ci2 starts bisection 2026-01-10 14:59:14.871797184 +0000 UTC m=+3893367.048920261 bisecting fixing commit since 72761a7e31225971d0b29d9195e0ffa986b77867 building syzkaller on c0460fcde7051a8d07612ec2a17718d3c3019bb0 ensuring issue is reproducible on original commit 72761a7e31225971d0b29d9195e0ffa986b77867 testing commit 72761a7e31225971d0b29d9195e0ffa986b77867 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: e6ce78663d9af2f99f7585fd84f97521346b6ce3d81b55ec5d5a064d02b88e3b run #0: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #1: crashed: KASAN: slab-use-after-free Read in hpfs_count_dnodes run #2: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #3: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #4: crashed: KASAN: slab-out-of-bounds Read in hpfs_count_dnodes run #5: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #6: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #7: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #8: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #9: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #10: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #11: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #12: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #13: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #14: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #15: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #16: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #17: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #18: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #19: crashed: KASAN: use-after-free Read in hpfs_count_dnodes representative crash: KASAN: use-after-free Read in hpfs_count_dnodes, types: [KASAN-USE-AFTER-FREE-READ] check whether we can drop unnecessary instrumentation disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed testing commit 72761a7e31225971d0b29d9195e0ffa986b77867 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: b063a3d4322971daecd2dd96f9118b1e0028b8ebacdadcc9448fab3a778def65 run #0: crashed: WARNING: [ NUM.ADDR][ T6666] ======================================================= run #1: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #2: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #3: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #4: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #5: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #6: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #7: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #8: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #9: crashed: KASAN: use-after-free Read in hpfs_count_dnodes representative crash: KASAN: use-after-free Read in hpfs_count_dnodes, types: [KASAN-USE-AFTER-FREE-READ] the bug reproduces without the instrumentation disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed kconfig minimization: base=4109 full=8337 leaves diff=2116 split chunks (needed=false): <2116> split chunk #0 of len 2116 into 5 parts testing without sub-chunk 1/5 disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed testing commit 72761a7e31225971d0b29d9195e0ffa986b77867 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 6d55223eb811a0eb0b83cf5ebc0b3ec58556121d2b5394b7b649fed3c0a7eaa1 all runs: crashed: KASAN: use-after-free Read in hpfs_count_dnodes representative crash: KASAN: use-after-free Read in hpfs_count_dnodes, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 72761a7e31225971d0b29d9195e0ffa986b77867 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 01f83cbe56c348b91f062e6547eca284ce5c9a9b53cfbbd38375a029ca954ffb all runs: OK false negative chance: 0.000 testing without sub-chunk 3/5 disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed testing commit 72761a7e31225971d0b29d9195e0ffa986b77867 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 0bdd0546e1794f72888581499c7978433cbcb3223147aa9d73b63f171efc5724 all runs: crashed: KASAN: use-after-free Read in hpfs_count_dnodes representative crash: KASAN: use-after-free Read in hpfs_count_dnodes, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed testing commit 72761a7e31225971d0b29d9195e0ffa986b77867 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: baf660947e181ef7b31eb580b52702e5c117d1ec3e5fbb4e5bc6114033f49554 run #0: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #1: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #2: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #3: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #4: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #5: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #6: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #7: crashed: BUG: workqueue lockup run #8: crashed: BUG: workqueue lockup run #9: crashed: BUG: workqueue lockup representative crash: KASAN: use-after-free Read in hpfs_count_dnodes, types: [KASAN-USE-AFTER-FREE-READ UNKNOWN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing commit 72761a7e31225971d0b29d9195e0ffa986b77867 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ff6fdf0c00e00bbd20dbe5e04861e59c509dcf459b013e30c67c5332adca79d9 run #0: crashed: KASAN: slab-out-of-bounds Read in hpfs_count_dnodes run #1: crashed: KASAN: slab-out-of-bounds Read in hpfs_count_dnodes run #2: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #3: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #4: crashed: KASAN: out-of-bounds Read in hpfs_count_dnodes run #5: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #6: crashed: BUG: workqueue lockup run #7: crashed: BUG: workqueue lockup run #8: crashed: BUG: workqueue lockup run #9: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor111417451" "root@10.128.1.80:./syz-executor111417451"]: exit status 255 representative crash: KASAN: slab-out-of-bounds Read in hpfs_count_dnodes, types: [KASAN-READ KASAN-USE-AFTER-FREE-READ UNKNOWN] the chunk can be dropped minimized to 424 configs; suspects: [6LOWPAN ARCH_ENABLE_MEMORY_HOTREMOVE ASUS_WMI BLK_DEV_ZONED CHARGER_BQ24190 CMA COMMON_CLK DAX DLM DM_FLAKEY DM_INTEGRITY DM_MULTIPATH DM_MULTIPATH_QL DM_MULTIPATH_ST DM_PERSISTENT_DATA DM_RAID DM_SNAPSHOT DM_THIN_PROVISIONING DM_UEVENT DM_VERITY DM_VERITY_FEC DM_WRITECACHE DM_ZONED DRAGONRISE_FF DRM DRM_AUX_BRIDGE DRM_BOCHS DRM_BRIDGE DRM_CIRRUS_QEMU DRM_CLIENT DRM_CLIENT_DEFAULT_FBDEV DRM_CLIENT_LIB DRM_CLIENT_SELECTION DRM_CLIENT_SETUP DRM_DEBUG_MM DRM_DISPLAY_DP_AUX_BUS DRM_DISPLAY_DP_HELPER DRM_DISPLAY_HELPER DRM_FBDEV_EMULATION DRM_GEM_SHMEM_HELPER DRM_GM12U320 DRM_GUD DRM_KMS_HELPER DRM_PANEL DRM_PANEL_BRIDGE DRM_PANEL_EDP DRM_PANEL_ORIENTATION_QUIRKS DRM_SIMPLEDRM DRM_SYSFB_HELPER DRM_TTM DRM_TTM_HELPER DRM_UDL DRM_VGEM DRM_VIRTIO_GPU DRM_VIRTIO_GPU_KMS DRM_VKMS DRM_VMWGFX DUMMY DVB_AF9013 DVB_AF9033 DVB_AS102 DVB_AS102_FE DVB_B2C2_FLEXCOP DVB_B2C2_FLEXCOP_USB DVB_CORE DVB_DIB3000MB DVB_DIB3000MC DVB_EC100 DVB_GP8PSK_FE DVB_RTL2830 DVB_RTL2832 DVB_RTL2832_SDR DVB_TEST_DRIVERS DVB_TTUSB_BUDGET DVB_TTUSB_DEC DVB_USB DVB_USB_A800 DVB_USB_AF9005 DVB_USB_AF9005_REMOTE DVB_USB_AF9015 DVB_USB_AF9035 DVB_USB_ANYSEE DVB_USB_AU6610 DVB_USB_AZ6007 DVB_USB_AZ6027 DVB_USB_CE6230 DVB_USB_CINERGY_T2 DVB_USB_CXUSB DVB_USB_CXUSB_ANALOG DVB_USB_DIB0700 DVB_USB_DIB3000MC DVB_USB_DIBUSB_MB DVB_USB_DIBUSB_MC DVB_USB_DIGITV DVB_USB_DTT200U DVB_USB_DTV5100 DVB_USB_DVBSKY DVB_USB_DW2102 DVB_USB_EC168 DVB_USB_GL861 DVB_USB_GP8PSK DVB_USB_LME2510 DVB_USB_M920X DVB_USB_MXL111SF DVB_USB_NOVA_T_USB2 DVB_USB_OPERA1 DVB_USB_PCTV452E DVB_USB_RTL28XXU DVB_USB_TECHNISAT_USB2 DVB_USB_TTUSB2 DVB_USB_UMT_010 DVB_USB_V2 DVB_USB_VP702X DVB_USB_VP7045 DVB_USB_ZD1301 DVB_VIDTV DVB_ZL10353 ECRYPT_FS ECRYPT_FS_MESSAGING EDAC EFS_FS ENCRYPTED_KEYS EQUALIZER EROFS_FS EROFS_FS_POSIX_ACL EROFS_FS_SECURITY EROFS_FS_XATTR EROFS_FS_ZIP EVM EVM_ADD_XATTRS EVM_ATTR_FSUUID EVM_EXTRA_SMACK_XATTRS EXFAT_FS EXPORTFS_BLOCK_OPS EXTCON EXTCON_INTEL_CHT_WC EXTCON_PTN5150 EXTCON_USBC_TUSB320 F2FS_CHECK_FS F2FS_FAULT_INJECTION F2FS_FS F2FS_FS_COMPRESSION F2FS_FS_LZ4 F2FS_FS_LZ4HC F2FS_FS_LZO F2FS_FS_LZORLE F2FS_FS_POSIX_ACL F2FS_FS_SECURITY F2FS_FS_XATTR F2FS_FS_ZSTD F2FS_STAT_FS FANOTIFY FANOTIFY_ACCESS_PERMISSIONS FB FB_CFB_COPYAREA FB_CFB_FILLRECT FB_CFB_IMAGEBLIT FB_CORE FB_DEFERRED_IO FB_DEVICE FB_IOMEM_FOPS FB_IOMEM_HELPERS FB_NOTIFY FB_SYSMEM_FOPS FB_SYSMEM_HELPERS FB_SYSMEM_HELPERS_DEFERRED FB_SYS_COPYAREA FB_SYS_FILLRECT FB_SYS_IMAGEBLIT FB_TILEBLITTING FB_VESA FB_VGA16 FB_VIRTUAL FDDI FIREWIRE FIREWIRE_NET FIREWIRE_OHCI FIREWIRE_SBP2 FONT_8x16 FONT_8x8 FONT_SUPPORT FRAMEBUFFER_CONSOLE FRAMEBUFFER_CONSOLE_DETECT_PRIMARY FRAMEBUFFER_CONSOLE_ROTATION FS_DAX FS_ENCRYPTION FS_ENCRYPTION_ALGS FS_STACK FS_VERITY FS_VERITY_BUILTIN_SIGNATURES FTL FUSE_DAX FUSE_FS FW_LOADER_COMPRESS FW_LOADER_PAGED_BUF FW_LOADER_SYSFS FW_LOADER_USER_HELPER FW_LOADER_USER_HELPER_FALLBACK GACT_PROB GARP GENDWARFKSYMS GENERIC_PHY GET_FREE_REGION GFS2_FS GFS2_FS_LOCKING_DLM GNSS GNSS_USB GOOGLE_COREBOOT_TABLE GOOGLE_FIRMWARE GOOGLE_MEMCONSOLE GOOGLE_MEMCONSOLE_COREBOOT GOOGLE_VPD GPIOLIB GPIOLIB_IRQCHIP GPIO_ACPI GPIO_DLN2 GPIO_LJCA GPIO_VIPERBOARD GREENASIA_FF GREYBUS GREYBUS_BRIDGED_PHY GREYBUS_ES2 GREYBUS_HID GREYBUS_USB GROUP_SCHED_BANDWIDTH GTP GUEST_PERF_EVENTS HAS_LTO_CLANG HAVE_ARCH_NODE_DEV_GROUP HAVE_ARCH_USERFAULTFD_MINOR HAVE_ARCH_USERFAULTFD_WP HAVE_BOOTMEM_INFO_NODE HAVE_CLK_PREPARE HAVE_KVM_CPU_RELAX_INTERCEPT HAVE_KVM_DIRTY_RING HAVE_KVM_DIRTY_RING_ACQ_REL HAVE_KVM_DIRTY_RING_TSO HAVE_KVM_IRQCHIP HAVE_KVM_IRQ_BYPASS HAVE_KVM_IRQ_ROUTING HAVE_KVM_MSI HAVE_KVM_NO_POLL HAVE_KVM_PFNCACHE HAVE_KVM_PM_NOTIFIER HAVE_KVM_READONLY_MEM HAVE_SCHED_AVG_IRQ HDLC HDLC_CISCO HDLC_FR HDLC_PPP HDLC_RAW HDLC_RAW_ETH HDLC_X25 HDMI HFSPLUS_FS HFS_FS HID_ACCUTOUCH HID_ACRUX HID_ACRUX_FF HID_ALPS HID_APPLEIR HID_ASUS HID_AUREAL HID_BATTERY_STRENGTH HID_BETOP_FF HID_BIGBEN_FF HID_CMEDIA HID_CORSAIR HID_COUGAR HID_CP2112 HID_CREATIVE_SB0540 HID_DRAGONRISE HID_ELAN HID_ELECOM HID_ELO HID_EMS_FF HID_EVISION HID_FT260 HID_GEMBIRD HID_GFRM HID_GLORIOUS HID_GOOGLE_STADIA_FF HID_GREENASIA HID_GT683R HID_HAPTIC HID_HOLTEK HID_ICADE HID_JABRA HID_KEYTOUCH HID_KYE HID_LCPOWER HID_LED HID_LENOVO HID_LETSKETCH HID_LOGITECH HID_LOGITECH_DJ HID_LOGITECH_HIDPP HID_MACALLY HID_MAGICMOUSE HID_MALTRON HID_MAYFLASH HID_MCP2200 HID_MCP2221 HID_MEGAWORLD_FF HID_MULTITOUCH HID_NTI HID_ORTEK HID_PENMOUNT HID_PICOLCD HID_PICOLCD_BACKLIGHT HID_PICOLCD_CIR HID_PICOLCD_FB HID_PICOLCD_LCD HID_PICOLCD_LEDS HID_PLANTRONICS HID_PRIMAX HID_PRODIKEYS HID_PXRC HID_RAZER HID_RETRODE HID_RMI HID_ROCCAT HID_SAITEK HID_SEMITEK HID_SENSOR_ACCEL_3D HID_SENSOR_ALS HID_SENSOR_CUSTOM_INTEL_HINGE HID_SENSOR_CUSTOM_SENSOR HID_SENSOR_DEVICE_ROTATION HID_SENSOR_GYRO_3D HID_SENSOR_HUB HID_SENSOR_HUMIDITY HID_SENSOR_IIO_COMMON HID_SENSOR_IIO_TRIGGER HID_SENSOR_INCLINOMETER_3D HID_SENSOR_MAGNETOMETER_3D HID_SENSOR_PRESS HID_SENSOR_PROX HID_SENSOR_TEMP HID_SIGMAMICRO HID_SPEEDLINK HID_STEELSERIES HID_THINGM HID_TIVO HID_TOPRE HID_TWINHAN HID_U2FZERO HID_UCLOGIC HID_UDRAW_PS3 HID_VIEWSONIC HID_VIVALDI HID_VIVALDI_COMMON HID_VRC2 HID_WACOM HID_WALTOP HID_WIIMOTE HID_XIAOMI HID_XINMO HID_ZYDACRON HMM_MIRROR HOLTEK_FF HOTPLUG_PCI_PCIE HPET_MMAP HPET_MMAP_DEFAULT HPFS_FS I2C_ALGOBIT I2C_CHARDEV I2C_CP2615 I2C_DESIGNWARE_CORE I2C_DESIGNWARE_PLATFORM I2C_DIOLAN_U2C I2C_DLN2 I2C_HID_ACPI I2C_HID_CORE I2C_HID_OF I2C_LJCA I2C_MUX I2C_MUX_REG I2C_ROBOTFUZZ_OSIF I2C_SI4713 I2C_SLAVE I2C_SLAVE_EEPROM I2C_TINY_USB I2C_VIPERBOARD IEEE802154 IEEE802154_6LOWPAN IEEE802154_ATUSB IEEE802154_DRIVERS IEEE802154_HWSIM IEEE802154_NL802154_EXPERIMENTAL IEEE802154_SOCKET IFB IIO IIO_BUFFER IIO_KFIFO_BUF IIO_TRIGGER IIO_TRIGGERED_BUFFER IKCONFIG IKCONFIG_PROC IMA IMA_APPRAISE IMA_APPRAISE_MODSIG IMA_DEFAULT_HASH_SHA256 IMA_LSM_RULES IMA_MEASURE_ASYMMETRIC_KEYS IMA_NG_TEMPLATE IMA_QUEUE_EARLY_BOOT_KEYS IMA_READ_POLICY IMA_WRITE_POLICY INET6_ESPINTCP INET6_ESP_OFFLOAD INET6_IPCOMP INET6_TUNNEL INET6_XFRM_TUNNEL INET_AH INET_DIAG INET_DIAG_DESTROY INET_ESP INET_ESPINTCP INET_ESP_OFFLOAD INET_IPCOMP INET_MPTCP_DIAG INET_PSP INET_RAW_DIAG INET_SCTP_DIAG INET_TCP_DIAG INET_UDP_DIAG INET_XFRM_TUNNEL INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_ADDR_TRANS_CONFIGFS INFINIBAND_IPOIB INFINIBAND_IPOIB_CM INFINIBAND_IPOIB_DEBUG INFINIBAND_ISER INFINIBAND_ON_DEMAND_PAGING INFINIBAND_RTRS INFINIBAND_SRP INFINIBAND_USER_ACCESS INFINIBAND_USER_MAD INFINIBAND_USER_MEM INPUT_ATI_REMOTE2 INPUT_CM109 INPUT_IMS_PCU INPUT_JOYDEV INPUT_KEYSPAN_REMOTE INPUT_LEDS INPUT_MOUSEDEV INPUT_MOUSEDEV_PSAUX INPUT_POWERMATE INPUT_UINPUT INPUT_YEALINK INTEGRITY INTEGRITY_ASYMMETRIC_KEYS INTEGRITY_AUDIT INTEGRITY_SIGNATURE INTEGRITY_TRUSTED_KEYRING INTEL_CHTWC_INT33FE INTEL_IDMA64 INTEL_IOATDMA INTEL_IOMMU_DEFAULT_ON INTEL_IOMMU_SVM INTEL_ISHTP_ECLITE INTEL_ISH_FIRMWARE_DOWNLOADER INTEL_ISH_HID INTEL_SOC_PMIC_CHTWC INTERVAL_TREE_SPAN_ITER IOMMUFD IOMMUFD_DRIVER IOMMUFD_DRIVER_CORE IOMMUFD_TEST IO_URING_MOCK_FILE IP6_NF_MATCH_AH IP6_NF_MATCH_EUI64 IP6_NF_MATCH_FRAG IP6_NF_MATCH_HL IP6_NF_MATCH_MH IP6_NF_MATCH_OPTS IP6_NF_MATCH_RPFILTER IP6_NF_MATCH_RT IP6_NF_MATCH_SRH IP6_NF_TARGET_NPT IP6_NF_TARGET_REJECT IP6_NF_TARGET_SYNPROXY IPV6_FOU IPV6_FOU_TUNNEL IPV6_GRE IPV6_ILA IPV6_MIP6 IPV6_MROUTE IPV6_MROUTE_MULTIPLE_TABLES IPV6_MULTIPLE_TABLES IPV6_OPTIMISTIC_DAD IPV6_PIMSM_V2 IPV6_ROUTER_PREF IPV6_ROUTE_INFO IPV6_RPL_LWTUNNEL IPV6_SEG6_BPF IPV6_SEG6_HMAC IPV6_SEG6_LWTUNNEL IPV6_SIT_6RD IPV6_SUBTREES IPV6_TUNNEL IPV6_VTI IPVLAN IPVLAN_L3S IPVTAP IP_FIB_TRIE_STATS IP_MROUTE_MULTIPLE_TABLES IP_NF_ARP_MANGLE IP_NF_MATCH_AH IP_NF_MATCH_ECN IP_NF_MATCH_RPFILTER IP_NF_MATCH_TTL IP_NF_TARGET_ECN IP_NF_TARGET_REJECT IP_NF_TARGET_SYNPROXY IP_ROUTE_CLASSID IP_SCTP IP_SET IP_SET_BITMAP_IP IP_SET_BITMAP_IPMAC IRQ_TIME_ACCOUNTING LAPB LCD_CLASS_DEVICE LEDS_CLASS_MULTICOLOR MAC802154 MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_TEST_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_DLN2 MFD_VIPERBOARD MODVERSIONS MPTCP MTD NETFILTER_ADVANCED NET_ACT_GACT NET_ACT_MIRRED NET_IPGRE_DEMUX NFT_COMPAT NFT_COMPAT_ARP NFT_FWD_NETDEV NF_TABLES NF_TABLES_ARP NF_TABLES_NETDEV RADIO_ADAPTERS RADIO_SI4713 RAS RC_CORE REGULATOR RFKILL SND SOUND STAGING TYPEC TYPEC_MUX_PI3USB30532 USB_LJCA USB_ROLES_INTEL_XHCI USB_ROLE_SWITCH VIDEO_DEV VIRTIO_FS WAN ZONE_DEVICE] disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing current HEAD b6151c4e60e5f695fac8b5c3e011cfcfd6e27cba testing commit b6151c4e60e5f695fac8b5c3e011cfcfd6e27cba gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 21ee6322a8a7fa20616de988696e70e4500fb185c5a3b7f5fd3b5ff10edbed5f run #0: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #1: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #2: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #3: crashed: KASAN: slab-use-after-free Read in hpfs_count_dnodes run #4: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #5: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #6: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #7: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #8: crashed: KASAN: use-after-free Read in hpfs_count_dnodes run #9: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor3767528814" "root@10.128.10.4:./syz-executor3767528814"]: exit status 255 representative crash: KASAN: use-after-free Read in hpfs_count_dnodes, types: [KASAN-USE-AFTER-FREE-READ] crash still not fixed/happens on the oldest tested release revisions tested: 8, total time: 2h38m50.150279908s (build: 1h14m45.863746085s, test: 1h15m25.00362958s) crash still not fixed or there were kernel test errors commit msg: Merge tag 'erofs-for-6.19-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs crash: KASAN: use-after-free Read in hpfs_count_dnodes hpfs: You really don't want any checks? You are crazy... hpfs: hpfs_map_sector(): read error hpfs: code page support is disabled HPFS: de_next_de: de->length = 84ba HPFS: dnode_end_de: dnode->first_free = 7b3184b6 HPFS: de_next_de: de->length = 7b31 HPFS: dnode_end_de: dnode->first_free = 7b3184b6 ================================================================== BUG: KASAN: use-after-free in de_down_pointer fs/hpfs/hpfs_fn.h:109 [inline] BUG: KASAN: use-after-free in hpfs_count_dnodes+0x95c/0x9f0 fs/hpfs/dnode.c:775 Read of size 4 at addr ffff8881368b4576 by task syz.3.17/3578 CPU: 0 UID: 0 PID: 3578 Comm: syz.3.17 Not tainted syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: dump_stack_lvl+0x52/0x80 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 de_down_pointer fs/hpfs/hpfs_fn.h:109 [inline] hpfs_count_dnodes+0x95c/0x9f0 fs/hpfs/dnode.c:775 hpfs_read_inode+0xa75/0xe40 fs/hpfs/inode.c:128 hpfs_fill_super+0xfdd/0x1f50 fs/hpfs/super.c:651 get_tree_bdev_flags+0x3d4/0x470 fs/super.c:1691 vfs_get_tree+0x87/0x1a0 fs/super.c:1751 fc_mount fs/namespace.c:1199 [inline] do_new_mount_fc fs/namespace.c:3636 [inline] do_new_mount+0x2b5/0x840 fs/namespace.c:3712 do_mount fs/namespace.c:4035 [inline] __do_sys_mount fs/namespace.c:4224 [inline] __se_sys_mount+0x218/0x2b0 fs/namespace.c:4201 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x85/0x2e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f70b6a1076a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f70b687ee68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f70b687eef0 RCX: 00007f70b6a1076a RDX: 000020000000a000 RSI: 0000200000009ec0 RDI: 00007f70b687eeb0 RBP: 000020000000a000 R08: 00007f70b687eef0 R09: 0000000003200041 R10: 0000000003200041 R11: 0000000000000246 R12: 0000200000009ec0 R13: 00007f70b687eeb0 R14: 0000000000009e21 R15: 0000200000000000 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f00c4073 pfn:0x1368b4 flags: 0x100000000000000(node=0|zone=2) raw: 0100000000000000 ffffea0004da2d48 ffffea0004da2cc8 0000000000000000 raw: 00000007f00c4073 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 1753, tgid 1753 (syz-executor), ts 38370295295, free_ts 38616349745 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x15a/0x190 mm/page_alloc.c:1857 prep_new_page mm/page_alloc.c:1865 [inline] get_page_from_freelist+0x366b/0x3770 mm/page_alloc.c:3915 __alloc_frozen_pages_noprof+0x26b/0x460 mm/page_alloc.c:5210 alloc_pages_mpol+0xcb/0x270 mm/mempolicy.c:2486 folio_alloc_mpol_noprof mm/mempolicy.c:2505 [inline] vma_alloc_folio_noprof+0x288/0x400 mm/mempolicy.c:2540 folio_prealloc+0x24/0xf0 mm/memory.c:-1 alloc_anon_folio mm/memory.c:5165 [inline] do_anonymous_page mm/memory.c:5222 [inline] do_pte_missing mm/memory.c:4399 [inline] handle_pte_fault mm/memory.c:6273 [inline] __handle_mm_fault mm/memory.c:6411 [inline] handle_mm_fault+0x12d8/0x2320 mm/memory.c:6580 do_user_addr_fault+0x31a/0xc30 arch/x86/mm/fault.c:1336 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x62/0xa0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618 page last free pid 1753 tgid 1753 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1406 [inline] free_unref_folios+0xd03/0x1350 mm/page_alloc.c:3000 folios_put_refs+0x3c3/0x4a0 mm/swap.c:1002 free_pages_and_swap_cache+0x20d/0x3c0 mm/swap_state.c:355 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:397 [inline] tlb_flush_mmu+0x2ba/0x500 mm/mmu_gather.c:404 tlb_finish_mmu+0xaa/0x190 mm/mmu_gather.c:497 vms_clear_ptes+0x465/0x5a0 mm/vma.c:1238 vms_complete_munmap_vmas+0x1ad/0x680 mm/vma.c:1280 do_vmi_align_munmap+0x30e/0x360 mm/vma.c:1539 do_vmi_munmap+0x192/0x210 mm/vma.c:1587 __vm_munmap+0x18e/0x300 mm/vma.c:3203 __do_sys_munmap mm/mmap.c:1077 [inline] __se_sys_munmap mm/mmap.c:1074 [inline] __x64_sys_munmap+0x5b/0x70 mm/mmap.c:1074 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x85/0x2e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff8881368b4400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881368b4480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8881368b4500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881368b4580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881368b4600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================