ci2 starts bisection 2023-12-31 12:51:51.690194336 +0000 UTC m=+766915.014079897 bisecting fixing commit since b496cc3115440c46f376c759f29d3397f54da070 building syzkaller on cb976f63e0177b96eb9ce1c631cc5e2c4b4b0759 ensuring issue is reproducible on original commit b496cc3115440c46f376c759f29d3397f54da070 testing commit b496cc3115440c46f376c759f29d3397f54da070 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5925bb68b0d01939d4a85e293eedbc6c82489082cc877731bbbbd73812558def run #0: crashed: KASAN: use-after-free Read in ext4_search_dir run #1: crashed: KASAN: use-after-free Read in ext4_search_dir run #2: crashed: KASAN: use-after-free Read in ext4_search_dir run #3: crashed: KASAN: use-after-free Read in ext4_search_dir run #4: crashed: KASAN: use-after-free Read in ext4_search_dir run #5: crashed: KASAN: use-after-free Read in ext4_search_dir run #6: crashed: KASAN: use-after-free Read in ext4_search_dir run #7: crashed: KASAN: use-after-free Read in ext4_search_dir run #8: crashed: KASAN: use-after-free Read in ext4_search_dir run #9: crashed: KASAN: use-after-free Read in ext4_search_dir run #10: crashed: KASAN: use-after-free Read in ext4_search_dir run #11: crashed: KASAN: use-after-free Read in ext4_search_dir run #12: crashed: KASAN: use-after-free Read in ext4_search_dir run #13: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir run #14: crashed: KASAN: use-after-free Read in ext4_search_dir run #15: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir run #16: crashed: KASAN: use-after-free Read in ext4_search_dir run #17: crashed: KASAN: use-after-free Read in ext4_search_dir run #18: crashed: KASAN: use-after-free Read in ext4_search_dir run #19: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit b496cc3115440c46f376c759f29d3397f54da070 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2464055a726520a97a61ab90dfba92b7144af42756b017adba448781bdfbff40 all runs: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed kconfig minimization: base=5179 full=6485 leaves diff=250 split chunks (needed=false): <250> split chunk #0 of len 250 into 5 parts testing without sub-chunk 1/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit b496cc3115440c46f376c759f29d3397f54da070 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 26f3cc4fa4da4ee4aa77194e010eb544ea1a338b4986288e1f1ac86bbdec29a4 all runs: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit b496cc3115440c46f376c759f29d3397f54da070 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8d4279e16151dea0bb5b45bdce3c4cfa8aca630bd0cb73925759f27b58cc773a all runs: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit b496cc3115440c46f376c759f29d3397f54da070 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c2f752a4a3445fe00e4b6377a88be6547d52674edf9942e5bd3f2073cb758deb all runs: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit b496cc3115440c46f376c759f29d3397f54da070 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2c29fd961a80418d3bf842ee3f72eb5fbfc158e6fe0782bfaa5257af1634813c all runs: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit b496cc3115440c46f376c759f29d3397f54da070 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building b496cc3115440c46f376c759f29d3397f54da070: net/socket.c:1225: undefined reference to `wext_handle_ioctl' net/socket.c:3420: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing current HEAD d3006fb9449d46b3c7733d5baa30c7a0e944cc5e testing commit d3006fb9449d46b3c7733d5baa30c7a0e944cc5e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1d31da9cd0b16395e43bc894578d43c654941ada4ac72e5ef4f3c1864bf51e0a run #0: crashed: KASAN: use-after-free Read in ext4_search_dir run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir run #2: crashed: KASAN: use-after-free Read in ext4_search_dir run #3: crashed: KASAN: use-after-free Read in ext4_search_dir run #4: crashed: KASAN: use-after-free Read in ext4_search_dir run #5: crashed: KASAN: use-after-free Read in ext4_search_dir run #6: crashed: KASAN: use-after-free Read in ext4_search_dir run #7: crashed: KASAN: use-after-free Read in ext4_search_dir run #8: crashed: KASAN: use-after-free Read in ext4_search_dir run #9: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 1h0m57.372493702s (build: 38m2.68565809s, test: 20m12.4499765s) crash still not fixed or there were kernel test errors commit msg: ANDROID: ABI: Update oplus symbol list crash: KASAN: use-after-free Read in ext4_search_dir EXT4-fs: Ignoring removed bh option EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem EXT4-fs (loop0): 1 truncate cleaned up EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xd6/0x180 fs/ext4/namei.c:1543 Read of size 1 at addr ffff88811f15ad23 by task syz-executor.0/374 CPU: 0 PID: 374 Comm: syz-executor.0 Not tainted 6.1.57-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x105/0x148 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:348 ext4_search_dir+0xd6/0x180 fs/ext4/namei.c:1543 ext4_find_inline_entry+0x367/0x540 fs/ext4/inline.c:1722 __ext4_find_entry+0x2c5/0x15f0 fs/ext4/namei.c:1616 ext4_lookup_entry fs/ext4/namei.c:1771 [inline] ext4_lookup+0x14a/0x5f0 fs/ext4/namei.c:1839 __lookup_hash+0x194/0x1f0 fs/namei.c:1601 filename_create+0x24e/0x490 fs/namei.c:3808 do_mkdirat+0x128/0x390 fs/namei.c:4051 __do_sys_mkdirat fs/namei.c:4076 [inline] __se_sys_mkdirat fs/namei.c:4074 [inline] __x64_sys_mkdirat+0x84/0x90 fs/namei.c:4074 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f76e5a7cae9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f76e67230c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 00007f76e5b9bf80 RCX: 00007f76e5a7cae9 RDX: 0000000000000000 RSI: 0000000020000040 RDI: ffffffffffffff9c RBP: 00007f76e5ac847a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f76e5b9bf80 R15: 00007ffc16827d38 The buggy address belongs to the physical page: page:ffffea00047c5680 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11f15a flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea00047c56c8 ffffea00047c5648 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 288, tgid 281 (syz-fuzzer), ts 22341803527, free_ts 22767635997 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2566 [inline] prep_new_page+0x512/0x5e0 mm/page_alloc.c:2573 get_page_from_freelist+0x288b/0x2910 mm/page_alloc.c:4397 __alloc_pages+0x39f/0x780 mm/page_alloc.c:5684 __folio_alloc+0x15/0x40 mm/page_alloc.c:5716 __folio_alloc_node include/linux/gfp.h:245 [inline] folio_alloc include/linux/gfp.h:274 [inline] alloc_page_vma include/linux/gfp.h:283 [inline] do_anonymous_page mm/memory.c:4186 [inline] handle_pte_fault mm/memory.c:5065 [inline] __handle_mm_fault mm/memory.c:5209 [inline] handle_mm_fault+0x187a/0x2490 mm/memory.c:5349 do_user_addr_fault arch/x86/mm/fault.c:1363 [inline] handle_page_fault arch/x86/mm/fault.c:1504 [inline] exc_page_fault+0x3a6/0x6e0 arch/x86/mm/fault.c:1560 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:570 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1474 [inline] free_pcp_prepare mm/page_alloc.c:1548 [inline] free_unref_page_prepare+0x794/0x7a0 mm/page_alloc.c:3470 free_unref_page_list+0xf1/0x790 mm/page_alloc.c:3618 release_pages+0xcfc/0xd50 mm/swap.c:1063 free_pages_and_swap_cache+0x68/0x80 mm/swap_state.c:314 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:254 [inline] tlb_flush_mmu+0xe9/0x1b0 mm/mmu_gather.c:261 zap_pte_range mm/memory.c:1531 [inline] zap_pmd_range mm/memory.c:1580 [inline] zap_pud_range mm/memory.c:1609 [inline] zap_p4d_range mm/memory.c:1630 [inline] unmap_page_range+0x7d4/0x18e0 mm/memory.c:1651 unmap_single_vma mm/memory.c:1697 [inline] unmap_vmas+0x461/0x590 mm/memory.c:1737 exit_mmap+0x25c/0x730 mm/mmap.c:3317 __mmput+0x6b/0x2a0 kernel/fork.c:1280 mmput+0x2a/0xe0 kernel/fork.c:1303 exit_mm kernel/exit.c:566 [inline] do_exit+0x943/0x2470 kernel/exit.c:862 do_group_exit+0x1ba/0x290 kernel/exit.c:1025 get_signal+0xf0b/0x1000 kernel/signal.c:2879 arch_do_signal_or_restart+0xb0/0x16f0 arch/x86/kernel/signal.c:871 exit_to_user_mode_loop+0x74/0xa0 kernel/entry/common.c:168 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:204 Memory state around the buggy address: ffff88811f15ac00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811f15ac80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88811f15ad00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88811f15ad80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811f15ae00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop0): ext4_find_dest_de:2112: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=3089191003, rec_len=43069, size=56 fake=0