ci2 starts bisection 2024-06-01 10:25:28.408002848 +0000 UTC m=+45563.442362823
bisecting fixing commit since 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde
building syzkaller on f10afd6936523834f5b3297e9771b19a8f0edcb5
ensuring issue is reproducible on original commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde

testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 717235c799d8adb42c2c975511c2db237f7d0161fc328c85e50d759550cc5568
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df946e8e9734087c463415503898a49685efe562960f56144d7906888301683c
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=4789 full=6018 leaves diff=238
split chunks (needed=false): <238>
split chunk #0 of len 238 into 5 parts
testing without sub-chunk 1/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eb8e67522547c5dbff2566e7f633e24715afe756a4dda0ccd2d01fe9366570b9
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 99b4615a86a8d977325339743fb3956ec7f8e8fd614c2bb680de945436c78ed4
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0c0ac2eb7daa401405729a42e531b946ccc0ea243241fdf7f7542edb59cd6f6e
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 05254273213da5be474af9ce82fca59b1e7adf7effe7502061a30a86b2c71fbf
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde: net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing current HEAD a8e7f812fbc15d931311179614ea38730b6bcf09
testing commit a8e7f812fbc15d931311179614ea38730b6bcf09 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 18586c0ec6f962bfe7f907f5bfc6faeb0fcc57dd8530cd5c79d4919144ee228c
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 1h20m8.616016899s (build: 59m7.984164081s, test: 19m41.815232412s)
crash still not fixed or there were kernel test errors
commit msg: ANDROID: cpufreq: brcmstb-avs-cpufreq: fix build error
crash: KASAN: use-after-free Read in ext4_read_inline_data
==================================================================
BUG: KASAN: use-after-free in ext4_read_inline_data fs/ext4/inline.c:209 [inline]
BUG: KASAN: use-after-free in ext4_read_inline_data+0x1f3/0x2d0 fs/ext4/inline.c:177
Read of size 68 at addr ffff88811eeb60cf by task syz-executor.0/348

CPU: 1 PID: 348 Comm: syz-executor.0 Not tainted 5.10.214-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x81/0xac lib/dump_stack.c:118
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x148/0x190 mm/kasan/generic.c:189
 memcpy+0x24/0x60 mm/kasan/shadow.c:65
 ext4_read_inline_data fs/ext4/inline.c:209 [inline]
 ext4_read_inline_data+0x1f3/0x2d0 fs/ext4/inline.c:177
 ext4_convert_inline_data_nolock+0x100/0xc10 fs/ext4/inline.c:1224
 ext4_try_add_inline_entry+0x4a5/0x5f0 fs/ext4/inline.c:1349
 ext4_add_entry+0x7f1/0x11f0 fs/ext4/namei.c:2365
 ext4_mkdir+0x381/0x890 fs/ext4/namei.c:2970
 vfs_mkdir+0x463/0x700 fs/namei.c:3790
 do_mkdirat+0x12a/0x290 fs/namei.c:3812
 __do_sys_mkdirat fs/namei.c:3823 [inline]
 __se_sys_mkdirat fs/namei.c:3821 [inline]
 __x64_sys_mkdirat+0x71/0xb0 fs/namei.c:3821
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fb2e62ba9a7
Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb2e5e3cef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fb2e5e3cf80 RCX: 00007fb2e62ba9a7
RDX: 00000000000001ff RSI: 0000000020000580 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000580
R13: 00007fb2e5e3cf40 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00047bad80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11eeb6
flags: 0x4000000000000000()
raw: 4000000000000000 ffffea00047badc8 ffffea00047bad48 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x8100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|0x8000000), pid 348, ts 42905340203, free_ts 42905759450
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page mm/page_alloc.c:2462 [inline]
 get_page_from_freelist+0x1fee/0x2ad0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x2ae/0x2360 mm/page_alloc.c:5346
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 wp_page_copy+0x3a7/0x14c0 mm/memory.c:3137
 do_wp_page+0x200/0x1250 mm/memory.c:3456
 handle_pte_fault+0xea1/0x31d0 mm/memory.c:4788
 ___handle_speculative_fault+0xd23/0x1470 mm/memory.c:5190
 __handle_speculative_fault+0xa9/0x280 mm/memory.c:5239
 handle_speculative_fault include/linux/mm.h:1824 [inline]
 do_user_addr_fault+0x21a/0xa30 arch/x86/mm/fault.c:1310
 handle_page_fault arch/x86/mm/fault.c:1453 [inline]
 exc_page_fault+0x65/0xc0 arch/x86/mm/fault.c:1509
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:571
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare+0x1a7/0x230 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3336 [inline]
 free_unref_page_list+0x18a/0xae0 mm/page_alloc.c:3443
 release_pages+0x374/0xb00 mm/swap.c:1103
 free_pages_and_swap_cache+0x180/0x1e0 mm/swap_state.c:356
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x129/0x790 mm/mmu_gather.c:326
 unmap_region+0x2ee/0x400 mm/mmap.c:2807
 __do_munmap+0x48b/0x1050 mm/mmap.c:3036
 __vm_munmap+0xfb/0x1a0 mm/mmap.c:3059
 __do_sys_munmap mm/mmap.c:3085 [inline]
 __se_sys_munmap mm/mmap.c:3081 [inline]
 __x64_sys_munmap+0x62/0x80 mm/mmap.c:3081
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

Memory state around the buggy address:
 ffff88811eeb5f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811eeb6000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811eeb6080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff88811eeb6100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811eeb6180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_check_all_de:655: inode #12: block 5: comm syz-executor.0: bad entry in directory: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, size=124 fake=0