ci2 starts bisection 2023-10-25 09:50:44.79904112 +0000 UTC m=+58647.974928939
bisecting fixing commit since 09045dae0d902f9f78901a26c7ff1714976a38f9
building syzkaller on 0b6a67ac4b0dc26f43030c5edd01c9175f13b784
ensuring issue is reproducible on original commit 09045dae0d902f9f78901a26c7ff1714976a38f9

testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 13cb7687aa9ddb8b37f6891908d9805c7ea4a5a51b42521abf794168013ae0e8
run #0: crashed: KASAN: use-after-free Read in ext4_find_extent
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: out-of-bounds Read in ext4_find_extent
run #4: crashed: KASAN: use-after-free Read in ext4_find_extent
run #5: crashed: KASAN: use-after-free Read in ext4_find_extent
run #6: crashed: KASAN: use-after-free Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: use-after-free Read in ext4_find_extent
run #9: crashed: KASAN: use-after-free Read in ext4_find_extent
run #10: crashed: KASAN: use-after-free Read in ext4_find_extent
run #11: crashed: KASAN: use-after-free Read in ext4_find_extent
run #12: crashed: KASAN: use-after-free Read in ext4_find_extent
run #13: crashed: KASAN: use-after-free Read in ext4_find_extent
run #14: crashed: KASAN: use-after-free Read in ext4_find_extent
run #15: crashed: KASAN: use-after-free Read in ext4_find_extent
run #16: crashed: KASAN: use-after-free Read in ext4_find_extent
run #17: crashed: KASAN: use-after-free Read in ext4_find_extent
run #18: crashed: KASAN: use-after-free Read in ext4_find_extent
run #19: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d0fec7803932e309266f23a90acbe66110ee1cbd84f7ab63a6846d4fca12028c
run #0: crashed: KASAN: use-after-free Read in ext4_find_extent
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
run #4: crashed: KASAN: use-after-free Read in ext4_find_extent
run #5: crashed: KASAN: use-after-free Read in ext4_find_extent
run #6: crashed: KASAN: out-of-bounds Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: use-after-free Read in ext4_find_extent
run #9: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=3820 full=7527 leaves diff=1999
split chunks (needed=false): <1999>
split chunk #0 of len 1999 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e43a31868e556bb65aca6400ae46fd4fc929940a4c27192ae20c55bb52942b3d
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f466925e245b052ce190e5d76a8dbd5a00f9c76a9c8fbe0864f7824c66f7139f
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7cf07c5ee2c4d4430f9e8e453403ccd5b7bc5bd480172916f68f39f657e7c434
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 228db3f4ff74ade976f31dfe3f2640ff585272339cc93182bb828e1513fb8ca4
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f4c907d34e4e39f293df0f4e7e50cf861baae77cce8156bc17e0d18b677b94fd
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 7d24402875c75ca6e43aa27ae3ce2042bde259a4
testing commit 7d24402875c75ca6e43aa27ae3ce2042bde259a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e406e6d15059fb0c3f579532822b406bc0569f2157f2ea643645e4f8a35dc51d
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 1h54m42.002401963s (build: 1h18m32.55795436s, test: 33m20.321856067s)
crash still not fixed or there were kernel test errors
commit msg: Linux 6.1.59
crash: KASAN: use-after-free Read in ext4_find_extent
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xb24/0xcd0 fs/ext4/extents.c:953
Read of size 4 at addr ffff8881255ea838 by task syz-executor.0/1523

CPU: 1 PID: 1523 Comm: syz-executor.0 Not tainted 6.1.59-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xf4/0x251 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
 ext4_find_extent+0xb24/0xcd0 fs/ext4/extents.c:953
 ext4_ext_map_blocks+0x297/0x62f0 fs/ext4/extents.c:4103
 ext4_map_blocks+0x82a/0x1810 fs/ext4/inode.c:651
 _ext4_get_block+0x1d0/0x540 fs/ext4/inode.c:798
 __block_write_begin_int+0x32a/0x1150 fs/buffer.c:1991
 __block_write_begin fs/buffer.c:2041 [inline]
 block_page_mkwrite+0x218/0x400 fs/buffer.c:2510
 ext4_page_mkwrite+0x5d9/0xf20 fs/ext4/inode.c:6255
 do_page_mkwrite+0x149/0x410 mm/memory.c:2992
 wp_page_shared+0x146/0x540 mm/memory.c:3341
 handle_pte_fault mm/memory.c:5011 [inline]
 __handle_mm_fault mm/memory.c:5135 [inline]
 handle_mm_fault+0x91a/0x2bf0 mm/memory.c:5256
 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline]
 handle_page_fault arch/x86/mm/fault.c:1471 [inline]
 exc_page_fault+0x22a/0x5e0 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f5363dc3cc7
Code: ce 48 ff c7 48 01 fe 48 8d 54 11 80 0f 1f 80 00 00 00 00 c5 fe 6f 0e c5 fe 6f 56 20 c5 fe 6f 5e 40 c5 fe 6f 66 60 48 83 ee 80 <c5> fd 7f 0f c5 fd 7f 57 20 c5 fd 7f 5f 40 c5 fd 7f 67 60 48 83 ef
RSP: 002b:00007fff9c14aac8 EFLAGS: 00010203
RAX: 0000000020003600 RBX: 00007fff9c14abd8 RCX: 0000000020003600
RDX: 00000000200036a9 RSI: 00007f53639867b0 RDI: 0000000020003620
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007f5363f01f8c
R10: 00007fff9c14ac00 R11: 0000000000000246 R12: 00007f53639866f0
R13: fffffffffffffffe R14: 00007f5363966000 R15: 00007f53639866f8
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0004957a80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1255ea
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 ffffea0004957ac8 ffffea0004957a48 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 1417, tgid 1417 (modprobe), ts 52404716437, free_ts 52414337233
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x286/0x2b0 mm/page_alloc.c:2513
 prep_new_page mm/page_alloc.c:2520 [inline]
 get_page_from_freelist+0x2ba7/0x2de0 mm/page_alloc.c:4279
 __alloc_pages+0x251/0x640 mm/page_alloc.c:5545
 vma_alloc_folio+0x689/0x870 mm/mempolicy.c:2241
 alloc_page_vma include/linux/gfp.h:284 [inline]
 do_cow_fault mm/memory.c:4611 [inline]
 do_fault mm/memory.c:4723 [inline]
 handle_pte_fault mm/memory.c:4993 [inline]
 __handle_mm_fault mm/memory.c:5135 [inline]
 handle_mm_fault+0x1343/0x2bf0 mm/memory.c:5256
 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline]
 handle_page_fault arch/x86/mm/fault.c:1471 [inline]
 exc_page_fault+0x22a/0x5e0 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1440 [inline]
 free_pcp_prepare mm/page_alloc.c:1490 [inline]
 free_unref_page_prepare+0xca9/0xd80 mm/page_alloc.c:3358
 free_unref_page_list+0xaa/0x690 mm/page_alloc.c:3499
 release_pages+0x1763/0x1900 mm/swap.c:1055
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
 tlb_flush_mmu+0x26f/0x3d0 mm/mmu_gather.c:261
 tlb_finish_mmu+0xb0/0x1b0 mm/mmu_gather.c:361
 exit_mmap+0x311/0x700 mm/mmap.c:3226
 __mmput+0x61/0x290 kernel/fork.c:1199
 exit_mm+0x122/0x1b0 kernel/exit.c:563
 do_exit+0x81e/0x23a0 kernel/exit.c:856
 do_group_exit+0x1b5/0x280 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8881255ea700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881255ea780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881255ea800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff8881255ea880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881255ea900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================