ci2 starts bisection 2025-05-25 02:13:23.281767509 +0000 UTC m=+81556.368256396
bisecting fixing commit since 094fc3778d6b9c795d8075cf20171fe70ace5af2
building syzkaller on 1c65791efe9456a21463647b20027e6f8c2c21af
ensuring issue is reproducible on original commit 094fc3778d6b9c795d8075cf20171fe70ace5af2
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a145a457e72fc8a49d088ff06b4a9cc94e2fd86008f8e4f491c35f4a9d9c6018
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 49a4f6665558c0f41eee5ba9ef703b34f8106e8a8430ab541366824d2c725688
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
kconfig minimization: base=4788 full=6023 leaves diff=246
split chunks (needed=false): <246>
split chunk #0 of len 246 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 405d5217215211950b41275587c0d75f3995ded1d2d3b1eff112384dc6820994
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c5bf3432cbd1e0c91e0688f614e05c0e5790ad4e15f62a2ee4a9f3b002454878
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bb3558170359a95acf588d571f180a935e197c4dc8001e492d254c61314c2818
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d7bf1db2e69dfbcabd97dfd87258f3ebef8459e234275fecaaad74db18210c07
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 094fc3778d6b9c795d8075cf20171fe70ace5af2: net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 7e2543346ff7ecc2e4fff0c95767c72c5ac165c6
testing commit 7e2543346ff7ecc2e4fff0c95767c72c5ac165c6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f1489df576747e49a94374282ff4b1174824920913b65328d1fcfffbca5eaaea
all runs: OK
false negative chance: 0.000
# git bisect start 7e2543346ff7ecc2e4fff0c95767c72c5ac165c6 094fc3778d6b9c795d8075cf20171fe70ace5af2
Bisecting: 492 revisions left to test after this (roughly 9 steps)
[369b1017006f084230dcf82bef9367c9f1a1889f] i2c: ali15x3: Fix an error handling path in ali15x3_probe()
determine whether the revision contains the guilty commit
checking the merge base 9d091e874b660fb70feb5e69ac34c66fcda4eea5
no existing result, test the revision
testing commit 9d091e874b660fb70feb5e69ac34c66fcda4eea5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3042954b7962d998b99ec9ba224681c2fd5751814e43b270e6255e6ffd0502dc
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
testing commit 369b1017006f084230dcf82bef9367c9f1a1889f gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0856c5616a2c1ca43976d3bb635c8f5a2f21290eaf8475c6b8baba92c42c972e
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 369b1017006f084230dcf82bef9367c9f1a1889f
Bisecting: 246 revisions left to test after this (roughly 8 steps)
[6dc88993ee3fa8365ff6a5d6514702f70ba6863a] mfd: ene-kb3930: Fix a potential NULL pointer dereference
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 6dc88993ee3fa8365ff6a5d6514702f70ba6863a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a1188201e28d2d2f84a69767124d3cfc66382ea455c67a8e93a0bd304a9c7a96
all runs: OK
false negative chance: 0.000
# git bisect bad 6dc88993ee3fa8365ff6a5d6514702f70ba6863a
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[448302d21157442369bd783fba12667757349112] nvme-tcp: fix possible UAF in nvme_tcp_poll
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 448302d21157442369bd783fba12667757349112 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dcbfeeeaeb5cfa5e4d7be09602e775370e313337e91c1a87f8e597a23e234921
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 448302d21157442369bd783fba12667757349112
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[3fac73afcb96f0e2013bcaf1121bbf5bd38761a6] xen/mcelog: Add __nonstring annotations for unterminated strings
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 3fac73afcb96f0e2013bcaf1121bbf5bd38761a6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 86ca56eac0a17d637abdb67853755db7e99f1a02db0dfcf88d9cd4ffa25496c4
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 3fac73afcb96f0e2013bcaf1121bbf5bd38761a6
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[9b6aa900cb569a30df63e347322c67054b9c0b1c] pwm: rcar: Simplify multiplication/shift logic
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 9b6aa900cb569a30df63e347322c67054b9c0b1c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ee66ee2a12c5712ddfcd83d9f22ebd14a924aa607da1dcfe42ac8a5a681dfa57
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 9b6aa900cb569a30df63e347322c67054b9c0b1c
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[9582b1e06dc8cfb5f39b998248e9fed1e3d604cd] spi: cadence-qspi: Fix probe on AM62A LP SK
determine whether the revision contains the guilty commit
revision 3fac73afcb96f0e2013bcaf1121bbf5bd38761a6 crashed and is reachable
testing commit 9582b1e06dc8cfb5f39b998248e9fed1e3d604cd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bcb97dbbf09b600427eb951ede17f465558fd2559d234bdfdd40c652827b371b
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 9582b1e06dc8cfb5f39b998248e9fed1e3d604cd
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[9ef3a0921a9523ddf55c0128ac5bb79f529aa83e] mtd: Replace kcalloc() with devm_kcalloc()
determine whether the revision contains the guilty commit
revision 448302d21157442369bd783fba12667757349112 crashed and is reachable
testing commit 9ef3a0921a9523ddf55c0128ac5bb79f529aa83e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 17724ba51a7bd4eba0e6e817ec33f9ef9d062d9bd5023ab78ae8009001cb571e
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 9ef3a0921a9523ddf55c0128ac5bb79f529aa83e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[515c34cff899eb5dae6aa7eee01c1295b07d81af] ext4: fix off-by-one error in do_split
determine whether the revision contains the guilty commit
revision 3fac73afcb96f0e2013bcaf1121bbf5bd38761a6 crashed and is reachable
testing commit 515c34cff899eb5dae6aa7eee01c1295b07d81af gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f08bc535fa86c5782d34a1dab181e1f75b2fa00d1a71ab9fa062d2854bc22b6f
all runs: OK
false negative chance: 0.000
# git bisect bad 515c34cff899eb5dae6aa7eee01c1295b07d81af
Bisecting: 1 revision left to test after this (roughly 1 step)
[06e7606002963998e0bb1778a09b3bda21f43a09] wifi: mac80211: fix integer overflow in hwmp_route_info_get()
determine whether the revision contains the guilty commit
revision 3fac73afcb96f0e2013bcaf1121bbf5bd38761a6 crashed and is reachable
testing commit 06e7606002963998e0bb1778a09b3bda21f43a09 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 43de7aeadc3cb345256b27ff95c03f0626b05761613eb4b90dcaa99ebbfb4a7d
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 06e7606002963998e0bb1778a09b3bda21f43a09
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[887ccb6bc6a5993bafe7ec651a0c1893ba437d10] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 887ccb6bc6a5993bafe7ec651a0c1893ba437d10 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 21f8acb3c92c35e388a7ad6ce238050245e75dd3d2d52d3fabada66f17b4c5b5
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 887ccb6bc6a5993bafe7ec651a0c1893ba437d10
515c34cff899eb5dae6aa7eee01c1295b07d81af is the first bad commit
commit 515c34cff899eb5dae6aa7eee01c1295b07d81af
Author: Artem Sadovnikov
Date:   Fri Apr 4 08:28:05 2025 +0000

    ext4: fix off-by-one error in do_split

    commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.

    Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
    caused by out-of-bounds access due to incorrect splitting in do_split.

    BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
    Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

    CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
    Call Trace:
     __dump_stack lib/dump_stack.c:94 [inline]
     dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
     print_address_description mm/kasan/report.c:377 [inline]
     print_report+0x169/0x550 mm/kasan/report.c:488
     kasan_report+0x143/0x180 mm/kasan/report.c:601
     kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
     __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
     ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
     add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
     make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
     ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
     ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
     ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
     vfs_symlink+0x137/0x2e0 fs/namei.c:4615
     do_symlinkat+0x222/0x3a0 fs/namei.c:4641
     __do_sys_symlink fs/namei.c:4662 [inline]
     __se_sys_symlink fs/namei.c:4660 [inline]
     __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    The following loop is located right above 'if' statement.

    for (i = count-1; i >= 0; i--) {
    	/* is more than half of this entry in 2nd half of the block? */
    	if (size + map[i].size/2 > blocksize/2)
    		break;
    	size += map[i].size;
    	move++;
    }

    'i' in this case could go down to -1, in which case sum of active entries
    wouldn't exceed half the block size, but previous behaviour would also do
    split in half if sum would exceed at the very last block, which in case of
    having too many long name files in a single block could lead to
    out-of-bounds access and following use-after-free.

    Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

    Cc: stable@vger.kernel.org
    Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
    Signed-off-by: Artem Sadovnikov
    Reviewed-by: Jan Kara
    Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

 fs/ext4/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: f08bc535fa86c5782d34a1dab181e1f75b2fa00d1a71ab9fa062d2854bc22b6f
parent signature: 21f8acb3c92c35e388a7ad6ce238050245e75dd3d2d52d3fabada66f17b4c5b5
revisions tested: 18, total time: 4h54m36.851270409s (build: 2h38m0.497244312s, test: 2h13m8.674914516s)
first good commit: 515c34cff899eb5dae6aa7eee01c1295b07d81af ext4: fix off-by-one error in do_split
recipients (to): ["a.sadovnikov@ispras.ru" "gregkh@linuxfoundation.org" "jack@suse.cz" "tytso@mit.edu"]
recipients (cc): []