bisecting fixing commit since fdc072324f3c66190a20f57490b4842a391d8233
building syzkaller on 58da4c35b15200b7279f18ea15bc8644618aae78
testing commit fdc072324f3c66190a20f57490b4842a391d8233 with gcc (GCC) 8.1.0
kernel signature: 5aa27d9cf9de27956813c29c46b621e1a507f686e035be4abae223d4e4fc2881
run #0: crashed: KASAN: use-after-free Write in get_block
run #1: crashed: KASAN: use-after-free Write in get_block
run #2: crashed: KASAN: use-after-free Write in get_block
run #3: crashed: KASAN: use-after-free Write in get_block
run #4: crashed: KASAN: use-after-free Write in get_block
run #5: crashed: KASAN: use-after-free Write in get_block
run #6: crashed: KASAN: use-after-free Write in get_block
run #7: crashed: KASAN: use-after-free Write in get_block
run #8: crashed: KASAN: out-of-bounds Write in get_block
run #9: crashed: KASAN: use-after-free Write in get_block
testing current HEAD a87f96283793d58b042618c689630db264715274
testing commit a87f96283793d58b042618c689630db264715274 with gcc (GCC) 8.1.0
kernel signature: 7774e06ef61088ca027b65365226d64c7cd774a7759229959107ea238fdcab14
all runs: OK
# git bisect start a87f96283793d58b042618c689630db264715274 fdc072324f3c66190a20f57490b4842a391d8233
Bisecting: 1013 revisions left to test after this (roughly 10 steps)
[0f4e2d6b65e265894342b10a1fd7a1f1a2c96381] ocfs2: load global_inode_alloc
testing commit 0f4e2d6b65e265894342b10a1fd7a1f1a2c96381 with gcc (GCC) 8.1.0
kernel signature: 4186f48717fa2fd4984a8b99cb77ba5c459a3aff54f44d686a5f73043dc2e59e
all runs: crashed: KASAN: use-after-free Write in get_block
# git bisect good 0f4e2d6b65e265894342b10a1fd7a1f1a2c96381
Bisecting: 506 revisions left to test after this (roughly 9 steps)
[fec3ffe702a0a407586fdcccdb4bf3918cf18fb3] usb: gadget: net2280: fix memory leak on probe error handling paths
testing commit fec3ffe702a0a407586fdcccdb4bf3918cf18fb3 with gcc (GCC) 8.1.0
kernel signature: 9dd54cbbb55a3ff6eaa61b0e8f0a9ab43b4451bd92dac3c2c73c5e08f04afd6f
all runs: crashed: KASAN: use-after-free Write in get_block
# git bisect good fec3ffe702a0a407586fdcccdb4bf3918cf18fb3
Bisecting: 253 revisions left to test after this (roughly 8 steps)
[04efb368bc0bd90cbb07b8e9fa79dcea11f5b8ce] i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
testing commit 04efb368bc0bd90cbb07b8e9fa79dcea11f5b8ce with gcc (GCC) 8.1.0
kernel signature: 0f5cd797c00676dbbc40e01857a7ccd946e2b105bda1dc45cf0e4ec9d2a9dffb
all runs: OK
# git bisect bad 04efb368bc0bd90cbb07b8e9fa79dcea11f5b8ce
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[ae33b1ebbce825c85dbabfdbbea7db72f51298d5] PCI: Add device even if driver attach failed
testing commit ae33b1ebbce825c85dbabfdbbea7db72f51298d5 with gcc (GCC) 8.1.0
kernel signature: 5029a054928b649086ea8a5982cd90c71b252e3eff3ba167b7842e3422ff941d
all runs: OK
# git bisect bad ae33b1ebbce825c85dbabfdbbea7db72f51298d5
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[88106a1039032405b738e8da72c4061cb79aa4e1] PCI: Release IVRS table in AMD ACS quirk
testing commit 88106a1039032405b738e8da72c4061cb79aa4e1 with gcc (GCC) 8.1.0
kernel signature: 0b59b0207a2050297184b9cca1e2bb898afdcab831a1da5b102b867c1acb6e6b
all runs: crashed: KASAN: use-after-free Write in get_block
# git bisect good 88106a1039032405b738e8da72c4061cb79aa4e1
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[7f496a7224b1a70a07ed7ed0d5b329980730816e] ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
testing commit 7f496a7224b1a70a07ed7ed0d5b329980730816e with gcc (GCC) 8.1.0
kernel signature: 2fb1b84c45ce0655d59d4d2b31f423d3b4d18523f6f951c530c7283a3d1b56b4
all runs: crashed: KASAN: use-after-free Write in get_block
# git bisect good 7f496a7224b1a70a07ed7ed0d5b329980730816e
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[93a64a8d27e8285144b82897f5f930a8c7d34019] cpufreq: dt: fix oops on armada37xx
testing commit 93a64a8d27e8285144b82897f5f930a8c7d34019 with gcc (GCC) 8.1.0
kernel signature: 9ed3d296290099d3c8eb1931c548c0ee7c6e6e818f0effd41d99f6d4b8a45464
all runs: OK
# git bisect bad 93a64a8d27e8285144b82897f5f930a8c7d34019
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[b846b77fba7b62246a6538618498bf13f5c148a7] fs/minix: check return value of sb_getblk()
testing commit b846b77fba7b62246a6538618498bf13f5c148a7 with gcc (GCC) 8.1.0
kernel signature: 00576f43df43f57b2b735375e85e2c2782edc77af0648da14b460d4fe94f974f
run #0: crashed: KASAN: use-after-free Write in get_block
run #1: crashed: KASAN: use-after-free Write in get_block
run #2: crashed: KASAN: use-after-free Write in get_block
run #3: crashed: KASAN: use-after-free Write in get_block
run #4: crashed: KASAN: use-after-free Write in get_block
run #5: crashed: KASAN: use-after-free Write in get_block
run #6: crashed: KASAN: use-after-free Write in get_block
run #7: crashed: KASAN: out-of-bounds Write in get_block
run #8: crashed: KASAN: use-after-free Write in get_block
run #9: crashed: KASAN: use-after-free Write in get_block
# git bisect good b846b77fba7b62246a6538618498bf13f5c148a7
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[ec41ee06e9e0c9a6dbc2cf420f199fc2a522aec8] 9p: Fix memory leak in v9fs_mount
testing commit ec41ee06e9e0c9a6dbc2cf420f199fc2a522aec8 with gcc (GCC) 8.1.0
kernel signature: 7827cca2cc66c20eda26de6ea386edbf88f72066ad0bb241b890bafbd4ee0d10
all runs: OK
# git bisect bad ec41ee06e9e0c9a6dbc2cf420f199fc2a522aec8
Bisecting: 1 revision left to test after this (roughly 1 step)
[954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d] fs/minix: reject too-large maximum file size
testing commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d with gcc (GCC) 8.1.0
kernel signature: be921135415403170979b845f814fbbde5f0d7f62c6f3ff5089a0c1497924f3f
all runs: OK
# git bisect bad 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[169f7f37bd6b0bb91242099cc261219791067d5c] fs/minix: don't allow getting deleted inodes
testing commit 169f7f37bd6b0bb91242099cc261219791067d5c with gcc (GCC) 8.1.0
kernel signature: d1a0df985ad8556a30df826f37dd42c7576d1309cd98a0075acd438c3531a405
all runs: crashed: KASAN: use-after-free Write in get_block
# git bisect good 169f7f37bd6b0bb91242099cc261219791067d5c
954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d is the first bad commit
commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers
Date:   Tue Aug 11 18:35:30 2020 -0700

    fs/minix: reject too-large maximum file size

    commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.

    If the minix filesystem tries to map a very large logical block number
    to its on-disk location, block_to_path() can return offsets that are
    too large, causing out-of-bounds memory accesses when accessing
    indirect index blocks.

    This should be prevented by the check against the maximum file size,
    but this doesn't work because the maximum file size is read directly
    from the on-disk superblock and isn't validated itself.

    Fix this by validating the maximum file size at mount time.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
    Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
    Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers
    Signed-off-by: Andrew Morton
    Cc: Alexander Viro
    Cc: Qiujun Huang
    Cc:
    Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

culprit signature: be921135415403170979b845f814fbbde5f0d7f62c6f3ff5089a0c1497924f3f
parent signature: d1a0df985ad8556a30df826f37dd42c7576d1309cd98a0075acd438c3531a405
revisions tested: 13, total time: 3h15m12.230899627s (build: 1h47m0.100822275s, test: 1h27m0.099973409s)
first good commit: 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d fs/minix: reject too-large maximum file size
recipients (to): ["akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]
recipients (cc): []