bisecting fixing commit since bf3e76289cd28b87f679cd53e26d67fd708d718a
building syzkaller on 64069d48f293e0be98d4a78a6f7be23861cc1e06
testing commit bf3e76289cd28b87f679cd53e26d67fd708d718a with gcc (GCC) 8.1.0
kernel signature: aa2c0b69bc7fcb5916408a51cfeda429901207cf8a39c1fb0bb88c1c4090a869
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
testing current HEAD 0da0a8a0a0e1845f495431c3d8d733d2bbf9e9e5
testing commit 0da0a8a0a0e1845f495431c3d8d733d2bbf9e9e5 with gcc (GCC) 8.1.0
kernel signature: 5843ae72715e3617756f649808eea474b9231fb14cf97669d85a5d1f1beeab2f
all runs: OK
# git bisect start 0da0a8a0a0e1845f495431c3d8d733d2bbf9e9e5 bf3e76289cd28b87f679cd53e26d67fd708d718a
Bisecting: 8067 revisions left to test after this (roughly 13 steps)
[0cee54c890a40051928991072e5d1cd279611dfd] Merge tag 'usb-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit 0cee54c890a40051928991072e5d1cd279611dfd with gcc (GCC) 8.1.0
kernel signature: db38aea2b00c94bce8cab2a904c7b06e37e14f9e765850f80759f7a7e4d55426
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good 0cee54c890a40051928991072e5d1cd279611dfd
Bisecting: 4393 revisions left to test after this (roughly 12 steps)
[b0a6cd29e00a317d7fd823e0db57abbbd9bbb610] Merge tag 'arm-soc-defconfig-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit b0a6cd29e00a317d7fd823e0db57abbbd9bbb610 with gcc (GCC) 8.1.0
kernel signature: b2d2ea8cbc35dc79becb3aaf792b8b4f176593ee71e41e96e43e941519c267fb
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good b0a6cd29e00a317d7fd823e0db57abbbd9bbb610
Bisecting: 2200 revisions left to test after this (roughly 11 steps)
[1db98bcf56b1126428d59e71b815c310f73e44ab] Merge branch 'akpm' (patches from Andrew)
testing commit 1db98bcf56b1126428d59e71b815c310f73e44ab with gcc (GCC) 8.1.0
kernel signature: 70e6b1fbea6a55e07c29eab58c40e81fea3549d8d185affeaa13a6313485d8df
all runs: OK
# git bisect bad 1db98bcf56b1126428d59e71b815c310f73e44ab
Bisecting: 1102 revisions left to test after this (roughly 10 steps)
[ff49c86f27e4726a86f5034543e6e684daf41955] Merge tag 'f2fs-for-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs
testing commit ff49c86f27e4726a86f5034543e6e684daf41955 with gcc (GCC) 8.1.0
kernel signature: 8d8ef00a1e9e78f8a2be8821951b787aecba4a1f2197641cd68fa08e8a1c259e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good ff49c86f27e4726a86f5034543e6e684daf41955
Bisecting: 475 revisions left to test after this (roughly 9 steps)
[8a5be36b9303ae167468d4f5e1b3c090b9981396] Merge tag 'powerpc-5.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 8a5be36b9303ae167468d4f5e1b3c090b9981396 with gcc (GCC) 8.1.0
kernel signature: c5f60c0ffd4da5f199ba2f37ffffac74bdf8f00a4000ec1f8999cc8868fcc24e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good 8a5be36b9303ae167468d4f5e1b3c090b9981396
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[a409ed156a90093a03fe6a93721ddf4c591eac87] Merge tag 'gpio-v5.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit a409ed156a90093a03fe6a93721ddf4c591eac87 with gcc (GCC) 8.1.0
kernel signature: 4de647a7722dd51e9d09ebf23e0933617a1fee757235638c3dbab3ebec9ec782
all runs: OK
# git bisect bad a409ed156a90093a03fe6a93721ddf4c591eac87
Bisecting: 125 revisions left to test after this (roughly 7 steps)
[787fec8ac15cc693b9a7bc1b4a338b92483d993c] Merge tag 'for-linus-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs
testing commit 787fec8ac15cc693b9a7bc1b4a338b92483d993c with gcc (GCC) 8.1.0
kernel signature: 18655d9ec96c780fa9693456b4d605b126f52dfa09d838e61512cb047a66f011
all runs: OK
# git bisect bad 787fec8ac15cc693b9a7bc1b4a338b92483d993c
Bisecting: 67 revisions left to test after this (roughly 6 steps)
[afee4410bc6c50e1422c5a45d633ad0e478ea960] cifs: update internal module version number
testing commit afee4410bc6c50e1422c5a45d633ad0e478ea960 with gcc (GCC) 8.1.0
kernel signature: 4115d54261bfe51b414b58fe905ea994486ece464cd16ab83b450636d9992bdf
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good afee4410bc6c50e1422c5a45d633ad0e478ea960
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe] octeontx2-af: Fix undetected unmap PF error check
testing commit d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe with gcc (GCC) 8.1.0
kernel signature: b77cab7335e6ee2fb8b133ec0c383ab490f3e245697b1b6d1f795efebc4ae594
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[c8be097530a82e004f98378c3afc5cd35efc4f57] Revert "ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len"
testing commit c8be097530a82e004f98378c3afc5cd35efc4f57 with gcc (GCC) 8.1.0
fs/ubifs/journal.c:1562:5: error: too few arguments to function 'ubifs_dump_node'
fs/ubifs/file.c:95:2: error: too few arguments to function 'ubifs_dump_node'
fs/ubifs/super.c:256:2: error: too few arguments to function 'ubifs_dump_node'
fs/ubifs/sb.c:506:2: error: too few arguments to function 'ubifs_dump_node'
fs/ubifs/io.c:284:3: error: too few arguments to function 'ubifs_dump_node'
fs/ubifs/io.c:890:2: error: too few arguments to function 'ubifs_dump_node'
fs/ubifs/io.c:933:3: error: too few arguments to function 'ubifs_dump_node'
fs/ubifs/io.c:1032:2: error: too few arguments to function 'ubifs_dump_node'
fs/ubifs/io.c:1090:3: error: too few arguments to function 'ubifs_dump_node'
# git bisect skip c8be097530a82e004f98378c3afc5cd35efc4f57
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[5b33afee93a1e7665a5ffae027fc66f9376f4ea7] nfp: move indirect block cleanup to flower app stop callback
testing commit 5b33afee93a1e7665a5ffae027fc66f9376f4ea7 with gcc (GCC) 8.1.0
kernel signature: b77cab7335e6ee2fb8b133ec0c383ab490f3e245697b1b6d1f795efebc4ae594
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good 5b33afee93a1e7665a5ffae027fc66f9376f4ea7
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[c4c0d19d39d26c5f58633f8fcca75f03b2854fc0] ubifs: Limit dumping length by size of memory which is allocated for the node
testing commit c4c0d19d39d26c5f58633f8fcca75f03b2854fc0 with gcc (GCC) 8.1.0
fs/ubifs/journal.c:1562:5: error: too few arguments to function 'ubifs_dump_node'
# git bisect skip c4c0d19d39d26c5f58633f8fcca75f03b2854fc0
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[8fdaaf4cf3cea64aed8265a62c4ea7158ac0aa09] jffs2: Fix if/else empty body warnings
testing commit 8fdaaf4cf3cea64aed8265a62c4ea7158ac0aa09 with gcc (GCC) 8.1.0
kernel signature: d3a46f41ae4ae55d1b6e41c6022d402b20c82bdc1221dc969fafb131c15d2c61
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good 8fdaaf4cf3cea64aed8265a62c4ea7158ac0aa09
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[a33e30a0e023e9d1866866ca895c7789f48445e7] ubifs: Pass node length in all node dumping callers
testing commit a33e30a0e023e9d1866866ca895c7789f48445e7 with gcc (GCC) 8.1.0
fs/ubifs/debug.c:843:3: error: too few arguments to function 'ubifs_dump_node'
# git bisect skip a33e30a0e023e9d1866866ca895c7789f48445e7
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214] Merge tag 'net-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 with gcc (GCC) 8.1.0
kernel signature: b658d7ccb9c13009f0c2ecec90e8795ebbbebfdb9e9cc572f6bb781c3f907a1a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[f669e74be820386244290d5824938969d397b8fb] ubi: Do not zero out EC and VID on ECC-ed NOR flashes
testing commit f669e74be820386244290d5824938969d397b8fb with gcc (GCC) 8.1.0
kernel signature: 64281f0c2657345542dcff4028815e2a0c42b207e114faefd3201ab481922e86
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good f669e74be820386244290d5824938969d397b8fb
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[b80a974b8c58164ed57b0f025a47b8f003198d9e] ubifs: ubifs_dump_node: Dump all branches of the index node
testing commit b80a974b8c58164ed57b0f025a47b8f003198d9e with gcc (GCC) 8.1.0
kernel signature: eacbec7436d56c9a41983de445ee74b00646708a47ccb640b5937e542381b7a9
all runs: OK
# git bisect bad b80a974b8c58164ed57b0f025a47b8f003198d9e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[a61df3c413e49b0042f9caf774c58512d1cc71b7] jffs2: Fix NULL pointer dereference in rp_size fs option parsing
testing commit a61df3c413e49b0042f9caf774c58512d1cc71b7 with gcc (GCC) 8.1.0
kernel signature: ec81d30ce808cb4ce4509d2f2b75546d68a91b13e3e23fc9030d35bb54066c24
all runs: OK
# git bisect bad a61df3c413e49b0042f9caf774c58512d1cc71b7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[89f40d0a9656aa73bf4a6d905d28952381b6cb53] ubifs: Fixed print foramt mismatch in ubifs
testing commit 89f40d0a9656aa73bf4a6d905d28952381b6cb53 with gcc (GCC) 8.1.0
kernel signature: 8f59839c6e6d03b26f460f1b658b35eab7b3eea1798c58412e0707ccfd573bcc
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in jffs2_parse_param
# git bisect good 89f40d0a9656aa73bf4a6d905d28952381b6cb53
a61df3c413e49b0042f9caf774c58512d1cc71b7 is the first bad commit
commit a61df3c413e49b0042f9caf774c58512d1cc71b7
Author: Jamie Iles
Date:   Mon Oct 12 14:12:04 2020 +0100

    jffs2: Fix NULL pointer dereference in rp_size fs option parsing

    syzkaller found the following JFFS2 splat:

    Unable to handle kernel paging request at virtual address dfffa00000000001
    Mem abort info:
      ESR = 0x96000004
      EC = 0x25: DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
    Data abort info:
      ISV = 0, ISS = 0x00000004
      CM = 0, WnR = 0
    [dfffa00000000001] address between user and kernel address ranges
    Internal error: Oops: 96000004 [#1] SMP
    Dumping ftrace buffer:
       (ftrace buffer empty)
    Modules linked in:
    CPU: 0 PID: 12745 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #98
    Hardware name: linux,dummy-virt (DT)
    pstate: 20400005 (nzCv daif +PAN -UAO BTYPE=--)
    pc : jffs2_parse_param+0x138/0x308 fs/jffs2/super.c:206
    lr : jffs2_parse_param+0x108/0x308 fs/jffs2/super.c:205
    sp : ffff000022a57910
    x29: ffff000022a57910 x28: 0000000000000000
    x27: ffff000057634008 x26: 000000000000d800
    x25: 000000000000d800 x24: ffff0000271a9000
    x23: ffffa0001adb5dc0 x22: ffff000023fdcf00
    x21: 1fffe0000454af2c x20: ffff000024cc9400
    x19: 0000000000000000 x18: 0000000000000000
    x17: 0000000000000000 x16: ffffa000102dbdd0
    x15: 0000000000000000 x14: ffffa000109e44bc
    x13: ffffa00010a3a26c x12: ffff80000476e0b3
    x11: 1fffe0000476e0b2 x10: ffff80000476e0b2
    x9 : ffffa00010a3ad60 x8 : ffff000023b70593
    x7 : 0000000000000003 x6 : 00000000f1f1f1f1
    x5 : ffff000023fdcf00 x4 : 0000000000000002
    x3 : ffffa00010000000 x2 : 0000000000000001
    x1 : dfffa00000000000 x0 : 0000000000000008
    Call trace:
     jffs2_parse_param+0x138/0x308 fs/jffs2/super.c:206
     vfs_parse_fs_param+0x234/0x4e8 fs/fs_context.c:117
     vfs_parse_fs_string+0xe8/0x148 fs/fs_context.c:161
     generic_parse_monolithic+0x17c/0x208 fs/fs_context.c:201
     parse_monolithic_mount_data+0x7c/0xa8 fs/fs_context.c:649
     do_new_mount fs/namespace.c:2871 [inline]
     path_mount+0x548/0x1da8 fs/namespace.c:3192
     do_mount+0x124/0x138 fs/namespace.c:3205
     __do_sys_mount fs/namespace.c:3413 [inline]
     __se_sys_mount fs/namespace.c:3390 [inline]
     __arm64_sys_mount+0x164/0x238 fs/namespace.c:3390
     __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
     invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
     el0_svc_common.constprop.0+0x15c/0x598 arch/arm64/kernel/syscall.c:149
     do_el0_svc+0x60/0x150 arch/arm64/kernel/syscall.c:195
     el0_svc+0x34/0xb0 arch/arm64/kernel/entry-common.c:226
     el0_sync_handler+0xc8/0x5b4 arch/arm64/kernel/entry-common.c:236
     el0_sync+0x15c/0x180 arch/arm64/kernel/entry.S:663
    Code: d2d40001 f2fbffe1 91002260 d343fc02 (38e16841)
    ---[ end trace 4edf690313deda44 ]---

    This is because since ec10a24f10c8, the option parsing happens before
    fill_super and so the MTD device isn't associated with the filesystem.
    Defer the size check until there is a valid association.

    Fixes: ec10a24f10c8 ("vfs: Convert jffs2 to use the new mount API")
    Cc:
    Cc: David Howells
    Signed-off-by: Jamie Iles
    Signed-off-by: Richard Weinberger

 fs/jffs2/super.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

culprit signature: ec81d30ce808cb4ce4509d2f2b75546d68a91b13e3e23fc9030d35bb54066c24
parent signature: 8f59839c6e6d03b26f460f1b658b35eab7b3eea1798c58412e0707ccfd573bcc
revisions tested: 18, total time: 3h2m40.650346425s (build: 1h36m13.247984076s, test: 1h24m28.222939533s)
first good commit: a61df3c413e49b0042f9caf774c58512d1cc71b7 jffs2: Fix NULL pointer dereference in rp_size fs option parsing
recipients (to): ["jamie@nuviainc.com" "linux-kernel@vger.kernel.org" "richard@nod.at"]
recipients (cc): ["dwmw2@infradead.org" "linux-mtd@lists.infradead.org" "lizhe67@huawei.com" "richard@nod.at" "viro@zeniv.linux.org.uk"]
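The commit message explains the bug as an ordering problem: after the conversion to the new mount API, jffs2_parse_param runs from parse_monolithic_mount_data before fill_super has attached the MTD device, so a check of the rp_size option against the device size reads through a NULL pointer. The splat is consistent with that: with KASAN on arm64 the faulting address dfffa00000000001 is the shadow byte for offset 8 from NULL (x0 = 8, x1 = the shadow offset), i.e. a field read on a NULL struct. The following C program is an added example, not code from the kernel or from the patch, that models the two orderings with constructed stand-ins for struct mtd_info and the JFFS2 superblock info (only a size field and an mtd pointer; the real structures, the fsparam tables and invalf() error reporting are left out). It shows the pre-fix shape of the check, which is only safe when the device is already attached, beside the post-fix shape, where parsing records the value and the comparison is deferred to fill_super. The option value is treated as KiB, as the real rp_size option is.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: only the fields this ordering bug touches. */
struct mtd_info { uint64_t size; };

struct jffs2_sb_info {
    struct mtd_info *mtd;   /* attached by fill_super; NULL while options are parsed */
    uint64_t rp_size;       /* reserve pool size in bytes, from the rp_size option */
};

/* Parse "rp_size=<KiB>" into bytes; rejects junk and values whose KiB count
 * does not fit the u32 the mount API hands back for this option. */
static int parse_rp_size(const char *opt, uint64_t *bytes)
{
    static const char key[] = "rp_size=";
    size_t klen = sizeof(key) - 1;
    if (strncmp(opt, key, klen) != 0)
        return -EINVAL;
    const char *num = opt + klen;
    char *end;
    errno = 0;
    unsigned long long kib = strtoull(num, &end, 10);
    if (errno || end == num || *end != '\0' || kib > UINT32_MAX / 1024)
        return -EINVAL;
    *bytes = (uint64_t)kib * 1024;
    return 0;
}

/* Pre-fix shape: validate against the device while parsing. Safe only if c->mtd
 * is already attached, which the old mount path guaranteed and the new one does not. */
static int parse_param_prefix(struct jffs2_sb_info *c, const char *opt)
{
    uint64_t bytes;
    int err = parse_rp_size(opt, &bytes);
    if (err)
        return err;
    if (bytes > c->mtd->size)   /* NULL dereference if called before fill_super */
        return -EINVAL;
    c->rp_size = bytes;
    return 0;
}

/* Post-fix shape: parsing only records the value; no device access here. */
static int parse_param_fixed(struct jffs2_sb_info *c, const char *opt)
{
    uint64_t bytes;
    int err = parse_rp_size(opt, &bytes);
    if (err)
        return err;
    c->rp_size = bytes;
    return 0;
}

/* fill_super: the device is attached here, so this is the first point at which
 * a comparison against its size is meaningful. */
static int fill_super(struct jffs2_sb_info *c, struct mtd_info *mtd)
{
    c->mtd = mtd;
    if (c->rp_size > c->mtd->size)
        return -EINVAL;   /* too large a reserve pool for this device */
    return 0;
}

/* New mount API order: parse the options first, then get_tree -> fill_super. */
static int mount_new_api(const char *opt, uint64_t mtd_size, int use_fix)
{
    struct jffs2_sb_info c = { .mtd = NULL, .rp_size = 0 };
    struct mtd_info mtd = { .size = mtd_size };
    int err = use_fix ? parse_param_fixed(&c, opt)
                      : parse_param_prefix(&c, opt);   /* faults: c.mtd is NULL */
    if (err)
        return err;
    return fill_super(&c, &mtd);
}

/* Old order (before the mount API conversion): device attached before parsing. */
static int mount_old_api(const char *opt, uint64_t mtd_size)
{
    struct jffs2_sb_info c = { .mtd = NULL, .rp_size = 0 };
    struct mtd_info mtd = { .size = mtd_size };
    c.mtd = &mtd;
    return parse_param_prefix(&c, opt);
}

int main(void)
{
    const uint64_t dev = 16 * 1024;   /* constructed 16 KiB flash */
    printf("old order, rp_size=8:          %d\n", mount_old_api("rp_size=8", dev));
    printf("new order (fixed), rp_size=8:  %d\n", mount_new_api("rp_size=8", dev, 1));
    printf("new order (fixed), rp_size=32: %d\n", mount_new_api("rp_size=32", dev, 1));
    /* mount_new_api("rp_size=8", dev, 0) would read c->mtd->size through NULL,
     * which is the crash the bisection above tracks. */
    return 0;
}
```

The general lesson the example encodes: any option check that needs a resource (a device, a backing file, a network peer) has to run at or after the point where that resource is bound to the context, and a mount-API conversion moves that point. The unfixed path is kept in the program so the two orderings can be compared, but it is never invoked with a detached device.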