ci2 starts bisection 2023-11-04 08:22:10.46824808 +0000 UTC m=+47977.373686916
bisecting fixing commit since 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f
building syzkaller on 41fe1bae463b32861fb14e967372da7e318bc6e1
ensuring issue is reproducible on original commit 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f
testing commit 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f0cd3dce13b28a26c2dacc21308c5fe1dd1cb95c6c646c4f12564aaa21912bf2
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e5ea609f737b5f718200d7f294a8d3d0bd247f79621b4bfe1c877cb231c43300
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
kconfig minimization: base=5179 full=6486 leaves diff=249
split chunks (needed=false): <249>
split chunk #0 of len 249 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f4275163d2622881c9c2e4c83ccf63c03e7fe06b14934a166e48dae0f0ee3016
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 33d47cfb3f5184d7fd2e9929ea839a3739c5de28f73dc39b544557b9030ca926
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b653f11da1b1b7626d1436d69b111b424ede0ba158d481b9848271b722d484ac
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2a686b8be6f29526333ff09fa0f0da7f6d3d5d9857f842542907483fe6ec2aa9
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f: net/socket.c:1225: undefined reference to `wext_handle_ioctl'
net/socket.c:3420: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 49 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing current HEAD 7bec8a8180669a95c44a767fa76f2a3dd3c46220
testing commit 7bec8a8180669a95c44a767fa76f2a3dd3c46220 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a6623d5ff60cb8879e3426912f3495659425863a9ae2f352953d83161650df6d
all runs: OK
false negative chance: 0.000
# git bisect start 7bec8a8180669a95c44a767fa76f2a3dd3c46220 1e114e6efac1254b0a5c11c1a8f9b6d7bdec0d7f
Bisecting: 1883 revisions left to test after this (roughly 11 steps)
[c86211159bc3178b891e0d60e586a32c7b6a231b] ksmbd: fix out-of-bound read in smb2_write
determine whether the revision contains the guilty commit
checking the merge base b1644a0031cfb3ca2cbd84c92f771f8ebb62302d
no existing result, test the revision
testing commit b1644a0031cfb3ca2cbd84c92f771f8ebb62302d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d9c460f4ad69523059fde9fca11dd44be18ad58fc711ba33cab60c7b6781d11e
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
testing commit c86211159bc3178b891e0d60e586a32c7b6a231b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2c517b9b5621630924c1a01c9bda527116a8630e2455ad07290baefbe7b225f8
all runs: OK
false negative chance: 0.000
# git bisect bad c86211159bc3178b891e0d60e586a32c7b6a231b
Bisecting: 941 revisions left to test after this (roughly 10 steps)
[34813f041d0e627905f47ccadc94a7fc566104d0] drm/amd/display: Use DC_LOG_DC in the trasform pixel function
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 34813f041d0e627905f47ccadc94a7fc566104d0 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5f920e5391727f160bbd829b7f56913a2ed2cb00a6638766fb90a64989d694f3
all runs: OK
false negative chance: 0.000
# git bisect bad 34813f041d0e627905f47ccadc94a7fc566104d0
Bisecting: 470 revisions left to test after this (roughly 9 steps)
[7035d8b73af22a2cf82ec8055af0577464b533e4] scripts/gdb: bail early if there are no generic PD
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 7035d8b73af22a2cf82ec8055af0577464b533e4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 76e098080789c061e11272f7f1c838b888cade8aba7f257e5d89e019ad67c637
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
# git bisect good 7035d8b73af22a2cf82ec8055af0577464b533e4
Bisecting: 235 revisions left to test after this (roughly 8 steps)
[1f274d53165b0a5c2c24a831ad72bae4c81aa5ca] net: ipv6: fix skb hash for some RST packets
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 1f274d53165b0a5c2c24a831ad72bae4c81aa5ca gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aa7b3e06998007a2aee8bf90d682e40772cdcc5eb71d4665caa9c7f59a0b3a31
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
# git bisect good 1f274d53165b0a5c2c24a831ad72bae4c81aa5ca
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[f661ad53658a1ea35c004af1f5fbe25c4d1cdb08] drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras
determine whether the revision contains the guilty commit
revision 1f274d53165b0a5c2c24a831ad72bae4c81aa5ca crashed and is reachable
testing commit f661ad53658a1ea35c004af1f5fbe25c4d1cdb08 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 76082ba7506d6efa751587fba1ed65706c5e0c0790a97cf39efcc26d9bd6a18c
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
# git bisect good f661ad53658a1ea35c004af1f5fbe25c4d1cdb08
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[1d2caddbeeee56fbbc36b428c5b909c3ad88eb7f] ext4: add bounds checking in get_max_inline_xattr_value_size()
determine whether the revision contains the guilty commit
revision 7035d8b73af22a2cf82ec8055af0577464b533e4 crashed and is reachable
testing commit 1d2caddbeeee56fbbc36b428c5b909c3ad88eb7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1e97a71cfd0417039224032c762f0ad32fc6dfe9240f2350335b63aba482bc00
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
# git bisect good 1d2caddbeeee56fbbc36b428c5b909c3ad88eb7f
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[bd0f360ee86494037fbffcac28dbb47c438b33df] net: annotate sk->sk_err write from do_recvmmsg()
determine whether the revision contains the guilty commit
revision f661ad53658a1ea35c004af1f5fbe25c4d1cdb08 crashed and is reachable
testing commit bd0f360ee86494037fbffcac28dbb47c438b33df gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c101c16023dabbb49fe8faf51b492094cefca143ad309b4edaefbd03220c81fc
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
# git bisect good bd0f360ee86494037fbffcac28dbb47c438b33df
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[5a08a72da35bf2dd6ba63bd6ee7210a1d25dbefd] fbdev: arcfb: Fix error handling in arcfb_probe()
determine whether the revision contains the guilty commit
revision bd0f360ee86494037fbffcac28dbb47c438b33df crashed and is reachable
testing commit 5a08a72da35bf2dd6ba63bd6ee7210a1d25dbefd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 439c5efd5fb3a47d275e1d298323facfe3394865016f4f5aa35566cf83f59ef9
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
# git bisect good 5a08a72da35bf2dd6ba63bd6ee7210a1d25dbefd
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[d0a8c0e31a09ec1efd53079083e2a677956b4d91] rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access
determine whether the revision contains the guilty commit
revision 7035d8b73af22a2cf82ec8055af0577464b533e4 crashed and is reachable
testing commit d0a8c0e31a09ec1efd53079083e2a677956b4d91 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 465ce658f01d9bee4c4da5818dae10d96968118a6e0b3a21e6f82b9292919fca
all runs: OK
false negative chance: 0.000
# git bisect bad d0a8c0e31a09ec1efd53079083e2a677956b4d91
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f12aa035e81438b4b005b4916bf68edf540cb4a9] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
determine whether the revision contains the guilty commit
revision 1d2caddbeeee56fbbc36b428c5b909c3ad88eb7f crashed and is reachable
testing commit f12aa035e81438b4b005b4916bf68edf540cb4a9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: de3ecc229fbe6ae99daa492bce56fa8e93fffe106c64c04627e4876136f165a6
all runs: crashed: kernel BUG in ext4_trim_fs
representative crash: kernel BUG in ext4_trim_fs, types: [BUG]
# git bisect good f12aa035e81438b4b005b4916bf68edf540cb4a9
Bisecting: 1 revision left to test after this (roughly 1 step)
[522c441faf82ab88636d66be8e25b8b7dfa2e001] refscale: Move shutdown from wait_event() to wait_event_idle()
determine whether the revision contains the guilty commit
revision f661ad53658a1ea35c004af1f5fbe25c4d1cdb08 crashed and is reachable
testing commit 522c441faf82ab88636d66be8e25b8b7dfa2e001 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 023764c9673a424a56880dce2c4f08a9f1b9b4e0cd2e060106c01937e260314b
all runs: OK
false negative chance: 0.000
# git bisect bad 522c441faf82ab88636d66be8e25b8b7dfa2e001
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b4319e457d6e3fb33e443efeaf4634fc36e8a9ed] ext4: allow ext4_get_group_info() to fail
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit b4319e457d6e3fb33e443efeaf4634fc36e8a9ed gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5f1e618c6077e89179b78a40442d85af6fbc7fbbfba02a2885ffd5197e3e4b5f
all runs: OK
false negative chance: 0.000
# git bisect bad b4319e457d6e3fb33e443efeaf4634fc36e8a9ed
b4319e457d6e3fb33e443efeaf4634fc36e8a9ed is the first bad commit
commit b4319e457d6e3fb33e443efeaf4634fc36e8a9ed
Author: Theodore Ts'o
Date:   Sat Apr 29 00:06:28 2023 -0400

    ext4: allow ext4_get_group_info() to fail

    [ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ]

    Previously, ext4_get_group_info() would treat an invalid group
    number as BUG(), since in theory it should never happen. However, if
    a malicious attacker (or fuzzer) modifies the superblock via the block
    device while the file system is mounted, it is possible for
    s_first_data_block to get set to a very large number. In that case,
    when calculating the block group of some block number (such as the
    starting block of a preallocation region), could result in an
    underflow and very large block group number. Then the BUG_ON check in
    ext4_get_group_info() would fire, resulting in a denial of service
    attack that can be triggered by root or someone with write access to
    the block device.

    From a quality of implementation perspective, it's best that even if
    the system administrator does something that they shouldn't, that it
    will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info()
    will call ext4_error and return NULL.

    We also add fallback code in all of the callers of
    ext4_get_group_info() that it might return NULL.

    Also, since ext4_get_group_info() was already borderline to be an
    inline function, un-inline it. This results in a net reduction of
    the compiled text size of ext4 by roughly 2k.

    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu
    Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
    Signed-off-by: Theodore Ts'o
    Reviewed-by: Jan Kara
    Signed-off-by: Sasha Levin

 fs/ext4/balloc.c  | 18 +++++++++++++++-
 fs/ext4/ext4.h    | 15 ++-----------
 fs/ext4/ialloc.c  | 12 +++++++----
 fs/ext4/mballoc.c | 64 +++++++++++++++++++++++++++++++++++++++++++++----------
 fs/ext4/super.c   |  2 ++
 5 files changed, 82 insertions(+), 29 deletions(-)

accumulated error probability: 0.00
culprit signature: 5f1e618c6077e89179b78a40442d85af6fbc7fbbfba02a2885ffd5197e3e4b5f
parent signature: de3ecc229fbe6ae99daa492bce56fa8e93fffe106c64c04627e4876136f165a6
revisions tested: 20, total time: 2h50m46.490049527s (build: 1h2m45.202650103s, test: 1h40m19.951811094s)
first good commit: b4319e457d6e3fb33e443efeaf4634fc36e8a9ed ext4: allow ext4_get_group_info() to fail
recipients (to): ["jack@suse.cz" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []
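The commit message above describes the arithmetic that turns a rewritten s_first_data_block into an out-of-range block group number, and the fix that replaces BUG_ON() with ext4_error() plus a NULL return. The following user-space model is an added example written for this page; it is not kernel code and not part of the syzbot log. Every type, struct and function prefixed model_ is a simplified stand-in for the corresponding ext4 definition, MODEL_EFSCORRUPTED is an assumed stand-in for the kernel's EFSCORRUPTED errno, and the sample filesystem geometry (8 groups of 32768 blocks) is constructed for the demonstration.

```c
/*
 * Added example, not from the kernel or from the syzbot log: a user-space
 * model of how ext4 maps a block number to a block group, and of the lookup
 * before and after "ext4: allow ext4_get_group_info() to fail".
 * All model_* names are stand-ins for ext4 types, not the real definitions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t model_fsblk_t;   /* stands in for ext4_fsblk_t (64-bit) */
typedef uint32_t model_group_t;   /* stands in for ext4_group_t (32-bit) */

#define MODEL_EFSCORRUPTED 117    /* assumed value standing in for EFSCORRUPTED */

/* On-disk superblock fields used by the calculation; both are rewritable by
 * anyone with write access to the block device while the fs is mounted. */
struct model_super {
    uint32_t s_first_data_block;
    uint32_t s_blocks_per_group;
};

/* In-memory state: group count and the per-group info table. */
struct model_fs {
    struct model_super es;
    model_group_t s_groups_count;
    int *group_info;      /* s_groups_count entries */
    int error_count;      /* stand-in for "ext4_error() was called" */
};

/* Shape of ext4_get_group_block_and_offset(): a 64-bit subtraction that
 * wraps when blocknr < s_first_data_block, followed by a division whose
 * quotient is truncated into the 32-bit group number. */
static void model_group_and_offset(const struct model_fs *fs, model_fsblk_t blocknr,
                                   model_group_t *group, uint32_t *offset)
{
    blocknr -= fs->es.s_first_data_block;                     /* may wrap */
    *offset = (uint32_t)(blocknr % fs->es.s_blocks_per_group);
    *group  = (model_group_t)(blocknr / fs->es.s_blocks_per_group);
}

/* Pre-fix behaviour: an out-of-range group is treated as a kernel bug and
 * takes the whole machine down (abort() models BUG_ON()). */
static int *model_get_group_info_old(const struct model_fs *fs, model_group_t group)
{
    if (group >= fs->s_groups_count) {
        fprintf(stderr, "kernel BUG: group %u >= s_groups_count %u\n",
                group, fs->s_groups_count);
        abort();
    }
    return &fs->group_info[group];
}

/* Post-fix behaviour: report corruption and hand the caller a NULL so the
 * single operation fails instead of the kernel. */
static int *model_get_group_info(struct model_fs *fs, model_group_t group)
{
    if (group >= fs->s_groups_count) {
        fs->error_count++;   /* ext4_error(): log, mark the fs, maybe remount-ro */
        fprintf(stderr, "EXT4-fs error: invalid group %u\n", group);
        return NULL;
    }
    return &fs->group_info[group];
}

/* A caller in the style of the fixed mballoc paths: resolve the group for a
 * block and return -EFSCORRUPTED rather than crashing when lookup fails. */
static int model_use_block(struct model_fs *fs, model_fsblk_t blocknr,
                           model_group_t *group_out)
{
    uint32_t offset;
    model_group_and_offset(fs, blocknr, group_out, &offset);
    if (model_get_group_info(fs, *group_out) == NULL)
        return -MODEL_EFSCORRUPTED;
    return 0;
}

/* Constructed sample geometry: 8 groups of 32768 blocks, first data block 0. */
static struct model_fs model_sane_fs(int *table)
{
    struct model_fs fs = { { 0, 32768 }, 8, table, 0 };
    return fs;
}

int main(void)
{
    int table[8] = {0};
    struct model_fs fs = model_sane_fs(table);
    model_group_t group;
    uint32_t offset;

    /* Healthy superblock: block 100 lives in group 0 and the old lookup is fine. */
    model_group_and_offset(&fs, 100, &group, &offset);
    model_get_group_info_old(&fs, group);
    printf("block 100 -> group %u offset %u\n", group, offset);

    /* Superblock rewritten underneath the mounted fs: same block, huge group.
     * The old lookup would BUG here; the fixed one fails the operation. */
    fs.es.s_first_data_block = 0xFFFFFF00u;
    int rc = model_use_block(&fs, 100, &group);
    printf("after corruption: block 100 -> group %u, rc=%d, errors=%d\n",
           group, rc, fs.error_count);
    return 0;
}
```

Two points the model makes visible: the wrapped 64-bit value is truncated to 32 bits when stored as the group number, so the resulting group is "very large" in the sense of being far beyond s_groups_count, not necessarily close to UINT32_MAX; and the fix only changes what happens once the bad group is computed. Writing to the block device of a mounted filesystem still requires root or equivalent access, so the exposure closed here is the crash, not the ability of a privileged writer to corrupt the filesystem.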