ci2 starts bisection 2023-07-03 15:20:20.770822355 +0000 UTC m=+115.833863418
bisecting fixing commit since 43c801dc3325b9f07f8869e95ad87b05a9f21eb6
building syzkaller on 9668920024926d5a21c38fbc0d15d403d7c732ac
ensuring issue is reproducible on original commit 43c801dc3325b9f07f8869e95ad87b05a9f21eb6

testing commit 43c801dc3325b9f07f8869e95ad87b05a9f21eb6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1a005875a117a67116fd3ae435abb965ee01817db9e0214db926a3a1df82924d
all runs: crashed: kernel BUG in ext4_expand_extra_isize_ea
testing current HEAD 28cc6246b5e756c8b9098ac213a761eac37692c4
testing commit 28cc6246b5e756c8b9098ac213a761eac37692c4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e1a75b0846af0aaab429cb85be2f09d2ffc948c75cad92951a0688f1cc557119
all runs: OK
# git bisect start 28cc6246b5e756c8b9098ac213a761eac37692c4 43c801dc3325b9f07f8869e95ad87b05a9f21eb6
Bisecting: 505 revisions left to test after this (roughly 9 steps)
[ad87bd313f70b51e48019d5ce2d02d73152356b3] f2fs: fix to drop all dirty pages during umount() if cp_error is set
testing commit ad87bd313f70b51e48019d5ce2d02d73152356b3 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a1b3980afd54182775712c12f26557d4ba309034caf2762361242886a2417159
all runs: OK
# git bisect bad ad87bd313f70b51e48019d5ce2d02d73152356b3
Bisecting: 252 revisions left to test after this (roughly 8 steps)
[cb71b24a89274d651dd1c569c2c03e3d87d250ec] netfilter: nf_tables: don't write table validation state without mutex
testing commit cb71b24a89274d651dd1c569c2c03e3d87d250ec gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 90b686ec09e809f91edc98d25b240d8209f8df2723d198da29df8038cd1b1640
all runs: crashed: kernel BUG in ext4_expand_extra_isize_ea
# git bisect good cb71b24a89274d651dd1c569c2c03e3d87d250ec
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[d6f0687d506d74ff15701823b5223c4d07d91bc1] sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
testing commit d6f0687d506d74ff15701823b5223c4d07d91bc1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 376d4abc31182d1d62c9e3b7e5e435e089e8fbb3cf2b661560df186831f76b62
all runs: crashed: kernel BUG in ext4_expand_extra_isize_ea
# git bisect good d6f0687d506d74ff15701823b5223c4d07d91bc1
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[4bffae22bec7e035e9d5a0c0db7286b6bd258f56] KVM: x86: revalidate steal time cache if MSR value changes
testing commit 4bffae22bec7e035e9d5a0c0db7286b6bd258f56 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1ca79d4c77028bac0df3421c1490fd8c60dad009b24fc777b6523e5fb43015d0
all runs: OK
# git bisect bad 4bffae22bec7e035e9d5a0c0db7286b6bd258f56
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[9245f34029b7c09d40442d20f4056a2ca5b53ae5] sh: init: use OF_EARLY_FLATTREE for early init
testing commit 9245f34029b7c09d40442d20f4056a2ca5b53ae5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 16736b5a988c4fcdaf37399bd8e1aa8e323a63c9e4770e4c8e8504c7c31a4056
all runs: crashed: kernel BUG in ext4_expand_extra_isize_ea
# git bisect good 9245f34029b7c09d40442d20f4056a2ca5b53ae5
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[0dde3141c527b09b96bef1e7eeb18b8127810ce9] ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
testing commit 0dde3141c527b09b96bef1e7eeb18b8127810ce9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 351782b932b12c016065f4ad62dcf56906bf31672403ccb8b102b280dc553b80
all runs: crashed: kernel BUG in ext4_expand_extra_isize_ea
# git bisect good 0dde3141c527b09b96bef1e7eeb18b8127810ce9
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[1a8822343e67432b658145d2760a524c884da9d4] ext4: fix invalid free tracking in ext4_xattr_move_to_block()
testing commit 1a8822343e67432b658145d2760a524c884da9d4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4deddbf0df0b70e56403fe1951bc76d300b3b7a9ddcb159340b57a0805a92f89
all runs: OK
# git bisect bad 1a8822343e67432b658145d2760a524c884da9d4
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5f8b55136ad787aed2c184f7cb3e93772ae637a3] ext4: fix deadlock when converting an inline directory in nojournal mode
testing commit 5f8b55136ad787aed2c184f7cb3e93772ae637a3 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 38d804eb827f60431d3a3910d72f9526edd5c4637ff49922c48c3b3509657b61
all runs: crashed: kernel BUG in ext4_expand_extra_isize_ea
# git bisect good 5f8b55136ad787aed2c184f7cb3e93772ae637a3
Bisecting: 1 revision left to test after this (roughly 1 step)
[d88fe8e6112696238deeaf09820db183663eabca] ext4: bail out of ext4_xattr_ibody_get() fails for any reason
testing commit d88fe8e6112696238deeaf09820db183663eabca gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 93208af9b168c21a113c02e51b6e7c6a9b204ec28065d6b308a78c9c6e681f62
run #0: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #1: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #2: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #3: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #4: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #5: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #6: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #7: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #8: crashed: kernel BUG in ext4_expand_extra_isize_ea
run #9: crashed: no output from test machine
# git bisect good d88fe8e6112696238deeaf09820db183663eabca
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b0fc279de4bf17e1710bb7e83906538ff8f11111] ext4: remove a BUG_ON in ext4_mb_release_group_pa()
testing commit b0fc279de4bf17e1710bb7e83906538ff8f11111 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 04b6091db9f8975b9383a847170949b1626e8e746e4c1a4251d9b5f40556d96d
all runs: crashed: kernel BUG in ext4_expand_extra_isize_ea
# git bisect good b0fc279de4bf17e1710bb7e83906538ff8f11111
1a8822343e67432b658145d2760a524c884da9d4 is the first bad commit
commit 1a8822343e67432b658145d2760a524c884da9d4
Author: Theodore Ts'o
Date:   Sun Apr 30 03:04:13 2023 -0400

    ext4: fix invalid free tracking in ext4_xattr_move_to_block()

    commit b87c7cdf2bed4928b899e1ce91ef0d147017ba45 upstream.

    In ext4_xattr_move_to_block(), the value of the extended attribute
    which we need to move to an external block may be allocated by
    kvmalloc() if the value is stored in an external inode.  So at the end
    of the function the code tried to check if this was the case by
    testing entry->e_value_inum.

    However, at this point, the pointer to the xattr entry is no longer
    valid, because it was removed from the original location where it had
    been stored.  So we could end up calling kvfree() on a pointer which
    was not allocated by kvmalloc(); or we could also potentially leak
    memory by not freeing the buffer when it should be freed.  Fix this by
    storing whether it should be freed in a separate variable.

    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20230430160426.581366-1-tytso@mit.edu
    Link: https://syzkaller.appspot.com/bug?id=5c2aee8256e30b55ccf57312c16d88417adbd5e1
    Link: https://syzkaller.appspot.com/bug?id=41a6b5d4917c0412eb3b3c3c604965bed7d7420b
    Reported-by: syzbot+64b645917ce07d89bde5@syzkaller.appspotmail.com
    Reported-by: syzbot+0d042627c4f2ad332195@syzkaller.appspotmail.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

 fs/ext4/xattr.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

culprit signature: 4deddbf0df0b70e56403fe1951bc76d300b3b7a9ddcb159340b57a0805a92f89
parent signature: 04b6091db9f8975b9383a847170949b1626e8e746e4c1a4251d9b5f40556d96d
revisions tested: 12, total time: 9h40m29.738149393s (build: 4h22m21.976403996s, test: 1h29m57.123561864s)
first good commit: 1a8822343e67432b658145d2760a524c884da9d4 ext4: fix invalid free tracking in ext4_xattr_move_to_block()
recipients (to): ["gregkh@linuxfoundation.org" "tytso@mit.edu"]
recipients (cc): []