bisecting fixing commit since 030194a5b292bb7613407668d85af0b987bb9839
building syzkaller on 4a003785c5484e99127a20e069a5edddcb8c24d5
testing commit 030194a5b292bb7613407668d85af0b987bb9839
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 672b7f903ab9ae27f1347a305cf690481b9b2192f6575b44ca90222cedb59999
all runs: crashed: KASAN: use-after-free Read in search_by_entry_key
testing current HEAD b172b44fcb1771e083aad806fa96f3f60e2ddfac
testing commit b172b44fcb1771e083aad806fa96f3f60e2ddfac
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: df6a315be085c62a88dae2b75ead540788ec7f019a605ca7f4a4131c63cacdc1
all runs: OK
# git bisect start b172b44fcb1771e083aad806fa96f3f60e2ddfac 030194a5b292bb7613407668d85af0b987bb9839
Bisecting: 1064 revisions left to test after this (roughly 10 steps)
[a92212ef6326c8dc09003c7af4e1ba7da0b77e44] hugetlbfs: hugetlb_fault_mutex_hash() cleanup
testing commit a92212ef6326c8dc09003c7af4e1ba7da0b77e44
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 831b18f35b8ebd32eb67fd9b87977f3edc6841c57a600f6cd4ad83415d87d4d9
all runs: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good a92212ef6326c8dc09003c7af4e1ba7da0b77e44
Bisecting: 532 revisions left to test after this (roughly 9 steps)
[cba5008c8581a5cdebf62b1d4699148c606ab423] net: fix mistake path for netdev_features_strings
testing commit cba5008c8581a5cdebf62b1d4699148c606ab423
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 1a8409a2a8054f9962492ce76abe1af3ca0e95ebf80a24482bebf2b4931f7310
run #0: crashed: KASAN: use-after-free Read in search_by_entry_key
run #1: crashed: KASAN: use-after-free Read in search_by_entry_key
run #2: crashed: KASAN: out-of-bounds Read in search_by_entry_key
run #3: crashed: KASAN: use-after-free Read in search_by_entry_key
run #4: crashed: KASAN: use-after-free Read in search_by_entry_key
run #5: crashed: KASAN: use-after-free Read in search_by_entry_key
run #6: crashed: KASAN: use-after-free Read in search_by_entry_key
run #7: crashed: KASAN: use-after-free Read in search_by_entry_key
run #8: crashed: KASAN: use-after-free Read in search_by_entry_key
run #9: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good cba5008c8581a5cdebf62b1d4699148c606ab423
Bisecting: 266 revisions left to test after this (roughly 8 steps)
[6a99bfee7f5625d2577a5c3b09a2bd2a845feb8a] tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.
testing commit 6a99bfee7f5625d2577a5c3b09a2bd2a845feb8a
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 186991668e919ffe57be69a5ae56ed77dfa19287a9700009057f1aca4952bc3a
all runs: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good 6a99bfee7f5625d2577a5c3b09a2bd2a845feb8a
Bisecting: 133 revisions left to test after this (roughly 7 steps)
[4d7ee5d0a6a960f1790be3c9a0c71573405df63a] reiserfs: check directory items on read from disk
testing commit 4d7ee5d0a6a960f1790be3c9a0c71573405df63a
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 281cfe988b5cdc3dcdedb9c276fcdf55b6ff7a2326250e60ad2e539d9fe7b21a
all runs: OK
# git bisect bad 4d7ee5d0a6a960f1790be3c9a0c71573405df63a
Bisecting: 66 revisions left to test after this (roughly 6 steps)
[6ca2f514c57864e3085a65c5e9d2adca4144bc4c] Linux 4.19.201
testing commit 6ca2f514c57864e3085a65c5e9d2adca4144bc4c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: f69711e67f21f203ad38ca2d8d2f2b92932f840d38a2ece1ae7d73b7f69b702d
run #0: crashed: KASAN: out-of-bounds Read in search_by_entry_key
run #1: crashed: KASAN: use-after-free Read in search_by_entry_key
run #2: crashed: KASAN: use-after-free Read in search_by_entry_key
run #3: crashed: KASAN: use-after-free Read in search_by_entry_key
run #4: crashed: KASAN: use-after-free Read in search_by_entry_key
run #5: crashed: KASAN: use-after-free Read in search_by_entry_key
run #6: crashed: KASAN: use-after-free Read in search_by_entry_key
run #7: crashed: KASAN: use-after-free Read in search_by_entry_key
run #8: crashed: KASAN: use-after-free Read in search_by_entry_key
run #9: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good 6ca2f514c57864e3085a65c5e9d2adca4144bc4c
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[423cbae7ee2a70ea8dd0bc129aa3aa32c54e0f12] net: pegasus: fix uninit-value in get_interrupt_interval
testing commit 423cbae7ee2a70ea8dd0bc129aa3aa32c54e0f12
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: aa19a775bffcb016347e9e460b0b60bccdab90a5af1c3385fc27c9047bfec57a
all runs: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good 423cbae7ee2a70ea8dd0bc129aa3aa32c54e0f12
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[43cba13ff1e793c0e1e1e317c951dea63710290e] tracing / histogram: Give calculation hist_fields a size
testing commit 43cba13ff1e793c0e1e1e317c951dea63710290e
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 89ce722585abb70124330ada46f08e4af7e41cfbe5e4b9ab73534613f14af1b2
run #0: crashed: KASAN: use-after-free Read in search_by_entry_key
run #1: crashed: KASAN: use-after-free Read in search_by_entry_key
run #2: crashed: KASAN: use-after-free Read in search_by_entry_key
run #3: crashed: KASAN: use-after-free Read in search_by_entry_key
run #4: crashed: KASAN: use-after-free Read in search_by_entry_key
run #5: crashed: KASAN: out-of-bounds Read in search_by_entry_key
run #6: crashed: KASAN: use-after-free Read in search_by_entry_key
run #7: crashed: KASAN: use-after-free Read in search_by_entry_key
run #8: crashed: KASAN: use-after-free Read in search_by_entry_key
run #9: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good 43cba13ff1e793c0e1e1e317c951dea63710290e
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[0d631eeedf40ab717f8472fb5d743a16416e5218] MIPS: Malta: Do not byte-swap accesses to the CBUS UART
testing commit 0d631eeedf40ab717f8472fb5d743a16416e5218
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 0903a88bc9f68a629408cec7fbfb01d0c851e8bec8b32c4a35d20ca388124871
run #0: crashed: KASAN: use-after-free Read in search_by_entry_key
run #1: crashed: KASAN: use-after-free Read in search_by_entry_key
run #2: crashed: KASAN: out-of-bounds Read in search_by_entry_key
run #3: crashed: KASAN: use-after-free Read in search_by_entry_key
run #4: crashed: KASAN: use-after-free Read in search_by_entry_key
run #5: crashed: KASAN: use-after-free Read in search_by_entry_key
run #6: crashed: KASAN: use-after-free Read in search_by_entry_key
run #7: crashed: KASAN: use-after-free Read in search_by_entry_key
run #8: crashed: KASAN: use-after-free Read in search_by_entry_key
run #9: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good 0d631eeedf40ab717f8472fb5d743a16416e5218
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[683b47d0ebb10ba0d272604b09686e023d10d40c] spi: meson-spicc: fix memory leak in meson_spicc_remove
testing commit 683b47d0ebb10ba0d272604b09686e023d10d40c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: c9d4aee494db57c3e36c60efe8038d22a6b5d1301e35e81b6251f5e4c27e3374
run #0: crashed: KASAN: use-after-free Read in search_by_entry_key
run #1: crashed: KASAN: use-after-free Read in search_by_entry_key
run #2: crashed: KASAN: out-of-bounds Read in search_by_entry_key
run #3: crashed: KASAN: use-after-free Read in search_by_entry_key
run #4: crashed: KASAN: use-after-free Read in search_by_entry_key
run #5: crashed: KASAN: use-after-free Read in search_by_entry_key
run #6: crashed: KASAN: use-after-free Read in search_by_entry_key
run #7: crashed: KASAN: use-after-free Read in search_by_entry_key
run #8: crashed: KASAN: use-after-free Read in search_by_entry_key
run #9: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good 683b47d0ebb10ba0d272604b09686e023d10d40c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[8d0f60617bc108e866c26fbd1a9f11cc5f3c3014] qmi_wwan: add network device usage statistics for qmimux devices
testing commit 8d0f60617bc108e866c26fbd1a9f11cc5f3c3014
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 8bccf7f9ec6f74904ad72f12c995ad1c0cd039c00875ea5e0d533e1761fbad34
all runs: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good 8d0f60617bc108e866c26fbd1a9f11cc5f3c3014
Bisecting: 0 revisions left to test after this (roughly 1 step)
[df2f583b63637f9f882ba604cf23e0336de82220] reiserfs: add check for root_inode in reiserfs_fill_super
testing commit df2f583b63637f9f882ba604cf23e0336de82220
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 5e38f12654fb602611c688f84075e09473d17d6401f562f52d16ec22517945f0
all runs: OK
# git bisect bad df2f583b63637f9f882ba604cf23e0336de82220
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[5d4f303010b717a05ec560dc1228918116f58637] libata: fix ata_pio_sector for CONFIG_HIGHMEM
testing commit 5d4f303010b717a05ec560dc1228918116f58637
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 30ada7de3ef8bc04ccc87f727d91e9f8264f3a1726e45f86006290fa5966a7d3
all runs: crashed: KASAN: use-after-free Read in search_by_entry_key
# git bisect good 5d4f303010b717a05ec560dc1228918116f58637
df2f583b63637f9f882ba604cf23e0336de82220 is the first bad commit
commit df2f583b63637f9f882ba604cf23e0336de82220
Author: Yu Kuai
Date:   Fri Jul 2 12:07:43 2021 +0800

    reiserfs: add check for root_inode in reiserfs_fill_super

    [ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ]

    Our syzkaller reports a NULL pointer dereference:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0
    Oops: 0010 [#1] SMP KASAN
    CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4
    RIP: 0010:0x0
    Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
    RSP: 0018:ffff888114e779b8 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa
    RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0
    RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001
    R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00
    R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0
    FS:  00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     __lookup_slow+0x116/0x2d0
     ? page_put_link+0x120/0x120
     ? __d_lookup+0xfc/0x320
     ? d_lookup+0x49/0x90
     lookup_one_len+0x13c/0x170
     ? __lookup_slow+0x2d0/0x2d0
     ? reiserfs_schedule_old_flush+0x31/0x130
     reiserfs_lookup_privroot+0x64/0x150
     reiserfs_fill_super+0x158c/0x1b90
     ? finish_unfinished+0xb10/0xb10
     ? bprintf+0xe0/0xe0
     ? __mutex_lock_slowpath+0x30/0x30
     ? __kasan_check_write+0x20/0x30
     ? up_write+0x51/0xb0
     ? set_blocksize+0x9f/0x1f0
     mount_bdev+0x27c/0x2d0
     ? finish_unfinished+0xb10/0xb10
     ? reiserfs_kill_sb+0x120/0x120
     get_super_block+0x19/0x30
     legacy_get_tree+0x76/0xf0
     vfs_get_tree+0x49/0x160
     ? capable+0x1d/0x30
     path_mount+0xacc/0x1380
     ? putname+0x97/0xd0
     ? finish_automount+0x450/0x450
     ? kmem_cache_free+0xf8/0x5a0
     ? putname+0x97/0xd0
     do_mount+0xe2/0x110
     ? path_mount+0x1380/0x1380
     ? copy_mount_options+0x69/0x140
     __x64_sys_mount+0xf0/0x190
     do_syscall_64+0x35/0x80
     entry_SYSCALL_64_after_hwframe+0x44/0xae

    This is because 'root_inode' is initialized with wrong mode, and its
    i_op is set to 'reiserfs_special_inode_operations'. Thus add check
    for 'root_inode' to fix the problem.

    Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com
    Signed-off-by: Yu Kuai
    Signed-off-by: Jan Kara
    Signed-off-by: Sasha Levin

 fs/reiserfs/super.c | 8 ++++++++
 1 file changed, 8 insertions(+)

culprit signature: 5e38f12654fb602611c688f84075e09473d17d6401f562f52d16ec22517945f0
parent signature: 30ada7de3ef8bc04ccc87f727d91e9f8264f3a1726e45f86006290fa5966a7d3
revisions tested: 14, total time: 3h12m10.870579118s (build: 2h3m13.530089161s, test: 1h7m38.824916267s)
first good commit: df2f583b63637f9f882ba604cf23e0336de82220 reiserfs: add check for root_inode in reiserfs_fill_super
recipients (to): ["jack@suse.cz" "sashal@kernel.org" "yukuai3@huawei.com"]
recipients (cc): []