Message-ID: <1547153074.6911.8.camel@lca.pw>
Subject: Re: PROBLEM: syzkaller found / pool corruption-overwrite / page in user-area or NULL
From: Qian Cai
To: James Bottomley, Esme, dgilbert@interlog.com, martin.petersen@oracle.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Date: Thu, 10 Jan 2019 15:44:34 -0500
In-Reply-To: <1547150339.2814.9.camel@linux.ibm.com>
References: <1547150339.2814.9.camel@linux.ibm.com>

On Thu, 2019-01-10 at 11:58 -0800, James Bottomley wrote:
> On Thu, 2019-01-10 at 19:12 +0000, Esme wrote:
> > Sorry for the resend, some mail servers rejected the mime type.
> >
> > Hi, I've been getting more into Kernel stuff lately and forged ahead
> > with some syzkaller bug finding. I played with reducing it further
> > as you can see from the attached c code but am moving on and hope to
> > get better about this process moving forward as I'm still building
> > out my test systems/debugging tools.
> >
> > Attached is the report and C repro that still triggers on a fresh git
> > pull as of a few minutes ago, if you need anything else please let me
> > know.
> > Esme
> >
> > Linux syzkaller 5.0.0-rc1+ #5 SMP Tue Jan 8 20:39:33 EST 2019 x86_64
> > GNU/Linux
>
> I'm not sure I'm reading this right, but it seems that a simple
> allocation inside block/scsi_ioctl.h
>
> buffer = kzalloc(bytes, q->bounce_gfp | GFP_USER| __GFP_NOWARN);
>
> (where bytes is < 4k) caused a slub padding check failure on free.
> From the internal details, the freeing entity seems to be KASAN as part
> of its quarantine reduction (albeit triggered by this kzalloc). I'm
> not remotely familiar with what KASAN is doing, but it seems the memory
> corruption problem is somewhere within the KASAN tracking?
>
> I added linux-mm in case they can confirm this diagnosis or give me a
> pointer to what might be wrong in scsi.

Well, need your .config and /proc/cmdline then.
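The "slub padding check failure on free" James refers to, modelled in user space as an added example (not code from this thread or from the kernel): SLUB's debug mode fills the slack after each object with POISON_INUSE (0x5a) and re-checks it at kfree() time, so a caller that writes past the end of a small kzalloc() buffer is reported when the object is freed. PAD_BYTES, the dbg_* helpers and simulate_copy_then_free() are assumptions of this model, not kernel interfaces.

```c
/* Added example, not from the mail thread or the kernel: a user-space
 * model of the SLUB padding check that the report trips on free.
 * SLUB (slub_debug=Z/P) poisons the slack after each object and
 * verifies it on kfree(); a changed byte means the object was overrun. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define POISON_INUSE 0x5a   /* the pattern SLUB uses for in-use padding */
#define PAD_BYTES    16     /* padding modelled after each object (assumed) */
struct dbg_obj {
    size_t size;            /* requested object size */
    unsigned char *mem;     /* object followed by PAD_BYTES of poison */
};
/* Model of kzalloc() under slub_debug: zeroed object + poisoned padding. */
static struct dbg_obj dbg_alloc(size_t size)
{
    struct dbg_obj o = { size, calloc(1, size + PAD_BYTES) };
    if (o.mem)
        memset(o.mem + size, POISON_INUSE, PAD_BYTES);
    return o;
}
/* Model of the free-time check: returns the number of padding bytes that
 * no longer hold the poison (0 means the object was not overrun).
 * Releases the memory either way, as kfree() would. */
static size_t dbg_free(struct dbg_obj *o)
{
    size_t bad = 0;
    for (size_t i = 0; i < PAD_BYTES; i++)
        if (o->mem[o->size + i] != POISON_INUSE)
            bad++;
    free(o->mem);
    o->mem = NULL;
    return bad;
}
/* Simulates a caller that copies n bytes into an object of `size` bytes and
 * returns how many padding bytes the free-time check flags; n is clamped to
 * the modelled slack so the model itself never writes out of bounds. */
size_t simulate_copy_then_free(size_t size, size_t n)
{
    struct dbg_obj o = dbg_alloc(size);
    if (!o.mem)
        return (size_t)-1;
    if (n > size + PAD_BYTES)
        n = size + PAD_BYTES;
    memset(o.mem, 0x41, n);   /* 0x41 is a constructed fill value */
    return dbg_free(&o);
}
int main(void)
{
    printf("in-bounds copy: %zu bad padding bytes\n", simulate_copy_then_free(100, 100));
    printf("3-byte overrun: %zu bad padding bytes\n", simulate_copy_then_free(100, 103));
    return 0;
}
```

A non-zero count is the user-space analogue of the kernel's "Padding overwritten" report; in the real allocator the same check also dumps the object and its call trace so the offending caller can be identified.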