ci2 starts bisection 2024-08-18 11:58:28.548017305 +0000 UTC m=+128978.163449704 bisecting fixing commit since c61bd26ae81a896c8660150b4e356153da30880a building syzkaller on 3113787fe7a0c96998737e520aa95c303fdd41ef ensuring issue is reproducible on original commit c61bd26ae81a896c8660150b4e356153da30880a testing commit c61bd26ae81a896c8660150b4e356153da30880a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 6a2a5b324429d38a599a273497482c0473639e26eaf8e464491581cc40071a84 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit c61bd26ae81a896c8660150b4e356153da30880a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0f55987e793b4909b497906a01dd5ceb036e03c01bb8e7df2a1e43d8c3a50f1d all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed kconfig minimization: base=3703 full=7269 leaves diff=1983 split chunks (needed=false): <1983> split chunk #0 of len 1983 into 5 parts testing without sub-chunk 1/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit c61bd26ae81a896c8660150b4e356153da30880a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 411735744a4a4cd8eff99d589ea084f5864f691891746e441664e485ec1aca33 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit c61bd26ae81a896c8660150b4e356153da30880a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f28242d0fa05d1c6334f2786d5635b854bc650134ddb4c8a3f5f89ab835adb06 run #0: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #1: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #2: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #3: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #4: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #5: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #6: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #7: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #8: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry run #9: crashed: KASAN: out-of-bounds Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit c61bd26ae81a896c8660150b4e356153da30880a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 59cde5c0270066a67f728b4eaea9ce4778fe259f2b0a2545387bdc43e473f043 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit c61bd26ae81a896c8660150b4e356153da30880a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 87eef2c09297279adc4651940987cc2d59634b465760300f4a63858dfb599a04 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit c61bd26ae81a896c8660150b4e356153da30880a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 117dbb796f87a34fb6a341fb2d61ec2a96d91553e7e8bedf2785fd6ca710a58d all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing current HEAD 7e89efd3ae1cfa05fe918588a92628b9bbeda4b2 testing commit 7e89efd3ae1cfa05fe918588a92628b9bbeda4b2 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: df4128886a7223de581f43be87c03b977dbdc446792f1911c0753658a6781579 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 8, total time: 48m29.826389148s (build: 21m52.453412496s, test: 25m3.693007422s) crash still not fixed or there were kernel test errors commit msg: Linux 5.15.164 crash: KASAN: use-after-free Read in __ext4_check_dir_entry EXT4-fs warning (device loop4): dx_probe:890: inode #2: comm syz-executor.4: dx entry: limit 0 != root limit 124 EXT4-fs warning (device loop4): dx_probe:964: inode #2: comm syz-executor.4: Corrupt directory, running e2fsck is recommended ================================================================== BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x5ee/0x920 fs/ext4/dir.c:85 Read of size 2 at addr ffff8881191d0003 by task syz-executor.4/4325 CPU: 0 PID: 4325 Comm: syz-executor.4 Not tainted 5.15.164-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x41/0x5e lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:451 __ext4_check_dir_entry+0x5ee/0x920 fs/ext4/dir.c:85 ext4_readdir+0xd2c/0x2780 fs/ext4/dir.c:258 iterate_dir+0x48a/0x6d0 fs/readdir.c:65 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64 fs/readdir.c:354 [inline] __x64_sys_getdents64+0x122/0x220 fs/readdir.c:354 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7f6a46367ee9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6a45eea0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007f6a4649efa0 RCX: 00007f6a46367ee9 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000008 RBP: 00007f6a463b447f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000006 R14: 00007f6a4649efa0 R15: 00007fff42eda038 Allocated by task 4003: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc+0x7c/0x90 mm/kasan/common.c:522 kmalloc include/linux/slab.h:596 [inline] tomoyo_realpath_from_path+0xb0/0x6d0 security/tomoyo/realpath.c:254 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x1ed/0x320 security/tomoyo/file.c:822 security_inode_getattr+0xab/0x100 security/security.c:1348 vfs_getattr fs/stat.c:157 [inline] vfs_statx+0xe8/0x2e0 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat+0x7d/0xd0 fs/stat.c:411 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 Freed by task 4003: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xe0/0x110 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1705 [inline] slab_free_freelist_hook mm/slub.c:1731 [inline] slab_free mm/slub.c:3499 [inline] kfree+0xd0/0x4c0 mm/slub.c:4559 tomoyo_realpath_from_path+0x16b/0x6d0 security/tomoyo/realpath.c:291 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x1ed/0x320 security/tomoyo/file.c:822 security_inode_getattr+0xab/0x100 security/security.c:1348 vfs_getattr fs/stat.c:157 [inline] vfs_statx+0xe8/0x2e0 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat+0x7d/0xd0 fs/stat.c:411 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 The buggy address belongs to the object at ffff8881191d0000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3 bytes inside of 4096-byte region [ffff8881191d0000, ffff8881191d1000) The buggy address belongs to the page: page:ffffea0004647400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1191d0 head:ffffea0004647400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x200000000010200(slab|head|node=0|zone=2) raw: 0200000000010200 0000000000000000 0000000100000001 ffff888100042140 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 417, ts 4847752367, free_ts 0 prep_new_page mm/page_alloc.c:2426 [inline] get_page_from_freelist+0x166f/0x2910 mm/page_alloc.c:4159 __alloc_pages+0x2b3/0x590 mm/page_alloc.c:5423 alloc_slab_page mm/slub.c:1775 [inline] allocate_slab+0x2eb/0x430 mm/slub.c:1912 new_slab mm/slub.c:1975 [inline] ___slab_alloc+0xb1c/0xf80 mm/slub.c:3008 __slab_alloc mm/slub.c:3095 [inline] slab_alloc_node mm/slub.c:3186 [inline] slab_alloc mm/slub.c:3228 [inline] __kmalloc+0x2da/0x2f0 mm/slub.c:4403 kmalloc include/linux/slab.h:596 [inline] tomoyo_realpath_from_path+0xb0/0x6d0 security/tomoyo/realpath.c:254 tomoyo_realpath_nofollow+0x9c/0xc0 security/tomoyo/realpath.c:309 tomoyo_find_next_domain+0x24b/0x1bf0 security/tomoyo/domain.c:727 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline] tomoyo_bprm_check_security+0xfb/0x170 security/tomoyo/tomoyo.c:91 security_bprm_check+0x34/0x70 security/security.c:868 search_binary_handler fs/exec.c:1726 [inline] exec_binprm fs/exec.c:1779 [inline] bprm_execve fs/exec.c:1848 [inline] bprm_execve+0x59b/0x1330 fs/exec.c:1810 do_execveat_common+0x5fd/0x7b0 fs/exec.c:1953 do_execve fs/exec.c:2023 [inline] __do_sys_execve fs/exec.c:2099 [inline] __se_sys_execve fs/exec.c:2094 [inline] __x64_sys_execve+0x8a/0xb0 fs/exec.c:2094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 page_owner free stack trace missing Memory state around the buggy address: ffff8881191cff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881191cff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881191d0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881191d0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881191d0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================