ci2 starts bisection 2023-05-02 18:35:26.659816709 +0000 UTC m=+31986.605738702 bisecting fixing commit since ca57f02295f188d6c65ec02202402979880fa6d8 building syzkaller on ca9683b89903c4b91d1ccce66646d0673bd160a6 ensuring issue is reproducible on original commit ca57f02295f188d6c65ec02202402979880fa6d8 testing commit ca57f02295f188d6c65ec02202402979880fa6d8 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 975f29fbb1c404b18e2c91512c5dedf03ff2c91d14675b870d2e7a39e565e9bd all runs: crashed: KASAN: use-after-free Read in reiserfs_release_objectid testing current HEAD 21d2be646007a1c5461f4233749c368693aa6d9f testing commit 21d2be646007a1c5461f4233749c368693aa6d9f gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 98bf83e19203719943643fb9b946c5f1198d5affb0ff0a007d003eb6034d5e07 all runs: crashed: KASAN: use-after-free Read in reiserfs_release_objectid revisions tested: 2, total time: 47m14.623915441s (build: 38m45.760107411s, test: 7m16.278247915s) the crash still happens on HEAD commit msg: Merge tag 'afs-fixes-20230502' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs crash: KASAN: use-after-free Read in reiserfs_release_objectid REISERFS (device loop0): checking transaction log (loop0) REISERFS (device loop0): Using r5 hash to sort names REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. ================================================================== BUG: KASAN: use-after-free in reiserfs_release_objectid+0x48f/0x8c0 Read of size 14568 at addr ffff88806e0360d0 by task syz-executor.0/5754 CPU: 1 PID: 5754 Comm: syz-executor.0 Not tainted 6.3.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 Call Trace: dump_stack_lvl+0x12e/0x1d0 print_report+0x163/0x510 kasan_report+0x108/0x140 kasan_check_range+0x283/0x290 __asan_memmove+0x29/0x70 reiserfs_release_objectid+0x48f/0x8c0 remove_save_link+0x28d/0x460 reiserfs_evict_inode+0x292/0x390 evict+0x262/0x550 __dentry_kill+0x38b/0x560 dentry_kill+0xbb/0x1e0 dput+0x169/0x300 do_renameat2+0xa81/0x1260 __x64_sys_rename+0x81/0x90 do_syscall_64+0x41/0xc0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdb4208c0d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdb42ed1168 EFLAGS: 00000246 ORIG_RAX: 0000000000000052 RAX: ffffffffffffffda RBX: 00007fdb421abf80 RCX: 00007fdb4208c0d9 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000020000140 RBP: 00007fdb420e7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff863cbc0f R14: 00007fdb42ed1300 R15: 0000000000022000 The buggy address belongs to the physical page: page:ffffea0001b80d80 refcount:3 mapcount:0 mapping:ffff888015486ae8 index:0x10 pfn:0x6e036 memcg:ffff88807c0d2000 aops:def_blk_aops ino:700000 flags: 0xfff00000022026(referenced|uptodate|active|private|mappedtodisk|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000022026 0000000000000000 dead000000000122 ffff888015486ae8 raw: 0000000000000010 ffff8880737d4ae0 00000003ffffffff ffff88807c0d2000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5754, tgid 5753 (syz-executor.0), ts 77703994463, free_ts 72444926705 get_page_from_freelist+0x31bf/0x3340 __alloc_pages+0x255/0x670 folio_alloc+0x13/0x30 filemap_alloc_folio+0xc6/0x3a0 __filemap_get_folio+0x17c/0x620 pagecache_get_page+0x13/0x160 __getblk_gfp+0x1bf/0x900 __bread_gfp+0xe/0x220 read_super_block+0x84/0x700 reiserfs_fill_super+0x80d/0x20e0 mount_bdev+0x282/0x370 legacy_get_tree+0xe9/0x170 vfs_get_tree+0x7f/0x220 do_new_mount+0x1e5/0x940 __se_sys_mount+0x20d/0x2a0 do_syscall_64+0x41/0xc0 page last free stack trace: free_unref_page_prepare+0x8fe/0xa10 free_unref_page_list+0x596/0x830 release_pages+0x1a07/0x1bc0 __pagevec_release+0x66/0xe0 shmem_undo_range+0x507/0x1520 shmem_evict_inode+0x368/0x890 evict+0x262/0x550 __dentry_kill+0x38b/0x560 dentry_kill+0xbb/0x1e0 dput+0x169/0x300 __fput+0x4d6/0x720 task_work_run+0x20a/0x290 do_exit+0x543/0x1cf0 do_group_exit+0x1b9/0x280 __x64_sys_exit_group+0x3f/0x40 do_syscall_64+0x41/0xc0 Memory state around the buggy address: ffff88806e037f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88806e037f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88806e038000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88806e038080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88806e038100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================