bisecting fixing commit since dce0f88600e49746b4bda873965b671a23ff4313
building syzkaller on 115e19300f73966554f176e2440fe79572a37c99
testing commit dce0f88600e49746b4bda873965b671a23ff4313 with gcc (GCC) 8.1.0
kernel signature: 994ef7371e736f7f979a05ac5e52654309c5328428d84ed9be90203759fdf8aa
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: slab-out-of-bounds Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
testing current HEAD 67957f12548c785d0e0b14fd104d2297f3a71835
testing commit 67957f12548c785d0e0b14fd104d2297f3a71835 with gcc (GCC) 8.1.0
kernel signature: 9e1c1a5ba62e697428221cc5b48aba51b105067cc314c167a12418230abbe467
all runs: OK
# git bisect start 67957f12548c785d0e0b14fd104d2297f3a71835 dce0f88600e49746b4bda873965b671a23ff4313
Bisecting: 475 revisions left to test after this (roughly 9 steps)
[5afc55c836e980d3dc3f1dda82c195a8d8b27dd3] scsi: powertec: Fix different dev_id between request_irq() and free_irq()
testing commit 5afc55c836e980d3dc3f1dda82c195a8d8b27dd3 with gcc (GCC) 8.1.0
kernel signature: 04f9761261234f92072815a75a633e69c773cab379767d4fbd28c4eba2d1c71c
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: slab-out-of-bounds Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 5afc55c836e980d3dc3f1dda82c195a8d8b27dd3
Bisecting: 237 revisions left to test after this (roughly 8 steps)
[bd79b3b960f26209bf3c06067d8909bf93831564] ASoC: msm8916-wcd-analog: fix register Interrupt offset
testing commit bd79b3b960f26209bf3c06067d8909bf93831564 with gcc (GCC) 8.1.0
kernel signature: a2900f64722bda1cb50e06e25a423df958d088dab4a2a98363183ba72239c7d1
all runs: OK
# git bisect bad bd79b3b960f26209bf3c06067d8909bf93831564
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[6ffc89cadbd02b83f23e572bb7c43ad9638f441f] xtensa: fix xtensa_pmu_setup prototype
testing commit 6ffc89cadbd02b83f23e572bb7c43ad9638f441f with gcc (GCC) 8.1.0
kernel signature: 74fe2967f8075f01a98379f7e8e40e6b4cfcf1ee2faab5324679d1677e9ea26a
all runs: OK
# git bisect bad 6ffc89cadbd02b83f23e572bb7c43ad9638f441f
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[4331212e4a6329470dc480bd15ae5cd20a6f1093] x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
testing commit 4331212e4a6329470dc480bd15ae5cd20a6f1093 with gcc (GCC) 8.1.0
kernel signature: d4a797c59f4e27804e713b35b5083444067197e984fb38b812b6a217b52ca5c7
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: slab-out-of-bounds Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: slab-out-of-bounds Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 4331212e4a6329470dc480bd15ae5cd20a6f1093
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[5de7ab80c866b4e31907109cb1993ac7422e09ae] include/asm-generic/vmlinux.lds.h: align ro_after_init
testing commit 5de7ab80c866b4e31907109cb1993ac7422e09ae with gcc (GCC) 8.1.0
kernel signature: e800e747b873462d8515453aac6f381fc9b1a3eb2b1fca3779b9f9607ca4e9da
all runs: OK
# git bisect bad 5de7ab80c866b4e31907109cb1993ac7422e09ae
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[3b71aed505934d9fe4d30c07e7a2d55d9b8291b2] pstore: Fix linking when crypto API disabled
testing commit 3b71aed505934d9fe4d30c07e7a2d55d9b8291b2 with gcc (GCC) 8.1.0
kernel signature: 694d2c80182f908f9323e9587c5e3d76f4d2731915da43e19e54cf497b55f86e
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 3b71aed505934d9fe4d30c07e7a2d55d9b8291b2
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[169f7f37bd6b0bb91242099cc261219791067d5c] fs/minix: don't allow getting deleted inodes
testing commit 169f7f37bd6b0bb91242099cc261219791067d5c with gcc (GCC) 8.1.0
kernel signature: 7d179d60a4a773ec6bf8edba9c2a164709ab8c085e661e580007b815e8481536
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: slab-out-of-bounds Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: slab-out-of-bounds Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
# git bisect good 169f7f37bd6b0bb91242099cc261219791067d5c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[10c8a526b2db1fcdf9e2d59d4885377b91939c55] drm/ttm/nouveau: don't call tt destroy callback on alloc failure.
testing commit 10c8a526b2db1fcdf9e2d59d4885377b91939c55 with gcc (GCC) 8.1.0
kernel signature: 63372d2e82c9e3e048da7391d00bb9e689047cd4109eab7802ef95a42458f6b6
all runs: OK
# git bisect bad 10c8a526b2db1fcdf9e2d59d4885377b91939c55
Bisecting: 1 revision left to test after this (roughly 1 step)
[d22c224704b720887e3fad683281a2cf97b679ea] ALSA: usb-audio: add quirk for Pioneer DDJ-RB
testing commit d22c224704b720887e3fad683281a2cf97b679ea with gcc (GCC) 8.1.0
kernel signature: 02791e59efd17d4549bbbcc7dc8e62dd2a96647ed03e2b2dccc8a50f1761c160
all runs: OK
# git bisect bad d22c224704b720887e3fad683281a2cf97b679ea
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d] fs/minix: reject too-large maximum file size
testing commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d with gcc (GCC) 8.1.0
kernel signature: 498654cd6b0434b74e82161516274d609320f6f9d2f5c698a3f02a3f2dfd5b38
all runs: OK
# git bisect bad 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d is the first bad commit
commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers
Date:   Tue Aug 11 18:35:30 2020 -0700

    fs/minix: reject too-large maximum file size

    commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.

    If the minix filesystem tries to map a very large logical block number to
    its on-disk location, block_to_path() can return offsets that are too
    large, causing out-of-bounds memory accesses when accessing indirect
    index blocks.

    This should be prevented by the check against the maximum file size, but
    this doesn't work because the maximum file size is read directly from the
    on-disk superblock and isn't validated itself.

    Fix this by validating the maximum file size at mount time.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
    Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
    Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers
    Signed-off-by: Andrew Morton
    Cc: Alexander Viro
    Cc: Qiujun Huang
    Cc:
    Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

culprit signature: 498654cd6b0434b74e82161516274d609320f6f9d2f5c698a3f02a3f2dfd5b38
parent signature: 7d179d60a4a773ec6bf8edba9c2a164709ab8c085e661e580007b815e8481536
revisions tested: 12, total time: 3h32m56.0722929s (build: 2h6m31.579791337s, test: 1h24m15.578432881s)
first good commit: 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d fs/minix: reject too-large maximum file size
recipients (to): ["akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]
recipients (cc): []
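The commit message above explains the mechanism: block_to_path() only range-checks a logical block number against s_max_size, and s_max_size comes straight from the on-disk superblock, so a crafted image can let a block number through whose indirect-block index is larger than an index block holds. The following is an added illustration, not the kernel's code and not the patch in 954fc7da99a9: it mirrors the MINIX V1 block_to_path() arithmetic (7 direct zones, 512 sixteen-bit zone numbers per 1 KiB index block, depth 3) in user space, feeds it a constructed superblock with s_max_size = 0xFFFFFFFF, shows the resulting out-of-range index, and then applies a mount-time bound on s_max_size. The names struct sb_v1, block_to_path_v1, path_in_bounds, v1_max_size_ok and map_block_checked are this example's own assumptions.

```c
/*
 * User-space model of the MINIX V1 block mapping and of a mount-time
 * sanity check on s_max_size.  Added illustration only: constants follow
 * the V1 on-disk layout, but the struct and function names are invented
 * for this example and are not the kernel's.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE          1024   /* MINIX V1 block size in bytes */
#define V1_DIRECT           7      /* direct zone pointers in the inode */
#define V1_ZONES_PER_BLOCK  512    /* 16-bit zone numbers per 1 KiB index block */
#define V1_DEPTH            3      /* direct, single indirect, double indirect */

/* Largest byte size the three-level V1 mapping can address. */
#define V1_MAX_SIZE ((V1_DIRECT + V1_ZONES_PER_BLOCK + \
                      V1_ZONES_PER_BLOCK * V1_ZONES_PER_BLOCK) * (uint64_t)BLOCK_SIZE)

/* Hypothetical in-memory superblock: only the field this example needs,
 * copied from disk without validation (the pre-fix situation). */
struct sb_v1 {
    uint32_t s_max_size;
};

/* Mirrors the V1 block_to_path() arithmetic.  Returns the path depth, or 0
 * when the block is rejected.  Note the only range check trusts s_max_size. */
static int block_to_path_v1(const struct sb_v1 *sb, long block, int offsets[V1_DEPTH])
{
    int n = 0;

    if (block < 0)
        return 0;
    if (block >= (long)(sb->s_max_size / BLOCK_SIZE))
        return 0;                         /* "too big" per the superblock */

    if (block < V1_DIRECT) {
        offsets[n++] = (int)block;
    } else if ((block -= V1_DIRECT) < V1_ZONES_PER_BLOCK) {
        offsets[n++] = V1_DIRECT;         /* single-indirect zone */
        offsets[n++] = (int)block;
    } else {
        block -= V1_ZONES_PER_BLOCK;
        offsets[n++] = V1_DIRECT + 1;     /* double-indirect zone */
        offsets[n++] = (int)(block >> 9); /* index into the first-level block */
        offsets[n++] = (int)(block & 511);/* index into the second-level block */
    }
    return n;
}

/* Every offset after the first indexes a 16-bit entry inside a 1 KiB index
 * block, so it must be below 512 or the read goes past the buffer. */
static bool path_in_bounds(const int offsets[V1_DEPTH], int depth)
{
    for (int i = 1; i < depth; i++)
        if (offsets[i] >= V1_ZONES_PER_BLOCK)
            return false;
    return true;
}

/* Mount-time check this example adds: s_max_size must not exceed what the
 * V1 zone mapping can address. */
static bool v1_max_size_ok(const struct sb_v1 *sb)
{
    return sb->s_max_size <= V1_MAX_SIZE;
}

/* Map one block under a given s_max_size.  Returns the path depth when the
 * offsets stay inside their index blocks, -1 when the mount or the block is
 * rejected, and -2 when the mapping would index past an index block. */
int map_block_checked(uint32_t s_max_size, long block, bool validate_mount)
{
    struct sb_v1 sb = { .s_max_size = s_max_size };
    int offsets[V1_DEPTH] = { 0 };

    if (validate_mount && !v1_max_size_ok(&sb))
        return -1;                        /* mount refused */
    int depth = block_to_path_v1(&sb, block, offsets);
    if (depth == 0)
        return -1;                        /* block rejected by size check */
    return path_in_bounds(offsets, depth) ? depth : -2;
}

int main(void)
{
    /* Constructed image: s_max_size far beyond the addressable range. */
    const uint32_t crafted = 0xFFFFFFFFu;
    /* First block the three-level mapping cannot represent: its first-level
     * index comes out as 512, one past the end of a 512-entry index block. */
    const long first_unmappable = V1_DIRECT + V1_ZONES_PER_BLOCK
                                + V1_ZONES_PER_BLOCK * V1_ZONES_PER_BLOCK;

    printf("crafted sb, no mount check : %d\n", map_block_checked(crafted, first_unmappable, false));
    printf("crafted sb, mount check    : %d\n", map_block_checked(crafted, first_unmappable, true));
    printf("sane sb, same block        : %d\n", map_block_checked((uint32_t)V1_MAX_SIZE, first_unmappable, false));
    printf("sane sb, block 1000        : %d\n", map_block_checked((uint32_t)V1_MAX_SIZE, 1000, false));
    return 0;
}
```

With the crafted superblock and no mount-time check, block 262663 passes the s_max_size comparison and yields offsets {8, 512, 0}; the 512 is one entry past a 512-entry index block, which is the shape of the out-of-bounds read the log shows. Bounding s_max_size at mount refuses the image before any block is mapped, and with a sane s_max_size the same block is rejected by the existing per-block check.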