bisecting fixing commit since 555161ee1b7a74e77ca70fd14ed8a5137c8108ac
building syzkaller on 2e29b534005e52c57d726201644ea28ba33a9a3d
testing commit 555161ee1b7a74e77ca70fd14ed8a5137c8108ac with gcc (GCC) 8.1.0
kernel signature: 2d5624d0cbb8114180a56f1c0eebd2c3a5fa9e81fb341fc8b68eeaa74fb1e97d
run #0: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #1: crashed: general protection fault in scatterwalk_copychunks
run #2: crashed: general protection fault in scatterwalk_copychunks
run #3: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #4: crashed: general protection fault in scatterwalk_copychunks
run #5: crashed: KASAN: slab-out-of-bounds in scatterwalk_copychunks
run #6: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #7: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #8: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #9: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
testing current HEAD 106fa147d3daa58d2c1ae5f41a29d07036fe7d0a
testing commit 106fa147d3daa58d2c1ae5f41a29d07036fe7d0a with gcc (GCC) 8.1.0
kernel signature: 35c509984961c098b2b4414f7c29f682e81da3f46507b53e467938a6eedbe355
run #0: crashed: general protection fault in scatterwalk_copychunks
run #1: crashed: general protection fault in scatterwalk_copychunks
run #2: crashed: general protection fault in scatterwalk_copychunks
run #3: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #4: crashed: general protection fault in scatterwalk_copychunks
run #5: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #6: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #7: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #8: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #9: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
revisions tested: 2, total time: 24m34.857013121s (build: 17m11.232705744s, test: 6m30.070346326s)
the crash still happens on HEAD
commit msg: Linux 4.19.127
crash: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 000000011d100000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcdc26d16d4
R13: 00000000004c9478 R14: 00000000004dfdd8 R15: 0000000000000005
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28 [inline]
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x1e1/0x610 crypto/scatterwalk.c:43
Read of size 4096 at addr ffff8880a0f06000 by task syz-executor.2/7509

CPU: 0 PID: 7509 Comm: syz-executor.2 Not tainted 4.19.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:348 [inline]
 memcpy_dir crypto/scatterwalk.c:28 [inline]
 scatterwalk_copychunks+0x1e1/0x610 crypto/scatterwalk.c:43
 scatterwalk_map_and_copy+0x128/0x190 crypto/scatterwalk.c:72
 gcmaes_encrypt.constprop.15+0x6d6/0xda0 arch/x86/crypto/aesni-intel_glue.c:956
 generic_gcmaes_encrypt+0xfd/0x150 arch/x86/crypto/aesni-intel_glue.c:1297
 crypto_aead_encrypt include/crypto/aead.h:335 [inline]
 gcmaes_wrapper_encrypt+0x109/0x180 arch/x86/crypto/aesni-intel_glue.c:1130
 crypto_aead_encrypt include/crypto/aead.h:335 [inline]
 tls_do_encryption net/tls/tls_sw.c:193 [inline]
 tls_push_record+0x966/0x1720 net/tls/tls_sw.c:228
 tls_sw_sendpage+0x458/0xc00 net/tls/tls_sw.c:585
 inet_sendpage+0x122/0x600 net/ipv4/af_inet.c:815
 kernel_sendpage+0x60/0xd0 net/socket.c:3378
 sock_sendpage+0x6d/0xd0 net/socket.c:847
 pipe_to_sendpage+0x212/0x430 fs/splice.c:452
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:627
 splice_from_pipe+0xbb/0x120 fs/splice.c:662
 generic_splice_sendpage+0x10/0x20 fs/splice.c:833
 do_splice_from fs/splice.c:852 [inline]
 do_splice+0x4fd/0x12d0 fs/splice.c:1154
 __do_sys_splice fs/splice.c:1428 [inline]
 __se_sys_splice fs/splice.c:1408 [inline]
 __x64_sys_splice+0x248/0x300 fs/splice.c:1408
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459a29
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fef92c99c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fef92c99c90 RCX: 0000000000459a29
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 000000011d100000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fef92c9a6d4
R13: 00000000004c9478 R14: 00000000004dfdd8 R15: 0000000000000005

Allocated by task 1:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x730 mm/slab.c:3559
 kmem_cache_zalloc include/linux/slab.h:699 [inline]
 __alloc_file+0x2b/0x2f0 fs/file_table.c:100
 alloc_empty_file+0x45/0x110 fs/file_table.c:150
 path_openat+0x106/0x3c60 fs/namei.c:3526
 do_filp_open+0x177/0x250 fs/namei.c:3567
 do_sys_open+0x1dd/0x350 fs/open.c:1085
 __do_sys_open fs/open.c:1103 [inline]
 __se_sys_open fs/open.c:1098 [inline]
 __x64_sys_open+0x79/0xb0 fs/open.c:1098
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3765
 file_free_rcu+0x5d/0x90 fs/file_table.c:49
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xbcd/0x19a0 kernel/rcu/tree.c:2881
 __do_softirq+0x260/0x92d kernel/softirq.c:292

The buggy address belongs to the object at ffff8880a0f060c0
 which belongs to the cache filp of size 456
The buggy address is located 192 bytes to the left of
 456-byte region [ffff8880a0f060c0, ffff8880a0f06288)
The buggy address belongs to the page:
page:ffffea000283c180 count:1 mapcount:0 mapping:ffff8880aa44d540 index:0xffff8880a0f060c0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea000285a908 ffffea000283f548 ffff8880aa44d540
raw: ffff8880a0f060c0 ffff8880a0f060c0 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a0f05f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a0f05f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a0f06000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8880a0f06080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880a0f06100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
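Added triage aid, not part of the syzbot log above: a small parser for the KASAN header fields ("Read of size ... at addr ...", "belongs to the object at ...", "cache ... of size ...") that works out how the reported access lies relative to the slab object. The report only says the start address is 192 bytes to the left of the `filp` object; with the access size taken into account, the 4096-byte read also covers the whole 456-byte object and runs 3448 bytes past its end, and starts on a page boundary, which is what a whole-page scatterlist copy looks like rather than a small off-by-N overrun. The sample text is the relevant report lines copied from this page; the function names and the `whole_page` heuristic are this example's own, not kernel or syzkaller code, and the parser does not attempt to decide root cause (the allocation and free stacks, which show the object is an unrelated, already freed `filp`, are not interpreted here).

```python
import re

# Constructed sample: the KASAN header lines copied from the report on this page.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x1e1/0x610 crypto/scatterwalk.c:43
Read of size 4096 at addr ffff8880a0f06000 by task syz-executor.2/7509
The buggy address belongs to the object at ffff8880a0f060c0
 which belongs to the cache filp of size 456
The buggy address is located 192 bytes to the left of
 456-byte region [ffff8880a0f060c0, ffff8880a0f06288)
"""

PAGE_SIZE = 4096  # x86-64 base page size, as on the GCE VM in the report

# Last "BUG: KASAN:" line is the non-inlined frame KASAN attributes the bug to.
BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in (\S+)", re.M)
ACCESS_RE = re.compile(
    r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", re.M)
OBJECT_RE = re.compile(
    r"belongs to the object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)",
    re.M)


def parse_kasan_report(text):
    """Pull the access and slab-object facts out of a KASAN slab report."""
    bugs = BUG_RE.findall(text)
    access = ACCESS_RE.search(text)
    obj = OBJECT_RE.search(text)
    if not (bugs and access and obj):
        raise ValueError("not a recognisable KASAN slab report")
    kind, func = bugs[-1]
    return {
        "kind": kind,                      # e.g. slab-out-of-bounds
        "func": func,                      # e.g. scatterwalk_copychunks+0x1e1/0x610
        "access": access.group(1),         # Read / Write
        "size": int(access.group(2)),
        "addr": int(access.group(3), 16),
        "task": access.group(4),
        "obj_addr": int(obj.group(1), 16),
        "cache": obj.group(2),
        "obj_size": int(obj.group(3)),
    }


def locate_access(r):
    """Split the access range [addr, addr+size) into the parts that fall
    before, inside and after the slab object [obj_addr, obj_addr+obj_size)."""
    start, end = r["addr"], r["addr"] + r["size"]
    obj_start, obj_end = r["obj_addr"], r["obj_addr"] + r["obj_size"]
    before = max(0, min(end, obj_start) - start)
    after = max(0, end - max(start, obj_end))
    inside = max(0, min(end, obj_end) - max(start, obj_start))
    return {
        "start_offset": start - obj_start,   # negative: starts left of the object
        "bytes_before_object": before,
        "bytes_inside_object": inside,
        "bytes_after_object": after,
        # Heuristic (this example's own): a page-aligned access of exactly one
        # page is typical of a bulk page copy, e.g. a scatterlist walk, not of
        # a short overrun of a neighbouring slab object.
        "whole_page": start % PAGE_SIZE == 0 and r["size"] == PAGE_SIZE,
    }


def summarize(text):
    r = parse_kasan_report(text)
    loc = locate_access(r)
    return (f"{r['kind']} {r['access']} of {r['size']} bytes in {r['func']} "
            f"(task {r['task']}): starts {-loc['start_offset']} bytes before a "
            f"{r['obj_size']}-byte {r['cache']} object, covers {loc['bytes_inside_object']} "
            f"bytes of it and {loc['bytes_after_object']} bytes beyond it; "
            f"whole page: {loc['whole_page']}")


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

The three byte counts always add up to the access size, which is a quick sanity check that the header lines were parsed consistently; a report where the access starts inside the object would give a positive `start_offset` and zero `bytes_before_object`.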