bisecting fixing commit since b850307b279cbd12ab8c654d1a3dfe55319cc475
building syzkaller on 9ebcc5b1a8145326065b932958d82ada85a5c224
testing commit b850307b279cbd12ab8c654d1a3dfe55319cc475 with gcc (GCC) 8.1.0
kernel signature: 9745dbdfdbb2953fe0054449a7f9f8bfd4f80cbbd9777f971ffb45f6d5ac8e09
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
testing current HEAD 458a534cac0c808fce164cc961f8384ffc8c455e
testing commit 458a534cac0c808fce164cc961f8384ffc8c455e with gcc (GCC) 8.1.0
kernel signature: ef94a7a9bdbede76fadc02ca8fde7c7ac05bacd5dfd22bc9f4a8019fd7b2b2d7
all runs: OK
# git bisect start 458a534cac0c808fce164cc961f8384ffc8c455e b850307b279cbd12ab8c654d1a3dfe55319cc475
Bisecting: 566 revisions left to test after this (roughly 9 steps)
[9255e73a4d372babdb3095561952696d0330bd74] mac80211: allow rx of mesh eapol frames with default rx key
testing commit 9255e73a4d372babdb3095561952696d0330bd74 with gcc (GCC) 8.1.0
kernel signature: 0b904ee81860169cf0e2dba78ecb1dee62dc135db4ea2fe3638673b7720b3186
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: slab-out-of-bounds Read in get_block
run #3: crashed: KASAN: out-of-bounds Read in get_block
run #4: crashed: KASAN: slab-out-of-bounds Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
# git bisect good 9255e73a4d372babdb3095561952696d0330bd74
Bisecting: 283 revisions left to test after this (roughly 8 steps)
[99e69b921dae3ebe63d2c424ce00f91b4cab2826] crypto: ccp - Fix use of merged scatterlists
testing commit 99e69b921dae3ebe63d2c424ce00f91b4cab2826 with gcc (GCC) 8.1.0
kernel signature: 920f76cdd421f592dc793e79e53868f4dd77109b60a91d7fe678428a2e18174c
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: use-after-free Read in get_block
run #2: crashed: KASAN: slab-out-of-bounds Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: out-of-bounds Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
# git bisect good 99e69b921dae3ebe63d2c424ce00f91b4cab2826
Bisecting: 141 revisions left to test after this (roughly 7 steps)
[4704cd249f8d28c5cd9fe29148e6833f0dd54b02] drm/amdkfd: Fix reference count leaks.
testing commit 4704cd249f8d28c5cd9fe29148e6833f0dd54b02 with gcc (GCC) 8.1.0
kernel signature: ef1b25e33cc8672e4b0d2fcd05f0833c14cc53fb8becac8fac2e9e6ea9c39e1c
all runs: OK
# git bisect bad 4704cd249f8d28c5cd9fe29148e6833f0dd54b02
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[da54edbe563866eb2bd57a12bc8f76ddc88fc369] genirq/affinity: Handle affinity setting on inactive interrupts correctly
testing commit da54edbe563866eb2bd57a12bc8f76ddc88fc369 with gcc (GCC) 8.1.0
kernel signature: 7a2388e9e2954611912747e2c2aed5f116422da54955b07254a37af1f9a30208
all runs: OK
# git bisect bad da54edbe563866eb2bd57a12bc8f76ddc88fc369
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[2b5858751a051fbd7ad7dc831fadf8bbed741ccc] ftrace: Setup correct FTRACE_FL_REGS flags for module
testing commit 2b5858751a051fbd7ad7dc831fadf8bbed741ccc with gcc (GCC) 8.1.0
kernel signature: c7c8418bbd2961217abfb5d1193c3f5d2f0b4a3c6000205b6e5ce7ea17ad5f1c
all runs: OK
# git bisect bad 2b5858751a051fbd7ad7dc831fadf8bbed741ccc
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[233f70bdb12800fce6b153c270ec987acbaa773b] smb3: warn on confusing error scenario with sec=krb5
testing commit 233f70bdb12800fce6b153c270ec987acbaa773b with gcc (GCC) 8.1.0
kernel signature: a01c57b7d1336b2e504ed9df5d4ab6bd7f8b0e54400ef08bee9c30b05f98cbca
all runs: OK
# git bisect bad 233f70bdb12800fce6b153c270ec987acbaa773b
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[2fd8f313a9fdeb06986bd2bb8caa7c87602b9729] spi: spidev: Align buffers for DMA
testing commit 2fd8f313a9fdeb06986bd2bb8caa7c87602b9729 with gcc (GCC) 8.1.0
kernel signature: 2deda49ae2115a83d90140cb248f5271f9ec48b3e4d1e5ffa9adf0da628a8169
all runs: OK
# git bisect bad 2fd8f313a9fdeb06986bd2bb8caa7c87602b9729
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[12490f06ef084bc34f5e5dbda104aa034e376f2e] fs/minix: don't allow getting deleted inodes
testing commit 12490f06ef084bc34f5e5dbda104aa034e376f2e with gcc (GCC) 8.1.0
kernel signature: 5d044696defe3f9d86254756ffcf349f3c0cf49a13c4cba39e29cde3c3551251
run #0: crashed: KASAN: slab-out-of-bounds Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: slab-out-of-bounds Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: slab-out-of-bounds Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
# git bisect good 12490f06ef084bc34f5e5dbda104aa034e376f2e
Bisecting: 1 revision left to test after this (roughly 1 step)
[ff114bcd7635211d051c6031fac800fd45424ece] ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
testing commit ff114bcd7635211d051c6031fac800fd45424ece with gcc (GCC) 8.1.0
kernel signature: 707220991727d56854b53bfe9e9257f30a38b977f408302a370576fa83cf4a17
all runs: OK
# git bisect bad ff114bcd7635211d051c6031fac800fd45424ece
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0900097ef667097b0a4afb0155a4f5add77ece19] fs/minix: reject too-large maximum file size
testing commit 0900097ef667097b0a4afb0155a4f5add77ece19 with gcc (GCC) 8.1.0
kernel signature: 7d9a4b7e2445659d68b1e25320d0bcdfa1c8930167f4fdc310742f841e7076a5
all runs: OK
# git bisect bad 0900097ef667097b0a4afb0155a4f5add77ece19
0900097ef667097b0a4afb0155a4f5add77ece19 is the first bad commit
commit 0900097ef667097b0a4afb0155a4f5add77ece19
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Aug 11 18:35:30 2020 -0700

    fs/minix: reject too-large maximum file size
    
    commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.
    
    If the minix filesystem tries to map a very large logical block number to
    its on-disk location, block_to_path() can return offsets that are too
    large, causing out-of-bounds memory accesses when accessing indirect index
    blocks.  This should be prevented by the check against the maximum file
    size, but this doesn't work because the maximum file size is read directly
    from the on-disk superblock and isn't validated itself.
    
    Fix this by validating the maximum file size at mount time.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
    Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
    Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Qiujun Huang <anenbupt@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
culprit signature: 7d9a4b7e2445659d68b1e25320d0bcdfa1c8930167f4fdc310742f841e7076a5
parent  signature: 5d044696defe3f9d86254756ffcf349f3c0cf49a13c4cba39e29cde3c3551251
revisions tested: 12, total time: 3h49m12.932462677s (build: 2h8m54.198415995s, test: 1h38m10.242928695s)
first good commit: 0900097ef667097b0a4afb0155a4f5add77ece19 fs/minix: reject too-large maximum file size
recipients (to): ["akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]
recipients (cc): []