bisecting fixing commit since 811218eceeaa7618652e1b8d11caeff67ab42072
building syzkaller on fc9fd31ee7998c8b747752791000ea4eef07b5c6
testing commit 811218eceeaa7618652e1b8d11caeff67ab42072 with gcc (GCC) 8.4.1 20210217
kernel signature: d15304f6613a1c7b5bbf4f19b51ba7f46d18a83634cd48c2851107785168cf7c
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
testing current HEAD 2d19be4653f5e74ed95560b69f94eb6791d49af3
testing commit 2d19be4653f5e74ed95560b69f94eb6791d49af3 with gcc (GCC) 8.4.1 20210217
kernel signature: d85dcdd2a60f2c2bccfe6c01583a5aa8b95bc3ebbd510ac4c6fbb56981261270
all runs: OK
# git bisect start 2d19be4653f5e74ed95560b69f94eb6791d49af3 811218eceeaa7618652e1b8d11caeff67ab42072
Bisecting: 86 revisions left to test after this (roughly 7 steps)
[081438440a6e0787d0e4c933bc9e447ac5d217bb] mm: thp: fix MADV_REMOVE deadlock on shmem THP
testing commit 081438440a6e0787d0e4c933bc9e447ac5d217bb with gcc (GCC) 8.4.1 20210217
kernel signature: 7ebaaee931dd74746f41238f99a944dada8e1621e89ddb46601a49f5b54f144e
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good 081438440a6e0787d0e4c933bc9e447ac5d217bb
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[31a8d90f7cda828e1b48d8eb40ec1c6345ef5b7e] cap: fix conversions on getxattr
testing commit 31a8d90f7cda828e1b48d8eb40ec1c6345ef5b7e with gcc (GCC) 8.4.1 20210217
kernel signature: 0a2e294a1c57851a749f490e31690aa79468d1f4ce1a63d9748be7540e09e530
all runs: OK
# git bisect bad 31a8d90f7cda828e1b48d8eb40ec1c6345ef5b7e
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[45115259782a6b18566f378c8d9b16b25869444c] iwlwifi: mvm: guard against device removal in reprobe
testing commit 45115259782a6b18566f378c8d9b16b25869444c with gcc (GCC) 8.4.1 20210217
kernel signature: ec5651d6b4138b455bee22b4bf5eebcc3cf7077015dae48e79f95e0e6f389d21
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good 45115259782a6b18566f378c8d9b16b25869444c
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[a8717b34003f4f7353b23826617ad872f85d85d8] squashfs: add more sanity checks in xattr id lookup
testing commit a8717b34003f4f7353b23826617ad872f85d85d8 with gcc (GCC) 8.4.1 20210217
kernel signature: 43c757ad4152b37270d0ad3d348194e8c0274e8ce2ac36eb6ee99dde6cd789de
all runs: OK
# git bisect bad a8717b34003f4f7353b23826617ad872f85d85d8
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[050462f040b9cdb92b63f35aca76c6c873b0b5ab] memcg: fix a crash in wb_workfn when a device disappears
testing commit 050462f040b9cdb92b63f35aca76c6c873b0b5ab with gcc (GCC) 8.4.1 20210217
kernel signature: b54eb34468f373ae44af361912d887fd7c792c1d1987d3f65c211a34f095709f
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good 050462f040b9cdb92b63f35aca76c6c873b0b5ab
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[6ff18507a7c165b90f1fe51822c65d10265f5714] blk-mq: don't hold q->sysfs_lock in blk_mq_map_swqueue
testing commit 6ff18507a7c165b90f1fe51822c65d10265f5714 with gcc (GCC) 8.4.1 20210217
kernel signature: 886569d8a7e4470c1e05918b28aad0452a999d7213704e8b1e5863df301472f8
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good 6ff18507a7c165b90f1fe51822c65d10265f5714
Bisecting: 0 revisions left to test after this (roughly 1 step)
[a6f933a3036313a3c4b56c68eccbf84d7546b49e] squashfs: add more sanity checks in inode lookup
testing commit a6f933a3036313a3c4b56c68eccbf84d7546b49e with gcc (GCC) 8.4.1 20210217
kernel signature: e2864d7da45072d6b45e38cb9845ec3bbf3af358246ed40afed761dc3d4fff08
all runs: OK
# git bisect bad a6f933a3036313a3c4b56c68eccbf84d7546b49e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e5099c0e851a801d04831db64d140bd4f3a014db] squashfs: add more sanity checks in id lookup
testing commit e5099c0e851a801d04831db64d140bd4f3a014db with gcc (GCC) 8.4.1 20210217
kernel signature: 1c49266abf3a56c14863bc1e6d4496d72ff5d1d8d3fd0902fede869c903e946e
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good e5099c0e851a801d04831db64d140bd4f3a014db
a6f933a3036313a3c4b56c68eccbf84d7546b49e is the first bad commit
commit a6f933a3036313a3c4b56c68eccbf84d7546b49e
Author: Phillip Lougher
Date: Tue Feb 9 13:41:56 2021 -0800

    squashfs: add more sanity checks in inode lookup

    commit eabac19e40c095543def79cb6ffeb3a8588aaff4 upstream.

    Sysbot has reported an "slab-out-of-bounds read" error which has been identified as being caused by a corrupted "ino_num" value read from the inode. This could be because the metadata block is uncompressed, or because the "compression" bit has been corrupted (turning a compressed block into an uncompressed block).

    This patch adds additional sanity checks to detect this, and the following corruption.

    1. It checks against corruption of the inodes count. This can either lead to a larger table to be read, or a smaller than expected table to be read.

       In the case of a too large inodes count, this would often have been trapped by the existing sanity checks, but this patch introduces a more exact check, which can identify too small values.

    2. It checks the contents of the index table for corruption.

    [phillip@squashfs.org.uk: fix checkpatch issue]
    Link: https://lkml.kernel.org/r/527909353.754618.1612769948607@webmail.123-reg.co.uk
    Link: https://lkml.kernel.org/r/20210204130249.4495-4-phillip@squashfs.org.uk
    Signed-off-by: Phillip Lougher
    Reported-by: syzbot+04419e3ff19d2970ea28@syzkaller.appspotmail.com
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/squashfs/export.c | 41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)
culprit signature: e2864d7da45072d6b45e38cb9845ec3bbf3af358246ed40afed761dc3d4fff08
parent signature: 1c49266abf3a56c14863bc1e6d4496d72ff5d1d8d3fd0902fede869c903e946e
revisions tested: 10, total time: 2h14m46.603312689s (build: 1h16m24.455131284s, test: 53m59.935949923s)
first good commit: a6f933a3036313a3c4b56c68eccbf84d7546b49e squashfs: add more sanity checks in inode lookup
recipients (to): ["akpm@linux-foundation.org" "gregkh@linuxfoundation.org" "phillip@squashfs.org.uk" "torvalds@linux-foundation.org"]
recipients (cc): []