ci starts bisection 2024-07-04 06:49:10.565211796 +0000 UTC m=+68915.191119526
bisecting fixing commit since fe46a7dd189e25604716c03576d05ac8a5209743
building syzkaller on c8349e48534ea6d8f01515335d95de8ebf5da8df
ensuring issue is reproducible on original commit fe46a7dd189e25604716c03576d05ac8a5209743
testing commit fe46a7dd189e25604716c03576d05ac8a5209743 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 995637b8dcb330b98c4dd05957917678ecb298ebe443b66855b3fcac231ac0a8
run #0: crashed: kernel BUG in jffs2_sum_write_sumnode
run #1: crashed: kernel BUG in jffs2_sum_write_sumnode
run #2: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #3: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #4: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #5: crashed: kernel BUG in jffs2_sum_write_sumnode
run #6: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #7: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #8: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #9: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #10: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #11: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #12: crashed: kernel BUG in jffs2_sum_write_sumnode
run #13: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #14: crashed: kernel BUG in jffs2_sum_write_sumnode
run #15: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #16: crashed: kernel BUG in jffs2_sum_write_sumnode
run #17: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #18: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #19: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit fe46a7dd189e25604716c03576d05ac8a5209743 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fbbcfb2bacfe16e3c73de5168990b8ed5ef489f1b72974e124a05e4c34f82b02
run #0: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #1: crashed: invalid opcode in jffs2_sum_write_sumnode
run #2: crashed: invalid opcode in jffs2_sum_write_sumnode
run #3: crashed: invalid opcode in jffs2_sum_write_sumnode
run #4: crashed: invalid opcode in jffs2_sum_write_sumnode
run #5: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #6: crashed: invalid opcode in jffs2_sum_write_sumnode
run #7: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #8: crashed: invalid opcode in jffs2_sum_write_sumnode
run #9: crashed: invalid opcode in jffs2_sum_write_sumnode
representative crash: invalid opcode in jffs2_sum_write_sumnode, types: [UNKNOWN KASAN]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
kconfig minimization: base=4001 full=7986 leaves diff=2009
split chunks (needed=false): <2009>
split chunk #0 of len 2009 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit fe46a7dd189e25604716c03576d05ac8a5209743 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6c220b35b84ae15f68ded19a547ec44aa032d574c897d9920d2553dd2c90621e
run #0: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #1: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #2: crashed: invalid opcode in jffs2_sum_write_sumnode
run #3: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #4: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #5: crashed: invalid opcode in jffs2_sum_write_sumnode
run #6: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #7: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
run #8: crashed: invalid opcode in jffs2_sum_write_sumnode
run #9: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit fe46a7dd189e25604716c03576d05ac8a5209743 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0bdf626b06a579258c4d8f70038b92ae9c9a4bb21b5ce90e236bf68641058d98
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit fe46a7dd189e25604716c03576d05ac8a5209743 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cf9fdb77dcc21e1f7619000c1c2900f73852e2bbf256faf763a925bc99dd6802
all runs: OK
false negative chance: 0.000
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit fe46a7dd189e25604716c03576d05ac8a5209743 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f761650b67fa4b2b8b5058b8d0670e86b4d8eb33e843c916f265605b0cdeee8
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit fe46a7dd189e25604716c03576d05ac8a5209743 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 813214e0cbb3da34fe5f50fbcaa69cb1f3cf9e15a8270a24909be55f71e6204a
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
the chunk can be dropped
minimized to 402 configs; suspects: [AX25 BRIDGE BRIDGE_NETFILTER CAN CFG80211 CHECKPOINT_RESTORE DVB_CORE FB_CORE HAMRADIO HAVE_KVM HSR IMA IMA_APPRAISE IMA_APPRAISE_MODSIG INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_USER_ACCESS INPUT_JOYSTICK INPUT_MOUSE INTEGRITY INTEGRITY_ASYMMETRIC_KEYS INTEGRITY_SIGNATURE IP6_NF_RAW IPV6_MULTIPLE_TABLES IP_NF_RAW IP_SET IP_VS IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS IP_VS_WLC IP_VS_WRR IRQ_BYPASS_MANAGER IRQ_POLL IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TTUSBIR ISDN ISDN_CAPI_MIDDLEWARE JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS KEY_NOTIFICATIONS KSM KVM KVM_AMD KVM_ASYNC_PF KVM_COMMON KVM_COMPAT KVM_GENERIC_DIRTYLOG_READ_PROTECT KVM_GENERIC_HARDWARE_ENABLING KVM_GENERIC_MEMORY_ATTRIBUTES KVM_GENERIC_MMU_NOTIFIER KVM_GENERIC_PRIVATE_MEM KVM_HYPERV KVM_MMIO KVM_PRIVATE_MEM KVM_PROVE_MMU KVM_SW_PROTECTED_VM KVM_VFIO KVM_XEN KVM_XFER_TO_GUEST_WORK L2TP L2TP_ETH L2TP_IP L2TP_V3 LAPB LAPBETHER LDM_PARTITION LEDS_TRIGGER_AUDIO LEGACY_PTYS LIBCRC32C LIBNVDIMM LINEAR_RANGES LLC LLC2 LOGIG940_FF LOGIRUMBLEPAD2_FF LOGO LOGO_LINUX_MONO LOGO_LINUX_VGA16 LPC_ICH LRU_GEN LRU_GEN_ENABLED LRU_GEN_WALKS_MMU LWTUNNEL LWTUNNEL_BPF LZ4HC_COMPRESS LZ4_COMPRESS MAC80211 MAC80211_HAS_RC MAC80211_HWSIM MAC80211_MESH MAC80211_RC_DEFAULT_MINSTREL MAC80211_RC_MINSTREL MACSEC MACVLAN MACVTAP MAC_PARTITION MAPPING_DIRTY_HELPERS MD_RAID0 MD_RAID1 MD_RAID10 MD_RAID456 MEDIA_ANALOG_TV_SUPPORT MEDIA_ATTACH MEDIA_CONTROLLER MEDIA_CONTROLLER_DVB MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_SUPPORT_FILTER MEDIA_TUNER MEDIA_TUNER_MSI001 MEMORY_BALLOON MEMORY_HOTPLUG MEMORY_HOTPLUG_DEFAULT_ONLINE MEMORY_ISOLATION MEMREGION MEMSTICK MEMSTICK_REALTEK_USB MEM_SOFT_DIRTY MFD_CORE MFD_SYSCON MHI_BUS MHI_WWAN_CTRL MHP_MEMMAP_ON_MEMORY MICROCHIP_PHY MINIX_FS MINIX_SUBPARTITION MISC_RTSX MISC_RTSX_USB MISDN MISDN_DSP MISDN_HFCUSB MISDN_L1OIP MKISS MLX4_CORE MLX4_INFINIBAND MMC MMC_REALTEK_USB MMC_USHC MMC_VUB300 MODULE_SIG_SHA256 MODULE_SRCVERSION_ALL MODVERSIONS MOST MOUSE_APPLETOUCH MOUSE_BCM5974 MOUSE_PS2 MOUSE_PS2_ALPS MOUSE_PS2_BYD MOUSE_PS2_CYPRESS MOUSE_PS2_FOCALTECH MOUSE_PS2_LIFEBOOK MOUSE_PS2_LOGIPS2PP MOUSE_PS2_SMBUS MOUSE_PS2_SYNAPTICS MOUSE_PS2_SYNAPTICS_SMBUS MOUSE_PS2_TRACKPOINT MOUSE_SYNAPTICS_USB MPLS MPLS_IPTUNNEL MPLS_ROUTING MPTCP MPTCP_IPV6 MRP MTD MTD_BLKDEVS MTD_BLOCK MTD_BLOCK2MTD MTD_CFI_I1 MTD_CFI_I2 MTD_MAP_BANK_WIDTH_1 MTD_MAP_BANK_WIDTH_2 MTD_MAP_BANK_WIDTH_4 MTD_MTDRAM MTD_PHRAM MTD_SLRAM MUSB_PIO_ONLY ND_BTT ND_CLAIM ND_PFN NETDEVSIM NETFILTER_ADVANCED NETFILTER_BPF_LINK NETFILTER_FAMILY_ARP NETFILTER_FAMILY_BRIDGE NETFILTER_NETLINK_ACCT NETFILTER_NETLINK_GLUE_CT NETFILTER_NETLINK_OSF NETFILTER_NETLINK_QUEUE NETFILTER_SYNPROXY NETFILTER_XTABLES_COMPAT NETFILTER_XT_CONNMARK NETFILTER_XT_MATCH_BPF NETFILTER_XT_MATCH_CGROUP NETFILTER_XT_MATCH_CLUSTER NETFILTER_XT_MATCH_COMMENT NETFILTER_XT_MATCH_CONNBYTES NETFILTER_XT_MATCH_CONNLABEL NETFILTER_XT_MATCH_CONNLIMIT NETFILTER_XT_MATCH_CONNMARK NETFILTER_XT_MATCH_CPU NETFILTER_XT_MATCH_DCCP NETFILTER_XT_MATCH_DEVGROUP NETFILTER_XT_MATCH_DSCP NETFILTER_XT_MATCH_ECN NETFILTER_XT_MATCH_ESP NETFILTER_XT_MATCH_HASHLIMIT NETFILTER_XT_MATCH_HELPER NETFILTER_XT_MATCH_HL NETFILTER_XT_MATCH_IPCOMP NETFILTER_XT_MATCH_IPRANGE NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MATCH_L2TP NETFILTER_XT_MATCH_LENGTH NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_MAC NETFILTER_XT_MATCH_MARK NETFILTER_XT_MATCH_MULTIPORT NETFILTER_XT_MATCH_NFACCT NETFILTER_XT_MATCH_OSF NETFILTER_XT_MATCH_OWNER NETFILTER_XT_MATCH_PHYSDEV NETFILTER_XT_MATCH_PKTTYPE NETFILTER_XT_MATCH_QUOTA NETFILTER_XT_MATCH_RATEEST NETFILTER_XT_MATCH_REALM NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_SCTP NETFILTER_XT_MATCH_SOCKET NETFILTER_XT_MATCH_STATISTIC NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_TCPMSS NETFILTER_XT_MATCH_TIME NETFILTER_XT_MATCH_U32 NETFILTER_XT_SET NETFILTER_XT_TARGET_AUDIT NETFILTER_XT_TARGET_CHECKSUM NETFILTER_XT_TARGET_CLASSIFY NETFILTER_XT_TARGET_CONNMARK NETFILTER_XT_TARGET_CT NETFILTER_XT_TARGET_DSCP NETFILTER_XT_TARGET_HL NETFILTER_XT_TARGET_HMARK NETFILTER_XT_TARGET_IDLETIMER NETFILTER_XT_TARGET_LED NETFILTER_XT_TARGET_MARK NETFILTER_XT_TARGET_NETMAP NETFILTER_XT_TARGET_NFQUEUE NETFILTER_XT_TARGET_NOTRACK NETFILTER_XT_TARGET_RATEEST NETFILTER_XT_TARGET_REDIRECT NETFILTER_XT_TARGET_TCPOPTSTRIP NETFILTER_XT_TARGET_TEE NETFILTER_XT_TARGET_TPROXY NETFILTER_XT_TARGET_TRACE NETLABEL NETLINK_DIAG NETROM NET_9P_RDMA NET_ACT_BPF NET_ACT_CONNMARK NET_ACT_CSUM NET_ACT_CT NET_ACT_CTINFO NET_ACT_GATE NET_ACT_IFE NET_ACT_MPLS NET_ACT_NAT NET_ACT_PEDIT NET_ACT_POLICE NET_ACT_SAMPLE NET_ACT_SIMP NET_ACT_SKBEDIT NET_ACT_SKBMOD NET_ACT_TUNNEL_KEY NET_ACT_VLAN NET_CLS_BASIC NET_CLS_BPF NET_CLS_FLOW NET_CLS_FLOWER NET_CLS_FW NET_CLS_MATCHALL NET_CLS_ROUTE4 NET_DEVLINK NET_DROP_MONITOR NET_DSA NET_DSA_TAG_BRCM NET_DSA_TAG_BRCM_COMMON NET_DSA_TAG_BRCM_PREPEND NET_DSA_TAG_MTK NET_DSA_TAG_QCA NET_DSA_TAG_RTL4_A NET_EMATCH_CANID NET_EMATCH_CMP NET_EMATCH_IPSET NET_EMATCH_IPT NET_EMATCH_META NET_EMATCH_NBYTE NET_EMATCH_TEXT NET_EMATCH_U32 NET_FC NET_FOU NET_FOU_IP_TUNNELS NET_IFE NET_IFE_SKBMARK NET_IFE_SKBPRIO NET_IFE_SKBTCINDEX NET_IPGRE NET_IPGRE_BROADCAST NET_IPGRE_DEMUX NET_IPIP NET_IPVTI NET_KEY NET_KEY_MIGRATE NET_L3_MASTER_DEV NET_MPLS_GSO NET_NCSI NET_NSH NET_REDIRECT NET_SCH_CAKE NET_SCH_CBS NET_SCH_CHOKE NET_SCH_CODEL NET_SCH_DRR NET_SCH_ETF NET_SCH_ETS NET_SCH_FQ NET_SCH_FQ_CODEL NET_SCH_FQ_PIE NET_SCH_GRED NET_SCH_HFSC NET_SCH_HHF NET_SCH_HTB NET_SCH_INGRESS NET_SCH_MQPRIO NET_SCH_MQPRIO_LIB NET_SCH_MULTIQ NET_SCH_NETEM NET_SCH_PIE NET_SCH_PLUG NET_SCH_PRIO NET_SCH_QFQ NET_SCH_RED NET_SCH_SFB NET_SCH_SFQ NET_SCH_SKBPRIO NET_SCH_TAPRIO NET_SCH_TBF NET_SCH_TEQL NET_SOCK_MSG NET_SWITCHDEV NET_TC_SKB_EXT NET_TEAM NET_TEAM_MODE_ACTIVEBACKUP NET_TEAM_MODE_BROADCAST NET_TEAM_MODE_LOADBALANCE NET_TEAM_MODE_RANDOM NET_TEAM_MODE_ROUNDROBIN NET_UDP_TUNNEL NET_VRF NFC NFC_DIGITAL NFC_FDP NFC_HCI NFC_MRVL NFC_MRVL_USB NFC_NCI NFC_NCI_UART NFC_PN533 NFC_PN533_USB NFC_PORT100 NFC_SHDLC NFC_SIM NFC_VIRTUAL_NCI NFSD NFSD_BLOCKLAYOUT NFSD_FLEXFILELAYOUT NFSD_PNFS NFSD_SCSILAYOUT NFSD_V3_ACL NFSD_V4 NFSD_V4_2_INTER_SSC NFSD_V4_SECURITY_LABEL NFS_FSCACHE NFS_V2 NFS_V4_1 NFS_V4_2 NFS_V4_2_READ_PLUS NFS_V4_2_SSC_HELPER NFS_V4_SECURITY_LABEL NFT_BRIDGE_META NFT_BRIDGE_REJECT NFT_COMPAT NFT_CONNLIMIT NFT_CT NFT_DUP_IPV4 NFT_DUP_IPV6 NFT_DUP_NETDEV NFT_FIB NFT_FIB_INET NFT_FIB_IPV4 NFT_FIB_IPV6 NFT_FIB_NETDEV NFT_FLOW_OFFLOAD NFT_HASH NFT_LIMIT NFT_LOG NFT_MASQ NFT_NAT NFT_NUMGEN NFT_OSF NFT_QUEUE NFT_QUOTA NFT_REDIR NFT_REJECT NFT_REJECT_INET NFT_REJECT_IPV4 NFT_REJECT_IPV6 NFT_REJECT_NETDEV NFT_SOCKET NFT_SYNPROXY NFT_TPROXY NFT_TUNNEL NFT_XFRM NF_CONNTRACK_AMANDA NF_CONNTRACK_BRIDGE NF_CONNTRACK_BROADCAST NF_CONNTRACK_EVENTS NF_CONNTRACK_H323 NF_CONNTRACK_LABELS NF_CONNTRACK_MARK NF_CONNTRACK_NETBIOS_NS NF_CONNTRACK_OVS NF_CONNTRACK_PPTP NF_CONNTRACK_SANE NF_CONNTRACK_SNMP NF_CONNTRACK_TFTP NF_CONNTRACK_TIMEOUT NF_CONNTRACK_TIMESTAMP NF_CONNTRACK_ZONES NF_CT_NETLINK_HELPER NF_CT_NETLINK_TIMEOUT NF_CT_PROTO_DCCP NF_CT_PROTO_GRE NF_CT_PROTO_SCTP NF_CT_PROTO_UDPLITE NF_DUP_IPV4 NF_DUP_IPV6 NF_DUP_NETDEV NF_FLOW_TABLE NF_FLOW_TABLE_INET NF_NAT_AMANDA NF_NAT_H323 NF_NAT_OVS NF_NAT_PPTP NF_NAT_REDIRECT NF_NAT_SNMP_BASIC NF_NAT_TFTP NF_SOCKET_IPV4 NF_TABLES NF_TABLES_BRIDGE NF_TABLES_INET NF_TABLES_IPV4 NF_TABLES_IPV6 NF_TABLES_NETDEV PARTITION_ADVANCED PSAMPLE RC_CORE RC_DEVICES RFKILL SPI USB_GADGET USB_MUSB_HDRC VIDEO_DEV WAN WATCH_QUEUE WIRELESS WLAN WWAN X25 X86_X32_ABI]
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing current HEAD 795c58e4c7fc6163d8fb9f2baa86cfe898fa4b19
testing commit 795c58e4c7fc6163d8fb9f2baa86cfe898fa4b19 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 52e8a0933d4206bebee664553f76a02a4b2855df0d412859c91524a112de1ed8
all runs: OK
false negative chance: 0.000
# git bisect start 795c58e4c7fc6163d8fb9f2baa86cfe898fa4b19 fe46a7dd189e25604716c03576d05ac8a5209743
Bisecting: 11002 revisions left to test after this (roughly 13 steps)
[b850dc206a57ae272c639e31ac202ec0c2f46960] Merge tag 'firewire-updates-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit b850dc206a57ae272c639e31ac202ec0c2f46960 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5ec67a829779203cd574aeafffa00c498b374365a0d83574e932e3b3ee6c3582
all runs: OK
false negative chance: 0.000
# git bisect bad b850dc206a57ae272c639e31ac202ec0c2f46960
Bisecting: 4923 revisions left to test after this (roughly 12 steps)
[186abfcda0f59710a127fb40d4f6f1e5c0b40f17] Merge branch 'mlx5-misc-fixes'
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit 186abfcda0f59710a127fb40d4f6f1e5c0b40f17 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 284ea98a519c00b29caf1162a0bcb21ee780463644c6a52dea05c78675593295
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
# git bisect good 186abfcda0f59710a127fb40d4f6f1e5c0b40f17
Bisecting: 2413 revisions left to test after this (roughly 11 steps)
[6c60000f0b9ae7da630a5715a9ba33042d87e7fd] Merge tag 'soc-dt-6.10' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
determine whether the revision contains the guilty commit
revision 186abfcda0f59710a127fb40d4f6f1e5c0b40f17 crashed and is reachable
testing commit 6c60000f0b9ae7da630a5715a9ba33042d87e7fd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1b576cbe598c90d515b3d2cfd6102ae9253f8e2b5c4e76e22c773f2d84918651
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
# git bisect good 6c60000f0b9ae7da630a5715a9ba33042d87e7fd
Bisecting: 1209 revisions left to test after this (roughly 10 steps)
[9776dd36095be19f5a0ad9f07a4fc221d2a0609a] Merge tag 'x86-irq-2024-05-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
determine whether the revision contains the guilty commit
revision 186abfcda0f59710a127fb40d4f6f1e5c0b40f17 crashed and is reachable
testing commit 9776dd36095be19f5a0ad9f07a4fc221d2a0609a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 27cfcbad93a374462fd56980a7ee16a8f2895fa2d19185f8f69847bab4e3d689
all runs: OK
false negative chance: 0.000
# git bisect bad 9776dd36095be19f5a0ad9f07a4fc221d2a0609a
Bisecting: 566 revisions left to test after this (roughly 9 steps)
[0c9f4ac808b017a0013cee92a30de980550145d5] Merge tag 'for-6.10/block-20240511' of git://git.kernel.dk/linux
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit 0c9f4ac808b017a0013cee92a30de980550145d5 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6d0992aa147d5606490be71f3c6760c52aa80b0cb72df4dfac5b6eeb6af2d1d9
all runs: OK
false negative chance: 0.000
# git bisect bad 0c9f4ac808b017a0013cee92a30de980550145d5
Bisecting: 333 revisions left to test after this (roughly 8 steps)
[25c73642cc5baea5b91bbb9b1f5fcd93672bfa08] Merge tag 'keys-next-6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd
determine whether the revision contains the guilty commit
revision 186abfcda0f59710a127fb40d4f6f1e5c0b40f17 crashed and is reachable
testing commit 25c73642cc5baea5b91bbb9b1f5fcd93672bfa08 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b17e83768863e07b7b55a2f060fb2c53801f0efb28b1ba90c5ac5f7d4462bfd1
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
# git bisect good 25c73642cc5baea5b91bbb9b1f5fcd93672bfa08
Bisecting: 185 revisions left to test after this (roughly 7 steps)
[f4e8d80292859809ea135e9f4c43bae47e4f58bc] Merge tag 'vfs-6.10.rw' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit f4e8d80292859809ea135e9f4c43bae47e4f58bc gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 40fd728117e2c14c921db08249b38c98aa1d98222bce203b6a38d3c011c41531
all runs: OK
false negative chance: 0.000
# git bisect bad f4e8d80292859809ea135e9f4c43bae47e4f58bc
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[1b0aabcc9a35e729a6c7ce71e725fd63513b35de] Merge tag 'vfs-6.10.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
determine whether the revision contains the guilty commit
revision 6c60000f0b9ae7da630a5715a9ba33042d87e7fd crashed and is reachable
testing commit 1b0aabcc9a35e729a6c7ce71e725fd63513b35de gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0ef2153a6ae4eb6ccbd70e46c74449cdd4840d9800263c306ddbfb0dc2ece137
all runs: OK
false negative chance: 0.000
# git bisect bad 1b0aabcc9a35e729a6c7ce71e725fd63513b35de
Bisecting: 49 revisions left to test after this (roughly 6 steps)
[8815da98e06a930ce7e6a1ffaf1b1590e79fd94f] Merge tag 'docs-6.10' of git://git.lwn.net/linux
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit 8815da98e06a930ce7e6a1ffaf1b1590e79fd94f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 79be5a8d0c9dd9a495097c830521ddbdb4f6feb388368ca73ba9ae6d993c0bca
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
# git bisect good 8815da98e06a930ce7e6a1ffaf1b1590e79fd94f
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[e964fc77577a9afe528e54b50527cf49e24aa211] vfs, swap: compile out IS_SWAPFILE() on swapless configs
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit e964fc77577a9afe528e54b50527cf49e24aa211 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5892718564428959d76abe5f1a45fb4ed6859a40950f87b9669b7accaf8164dd
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
# git bisect good e964fc77577a9afe528e54b50527cf49e24aa211
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[e035af9f6ebacd98774b1be2af58a5afd6d0d291] seq_file: Simplify __seq_puts()
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit e035af9f6ebacd98774b1be2af58a5afd6d0d291 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 32acbe1252c895996a8b3aa5d6297bbd14d9bec9dc47d5946c88233699278705
all runs: OK
false negative chance: 0.000
# git bisect bad e035af9f6ebacd98774b1be2af58a5afd6d0d291
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[19e048641bc6e29a4c3ba1427481f86305f3b960] xfs: fix overly long line in the file_operations
determine whether the revision contains the guilty commit
revision e964fc77577a9afe528e54b50527cf49e24aa211 crashed and is reachable
testing commit 19e048641bc6e29a4c3ba1427481f86305f3b960 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 542ea0cc7d91c08b3ff6480e08658c70824bb502ba904ce4789d9d9eedbcffca
all runs: OK
false negative chance: 0.000
# git bisect bad 19e048641bc6e29a4c3ba1427481f86305f3b960
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ad191eb6d6942bb835a0b20b647f7c53c1d99ca4] shmem: Fix shmem_rename2()
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit ad191eb6d6942bb835a0b20b647f7c53c1d99ca4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9b2fd2608ae210273f8535fe7ff87f63aab34c2b7f01e8efbd9189653429d4d6
all runs: crashed: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec
representative crash: KASAN: slab-out-of-bounds Read in jffs2_sum_add_kvec, types: [KASAN]
# git bisect good ad191eb6d6942bb835a0b20b647f7c53c1d99ca4
Bisecting: 0 revisions left to test after this (roughly 1 step)
[193feb69af4c8c8c2e2a178b9f9c2bffff10b860] Merge patch series 'Fix shmem_rename2 directory offset calculation' of https://lore.kernel.org/r/20240415152057.4605-1-cel@kernel.org
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit 193feb69af4c8c8c2e2a178b9f9c2bffff10b860 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1212d7bc464188d1c4267a847d4afbdac79d64149cd459a217b01f32b112a800
all runs: OK
false negative chance: 0.000
# git bisect bad 193feb69af4c8c8c2e2a178b9f9c2bffff10b860
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c6854e5a267c28300ff045480b5a7ee7f6f1d913] jffs2: prevent xattr node from overflowing the eraseblock
determine whether the revision contains the guilty commit
revision fe46a7dd189e25604716c03576d05ac8a5209743 crashed and is reachable
testing commit c6854e5a267c28300ff045480b5a7ee7f6f1d913 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7219fbc39901b4bde74d4c2c65bb09995075ae233e7e76d2c24dbcf416f90cfa
all runs: OK
false negative chance: 0.000
# git bisect bad c6854e5a267c28300ff045480b5a7ee7f6f1d913
c6854e5a267c28300ff045480b5a7ee7f6f1d913 is the first bad commit
commit c6854e5a267c28300ff045480b5a7ee7f6f1d913
Author: Ilya Denisyev
Date: Fri Apr 12 18:53:54 2024 +0300

    jffs2: prevent xattr node from overflowing the eraseblock

    Add a check to make sure that the requested xattr node size is no larger
    than the eraseblock minus the cleanmarker.

    Unlike the usual inode nodes, the xattr nodes aren't split into parts
    and spread across multiple eraseblocks, which means that a xattr node
    must not occupy more than one eraseblock. If the requested xattr value is
    too large, the xattr node can spill onto the next eraseblock, overwriting
    the nodes and causing errors such as:

    jffs2: argh. node added in wrong place at 0x0000b050(2)
    jffs2: nextblock 0x0000a000, expected at 0000b00c
    jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000
    jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171}
    jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block
    jffs2: Perhaps the file system was created with the wrong erase size?
    jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead

    This breaks the filesystem and can lead to KASAN crashes such as:

    BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0
    Read of size 4 at addr ffff88802c31e914 by task repro/830
    CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
    Call Trace:
     dump_stack_lvl+0xc6/0x120
     print_report+0xc4/0x620
     ? __virt_addr_valid+0x308/0x5b0
     kasan_report+0xc1/0xf0
     ? jffs2_sum_add_kvec+0x125e/0x15d0
     ? jffs2_sum_add_kvec+0x125e/0x15d0
     jffs2_sum_add_kvec+0x125e/0x15d0
     jffs2_flash_direct_writev+0xa8/0xd0
     jffs2_flash_writev+0x9c9/0xef0
     ? __x64_sys_setxattr+0xc4/0x160
     ? do_syscall_64+0x69/0x140
     ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
     [...]

    Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

    Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)")
    Signed-off-by: Ilya Denisyev
    Link: https://lore.kernel.org/r/20240412155357.237803-1-dev@elkcl.ru
    Signed-off-by: Christian Brauner

 fs/jffs2/xattr.c | 3 +++
 1 file changed, 3 insertions(+)

accumulated error probability: 0.00
culprit signature: 7219fbc39901b4bde74d4c2c65bb09995075ae233e7e76d2c24dbcf416f90cfa
parent signature: 5892718564428959d76abe5f1a45fb4ed6859a40950f87b9669b7accaf8164dd
revisions tested: 23, total time: 7h13m45.112811759s (build: 3h59m34.669420353s, test: 2h59m29.327709261s)
first good commit: c6854e5a267c28300ff045480b5a7ee7f6f1d913 jffs2: prevent xattr node from overflowing the eraseblock
recipients (to): ["brauner@kernel.org" "dev@elkcl.ru" "linux-kernel@vger.kernel.org"]
recipients (cc): ["brauner@kernel.org" "chengzhihao1@huawei.com" "dev@elkcl.ru" "dwmw2@infradead.org" "linux-mtd@lists.infradead.org" "richard@nod.at" "walmeida@microsoft.com"]