ci2 starts bisection 2025-09-01 23:56:08.262808606 +0000 UTC m=+264593.899042993 bisecting fixing commit since 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c building syzkaller on 5d7e17caf7d0971d22446d8a81bcf1cd8c18a0dc ensuring issue is reproducible on original commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: d24dd76fd2ba811ed6d1573788644c1b8515391c7a4f8504a79d896b6041a29f all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ] check whether we can drop unnecessary instrumentation disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 40d6ca63fc2c1dc9ac836049be2749a9e7a575e6b242a9266b29d6e7ea15b88e all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ] the bug reproduces without the instrumentation disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed kconfig minimization: base=5186 full=6555 leaves diff=264 split chunks (needed=false): <264> split chunk #0 of len 264 into 5 parts testing without sub-chunk 1/5 disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: bae1246b305f038c9b446156db1ee6c7d97e8003ea5bcd8992d5e1b28e857a72 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: eaca9fc309960f0b1df42f13d97bc2f12ad10447fa872fcb6dbcbb5943869025 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: f7b2a61e74a7f371fb6711071b8bccf448f3a260e0809d8d11d430125860ae1d all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 08a0053208c24eb3eef674c32606a9a85ead44b0dfef818e7496a1fb382853a6 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 failed building 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c: ld.lld: error: undefined symbol: wext_proc_init ld.lld: error: undefined symbol: wext_proc_exit ld.lld: error: undefined symbol: wext_handle_ioctl ld.lld: error: undefined symbol: compat_wext_handle_ioctl minimized to 52 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS ZEROPLUS_FF] disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed testing current HEAD 684ae9bac393aeccf30e835397d9be784d1b26d3 testing commit 684ae9bac393aeccf30e835397d9be784d1b26d3 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 354e0d253ac4c29d8635167b69c4fea3fbd4e2bb2b99d18995d8755ceb6d642e all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 1h9m59.154533677s (build: 32m2.248585091s, test: 30m46.145655486s) crash still not fixed or there were kernel test errors commit msg: Merge tag 'android14-6.1.147_r00' into android14-6.1 crash: KASAN: use-after-free Read in __ext4_check_dir_entry EXT4-fs warning (device loop2): dx_probe:845: inode #2: comm syz.2.17: Hash code is SIPHASH, but hash not in dirent EXT4-fs warning (device loop2): dx_probe:966: inode #2: comm syz.2.17: Corrupt directory, running e2fsck is recommended ================================================================== BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x442/0x670 fs/ext4/dir.c:85 Read of size 2 at addr ffff88812437b003 by task syz.2.17/454 CPU: 0 PID: 454 Comm: syz.2.17 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: __dump_stack+0x19/0x1c lib/dump_stack.c:88 dump_stack_lvl+0xa3/0xec lib/dump_stack.c:106 print_address_description+0x71/0x1e0 mm/kasan/report.c:316 print_report+0x4a/0x60 mm/kasan/report.c:418 kasan_report+0x122/0x150 mm/kasan/report.c:522 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:349 __ext4_check_dir_entry+0x442/0x670 fs/ext4/dir.c:85 ext4_readdir+0xbb6/0x31e0 fs/ext4/dir.c:261 iterate_dir+0x221/0x540 fs/readdir.c:-1 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0xc9/0x190 fs/readdir.c:354 __x64_sys_getdents64+0x76/0x80 fs/readdir.c:354 x64_sys_call+0x15c/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f164418e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f1645070038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007f16443b5fa0 RCX: 00007f164418e929 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00007f1644210b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f16443b5fa0 R15: 00007fff1470e918 The buggy address belongs to the physical page: page:ffffea000490dec0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12437b flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea000490df08 ffff8881f723c568 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 386, tgid 386 (udevd), ts 56241207813, free_ts 56242262491 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2643 [inline] prep_new_page+0x58c/0x650 mm/page_alloc.c:2650 get_page_from_freelist+0x2f0f/0x2f80 mm/page_alloc.c:4554 __alloc_pages+0x1c3/0x450 mm/page_alloc.c:5868 __folio_alloc+0x12/0x40 mm/page_alloc.c:5900 __folio_alloc_node include/linux/gfp.h:245 [inline] folio_alloc include/linux/gfp.h:274 [inline] alloc_page_vma include/linux/gfp.h:283 [inline] do_anonymous_page mm/memory.c:4283 [inline] handle_pte_fault mm/memory.c:5169 [inline] __handle_mm_fault mm/memory.c:5313 [inline] handle_mm_fault+0x1006/0x1a80 mm/memory.c:5453 do_user_addr_fault+0x34b/0xa10 arch/x86/mm/fault.c:1374 handle_page_fault arch/x86/mm/fault.c:1466 [inline] exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1522 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1551 [inline] free_pcp_prepare mm/page_alloc.c:1625 [inline] free_unref_page_prepare+0x645/0x650 mm/page_alloc.c:3589 free_unref_page_list+0x112/0x890 mm/page_alloc.c:3740 release_pages+0x904/0x960 mm/swap.c:1043 free_pages_and_swap_cache+0x66/0x80 mm/swap_state.c:315 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:254 [inline] tlb_flush_mmu mm/mmu_gather.c:261 [inline] tlb_finish_mmu+0x1af/0x380 mm/mmu_gather.c:361 unmap_region+0x290/0x2e0 mm/mmap.c:2414 do_mas_align_munmap+0x9b4/0xf60 mm/mmap.c:2687 do_mas_munmap+0x182/0x1f0 mm/mmap.c:2745 __vm_munmap+0x17f/0x290 mm/mmap.c:3044 __do_sys_munmap mm/mmap.c:3070 [inline] __se_sys_munmap mm/mmap.c:3066 [inline] __x64_sys_munmap+0x66/0x70 mm/mmap.c:3066 x64_sys_call+0x8a/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:12 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Memory state around the buggy address: ffff88812437af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88812437af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88812437b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88812437b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88812437b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop2): ext4_readdir:263: inode #2: block 255: comm syz.2.17: path (unknown): bad entry in directory: directory entry overrun - offset=1023, inode=1885688576, rec_len=8224, size=1024 fake=0