ci2 starts bisection 2023-08-12 00:41:28.476013817 +0000 UTC m=+35582.174582714
bisecting fixing commit since 571f442f6752c71b8b477916cdd5380ceef5ea44
building syzkaller on 79782afcff30fd0c0af8c2725d508b2c7150f3ed
ensuring issue is reproducible on original commit 571f442f6752c71b8b477916cdd5380ceef5ea44

testing commit 571f442f6752c71b8b477916cdd5380ceef5ea44 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9c62d0aec4bb3ad2f9b0a3ee87ea5062b457da43171580912319c6de90d59e6b
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 571f442f6752c71b8b477916cdd5380ceef5ea44 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c77015aadb1dd66739703f4c5f2a661c8c81f73235331b3bdc24e5fe605272a4
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=4789 full=6024 leaves diff=237
split chunks (needed=false): <237>
split chunk #0 of len 237 into 5 parts

testing without sub-chunk 1/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 571f442f6752c71b8b477916cdd5380ceef5ea44 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8c218c0c8fef37b025d4fd46458aaf692ae2d94f98e92e2478c987ece3c83917
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped

testing without sub-chunk 2/5
disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 571f442f6752c71b8b477916cdd5380ceef5ea44 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad9502e189ec382903738ad70ad19826bfc3e3af80551831f80753d22542cea1
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped

testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 571f442f6752c71b8b477916cdd5380ceef5ea44 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 58499f3ae973b7b01b283f05a5c9e885444319fcb9422f57b67f205dd37f1250
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped

testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit 571f442f6752c71b8b477916cdd5380ceef5ea44 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a02e5181e0c23f6031be9b503423feb9ad50b1d966dca17ed8863d034a2c921c
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
the chunk can be dropped

testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 571f442f6752c71b8b477916cdd5380ceef5ea44 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 571f442f6752c71b8b477916cdd5380ceef5ea44:
net/socket.c:1109: undefined reference to `wext_handle_ioctl'
net/socket.c:3378: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'

minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed

testing current HEAD 8a427269c016a4b7a6c29a595f3c121030649818
testing commit 8a427269c016a4b7a6c29a595f3c121030649818 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5eb063d34cdaf0b55895899bb58bc2b8d645c7ea04cc3d4854b2dca3890ad0a6
all runs: OK
false negative chance: 0.000

# git bisect start 8a427269c016a4b7a6c29a595f3c121030649818 571f442f6752c71b8b477916cdd5380ceef5ea44
Bisecting: 529 revisions left to test after this (roughly 9 steps)
[dfd419db0391b65d0a711229c07d8a6c4b7b09ac] HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs
determine whether the revision contains the guilty commit
checking the merge base f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb
no existing result, test the revision
testing commit f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 36684903d0a97f5ed1248ad67b8a53601630737a7619b9ca6a88b31a6caaf69c
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]
testing commit dfd419db0391b65d0a711229c07d8a6c4b7b09ac gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a6ba5e08a2e5e99edfe4f61a1f569857090a49c09faf52ae122f2c77aded3e80
all runs: OK
false negative chance: 0.000

# git bisect bad dfd419db0391b65d0a711229c07d8a6c4b7b09ac
Bisecting: 264 revisions left to test after this (roughly 8 steps)
[45e4c00940beecc3a81934d8e4d58ce67d9f88c2] pwm: mtk-disp: Disable shadow registers before setting backlight values
determine whether the revision contains the guilty commit
revision f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb crashed and is reachable
testing commit 45e4c00940beecc3a81934d8e4d58ce67d9f88c2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 63ec71cb5938db366fd147bcdca025abca388f54563fd7e31492f322a0ef20c8
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]

# git bisect good 45e4c00940beecc3a81934d8e4d58ce67d9f88c2
Bisecting: 132 revisions left to test after this (roughly 7 steps)
[8307e372e7445ec7d3cd2ff107ce5078eaa02815] af_unix: Fix data races around sk->sk_shutdown.
determine whether the revision contains the guilty commit
revision f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb crashed and is reachable
testing commit 8307e372e7445ec7d3cd2ff107ce5078eaa02815 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 558c5b4b0b84ef4b2fd4a7a2bdc0710575aa0d696bc1b0fd353887c2be565dfe
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]

# git bisect good 8307e372e7445ec7d3cd2ff107ce5078eaa02815
Bisecting: 66 revisions left to test after this (roughly 6 steps)
[9c69a9d05824521e2e3a615283e8158772a1a5f7] btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c
determine whether the revision contains the guilty commit
revision f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb crashed and is reachable
testing commit 9c69a9d05824521e2e3a615283e8158772a1a5f7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8d5e809895f768d308dc3e571648b4c5ef0dd769c9d3952e8c5e1272e5c36e63
all runs: OK
false negative chance: 0.000

# git bisect bad 9c69a9d05824521e2e3a615283e8158772a1a5f7
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[4621e24c9257c6379343bf0c11b473817cf7edcd] scsi: target: iscsit: Free cmds before session free
determine whether the revision contains the guilty commit
revision f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb crashed and is reachable
testing commit 4621e24c9257c6379343bf0c11b473817cf7edcd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aa8deb40f87c7692f29ebbff9425d5e38237040e7d2b448efae6103021b28b84
all runs: OK
false negative chance: 0.000

# git bisect bad 4621e24c9257c6379343bf0c11b473817cf7edcd
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[bb1616e1057dfbb427f3594111608d7d573c6e1c] regmap: cache: Return error in cache sync operations for REGCACHE_NONE
determine whether the revision contains the guilty commit
revision f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb crashed and is reachable
testing commit bb1616e1057dfbb427f3594111608d7d573c6e1c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d3fab029754d22de53fdc492482c6716c87c4b72fd7571b8fbab59ff3eae3040
all runs: OK
false negative chance: 0.000

# git bisect bad bb1616e1057dfbb427f3594111608d7d573c6e1c
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[9b6a0c140e2790b5418560cc3c97bb23773cff8d] ext4: drop s_mb_bal_lock and convert protected fields to atomic
determine whether the revision contains the guilty commit
revision f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb crashed and is reachable
testing commit 9b6a0c140e2790b5418560cc3c97bb23773cff8d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4f5a51a7850acb7cda625500ba4bff606ae4e4213b8a563bf2ecf693cee9b8e8
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]

# git bisect good 9b6a0c140e2790b5418560cc3c97bb23773cff8d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e4842de4ec13d60e042d915b64c9134e135e0d11] refscale: Move shutdown from wait_event() to wait_event_idle()
determine whether the revision contains the guilty commit
revision 45e4c00940beecc3a81934d8e4d58ce67d9f88c2 crashed and is reachable
testing commit e4842de4ec13d60e042d915b64c9134e135e0d11 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 83935da005753a2e0d6bdaa37d0d57e198bb610186c1509912eade0c11345ebb
all runs: OK
false negative chance: 0.000

# git bisect bad e4842de4ec13d60e042d915b64c9134e135e0d11
Bisecting: 1 revision left to test after this (roughly 1 step)
[371d8b8ea0cb48de9777aaf7193abd544c200297] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
determine whether the revision contains the guilty commit
revision 9b6a0c140e2790b5418560cc3c97bb23773cff8d crashed and is reachable
testing commit 371d8b8ea0cb48de9777aaf7193abd544c200297 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ebad35074af31798fb522af275a214815932ce326a70d843bc51f456eb9fcba5
all runs: crashed: kernel BUG in ext4_mb_find_by_goal
representative crash: kernel BUG in ext4_mb_find_by_goal, types: [BUG]

# git bisect good 371d8b8ea0cb48de9777aaf7193abd544c200297
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[100c0ad6c04597fefeaaba2bb1827cc015d95067] ext4: allow ext4_get_group_info() to fail
determine whether the revision contains the guilty commit
revision f1b32fda06d2cfb8eea9680b0ba7a8b0d5b81eeb crashed and is reachable
testing commit 100c0ad6c04597fefeaaba2bb1827cc015d95067 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b8c48cd063d75bb5fda947b579efb38ecf9a1aa51f60cf8db75481b38129ed45
all runs: OK
false negative chance: 0.000

# git bisect bad 100c0ad6c04597fefeaaba2bb1827cc015d95067
100c0ad6c04597fefeaaba2bb1827cc015d95067 is the first bad commit
commit 100c0ad6c04597fefeaaba2bb1827cc015d95067
Author: Theodore Ts'o
Date: Sat Apr 29 00:06:28 2023 -0400

ext4: allow ext4_get_group_info() to fail

[ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ]

Previously, ext4_get_group_info() would treat an invalid group number as BUG(), since in theory it should never happen. However, if a malicious attacker (or fuzzer) modifies the superblock via the block device while the file system is mounted, it is possible for s_first_data_block to get set to a very large number. In that case, when calculating the block group of some block number (such as the starting block of a preallocation region), could result in an underflow and very large block group number. Then the BUG_ON check in ext4_get_group_info() would fire, resulting in a denial of service attack that can be triggered by root or someone with write access to the block device.

From a quality of implementation perspective, it's best that even if the system administrator does something that they shouldn't, that it will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info() will call ext4_error and return NULL. We also add fallback code in all of the callers of ext4_get_group_info() that it might return NULL.

Also, since ext4_get_group_info() was already borderline to be an inline function, un-inline it. This results in a net reduction of the compiled text size of ext4 by roughly 2k.

Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu
Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
Signed-off-by: Theodore Ts'o
Reviewed-by: Jan Kara
Signed-off-by: Sasha Levin

fs/ext4/balloc.c | 18 +++++++++++++++-
fs/ext4/ext4.h | 15 ++-----------
fs/ext4/ialloc.c | 12 +++++++----
fs/ext4/mballoc.c | 64 +++++++++++++++++++++++++++++++++++++++++++++----------
fs/ext4/super.c | 2 ++
5 files changed, 82 insertions(+), 29 deletions(-)

accumulated error probability: 0.00
culprit signature: b8c48cd063d75bb5fda947b579efb38ecf9a1aa51f60cf8db75481b38129ed45
parent signature: ebad35074af31798fb522af275a214815932ce326a70d843bc51f456eb9fcba5
revisions tested: 18, total time: 9h53m45.387224862s (build: 5h55m27.107186691s, test: 3h47m17.378809115s)
first good commit: 100c0ad6c04597fefeaaba2bb1827cc015d95067 ext4: allow ext4_get_group_info() to fail
recipients (to): ["jack@suse.cz" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []