bisecting fixing commit since 555161ee1b7a74e77ca70fd14ed8a5137c8108ac
building syzkaller on 2e29b534005e52c57d726201644ea28ba33a9a3d
testing commit 555161ee1b7a74e77ca70fd14ed8a5137c8108ac with gcc (GCC) 8.1.0
kernel signature: 1888a2880787e14337e7e2ca8cb2fc504f21b80c135eeb64a1f8db342ca1fe26
run #0: crashed: general protection fault in scatterwalk_copychunks
run #1: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #2: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #3: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #4: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #5: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #6: crashed: general protection fault in scatterwalk_copychunks
run #7: crashed: general protection fault in corrupted
run #8: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #9: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
testing current HEAD 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
testing commit 0c88e405c97ed1828443b67891e6d4bb6e56cd4e with gcc (GCC) 8.1.0
kernel signature: 31c41d7f74b8cfe162cca3f7b647ad5627b87af4701a75e35dbc7c07f7431198
run #0: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #1: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #2: crashed: general protection fault in scatterwalk_copychunks
run #3: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #4: crashed: general protection fault in scatterwalk_copychunks
run #5: crashed: general protection fault in scatterwalk_copychunks
run #6: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #7: crashed: general protection fault in scatterwalk_copychunks
run #8: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #9: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
revisions tested: 2, total time: 25m20.915020714s (build: 18m12.509920111s, test: 6m17.359998713s)
the crash still happens on HEAD
commit msg: Linux 4.19.160
crash: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 000000011d100000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f25328c16d4
R13: 00000000004c94f8 R14: 00000000004dfe58 R15: 0000000000000005
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:373 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28 [inline]
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x1e1/0x610 crypto/scatterwalk.c:43
Read of size 4096 at addr ffff8881f3a23000 by task syz-executor.2/7447
CPU: 1 PID: 7433 Comm: syz-executor.1 Not tainted 4.19.160-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0x5/0x13 lib/fault-inject.c:149
 __should_failslab+0xba/0xf0 mm/failslab.c:32
 should_failslab+0x9/0x14 mm/slab_common.c:1588
 slab_pre_alloc_hook mm/slab.h:424 [inline]
 slab_alloc_node mm/slab.c:3304 [inline]
 kmem_cache_alloc_node_trace+0x26d/0x730 mm/slab.c:3666
 __do_kmalloc_node mm/slab.c:3688 [inline]
 __kmalloc_node_track_caller+0x3c/0x70 mm/slab.c:3703
 __kmalloc_reserve.isra.39+0x2c/0xc0 net/core/skbuff.c:137
 __alloc_skb+0xd7/0x580 net/core/skbuff.c:205
 alloc_skb_fclone include/linux/skbuff.h:1037 [inline]
 sk_stream_alloc_skb+0x9e/0x810 net/ipv4/tcp.c:884
 do_tcp_sendpages+0x772/0x1e10 net/ipv4/tcp.c:1003
 tcp_sendpage_locked+0x63/0xa0 net/ipv4/tcp.c:1106
 tcp_sendpage+0x37/0x50 net/ipv4/tcp.c:1116
 inet_sendpage+0x122/0x600 net/ipv4/af_inet.c:815
 kernel_sendpage+0x60/0xd0 net/socket.c:3378
 sock_sendpage+0x6d/0xd0 net/socket.c:847
 pipe_to_sendpage+0x212/0x430 fs/splice.c:452
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:627
 splice_from_pipe+0xbb/0x120 fs/splice.c:662
 generic_splice_sendpage+0x10/0x20 fs/splice.c:833
 do_splice_from fs/splice.c:852 [inline]
 do_splice+0x4fd/0x12d0 fs/splice.c:1154
 __do_sys_splice fs/splice.c:1428 [inline]
 __se_sys_splice fs/splice.c:1408 [inline]
 __x64_sys_splice+0x248/0x300 fs/splice.c:1408
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459aa9
Code: 7d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f37732adc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f37732adc90 RCX: 0000000000459aa9
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 000000011d100000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f37732ae6d4
R13: 00000000004c94f8 R14: 00000000004dfe58 R15: 0000000000000005
CPU: 0 PID: 7447 Comm: syz-executor.2 Not tainted 4.19.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:373 [inline]
 memcpy_dir crypto/scatterwalk.c:28 [inline]
 scatterwalk_copychunks+0x1e1/0x610 crypto/scatterwalk.c:43
 scatterwalk_map_and_copy+0x128/0x190 crypto/scatterwalk.c:72
 gcmaes_encrypt.constprop.15+0x6d6/0xda0 arch/x86/crypto/aesni-intel_glue.c:956
 generic_gcmaes_encrypt+0xfd/0x150 arch/x86/crypto/aesni-intel_glue.c:1297
 crypto_aead_encrypt include/crypto/aead.h:335 [inline]
 gcmaes_wrapper_encrypt+0x109/0x180 arch/x86/crypto/aesni-intel_glue.c:1130
 crypto_aead_encrypt include/crypto/aead.h:335 [inline]
 tls_do_encryption net/tls/tls_sw.c:193 [inline]
 tls_push_record+0x9ae/0x1600 net/tls/tls_sw.c:228
 tls_sw_sendpage+0x458/0xc00 net/tls/tls_sw.c:585
 inet_sendpage+0x122/0x600 net/ipv4/af_inet.c:815
 kernel_sendpage+0x60/0xd0 net/socket.c:3378
 sock_sendpage+0x6d/0xd0 net/socket.c:847
 pipe_to_sendpage+0x212/0x430 fs/splice.c:452
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:627
 splice_from_pipe+0xbb/0x120 fs/splice.c:662
 generic_splice_sendpage+0x10/0x20 fs/splice.c:833
 do_splice_from fs/splice.c:852 [inline]
 do_splice+0x4fd/0x12d0 fs/splice.c:1154
 __do_sys_splice fs/splice.c:1428 [inline]
 __se_sys_splice fs/splice.c:1408 [inline]
 __x64_sys_splice+0x248/0x300 fs/splice.c:1408
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459aa9
Code: 7d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f429d0e4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f429d0e4c90 RCX: 0000000000459aa9
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 000000011d100000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f429d0e56d4
R13: 00000000004c94f8 R14: 00000000004dfe58 R15: 0000000000000005

CPU: 1 PID: 7446 Comm: syz-executor.5 Not tainted 4.19.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Allocated by task 5729:
Call Trace:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0x5/0x13 lib/fault-inject.c:149
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3703
 __kmalloc_reserve.isra.39+0x2c/0xc0 net/core/skbuff.c:137
 __alloc_skb+0xd7/0x580 net/core/skbuff.c:205
 __should_failslab+0xba/0xf0 mm/failslab.c:32
 alloc_skb include/linux/skbuff.h:995 [inline]
 alloc_uevent_skb+0x84/0x220 lib/kobject_uevent.c:288
 should_failslab+0x9/0x14 mm/slab_common.c:1588
 uevent_net_broadcast_tagged lib/kobject_uevent.c:349 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:409 [inline]
 kobject_uevent_env+0xc21/0xf20 lib/kobject_uevent.c:590
 slab_pre_alloc_hook mm/slab.h:424 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 __do_kmalloc mm/slab.c:3725 [inline]
 __kmalloc+0x2dd/0x770 mm/slab.c:3736
 kobject_uevent+0xb/0x10 lib/kobject_uevent.c:639
 netdev_queue_add_kobject net/core/net-sysfs.c:1492 [inline]
 netdev_queue_update_kobjects+0x271/0x330 net/core/net-sysfs.c:1509
 register_queue_kobjects net/core/net-sysfs.c:1551 [inline]
 netdev_register_kobject+0x261/0x360 net/core/net-sysfs.c:1769
 register_netdevice+0x6f4/0xfb0 net/core/dev.c:8717
 kmalloc include/linux/slab.h:520 [inline]
 aead_request_alloc include/crypto/aead.h:425 [inline]
 tls_push_record+0xff/0x1600 net/tls/tls_sw.c:209
 bond_newlink+0x29/0x60 drivers/net/bonding/bond_netlink.c:453
 rtnl_newlink+0xc7d/0x1330 net/core/rtnetlink.c:3141
 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:4778
 tls_sw_sendpage+0x458/0xc00 net/tls/tls_sw.c:585
 netlink_rcv_skb+0x13e/0x3d0 net/netlink/af_netlink.c:2455
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4796
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x445/0x640 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1909
 inet_sendpage+0x122/0x600 net/ipv4/af_inet.c:815
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:632
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1787
 kernel_sendpage+0x60/0xd0 net/socket.c:3378
 __do_sys_sendto net/socket.c:1799 [inline]
 __se_sys_sendto net/socket.c:1795 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1795
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 sock_sendpage+0x6d/0xd0 net/socket.c:847
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
 pipe_to_sendpage+0x212/0x430 fs/splice.c:452

Freed by task 5729:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:627
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 skb_free_head+0x74/0x90 net/core/skbuff.c:554
 skb_release_data+0x481/0x6c0 net/core/skbuff.c:574
 skb_release_all+0x3d/0x50 net/core/skbuff.c:631
 splice_from_pipe+0xbb/0x120 fs/splice.c:662
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0x91/0x270 net/core/skbuff.c:705
 netlink_broadcast_filtered+0x287/0x930 net/netlink/af_netlink.c:1520
 netlink_broadcast+0xe/0x10 net/netlink/af_netlink.c:1542
 generic_splice_sendpage+0x10/0x20 fs/splice.c:833
 uevent_net_broadcast_tagged lib/kobject_uevent.c:370 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:409 [inline]
 kobject_uevent_env+0xccb/0xf20 lib/kobject_uevent.c:590
 do_splice_from fs/splice.c:852 [inline]
 do_splice+0x4fd/0x12d0 fs/splice.c:1154
 kobject_uevent+0xb/0x10 lib/kobject_uevent.c:639
 netdev_queue_add_kobject net/core/net-sysfs.c:1492 [inline]
 netdev_queue_update_kobjects+0x271/0x330 net/core/net-sysfs.c:1509
 register_queue_kobjects net/core/net-sysfs.c:1551 [inline]
 netdev_register_kobject+0x261/0x360 net/core/net-sysfs.c:1769
 register_netdevice+0x6f4/0xfb0 net/core/dev.c:8717
 bond_newlink+0x29/0x60 drivers/net/bonding/bond_netlink.c:453
 __do_sys_splice fs/splice.c:1428 [inline]
 __se_sys_splice fs/splice.c:1408 [inline]
 __x64_sys_splice+0x248/0x300 fs/splice.c:1408
 rtnl_newlink+0xc7d/0x1330 net/core/rtnetlink.c:3141
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:4778
 netlink_rcv_skb+0x13e/0x3d0 net/netlink/af_netlink.c:2455
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4796
RIP: 0033:0x459aa9
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x445/0x640 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x765/0xc50 net/netlink/af_netlink.c:1909
Code: 7d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:632
RSP: 002b:00007ff0f09ffc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1787
RAX: ffffffffffffffda RBX: 00007ff0f09ffc90 RCX: 0000000000459aa9
 __do_sys_sendto net/socket.c:1799 [inline]
 __se_sys_sendto net/socket.c:1795 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1795
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
RBP: 000000000075bf20 R08: 000000011d100000 R09: 0000000000000000
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff0f0a006d4

R13: 00000000004c94f8 R14: 00000000004dfe58 R15: 0000000000000005
The buggy address belongs to the object at ffff8881f3a23080
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 128 bytes to the left of
 512-byte region [ffff8881f3a23080, ffff8881f3a23280)
The buggy address belongs to the page:
page:ffffea0007ce88c0 count:1 mapcount:0 mapping:ffff8881f6400940 index:0xffff8881f3a23300
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0007cfb808 ffffea00079a77c8 ffff8881f6400940
raw: ffff8881f3a23300 ffff8881f3a23080 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f3a22f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881f3a22f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881f3a23000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8881f3a23080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881f3a23100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================