ci2 starts bisection 2025-11-24 21:46:54.935914058 +0000 UTC m=+35980.491811621
bisecting fixing commit since 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6
building syzkaller on 03fcfc4b7385b545a89a3fc62bef4e1ec7532e0d
ensuring issue is reproducible on original commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6

testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0a2d88f4072b6971f522df79e05df310bbaca1eb2513d5d82b7ed5a8a3799bd9
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f348185e07bb805e1f4c9205aaf89a81e72c5080977a8b0b99c19a901dfe936
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=4921 full=6219 leaves diff=255
split chunks (needed=false): <255>
split chunk #0 of len 255 into 5 parts
testing without sub-chunk 1/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 09f3dca8dbb8b8682c3625f72f09b8d95574bf745d1324af2d7202addb10d1e9
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3b6cf370f8b7194dad53e0e25314c376bd01251c416cd43fce331211bcbfd579
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 04ee8267abc92e054e9a4e6377e31c856604608b98bd14d5ffddc6579c441a1a
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 761c83d18836dd0c4bcbcdad9c57d682b13ff62f74c34ee38345ebc03a0a52a6
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6: net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3390: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 51 configs; suspects: [HID_ZEROPLUS USB_LINK_LAYER_TEST USB_MON USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing current HEAD 057fdbf6d3c79123ad58eb55aa2428b2d951b04d
testing commit 057fdbf6d3c79123ad58eb55aa2428b2d951b04d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fd736c5dc907c6c70aa38f53938cdf5f2553a9d255e7abb56a3ad28610bd1e13
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 1h11m12.052203941s (build: 38m12.841230621s, test: 30m42.287727174s)
crash still not fixed or there were kernel test errors
commit msg: Merge 5.15.196 into android13-5.15-lts
crash: KASAN: use-after-free Read in __ext4_check_dir_entry
EXT4-fs warning (device loop2): dx_probe:965: inode #2: comm syz.2.19: Corrupt directory, running e2fsck is recommended
EXT4-fs warning (device loop2): dx_probe:832: inode #2: comm syz.2.19: Unrecognised inode hash code 4
EXT4-fs warning (device loop2): dx_probe:965: inode #2: comm syz.2.19: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x643/0x960 fs/ext4/dir.c:85
Read of size 2 at addr ffff8881243eb003 by task syz.2.19/456

CPU: 0 PID: 456 Comm: syz.2.19 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x38/0x49 lib/dump_stack.c:106
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:444
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
 __ext4_check_dir_entry+0x643/0x960 fs/ext4/dir.c:85
 ext4_readdir+0xaf8/0x2fd0 fs/ext4/dir.c:261
 iterate_dir+0x498/0x730 fs/readdir.c:65
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __x64_sys_getdents64+0x12f/0x230 fs/readdir.c:354
 x64_sys_call+0x3fc/0x990 arch/x86/include/generated/asm/syscalls_64.h:218
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fcdaa333929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcda9da4038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fcdaa55afa0 RCX: 00007fcdaa333929
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007fcdaa3b5b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fcdaa55afa0 R15: 00007ffe3bd93ff8
 </TASK>

The buggy address belongs to the page:
page:ffffea000490fac0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1243eb
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea000490fb08 ffff8881f753c680 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 456, ts 53056141739, free_ts 53057477615
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook mm/page_alloc.c:2605 [inline]
 prep_new_page+0x1a2/0x310 mm/page_alloc.c:2611
 get_page_from_freelist+0x1ce2/0x30a0 mm/page_alloc.c:4485
 __alloc_pages+0x300/0x2d50 mm/page_alloc.c:5808
 __alloc_pages_node include/linux/gfp.h:595 [inline]
 alloc_pages_node include/linux/gfp.h:609 [inline]
 alloc_pages include/linux/gfp.h:622 [inline]
 wp_page_copy+0x337/0x16f0 mm/memory.c:3221
 do_wp_page+0x27c/0x1390 mm/memory.c:3567
 handle_pte_fault+0xbf7/0x30a0 mm/memory.c:4932
 __handle_mm_fault+0x4ea/0x1480 mm/memory.c:5207
 do_handle_mm_fault+0x33b/0x690 mm/memory.c:5333
 do_user_addr_fault+0x726/0x1120 arch/x86/mm/fault.c:1325
 handle_page_fault arch/x86/mm/fault.c:1509 [inline]
 exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1565
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:606
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare+0x1b6/0x4c0 mm/page_alloc.c:1544
 free_unref_page_prepare mm/page_alloc.c:3534 [inline]
 free_unref_page_list+0x1e3/0xcd0 mm/page_alloc.c:3671
 release_pages+0x37f/0xff0 mm/swap.c:1014
 free_pages_and_swap_cache+0x5d/0x80 mm/swap_state.c:320
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x129/0x790 mm/mmu_gather.c:338
 unmap_region+0x2cd/0x3d0 mm/mmap.c:2692
 __do_munmap+0x481/0x1000 mm/mmap.c:2925
 __vm_munmap+0x117/0x240 mm/mmap.c:2978
 __do_sys_munmap mm/mmap.c:3004 [inline]
 __se_sys_munmap mm/mmap.c:3000 [inline]
 __x64_sys_munmap+0x62/0x80 mm/mmap.c:3000
 x64_sys_call+0x935/0x990 arch/x86/include/generated/asm/syscalls_64.h:12
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff8881243eaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881243eaf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881243eb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8881243eb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881243eb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop2): ext4_readdir:261: inode #2: block 255: comm syz.2.19: path (unknown): bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0