ci2 starts bisection 2025-06-02 07:00:04.581115311 +0000 UTC m=+399994.708992214
bisecting fixing commit since b4bd207b0380c89a7134705d0cddb3541912562b
building syzkaller on a0626d3a05d5e31af100787b6749f0b89416c171
ensuring issue is reproducible on original commit b4bd207b0380c89a7134705d0cddb3541912562b
testing commit b4bd207b0380c89a7134705d0cddb3541912562b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c6235cc543a20b1256336cf87e4bbee7cc9f082169547cf5617b3bc0a9173a49
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit b4bd207b0380c89a7134705d0cddb3541912562b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3e4ba9979f67702d06cf1ee670ec898b3e80bd87ebb587f1ae56553995ea3229
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=4921 full=6215 leaves diff=255
split chunks (needed=false): <255>
split chunk #0 of len 255 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit b4bd207b0380c89a7134705d0cddb3541912562b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 52b21b43488fb55cbc6490a413953c6bd8e21f793626e797ac105aa29a56b063
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit b4bd207b0380c89a7134705d0cddb3541912562b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c25b54cf66a6425b32f103d893dda76e7d77a67efb0b3088e2d6918372bc392a
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit b4bd207b0380c89a7134705d0cddb3541912562b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7e14c9318b587ce63e2acffdfa579143f903e9773b316b9f3252f4f5c07e7003
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit b4bd207b0380c89a7134705d0cddb3541912562b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b9e6174db8761c45dac267b51b37c8dbb1e46fa7de9346e0f110d63930783bb9
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit b4bd207b0380c89a7134705d0cddb3541912562b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building b4bd207b0380c89a7134705d0cddb3541912562b: net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3390: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 51 configs; suspects: [HID_ZEROPLUS USB_MON USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing current HEAD 4032a894ccb2cf50824f8f9be583e515ec22be87
testing commit 4032a894ccb2cf50824f8f9be583e515ec22be87 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 03b5ce9eeb464898e28e4a67aa1360062d2ed794b102071029f6eeff9408ee97
all runs: OK
false negative chance: 0.000
# git bisect start 4032a894ccb2cf50824f8f9be583e515ec22be87 b4bd207b0380c89a7134705d0cddb3541912562b
Bisecting: 1270 revisions left to test after this (roughly 10 steps)
[f443687ad20c70320d1248f35f57bf46cac8df0a] team: better TEAM_OPTION_TYPE_STRING validation
determine whether the revision contains the guilty commit
checking the merge base 0a51d2d4527b43c5e467ffa6897deefeaf499358
no existing result, test the revision
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a64533e3d591c92928a343f4dc1f66383cbc9896669983043f7f131eea7608a9
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
testing commit f443687ad20c70320d1248f35f57bf46cac8df0a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8634a83ec5933261cc4fd1d086bffbeff6abad1bfa300f812d7ed7bc87cc325d
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good f443687ad20c70320d1248f35f57bf46cac8df0a
Bisecting: 635 revisions left to test after this (roughly 9 steps)
[7c3118db4998c92ec171c9f592d99085752ea789] media: i2c: ccs: Set the device's runtime PM status correctly in probe
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit 7c3118db4998c92ec171c9f592d99085752ea789 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3c5290b49880be0f983a42e5f9381bc327a94156156d0ff8f93d03fe0a1f61b1
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 7c3118db4998c92ec171c9f592d99085752ea789
Bisecting: 317 revisions left to test after this (roughly 8 steps)
[bedd287fdd3142dffad7ae2ac6ef15f4a2ad0629] net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit bedd287fdd3142dffad7ae2ac6ef15f4a2ad0629 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dec8f05c426427dc91cd563f783bcdef599990d0c55777011125c658c2ed6cac
all runs: OK
false negative chance: 0.000
# git bisect bad bedd287fdd3142dffad7ae2ac6ef15f4a2ad0629
Bisecting: 158 revisions left to test after this (roughly 7 steps)
[d20f28f0077024f9c71cf34451f7a95378f67e0d] blk-cgroup: support to track if policy is online
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit d20f28f0077024f9c71cf34451f7a95378f67e0d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4f04f15aa7761fdfb9d8400a79791ea6dde6d6c3c56b87e336ad7b84d6b9e3ed
all runs: OK
false negative chance: 0.000
# git bisect bad d20f28f0077024f9c71cf34451f7a95378f67e0d
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[6bc390b02d4b700b3c3fa0264dc34fab5d4ace6d] riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit 6bc390b02d4b700b3c3fa0264dc34fab5d4ace6d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 160b9b169243c990cf87db04f122ddb94887f9903758198dd598343ae8d8c862
all runs: OK
false negative chance: 0.000
# git bisect bad 6bc390b02d4b700b3c3fa0264dc34fab5d4ace6d
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[8730a3c6f0f1291cb009825289fd4c9e5cd2402b] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit 8730a3c6f0f1291cb009825289fd4c9e5cd2402b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e946bb8a96f2cde47871f0190811995f8542490c3fe9d5868c82a21cc1e36e86
all runs: OK
false negative chance: 0.000
# git bisect bad 8730a3c6f0f1291cb009825289fd4c9e5cd2402b
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[031b53078e889dcbcda87a8d57954600589cae5d] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit 031b53078e889dcbcda87a8d57954600589cae5d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2e82c285815ce9712e4c18ddf0a5db83aef626787854c5bdfbdd63a181026d7d
all runs: OK
false negative chance: 0.000
# git bisect bad 031b53078e889dcbcda87a8d57954600589cae5d
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[977fb8126e5c7dc8aeacc92042ce79730b6efa52] wifi: mt76: Add check for devm_kstrdup()
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit 977fb8126e5c7dc8aeacc92042ce79730b6efa52 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8a3bcbe1ef14fe72a1be9d1a7fbc5c5c1e81054819ec90a0f5f95f02081ab573
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 977fb8126e5c7dc8aeacc92042ce79730b6efa52
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[5d74f8a5fb3c51ee6034b0f57297f1686e787e6d] vdpa/mlx5: Fix oversized null mkey longer than 32bit
determine whether the revision contains the guilty commit
revision 977fb8126e5c7dc8aeacc92042ce79730b6efa52 crashed and is reachable
testing commit 5d74f8a5fb3c51ee6034b0f57297f1686e787e6d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2676011b8c3a4b49c0e08e94788ee17ad24b8a5b81e2bbbd0d25775c2da1547f
all runs: OK
false negative chance: 0.000
# git bisect bad 5d74f8a5fb3c51ee6034b0f57297f1686e787e6d
Bisecting: 2 revisions left to test after this (roughly 1 step)
[65cc93278f69de3dd0c806699648e701982d0784] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
determine whether the revision contains the guilty commit
revision 977fb8126e5c7dc8aeacc92042ce79730b6efa52 crashed and is reachable
testing commit 65cc93278f69de3dd0c806699648e701982d0784 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6129c847b45312153ca3dde9636c0d57f8693437bb32e398a04eae07cbc2dcbd
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 65cc93278f69de3dd0c806699648e701982d0784
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2883e9e74f73f9265e5f8d1aaaa89034b308e433] ext4: fix off-by-one error in do_split
determine whether the revision contains the guilty commit
revision 977fb8126e5c7dc8aeacc92042ce79730b6efa52 crashed and is reachable
testing commit 2883e9e74f73f9265e5f8d1aaaa89034b308e433 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0ca82eeddbab82e45cb6532a14e13b667063b207b48713967ee2393555d156ef
all runs: OK
false negative chance: 0.000
# git bisect bad 2883e9e74f73f9265e5f8d1aaaa89034b308e433
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[899d0353ea69681f474b6bc9de32c663b89672da] bus: mhi: host: Fix race between unprepare and queue_buf
determine whether the revision contains the guilty commit
revision 7c3118db4998c92ec171c9f592d99085752ea789 crashed and is reachable
testing commit 899d0353ea69681f474b6bc9de32c663b89672da gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c2e503722d7b49f8615d3cc552b8ae6bdbda0a0c28b5a1d194cd4ccd516fda6c
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 899d0353ea69681f474b6bc9de32c663b89672da
2883e9e74f73f9265e5f8d1aaaa89034b308e433 is the first bad commit
commit 2883e9e74f73f9265e5f8d1aaaa89034b308e433
Author: Artem Sadovnikov
Date:   Fri Apr 4 08:28:05 2025 +0000

    ext4: fix off-by-one error in do_split

    commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.

    Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
    caused by out-of-bounds access due to incorrect splitting in do_split.

    BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
    Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

    CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
    Call Trace:
     __dump_stack lib/dump_stack.c:94 [inline]
     dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
     print_address_description mm/kasan/report.c:377 [inline]
     print_report+0x169/0x550 mm/kasan/report.c:488
     kasan_report+0x143/0x180 mm/kasan/report.c:601
     kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
     __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
     ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
     add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
     make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
     ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
     ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
     ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
     vfs_symlink+0x137/0x2e0 fs/namei.c:4615
     do_symlinkat+0x222/0x3a0 fs/namei.c:4641
     __do_sys_symlink fs/namei.c:4662 [inline]
     __se_sys_symlink fs/namei.c:4660 [inline]
     __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    The following loop is located right above 'if' statement.

        for (i = count-1; i >= 0; i--) {
            /* is more than half of this entry in 2nd half of the block? */
            if (size + map[i].size/2 > blocksize/2)
                break;
            size += map[i].size;
            move++;
        }

    'i' in this case could go down to -1, in which case the sum of active
    entries wouldn't exceed half the block size, but previous behaviour
    would also do split in half if the sum would exceed at the very last
    block, which in case of having too many long-name files in a single
    block could lead to out-of-bounds access and following use-after-free.

    Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

    Cc: stable@vger.kernel.org
    Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
    Signed-off-by: Artem Sadovnikov
    Reviewed-by: Jan Kara
    Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

 fs/ext4/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: 0ca82eeddbab82e45cb6532a14e13b667063b207b48713967ee2393555d156ef
parent signature: c2e503722d7b49f8615d3cc552b8ae6bdbda0a0c28b5a1d194cd4ccd516fda6c
revisions tested: 20, total time: 3h45m8.337425061s (build: 1h0m27.354183091s, test: 2h38m34.446493153s)
first good commit: 2883e9e74f73f9265e5f8d1aaaa89034b308e433 ext4: fix off-by-one error in do_split
recipients (to): ["a.sadovnikov@ispras.ru" "gregkh@linuxfoundation.org" "jack@suse.cz" "tytso@mit.edu"]
recipients (cc): []
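The commit message quotes the split loop but not the one-line change that followed it, and the log only shows the diffstat. The C program below is an added example, not part of the syzbot log, the kernel source or the patch. It models the split-point computation of do_split() with the old and the fixed guard side by side and runs both on a constructed directory block, so that the failure mode named in the message becomes concrete: when the loop stops on the very first entry (i == 0), splitting by entry count instead of by size can leave the original block with less slack than the entry about to be inserted needs, and ext4_insert_dentry writes past the block. Assumptions, labelled in the code as well: the fix changes the guard from `i > 0` to `i >= 0` (the diff is not on this page), map sizes are EXT4_DIR_REC_LEN(name_len) record lengths, the metadata_csum tail is ignored, and every name length and block size below is constructed.

```c
/*
 * Added example: a byte-budget model of the split heuristic in ext4's
 * do_split() (fs/ext4/namei.c). Not kernel code. Entries carry only their
 * record length; hashes and offsets are omitted. The checksum tail that a
 * metadata_csum directory block reserves is ignored (constructed model).
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define BLOCKSIZE 1024u
/* EXT4_DIR_REC_LEN(): 8-byte header plus name, rounded up to 4 bytes. */
#define REC_LEN(name_len) (((name_len) + 8u + 3u) & ~3u)

struct dx_map_entry { unsigned int size; };

struct split_plan {
    int split;                /* map index; entries [split, count) move */
    unsigned int free_first;  /* slack left in the original block */
    unsigned int free_second; /* slack left in the new block */
};

/*
 * Same loop as in the commit message. 'fixed' selects the guard applied
 * afterwards. ASSUMPTION (diff not shown on the page): the upstream fix
 * changes `i > 0` to `i >= 0`, so stopping on entry 0 keeps the size-wise
 * split instead of falling back to a split by count.
 */
static struct split_plan plan_split(const struct dx_map_entry *map, int count,
                                    unsigned int blocksize, bool fixed)
{
    struct split_plan p = { 0, blocksize, blocksize };
    unsigned int size = 0;
    int move = 0, i;

    for (i = count - 1; i >= 0; i--) {
        /* is more than half of this entry in 2nd half of the block? */
        if (size + map[i].size / 2 > blocksize / 2)
            break;
        size += map[i].size;
        move++;
    }

    if (fixed ? (i >= 0) : (i > 0))
        p.split = count - move;   /* split where the byte total crosses half */
    else
        p.split = count / 2;      /* i == -1: every entry fit, split by count */

    /* Entries all came from one block, so neither half can underflow. */
    for (i = 0; i < count; i++) {
        if (i < p.split)
            p.free_first -= map[i].size;
        else
            p.free_second -= map[i].size;
    }
    return p;
}

/* Does the new record fit in the half its hash sends it to? */
static bool insert_fits(struct split_plan p, unsigned int new_rec_len,
                        bool goes_to_second)
{
    return new_rec_len <= (goes_to_second ? p.free_second : p.free_first);
}

/*
 * Constructed block, entries in hash order: three maximum-length names
 * followed by three 4-character names. Walking from the end, the loop
 * admits entries 5..1 (564 bytes) and stops on entry 0, so i == 0.
 */
static const struct dx_map_entry long_names[] = {
    { REC_LEN(255) }, { REC_LEN(255) }, { REC_LEN(255) },
    { REC_LEN(4) },   { REC_LEN(4) },   { REC_LEN(4) },
};
#define LONG_COUNT ((int)(sizeof long_names / sizeof long_names[0]))

/* Constructed block where every entry fits in half: the loop runs to i == -1. */
static const struct dx_map_entry short_names[] = {
    { REC_LEN(4) }, { REC_LEN(4) }, { REC_LEN(4) },
    { REC_LEN(4) }, { REC_LEN(4) }, { REC_LEN(4) },
};
#define SHORT_COUNT ((int)(sizeof short_names / sizeof short_names[0]))

/* The KASAN report above shows a 251-byte write, i.e. a 251-character name. */
#define NEW_ENTRY_LEN REC_LEN(251)

int main(void)
{
    struct split_plan old_plan = plan_split(long_names, LONG_COUNT, BLOCKSIZE, false);
    struct split_plan new_plan = plan_split(long_names, LONG_COUNT, BLOCKSIZE, true);

    printf("old guard: split=%d free_first=%u free_second=%u -> %s\n",
           old_plan.split, old_plan.free_first, old_plan.free_second,
           insert_fits(old_plan, NEW_ENTRY_LEN, false) ? "fits" : "OVERFLOW");
    printf("new guard: split=%d free_first=%u free_second=%u -> %s\n",
           new_plan.split, new_plan.free_first, new_plan.free_second,
           insert_fits(new_plan, NEW_ENTRY_LEN, false) ? "fits" : "OVERFLOW");
    return 0;
}
```

With the old guard the constructed block splits at index 3, keeping all three 264-byte records (792 bytes) in the original block and leaving 232 bytes of slack for a 260-byte record; the fixed guard splits at index 1, and both halves then have room. On the all-short block the loop reaches -1 and both guards split by count, which is why the change only affects the i == 0 case.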