ci2 starts bisection 2023-10-18 11:52:46.25071279 +0000 UTC m=+149958.224495247
bisecting fixing commit since c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd
building syzkaller on 696ea0d2f4fdaa17db929e152edba19bf7666d84
ensuring issue is reproducible on original commit c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd

testing commit c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f03138152ca25b8bdf6ffb7523e75c4a505748fd28d4da2665ef159fd0ffa527
all runs: crashed: KASAN: out-of-bounds Read in ext4_ext_remove_space
representative crash: KASAN: out-of-bounds Read in ext4_ext_remove_space, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 62d12c11fbeadeb8e02cb237ed1c07e64cdc7c7f9cfa77b347b2b0adb4c313ab
all runs: crashed: KASAN: out-of-bounds Read in ext4_ext_remove_space
representative crash: KASAN: out-of-bounds Read in ext4_ext_remove_space, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
kconfig minimization: base=4789 full=6024 leaves diff=238
split chunks (needed=false): <238>
split chunk #0 of len 238 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f589f794c93ab616050c5a5be7630825c4842730f44547646de4fa701799dc2d
all runs: crashed: KASAN: out-of-bounds Read in ext4_ext_remove_space
representative crash: KASAN: out-of-bounds Read in ext4_ext_remove_space, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e36a4fe8322eaa8fd3cd2efc739622d6cdb6ebe5b3c67e85cf3bfc70f9941ef4
all runs: crashed: KASAN: out-of-bounds Read in ext4_ext_remove_space
representative crash: KASAN: out-of-bounds Read in ext4_ext_remove_space, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fd5ea8b206c2f9912cec98b9eb0de3cd39246d92ad6e66c2c30544a4d370c13c
all runs: crashed: KASAN: out-of-bounds Read in ext4_ext_remove_space
representative crash: KASAN: out-of-bounds Read in ext4_ext_remove_space, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e55a066ad81bc5574086b361d2e07ca1b548f1a01bad44c184d1976a1f28ec9f
all runs: crashed: KASAN: out-of-bounds Read in ext4_ext_remove_space
representative crash: KASAN: out-of-bounds Read in ext4_ext_remove_space, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building c8ca447a86a2b6cef9bcd6f6d8fd8233f61430fd: net/socket.c:1109: undefined reference to `wext_handle_ioctl'
net/socket.c:3378: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing current HEAD a27512601c2d65569fdd5a843246dc8da96b6408
testing commit a27512601c2d65569fdd5a843246dc8da96b6408 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a836c9b1b473c4781afcbcd4c95a27473c1b7be2cd49788f7f962f7acc2ffee6
all runs: crashed: KASAN: out-of-bounds Read in ext4_ext_remove_space
representative crash: KASAN: out-of-bounds Read in ext4_ext_remove_space, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 34m56.815944387s (build: 14m20.979053984s, test: 19m14.370217743s)
crash still not fixed or there were kernel test errors
commit msg: Merge 5.10.194 into android13-5.10-lts
crash: KASAN: out-of-bounds Read in ext4_ext_remove_space
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0) in ext4_mb_clear_bb:5614: Corrupt filesystem
==================================================================
BUG: KASAN: out-of-bounds in ext4_ext_rm_leaf fs/ext4/extents.c:2730 [inline]
BUG: KASAN: out-of-bounds in ext4_ext_remove_space+0xfae/0x3c70 fs/ext4/extents.c:2952
Read of size 18446744073709551544 at addr ffff88812147f054 by task syz-executor.0/363

CPU: 1 PID: 363 Comm: syz-executor.0 Not tainted 5.10.194-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x81/0xac lib/dump_stack.c:118
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x148/0x190 mm/kasan/generic.c:189
 memmove+0x24/0x60 mm/kasan/shadow.c:54
 ext4_ext_rm_leaf fs/ext4/extents.c:2730 [inline]
 ext4_ext_remove_space+0xfae/0x3c70 fs/ext4/extents.c:2952
 ext4_punch_hole+0x783/0xf90 fs/ext4/inode.c:4205
 ext4_fallocate+0x6fb/0x2c90 fs/ext4/extents.c:4704
 vfs_fallocate+0x2b1/0xb10 fs/open.c:310
 ioctl_preallocate+0x149/0x1c0 fs/ioctl.c:494
 file_ioctl fs/ioctl.c:537 [inline]
 do_vfs_ioctl+0xaec/0xd10 fs/ioctl.c:732
 __do_sys_ioctl fs/ioctl.c:751 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0xce/0x1a0 fs/ioctl.c:739
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f99357e1ae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f992cf830c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9935901050 RCX: 00007f99357e1ae9
RDX: 0000000020000080 RSI: 000000004030582b RDI: 0000000000000004
RBP: 00007f993582d47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f9935901050 R15: 00007ffc7bb72d08

The buggy address belongs to the page:
page:ffffea0004851fc0 refcount:2 mapcount:0 mapping:ffff888108fb2490 index:0x3a pfn:0x12147f
aops:def_blk_aops ino:0
flags: 0x4000000000002036(referenced|uptodate|lru|active|private)
raw: 4000000000002036 ffffea000480fac8 ffffea0004838b48 ffff888108fb2490
raw: 000000000000003a ffff88812103c690 00000002ffffffff ffff88811c9da000
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88811c9da000
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 358, ts 42266999680, free_ts 0
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page mm/page_alloc.c:2462 [inline]
 get_page_from_freelist+0x1fee/0x2ad0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x2ae/0x2360 mm/page_alloc.c:5346
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 __page_cache_alloc include/linux/pagemap.h:290 [inline]
 pagecache_get_page+0x169/0x6f0 mm/filemap.c:1848
 find_or_create_page include/linux/pagemap.h:402 [inline]
 grow_dev_page fs/buffer.c:976 [inline]
 grow_buffers fs/buffer.c:1045 [inline]
 __getblk_slow+0x1ad/0x580 fs/buffer.c:1072
 __getblk_gfp+0x3d/0x50 fs/buffer.c:1370
 sb_getblk_gfp include/linux/buffer_head.h:368 [inline]
 ext4_ext_grow_indepth fs/ext4/extents.c:1325 [inline]
 ext4_ext_create_new_leaf fs/ext4/extents.c:1424 [inline]
 ext4_ext_insert_extent+0xe97/0x3ff0 fs/ext4/extents.c:2094
 ext4_ext_map_blocks+0xf09/0x5100 fs/ext4/extents.c:4302
 ext4_map_blocks+0x593/0x1450 fs/ext4/inode.c:646
 _ext4_get_block+0x206/0x5b0 fs/ext4/inode.c:793
 ext4_get_block+0x11/0x20 fs/ext4/inode.c:810
 ext4_block_write_begin+0x3b9/0xdc0 fs/ext4/inode.c:1077
 ext4_write_begin+0x484/0xf00 fs/ext4/inode.c:1219
 ext4_da_write_begin+0x52b/0xc30 fs/ext4/inode.c:3021
 generic_perform_write+0x202/0x4a0 mm/filemap.c:3506
 ext4_buffered_write_iter+0x1e5/0x420 fs/ext4/file.c:271
 ext4_file_write_iter+0x358/0x18e0 fs/ext4/file.c:685
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88812147ef00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812147ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812147f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                 ^
 ffff88812147f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88812147f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
EXT4-fs error (device loop0): __ext4_get_inode_loc:4425: comm syz-executor.0: Invalid inode table block 0 in block_group 0
EXT4-fs error (device loop0) in ext4_reserve_inode_write:5886: Corrupt filesystem
EXT4-fs error (device loop0): ext4_punch_hole:4218: inode #16: comm syz-executor.0: mark_inode_dirty error