ci2 starts bisection 2024-12-29 08:24:24.285574209 +0000 UTC m=+254486.020683286
bisecting fixing commit since 6364d594125d5489b4f160c055505ec08c68c4eb
building syzkaller on 3ce4924c386b24ce0dea10478efdecc852cda540
ensuring issue is reproducible on original commit 6364d594125d5489b4f160c055505ec08c68c4eb

testing commit 6364d594125d5489b4f160c055505ec08c68c4eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f8e6dd9de09fbfa9e450c64af6d6e4e88981d4b262f7f2fa13a23a9918410e66
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 6364d594125d5489b4f160c055505ec08c68c4eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0794151ce2ef76dc6935124b2fcd30755c99bdbfca8535e1ae5e82bcd5c95d74
run #0: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #1: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #2: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #3: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #4: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #5: crashed: KASAN: out-of-bounds Read in ext4_convert_inline_data_nolock
run #6: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #7: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #8: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #9: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=5179 full=6494 leaves diff=257
split chunks (needed=false): <257>
split chunk #0 of len 257 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 6364d594125d5489b4f160c055505ec08c68c4eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5f34a88417863495a3efa2bc88c9e39bd5035a3d7a47b568deabdb9fcd7c2893
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 6364d594125d5489b4f160c055505ec08c68c4eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 90238a2d25b31bdc56172b3299c1108b01438342a7e6eb4a28fb00b8875e3471
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 6364d594125d5489b4f160c055505ec08c68c4eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 585345f04f59c617c88d307e641d6e0ee484b0ed7fb6996e2a9be0799a3f345b
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 6364d594125d5489b4f160c055505ec08c68c4eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6a35d2d5578b47395ca9429f30f6f2f03e9c76231c827bfdc4d0c6e95245029b
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 6364d594125d5489b4f160c055505ec08c68c4eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 6364d594125d5489b4f160c055505ec08c68c4eb:
net/socket.c:1245: undefined reference to `wext_handle_ioctl'
net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 49 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed

testing current HEAD 3f924195e2221970e40c33cdca57933f4b63bf31
testing commit 3f924195e2221970e40c33cdca57933f4b63bf31 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 17151c6b4903c466dfe86c6cd05fda5492901204a7d392dd1a8ecb102c215099
all runs: OK
false negative chance: 0.000

# git bisect start 3f924195e2221970e40c33cdca57933f4b63bf31 6364d594125d5489b4f160c055505ec08c68c4eb
Bisecting: 3802 revisions left to test after this (roughly 12 steps)
[fae1959d6ab2c52677b113935e36ab4e25df37ea] nilfs2: fix inode number range checks
determine whether the revision contains the guilty commit
checking the merge base 883d1a9562083922c6d293e9adad8cca4626adf3
no existing result, test the revision
testing commit 883d1a9562083922c6d293e9adad8cca4626adf3 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eb500f2b95241df37f9e524490f1b3df31217dd0f9873aa760c47dbc5bba726d
run #0: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #1: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #2: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #3: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #4: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #5: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #6: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #7: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #8: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #9: crashed: KASAN: out-of-bounds Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
testing commit fae1959d6ab2c52677b113935e36ab4e25df37ea gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 917c0df65f266122ea3f30e329a5b01787784cc38d60d2d90c8511620133f0ed
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
# git bisect good fae1959d6ab2c52677b113935e36ab4e25df37ea
Bisecting: 1901 revisions left to test after this (roughly 11 steps)
[6c444fb529ff4219d3eeecd3641c929b1043cc5e] drm/stm: Fix an error handling path in stm_drm_platform_probe()
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit 6c444fb529ff4219d3eeecd3641c929b1043cc5e gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0972186d00be5e32de914f43bee72bc3bdab6a5917ef990e7b1b593f2b3cb4c4
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
# git bisect good 6c444fb529ff4219d3eeecd3641c929b1043cc5e
Bisecting: 950 revisions left to test after this (roughly 10 steps)
[5d9054b9f769a8e124c4fa02072437c864726baf] Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit 5d9054b9f769a8e124c4fa02072437c864726baf gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 24efcbfb3842a1a14ff58c70001a1718479893e31b249997ac35879476edc800
all runs: OK
false negative chance: 0.000
# git bisect bad 5d9054b9f769a8e124c4fa02072437c864726baf
Bisecting: 475 revisions left to test after this (roughly 9 steps)
[f07c20c6eeb0bcc421c0a8481e9c9fcd98f40954] NFSD: Fix NFSv4's PUTPUBFH operation
determine whether the revision contains the guilty commit
revision fae1959d6ab2c52677b113935e36ab4e25df37ea crashed and is reachable
testing commit f07c20c6eeb0bcc421c0a8481e9c9fcd98f40954 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a0f49899f94467e7d63b16fca33674cf644c92224d8b24321eb65c4499f22d99
all runs: OK
false negative chance: 0.000
# git bisect bad f07c20c6eeb0bcc421c0a8481e9c9fcd98f40954
Bisecting: 237 revisions left to test after this (roughly 8 steps)
[ab205e1c3846326f162180e56825b4ba38ce9c30] padata: use integer wrap around to prevent deadlock on seq_nr overflow
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit ab205e1c3846326f162180e56825b4ba38ce9c30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 71cd2ae395136212b41296e87366382f67c6d1aea72ca0c3baaf80e6cbcb9c29
all runs: OK
false negative chance: 0.000
# git bisect bad ab205e1c3846326f162180e56825b4ba38ce9c30
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[ac4818b0965eac7dcd61a9d6080545333623b03d] RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range()
determine whether the revision contains the guilty commit
revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable
testing commit ac4818b0965eac7dcd61a9d6080545333623b03d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 44fb6eb4a31b3e7f0024214137b932778ca46b66503a4cb6807ef2cc68a69546
all runs: OK
false negative chance: 0.000
# git bisect bad ac4818b0965eac7dcd61a9d6080545333623b03d
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[d18b3b18821c96acc22449cff5ad49570c8496f2] xz: cleanup CRC32 edits from 2018
determine whether the revision contains the guilty commit
revision 6c444fb529ff4219d3eeecd3641c929b1043cc5e crashed and is reachable
testing commit d18b3b18821c96acc22449cff5ad49570c8496f2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d73f86f221242d2090ef1a0ad44d44b52a3aa1f04fa40a717ef85c114cc8bb16
run #0: crashed: KASAN: out-of-bounds Read in ext4_convert_inline_data_nolock
run #1: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #2: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #3: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #4: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #5: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #6: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #7: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #8: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
run #9: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: out-of-bounds Read in ext4_convert_inline_data_nolock, types: [KASAN]
# git bisect good d18b3b18821c96acc22449cff5ad49570c8496f2
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[e947b2546a7c934bc16a5c5315c57e1d64c78ff0] remoteproc: imx_rproc: Correct ddr alias for i.MX8M
determine whether the revision contains the guilty commit
revision 6c444fb529ff4219d3eeecd3641c929b1043cc5e crashed and is reachable
testing commit e947b2546a7c934bc16a5c5315c57e1d64c78ff0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6572145ca810838b9b87bf9ebb72e4bbb1a8eefea05a49fe8b507346bf001a51
all runs: OK
false negative chance: 0.000
# git bisect bad e947b2546a7c934bc16a5c5315c57e1d64c78ff0
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[8397bf78988f3ae9dbebb0200189a62a57264980] bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error
determine whether the revision contains the guilty commit
revision 6c444fb529ff4219d3eeecd3641c929b1043cc5e crashed and is reachable
testing commit 8397bf78988f3ae9dbebb0200189a62a57264980 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 633e8839e347c99779d17fee2dc2e083b4be3a4bb2379bb86ef6be414594bd6f
all runs: OK
false negative chance: 0.000
# git bisect bad 8397bf78988f3ae9dbebb0200189a62a57264980
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[f595035794f923157ce077df6031a88fa55ad9fb] ext4: return error on ext4_find_inline_entry
determine whether the revision contains the guilty commit
revision d18b3b18821c96acc22449cff5ad49570c8496f2 crashed and is reachable
testing commit f595035794f923157ce077df6031a88fa55ad9fb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8f215e465edd401efb5b8979be1477fd8eb32dc6ae4198c20eeaf06e1e6e9d63
all runs: OK
false negative chance: 0.000
# git bisect bad f595035794f923157ce077df6031a88fa55ad9fb
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[c328bf681e68d6276a1ee075d9be5c86aa9314e9] smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso
determine whether the revision contains the guilty commit
revision 6c444fb529ff4219d3eeecd3641c929b1043cc5e crashed and is reachable
testing commit c328bf681e68d6276a1ee075d9be5c86aa9314e9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a19f3f51daab82719855f0ece6a3ff3147e34e55f48e2ccd0a710e4f412e0843
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
# git bisect good c328bf681e68d6276a1ee075d9be5c86aa9314e9
Bisecting: 1 revision left to test after this (roughly 1 step)
[b08c3ede3a55b9c6239f1c60253935379e93c1a7] ext4: avoid potential buffer_head leak in __ext4_new_inode()
determine whether the revision contains the guilty commit
revision fae1959d6ab2c52677b113935e36ab4e25df37ea crashed and is reachable
testing commit b08c3ede3a55b9c6239f1c60253935379e93c1a7 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9fb09389891ef6c913656c225f0a5de519a9f65f257e64ade96a62d003c251ca
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
# git bisect good b08c3ede3a55b9c6239f1c60253935379e93c1a7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e953cb3f6d93e0b1a6d347a15eb3f07eba420851] ext4: avoid negative min_clusters in find_group_orlov()
determine whether the revision contains the guilty commit
revision fae1959d6ab2c52677b113935e36ab4e25df37ea crashed and is reachable
testing commit e953cb3f6d93e0b1a6d347a15eb3f07eba420851 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c25aec0a9426e909e6c55bbaf51a9dfadb217d1dde96f9df2bdffc3af5963804
all runs: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock
representative crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock, types: [KASAN]
# git bisect good e953cb3f6d93e0b1a6d347a15eb3f07eba420851
f595035794f923157ce077df6031a88fa55ad9fb is the first bad commit
commit f595035794f923157ce077df6031a88fa55ad9fb
Author: Thadeu Lima de Souza Cascardo
Date: Wed Aug 21 12:23:22 2024 -0300

    ext4: return error on ext4_find_inline_entry

    [ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ]

    In case of errors when reading an inode from disk or traversing inline
    directory entries, return an error-encoded ERR_PTR instead of returning
    NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns
    such encoded errors.

    Signed-off-by: Thadeu Lima de Souza Cascardo
    Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com
    Signed-off-by: Theodore Ts'o
    Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem")
    Signed-off-by: Sasha Levin

 fs/ext4/inline.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

accumulated error probability: 0.00
culprit signature: 8f215e465edd401efb5b8979be1477fd8eb32dc6ae4198c20eeaf06e1e6e9d63
parent signature: c25aec0a9426e909e6c55bbaf51a9dfadb217d1dde96f9df2bdffc3af5963804
revisions tested: 21, total time: 6h12m21.615526912s (build: 2h52m30.301366341s, test: 3h9m52.029368128s)
first good commit: f595035794f923157ce077df6031a88fa55ad9fb ext4: return error on ext4_find_inline_entry
recipients (to): ["cascardo@igalia.com" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []