ci2 starts bisection 2023-08-16 20:52:20.494031875 +0000 UTC m=+109.687626250
bisecting fixing commit since 19c0ed55a470d1cd766484abab04871b648560fb
building syzkaller on 11c89444716852a015f612f3b171a06781707777
ensuring issue is reproducible on original commit 19c0ed55a470d1cd766484abab04871b648560fb

testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1c2a73dec21faa440433fa77c9f25605f5df7f04c4bbd6f12e8229402072d02b
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 06b6fa63fd8f76e2171e4948ce98629adaa47ac01609e87b673aedf11c3da4df
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=4920 full=6166 leaves diff=244
split chunks (needed=false): <244>
split chunk #0 of len 244 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aba86451a977e40c6a25a23f6c1a190bb1b11ba32da98ad3d754e84c6749d125
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2e3974a48e466e0fc180c4376b5cce121c3d9aec7348d71640f97d61572fa2b5
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dfdeedf590be3e709617d44e77c5cb07a10e4bcadb7ba0df553d0604d422c362
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df53aa9ce9fbacf1dafa3642676c37061d143438dec5dcd13b819fe2e48cf4e0
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 19c0ed55a470d1cd766484abab04871b648560fb:
net/socket.c:1172: undefined reference to `wext_handle_ioctl'
net/socket.c:3366: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 1463976ddc64e81b31046e7a2a09007263f54f10
testing commit 1463976ddc64e81b31046e7a2a09007263f54f10 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8dabc8c737069e6f69cce3dd3f1fb457954b24f41f9057c0b533543b0653905f
all runs: OK
false negative chance: 0.000
# git bisect start 1463976ddc64e81b31046e7a2a09007263f54f10 19c0ed55a470d1cd766484abab04871b648560fb
Bisecting: 1198 revisions left to test after this (roughly 10 steps)
[3eb4590bc37c2f90c5d16ed8a2b9d136d4a9c5d1] block/blk-iocost (gcc13): keep large values in a new enum
determine whether the revision contains the guilty commit
checking the merge base d86dfc4d95cd218246b10ca7adf22c8626547599
no existing result, test the revision
testing commit d86dfc4d95cd218246b10ca7adf22c8626547599 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 413cd89a0545d394f25713db6ec927c06a9db84007862fa7460185ae6e61338d
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
testing commit 3eb4590bc37c2f90c5d16ed8a2b9d136d4a9c5d1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fb72f62588f758b5892189e6f8fb548b4e8b7b5a290399f43bf13961c32c4f6b
all runs: OK
false negative chance: 0.000
# git bisect bad 3eb4590bc37c2f90c5d16ed8a2b9d136d4a9c5d1
Bisecting: 598 revisions left to test after this (roughly 9 steps)
[388d2578c7d7165c1aeca76a0b5ae38e6d74b176] thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit 388d2578c7d7165c1aeca76a0b5ae38e6d74b176 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 82e03a7628e8e27f14c35bf55e1e63c76003ccd9b607c5aca9e35fa8dac5d998
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
# git bisect good 388d2578c7d7165c1aeca76a0b5ae38e6d74b176
Bisecting: 299 revisions left to test after this (roughly 8 steps)
[8e37baf62181a45f752b48d655aaaf104afbfba1] net: hns3: fix reset delay time to avoid configuration timeout
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit 8e37baf62181a45f752b48d655aaaf104afbfba1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9cbbeb0bea175a1df0b79951ad92654c36e416b840cdfc0c4f39691c219ca3c9
all runs: OK
false negative chance: 0.000
# git bisect bad 8e37baf62181a45f752b48d655aaaf104afbfba1
Bisecting: 149 revisions left to test after this (roughly 7 steps)
[4f9baa06674910876ce3e0b5fbe23214690d731d] ksmbd: fix deadlock in ksmbd_find_crypto_ctx()
determine whether the revision contains the guilty commit
revision 388d2578c7d7165c1aeca76a0b5ae38e6d74b176 crashed and is reachable
testing commit 4f9baa06674910876ce3e0b5fbe23214690d731d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c61788dd8e22f9000e574c4d0383ebca88b7d96002477230bc2d4b53f7278bd1
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
# git bisect good 4f9baa06674910876ce3e0b5fbe23214690d731d
Bisecting: 74 revisions left to test after this (roughly 6 steps)
[a6f9f53d73bf01f9ac55812ae871dfe4619a5a71] net: Catch invalid index in XPS mapping
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit a6f9f53d73bf01f9ac55812ae871dfe4619a5a71 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2677df54b603c756187faea20eef14c26ce9e931b431c22b6154d789e42fc1d7
all runs: OK
false negative chance: 0.000
# git bisect bad a6f9f53d73bf01f9ac55812ae871dfe4619a5a71
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[7c8be27727fe194b4625da442ee2b854db76b200] ipvlan:Fix out-of-bounds caused by unclear skb->cb
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit 7c8be27727fe194b4625da442ee2b854db76b200 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b4f7cc9a7d1a8b9f7f7b514e635f101844250f208e133301c0bcfd57e77d8e12
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
# git bisect good 7c8be27727fe194b4625da442ee2b854db76b200
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[f0a06203f2fe63f04311467200c99c4ee1926578] media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()
determine whether the revision contains the guilty commit
revision 7c8be27727fe194b4625da442ee2b854db76b200 crashed and is reachable
testing commit f0a06203f2fe63f04311467200c99c4ee1926578 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8ed108d3eba591daac413b5250aca6d07b09d48bd24b535c063235048c3e99e5
all runs: OK
false negative chance: 0.000
# git bisect bad f0a06203f2fe63f04311467200c99c4ee1926578
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[1de53f2223eb79454a1898f422a49ca1605a20e6] ext4: fix lockdep warning when enabling MMP
determine whether the revision contains the guilty commit
revision 7c8be27727fe194b4625da442ee2b854db76b200 crashed and is reachable
testing commit 1de53f2223eb79454a1898f422a49ca1605a20e6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 039ad6fffc2dc84897a3de27cc0ded2f37d0162bc804d322572c67f5154b257a
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
# git bisect good 1de53f2223eb79454a1898f422a49ca1605a20e6
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[37cab61a52d6f42b2d961c51bcf369f09e235fb5] fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
determine whether the revision contains the guilty commit
revision 388d2578c7d7165c1aeca76a0b5ae38e6d74b176 crashed and is reachable
testing commit 37cab61a52d6f42b2d961c51bcf369f09e235fb5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ae126f61bc1887075dc99e6f41382bd60fd2bbb37ae47ed3731974d840bad409
all runs: OK
false negative chance: 0.000
# git bisect bad 37cab61a52d6f42b2d961c51bcf369f09e235fb5
Bisecting: 2 revisions left to test after this (roughly 1 step)
[620a3c28221bb219b81bc0bffd065cc187494302] ext4: allow ext4_get_group_info() to fail
determine whether the revision contains the guilty commit
revision 1de53f2223eb79454a1898f422a49ca1605a20e6 crashed and is reachable
testing commit 620a3c28221bb219b81bc0bffd065cc187494302 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 446fe6e25d10a3129f036b6e50a21119ca20020dabfd0345adefbd18a2bd4500
all runs: OK
false negative chance: 0.000
# git bisect bad 620a3c28221bb219b81bc0bffd065cc187494302
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[99f7ce0fac2205eb4d66100d3256b7da410efcb4] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit 99f7ce0fac2205eb4d66100d3256b7da410efcb4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7ef7493577c728505f0951e4a172f5abf39dbbaccfdef018fae517688e80fc79
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
# git bisect good 99f7ce0fac2205eb4d66100d3256b7da410efcb4
620a3c28221bb219b81bc0bffd065cc187494302 is the first bad commit
commit 620a3c28221bb219b81bc0bffd065cc187494302
Author: Theodore Ts'o
Date:   Sat Apr 29 00:06:28 2023 -0400

    ext4: allow ext4_get_group_info() to fail

    [ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ]

    Previously, ext4_get_group_info() would treat an invalid group number
    as BUG(), since in theory it should never happen. However, if a
    malicious attacker (or fuzzer) modifies the superblock via the block
    device while the file system is mounted, it is possible for
    s_first_data_block to get set to a very large number. In that case,
    when calculating the block group of some block number (such as the
    starting block of a preallocation region), could result in an
    underflow and very large block group number. Then the BUG_ON check in
    ext4_get_group_info() would fire, resulting in a denial of service
    attack that can be triggered by root or someone with write access to
    the block device.

    From a quality of implementation perspective, it's best that even if
    the system administrator does something that they shouldn't, that it
    will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info()
    will call ext4_error and return NULL. We also add fallback code in
    all of the callers of ext4_get_group_info() that it might return NULL.

    Also, since ext4_get_group_info() was already borderline to be an
    inline function, un-inline it. This results in a net reduction of the
    compiled text size of ext4 by roughly 2k.

    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu
    Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
    Signed-off-by: Theodore Ts'o
    Reviewed-by: Jan Kara
    Signed-off-by: Sasha Levin

 fs/ext4/balloc.c  | 18 +++++++++++++++-
 fs/ext4/ext4.h    | 15 ++-----------
 fs/ext4/ialloc.c  | 12 +++++++----
 fs/ext4/mballoc.c | 64 +++++++++++++++++++++++++++++++++++++++++++++----------
 fs/ext4/super.c   |  2 ++
 5 files changed, 82 insertions(+), 29 deletions(-)
accumulated error probability: 0.00
culprit signature: 446fe6e25d10a3129f036b6e50a21119ca20020dabfd0345adefbd18a2bd4500
parent signature: 7ef7493577c728505f0951e4a172f5abf39dbbaccfdef018fae517688e80fc79
revisions tested: 19, total time: 5h26m30.754204556s (build: 3h9m42.631844118s, test: 2h7m31.270319179s)
first good commit: 620a3c28221bb219b81bc0bffd065cc187494302 ext4: allow ext4_get_group_info() to fail
recipients (to): ["jack@suse.cz" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []