ci2 starts bisection 2024-07-08 03:21:03.61503331 +0000 UTC m=+238610.275522256 bisecting fixing commit since 4d55129aea65ac23a34b9053f3f1ee4d92883032 building syzkaller on 9026e14289eaf45a00ddddb8730f2092b956d99a ensuring issue is reproducible on original commit 4d55129aea65ac23a34b9053f3f1ee4d92883032 testing commit 4d55129aea65ac23a34b9053f3f1ee4d92883032 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 794d07d0a837c47e8da95545dc4ee5b28479618cc3e24f37707d096fcfb23144 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 4d55129aea65ac23a34b9053f3f1ee4d92883032 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7b28509373b497bd10cce5b5ef48a286328df7787098cfb0b9134c34ea89250c all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed kconfig minimization: base=5179 full=6494 leaves diff=257 split chunks (needed=false): <257> split chunk #0 of len 257 into 5 parts testing without sub-chunk 1/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 4d55129aea65ac23a34b9053f3f1ee4d92883032 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8d8717a3e6df35a32ed6acf123e102e6023db80d65dd8920ad456b92c7f0e9ca all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 4d55129aea65ac23a34b9053f3f1ee4d92883032 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 37856b7ea039dac6ef3f18e0408d45d565b39195df81481c93f8afb35abe2299 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit 4d55129aea65ac23a34b9053f3f1ee4d92883032 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: feb6ca50f6af3d36767600ccd8a471f9142b569cd899f933125b917a0b99d9f3 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 4d55129aea65ac23a34b9053f3f1ee4d92883032 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b4e0c09eedb6410ee06c0a4fcdf5669c60991c64a4a7d2cd21fa32379399e487 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 4d55129aea65ac23a34b9053f3f1ee4d92883032 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building 4d55129aea65ac23a34b9053f3f1ee4d92883032: net/socket.c:1245: undefined reference to `wext_handle_ioctl' net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 49 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing current HEAD ce6f9cab9edca2712f312476ddc137f18c8ecfff testing commit ce6f9cab9edca2712f312476ddc137f18c8ecfff gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ea9ff862881c3b2effb1820fa2ffebdf60c40d0529f92e559d1845cf36f83620 run #0: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #1: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #2: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #3: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #4: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #5: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #6: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #7: crashed: KASAN: out-of-bounds Read in __ext4_check_dir_entry run #8: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #9: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 42m2.811490655s (build: 19m9.861124471s, test: 20m29.667892154s) crash still not fixed or there were kernel test errors commit msg: ANDROID: GKI: Update symbol list for mtk crash: KASAN: use-after-free Read in __ext4_check_dir_entry EXT4-fs error (device loop0): ext4_find_inline_data_nolock:164: inode #12: comm syz-executor.0: inline data xattr refers to an external xattr inode EXT4-fs error (device loop0): ext4_orphan_get:1401: comm syz-executor.0: couldn't read orphan inode 12 (err -117) EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. EXT4-fs error (device loop0): make_indexed_dir:2284: inode #2: block 255: comm syz-executor.0: bad entry in directory: rec_len is smaller than minimal - offset=1024, inode=5120, rec_len=0, size=993 fake=0 EXT4-fs warning (device loop0): dx_probe:832: inode #2: comm syz-executor.0: Unrecognised inode hash code 49 EXT4-fs warning (device loop0): dx_probe:965: inode #2: comm syz-executor.0: Corrupt directory, running e2fsck is recommended ================================================================== BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x3fb/0x5f0 fs/ext4/dir.c:85 Read of size 2 at addr ffff888119714003 by task syz-executor.0/375 CPU: 0 PID: 375 Comm: syz-executor.0 Not tainted 6.1.84-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x105/0x148 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:349 __ext4_check_dir_entry+0x3fb/0x5f0 fs/ext4/dir.c:85 ext4_readdir+0xdc1/0x2d20 fs/ext4/dir.c:258 iterate_dir+0x215/0x500 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0x1af/0x3e0 fs/readdir.c:354 __x64_sys_getdents64+0x76/0x80 fs/readdir.c:354 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fc5d687dd69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc5d762b0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007fc5d69abf80 RCX: 00007fc5d687dd69 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005 RBP: 00007fc5d68ca49e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fc5d69abf80 R15: 00007ffeaef06a08 The buggy address belongs to the physical page: page:ffffea000465c500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x119714 flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea00046e8b08 ffffea00046ea348 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 375, tgid 374 (syz-executor.0), ts 54322057743, free_ts 54323327483 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2590 [inline] prep_new_page+0x512/0x5e0 mm/page_alloc.c:2597 get_page_from_freelist+0x288b/0x2910 mm/page_alloc.c:4425 __alloc_pages+0x39f/0x780 mm/page_alloc.c:5714 __folio_alloc+0x15/0x40 mm/page_alloc.c:5746 __folio_alloc_node include/linux/gfp.h:245 [inline] folio_alloc include/linux/gfp.h:274 [inline] alloc_page_vma include/linux/gfp.h:283 [inline] wp_page_copy+0x218/0x1270 mm/memory.c:3178 do_wp_page+0x9ef/0xc80 handle_pte_fault mm/memory.c:5145 [inline] __handle_mm_fault mm/memory.c:5269 [inline] handle_mm_fault+0xffc/0x2550 mm/memory.c:5409 do_user_addr_fault arch/x86/mm/fault.c:1354 [inline] handle_page_fault arch/x86/mm/fault.c:1497 [inline] exc_page_fault+0x3b3/0x700 arch/x86/mm/fault.c:1553 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:570 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1498 [inline] free_pcp_prepare mm/page_alloc.c:1572 [inline] free_unref_page_prepare+0x794/0x7a0 mm/page_alloc.c:3498 free_unref_page_list+0xf1/0x790 mm/page_alloc.c:3646 release_pages+0xcfc/0xd50 mm/swap.c:1063 free_pages_and_swap_cache+0x68/0x80 mm/swap_state.c:314 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:254 [inline] tlb_flush_mmu mm/mmu_gather.c:261 [inline] tlb_finish_mmu+0x1ba/0x3b0 mm/mmu_gather.c:361 unmap_region+0x2a3/0x300 mm/mmap.c:2405 do_mas_align_munmap+0xb63/0x1150 mm/mmap.c:2672 do_mas_munmap+0x199/0x1e0 mm/mmap.c:2730 __vm_munmap+0x24e/0x360 mm/mmap.c:3020 __do_sys_munmap mm/mmap.c:3046 [inline] __se_sys_munmap mm/mmap.c:3042 [inline] __x64_sys_munmap+0x66/0x70 mm/mmap.c:3042 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff888119713f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888119713f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888119714000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888119714080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888119714100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop0): ext4_readdir:260: inode #2: block 255: comm syz-executor.0: path /root/syzkaller-testdir3654141372/syzkaller.RjWYYt/2/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0