ci2 starts bisection 2025-01-14 00:47:57.418159232 +0000 UTC m=+119.570224169
bisecting fixing commit since 0a51d2d4527b43c5e467ffa6897deefeaf499358
building syzkaller on cf1845599c0bdab59c69518eaa0ecb960ec7ddf0
ensuring issue is reproducible on original commit 0a51d2d4527b43c5e467ffa6897deefeaf499358
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ce9b9600f66fbb50752bca699c0494177774423d886a8c32b9bda3274055d2b9
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7bc1d302b2add29a6500a5bea5f8feb9d6538f7de54e26acd272a9d07ad7668a
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=3706 full=7271 leaves diff=1988
split chunks (needed=false): <1988>
split chunk #0 of len 1988 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8d862907cc418402591573c3c61cff19c74418cbdf8ff55b4476cfb3e1505e7e
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 567281cd55031a0ea5e1dc40eb99085890255685b6772039a82bfbf810a5e7ef
all runs: OK
false negative chance: 0.000
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2e460150d233bed2c27d2ecb3aa959d9585c9d7888be2844f6d33e12707920c7
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 26c4bbee3460041e85ad98b467b6a2d494c1c20aae9a94328f36b915e33e42af
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7f12b88db2539d4ee54240b64a4abc123accf61fa4df19a99ee9b5d625e5cd5f
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
the chunk can be dropped
minimized to 398
configs
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
determining the merge base between 0a51d2d4527b43c5e467ffa6897deefeaf499358 and c45323b7560ec87c37c729b703c86ee65f136d75
8bb7eca972ad531c9b149c0a51ab43a417385813/Linux 5.15 is a merge base, check if it has the bug
testing commit
8bb7eca972ad531c9b149c0a51ab43a417385813 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1c35d9ade5536140933ca938bb7069b3d36d4ce7785d86df780ce2ac6e4e5fe5
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
testing current HEAD c45323b7560ec87c37c729b703c86ee65f136d75
testing commit c45323b7560ec87c37c729b703c86ee65f136d75 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dc7ac4d366aa5a112fc4ddab616692dc47696adbbf48641a6779a456718ba4a4
all runs: OK
false negative chance: 0.000
# git bisect start c45323b7560ec87c37c729b703c86ee65f136d75 8bb7eca972ad531c9b149c0a51ab43a417385813
Bisecting: 140091 revisions left to test after this (roughly 17 steps)
[f085df1be60abf670315c11036261cfaec16b2eb] Merge tag 'perf-tools-for-v6.4-3-2023-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
determine whether the revision contains the guilty commit
revision 8bb7eca972ad531c9b149c0a51ab43a417385813 crashed and is reachable
testing commit f085df1be60abf670315c11036261cfaec16b2eb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 398022fb929939886d9203983c18383df095b8ce3d85ddfdd3ce152da9963515
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good f085df1be60abf670315c11036261cfaec16b2eb
Bisecting: 71207 revisions left to test after this (roughly 16 steps)
[1f440397665f4241346e4cc6d93f8b73880815d1] Merge tag 'docs-6.9' of git://git.lwn.net/linux
determine whether the revision contains the guilty commit
revision 8bb7eca972ad531c9b149c0a51ab43a417385813 crashed and is reachable
testing commit 1f440397665f4241346e4cc6d93f8b73880815d1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1eefc4d41ebf7265f78c9f10102418f90b1dadf001591c51e313f025c8485993
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good 1f440397665f4241346e4cc6d93f8b73880815d1
Bisecting: 35635 revisions left to test after this (roughly 15 steps)
[cb273eb7c8390c70a484db6c79a797e377db09b5] Merge tag 'fbdev-for-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev
determine whether the revision contains the guilty commit
revision f085df1be60abf670315c11036261cfaec16b2eb crashed and is reachable
testing commit cb273eb7c8390c70a484db6c79a797e377db09b5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8d9f2a6aff1af581f06b04576930a15b8c753c816012d794ffafa1e37d12b6fb
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good cb273eb7c8390c70a484db6c79a797e377db09b5
Bisecting: 17851 revisions left to test after this (roughly 14 steps)
[220d83b52c7d16ec3c168b82f4e6ce59c645f7ab] smb: client: make SHA-512 TFM ephemeral
determine whether the revision contains the guilty commit
revision 1f440397665f4241346e4cc6d93f8b73880815d1 crashed and is reachable
testing commit 220d83b52c7d16ec3c168b82f4e6ce59c645f7ab gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 63d8a39bc3a33fe48f84e1d0fd4a2637119351d7505abb0eb0ddd9bda764478b
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good 220d83b52c7d16ec3c168b82f4e6ce59c645f7ab
Bisecting: 8496 revisions left to test after this (roughly 13 steps)
[fcc79e1714e8c2b8e216dc3149812edd37884eef] Merge tag 'net-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
determine whether the revision contains the guilty commit
revision cb273eb7c8390c70a484db6c79a797e377db09b5 crashed and is reachable
testing commit fcc79e1714e8c2b8e216dc3149812edd37884eef gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 63eb1f72c28efa0443b99b03ede9496e4bc3f134b2b4e5f42dc0eb2360397e7e
all runs: OK
false negative chance: 0.000
# git bisect bad fcc79e1714e8c2b8e216dc3149812edd37884eef
Bisecting: 4676 revisions left to test after this (roughly 12 steps)
[544070db6c8b0c403e4c6befbc76b52831b897da] Merge branch 'mlx5-esw-qos-refactor-and-shampo-cleanup'
determine whether the revision contains the guilty commit
revision 8bb7eca972ad531c9b149c0a51ab43a417385813 crashed and is reachable
testing commit 544070db6c8b0c403e4c6befbc76b52831b897da gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7c5330ed5df7c8807be25a3a9a00180fe87e493be6fa40b7f21c58c63aa19731
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good 544070db6c8b0c403e4c6befbc76b52831b897da
Bisecting: 2337 revisions left to test after this (roughly 11 steps)
[37c7d3538af469c2ac8d2d379f699e71aa3c6f37] Merge tag 'regmap-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
determine whether the revision contains the guilty commit
revision cb273eb7c8390c70a484db6c79a797e377db09b5 crashed and is reachable
testing commit 37c7d3538af469c2ac8d2d379f699e71aa3c6f37 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0532a00953afee29367eab3b414ccd9f1da3ab72852934c16b2bf2d3cdee33b4
all runs: OK
false negative chance: 0.000
# git bisect bad 37c7d3538af469c2ac8d2d379f699e71aa3c6f37
Bisecting: 1173 revisions left to test after this (roughly 10 steps)
[ae4336e20b8acb4d67205273645d27bd4d4392d4] Merge tag 'mips_6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
determine whether the revision contains the guilty commit
revision cb273eb7c8390c70a484db6c79a797e377db09b5 crashed and is reachable
testing commit ae4336e20b8acb4d67205273645d27bd4d4392d4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1aa79899a84ddbe7691233d9bd1d7bda10d392e1008000cec571ecf0cf6fb17a
all runs: OK
false negative chance: 0.000
# git bisect bad ae4336e20b8acb4d67205273645d27bd4d4392d4
Bisecting: 581 revisions left to test after this (roughly 9 steps)
[0f25f0e4efaeb68086f7e65c442f2d648b21736f] Merge tag 'pull-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
determine whether the revision contains the guilty commit
revision cb273eb7c8390c70a484db6c79a797e377db09b5 crashed and is reachable
testing commit 0f25f0e4efaeb68086f7e65c442f2d648b21736f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8e2681b6d19391e73ad85671162954ee0ea3b1b0909fb82f8e7e02ca2ea56590
all runs: OK
false negative chance: 0.000
# git bisect bad 0f25f0e4efaeb68086f7e65c442f2d648b21736f
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[cfaaa7d010d1fc58f9717fcc8591201e741d2d49] Merge tag 'net-6.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
determine whether the revision contains the guilty commit
revision 8bb7eca972ad531c9b149c0a51ab43a417385813 crashed and is reachable
testing commit cfaaa7d010d1fc58f9717fcc8591201e741d2d49 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9421417cec259967f4e77724f6523a8682ca489ff9553d400a63eb7c5f9207a1
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good cfaaa7d010d1fc58f9717fcc8591201e741d2d49
Bisecting: 132 revisions left to test after this (roughly 7 steps)
[70e7730c2a78313e3ccc932410c939816e3ba1bc] Merge tag 'vfs-6.13.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
determine whether the revision contains the guilty commit
revision 8bb7eca972ad531c9b149c0a51ab43a417385813 crashed and is reachable
testing commit 70e7730c2a78313e3ccc932410c939816e3ba1bc gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 45b19e39319f8d48b8e7cb2751ec7856df78c4681d2be8035c8f89cb88d9c081
all runs: OK
false negative chance: 0.000
# git bisect bad 70e7730c2a78313e3ccc932410c939816e3ba1bc
Bisecting: 82 revisions left to test after this (roughly 6 steps)
[b84eeed05a8823074866924f4c072bdf2d533f5d] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux
determine whether the revision contains the guilty commit
revision 220d83b52c7d16ec3c168b82f4e6ce59c645f7ab crashed and is reachable
testing commit b84eeed05a8823074866924f4c072bdf2d533f5d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dfa7d38bd5059b60795c4ad5499eddd44573b2695fdcd9931b26ee2447c7f150
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good b84eeed05a8823074866924f4c072bdf2d533f5d
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[4eb98b7760e8078dbc984ee08b02b5b4c3cff088] Merge tag 'vfs-6.13.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
determine whether the revision contains the guilty commit
revision cb273eb7c8390c70a484db6c79a797e377db09b5 crashed and is reachable
testing commit 4eb98b7760e8078dbc984ee08b02b5b4c3cff088 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4172dddb16c5c7ef0c59f3ff891e4ed1ac843547cb7b470a474b77cfde323b14
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good 4eb98b7760e8078dbc984ee08b02b5b4c3cff088
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[0dfcb72d33c767bbe63f4a6872108515594154d9] coredump: add cond_resched() to dump_user_range
determine whether the revision contains the guilty commit
revision f085df1be60abf670315c11036261cfaec16b2eb crashed and is reachable
testing commit 0dfcb72d33c767bbe63f4a6872108515594154d9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7a63c32bf8734bb4bfc3a425982d93c239fec7026bf4939c4d0378ca645809cb
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good 0dfcb72d33c767bbe63f4a6872108515594154d9
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[75ead69a717332efa70303fba85e1876793c74a9] fs: don't let statmount return empty strings
determine whether the revision contains the guilty commit
revision 0dfcb72d33c767bbe63f4a6872108515594154d9 crashed and is reachable
testing commit 75ead69a717332efa70303fba85e1876793c74a9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 242ef004ba0f1ab3e7e94d9e65998bedce3f5924b621a1310343f6ab3fdb7690
all runs: OK
false negative chance: 0.000
# git bisect bad 75ead69a717332efa70303fba85e1876793c74a9
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[e017671f534dd3f568db9e47b0583e853d2da9b5] initramfs: avoid filename buffer overrun
determine whether the revision contains the guilty commit
revision f085df1be60abf670315c11036261cfaec16b2eb crashed and is reachable
testing commit e017671f534dd3f568db9e47b0583e853d2da9b5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b36923a20f5937ecceb2e86a53303220f1b2b8392ee3bacfa3249d560750a9e
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good e017671f534dd3f568db9e47b0583e853d2da9b5
Bisecting: 2 revisions left to test after this (roughly 1 step)
[fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca] freevxfs: Replace one-element array with flexible array member
determine whether the revision contains the guilty commit
revision cb273eb7c8390c70a484db6c79a797e377db09b5 crashed and is reachable
testing commit fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 32fee405a29b306dd7d022ecf83b36cd4c5babac5f00e1c3b799ecb56fad49e0
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca
Bisecting: 0 revisions left to test after this (roughly 1 step)
[c4d7d90747f4e8b528c8cd0a2d9ac01dc4a9339e] fs:aio: Remove TODO comment suggesting hash or array usage in io_cancel()
determine whether the revision contains the guilty commit
revision f085df1be60abf670315c11036261cfaec16b2eb crashed and is reachable
testing commit c4d7d90747f4e8b528c8cd0a2d9ac01dc4a9339e gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 096f47437406a7ae4db3724a3d034d23a8823ed560a11e4ef0ba7c15446518ab
all runs: OK
false negative chance: 0.000
# git bisect bad c4d7d90747f4e8b528c8cd0a2d9ac01dc4a9339e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1c82587cb57687de3f18ab4b98a8850c789bedcf] hfsplus: don't query the device logical block size multiple times
determine whether the revision contains the guilty commit
revision 8bb7eca972ad531c9b149c0a51ab43a417385813 crashed and is reachable
testing commit 1c82587cb57687de3f18ab4b98a8850c789bedcf gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ff266c62a96f44bfb8580dc1ada838eccfb3e083bf1f2f4eef43120fd48a3462
all runs: OK
false negative chance: 0.000
# git bisect bad 1c82587cb57687de3f18ab4b98a8850c789bedcf
1c82587cb57687de3f18ab4b98a8850c789bedcf is the first bad commit
commit 1c82587cb57687de3f18ab4b98a8850c789bedcf
Author: Thadeu Lima de Souza Cascardo
Date: Thu Nov 7 08:41:09 2024 -0300

    hfsplus: don't query the device logical block size multiple times

    Devices block sizes may change. One of these cases is a loop device by
    using ioctl LOOP_SET_BLOCK_SIZE.

    While this may cause other issues like IO being rejected, in the case of
    hfsplus, it will allocate a block by using that size and potentially write
    out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the
    latter function reads a different io_size.

    Using a new min_io_size initially set to sb_min_blocksize works for the
    purposes of the original fix, since it will be set to the max between
    HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the
    max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not
    initialized.

    Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024
    and 4096.

    The produced KASAN report before the fix looks like this:

    [ 419.944641] ==================================================================
    [ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a
    [ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678
    [ 419.947612]
    [ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84
    [ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
    [ 419.950035] Call Trace:
    [ 419.950384]
    [ 419.950676] dump_stack_lvl+0x57/0x78
    [ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a
    [ 419.951830] print_report+0x14c/0x49e
    [ 419.952361] ? __virt_addr_valid+0x267/0x278
    [ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d
    [ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a
    [ 419.954231] kasan_report+0x89/0xb0
    [ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a
    [ 419.955367] hfsplus_read_wrapper+0x659/0xa0a
    [ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10
    [ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9
    [ 419.957214] ? _raw_spin_unlock+0x1a/0x2e
    [ 419.957772] hfsplus_fill_super+0x348/0x1590
    [ 419.958355] ? hlock_class+0x4c/0x109
    [ 419.958867] ? __pfx_hfsplus_fill_super+0x10/0x10
    [ 419.959499] ? __pfx_string+0x10/0x10
    [ 419.960006] ? lock_acquire+0x3e2/0x454
    [ 419.960532] ? bdev_name.constprop.0+0xce/0x243
    [ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10
    [ 419.961799] ? pointer+0x3f0/0x62f
    [ 419.962277] ? __pfx_pointer+0x10/0x10
    [ 419.962761] ? vsnprintf+0x6c4/0xfba
    [ 419.963178] ? __pfx_vsnprintf+0x10/0x10
    [ 419.963621] ? setup_bdev_super+0x376/0x3b3
    [ 419.964029] ? snprintf+0x9d/0xd2
    [ 419.964344] ? __pfx_snprintf+0x10/0x10
    [ 419.964675] ? lock_acquired+0x45c/0x5e9
    [ 419.965016] ? set_blocksize+0x139/0x1c1
    [ 419.965381] ? sb_set_blocksize+0x6d/0xae
    [ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10
    [ 419.966179] mount_bdev+0x12f/0x1bf
    [ 419.966512] ? __pfx_mount_bdev+0x10/0x10
    [ 419.966886] ? vfs_parse_fs_string+0xce/0x111
    [ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10
    [ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10
    [ 419.968073] legacy_get_tree+0x104/0x178
    [ 419.968414] vfs_get_tree+0x86/0x296
    [ 419.968751] path_mount+0xba3/0xd0b
    [ 419.969157] ? __pfx_path_mount+0x10/0x10
    [ 419.969594] ? kmem_cache_free+0x1e2/0x260
    [ 419.970311] do_mount+0x99/0xe0
    [ 419.970630] ? __pfx_do_mount+0x10/0x10
    [ 419.971008] __do_sys_mount+0x199/0x1c9
    [ 419.971397] do_syscall_64+0xd0/0x135
    [ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e
    [ 419.972233] RIP: 0033:0x7c3cb812972e
    [ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48
    [ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
    [ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e
    [ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: 00007ffe306325d0
    [ 419.976363] RBP: 00007ffe30632720 R08: 00007ffe30632610 R09: 0000000000000000
    [ 419.977034] R10: 0000000000200008 R11: 0000000000000286 R12: 0000000000000000
    [ 419.977713] R13: 00007ffe306328e8 R14: 00005a0eb298bc68 R15: 00007c3cb8356000
    [ 419.978375]
    [ 419.978589]

    Fixes: 6596528e391a ("hfsplus: ensure bio requests are not smaller than the hardware sectors")
    Signed-off-by: Thadeu Lima de Souza Cascardo
    Link: https://lore.kernel.org/r/20241107114109.839253-1-cascardo@igalia.com
    Signed-off-by: Christian Brauner

 fs/hfsplus/hfsplus_fs.h | 3 ++-
 fs/hfsplus/wrapper.c | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
accumulated error probability: 0.00
culprit signature: ff266c62a96f44bfb8580dc1ada838eccfb3e083bf1f2f4eef43120fd48a3462
parent signature: 32fee405a29b306dd7d022ecf83b36cd4c5babac5f00e1c3b799ecb56fad49e0
revisions tested: 28, total time: 6h7m32.065545246s (build: 2h1m36.381783888s, test: 3h2m58.086260147s)
first good commit: 1c82587cb57687de3f18ab4b98a8850c789bedcf hfsplus: don't query the device logical block size multiple times
recipients (to): ["brauner@kernel.org" "cascardo@igalia.com"]
recipients (cc): []