ci2 starts bisection 2023-03-08 06:28:53.100365244 +0000 UTC m=+12178.069039399 bisecting fixing commit since c3eb11fbb826879be773c137f281569efce67aa8 building syzkaller on 74a66371788c1eb22bde25c9c422c7754596d7f5 ensuring issue is reproducible on original commit c3eb11fbb826879be773c137f281569efce67aa8 testing commit c3eb11fbb826879be773c137f281569efce67aa8 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c2311caa38360bae19394a04370b906e8e37fff89ad727d3972ce2d5501a0dce run #0: crashed: KASAN: out-of-bounds Read in set_de_name_and_namelen run #1: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #2: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #3: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #4: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #5: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #6: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #7: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #8: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #9: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #10: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #11: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #12: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #13: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #14: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #15: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #16: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #17: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #18: crashed: KASAN: use-after-free Read in set_de_name_and_namelen run #19: crashed: KASAN: use-after-free Read in set_de_name_and_namelen testing current HEAD 63355b9884b3d1677de6bd1517cd2b8a9bf53978 testing commit 63355b9884b3d1677de6bd1517cd2b8a9bf53978 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 65b864f25f67cc745eb22ed3fca1822765acdbb1e70b8bed63bacb96857929c7 all runs: crashed: KASAN: use-after-free Read in set_de_name_and_namelen revisions tested: 2, total time: 41m16.420069765s (build: 30m43.632213588s, test: 6m33.696943231s) the crash still happens on HEAD commit msg: cpumask: be more careful with 'cpumask_setall()' crash: KASAN: use-after-free Read in set_de_name_and_namelen REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 REISERFS (device loop0): checking transaction log (loop0) REISERFS (device loop0): Using r5 hash to sort names REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. ================================================================== BUG: KASAN: use-after-free in strlen+0x58/0x70 Read of size 1 at addr ffff8880702ab9cc by task syz-executor.0/5618 CPU: 1 PID: 5618 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call Trace: dump_stack_lvl+0x12e/0x1d0 print_report+0x163/0x510 kasan_report+0x108/0x140 strlen+0x58/0x70 set_de_name_and_namelen+0x37b/0x610 search_by_entry_key+0x5ab/0xc00 reiserfs_readdir_inode+0x23a/0x1300 iterate_dir+0x1fe/0x500 __se_sys_getdents64+0x1ce/0x420 do_syscall_64+0x41/0xc0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7feb9be8c0d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007feb9ccba168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007feb9bfabf80 RCX: 00007feb9be8c0d9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00007feb9bee7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff8aea335f R14: 00007feb9ccba300 R15: 0000000000022000 The buggy address belongs to the physical page: page:ffffea0001c0aac0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x702ab flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001c0ab08 ffffea0001c0aa88 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 9, migratetype Movable, gfp_mask 0x3d24ca(GFP_TRANSHUGE|__GFP_NORETRY|__GFP_THISNODE), pid 5076, tgid 5070 (syz-fuzzer), ts 47841624403, free_ts 49682244355 get_page_from_freelist+0x3792/0x3910 __alloc_pages+0x291/0x7f0 __folio_alloc+0x13/0x30 __folio_alloc_node+0xf1/0x160 vma_alloc_folio+0x421/0x680 do_huge_pmd_anonymous_page+0x25b/0x1100 handle_mm_fault+0xcfe/0x3d50 exc_page_fault+0x67c/0x890 asm_exc_page_fault+0x26/0x30 page last free stack trace: free_unref_page_prepare+0xf0e/0xf70 free_unref_page+0x37/0x3f0 release_pages+0x4e5/0x1bc0 tlb_flush_mmu+0xe9/0x1e0 tlb_finish_mmu+0xb6/0x1c0 exit_mmap+0x267/0x750 __mmput+0xcb/0x300 exit_mm+0x1c4/0x280 do_exit+0x4d0/0x1cf0 do_group_exit+0x1b9/0x280 get_signal+0x11d1/0x1280 arch_do_signal_or_restart+0x7f/0x660 exit_to_user_mode_loop+0x6a/0xf0 exit_to_user_mode_prepare+0xb1/0x140 syscall_exit_to_user_mode+0x54/0x2d0 do_syscall_64+0x4d/0xc0 Memory state around the buggy address: ffff8880702ab880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880702ab900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880702ab980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880702aba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880702aba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================