ci2 starts bisection 2023-06-20 23:46:56.405757675 +0000 UTC m=+11000.634715927
bisecting fixing commit since fa74641fb6b93a19ccb50579886ecc98320230f9
building syzkaller on 4bce1a3e705a8b62de8194bdb28f5eef89c8feec
ensuring issue is reproducible on original commit fa74641fb6b93a19ccb50579886ecc98320230f9
testing commit fa74641fb6b93a19ccb50579886ecc98320230f9 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7ec20e664d3ed9ae90651139e5b356d7f1cec6fda8d90f1466c9d66ccff5e4c2
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block
testing current HEAD ca87e77a2ef8b298aa9f69658d5898e72ee450fe
testing commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8690a0b19d4c726da7e577b39b87079c86f0082b6d261592567b2dadea2f9b49
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect start ca87e77a2ef8b298aa9f69658d5898e72ee450fe fa74641fb6b93a19ccb50579886ecc98320230f9
Bisecting: 404 revisions left to test after this (roughly 9 steps)
[eaa365c10459052cbe3e44caa4ad760cb93bd435] net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
testing commit eaa365c10459052cbe3e44caa4ad760cb93bd435 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c7c98a427b1f4e31f02d112366ac4f5e4a6750807ba0305f9686309538560c77
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block
# git bisect good eaa365c10459052cbe3e44caa4ad760cb93bd435
Bisecting: 202 revisions left to test after this (roughly 8 steps)
[ef12610ff5fa957f42293e964d0af551b240b0b8] net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
testing commit ef12610ff5fa957f42293e964d0af551b240b0b8 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 04a59808a1dcda3bfd3377e24f8ebcbbaf4aeba75d44d23b4e70d7a0bc33c04f
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block
# git bisect good ef12610ff5fa957f42293e964d0af551b240b0b8
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[4a64e92846faa2ccbda9d2b8a04a8a4d3de94af0] qed/qede: Fix scheduling while atomic
testing commit 4a64e92846faa2ccbda9d2b8a04a8a4d3de94af0 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f33ad1ca976aef2b9ee01a8b8a2a69b13238f79e5678e51d7a2be27488d16948
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 4a64e92846faa2ccbda9d2b8a04a8a4d3de94af0
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[0659aee089daf1bee14fa8e386e667d04b2e923a] test_firmware: fix the memory leak of the allocated firmware buffer
testing commit 0659aee089daf1bee14fa8e386e667d04b2e923a gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 030604b1e57245a3f80827ca4c05ae1efabc085a7a37e69ce656cc6854bddaeb
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block
# git bisect good 0659aee089daf1bee14fa8e386e667d04b2e923a
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[24845da026b8696134aa491339fdc6eecd19d466] platform/surface: aggregator: Allow completion work-items to be executed in parallel
testing commit 24845da026b8696134aa491339fdc6eecd19d466 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dc4e096cd55ebed940a32df9af9b5eec02045682664caff74afe3bc6c0ada2af
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 24845da026b8696134aa491339fdc6eecd19d466
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[4a9d63181f8d72d789d799afbb30ddc1173bc4ab] iommu/amd/pgtbl_v2: Fix domain max address
testing commit 4a9d63181f8d72d789d799afbb30ddc1173bc4ab gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a5e38f57cff7a3d2ed17f5e03800f374de89b5eb253ee6d67edf385ca090262b
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block
# git bisect good 4a9d63181f8d72d789d799afbb30ddc1173bc4ab
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[fbb6db561dd48c7958dc18d1eccbcaaaea126691] selftests: mptcp: simult flows: skip if MPTCP is not supported
testing commit fbb6db561dd48c7958dc18d1eccbcaaaea126691 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 173489a553051fbd9de06560b470a1f36752b8f1268251ebc0724be10e805db8
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad fbb6db561dd48c7958dc18d1eccbcaaaea126691
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[b026755cc9a8920cc07ceca7d91c0597ba554a1e] tls: rx: strp: don't use GFP_KERNEL in softirq context
testing commit b026755cc9a8920cc07ceca7d91c0597ba554a1e gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fd3201bf27ce27de626f84bd1fddbe222db88108e6457734ed9d0d2849c8d15b
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad b026755cc9a8920cc07ceca7d91c0597ba554a1e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[a2961463d74f5c86a8dda3b41c484c28ccc4c289] xfs: verify buffer contents when we skip log replay
testing commit a2961463d74f5c86a8dda3b41c484c28ccc4c289 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8bbc0614fcb031d0fcc8c545762d168b32dc61bc71e88eefcb85252b431e9cc1
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad a2961463d74f5c86a8dda3b41c484c28ccc4c289
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4042d7ad40f1c3182225461c62926f217a3d0ede] drm/amd/display: Have Payload Properly Created After Resume
testing commit 4042d7ad40f1c3182225461c62926f217a3d0ede gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f00cc242f8cfa1f613be9fb0be9dad4236feb260c9d0a90855b0581bf88d6907
all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block
# git bisect good 4042d7ad40f1c3182225461c62926f217a3d0ede
a2961463d74f5c86a8dda3b41c484c28ccc4c289 is the first bad commit
commit a2961463d74f5c86a8dda3b41c484c28ccc4c289
Author: Darrick J. Wong
Date:   Wed Apr 12 15:49:23 2023 +1000

    xfs: verify buffer contents when we skip log replay

    commit 22ed903eee23a5b174e240f1cdfa9acf393a5210 upstream.

    syzbot detected a crash during log recovery:

    XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791
    XFS (loop0): Torn write (CRC failure) detected at log block 0x180. Truncating head block from 0x200.
    XFS (loop0): Starting recovery (logdev: internal)
    ==================================================================
    BUG: KASAN: slab-out-of-bounds in xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813
    Read of size 8 at addr ffff88807e89f258 by task syz-executor132/5074

    CPU: 0 PID: 5074 Comm: syz-executor132 Not tainted 6.2.0-rc1-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    Call Trace:
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
     print_address_description+0x74/0x340 mm/kasan/report.c:306
     print_report+0x107/0x1f0 mm/kasan/report.c:417
     kasan_report+0xcd/0x100 mm/kasan/report.c:517
     xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813
     xfs_btree_lookup+0x346/0x12c0 fs/xfs/libxfs/xfs_btree.c:1913
     xfs_btree_simple_query_range+0xde/0x6a0 fs/xfs/libxfs/xfs_btree.c:4713
     xfs_btree_query_range+0x2db/0x380 fs/xfs/libxfs/xfs_btree.c:4953
     xfs_refcount_recover_cow_leftovers+0x2d1/0xa60 fs/xfs/libxfs/xfs_refcount.c:1946
     xfs_reflink_recover_cow+0xab/0x1b0 fs/xfs/xfs_reflink.c:930
     xlog_recover_finish+0x824/0x920 fs/xfs/xfs_log_recover.c:3493
     xfs_log_mount_finish+0x1ec/0x3d0 fs/xfs/xfs_log.c:829
     xfs_mountfs+0x146a/0x1ef0 fs/xfs/xfs_mount.c:933
     xfs_fs_fill_super+0xf95/0x11f0 fs/xfs/xfs_super.c:1666
     get_tree_bdev+0x400/0x620 fs/super.c:1282
     vfs_get_tree+0x88/0x270 fs/super.c:1489
     do_new_mount+0x289/0xad0 fs/namespace.c:3145
     do_mount fs/namespace.c:3488 [inline]
     __do_sys_mount fs/namespace.c:3697 [inline]
     __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7f89fa3f4aca
    Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fffd5fb5ef8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
    RAX: ffffffffffffffda RBX: 00646975756f6e2c RCX: 00007f89fa3f4aca
    RDX: 0000000020000100 RSI: 0000000020009640 RDI: 00007fffd5fb5f10
    RBP: 00007fffd5fb5f10 R08: 00007fffd5fb5f50 R09: 000000000000970d
    R10: 0000000000200800 R11: 0000000000000206 R12: 0000000000000004
    R13: 0000555556c6b2c0 R14: 0000000000200800 R15: 00007fffd5fb5f50

    The fuzzed image contains an AGF with an obviously garbage
    agf_refcount_level value of 32, and a dirty log with a buffer log item
    for that AGF.  The ondisk AGF has a higher LSN than the recovered log
    item.  xlog_recover_buf_commit_pass2 reads the buffer, compares the
    LSNs, and decides to skip replay because the ondisk buffer appears to
    be newer.

    Unfortunately, the ondisk buffer is corrupt, but recovery just read the
    buffer with no buffer ops specified:

    	error = xfs_buf_read(mp->m_ddev_targp, buf_f->blf_blkno,
    			buf_f->blf_len, buf_flags, &bp, NULL);

    Skipping the buffer leaves its contents in memory unverified.  This sets
    us up for a kernel crash because xfs_refcount_recover_cow_leftovers
    reads the buffer (which is still around in XBF_DONE state, so no read
    verification) and creates a refcountbt cursor of height 32.  This is
    impossible so we run off the end of the cursor object and crash.

    Fix this by invoking the verifier on all skipped buffers and aborting
    log recovery if the ondisk buffer is corrupt.  It might be smarter to
    force replay the log item atop the buffer and then see if it'll pass
    the write verifier (like ext4 does) but for now let's go with the
    conservative option where we stop immediately.

    Link: https://syzkaller.appspot.com/bug?extid=7e9494b8b399902e994e
    Signed-off-by: Darrick J. Wong
    Reviewed-by: Dave Chinner
    Signed-off-by: Dave Chinner
    Reported-by: Danila Chernetsov
    Link: https://lore.kernel.org/linux-xfs/20230601164439.15404-1-listdansp@mail.ru
    Signed-off-by: Amir Goldstein
    Acked-by: Darrick J. Wong
    Signed-off-by: Greg Kroah-Hartman

 fs/xfs/xfs_buf_item_recover.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

culprit signature: 8bbc0614fcb031d0fcc8c545762d168b32dc61bc71e88eefcb85252b431e9cc1
parent signature: f00cc242f8cfa1f613be9fb0be9dad4236feb260c9d0a90855b0581bf88d6907
revisions tested: 12, total time: 5h44m23.587062525s (build: 4h29m52.779279695s, test: 1h11m32.428816147s)
first good commit: a2961463d74f5c86a8dda3b41c484c28ccc4c289 xfs: verify buffer contents when we skip log replay
recipients (to): ["amir73il@gmail.com" "david@fromorbit.com" "dchinner@redhat.com" "djwong@kernel.org" "gregkh@linuxfoundation.org"]
recipients (cc): []
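The skip-without-verify path that the commit message describes, written out as an added example in C. This is not XFS code and not part of the bisection log or the patch: the struct layout, the BTREE_MAXLEVELS cap, the LSN comparison rule and every function name are assumptions made for the model. With verify_skipped false it mirrors the pre-fix behaviour: the ondisk AGF is trusted because its LSN is newer than the log item's, and the later consumer sizes a fixed-height cursor from the garbage refcount_level of 32. With verify_skipped true the verifier runs on the skipped buffer and recovery aborts instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants for this model, not the real XFS ondisk format. */
#define AGF_MAGIC        0x58414746u   /* "XAGF" */
#define BTREE_MAXLEVELS  9             /* assumed maximum btree height */

struct agf {
	uint32_t magic;
	uint32_t refcount_level;   /* height of the refcount btree in this AG */
	uint64_t lsn;              /* LSN stamped on the ondisk buffer */
};

/* Read verifier: the check a skipped buffer never received before the fix. */
static bool agf_verify(const struct agf *agf)
{
	if (agf->magic != AGF_MAGIC)
		return false;
	if (agf->refcount_level < 1 || agf->refcount_level > BTREE_MAXLEVELS)
		return false;
	return true;
}

/* Cursor sized for the maximum legal height; a taller tree overruns it. */
struct btree_cur {
	uint32_t nlevels;
	uint64_t level_blocks[BTREE_MAXLEVELS];
};

enum recover_result {
	RECOVER_REPLAYED,   /* log item written over the buffer */
	RECOVER_SKIPPED,    /* ondisk buffer newer, left as-is */
	RECOVER_CORRUPT,    /* skipped buffer failed verification: abort */
};

/*
 * Replay decision for one buffer log item. With verify_skipped == false
 * a buffer whose LSN is at or past the item's LSN is trusted without
 * running any verifier (the pre-fix behaviour).
 */
static enum recover_result
recover_buf_item(struct agf *ondisk, const struct agf *logged,
		 uint64_t item_lsn, bool verify_skipped)
{
	if (ondisk->lsn >= item_lsn) {
		if (verify_skipped && !agf_verify(ondisk))
			return RECOVER_CORRUPT;
		return RECOVER_SKIPPED;
	}
	*ondisk = *logged;
	ondisk->lsn = item_lsn;
	return RECOVER_REPLAYED;
}

enum mount_outcome {
	MOUNT_OK,        /* recovery finished, cursor built within bounds */
	MOUNT_ABORTED,   /* recovery stopped on a corrupt buffer */
	MOUNT_OVERRUN,   /* consumer would index past the cursor */
};

/*
 * Later consumer, modelled on xfs_refcount_recover_cow_leftovers: it sizes
 * its btree walk from refcount_level and assumes the buffer was verified.
 */
static enum mount_outcome finish_recovery(const struct agf *agf)
{
	struct btree_cur cur;

	cur.nlevels = agf->refcount_level;
	if (cur.nlevels > BTREE_MAXLEVELS)
		return MOUNT_OVERRUN;   /* level_blocks[9..31] would be read */
	memset(cur.level_blocks, 0, sizeof(cur.level_blocks));
	return MOUNT_OK;
}

/*
 * Constructed image matching the report: an AGF with refcount_level 32
 * and an LSN newer than the buffer log item for the same block.
 */
static enum mount_outcome mount_fuzzed_image(bool with_fix)
{
	struct agf ondisk = { .magic = AGF_MAGIC, .refcount_level = 32, .lsn = 0x200 };
	const struct agf logged = { .magic = AGF_MAGIC, .refcount_level = 2, .lsn = 0 };

	if (recover_buf_item(&ondisk, &logged, 0x180, with_fix) == RECOVER_CORRUPT)
		return MOUNT_ABORTED;
	return finish_recovery(&ondisk);
}

int main(void)
{
	printf("without fix: %d (2 = overrun)\n", mount_fuzzed_image(false));
	printf("with fix:    %d (1 = aborted)\n", mount_fuzzed_image(true));
	return 0;
}
```

The point the model makes is that "skip replay" is not the same as "buffer is valid": the LSN only says which copy is newer, so anything that bypasses the read verifier must still run it before the buffer becomes visible to code that trusts its fields.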