bisecting fixing commit since 13d2ce42de8cb98ff952f8de6307f896203854c2
building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b
testing commit 13d2ce42de8cb98ff952f8de6307f896203854c2 with gcc (GCC) 8.1.0
kernel signature: 033bfda208b8fdab92f67f9b6d15f84ea2d4ee7835ac08a90533231ced8c9ba9
all runs: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
testing current HEAD c110fed0e606ff922d5cad8ab74ba9410ca41694
testing commit c110fed0e606ff922d5cad8ab74ba9410ca41694 with gcc (GCC) 8.1.0
kernel signature: 25f24cd110e779d021b5001c886617df81e8d66d1ad306bcd15293bdcf31255f
all runs: OK
# git bisect start c110fed0e606ff922d5cad8ab74ba9410ca41694 13d2ce42de8cb98ff952f8de6307f896203854c2
Bisecting: 252 revisions left to test after this (roughly 8 steps)
[78a73f9556a17efedae85cc769c3c8913a732858] Input: cros_ec_keyb - send 'scancodes' in addition to key events
testing commit 78a73f9556a17efedae85cc769c3c8913a732858 with gcc (GCC) 8.1.0
kernel signature: 8001c2c0a002122218ca430ed7efaae11d596770b6348a0efa4b7b945fe918d3
all runs: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
# git bisect good 78a73f9556a17efedae85cc769c3c8913a732858
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[7d543d23fec75c13facaf64cf7c69813835fc638] dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate()
testing commit 7d543d23fec75c13facaf64cf7c69813835fc638 with gcc (GCC) 8.1.0
kernel signature: ff0e1abd8d69bebc3e7219eb5088626e8c7bbcc8e8123e07ee994043e1731c5a
all runs: OK
# git bisect bad 7d543d23fec75c13facaf64cf7c69813835fc638
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[a33642f95269d9390d38d699a7e458dade819fc6] spi: sc18is602: Don't leak SPI master in probe error path
testing commit a33642f95269d9390d38d699a7e458dade819fc6 with gcc (GCC) 8.1.0
kernel signature: b6af1ed73d0f901146c99d9ef6d316e5262b4219f706d9e618c97c08d0e26421
all runs: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
# git bisect good a33642f95269d9390d38d699a7e458dade819fc6
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[1227ffc9d73d78e036f6f166fbdaf7dfe4c7b88b] fscrypt: add fscrypt_is_nokey_name()
testing commit 1227ffc9d73d78e036f6f166fbdaf7dfe4c7b88b with gcc (GCC) 8.1.0
kernel signature: 2e6173c5857aafa82646fdb6086275c4f6821847c755a448c37535e463f892ff
all runs: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
# git bisect good 1227ffc9d73d78e036f6f166fbdaf7dfe4c7b88b
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[fd4f2a5151e6c6294169d983303c485beade5b37] media: gp8psk: initialize stats at power control logic
testing commit fd4f2a5151e6c6294169d983303c485beade5b37 with gcc (GCC) 8.1.0
kernel signature: 715ae551ea3606dd17e5e7d852d2aa5026ad009a8f8d0a53013b475515e55128
all runs: OK
# git bisect bad fd4f2a5151e6c6294169d983303c485beade5b37
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[a37ec98270486828123face45fa811a6b85a0980] KVM: x86: reinstate vendor-agnostic check on SPEC_CTRL cpuid bits
testing commit a37ec98270486828123face45fa811a6b85a0980 with gcc (GCC) 8.1.0
kernel signature: ae6421176d32ffc7dc9a2a4e83f61b00e31f29fba43f10b4dd7579171386b087
run #0: basic kernel testing failed: BUG: program execution failed: executor 0: failed to write control pipe: write |1: broken pipe
run #1: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #2: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #3: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #4: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #5: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #6: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #7: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #8: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #9: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
# git bisect good a37ec98270486828123face45fa811a6b85a0980
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2f6668bfe30a952f29f12499ad5c038cb1f6653c] of: fix linker-section match-table corruption
testing commit 2f6668bfe30a952f29f12499ad5c038cb1f6653c with gcc (GCC) 8.1.0
kernel signature: 2fafd63e607f1d326530e54e59bf9cf20329f1fe66cd5df4b9be6b5241d0370c
all runs: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
# git bisect good 2f6668bfe30a952f29f12499ad5c038cb1f6653c
Bisecting: 1 revision left to test after this (roughly 1 step)
[b8590c82b3ccf9fb4d9f0b0b097be10736869333] reiserfs: add check for an invalid ih_entry_count
testing commit b8590c82b3ccf9fb4d9f0b0b097be10736869333 with gcc (GCC) 8.1.0
kernel signature: 10f6dfd71e64d6db06687e534fcfd72c762e04e28d1086683b68721fb2a1b5a7
all runs: OK
# git bisect bad b8590c82b3ccf9fb4d9f0b0b097be10736869333
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[88520a207121c3f7c513ac69a7392da89ed0955f] Bluetooth: hci_h5: close serdev device and free hu in h5_close
testing commit 88520a207121c3f7c513ac69a7392da89ed0955f with gcc (GCC) 8.1.0
kernel signature: 56444c6a5105569ce81ae9bf5701ed91576a43138e4f068065c09d0937a00d24
run #0: crashed: KASAN: use-after-free Read in leaf_paste_entries
run #1: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #2: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #3: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #4: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #5: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #6: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #7: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #8: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
run #9: crashed: KASAN: out-of-bounds Read in leaf_paste_entries
# git bisect good 88520a207121c3f7c513ac69a7392da89ed0955f
b8590c82b3ccf9fb4d9f0b0b097be10736869333 is the first bad commit
commit b8590c82b3ccf9fb4d9f0b0b097be10736869333
Author: Rustam Kovhaev
Date:   Sun Nov 1 06:09:58 2020 -0800

    reiserfs: add check for an invalid ih_entry_count

    commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.

    when directory item has an invalid value set for ih_entry_count it might
    trigger use-after-free or out-of-bounds read in bin_search_in_dir_item()

    ih_entry_count * IH_SIZE for directory item should not be larger than
    ih_item_len

    Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
    Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
    Signed-off-by: Rustam Kovhaev
    Signed-off-by: Jan Kara
    Signed-off-by: Greg Kroah-Hartman

 fs/reiserfs/stree.c | 6 ++++++
 1 file changed, 6 insertions(+)

culprit signature: 10f6dfd71e64d6db06687e534fcfd72c762e04e28d1086683b68721fb2a1b5a7
parent signature: 56444c6a5105569ce81ae9bf5701ed91576a43138e4f068065c09d0937a00d24
revisions tested: 11, total time: 2h37m52.329625027s (build: 1h31m7.801196906s, test: 1h5m44.134351364s)
first good commit: b8590c82b3ccf9fb4d9f0b0b097be10736869333 reiserfs: add check for an invalid ih_entry_count
recipients (to): ["gregkh@linuxfoundation.org" "jack@suse.cz" "rkovhaev@gmail.com" "syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com"]
recipients (cc): []