ci2 starts bisection 2023-11-21 10:33:22.156993307 +0000 UTC m=+663469.265024060
bisecting fixing commit since 5e7421101fe26bf133be95cfbe59d1567ba80392
building syzkaller on d624500f3877323fae8eb084872c5ef9a8ce3ef9
ensuring issue is reproducible on original commit 5e7421101fe26bf133be95cfbe59d1567ba80392

testing commit 5e7421101fe26bf133be95cfbe59d1567ba80392 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4c2b55f87f1aadf9b54df33873dd14ac9c8f3ff26882ca23fec7a29ed9e35c5a
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed

testing commit 5e7421101fe26bf133be95cfbe59d1567ba80392 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 24372190cb37be5eea3d2bd9273cc70eca0001a8cbdaa5dd229c6985b09e54ef
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
kconfig minimization: base=5179 full=6485 leaves diff=248
split chunks (needed=false): <248>
split chunk #0 of len 248 into 5 parts

testing without sub-chunk 1/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 5e7421101fe26bf133be95cfbe59d1567ba80392 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6e6eaf673fa7910d1e7a9a5fd89376a3bcbbc0225b57e4bb655b1e30d9189245
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the chunk can be dropped

testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 5e7421101fe26bf133be95cfbe59d1567ba80392 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 12fc5c1411517b25df0efbc4b6b7e34d7a1468d061668aef21b3a08aa5f10ea7
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the chunk can be dropped

testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 5e7421101fe26bf133be95cfbe59d1567ba80392 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a6a54d8d76d25ba4571d5eac10891b35d316678fe7bb6006ad6bd04e4101244e
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the chunk can be dropped

testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 5e7421101fe26bf133be95cfbe59d1567ba80392 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6916b7478f12897473415c08e9d2cafca49787c3dc971d9816dff97e832f8254
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
the chunk can be dropped

testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 5e7421101fe26bf133be95cfbe59d1567ba80392 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 5e7421101fe26bf133be95cfbe59d1567ba80392:
net/socket.c:1225: undefined reference to `wext_handle_ioctl'
net/socket.c:3420: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'

minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed

testing current HEAD 8f46c34931781e92d02eca56f64304e30a66dca5
testing commit 8f46c34931781e92d02eca56f64304e30a66dca5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c20558657b61bc5411cc70d3af26c7b6b107f7642d2eafeb071bd1e5dda1fc9c
all runs: OK
false negative chance: 0.000

# git bisect start 8f46c34931781e92d02eca56f64304e30a66dca5 5e7421101fe26bf133be95cfbe59d1567ba80392
Bisecting: 1924 revisions left to test after this (roughly 11 steps)
[5c09925b187931f4106edb7a70d6c23ab0b802c5] PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev
determine whether the revision contains the guilty commit
checking the merge base b1644a0031cfb3ca2cbd84c92f771f8ebb62302d
no existing result, test the revision
testing commit b1644a0031cfb3ca2cbd84c92f771f8ebb62302d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 63d6a1588539b5030830608b8a9eaffc0e4db62192f2158258e411824a3979f5
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]
testing commit 5c09925b187931f4106edb7a70d6c23ab0b802c5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5f612b7ebbf1db52afc1833c04afc87d3dafcdffc71fcbe9225015f6fa6999bd
all runs: OK
false negative chance: 0.000

# git bisect bad 5c09925b187931f4106edb7a70d6c23ab0b802c5
Bisecting: 961 revisions left to test after this (roughly 10 steps)
[cf180afea303c01a64806705c9fa20422578b8b1] ACPI: video: Remove desktops without backlight DMI quirks
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit cf180afea303c01a64806705c9fa20422578b8b1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f3095a326080bb478aceb1755fb1c4c6e77623e178f7f00d3f83f5a1dbcffdb5
all runs: OK
false negative chance: 0.000

# git bisect bad cf180afea303c01a64806705c9fa20422578b8b1
Bisecting: 480 revisions left to test after this (roughly 9 steps)
[402299cca89273b62384b5f9645ea49cd5fc4a57] ASoC: fsl_mqs: move of_node_put() to the correct location
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 402299cca89273b62384b5f9645ea49cd5fc4a57 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d3b0ed2af4a5b11127e3699889277fb97e4e5a72c8e454b0aaade6b6c00bb332
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]

# git bisect good 402299cca89273b62384b5f9645ea49cd5fc4a57
Bisecting: 240 revisions left to test after this (roughly 8 steps)
[e92399f527445ba244f76fbb94ff19658a2d3297] octeontx2-af: Secure APR table update with the lock
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit e92399f527445ba244f76fbb94ff19658a2d3297 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 61b072a41f350d0856616bca62a0ba3aaec9f538329aa1fcc615093c41681ef9
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]

# git bisect good e92399f527445ba244f76fbb94ff19658a2d3297
Bisecting: 120 revisions left to test after this (roughly 7 steps)
[3af09dee7f9b3b50ce98387c8fa7ccaac8f54037] f2fs: remove unnecessary __init_extent_tree
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 3af09dee7f9b3b50ce98387c8fa7ccaac8f54037 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2c41d73c22d7a12f85d3753fc364a040e23bb316e821e89f49e2beed4a7bbd3a
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]

# git bisect good 3af09dee7f9b3b50ce98387c8fa7ccaac8f54037
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[262841702603e8a0285c95476aa2ee7b27edd80b] scsi: ufs: core: Fix I/O hang that occurs when BKOPS fails in W-LUN suspend
determine whether the revision contains the guilty commit
revision 402299cca89273b62384b5f9645ea49cd5fc4a57 crashed and is reachable
testing commit 262841702603e8a0285c95476aa2ee7b27edd80b gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 50a1704762ff7ce6a3ad829dc7d54ce72dce258ec6e64215cdb4c60252a96116
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]

# git bisect good 262841702603e8a0285c95476aa2ee7b27edd80b
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[522c441faf82ab88636d66be8e25b8b7dfa2e001] refscale: Move shutdown from wait_event() to wait_event_idle()
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 522c441faf82ab88636d66be8e25b8b7dfa2e001 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2baf63953e9e67ff52ae92093ce9f749e75654257019cacda07c49117d9c7e80
all runs: OK
false negative chance: 0.000

# git bisect bad 522c441faf82ab88636d66be8e25b8b7dfa2e001
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[610a433810b277b3b77389733c07d22e8af68de2] ipvlan:Fix out-of-bounds caused by unclear skb->cb
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 610a433810b277b3b77389733c07d22e8af68de2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8236d6b9859121581069811e84cc1673adee6f9d1b4eefde50764728ffa39c69
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]

# git bisect good 610a433810b277b3b77389733c07d22e8af68de2
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[86d73b1f98a81f3ecfc19dfe6f8d50daf5707330] drm/i915/dp: prevent potential div-by-zero
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 86d73b1f98a81f3ecfc19dfe6f8d50daf5707330 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 52f084f8055a16cc0fe06c6185d228866f1c75d8a41e24a923819b43f4a336b3
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]

# git bisect good 86d73b1f98a81f3ecfc19dfe6f8d50daf5707330
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[cc4086759fda39d0b590951fafbc4f12e3159944] ext4: reflect error codes from ext4_multi_mount_protect() to its callers
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit cc4086759fda39d0b590951fafbc4f12e3159944 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d311090f351cd9cb0de4c043b38482efefb360925c41e573d628f39b813be874
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]

# git bisect good cc4086759fda39d0b590951fafbc4f12e3159944
Bisecting: 1 revision left to test after this (roughly 1 step)
[f12aa035e81438b4b005b4916bf68edf540cb4a9] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
determine whether the revision contains the guilty commit
revision 3af09dee7f9b3b50ce98387c8fa7ccaac8f54037 crashed and is reachable
testing commit f12aa035e81438b4b005b4916bf68edf540cb4a9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a0f19e1ba1a2154d3fcdb9f4d11156ef37eb842e0543c20fd873b9f06bab1fa5
all runs: crashed: kernel BUG in ext4_mb_load_buddy_gfp
representative crash: kernel BUG in ext4_mb_load_buddy_gfp, types: [BUG]

# git bisect good f12aa035e81438b4b005b4916bf68edf540cb4a9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b4319e457d6e3fb33e443efeaf4634fc36e8a9ed] ext4: allow ext4_get_group_info() to fail
determine whether the revision contains the guilty commit
revision cc4086759fda39d0b590951fafbc4f12e3159944 crashed and is reachable
testing commit b4319e457d6e3fb33e443efeaf4634fc36e8a9ed gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 537ed3a30beb7849f73c43743dfc2bc04ab7f65ebe2fcd32411fb5080439987b
all runs: OK
false negative chance: 0.000

# git bisect bad b4319e457d6e3fb33e443efeaf4634fc36e8a9ed
b4319e457d6e3fb33e443efeaf4634fc36e8a9ed is the first bad commit
commit b4319e457d6e3fb33e443efeaf4634fc36e8a9ed
Author: Theodore Ts'o
Date: Sat Apr 29 00:06:28 2023 -0400

    ext4: allow ext4_get_group_info() to fail

    [ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ]

    Previously, ext4_get_group_info() would treat an invalid group number as BUG(), since in theory it should never happen. However, if a malicious attacker (or fuzzer) modifies the superblock via the block device while the file system is mounted, it is possible for s_first_data_block to get set to a very large number. In that case, when calculating the block group of some block number (such as the starting block of a preallocation region), could result in an underflow and very large block group number. Then the BUG_ON check in ext4_get_group_info() would fire, resulting in a denial of service attack that can be triggered by root or someone with write access to the block device.

    From a quality of implementation perspective, it's best that even if the system administrator does something that they shouldn't, that it will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info() will call ext4_error and return NULL. We also add fallback code in all of the callers of ext4_get_group_info() that it might return NULL.

    Also, since ext4_get_group_info() was already borderline to be an inline function, un-inline it. This results in a net reduction of the compiled text size of ext4 by roughly 2k.

    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu
    Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
    Signed-off-by: Theodore Ts'o
    Reviewed-by: Jan Kara
    Signed-off-by: Sasha Levin

 fs/ext4/balloc.c  | 18 +++++++++++++++-
 fs/ext4/ext4.h    | 15 ++-----------
 fs/ext4/ialloc.c  | 12 +++++++----
 fs/ext4/mballoc.c | 64 +++++++++++++++++++++++++++++++++++++++++++++----------
 fs/ext4/super.c   |  2 ++
 5 files changed, 82 insertions(+), 29 deletions(-)

accumulated error probability: 0.00
culprit signature: 537ed3a30beb7849f73c43743dfc2bc04ab7f65ebe2fcd32411fb5080439987b
parent signature: a0f19e1ba1a2154d3fcdb9f4d11156ef37eb842e0543c20fd873b9f06bab1fa5
revisions tested: 20, total time: 2h21m1.531659601s (build: 46m32.426637945s, test: 1h26m56.954765011s)
first good commit: b4319e457d6e3fb33e443efeaf4634fc36e8a9ed ext4: allow ext4_get_group_info() to fail
recipients (to): ["jack@suse.cz" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []