 steps)
[9ec5eea5b6acfae7279203097eeec5d02d01d9b7] lib/parman: Delete newline
testing commit 9ec5eea5b6acfae7279203097eeec5d02d01d9b7 with gcc (GCC) 10.2.1 20210217
kernel signature: ac02d29a09891d7bdaedec7e8a7ede6e02cf44a39f615fc4e32f658bc376f3d8
all runs: OK
# git bisect bad 9ec5eea5b6acfae7279203097eeec5d02d01d9b7
Bisecting: 1699 revisions left to test after this (roughly 11 steps)
[2db138bb9fa10f5652f55d3c3f427af54626a086] Merge tag 'kbuild-fixes-v5.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit 2db138bb9fa10f5652f55d3c3f427af54626a086 with gcc (GCC) 10.2.1 20210217
kernel signature: 26adb467893050728b7b06cb0ee91dbdd1fe866c178e54aa22410ceea88bae11
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good 2db138bb9fa10f5652f55d3c3f427af54626a086
Bisecting: 849 revisions left to test after this (roughly 10 steps)
[502c65af26697db49b6e456fe72fc10706a190e5] Merge branch 'dpaa2-add-1000base-x-support'
testing commit 502c65af26697db49b6e456fe72fc10706a190e5 with gcc (GCC) 10.2.1 20210217
kernel signature: a9ce26c25f56a83a9f603fcec34ebb3f7df4b2dd55d6c32ed498ed33786a25bc
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good 502c65af26697db49b6e456fe72fc10706a190e5
Bisecting: 411 revisions left to test after this (roughly 9 steps)
[0ae20159e88fece0e5f1e71fe1e5a62427f73b41] Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit 0ae20159e88fece0e5f1e71fe1e5a62427f73b41 with gcc (GCC) 10.2.1 20210217
kernel signature: a1b3bc000122073b007197db935033b063962d6a34febd515d97c89d2098c4a4
all runs: OK
# git bisect bad 0ae20159e88fece0e5f1e71fe1e5a62427f73b41
Bisecting: 172 revisions left to test after this (roughly 8 steps)
[dc9d87581d464e7b7d38853d6904b70b6c920d99] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit dc9d87581d464e7b7d38853d6904b70b6c920d99 with gcc (GCC) 10.2.1 20210217
kernel signature: 65fe5c0d8548d27a5e2b26fe2d9f3628b5f48389c8d173001dbe422c595a4695
all runs: OK
# git bisect bad dc9d87581d464e7b7d38853d6904b70b6c920d99
Bisecting: 138 revisions left to test after this (roughly 7 steps)
[3e566dacc9136ca67514bc347921186d00b0b9d6] Merge branch 'hns3-cleanups'
testing commit 3e566dacc9136ca67514bc347921186d00b0b9d6 with gcc (GCC) 10.2.1 20210217
kernel signature: b4180f5d5b2508243b3c45160c4133da8a4b5f6ee7014279007b04b3f5401212
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good 3e566dacc9136ca67514bc347921186d00b0b9d6
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[4b16b656b1ce04868a31af65c846cf97823d32c5] Merge branch 'akpm' (patches from Andrew)
testing commit 4b16b656b1ce04868a31af65c846cf97823d32c5 with gcc (GCC) 10.2.1 20210217
kernel signature: 43a4e8379f9e2983daa3c040c6a3f45307dbc5954f19c684a366f8dbafca64ac
all runs: OK
# git bisect bad 4b16b656b1ce04868a31af65c846cf97823d32c5
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[ff92acb220c506f14aea384a07b130b87ac1489a] Merge tag 'dma-mapping-5.11-2' of git://git.infradead.org/users/hch/dma-mapping
testing commit ff92acb220c506f14aea384a07b130b87ac1489a with gcc (GCC) 10.2.1 20210217
kernel signature: ad6f0694660b86b3bba7859a5b04dbfd6c3e48aeef1af36d91cb3b566a0fa0b6
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good ff92acb220c506f14aea384a07b130b87ac1489a
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[e812cbbbbbb15adbbbee176baa1e8bda53059bf0] squashfs: avoid out of bounds writes in decompressors
testing commit e812cbbbbbb15adbbbee176baa1e8bda53059bf0 with gcc (GCC) 10.2.1 20210217
kernel signature: 211b9f186107c700a0cb31ff5e6cf65f22c1e927be371beb9976562b9da03a1b
all runs: OK
# git bisect bad e812cbbbbbb15adbbbee176baa1e8bda53059bf0
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[6fde2d4c8b25cec9589a4a58fd524b9d4e40c4b6] ndtest: Add regions and mappings to the test buses
testing commit 6fde2d4c8b25cec9589a4a58fd524b9d4e40c4b6 with gcc (GCC) 10.2.1 20210217
kernel signature: aa945f50db017b975a3f1c5c043d9083b41ea8544bdfac6e3015e92f88ccbe11
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good 6fde2d4c8b25cec9589a4a58fd524b9d4e40c4b6
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b75dba7f472ca6c2dd0b8ee41f5a4b5a45539306] Merge tag 'libnvdimm-fixes-5.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
testing commit b75dba7f472ca6c2dd0b8ee41f5a4b5a45539306 with gcc (GCC) 10.2.1 20210217
kernel signature: 9a531491473f43d28d14b532aab5211ad0c95a8ce9090674bcaa10e0ee9429f4
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good b75dba7f472ca6c2dd0b8ee41f5a4b5a45539306
Bisecting: 2 revisions left to test after this (roughly 1 step)
[256cfdd6fdf70c6fcf0f7c8ddb0ebd73ce8f3bc9] tracing: Do not count ftrace events in top level enable output
testing commit 256cfdd6fdf70c6fcf0f7c8ddb0ebd73ce8f3bc9 with gcc (GCC) 10.2.1 20210217
kernel signature: 4c9cace5a419fb46e22a84fd5e595afe6f8cd2c111916079ebad21697332cd06
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good 256cfdd6fdf70c6fcf0f7c8ddb0ebd73ce8f3bc9
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e0756cfc7d7cd08c98a53b6009c091a3f6a50be6] Merge tag 'trace-v5.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
testing commit e0756cfc7d7cd08c98a53b6009c091a3f6a50be6 with gcc (GCC) 10.2.1 20210217
kernel signature: a7538289d33d6baf5b5bc1936c548040c698c6cdd94c4b546444a42d8961ac56
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_get_id
# git bisect good e0756cfc7d7cd08c98a53b6009c091a3f6a50be6
e812cbbbbbb15adbbbee176baa1e8bda53059bf0 is the first bad commit
commit e812cbbbbbb15adbbbee176baa1e8bda53059bf0
Author: Phillip Lougher
Date:   Tue Feb 9 13:41:50 2021 -0800

    squashfs: avoid out of bounds writes in decompressors

    Patch series "Squashfs: fix BIO migration regression and add sanity checks".

    Patch [1/4] fixes a regression introduced by the "migrate from
    ll_rw_block usage to BIO" patch, which has produced a number of
    Sysbot/Syzkaller reports.

    Patches [2/4], [3/4], and [4/4] fix a number of filesystem corruption
    issues which have produced Sysbot reports in the id, inode and xattr
    lookup code.

    Each patch has been tested against the Sysbot reproducers using the
    given kernel configuration. They have the appropriate "Reported-by:"
    lines added.

    Additionally, all of the reproducer filesystems are indirectly fixed by
    patch [4/4] due to the fact they all have xattr corruption which is now
    detected there.

    Additional testing with other configurations and architectures (32bit,
    big endian), and normal filesystems has also been done to trap any
    inadvertent regressions caused by the additional sanity checks.

    This patch (of 4):

    This is a regression introduced by the patch "migrate from ll_rw_block
    usage to BIO".

    Sysbot/Syskaller has reported a number of "out of bounds writes" and
    "unable to handle kernel paging request in squashfs_decompress" errors
    which have been identified as a regression introduced by the above
    patch.

    Specifically, the patch removed the following sanity check

        if (length < 0 || length > output->length ||
                        (index + length) > msblk->bytes_used)

    This check did two things:

    1. It ensured any reads were not beyond the end of the filesystem

    2. It ensured that the "length" field read from the filesystem
       was within the expected maximum length. Without this any
       corrupted values can over-run allocated buffers.

    Link: https://lkml.kernel.org/r/20210204130249.4495-1-phillip@squashfs.org.uk
    Link: https://lkml.kernel.org/r/20210204130249.4495-2-phillip@squashfs.org.uk
    Fixes: 93e72b3c612adc ("squashfs: migrate from ll_rw_block usage to BIO")
    Reported-by: syzbot+6fba78f99b9afd4b5634@syzkaller.appspotmail.com
    Signed-off-by: Phillip Lougher
    Cc: Philippe Liard
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/squashfs/block.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
culprit signature: 211b9f186107c700a0cb31ff5e6cf65f22c1e927be371beb9976562b9da03a1b
parent signature: a7538289d33d6baf5b5bc1936c548040c698c6cdd94c4b546444a42d8961ac56
revisions tested: 17, total time: 3h11m6.409069439s (build: 1h36m23.502885062s, test: 1h33m3.028143138s)
first good commit: e812cbbbbbb15adbbbee176baa1e8bda53059bf0 squashfs: avoid out of bounds writes in decompressors
recipients (to): ["akpm@linux-foundation.org" "phillip@squashfs.org.uk" "torvalds@linux-foundation.org"]
recipients (cc): []