Subject: Re: PROBLEM: syzkaller found / pool corruption-overwrite / page in user-area or NULL
From: James Bottomley
To: Esme, "dgilbert@interlog.com", "martin.petersen@oracle.com", "linux-scsi@vger.kernel.org", "linux-kernel@vger.kernel.org", linux-mm@kvack.org
Cc: "security@kernel.org"
Date: Thu, 10 Jan 2019 11:58:59 -0800
Message-Id: <1547150339.2814.9.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2019-01-10 at 19:12 +0000, Esme wrote:
> Sorry for the resend; some mail servers rejected the MIME type.
>
> Hi, I've been getting more into kernel stuff lately and forged ahead
> with some syzkaller bug finding. I played with reducing it further,
> as you can see from the attached C code, but am moving on and hope to
> get better about this process moving forward as I'm still building
> out my test systems/debugging tools.
>
> Attached is the report and C repro that still triggers on a fresh git
> pull as of a few minutes ago; if you need anything else, please let me
> know.
> Esme
>
> Linux syzkaller 5.0.0-rc1+ #5 SMP Tue Jan 8 20:39:33 EST 2019 x86_64
> GNU/Linux

I'm not sure I'm reading this right, but it seems that a simple
allocation inside block/scsi_ioctl.h

	buffer = kzalloc(bytes, q->bounce_gfp | GFP_USER | __GFP_NOWARN);

(where bytes is < 4k) caused a slub padding check failure on free.
From the internal details, the freeing entity seems to be KASAN as part
of its quarantine reduction (albeit triggered by this kzalloc). I'm not
remotely familiar with what KASAN is doing, but it seems the memory
corruption problem is somewhere within the KASAN tracking? I added
linux-mm in case they can confirm this diagnosis or give me a pointer to
what might be wrong in scsi.

James
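The following is an added user-space illustration of the mechanism James is describing; it is not kernel code and not part of this thread. It models two things: SLUB's debug red zone (the bytes after each object that SLUB fills with SLUB_RED_ACTIVE, 0xcc, and verifies when the object is freed), and a deferred free in the style of KASAN's quarantine, where the object is parked and the check only runs when the quarantine is drained. Together they show why an overrun past a kzalloc()'d object is reported at the point where the object is finally released rather than at the write, and why the reporting entity can be KASAN rather than the caller. The bytes/copied scenario, the struct names and the quarantine size are constructed for the example and are not the bug behind this report.

```c
/* Added illustration (not kernel code): a user-space model of SLUB red-zone
 * checking on free, with a deferred free that mimics KASAN's quarantine. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE_BYTES 8
#define REDZONE_MAGIC 0xcc   /* SLUB_RED_ACTIVE: red-zone fill for a live object */

/* Model of one slab object: 'size' payload bytes followed by a red zone. */
struct slab_obj {
    size_t size;
    unsigned char *mem;      /* size + REDZONE_BYTES bytes */
};

/* Model of kzalloc(): zeroed payload, red zone filled with the magic byte. */
static struct slab_obj *model_kzalloc(size_t size) {
    struct slab_obj *o = malloc(sizeof *o);
    o->size = size;
    o->mem = malloc(size + REDZONE_BYTES);
    memset(o->mem, 0, size);
    memset(o->mem + size, REDZONE_MAGIC, REDZONE_BYTES);
    return o;
}

/* The check SLUB performs when an object is released: is the red zone intact?
 * Returns how many red-zone bytes were overwritten (0 = clean). */
static int redzone_damage(const struct slab_obj *o) {
    int bad = 0;
    for (size_t i = 0; i < REDZONE_BYTES; i++)
        if (o->mem[o->size + i] != REDZONE_MAGIC)
            bad++;
    return bad;
}

/* Deferred free, as KASAN's quarantine does: kfree() only parks the object;
 * the red-zone check happens later, when the quarantine is drained. */
#define QUARANTINE_SLOTS 4   /* constructed size, just enough for the example */
static struct slab_obj *quarantine[QUARANTINE_SLOTS];
static int quarantine_len;

static void model_kfree(struct slab_obj *o) {
    if (quarantine_len < QUARANTINE_SLOTS)
        quarantine[quarantine_len++] = o;
}

/* Drain the quarantine, running the red-zone check on each parked object.
 * Returns the number of objects whose red zone was found corrupted. */
static int quarantine_drain(void) {
    int corrupted = 0;
    for (int i = 0; i < quarantine_len; i++) {
        int bad = redzone_damage(quarantine[i]);
        if (bad) {
            corrupted++;
            fprintf(stderr, "red zone overwritten: %d of %d bytes past a %zu-byte object\n",
                    bad, REDZONE_BYTES, quarantine[i]->size);
        }
        free(quarantine[i]->mem);
        free(quarantine[i]);
    }
    quarantine_len = 0;
    return corrupted;
}

/* Constructed scenario: allocate 'bytes', copy 'copied' bytes into it, free it,
 * then drain. An overrun (copied > bytes) is only noticed at the drain.
 * The model holds just the red zone, so larger overruns are clipped to it;
 * a real slab overrun would spill on into the neighbouring object. */
int scenario(size_t bytes, size_t copied) {
    if (copied > bytes + REDZONE_BYTES)
        copied = bytes + REDZONE_BYTES;
    struct slab_obj *buffer = model_kzalloc(bytes);
    unsigned char src[4096];
    memset(src, 0x41, sizeof src);
    memcpy(buffer->mem, src, copied);  /* the write itself raises no error */
    model_kfree(buffer);               /* nothing is reported here either */
    return quarantine_drain();         /* the report fires here, later */
}

int main(void) {
    printf("clean:   %d corrupted\n", scenario(512, 512));
    printf("overrun: %d corrupted\n", scenario(512, 520));
    return 0;
}
```

The point of the deferred free is the one James is puzzling over: by the time the red-zone check runs, the caller that did the overrun has long since returned, so the backtrace in the report shows whoever drained the quarantine, not the code that corrupted the object.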