bisecting fixing commit since b850307b279cbd12ab8c654d1a3dfe55319cc475
building syzkaller on 115e19300f73966554f176e2440fe79572a37c99
testing commit b850307b279cbd12ab8c654d1a3dfe55319cc475 with gcc (GCC) 8.1.0
kernel signature: 9def7abfb721185784f81a93a67dfa604b69abc6d2a0967454304d598d91442a
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in V1_minix_truncate
run #2: crashed: KASAN: slab-out-of-bounds Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: slab-out-of-bounds Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
testing current HEAD 458a534cac0c808fce164cc961f8384ffc8c455e
testing commit 458a534cac0c808fce164cc961f8384ffc8c455e with gcc (GCC) 8.1.0
kernel signature: b09fa960df6e8fdcdd37e01a2cd6955491fcc21af825e71a146ce3aded9fba14
all runs: OK
# git bisect start 458a534cac0c808fce164cc961f8384ffc8c455e b850307b279cbd12ab8c654d1a3dfe55319cc475
Bisecting: 566 revisions left to test after this (roughly 9 steps)
[9255e73a4d372babdb3095561952696d0330bd74] mac80211: allow rx of mesh eapol frames with default rx key
testing commit 9255e73a4d372babdb3095561952696d0330bd74 with gcc (GCC) 8.1.0
kernel signature: f0875d705507be38a72c2f9019085819f656fd4a72ad929ffc014490640ccfba
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: slab-out-of-bounds Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
# git bisect good 9255e73a4d372babdb3095561952696d0330bd74
Bisecting: 283 revisions left to test after this (roughly 8 steps)
[99e69b921dae3ebe63d2c424ce00f91b4cab2826] crypto: ccp - Fix use of merged scatterlists
testing commit 99e69b921dae3ebe63d2c424ce00f91b4cab2826 with gcc (GCC) 8.1.0
kernel signature: 9267208c9dbb3cba20c6ea044cd70c53664a7c7d0d897c11b4eeba62975487f2
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: slab-out-of-bounds Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 99e69b921dae3ebe63d2c424ce00f91b4cab2826
Bisecting: 141 revisions left to test after this (roughly 7 steps)
[4704cd249f8d28c5cd9fe29148e6833f0dd54b02] drm/amdkfd: Fix reference count leaks.
testing commit 4704cd249f8d28c5cd9fe29148e6833f0dd54b02 with gcc (GCC) 8.1.0
kernel signature: a8dbddf8cc46b157e544e5f2d7445568879bf5de1891ac7a96b390a7d0ab5bda
all runs: OK
# git bisect bad 4704cd249f8d28c5cd9fe29148e6833f0dd54b02
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[da54edbe563866eb2bd57a12bc8f76ddc88fc369] genirq/affinity: Handle affinity setting on inactive interrupts correctly
testing commit da54edbe563866eb2bd57a12bc8f76ddc88fc369 with gcc (GCC) 8.1.0
kernel signature: 58b28daaae72f9f26da24af7e378fae5558430d8645a310772aa07087492a1ec
all runs: OK
# git bisect bad da54edbe563866eb2bd57a12bc8f76ddc88fc369
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[2b5858751a051fbd7ad7dc831fadf8bbed741ccc] ftrace: Setup correct FTRACE_FL_REGS flags for module
testing commit 2b5858751a051fbd7ad7dc831fadf8bbed741ccc with gcc (GCC) 8.1.0
kernel signature: 09fb3930b34ddb228a2ffc06bdd13c5800f06b661b8cb11b869f3252bda4e172
all runs: OK
# git bisect bad 2b5858751a051fbd7ad7dc831fadf8bbed741ccc
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[233f70bdb12800fce6b153c270ec987acbaa773b] smb3: warn on confusing error scenario with sec=krb5
testing commit 233f70bdb12800fce6b153c270ec987acbaa773b with gcc (GCC) 8.1.0
kernel signature: c05bf4a392d96080a11eecaad10b1696aa1f16b103c0d681dbb2268a6cad1782
all runs: OK
# git bisect bad 233f70bdb12800fce6b153c270ec987acbaa773b
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[2fd8f313a9fdeb06986bd2bb8caa7c87602b9729] spi: spidev: Align buffers for DMA
testing commit 2fd8f313a9fdeb06986bd2bb8caa7c87602b9729 with gcc (GCC) 8.1.0
kernel signature: 7f318d2232dea6d1edf6485ee9bb61a9afa967c7bb7c03af4dea8f267608349a
all runs: OK
# git bisect bad 2fd8f313a9fdeb06986bd2bb8caa7c87602b9729
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[12490f06ef084bc34f5e5dbda104aa034e376f2e] fs/minix: don't allow getting deleted inodes
testing commit 12490f06ef084bc34f5e5dbda104aa034e376f2e with gcc (GCC) 8.1.0
kernel signature: b68cd6809f4aa6b33ad98bc723ed7181d98134793b79b2a38e3887f9f406b137
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: slab-out-of-bounds Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: slab-out-of-bounds Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
# git bisect good 12490f06ef084bc34f5e5dbda104aa034e376f2e
Bisecting: 1 revision left to test after this (roughly 1 step)
[ff114bcd7635211d051c6031fac800fd45424ece] ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
testing commit ff114bcd7635211d051c6031fac800fd45424ece with gcc (GCC) 8.1.0
kernel signature: 3eb97b6f756a3833b7e9a7cdb6b5169af504e50cf4bf144d6a0afd54169882c3
all runs: OK
# git bisect bad ff114bcd7635211d051c6031fac800fd45424ece
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0900097ef667097b0a4afb0155a4f5add77ece19] fs/minix: reject too-large maximum file size
testing commit 0900097ef667097b0a4afb0155a4f5add77ece19 with gcc (GCC) 8.1.0
kernel signature: ea1a28f11d33eb1fdcaa2309ffcece93df5b510455db7738085b9c7d2c9a1d51
all runs: OK
# git bisect bad 0900097ef667097b0a4afb0155a4f5add77ece19
0900097ef667097b0a4afb0155a4f5add77ece19 is the first bad commit
commit 0900097ef667097b0a4afb0155a4f5add77ece19
Author: Eric Biggers
Date:   Tue Aug 11 18:35:30 2020 -0700

    fs/minix: reject too-large maximum file size

    commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.

    If the minix filesystem tries to map a very large logical block number
    to its on-disk location, block_to_path() can return offsets that are
    too large, causing out-of-bounds memory accesses when accessing indirect
    index blocks.

    This should be prevented by the check against the maximum file size,
    but this doesn't work because the maximum file size is read directly
    from the on-disk superblock and isn't validated itself.

    Fix this by validating the maximum file size at mount time.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
    Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
    Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers
    Signed-off-by: Andrew Morton
    Cc: Alexander Viro
    Cc: Qiujun Huang
    Cc:
    Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

culprit signature: ea1a28f11d33eb1fdcaa2309ffcece93df5b510455db7738085b9c7d2c9a1d51
parent  signature: b68cd6809f4aa6b33ad98bc723ed7181d98134793b79b2a38e3887f9f406b137
revisions tested: 12, total time: 3h43m17.69164855s (build: 2h9m35.067887204s, test: 1h31m28.763079039s)
first good commit: 0900097ef667097b0a4afb0155a4f5add77ece19 fs/minix: reject too-large maximum file size
recipients (to): ["akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]
recipients (cc): []