bisecting cause commit starting from fca4fe890ea0352f7e9e4bf33ffed287946ff59e
building syzkaller on a6bc9c88b9c64a9b25f560ee6c4d784ff27d0c7d
testing commit fca4fe890ea0352f7e9e4bf33ffed287946ff59e with gcc (GCC) 8.1.0
kernel signature: c320d2b83e744f223b02f8ec67882edd3cae001b
all runs: crashed: KASAN: slab-out-of-bounds Write in watch_queue_ioctl
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 623ef22e3396d8f5f8fa0991443be9dcef9060a1
all runs: OK
# git bisect start fca4fe890ea0352f7e9e4bf33ffed287946ff59e 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 8909 revisions left to test after this (roughly 13 steps)
[f112a2fd1f5999c6029551f901952392d900cf99] Merge tag 'vfs-5.5-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
testing commit f112a2fd1f5999c6029551f901952392d900cf99 with gcc (GCC) 8.1.0
kernel signature: 9305d2f5e30123374eaf56f06dd034e42d150895
all runs: OK
# git bisect good f112a2fd1f5999c6029551f901952392d900cf99
Bisecting: 4453 revisions left to test after this (roughly 12 steps)
[138f371ddf4ff50207dbe33ebfc237e756cd6222] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 138f371ddf4ff50207dbe33ebfc237e756cd6222 with gcc (GCC) 8.1.0
kernel signature: eba45031969c00be9e0221481e4553390753c3f7
all runs: OK
# git bisect good 138f371ddf4ff50207dbe33ebfc237e756cd6222
Bisecting: 2252 revisions left to test after this (roughly 11 steps)
[582951fad81ba66708e7cea2e405f6df4286ac60] Merge remote-tracking branch 'crypto/master'
testing commit 582951fad81ba66708e7cea2e405f6df4286ac60 with gcc (GCC) 8.1.0
kernel signature: 5300183e019e3d7efa198f3160b4e321a1748d61
all runs: OK
# git bisect good 582951fad81ba66708e7cea2e405f6df4286ac60
Bisecting: 1112 revisions left to test after this (roughly 10 steps)
[b8dfe831ef41f7c58c22dfa42bb2c8447859ca89] Merge remote-tracking branch 'drm-misc/for-linux-next'
testing commit b8dfe831ef41f7c58c22dfa42bb2c8447859ca89 with gcc (GCC) 8.1.0
kernel signature: 2d629853ff531fb990bc1cc2e1bc5305ce37eb62
all runs: OK
# git bisect good b8dfe831ef41f7c58c22dfa42bb2c8447859ca89
Bisecting: 557 revisions left to test after this (roughly 9 steps)
[3fc1c8477d9cf57928a987dfc7d9ffb383406920] Merge remote-tracking branch 'edac/edac-for-next'
testing commit 3fc1c8477d9cf57928a987dfc7d9ffb383406920 with gcc (GCC) 8.1.0
kernel signature: 48aa95ff7932911aa0b27789cb004b45afe9c8e3
all runs: crashed: KASAN: slab-out-of-bounds Write in watch_queue_ioctl
# git bisect bad 3fc1c8477d9cf57928a987dfc7d9ffb383406920
Bisecting: 276 revisions left to test after this (roughly 8 steps)
[cb7a394d7b33bffcb76795e9c9e7e9d54cfca177] Merge remote-tracking branch 'sound-asoc/for-next'
testing commit cb7a394d7b33bffcb76795e9c9e7e9d54cfca177 with gcc (GCC) 8.1.0
kernel signature: 62773b7c0c9e4c8290057cdc2a4dbd91283c4100
all runs: OK
# git bisect good cb7a394d7b33bffcb76795e9c9e7e9d54cfca177
Bisecting: 141 revisions left to test after this (roughly 7 steps)
[abb55f1478c385fbd400058d7b375f4f148f3621] Merge branch 'WIP.x86/mm'
testing commit abb55f1478c385fbd400058d7b375f4f148f3621 with gcc (GCC) 8.1.0
kernel signature: db0247eb2f179e31eb09ac9b0cd8c58a0a81aaae
all runs: OK
# git bisect good abb55f1478c385fbd400058d7b375f4f148f3621
Bisecting: 66 revisions left to test after this (roughly 6 steps)
[4d7a2fc73f553abab109ce1482c6963e08766ced] next-20191211/keys
testing commit 4d7a2fc73f553abab109ce1482c6963e08766ced with gcc (GCC) 8.1.0
kernel signature: 7891b2bfb55bb6a83789af763273c85985178802
all runs: crashed: KASAN: slab-out-of-bounds Write in watch_queue_ioctl
# git bisect bad 4d7a2fc73f553abab109ce1482c6963e08766ced
Bisecting: 46 revisions left to test after this (roughly 5 steps)
[4b0abba48352eec461096f5c006c1bc699a9bc5a] Merge remote-tracking branch 'pcmcia/pcmcia-next'
testing commit 4b0abba48352eec461096f5c006c1bc699a9bc5a with gcc (GCC) 8.1.0
kernel signature: 10f10ff08c66669045ec64648101bc906fa88fb9
all runs: OK
# git bisect good 4b0abba48352eec461096f5c006c1bc699a9bc5a
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[4edf6f7008b22e89e969d556ab7b162015615755] Merge branch 'mmc_pinctrl' into next
testing commit 4edf6f7008b22e89e969d556ab7b162015615755 with gcc (GCC) 8.1.0
kernel signature: 238400e34872d38ae1ca5d6eeeeb69fe0289377f
all runs: boot failed: general protection fault in do_mount_root
# git bisect skip 4edf6f7008b22e89e969d556ab7b162015615755
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[7871ca053dd8ec5f5ae5a9427cd5ef72a828264f] keys: Add a notification facility
testing commit 7871ca053dd8ec5f5ae5a9427cd5ef72a828264f with gcc (GCC) 8.1.0
kernel signature: 13aa535c7bf8909f580d441b50afc54bd14b9b3a
all runs: crashed: KASAN: slab-out-of-bounds Write in watch_queue_ioctl
# git bisect bad 7871ca053dd8ec5f5ae5a9427cd5ef72a828264f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[a8fff581d7e47563242dd05273c49d356f280b11] security: Add hooks to rule on setting a watch
testing commit a8fff581d7e47563242dd05273c49d356f280b11 with gcc (GCC) 8.1.0
kernel signature: 90311843dd4dcd7b52fcd00d3ccd3b36612ba942
all runs: OK
# git bisect good a8fff581d7e47563242dd05273c49d356f280b11
Bisecting: 1 revision left to test after this (roughly 1 step)
[e278da96273e00e831c3dafa8ca1600a88e98712] security: Add a hook for the point of notification insertion
testing commit e278da96273e00e831c3dafa8ca1600a88e98712 with gcc (GCC) 8.1.0
kernel signature: b684a594a50822a58d0fb5ab2a458dfffb2ac423
all runs: OK
# git bisect good e278da96273e00e831c3dafa8ca1600a88e98712
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fe78d401ca6b3639385cf7a9a1597b9cd48f64eb] General notification queue with user mmap()'able ring buffer
testing commit fe78d401ca6b3639385cf7a9a1597b9cd48f64eb with gcc (GCC) 8.1.0
kernel signature: 98a27e3b76ed82f33e70c050dffef821425c029b
all runs: crashed: KASAN: slab-out-of-bounds Write in watch_queue_ioctl
# git bisect bad fe78d401ca6b3639385cf7a9a1597b9cd48f64eb
fe78d401ca6b3639385cf7a9a1597b9cd48f64eb is the first bad commit
commit fe78d401ca6b3639385cf7a9a1597b9cd48f64eb
Author: David Howells
Date:   Fri Oct 11 08:48:08 2019 +0100

    General notification queue with user mmap()'able ring buffer

    Implement a misc device that implements a general notification queue as a
    ring buffer that can be mmap()'d from userspace.

    The way this is done is:

     (1) An application opens the device and indicates the size of the ring
         buffer that it wants to reserve in pages (this can only be set once):

                fd = open("/dev/watch_queue", O_RDWR);
                ioctl(fd, IOC_WATCH_QUEUE_NR_PAGES, nr_of_pages);

     (2) The application should then map the pages that the device has
         reserved.  Each instance of the device created by open() allocates
         separate pages so that maps of different fds don't interfere with one
         another.  Multiple mmap() calls on the same fd, however, will all work
         together.

                page_size = sysconf(_SC_PAGESIZE);
                mapping_size = nr_of_pages * page_size;
                char *buf = mmap(NULL, mapping_size, PROT_READ|PROT_WRITE,
                                 MAP_SHARED, fd, 0);

    The ring is divided into 8-byte slots.  Entries written into the ring are
    variable size and can use between 1 and 63 slots.  A special entry is
    maintained in the first two slots of the ring that contains the head and
    tail pointers.  This is skipped when the ring wraps round.  Note that
    multislot entries, therefore, aren't allowed to be broken over the end of
    the ring, but instead "skip" entries are inserted to pad out the buffer.

    Each entry has a 1-slot header that describes it:

            struct watch_notification {
                    __u32 type:24;
                    __u32 subtype:8;
                    __u32 info;
            };

    The type indicates the source (eg. mount tree changes, superblock events,
    keyring changes, block layer events) and the subtype indicates the event
    type (eg. mount, unmount; EIO, EDQUOT; link, unlink).  The info field
    indicates a number of things, including the entry length, an ID assigned to
    a watchpoint contributing to this buffer, type-specific flags and meta
    flags, such as an overrun indicator.

    Supplementary data, such as the key ID that generated an event, are
    attached in additional slots.

    Signed-off-by: David Howells
    Reviewed-by: Greg Kroah-Hartman

 Documentation/ioctl/ioctl-number.rst |   1 +
 Documentation/watch_queue.rst        | 429 +++++++++++++++++
 drivers/misc/Kconfig                 |  13 +
 drivers/misc/Makefile                |   1 +
 drivers/misc/watch_queue.c           | 898 +++++++++++++++++++++++++++++++++++
 include/linux/sched/user.h           |   3 +-
 include/linux/watch_queue.h          |  94 ++++
 include/uapi/linux/watch_queue.h     |  34 ++
 8 files changed, 1472 insertions(+), 1 deletion(-)
 create mode 100644 Documentation/watch_queue.rst
 create mode 100644 drivers/misc/watch_queue.c
 create mode 100644 include/linux/watch_queue.h

culprit signature: 98a27e3b76ed82f33e70c050dffef821425c029b
parent signature: b684a594a50822a58d0fb5ab2a458dfffb2ac423
revisions tested: 16, total time: 3h47m28.148795681s (build: 1h34m52.479822753s, test: 2h10m33.946911287s)
first bad commit: fe78d401ca6b3639385cf7a9a1597b9cd48f64eb General notification queue with user mmap()'able ring buffer
cc: ["arnd@arndb.de" "axboe@kernel.dk" "corbet@lwn.net" "derek.kiernan@xilinx.com" "dhowells@redhat.com" "dragan.cvetic@xilinx.com" "ebiggers@google.com" "gregkh@linuxfoundation.org" "hare@suse.com" "jaegeuk@kernel.org" "james.morris@microsoft.com" "jannh@google.com" "linux-doc@vger.kernel.org" "linux-kernel@vger.kernel.org" "mchehab+samsung@kernel.org" "tytso@mit.edu"]
crash: KASAN: slab-out-of-bounds Write in watch_queue_ioctl
==================================================================
BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter drivers/misc/watch_queue.c:516 [inline]
BUG: KASAN: slab-out-of-bounds in watch_queue_ioctl+0x137a/0x15e0 drivers/misc/watch_queue.c:555
Write of size 4 at addr ffff8880a5c6585c by task syz-executor.1/7948

CPU: 1 PID: 7948 Comm: syz-executor.1 Not tainted 5.4.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:634
 __asan_report_store4_noabort+0x17/0x20 mm/kasan/generic_report.c:136
 watch_queue_set_filter drivers/misc/watch_queue.c:516 [inline]
 watch_queue_ioctl+0x137a/0x15e0 drivers/misc/watch_queue.c:555
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f58f2da1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 0000000020000240 RSI: 0000000000005761 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f58f2da26d4
R13: 00000000004cfb90 R14: 00000000004d8eb8 R15: 00000000ffffffff

Allocated by task 7948:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.13+0xc7/0xd0 mm/kasan/common.c:510
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x164/0x790 mm/slab.c:3664
 kmalloc include/linux/slab.h:561 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 watch_queue_set_filter drivers/misc/watch_queue.c:505 [inline]
 watch_queue_ioctl+0x2c4/0x15e0 drivers/misc/watch_queue.c:555
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7844:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x108/0x2c0 mm/slab.c:3756
 tomoyo_check_open_permission+0x15f/0x2f0 security/tomoyo/file.c:786
 tomoyo_file_open+0x81/0xa0 security/tomoyo/tomoyo.c:319
 security_file_open+0x46/0x240 security/security.c:1497
 do_dentry_open+0x2db/0x1100 fs/open.c:784
 vfs_open+0x9a/0xc0 fs/open.c:914
 do_last fs/namei.c:3408 [inline]
 path_openat+0xb76/0x3d00 fs/namei.c:3525
 do_filp_open+0x177/0x250 fs/namei.c:3555
 do_sys_open+0x1dd/0x370 fs/open.c:1097
 __do_sys_open fs/open.c:1115 [inline]
 __se_sys_open fs/open.c:1110 [inline]
 __x64_sys_open+0x79/0xb0 fs/open.c:1110
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a5c65840
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 28 bytes inside of
 32-byte region [ffff8880a5c65840, ffff8880a5c65860)
The buggy address belongs to the page:
page:ffffea0002971940 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a5c65fc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029e7348 ffffea00025908c8 ffff8880aa4001c0
raw: ffff8880a5c65fc1 ffff8880a5c65000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a5c65700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880a5c65780: fb fb fb fb fc fc fc fc 00 00 05 fc fc fc fc fc
>ffff8880a5c65800: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
                                                    ^
 ffff8880a5c65880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880a5c65900: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
==================================================================