ci2 starts bisection 2025-04-03 05:31:29.221224905 +0000 UTC m=+39.617719011
bisecting cause commit starting from acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1
building syzkaller on c799dfdd5648677612604d10e2c13075eda21582
ensuring issue is reproducible on original commit acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1
testing commit acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 978fe954c8f15227837a3d5a22c06ed1ed5d19f0d665d2f6e31c290f27be38a9
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4dd9d1852b45d03ddb460dad688f641d2a084808a54fd8af1223586be601d090
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=4071 full=8314 leaves diff=2128
split chunks (needed=false): <2128>
split chunk #0 of len 2128 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fc37e8f24da90dca8648532995072963035d429850ca7ef69cc1d4807bc40c6b
all runs: OK
false negative chance: 0.000
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 597cf0bf57c780f9dc54c7f0465f910baaabad54f3a8fc27f16efc28029390c9
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b5fe1c8f2c599dc87bd7da73d63cd5d5885c72628effcec1b8169744af9c1d2c
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ccf491fb1690f7b8e64d9385bcda3efdbfdfd0ab632187a507171cb34c5332cf
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7f45f24b2f3b238152690d59c3d77da7d42cb977b4b0da0d6262d92eff5d64da
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
the chunk can be dropped
minimized to 426 configs; suspects: [6LOWPAN 6LOWPAN_GHC_EXT_HDR_DEST 
6LOWPAN_GHC_EXT_HDR_FRAG 6LOWPAN_GHC_EXT_HDR_HOP 6LOWPAN_GHC_EXT_HDR_ROUTE 6LOWPAN_GHC_ICMPV6 6LOWPAN_GHC_UDP 6LOWPAN_NHC 6LOWPAN_NHC_DEST 6LOWPAN_NHC_FRAGMENT 6LOWPAN_NHC_HOP 6LOWPAN_NHC_IPV6 6LOWPAN_NHC_MOBILITY 6LOWPAN_NHC_ROUTING 6LOWPAN_NHC_UDP 6PACK 842_COMPRESS 842_DECOMPRESS 9P_FSCACHE 9P_FS_POSIX_ACL 9P_FS_SECURITY ACORN_PARTITION ACORN_PARTITION_ADFS ACORN_PARTITION_CUMANA ACORN_PARTITION_EESOX ACORN_PARTITION_ICS ACORN_PARTITION_POWERTEC ACORN_PARTITION_RISCIX ACPI_NFIT ACPI_NHLT ACPI_PLATFORM_PROFILE ADFS_FS AFFS_FS AFS_FS AFS_FSCACHE AF_KCM AF_RXRPC AF_RXRPC_IPV6 AIX_PARTITION AMD_SFH_HID AMIGA_PARTITION ANDROID_BINDER_IPC ANON_VMA_NAME APERTURE_HELPERS APPLE_MFI_FASTCHARGE AR5523 ARCH_ENABLE_MEMORY_HOTREMOVE ARCH_ENABLE_THP_MIGRATION ARCH_HAS_USER_SHADOW_STACK ARCH_SUPPORTS_HUGE_PFNMAP ARCH_SUPPORTS_PMD_PFNMAP ARCH_SUPPORTS_PUD_PFNMAP ARCH_WANT_PMD_MKWRITE ASM_MODVERSIONS ASUS_TF103C_DOCK ASYNC_CORE ASYNC_MEMCPY ASYNC_PQ ASYNC_RAID6_RECOV ASYNC_TX_DMA ASYNC_XOR ATARI_PARTITION ATA_GENERIC ATA_OVER_ETH ATH10K ATH10K_CE ATH10K_LEDS ATH10K_PCI ATH10K_USB ATH11K ATH6KL ATH6KL_USB ATH9K ATH9K_AHB ATH9K_BTCOEX_SUPPORT ATH9K_CHANNEL_CONTEXT ATH9K_COMMON ATH9K_COMMON_DEBUG ATH9K_COMMON_SPECTRAL ATH9K_DEBUGFS ATH9K_DYNACK ATH9K_HTC ATH9K_HTC_DEBUGFS ATH9K_HW ATH9K_PCI ATH9K_PCOEM ATH9K_RFKILL ATH_COMMON ATM ATM_BR2684 ATM_CLIP ATM_DRIVERS ATM_LANE ATM_MPOA ATM_TCP AUXILIARY_BUS AX25 AX25_DAMA_SLAVE AX88796B_PHY BAREUDP BATMAN_ADV BATMAN_ADV_BATMAN_V BATMAN_ADV_BLA BATMAN_ADV_DAT BATMAN_ADV_MCAST BATMAN_ADV_NC BCACHE BCACHEFS_DEBUG BCACHEFS_ERASURE_CODING BCACHEFS_FS BCACHEFS_POSIX_ACL BCACHEFS_QUOTA BCACHEFS_SIX_OPTIMISTIC_SPIN BCMA BCMA_HOST_PCI_POSSIBLE BEFS_FS BFQ_CGROUP_DEBUG BFQ_GROUP_IOSCHED BFS_FS BIG_KEYS BLK_CGROUP_PUNT_BIO BLK_CGROUP_RWSTAT BLK_DEV_BSGLIB BLK_DEV_INTEGRITY BLK_DEV_NBD BLK_DEV_NULL_BLK BLK_DEV_NULL_BLK_FAULT_INJECTION BLK_DEV_NVME BLK_DEV_PMEM BLK_DEV_RAM BLK_DEV_RNBD BLK_DEV_RNBD_CLIENT BLK_DEV_THROTTLING BLK_DEV_ZONED BLK_ICQ 
BLK_INLINE_ENCRYPTION BLK_INLINE_ENCRYPTION_FALLBACK BLK_WBT BLK_WBT_MQ BONDING BOOT_VESA_SUPPORT BPF_EVENTS BPF_JIT BPF_JIT_ALWAYS_ON BPF_JIT_DEFAULT_ON BPF_LSM BPF_PRELOAD BPF_PRELOAD_UMD BPF_STREAM_PARSER BPF_SYSCALL BPQETHER BRIDGE BRIDGE_CFM BRIDGE_EBT_802_3 BRIDGE_EBT_AMONG BRIDGE_EBT_ARP BRIDGE_EBT_ARPREPLY BRIDGE_EBT_BROUTE BRIDGE_EBT_DNAT BRIDGE_EBT_IP BRIDGE_EBT_IP6 BRIDGE_EBT_LIMIT BRIDGE_EBT_LOG BRIDGE_EBT_MARK BRIDGE_EBT_MARK_T BRIDGE_EBT_NFLOG BRIDGE_EBT_PKTTYPE BRIDGE_EBT_REDIRECT BRIDGE_EBT_SNAT BRIDGE_EBT_STP BRIDGE_EBT_T_FILTER BRIDGE_EBT_T_NAT BRIDGE_EBT_VLAN BRIDGE_IGMP_SNOOPING BRIDGE_MRP BRIDGE_NF_EBTABLES BRIDGE_NF_EBTABLES_LEGACY BRIDGE_VLAN_FILTERING BSD_DISKLABEL BSD_PROCESS_ACCT_V3 BT BTRFS_ASSERT BTRFS_FS BTRFS_FS_POSIX_ACL BTRFS_FS_REF_VERIFY BTT BT_6LOWPAN BT_ATH3K BT_BCM BT_BNEP BT_BNEP_MC_FILTER BT_BNEP_PROTO_FILTER BT_BREDR BT_HCIBCM203X BT_HCIBFUSB BT_HCIBPA10X BT_HCIBTUSB BT_HCIBTUSB_AUTOSUSPEND BT_HCIBTUSB_BCM BT_HCIBTUSB_MTK BT_HCIBTUSB_POLL_SYNC BT_HCIBTUSB_RTL BT_HCIUART BT_HCIUART_3WIRE BT_HCIUART_AG6XX BT_HCIUART_BCSP BT_HCIUART_H4 BT_HCIUART_LL BT_HCIUART_MRVL BT_HCIUART_QCA BT_HCIUART_SERDEV BT_HCIVHCI BT_INTEL BT_LE BT_LEDS BT_LE_L2CAP_ECRED BT_MRVL BT_MRVL_SDIO BT_MSFTEXT BT_MTK BT_MTKSDIO BT_MTKUART BT_QCA BT_RFCOMM BT_RFCOMM_TTY BT_RTL CACHEFILES CAIF CAIF_DEBUG CAIF_DRIVERS CAIF_NETDEV CAIF_TTY CAIF_USB CAIF_VIRTIO CAN CAN_8DEV_USB CAN_BCM CAN_CALC_BITTIMING CAN_DEV CAN_EMS_USB CAN_ESD_USB CAN_ETAS_ES58X CAN_F81604 CAN_GS_USB CAN_GW CAN_IFI_CANFD CAN_ISOTP CAN_J1939 CAN_KVASER_USB CAN_MCBA_USB CAN_NETLINK CAN_PEAK_USB CAN_RAW CAN_RX_OFFLOAD CAN_SLCAN CAN_UCAN CAN_VCAN CAN_VXCAN CARL9170 CARL9170_HWRNG CARL9170_LEDS CARL9170_WPC CEC_CORE CEPH_FS CEPH_FSCACHE CEPH_FS_POSIX_ACL CEPH_LIB CEPH_LIB_USE_DNS_RESOLVER CFG80211 CFG80211_CRDA_SUPPORT CFG80211_DEBUGFS CFG80211_DEFAULT_PS CFG80211_REQUIRE_SIGNED_REGDB CFG80211_USE_KERNEL_REGDB_KEYS CFG80211_WEXT CFS_BANDWIDTH CGROUP_BPF CHARGER_ISP1704 CHR_DEV_ST CIFS 
CIFS_ALLOW_INSECURE_LEGACY CIFS_DEBUG CIFS_DFS_UPCALL CIFS_FSCACHE CIFS_POSIX CIFS_SMB_DIRECT CIFS_SWN_UPCALL CIFS_UPCALL CIFS_XATTR CLOSURES CLS_U32_MARK CLS_U32_PERF CMA CMA_SIZE_SEL_MAX CMDLINE_PARTITION COMEDI COMEDI_DT9812 COMEDI_NI_USB6501 COMEDI_USBDUX COMEDI_USBDUXFAST COMEDI_USBDUXSIGMA COMEDI_USB_DRIVERS COMEDI_VMK80XX COMPAT_NETLINK_MESSAGES COUNTER CRAMFS CRAMFS_BLOCKDEV CRAMFS_MTD CRC64 CRC64_ARCH CRC8 CRC_ITU_T CRC_T10DIF CRC_T10DIF_ARCH CRYPTO_842 CRYPTO_ADIANTUM CRYPTO_AEGIS128 CRYPTO_AEGIS128_AESNI_SSE2 CRYPTO_AES_NI_INTEL CRYPTO_AES_TI CRYPTO_ANSI_CPRNG CRYPTO_ANUBIS CRYPTO_ARC4 CRYPTO_ARCH_HAVE_LIB_BLAKE2S CRYPTO_ARCH_HAVE_LIB_CHACHA CRYPTO_ARCH_HAVE_LIB_CURVE25519 CRYPTO_ARCH_HAVE_LIB_POLY1305 CRYPTO_ARIA CRYPTO_ARIA_AESNI_AVX_X86_64 CRYPTO_BLAKE2B CRYPTO_BLAKE2S_X86 CRYPTO_BLOWFISH CRYPTO_BLOWFISH_COMMON CRYPTO_BLOWFISH_X86_64 CRYPTO_CAMELLIA CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 CRYPTO_CAMELLIA_AESNI_AVX_X86_64 CRYPTO_CAMELLIA_X86_64 CRYPTO_CAST5 CRYPTO_CAST5_AVX_X86_64 CRYPTO_CAST6 CRYPTO_CAST6_AVX_X86_64 CRYPTO_CAST_COMMON CRYPTO_CHACHA20 CRYPTO_CHACHA20POLY1305 CRYPTO_CHACHA20_X86_64 CRYPTO_CRC32C CRYPTO_CRYPTD CRYPTO_CTS CRYPTO_CURVE25519 CRYPTO_CURVE25519_X86 CRYPTO_DEFLATE CRYPTO_DES CRYPTO_DES3_EDE_X86_64 CRYPTO_DEV_CCP CRYPTO_DEV_CCP_DD CRYPTO_DEV_PADLOCK CRYPTO_DEV_PADLOCK_AES CRYPTO_DEV_PADLOCK_SHA CRYPTO_DEV_QAT CRYPTO_DEV_QAT_C3XXX CRYPTO_DEV_QAT_C3XXXVF CRYPTO_DEV_QAT_C62X CRYPTO_DEV_QAT_C62XVF CRYPTO_DEV_QAT_DH895xCC CRYPTO_DEV_QAT_DH895xCCVF CRYPTO_DEV_VIRTIO CRYPTO_DH CRYPTO_DRBG_CTR CRYPTO_DRBG_HASH CRYPTO_ECDH CRYPTO_ECRDSA CRYPTO_ENGINE CRYPTO_ESSIV CRYPTO_FCRYPT CRYPTO_GHASH_CLMUL_NI_INTEL CRYPTO_HCTR2 CRYPTO_HKDF CRYPTO_KDF800108_CTR CRYPTO_KHAZAD CRYPTO_KPP CRYPTO_LIB_ARC4 CRYPTO_LIB_CHACHA CRYPTO_LIB_CHACHA20POLY1305 CRYPTO_LIB_CHACHA_GENERIC CRYPTO_LIB_CHACHA_INTERNAL CRYPTO_LIB_CURVE25519 CRYPTO_LIB_CURVE25519_GENERIC CRYPTO_LIB_CURVE25519_INTERNAL CRYPTO_LIB_DES CRYPTO_LIB_POLY1305 CRYPTO_LIB_POLY1305_GENERIC 
CRYPTO_LIB_POLY1305_INTERNAL CRYPTO_LRW CRYPTO_LZ4 CRYPTO_LZ4HC CRYPTO_MICHAEL_MIC CRYPTO_NHPOLY1305 CRYPTO_NHPOLY1305_AVX2 CRYPTO_NHPOLY1305_SSE2 CRYPTO_PCBC CRYPTO_PCRYPT CRYPTO_POLY1305 CRYPTO_POLY1305_X86_64 CRYPTO_POLYVAL CRYPTO_POLYVAL_CLMUL_NI CRYPTO_RMD160 CRYPTO_SEED CRYPTO_SERPENT CRYPTO_SERPENT_AVX2_X86_64 CRYPTO_SERPENT_AVX_X86_64 CRYPTO_SERPENT_SSE2_X86_64 CRYPTO_SHA1_SSSE3 CRYPTO_SHA256_SSSE3 CRYPTO_SHA512_SSSE3 CRYPTO_SIMD CRYPTO_SM3 CRYPTO_SM3_AVX_X86_64 CRYPTO_SM4 CRYPTO_SM4_AESNI_AVX2_X86_64 CRYPTO_SM4_AESNI_AVX_X86_64 CRYPTO_SM4_GENERIC CRYPTO_STREEBOG CRYPTO_TEA CRYPTO_TWOFISH CRYPTO_TWOFISH_AVX_X86_64 CRYPTO_TWOFISH_COMMON CRYPTO_TWOFISH_X86_64 CRYPTO_TWOFISH_X86_64_3WAY CRYPTO_USER CRYPTO_USER_API CRYPTO_USER_API_AEAD CRYPTO_USER_API_ENABLE_OBSOLETE CRYPTO_USER_API_HASH CRYPTO_USER_API_RNG CRYPTO_USER_API_SKCIPHER CRYPTO_WP512 CRYPTO_XCBC CRYPTO_XCTR CRYPTO_XTS CRYPTO_XXHASH CRYPTO_ZSTD CUSE CYPRESS_FIRMWARE DAMON DAMON_PADDR DAMON_RECLAIM DAMON_VADDR DAX DCA DCB DEBUG_VFS DEFAULT_CODEL DEVICE_MIGRATION DEVICE_PRIVATE DEV_COREDUMP DEV_DAX DLN2_ADC DMABUF_HEAPS DMABUF_HEAPS_CMA DMABUF_HEAPS_SYSTEM DMABUF_MOVE_NOTIFY DMA_CMA DMA_ENGINE_RAID DM_AUDIT DM_BIO_PRISON DM_BUFIO DM_CACHE DM_CACHE_SMQ DM_CLONE DM_CRYPT DM_FLAKEY DM_INTEGRITY DM_MULTIPATH DM_MULTIPATH_QL DM_MULTIPATH_ST DM_PERSISTENT_DATA DM_RAID DM_SNAPSHOT DM_THIN_PROVISIONING DM_UEVENT DM_VERITY DM_VERITY_FEC DM_WRITECACHE DM_ZONED DRAGONRISE_FF DRM DRM_AUX_BRIDGE DRM_BOCHS DRM_BRIDGE DRM_BUDDY DRM_CIRRUS_QEMU DRM_CLIENT DRM_CLIENT_DEFAULT_FBDEV DRM_CLIENT_LIB DRM_CLIENT_SELECTION DRM_CLIENT_SETUP DRM_DEBUG_MM DRM_DISPLAY_DP_AUX_BUS DRM_DISPLAY_DP_HELPER DRM_DISPLAY_DSC_HELPER DRM_DISPLAY_HDCP_HELPER DRM_DISPLAY_HELPER DRM_FBDEV_EMULATION ENCRYPTED_KEYS FSCACHE FUSE_FS GPIOLIB HAMRADIO HID_DRAGONRISE IIO INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_RTRS_CLIENT IOSCHED_BFQ LIBNVDIMM MAC80211 MAC80211_DEBUGFS MAC80211_LEDS MEDIA_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_DLN2 MMC MTD 
NET_CLS_U32 NET_SCH_DEFAULT PARTITION_ADVANCED RFKILL SERIAL_DEV_BUS TLS TLS_DEVICE TRANSPARENT_HUGEPAGE TRUSTED_KEYS USB_GADGET USB_PHY VLAN_8021Q WANT_COMPAT_NETLINK_MESSAGES WEXT_CORE WIRELESS WLAN WLAN_VENDOR_ATH X86_X32_ABI ZONE_DEVICE]
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
picked [v6.14 v6.13 v6.12 v6.10 v6.8 v6.6 v6.4 v6.2 v5.19 v5.16 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 37 release tags
testing release v6.14
testing commit 38fec10eb60d687e30c8c6b5420d86e8149f7557 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9b4aac25205636ad6d7bfdd2c8547bb133e1f5412357b8979ad07acc9fc4f56a
all runs: OK
false negative chance: 0.000
# git bisect start acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1 38fec10eb60d687e30c8c6b5420d86e8149f7557
Bisecting: 6002 revisions left to test after this (roughly 13 steps)
[2f24482304ebd32c5aa374f31465b9941a860b92] Merge tag 'soc-dt-6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 2f24482304ebd32c5aa374f31465b9941a860b92 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8f29b298d09584070670bf50a1bdc76d8288edd6f304ae76e8eacdca0b2bd216
all runs: OK
false negative chance: 0.000
# git bisect good 2f24482304ebd32c5aa374f31465b9941a860b92
Bisecting: 3103 revisions left to test after this (roughly 12 steps)
[0c86b42439b6c11d758b3392a21117934fef00c1] Merge tag 'drm-next-2025-03-28' of https://gitlab.freedesktop.org/drm/kernel
testing commit 0c86b42439b6c11d758b3392a21117934fef00c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 90178fb60fefe4d88776c5df97c3aac15c4c35332b0cf1dae4a8bb2240da95e5
all runs: OK
false negative chance: 0.000
# git bisect good 0c86b42439b6c11d758b3392a21117934fef00c1
Bisecting: 1562 revisions left to test after this (roughly 11 steps)
[c1f4534b213d7be41b5d8b815a42d201a8f2978f] scripts: generate_rust_analyzer: fix pin-init name in kernel deps
testing commit c1f4534b213d7be41b5d8b815a42d201a8f2978f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fbb3183bc4f418688d31d5c2ee3fb2fbea354a55b380dc8b6fd62c18bb88f3dc
all runs: OK
false negative chance: 0.000
# git bisect good c1f4534b213d7be41b5d8b815a42d201a8f2978f
Bisecting: 752 revisions left to test after this (roughly 10 steps)
[eb0ece16027f8223d5dc9aaf90124f70577bd22a] Merge tag 'mm-stable-2025-03-30-16-52' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit eb0ece16027f8223d5dc9aaf90124f70577bd22a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4c195f59af9a51164afbc84ea693ab293153078ef336d47c015b73cec6e69600
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
# git bisect bad eb0ece16027f8223d5dc9aaf90124f70577bd22a
Bisecting: 404 revisions left to test after this (roughly 9 steps)
[09bdc4fe700d1c499d94452d7a20e69c26a8c007] mm/mm_init: rename __init_reserved_page_zone to __init_page_from_nid
testing commit 09bdc4fe700d1c499d94452d7a20e69c26a8c007 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 95c181f69a66c4dcfbc98cd2e452c62d567fc6f59410c5b8f2bfa58ffb6658e4
all runs: OK
false negative chance: 0.000
# git bisect good 09bdc4fe700d1c499d94452d7a20e69c26a8c007
Bisecting: 202 revisions left to test after this (roughly 8 steps)
[f1794ecb0c04085906d9694db7e398e5d5cd6536] perf dso: Move libunwind dso_data variables into ifdef
testing commit f1794ecb0c04085906d9694db7e398e5d5cd6536 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 681ee6d163991b4335f37d2f4d1edac5112ad2125f5cde5265d90db835c11a4d
all runs: OK
false negative chance: 0.000
# git bisect good f1794ecb0c04085906d9694db7e398e5d5cd6536
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[b6dde1e5275ed82e4c89844e95a03f95ca48be13] Merge tag 'nfsd-6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
testing commit b6dde1e5275ed82e4c89844e95a03f95ca48be13 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 78555e6bbddd898bf64fc1916350433c60022463a7d161bb1a3a8947d5ab2ba6
all runs: OK
false negative chance: 0.000
# git bisect good b6dde1e5275ed82e4c89844e95a03f95ca48be13
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[4080cf02f11e337c5031013f77e0ba1a475985ee] Merge tag 'fs_for_v6.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
testing commit 4080cf02f11e337c5031013f77e0ba1a475985ee gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 903d658bfd008b2eb5fd95907e9b18c31dfe514236bf2cb3ec25e19c7870bb5d
all runs: OK
false negative chance: 0.000
# git bisect good 4080cf02f11e337c5031013f77e0ba1a475985ee
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[2b47102b933a5f28a08f4811835cc3a7cdb1b324] bcachefs: Reorder error messages that include journal debug
testing commit 2b47102b933a5f28a08f4811835cc3a7cdb1b324 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3026f160d75999ac260bba15cb26cedcf116543998eee7f25a1507e77472999f
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
# git bisect bad 2b47102b933a5f28a08f4811835cc3a7cdb1b324
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[35a11506a341cca48900570f68abdaefc9b84646] bcachefs: print_string_as_lines: fix extra newline
testing commit 35a11506a341cca48900570f68abdaefc9b84646 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e73dd0d1279ad80022e00d9efbe8157b57bda5c5d6ed278071f3960f64dbb51c
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
# git bisect bad 35a11506a341cca48900570f68abdaefc9b84646
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[9314e2fb260570d64eef0141ad49526c6637e36f] bcachefs: Fix btree iter flags in data move (2)
testing commit 9314e2fb260570d64eef0141ad49526c6637e36f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bed68f5d77d19383c7b78b0f205b15a88464bed175823df2fe7e1153e4aa9081
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
# git bisect bad 9314e2fb260570d64eef0141ad49526c6637e36f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e1e50a63308f5f97587e89a17084a7fd65d4958f] bcachefs: Use print_string_as_lines() for journal stuck messages
testing commit e1e50a63308f5f97587e89a17084a7fd65d4958f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a6f351ad0a5e369c7af0041963400cbd1aa7d03f78b627ec64290318b0533276
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
# git bisect bad e1e50a63308f5f97587e89a17084a7fd65d4958f
Bisecting: 1 revision left to test after this (roughly 1 step)
[3ba0240a8789f8c059990b81c6f34c29769a5a49] bcachefs: Fix silent short reads in data read retry path
testing commit 3ba0240a8789f8c059990b81c6f34c29769a5a49 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c4a141b6ae2f1f00b95a1a1d665f5d875884250e63d9d0cab216a85a74cc611c
all runs: crashed: KASAN: slab-use-after-free Read in bchfs_read
representative crash: KASAN: slab-use-after-free Read in bchfs_read, types: [KASAN]
# git bisect bad 3ba0240a8789f8c059990b81c6f34c29769a5a49
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[5af61dbd96275e184adcfe615507b0f04ed7b328] bcachefs: Fix nonce inconsistency in bch2_write_prep_encoded_data()
testing commit 5af61dbd96275e184adcfe615507b0f04ed7b328 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 077247cb4ac002e9558f2d9391ec2e27cfa3d6804ba81d2bfba289ae036e0f70
all runs: OK
false negative chance: 0.000
# git bisect good 5af61dbd96275e184adcfe615507b0f04ed7b328
3ba0240a8789f8c059990b81c6f34c29769a5a49 is the first bad commit
commit 3ba0240a8789f8c059990b81c6f34c29769a5a49
Author: Kent Overstreet
Date:   Mon Mar 24 11:51:01 2025 -0400

    bcachefs: Fix silent short reads in data read retry path

    __bch2_read, before calling __bch2_read_extent(), sets bvec_iter.bi_size
    to "the size we can read from the current extent" with a swap, and
    restores it to "the size for the total read" after the read_extent call
    with another swap.

    But we neglected to do the restore before the "if (ret) goto err;" -
    which is a problem if we're retrying those errors.

    Signed-off-by: Kent Overstreet

 fs/bcachefs/fs-io-buffered.c | 2 +-
 fs/bcachefs/io_read.c        | 3 ++-
 fs/bcachefs/io_read.h        | 6 ++++--
 3 files changed, 7 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: c4a141b6ae2f1f00b95a1a1d665f5d875884250e63d9d0cab216a85a74cc611c
parent signature: 077247cb4ac002e9558f2d9391ec2e27cfa3d6804ba81d2bfba289ae036e0f70
revisions tested: 22, total time: 7h32m48.38819786s (build: 3h15m56.408423597s, test: 2h48m4.583016189s)
first bad commit: 3ba0240a8789f8c059990b81c6f34c29769a5a49 bcachefs: Fix silent short reads in data read retry path
recipients (to): ["kent.overstreet@linux.dev"]
recipients (cc): []
crash: KASAN: slab-use-after-free Read in bchfs_read
bcachefs (loop2): marking superblocks
bcachefs (loop2): initializing freespace
bcachefs (loop2): done initializing freespace
bcachefs (loop2): reading snapshots table
bcachefs (loop2): reading snapshots done
bcachefs (loop2): done starting filesystem
==================================================================
BUG: KASAN: slab-use-after-free in bchfs_read+0x256a/0x2da0 fs/bcachefs/fs-io-buffered.c:228
Read of size 4 at addr ffff888103b5e148 by task syz.2.17/3369

CPU: 0 UID: 0 PID: 3369 Comm: syz.2.17 Not tainted 6.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x108/0x280 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 bchfs_read+0x256a/0x2da0 fs/bcachefs/fs-io-buffered.c:228
 bch2_readahead+0xc87/0x1020 fs/bcachefs/fs-io-buffered.c:301
 read_pages+0x135/0x3f0 mm/readahead.c:161
 page_cache_ra_order+0x315/0x970 mm/readahead.c:516
 filemap_get_pages+0x51e/0x1920 mm/filemap.c:2580
 filemap_read+0x3c4/0xd30 mm/filemap.c:2691
 bch2_read_iter+0x454/0x1280 fs/bcachefs/fs-io-direct.c:221
 new_sync_read fs/read_write.c:484 [inline]
 vfs_read+0x874/0xbd0 fs/read_write.c:565
 ksys_read+0x149/0x230 fs/read_write.c:708
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8d/0x190 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4563f8d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4564e1a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f45641a5fa0 RCX: 00007f4563f8d169
RDX: 0000000000002020 RSI: 0000200000000800 RDI: 0000000000000004
RBP: 00007f4564e1a090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 00007f45641a5fa0 R15: 00007ffe765f37e8

Allocated by task 3369:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_mempool_unpoison_object+0x9e/0x170 mm/kasan/common.c:547
 kasan_unpoison_element mm/mempool.c:-1 [inline]
 remove_element+0x12f/0x160 mm/mempool.c:150
 mempool_alloc_noprof+0x456/0x490 mm/mempool.c:408
 bio_alloc_bioset+0x62e/0x11a0 block/bio.c:554
 bch2_readahead+0xa06/0x1020 fs/bcachefs/fs-io-buffered.c:290
 read_pages+0x135/0x3f0 mm/readahead.c:161
 page_cache_ra_order+0x315/0x970 mm/readahead.c:516
 filemap_get_pages+0x51e/0x1920 mm/filemap.c:2580
 filemap_read+0x3c4/0xd30 mm/filemap.c:2691
 bch2_read_iter+0x454/0x1280 fs/bcachefs/fs-io-direct.c:221
 new_sync_read fs/read_write.c:484 [inline]
 vfs_read+0x874/0xbd0 fs/read_write.c:565
 ksys_read+0x149/0x230 fs/read_write.c:708
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8d/0x190 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 3369:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_mempool_poison_object+0xaa/0x120 mm/kasan/common.c:522
 kasan_mempool_poison_object include/linux/kasan.h:360 [inline]
 kasan_poison_element mm/mempool.c:118 [inline]
 add_element mm/mempool.c:141 [inline]
 mempool_free+0x1a6/0x340 mm/mempool.c:541
 bch2_readpages_end_io+0x138/0x190 fs/bcachefs/fs-io-buffered.c:36
 bch2_rbio_done fs/bcachefs/io_read.c:429 [inline]
 __bch2_read_extent+0xf0a/0x3d10 fs/bcachefs/io_read.c:1256
 bch2_read_extent fs/bcachefs/io_read.h:140 [inline]
 bchfs_read+0x1ebe/0x2da0 fs/bcachefs/fs-io-buffered.c:226
 bch2_readahead+0xc87/0x1020 fs/bcachefs/fs-io-buffered.c:301
 read_pages+0x135/0x3f0 mm/readahead.c:161
 page_cache_ra_order+0x315/0x970 mm/readahead.c:516
 filemap_get_pages+0x51e/0x1920 mm/filemap.c:2580
 filemap_read+0x3c4/0xd30 mm/filemap.c:2691
 bch2_read_iter+0x454/0x1280 fs/bcachefs/fs-io-direct.c:221
 new_sync_read fs/read_write.c:484 [inline]
 vfs_read+0x874/0xbd0 fs/read_write.c:565
 ksys_read+0x149/0x230 fs/read_write.c:708
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8d/0x190 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888103b5e000
 which belongs to the cache bio-488 of size 488
The buggy address is located 328 bytes inside of
 freed 488-byte region [ffff888103b5e000, ffff888103b5e1e8)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b5e
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0100000000000040 ffff88817b65b780 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
head: 0100000000000040 ffff88817b65b780 dead000000000122 0000000000000000
head: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
head: 0100000000000001 ffffea00040ed781 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3369, tgid 3368 (syz.2.17), ts 69905412076, free_ts 69002157583
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x108/0x120 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x4725/0x4900 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x256/0x650 mm/page_alloc.c:4740
 alloc_pages_mpol+0x224/0x4e0 mm/mempolicy.c:2270
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab+0x8b/0x350 mm/slub.c:2587
 new_slab mm/slub.c:2640 [inline]
 ___slab_alloc+0xa19/0x1160 mm/slub.c:3826
 __slab_alloc mm/slub.c:3916 [inline]
 __slab_alloc_node mm/slub.c:3991 [inline]
 slab_alloc_node mm/slub.c:4152 [inline]
 kmem_cache_alloc_noprof+0x279/0x410 mm/slub.c:4171
 mempool_init_node+0x1d5/0x460 mm/mempool.c:217
 mempool_init_noprof+0x11/0x20 mm/mempool.c:246
 bioset_init+0x2fb/0x7c0 block/bio.c:1707
 bch2_fs_io_read_init+0x23/0x90 fs/bcachefs/io_read.c:1376
 bch2_fs_alloc+0x1774/0x1d90 fs/bcachefs/super.c:942
 bch2_fs_open+0x62d/0xc30 fs/bcachefs/super.c:2182
 bch2_fs_get_tree+0x6ed/0x1600 fs/bcachefs/fs.c:2172
 vfs_get_tree+0x86/0x1a0 fs/super.c:1814
 do_new_mount+0x21e/0x9b0 fs/namespace.c:3560
page last free pid 1422 tgid 1422 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0xc14/0xe90 mm/page_alloc.c:2660
 discard_slab mm/slub.c:2684 [inline]
 __put_partials+0x156/0x1b0 mm/slub.c:3153
 put_cpu_partial+0x155/0x1b0 mm/slub.c:3228
 __slab_free+0x265/0x360 mm/slub.c:4479
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4115 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 kmem_cache_alloc_noprof+0x1b9/0x410 mm/slub.c:4171
 getname_flags+0x9d/0x440 fs/namei.c:139
 do_sys_openat2+0xb0/0x180 fs/open.c:1422
 do_sys_open fs/open.c:1443 [inline]
 __do_sys_openat fs/open.c:1459 [inline]
 __se_sys_openat fs/open.c:1454 [inline]
 __x64_sys_openat+0x20d/0x260 fs/open.c:1454
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8d/0x190 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888103b5e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888103b5e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888103b5e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff888103b5e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888103b5e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================