bisecting fixing commit since ddec8ed2d4905d0967ce2ec432e440e582aa52c6
building syzkaller on 2ca0d3855c36da0994766801f4b5067a74824437
testing commit ddec8ed2d4905d0967ce2ec432e440e582aa52c6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7ae99a8c6ebefca0e874e223db1e63f4f5d22ff2b18be00283b0a88a308b2536
all runs: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
testing current HEAD 42e7a03d3badebd4e70aea5362d6914dfc7c220b
testing commit 42e7a03d3badebd4e70aea5362d6914dfc7c220b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0c4e6748c6caad7c5b8156727c3a9d166c90ad43af2b200c833b0c42a1b725e1
all runs: crashed: KASAN: slab-out-of-bounds Read in decrypt_internal
revisions tested: 2, total time: 18m34.770703784s (build: 12m0.53165626s, test: 5m55.277897208s)
the crash still happens on HEAD
commit msg: Merge tag 'hyperv-fixes-signed-20220407' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
crash: KASAN: slab-out-of-bounds Read in decrypt_internal
==================================================================
BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x79e/0x1c20 net/tls/tls_sw.c:1498
Read of size 16 at addr ffff88801da018a0 by task syz-executor413/4030

CPU: 1 PID: 4030 Comm: syz-executor413 Not tainted 5.18.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 decrypt_internal+0x79e/0x1c20 net/tls/tls_sw.c:1498
 decrypt_skb_update+0xf9/0xa90 net/tls/tls_sw.c:1578
 tls_sw_recvmsg+0x496/0x1270 net/tls/tls_sw.c:1849
 inet6_recvmsg+0xf2/0x490 net/ipv6/af_inet6.c:671
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 ____sys_recvmsg+0x258/0x620 net/socket.c:2632
 ___sys_recvmsg+0xe2/0x1a0 net/socket.c:2674
 do_recvmmsg+0x1c8/0x550 net/socket.c:2768
 __sys_recvmmsg net/socket.c:2847 [inline]
 __do_sys_recvmmsg net/socket.c:2870 [inline]
 __se_sys_recvmmsg net/socket.c:2863 [inline]
 __x64_sys_recvmmsg+0x19a/0x200 net/socket.c:2863
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7efe0c9caf29
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffda264fa98 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efe0c9caf29
RDX: 0000000000000001 RSI: 0000000020002900 RDI: 0000000000000003
RBP: 00007efe0c98f0d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007efe0c98f160
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 4030:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:586 [inline]
 tls_set_sw_offload+0x78f/0x13e0 net/tls/tls_sw.c:2526
 do_tls_setsockopt_conf net/tls/tls_main.c:652 [inline]
 do_tls_setsockopt net/tls/tls_main.c:687 [inline]
 tls_setsockopt+0x921/0xda0 net/tls/tls_main.c:707
 __sys_setsockopt+0x198/0x4f0 net/socket.c:2180
 __do_sys_setsockopt net/socket.c:2191 [inline]
 __se_sys_setsockopt net/socket.c:2188 [inline]
 __x64_sys_setsockopt+0xb5/0x150 net/socket.c:2188
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801da018a0
 which belongs to the cache kmalloc-16 of size 16
The buggy address is located 0 bytes inside of
 16-byte region [ffff88801da018a0, ffff88801da018b0)

The buggy address belongs to the physical page:
page:ffffea0000768040 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801da01520 pfn:0x1da01
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff8880100413c0
raw: ffff88801da01520 0000000080800077 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY), pid 91, tgid 91 (kworker/u4:3), ts 5309010208, free_ts 0
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0x178d/0x3da0 mm/page_alloc.c:4182
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
 __alloc_pages_node include/linux/gfp.h:587 [inline]
 alloc_slab_page mm/slub.c:1801 [inline]
 allocate_slab+0x80/0x3c0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x8e1/0xf20 mm/slub.c:3005
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
 slab_alloc_node mm/slub.c:3183 [inline]
 __kmalloc_node+0x2cb/0x390 mm/slub.c:4458
 kmalloc_array_node include/linux/slab.h:676 [inline]
 blk_mq_alloc_hctx block/blk-mq.c:3548 [inline]
 blk_mq_alloc_and_init_hctx+0x901/0x10d0 block/blk-mq.c:3958
 blk_mq_realloc_hw_ctxs+0x26d/0x340 block/blk-mq.c:3991
 blk_mq_init_allocated_queue+0x3f9/0x12b0 block/blk-mq.c:4053
 blk_mq_init_queue_data block/blk-mq.c:3906 [inline]
 blk_mq_init_queue+0x9e/0x100 block/blk-mq.c:3916
 scsi_alloc_sdev+0x827/0xc00 drivers/scsi/scsi_scan.c:330
 scsi_probe_and_add_lun+0x17ae/0x2e30 drivers/scsi/scsi_scan.c:1167
 __scsi_scan_target+0x1ab/0xad0 drivers/scsi/scsi_scan.c:1649
 scsi_scan_channel drivers/scsi/scsi_scan.c:1737 [inline]
 scsi_scan_channel+0xdf/0x160 drivers/scsi/scsi_scan.c:1713
 scsi_scan_host_selected+0x1ef/0x2a0 drivers/scsi/scsi_scan.c:1766
 do_scan_async+0x3a/0x450 drivers/scsi/scsi_scan.c:1915
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801da01780: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
 ffff88801da01800: 00 00 fc fc fb fb fc fc fb fb fc fc fb fb fc fc
>ffff88801da01880: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc
                               ^
 ffff88801da01900: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
 ffff88801da01980: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
==================================================================