bisecting cause commit starting from 618d919cae2fcaadc752f27ddac8b939da8b441a building syzkaller on 505ab413c77ce8c6bd4658ea5e68ea2534d47b39 testing commit 618d919cae2fcaadc752f27ddac8b939da8b441a with gcc (GCC) 8.1.0 kernel signature: 0a0090710fc1ddf317b562c07c8bca6d4b4287da all runs: crashed: INFO: task hung in aead_recvmsg testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 8491268cb7cdd05efef8124303c5dc0879c3df4e all runs: crashed: INFO: task hung in aead_recvmsg testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: 39116c3079ec115d6e4a1262fdb0d839d7896851 all runs: crashed: INFO: task hung in aead_recvmsg testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: b0f3377934ca7d3830c9d7ed52e4d5c4a76627b4 all runs: crashed: INFO: task hung in aead_recvmsg testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 kernel signature: 657322d3f1a72ff452cc9ebf67631c9f8a9c40d5 all runs: crashed: INFO: task hung in aead_recvmsg testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 kernel signature: 75b19e11318ea01a3f7f8e8bbd50853542ac6da4 all runs: crashed: INFO: task hung in aead_recvmsg testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 kernel signature: 2ebff243297a46ee04656aef8ed9a4b0b02fba86 all runs: crashed: INFO: task hung in aead_recvmsg testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 kernel signature: ed5856a411c2be6b724de6fdf56855ea7cdc7036 all runs: crashed: INFO: task hung in aead_recvmsg testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 kernel signature: 0a7fed6ea05c0167d4adf21e2d9fb637b5e8c36b all runs: crashed: INFO: task hung in aead_recvmsg testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 kernel signature: 4e1edd27bc42d744eab496eed6874a3099ebb823 all runs: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 kernel signature: 8d018ce1c0e27a82af8c56ef20a9024610f77fc9 run #0: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #1: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #2: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #3: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #4: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #5: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #6: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #7: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #8: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg run #9: crashed: kernel BUG at ./include/linux/scatterlist.h:LINE! testing release v4.11 testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0 kernel signature: 45dcd60584c2766f80ab2fe59ec4f0779dbb0b91 all runs: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg testing release v4.10 testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0 kernel signature: 0d7ad7653ffae8e65a2fe1110dbc6229eb5d210a all runs: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg testing release v4.9 testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0 kernel signature: 7649edf571e2a6f36e88e1f901e744a876cab978 all runs: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg testing release v4.8 testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0 kernel signature: 22e45efc3166e27d186750f360b4e08391ee75f7 all runs: OK # git bisect start 69973b830859bc6529a7a0468ba0d80ee5117826 c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 Bisecting: 8695 revisions left to test after this (roughly 13 steps) [a5af7e1fc69a46f29b977fd4b570e0ac414c2338] rxrpc: Fix loss of PING RESPONSE ACK production due to PING ACKs testing commit a5af7e1fc69a46f29b977fd4b570e0ac414c2338 with gcc (GCC) 5.5.0 kernel signature: dda981cb533117fedf7a45389d72209c6e9675eb all runs: OK # git bisect good a5af7e1fc69a46f29b977fd4b570e0ac414c2338 Bisecting: 4759 revisions left to test after this (roughly 12 steps) [a379f71a30dddbd2e7393624e455ce53c87965d1] Merge branch 'akpm' (patches from Andrew) testing commit a379f71a30dddbd2e7393624e455ce53c87965d1 with gcc (GCC) 5.5.0 kernel signature: 3635f2768dca933ffca1a2bec857e79365e19cb3 all runs: OK # git bisect good a379f71a30dddbd2e7393624e455ce53c87965d1 Bisecting: 2340 revisions left to test after this (roughly 11 steps) [133d970e0dadf7b413db19893acc5b26664bf4a1] Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus testing commit 133d970e0dadf7b413db19893acc5b26664bf4a1 with gcc (GCC) 5.5.0 kernel signature: b5ababd896b758763888ec7a5c8032130b0ef909 all runs: OK # git bisect good 133d970e0dadf7b413db19893acc5b26664bf4a1 Bisecting: 1170 revisions left to test after this (roughly 10 steps) [94ea29b116652b8b08934493fae68a6b83e2bc45] Merge tag 'sunxi-drm-fixes-for-4.9' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into drm-fixes testing commit 94ea29b116652b8b08934493fae68a6b83e2bc45 with gcc (GCC) 5.5.0 kernel signature: 4f54c5eb8143d9b4c7a1ff6bcfeba3caeec667b0 all runs: OK # git bisect good 94ea29b116652b8b08934493fae68a6b83e2bc45 Bisecting: 584 revisions left to test after this (roughly 9 steps) [697ed8d03909140d95484d46d277a4e46d89b0e5] Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm testing commit 697ed8d03909140d95484d46d277a4e46d89b0e5 with gcc (GCC) 5.5.0 kernel signature: 60b203accc358f0524443a4a4c8742117f63716e all runs: OK # git bisect good 697ed8d03909140d95484d46d277a4e46d89b0e5 Bisecting: 292 revisions left to test after this (roughly 8 steps) [f2ebf2a6ca94e78be179e8c99d34c87efc5e8bfb] Merge branch 'fixed-phy-phydev-leaks' testing commit f2ebf2a6ca94e78be179e8c99d34c87efc5e8bfb with gcc (GCC) 5.5.0 kernel signature: 5263f27b7ff48861c60434d4a8b18e7ea2c2e7f4 all runs: OK # git bisect good f2ebf2a6ca94e78be179e8c99d34c87efc5e8bfb Bisecting: 146 revisions left to test after this (roughly 7 steps) [14dd3e1b970feb125e4f453bc3b0569db5b2069b] net: af_mpls.c add space before open parenthesis testing commit 14dd3e1b970feb125e4f453bc3b0569db5b2069b with gcc (GCC) 5.5.0 kernel signature: 19dd8ce37c8e391925450cc72ee31e0107557447 all runs: OK # git bisect good 14dd3e1b970feb125e4f453bc3b0569db5b2069b Bisecting: 73 revisions left to test after this (roughly 6 steps) [9cecb138e54c54989375bceeb448affcdf03497f] net: ethernet: lantiq_etop: Call SET_NETDEV_DEV() testing commit 9cecb138e54c54989375bceeb448affcdf03497f with gcc (GCC) 5.5.0 kernel signature: 54b43e2d8fa28a4c1d7ee90e968c79d865821321 all runs: OK # git bisect good 9cecb138e54c54989375bceeb448affcdf03497f Bisecting: 35 revisions left to test after this (roughly 5 steps) [1ca17e97966aa4b651e56861f83695e3645bf954] Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux testing commit 1ca17e97966aa4b651e56861f83695e3645bf954 with gcc (GCC) 5.5.0 kernel signature: bd184b02b438023bd71af3a34cff432add5d9fec all runs: OK # git bisect good 1ca17e97966aa4b651e56861f83695e3645bf954 Bisecting: 16 revisions left to test after this (roughly 4 steps) [810ac7b7558d7830e72d8dbf34b851fce39e08b0] Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm testing commit 810ac7b7558d7830e72d8dbf34b851fce39e08b0 with gcc (GCC) 5.5.0 kernel signature: d15ca457ec6caa8843a977685177566e19e94b04 all runs: OK # git bisect good 810ac7b7558d7830e72d8dbf34b851fce39e08b0 Bisecting: 10 revisions left to test after this (roughly 3 steps) [678b5c6b22fed89a13d5b2267f423069a9b11c80] crypto: algif_aead - fix uninitialized variable warning testing commit 678b5c6b22fed89a13d5b2267f423069a9b11c80 with gcc (GCC) 5.5.0 kernel signature: 5a92d0881c953f526aa6507f959803b2b0047d2f all runs: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg # git bisect bad 678b5c6b22fed89a13d5b2267f423069a9b11c80 Bisecting: 2 revisions left to test after this (roughly 2 steps) [39eaf759466f4e3fbeaa39075512f4f345dffdc8] crypto: caam - fix pointer size for AArch64 boot loader, AArch32 kernel testing commit 39eaf759466f4e3fbeaa39075512f4f345dffdc8 with gcc (GCC) 5.5.0 kernel signature: 9464dcfe1cb081edac9a157478e5391560cce544 all runs: OK # git bisect good 39eaf759466f4e3fbeaa39075512f4f345dffdc8 Bisecting: 0 revisions left to test after this (roughly 1 step) [48a992727d82cb7db076fa15d372178743b1f4cd] crypto: mcryptd - Check mcryptd algorithm compatibility testing commit 48a992727d82cb7db076fa15d372178743b1f4cd with gcc (GCC) 5.5.0 kernel signature: 079432037440a633b22b6b293b9c05b784ebadac all runs: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg # git bisect bad 48a992727d82cb7db076fa15d372178743b1f4cd Bisecting: 0 revisions left to test after this (roughly 0 steps) [0c1e16cd1ec41987cc6671a2bff46ac958c41eb5] crypto: algif_aead - fix AEAD tag memory handling testing commit 0c1e16cd1ec41987cc6671a2bff46ac958c41eb5 with gcc (GCC) 5.5.0 kernel signature: a7e3d40cdb8d643be886409d28f5f1bd9822b1e1 all runs: crashed: KASAN: slab-out-of-bounds Read in aead_recvmsg # git bisect bad 0c1e16cd1ec41987cc6671a2bff46ac958c41eb5 0c1e16cd1ec41987cc6671a2bff46ac958c41eb5 is the first bad commit commit 0c1e16cd1ec41987cc6671a2bff46ac958c41eb5 Author: Stephan Mueller Date: Mon Dec 5 15:26:19 2016 +0100 crypto: algif_aead - fix AEAD tag memory handling For encryption, the AEAD ciphers require AAD || PT as input and generate AAD || CT || Tag as output and vice versa for decryption. Prior to this patch, the AF_ALG interface for AEAD ciphers requires the buffer to be present as input for encryption. Similarly, the output buffer for decryption required the presence of the tag buffer too. This implies that the kernel reads / writes data buffers from/to kernel space even though this operation is not required. This patch changes the AF_ALG AEAD interface to be consistent with the in-kernel AEAD cipher requirements. Due to this handling, he changes are transparent to user space with one exception: the return code of recv indicates the mount of output buffer. That output buffer has a different size compared to before the patch which implies that the return code of recv will also be different. For example, a decryption operation uses 16 bytes AAD, 16 bytes CT and 16 bytes tag, the AF_ALG AEAD interface before showed a recv return code of 48 (bytes) whereas after this patch, the return code is 32 since the tag is not returned any more. Reported-by: Mat Martineau Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu crypto/algif_aead.c | 57 +++++++++++++++++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 21 deletions(-) kernel signature: a7e3d40cdb8d643be886409d28f5f1bd9822b1e1 previous signature: 9464dcfe1cb081edac9a157478e5391560cce544 revisions tested: 29, total time: 5h59m33.390050776s (build: 2h13m19.661599684s, test: 3h38m16.450532238s) first bad commit: 0c1e16cd1ec41987cc6671a2bff46ac958c41eb5 crypto: algif_aead - fix AEAD tag memory handling cc: ["davem@davemloft.net" "herbert@gondor.apana.org.au" "linux-crypto@vger.kernel.org" "linux-kernel@vger.kernel.org" "smueller@chronox.de"] crash: KASAN: slab-out-of-bounds Read in aead_recvmsg IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready 8021q: adding VLAN 0 to HW filter on device team0 kobject: 'loop4' (ffff88012496e260): kobject_uevent_env kobject: 'loop4' (ffff88012496e260): fill_kobj_path: path = '/devices/virtual/block/loop4' ================================================================== BUG: KASAN: slab-out-of-bounds in crypto_aead_alg include/crypto/aead.h:198 [inline] at addr ffff88011721a820 BUG: KASAN: slab-out-of-bounds in crypto_aead_decrypt include/crypto/aead.h:362 [inline] at addr ffff88011721a820 BUG: KASAN: slab-out-of-bounds in aead_recvmsg_sync crypto/algif_aead.c:655 [inline] at addr ffff88011721a820 BUG: KASAN: slab-out-of-bounds in aead_recvmsg+0x19fa/0x2030 crypto/algif_aead.c:689 at addr ffff88011721a820 Read of size 8 by task syz-executor.4/6237 CPU: 1 PID: 6237 Comm: syz-executor.4 Not tainted 4.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801172178c0 ffffffff82ab8566 ffff88012bc00900 ffff88011721a840 ffff88011721b840 0000000000000010 ffff8801172178e8 ffffffff8177404c ffff880117217978 ffff88011721a820 ffff880117217b10 ffff880117217968 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1b0/0x480 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324 [] crypto_aead_alg include/crypto/aead.h:198 [inline] [] crypto_aead_decrypt include/crypto/aead.h:362 [inline] [] aead_recvmsg_sync crypto/algif_aead.c:655 [inline] [] aead_recvmsg+0x19fa/0x2030 crypto/algif_aead.c:689 [] sock_recvmsg_nosec net/socket.c:708 [inline] [] sock_recvmsg+0xc2/0x100 net/socket.c:715 [] sock_read_iter+0x20e/0x3a0 net/socket.c:792 [] do_iter_readv_writev+0x297/0x630 fs/read_write.c:695 [] do_readv_writev+0x399/0x660 fs/read_write.c:872 [] vfs_readv+0x67/0xa0 fs/read_write.c:898 [] do_readv+0xd8/0x270 fs/read_write.c:924 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0xb/0x10 fs/read_write.c:1008 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff88011721a840, in cache kmalloc-4096 size: 4096 Allocated: PID = 6237 [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:479 [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:582 [] __do_kmalloc mm/slab.c:3725 [inline] [] __kmalloc+0x189/0x760 mm/slab.c:3734 [] kmalloc include/linux/slab.h:495 [inline] [] sock_kmalloc+0x6d/0xb0 net/core/sock.c:1779 [] aead_accept_parent+0xb8/0x530 crypto/algif_aead.c:776 [] af_alg_accept+0x1f0/0x780 crypto/af_alg.c:293 [] alg_accept+0x30/0x50 crypto/af_alg.c:328 [] SYSC_accept4+0x2fb/0x5b0 net/socket.c:1465 [] SyS_accept4 net/socket.c:1415 [inline] [] SYSC_accept net/socket.c:1499 [inline] [] SyS_accept+0xb/0x10 net/socket.c:1496 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 0 (stack is not available) Memory state around the buggy address: ffff88011721a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88011721a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88011721a800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ^ ffff88011721a880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88011721a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== ------------[ cut here ]------------ kernel BUG at ./include/linux/scatterlist.h:189! invalid opcode: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 1 PID: 6237 Comm: syz-executor.4 Tainted: G B 4.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff88011720e200 task.stack: ffff880117210000 RIP: 0010:[] [] sg_mark_end include/linux/scatterlist.h:189 [inline] RIP: 0010:[] [] aead_recvmsg_sync crypto/algif_aead.c:650 [inline] RIP: 0010:[] [] aead_recvmsg+0x181f/0x2030 crypto/algif_aead.c:689 RSP: 0018:ffff8801172179b0 EFLAGS: 00010202 RAX: 0000000087654321 RBX: ffff88011721a820 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffffffff88788ba0 RBP: ffff880117217a80 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000010 R11: 0000000000000000 R12: ffff88011721a848 R13: ffff880117217b10 R14: 0000000000000010 R15: ffff88011721a840 FS: 00007f1e45ff1700(0000) GS:ffff88012c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200002c0 CR3: 000000011c257000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff88011720ea08 ffff88011720ea10 ffffffff881bf290 c52260d8680cb1aa 0000000041b58ab3 ffffffff868e3ed8 ffffffff81452520 ffff88011721ae86 ffff88011721ae88 ffff88011721aeb0 0000000000000000 ffff88011721ae10 Call Trace: [] sock_recvmsg_nosec net/socket.c:708 [inline] [] sock_recvmsg+0xc2/0x100 net/socket.c:715 [] sock_read_iter+0x20e/0x3a0 net/socket.c:792 [] do_iter_readv_writev+0x297/0x630 fs/read_write.c:695 [] do_readv_writev+0x399/0x660 fs/read_write.c:872 [] vfs_readv+0x67/0xa0 fs/read_write.c:898 [] do_readv+0xd8/0x270 fs/read_write.c:924 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0xb/0x10 fs/read_write.c:1008 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Code: ff ff 41 89 c7 e9 f1 fc ff ff 49 8d 87 c8 05 00 00 41 bd ea ff ff ff 48 89 45 c8 49 8d 87 d0 05 00 00 48 89 45 88 e9 e6 f5 ff ff <0f> 0b 48 8b 95 48 ff ff ff 48 b8 00 00 00 00 00 fc ff df 48 c1 RIP [] aead_recvmsg_sync crypto/algif_aead.c:646 [inline] RIP [] aead_recvmsg+0x181f/0x2030 crypto/algif_aead.c:689 RSP ---[ end trace 30769b9a3cf6895b ]---