bisecting fixing commit since dce0f88600e49746b4bda873965b671a23ff4313
building syzkaller on 9ebcc5b1a8145326065b932958d82ada85a5c224
testing commit dce0f88600e49746b4bda873965b671a23ff4313 with gcc (GCC) 8.1.0
kernel signature: 5e3103a8554bb767f9d383067af15142f9c1518595589298d810efeabe5fc8de
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
testing current HEAD 67957f12548c785d0e0b14fd104d2297f3a71835
testing commit 67957f12548c785d0e0b14fd104d2297f3a71835 with gcc (GCC) 8.1.0
kernel signature: a8771f6daf94bb0873636d1a1b9014363526a70ed446618c5eeaf454b505e1c6
all runs: OK
# git bisect start 67957f12548c785d0e0b14fd104d2297f3a71835 dce0f88600e49746b4bda873965b671a23ff4313
Bisecting: 475 revisions left to test after this (roughly 9 steps)
[5afc55c836e980d3dc3f1dda82c195a8d8b27dd3] scsi: powertec: Fix different dev_id between request_irq() and free_irq()
testing commit 5afc55c836e980d3dc3f1dda82c195a8d8b27dd3 with gcc (GCC) 8.1.0
kernel signature: 730120ce5fd73983878b846b4ab9df8464600fd8dc53553931c7a8b1a13f3919
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: slab-out-of-bounds Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
# git bisect good 5afc55c836e980d3dc3f1dda82c195a8d8b27dd3
Bisecting: 237 revisions left to test after this (roughly 8 steps)
[bd79b3b960f26209bf3c06067d8909bf93831564] ASoC: msm8916-wcd-analog: fix register Interrupt offset
testing commit bd79b3b960f26209bf3c06067d8909bf93831564 with gcc (GCC) 8.1.0
kernel signature: 9aa7d5b5b9d467a2022866b2f4f3305b91ea588b0bd2fb7e302a3913bd0100e2
all runs: OK
# git bisect bad bd79b3b960f26209bf3c06067d8909bf93831564
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[6ffc89cadbd02b83f23e572bb7c43ad9638f441f] xtensa: fix xtensa_pmu_setup prototype
testing commit 6ffc89cadbd02b83f23e572bb7c43ad9638f441f with gcc (GCC) 8.1.0
kernel signature: 5fea7d282e98dd6ebc65d7b3d115dd29b54c44945a652140ec410959ceb12b9a
all runs: OK
# git bisect bad 6ffc89cadbd02b83f23e572bb7c43ad9638f441f
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[4331212e4a6329470dc480bd15ae5cd20a6f1093] x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
testing commit 4331212e4a6329470dc480bd15ae5cd20a6f1093 with gcc (GCC) 8.1.0
kernel signature: ad23c5b43845900e265a653f86603902122475abc8acce0aab1cc29998bf3516
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 4331212e4a6329470dc480bd15ae5cd20a6f1093
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[5de7ab80c866b4e31907109cb1993ac7422e09ae] include/asm-generic/vmlinux.lds.h: align ro_after_init
testing commit 5de7ab80c866b4e31907109cb1993ac7422e09ae with gcc (GCC) 8.1.0
kernel signature: a06f5dd987b0bbb34530952ab8aa9a58f1d6fd9f0a6ab142e85c0dccde50ef82
all runs: OK
# git bisect bad 5de7ab80c866b4e31907109cb1993ac7422e09ae
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[3b71aed505934d9fe4d30c07e7a2d55d9b8291b2] pstore: Fix linking when crypto API disabled
testing commit 3b71aed505934d9fe4d30c07e7a2d55d9b8291b2 with gcc (GCC) 8.1.0
kernel signature: bbee3a293f7a31940da6df8d82241dea99d76b37aa56b364399b58d80cb24917
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 3b71aed505934d9fe4d30c07e7a2d55d9b8291b2
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[169f7f37bd6b0bb91242099cc261219791067d5c] fs/minix: don't allow getting deleted inodes
testing commit 169f7f37bd6b0bb91242099cc261219791067d5c with gcc (GCC) 8.1.0
kernel signature: 47e86c3eb78aa735d50a553de600c1c556c762d07f5158c534eeff1d4c92ed5a
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 169f7f37bd6b0bb91242099cc261219791067d5c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[10c8a526b2db1fcdf9e2d59d4885377b91939c55] drm/ttm/nouveau: don't call tt destroy callback on alloc failure.
testing commit 10c8a526b2db1fcdf9e2d59d4885377b91939c55 with gcc (GCC) 8.1.0
kernel signature: 451f0e9ac057db2690b8c14d862f831a2267bfff3a0aea412f14058a1575ac75
all runs: OK
# git bisect bad 10c8a526b2db1fcdf9e2d59d4885377b91939c55
Bisecting: 1 revision left to test after this (roughly 1 step)
[d22c224704b720887e3fad683281a2cf97b679ea] ALSA: usb-audio: add quirk for Pioneer DDJ-RB
testing commit d22c224704b720887e3fad683281a2cf97b679ea with gcc (GCC) 8.1.0
kernel signature: 2320402272ccb4b1629a3900606016d58a30b83b3b497519ba664bbbd8375941
all runs: OK
# git bisect bad d22c224704b720887e3fad683281a2cf97b679ea
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d] fs/minix: reject too-large maximum file size
testing commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d with gcc (GCC) 8.1.0
kernel signature: 9e2ba1af1d638cfded249d727059280383aba042e247509907a814abaad6375a
all runs: OK
# git bisect bad 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d is the first bad commit
commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers
Date:   Tue Aug 11 18:35:30 2020 -0700

    fs/minix: reject too-large maximum file size

    commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.

    If the minix filesystem tries to map a very large logical block number
    to its on-disk location, block_to_path() can return offsets that are
    too large, causing out-of-bounds memory accesses when accessing
    indirect index blocks.

    This should be prevented by the check against the maximum file size,
    but this doesn't work because the maximum file size is read directly
    from the on-disk superblock and isn't validated itself.

    Fix this by validating the maximum file size at mount time.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
    Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
    Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers
    Signed-off-by: Andrew Morton
    Cc: Alexander Viro
    Cc: Qiujun Huang
    Cc:
    Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

culprit signature: 9e2ba1af1d638cfded249d727059280383aba042e247509907a814abaad6375a
parent signature: 47e86c3eb78aa735d50a553de600c1c556c762d07f5158c534eeff1d4c92ed5a
revisions tested: 12, total time: 3h38m10.555336007s (build: 2h5m39.038594731s, test: 1h30m25.568340534s)
first good commit: 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d fs/minix: reject too-large maximum file size
recipients (to): ["akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]
recipients (cc): []