bisecting fixing commit since cbfa1702aaf69b2311ea1b35e04f113c48368c67
building syzkaller on fea47c014be7a00a32ab016b946c0a77f32c1f40
testing commit cbfa1702aaf69b2311ea1b35e04f113c48368c67 with gcc (GCC) 8.1.0
kernel signature: 933a0617b39bfa8eebd79580401391b46f562be20ec2e0f35604b3affc1006b7
run #0: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #1: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #2: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #3: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #4: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #5: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #6: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #7: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #8: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #9: crashed: KASAN: use-after-free Read in ntfs_attr_find
testing current HEAD 8961076ed318dfd22aa357b41589f07bf67e73b6
testing commit 8961076ed318dfd22aa357b41589f07bf67e73b6 with gcc (GCC) 8.1.0
kernel signature: 5d9ddfc511d144c5e902b4b7d75d52f233130e724668b33794c2b36130cfd08c
all runs: OK
# git bisect start 8961076ed318dfd22aa357b41589f07bf67e73b6 cbfa1702aaf69b2311ea1b35e04f113c48368c67
Bisecting: 402 revisions left to test after this (roughly 9 steps)
[17b50b33f64f3895d58fb496360428684f5c105d] scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()'
testing commit 17b50b33f64f3895d58fb496360428684f5c105d with gcc (GCC) 8.1.0
kernel signature: fdc29264c91204c1f840e1fe51503936f18606cb7463a3dcdb899f235f76d0ad
run #0: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #1: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #2: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #3: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #4: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #5: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #6: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #7: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #8: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #9: crashed: KASAN: use-after-free Read in ntfs_attr_find
# git bisect good 17b50b33f64f3895d58fb496360428684f5c105d
Bisecting: 201 revisions left to test after this (roughly 8 steps)
[f1750073adfee2cc0c27440114f8f62a599d1aad] nvme-rdma: fix crash when connect rejected
testing commit f1750073adfee2cc0c27440114f8f62a599d1aad with gcc (GCC) 8.1.0
kernel signature: ca69bc37447c1814aa2cbc183df4cb8a2288c4a478a435adfcd466b21d3e4c64
all runs: OK
# git bisect bad f1750073adfee2cc0c27440114f8f62a599d1aad
Bisecting: 100 revisions left to test after this (roughly 7 steps)
[03d78253277aa4a44e4c97736756f8523798eca7] media: saa7134: avoid a shift overflow
testing commit 03d78253277aa4a44e4c97736756f8523798eca7 with gcc (GCC) 8.1.0
kernel signature: 03c7ef1542aa98112f94333a012d954d310f6fa312701ee2534fdd39f77d5cbe
run #0: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #1: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #2: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #3: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #4: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #5: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #6: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #7: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #8: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #9: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
# git bisect good 03d78253277aa4a44e4c97736756f8523798eca7
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[d23fef2d05fba40d2fbb31a7e068a5eb543ec228] x86/xen: disable Firmware First mode for correctable memory errors
testing commit d23fef2d05fba40d2fbb31a7e068a5eb543ec228 with gcc (GCC) 8.1.0
kernel signature: 6a0d74ac2209c7c6301f215ed1585eddb8f036d70ea66e5b27e18437050c249f
all runs: OK
# git bisect bad d23fef2d05fba40d2fbb31a7e068a5eb543ec228
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[7de217b9e5874945f5619770ee26bcfa95f740c7] scsi: qedi: Protect active command list to avoid list corruption
testing commit 7de217b9e5874945f5619770ee26bcfa95f740c7 with gcc (GCC) 8.1.0
kernel signature: 0dbe1f62387d524ac8e16a229f96e74525adcc83ce277050d9c03be7d42e96d9
all runs: OK
# git bisect bad 7de217b9e5874945f5619770ee26bcfa95f740c7
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[c4e3e0824e355a67cd339fe5ce3935f80b2f62ec] udf: Avoid accessing uninitialized data on failed inode read
testing commit c4e3e0824e355a67cd339fe5ce3935f80b2f62ec with gcc (GCC) 8.1.0
kernel signature: 1dfb159cbd5ed40f632aff18a0bfff7d82c917f583f66b02e7be3915d91af578
all runs: OK
# git bisect bad c4e3e0824e355a67cd339fe5ce3935f80b2f62ec
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[e9d7903412d246ec0c78e518fd96b135a61c9c22] scsi: mvumi: Fix error return in mvumi_io_attach()
testing commit e9d7903412d246ec0c78e518fd96b135a61c9c22 with gcc (GCC) 8.1.0
kernel signature: 1501a4f37ac398add3829201fe3ba9b75a572d22045a042a9ed10678934cbf3c
all runs: OK
# git bisect bad e9d7903412d246ec0c78e518fd96b135a61c9c22
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[d2918cca649f7457018f2c94176a8302e7a9f311] ntfs: add check for mft record size in superblock
testing commit d2918cca649f7457018f2c94176a8302e7a9f311 with gcc (GCC) 8.1.0
kernel signature: 28b233e7dca4173b2f0f47d1c02509d778267f0bffcb97f7a506be7cca39a8ba
all runs: OK
# git bisect bad d2918cca649f7457018f2c94176a8302e7a9f311
Bisecting: 0 revisions left to test after this (roughly 1 step)
[699cbe4895d54792114e7231e0d4195b3ec8d986] media: venus: core: Fix runtime PM imbalance in venus_probe
testing commit 699cbe4895d54792114e7231e0d4195b3ec8d986 with gcc (GCC) 8.1.0
kernel signature: 534f8a1c203a9254e69138685bbb907d1e8e6b9b61be801b13b0dafc97a530d2
run #0: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #1: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #2: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #3: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #4: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #5: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
run #6: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #7: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #8: crashed: KASAN: use-after-free Read in ntfs_attr_find
run #9: crashed: KASAN: slab-out-of-bounds Read in ntfs_attr_find
# git bisect good 699cbe4895d54792114e7231e0d4195b3ec8d986
d2918cca649f7457018f2c94176a8302e7a9f311 is the first bad commit
commit d2918cca649f7457018f2c94176a8302e7a9f311
Author: Rustam Kovhaev
Date:   Tue Oct 13 16:48:17 2020 -0700

    ntfs: add check for mft record size in superblock

    [ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ]

    Number of bytes allocated for mft record should be equal to the mft record
    size stored in ntfs superblock as reported by syzbot, userspace might
    trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find()

    Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
    Signed-off-by: Rustam Kovhaev
    Signed-off-by: Andrew Morton
    Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
    Acked-by: Anton Altaparmakov
    Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
    Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com
    Signed-off-by: Linus Torvalds
    Signed-off-by: Sasha Levin

 fs/ntfs/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

culprit signature: 28b233e7dca4173b2f0f47d1c02509d778267f0bffcb97f7a506be7cca39a8ba
parent signature: 534f8a1c203a9254e69138685bbb907d1e8e6b9b61be801b13b0dafc97a530d2
revisions tested: 11, total time: 2h50m7.784269573s (build: 1h30m59.583728412s, test: 1h17m52.678586196s)
first good commit: d2918cca649f7457018f2c94176a8302e7a9f311 ntfs: add check for mft record size in superblock
recipients (to): ["akpm@linux-foundation.org" "anton@tuxera.com" "rkovhaev@gmail.com" "sashal@kernel.org" "syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com" "torvalds@linux-foundation.org"]
recipients (cc): []