bisecting cause commit starting from 2015a28f2cd57fc46ad14d1a763ca658d82ebc68 building syzkaller on cb93629971b93f04dfa44e2ef3a517a36ba32a8e testing commit 2015a28f2cd57fc46ad14d1a763ca658d82ebc68 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_prog_create testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 2015a28f2cd57fc46ad14d1a763ca658d82ebc68 v5.2 Bisecting: 14378 revisions left to test after this (roughly 14 steps) [33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9 Bisecting: 6619 revisions left to test after this (roughly 13 steps) [204034c5e4648cf4e5899c5b1d539dd7f47bf1dc] Merge remote-tracking branch 'net-next/master' testing commit 204034c5e4648cf4e5899c5b1d539dd7f47bf1dc with gcc (GCC) 8.1.0 all runs: OK # git bisect good 204034c5e4648cf4e5899c5b1d539dd7f47bf1dc Bisecting: 3314 revisions left to test after this (roughly 12 steps) [1a0fd49c7b3c28ad6f9dc9b72687cdd62b6d4591] Merge remote-tracking branch 'iommu/next' testing commit 1a0fd49c7b3c28ad6f9dc9b72687cdd62b6d4591 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 1a0fd49c7b3c28ad6f9dc9b72687cdd62b6d4591 Bisecting: 1602 revisions left to test after this (roughly 11 steps) [a58feb6446edc6c8693a5a623fb37cea062d327f] Merge commit 'ec13c78d7b45' (char-misc/char-misc-next from previous -next) testing commit a58feb6446edc6c8693a5a623fb37cea062d327f with gcc (GCC) 8.1.0 all runs: OK # git bisect good a58feb6446edc6c8693a5a623fb37cea062d327f Bisecting: 780 revisions left to test after this (roughly 10 steps) [eaad93459898fc6cd012dbf7180e7cbbc8bac3ce] Merge remote-tracking branch 'scsi/for-next' testing commit eaad93459898fc6cd012dbf7180e7cbbc8bac3ce with gcc (GCC) 8.1.0 all runs: OK # git bisect good eaad93459898fc6cd012dbf7180e7cbbc8bac3ce Bisecting: 368 revisions left to test after this (roughly 9 steps) [76cac67fb0713142154d02c6c36c6336f258b99a] Merge remote-tracking branch 'rtc/rtc-next' testing commit 76cac67fb0713142154d02c6c36c6336f258b99a with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_prog_create # git bisect bad 76cac67fb0713142154d02c6c36c6336f258b99a Bisecting: 190 revisions left to test after this (roughly 8 steps) [70be3be17567ae5856a266113a1f05eac01aa4a7] Merge remote-tracking branch 'pinctrl/for-next' testing commit 70be3be17567ae5856a266113a1f05eac01aa4a7 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 70be3be17567ae5856a266113a1f05eac01aa4a7 Bisecting: 90 revisions left to test after this (roughly 7 steps) [9337b494e613ff91f0154e606984307895c2cf65] Merge remote-tracking branch 'y2038/y2038' testing commit 9337b494e613ff91f0154e606984307895c2cf65 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_prog_create # git bisect bad 9337b494e613ff91f0154e606984307895c2cf65 Bisecting: 55 revisions left to test after this (roughly 6 steps) [846e9b1099139020c60ce64ffe40d488ff73f0b9] scsi: sd: enable compat ioctls for sed-opal testing commit 846e9b1099139020c60ce64ffe40d488ff73f0b9 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_prog_create # git bisect bad 846e9b1099139020c60ce64ffe40d488ff73f0b9 Bisecting: 21 revisions left to test after this (roughly 5 steps) [884b02a348eb0655be017344f058e1eec9a94088] compat_ioctl: remove IGNORE_IOCTL() testing commit 884b02a348eb0655be017344f058e1eec9a94088 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 884b02a348eb0655be017344f058e1eec9a94088 Bisecting: 10 revisions left to test after this (roughly 4 steps) [4f45155c29fdeb84f82abd1de27222393ea8a421] compat_ioctl: reimplement SG_IO handling testing commit 4f45155c29fdeb84f82abd1de27222393ea8a421 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4f45155c29fdeb84f82abd1de27222393ea8a421 Bisecting: 5 revisions left to test after this (roughly 3 steps) [2f4fa2db75e26995709043c8d3de4632ebed5c4b] compat_ioctl: unify copy-in of ppp filters testing commit 2f4fa2db75e26995709043c8d3de4632ebed5c4b with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_prog_create # git bisect bad 2f4fa2db75e26995709043c8d3de4632ebed5c4b Bisecting: 2 revisions left to test after this (roughly 1 step) [41a31dde55ac4f20d1c5f9743308cf9be964b260] compat_ioctl: handle SIOCOUTQNSD testing commit 41a31dde55ac4f20d1c5f9743308cf9be964b260 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 41a31dde55ac4f20d1c5f9743308cf9be964b260 Bisecting: 0 revisions left to test after this (roughly 1 step) [18213ccaad760eb5d1eed1b0cc45f36ff447ef0d] tty: handle compat PPP ioctls testing commit 18213ccaad760eb5d1eed1b0cc45f36ff447ef0d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 18213ccaad760eb5d1eed1b0cc45f36ff447ef0d 2f4fa2db75e26995709043c8d3de4632ebed5c4b is the first bad commit commit 2f4fa2db75e26995709043c8d3de4632ebed5c4b Author: Al Viro Date: Wed Apr 17 23:48:01 2019 -0400 compat_ioctl: unify copy-in of ppp filters Now that isdn4linux is gone, the is only one implementation of PPPIOCSPASS and PPPIOCSACTIVE in ppp_generic.c, so this is where the compat_ioctl support should be implemented. The two commands are implemented in very similar ways, so introduce new helpers to allow sharing between the two and between native and compat mode. Signed-off-by: Al Viro [arnd: rebased, and added changelog text] Signed-off-by: Arnd Bergmann :040000 040000 ba949fc7a4e16834c1d1b7ddfd0a4908ee364fd9 f4ec319dd6c2cf31cf35e146cfcd5203c1a703b2 M drivers :040000 040000 651b460a1259ab196ece4161f11a9b04fee52609 56e021d5c3b1884ee7a32ee71b3093bbf3e3043e M fs revisions tested: 16, total time: 3h47m7.804404455s (build: 1h29m24.044386509s, test: 2h11m56.51909472s) first bad commit: 2f4fa2db75e26995709043c8d3de4632ebed5c4b compat_ioctl: unify copy-in of ppp filters cc: ["arnd@arndb.de" "ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "kafai@fb.com" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "linux-ppp@vger.kernel.org" "netdev@vger.kernel.org" "paulus@samba.org" "songliubraving@fb.com" "viro@zeniv.linux.org.uk" "yhs@fb.com"] crash: KASAN: slab-out-of-bounds Read in bpf_prog_create ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:359 [inline] BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0xca/0x1f0 net/core/filter.c:1351 Read of size 32768 at addr ffff88809403e1c0 by task syz-executor.2/8864 CPU: 0 PID: 8864 Comm: syz-executor.2 Not tainted 5.3.0-rc6+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x318 mm/kasan/report.c:351 __kasan_report.cold.9+0x1b/0x3f mm/kasan/report.c:482 kasan_report+0x12/0x17 mm/kasan/common.c:618 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192 memcpy+0x23/0x50 mm/kasan/common.c:122 memcpy include/linux/string.h:359 [inline] bpf_prog_create+0xca/0x1f0 net/core/filter.c:1351 get_filter.isra.26+0xfd/0x140 drivers/net/ppp/ppp_generic.c:572 ppp_get_filter drivers/net/ppp/ppp_generic.c:584 [inline] ppp_ioctl+0x11db/0x2811 drivers/net/ppp/ppp_generic.c:787 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:539 [inline] do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:726 ksys_ioctl+0x62/0x90 fs/ioctl.c:743 __do_sys_ioctl fs/ioctl.c:750 [inline] __se_sys_ioctl fs/ioctl.c:748 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:748 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4598e9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f7571313c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9 RDX: 00000000200000c0 RSI: 0000000040107447 RDI: 0000000000000003 RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f75713146d4 R13: 00000000004c3579 R14: 00000000004d6e40 R15: 00000000ffffffff Allocated by task 8864: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:493 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc_track_caller+0x160/0x780 mm/slab.c:3670 memdup_user+0x27/0x80 mm/util.c:165 get_filter.isra.26+0xab/0x140 drivers/net/ppp/ppp_generic.c:568 ppp_get_filter drivers/net/ppp/ppp_generic.c:584 [inline] ppp_ioctl+0x11db/0x2811 drivers/net/ppp/ppp_generic.c:787 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:539 [inline] do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:726 ksys_ioctl+0x62/0x90 fs/ioctl.c:743 __do_sys_ioctl fs/ioctl.c:750 [inline] __se_sys_ioctl fs/ioctl.c:748 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:748 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8470: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463 __cache_free mm/slab.c:3425 [inline] kfree+0x108/0x2c0 mm/slab.c:3756 tomoyo_realpath_from_path+0x173/0x7a0 security/tomoyo/realpath.c:319 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x203/0x380 security/tomoyo/file.c:822 tomoyo_inode_getattr+0x13/0x20 security/tomoyo/tomoyo.c:129 security_inode_getattr+0xb0/0x100 security/security.c:1182 vfs_getattr+0x1c/0x40 fs/stat.c:115 vfs_statx_fd+0x45/0x90 fs/stat.c:145 vfs_fstat include/linux/fs.h:3211 [inline] __do_sys_newfstat+0x79/0xd0 fs/stat.c:378 __se_sys_newfstat fs/stat.c:375 [inline] __x64_sys_newfstat+0x4f/0x70 fs/stat.c:375 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88809403e1c0 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [ffff88809403e1c0, ffff88809403f1c0) The buggy address belongs to the page: page:ffffea0002500f80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea00024fec08 ffffea00024f9088 ffff8880aa402000 raw: 0000000000000000 ffff88809403e1c0 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809403f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88809403f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88809403f180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff88809403f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88809403f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================