ci2 starts bisection 2024-09-30 03:36:08.633694729 +0000 UTC m=+150637.677757929
bisecting fixing commit since e526b12bf9169887f8cfe5afed2b10e56bdca4c3
building syzkaller on f3921d4d63f97d1f1fb49a69ea85744bb7ef184b
ensuring issue is reproducible on original commit e526b12bf9169887f8cfe5afed2b10e56bdca4c3
testing commit e526b12bf9169887f8cfe5afed2b10e56bdca4c3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5913689c036decab329f522728aa12e8218a6ba6b19ee98aefd470308671be08
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
run #10: crashed: KASAN: use-after-free Read in ext4_search_dir
run #11: crashed: KASAN: use-after-free Read in ext4_search_dir
run #12: crashed: KASAN: use-after-free Read in ext4_search_dir
run #13: crashed: KASAN: use-after-free Read in ext4_search_dir
run #14: crashed: KASAN: use-after-free Read in ext4_search_dir
run #15: crashed: KASAN: use-after-free Read in ext4_search_dir
run #16: crashed: KASAN: use-after-free Read in ext4_search_dir
run #17: crashed: KASAN: use-after-free Read in ext4_search_dir
run #18: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #19: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit e526b12bf9169887f8cfe5afed2b10e56bdca4c3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e3b23917985559a91f47fad03e576a3755e34ba6751f476fad3dcc7606ec2bf3
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=3824 full=7523 leaves diff=1996
split chunks (needed=false): <1996>
split chunk #0 of len 1996 into 5 parts
testing without sub-chunk 1/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit e526b12bf9169887f8cfe5afed2b10e56bdca4c3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6ca0a3108b9c44d376684aeb155beb6d30b0739ab545e9252a811eb3d1db295a
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #9: crashed: KASAN: out-of-bounds Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit e526b12bf9169887f8cfe5afed2b10e56bdca4c3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9e75ff2021a1cd26333db55bad695672b5ea869752f6ee972695cf8e14c5e380
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit e526b12bf9169887f8cfe5afed2b10e56bdca4c3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bc65689c1927e35bb9d2782eec7c025ac4290884de295aaba9d37335e4957c0f
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit e526b12bf9169887f8cfe5afed2b10e56bdca4c3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1d3055a5525016495cd7ff27c36ba34a4a31c5b0982de5b1fd8fc298f3b1bbd6
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit e526b12bf9169887f8cfe5afed2b10e56bdca4c3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 68152ca22d90a60e6e60cb1555094cf46cf74cb293bf983f5f54553f02b95efe
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
determining the merge base between e526b12bf9169887f8cfe5afed2b10e56bdca4c3 and 9852d85ec9d492ebef56dc5f229416c925758edc
830b3c68c1fb1e9176028d02ef86f3cf76aa2476/Linux 6.1 is a merge base, check if it has the bug
testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 705b6758df741a6f08c9a1650137bb64ddc2e0cd3155f39998b71a8a24a21aa3
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
testing current HEAD 9852d85ec9d492ebef56dc5f229416c925758edc
testing commit 9852d85ec9d492ebef56dc5f229416c925758edc gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ecee851388cd8b99b24e089985defbe54c0db4a5c76648c82d1519f76cd6fb7a
all runs: OK
false negative chance: 0.000
# git bisect start 9852d85ec9d492ebef56dc5f229416c925758edc 830b3c68c1fb1e9176028d02ef86f3cf76aa2476
Bisecting: 85057 revisions left to test after this (roughly 16 steps)
[3475b91ff258b998b891964e8c263cff48384c01] Merge tag 'tag-chrome-platform-for-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit 3475b91ff258b998b891964e8c263cff48384c01 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7e4c0c241ed04589cdaa063c7c38d256fe71ea49ec24ec1929dcb8419add61d7
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 3475b91ff258b998b891964e8c263cff48384c01
Bisecting: 42559 revisions left to test after this (roughly 15 steps)
[444cde13826bb4d3f9fdf829bf5e2f7bb03d9c32] Merge branch 'cpsw-xdp'
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit 444cde13826bb4d3f9fdf829bf5e2f7bb03d9c32 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 903b009f294f2d6483700f70236f99275b6e1424578434050c94c3aa08f91d6d
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 444cde13826bb4d3f9fdf829bf5e2f7bb03d9c32
Bisecting: 21729 revisions left to test after this (roughly 14 steps)
[280e36f0d5b997173d014c07484c03a7f7750668] nsfs: use cleanup guard
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit 280e36f0d5b997173d014c07484c03a7f7750668 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 03039f436b2e8c272adc1831920a7ea8cc1de3d218d94fc1070b6a4016cdbc5f
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 280e36f0d5b997173d014c07484c03a7f7750668
Bisecting: 10870 revisions left to test after this (roughly 13 steps)
[46ae4d0a489741565520195bddebc3414781e603] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
determine whether the revision contains the guilty commit
revision 280e36f0d5b997173d014c07484c03a7f7750668 crashed and is reachable
testing commit 46ae4d0a489741565520195bddebc3414781e603 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 46ae4d0a489741565520195bddebc3414781e603: ./include/trace/events/page_pool.h:68: undefined reference to `__tracepoint_page_pool_state_hold'
ld: ./include/trace/events/page_pool.h:68: undefined reference to `__tracepoint_page_pool_state_hold'
ld: ./include/trace/events/page_pool.h:68: undefined reference to `__SCT__tp_func_page_pool_state_hold'
ld: net/core/devmem.o:(__jump_table+0x8): undefined reference to `__tracepoint_page_pool_state_hold'
ld: net/core/devmem.o:(.static_call_sites+0x14): undefined reference to `__SCK__tp_func_page_pool_state_hold'
# git bisect skip 46ae4d0a489741565520195bddebc3414781e603
Bisecting: 10864 revisions left to test after this (roughly 13 steps)
[54b86443fd4437c051aefd3f462cfff4defd420c] drm/amdgpu: explicitely set the AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS flag
determine whether the revision contains the guilty commit
revision 3475b91ff258b998b891964e8c263cff48384c01 crashed and is reachable
testing commit 54b86443fd4437c051aefd3f462cfff4defd420c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d2f4cafc5f83d2df10a90c2d0143dc1ba4f4584857cb9c54f5bf10ac3fdf57fc
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 54b86443fd4437c051aefd3f462cfff4defd420c
Bisecting: 5441 revisions left to test after this (roughly 12 steps)
[c8d8a35d094626808cd07ed0758e14c7e4cf61ac] Merge tag 'livepatching-for-6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/livepatching/livepatching
determine whether the revision contains the guilty commit
revision 444cde13826bb4d3f9fdf829bf5e2f7bb03d9c32 crashed and is reachable
testing commit c8d8a35d094626808cd07ed0758e14c7e4cf61ac gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 73ed149f32f3d84a9ad86f8c6e10fb6396c4947037d32c54ec153b53c17ff9dc
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good c8d8a35d094626808cd07ed0758e14c7e4cf61ac
Bisecting: 2731 revisions left to test after this (roughly 11 steps)
[7116747a686e3d5decc354e6812f078dd0c44c6e] Merge tag 'soundwire-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit 7116747a686e3d5decc354e6812f078dd0c44c6e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a0338f5be688e47bd3da4201e2b33710e57745842bf73974ded878049c00e5ff
all runs: OK
false negative chance: 0.000
# git bisect bad 7116747a686e3d5decc354e6812f078dd0c44c6e
Bisecting: 1353 revisions left to test after this (roughly 10 steps)
[7856a565416e0cf091f825b0e25c7a1b7abb650e] Merge tag 'mm-nonmm-stable-2024-09-21-07-52' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit 7856a565416e0cf091f825b0e25c7a1b7abb650e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dc6c23dabfa76f1f67387cc724a47893bb21d093428c35e320e2648ed1685ce3
all runs: OK
false negative chance: 0.000
# git bisect bad 7856a565416e0cf091f825b0e25c7a1b7abb650e
Bisecting: 645 revisions left to test after this (roughly 9 steps)
[2004cef11ea072838f99bd95cefa5c8e45df0847] Merge tag 'sched-core-2024-09-19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
determine whether the revision contains the guilty commit
revision 3475b91ff258b998b891964e8c263cff48384c01 crashed and is reachable
testing commit 2004cef11ea072838f99bd95cefa5c8e45df0847 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4ae1eff58c8b7dcfa50f32dd3efd83da2418bc25873e2eeee46da5d180b983ab
run #0: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: slab-use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 2004cef11ea072838f99bd95cefa5c8e45df0847
Bisecting: 322 revisions left to test after this (roughly 8 steps)
[dafff3f4c850c98e15501bc6ee20581f9a013dcc] mm: split underused THPs
determine whether the revision contains the guilty commit
revision 3475b91ff258b998b891964e8c263cff48384c01 crashed and is reachable
testing commit dafff3f4c850c98e15501bc6ee20581f9a013dcc gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 379d2ee7d211229e76432dbe5a1bff9824b1ff7b0983eabb8202ddd52e14beef
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good dafff3f4c850c98e15501bc6ee20581f9a013dcc
Bisecting: 197 revisions left to test after this (roughly 7 steps)
[1868f9d0260e9afaf7c6436d14923ae12eaea465] Merge tag 'for-linux-6.12-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux
determine whether the revision contains the guilty commit
revision 280e36f0d5b997173d014c07484c03a7f7750668 crashed and is reachable
testing commit 1868f9d0260e9afaf7c6436d14923ae12eaea465 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ca8998b8633df5a69e5dcfaa636708d0225f0ccd27ee46ebdc8519a5eee98f43
all runs: OK
false negative chance: 0.000
# git bisect bad 1868f9d0260e9afaf7c6436d14923ae12eaea465
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[4e2524ba2ca5f54bdbb9e5153bea00421ef653f5] ext4: avoid use-after-free in ext4_ext_show_leaf()
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit 4e2524ba2ca5f54bdbb9e5153bea00421ef653f5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f375c2e9f18ae3d22baadd71b3744310989f9fc19552fdede1426f92144408d2
all runs: OK
false negative chance: 0.000
# git bisect bad 4e2524ba2ca5f54bdbb9e5153bea00421ef653f5
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[1862304b062acb15e05b4e51270dc92de4b7635b] jbd2: correct comment jbd2_mark_journal_empty
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit 1862304b062acb15e05b4e51270dc92de4b7635b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0b85c32e538a8274d7b66d802d52ec75d1175c9b4961b0324d86f008f7128c56
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 1862304b062acb15e05b4e51270dc92de4b7635b
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[2046657e64a11b61d5ed07e0d60befd86303125e] ext4: drop all delonly descriptions
determine whether the revision contains the guilty commit
revision 444cde13826bb4d3f9fdf829bf5e2f7bb03d9c32 crashed and is reachable
testing commit 2046657e64a11b61d5ed07e0d60befd86303125e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 384f6e8d1e6ae6c0e550b417cad9ce5edd634099cb72b9097793877ad7c86e9b
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 2046657e64a11b61d5ed07e0d60befd86303125e
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[7d2b48881877ace14ea85a7e3a17ff8f80f3d8e6] ext4: check buffer_verified in advance to avoid unneeded ext4_get_group_info()
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit 7d2b48881877ace14ea85a7e3a17ff8f80f3d8e6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 735f4bfad65d550a83bb2ca3659badb713818b42470abe80a1e9de48c200dada
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 7d2b48881877ace14ea85a7e3a17ff8f80f3d8e6
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[c6b72f5d82b1017bad80f9ebf502832fc321d796] ext4: avoid OOB when system.data xattr changes underneath the filesystem
determine whether the revision contains the guilty commit
revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable
testing commit c6b72f5d82b1017bad80f9ebf502832fc321d796 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e8a5d06568f09fae02584c0baa1cca75d970339f6234bf31ad6de6c6dfe8fe60
all runs: OK
false negative chance: 0.000
# git bisect bad c6b72f5d82b1017bad80f9ebf502832fc321d796
Bisecting: 1 revision left to test after this (roughly 1 step)
[4d231b91a944f3cab355fce65af5871fb5d7735b] ext4: return error on ext4_find_inline_entry
determine whether the revision contains the guilty commit
revision 3475b91ff258b998b891964e8c263cff48384c01 crashed and is reachable
testing commit 4d231b91a944f3cab355fce65af5871fb5d7735b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6d738450c91612d8d05b74cbf8ff42115e4567c4da8387a972c021a87268149a
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #2: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 4d231b91a944f3cab355fce65af5871fb5d7735b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[51e14e78b5fb3e6f839393cd2d34386ee7b69af3] ext4: explicitly exit when ext4_find_inline_entry returns an error
determine whether the revision contains the guilty commit
revision 3475b91ff258b998b891964e8c263cff48384c01 crashed and is reachable
testing commit 51e14e78b5fb3e6f839393cd2d34386ee7b69af3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 78c881abe9c4acec5671c7e6bbfe70f7128e4c6b744e0f9797c919caaae9ac53
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: slab-use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 51e14e78b5fb3e6f839393cd2d34386ee7b69af3
c6b72f5d82b1017bad80f9ebf502832fc321d796 is the first bad commit
commit c6b72f5d82b1017bad80f9ebf502832fc321d796
Author: Thadeu Lima de Souza Cascardo
Date:   Wed Aug 21 12:23:24 2024 -0300

    ext4: avoid OOB when system.data xattr changes underneath the filesystem

    When looking up an entry in an inlined directory, if e_value_offs is
    changed underneath the filesystem by some change in the block device, it
    will lead to an out-of-bounds access that KASAN detects as an UAF.

    EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
    loop0: detected capacity change from 2048 to 2047
    ==================================================================
    BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
    Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103

    CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:93 [inline]
     dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
     print_address_description mm/kasan/report.c:377 [inline]
     print_report+0x169/0x550 mm/kasan/report.c:488
     kasan_report+0x143/0x180 mm/kasan/report.c:601
     ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
     ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
     __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
     ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
     ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
     lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
     filename_create+0x297/0x540 fs/namei.c:3980
     do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
     __do_sys_symlinkat fs/namei.c:4610 [inline]
     __se_sys_symlinkat fs/namei.c:4607 [inline]
     __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f3e73ced469
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
    RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
    RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
    RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
    R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
    R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0

    Calling ext4_xattr_ibody_find right after reading the inode with
    ext4_get_inode_loc will lead to a check of the validity of the xattrs,
    avoiding this problem.

    Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79
    Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data")
    Signed-off-by: Thadeu Lima de Souza Cascardo
    Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com
    Signed-off-by: Theodore Ts'o

 fs/ext4/inline.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

accumulated error probability: 0.00
culprit signature: e8a5d06568f09fae02584c0baa1cca75d970339f6234bf31ad6de6c6dfe8fe60
parent signature: 78c881abe9c4acec5671c7e6bbfe70f7128e4c6b744e0f9797c919caaae9ac53
revisions tested: 26, total time: 5h53m39.200119099s (build: 2h48m34.217935945s, test: 2h52m52.693097367s)
first good commit: c6b72f5d82b1017bad80f9ebf502832fc321d796 ext4: avoid OOB when system.data xattr changes underneath the filesystem
recipients (to): ["cascardo@igalia.com" "tytso@mit.edu"]
recipients (cc): []