ci2 starts bisection 2023-04-03 02:23:32.976696913 +0000 UTC m=+406513.990355895
bisecting fixing commit since 1b929c02afd37871d5afb9d498426f83432e71c2
building syzkaller on 9da18ae8fa827d046ef8da48cc23c97418553c23
ensuring issue is reproducible on original commit 1b929c02afd37871d5afb9d498426f83432e71c2
testing commit 1b929c02afd37871d5afb9d498426f83432e71c2 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1516103889388101f6b7fb39fc14d94ab39186cfdc4797d58e055acfcafead17
run #0: crashed: KASAN: use-after-free Read in ext4_find_extent
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
run #4: crashed: KASAN: use-after-free Read in ext4_find_extent
run #5: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
run #6: crashed: KASAN: use-after-free Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
run #9: crashed: KASAN: use-after-free Read in ext4_find_extent
run #10: crashed: KASAN: use-after-free Read in ext4_find_extent
run #11: crashed: KASAN: use-after-free Read in ext4_find_extent
run #12: crashed: KASAN: use-after-free Read in ext4_find_extent
run #13: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
run #14: crashed: KASAN: use-after-free Read in ext4_find_extent
run #15: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
run #16: crashed: KASAN: use-after-free Read in ext4_find_extent
run #17: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
run #18: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
run #19: crashed: KASAN: use-after-free Read in ext4_find_extent
testing current HEAD 7e364e56293bb98cae1b55fd835f5991c4e96e7d
testing commit 7e364e56293bb98cae1b55fd835f5991c4e96e7d gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0cdfbd5668e7bda23c018fd3a7313e7b3a8dc49f0b49f15b273687e6355b57ef
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
run #1: crashed: KASAN: slab-use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: slab-use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
run #5: crashed: KASAN: use-after-free Read in ext4_find_extent
run #6: crashed: KASAN: use-after-free Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: slab-use-after-free Read in ext4_find_extent
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_find_extent
revisions tested: 2, total time: 1h2m18.675989728s (build: 54m37.719831673s, test: 6m8.559047202s)
the crash still happens on HEAD
commit msg: Linux 6.3-rc5
crash: KASAN: slab-out-of-bounds Read in ext4_find_extent
loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_find_extent+0x7a2/0xcd0
Read of size 4 at addr ffff888075a6df30 by task syz-executor.0/5616

CPU: 0 PID: 5616 Comm: syz-executor.0 Not tainted 6.3.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 dump_stack_lvl+0x12e/0x1d0
 print_report+0x163/0x510
 kasan_report+0x108/0x140
 ext4_find_extent+0x7a2/0xcd0
 ext4_clu_mapped+0xd0/0x7c0
 ext4_da_get_block_prep+0x8b3/0x1110
 ext4_block_write_begin+0x3f9/0xd30
 ext4_da_write_begin+0x47f/0x730
 generic_perform_write+0x2b6/0x500
 ext4_buffered_write_iter+0xf5/0x2e0
 ext4_file_write_iter+0x199/0x14e0
 vfs_write+0x7be/0xb10
 ksys_write+0x122/0x200
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f98b608c0a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f98b6e35168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f98b61abf80 RCX: 00007f98b608c0a9
RDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 00007f98b60e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff8854657f R14: 00007f98b6e35300 R15: 0000000000022000

Allocated by task 5341:
 kasan_set_track+0x40/0x60
 __kasan_slab_alloc+0x66/0x70
 slab_post_alloc_hook+0x69/0x3a0
 kmem_cache_alloc+0x11f/0x2e0
 alloc_buffer_head+0x23/0x1e0
 alloc_page_buffers+0x26a/0x690
 create_empty_buffers+0x2d/0x570
 ext4_block_write_begin+0x24f/0xd30
 ext4_da_write_begin+0x47f/0x730
 generic_perform_write+0x2b6/0x500
 ext4_buffered_write_iter+0xf5/0x2e0
 ext4_file_write_iter+0x199/0x14e0
 vfs_write+0x7be/0xb10
 ksys_write+0x122/0x200
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888075a6de80
 which belongs to the cache buffer_head of size 168
The buggy address is located 8 bytes to the right of
 allocated 168-byte region [ffff888075a6de80, ffff888075a6df28)

The buggy address belongs to the physical page:
page:ffffea0001d69b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75a6d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88814016bb40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5341, tgid 5341 (scp), ts 58838883426, free_ts 52292391174
 get_page_from_freelist+0x31e9/0x3360
 __alloc_pages+0x255/0x670
 alloc_slab_page+0x6a/0x160
 new_slab+0x84/0x2f0
 ___slab_alloc+0xa07/0x1000
 kmem_cache_alloc+0x1b9/0x2e0
 alloc_buffer_head+0x23/0x1e0
 alloc_page_buffers+0x26a/0x690
 create_empty_buffers+0x2d/0x570
 ext4_block_write_begin+0x24f/0xd30
 ext4_da_write_begin+0x47f/0x730
 generic_perform_write+0x2b6/0x500
 ext4_buffered_write_iter+0xf5/0x2e0
 ext4_file_write_iter+0x199/0x14e0
 vfs_write+0x7be/0xb10
 ksys_write+0x122/0x200
page last free stack trace:
 free_unref_page_prepare+0xe2f/0xe70
 free_unref_page+0x37/0x3f0
 __unfreeze_partials+0x1b1/0x1f0
 put_cpu_partial+0x106/0x170
 qlist_free_all+0x22/0x60
 kasan_quarantine_reduce+0x14b/0x160
 __kasan_slab_alloc+0x23/0x70
 slab_post_alloc_hook+0x69/0x3a0
 kmem_cache_alloc+0x11f/0x2e0
 __anon_vma_prepare+0x63/0x3c0
 handle_mm_fault+0x366b/0x3d50
 exc_page_fault+0x5a4/0x7b0
 asm_exc_page_fault+0x26/0x30

Memory state around the buggy address:
 ffff888075a6de00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888075a6de80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888075a6df00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff888075a6df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888075a6e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================