ci2 starts bisection 2025-06-03 11:48:56.89367035 +0000 UTC m=+42106.661899928 bisecting fixing commit since e2b9748880b939d8d99877b72cc4cc42951d49b6 building syzkaller on d3ccff6372e07c6aabd02b5da419aa6492b5f0ad ensuring issue is reproducible on original commit e2b9748880b939d8d99877b72cc4cc42951d49b6 testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 98a3b51154fc383036c7313425b91bcb13cf0627847cc3c3ac74e8a51a69372d run #0: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #1: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #2: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #3: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #4: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #5: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #6: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #7: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #8: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #9: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #10: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #11: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #12: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #13: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #14: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #15: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #16: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #17: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #18: crashed: KASAN: out-of-bounds Read in ext4_read_inline_dir run #19: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: d42cd6fa0eebf8933f2923a6d69f14973e4b21fc31d29ada52bcd181688152b8 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed kconfig minimization: base=5186 full=6548 leaves diff=266 split chunks (needed=false): <266> split chunk #0 of len 266 into 5 parts testing without sub-chunk 1/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 19d5d6b127a77ea572dcf0814763e49b3b5a2673fe029c4afd87873874f91612 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 9526cb71c3e25408b99405a34df10307d75ce1c01a56a9cd75717774124915ab all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 796ce5ecdcb4011ddd1cba3b817eeb9104a4c4131cfa6b1ad45d2656cea9295c run #0: crashed: KASAN: out-of-bounds Read in ext4_read_inline_dir run #1: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #2: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #3: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #4: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #5: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #6: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #7: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #8: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #9: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: out-of-bounds Read in ext4_read_inline_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 69f0ca7a9cc6cd10be9261b878a1abbedd6efa0b5fdda8b93dfd4e02bb93e84c all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 failed building e2b9748880b939d8d99877b72cc4cc42951d49b6: ld.lld: error: undefined symbol: wext_proc_init ld.lld: error: undefined symbol: wext_proc_exit ld.lld: error: undefined symbol: wext_handle_ioctl ld.lld: error: undefined symbol: compat_wext_handle_ioctl minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing current HEAD 5b87067cdd87affdb34f233e8fdd7805249335e2 testing commit 5b87067cdd87affdb34f233e8fdd7805249335e2 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 943fb72c091e91c739cfd68c32d55933d749802f3b50870f137d9663766f3336 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 1h10m55.056609777s (build: 35m20.052962517s, test: 31m39.3619115s) crash still not fixed or there were kernel test errors commit msg: UPSTREAM: mm/memcg: use kmem_cache when alloc memcg pernode info crash: KASAN: use-after-free Read in ext4_read_inline_dir ================================================================== BUG: KASAN: use-after-free in ext4_read_inline_data fs/ext4/inline.c:210 [inline] BUG: KASAN: use-after-free in ext4_read_inline_dir+0x344/0xbe0 fs/ext4/inline.c:1512 Read of size 68 at addr ffff88812d8cfd05 by task syz-executor/475 CPU: 0 PID: 475 Comm: syz-executor Not tainted 6.1.138-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: __dump_stack+0x19/0x1c lib/dump_stack.c:88 dump_stack_lvl+0xa3/0xec lib/dump_stack.c:106 print_address_description+0x71/0x210 mm/kasan/report.c:316 print_report+0x4a/0x60 mm/kasan/report.c:427 kasan_report+0x122/0x150 mm/kasan/report.c:531 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x280/0x290 mm/kasan/generic.c:189 memcpy+0x2d/0x70 mm/kasan/shadow.c:65 ext4_read_inline_data fs/ext4/inline.c:210 [inline] ext4_read_inline_dir+0x344/0xbe0 fs/ext4/inline.c:1512 ext4_readdir+0x256/0x31e0 fs/ext4/dir.c:161 iterate_dir+0x221/0x540 fs/readdir.c:-1 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0xc9/0x190 fs/readdir.c:354 __x64_sys_getdents64+0x76/0x80 fs/readdir.c:354 x64_sys_call+0x15c/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f33cc7b8693 Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 82 3e f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8 RSP: 002b:00007ffcd64f83e8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 000055555de9f520 RCX: 00007f33cc7b8693 RDX: 0000000000008000 RSI: 000055555de9f520 RDI: 0000000000000006 RBP: 000055555de9f4f4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8 R13: 0000000000000016 R14: 000055555de9f4f0 R15: 0000000000000001 The buggy address belongs to the physical page: page:ffffea0004b633c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12d8cf flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea0004b63408 ffffea0004b63388 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffff88812d8cfc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88812d8cfc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88812d8cfd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88812d8cfd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88812d8cfe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop2): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop2): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop2): empty_inline_dir:1877: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs error (device loop2): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop2): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop2): empty_inline_dir:1877: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs error (device loop2): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop2): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop2): empty_inline_dir:1877: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop2): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs (loop2): unmounting filesystem.