ci starts bisection 2024-12-09 08:35:38.39553938 +0000 UTC m=+238661.395795423
bisecting fixing commit since 48cf398f15fc3b2af11c78fed548355d3b66ca11
building syzkaller on af24b0505c748561efb50f1d03c824d6642f6c0b
ensuring issue is reproducible on original commit 48cf398f15fc3b2af11c78fed548355d3b66ca11
testing commit 48cf398f15fc3b2af11c78fed548355d3b66ca11
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 95473446925f496267a70910ea626be853222bf6030217d5970774710f9fb7d7
run #0: crashed: general protection fault in refill_obj_stock
run #1: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #2: crashed: general protection fault in find_match
run #3: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #4: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #5: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #6: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #7: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #8: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #9: crashed: general protection fault in bio_uninit
run #10: crashed: general protection fault in refill_obj_stock
run #11: crashed: possible deadlock in console_flush_all
run #12: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #13: crashed: KASAN: use-after-free Read in hfsplus_read_wrapper
run #14: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #15: crashed: WARNING in __run_timers
run #16: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #17: crashed: general protection fault in ipv6_chk_mcast_addr
run #18: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #19: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
representative crash: KASAN: slab-use-after-free Read in hfsplus_read_wrapper, types: [KASAN UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 48cf398f15fc3b2af11c78fed548355d3b66ca11
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 79270f209d9d478787f32a618c3c16e336a4804c5309e5a65ff32be84fef9c35
run #0: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #1: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #2: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #3: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #4: crashed: KASAN: wild-memory-access Write in mmput
run #5: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #6: crashed: general protection fault in ip6_dst_check
run #7: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #8: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #9: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
representative crash: KASAN: slab-use-after-free Read in hfsplus_read_wrapper, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
kconfig minimization: base=4047 full=8008 leaves diff=2003
split chunks (needed=false): <2003>
split chunk #0 of len 2003 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 48cf398f15fc3b2af11c78fed548355d3b66ca11
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b3d701354c94715aedac8ef32583c63b9bbbc481b91abd6f6f6f71fc7eb14b7e
run #0: crashed: general protection fault in refill_obj_stock
run #1: crashed: general protection fault in fib6_ifup
run #2: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #3: crashed: KASAN: slab-out-of-bounds Read in hfsplus_read_wrapper
run #4: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #5: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #6: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #7: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #8: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #9: crashed: KASAN: use-after-free Read in hfsplus_read_wrapper
representative crash: KASAN: slab-use-after-free Read in hfsplus_read_wrapper, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 48cf398f15fc3b2af11c78fed548355d3b66ca11
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 34dc0283ad80dc417cd957e1ad27a2d6e14cfcdf563f6578d0e2254f43514050
all runs: OK
false negative chance: 0.000
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 48cf398f15fc3b2af11c78fed548355d3b66ca11
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a563dd2f8231b6ace916fa404d3e645c89d86bc997ccd0dd92d25ab4a3458f7b
run #0: crashed: general protection fault in bio_uninit
run #1: crashed: general protection fault in __rht_bucket_nested
run #2: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #3: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #4: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #5: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #6: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #7: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #8: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #9: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
representative crash: KASAN: slab-use-after-free Read in hfsplus_read_wrapper, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 48cf398f15fc3b2af11c78fed548355d3b66ca11
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d011eaa1b20ccfcd1648534b9925fe5855a2d9477e7def9f701c4ae8edf3408e
run #0: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #1: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #2: crashed: general protection fault in bio_uninit
run #3: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #4: crashed: general protection fault in bio_uninit
run #5: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #6: crashed: general protection fault in bio_uninit
run #7: crashed: general protection fault in bio_uninit
run #8: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #9: crashed: KASAN: use-after-free Read in hfsplus_read_wrapper
representative crash: KASAN: slab-use-after-free Read in hfsplus_read_wrapper, types: [KASAN UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 48cf398f15fc3b2af11c78fed548355d3b66ca11
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4f10ba32b5b6b2ac7cdcaf979800227e523fa94c5fb26ce3ad6e519ce39d22ad
run #0: crashed: general protection fault in bio_uninit
run #1: crashed: general protection fault in bio_uninit
run #2: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #3: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #4: crashed: general protection fault in bio_uninit
run #5: crashed: general protection fault in bio_uninit
run #6: crashed: general protection fault in update_load_avg
run #7: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #8: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
run #9: crashed: KASAN: slab-use-after-free Read in hfsplus_read_wrapper
representative crash: general protection fault in bio_uninit, types: [UNKNOWN KASAN]
the chunk can be dropped
minimized to 401 configs; suspects: [...]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD fac04efc5c793dccbd07e2d59af9f90b7fc0dca4
testing commit fac04efc5c793dccbd07e2d59af9f90b7fc0dca4
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 833f377a7308e3220748efb2c3265cd8442f0b0c14ee5f95fa76c4e93636ad7d
all runs: OK
false negative chance: 0.000
# git bisect start fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 48cf398f15fc3b2af11c78fed548355d3b66ca11
Bisecting: 28893 revisions left to test after this (roughly 15 steps)
[ee9a43b7cfe2d8a3520335fea7d8ce71b8cabd9d] Merge tag 'net-6.11-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
determine whether the revision contains the guilty commit
revision 48cf398f15fc3b2af11c78fed548355d3b66ca11 crashed and is reachable
testing commit ee9a43b7cfe2d8a3520335fea7d8ce71b8cabd9d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 436d3da565c68604c2aeb472b4a2811f7c83297f10741a730caccd2b921d28fc
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good ee9a43b7cfe2d8a3520335fea7d8ce71b8cabd9d
Bisecting: 14457 revisions left to test after this (roughly 14 steps)
[c2d2547783444a8c18d8c35a7ceffea85b02b0f6] Merge wireless-next into staging-next
determine whether the revision contains the guilty commit
revision 48cf398f15fc3b2af11c78fed548355d3b66ca11 crashed and is reachable
testing commit c2d2547783444a8c18d8c35a7ceffea85b02b0f6
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5e43981d6c2ab35b79f07e25c670d69bd98a8e52125d54bead1ca194132e3f2b
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good c2d2547783444a8c18d8c35a7ceffea85b02b0f6
Bisecting: 7084 revisions left to test after this (roughly 13 steps)
[fcc79e1714e8c2b8e216dc3149812edd37884eef] Merge tag 'net-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
determine whether the revision contains the guilty commit
revision 48cf398f15fc3b2af11c78fed548355d3b66ca11 crashed and is reachable
testing commit fcc79e1714e8c2b8e216dc3149812edd37884eef
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 15aad25a5161fbae6dba8673a8438701c6c0b617aafcfe415a61ae4a32a53923
all runs: OK
false negative chance: 0.000
# git bisect bad fcc79e1714e8c2b8e216dc3149812edd37884eef
Bisecting: 3667 revisions left to test after this (roughly 12 steps)
[5c2b050848337f393011ee7fcd2e9f2663eec40d] Merge tag 'irq-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
determine whether the revision contains the guilty commit
revision 48cf398f15fc3b2af11c78fed548355d3b66ca11 crashed and is reachable
testing commit 5c2b050848337f393011ee7fcd2e9f2663eec40d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f5c0bd51fbc41198bc097b2fb2a1157f1555153f8c5b8ae685272e0415dc0fe1
all runs: OK
false negative chance: 0.000
# git bisect bad 5c2b050848337f393011ee7fcd2e9f2663eec40d
Bisecting: 1846 revisions left to test after this (roughly 11 steps)
[a558cc34936b48909c0c54f7efac8b6a2c1120a4] Merge tag 'usb-6.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
determine whether the revision contains the guilty commit
revision 48cf398f15fc3b2af11c78fed548355d3b66ca11 crashed and is reachable
testing commit a558cc34936b48909c0c54f7efac8b6a2c1120a4
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 77172b0d94959e3712e2fcddb33737105e351200c172e88ecd7eb6c3e3d2aaeb
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good a558cc34936b48909c0c54f7efac8b6a2c1120a4
Bisecting: 961 revisions left to test after this (roughly 10 steps)
[5591fd5e034819a89ac93c0ccc6be2a930042f71] Merge tag 'lsm-pr-20241112' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm
determine whether the revision contains the guilty commit
revision a558cc34936b48909c0c54f7efac8b6a2c1120a4 crashed and is reachable
testing commit 5591fd5e034819a89ac93c0ccc6be2a930042f71
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3fcf79fe9245e142c36f4ea8ba4691ad36fff67e00d665a0f0adb503bb00bb89
all runs: OK
false negative chance: 0.000
# git bisect bad 5591fd5e034819a89ac93c0ccc6be2a930042f71
Bisecting: 432 revisions left to test after this (roughly 9 steps)
[0f25f0e4efaeb68086f7e65c442f2d648b21736f] Merge tag 'pull-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
determine whether the revision contains the guilty commit
revision a558cc34936b48909c0c54f7efac8b6a2c1120a4 crashed and is reachable
testing commit 0f25f0e4efaeb68086f7e65c442f2d648b21736f
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 41d6826cce86fa12759168a6307ad1b4a1ca9f0484b2bf6e80817dabc5b86bc0
all runs: OK
false negative chance: 0.000
# git bisect bad 0f25f0e4efaeb68086f7e65c442f2d648b21736f
Bisecting: 224 revisions left to test after this (roughly 8 steps)
[b5a24181e461e8bfa8cdf35e1804679dc1bebcdd] Merge tag 'trace-ringbuffer-v6.12-rc7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
determine whether the revision contains the guilty commit
revision ee9a43b7cfe2d8a3520335fea7d8ce71b8cabd9d crashed and is reachable
testing commit b5a24181e461e8bfa8cdf35e1804679dc1bebcdd
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1a44116f1cd2894b7374f5bdbaf149edebc202f7547e53bfba220b3a9374f295
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good b5a24181e461e8bfa8cdf35e1804679dc1bebcdd
Bisecting: 112 revisions left to test after this (roughly 7 steps)
[56be9aaf98d58bf69e2c948c183001d77e63fbbb] Merge tag 'vfs-6.13.pagecache' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
determine whether the revision contains the guilty commit
revision b5a24181e461e8bfa8cdf35e1804679dc1bebcdd crashed and is reachable
testing commit 56be9aaf98d58bf69e2c948c183001d77e63fbbb
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 207f6b32e42097ffb78d2f35af5de9e22eb6d6f0cd96a287dedc786e91d7faeb
all runs: OK
false negative chance: 0.000
# git bisect bad 56be9aaf98d58bf69e2c948c183001d77e63fbbb
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[4eb98b7760e8078dbc984ee08b02b5b4c3cff088] Merge tag 'vfs-6.13.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
determine whether the revision contains the guilty commit
revision b5a24181e461e8bfa8cdf35e1804679dc1bebcdd crashed and is reachable
testing commit 4eb98b7760e8078dbc984ee08b02b5b4c3cff088
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cb6c8b9ab981882ee57a05056778dfdb50d312bef9a43df0bdb410fa6e744716
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good 4eb98b7760e8078dbc984ee08b02b5b4c3cff088
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[75ead69a717332efa70303fba85e1876793c74a9] fs: don't let statmount return empty strings
determine whether the revision contains the guilty commit
revision ee9a43b7cfe2d8a3520335fea7d8ce71b8cabd9d crashed and is reachable
testing commit 75ead69a717332efa70303fba85e1876793c74a9
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f0a4aab85c4c02d5427d3e0a788c3405df893836f3bb73063d2013a1f2be62e6
all runs: OK
false negative chance: 0.000
# git bisect bad 75ead69a717332efa70303fba85e1876793c74a9
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[c2986387430ae6a98e46094bbe669454656f873a] vfs: inode insertion kdoc corrections
determine whether the revision contains the guilty commit
revision ee9a43b7cfe2d8a3520335fea7d8ce71b8cabd9d crashed and is reachable
testing commit c2986387430ae6a98e46094bbe669454656f873a
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 569dd25ef2999c398a640674eb6f283e33a4c5d68f5fc3034c05feb9c6128815
run #0: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #1: crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter
run #2: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #3: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #4: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #5: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #6: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #7: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #8: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #9: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good c2986387430ae6a98e46094bbe669454656f873a
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[99bdadbde9c418f29b78b7241732268dbc0a05cc] acl: Realign struct posix_acl to save 8 bytes
determine whether the revision contains the guilty commit
revision ee9a43b7cfe2d8a3520335fea7d8ce71b8cabd9d crashed and is reachable
testing commit 99bdadbde9c418f29b78b7241732268dbc0a05cc
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4a5389bc1e4534a10999a9654a46730d01a0f0de151e9c5231b10fd7945e54cd
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good 99bdadbde9c418f29b78b7241732268dbc0a05cc
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[cb80d9074f2a56c8226657b01f19656584fc3ab5] fs: optimize acl_permission_check()
determine whether the revision contains the guilty commit
revision c2986387430ae6a98e46094bbe669454656f873a crashed and is reachable
testing commit cb80d9074f2a56c8226657b01f19656584fc3ab5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 235806e8163ef5e946db74971f1806b2a0f555f55cb5c6a1b0854f27f9d3494b
run #0: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #1: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #2: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #3: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #4: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #5: crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter
run #6: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #7: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #8: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
run #9: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good cb80d9074f2a56c8226657b01f19656584fc3ab5
Bisecting: 1 revision left to test after this (roughly 1 step)
[1c82587cb57687de3f18ab4b98a8850c789bedcf] hfsplus: don't query the device logical block size multiple times
determine whether the revision contains the guilty commit
revision c2986387430ae6a98e46094bbe669454656f873a crashed and is reachable
testing commit 1c82587cb57687de3f18ab4b98a8850c789bedcf
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f43fb297dc8970b82aac78a9838531425fd897805939ed95b1faef980a498662
all runs: OK
false negative chance: 0.000
# git bisect bad 1c82587cb57687de3f18ab4b98a8850c789bedcf
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca] freevxfs: Replace one-element array with flexible array member
determine whether the revision contains the guilty commit
revision 99bdadbde9c418f29b78b7241732268dbc0a05cc crashed and is reachable
testing commit fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 88cff011cddfee2f8932704014c5108d8d81af13788effdb37d9a76935c9793a
all runs: crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
representative crash: KASAN: slab-out-of-bounds Read in generic_perform_write, types: [KASAN]
# git bisect good fdfa4c02e6dd6c67f5cef8d78c6204e1ff7e12ca
1c82587cb57687de3f18ab4b98a8850c789bedcf is the first bad commit
commit 1c82587cb57687de3f18ab4b98a8850c789bedcf
Author: Thadeu Lima de Souza Cascardo
Date: Thu Nov 7 08:41:09 2024 -0300

hfsplus: don't query the device logical block size multiple times

Devices block sizes may change. One of these cases is a loop device by using ioctl LOOP_SET_BLOCK_SIZE.

While this may cause other issues like IO being rejected, in the case of hfsplus, it will allocate a block by using that size and potentially write out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the latter function reads a different io_size.

Using a new min_io_size initally set to sb_min_blocksize works for the purposes of the original fix, since it will be set to the max between HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not initialized.

Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024 and 4096.

The produced KASAN report before the fix looks like this:

[ 419.944641] ==================================================================
[ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a
[ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678
[ 419.947612]
[ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84
[ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 419.950035] Call Trace:
[ 419.950384]
[ 419.950676] dump_stack_lvl+0x57/0x78
[ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a
[ 419.951830] print_report+0x14c/0x49e
[ 419.952361] ? __virt_addr_valid+0x267/0x278
[ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d
[ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a
[ 419.954231] kasan_report+0x89/0xb0
[ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a
[ 419.955367] hfsplus_read_wrapper+0x659/0xa0a
[ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10
[ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9
[ 419.957214] ? _raw_spin_unlock+0x1a/0x2e
[ 419.957772] hfsplus_fill_super+0x348/0x1590
[ 419.958355] ? hlock_class+0x4c/0x109
[ 419.958867] ? __pfx_hfsplus_fill_super+0x10/0x10
[ 419.959499] ? __pfx_string+0x10/0x10
[ 419.960006] ? lock_acquire+0x3e2/0x454
[ 419.960532] ? bdev_name.constprop.0+0xce/0x243
[ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10
[ 419.961799] ? pointer+0x3f0/0x62f
[ 419.962277] ? __pfx_pointer+0x10/0x10
[ 419.962761] ? vsnprintf+0x6c4/0xfba
[ 419.963178] ? __pfx_vsnprintf+0x10/0x10
[ 419.963621] ? setup_bdev_super+0x376/0x3b3
[ 419.964029] ? snprintf+0x9d/0xd2
[ 419.964344] ? __pfx_snprintf+0x10/0x10
[ 419.964675] ? lock_acquired+0x45c/0x5e9
[ 419.965016] ? set_blocksize+0x139/0x1c1
[ 419.965381] ? sb_set_blocksize+0x6d/0xae
[ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10
[ 419.966179] mount_bdev+0x12f/0x1bf
[ 419.966512] ? __pfx_mount_bdev+0x10/0x10
[ 419.966886] ? vfs_parse_fs_string+0xce/0x111
[ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10
[ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10
[ 419.968073] legacy_get_tree+0x104/0x178
[ 419.968414] vfs_get_tree+0x86/0x296
[ 419.968751] path_mount+0xba3/0xd0b
[ 419.969157] ? __pfx_path_mount+0x10/0x10
[ 419.969594] ? kmem_cache_free+0x1e2/0x260
[ 419.970311] do_mount+0x99/0xe0
[ 419.970630] ? __pfx_do_mount+0x10/0x10
[ 419.971008] __do_sys_mount+0x199/0x1c9
[ 419.971397] do_syscall_64+0xd0/0x135
[ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 419.972233] RIP: 0033:0x7c3cb812972e
[ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48
[ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e
[ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: 00007ffe306325d0
[ 419.976363] RBP: 00007ffe30632720 R08: 00007ffe30632610 R09: 0000000000000000
[ 419.977034] R10: 0000000000200008 R11: 0000000000000286 R12: 0000000000000000
[ 419.977713] R13: 00007ffe306328e8 R14: 00005a0eb298bc68 R15: 00007c3cb8356000
[ 419.978375]
[ 419.978589]

Fixes: 6596528e391a ("hfsplus: ensure bio requests are not smaller than the hardware sectors")
Signed-off-by: Thadeu Lima de Souza Cascardo
Link: https://lore.kernel.org/r/20241107114109.839253-1-cascardo@igalia.com
Signed-off-by: Christian Brauner

fs/hfsplus/hfsplus_fs.h | 3 ++-
fs/hfsplus/wrapper.c | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: f43fb297dc8970b82aac78a9838531425fd897805939ed95b1faef980a498662
parent signature: 88cff011cddfee2f8932704014c5108d8d81af13788effdb37d9a76935c9793a
revisions tested: 24, total time: 8h55m53.703536969s (build: 5h11m19.117860655s, test: 2h56m0.787959724s)
first good commit: 1c82587cb57687de3f18ab4b98a8850c789bedcf hfsplus: don't query the device logical block size multiple times
recipients (to): ["brauner@kernel.org" "cascardo@igalia.com" "linux-fsdevel@vger.kernel.org"]
recipients (cc): ["brauner@kernel.org" "bvanassche@acm.org" "cascardo@igalia.com" "chao@kernel.org" "jack@suse.cz" "josef@toxicpanda.com" "linux-kernel@vger.kernel.org" "rdunlap@infradead.org" "sandeen@redhat.com" "viro@zeniv.linux.org.uk" "willy@infradead.org"]