ci2 starts bisection 2025-03-19 00:24:43.03169104 +0000 UTC m=+36145.594587319 bisecting fixing commit since e2b9748880b939d8d99877b72cc4cc42951d49b6 building syzkaller on d3ccff6372e07c6aabd02b5da419aa6492b5f0ad ensuring issue is reproducible on original commit e2b9748880b939d8d99877b72cc4cc42951d49b6 testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c55481f7971684209ad360c4501af9547818fdaffaa09a38ab9b3d3d24980d63 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: cc9683eb0755af81d109e9964ead51a771b0c4083b9a6dc5427499c334c29d14 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed kconfig minimization: base=5179 full=6548 leaves diff=264 split chunks (needed=false): <264> split chunk #0 of len 264 into 5 parts testing without sub-chunk 1/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1bd748cb5a74a0a8fff21262747991fe27b5ee0f52838d1919d193dfd25708c5 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 080e4dfd9aefc0aff8fa188eb4d4f8f444561a69d5b9f2d646fdc07f0c6b3322 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d9e04590d0fdac84379306c7f94017714b2c462bb84ea34c179a202ae6c2c209 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 69c3849ebd1432fafa13d4cf004b12c18c797aa1ebf3ba7f52d093b7e4ec2342 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit e2b9748880b939d8d99877b72cc4cc42951d49b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building e2b9748880b939d8d99877b72cc4cc42951d49b6: net/socket.c:1245: undefined reference to `wext_handle_ioctl' net/socket.c:3447: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 52 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing current HEAD 6bd3e435f2e8eeada09275a24f3013801756edfb testing commit 6bd3e435f2e8eeada09275a24f3013801756edfb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 80f45ce5ffb9b89015fbad0670b9fe6aa8008adc6596028cc941d53062e712d3 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 59m53.817325876s (build: 21m22.999842698s, test: 35m0.987414805s) crash still not fixed or there were kernel test errors commit msg: UPSTREAM: f2fs: fix inconsistent dirty state of atomic file crash: KASAN: use-after-free Read in ext4_read_inline_dir ================================================================== BUG: KASAN: use-after-free in ext4_read_inline_data fs/ext4/inline.c:210 [inline] BUG: KASAN: use-after-free in ext4_read_inline_dir+0x42f/0xce0 fs/ext4/inline.c:1512 Read of size 68 at addr ffff88812b3aad05 by task syz-executor/460 CPU: 0 PID: 460 Comm: syz-executor Not tainted 6.1.128-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x105/0x148 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189 memcpy+0x2d/0x70 mm/kasan/shadow.c:65 ext4_read_inline_data fs/ext4/inline.c:210 [inline] ext4_read_inline_dir+0x42f/0xce0 fs/ext4/inline.c:1512 ext4_readdir+0x278/0x2d40 fs/ext4/dir.c:158 iterate_dir+0x215/0x510 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0x1af/0x3e0 fs/readdir.c:354 __x64_sys_getdents64+0x76/0x80 fs/readdir.c:354 x64_sys_call+0x5ae/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f5cef1b8693 Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 82 3e f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8 RSP: 002b:00007ffc2e93d1e8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 000055556ba8d520 RCX: 00007f5cef1b8693 RDX: 0000000000008000 RSI: 000055556ba8d520 RDI: 0000000000000006 RBP: 000055556ba8d4f4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8 R13: 0000000000000016 R14: 000055556ba8d4f0 R15: 0000000000000001 The buggy address belongs to the physical page: page:ffffea0004acea80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12b3aa flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea0004a45b48 ffffea0004acec88 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 440, tgid 440 (syz-executor), ts 56194174252, free_ts 56276294944 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2637 [inline] prep_new_page+0x512/0x5e0 mm/page_alloc.c:2644 get_page_from_freelist+0x3b46/0x3bc0 mm/page_alloc.c:4539 __alloc_pages+0x234/0x610 mm/page_alloc.c:5837 __folio_alloc+0x15/0x40 mm/page_alloc.c:5869 __folio_alloc_node include/linux/gfp.h:245 [inline] folio_alloc include/linux/gfp.h:274 [inline] alloc_page_vma include/linux/gfp.h:283 [inline] wp_page_copy+0x239/0x1270 mm/memory.c:3208 do_wp_page+0x9ef/0xc80 handle_pte_fault mm/memory.c:5175 [inline] __handle_mm_fault mm/memory.c:5299 [inline] handle_mm_fault+0xffc/0x2550 mm/memory.c:5439 do_user_addr_fault arch/x86/mm/fault.c:1374 [inline] handle_page_fault arch/x86/mm/fault.c:1466 [inline] exc_page_fault+0x24d/0x6d0 arch/x86/mm/fault.c:1522 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1545 [inline] free_pcp_prepare mm/page_alloc.c:1619 [inline] free_unref_page_prepare+0x8c6/0x8d0 mm/page_alloc.c:3581 free_unref_page_list+0xf1/0x790 mm/page_alloc.c:3729 release_pages+0xca8/0xd00 mm/swap.c:1043 free_pages_and_swap_cache+0x68/0x80 mm/swap_state.c:315 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:254 [inline] tlb_flush_mmu mm/mmu_gather.c:261 [inline] tlb_finish_mmu+0x1ba/0x3b0 mm/mmu_gather.c:361 exit_mmap+0x3a5/0x890 mm/mmap.c:3359 __mmput+0x6b/0x2a0 kernel/fork.c:1299 mmput+0x2a/0xe0 kernel/fork.c:1322 exit_mm kernel/exit.c:568 [inline] do_exit+0x93e/0x2460 kernel/exit.c:864 do_group_exit+0x1ba/0x290 kernel/exit.c:1027 __do_sys_exit_group kernel/exit.c:1038 [inline] __se_sys_exit_group kernel/exit.c:1036 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036 x64_sys_call+0x610/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Memory state around the buggy address: ffff88812b3aac00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88812b3aac80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88812b3aad00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88812b3aad80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88812b3aae00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop1): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop1): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop1): empty_inline_dir:1877: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs error (device loop1): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop1): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop1): empty_inline_dir:1877: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs error (device loop1): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop1): ext4_read_inline_dir:1593: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop1): empty_inline_dir:1877: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop1): empty_inline_dir:1884: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs (loop1): unmounting filesystem.