bisecting cause commit starting from b85051e755b0e9d6dd8f17ef1da083851b83287d building syzkaller on 1f30020f856c65ba64fd0e7a663b1fb39c27c990 testing commit b85051e755b0e9d6dd8f17ef1da083851b83287d with gcc (GCC) 8.1.0 kernel signature: 381fa5d52d77375a0f1399834c17f1c8824a7259c2fe43f4e81db5c68c67ce00 all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 622619cb30f6d772431ddbe5f4c76f20d3a5076809ac4b53588666dcc0fd95ad all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 3835a39ce58f05f99922af435c870f8f6da271e5f2ca4acf3ab0565e819f6d91 all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: ffe67aa5fb55f9e8a504fd0d5d7b807de6929baea31f6c3fd8b841695d32e07b all runs: OK # git bisect start d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 8639 revisions left to test after this (roughly 13 steps) [8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0 kernel signature: 64f3ed5ed365ad03bac5a3e3bc7fd03750f19230e811a59f1aeb088b8fcfd6e7 all runs: OK # git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820 Bisecting: 4316 revisions left to test after this (roughly 12 steps) [76bb8b05960c3d1668e6bee7624ed886cbd135ba] Merge tag 'kbuild-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit 76bb8b05960c3d1668e6bee7624ed886cbd135ba with gcc (GCC) 8.1.0 kernel signature: b2b357add3141e8f7d09f9803dc16aa3a58c4004491eedd518cb55444cd6157a all runs: OK # git bisect good 76bb8b05960c3d1668e6bee7624ed886cbd135ba Bisecting: 2158 revisions left to test after this (roughly 11 steps) [018e0e3594f7dcd029d258e368c485e742fa9cdb] habanalabs: rate limit error msg on waiting for CS testing commit 018e0e3594f7dcd029d258e368c485e742fa9cdb with gcc (GCC) 8.1.0 kernel signature: ee4bf28a7fe1647413d3281a4054d99bbaaedf4f72439eabbca07b772e4a0ade all runs: OK # git bisect good 018e0e3594f7dcd029d258e368c485e742fa9cdb Bisecting: 1079 revisions left to test after this (roughly 10 steps) [ec34c0157580a68c10dccbdd18c7701f0b317172] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf testing commit ec34c0157580a68c10dccbdd18c7701f0b317172 with gcc (GCC) 8.1.0 kernel signature: 784dd42f04a584d20687f498bbb385a8952a34df91d380541ba56738e9ab09c8 all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len # git bisect bad ec34c0157580a68c10dccbdd18c7701f0b317172 Bisecting: 539 revisions left to test after this (roughly 9 steps) [2abf193275768ac89f5d93eec7bcacb238168151] Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 2abf193275768ac89f5d93eec7bcacb238168151 with gcc (GCC) 8.1.0 kernel signature: ec64ceb152e4da0905d0a1014ee6f930cde6a44fc583d7a662cce40458d14832 all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len # git bisect bad 2abf193275768ac89f5d93eec7bcacb238168151 Bisecting: 273 revisions left to test after this (roughly 8 steps) [b61c56227bf5a2ca5e146cebcdf50b2e15e4c973] Merge tag 'sound-5.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit b61c56227bf5a2ca5e146cebcdf50b2e15e4c973 with gcc (GCC) 8.1.0 kernel signature: bc4a7c3d3dd765b4320cca1679f85b13ab870b0855684ba3ce08f2ccd5f7ccc7 all runs: OK # git bisect good b61c56227bf5a2ca5e146cebcdf50b2e15e4c973 Bisecting: 136 revisions left to test after this (roughly 7 steps) [510c9788991c58827373bca719d8cffa4d65f846] Merge tag 'Wimplicit-fallthrough-5.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux testing commit 510c9788991c58827373bca719d8cffa4d65f846 with gcc (GCC) 8.1.0 kernel signature: 980722a546cfa4cc0d6c670c1f3e1075cfb9eb307864c84d17b8e7ec056180ef all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len # git bisect bad 510c9788991c58827373bca719d8cffa4d65f846 Bisecting: 60 revisions left to test after this (roughly 6 steps) [a1b85b3bf9f9922bdc1428cd2ac4528786a05da7] Merge tag 'usb-5.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit a1b85b3bf9f9922bdc1428cd2ac4528786a05da7 with gcc (GCC) 8.1.0 kernel signature: a8e1438f2f236b902e2f38ce15940e6a75a5cd04b47f10a868124accb880c33c all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len # git bisect bad a1b85b3bf9f9922bdc1428cd2ac4528786a05da7 Bisecting: 36 revisions left to test after this (roughly 5 steps) [81c64b0bd0900405b4e55f3d48a2fc7dd5e1676c] Merge tag 'ovl-fixes-5.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs testing commit 81c64b0bd0900405b4e55f3d48a2fc7dd5e1676c with gcc (GCC) 8.1.0 kernel signature: 7fb0ccbbc2f62a60384b723dd97273264d7ab34bab71a1d8afdbd07b47b396cd all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len # git bisect bad 81c64b0bd0900405b4e55f3d48a2fc7dd5e1676c Bisecting: 19 revisions left to test after this (roughly 4 steps) [1d76c0792a0a12529b4d7b052d511dff9cc1b273] Merge tag 'pci-v5.5-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci testing commit 1d76c0792a0a12529b4d7b052d511dff9cc1b273 with gcc (GCC) 8.1.0 kernel signature: 9a4561c1e386a6f081a5a4b030f5c049666670f1fac60413d3e47fc7e784c5be all runs: OK # git bisect good 1d76c0792a0a12529b4d7b052d511dff9cc1b273 Bisecting: 9 revisions left to test after this (roughly 3 steps) [1482e664fe353775c48d3f9d3e5059b9853d4d99] Merge tag 'devicetree-fixes-for-5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit 1482e664fe353775c48d3f9d3e5059b9853d4d99 with gcc (GCC) 8.1.0 kernel signature: 2033b43005aa4a7331004e6f73f979ba840e6b85aa1b8b22405dc81be5c06186 all runs: OK # git bisect good 1482e664fe353775c48d3f9d3e5059b9853d4d99 Bisecting: 4 revisions left to test after this (roughly 2 steps) [6889ee5a53b8d969aa542047f5ac8acdc0e79a91] ovl: relax WARN_ON() on rename to self testing commit 6889ee5a53b8d969aa542047f5ac8acdc0e79a91 with gcc (GCC) 8.1.0 kernel signature: 0a710f9ee2f89ea3b10bc6ed0f213fb60b27977fe7b01bad914be9703522edae all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len # git bisect bad 6889ee5a53b8d969aa542047f5ac8acdc0e79a91 Bisecting: 2 revisions left to test after this (roughly 1 step) [cbe7fba8edfc8cb8e621599e376f8ac5c224fa72] ovl: make sure that real fid is 32bit aligned in memory testing commit cbe7fba8edfc8cb8e621599e376f8ac5c224fa72 with gcc (GCC) 8.1.0 kernel signature: aaf1f2420463564969d101135c278e43a2edd2997858fbecbd46563bcb158d95 all runs: crashed: KASAN: slab-out-of-bounds Read in ovl_check_fb_len # git bisect bad cbe7fba8edfc8cb8e621599e376f8ac5c224fa72 Bisecting: 0 revisions left to test after this (roughly 0 steps) [7e63c87fc2dcf3be9d3aab82d4a0ea085880bdca] ovl: fix lookup failure on multi lower squashfs testing commit 7e63c87fc2dcf3be9d3aab82d4a0ea085880bdca with gcc (GCC) 8.1.0 kernel signature: 4cf82a8f778e02840a4ce565ef62c5576836b3e8d562b9d3895514e42c44ae34 all runs: OK # git bisect good 7e63c87fc2dcf3be9d3aab82d4a0ea085880bdca cbe7fba8edfc8cb8e621599e376f8ac5c224fa72 is the first bad commit commit cbe7fba8edfc8cb8e621599e376f8ac5c224fa72 Author: Amir Goldstein Date: Fri Nov 15 13:33:03 2019 +0200 ovl: make sure that real fid is 32bit aligned in memory Seprate on-disk encoding from in-memory and on-wire resresentation of overlay file handle. In-memory and on-wire we only ever pass around pointers to struct ovl_fh, which encapsulates at offset 3 the on-disk format struct ovl_fb. struct ovl_fb encapsulates at offset 21 the real file handle. That makes sure that the real file handle is always 32bit aligned in-memory when passed down to the underlying filesystem. On-disk format remains the same and store/load are done into correctly aligned buffer. New nfs exported file handles are exported with aligned real fid. Old nfs file handles are copied to an aligned buffer before being decoded. Reported-by: Al Viro Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi fs/overlayfs/copy_up.c | 30 +++++++++--------- fs/overlayfs/export.c | 80 +++++++++++++++++++++++++++++------------------- fs/overlayfs/namei.c | 44 +++++++++++++------------- fs/overlayfs/overlayfs.h | 34 ++++++++++++++++---- 4 files changed, 115 insertions(+), 73 deletions(-) culprit signature: aaf1f2420463564969d101135c278e43a2edd2997858fbecbd46563bcb158d95 parent signature: 4cf82a8f778e02840a4ce565ef62c5576836b3e8d562b9d3895514e42c44ae34 revisions tested: 18, total time: 3h57m20.254722667s (build: 1h59m39.619016208s, test: 1h56m24.547902423s) first bad commit: cbe7fba8edfc8cb8e621599e376f8ac5c224fa72 ovl: make sure that real fid is 32bit aligned in memory cc: ["amir73il@gmail.com" "linux-kernel@vger.kernel.org" "linux-unionfs@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"] crash: KASAN: slab-out-of-bounds Read in ovl_check_fb_len ================================================================== BUG: KASAN: slab-out-of-bounds in ovl_check_fb_len+0xf7/0x130 fs/overlayfs/namei.c:89 Read of size 1 at addr ffff888093cb788d by task syz-executor.1/10766 CPU: 0 PID: 10766 Comm: syz-executor.1 Not tainted 5.4.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374 __kasan_report.cold.11+0x1c/0x37 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:634 ovl_check_fb_len+0xf7/0x130 fs/overlayfs/namei.c:89 ovl_check_fh_len fs/overlayfs/overlayfs.h:325 [inline] ovl_fh_to_dentry+0x199/0x777 fs/overlayfs/export.c:805 exportfs_decode_fh+0xfe/0x66d fs/exportfs/expfs.c:434 do_handle_to_path fs/fhandle.c:152 [inline] handle_to_path fs/fhandle.c:207 [inline] do_handle_open+0x244/0x580 fs/fhandle.c:223 do_syscall_64+0xc6/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45ca29 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fe8165f5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000130 RAX: ffffffffffffffda RBX: 00000000004f6d00 RCX: 000000000045ca29 RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000077b R14: 00000000004ca4e6 R15: 00007fe8165f66d4 Allocated by task 10766: save_stack+0x19/0x80 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.13+0xc1/0xd0 mm/kasan/common.c:510 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc+0x164/0x7b0 mm/slab.c:3664 kmalloc include/linux/slab.h:561 [inline] handle_to_path fs/fhandle.c:192 [inline] do_handle_open+0xc1/0x580 fs/fhandle.c:223 do_syscall_64+0xc6/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 10439: save_stack+0x19/0x80 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:471 __cache_free mm/slab.c:3425 [inline] kfree+0x107/0x2b0 mm/slab.c:3756 tomoyo_mount_acl+0x40a/0x7b0 security/tomoyo/mount.c:173 tomoyo_mount_permission+0x115/0x2d0 security/tomoyo/mount.c:237 security_sb_mount+0x58/0xa0 security/security.c:860 do_mount+0x16a/0x1720 fs/namespace.c:3084 ksys_mount+0xb5/0xd0 fs/namespace.c:3351 __do_sys_mount fs/namespace.c:3365 [inline] __se_sys_mount fs/namespace.c:3362 [inline] __x64_sys_mount+0xb5/0x150 fs/namespace.c:3362 do_syscall_64+0xc6/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888093cb7880 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 13 bytes inside of 32-byte region [ffff888093cb7880, ffff888093cb78a0) The buggy address belongs to the page: page:ffffea00024f2dc0 refcount:1 mapcount:0 mapping:ffff8880aa0001c0 index:0xffff888093cb7fc1 raw: 00fffe0000000200 ffffea0002645ac8 ffffea0002520588 ffff8880aa0001c0 raw: ffff888093cb7fc1 ffff888093cb7000 000000010000003d 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888093cb7780: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ffff888093cb7800: fb fb fb fb fc fc fc fc 00 00 00 05 fc fc fc fc >ffff888093cb7880: 00 02 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff888093cb7900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff888093cb7980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ==================================================================