bisecting fixing commit since 2762b48e9611529239da2e68cba908dbbec9805f
building syzkaller on 52e3731913ab2677be27c29ed8142b04e8f28521
testing commit 2762b48e9611529239da2e68cba908dbbec9805f with gcc (GCC) 8.4.1 20210217
kernel signature: d5a9c6237ecb2066fa61f01c638d9e88af6af661f57f26b7a2722c7a37de4990
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
testing current HEAD 3242aa3a635c0958671ee1e4b0958dcc7c4e5c79
testing commit 3242aa3a635c0958671ee1e4b0958dcc7c4e5c79 with gcc (GCC) 8.4.1 20210217
kernel signature: 8d9082443ba73a32102f20a8b5410b4d7e4d40ab4e592d3853f7726616175604
all runs: OK
# git bisect start 3242aa3a635c0958671ee1e4b0958dcc7c4e5c79 2762b48e9611529239da2e68cba908dbbec9805f
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[8ef6c49a63057962a009338f9f00f9c8c53bc640] RDMA/cxgb4: Fix the reported max_recv_sge value
testing commit 8ef6c49a63057962a009338f9f00f9c8c53bc640 with gcc (GCC) 8.4.1 20210217
kernel signature: 43caa42c1b85bce070f8f17116e1653a0225264ffe187be2a7cdd613893ad67e
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good 8ef6c49a63057962a009338f9f00f9c8c53bc640
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[6e0e334c03366d81ad466fc735fbf309b1edac5f] net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add
testing commit 6e0e334c03366d81ad466fc735fbf309b1edac5f with gcc (GCC) 8.4.1 20210217
kernel signature: 5c81fd1bae78cd1f0a212380cc10ad44ff67ca3cdc17a2adcf8ba5ccb447657e
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good 6e0e334c03366d81ad466fc735fbf309b1edac5f
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[6c8acb4ef560bba93bbbf1459b74f16a7a34e511] memblock: do not start bottom-up allocations with kernel_end
testing commit 6c8acb4ef560bba93bbbf1459b74f16a7a34e511 with gcc (GCC) 8.4.1 20210217
kernel signature: d018401ae2e853623b28fdef052630beb606e6399b9903faad637ad12c905729
all runs: OK
# git bisect bad 6c8acb4ef560bba93bbbf1459b74f16a7a34e511
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[d24cf6d0d72a871f7fc6d96970bd4745ec59ac77] memcg: fix a crash in wb_workfn when a device disappears
testing commit d24cf6d0d72a871f7fc6d96970bd4745ec59ac77 with gcc (GCC) 8.4.1 20210217
kernel signature: 55fbf620986cde8d03f13b7ecfdddfaf27f490bfec8af24119c389b7ff04c4a9
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good d24cf6d0d72a871f7fc6d96970bd4745ec59ac77
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[5c780be5180bc49a66b8640da604661d4c83a559] MIPS: BMIPS: Fix section mismatch warning
testing commit 5c780be5180bc49a66b8640da604661d4c83a559 with gcc (GCC) 8.4.1 20210217
kernel signature: 629b6d45941c2cd46f46685d8ca7003433f03b42c04d21a90ad26eaf4a206b41
all runs: OK
# git bisect bad 5c780be5180bc49a66b8640da604661d4c83a559
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[ff49cace7b8cf00d27665f7536a863d406963d06] squashfs: add more sanity checks in xattr id lookup
testing commit ff49cace7b8cf00d27665f7536a863d406963d06 with gcc (GCC) 8.4.1 20210217
kernel signature: f938c2a25b9bc0148e7ade16f63bc7cffc51d400ee21f79c89b1ad429b56a6c1
all runs: OK
# git bisect bad ff49cace7b8cf00d27665f7536a863d406963d06
Bisecting: 0 revisions left to test after this (roughly 1 step)
[69396cfd7908dee7a833068bcc2d7122ce9264f9] squashfs: add more sanity checks in inode lookup
testing commit 69396cfd7908dee7a833068bcc2d7122ce9264f9 with gcc (GCC) 8.4.1 20210217
kernel signature: 2334f65260a9dfdfe5497f905c1960d4a96330a9e04d1a98efa8a1f6db845644
all runs: OK
# git bisect bad 69396cfd7908dee7a833068bcc2d7122ce9264f9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8d9ca7e328ef7a0625f50e3033bda4666c783133] squashfs: add more sanity checks in id lookup
testing commit 8d9ca7e328ef7a0625f50e3033bda4666c783133 with gcc (GCC) 8.4.1 20210217
kernel signature: 13cdf89418bdcd3d901c14118ec564aa70e4999663976e83a1290ce12b86be4c
all runs: crashed: KASAN: slab-out-of-bounds Read in squashfs_export_iget
# git bisect good 8d9ca7e328ef7a0625f50e3033bda4666c783133
69396cfd7908dee7a833068bcc2d7122ce9264f9 is the first bad commit
commit 69396cfd7908dee7a833068bcc2d7122ce9264f9
Author: Phillip Lougher
Date: Tue Feb 9 13:41:56 2021 -0800

    squashfs: add more sanity checks in inode lookup

    commit eabac19e40c095543def79cb6ffeb3a8588aaff4 upstream.

    Sysbot has reported an "slab-out-of-bounds read" error which has been
    identified as being caused by a corrupted "ino_num" value read from the
    inode. This could be because the metadata block is uncompressed, or
    because the "compression" bit has been corrupted (turning a compressed
    block into an uncompressed block).

    This patch adds additional sanity checks to detect this, and the
    following corruption.

    1. It checks against corruption of the inodes count. This can either
       lead to a larger table to be read, or a smaller than expected table
       to be read.

       In the case of a too large inodes count, this would often have been
       trapped by the existing sanity checks, but this patch introduces a
       more exact check, which can identify too small values.

    2. It checks the contents of the index table for corruption.

    [phillip@squashfs.org.uk: fix checkpatch issue]
      Link: https://lkml.kernel.org/r/527909353.754618.1612769948607@webmail.123-reg.co.uk
    Link: https://lkml.kernel.org/r/20210204130249.4495-4-phillip@squashfs.org.uk
    Signed-off-by: Phillip Lougher
    Reported-by: syzbot+04419e3ff19d2970ea28@syzkaller.appspotmail.com
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/squashfs/export.c | 41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)
culprit signature: 2334f65260a9dfdfe5497f905c1960d4a96330a9e04d1a98efa8a1f6db845644
parent signature: 13cdf89418bdcd3d901c14118ec564aa70e4999663976e83a1290ce12b86be4c
revisions tested: 10, total time: 2h15m53.976648699s (build: 1h13m19.9357061s, test: 58m21.312213287s)
first good commit: 69396cfd7908dee7a833068bcc2d7122ce9264f9 squashfs: add more sanity checks in inode lookup
recipients (to): ["akpm@linux-foundation.org" "gregkh@linuxfoundation.org" "phillip@squashfs.org.uk" "torvalds@linux-foundation.org"]
recipients (cc): []