ci2 starts bisection 2023-11-22 20:27:58.551421782 +0000 UTC m=+20284.933083257
bisecting fixing commit since fa9645687ea537ad8e29287f3ef08396bc4baaba
building syzkaller on 79782afcff30fd0c0af8c2725d508b2c7150f3ed
ensuring issue is reproducible on original commit fa9645687ea537ad8e29287f3ef08396bc4baaba
testing commit fa9645687ea537ad8e29287f3ef08396bc4baaba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ebad88d8cae6f1f0518442eb062f3ad0c333eb2bca7758956db09721bfd9aad3
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit fa9645687ea537ad8e29287f3ef08396bc4baaba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f02046cc5228d11b6843c64b9ebea91444898cf7bc0b92810f6b9aec9cf8bcc8
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=5179 full=6523 leaves diff=250
split chunks (needed=false): <250>
split chunk #0 of len 250 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit fa9645687ea537ad8e29287f3ef08396bc4baaba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f4cdffcc0494dc272362484d1e45f3a2576379f2a20354f8c99968a5260d1464
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit fa9645687ea537ad8e29287f3ef08396bc4baaba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ed1626c8ea8914560e1b270e4bdde8d7685d630ac1a7152d0fe638238ad44206
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit fa9645687ea537ad8e29287f3ef08396bc4baaba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9bf80111717b470c9036201699e0ce37cdcbf2586adf863fdb975a9c6a3fd24f
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit fa9645687ea537ad8e29287f3ef08396bc4baaba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9690c21323cc6a0667b447069ed8bd70c42a19467f8cab26754f014a13df959f
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit fa9645687ea537ad8e29287f3ef08396bc4baaba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building fa9645687ea537ad8e29287f3ef08396bc4baaba:
net/socket.c:1225: undefined reference to `wext_handle_ioctl'
net/socket.c:3420: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing current HEAD 5c8e593916ad29763e34d609b6a8c7fe9293368f
testing commit 5c8e593916ad29763e34d609b6a8c7fe9293368f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d8b0939d8c9e6b0519997ffd7ee9cb7120e2588ba7702879f2420c170adcb66c
all runs: OK
false negative chance: 0.000
# git bisect start 5c8e593916ad29763e34d609b6a8c7fe9293368f fa9645687ea537ad8e29287f3ef08396bc4baaba
Bisecting: 1964 revisions left to test after this (roughly 11 steps)
[fff9a18e01286116991e82d95f89e99ffa764bed] selftests: net: fcnal-test: check if FIPS mode is enabled
determine whether the revision contains the guilty commit
checking the merge base b1644a0031cfb3ca2cbd84c92f771f8ebb62302d
no existing result, test the revision
testing commit b1644a0031cfb3ca2cbd84c92f771f8ebb62302d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 04d244da5d306e015d9d2830878145898076770ad022a5c1ec4416ca35d63ee3
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
testing commit fff9a18e01286116991e82d95f89e99ffa764bed gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 239367bfa513a68de8a363aa67f85dd85b6488ee495cd899a053221de67a43ab
all runs: OK
false negative chance: 0.000
# git bisect bad fff9a18e01286116991e82d95f89e99ffa764bed
Bisecting: 981 revisions left to test after this (roughly 10 steps)
[d485903231868b01f961c09eeab48f73179ce937] gfs2: Fix inode height consistency check
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit d485903231868b01f961c09eeab48f73179ce937 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8063a02df02fead009016c6f136068ee8828634819d9a8543d6aa57c588309e1
all runs: OK
false negative chance: 0.000
# git bisect bad d485903231868b01f961c09eeab48f73179ce937
Bisecting: 490 revisions left to test after this (roughly 9 steps)
[17993a13b5f654070f63b3dd36099a94e52118d8] usb: chipidea: fix missing goto in `ci_hdrc_probe`
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 17993a13b5f654070f63b3dd36099a94e52118d8 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bf8adfd1edaf5dbcba14672b81b0ddaed1ba89c0ed5fd160a3ffe1b37b3be28e
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good 17993a13b5f654070f63b3dd36099a94e52118d8
Bisecting: 245 revisions left to test after this (roughly 8 steps)
[7887397338a55a2439ba8db6d9a93cbe4094d912] drm/amdgpu: add a missing lock for AMDGPU_SCHED
determine whether the revision contains the guilty commit
revision 17993a13b5f654070f63b3dd36099a94e52118d8 crashed and is reachable
testing commit 7887397338a55a2439ba8db6d9a93cbe4094d912 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bceac0d8adfcec46024ac5efb1dbb2c5fe8ecb2bf49bef457b7a718dafbc3ef5
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good 7887397338a55a2439ba8db6d9a93cbe4094d912
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[e6332695d48434582f1d8e02350a45c8a390dc13] drm/amd/display: Update minimum stutter residency for DCN314 Z8
determine whether the revision contains the guilty commit
revision 7887397338a55a2439ba8db6d9a93cbe4094d912 crashed and is reachable
testing commit e6332695d48434582f1d8e02350a45c8a390dc13 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8bb0d4a4018817dd910d55497073974d9bfe038e65c346be1a2a1fafef355ddf
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good e6332695d48434582f1d8e02350a45c8a390dc13
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[e410895892f99700ce54347d42c8dbe962eea9f4] af_unix: Fix data races around sk->sk_shutdown.
determine whether the revision contains the guilty commit
revision 7887397338a55a2439ba8db6d9a93cbe4094d912 crashed and is reachable
testing commit e410895892f99700ce54347d42c8dbe962eea9f4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8186148d0af23bed7ca1b47aad84d588e1e58241a195d1f149f7c3f0e32e50d3
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good e410895892f99700ce54347d42c8dbe962eea9f4
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[b963e1b7066f0af03e16e4960c0a0aa9a798c191] arm64: dts: imx8mq-librem5: Remove dis_u3_susphy_quirk from usb_dwc3_0
determine whether the revision contains the guilty commit
revision 17993a13b5f654070f63b3dd36099a94e52118d8 crashed and is reachable
testing commit b963e1b7066f0af03e16e4960c0a0aa9a798c191 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e360b662509ce0ae18f2778ca4ec01d58b14de89be37f999ed39d4f765d36f3a
all runs: OK
false negative chance: 0.000
# git bisect bad b963e1b7066f0af03e16e4960c0a0aa9a798c191
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[48960a503fcec76d3f72347b7e679dda08ca43be] fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
determine whether the revision contains the guilty commit
revision e6332695d48434582f1d8e02350a45c8a390dc13 crashed and is reachable
testing commit 48960a503fcec76d3f72347b7e679dda08ca43be gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d3dbe47bfc18776c5f40778d087658f831cd85100d0f0759d86860913f1ad6c3
all runs: OK
false negative chance: 0.000
# git bisect bad 48960a503fcec76d3f72347b7e679dda08ca43be
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[cc4086759fda39d0b590951fafbc4f12e3159944] ext4: reflect error codes from ext4_multi_mount_protect() to its callers
determine whether the revision contains the guilty commit
revision 17993a13b5f654070f63b3dd36099a94e52118d8 crashed and is reachable
testing commit cc4086759fda39d0b590951fafbc4f12e3159944 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2f3fb9ae9d3cab45ee31c40c21a879bca46143290537d1a6105d437090ec0cb0
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good cc4086759fda39d0b590951fafbc4f12e3159944
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[522c441faf82ab88636d66be8e25b8b7dfa2e001] refscale: Move shutdown from wait_event() to wait_event_idle()
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 522c441faf82ab88636d66be8e25b8b7dfa2e001 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4d1b80b8c24fa189f19754f75f2cb7425fd03bdb947227c273b74f4e342b676d
all runs: OK
false negative chance: 0.000
# git bisect bad 522c441faf82ab88636d66be8e25b8b7dfa2e001
Bisecting: 1 revision left to test after this (roughly 1 step)
[f12aa035e81438b4b005b4916bf68edf540cb4a9] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
determine whether the revision contains the guilty commit
revision 17993a13b5f654070f63b3dd36099a94e52118d8 crashed and is reachable
testing commit f12aa035e81438b4b005b4916bf68edf540cb4a9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 71647301631c2c9cd82a9b83d53a161c94b95a0b465c56101a69540cb4282bc8
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
# git bisect good f12aa035e81438b4b005b4916bf68edf540cb4a9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b4319e457d6e3fb33e443efeaf4634fc36e8a9ed] ext4: allow ext4_get_group_info() to fail
determine whether the revision contains the guilty commit
revision 17993a13b5f654070f63b3dd36099a94e52118d8 crashed and is reachable
testing commit b4319e457d6e3fb33e443efeaf4634fc36e8a9ed gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b10d52a51e62779785015273aa205a5798e6ab9f164b5cbe6f5fc644fa868572
all runs: OK
false negative chance: 0.000
# git bisect bad b4319e457d6e3fb33e443efeaf4634fc36e8a9ed
b4319e457d6e3fb33e443efeaf4634fc36e8a9ed is the first bad commit
commit b4319e457d6e3fb33e443efeaf4634fc36e8a9ed
Author: Theodore Ts'o
Date: Sat Apr 29 00:06:28 2023 -0400

    ext4: allow ext4_get_group_info() to fail

    [ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ]

    Previously, ext4_get_group_info() would treat an invalid group number
    as BUG(), since in theory it should never happen. However, if a
    malicious attacker (or fuzzer) modifies the superblock via the block
    device while it is the file system is mounted, it is possible for
    s_first_data_block to get set to a very large number. In that case,
    when calculating the block group of some block number (such as the
    starting block of a preallocation region), could result in an
    underflow and very large block group number. Then the BUG_ON check in
    ext4_get_group_info() would fire, resulting in a denial of service
    attack that can be triggered by root or someone with write access to
    the block device.

    For a quality of implementation perspective, it's best that even if
    the system administrator does something that they shouldn't, that it
    will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info()
    will call ext4_error and return NULL. We also add fallback code in
    all of the callers of ext4_get_group_info() that it might NULL.

    Also, since ext4_get_group_info() was already borderline to be an
    inline function, un-inline it. The results in a next reduction of the
    compiled text size of ext4 by roughly 2k.

    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu
    Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
    Signed-off-by: Theodore Ts'o
    Reviewed-by: Jan Kara
    Signed-off-by: Sasha Levin

 fs/ext4/balloc.c  | 18 +++++++++++++++-
 fs/ext4/ext4.h    | 15 ++-----------
 fs/ext4/ialloc.c  | 12 +++++++----
 fs/ext4/mballoc.c | 64 +++++++++++++++++++++++++++++++++++++++++++++----------
 fs/ext4/super.c   |  2 ++
 5 files changed, 82 insertions(+), 29 deletions(-)
accumulated error probability: 0.00
culprit signature: b10d52a51e62779785015273aa205a5798e6ab9f164b5cbe6f5fc644fa868572
parent signature: 71647301631c2c9cd82a9b83d53a161c94b95a0b465c56101a69540cb4282bc8
revisions tested: 20, total time: 4h10m28.545607441s (build: 1h22m57.837019278s, test: 2h39m46.212701386s)
first good commit: b4319e457d6e3fb33e443efeaf4634fc36e8a9ed ext4: allow ext4_get_group_info() to fail
recipients (to): ["jack@suse.cz" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []