ci2 starts bisection 2025-01-20 01:12:27.535632828 +0000 UTC m=+171948.174311815 bisecting fixing commit since e4d90d63d385228b1e0bcf31cc15539bbbc28f7f building syzkaller on 65e8686b0e9e909b6ea5629f95a9b14e81927872 ensuring issue is reproducible on original commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 381ff8e688fb1420013d43257c616c78b402459090faddeaa733034bc30d6cec all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] check whether we can drop unnecessary instrumentation disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f2bc3f00c5a330f8940769e154ceb4836177b911202b20af8467f627787cd874 all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] the bug reproduces without the instrumentation disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed kconfig minimization: base=3824 full=7497 leaves diff=2068 split chunks (needed=false): <2068> split chunk #0 of len 2068 into 5 parts testing without sub-chunk 1/5 disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2c62a4941cae52eba1634ba6f6cfb47f34a0a75494048dad4f58f933972291ec all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 645c62ff47f80ae52cad4a283e7a5cfa2ece4411b3292bcabd89a6fa5fe5edae all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 205fa69d87f31d704ca6057376c2c7dc7c2346c8b033e26505f590ab71ea3cf2 all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c3f7de18865c7b85aadad8c0968c8d8f1313d665f4d21a58f9df37414517e006 all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit e4d90d63d385228b1e0bcf31cc15539bbbc28f7f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2d311072577626351ec6908d0ada4240c50514141e9394f236eb30078add1681 all runs: OK false negative chance: 0.000 minimized to 412 configs; suspects: [ARCH_ENABLE_MEMORY_HOTREMOVE ATM BCMA BLK_DEV_ZONED BPF_SYSCALL CARDBUS CFG80211 CFG80211_WEXT CMA COMMON_CLK CONTIG_ALLOC CRYPTO_842 CRYPTO_LZ4 CRYPTO_LZ4HC CRYPTO_LZO CRYPTO_ZSTD DVB_CORE EXTCON FB GPIOLIB HID_ZEROPLUS I2C_MUX IIO IRQ_REMAP KVM KVM_INTEL LIBNVDIMM MEDIA_ANALOG_TV_SUPPORT MEDIA_CAMERA_SUPPORT MEDIA_CEC_SUPPORT MEDIA_CONTROLLER MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_TEST_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_VIPERBOARD PARPORT PCCARD PCMCIA PHONET RADIO_ADAPTERS RADIO_SI470X RADIO_SI4713 RC_CORE RFKILL SND SOUND SPI SSB TAP TARGET_CORE TUN USB_AMD5536UDC USB_ATM USB_CONFIGFS USB_CONFIGFS_ECM USB_CONFIGFS_ECM_SUBSET USB_CONFIGFS_EEM USB_CONFIGFS_F_FS USB_CONFIGFS_F_HID USB_CONFIGFS_F_LB_SS USB_CONFIGFS_F_MIDI USB_CONFIGFS_F_PRINTER USB_CONFIGFS_F_TCM USB_CONFIGFS_F_UAC1 USB_CONFIGFS_F_UAC1_LEGACY USB_CONFIGFS_F_UAC2 USB_CONFIGFS_F_UVC USB_CONFIGFS_MASS_STORAGE USB_CONFIGFS_NCM USB_CONFIGFS_OBEX USB_CONFIGFS_PHONET USB_CONFIGFS_RNDIS USB_CONFIGFS_SERIAL USB_CONN_GPIO USB_CXACRU USB_CYPRESS_CY7C63 USB_CYTHERM USB_DSBR USB_DUMMY_HCD USB_DWC2 USB_DWC2_HOST USB_DWC2_PCI USB_DWC3 USB_DWC3_GADGET USB_DWC3_HAPS USB_DWC3_OF_SIMPLE USB_DWC3_PCI USB_DWC3_ULPI USB_DYNAMIC_MINORS USB_EG20T USB_EHCI_FSL USB_EHCI_HCD_PLATFORM USB_EHCI_ROOT_HUB_TT USB_EHSET_TEST_FIXTURE USB_EMI26 USB_EMI62 USB_EPSON2888 USB_EZUSB_FX2 USB_FEW_INIT_RETRIES USB_FOTG210_HCD USB_FOTG210_UDC USB_FTDI_ELAN USB_F_ACM USB_F_ECM USB_F_EEM USB_F_FS USB_F_HID USB_F_MASS_STORAGE USB_F_MIDI USB_F_NCM USB_F_OBEX USB_F_PHONET USB_F_PRINTER USB_F_RNDIS USB_F_SERIAL USB_F_SS_LB USB_F_SUBSET USB_F_TCM USB_F_UAC1 USB_F_UAC1_LEGACY USB_F_UAC2 USB_F_UVC USB_GADGET USB_GADGETFS USB_GADGET_DEBUG_FILES USB_GADGET_DEBUG_FS USB_GL860 USB_GOKU USB_GPIO_VBUS USB_GR_UDC USB_GSPCA USB_GSPCA_BENQ USB_GSPCA_CONEX USB_GSPCA_CPIA1 USB_GSPCA_DTCS033 USB_GSPCA_ETOMS USB_GSPCA_FINEPIX USB_GSPCA_JEILINJ USB_GSPCA_JL2005BCD USB_GSPCA_KINECT USB_GSPCA_KONICA USB_GSPCA_MARS USB_GSPCA_MR97310A USB_GSPCA_NW80X USB_GSPCA_OV519 USB_GSPCA_OV534 USB_GSPCA_OV534_9 USB_GSPCA_PAC207 USB_GSPCA_PAC7302 USB_GSPCA_PAC7311 USB_GSPCA_SE401 USB_GSPCA_SN9C2028 USB_GSPCA_SN9C20X USB_GSPCA_SONIXB USB_GSPCA_SONIXJ USB_GSPCA_SPCA1528 USB_GSPCA_SPCA500 USB_GSPCA_SPCA501 USB_GSPCA_SPCA505 USB_GSPCA_SPCA506 USB_GSPCA_SPCA508 USB_GSPCA_SPCA561 USB_GSPCA_SQ905 USB_GSPCA_SQ905C USB_GSPCA_SQ930X USB_GSPCA_STK014 USB_GSPCA_STK1135 USB_GSPCA_STV0680 USB_GSPCA_SUNPLUS USB_GSPCA_T613 USB_GSPCA_TOPRO USB_GSPCA_TOUPTEK USB_GSPCA_TV8532 USB_GSPCA_VC032X USB_GSPCA_VICAM USB_GSPCA_XIRLINK_CIT USB_GSPCA_ZC3XX USB_HACKRF USB_HCD_BCMA USB_HCD_SSB USB_HSIC_USB3503 USB_HSIC_USB4604 USB_HSO USB_HUB_USB251XB USB_IDMOUSE USB_IOWARRIOR USB_IPHETH USB_ISIGHTFW USB_ISP116X_HCD USB_ISP1301 USB_ISP1760 USB_ISP1760_DUAL_ROLE USB_ISP1760_HCD USB_ISP1761_UDC USB_KAWETH USB_KC2190 USB_KEENE USB_LAN78XX USB_LCD USB_LD USB_LEDS_TRIGGER_USBPORT USB_LED_TRIG USB_LEGOTOWER USB_LGM_PHY USB_LIBCOMPOSITE USB_LINK_LAYER_TEST USB_M5602 USB_MA901 USB_MAX3420_UDC USB_MAX3421_HCD USB_MDC800 USB_MICROTEK USB_MR800 USB_MSI2500 USB_MUSB_DUAL_ROLE USB_MUSB_HDRC USB_MV_U3D USB_MV_UDC USB_NET2272 USB_NET2272_DMA USB_NET2280 USB_NET_AQC111 USB_NET_AX88179_178A USB_NET_AX8817X USB_NET_CDCETHER USB_NET_CDC_EEM USB_NET_CDC_MBIM USB_NET_CDC_NCM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_CH9200 USB_NET_CX82310_ETH USB_NET_DM9601 USB_NET_GL620A USB_NET_HUAWEI_CDC_NCM USB_NET_INT51X1 USB_NET_KALMIA USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_QMI_WWAN USB_NET_RNDIS_HOST USB_NET_RNDIS_WLAN USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_OXU210HP_HCD USB_PEGASUS USB_PULSE8_CEC USB_PWC USB_PWC_INPUT_EVDEV USB_PXA27X USB_R8A66597 USB_R8A66597_HCD USB_RAINSHADOW_CEC USB_RAREMONO USB_RAW_GADGET USB_RTL8150 USB_RTL8152 USB_RTL8153_ECM USB_S2255 USB_SERIAL USB_SERIAL_AIRCABLE USB_SERIAL_ARK3116 USB_SERIAL_BELKIN USB_SERIAL_CH341 USB_SERIAL_CONSOLE USB_SERIAL_CP210X USB_SERIAL_CYBERJACK USB_SERIAL_CYPRESS_M8 USB_SERIAL_DEBUG USB_SERIAL_DIGI_ACCELEPORT USB_SERIAL_EDGEPORT USB_SERIAL_EDGEPORT_TI USB_SERIAL_EMPEG USB_SERIAL_F81232 USB_SERIAL_F8153X USB_SERIAL_FTDI_SIO USB_SERIAL_GARMIN USB_SERIAL_GENERIC USB_SERIAL_IPAQ USB_SERIAL_IPW USB_SERIAL_IR USB_SERIAL_IUU USB_SERIAL_KEYSPAN USB_SERIAL_KEYSPAN_PDA USB_SERIAL_KLSI USB_SERIAL_KOBIL_SCT USB_SERIAL_MCT_U232 USB_SERIAL_METRO USB_SERIAL_MOS7715_PARPORT USB_SERIAL_MOS7720 USB_SERIAL_MOS7840 USB_SERIAL_MXUPORT USB_SERIAL_NAVMAN USB_SERIAL_OMNINET USB_SERIAL_OPTICON USB_SERIAL_OPTION USB_SERIAL_OTI6858 USB_SERIAL_PL2303 USB_SERIAL_QCAUX USB_SERIAL_QT2 USB_SERIAL_QUALCOMM USB_SERIAL_SAFE USB_SERIAL_SIERRAWIRELESS USB_SERIAL_SIMPLE USB_SERIAL_SPCP8X5 USB_SERIAL_SSU100 USB_SERIAL_SYMBOL USB_SERIAL_TI USB_SERIAL_UPD78F0730 USB_SERIAL_VISOR USB_SERIAL_WHITEHEAT USB_SERIAL_WISHBONE USB_SERIAL_WWAN USB_SERIAL_XR USB_SERIAL_XSENS_MT USB_SEVSEG USB_SI470X USB_SI4713 USB_SIERRA_NET USB_SISUSBVGA USB_SL811_CS USB_SL811_HCD USB_SL811_HCD_ISO USB_SNP_CORE USB_SPEEDTOUCH USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_ENE_UB6250 USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_STV06XX USB_TEST USB_TMC USB_TRANCEVIBRATOR USB_U132_HCD USB_UAS USB_UEAGLEATM USB_ULPI_BUS USB_USBNET USB_USS720 USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_VIDEO_CLASS USB_VIDEO_CLASS_INPUT_EVDEV USB_VL600 USB_WDM USB_XHCI_DBGCAP USB_XHCI_PCI_RENESAS USB_XHCI_PLATFORM USB_XUSBATM USB_YUREX USERFAULTFD USERIO USERMODE_DRIVER USER_RETURN_NOTIFIER U_SERIAL_CONSOLE V4L2_MEM2MEM_DEV V4L_TEST_DRIVERS VALIDATE_FS_PARSER VDPA VDPA_SIM VDPA_SIM_BLOCK VDPA_SIM_NET VDPA_USER VETH VFIO VFIO_IOMMU_TYPE1 VFIO_PCI VFIO_PCI_CORE VFIO_PCI_INTX VFIO_PCI_MMAP VFIO_VIRQFD VGASTATE VHOST VHOST_CROSS_ENDIAN_LEGACY VHOST_IOTLB VHOST_NET VHOST_RING VHOST_VDPA VHOST_VSOCK VIDEOBUF2_CORE VIDEOBUF2_DMA_CONTIG VIDEOBUF2_DMA_SG VIDEOBUF2_MEMOPS VIDEOBUF2_V4L2 VIDEOBUF2_VMALLOC VIDEOMODE_HELPERS VIDEO_AU0828 VIDEO_AU0828_RC VIDEO_AU0828_V4L2 VIDEO_CS53L32A VIDEO_CX231XX VIDEO_CX231XX_ALSA VIDEO_CX231XX_DVB VIDEO_CX231XX_RC VIDEO_CX2341X VIDEO_CX25840 VIDEO_DEV VIDEO_EM28XX VIDEO_EM28XX_ALSA VIDEO_EM28XX_DVB VIDEO_EM28XX_RC VIDEO_EM28XX_V4L2 VIDEO_GO7007 VIDEO_GO7007_LOADER VIDEO_GO7007_USB VIDEO_GO7007_USB_S2250_BOARD VIDEO_HDPVR VIDEO_MSP3400 VIDEO_PVRUSB2 VIDEO_PVRUSB2_DVB VIDEO_PVRUSB2_SYSFS VIDEO_SAA711X VIDEO_STK1160 VIDEO_STK1160_COMMON VIDEO_TUNER VIDEO_TVEEPROM VIDEO_USBTV VIDEO_V4L2_I2C VIDEO_V4L2_SUBDEV_API VIDEO_V4L2_TPG VIDEO_VICODEC VIDEO_VIM2M VIDEO_VIMC VIDEO_VIVID VIDEO_VIVID_CEC VIDEO_WM8775 VIPERBOARD_ADC VIRTIO_BALLOON VIRTIO_DMA_SHARED_BUFFER VIRTIO_MEM VIRTIO_MMIO VIRTIO_MMIO_CMDLINE_DEVICES VIRTIO_PMEM VIRTIO_VDPA VIRTIO_VSOCKETS VIRTIO_VSOCKETS_COMMON VIRT_WIFI VLAN_8021Q VLAN_8021Q_GVRP VLAN_8021Q_MVRP VMAP_PFN VMWARE_VMCI VMXNET3 VP_VDPA VSOCKETS VSOCKETS_DIAG VSOCKETS_LOOPBACK VSOCKMON VT_HW_CONSOLE_BINDING VXFS_FS WANT_DEV_COREDUMP WEXT_CORE WEXT_PRIV WEXT_PROC WIREGUARD WIRELESS WIRELESS_EXT WLAN WLAN_VENDOR_ADMTEK WLAN_VENDOR_SILABS X86_SGX X86_SGX_KVM X86_X2APIC X86_X32_ABI XARRAY_MULTI XDP_SOCKETS XDP_SOCKETS_DIAG XFRM_ESPINTCP XFRM_INTERFACE XFRM_IPCOMP XFRM_MIGRATE XFRM_OFFLOAD XFRM_STATISTICS XFRM_SUB_POLICY XFRM_USER_COMPAT XFS_FS XFS_POSIX_ACL XFS_QUOTA XFS_RT XILLYBUS_CLASS XILLYUSB XOR_BLOCKS YENTA YENTA_ENE_TUNE YENTA_O2 YENTA_RICOH YENTA_TI YENTA_TOSHIBA ZBUD ZEROPLUS_FF ZLIB_DEFLATE ZONEFS_FS ZPOOL ZRAM ZRAM_DEF_COMP_LZORLE ZSMALLOC ZSTD_COMPRESS ZSWAP ZSWAP_COMPRESSOR_DEFAULT_LZO ZSWAP_DEFAULT_ON ZSWAP_ZPOOL_DEFAULT_ZBUD] disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed determining the merge base between e4d90d63d385228b1e0bcf31cc15539bbbc28f7f and ffd294d346d185b70e28b1a28abe367bbfe53c04 830b3c68c1fb1e9176028d02ef86f3cf76aa2476/Linux 6.1 is a merge base, check if it has the bug testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: bf210ee3d4b6cbcf490641ea3590d756e1deb4d90ab7065d35cca5462c41d723 all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] testing current HEAD ffd294d346d185b70e28b1a28abe367bbfe53c04 testing commit ffd294d346d185b70e28b1a28abe367bbfe53c04 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8b1150fc13f0cb2fc8be58d73034d650177f2cd73234494a5484708e31a26a90 all runs: OK false negative chance: 0.000 # git bisect start ffd294d346d185b70e28b1a28abe367bbfe53c04 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 Bisecting: 93149 revisions left to test after this (roughly 17 steps) [be3ca57cfb777ad820c6659d52e60bbdd36bf5ff] Merge tag 'media/v6.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit be3ca57cfb777ad820c6659d52e60bbdd36bf5ff gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1e19f18a861a850716150e487012e49b8fc7c314e16fbd4cacc364fedf3f3174 all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good be3ca57cfb777ad820c6659d52e60bbdd36bf5ff Bisecting: 46538 revisions left to test after this (roughly 16 steps) [5f16eb0549ab502906fb2a10147dad4b9dc185c4] Merge tag 'char-misc-6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 5f16eb0549ab502906fb2a10147dad4b9dc185c4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d9d2f0552eca2f211eab498d85cd6d8b332a0d954026527d74f253d06e8621da all runs: crashed: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions representative crash: WARNING: kmalloc bug in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 5f16eb0549ab502906fb2a10147dad4b9dc185c4 Bisecting: 23263 revisions left to test after this (roughly 15 steps) [3a7101e9b27fe97240c2fd430c71e61262447dd1] Merge tag 'powerpc-6.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 3a7101e9b27fe97240c2fd430c71e61262447dd1 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 62d45d2507e2f598b1dafe15c4813411758ff0dbc5c45960b02ce425ba73e201 all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 3a7101e9b27fe97240c2fd430c71e61262447dd1 Bisecting: 11546 revisions left to test after this (roughly 14 steps) [9f5a6a1fe690a43896e0235377c7eb0b657c05a9] Merge tag 'media/v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 9f5a6a1fe690a43896e0235377c7eb0b657c05a9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2570268360ddcf9728c618c8cfb495f8a47445a7ef5093ba0b92c0f331132cd7 all runs: OK false negative chance: 0.000 # git bisect bad 9f5a6a1fe690a43896e0235377c7eb0b657c05a9 Bisecting: 5765 revisions left to test after this (roughly 13 steps) [5e5466433d266046790c0af40a15af0a6be139a1] Merge tag 'char-misc-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 5e5466433d266046790c0af40a15af0a6be139a1 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8966cefdfd1d0af27f43f0f6f1432a59675e29645d63fd78614619b9e4b6f2ab all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 5e5466433d266046790c0af40a15af0a6be139a1 Bisecting: 2885 revisions left to test after this (roughly 12 steps) [023d4fc00fdeac9c73b6c1da2d720eade48db020] Merge tag 'staging-6.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging determine whether the revision contains the guilty commit revision 5e5466433d266046790c0af40a15af0a6be139a1 crashed and is reachable testing commit 023d4fc00fdeac9c73b6c1da2d720eade48db020 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b0941723573097ca1e53e9842971fd7c1b78306d3b4bce30c7b043676f3a9470 all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 023d4fc00fdeac9c73b6c1da2d720eade48db020 Bisecting: 1450 revisions left to test after this (roughly 11 steps) [ad52c55e1d3a2e85e05e47b6d7056c662a9c0246] Merge tag 'pm-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm determine whether the revision contains the guilty commit revision be3ca57cfb777ad820c6659d52e60bbdd36bf5ff crashed and is reachable testing commit ad52c55e1d3a2e85e05e47b6d7056c662a9c0246 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 388164bf10da1a8e5fe379bd6a84e1b01d2c187863723e33e7bcee3667c708ea all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good ad52c55e1d3a2e85e05e47b6d7056c662a9c0246 Bisecting: 728 revisions left to test after this (roughly 10 steps) [8f7c8b88bda4988f44e595a760438febf51c92c8] Merge tag 'sched_ext-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 8f7c8b88bda4988f44e595a760438febf51c92c8 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0b911973b1811eff2683c2f9660cfe7dd093fb4c668278a225c1516c68c0b5ed all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 8f7c8b88bda4988f44e595a760438febf51c92c8 Bisecting: 329 revisions left to test after this (roughly 9 steps) [38556294b83f5c5818041c98a00e3a0e88fbb58c] Merge tag 'mmc-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc determine whether the revision contains the guilty commit revision 8f7c8b88bda4988f44e595a760438febf51c92c8 crashed and is reachable testing commit 38556294b83f5c5818041c98a00e3a0e88fbb58c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b46e7ed99df816446bca1e087c58a6a366cff6c54040abc2aa4dba703cc715df all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 38556294b83f5c5818041c98a00e3a0e88fbb58c Bisecting: 164 revisions left to test after this (roughly 7 steps) [940ff4b41b982ad40d78573ddc89eb91f432e4bf] media: ipu6: use PFN_UP() and sg_virt() for code simplicity determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 940ff4b41b982ad40d78573ddc89eb91f432e4bf gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8f410b22a2a8ccfc127039ba72a74cbe66461d29855bf7f94d8bf456fd03648d all runs: OK false negative chance: 0.000 # git bisect bad 940ff4b41b982ad40d78573ddc89eb91f432e4bf Bisecting: 82 revisions left to test after this (roughly 6 steps) [f35b2e24a7ad5742fd9017b2032598114ac90247] media: staging/intel-ipu3: css: Convert comma to semicolon determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit f35b2e24a7ad5742fd9017b2032598114ac90247 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b8a5da9f5ee58789bcc66061f742a23e8d99287d46d91a4a9514c6a2cc7a9365 all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good f35b2e24a7ad5742fd9017b2032598114ac90247 Bisecting: 41 revisions left to test after this (roughly 5 steps) [c7f3bd38b543255ef0175469ad7e7895857a6934] media: rzg2l-cru: Remove `channel` member from `struct rzg2l_cru_csi` determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit c7f3bd38b543255ef0175469ad7e7895857a6934 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 74c82db9625383b3c14623ddf1cdb895ea0d030be1fe059b32a50138c71edb82 all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good c7f3bd38b543255ef0175469ad7e7895857a6934 Bisecting: 20 revisions left to test after this (roughly 4 steps) [30e932f5d942e7ed1424596b44f947734fa36d94] media: usb: drop vb2_ops_wait_prepare/finish determine whether the revision contains the guilty commit revision c7f3bd38b543255ef0175469ad7e7895857a6934 crashed and is reachable testing commit 30e932f5d942e7ed1424596b44f947734fa36d94 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f8deed6809be16164d9781973a258ffb996fa5fdf97bf262a5a4669ab35fca0c all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 30e932f5d942e7ed1424596b44f947734fa36d94 Bisecting: 10 revisions left to test after this (roughly 3 steps) [fba1aff8d25d48190476891f1959213f9407c9b6] media: raspberrypi: rp1-cfe: Fix spelling mistake "Orphanded" -> "Orphaned" determine whether the revision contains the guilty commit revision be3ca57cfb777ad820c6659d52e60bbdd36bf5ff crashed and is reachable testing commit fba1aff8d25d48190476891f1959213f9407c9b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8d24f2e22a20f7323dbd8296f0abd814b12bcd5a832ac768ca20a4ab084788f0 all runs: OK false negative chance: 0.000 # git bisect bad fba1aff8d25d48190476891f1959213f9407c9b6 Bisecting: 4 revisions left to test after this (roughly 2 steps) [3576f817c5ee730a4567aff445f0f853a8adf53a] staging: media: drop vb2_ops_wait_prepare/finish determine whether the revision contains the guilty commit revision 30e932f5d942e7ed1424596b44f947734fa36d94 crashed and is reachable testing commit 3576f817c5ee730a4567aff445f0f853a8adf53a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 42a50c2c6d05174ac9b99d6e76be4d7d86356fdd04acdff7fb4f284c5fc9d9eb all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 3576f817c5ee730a4567aff445f0f853a8adf53a Bisecting: 2 revisions left to test after this (roughly 1 step) [2a45db41b8974f4b62fbf001feaffc7d3b699b8d] media: cx231xx: Remove some deadcode determine whether the revision contains the guilty commit revision 3a7101e9b27fe97240c2fd430c71e61262447dd1 crashed and is reachable testing commit 2a45db41b8974f4b62fbf001feaffc7d3b699b8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 69804b0793c96c8ea0d4acd8c071a5ceba5c2d233ea17f3c68d7fa536af96594 all runs: crashed: WARNING in __v4l2_ctrl_modify_dimensions representative crash: WARNING in __v4l2_ctrl_modify_dimensions, types: [WARNING] # git bisect good 2a45db41b8974f4b62fbf001feaffc7d3b699b8d Bisecting: 0 revisions left to test after this (roughly 1 step) [2b744cb1a5a42d2428d9c39930be5c2fb89c588f] media: v4l2-core: constify the class struct determine whether the revision contains the guilty commit revision be3ca57cfb777ad820c6659d52e60bbdd36bf5ff crashed and is reachable testing commit 2b744cb1a5a42d2428d9c39930be5c2fb89c588f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5f6982e53153e4575b4db5ffa317ba6584d289ea8fd8df92c0dee65b12c83d37 all runs: OK false negative chance: 0.000 # git bisect bad 2b744cb1a5a42d2428d9c39930be5c2fb89c588f Bisecting: 0 revisions left to test after this (roughly 0 steps) [9f070b1862f3411b8bcdfd51a8eaad25286f9deb] media: v4l2-core: v4l2-dv-timings: check cvt/gtf result determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 9f070b1862f3411b8bcdfd51a8eaad25286f9deb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 12b4487a83cec4abe7ab9b2b4d69de1640bc36c0bb83d46cee02e276b66cce18 all runs: OK false negative chance: 0.000 # git bisect bad 9f070b1862f3411b8bcdfd51a8eaad25286f9deb 9f070b1862f3411b8bcdfd51a8eaad25286f9deb is the first bad commit commit 9f070b1862f3411b8bcdfd51a8eaad25286f9deb Author: Hans Verkuil Date: Mon Oct 14 16:52:41 2024 +0200 media: v4l2-core: v4l2-dv-timings: check cvt/gtf result The v4l2_detect_cvt/gtf functions should check the result against the timing capabilities: these functions calculate the timings, so if they are out of bounds, they should be rejected. To do this, add the struct v4l2_dv_timings_cap as argument to those functions. This required updates to the adv7604 and adv7842 drivers since the prototype of these functions has now changed. The timings struct that is passed to v4l2_detect_cvt/gtf in those two drivers is filled with the timings detected by the hardware. The vivid driver was also updated, but an additional check was added: the width and height specified by VIDIOC_S_DV_TIMINGS has to match the calculated result, otherwise something went wrong. Note that vivid *emulates* hardware, so all the values passed to the v4l2_detect_cvt/gtf functions came from the timings struct that was filled by userspace and passed on to the driver via VIDIOC_S_DV_TIMINGS. So these fields can contain random data. Both the constraints check via struct v4l2_dv_timings_cap and the additional width/height check ensure that the resulting timings are sane and not messed up by the v4l2_detect_cvt/gtf calculations. Signed-off-by: Hans Verkuil Fixes: 2576415846bc ("[media] v4l2: move dv-timings related code to v4l2-dv-timings.c") Cc: stable@vger.kernel.org Reported-by: syzbot+a828133770f62293563e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-media/000000000000013050062127830a@google.com/ drivers/media/i2c/adv7604.c | 5 +- drivers/media/i2c/adv7842.c | 13 +-- drivers/media/test-drivers/vivid/vivid-vid-cap.c | 15 ++- drivers/media/v4l2-core/v4l2-dv-timings.c | 132 ++++++++++++----------- include/media/v4l2-dv-timings.h | 18 ++-- 5 files changed, 107 insertions(+), 76 deletions(-) accumulated error probability: 0.00 culprit signature: 12b4487a83cec4abe7ab9b2b4d69de1640bc36c0bb83d46cee02e276b66cce18 parent signature: 69804b0793c96c8ea0d4acd8c071a5ceba5c2d233ea17f3c68d7fa536af96594 revisions tested: 27, total time: 5h19m26.319596396s (build: 2h20m17.242555224s, test: 2h43m2.099049431s) first good commit: 9f070b1862f3411b8bcdfd51a8eaad25286f9deb media: v4l2-core: v4l2-dv-timings: check cvt/gtf result recipients (to): ["hverkuil@xs4all.nl"] recipients (cc): []