# git rev-parse -q --verify fa520c47eaa15b9baa8ad66ac18da4a31679693b^{commit}
fa520c47eaa15b9baa8ad66ac18da4a31679693b
already have revision, skipping fetch
# git checkout -q -f -B kisskb fa520c47eaa15b9baa8ad66ac18da4a31679693b
# git clean -qxdf
# < git log -1
# commit fa520c47eaa15b9baa8ad66ac18da4a31679693b
# Author: Eric Sandeen <sandeen@redhat.com>
# Date:   Wed Oct 17 15:23:59 2018 +0100
# 
#     fscache: Fix out of bound read in long cookie keys
#     
#     fscache_set_key() can incur an out-of-bounds read, reported by KASAN:
#     
#      BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x5b3/0x680 [fscache]
#      Read of size 4 at addr ffff88084ff056d4 by task mount.nfs/32615
#     
#     and also reported by syzbot at https://lkml.org/lkml/2018/7/8/236
#     
#       BUG: KASAN: slab-out-of-bounds in fscache_set_key fs/fscache/cookie.c:120 [inline]
#       BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 fs/fscache/cookie.c:171
#       Read of size 4 at addr ffff8801d3cc8bb4 by task syz-executor907/4466
#     
#     This happens for any index_key_len which is not divisible by 4 and is
#     larger than the size of the inline key, because the code allocates exactly
#     index_key_len for the key buffer, but the hashing loop is stepping through
#     it 4 bytes (u32) at a time in the buf[] array.
#     
#     Fix this by calculating how many u32 buffers we'll need by using
#     DIV_ROUND_UP, and then using kcalloc() to allocate a precleared allocation
#     buffer to hold the index_key, then using that same count as the hashing
#     index limit.
#     
#     Fixes: ec0328e46d6e ("fscache: Maintain a catalogue of allocated cookies")
#     Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
#     Signed-off-by: Eric Sandeen <sandeen@redhat.com>
#     Cc: stable <stable@vger.kernel.org>
#     Signed-off-by: David Howells <dhowells@redhat.com>
#     Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/sh4-linux/bin/sh4-linux-gcc --version
# < git log --format=%s --max-count=1 fa520c47eaa15b9baa8ad66ac18da4a31679693b
# < make -s -j 48 ARCH=sh O=/kisskb/build/linus_shx3_defconfig_sh4 CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/sh4-linux/bin/sh4-linux-  shx3_defconfig
# make -s -j 48 ARCH=sh O=/kisskb/build/linus_shx3_defconfig_sh4 CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/sh4-linux/bin/sh4-linux-  
  Generating include/generated/machtypes.h
<stdin>:1317:2: warning: #warning syscall pkey_mprotect not implemented [-Wcpp]
<stdin>:1320:2: warning: #warning syscall pkey_alloc not implemented [-Wcpp]
<stdin>:1323:2: warning: #warning syscall pkey_free not implemented [-Wcpp]
<stdin>:1326:2: warning: #warning syscall statx not implemented [-Wcpp]
<stdin>:1332:2: warning: #warning syscall io_pgetevents not implemented [-Wcpp]
<stdin>:1335:2: warning: #warning syscall rseq not implemented [-Wcpp]
/kisskb/src/arch/sh/kernel/cpu/sh4/../sh3/../../entry-common.S: Assembler messages:
/kisskb/src/arch/sh/kernel/cpu/sh4/../sh3/../../entry-common.S:389: Warning: overflow in branch to syscall_exit_work; converted into longer instruction sequence
/kisskb/src/arch/sh/kernel/cpu/sh4/../sh3/../../entry-common.S:392: Warning: overflow in branch to syscall_exit_work; converted into longer instruction sequence
/kisskb/src/kernel/cgroup/cgroup-v1.c: In function 'cgroup1_mount':
/kisskb/src/kernel/cgroup/cgroup-v1.c:1256:20: warning: 'root' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/rcu/srcutree.c: In function 'init_srcu_struct_fields':
/kisskb/src/kernel/rcu/srcutree.c:148:32: warning: 'levelspread[<U 3c0>]' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/rcu/srcutree.c:96:6: note: 'levelspread[<U 3c0>]' was declared here
/kisskb/src/kernel/printk/printk.c: In function 'devkmsg_sysctl_set_loglvl':
/kisskb/src/kernel/printk/printk.c:185:16: warning: 'old' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c: In function 'proc_reg_open':
/kisskb/src/include/linux/list.h:65:12: warning: 'pdeo' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c:341:21: note: 'pdeo' was declared here
/kisskb/src/mm/vmstat.c: In function 'sysctl_vm_numa_stat_handler':
/kisskb/src/mm/vmstat.c:89:5: warning: 'oldval' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/mm/hugetlb.c: In function 'alloc_pool_huge_page':
/kisskb/src/mm/hugetlb.c:1433:5: warning: 'page' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/mpage.c: In function 'do_mpage_readpage':
/kisskb/src/fs/mpage.c:338:1: warning: the frame size of 1108 bytes is larger than 1024 bytes [-Wframe-larger-than=]
/kisskb/src/fs/mpage.c: In function '__mpage_writepage':
/kisskb/src/fs/mpage.c:690:1: warning: the frame size of 1148 bytes is larger than 1024 bytes [-Wframe-larger-than=]
/kisskb/src/drivers/base/regmap/regmap.c: In function 'regmap_raw_read':
/kisskb/src/drivers/base/regmap/regmap.c:2511:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/base/regmap/regmap.c: In function '_regmap_raw_write':
/kisskb/src/drivers/base/regmap/regmap.c:1833:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/ext4/readpage.c: In function 'ext4_mpage_readpages':
/kisskb/src/fs/ext4/readpage.c:295:1: warning: the frame size of 1200 bytes is larger than 1024 bytes [-Wframe-larger-than=]
/kisskb/src/drivers/i2c/i2c-core-base.c: In function 'i2c_generic_scl_recovery':
/kisskb/src/drivers/i2c/i2c-core-base.c:235:5: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/sh/clk/cpg.c: In function 'r8':
/kisskb/src/drivers/sh/clk/cpg.c:41:2: warning: passing argument 1 of 'ioread8' discards 'const' qualifier from pointer target type [enabled by default]
/kisskb/src/include/asm-generic/iomap.h:29:21: note: expected 'void *' but argument is of type 'const void *'
/kisskb/src/drivers/sh/clk/cpg.c: In function 'r16':
/kisskb/src/drivers/sh/clk/cpg.c:46:2: warning: passing argument 1 of 'ioread16' discards 'const' qualifier from pointer target type [enabled by default]
/kisskb/src/include/asm-generic/iomap.h:30:21: note: expected 'void *' but argument is of type 'const void *'
/kisskb/src/drivers/sh/clk/cpg.c: In function 'r32':
/kisskb/src/drivers/sh/clk/cpg.c:51:2: warning: passing argument 1 of 'ioread32' discards 'const' qualifier from pointer target type [enabled by default]
/kisskb/src/include/asm-generic/iomap.h:32:21: note: expected 'void *' but argument is of type 'const void *'
  Kernel: arch/sh/boot/zImage is ready
Completed OK
# rm -rf /kisskb/build/linus_shx3_defconfig_sh4
# Build took: 0:00:38.487063