bisecting fixing commit since 399849e4654ea496a6217ba4e5ee3d304c995ab4
building syzkaller on f30c14bfec4b49e528a756b28cc010925e2f286b
testing commit 399849e4654ea496a6217ba4e5ee3d304c995ab4 with gcc (GCC) 8.1.0
kernel signature: bcdc5333f5e28b8bffb7941cc227336e22290a09ea76a52c41e356e547e26513
run #0: crashed: kernel BUG at fs/buffer.c:LINE!
run #1: crashed: kernel BUG at fs/buffer.c:LINE!
run #2: crashed: kernel BUG at fs/buffer.c:LINE!
run #3: crashed: kernel BUG at fs/buffer.c:LINE!
run #4: crashed: kernel BUG at fs/buffer.c:LINE!
run #5: crashed: kernel BUG at fs/buffer.c:LINE!
run #6: crashed: kernel BUG at fs/buffer.c:LINE!
run #7: crashed: kernel BUG at fs/buffer.c:LINE!
run #8: OK
run #9: OK
testing current HEAD f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a
testing commit f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a with gcc (GCC) 8.1.0
kernel signature: 5c347b2f5cfd22cb22ab821cc150c7cb0b571715b72489e868557ba0417c2556
all runs: OK
# git bisect start f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a 399849e4654ea496a6217ba4e5ee3d304c995ab4
Bisecting: 387 revisions left to test after this (roughly 9 steps)
[29204c846894d73108f87e78aea4757a8ec52c74] random32: update the net random state on interrupt and activity
testing commit 29204c846894d73108f87e78aea4757a8ec52c74 with gcc (GCC) 8.1.0
kernel signature: 853605c0a99129f3a67a407454f667d479f2d29297e9fde96a59d1ab266964af
run #0: crashed: kernel BUG at fs/buffer.c:LINE!
run #1: crashed: kernel BUG at fs/buffer.c:LINE!
run #2: crashed: kernel BUG at fs/buffer.c:LINE!
run #3: crashed: kernel BUG at fs/buffer.c:LINE!
run #4: crashed: WARNING in unaccount_page_cache_page
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 29204c846894d73108f87e78aea4757a8ec52c74
Bisecting: 193 revisions left to test after this (roughly 8 steps)
[6614bb86cec4d4e1dac5119199fe622efcdbd738] USB: serial: cp210x: enable usb generic throttle/unthrottle
testing commit 6614bb86cec4d4e1dac5119199fe622efcdbd738 with gcc (GCC) 8.1.0
kernel signature: e6d0be4cc0c76348a3c1b8bde7cdf71a806ae496f14e04a4b8b82efff7971429
run #0: crashed: kernel BUG at fs/buffer.c:LINE!
run #1: crashed: kernel BUG at fs/buffer.c:LINE!
run #2: crashed: kernel BUG at fs/buffer.c:LINE!
run #3: crashed: kernel BUG at fs/buffer.c:LINE!
run #4: crashed: kernel BUG at fs/buffer.c:LINE!
run #5: crashed: kernel BUG at fs/buffer.c:LINE!
run #6: crashed: kernel BUG at fs/buffer.c:LINE!
run #7: OK
run #8: OK
run #9: crashed: kernel BUG at fs/buffer.c:LINE!
# git bisect good 6614bb86cec4d4e1dac5119199fe622efcdbd738
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[bb1da23aa45bbe1edb74379d5b541c62f0d2836a] tools build feature: Use CC and CXX from parent
testing commit bb1da23aa45bbe1edb74379d5b541c62f0d2836a with gcc (GCC) 8.1.0
kernel signature: b7fc7abd83fde9f6547112651331e6462a4f895937f75c03df8cc1ab77cdb5b8
all runs: OK
# git bisect bad bb1da23aa45bbe1edb74379d5b541c62f0d2836a
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[0d4abc3512b0e79cd79c8d41dd3d7ed4a8bdbac1] dt-bindings: iio: io-channel-mux: Fix compatible string in example code
testing commit 0d4abc3512b0e79cd79c8d41dd3d7ed4a8bdbac1 with gcc (GCC) 8.1.0
kernel signature: d0f29f27627afc63de7b527a52bab7f1c39afe862a8d4af8e134ed12dec7a761
all runs: OK
# git bisect bad 0d4abc3512b0e79cd79c8d41dd3d7ed4a8bdbac1
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[2310f713e110b66e8ee61636e7d40b4fa9068c97] parisc: mask out enable and reserved bits from sba imask
testing commit 2310f713e110b66e8ee61636e7d40b4fa9068c97 with gcc (GCC) 8.1.0
kernel signature: 37448f1327bb6dbe77bfdfe422f121d73303cc489ca1e3f0b001ce053cc34aa8
all runs: OK
# git bisect bad 2310f713e110b66e8ee61636e7d40b4fa9068c97
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[169f7f37bd6b0bb91242099cc261219791067d5c] fs/minix: don't allow getting deleted inodes
testing commit 169f7f37bd6b0bb91242099cc261219791067d5c with gcc (GCC) 8.1.0
kernel signature: 2e6737c774866f731634fd1417ae73a282e6b8c0020b38df5c8847f842487bac
run #0: crashed: kernel BUG at fs/buffer.c:LINE!
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 169f7f37bd6b0bb91242099cc261219791067d5c
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[5052b997592af482f29c5441b8bc39831015818c] NFS: Don't return layout segments that are in use
testing commit 5052b997592af482f29c5441b8bc39831015818c with gcc (GCC) 8.1.0
kernel signature: 0158857cfbe18429a6ba0f42e18adb4b63b917ebbc7e181c5a30b540d95a5ec6
all runs: OK
# git bisect bad 5052b997592af482f29c5441b8bc39831015818c
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ec41ee06e9e0c9a6dbc2cf420f199fc2a522aec8] 9p: Fix memory leak in v9fs_mount
testing commit ec41ee06e9e0c9a6dbc2cf420f199fc2a522aec8 with gcc (GCC) 8.1.0
kernel signature: 6ad14dbdb4ff0eff8b5af89debb4440b86d79269a29e028ff0cae9a5ac0d87c6
all runs: OK
# git bisect bad ec41ee06e9e0c9a6dbc2cf420f199fc2a522aec8
Bisecting: 0 revisions left to test after this (roughly 1 step)
[d22c224704b720887e3fad683281a2cf97b679ea] ALSA: usb-audio: add quirk for Pioneer DDJ-RB
testing commit d22c224704b720887e3fad683281a2cf97b679ea with gcc (GCC) 8.1.0
kernel signature: 512ba087f4a4fd90ff99606bab6957eff6bea4964143d00a1b72b8d3242132b2
all runs: OK
# git bisect bad d22c224704b720887e3fad683281a2cf97b679ea
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d] fs/minix: reject too-large maximum file size
testing commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d with gcc (GCC) 8.1.0
kernel signature: 78464372328f329e315834b88b93284b6d5b5b72fd6dfedcba49edd1401f2276
all runs: OK
# git bisect bad 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d is the first bad commit
commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers
Date:   Tue Aug 11 18:35:30 2020 -0700

    fs/minix: reject too-large maximum file size

    commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.

    If the minix filesystem tries to map a very large logical block number
    to its on-disk location, block_to_path() can return offsets that are too
    large, causing out-of-bounds memory accesses when accessing indirect
    index blocks. This should be prevented by the check against the maximum
    file size, but this doesn't work because the maximum file size is read
    directly from the on-disk superblock and isn't validated itself.

    Fix this by validating the maximum file size at mount time.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
    Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
    Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers
    Signed-off-by: Andrew Morton
    Cc: Alexander Viro
    Cc: Qiujun Huang
    Cc:
    Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
culprit signature: 78464372328f329e315834b88b93284b6d5b5b72fd6dfedcba49edd1401f2276
parent signature: 2e6737c774866f731634fd1417ae73a282e6b8c0020b38df5c8847f842487bac
revisions tested: 12, total time: 4h2m55.92730573s (build: 2h4m59.504024713s, test: 1h55m50.331842132s)
first good commit: 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d fs/minix: reject too-large maximum file size
recipients (to): ["akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]
recipients (cc): []