ci2 starts bisection 2023-12-31 11:12:09.392264527 +0000 UTC m=+760932.716150089
bisecting fixing commit since d30b996835c08018a70dd52c588ba15de1c8378b
building syzkaller on cb976f63e0177b96eb9ce1c631cc5e2c4b4b0759
ensuring issue is reproducible on original commit d30b996835c08018a70dd52c588ba15de1c8378b

testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 96d2bacd39d23112239654133d110aa190be95a36cfba00dfc1c16c10a405d78
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #10: crashed: KASAN: use-after-free Read in ext4_search_dir
run #11: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #12: crashed: KASAN: use-after-free Read in ext4_search_dir
run #13: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #14: crashed: KASAN: use-after-free Read in ext4_search_dir
run #15: crashed: KASAN: use-after-free Read in ext4_search_dir
run #16: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #17: crashed: KASAN: use-after-free Read in ext4_search_dir
run #18: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #19: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 37d414be7f8b91241f43a54e415b8ff7a59427c1fde935dfce062f887159c4e6
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=4789 full=6022 leaves diff=238
split chunks (needed=false): <238>
split chunk #0 of len 238 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4e6b23b9dabfc68178366fa6cf765879236c4d7ddb58686627feae7d4ebdfa37
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 27983844735e84b78c64cf4d757842f234378ed82a7d6e318eaa6bf843fef2a3
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: slab-out-of-bounds Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6c31eb42d4fd863144c6f0fc58c161a6178233e002c39284e2d010e699ec8130
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 751c47dfad4429d38abafb3ea516e394d3b7ee24fc5ab2cf46cbb40de73b5a42
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: slab-out-of-bounds Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building d30b996835c08018a70dd52c588ba15de1c8378b: net/socket.c:1126: undefined reference to `wext_handle_ioctl'
net/socket.c:3395: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD f7977422e132104c98e139e0e071b2a45bc37066
testing commit f7977422e132104c98e139e0e071b2a45bc37066 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4ba46b03aab4dde28adef4dabef546a5e1d000ad65ebf714820dbfa542eeb0ab
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 34m55.344490079s (build: 14m17.549757193s, test: 19m11.277811359s)
crash still not fixed or there were kernel test errors
commit msg: Revert "psample: Require 'CAP_NET_ADMIN' when joining "packets" group"
crash: KASAN: use-after-free Read in ext4_search_dir
EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
EXT4-fs (loop0): 1 truncate cleaned up
EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsold,resgid=0x000000000000ee00,bh,noload,data_err=ignore,usrjquota=,,errors=continue
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0x18d/0x1c0 fs/ext4/namei.c:1515
Read of size 1 at addr ffff8881211efd23 by task syz-executor.0/343

CPU: 1 PID: 343 Comm: syz-executor.0 Not tainted 5.10.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x81/0xac lib/dump_stack.c:118
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:452
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 ext4_search_dir+0x18d/0x1c0 fs/ext4/namei.c:1515
 ext4_find_inline_entry+0x20c/0x360 fs/ext4/inline.c:1700
 __ext4_find_entry+0x8ec/0xdf0 fs/ext4/namei.c:1588
 ext4_lookup_entry fs/ext4/namei.c:1743 [inline]
 ext4_lookup fs/ext4/namei.c:1811 [inline]
 ext4_lookup+0x153/0x6b0 fs/ext4/namei.c:1802
 __lookup_hash+0xe5/0x150 fs/namei.c:1541
 filename_create+0x16a/0x410 fs/namei.c:3614
 user_path_create fs/namei.c:3671 [inline]
 do_mkdirat+0xb1/0x290 fs/namei.c:3811
 __do_sys_mkdirat fs/namei.c:3829 [inline]
 __se_sys_mkdirat fs/namei.c:3827 [inline]
 __x64_sys_mkdirat+0x71/0xb0 fs/namei.c:3827
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fc94e040ae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc94dbc30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fc94e15ff80 RCX: 00007fc94e040ae9
RDX: 0000000000000000 RSI: 0000000020000040 RDI: ffffffffffffff9c
RBP: 00007fc94e08c47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc94e15ff80 R15: 00007ffd918198e8

Allocated by task 0:
(stack is not available)

Freed by task 337:
 kasan_save_stack+0x26/0x50 mm/kasan/common.c:38
 kasan_set_track+0x25/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x24/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:362 [inline]
 ____kasan_slab_free mm/kasan/common.c:324 [inline]
 __kasan_slab_free+0x111/0x150 mm/kasan/common.c:370
 kasan_slab_free include/linux/kasan.h:220 [inline]
 slab_free_hook mm/slub.c:1595 [inline]
 slab_free_freelist_hook+0x9b/0x1a0 mm/slub.c:1621
 slab_free mm/slub.c:3203 [inline]
 kfree+0xc2/0x4e0 mm/slub.c:4191
 skb_free_head net/core/skbuff.c:605 [inline]
 skb_release_data+0x4c0/0x6d0 net/core/skbuff.c:625
 skb_release_all net/core/skbuff.c:679 [inline]
 __kfree_skb net/core/skbuff.c:693 [inline]
 consume_skb net/core/skbuff.c:850 [inline]
 consume_skb+0xa6/0x1d0 net/core/skbuff.c:844
 skb_free_datagram+0x12/0xd0 net/core/datagram.c:325
 netlink_recvmsg+0x51a/0xf40 net/netlink/af_netlink.c:1994
 sock_recvmsg_nosec net/socket.c:903 [inline]
 sock_recvmsg net/socket.c:921 [inline]
 sock_recvmsg net/socket.c:917 [inline]
 __sys_recvfrom+0x1fd/0x320 net/socket.c:2061
 __do_sys_recvfrom net/socket.c:2079 [inline]
 __se_sys_recvfrom net/socket.c:2075 [inline]
 __x64_sys_recvfrom+0xdc/0x1a0 net/socket.c:2075
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

The buggy address belongs to the object at ffff8881211efc00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 291 bytes inside of
 512-byte region [ffff8881211efc00, ffff8881211efe00)
The buggy address belongs to the page:
page:ffffea0004847b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1211ec
head:ffffea0004847b00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 337, ts 39020981962, free_ts 0
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page mm/page_alloc.c:2462 [inline]
 get_page_from_freelist+0x1fee/0x2ad0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x2ae/0x2360 mm/page_alloc.c:5346
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 alloc_slab_page mm/slub.c:1665 [inline]
 allocate_slab+0x30f/0x460 mm/slub.c:1808
 new_slab mm/slub.c:1869 [inline]
 new_slab_objects mm/slub.c:2627 [inline]
 ___slab_alloc.constprop.0+0x32b/0x730 mm/slub.c:2791
 __slab_alloc mm/slub.c:2831 [inline]
 slab_alloc_node mm/slub.c:2913 [inline]
 slab_alloc mm/slub.c:2955 [inline]
 __kmalloc_track_caller+0x325/0x360 mm/slub.c:4536
 __kmalloc_reserve net/core/skbuff.c:143 [inline]
 __alloc_skb+0x74/0x4d0 net/core/skbuff.c:211
 alloc_skb include/linux/skbuff.h:1126 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1194 [inline]
 netlink_sendmsg+0x8a4/0xd10 net/netlink/af_netlink.c:1891
 sock_sendmsg_nosec net/socket.c:652 [inline]
 __sock_sendmsg+0xb5/0xf0 net/socket.c:664
 __sys_sendto+0x1e3/0x2f0 net/socket.c:2004
 __do_sys_sendto net/socket.c:2016 [inline]
 __se_sys_sendto net/socket.c:2012 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:2012
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881211efc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881211efc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881211efd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8881211efd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881211efe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
EXT4-fs error (device loop0): ext4_find_dest_de:2075: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=3089191003, rec_len=43069, size=56 fake=0