ci2 starts bisection 2025-05-27 07:11:42.488275831 +0000 UTC m=+58587.677737118
bisecting fixing commit since 760764029c6d2bb6f2473f7d043e08fb1f161f8c
building syzkaller on 47d015b159b8ac137567fbb64a3a22cd84bdf027
ensuring issue is reproducible on original commit 760764029c6d2bb6f2473f7d043e08fb1f161f8c

testing commit 760764029c6d2bb6f2473f7d043e08fb1f161f8c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aa6d73d3033fe686427c2301a883023c86f440158f368f6305c6c601646bac92
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 760764029c6d2bb6f2473f7d043e08fb1f161f8c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5009080c3eb35c5c9072f601f99052f0e1467754da9178a922fc304e2335b576
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=4921 full=6216 leaves diff=255
split chunks (needed=false): <255>
split chunk #0 of len 255 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 760764029c6d2bb6f2473f7d043e08fb1f161f8c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 98ea43f792181c2122c27eda6049e169f3a6cd5a500b33c90ea58d81ea719c56
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 760764029c6d2bb6f2473f7d043e08fb1f161f8c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d8aeb4cd471efce02c22c6fbcd0466f0f66fecadb09929fc970c4fbbc20739b5
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 760764029c6d2bb6f2473f7d043e08fb1f161f8c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 490f86de71ebbbd9104b2a75e37374a6db325692f5b0042b5629abfe2a179cc9
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 760764029c6d2bb6f2473f7d043e08fb1f161f8c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5a904b4a5b8b2b2313e61e49dd4dfc988d15a1244218a60b2f87bc80d6702258
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 760764029c6d2bb6f2473f7d043e08fb1f161f8c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 760764029c6d2bb6f2473f7d043e08fb1f161f8c: net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3390: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 51 configs; suspects: [HID_ZEROPLUS USB_MON USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing current HEAD 4b77ae0e7f585e2328b34ab26cd66556574aaf61
testing commit 4b77ae0e7f585e2328b34ab26cd66556574aaf61 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cf8ef1d5c323fdea82db77227c907aec9fa418fd4b34a760ca698d9e31a1896d
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 1h38m12.811521948s (build: 51m21.961830456s, test: 42m28.968648905s)
crash still not fixed or there were kernel test errors
commit msg: Merge 5.15.184 into android13-5.15-lts
crash: KASAN: use-after-free Read in __ext4_check_dir_entry
EXT4-fs warning (device loop2): dx_probe:832: inode #2: comm syz.2.18: Unrecognised inode hash code 4
EXT4-fs warning (device loop2): dx_probe:965: inode #2: comm syz.2.18: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x643/0x960 fs/ext4/dir.c:85
Read of size 2 at addr ffff888123574003 by task syz.2.18/476

CPU: 1 PID: 476 Comm: syz.2.18 Not tainted 5.15.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x38/0x49 lib/dump_stack.c:106
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:444
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
 __ext4_check_dir_entry+0x643/0x960 fs/ext4/dir.c:85
 ext4_readdir+0x8f4/0x33d0 fs/ext4/dir.c:261
 iterate_dir+0x498/0x730 fs/readdir.c:65
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __x64_sys_getdents64+0x12f/0x230 fs/readdir.c:354
 x64_sys_call+0x3fc/0x990 arch/x86/include/generated/asm/syscalls_64.h:218
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fe0cd69d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0cd10f038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fe0cd8b5fa0 RCX: 00007fe0cd69d169
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007fe0cd71e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe0cd8b5fa0 R15: 00007ffc4c1e82c8
 </TASK>

The buggy address belongs to the page:
page:ffffea00048d5d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x123574
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea00048d5d48 ffff8881f753c680 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 472, ts 57669670281, free_ts 57963939339
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook mm/page_alloc.c:2605 [inline]
 prep_new_page+0x1a2/0x310 mm/page_alloc.c:2611
 get_page_from_freelist+0x1ce2/0x30a0 mm/page_alloc.c:4485
 __alloc_pages+0x2d5/0x2630 mm/page_alloc.c:5781
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 shmem_alloc_page+0x121/0x180 mm/shmem.c:1587
 shmem_alloc_and_acct_page+0xf6/0x620 mm/shmem.c:1612
 shmem_getpage_gfp+0x9f9/0x1500 mm/shmem.c:1908
 shmem_getpage mm/shmem.c:152 [inline]
 shmem_write_begin+0xd5/0x1a0 mm/shmem.c:2476
 generic_perform_write+0x217/0x650 mm/filemap.c:3857
 __generic_file_write_iter+0x309/0x580 mm/filemap.c:3985
 generic_file_write_iter+0xc2/0x1d0 mm/filemap.c:4017
 call_write_iter include/linux/fs.h:2204 [inline]
 new_sync_write+0x358/0x6d0 fs/read_write.c:507
 vfs_write+0x5cf/0x8e0 fs/read_write.c:594
 ksys_write+0x111/0x210 fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:656
 x64_sys_call+0x97b/0x990 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare+0x1b6/0x4c0 mm/page_alloc.c:1544
 free_unref_page_prepare mm/page_alloc.c:3534 [inline]
 free_unref_page_list+0x1e3/0xcd0 mm/page_alloc.c:3671
 release_pages+0x37f/0xff0 mm/swap.c:1009
 __pagevec_release+0x5e/0xe0 mm/swap.c:1029
 pagevec_release include/linux/pagevec.h:81 [inline]
 shmem_undo_range+0x550/0xdc0 mm/shmem.c:965
 shmem_truncate_range mm/shmem.c:1064 [inline]
 shmem_evict_inode+0x30d/0xa00 mm/shmem.c:1146
 evict+0x372/0x8b0 fs/inode.c:647
 iput_final fs/inode.c:1769 [inline]
 iput.part.0+0x334/0x640 fs/inode.c:1795
 iput+0x3f/0x50 fs/inode.c:1785
 dentry_unlink_inode+0x28a/0x400 fs/dcache.c:380
 __dentry_kill+0x326/0x610 fs/dcache.c:586
 dentry_kill fs/dcache.c:712 [inline]
 dput+0x3f1/0x8c0 fs/dcache.c:893
 __fput+0x410/0x960 fs/file_table.c:319
 ____fput+0x9/0x10 fs/file_table.c:339
 task_work_run+0xc2/0x150 kernel/task_work.c:188
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:181 [inline]
 exit_to_user_mode_prepare+0x143/0x150 kernel/entry/common.c:214

Memory state around the buggy address:
 ffff888123573f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888123573f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888123574000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888123574080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888123574100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop2): ext4_readdir:261: inode #2: block 255: comm syz.2.18: path (unknown): bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0