bisecting cause commit starting from b94ae8ad9fe79da61231999f347f79645b909bda
building syzkaller on f879db37f90dcefb681897d2e486c11d8298cb72
testing commit b94ae8ad9fe79da61231999f347f79645b909bda with gcc (GCC) 8.1.0
kernel signature: 7a2878e0ed44b655eb370a0b79c967d0f281bdc8
all runs: crashed: KASAN: slab-out-of-bounds Write in pipe_write
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: b825048a3d434acd93587d044f404ed51266bba4
all runs: OK
# git bisect start b94ae8ad9fe79da61231999f347f79645b909bda 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 4915 revisions left to test after this (roughly 12 steps)
[361b0d286afea0d867537536977a695b5557d133] Merge tag 'devprop-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 361b0d286afea0d867537536977a695b5557d133 with gcc (GCC) 8.1.0
kernel signature: 0c607338ddf2e7b37e29e4c524264d7af270e0bf
all runs: OK
# git bisect good 361b0d286afea0d867537536977a695b5557d133
Bisecting: 2468 revisions left to test after this (roughly 11 steps)
[8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0
kernel signature: 0c2f10153a095225d133e5a951d26e7a7ccfd5d1
all runs: OK
# git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820
Bisecting: 1215 revisions left to test after this (roughly 10 steps)
[60845e34f0c5c19a9e86af477b429993952f585b] Merge tag 'drm-next-5.5-2019-10-25' of git://people.freedesktop.org/~agd5f/linux into drm-next
testing commit 60845e34f0c5c19a9e86af477b429993952f585b with gcc (GCC) 8.1.0
kernel signature: 3f3776159bd5d7db2d3e8fac5372a2c508b24a55
all runs: OK
# git bisect good 60845e34f0c5c19a9e86af477b429993952f585b
Bisecting: 607 revisions left to test after this (roughly 9 steps)
[17eee668b3cad423a47c090fe2275733c55db910] Merge tag 'drm-misc-next-fixes-2019-11-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-next
testing commit 17eee668b3cad423a47c090fe2275733c55db910 with gcc (GCC) 8.1.0
kernel signature: 78442ad2ac9197240e2d708d508cf469180cc951
all runs: OK
# git bisect good 17eee668b3cad423a47c090fe2275733c55db910
Bisecting: 292 revisions left to test after this (roughly 8 steps)
[21b26d2679584c6a60e861aa3e5ca09a6bab0633] Merge tag '5.5-rc-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6
testing commit 21b26d2679584c6a60e861aa3e5ca09a6bab0633 with gcc (GCC) 8.1.0
kernel signature: 90a97ebfbad8809a17e0ef48b3389221c27422de
all runs: OK
# git bisect good 21b26d2679584c6a60e861aa3e5ca09a6bab0633
Bisecting: 146 revisions left to test after this (roughly 7 steps)
[c9029ef9c95765e7b63c4d9aa780674447db1ec0] powerpc: Avoid clang warnings around setjmp and longjmp
testing commit c9029ef9c95765e7b63c4d9aa780674447db1ec0 with gcc (GCC) 8.1.0
kernel signature: 052d1700cb7eb71b6ec59e022dda1445b8fea7bc
all runs: OK
# git bisect good c9029ef9c95765e7b63c4d9aa780674447db1ec0
Bisecting: 85 revisions left to test after this (roughly 6 steps)
[2309d0768237476c3144aa296264ad9e19598461] Merge tag 'nds32-for-linus-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/greentime/linux
testing commit 2309d0768237476c3144aa296264ad9e19598461 with gcc (GCC) 8.1.0
kernel signature: ed552bb51eeeb7896a8370d602b509e96e826e69
all runs: crashed: KASAN: slab-out-of-bounds Write in pipe_write
# git bisect bad 2309d0768237476c3144aa296264ad9e19598461
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[545886fead7abfdbeb46d3ac62256e1db72739a3] ext2: code cleanup for descriptor_loc()
testing commit 545886fead7abfdbeb46d3ac62256e1db72739a3 with gcc (GCC) 8.1.0
kernel signature: 5188c429ad38e0450eec2fc6ca4d4cde94020b6b
all runs: OK
# git bisect good 545886fead7abfdbeb46d3ac62256e1db72739a3
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[32ef9553635ab1236c33951a8bd9b5af1c3b1646] Merge tag 'fsnotify_for_v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
testing commit 32ef9553635ab1236c33951a8bd9b5af1c3b1646 with gcc (GCC) 8.1.0
kernel signature: dedd87239b1ca46ff3b8502627104c42a0b8ec10
all runs: OK
# git bisect good 32ef9553635ab1236c33951a8bd9b5af1c3b1646
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[7e25a73f1a52b58fc8206557e40d990cd791ad25] pipe: Remove redundant wakeup from pipe_write()
testing commit 7e25a73f1a52b58fc8206557e40d990cd791ad25 with gcc (GCC) 8.1.0
kernel signature: c7b79db0d66f2e5e7f2a324da1fa9e18af92ab0b
all runs: basic kernel testing failed: timed out
# git bisect skip 7e25a73f1a52b58fc8206557e40d990cd791ad25
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[b6378caf829e9e3b4d61c0901f4d6c1e6819716f] nds32: Move static keyword to the front of declaration
testing commit b6378caf829e9e3b4d61c0901f4d6c1e6819716f with gcc (GCC) 8.1.0
kernel signature: 2296ac90685eb8c152004f1924bc03b083ada353
all runs: OK
# git bisect good b6378caf829e9e3b4d61c0901f4d6c1e6819716f
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[8446487feba988a92e7649c60367510f0b0445a8] pipe: Conditionalise wakeup in pipe_read()
testing commit 8446487feba988a92e7649c60367510f0b0445a8 with gcc (GCC) 8.1.0
kernel signature: 81741511ce199a8b0ddb0eab6ce7955373897a93
all runs: OK
# git bisect good 8446487feba988a92e7649c60367510f0b0445a8
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[cefa80ced57a29179313da7ab3cbb26afb040b6f] pipe: Increase the writer-wakeup threshold to reduce context-switch count
testing commit cefa80ced57a29179313da7ab3cbb26afb040b6f with gcc (GCC) 8.1.0
kernel signature: a5532c8be275dee49064661d72f0b1867ab76131
all runs: crashed: KASAN: slab-out-of-bounds Write in pipe_write
# git bisect bad cefa80ced57a29179313da7ab3cbb26afb040b6f
Bisecting: 1 revision left to test after this (roughly 1 step)
[8df441294dd34fb0b16b45f550f55e96db6af4dc] pipe: Check for ring full inside of the spinlock in pipe_write()
testing commit 8df441294dd34fb0b16b45f550f55e96db6af4dc with gcc (GCC) 8.1.0
kernel signature: d74ff1abbd2dbe464d12d71744b53dc576424bee
all runs: crashed: KASAN: slab-out-of-bounds Write in pipe_write
# git bisect bad 8df441294dd34fb0b16b45f550f55e96db6af4dc
Bisecting: 0 revisions left to test after this (roughly 1 step)
[a194dfe6e6f6f7205eea850a420f2bc6a1541209] pipe: Rearrange sequence in pipe_write() to preallocate slot
testing commit a194dfe6e6f6f7205eea850a420f2bc6a1541209 with gcc (GCC) 8.1.0
kernel signature: 9cf9976fa8a9a5174842a5ef539fc3c69a6f7ef9
all runs: crashed: KASAN: slab-out-of-bounds Write in pipe_write
# git bisect bad a194dfe6e6f6f7205eea850a420f2bc6a1541209
a194dfe6e6f6f7205eea850a420f2bc6a1541209 is the first bad commit
commit a194dfe6e6f6f7205eea850a420f2bc6a1541209
Author: David Howells <dhowells@redhat.com>
Date:   Fri Sep 20 16:32:19 2019 +0100

    pipe: Rearrange sequence in pipe_write() to preallocate slot
    
    Rearrange the sequence in pipe_write() so that the allocation of the new
    buffer, the allocation of a ring slot and the attachment to the ring is
    done under the pipe wait spinlock and then the lock is dropped and the
    buffer can be filled.
    
    The data copy needs to be done with the spinlock unheld and irqs enabled,
    so the lock needs to be dropped first.  However, the reader can't progress
    as we're holding pipe->mutex.
    
    We also need to drop the lock as that would impact others looking at the
    pipe waitqueue, such as poll(), the consumer and a future kernel message
    writer.
    
    We just abandon the preallocated slot if we get a copy error.  Future
    writes may continue it and a future read will eventually recycle it.
    
    Signed-off-by: David Howells <dhowells@redhat.com>

 fs/pipe.c | 51 +++++++++++++++++++++++++++++++++------------------
 1 file changed, 33 insertions(+), 18 deletions(-)
kernel signature:   9cf9976fa8a9a5174842a5ef539fc3c69a6f7ef9
previous signature: 81741511ce199a8b0ddb0eab6ce7955373897a93
revisions tested: 17, total time: 4h24m39.984869313s (build: 1h52m4.928205517s, test: 2h27m6.990568678s)
first bad commit: a194dfe6e6f6f7205eea850a420f2bc6a1541209 pipe: Rearrange sequence in pipe_write() to preallocate slot
cc: ["dhowells@redhat.com" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"]
crash: KASAN: slab-out-of-bounds Write in pipe_write
==================================================================
BUG: KASAN: slab-out-of-bounds in pipe_write+0xc25/0xe10 fs/pipe.c:481
Write of size 8 at addr ffff8880771167a8 by task syz-executor.3/7987

CPU: 1 PID: 7987 Comm: syz-executor.3 Not tainted 5.4.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:634
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137
 pipe_write+0xc25/0xe10 fs/pipe.c:481
 call_write_iter include/linux/fs.h:1895 [inline]
 new_sync_write+0x3fd/0x7e0 fs/read_write.c:483
 __vfs_write+0x94/0x110 fs/read_write.c:496
 vfs_write+0x18a/0x520 fs/read_write.c:558
 ksys_write+0x105/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:620
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a679
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f494e010c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
RDX: 00000000fffffef3 RSI: 00000000200001c0 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f494e0116d4
R13: 00000000004c7830 R14: 00000000004e44b0 R15: 00000000ffffffff

Allocated by task 7989:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.13+0xc7/0xd0 mm/kasan/common.c:510
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x164/0x790 mm/slab.c:3664
 kmalloc_array include/linux/slab.h:614 [inline]
 kcalloc include/linux/slab.h:625 [inline]
 pipe_set_size fs/pipe.c:1139 [inline]
 pipe_fcntl+0x30c/0x7b0 fs/pipe.c:1205
 do_fcntl+0x177/0xff0 fs/fcntl.c:417
 __do_sys_fcntl fs/fcntl.c:463 [inline]
 __se_sys_fcntl fs/fcntl.c:448 [inline]
 __x64_sys_fcntl+0x11f/0x170 fs/fcntl.c:448
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888077116780
 which belongs to the cache kmalloc-64(17:syz3) of size 64
The buggy address is located 40 bytes inside of
 64-byte region [ffff888077116780, ffff8880771167c0)
The buggy address belongs to the page:
page:ffffea0001dc4580 refcount:1 mapcount:0 mapping:ffff88809b9e2540 index:0xffff888077116f80
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffff8880a5cd2a38 ffff8880a5cd2a38 ffff88809b9e2540
raw: ffff888077116f80 ffff888077116000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888077116680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888077116700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888077116780: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff888077116800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888077116880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================