bisecting cause commit starting from a9e26cb5f2615cd638f911ea96d4fff5b4d93690 building syzkaller on a7f7f4a49efe0adb56a41e1cc91aeb106d428eb2 testing commit a9e26cb5f2615cd638f911ea96d4fff5b4d93690 with gcc (GCC) 8.1.0 kernel signature: 92a38665aec38e5310ae8d24322b25579e2c7c12ea0e391081ba0b39f6db0dfa run #0: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #1: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 0a239a63f936e094afcdc973a4a1640a49766a3338df273434ed919c9d53b108 all runs: OK # git bisect start a9e26cb5f2615cd638f911ea96d4fff5b4d93690 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 14239 revisions left to test after this (roughly 14 steps) [e533cda12d8f0e7936354bafdc85c81741f805d2] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit e533cda12d8f0e7936354bafdc85c81741f805d2 with gcc (GCC) 8.1.0 kernel signature: 46bd581ae5af2566b74f193465b8f75b479a29428c1eaed980292d92d5c32bd2 all runs: OK # git bisect good e533cda12d8f0e7936354bafdc85c81741f805d2 Bisecting: 6433 revisions left to test after this (roughly 13 steps) [6daeb73797bbcf665b115770ae2ee5f688d813df] Merge remote-tracking branch 'net-next/master' testing commit 6daeb73797bbcf665b115770ae2ee5f688d813df with gcc (GCC) 8.1.0 kernel signature: f245206dd69cc8c973d2828431c54dd65b01b004472b2423fb492ae52bbed7e7 all runs: OK # git bisect good 6daeb73797bbcf665b115770ae2ee5f688d813df Bisecting: 3219 revisions left to test after this (roughly 12 steps) [f8135ca8fab7b32ed2f99380a7be699770cfc45d] Merge remote-tracking branch 'backlight/for-backlight-next' testing commit f8135ca8fab7b32ed2f99380a7be699770cfc45d with gcc (GCC) 8.1.0 kernel signature: 5eb076781af16ac3a6fefeb05a452ebe13d3ad89b42ec8149e0122f3fd3c20d7 all runs: OK # git bisect good f8135ca8fab7b32ed2f99380a7be699770cfc45d Bisecting: 1709 revisions left to test after this (roughly 11 steps) [aae9c7e32f54ca8282b132b094517e576da43899] Merge remote-tracking branch 'vfio/next' testing commit aae9c7e32f54ca8282b132b094517e576da43899 with gcc (GCC) 8.1.0 kernel signature: ab9cc7d1000a36d8a356f86da2ee06126998e84d974cfcb15bf17c3fca8f81c6 all runs: OK # git bisect good aae9c7e32f54ca8282b132b094517e576da43899 Bisecting: 880 revisions left to test after this (roughly 10 steps) [6eb25dbe3d3ee3c05e616b3a660cf6439513c816] Merge remote-tracking branch 'gpio-brgl/gpio/for-next' testing commit 6eb25dbe3d3ee3c05e616b3a660cf6439513c816 with gcc (GCC) 8.1.0 kernel signature: 1e48d0583403865b2aedd452d6fdddadf59e42630231e5fbdb5f4780c4799cc3 all runs: OK # git bisect good 6eb25dbe3d3ee3c05e616b3a660cf6439513c816 Bisecting: 481 revisions left to test after this (roughly 9 steps) [c26636d598da1890248ad157482e16c43b500ef9] scsi: block: fix for "scsi: block: Do not accept any requests while suspended" testing commit c26636d598da1890248ad157482e16c43b500ef9 with gcc (GCC) 8.1.0 kernel signature: 273f0ffc4d6e506d052bd0b45482329e9eeed6053b18a6d42c733a241eaeef88 all runs: OK # git bisect good c26636d598da1890248ad157482e16c43b500ef9 Bisecting: 240 revisions left to test after this (roughly 8 steps) [0dbd95515874b6b0fa0336018c89e9e83186342e] userfaultfd: add UFFD_USER_MODE_ONLY testing commit 0dbd95515874b6b0fa0336018c89e9e83186342e with gcc (GCC) 8.1.0 kernel signature: 9764a5bf4c92f3cbf1899f4491a65864a3bbc77aa5b687270afb9cdced4dcc58 all runs: OK # git bisect good 0dbd95515874b6b0fa0336018c89e9e83186342e Bisecting: 120 revisions left to test after this (roughly 7 steps) [186c3e18dba3f035b73149f6356f8c1c439288f4] ubsan: enable for all*config builds testing commit 186c3e18dba3f035b73149f6356f8c1c439288f4 with gcc (GCC) 8.1.0 kernel signature: 7dbc4f108930afce3b151aeffc50aaf1d8e387810a004b73961be6d0d95195e6 run #0: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 186c3e18dba3f035b73149f6356f8c1c439288f4 Bisecting: 59 revisions left to test after this (roughly 6 steps) [62f6ea788d4380d3646a947c8dc8d58bd6665206] lib: optimize cpumask_local_spread() testing commit 62f6ea788d4380d3646a947c8dc8d58bd6665206 with gcc (GCC) 8.1.0 kernel signature: 894beeba60bed9949cb010201b7611743864510dc8dc1a870b92be78a4d55e65 run #0: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #1: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #2: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #3: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #4: OK run #5: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 62f6ea788d4380d3646a947c8dc8d58bd6665206 Bisecting: 29 revisions left to test after this (roughly 5 steps) [6dc83cb06d457535348e80e1aa2fbc79c35384bd] kfence: add test suite testing commit 6dc83cb06d457535348e80e1aa2fbc79c35384bd with gcc (GCC) 8.1.0 kernel signature: b19a3de46b1c6b8b799229d0b88c85136ef5f8de269796032ef1d34ac12be577 run #0: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #1: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #2: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #3: OK run #4: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 6dc83cb06d457535348e80e1aa2fbc79c35384bd Bisecting: 14 revisions left to test after this (roughly 4 steps) [781eca5eeea7672f12d215f098f05b8d9e2605f0] mm: shmem: convert shmem_enabled_show to use sysfs_emit_at testing commit 781eca5eeea7672f12d215f098f05b8d9e2605f0 with gcc (GCC) 8.1.0 kernel signature: ac457895a782805a3b1ddeb1a18d0608f99156644954d5617ce6ac72416e907e all runs: OK # git bisect good 781eca5eeea7672f12d215f098f05b8d9e2605f0 Bisecting: 7 revisions left to test after this (roughly 3 steps) [122fdbfc323e9073c242f5922450c096df86b065] x86, kfence: enable KFENCE for x86 testing commit 122fdbfc323e9073c242f5922450c096df86b065 with gcc (GCC) 8.1.0 kernel signature: a0dd8191699d69c411253d8f09e06045315043dd11e1da3a1da73ac28d91b093 all runs: OK # git bisect good 122fdbfc323e9073c242f5922450c096df86b065 Bisecting: 3 revisions left to test after this (roughly 2 steps) [ab70d020f54afe28c226cd95e046230c72c04556] mm, kfence: insert KFENCE hooks for SLAB testing commit ab70d020f54afe28c226cd95e046230c72c04556 with gcc (GCC) 8.1.0 kernel signature: 943be61cf56b3898a6107eea60bd9363acf9003cab6d95821edfd81f4264ba8d all runs: OK # git bisect good ab70d020f54afe28c226cd95e046230c72c04556 Bisecting: 1 revision left to test after this (roughly 1 step) [589004acfc19b565f55cb74cf1438d580d5cc458] kfence, kasan: make KFENCE compatible with KASAN testing commit 589004acfc19b565f55cb74cf1438d580d5cc458 with gcc (GCC) 8.1.0 kernel signature: b19a3de46b1c6b8b799229d0b88c85136ef5f8de269796032ef1d34ac12be577 run #0: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #1: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #2: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #3: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #4: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 589004acfc19b565f55cb74cf1438d580d5cc458 Bisecting: 0 revisions left to test after this (roughly 0 steps) [555f63cd88404e122e8d31d0f925e430bd3f32d9] mm, kfence: insert KFENCE hooks for SLUB testing commit 555f63cd88404e122e8d31d0f925e430bd3f32d9 with gcc (GCC) 8.1.0 kernel signature: b19a3de46b1c6b8b799229d0b88c85136ef5f8de269796032ef1d34ac12be577 run #0: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #1: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #2: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #3: crashed: BUG: KFENCE: out-of-bounds in squashfs_export_iget run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 555f63cd88404e122e8d31d0f925e430bd3f32d9 555f63cd88404e122e8d31d0f925e430bd3f32d9 is the first bad commit commit 555f63cd88404e122e8d31d0f925e430bd3f32d9 Author: Alexander Potapenko Date: Fri Dec 4 14:19:29 2020 +1100 mm, kfence: insert KFENCE hooks for SLUB Inserts KFENCE hooks into the SLUB allocator. To pass the originally requested size to KFENCE, add an argument 'orig_size' to slab_alloc*(). The additional argument is required to preserve the requested original size for kmalloc() allocations, which uses size classes (e.g. an allocation of 272 bytes will return an object of size 512). Therefore, kmem_cache::size does not represent the kmalloc-caller's requested size, and we must introduce the argument 'orig_size' to propagate the originally requested size to KFENCE. Without the originally requested size, we would not be able to detect out-of-bounds accesses for objects placed at the end of a KFENCE object page if that object is not equal to the kmalloc-size class it was bucketed into. When KFENCE is disabled, there is no additional overhead, since slab_alloc*() functions are __always_inline. Link: https://lkml.kernel.org/r/20201103175841.3495947-6-elver@google.com Signed-off-by: Marco Elver Signed-off-by: Alexander Potapenko Reviewed-by: Dmitry Vyukov Reviewed-by: Jann Horn Co-developed-by: Marco Elver Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Catalin Marinas Cc: Christopher Lameter Cc: Dave Hansen Cc: David Rientjes Cc: Eric Dumazet Cc: Greg Kroah-Hartman Cc: Hillf Danton Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Joern Engel Cc: Jonathan Corbet Cc: Joonsoo Kim Cc: Kees Cook Cc: Mark Rutland Cc: Paul E. McKenney Cc: Pekka Enberg Cc: Peter Zijlstra Cc: SeongJae Park Cc: Thomas Gleixner Cc: Vlastimil Babka Cc: Will Deacon Signed-off-by: Andrew Morton Signed-off-by: Stephen Rothwell include/linux/slub_def.h | 3 +++ mm/kfence/core.c | 2 ++ mm/slub.c | 60 +++++++++++++++++++++++++++++++++++++----------- 3 files changed, 51 insertions(+), 14 deletions(-) culprit signature: b19a3de46b1c6b8b799229d0b88c85136ef5f8de269796032ef1d34ac12be577 parent signature: 943be61cf56b3898a6107eea60bd9363acf9003cab6d95821edfd81f4264ba8d Reproducer flagged being flaky revisions tested: 17, total time: 4h5m22.970995841s (build: 1h20m41.384109677s, test: 2h42m51.909101317s) first bad commit: 555f63cd88404e122e8d31d0f925e430bd3f32d9 mm, kfence: insert KFENCE hooks for SLUB recipients (to): ["akpm@linux-foundation.org" "dvyukov@google.com" "elver@google.com" "glider@google.com" "jannh@google.com" "sfr@canb.auug.org.au"] recipients (cc): [] crash: BUG: KFENCE: out-of-bounds in squashfs_export_iget ================================================================== BUG: KFENCE: out-of-bounds in squashfs_inode_lookup fs/squashfs/export.c:43 [inline] BUG: KFENCE: out-of-bounds in squashfs_export_iget+0x47/0x120 fs/squashfs/export.c:69 Out-of-bounds access at 0xffff88823bdafff8 (8B left of kfence-#215): squashfs_inode_lookup fs/squashfs/export.c:43 [inline] squashfs_export_iget+0x47/0x120 fs/squashfs/export.c:69 exportfs_decode_fh+0x53/0x2f0 fs/exportfs/expfs.c:434 do_handle_to_path fs/fhandle.c:152 [inline] handle_to_path fs/fhandle.c:207 [inline] do_handle_open+0x12e/0x350 fs/fhandle.c:223 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 kfence-#215 [0xffff88823bdb0000-0xffff88823bdb0007, size=8, cache=kmalloc-8] allocated by task 22961: kmalloc include/linux/slab.h:557 [inline] squashfs_read_table+0x36/0x120 fs/squashfs/cache.c:413 squashfs_read_inode_lookup_table+0x6c/0x90 fs/squashfs/export.c:131 squashfs_fill_super+0x3bf/0x8f0 fs/squashfs/super.c:255 get_tree_bdev+0x1b0/0x2a0 fs/super.c:1344 vfs_get_tree+0x1d/0xd0 fs/super.c:1549 do_new_mount fs/namespace.c:2875 [inline] path_mount+0x75e/0xac0 fs/namespace.c:3205 do_mount+0x70/0x90 fs/namespace.c:3218 __do_sys_mount fs/namespace.c:3426 [inline] __se_sys_mount fs/namespace.c:3403 [inline] __x64_sys_mount+0xbf/0xe0 fs/namespace.c:3403 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 CPU: 0 PID: 22961 Comm: syz-executor.0 Not tainted 5.10.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:squashfs_inode_lookup fs/squashfs/export.c:44 [inline] RIP: 0010:squashfs_export_iget+0x47/0x120 fs/squashfs/export.c:69 Code: 44 00 00 48 8b 93 78 06 00 00 8d 45 ff 48 98 48 c1 e0 03 89 c1 48 c1 f8 0d 48 8b 92 e8 00 00 00 81 e1 ff 1f 00 00 89 4c 24 04 <48> 8b 04 c2 48 89 44 24 08 0f 1f 44 00 00 48 8d 54 24 08 41 b8 08 RSP: 0018:ffffc9000123bd60 EFLAGS: 00010202 RAX: ffffffffffffffff RBX: ffff88811ebab000 RCX: 0000000000001ff8 RDX: ffff88823bdb0000 RSI: 0000000000000000 RDI: ffff88811ebab000 RBP: 0000000000000000 R08: ffffffff81563930 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88810c9c7be8 R13: ffff88811eb09160 R14: 0000000000000002 R15: ffffffff81563930 FS: 00007f5e4c7ab700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88823bdafff8 CR3: 000000011eae0000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: exportfs_decode_fh+0x53/0x2f0 fs/exportfs/expfs.c:434 do_handle_to_path fs/fhandle.c:152 [inline] handle_to_path fs/fhandle.c:207 [inline] do_handle_open+0x12e/0x350 fs/fhandle.c:223 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e0f9 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f5e4c7aac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000130 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e0f9 RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000005 RBP: 000000000119bfc0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c R13: 00007ffd4cbea74f R14: 00007f5e4c7ab9c0 R15: 000000000119bf8c ==================================================================