ci2 starts bisection 2023-09-05 18:55:01.864469756 +0000 UTC m=+61113.971701948
bisecting fixing commit since 19c0ed55a470d1cd766484abab04871b648560fb
building syzkaller on 76decb8275c764d309b8daf5ab9dc573b2411ddf
ensuring issue is reproducible on original commit 19c0ed55a470d1cd766484abab04871b648560fb
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5aa6a8feec2c1747b537596a5d2274e93441214006aca6d383200ccec41c2fd9
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a62ed9215b2557956dc806485a07014a3c5a77c1dae95605f88ba8d3d8a40be6
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=4920 full=6166 leaves diff=244
split chunks (needed=false): <244>
split chunk #0 of len 244 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4838db6b7dcb2e97ef4bdec07740bb97032406c18e8f88ce2df51361f4fcbcdf
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ac2dd5bab822d112026721cfa400e07f947a1b96682b624050f1fb4167c6dfcd
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 89dad3f8b54d4653e1c1a716c3222223212b4f9a8f5488a3be3159cd2398b0ef
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad4c5506a231595d68ab1d6b7b384c738a4b6062f8cda50cc485c1e8e65dcbac
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 19c0ed55a470d1cd766484abab04871b648560fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 19c0ed55a470d1cd766484abab04871b648560fb:
net/socket.c:1172: undefined reference to `wext_handle_ioctl'
net/socket.c:3366: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing current HEAD 1317bd27a72f76b46e44e146c26202186c5fff6a
testing commit 1317bd27a72f76b46e44e146c26202186c5fff6a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 450f7008b56d4265d9ccb9e1233e76cccac05ec7995906129e92a89612c43e7a
all runs: OK
false negative chance: 0.000
# git bisect start 1317bd27a72f76b46e44e146c26202186c5fff6a 19c0ed55a470d1cd766484abab04871b648560fb
Bisecting: 1581 revisions left to test after this (roughly 11 steps)
[cf78062aa9887e97f3d4f11adde92d1e56c6fe03] x86/mm: Fix __swp_entry_to_pte() for Xen PV guests
determine whether the revision contains the guilty commit
checking the merge base d86dfc4d95cd218246b10ca7adf22c8626547599
no existing result, test the revision
testing commit d86dfc4d95cd218246b10ca7adf22c8626547599 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3655f6e0aac1e103c3b3bfc1f263f77d0b11139b74df479dc21137ab6ad024a6
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
testing commit cf78062aa9887e97f3d4f11adde92d1e56c6fe03 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4d4542cdfd3e6347ac3dd9211ad9ddc85b701dbdcff15b278b73caf32c85f403
all runs: OK
false negative chance: 0.000
# git bisect bad cf78062aa9887e97f3d4f11adde92d1e56c6fe03
Bisecting: 789 revisions left to test after this (roughly 10 steps)
[96b3233f42fbf789bcb0237cbf6dc108334205e6] fbdev: arcfb: Fix error handling in arcfb_probe()
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit 96b3233f42fbf789bcb0237cbf6dc108334205e6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 580ac1744ae5643a711cd58bd9955bd2f73c6ef11014d302d5ad4e40e91a06e3
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good 96b3233f42fbf789bcb0237cbf6dc108334205e6
Bisecting: 394 revisions left to test after this (roughly 9 steps)
[7099a87cf5ee8bc0a74d92d90bfbd43146578cbe] net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit 7099a87cf5ee8bc0a74d92d90bfbd43146578cbe gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 925e4071624502ca32da9beb7a6cf87d814677d66cb08b8b560c3ae0b677fcbd
all runs: OK
false negative chance: 0.000
# git bisect bad 7099a87cf5ee8bc0a74d92d90bfbd43146578cbe
Bisecting: 197 revisions left to test after this (roughly 8 steps)
[9be921854e983a81a0aeeae5febcd87093086e46] net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
determine whether the revision contains the guilty commit
revision 96b3233f42fbf789bcb0237cbf6dc108334205e6 crashed and is reachable
testing commit 9be921854e983a81a0aeeae5febcd87093086e46 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b435a81644c7b37b9f6a0ce1d5382591a71620d7dd4da9f7b6f709557471364d
all runs: OK
false negative chance: 0.000
# git bisect bad 9be921854e983a81a0aeeae5febcd87093086e46
Bisecting: 98 revisions left to test after this (roughly 7 steps)
[bbb5ac533ca6c4e2775a95388c9c0c610bb442b7] ALSA: firewire-digi00x: prevent potential use after free
determine whether the revision contains the guilty commit
revision 96b3233f42fbf789bcb0237cbf6dc108334205e6 crashed and is reachable
testing commit bbb5ac533ca6c4e2775a95388c9c0c610bb442b7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 87409563211c0a4a133a91cb0b8c42436798ae1e2aae225ba85afb5ee563289a
all runs: OK
false negative chance: 0.000
# git bisect bad bbb5ac533ca6c4e2775a95388c9c0c610bb442b7
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[3d3f8fe01a01d94a17fe1ae0d2e894049a972717] wifi: ath11k: Fix SKB corruption in REO destination ring
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit 3d3f8fe01a01d94a17fe1ae0d2e894049a972717 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 61b76ecfaaee71de53568ab88b5969b43d7121ada90ab69e5f1cca65c90b3f03
all runs: OK
false negative chance: 0.000
# git bisect bad 3d3f8fe01a01d94a17fe1ae0d2e894049a972717
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[66acfe798cd08b36cfbb65a30fab3159811304a7] drm/amd: Fix an out of bounds error in BIOS parser
determine whether the revision contains the guilty commit
revision 96b3233f42fbf789bcb0237cbf6dc108334205e6 crashed and is reachable
testing commit 66acfe798cd08b36cfbb65a30fab3159811304a7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a0e87b5e4d6f1e166167cd26ba84e0fa7215b6dff8820f7234e20473edd63f71
all runs: OK
false negative chance: 0.000
# git bisect bad 66acfe798cd08b36cfbb65a30fab3159811304a7
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[15856ab95617ec720167f55af8428ea1acc0a5a4] regmap: cache: Return error in cache sync operations for REGCACHE_NONE
determine whether the revision contains the guilty commit
revision 96b3233f42fbf789bcb0237cbf6dc108334205e6 crashed and is reachable
testing commit 15856ab95617ec720167f55af8428ea1acc0a5a4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: da78917310bc38b5f09ffb545afd513f95274a2f0c64c5b6ee67b252bcdbc813
all runs: OK
false negative chance: 0.000
# git bisect bad 15856ab95617ec720167f55af8428ea1acc0a5a4
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[620a3c28221bb219b81bc0bffd065cc187494302] ext4: allow ext4_get_group_info() to fail
determine whether the revision contains the guilty commit
revision d86dfc4d95cd218246b10ca7adf22c8626547599 crashed and is reachable
testing commit 620a3c28221bb219b81bc0bffd065cc187494302 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7f42423a7b07e978ad7862d902efb0940b57a6d3d5e6373501e1785931aa04d2
all runs: OK
false negative chance: 0.000
# git bisect bad 620a3c28221bb219b81bc0bffd065cc187494302
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[c53936d9fb35287ed81ec412a5b494729268a64d] ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled
determine whether the revision contains the guilty commit
revision 96b3233f42fbf789bcb0237cbf6dc108334205e6 crashed and is reachable
testing commit c53936d9fb35287ed81ec412a5b494729268a64d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5698c6eca992f8b261b7db66a0cd16468243145d97286536cc4fb8573165de8c
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good c53936d9fb35287ed81ec412a5b494729268a64d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[99f7ce0fac2205eb4d66100d3256b7da410efcb4] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
determine whether the revision contains the guilty commit
revision 96b3233f42fbf789bcb0237cbf6dc108334205e6 crashed and is reachable
testing commit 99f7ce0fac2205eb4d66100d3256b7da410efcb4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8bdac0323c53393eaf675f1204f6428288ee7cfec4266adc30fce8cc7e785f92
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good 99f7ce0fac2205eb4d66100d3256b7da410efcb4
620a3c28221bb219b81bc0bffd065cc187494302 is the first bad commit
commit 620a3c28221bb219b81bc0bffd065cc187494302
Author: Theodore Ts'o
Date: Sat Apr 29 00:06:28 2023 -0400

ext4: allow ext4_get_group_info() to fail

[ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ]

Previously, ext4_get_group_info() would treat an invalid group number as BUG(), since in theory it should never happen. However, if a malicious attacker (or fuzzer) modifies the superblock via the block device while the file system is mounted, it is possible for s_first_data_block to get set to a very large number. In that case, when calculating the block group of some block number (such as the starting block of a preallocation region), could result in an underflow and very large block group number. Then the BUG_ON check in ext4_get_group_info() would fire, resulting in a denial of service attack that can be triggered by root or someone with write access to the block device.

For a quality of implementation perspective, it's best that even if the system administrator does something that they shouldn't, that it will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info() will call ext4_error and return NULL. We also add fallback code in all of the callers of ext4_get_group_info() that it might NULL.

Also, since ext4_get_group_info() was already borderline to be an inline function, un-inline it. The results in a next reduction of the compiled text size of ext4 by roughly 2k.

Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu
Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
Signed-off-by: Theodore Ts'o
Reviewed-by: Jan Kara
Signed-off-by: Sasha Levin

fs/ext4/balloc.c  | 18 +++++++++++++++-
fs/ext4/ext4.h    | 15 ++-----------
fs/ext4/ialloc.c  | 12 +++++++----
fs/ext4/mballoc.c | 64 +++++++++++++++++++++++++++++++++++++++++++++----------
fs/ext4/super.c   |  2 ++
5 files changed, 82 insertions(+), 29 deletions(-)

accumulated error probability: 0.00
culprit signature: 7f42423a7b07e978ad7862d902efb0940b57a6d3d5e6373501e1785931aa04d2
parent signature: 8bdac0323c53393eaf675f1204f6428288ee7cfec4266adc30fce8cc7e785f92
revisions tested: 19, total time: 3h52m21.093696431s (build: 49m53.82434734s, test: 2h57m53.617567964s)
first good commit: 620a3c28221bb219b81bc0bffd065cc187494302 ext4: allow ext4_get_group_info() to fail
recipients (to): ["jack@suse.cz" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []