bisecting cause commit starting from b85051e755b0e9d6dd8f17ef1da083851b83287d
building syzkaller on 1f30020f856c65ba64fd0e7a663b1fb39c27c990
testing commit b85051e755b0e9d6dd8f17ef1da083851b83287d with gcc (GCC) 8.1.0
kernel signature: 381fa5d52d77375a0f1399834c17f1c8824a7259c2fe43f4e81db5c68c67ce00
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 622619cb30f6d772431ddbe5f4c76f20d3a5076809ac4b53588666dcc0fd95ad
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 3835a39ce58f05f99922af435c870f8f6da271e5f2ca4acf3ab0565e819f6d91
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: ffe67aa5fb55f9e8a504fd0d5d7b807de6929baea31f6c3fd8b841695d32e07b
all runs: OK
# git bisect start d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 8639 revisions left to test after this (roughly 13 steps)
[8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0
kernel signature: 64f3ed5ed365ad03bac5a3e3bc7fd03750f19230e811a59f1aeb088b8fcfd6e7
all runs: OK
# git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820
Bisecting: 4316 revisions left to test after this (roughly 12 steps)
[76bb8b05960c3d1668e6bee7624ed886cbd135ba] Merge tag 'kbuild-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit 76bb8b05960c3d1668e6bee7624ed886cbd135ba with gcc (GCC) 8.1.0
kernel signature: b2b357add3141e8f7d09f9803dc16aa3a58c4004491eedd518cb55444cd6157a
all runs: OK
# git bisect good 76bb8b05960c3d1668e6bee7624ed886cbd135ba
Bisecting: 2158 revisions left to test after this (roughly 11 steps)
[018e0e3594f7dcd029d258e368c485e742fa9cdb] habanalabs: rate limit error msg on waiting for CS
testing commit 018e0e3594f7dcd029d258e368c485e742fa9cdb with gcc (GCC) 8.1.0
kernel signature: ee4bf28a7fe1647413d3281a4054d99bbaaedf4f72439eabbca07b772e4a0ade
all runs: OK
# git bisect good 018e0e3594f7dcd029d258e368c485e742fa9cdb
Bisecting: 1079 revisions left to test after this (roughly 10 steps)
[ec34c0157580a68c10dccbdd18c7701f0b317172] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit ec34c0157580a68c10dccbdd18c7701f0b317172 with gcc (GCC) 8.1.0
kernel signature: 784dd42f04a584d20687f498bbb385a8952a34df91d380541ba56738e9ab09c8
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
# git bisect bad ec34c0157580a68c10dccbdd18c7701f0b317172
Bisecting: 539 revisions left to test after this (roughly 9 steps)
[2abf193275768ac89f5d93eec7bcacb238168151] Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 2abf193275768ac89f5d93eec7bcacb238168151 with gcc (GCC) 8.1.0
kernel signature: ec64ceb152e4da0905d0a1014ee6f930cde6a44fc583d7a662cce40458d14832
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
# git bisect bad 2abf193275768ac89f5d93eec7bcacb238168151
Bisecting: 273 revisions left to test after this (roughly 8 steps)
[b61c56227bf5a2ca5e146cebcdf50b2e15e4c973] Merge tag 'sound-5.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit b61c56227bf5a2ca5e146cebcdf50b2e15e4c973 with gcc (GCC) 8.1.0
kernel signature: bc4a7c3d3dd765b4320cca1679f85b13ab870b0855684ba3ce08f2ccd5f7ccc7
all runs: OK
# git bisect good b61c56227bf5a2ca5e146cebcdf50b2e15e4c973
Bisecting: 136 revisions left to test after this (roughly 7 steps)
[510c9788991c58827373bca719d8cffa4d65f846] Merge tag 'Wimplicit-fallthrough-5.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux
testing commit 510c9788991c58827373bca719d8cffa4d65f846 with gcc (GCC) 8.1.0
kernel signature: 980722a546cfa4cc0d6c670c1f3e1075cfb9eb307864c84d17b8e7ec056180ef
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
# git bisect bad 510c9788991c58827373bca719d8cffa4d65f846
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[a1b85b3bf9f9922bdc1428cd2ac4528786a05da7] Merge tag 'usb-5.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit a1b85b3bf9f9922bdc1428cd2ac4528786a05da7 with gcc (GCC) 8.1.0
kernel signature: a8e1438f2f236b902e2f38ce15940e6a75a5cd04b47f10a868124accb880c33c
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
# git bisect bad a1b85b3bf9f9922bdc1428cd2ac4528786a05da7
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[81c64b0bd0900405b4e55f3d48a2fc7dd5e1676c] Merge tag 'ovl-fixes-5.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
testing commit 81c64b0bd0900405b4e55f3d48a2fc7dd5e1676c with gcc (GCC) 8.1.0
kernel signature: 7fb0ccbbc2f62a60384b723dd97273264d7ab34bab71a1d8afdbd07b47b396cd
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
# git bisect bad 81c64b0bd0900405b4e55f3d48a2fc7dd5e1676c
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[1d76c0792a0a12529b4d7b052d511dff9cc1b273] Merge tag 'pci-v5.5-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit 1d76c0792a0a12529b4d7b052d511dff9cc1b273 with gcc (GCC) 8.1.0
kernel signature: 9a4561c1e386a6f081a5a4b030f5c049666670f1fac60413d3e47fc7e784c5be
all runs: OK
# git bisect good 1d76c0792a0a12529b4d7b052d511dff9cc1b273
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[1482e664fe353775c48d3f9d3e5059b9853d4d99] Merge tag 'devicetree-fixes-for-5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
testing commit 1482e664fe353775c48d3f9d3e5059b9853d4d99 with gcc (GCC) 8.1.0
kernel signature: 2033b43005aa4a7331004e6f73f979ba840e6b85aa1b8b22405dc81be5c06186
all runs: OK
# git bisect good 1482e664fe353775c48d3f9d3e5059b9853d4d99
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[6889ee5a53b8d969aa542047f5ac8acdc0e79a91] ovl: relax WARN_ON() on rename to self
testing commit 6889ee5a53b8d969aa542047f5ac8acdc0e79a91 with gcc (GCC) 8.1.0
kernel signature: 0a710f9ee2f89ea3b10bc6ed0f213fb60b27977fe7b01bad914be9703522edae
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
# git bisect bad 6889ee5a53b8d969aa542047f5ac8acdc0e79a91
Bisecting: 2 revisions left to test after this (roughly 1 step)
[cbe7fba8edfc8cb8e621599e376f8ac5c224fa72] ovl: make sure that real fid is 32bit aligned in memory
testing commit cbe7fba8edfc8cb8e621599e376f8ac5c224fa72 with gcc (GCC) 8.1.0
kernel signature: aaf1f2420463564969d101135c278e43a2edd2997858fbecbd46563bcb158d95
all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
# git bisect bad cbe7fba8edfc8cb8e621599e376f8ac5c224fa72
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7e63c87fc2dcf3be9d3aab82d4a0ea085880bdca] ovl: fix lookup failure on multi lower squashfs
testing commit 7e63c87fc2dcf3be9d3aab82d4a0ea085880bdca with gcc (GCC) 8.1.0
kernel signature: 4cf82a8f778e02840a4ce565ef62c5576836b3e8d562b9d3895514e42c44ae34
all runs: OK
# git bisect good 7e63c87fc2dcf3be9d3aab82d4a0ea085880bdca
cbe7fba8edfc8cb8e621599e376f8ac5c224fa72 is the first bad commit
commit cbe7fba8edfc8cb8e621599e376f8ac5c224fa72
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Fri Nov 15 13:33:03 2019 +0200

    ovl: make sure that real fid is 32bit aligned in memory
    
    Seprate on-disk encoding from in-memory and on-wire resresentation
    of overlay file handle.
    
    In-memory and on-wire we only ever pass around pointers to struct
    ovl_fh, which encapsulates at offset 3 the on-disk format struct
    ovl_fb. struct ovl_fb encapsulates at offset 21 the real file handle.
    That makes sure that the real file handle is always 32bit aligned
    in-memory when passed down to the underlying filesystem.
    
    On-disk format remains the same and store/load are done into
    correctly aligned buffer.
    
    New nfs exported file handles are exported with aligned real fid.
    Old nfs file handles are copied to an aligned buffer before being
    decoded.
    
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

 fs/overlayfs/copy_up.c   | 30 +++++++++---------
 fs/overlayfs/export.c    | 80 +++++++++++++++++++++++++++++-------------------
 fs/overlayfs/namei.c     | 44 +++++++++++++-------------
 fs/overlayfs/overlayfs.h | 34 ++++++++++++++++----
 4 files changed, 115 insertions(+), 73 deletions(-)
culprit signature: aaf1f2420463564969d101135c278e43a2edd2997858fbecbd46563bcb158d95
parent  signature: 4cf82a8f778e02840a4ce565ef62c5576836b3e8d562b9d3895514e42c44ae34
revisions tested: 18, total time: 3h57m20.254722667s (build: 1h59m39.619016208s, test: 1h56m24.547902423s)
first bad commit: cbe7fba8edfc8cb8e621599e376f8ac5c224fa72 ovl: make sure that real fid is 32bit aligned in memory
cc: ["amir73il@gmail.com" "linux-kernel@vger.kernel.org" "linux-unionfs@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"]
crash: KASAN: slab-out-of-bounds Read in ovl_check_fb_len
==================================================================
BUG: KASAN: slab-out-of-bounds in ovl_check_fb_len+0xf7/0x130 fs/overlayfs/namei.c:89
Read of size 1 at addr ffff888093cb788d by task syz-executor.1/10766

CPU: 0 PID: 10766 Comm: syz-executor.1 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 __kasan_report.cold.11+0x1c/0x37 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 ovl_check_fb_len+0xf7/0x130 fs/overlayfs/namei.c:89
 ovl_check_fh_len fs/overlayfs/overlayfs.h:325 [inline]
 ovl_fh_to_dentry+0x199/0x777 fs/overlayfs/export.c:805
 exportfs_decode_fh+0xfe/0x66d fs/exportfs/expfs.c:434
 do_handle_to_path fs/fhandle.c:152 [inline]
 handle_to_path fs/fhandle.c:207 [inline]
 do_handle_open+0x244/0x580 fs/fhandle.c:223
 do_syscall_64+0xc6/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ca29
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe8165f5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
RAX: ffffffffffffffda RBX: 00000000004f6d00 RCX: 000000000045ca29
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000077b R14: 00000000004ca4e6 R15: 00007fe8165f66d4

Allocated by task 10766:
 save_stack+0x19/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.13+0xc1/0xd0 mm/kasan/common.c:510
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x164/0x7b0 mm/slab.c:3664
 kmalloc include/linux/slab.h:561 [inline]
 handle_to_path fs/fhandle.c:192 [inline]
 do_handle_open+0xc1/0x580 fs/fhandle.c:223
 do_syscall_64+0xc6/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10439:
 save_stack+0x19/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:471
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3756
 tomoyo_mount_acl+0x40a/0x7b0 security/tomoyo/mount.c:173
 tomoyo_mount_permission+0x115/0x2d0 security/tomoyo/mount.c:237
 security_sb_mount+0x58/0xa0 security/security.c:860
 do_mount+0x16a/0x1720 fs/namespace.c:3084
 ksys_mount+0xb5/0xd0 fs/namespace.c:3351
 __do_sys_mount fs/namespace.c:3365 [inline]
 __se_sys_mount fs/namespace.c:3362 [inline]
 __x64_sys_mount+0xb5/0x150 fs/namespace.c:3362
 do_syscall_64+0xc6/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888093cb7880
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 13 bytes inside of
 32-byte region [ffff888093cb7880, ffff888093cb78a0)
The buggy address belongs to the page:
page:ffffea00024f2dc0 refcount:1 mapcount:0 mapping:ffff8880aa0001c0 index:0xffff888093cb7fc1
raw: 00fffe0000000200 ffffea0002645ac8 ffffea0002520588 ffff8880aa0001c0
raw: ffff888093cb7fc1 ffff888093cb7000 000000010000003d 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888093cb7780: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff888093cb7800: fb fb fb fb fc fc fc fc 00 00 00 05 fc fc fc fc
>ffff888093cb7880: 00 02 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
                      ^
 ffff888093cb7900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff888093cb7980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================