ci2 starts bisection 2024-09-14 22:42:57.362448494 +0000 UTC m=+9374.839152186 bisecting fixing commit since 9044d25b8ff5cb55bf57542a8457cd1e4e37646d building syzkaller on 6ef39602f449b25d12299bddb48d9d1b56c4cbca ensuring issue is reproducible on original commit 9044d25b8ff5cb55bf57542a8457cd1e4e37646d testing commit 9044d25b8ff5cb55bf57542a8457cd1e4e37646d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: fea5dbb0c3e43556d72f2d5dbb65e277190bdc0730baf815fe7d33a4951b8a4f all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit 9044d25b8ff5cb55bf57542a8457cd1e4e37646d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8467cecbb32fc940b0dda65f03f91cc5c9bf202ea481369d29b7a56bdedc6c36 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed kconfig minimization: base=4920 full=6158 leaves diff=242 split chunks (needed=false): <242> split chunk #0 of len 242 into 5 parts testing without sub-chunk 1/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 9044d25b8ff5cb55bf57542a8457cd1e4e37646d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2dd9fed110bdfca9a4f998af9f36279003192cde6d7e6055e36b718eeb89094f all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit 9044d25b8ff5cb55bf57542a8457cd1e4e37646d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f187ec7a5e137c2c001a184590e8f328c2e0f3894399ded718530780900ffae3 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit 9044d25b8ff5cb55bf57542a8457cd1e4e37646d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d8ab91e8c0fc1c5bf15cb3ce9f18a86cb84f1c528c6ab6bfec6caa4582b4d315 run #0: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #1: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #2: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #3: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #4: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #5: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #6: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #7: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #8: crashed: KASAN: out-of-bounds Read in __ext4_check_dir_entry run #9: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit 9044d25b8ff5cb55bf57542a8457cd1e4e37646d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 67581a0fcb625116ffb57b84fbddd013c23667bcccce4f4900e393bfef7d33bd all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit 9044d25b8ff5cb55bf57542a8457cd1e4e37646d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 failed building 9044d25b8ff5cb55bf57542a8457cd1e4e37646d: net/socket.c:1191: undefined reference to `wext_handle_ioctl' net/socket.c:3385: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:343: undefined reference to `wext_proc_exit' net/core/net-procfs.c:327: undefined reference to `wext_proc_init' minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF] disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing current HEAD e6fb3b0fa87f1fe127bc20a5038d8e8e08e57cf7 testing commit e6fb3b0fa87f1fe127bc20a5038d8e8e08e57cf7 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0e32981162d23a5ffebab48c19d480f3ec03fd024ba9b261e3cd11c2692da9b6 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 51m16.932713937s (build: 17m2.893827648s, test: 32m17.769584573s) crash still not fixed or there were kernel test errors commit msg: Revert "binder: fix max_thread type inconsistency" crash: KASAN: use-after-free Read in __ext4_check_dir_entry EXT4-fs error (device loop0): make_indexed_dir:2282: inode #2: block 255: comm syz.0.16: bad entry in directory: rec_len is smaller than minimal - offset=1024, inode=5120, rec_len=0, size=993 fake=0 EXT4-fs warning (device loop0): dx_probe:831: inode #2: comm syz.0.16: Unrecognised inode hash code 49 EXT4-fs warning (device loop0): dx_probe:964: inode #2: comm syz.0.16: Corrupt directory, running e2fsck is recommended ================================================================== BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x5df/0x890 fs/ext4/dir.c:85 Read of size 2 at addr ffff8881246ac003 by task syz.0.16/441 CPU: 1 PID: 441 Comm: syz.0.16 Not tainted 5.15.160-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x38/0x49 lib/dump_stack.c:106 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:427 [inline] kasan_report.cold+0x82/0xdb mm/kasan/report.c:444 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307 __ext4_check_dir_entry+0x5df/0x890 fs/ext4/dir.c:85 ext4_readdir+0x8e6/0x3430 fs/ext4/dir.c:258 iterate_dir+0x495/0x730 fs/readdir.c:65 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64 fs/readdir.c:354 [inline] __x64_sys_getdents64+0x12f/0x230 fs/readdir.c:354 x64_sys_call+0x3fc/0x990 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7ff0d3f63b29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff0d39ed048 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007ff0d40f1fa0 RCX: 00007ff0d3f63b29 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005 RBP: 00007ff0d3fe4756 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007ff0d40f1fa0 R15: 00007fff4a47f048 The buggy address belongs to the page: page:ffffea000491ab00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1246ac flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea000491ab48 ffff8881f743c680 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffff8881246abf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881246abf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881246ac000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881246ac080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881246ac100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop0): ext4_readdir:258: inode #2: block 255: comm syz.0.16: path /root/syzkaller.6C2XlX/1/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0