bisecting fixing commit since 555161ee1b7a74e77ca70fd14ed8a5137c8108ac
building syzkaller on 2e29b534005e52c57d726201644ea28ba33a9a3d
testing commit 555161ee1b7a74e77ca70fd14ed8a5137c8108ac with gcc (GCC) 8.1.0
kernel signature: 2d5624d0cbb8114180a56f1c0eebd2c3a5fa9e81fb341fc8b68eeaa74fb1e97d
run #0: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #1: crashed: general protection fault in scatterwalk_copychunks
run #2: crashed: general protection fault in scatterwalk_copychunks
run #3: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #4: crashed: general protection fault in scatterwalk_copychunks
run #5: crashed: KASAN: slab-out-of-bounds in scatterwalk_copychunks
run #6: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #7: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #8: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #9: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
testing current HEAD 106fa147d3daa58d2c1ae5f41a29d07036fe7d0a
testing commit 106fa147d3daa58d2c1ae5f41a29d07036fe7d0a with gcc (GCC) 8.1.0
kernel signature: 35c509984961c098b2b4414f7c29f682e81da3f46507b53e467938a6eedbe355
run #0: crashed: general protection fault in scatterwalk_copychunks
run #1: crashed: general protection fault in scatterwalk_copychunks
run #2: crashed: general protection fault in scatterwalk_copychunks
run #3: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #4: crashed: general protection fault in scatterwalk_copychunks
run #5: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #6: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #7: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #8: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #9: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
revisions tested: 2, total time: 24m34.857013121s (build: 17m11.232705744s, test: 6m30.070346326s)
the crash still happens on HEAD
commit msg: Linux 4.19.127
crash: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 000000011d100000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcdc26d16d4
R13: 00000000004c9478 R14: 00000000004dfdd8 R15: 0000000000000005
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28 [inline]
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x1e1/0x610 crypto/scatterwalk.c:43
Read of size 4096 at addr ffff8880a0f06000 by task syz-executor.2/7509

CPU: 0 PID: 7509 Comm: syz-executor.2 Not tainted 4.19.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:348 [inline]
 memcpy_dir crypto/scatterwalk.c:28 [inline]
 scatterwalk_copychunks+0x1e1/0x610 crypto/scatterwalk.c:43
 scatterwalk_map_and_copy+0x128/0x190 crypto/scatterwalk.c:72
 gcmaes_encrypt.constprop.15+0x6d6/0xda0 arch/x86/crypto/aesni-intel_glue.c:956
 generic_gcmaes_encrypt+0xfd/0x150 arch/x86/crypto/aesni-intel_glue.c:1297
 crypto_aead_encrypt include/crypto/aead.h:335 [inline]
 gcmaes_wrapper_encrypt+0x109/0x180 arch/x86/crypto/aesni-intel_glue.c:1130
 crypto_aead_encrypt include/crypto/aead.h:335 [inline]
 tls_do_encryption net/tls/tls_sw.c:193 [inline]
 tls_push_record+0x966/0x1720 net/tls/tls_sw.c:228
 tls_sw_sendpage+0x458/0xc00 net/tls/tls_sw.c:585
 inet_sendpage+0x122/0x600 net/ipv4/af_inet.c:815
 kernel_sendpage+0x60/0xd0 net/socket.c:3378
 sock_sendpage+0x6d/0xd0 net/socket.c:847
 pipe_to_sendpage+0x212/0x430 fs/splice.c:452
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:627
 splice_from_pipe+0xbb/0x120 fs/splice.c:662
 generic_splice_sendpage+0x10/0x20 fs/splice.c:833
 do_splice_from fs/splice.c:852 [inline]
 do_splice+0x4fd/0x12d0 fs/splice.c:1154
 __do_sys_splice fs/splice.c:1428 [inline]
 __se_sys_splice fs/splice.c:1408 [inline]
 __x64_sys_splice+0x248/0x300 fs/splice.c:1408
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459a29
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fef92c99c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fef92c99c90 RCX: 0000000000459a29
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 000000011d100000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fef92c9a6d4
R13: 00000000004c9478 R14: 00000000004dfdd8 R15: 0000000000000005

Allocated by task 1:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x730 mm/slab.c:3559
 kmem_cache_zalloc include/linux/slab.h:699 [inline]
 __alloc_file+0x2b/0x2f0 fs/file_table.c:100
 alloc_empty_file+0x45/0x110 fs/file_table.c:150
 path_openat+0x106/0x3c60 fs/namei.c:3526
 do_filp_open+0x177/0x250 fs/namei.c:3567
 do_sys_open+0x1dd/0x350 fs/open.c:1085
 __do_sys_open fs/open.c:1103 [inline]
 __se_sys_open fs/open.c:1098 [inline]
 __x64_sys_open+0x79/0xb0 fs/open.c:1098
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3765
 file_free_rcu+0x5d/0x90 fs/file_table.c:49
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xbcd/0x19a0 kernel/rcu/tree.c:2881
 __do_softirq+0x260/0x92d kernel/softirq.c:292

The buggy address belongs to the object at ffff8880a0f060c0
 which belongs to the cache filp of size 456
The buggy address is located 192 bytes to the left of
 456-byte region [ffff8880a0f060c0, ffff8880a0f06288)
The buggy address belongs to the page:
page:ffffea000283c180 count:1 mapcount:0 mapping:ffff8880aa44d540 index:0xffff8880a0f060c0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea000285a908 ffffea000283f548 ffff8880aa44d540
raw: ffff8880a0f060c0 ffff8880a0f060c0 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a0f05f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a0f05f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a0f06000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8880a0f06080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880a0f06100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================