ci2 starts bisection 2023-12-19 10:36:51.305327552 +0000 UTC m=+12726.344627317
bisecting fixing commit since ea586874d2f9e501ef84b7e55036fc8965397d5d
building syzkaller on 0b6a67ac4b0dc26f43030c5edd01c9175f13b784
ensuring issue is reproducible on original commit ea586874d2f9e501ef84b7e55036fc8965397d5d

testing commit ea586874d2f9e501ef84b7e55036fc8965397d5d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5c7de6e811a97cecb3203776e4862d73b47f1274c1f52309be2f7ecef0454f30
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit ea586874d2f9e501ef84b7e55036fc8965397d5d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a16afcfd27cf46780dc74437172369a920e14061c2698379607eb829a96003eb
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=4920 full=6163 leaves diff=241
split chunks (needed=false): <241>
split chunk #0 of len 241 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit ea586874d2f9e501ef84b7e55036fc8965397d5d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8fd27c04f3916adb39769e6b05432f329a1ec495112814202545510d261f4d70
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit ea586874d2f9e501ef84b7e55036fc8965397d5d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b64dcd7699790a774eaf06ae98aeb684ae219faa9d6b0127382a5d94d2ebd34
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit ea586874d2f9e501ef84b7e55036fc8965397d5d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e5dcf13628e651a1e7d3e348607bafb5b6c4b06cc0b4f6e8951c63a61afe8e01
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit ea586874d2f9e501ef84b7e55036fc8965397d5d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9dc708b5edb18afff5ec38b3807fb9135593d5c63523e8078657f74a22f7822b
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit ea586874d2f9e501ef84b7e55036fc8965397d5d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building ea586874d2f9e501ef84b7e55036fc8965397d5d: net/socket.c:1172: undefined reference to `wext_handle_ioctl'
net/socket.c:3366: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed

testing current HEAD 37769036560147b000f9a37a3a385269e413f8bf
testing commit 37769036560147b000f9a37a3a385269e413f8bf gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0bbf530fba8bdb206518c6be210ad8139096fd70119daf31b6466f6c36cbfcc2
all runs: OK
false negative chance: 0.000

# git bisect start 37769036560147b000f9a37a3a385269e413f8bf ea586874d2f9e501ef84b7e55036fc8965397d5d
Bisecting: 982 revisions left to test after this (roughly 10 steps)
[f61c43be1eb96c0add4e629401508eb273130820] regmap: fix NULL deref on lookup
determine whether the revision contains the guilty commit
checking the merge base aff03380bda4d25717170b42c92b54143aec0a36
no existing result, test the revision
testing commit aff03380bda4d25717170b42c92b54143aec0a36 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 924e44e8700a3c809707746d8746f6dda5521bde12d2ec15005f2ddd82b7bed5
all runs: OK
false negative chance: 0.000
the bug was not introduced yet; pretend that kernel crashed
# git bisect good f61c43be1eb96c0add4e629401508eb273130820
Bisecting: 491 revisions left to test after this (roughly 9 steps)
[e89d0ed45a419c485bae999426ecf92697cbdda3] locking/ww_mutex/test: Fix potential workqueue corruption
determine whether the revision contains the guilty commit
checking the merge base aff03380bda4d25717170b42c92b54143aec0a36
the bug was not introduced yet; pretend that kernel crashed
# git bisect good e89d0ed45a419c485bae999426ecf92697cbdda3
Bisecting: 245 revisions left to test after this (roughly 8 steps)
[132670ae9ffb2cbd1a2395915b644412bc9ae83b] lsm: fix default return value for inode_getsecctx
determine whether the revision contains the guilty commit
checking the merge base aff03380bda4d25717170b42c92b54143aec0a36
the bug was not introduced yet; pretend that kernel crashed
# git bisect good 132670ae9ffb2cbd1a2395915b644412bc9ae83b
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[6dcfedcb7cf5ac7ddd3c71ee1500d0e33384a489] UPSTREAM: kthread: dynamically allocate memory to store kthread's full name
determine whether the revision contains the guilty commit
checking the merge base 83c56fbab45dea6eb88e5e61fbfa390dfd2e0db7
no existing result, test the revision
testing commit 83c56fbab45dea6eb88e5e61fbfa390dfd2e0db7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 576436d53899f906e9bb8199f9eeedeebb533dba7e222f38c76b13e302b7a9c1
run #0: failed: failed to run command in VM: broken console: Permission denied (publickey)
run #1: failed: failed to run command in VM: broken console: Permission denied (publickey)
run #2: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
run #3: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
run #4: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
run #5: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
run #6: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
run #7: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
run #8: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
run #9: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
testing commit 6dcfedcb7cf5ac7ddd3c71ee1500d0e33384a489 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3f0441c913640709ea0130454088a64f8b553829c5d46523798fc982a42fc361
all runs: OK
false negative chance: 0.000
# git bisect bad 6dcfedcb7cf5ac7ddd3c71ee1500d0e33384a489
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[d34029c8258b62fe6200e53e1b30039cab0cc527] UPSTREAM: tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
determine whether the revision contains the guilty commit
checking the merge base 07610c78efc466811b0982c96b07f45fbcda7044
no existing result, test the revision
testing commit 07610c78efc466811b0982c96b07f45fbcda7044 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 928f64f5702aadb2f36b6fe57133db49533c01a274c824834121492f8825c617
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
testing commit d34029c8258b62fe6200e53e1b30039cab0cc527 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 36af672f2353ab70b5524a78c2d17b6f175a1fd8cc6c485cd5253634fa9d3b66
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good d34029c8258b62fe6200e53e1b30039cab0cc527
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[313762931f88ba5777886f3b82ca2b53f9c3e889] BACKPORT: f2fs: fix to check return value of inc_valid_block_count()
determine whether the revision contains the guilty commit
revision 07610c78efc466811b0982c96b07f45fbcda7044 crashed and is reachable
testing commit 313762931f88ba5777886f3b82ca2b53f9c3e889 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c242612c474489969973c5b7c0dd06c1fa2173623e794271d06cb3fe69c4fbc1
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good 313762931f88ba5777886f3b82ca2b53f9c3e889
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[d0a5b5f66ccaf4ef62226df42022ee565d1013e4] ANDROID: GKI: Update symbol list for Amlogic
determine whether the revision contains the guilty commit
revision 313762931f88ba5777886f3b82ca2b53f9c3e889 crashed and is reachable
testing commit d0a5b5f66ccaf4ef62226df42022ee565d1013e4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aa91ee5305c099c2e76f3b568ec3a078cfd08961b9562c62c8c8a451c5186041
all runs: OK
false negative chance: 0.000
# git bisect bad d0a5b5f66ccaf4ef62226df42022ee565d1013e4
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[488dcc05293fa902a842079e7ccebb8a1e8b0cca] BACKPORT: take care to handle NULL ->proc_lseek()
determine whether the revision contains the guilty commit
revision 07610c78efc466811b0982c96b07f45fbcda7044 crashed and is reachable
testing commit 488dcc05293fa902a842079e7ccebb8a1e8b0cca gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 125286b84520b1b74e537cce12195b57d25e8cc3805579c5eac2ca9daada25aa
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good 488dcc05293fa902a842079e7ccebb8a1e8b0cca
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f637dd4cd6f403cb09904ce4312972ba7cafffaf] UPSTREAM: net: xfrm: Fix xfrm_address_filter OOB read
determine whether the revision contains the guilty commit
revision 83c56fbab45dea6eb88e5e61fbfa390dfd2e0db7 crashed and is reachable
testing commit f637dd4cd6f403cb09904ce4312972ba7cafffaf gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2ec0c87eb2fba42d854e8856e039b83af486fbd09497514a192068fcb63e9875
all runs: crashed: KASAN: null-ptr-deref Write in fuse_dentry_revalidate
representative crash: KASAN: null-ptr-deref Write in fuse_dentry_revalidate, types: [KASAN]
# git bisect good f637dd4cd6f403cb09904ce4312972ba7cafffaf
Bisecting: 1 revision left to test after this (roughly 1 step)
[50b7feda1560607de5eff3ddeca8450923a5af4e] UPSTREAM: netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
determine whether the revision contains the guilty commit
revision 83c56fbab45dea6eb88e5e61fbfa390dfd2e0db7 crashed and is reachable
testing commit 50b7feda1560607de5eff3ddeca8450923a5af4e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3228b0e4191ea1196700109241662c95abf2f924aa6f0c319a60eb46284aa0c4
run #0: failed: failed to run command in VM: broken console: Permission denied (publickey)
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect bad 50b7feda1560607de5eff3ddeca8450923a5af4e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e89b1266f784b2271af2e72a5d04e3e39d0afcdc] ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate
determine whether the revision contains the guilty commit
revision 07610c78efc466811b0982c96b07f45fbcda7044 crashed and is reachable
testing commit e89b1266f784b2271af2e72a5d04e3e39d0afcdc gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b39d317c15cb63804f7254a6350332f3bcf11075717638cf306bdf470f7c589f
all runs: OK
false negative chance: 0.000
# git bisect bad e89b1266f784b2271af2e72a5d04e3e39d0afcdc
e89b1266f784b2271af2e72a5d04e3e39d0afcdc is the first bad commit
commit e89b1266f784b2271af2e72a5d04e3e39d0afcdc
Author: liujinbao1
Date: Thu Oct 12 12:28:06 2023 +0800

    ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate

    If userspace tried to add a backing file in a fuse_dentry_revalidate
    where there wasn't one originally, this would trigger a crash.

    Disallow this operation for now.

    Bug: 296013218
    Fixes: 57f3ff964899 ("ANDROID: fuse-bpf v1.1")
    Test: fuse_test passes, following script no longer crashes:
    adb shell su root setenforce 0
    adb shell su root chmod ug+w /data/media
    adb shell su root rm /data/media/Android -rf
    adb shell su root mkdir -p /storage/emulated/Android/data/test
    adb shell su root ls -l /storage/emulated/Android/data/test
    Change-Id: Id8a67c43d1edfa010403d5f17e31109b796998cf
    Signed-off-by: liujinbao1

 fs/fuse/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: b39d317c15cb63804f7254a6350332f3bcf11075717638cf306bdf470f7c589f
parent signature: 2ec0c87eb2fba42d854e8856e039b83af486fbd09497514a192068fcb63e9875
revisions tested: 18, total time: 2h56m26.29539003s (build: 57m3.539845966s, test: 1h42m58.883525315s)
first good commit: e89b1266f784b2271af2e72a5d04e3e39d0afcdc ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate
recipients (to): ["liujinbao1@xiaomi.corp-partner.google.com"]
recipients (cc): []