ci2 starts bisection 2025-05-22 05:34:53.494700516 +0000 UTC m=+15124.632170642
bisecting fixing commit since ca24c52e3c25966dfb7d4f0784910cd661b44d43
building syzkaller on c53ea9c902c6745d750c5700631e1556716f4cd4
ensuring issue is reproducible on original commit ca24c52e3c25966dfb7d4f0784910cd661b44d43

testing commit ca24c52e3c25966dfb7d4f0784910cd661b44d43 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: d96e0588f9aade5bdcdaf8c4591bfcb7149a20ff3b4479630286bc5d2ab36bad
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit ca24c52e3c25966dfb7d4f0784910cd661b44d43 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 4afaf731ba96630f8d6be6f677675bd42684511a883e6b109f27dc20c710da47
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=5186 full=6549 leaves diff=266
split chunks (needed=false): <266>
split chunk #0 of len 266 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit ca24c52e3c25966dfb7d4f0784910cd661b44d43 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 054a139bb849e30e06fd31102f86981c60855500ee3db35f69dc6c6f7c1594fa
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit ca24c52e3c25966dfb7d4f0784910cd661b44d43 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 3dc2c3e6a17bddbfe249b7721e2fca4228dd372403ed82d567101002446f592a
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit ca24c52e3c25966dfb7d4f0784910cd661b44d43 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 30efa064254e084b516abbbc76c175005b0f30ccba015783f7b194550a032d40
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit ca24c52e3c25966dfb7d4f0784910cd661b44d43 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 01b9a5bf3d9c1b15b586058acd5853e1d60ed972f2c4617c0ebc59fafa99db9a
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit ca24c52e3c25966dfb7d4f0784910cd661b44d43 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
failed building ca24c52e3c25966dfb7d4f0784910cd661b44d43: ld.lld: error: undefined symbol: wext_proc_init
ld.lld: error: undefined symbol: wext_proc_exit
ld.lld: error: undefined symbol: wext_handle_ioctl
ld.lld: error: undefined symbol: compat_wext_handle_ioctl
minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD 3c6d0251e1fb722e884184d964421fe6f0586534
testing commit 3c6d0251e1fb722e884184d964421fe6f0586534 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 03a53ec6e8ee0ac5aafef6aa38be4b0695d7daffdc46bd8122ad5a3e8b06bf63
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 1h21m4.357809639s (build: 44m43.348949514s, test: 32m11.683263503s)
crash still not fixed or there were kernel test errors
commit msg: ANDROID: ABI: Update pixel symbol list
crash: KASAN: use-after-free Read in __ext4_check_dir_entry
EXT4-fs warning (device loop2): dx_probe:966: inode #2: comm syz.2.16: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x442/0x670 fs/ext4/dir.c:85
Read of size 2 at addr ffff88812e0df003 by task syz.2.16/469

CPU: 0 PID: 469 Comm: syz.2.16 Not tainted 6.1.134-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 __dump_stack+0x19/0x1c lib/dump_stack.c:88
 dump_stack_lvl+0xa3/0xec lib/dump_stack.c:106
 print_address_description+0x71/0x210 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:427
 kasan_report+0x122/0x150 mm/kasan/report.c:531
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:349
 __ext4_check_dir_entry+0x442/0x670 fs/ext4/dir.c:85
 ext4_readdir+0xbb6/0x31e0 fs/ext4/dir.c:261
 iterate_dir+0x221/0x540 fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0xc9/0x190 fs/readdir.c:354
 __x64_sys_getdents64+0x76/0x80 fs/readdir.c:354
 x64_sys_call+0x15c/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f328e18d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f328ef0e038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f328e3a5fa0 RCX: 00007f328e18d169
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f328e20e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f328e3a5fa0 R15: 00007fff855ed2d8
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0004b837c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12e0df
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0004b83808 ffff8881f723c468 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 469, tgid 468 (syz.2.16), ts 56727111021, free_ts 56729233631
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook mm/page_alloc.c:2637 [inline]
 prep_new_page+0x58c/0x650 mm/page_alloc.c:2644
 get_page_from_freelist+0x2f02/0x2f70 mm/page_alloc.c:4539
 __alloc_pages+0x19e/0x3a0 mm/page_alloc.c:5842
 __folio_alloc+0x12/0x40 mm/page_alloc.c:5874
 __folio_alloc_node include/linux/gfp.h:245 [inline]
 folio_alloc include/linux/gfp.h:274 [inline]
 alloc_page_vma include/linux/gfp.h:283 [inline]
 wp_page_copy+0x1fc/0x10e0 mm/memory.c:3204
 do_wp_page+0x9ef/0xc70 mm/memory.c:-1
 handle_pte_fault mm/memory.c:5178 [inline]
 __handle_mm_fault mm/memory.c:5302 [inline]
 handle_mm_fault+0xac6/0x1a80 mm/memory.c:5442
 do_user_addr_fault+0x5f8/0xa10 arch/x86/mm/fault.c:1323
 handle_page_fault arch/x86/mm/fault.c:1466 [inline]
 exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1522
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1545 [inline]
 free_pcp_prepare mm/page_alloc.c:1619 [inline]
 free_unref_page_prepare+0x645/0x650 mm/page_alloc.c:3581
 free_unref_page_list+0xba/0x790 mm/page_alloc.c:3729
 release_pages+0x904/0x960 mm/swap.c:1043
 free_pages_and_swap_cache+0x66/0x80 mm/swap_state.c:315
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
 tlb_flush_mmu mm/mmu_gather.c:261 [inline]
 tlb_finish_mmu+0x1af/0x380 mm/mmu_gather.c:361
 unmap_region+0x290/0x2e0 mm/mmap.c:2402
 do_mas_align_munmap+0x997/0xed0 mm/mmap.c:2668
 do_mas_munmap+0x182/0x1f0 mm/mmap.c:2726
 __vm_munmap+0x17f/0x290 mm/mmap.c:3025
 __do_sys_munmap mm/mmap.c:3051 [inline]
 __se_sys_munmap mm/mmap.c:3047 [inline]
 __x64_sys_munmap+0x66/0x70 mm/mmap.c:3047
 x64_sys_call+0x8a/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:12
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Memory state around the buggy address:
 ffff88812e0def00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88812e0def80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88812e0df000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88812e0df080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812e0df100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop2): ext4_readdir:263: inode #2: block 255: comm syz.2.16: path (unknown): bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0