ci2 starts bisection 2025-03-04 12:26:21.200259024 +0000 UTC m=+245109.802220324 bisecting fixing commit since e4d90d63d385228b1e0bcf31cc15539bbbc28f7f building syzkaller on a4ae4f428721da42ac15f07d6f3b54584dedee27 ensuring issue is reproducible on original commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8fa89387c4f2b42e6715404a37af7792177a872822895b66173d4991814d6447 all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: cf5675aa6a1525f91c13c07f16dcf3b857db89f932d202c9cea606b1fa8359fb all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed kconfig minimization: base=3823 full=7523 leaves diff=1995 split chunks (needed=false): <1995> split chunk #0 of len 1995 into 5 parts testing without sub-chunk 1/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ca4045067de4d71b6cd0bfe1f787755552c1e2ac7726369313ea4506905e5c74 all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] 
the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5141354edf3b43e831ab14f10d380808fc9242aa98eff2ea5a70b64b6139d711 all runs: OK false negative chance: 0.000 testing without sub-chunk 3/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 01a46d87c6daecd8fae05c6d9395fefd991ae6376210ee85acb1123299182d14 all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7a1e4735c9082121e4da16e0b30aae8ba3862a0ebcd6cfd3300fed7fe30e53d2 all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 457c3fb014406bffbf1da2d595a195babdf15931e10ab77c6049f10eb8fc6d06 all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] the chunk can be dropped 
minimized to 399 configs; suspects: [6LOWPAN ARCH_ENABLE_MEMORY_HOTREMOVE ASUS_WMI CMA COMMON_CLK DAX DLM DRM DRM_BRIDGE DRM_DISPLAY_DP_HELPER DRM_DISPLAY_HDCP_HELPER DRM_DISPLAY_HDMI_HELPER DRM_DISPLAY_HELPER DRM_DP_AUX_BUS DRM_DP_AUX_CHARDEV DRM_FBDEV_EMULATION DRM_GEM_SHMEM_HELPER DRM_I915 DRM_I915_CAPTURE_ERROR DRM_I915_COMPRESS_ERROR DRM_I915_USERPTR DRM_KMS_HELPER DRM_MIPI_DSI DRM_NOMODESET DRM_PANEL DRM_PANEL_BRIDGE DRM_PANEL_EDP DRM_PANEL_ORIENTATION_QUIRKS DRM_SIMPLEDRM DRM_TTM DRM_TTM_HELPER DRM_UDL DRM_VGEM DRM_VIRTIO_GPU DRM_VKMS DRM_VMWGFX DRM_VRAM_HELPER DUMMY DVB_AF9013 DVB_AF9033 DVB_AS102 DVB_AS102_FE DVB_B2C2_FLEXCOP DVB_B2C2_FLEXCOP_USB DVB_CORE DVB_DIB3000MB DVB_DIB3000MC DVB_EC100 DVB_GP8PSK_FE DVB_RTL2830 DVB_RTL2832 DVB_RTL2832_SDR DVB_TEST_DRIVERS DVB_TTUSB_BUDGET DVB_TTUSB_DEC DVB_USB DVB_USB_A800 DVB_USB_AF9005 DVB_USB_AF9005_REMOTE DVB_USB_AF9015 DVB_USB_AF9035 DVB_USB_ANYSEE DVB_USB_AU6610 DVB_USB_AZ6007 DVB_USB_AZ6027 DVB_USB_CE6230 DVB_USB_CINERGY_T2 DVB_USB_CXUSB DVB_USB_DIB0700 DVB_USB_DIB3000MC DVB_USB_DIBUSB_MB DVB_USB_DIBUSB_MC DVB_USB_DIGITV DVB_USB_DTT200U DVB_USB_DTV5100 DVB_USB_DVBSKY DVB_USB_DW2102 DVB_USB_EC168 DVB_USB_GL861 DVB_USB_GP8PSK DVB_USB_LME2510 DVB_USB_M920X DVB_USB_MXL111SF DVB_USB_NOVA_T_USB2 DVB_USB_OPERA1 DVB_USB_PCTV452E DVB_USB_RTL28XXU DVB_USB_TECHNISAT_USB2 DVB_USB_TTUSB2 DVB_USB_UMT_010 DVB_USB_V2 DVB_USB_VP702X DVB_USB_VP7045 DVB_USB_ZD1301 DVB_VIDTV DVB_ZL10353 ECRYPT_FS ECRYPT_FS_MESSAGING EDAC EEPROM_93CX6 EFS_FS ENCRYPTED_KEYS EQUALIZER EROFS_FS EROFS_FS_POSIX_ACL EROFS_FS_SECURITY EROFS_FS_XATTR EROFS_FS_ZIP EVM EVM_ADD_XATTRS EVM_ATTR_FSUUID EXFAT_FS EXPORTFS_BLOCK_OPS EXT3_FS EXT3_FS_POSIX_ACL EXT3_FS_SECURITY EXTCON EXTCON_INTEL_CHT_WC F2FS_CHECK_FS F2FS_FAULT_INJECTION F2FS_FS F2FS_FS_COMPRESSION F2FS_FS_LZ4 F2FS_FS_LZ4HC F2FS_FS_LZO F2FS_FS_LZORLE F2FS_FS_POSIX_ACL F2FS_FS_SECURITY F2FS_FS_XATTR F2FS_FS_ZSTD F2FS_STAT_FS FANOTIFY FANOTIFY_ACCESS_PERMISSIONS FB FB_CFB_COPYAREA FB_CFB_FILLRECT 
FB_CFB_IMAGEBLIT FB_CMDLINE FB_DEFERRED_IO FB_NOTIFY FB_SYS_COPYAREA FB_SYS_FILLRECT FB_SYS_FOPS FB_SYS_IMAGEBLIT FB_TILEBLITTING FB_VESA FB_VGA16 FB_VIRTUAL FDDI FIREWIRE FIREWIRE_NET FIREWIRE_OHCI FIREWIRE_SBP2 FONT_8x16 FONT_8x8 FONT_SUPPORT FRAMEBUFFER_CONSOLE FRAMEBUFFER_CONSOLE_DETECT_PRIMARY FRAMEBUFFER_CONSOLE_ROTATION FRONTSWAP FS_DAX FS_DAX_PMD FS_ENCRYPTION FS_ENCRYPTION_ALGS FS_VERITY FS_VERITY_BUILTIN_SIGNATURES FTL FUSE_DAX FUSE_FS FW_LOADER_COMPRESS FW_LOADER_PAGED_BUF FW_LOADER_SYSFS FW_LOADER_USER_HELPER FW_LOADER_USER_HELPER_FALLBACK GACT_PROB GARP GCC11_NO_ARRAY_BOUNDS GENERIC_PHY GET_FREE_REGION GFS2_FS GFS2_FS_LOCKING_DLM GOOGLE_COREBOOT_TABLE GOOGLE_FIRMWARE GOOGLE_MEMCONSOLE GOOGLE_MEMCONSOLE_COREBOOT GOOGLE_VPD GPIOLIB GPIOLIB_IRQCHIP GPIO_ACPI GPIO_DLN2 GPIO_VIPERBOARD GREENASIA_FF GREYBUS GREYBUS_BRIDGED_PHY GREYBUS_ES2 GREYBUS_HID GREYBUS_USB GTP GUEST_PERF_EVENTS GVE HAVE_ARCH_NODE_DEV_GROUP HAVE_ARCH_USERFAULTFD_MINOR HAVE_ARCH_USERFAULTFD_WP HAVE_BOOTMEM_INFO_NODE HAVE_CLK_PREPARE HAVE_KVM_CPU_RELAX_INTERCEPT HAVE_KVM_DIRTY_RING HAVE_KVM_DIRTY_RING_ACQ_REL HAVE_KVM_DIRTY_RING_TSO HAVE_KVM_EVENTFD HAVE_KVM_IRQCHIP HAVE_KVM_IRQFD HAVE_KVM_IRQ_BYPASS HAVE_KVM_IRQ_ROUTING HAVE_KVM_MSI HAVE_KVM_NO_POLL HAVE_KVM_PFNCACHE HAVE_KVM_PM_NOTIFIER HAVE_SCHED_AVG_IRQ HDLC HDLC_CISCO HDLC_FR HDLC_PPP HDLC_RAW HDLC_RAW_ETH HDLC_X25 HDMI HFSPLUS_FS HFS_FS HID_ACCUTOUCH HID_ACRUX HID_ACRUX_FF HID_ALPS HID_APPLEIR HID_ASUS HID_AUREAL HID_BATTERY_STRENGTH HID_BETOP_FF HID_CMEDIA HID_CORSAIR HID_CP2112 HID_ELECOM HID_ELO HID_EMS_FF HID_GEMBIRD HID_GFRM HID_GREENASIA HID_GT683R HID_HOLTEK HID_ICADE HID_KEYTOUCH HID_KYE HID_LCPOWER HID_LED HID_LENOVO HID_LOGITECH_DJ HID_LOGITECH_HIDPP HID_MAGICMOUSE HID_MAYFLASH HID_MULTITOUCH HID_NTI HID_ORTEK HID_PENMOUNT HID_PICOLCD HID_PICOLCD_BACKLIGHT HID_PICOLCD_CIR HID_PICOLCD_FB HID_PICOLCD_LCD HID_PICOLCD_LEDS HID_PLANTRONICS HID_PRIMAX HID_PRODIKEYS HID_RETRODE HID_RMI HID_ROCCAT HID_SAITEK HID_SENSOR_ACCEL_3D 
HID_SENSOR_ALS HID_SENSOR_CUSTOM_SENSOR HID_SENSOR_DEVICE_ROTATION HID_SENSOR_GYRO_3D HID_SENSOR_HUB HID_SENSOR_HUMIDITY HID_SENSOR_IIO_COMMON HID_SENSOR_IIO_TRIGGER HID_SENSOR_INCLINOMETER_3D HID_SENSOR_MAGNETOMETER_3D HID_SENSOR_PRESS HID_SENSOR_PROX HID_SENSOR_TEMP HID_SPEEDLINK HID_STEELSERIES HID_THINGM HID_TIVO HID_TWINHAN HID_UCLOGIC HID_UDRAW_PS3 HID_WACOM HID_WALTOP HID_WIIMOTE HID_XINMO HID_ZYDACRON HMM_MIRROR HOLTEK_FF HOTPLUG_PCI_PCIE HPET_MMAP HPET_MMAP_DEFAULT HPFS_FS I2C_ALGOBIT I2C_CHARDEV I2C_DESIGNWARE_CORE I2C_DESIGNWARE_PLATFORM I2C_DIOLAN_U2C I2C_DLN2 I2C_MUX I2C_MUX_REG I2C_ROBOTFUZZ_OSIF I2C_SI4713 I2C_SLAVE I2C_SLAVE_EEPROM I2C_TINY_USB I2C_VIPERBOARD IEEE802154 IEEE802154_6LOWPAN IEEE802154_ATUSB IEEE802154_DRIVERS IEEE802154_HWSIM IEEE802154_NL802154_EXPERIMENTAL IEEE802154_SOCKET IFB IIO IIO_BUFFER IIO_KFIFO_BUF IIO_TRIGGER IIO_TRIGGERED_BUFFER IKCONFIG IKCONFIG_PROC IMA IMA_APPRAISE IMA_APPRAISE_MODSIG IMA_DEFAULT_HASH_SHA256 IMA_LSM_RULES IMA_MEASURE_ASYMMETRIC_KEYS IMA_NG_TEMPLATE IMA_QUEUE_EARLY_BOOT_KEYS IMA_READ_POLICY IMA_WRITE_POLICY INET6_ESPINTCP INET6_ESP_OFFLOAD INET6_IPCOMP INET6_TUNNEL INET6_XFRM_TUNNEL INET_AH INET_DCCP_DIAG INET_DIAG INET_DIAG_DESTROY INET_ESP INET_ESPINTCP INET_ESP_OFFLOAD INET_IPCOMP INET_MPTCP_DIAG INET_RAW_DIAG INET_SCTP_DIAG INET_TCP_DIAG INET_UDP_DIAG INET_XFRM_TUNNEL INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_ADDR_TRANS_CONFIGFS INFINIBAND_IPOIB INFINIBAND_IPOIB_CM INFINIBAND_IPOIB_DEBUG INFINIBAND_ISER INFINIBAND_ON_DEMAND_PAGING INFINIBAND_RTRS INFINIBAND_SRP INFINIBAND_USER_ACCESS INFINIBAND_USER_MAD INFINIBAND_USER_MEM INPUT_ATI_REMOTE2 INPUT_CM109 INPUT_IMS_PCU INPUT_JOYDEV INPUT_KEYSPAN_REMOTE INPUT_LEDS INPUT_MOUSEDEV INPUT_MOUSEDEV_PSAUX INPUT_POWERMATE INPUT_UINPUT INPUT_YEALINK INTEGRITY INTEGRITY_ASYMMETRIC_KEYS INTEGRITY_AUDIT INTEGRITY_SIGNATURE INTEGRITY_TRUSTED_KEYRING INTEL_IDMA64 INTEL_IOATDMA INTEL_IOMMU_DEFAULT_ON INTEL_IOMMU_SVM INTEL_SOC_PMIC_CHTWC INTERVAL_TREE IOMMU_SVA 
IP6_NF_MATCH_AH IP6_NF_MATCH_EUI64 IP6_NF_MATCH_FRAG IP6_NF_MATCH_HL IP6_NF_MATCH_MH IP6_NF_MATCH_OPTS IP6_NF_MATCH_RPFILTER IP6_NF_MATCH_RT IP6_NF_MATCH_SRH IP6_NF_NAT IP6_NF_RAW IP6_NF_SECURITY IP6_NF_TARGET_HL IP6_NF_TARGET_MASQUERADE IP6_NF_TARGET_NPT IP6_NF_TARGET_SYNPROXY IPV6_FOU IPV6_FOU_TUNNEL IPV6_GRE IPV6_ILA IPV6_MIP6 IPV6_MROUTE IPV6_MROUTE_MULTIPLE_TABLES IPV6_MULTIPLE_TABLES IPV6_OPTIMISTIC_DAD IPV6_PIMSM_V2 IPV6_ROUTER_PREF IPV6_ROUTE_INFO IPV6_RPL_LWTUNNEL IPV6_SEG6_BPF IPV6_SEG6_HMAC IPV6_SEG6_LWTUNNEL IPV6_SIT_6RD IPV6_SUBTREES IPV6_TUNNEL IPV6_VTI IPVLAN IPVLAN_L3S IPVTAP IP_DCCP IP_DCCP_CCID3 IP_DCCP_TFRC_LIB IP_FIB_TRIE_STATS IP_MROUTE_MULTIPLE_TABLES IP_NF_ARPFILTER IP_NF_ARPTABLES IP_NF_ARP_MANGLE IP_NF_MATCH_AH IP_NF_MATCH_ECN IP_NF_MATCH_RPFILTER IP_NF_MATCH_TTL IP_NF_RAW IP_NF_SECURITY IP_NF_TARGET_CLUSTERIP IP_NF_TARGET_ECN IP_NF_TARGET_NETMAP IP_NF_TARGET_REDIRECT IP_NF_TARGET_SYNPROXY IP_NF_TARGET_TTL IP_ROUTE_CLASSID IP_SCTP IP_SET IP_SET_BITMAP_IP IP_SET_BITMAP_IPMAC IP_SET_BITMAP_PORT IP_SET_HASH_IP IP_SET_HASH_IPMAC IP_SET_HASH_IPMARK IP_SET_HASH_IPPORT IP_SET_HASH_IPPORTIP IP_SET_HASH_IPPORTNET IP_SET_HASH_MAC IP_SET_HASH_NET IP_SET_HASH_NETIFACE IP_SET_HASH_NETNET IP_SET_HASH_NETPORT IP_SET_HASH_NETPORTNET IP_SET_LIST_SET IP_VS IP_VS_DH IP_VS_FO IP_VS_FTP IP_VS_IPV6 IP_VS_LBLC IP_VS_LBLCR IP_VS_LC IP_VS_MH IP_VS_NFCT IP_VS_NQ IP_VS_OVF IP_VS_PROTO_TCP IRQ_TIME_ACCOUNTING LAPB LCD_CLASS_DEVICE MAC802154 MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_TEST_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_DLN2 MFD_VIPERBOARD MPTCP MTD NETFILTER_ADVANCED NET_ACT_GACT NET_ACT_MIRRED NET_IPGRE_DEMUX NFT_FWD_NETDEV NF_TABLES NF_TABLES_NETDEV RADIO_ADAPTERS RADIO_SI4713 RAS RC_CORE RFKILL SND SOUND STAGING TRANSPARENT_HUGEPAGE VIDEO_DEV VIRTIO_FS WAN ZONE_DEVICE] disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed determining the merge base between 
e4d90d63d385228b1e0bcf31cc15539bbbc28f7f and 99fa936e8e4f117d62f229003c9799686f74cebc 830b3c68c1fb1e9176028d02ef86f3cf76aa2476/Linux 6.1 is a merge base, check if it has the bug testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 25e990bc73cf6efe9f7542e8d5adec7c695a606d577c57cb6aa5f969826d8f05 all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] testing current HEAD 99fa936e8e4f117d62f229003c9799686f74cebc testing commit 99fa936e8e4f117d62f229003c9799686f74cebc gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4a582b2f18f0f532e2b32df39dbe775603fdcd41e58e12d84df0dd79b490dbfd all runs: OK false negative chance: 0.000 # git bisect start 99fa936e8e4f117d62f229003c9799686f74cebc 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 Bisecting: 99057 revisions left to test after this (roughly 17 steps) [0c59ae1290741854b6cf597ef05bfa9bc811389f] Merge tag 'afs-fix-rotation-20240105' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 0c59ae1290741854b6cf597ef05bfa9bc811389f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f02f5169e3df23096b32c65d295fba1aa29d70822cf14e41fddf8535edb67c95 all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] # git bisect good 0c59ae1290741854b6cf597ef05bfa9bc811389f Bisecting: 49700 revisions left to test after this (roughly 16 steps) [280e36f0d5b997173d014c07484c03a7f7750668] nsfs: use cleanup guard determine whether the revision contains the guilty commit revision 
0c59ae1290741854b6cf597ef05bfa9bc811389f crashed and is reachable testing commit 280e36f0d5b997173d014c07484c03a7f7750668 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 319266d7e22e64cda136ea391d4a42f0235901e99b348b0b3c9fd64142da3bda all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] # git bisect good 280e36f0d5b997173d014c07484c03a7f7750668 Bisecting: 24838 revisions left to test after this (roughly 15 steps) [30169bb64580bd7bce9290c1952bf0aa6cc37fe5] Backmerge v6.12-rc6 of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into drm-next determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 30169bb64580bd7bce9290c1952bf0aa6cc37fe5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 44297bf3e0bd69008604ca3a5f167a1cfb2a9e3307ada8a3c026901b19cceb75 all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] # git bisect good 30169bb64580bd7bce9290c1952bf0aa6cc37fe5 Bisecting: 12429 revisions left to test after this (roughly 14 steps) [2b9da35f48a552c158a8965a61f36a1aa62fca34] Merge branch 'support-some-features-for-the-hibmcge-driver' determine whether the revision contains the guilty commit revision 280e36f0d5b997173d014c07484c03a7f7750668 crashed and is reachable testing commit 2b9da35f48a552c158a8965a61f36a1aa62fca34 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: db12e2a5584cf05cf28c1677693d37cdd37b09a2e49daa6f48309579bd5ebbad all runs: OK false negative chance: 0.000 # git bisect bad 2b9da35f48a552c158a8965a61f36a1aa62fca34 Bisecting: 6208 revisions left to test after this (roughly 13 
steps) [597861d6cd343a6ded4cf0302f6fc25ec548e1cc] Merge tag 'for_v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 597861d6cd343a6ded4cf0302f6fc25ec548e1cc gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b5a6adc37a1a8ff2203158e0c7afb470d42908e8686a6be4a4c796f85a7d72d9 all runs: OK false negative chance: 0.000 # git bisect bad 597861d6cd343a6ded4cf0302f6fc25ec548e1cc Bisecting: 3031 revisions left to test after this (roughly 12 steps) [9f5a6a1fe690a43896e0235377c7eb0b657c05a9] Merge tag 'media/v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 9f5a6a1fe690a43896e0235377c7eb0b657c05a9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 9fb2b38de84af678b0676824e3dc13ddb6fa17a6042194a3a05b73d6fb009007 all runs: OK false negative chance: 0.000 # git bisect bad 9f5a6a1fe690a43896e0235377c7eb0b657c05a9 Bisecting: 1629 revisions left to test after this (roughly 11 steps) [1af29b34ea7f63c3e7225c324ffa86c9748874e4] Merge tag 'chrome-platform-firmware-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux determine whether the revision contains the guilty commit revision 0c59ae1290741854b6cf597ef05bfa9bc811389f crashed and is reachable testing commit 1af29b34ea7f63c3e7225c324ffa86c9748874e4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e3f7820305229f050edd75e50c08da708371e4853d0c934e619242c6a7269d9c all runs: OK false negative chance: 0.000 # git bisect bad 1af29b34ea7f63c3e7225c324ffa86c9748874e4 Bisecting: 776 revisions left to test after this (roughly 10 
steps) [82339c49119f5e38ca3c81d698b84134c342373f] Merge tag 'pull-xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs determine whether the revision contains the guilty commit revision 0c59ae1290741854b6cf597ef05bfa9bc811389f crashed and is reachable testing commit 82339c49119f5e38ca3c81d698b84134c342373f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ed46a6f8479bfcf93c8c180fdb31f8086ddf89d6e2a37d92d5edf00b2bb803ea all runs: OK false negative chance: 0.000 # git bisect bad 82339c49119f5e38ca3c81d698b84134c342373f Bisecting: 377 revisions left to test after this (roughly 9 steps) [4b49c0ba4eeb31b44462303cac4162476b72c831] Merge tag 'mm-hotfixes-stable-2024-11-12-16-39' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm determine whether the revision contains the guilty commit revision 0c59ae1290741854b6cf597ef05bfa9bc811389f crashed and is reachable testing commit 4b49c0ba4eeb31b44462303cac4162476b72c831 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 392933c5c1bf25ac8f8b4ca685c8e1e45a988805fdfbf41ecca228eab7e4fb4f all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] # git bisect good 4b49c0ba4eeb31b44462303cac4162476b72c831 Bisecting: 186 revisions left to test after this (roughly 8 steps) [4eb98b7760e8078dbc984ee08b02b5b4c3cff088] Merge tag 'vfs-6.13.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 4eb98b7760e8078dbc984ee08b02b5b4c3cff088 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8fe9ba6337b8c0d59af033ce043a14292c0ad6a1e395437f89e0a408068f1170 all runs: crashed: KASAN: slab-out-of-bounds Read in 
generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] # git bisect good 4eb98b7760e8078dbc984ee08b02b5b4c3cff088 Bisecting: 89 revisions left to test after this (roughly 7 steps) [a29835c9d0ba5365d64b56883692d0e8675fb615] Merge tag 'vfs-6.13.ovl' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs determine whether the revision contains the guilty commit revision 0c59ae1290741854b6cf597ef05bfa9bc811389f crashed and is reachable testing commit a29835c9d0ba5365d64b56883692d0e8675fb615 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2b34037c5b0a684b246f8676ed9663196a1408b4ca8c56da5bd9416c48e2cb39 run #0: infra problem: failed to create instance: googleapi: Error 503: Internal error. Please try again or contact Google Support. (Code: '62F86DDB065FB.934EB2D.C0058DA3'), backendError run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK false negative chance: 0.000 # git bisect bad a29835c9d0ba5365d64b56883692d0e8675fb615 Bisecting: 44 revisions left to test after this (roughly 6 steps) [5bb6ba448fe3598a7668838942db1f008beb581b] Merge tag 'vfs-6.13.rust.file' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs determine whether the revision contains the guilty commit revision 0c59ae1290741854b6cf597ef05bfa9bc811389f crashed and is reachable testing commit 5bb6ba448fe3598a7668838942db1f008beb581b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 27bd872d7d6bc612df1e5d86aa0265a67365f77f8a29ee363a505ef895ca6a4a all runs: OK false negative chance: 0.000 # git bisect bad 5bb6ba448fe3598a7668838942db1f008beb581b Bisecting: 25 revisions left to test after this (roughly 5 steps) [cb80d9074f2a56c8226657b01f19656584fc3ab5] fs: optimize acl_permission_check() determine whether the revision contains the guilty commit revision 280e36f0d5b997173d014c07484c03a7f7750668 
crashed and is reachable testing commit cb80d9074f2a56c8226657b01f19656584fc3ab5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 18a60bd70c47b9e3cb05835ddf11a349e0036bc2f5ff9908eb0ee112718de8ca all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] # git bisect good cb80d9074f2a56c8226657b01f19656584fc3ab5 Bisecting: 12 revisions left to test after this (roughly 4 steps) [aefff51e1c2986e16f2780ca8e4c97b784800ab5] statmount: retrieve security mount options determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit aefff51e1c2986e16f2780ca8e4c97b784800ab5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: fb36bc7d8427114b2b51fb215ad86771372e12f766a4b6b611ef426b60f0bff8 all runs: OK false negative chance: 0.000 # git bisect bad aefff51e1c2986e16f2780ca8e4c97b784800ab5 Bisecting: 5 revisions left to test after this (roughly 3 steps) [3a6ffeb127973806704655fe5fcd92141a5e83d5] Merge patch series "fs: allow statmount to fetch the fs_subtype and sb_source" determine whether the revision contains the guilty commit revision 0c59ae1290741854b6cf597ef05bfa9bc811389f crashed and is reachable testing commit 3a6ffeb127973806704655fe5fcd92141a5e83d5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5911f11f34f749ddf7b59051c065738e1bbdfae2aa2a915ccdb83e2e93854707 all runs: OK false negative chance: 0.000 # git bisect bad 3a6ffeb127973806704655fe5fcd92141a5e83d5 Bisecting: 3 revisions left to test after this (roughly 2 steps) [c4d7d90747f4e8b528c8cd0a2d9ac01dc4a9339e] fs:aio: Remove TODO comment suggesting hash or array usage in io_cancel() determine whether the revision contains the guilty commit revision 
830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit c4d7d90747f4e8b528c8cd0a2d9ac01dc4a9339e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2751ff9283c16d15666203f1a3ebc230bdf69e6592338ce1322b74f062d38d55 all runs: OK false negative chance: 0.000 # git bisect bad c4d7d90747f4e8b528c8cd0a2d9ac01dc4a9339e Bisecting: 0 revisions left to test after this (roughly 1 step) [1c82587cb57687de3f18ab4b98a8850c789bedcf] hfsplus: don't query the device logical block size multiple times determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 1c82587cb57687de3f18ab4b98a8850c789bedcf gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5d622d58565d9aed81fa04c0521ee2703efc4c18f60a752106a120dc8297d73b all runs: OK false negative chance: 0.000 # git bisect bad 1c82587cb57687de3f18ab4b98a8850c789bedcf Bisecting: 0 revisions left to test after this (roughly 0 steps) [fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca] freevxfs: Replace one-element array with flexible array member determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 67d05a8f78002dc826178feee9f6607426b9a3db4c68b7bb7d7b7d643b25cbee all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN] # git bisect good fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca 1c82587cb57687de3f18ab4b98a8850c789bedcf is the first bad commit commit 1c82587cb57687de3f18ab4b98a8850c789bedcf Author: Thadeu Lima de Souza Cascardo Date: Thu Nov 7 08:41:09 2024 -0300 hfsplus: don't query the device logical block 
size multiple times Devices block sizes may change. One of these cases is a loop device by using ioctl LOOP_SET_BLOCK_SIZE. While this may cause other issues like IO being rejected, in the case of hfsplus, it will allocate a block by using that size and potentially write out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the latter function reads a different io_size. Using a new min_io_size initially set to sb_min_blocksize works for the purposes of the original fix, since it will be set to the max between HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not initialized. Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024 and 4096. The produced KASAN report before the fix looks like this: [ 419.944641] ================================================================== [ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a [ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678 [ 419.947612] [ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84 [ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 419.950035] Call Trace: [ 419.950384] [ 419.950676] dump_stack_lvl+0x57/0x78 [ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.951830] print_report+0x14c/0x49e [ 419.952361] ? __virt_addr_valid+0x267/0x278 [ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d [ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.954231] kasan_report+0x89/0xb0 [ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.955367] hfsplus_read_wrapper+0x659/0xa0a [ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10 [ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9 [ 419.957214] ? _raw_spin_unlock+0x1a/0x2e [ 419.957772] hfsplus_fill_super+0x348/0x1590 [ 419.958355] ? hlock_class+0x4c/0x109 [ 419.958867] ? 
__pfx_hfsplus_fill_super+0x10/0x10 [ 419.959499] ? __pfx_string+0x10/0x10 [ 419.960006] ? lock_acquire+0x3e2/0x454 [ 419.960532] ? bdev_name.constprop.0+0xce/0x243 [ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10 [ 419.961799] ? pointer+0x3f0/0x62f [ 419.962277] ? __pfx_pointer+0x10/0x10 [ 419.962761] ? vsnprintf+0x6c4/0xfba [ 419.963178] ? __pfx_vsnprintf+0x10/0x10 [ 419.963621] ? setup_bdev_super+0x376/0x3b3 [ 419.964029] ? snprintf+0x9d/0xd2 [ 419.964344] ? __pfx_snprintf+0x10/0x10 [ 419.964675] ? lock_acquired+0x45c/0x5e9 [ 419.965016] ? set_blocksize+0x139/0x1c1 [ 419.965381] ? sb_set_blocksize+0x6d/0xae [ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.966179] mount_bdev+0x12f/0x1bf [ 419.966512] ? __pfx_mount_bdev+0x10/0x10 [ 419.966886] ? vfs_parse_fs_string+0xce/0x111 [ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10 [ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10 [ 419.968073] legacy_get_tree+0x104/0x178 [ 419.968414] vfs_get_tree+0x86/0x296 [ 419.968751] path_mount+0xba3/0xd0b [ 419.969157] ? __pfx_path_mount+0x10/0x10 [ 419.969594] ? kmem_cache_free+0x1e2/0x260 [ 419.970311] do_mount+0x99/0xe0 [ 419.970630] ? 
__pfx_do_mount+0x10/0x10 [ 419.971008] __do_sys_mount+0x199/0x1c9 [ 419.971397] do_syscall_64+0xd0/0x135 [ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 419.972233] RIP: 0033:0x7c3cb812972e [ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48 [ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e [ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: 00007ffe306325d0 [ 419.976363] RBP: 00007ffe30632720 R08: 00007ffe30632610 R09: 0000000000000000 [ 419.977034] R10: 0000000000200008 R11: 0000000000000286 R12: 0000000000000000 [ 419.977713] R13: 00007ffe306328e8 R14: 00005a0eb298bc68 R15: 00007c3cb8356000 [ 419.978375] [ 419.978589] Fixes: 6596528e391a ("hfsplus: ensure bio requests are not smaller than the hardware sectors") Signed-off-by: Thadeu Lima de Souza Cascardo Link: https://lore.kernel.org/r/20241107114109.839253-1-cascardo@igalia.com Signed-off-by: Christian Brauner fs/hfsplus/hfsplus_fs.h | 3 ++- fs/hfsplus/wrapper.c | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) accumulated error probability: 0.00 culprit signature: 5d622d58565d9aed81fa04c0521ee2703efc4c18f60a752106a120dc8297d73b parent signature: 67d05a8f78002dc826178feee9f6607426b9a3db4c68b7bb7d7b7d643b25cbee revisions tested: 27, total time: 6h4m3.358299479s (build: 2h36m40.45265182s, test: 3h9m56.71189373s) first good commit: 1c82587cb57687de3f18ab4b98a8850c789bedcf hfsplus: don't query the device logical block size multiple times recipients (to): ["brauner@kernel.org" "cascardo@igalia.com"] recipients (cc): []