ci2 starts bisection 2025-10-07 08:22:56.849639086 +0000 UTC m=+33934.227403876 bisecting fixing commit since 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 building syzkaller on 5187fc86b2d7b0366e226f6040391e9744441831 ensuring issue is reproducible on original commit 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 testing commit 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 11af7304fd10437ecdb57c8d4168d2cf71073c3f14a69ca6f0d4758d2beeba6f run #0: crashed: KASAN: use-after-free Read in ext4_search_dir run #1: crashed: KASAN: use-after-free Read in ext4_search_dir run #2: crashed: KASAN: use-after-free Read in ext4_search_dir run #3: crashed: KASAN: use-after-free Read in ext4_search_dir run #4: crashed: KASAN: use-after-free Read in ext4_search_dir run #5: crashed: KASAN: use-after-free Read in ext4_search_dir run #6: crashed: KASAN: use-after-free Read in ext4_search_dir run #7: crashed: KASAN: use-after-free Read in ext4_search_dir run #8: crashed: KASAN: use-after-free Read in ext4_search_dir run #9: crashed: KASAN: use-after-free Read in ext4_search_dir run #10: crashed: KASAN: use-after-free Read in ext4_search_dir run #11: crashed: KASAN: use-after-free Read in ext4_search_dir run #12: crashed: KASAN: use-after-free Read in ext4_search_dir run #13: crashed: KASAN: use-after-free Read in ext4_search_dir run #14: crashed: KASAN: use-after-free Read in ext4_search_dir run #15: crashed: KASAN: use-after-free Read in ext4_search_dir run #16: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #17: crashed: KASAN: use-after-free Read in ext4_search_dir run #18: crashed: KASAN: use-after-free Read in ext4_search_dir run #19: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN-USE-AFTER-FREE-READ] check whether we can drop unnecessary instrumentation disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 30c380ba0690f981f4691567e4eca3859d72cd0f74bce0927e0aa3a582eeea78 run #0: crashed: KASAN: use-after-free Read in ext4_search_dir run #1: crashed: KASAN: use-after-free Read in ext4_search_dir run #2: crashed: KASAN: use-after-free Read in ext4_search_dir run #3: crashed: KASAN: use-after-free Read in ext4_search_dir run #4: crashed: KASAN: use-after-free Read in ext4_search_dir run #5: crashed: KASAN: use-after-free Read in ext4_search_dir run #6: crashed: KASAN: use-after-free Read in ext4_search_dir run #7: crashed: KASAN: use-after-free Read in ext4_match run #8: crashed: KASAN: use-after-free Read in ext4_search_dir run #9: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN-USE-AFTER-FREE-READ] the bug reproduces without the instrumentation disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed kconfig minimization: base=5186 full=6542 leaves diff=264 split chunks (needed=false): <264> split chunk #0 of len 264 into 5 parts testing without sub-chunk 1/5 disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed testing commit 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 6715e8650d973f0c64cf665d1798cfb59ea49c30776f1eefe758a7708609eac5 all runs: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c420a3956681241d6ac6f6a99477c0e6d587bd18d70896d6d5a8c75e73d34613 run #0: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #1: crashed: KASAN: use-after-free Read in ext4_search_dir run #2: crashed: KASAN: use-after-free Read in ext4_search_dir run #3: crashed: KASAN: use-after-free Read in ext4_search_dir run #4: crashed: KASAN: use-after-free Read in ext4_search_dir run #5: crashed: KASAN: use-after-free Read in ext4_search_dir run #6: crashed: KASAN: use-after-free Read in ext4_search_dir run #7: crashed: KASAN: use-after-free Read in ext4_search_dir run #8: crashed: KASAN: use-after-free Read in ext4_search_dir run #9: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ff34b1774c2f15778ba6054b13a27fb7ed5a31b37eed444f3aa8f3a6ec18b379 all runs: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed testing commit 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: e70b6fea5deab61f893b3c6fc0fd3eeeda628455d8f8eeb7a0bd618eee47e049 run #0: crashed: KASAN: use-after-free Read in ext4_search_dir run #1: crashed: KASAN: use-after-free Read in ext4_search_dir run #2: crashed: KASAN: use-after-free Read in ext4_read_inline_dir run #3: crashed: KASAN: use-after-free Read in ext4_search_dir run #4: crashed: KASAN: use-after-free Read in ext4_search_dir run #5: crashed: KASAN: use-after-free Read in ext4_search_dir run #6: crashed: KASAN: use-after-free Read in ext4_search_dir run #7: crashed: KASAN: use-after-free Read in ext4_search_dir run #8: crashed: KASAN: use-after-free Read in ext4_search_dir run #9: crashed: KASAN: use-after-free Read in ext4_search_dir representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed testing commit 7fa70ede91bb2bd1b4f2501f460445c3bba772e4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 failed building 7fa70ede91bb2bd1b4f2501f460445c3bba772e4: ld.lld: error: undefined symbol: wext_proc_init ld.lld: error: undefined symbol: wext_proc_exit ld.lld: error: undefined symbol: wext_handle_ioctl ld.lld: error: undefined symbol: compat_wext_handle_ioctl minimized to 52 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed testing current HEAD 1257aa4519ee5d49e465b0dcc85cc7e4a24619d5 testing commit 1257aa4519ee5d49e465b0dcc85cc7e4a24619d5 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: a16a8fc0ebd1b0437c3784b3d8b88ceea536bf14afe424f10ac88ff77feaea15 all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_dir representative crash: KASAN: use-after-free Read in ext4_read_inline_dir, types: [KASAN-USE-AFTER-FREE-READ] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 2h11m7.371137663s (build: 1h26m27.944672517s, test: 40m24.60139612s) crash still not fixed or there were kernel test errors commit msg: UPSTREAM: tls: make sure to abort the stream if headers are bogus crash: KASAN: use-after-free Read in ext4_read_inline_dir ================================================================== BUG: KASAN: use-after-free in ext4_read_inline_data fs/ext4/inline.c:210 [inline] BUG: KASAN: use-after-free in ext4_read_inline_dir+0x344/0xbe0 fs/ext4/inline.c:1520 Read of size 68 at addr ffff888121011d05 by task syz-executor/492 CPU: 0 PID: 492 Comm: syz-executor Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: __dump_stack+0x19/0x1c lib/dump_stack.c:88 dump_stack_lvl+0xa3/0xec lib/dump_stack.c:106 print_address_description+0x71/0x200 mm/kasan/report.c:316 print_report+0x4a/0x60 mm/kasan/report.c:420 kasan_report+0x122/0x150 mm/kasan/report.c:524 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x280/0x290 mm/kasan/generic.c:189 memcpy+0x2d/0x70 mm/kasan/shadow.c:65 ext4_read_inline_data fs/ext4/inline.c:210 [inline] ext4_read_inline_dir+0x344/0xbe0 fs/ext4/inline.c:1520 ext4_readdir+0x256/0x31e0 fs/ext4/dir.c:161 iterate_dir+0x221/0x540 fs/readdir.c:-1 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0xc9/0x190 fs/readdir.c:354 __x64_sys_getdents64+0x76/0x80 fs/readdir.c:354 x64_sys_call+0x15c/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f1d4a7a9333 Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 02 45 f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8 RSP: 002b:00007ffddef2c0f8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 000055558f23a520 RCX: 00007f1d4a7a9333 RDX: 0000000000008000 RSI: 000055558f23a520 RDI: 0000000000000006 RBP: 000055558f23a4f4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8 R13: 0000000000000016 R14: 000055558f23a4f0 R15: 00007ffddef2f490 The buggy address belongs to the physical page: page:ffffea0004840440 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x121011 flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea0004840488 ffffea00048f0488 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 451, tgid 451 (syz-executor), ts 50808070767, free_ts 50809585452 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2643 [inline] prep_new_page+0x58c/0x650 mm/page_alloc.c:2650 get_page_from_freelist+0x2f0f/0x2f80 mm/page_alloc.c:4554 __alloc_pages+0x1c3/0x450 mm/page_alloc.c:5868 __folio_alloc+0x12/0x40 mm/page_alloc.c:5900 __folio_alloc_node include/linux/gfp.h:245 [inline] folio_alloc include/linux/gfp.h:274 [inline] alloc_page_vma include/linux/gfp.h:283 [inline] do_cow_fault mm/memory.c:4761 [inline] do_fault+0x6f6/0x17a0 mm/memory.c:4877 handle_pte_fault mm/memory.c:5171 [inline] __handle_mm_fault mm/memory.c:5313 [inline] handle_mm_fault+0xba9/0x1a80 mm/memory.c:5453 do_user_addr_fault+0x5f8/0xa10 arch/x86/mm/fault.c:1323 handle_page_fault arch/x86/mm/fault.c:1466 [inline] exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1522 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1551 [inline] free_pcp_prepare mm/page_alloc.c:1625 [inline] free_unref_page_prepare+0x645/0x650 mm/page_alloc.c:3589 free_unref_page_list+0x112/0x890 mm/page_alloc.c:3740 release_pages+0x904/0x960 mm/swap.c:1043 free_pages_and_swap_cache+0x66/0x80 mm/swap_state.c:315 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:254 [inline] tlb_flush_mmu mm/mmu_gather.c:261 [inline] tlb_finish_mmu+0x1af/0x380 mm/mmu_gather.c:361 exit_mmap+0x333/0x8c0 mm/mmap.c:3382 __mmput+0x6b/0x2a0 kernel/fork.c:1300 mmput+0x2a/0xe0 kernel/fork.c:1323 exit_mm kernel/exit.c:568 [inline] do_exit+0x7b5/0x1fe0 kernel/exit.c:873 do_group_exit+0x1a1/0x280 kernel/exit.c:1028 __do_sys_exit_group kernel/exit.c:1039 [inline] __se_sys_exit_group kernel/exit.c:1037 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1037 x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Memory state around the buggy address: ffff888121011c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888121011c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888121011d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888121011d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888121011e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop0): ext4_read_inline_dir:1601: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop0): ext4_read_inline_dir:1601: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop0): empty_inline_dir:1885: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs error (device loop0): ext4_read_inline_dir:1601: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop0): ext4_read_inline_dir:1601: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop0): empty_inline_dir:1885: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs error (device loop0): ext4_read_inline_dir:1601: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop0): ext4_read_inline_dir:1601: inode #12: block 5: comm syz-executor: path /0/file0/file0: bad entry in directory: rec_len % 4 != 0 - offset=24, inode=1633771873, rec_len=24929, size=148 fake=0 EXT4-fs error (device loop0): empty_inline_dir:1885: inode #12: block 5: comm syz-executor: bad entry in directory: rec_len % 4 != 0 - offset=4, inode=1633771873, rec_len=24929, size=60 fake=0 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs warning (device loop0): empty_inline_dir:1892: bad inline directory (dir #12) - inode 1633771873, rec_len 24929, name_len 97inline size 60 EXT4-fs (loop0): unmounting filesystem.