bisecting fixing commit since b850307b279cbd12ab8c654d1a3dfe55319cc475
building syzkaller on 9ebcc5b1a8145326065b932958d82ada85a5c224
testing commit b850307b279cbd12ab8c654d1a3dfe55319cc475 with gcc (GCC) 8.1.0
kernel signature: 9745dbdfdbb2953fe0054449a7f9f8bfd4f80cbbd9777f971ffb45f6d5ac8e09
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
testing current HEAD 458a534cac0c808fce164cc961f8384ffc8c455e
testing commit 458a534cac0c808fce164cc961f8384ffc8c455e with gcc (GCC) 8.1.0
kernel signature: ef94a7a9bdbede76fadc02ca8fde7c7ac05bacd5dfd22bc9f4a8019fd7b2b2d7
all runs: OK
# git bisect start 458a534cac0c808fce164cc961f8384ffc8c455e b850307b279cbd12ab8c654d1a3dfe55319cc475
Bisecting: 566 revisions left to test after this (roughly 9 steps)
[9255e73a4d372babdb3095561952696d0330bd74] mac80211: allow rx of mesh eapol frames with default rx key
testing commit 9255e73a4d372babdb3095561952696d0330bd74 with gcc (GCC) 8.1.0
kernel signature: 0b904ee81860169cf0e2dba78ecb1dee62dc135db4ea2fe3638673b7720b3186
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: slab-out-of-bounds Read in get_block
run #3: crashed: KASAN: out-of-bounds Read in get_block
run #4: crashed: KASAN: slab-out-of-bounds Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 9255e73a4d372babdb3095561952696d0330bd74
Bisecting: 283 revisions left to test after this (roughly 8 steps)
[99e69b921dae3ebe63d2c424ce00f91b4cab2826] crypto: ccp - Fix use of merged scatterlists
testing commit 99e69b921dae3ebe63d2c424ce00f91b4cab2826 with gcc (GCC) 8.1.0
kernel signature: 920f76cdd421f592dc793e79e53868f4dd77109b60a91d7fe678428a2e18174c
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: slab-out-of-bounds Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: out-of-bounds Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
# git bisect good 99e69b921dae3ebe63d2c424ce00f91b4cab2826
Bisecting: 141 revisions left to test after this (roughly 7 steps)
[4704cd249f8d28c5cd9fe29148e6833f0dd54b02] drm/amdkfd: Fix reference count leaks.
testing commit 4704cd249f8d28c5cd9fe29148e6833f0dd54b02 with gcc (GCC) 8.1.0
kernel signature: ef1b25e33cc8672e4b0d2fcd05f0833c14cc53fb8becac8fac2e9e6ea9c39e1c
all runs: OK
# git bisect bad 4704cd249f8d28c5cd9fe29148e6833f0dd54b02
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[da54edbe563866eb2bd57a12bc8f76ddc88fc369] genirq/affinity: Handle affinity setting on inactive interrupts correctly
testing commit da54edbe563866eb2bd57a12bc8f76ddc88fc369 with gcc (GCC) 8.1.0
kernel signature: 7a2388e9e2954611912747e2c2aed5f116422da54955b07254a37af1f9a30208
all runs: OK
# git bisect bad da54edbe563866eb2bd57a12bc8f76ddc88fc369
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[2b5858751a051fbd7ad7dc831fadf8bbed741ccc] ftrace: Setup correct FTRACE_FL_REGS flags for module
testing commit 2b5858751a051fbd7ad7dc831fadf8bbed741ccc with gcc (GCC) 8.1.0
kernel signature: c7c8418bbd2961217abfb5d1193c3f5d2f0b4a3c6000205b6e5ce7ea17ad5f1c
all runs: OK
# git bisect bad 2b5858751a051fbd7ad7dc831fadf8bbed741ccc
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[233f70bdb12800fce6b153c270ec987acbaa773b] smb3: warn on confusing error scenario with sec=krb5
testing commit 233f70bdb12800fce6b153c270ec987acbaa773b with gcc (GCC) 8.1.0
kernel signature: a01c57b7d1336b2e504ed9df5d4ab6bd7f8b0e54400ef08bee9c30b05f98cbca
all runs: OK
# git bisect bad 233f70bdb12800fce6b153c270ec987acbaa773b
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[2fd8f313a9fdeb06986bd2bb8caa7c87602b9729] spi: spidev: Align buffers for DMA
testing commit 2fd8f313a9fdeb06986bd2bb8caa7c87602b9729 with gcc (GCC) 8.1.0
kernel signature: 2deda49ae2115a83d90140cb248f5271f9ec48b3e4d1e5ffa9adf0da628a8169
all runs: OK
# git bisect bad 2fd8f313a9fdeb06986bd2bb8caa7c87602b9729
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[12490f06ef084bc34f5e5dbda104aa034e376f2e] fs/minix: don't allow getting deleted inodes
testing commit 12490f06ef084bc34f5e5dbda104aa034e376f2e with gcc (GCC) 8.1.0
kernel signature: 5d044696defe3f9d86254756ffcf349f3c0cf49a13c4cba39e29cde3c3551251
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: slab-out-of-bounds Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
# git bisect good 12490f06ef084bc34f5e5dbda104aa034e376f2e
Bisecting: 1 revision left to test after this (roughly 1 step)
[ff114bcd7635211d051c6031fac800fd45424ece] ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
testing commit ff114bcd7635211d051c6031fac800fd45424ece with gcc (GCC) 8.1.0
kernel signature: 707220991727d56854b53bfe9e9257f30a38b977f408302a370576fa83cf4a17
all runs: OK
# git bisect bad ff114bcd7635211d051c6031fac800fd45424ece
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0900097ef667097b0a4afb0155a4f5add77ece19] fs/minix: reject too-large maximum file size
testing commit 0900097ef667097b0a4afb0155a4f5add77ece19 with gcc (GCC) 8.1.0
kernel signature: 7d9a4b7e2445659d68b1e25320d0bcdfa1c8930167f4fdc310742f841e7076a5
all runs: OK
# git bisect bad 0900097ef667097b0a4afb0155a4f5add77ece19
0900097ef667097b0a4afb0155a4f5add77ece19 is the first bad commit
commit 0900097ef667097b0a4afb0155a4f5add77ece19
Author: Eric Biggers
Date:   Tue Aug 11 18:35:30 2020 -0700

    fs/minix: reject too-large maximum file size

    commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.

    If the minix filesystem tries to map a very large logical block number
    to its on-disk location, block_to_path() can return offsets that are
    too large, causing out-of-bounds memory accesses when accessing
    indirect index blocks. This should be prevented by the check against
    the maximum file size, but this doesn't work because the maximum file
    size is read directly from the on-disk superblock and isn't validated
    itself.

    Fix this by validating the maximum file size at mount time.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
    Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
    Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers
    Signed-off-by: Andrew Morton
    Cc: Alexander Viro
    Cc: Qiujun Huang
    Cc:
    Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

culprit signature: 7d9a4b7e2445659d68b1e25320d0bcdfa1c8930167f4fdc310742f841e7076a5
parent signature: 5d044696defe3f9d86254756ffcf349f3c0cf49a13c4cba39e29cde3c3551251
revisions tested: 12, total time: 3h49m12.932462677s (build: 2h8m54.198415995s, test: 1h38m10.242928695s)
first good commit: 0900097ef667097b0a4afb0155a4f5add77ece19 fs/minix: reject too-large maximum file size
recipients (to): ["akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]
recipients (cc): []