ci2 starts bisection 2025-07-27 23:34:58.867221157 +0000 UTC m=+261516.572682202
bisecting fixing commit since 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef
building syzkaller on 46eb10b79c61c4032281212d862c913683ab32a0
ensuring issue is reproducible on original commit 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef

testing commit 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: d1786c5d23110c7497e232ff12790a5903ae49ed727a48f7b3a84baf49f0b34f
run #0: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #1: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #2: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
run #4: crashed: KASAN: use-after-free Read in ext4_read_inline_dir
run #5: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
run #8: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #9: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #10: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
run #11: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #12: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
run #13: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #14: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #15: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
run #16: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #17: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #18: crashed: KASAN: use-after-free Read in ext4_read_inline_dir
run #19: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
representative crash: KASAN: slab-use-after-free Read in ext4_read_inline_dir, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 17264e8dceb6259becfdea32648846ae25517c41ce6e75f3061eb51bb913db8b
run #0: crashed: KASAN: use-after-free Read in ext4_read_inline_dir
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
run #2: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
run #4: crashed: KASAN: use-after-free Read in ext4_read_inline_dir
run #5: crashed: KASAN: use-after-free Read in ext4_read_inline_dir
run #6: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #7: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #8: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_dir
representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
the bug reproduces without the instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
kconfig minimization: base=4088 full=8128 leaves diff=2143
split chunks (needed=false): <2143>
split chunk #0 of len 2143 into 5 parts
testing without sub-chunk 1/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 6907db6709070db3d41a521355dda77e3786588e5b4c108cfa831231452ea541
run #0: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #1: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #2: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #3: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #4: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #5: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #7: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #8: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 5f432dbca3e5fff1a78ee683554d51bd412ee8d0d11efa6e09aee448d92e1485
run #0: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #5: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #7: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #8: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #9: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
representative crash: KASAN: slab-out-of-bounds Read in ext4_read_inline_data, types: [KASAN-READ KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 1020168a46f42af3e06fc773ca82faa8353f51239649e112b99cd70e34b14f85
run #0: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #1: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #2: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #5: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #6: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #8: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #9: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
representative crash: KASAN: slab-use-after-free Read in ext4_read_inline_data, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 8729f0db6f9b7f2d97af2dd18960e28846b4283c0097f2049f862ead75a15c46
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #1: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #3: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #4: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #5: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #6: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #7: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #8: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
representative crash: KASAN: slab-use-after-free Read in ext4_read_inline_data, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 910bfc26d16d07df5a2bfcbc63f0aa9d1397e2ef gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: b19f0d3586289099eeb45e05b027c403a6c9e25d8b45103a1d234ebd6bab79b7
run #0: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #1: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #2: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #3: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #4: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #5: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #6: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #8: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #9: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
representative crash: KASAN: slab-use-after-free Read in ext4_read_inline_data, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing current HEAD 038d61fd642278bab63ee8ef722c50d10ab01e8f
testing commit 038d61fd642278bab63ee8ef722c50d10ab01e8f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: efce98f352a803b16cf3b3d3072ef06c4c469081bdf5e165ec21a6a5e472bda9
run #0: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #1: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #3: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #4: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #5: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #7: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #8: crashed: KASAN: slab-use-after-free Read in ext4_read_inline_data
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
representative crash: KASAN: slab-use-after-free Read in ext4_read_inline_data, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 3h12m37.877280679s (build: 2h17m19.704353505s, test: 47m31.397346009s)
crash still not fixed or there were kernel test errors
commit msg: Linux 6.16
crash: KASAN: slab-use-after-free Read in ext4_read_inline_data
EXT4-fs error (device loop0): ext4_readdir:264: inode #2: block 16: comm syz-executor: path /1/bus: bad entry in directory: rec_len is smaller than minimal - offset=980, inode=0, rec_len=0, size=1024 fake=0
==================================================================
BUG: KASAN: slab-use-after-free in ext4_read_inline_data+0x18f/0x280 fs/ext4/inline.c:214
Read of size 68 at addr ffff888120ab651a by task syz-executor/1518

CPU: 1 UID: 0 PID: 1518 Comm: syz-executor Not tainted 6.16.0-syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xf4/0x170 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 ext4_read_inline_data+0x18f/0x280 fs/ext4/inline.c:214
 ext4_read_inline_dir+0x2cd/0x940 fs/ext4/inline.c:1421
 ext4_readdir+0x252/0x2d10 fs/ext4/dir.c:162
 iterate_dir+0x1a7/0x4c0 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64+0xd3/0x1b0 fs/readdir.c:396
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7c57229333
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 02 45 f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
RSP: 002b:00007fff1d9c66e8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000555582a42520 RCX: 00007f7c57229333
RDX: 0000000000008000 RSI: 0000555582a42520 RDI: 0000000000000006
RBP: 0000555582a424f4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8
R13: 0000000000000016 R14: 0000555582a424f0 R15: 00007fff1d9c9a80
 </TASK>

Allocated by task 1800:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4328 [inline]
 __kmalloc_noprof+0x263/0x500 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 tomoyo_realpath_from_path+0xf5/0x550 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x1d3/0x460 security/tomoyo/file.c:822
 security_inode_getattr+0xb2/0x150 security/security.c:2377
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat fs/stat.c:281 [inline]
 __do_sys_newfstat fs/stat.c:555 [inline]
 __se_sys_newfstat+0xcc/0x370 fs/stat.c:550
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 1800:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x174/0x3e0 mm/slub.c:4842
 tomoyo_realpath_from_path+0x525/0x550 security/tomoyo/realpath.c:286
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x1d3/0x460 security/tomoyo/file.c:822
 security_inode_getattr+0xb2/0x150 security/security.c:2377
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat fs/stat.c:281 [inline]
 __do_sys_newfstat fs/stat.c:555 [inline]
 __se_sys_newfstat+0xcc/0x370 fs/stat.c:550
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888120ab6000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1306 bytes inside of
 freed 4096-byte region [ffff888120ab6000, ffff888120ab7000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x120ab0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100042140 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000040004 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100042140 dead000000000100 dead000000000122
head: 0000000000000000 0000000000040004 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea000482ac01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 930, tgid 930 (kworker/u8:1), ts 45078630375, free_ts 34730239885
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x168/0x1a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x2c22/0x2de0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x26b/0x460 mm/page_alloc.c:4959
 alloc_pages_mpol+0xcb/0x270 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x350 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0x9dc/0x10e0 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x2e8/0x500 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 tomoyo_realpath_from_path+0xf5/0x550 security/tomoyo/realpath.c:251
 tomoyo_realpath_nofollow+0x96/0xe0 security/tomoyo/realpath.c:304
 tomoyo_find_next_domain+0x260/0x1a40 security/tomoyo/domain.c:730
 tomoyo_bprm_check_security+0x101/0x140 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x2b/0xb0 security/security.c:1302
 search_binary_handler fs/exec.c:1660 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve+0x610/0xe80 fs/exec.c:1754
 kernel_execve+0x4d3/0x5f0 fs/exec.c:1920
 call_usermodehelper_exec_async+0x1dd/0x2f0 kernel/umh.c:109
 ret_from_fork+0x139/0x2d0 arch/x86/kernel/process.c:148
page last free pid 882 tgid 882 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xa1a/0xbf0 mm/page_alloc.c:2706
 __folio_put+0x1b9/0x240 mm/swap.c:112
 pipe_buf_release include/linux/pipe_fs_i.h:282 [inline]
 pipe_update_tail fs/pipe.c:242 [inline]
 anon_pipe_read+0x474/0xad0 fs/pipe.c:361
 new_sync_read fs/read_write.c:491 [inline]
 vfs_read+0x423/0x940 fs/read_write.c:572
 ksys_read+0x108/0x1f0 fs/read_write.c:715
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888120ab6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888120ab6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888120ab6500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888120ab6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888120ab6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================