ci2 starts bisection 2024-03-06 22:57:07.364275717 +0000 UTC m=+118568.442063238
bisecting fixing commit since d30b996835c08018a70dd52c588ba15de1c8378b
building syzkaller on cb976f63e0177b96eb9ce1c631cc5e2c4b4b0759
ensuring issue is reproducible on original commit d30b996835c08018a70dd52c588ba15de1c8378b
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f31f03383c5cd90800704014e437e7d5c1a31c04346d3a006324903ecb175a63
run #0: basic kernel testing failed: lost connection to test machine
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
run #10: crashed: KASAN: use-after-free Read in ext4_search_dir
run #11: crashed: KASAN: use-after-free Read in ext4_search_dir
run #12: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #13: crashed: KASAN: use-after-free Read in ext4_search_dir
run #14: crashed: KASAN: use-after-free Read in ext4_search_dir
run #15: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #16: crashed: KASAN: use-after-free Read in ext4_search_dir
run #17: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #18: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #19: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e97e825ecbd4147973f3135acdde711744411121795764dcf4c6aa3b04b15400
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: slab-out-of-bounds Read in ext4_search_dir, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
kconfig minimization: base=4789 full=6022 leaves diff=238
split chunks (needed=false): <238>
split chunk #0 of len 238 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad6149d94fe66adb635dbc593ca7efc64113df809e0dc84d35691518663b5630
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: slab-out-of-bounds Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a4423f5209f49f15057b3c7441eb093a5c37e0f350e4922b7bbb96780400b398
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 863f1e39c2c69bb359d6d02c63980777473455819d6276127ea6cfcb60532766
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c9acca100886a321f6939869c1a382e589a5eb4d64a62ac1d017d35143cde0c3
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit d30b996835c08018a70dd52c588ba15de1c8378b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building d30b996835c08018a70dd52c588ba15de1c8378b:
net/socket.c:1126: undefined reference to `wext_handle_ioctl'
net/socket.c:3395: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD dd976ecce2ce969d698599c84c8e7dcbb07c9aaf
testing commit dd976ecce2ce969d698599c84c8e7dcbb07c9aaf gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4344612c01202b41f0197fa6103a5a5f3ee371db92095a311d6528126c632433
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 36m14.679021171s (build: 14m47.636150608s, test: 20m1.103596184s)
crash still not fixed or there were kernel test errors
commit msg: Merge "Merge branch 'android13-5.10' into branch 'android13-5.10-lts'" into android13-5.10-lts
crash: KASAN: use-after-free Read in ext4_search_dir
EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
EXT4-fs (loop0): 1 truncate cleaned up
EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsold,resgid=0x000000000000ee00,bh,noload,data_err=ignore,usrjquota=,,errors=continue
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0x18d/0x1c0 fs/ext4/namei.c:1515
Read of size 1 at addr ffff888103bffd23 by task syz-executor.0/353

CPU: 1 PID: 353 Comm: syz-executor.0 Not tainted 5.10.209-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x81/0xac lib/dump_stack.c:118
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:452
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 ext4_search_dir+0x18d/0x1c0 fs/ext4/namei.c:1515
 ext4_find_inline_entry+0x20c/0x360 fs/ext4/inline.c:1700
 __ext4_find_entry+0x8ec/0xdf0 fs/ext4/namei.c:1588
 ext4_lookup_entry fs/ext4/namei.c:1743 [inline]
 ext4_lookup fs/ext4/namei.c:1811 [inline]
 ext4_lookup+0x153/0x6b0 fs/ext4/namei.c:1802
 __lookup_hash+0xe5/0x150 fs/namei.c:1541
 filename_create+0x16a/0x410 fs/namei.c:3614
 user_path_create fs/namei.c:3671 [inline]
 do_mkdirat+0xb1/0x290 fs/namei.c:3811
 __do_sys_mkdirat fs/namei.c:3829 [inline]
 __se_sys_mkdirat fs/namei.c:3827 [inline]
 __x64_sys_mkdirat+0x71/0xb0 fs/namei.c:3827
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f1f81121ae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1f80ca40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007f1f81240f80 RCX: 00007f1f81121ae9
RDX: 0000000000000000 RSI: 0000000020000040 RDI: ffffffffffffff9c
RBP: 00007f1f8116d47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f1f81240f80 R15: 00007ffe806f5628

Allocated by task 1:
 kasan_save_stack+0x26/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:430 [inline]
 __kasan_slab_alloc+0x94/0xc0 mm/kasan/common.c:463
 kasan_slab_alloc include/linux/kasan.h:244 [inline]
 slab_post_alloc_hook mm/slab.h:583 [inline]
 slab_alloc_node mm/slub.c:2947 [inline]
 slab_alloc mm/slub.c:2955 [inline]
 kmem_cache_alloc+0x15d/0x4f0 mm/slub.c:2960
 kmem_cache_zalloc include/linux/slab.h:654 [inline]
 acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline]
 acpi_ut_create_generic_state+0x48/0x90 drivers/acpi/acpica/utstate.c:90
 acpi_ps_push_scope+0x1e/0x210 drivers/acpi/acpica/psscope.c:119
 acpi_ps_parse_loop+0x7f0/0x18f0 drivers/acpi/acpica/psloop.c:459
 acpi_ps_parse_aml+0x36c/0x9f0 drivers/acpi/acpica/psparse.c:475
 acpi_ps_execute_method+0x4bb/0xa40 drivers/acpi/acpica/psxface.c:190
 acpi_ns_evaluate+0x5b2/0xb80 drivers/acpi/acpica/nseval.c:205
 acpi_ut_evaluate_object+0xbd/0x430 drivers/acpi/acpica/uteval.c:60
 acpi_rs_get_method_data+0x67/0xc0 drivers/acpi/acpica/rsutils.c:650
 acpi_walk_resources drivers/acpi/acpica/rsxface.c:616 [inline]
 acpi_walk_resources+0xf0/0x180 drivers/acpi/acpica/rsxface.c:594
 acpi_pci_link_get_current+0x1a7/0x310 drivers/acpi/pci_link.c:256
 acpi_pci_link_set+0x414/0x910 drivers/acpi/pci_link.c:364
 acpi_pci_link_allocate drivers/acpi/pci_link.c:589 [inline]
 acpi_pci_link_allocate_irq+0x1ee/0x730 drivers/acpi/pci_link.c:640
 acpi_pci_irq_enable+0x1f1/0x480 drivers/acpi/pci_irq.c:438
 pcibios_enable_device+0x74/0x90 arch/x86/pci/common.c:691
 do_pci_enable_device.part.0+0x15d/0x2b0 drivers/pci/pci.c:1816
 do_pci_enable_device include/linux/pci.h:517 [inline]
 pci_enable_device_flags+0x246/0x2d0 drivers/pci/pci.c:1901
 pci_enable_device+0xe/0x10 drivers/pci/pci.c:1948
 virtio_pci_probe+0x190/0x2f0 drivers/virtio/virtio_pci_common.c:530
 local_pci_probe drivers/pci/pci-driver.c:308 [inline]
 pci_call_probe drivers/pci/pci-driver.c:365 [inline]
 __pci_device_probe drivers/pci/pci-driver.c:390 [inline]
 pci_device_probe+0x2a4/0x4a0 drivers/pci/pci-driver.c:433
 really_probe+0x209/0x920 drivers/base/dd.c:558
 driver_probe_device+0xcf/0x1c0 drivers/base/dd.c:752
 device_driver_attach+0x1f2/0x260 drivers/base/dd.c:1035
 __driver_attach drivers/base/dd.c:1124 [inline]
 __driver_attach+0x96/0x1a0 drivers/base/dd.c:1066
 bus_for_each_dev+0x119/0x1b0 drivers/base/bus.c:305
 driver_attach+0x38/0x50 drivers/base/dd.c:1140
 bus_add_driver+0x305/0x500 drivers/base/bus.c:622
 driver_register+0x214/0x380 drivers/base/driver.c:240
 __pci_register_driver+0x197/0x260 drivers/pci/pci-driver.c:1392
 virtio_pci_driver_init+0x19/0x1b drivers/virtio/virtio_pci_common.c:636
 do_one_initcall+0x92/0x2d0 init/main.c:1195
 do_initcall_level init/main.c:1268 [inline]
 do_initcalls init/main.c:1284 [inline]
 do_basic_setup init/main.c:1304 [inline]
 kernel_init_freeable+0x48a/0x4e0 init/main.c:1508
 kernel_init+0xd/0x10d init/main.c:1395
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299

The buggy address belongs to the object at ffff888103bffd20
 which belongs to the cache Acpi-State of size 80
The buggy address is located 3 bytes inside of
 80-byte region [ffff888103bffd20, ffff888103bffd70)
The buggy address belongs to the page:
page:ffffea00040effc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888103bff310 pfn:0x103bff
flags: 0x4000000000000200(slab)
raw: 4000000000000200 ffffea00040eff00 0000000e0000000e ffff88810004d680
raw: ffff888103bff310 0000000080240000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2113454565, free_ts 0
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page mm/page_alloc.c:2462 [inline]
 get_page_from_freelist+0x1fee/0x2ad0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x2ae/0x2360 mm/page_alloc.c:5346
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 alloc_slab_page mm/slub.c:1665 [inline]
 allocate_slab+0x30f/0x460 mm/slub.c:1808
 new_slab mm/slub.c:1869 [inline]
 new_slab_objects mm/slub.c:2627 [inline]
 ___slab_alloc.constprop.0+0x32b/0x730 mm/slub.c:2791
 __slab_alloc mm/slub.c:2831 [inline]
 slab_alloc_node mm/slub.c:2913 [inline]
 slab_alloc mm/slub.c:2955 [inline]
 kmem_cache_alloc+0x491/0x4f0 mm/slub.c:2960
 kmem_cache_zalloc include/linux/slab.h:654 [inline]
 acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline]
 acpi_ut_create_generic_state+0x48/0x90 drivers/acpi/acpica/utstate.c:90
 acpi_ps_push_scope+0x1e/0x210 drivers/acpi/acpica/psscope.c:119
 acpi_ps_parse_loop+0x7f0/0x18f0 drivers/acpi/acpica/psloop.c:459
 acpi_ps_parse_aml+0x36c/0x9f0 drivers/acpi/acpica/psparse.c:475
 acpi_ps_execute_method+0x4bb/0xa40 drivers/acpi/acpica/psxface.c:190
 acpi_ns_evaluate+0x5b2/0xb80 drivers/acpi/acpica/nseval.c:205
 acpi_evaluate_object+0x318/0x9d0 drivers/acpi/acpica/nsxfeval.c:354
 acpi_evaluate_integer+0xaf/0x140 drivers/acpi/utils.c:279
 acpi_bus_get_status_handle drivers/acpi/bus.c:83 [inline]
 acpi_bus_get_status+0x14b/0x220 drivers/acpi/bus.c:112
 acpi_pci_link_set+0x3b2/0x910 drivers/acpi/pci_link.c:351
 acpi_pci_link_allocate drivers/acpi/pci_link.c:589 [inline]
 acpi_pci_link_allocate_irq+0x1ee/0x730 drivers/acpi/pci_link.c:640
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888103bffc00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
 ffff888103bffc80: fb fb fc fc fc fc fb fb fb fb fb fb fb fb fb fb
>ffff888103bffd00: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fc fc
                               ^
 ffff888103bffd80: fc fc fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888103bffe00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
==================================================================
EXT4-fs error (device loop0): ext4_find_dest_de:2075: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=3089191003, rec_len=43069, size=56 fake=0