bisecting cause commit starting from a0c61bf1c773bfe510d125606253857f02c58797
building syzkaller on 662cf49ae315772e243d80a1c87dcdee1a304196
testing commit a0c61bf1c773bfe510d125606253857f02c58797 with gcc (GCC) 8.1.0
kernel signature: 649175fa876f9a1d4849a61d90477840a83f03b70e21bc08b0dfef7e47f3bae8
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 4652076ce42ea6a7438ec0267c6bb795e5fd89dbfa85ce599856a64353436de3
all runs: OK
# git bisect start a0c61bf1c773bfe510d125606253857f02c58797 d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
Bisecting: 6972 revisions left to test after this (roughly 13 steps)
[4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0
kernel signature: ae3bbc32f4d72544b235bc87c43c036192ad0588f392790b5b13d2c654c609ac
all runs: OK
# git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb
Bisecting: 3470 revisions left to test after this (roughly 12 steps)
[eadc4e40e68832fc61ae5e3ef2ef5cfcd9308b2c] Merge tag 'rtc-5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
testing commit eadc4e40e68832fc61ae5e3ef2ef5cfcd9308b2c with gcc (GCC) 8.1.0
kernel signature: f5f12fbbf118c6d53c65289636dbfb1931b6c4dfda51bd85526354812d6b2fbc
all runs: OK
# git bisect good eadc4e40e68832fc61ae5e3ef2ef5cfcd9308b2c
Bisecting: 1734 revisions left to test after this (roughly 11 steps)
[0995cfe39b8ef23e2c66b55b2939124e9ba3b2e8] Merge remote-tracking branch 'keystone/next'
testing commit 0995cfe39b8ef23e2c66b55b2939124e9ba3b2e8 with gcc (GCC) 8.1.0
kernel signature: b0f5259f76814f20715f8e4341992ae8ba5168a244cf954d01c0dbd938631715
all runs: OK
# git bisect good 0995cfe39b8ef23e2c66b55b2939124e9ba3b2e8
Bisecting: 862 revisions left to test after this (roughly 10 steps)
[b67df520ae551f2e513a7343bcaaff9b2fc7c302] Merge remote-tracking branch 'hid/for-next'
testing commit b67df520ae551f2e513a7343bcaaff9b2fc7c302 with gcc (GCC) 8.1.0
kernel signature: bbbb8de602223ea28952ab312887603ede646fe40a36ca5d9e251c6a994ea9b0
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad b67df520ae551f2e513a7343bcaaff9b2fc7c302
Bisecting: 470 revisions left to test after this (roughly 9 steps)
[c20537fd143b7667025536a9b3707dde8a4b6f1b] Merge remote-tracking branch 'ext3/for_next'
testing commit c20537fd143b7667025536a9b3707dde8a4b6f1b with gcc (GCC) 8.1.0
kernel signature: a81af2b8ff4a251afdad22f6b157b046bfa80e1af09b6dd9444f4551dcb8c7ea
all runs: OK
# git bisect good c20537fd143b7667025536a9b3707dde8a4b6f1b
Bisecting: 235 revisions left to test after this (roughly 8 steps)
[bf528f0f6dd1ae50b1513c7fa898e335042880e3] Merge remote-tracking branch 'printk/for-next'
testing commit bf528f0f6dd1ae50b1513c7fa898e335042880e3 with gcc (GCC) 8.1.0
kernel signature: 039a6fce3d266aa190c000809b9a6fe92d07303012b6ebe64a4a07f5d0a26260
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad bf528f0f6dd1ae50b1513c7fa898e335042880e3
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[23cae65210e631a1912f1789958567995e5a154a] Merge branch 'merge.nfs-fs_parse' into for-next
testing commit 23cae65210e631a1912f1789958567995e5a154a with gcc (GCC) 8.1.0
kernel signature: 94c8625fe4c2db00978c94e724754eea2e4aa47304b75291a700ba2836aa378c
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad 23cae65210e631a1912f1789958567995e5a154a
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[118b6292195cfb86a9f43cb65610fc6d980c65f4] NFS: Fix fix of show_nfs_errors
testing commit 118b6292195cfb86a9f43cb65610fc6d980c65f4 with gcc (GCC) 8.1.0
kernel signature: a25fb7a70eb62a5538adfcc5a1d79a086166b93d2ba96aa704bb2278e2b2758a
all runs: OK
# git bisect good 118b6292195cfb86a9f43cb65610fc6d980c65f4
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[c73b4d73da45ee4226988504f79017a2238e4588] restore the lost export of lookup_constant()
testing commit c73b4d73da45ee4226988504f79017a2238e4588 with gcc (GCC) 8.1.0
kernel signature: 11ca0ec94d79b0ce583f85d8ea9373e0d9e55211a2a22e467f07f6f49fd0c60a
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad c73b4d73da45ee4226988504f79017a2238e4588
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[98101bf97d6eb2f45fb35bbba4b5ac00cbee357e] fs_parser: remove fs_parameter_description name field
testing commit 98101bf97d6eb2f45fb35bbba4b5ac00cbee357e with gcc (GCC) 8.1.0
kernel signature: 1a569003477f662e678899474372173e8039bc489bd3039888a5e4466c8dd42e
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad 98101bf97d6eb2f45fb35bbba4b5ac00cbee357e
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[7318edfa7039e7eb039c4090f27eb9225f0b1f7f] get rid of cg_invalf()
testing commit 7318edfa7039e7eb039c4090f27eb9225f0b1f7f with gcc (GCC) 8.1.0
kernel signature: ecb75c0ea3ac7790b076a9a203b2c67ae49cad07256cb6bea66e0e324362a317
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad 7318edfa7039e7eb039c4090f27eb9225f0b1f7f
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[6b94420195f598422e2ad85492b157dd20b215d9] fold struct fs_parameter_enum into struct constant_table
testing commit 6b94420195f598422e2ad85492b157dd20b215d9 with gcc (GCC) 8.1.0
kernel signature: 34eae4289d3c7b4e6980612cfd166e4295808116dba813f88e447b71e6751663
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad 6b94420195f598422e2ad85492b157dd20b215d9
Bisecting: 0 revisions left to test after this (roughly 1 step)
[91f2f56785ffe215e74ffdfb5ff5435ec5774810] fs_parse: get rid of ->enums
testing commit 91f2f56785ffe215e74ffdfb5ff5435ec5774810 with gcc (GCC) 8.1.0
kernel signature: 186e6216cd03f542e80dfe7f2112f8e1e86f4a07a6ef095d2b6895b698e5cf42
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad 91f2f56785ffe215e74ffdfb5ff5435ec5774810
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[61dff92158775e70c0183f4f52c3a5a071dbc24b] Pass consistent param->type to fs_parse()
testing commit 61dff92158775e70c0183f4f52c3a5a071dbc24b with gcc (GCC) 8.1.0
kernel signature: c6306f771ab55deb12b377a9c2d7335c5c6c2bf003c3c228bf85649c1f3edd3a
all runs: crashed: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
# git bisect bad 61dff92158775e70c0183f4f52c3a5a071dbc24b
61dff92158775e70c0183f4f52c3a5a071dbc24b is the first bad commit
commit 61dff92158775e70c0183f4f52c3a5a071dbc24b
Author: Al Viro
Date:   Tue Dec 17 14:15:04 2019 -0500

    Pass consistent param->type to fs_parse()

    As it is, vfs_parse_fs_string() makes "foo" and "foo=" indistinguishable;
    both get fs_value_is_string for ->type and NULL for ->string.  To make
    it even more unpleasant, that combination is impossible to produce with
    fsconfig().

    Much saner rules would be
            "foo"           => fs_value_is_flag, NULL
            "foo="          => fs_value_is_string, ""
            "foo=bar"       => fs_value_is_string, "bar"

    All cases are distinguishable, all results are expressable by fsconfig(),
    ->has_value checks are much simpler that way (to the point of the field
    being useless) and quite a few regressions go away (gfs2 has no business
    accepting -o nodebug=, for example).

    Partially based upon patches from Miklos.

    Signed-off-by: Al Viro

 drivers/block/rbd.c       |  7 ++-----
 fs/fs_context.c           |  5 +++--
 fs/fs_parser.c            | 18 ++++++------------
 include/linux/fs_parser.h |  1 -
 4 files changed, 11 insertions(+), 20 deletions(-)

parent commit e42617b825f8073569da76dc4510bfa019b1c35a wasn't tested
testing commit e42617b825f8073569da76dc4510bfa019b1c35a with gcc (GCC) 8.1.0
kernel signature: 8a3bdde9b78aea7ec12bf888d9331611da6515499c340ddc15afc3694cb55c41
culprit signature: c6306f771ab55deb12b377a9c2d7335c5c6c2bf003c3c228bf85649c1f3edd3a
parent signature: 8a3bdde9b78aea7ec12bf888d9331611da6515499c340ddc15afc3694cb55c41
revisions tested: 16, total time: 3h33m45.099910837s (build: 1h55m44.436347476s, test: 1h36m27.457440226s)
first bad commit: 61dff92158775e70c0183f4f52c3a5a071dbc24b Pass consistent param->type to fs_parse()
cc: ["axboe@kernel.dk" "ceph-devel@vger.kernel.org" "dhowells@redhat.com" "dongsheng.yang@easystack.cn" "gregkh@linuxfoundation.org" "idryomov@gmail.com" "kstewart@linuxfoundation.org" "linux-block@vger.kernel.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "sage@redhat.com" "tglx@linutronix.de" "viro@zeniv.linux.org.uk"]
crash: KASAN: slab-out-of-bounds Read in suffix_kstrtoint
==================================================================
BUG: KASAN: slab-out-of-bounds in suffix_kstrtoint.constprop.14+0x17e/0x1d0 fs/xfs/xfs_super.c:1114
Read of size 1 at addr ffff88809c4b437f by task syz-executor.0/8256

CPU: 1 PID: 8256 Comm: syz-executor.0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 suffix_kstrtoint.constprop.14+0x17e/0x1d0 fs/xfs/xfs_super.c:1114
 xfs_fc_parse_param+0x82d/0xbe0 fs/xfs/xfs_super.c:1158
 vfs_parse_fs_param+0x245/0x490 fs/fs_context.c:145
 vfs_parse_fs_string+0xbc/0x110 fs/fs_context.c:189
 generic_parse_monolithic+0x11a/0x190 fs/fs_context.c:229
 parse_monolithic_mount_data+0x5c/0x90 fs/fs_context.c:705
 do_new_mount fs/namespace.c:2818 [inline]
 do_mount+0x122d/0x1b60 fs/namespace.c:3142
 ksys_mount+0xba/0xe0 fs/namespace.c:3351
 __do_sys_mount fs/namespace.c:3365 [inline]
 __se_sys_mount fs/namespace.c:3362 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3362
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ddea
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 4d 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 2a 8c fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f48fff2ba68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f48fff2c6d4 RCX: 000000000045ddea
RDX: 00007f48fff2bae0 RSI: 0000000020000080 RDI: 00007f48fff2bb00
RBP: 000000000075bf20 R08: 00007f48fff2bb40 R09: 00007f48fff2bae0
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000bb4 R14: 00000000004cc91e R15: 000000000075bf2c

Allocated by task 4723:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:513
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 kmem_cache_alloc_trace+0x15b/0x780 mm/slab.c:3551
 kmalloc include/linux/slab.h:556 [inline]
 single_open+0x50/0x1d0 fs/seq_file.c:569
 proc_single_open+0x16/0x20 fs/proc/base.c:764
 do_dentry_open+0x3fa/0x1100 fs/open.c:797
 vfs_open+0x9a/0xc0 fs/open.c:914
 do_last fs/namei.c:3420 [inline]
 path_openat+0xb08/0x3bd0 fs/namei.c:3537
 do_filp_open+0x177/0x250 fs/namei.c:3567
 do_sys_open+0x1dd/0x370 fs/open.c:1097
 __do_sys_open fs/open.c:1115 [inline]
 __se_sys_open fs/open.c:1110 [inline]
 __x64_sys_open+0x79/0xb0 fs/open.c:1110
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4723:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x108/0x2c0 mm/slab.c:3757
 single_release+0x8b/0xc0 fs/seq_file.c:609
 __fput+0x25a/0x770 fs/file_table.c:280
 ____fput+0x9/0x10 fs/file_table.c:313
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x24e/0x2e0 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x4ff/0x5f0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809c4b4340
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 31 bytes to the right of
 32-byte region [ffff88809c4b4340, ffff88809c4b4360)
The buggy address belongs to the page:
page:ffffea0002712d00 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff88809c4b4fc1
raw: 00fffe0000000200 ffffea00027d9288 ffff8880aa401238 ffff8880aa4001c0
raw: ffff88809c4b4fc1 ffff88809c4b4000 000000010000002e 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809c4b4200: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
 ffff88809c4b4280: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
>ffff88809c4b4300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
                                                                ^
 ffff88809c4b4380: 01 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff88809c4b4400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================