ci2 starts bisection 2023-12-01 02:52:45.015324531 +0000 UTC m=+93875.661901812
bisecting fixing commit since 8a427269c016a4b7a6c29a595f3c121030649818
building syzkaller on d216d8a03b50bef82eac746d227230835f061640
ensuring issue is reproducible on original commit 8a427269c016a4b7a6c29a595f3c121030649818
testing commit 8a427269c016a4b7a6c29a595f3c121030649818 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4f5eb769c3407af10b86bfeb570d4c65306fa4e7cc7edfcffae49819660f4936
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 8a427269c016a4b7a6c29a595f3c121030649818 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 09294eda2916836e4ad94d562e1ab1fc88a0ad269322cc060e86b21874859384
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4789 full=6022 leaves diff=237
split chunks (needed=false): <237>
split chunk #0 of len 237 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 8a427269c016a4b7a6c29a595f3c121030649818 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 84c60ad552bbcaf2b99e52c4e7a8514f00074f5af8b3c29717e8efe181c9ec4c
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 8a427269c016a4b7a6c29a595f3c121030649818 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dda52b1816260716e64d39660c778da3da76916e85071e97b2c06351c01052a0
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 8a427269c016a4b7a6c29a595f3c121030649818 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0176b8c076334ef97eedb646637e4170ee49548663dba7c16fae3015de79bbbc
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 8a427269c016a4b7a6c29a595f3c121030649818 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3316b84abfb6ccd15dae7df26ce968eb35d37b338b6ab6f42c9c05631dadd1d3
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 8a427269c016a4b7a6c29a595f3c121030649818 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 8a427269c016a4b7a6c29a595f3c121030649818: net/socket.c:1109: undefined reference to `wext_handle_ioctl'
net/socket.c:3378: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD 0da9a7bcb7a258399e414fad32846139a47e3698
testing commit 0da9a7bcb7a258399e414fad32846139a47e3698 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 513b3e003aa7b62f7749ca55f5871f28c8e04d9c2c2f7df20857cbf1c85bc6a3
all runs: OK
false negative chance: 0.000
# git bisect start 0da9a7bcb7a258399e414fad32846139a47e3698 8a427269c016a4b7a6c29a595f3c121030649818
Bisecting: 1111 revisions left to test after this (roughly 10 steps)
[5101e2c8a5673d971065834d59eb997d4cdff114] Revert "net: macsec: preserve ingress frame ordering"
determine whether the revision contains the guilty commit
checking the merge base 140d69b4e41d185d886880460461fab70f3b5e84
no existing result, test the revision
testing commit 140d69b4e41d185d886880460461fab70f3b5e84 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 709ab56b1f4276675b9e4ac1f5d754be46a4f95daf84021bbf74be3f2d7c41e1
all runs: OK
false negative chance: 0.000
the bug was not introduced yet; pretend that kernel crashed
# git bisect good 5101e2c8a5673d971065834d59eb997d4cdff114
Bisecting: 555 revisions left to test after this (roughly 9 steps)
[97e148dcb97d2b1fefedc83bbc2238dada68d224] nvme-pci: factor out a nvme_pci_alloc_dev helper
determine whether the revision contains the guilty commit
checking the merge base 140d69b4e41d185d886880460461fab70f3b5e84
the bug was not introduced yet; pretend that kernel crashed
# git bisect good 97e148dcb97d2b1fefedc83bbc2238dada68d224
Bisecting: 277 revisions left to test after this (roughly 8 steps)
[3fb223086de9b51cf94e22fea9b2dfec3cbade51] USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
determine whether the revision contains the guilty commit
checking the merge base 140d69b4e41d185d886880460461fab70f3b5e84
the bug was not introduced yet; pretend that kernel crashed
# git bisect good 3fb223086de9b51cf94e22fea9b2dfec3cbade51
Bisecting: 130 revisions left to test after this (roughly 7 steps)
[b9ea98aa2fd47cd8af31bb674d2de84d09251e09] Merge tag 'android13-5.10.198_r00' into android13-5.10
determine whether the revision contains the guilty commit
revision 8a427269c016a4b7a6c29a595f3c121030649818 crashed and is reachable
testing commit b9ea98aa2fd47cd8af31bb674d2de84d09251e09 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b8f7a4a8e0888aecdc61fc36d832651ad54b823ecd1b89f670edb6fa43538600
all runs: OK
false negative chance: 0.000
# git bisect bad b9ea98aa2fd47cd8af31bb674d2de84d09251e09
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[5f70956c6efe35bd0e22878e9ef84041793b868c] UPSTREAM: net/sched: sch_hfsc: Ensure inner classes have fsc curve
determine whether the revision contains the guilty commit
checking the merge base ee5ff26eb7f5b4cd8874282267d48785d0868b70
no existing result, test the revision
testing commit ee5ff26eb7f5b4cd8874282267d48785d0868b70 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 88e8a22152955b052b09842f2cf4a19dc41b0ca7c8696801e1e1ccfe6c6fc2b7
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
testing commit 5f70956c6efe35bd0e22878e9ef84041793b868c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7cdeb9488b3e395b4c6187fc095c1205ff3b6544beb1720b3b39d2f52478de92
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good 5f70956c6efe35bd0e22878e9ef84041793b868c
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[974cdc3417177c55ed62880414ce48d8c75018d3] Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp"
determine whether the revision contains the guilty commit
revision 8a427269c016a4b7a6c29a595f3c121030649818 crashed and is reachable
testing commit 974cdc3417177c55ed62880414ce48d8c75018d3 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6df96bd97abd0e156a0ff92430739d2f0cd66aeb1441fe5f8cdd171c6d2f276b
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good 974cdc3417177c55ed62880414ce48d8c75018d3
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[3dc517bb4d91ccaf151edca3036a1f55e5810ba2] UPSTREAM: usb: gadget: uvc: clean up comments and styling in video_pump
determine whether the revision contains the guilty commit
revision 8a427269c016a4b7a6c29a595f3c121030649818 crashed and is reachable
testing commit 3dc517bb4d91ccaf151edca3036a1f55e5810ba2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1abbcc3cdca1281116d32324664a0cab26e33f02e6cde83f99b654f761afaa23
all runs: OK
false negative chance: 0.000
# git bisect bad 3dc517bb4d91ccaf151edca3036a1f55e5810ba2
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[d35d8fbdea9e5094a28d15e4b053e8f55b1a7e98] UPSTREAM: netfilter: xt_u32: validate user space input
determine whether the revision contains the guilty commit
revision 8a427269c016a4b7a6c29a595f3c121030649818 crashed and is reachable
testing commit d35d8fbdea9e5094a28d15e4b053e8f55b1a7e98 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3f2ce7c01af43a696694d8772d8e8a8279d0c3e9991edde84061b276e3e0655e
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good d35d8fbdea9e5094a28d15e4b053e8f55b1a7e98
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[79083beef4e0cff12d93b930dbaf806245fc4eaa] UPSTREAM: netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
determine whether the revision contains the guilty commit
revision d35d8fbdea9e5094a28d15e4b053e8f55b1a7e98 crashed and is reachable
testing commit 79083beef4e0cff12d93b930dbaf806245fc4eaa gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f319991a7116da9ad2da41942546f92fe92e04344a91b57cc8cf102f43f6a11
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good 79083beef4e0cff12d93b930dbaf806245fc4eaa
Bisecting: 2 revisions left to test after this (roughly 1 step)
[44714c920d036214a739510876525841ab6decf1] ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate
determine whether the revision contains the guilty commit
revision 8a427269c016a4b7a6c29a595f3c121030649818 crashed and is reachable
testing commit 44714c920d036214a739510876525841ab6decf1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ee96ff40e1a97bc137c8501459f0b347d90521df2dc5353704521ad11f496e24
all runs: OK
false negative chance: 0.000
# git bisect bad 44714c920d036214a739510876525841ab6decf1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[90988912a1912991d47c5f0fbea766bcf170ef55] ANDROID: usb: gadget: fix cannot create multiple android instances
determine whether the revision contains the guilty commit
revision 8a427269c016a4b7a6c29a595f3c121030649818 crashed and is reachable
testing commit 90988912a1912991d47c5f0fbea766bcf170ef55 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 45e460154688a43a08638a6e33d5f5ef9c0877729078267d33e92222a7abf3ad
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good 90988912a1912991d47c5f0fbea766bcf170ef55
44714c920d036214a739510876525841ab6decf1 is the first bad commit
commit 44714c920d036214a739510876525841ab6decf1
Author: liujinbao1
Date: Thu Oct 12 12:28:06 2023 +0800

ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate

If userspace tried to add a backing file in a fuse_dentry_revalidate where there wasn't one originally, this would trigger a crash. Disallow this operation for now.
Bug: 296013218
Fixes: 57f3ff964899 ("ANDROID: fuse-bpf v1.1")
Test: fuse_test passes, following script no longer crashes:
adb shell su root setenforce 0
adb shell su root chmod ug+w /data/media
adb shell su root rm /data/media/Android -rf
adb shell su root mkdir -p /storage/emulated/Android/data/test
adb shell su root ls -l /storage/emulated/Android/data/test
Change-Id: Id8a67c43d1edfa010403d5f17e31109b796998cf
Signed-off-by: liujinbao1
(cherry picked from commit e89b1266f784b2271af2e72a5d04e3e39d0afcdc)

fs/fuse/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
accumulated error probability: 0.00
culprit signature: ee96ff40e1a97bc137c8501459f0b347d90521df2dc5353704521ad11f496e24
parent signature: 45e460154688a43a08638a6e33d5f5ef9c0877729078267d33e92222a7abf3ad
revisions tested: 17, total time: 2h7m52.871082521s (build: 42m44.601789256s, test: 1h21m25.369615644s)
first good commit: 44714c920d036214a739510876525841ab6decf1 ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate
recipients (to): ["liujinbao1@xiaomi.corp-partner.google.com"]
recipients (cc): []