ci starts bisection 2022-12-28 17:17:04.313640247 +0000 UTC m=+88574.856345813
bisecting fixing commit since 8379c0b31fbc5d20946f617f8e2fe4791e6f58c1
building syzkaller on 071779164d7640bc97cdb04864e59dbb91db6469
ensuring issue is reproducible on original commit 8379c0b31fbc5d20946f617f8e2fe4791e6f58c1

testing commit 8379c0b31fbc5d20946f617f8e2fe4791e6f58c1 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8fafcd81c2d4d1a16f6da38d704907d6ca4a1e361119c2d4b48b0b7c67527093
all runs: crashed: KASAN: slab-out-of-bounds Read in __fscache_acquire_volume
testing current HEAD 1b929c02afd37871d5afb9d498426f83432e71c2
testing commit 1b929c02afd37871d5afb9d498426f83432e71c2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ebbf5fcd47ebc137145cd779f33d0e9768785fcc2546c4bff3455e24f9177de3
all runs: OK
# git bisect start 1b929c02afd37871d5afb9d498426f83432e71c2 8379c0b31fbc5d20946f617f8e2fe4791e6f58c1

Bisecting: 15576 revisions left to test after this (roughly 14 steps)
[0cb9ed57d5ad2e25b45ed5c3afbac6e875ac1754] Merge branch 'mlxsw-add-802-1x-and-mab-offload-support'
testing commit 0cb9ed57d5ad2e25b45ed5c3afbac6e875ac1754 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 22131bbdea33621202702b5a323eacf8e7e7b188866ac8d81acb73e9932a53ec
run #0: basic kernel testing failed: WARNING in devl_port_unregister
run #1: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.10.29:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.10.29 port 22: Connection timed out
lost connection
run #2: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.0.14:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.0.14 port 22: Connection timed out
lost connection
run #3: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.0.198:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.0.198 port 22: Connection timed out
lost connection
run #4: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.0.43:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.0.43 port 22: Connection timed out
lost connection
run #5: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.10.51:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.10.51 port 22: Connection timed out
lost connection
run #6: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.10.15:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.10.15 port 22: Connection timed out
lost connection
run #7: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.15.192:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.15.192 port 22: Connection timed out
lost connection
run #8: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.15.198:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.15.198 port 22: Connection timed out
lost connection
run #9: basic kernel testing failed: failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "root@10.128.10.34:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.10.34 port 22: Connection timed out
lost connection
# git bisect skip 0cb9ed57d5ad2e25b45ed5c3afbac6e875ac1754

Bisecting: 15576 revisions left to test after this (roughly 14 steps)
[c1a731c71359407eae4fd0a5fd675ef25a582764] ASoC: SOF: compress: Add support for computing timestamps
testing commit c1a731c71359407eae4fd0a5fd675ef25a582764 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 608fe858e430000da7e904c5f762da7acddc74fbd5f69c4cd8a11dc2ca781749
run #0: boot failed: general protection fault in driver_register
run #1: boot failed: general protection fault in netdev_queue_update_kobjects
run #2: boot failed: general protection fault in rcu_core
run #3: boot failed: general protection fault in netdev_queue_update_kobjects
run #4: boot failed: BUG: unable to handle kernel paging request in copy_namespaces
run #5: boot failed: WARNING in corrupted
run #6: boot failed: general protection fault in copy_process
run #7: boot failed: general protection fault in netdev_queue_update_kobjects
run #8: boot failed: general protection fault in netdev_queue_update_kobjects
run #9: boot failed: general protection fault in netdev_queue_update_kobjects
# git bisect skip c1a731c71359407eae4fd0a5fd675ef25a582764

Bisecting: 15576 revisions left to test after this (roughly 14 steps)
[a0ab9c3160dfafece67ed39f43f35f533eeea428] wifi: mt76: mt7921: add chanctx parameter to mt76_connac_mcu_uni_add_bss signature
testing commit a0ab9c3160dfafece67ed39f43f35f533eeea428 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 70ee4a08505a9868b3b3ed19b91e28a5ebdc08a0c44acbe154aa32c3c0151da0
all runs: crashed: KASAN: slab-out-of-bounds Read in __fscache_acquire_volume
# git bisect good a0ab9c3160dfafece67ed39f43f35f533eeea428

Bisecting: 7191 revisions left to test after this (roughly 13 steps)
[1e4fa020d574768445fca2d9bbfe473ec8bbd224] Merge tag 'mtd/for-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux
testing commit 1e4fa020d574768445fca2d9bbfe473ec8bbd224 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 804354054d8dc93cb068fe651ac8c112eeca34956524af79af249c2ce8a734af
all runs: OK
# git bisect bad 1e4fa020d574768445fca2d9bbfe473ec8bbd224

Bisecting: 3620 revisions left to test after this (roughly 12 steps)
[a7cacfb0688e3988660e90fad7017cc9a18ab390] Merge tag 'docs-6.2' of git://git.lwn.net/linux
testing commit a7cacfb0688e3988660e90fad7017cc9a18ab390 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a4d9aab5f847d76f48510cbd0ab4d45e9bef3488964edf3d58b123de4f857547
all runs: OK
# git bisect bad a7cacfb0688e3988660e90fad7017cc9a18ab390

Bisecting: 1937 revisions left to test after this (roughly 11 steps)
[8e17b16a2c13406c56a4d292df3ca083f8729666] Merge tag 'soc-drivers-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 8e17b16a2c13406c56a4d292df3ca083f8729666 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5a52f8948ebcc8cf4e27e842ee4dd4d17a28c3dc15480954a35c34a5b9b6d36a
all runs: OK
# git bisect bad 8e17b16a2c13406c56a4d292df3ca083f8729666

Bisecting: 825 revisions left to test after this (roughly 10 steps)
[f8bac7f9fdb0017b32157957ffffd490f95faa07] net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
testing commit f8bac7f9fdb0017b32157957ffffd490f95faa07 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a59769ae7ee199759285343bfc46d21246464d7eba8a9d78c7ca74510f466c72
all runs: OK
# git bisect bad f8bac7f9fdb0017b32157957ffffd490f95faa07

Bisecting: 386 revisions left to test after this (roughly 9 steps)
[08ad43d554bacb9769c6a69d5f771f02f5ba411c] Merge tag 'net-6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 08ad43d554bacb9769c6a69d5f771f02f5ba411c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 939a9d0b6a196159ff1df366551a79adcddd68daec5ee828e354cb6803aa611b
all runs: OK
# git bisect bad 08ad43d554bacb9769c6a69d5f771f02f5ba411c

Bisecting: 219 revisions left to test after this (roughly 8 steps)
[b6e7fdfd6f6a8bf88fcdb4a45da52c42ba238c25] Merge tag 'iommu-fixes-v6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
testing commit b6e7fdfd6f6a8bf88fcdb4a45da52c42ba238c25 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c17fd240db9458dd1f8b49a28cc7ef9eafa23a5f1e306c41a0ad2d62629c390b
all runs: crashed: KASAN: slab-out-of-bounds Read in __fscache_acquire_volume
# git bisect good b6e7fdfd6f6a8bf88fcdb4a45da52c42ba238c25

Bisecting: 107 revisions left to test after this (roughly 7 steps)
[cd89db60e22824b82f9458753fa6cb770cca8bde] Merge tag 'soc-fixes-6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit cd89db60e22824b82f9458753fa6cb770cca8bde gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6fde4b55b2636864da5475ee6727cf896a291d6dce75063f72a1a165ad63f451
all runs: OK
# git bisect bad cd89db60e22824b82f9458753fa6cb770cca8bde

Bisecting: 55 revisions left to test after this (roughly 6 steps)
[4312098baf37ee17a8350725e6e0d0e8590252d4] Merge tag 'spi-fix-v6.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
testing commit 4312098baf37ee17a8350725e6e0d0e8590252d4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d233ed798e667521ae227c24fab3268bdb4205075ae62335e5c0579addef2d16
all runs: OK
# git bisect bad 4312098baf37ee17a8350725e6e0d0e8590252d4

Bisecting: 20 revisions left to test after this (roughly 5 steps)
[5239ddeb4872390856bb79655dba85350936681e] Merge tag 'trace-v6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
testing commit 5239ddeb4872390856bb79655dba85350936681e gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 753dcfe9492c8fb8b426135cbad4135908a0ef5132b8f1b0894b1a77224cb7bc
all runs: crashed: KASAN: slab-out-of-bounds Read in __fscache_acquire_volume
# git bisect good 5239ddeb4872390856bb79655dba85350936681e

Bisecting: 10 revisions left to test after this (roughly 3 steps)
[9f0933ac026f7e54fe096797af9de20724e79097] fscache: fix OOB Read in __fscache_acquire_volume
testing commit 9f0933ac026f7e54fe096797af9de20724e79097 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6d0ef9d4d04110d2a2913adbdc4d2a8814b4955e57a3d617e84699c47dd2064f
all runs: OK
# git bisect bad 9f0933ac026f7e54fe096797af9de20724e79097

Bisecting: 4 revisions left to test after this (roughly 2 steps)
[5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb] kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace case
testing commit 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 17580c3b92015b2a1535d6fdc8f7418003cc0c0753655c018650b06328b3afff
all runs: crashed: KASAN: slab-out-of-bounds Read in __fscache_acquire_volume
# git bisect good 5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb

Bisecting: 2 revisions left to test after this (roughly 1 step)
[40adaf51cb318131073d1ba8233d473cc105ecbf] tracing/eprobe: Fix eprobe filter to make a filter correctly
testing commit 40adaf51cb318131073d1ba8233d473cc105ecbf gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c01a3a51b35b14bc3d9ce89dea93bdf164c1d5bb1e0c716d1846c0415b5148ab
all runs: crashed: KASAN: slab-out-of-bounds Read in __fscache_acquire_volume
# git bisect good 40adaf51cb318131073d1ba8233d473cc105ecbf

Bisecting: 1 revision left to test after this (roughly 1 step)
[c6c67bf9bc2714d9c2c2e7ecfbf29d912b8c4f17] Merge tag 'trace-probes-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
testing commit c6c67bf9bc2714d9c2c2e7ecfbf29d912b8c4f17 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 62a604f86575a4090eb16fe3fc110e17b25918ed10dae68d4ae77e2db0990d95
all runs: crashed: KASAN: slab-out-of-bounds Read in __fscache_acquire_volume
# git bisect good c6c67bf9bc2714d9c2c2e7ecfbf29d912b8c4f17

Bisecting: 0 revisions left to test after this (roughly 0 steps)
[eb7081409f94a9a8608593d0fb63a1aa3d6f95d8] Linux 6.1-rc6
testing commit eb7081409f94a9a8608593d0fb63a1aa3d6f95d8 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ea9d8d777691cf8c8e3adf14520ef3a50834c64c2da8e685d5a8523cf1149f32
all runs: crashed: KASAN: slab-out-of-bounds Read in __fscache_acquire_volume
# git bisect good eb7081409f94a9a8608593d0fb63a1aa3d6f95d8

9f0933ac026f7e54fe096797af9de20724e79097 is the first bad commit
commit 9f0933ac026f7e54fe096797af9de20724e79097
Author: David Howells
Date:   Mon Nov 21 16:31:34 2022 +0000

    fscache: fix OOB Read in __fscache_acquire_volume

    The type of a->key[0] is char in fscache_volume_same().  If the length
    of cache volume key is greater than 127, the value of a->key[0] is less
    than 0.  In this case, klen becomes much larger than 255 after type
    conversion, because the type of klen is size_t.  As a result, memcmp()
    is read out of bounds.

    This causes a slab-out-of-bounds Read in __fscache_acquire_volume(), as
    reported by Syzbot.

    Fix this by changing the type of the stored key to "u8 *" rather than
    "char *" (it isn't a simple string anyway).  Also put in a check that
    the volume name doesn't exceed NAME_MAX.

    BUG: KASAN: slab-out-of-bounds in memcmp+0x16f/0x1c0 lib/string.c:757
    Read of size 8 at addr ffff888016f3aa90 by task syz-executor344/3613
    Call Trace:
     memcmp+0x16f/0x1c0 lib/string.c:757
     memcmp include/linux/fortify-string.h:420 [inline]
     fscache_volume_same fs/fscache/volume.c:133 [inline]
     fscache_hash_volume fs/fscache/volume.c:171 [inline]
     __fscache_acquire_volume+0x76c/0x1080 fs/fscache/volume.c:328
     fscache_acquire_volume include/linux/fscache.h:204 [inline]
     v9fs_cache_session_get_cookie+0x143/0x240 fs/9p/cache.c:34
     v9fs_session_init+0x1166/0x1810 fs/9p/v9fs.c:473
     v9fs_mount+0xba/0xc90 fs/9p/vfs_super.c:126
     legacy_get_tree+0x105/0x220 fs/fs_context.c:610
     vfs_get_tree+0x89/0x2f0 fs/super.c:1530
     do_new_mount fs/namespace.c:3040 [inline]
     path_mount+0x1326/0x1e20 fs/namespace.c:3370
     do_mount fs/namespace.c:3383 [inline]
     __do_sys_mount fs/namespace.c:3591 [inline]
     __se_sys_mount fs/namespace.c:3568 [inline]
     __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568

    Fixes: 62ab63352350 ("fscache: Implement volume registration")
    Reported-by: syzbot+a76f6a6e524cf2080aa3@syzkaller.appspotmail.com
    Signed-off-by: David Howells
    Reviewed-by: Zhang Peng
    Reviewed-by: Jingbo Xu
    cc: Dominique Martinet
    cc: Jeff Layton
    cc: v9fs-developer@lists.sourceforge.net
    cc: linux-cachefs@redhat.com
    Link: https://lore.kernel.org/r/Y3OH+Dmi0QIOK18n@codewreck.org/ # Zhang Peng's v1 fix
    Link: https://lore.kernel.org/r/20221115140447.2971680-1-zhangpeng362@huawei.com/ # Zhang Peng's v2 fix
    Link: https://lore.kernel.org/r/166869954095.3793579.8500020902371015443.stgit@warthog.procyon.org.uk/ # v1
    Signed-off-by: Linus Torvalds

 fs/fscache/volume.c     | 7 +++++--
 include/linux/fscache.h | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

culprit signature: 6d0ef9d4d04110d2a2913adbdc4d2a8814b4955e57a3d617e84699c47dd2064f
parent signature: ea9d8d777691cf8c8e3adf14520ef3a50834c64c2da8e685d5a8523cf1149f32
revisions tested: 19, total time: 4h46m54.706639984s (build: 2h25m14.95864168s, test: 2h17m8.785156991s)
first good commit: 9f0933ac026f7e54fe096797af9de20724e79097 fscache: fix OOB Read in __fscache_acquire_volume
recipients (to): ["dhowells@redhat.com" "jefflexu@linux.alibaba.com" "torvalds@linux-foundation.org" "zhangpeng362@huawei.com"]
recipients (cc): []