ci starts bisection 2023-03-13 16:10:53.37721013 +0000 UTC m=+5860.267333522
bisecting fixing commit since e8f60cd7db24f94f2dbed6bec30dd16a68fc0828
building syzkaller on 96166539c4c242fccd41c7316b7080377dca428b
ensuring issue is reproducible on original commit e8f60cd7db24f94f2dbed6bec30dd16a68fc0828
testing commit e8f60cd7db24f94f2dbed6bec30dd16a68fc0828 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9c429f0e895d4b53e73f17c450edbcb29524deaf4586ac4860286ca59bebfb60
run #0: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #1: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #2: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #3: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #4: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #5: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #6: crashed: KASAN: use-after-free Read in jfs_readdir
run #7: crashed: KASAN: use-after-free Read in jfs_readdir
run #8: crashed: KASAN: use-after-free Read in jfs_readdir
run #9: crashed: KASAN: use-after-free Read in jfs_readdir
run #10: crashed: KASAN: use-after-free Read in jfs_readdir
run #11: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #12: crashed: KASAN: use-after-free Read in jfs_readdir
run #13: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #14: crashed: KASAN: use-after-free Read in jfs_readdir
run #15: crashed: KASAN: use-after-free Read in jfs_readdir
run #16: crashed: KASAN: use-after-free Read in jfs_readdir
run #17: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #18: crashed: KASAN: use-after-free Read in jfs_readdir
run #19: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
testing current HEAD eeac8ede17557680855031c6f305ece2378af326
testing commit eeac8ede17557680855031c6f305ece2378af326 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b4650fae60b705069c45959cc61830d207e0fc179826392f65c1c335c73defd4
run #0: crashed: KASAN: use-after-free Read in jfs_readdir
run #1: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #2: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #3: crashed: KASAN: use-after-free Read in jfs_readdir
run #4: crashed: KASAN: use-after-free Read in jfs_readdir
run #5: crashed: KASAN: slab-use-after-free Read in jfs_readdir
run #6: crashed: KASAN: slab-use-after-free Read in jfs_readdir
run #7: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
run #8: crashed: KASAN: use-after-free Read in jfs_readdir
run #9: crashed: KASAN: slab-out-of-bounds Read in jfs_readdir
revisions tested: 2, total time: 25m39.437777712s (build: 18m49.421785948s, test: 6m8.471220364s)
the crash still happens on HEAD
commit msg: Linux 6.3-rc2
crash: KASAN: slab-out-of-bounds Read in jfs_readdir

loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in jfs_readdir+0x2a98/0x3610 fs/jfs/jfs_dtree.c:2889
Read of size 1 at addr ffff8880762cff75 by task syz-executor.0/5934

CPU: 0 PID: 5934 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x64/0xb0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:319
 print_report mm/kasan/report.c:430 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:536
 jfs_readdir+0x2a98/0x3610 fs/jfs/jfs_dtree.c:2889
 iterate_dir+0x1aa/0x6c0 fs/readdir.c:67
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __x64_sys_getdents64+0x128/0x240 fs/readdir.c:354
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f22a1a8c0c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f22a27e3168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f22a1babf80 RCX: 00007f22a1a8c0c9
RDX: 00000000000000c5 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 00007f22a1ae7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd131375ff R14: 00007f22a27e3300 R15: 0000000000022000

Allocated by task 5342:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:769 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc_lru+0x209/0x580 mm/slub.c:3483
 alloc_inode_sb include/linux/fs.h:2686 [inline]
 proc_alloc_inode+0x20/0x230 fs/proc/inode.c:67
 alloc_inode+0x56/0x1e0 fs/inode.c:260
 new_inode_pseudo fs/inode.c:1019 [inline]
 new_inode+0x1a/0x240 fs/inode.c:1047
 proc_pid_make_inode+0x1b/0x210 fs/proc/base.c:1897
 proc_pid_make_base_inode.constprop.0+0x14/0x150 fs/proc/base.c:1948
 proc_pid_instantiate+0x45/0x1d0 fs/proc/base.c:3417
 proc_pid_lookup+0x17d/0x300 fs/proc/base.c:3461
 proc_root_lookup+0x1c/0x40 fs/proc/root.c:324
 __lookup_slow+0x200/0x3f0 fs/namei.c:1686
 lookup_slow fs/namei.c:1703 [inline]
 walk_component+0x2a3/0x4e0 fs/namei.c:1994
 link_path_walk.part.0+0x492/0xac0 fs/namei.c:2318
 link_path_walk fs/namei.c:2246 [inline]
 path_openat+0x1f8/0x2280 fs/namei.c:3711
 do_filp_open+0x1a9/0x3e0 fs/namei.c:3742
 do_sys_openat2+0x11e/0x3f0 fs/open.c:1348
 do_sys_open fs/open.c:1364 [inline]
 __do_sys_openat fs/open.c:1380 [inline]
 __se_sys_openat fs/open.c:1375 [inline]
 __x64_sys_openat+0x11f/0x1d0 fs/open.c:1375
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:491
 __call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2622
 proc_invalidate_siblings_dcache+0x1ce/0x4d0 fs/proc/inode.c:158
 release_task+0xb3e/0x14f0 kernel/exit.c:278
 wait_task_zombie kernel/exit.c:1205 [inline]
 wait_consider_task+0x28a6/0x3500 kernel/exit.c:1432
 do_wait_thread kernel/exit.c:1495 [inline]
 do_wait+0x64b/0xaa0 kernel/exit.c:1612
 kernel_wait4+0xf2/0x1c0 kernel/exit.c:1775
 __do_sys_wait4+0xe8/0x100 kernel/exit.c:1803
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:491
 __call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2622
 proc_invalidate_siblings_dcache+0x1ce/0x4d0 fs/proc/inode.c:158
 release_task+0xb3e/0x14f0 kernel/exit.c:278
 wait_task_zombie kernel/exit.c:1205 [inline]
 wait_consider_task+0x28a6/0x3500 kernel/exit.c:1432
 do_wait_thread kernel/exit.c:1495 [inline]
 do_wait+0x64b/0xaa0 kernel/exit.c:1612
 kernel_wait4+0xf2/0x1c0 kernel/exit.c:1775
 __do_sys_wait4+0xe8/0x100 kernel/exit.c:1803
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880762cf590
 which belongs to the cache proc_inode_cache of size 1240
The buggy address is located 1293 bytes to the right of
 allocated 1240-byte region [ffff8880762cf590, ffff8880762cfa68)

The buggy address belongs to the physical page:
page:ffffea0001d8b200 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880762cf590 pfn:0x762c8
head:ffffea0001d8b200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8880200ffe01
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff888140132500 ffffea0000845200 0000000000000002
raw: ffff8880762cf590 0000000080170014 00000001ffffffff ffff8880200ffe01
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5070, tgid 5070 (syz-executor), ts 30341568753, free_ts 6625773540
 prep_new_page mm/page_alloc.c:2552 [inline]
 get_page_from_freelist+0x1190/0x2ec0 mm/page_alloc.c:4325
 __alloc_pages+0x1cb/0x530 mm/page_alloc.c:5591
 alloc_slab_page mm/slub.c:1851 [inline]
 allocate_slab+0x25f/0x390 mm/slub.c:1998
 new_slab mm/slub.c:2051 [inline]
 ___slab_alloc+0xa91/0x1400 mm/slub.c:3193
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
 __slab_alloc_node mm/slub.c:3345 [inline]
 slab_alloc_node mm/slub.c:3442 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc_lru+0x42d/0x580 mm/slub.c:3483
 alloc_inode_sb include/linux/fs.h:2686 [inline]
 proc_alloc_inode+0x20/0x230 fs/proc/inode.c:67
 alloc_inode+0x56/0x1e0 fs/inode.c:260
 new_inode_pseudo fs/inode.c:1019 [inline]
 new_inode+0x1a/0x240 fs/inode.c:1047
 proc_sys_make_inode+0x45/0x690 fs/proc/proc_sysctl.c:452
 proc_sys_lookup+0x2be/0x580 fs/proc/proc_sysctl.c:541
 __lookup_slow+0x200/0x3f0 fs/namei.c:1686
 lookup_slow fs/namei.c:1703 [inline]
 walk_component+0x2a3/0x4e0 fs/namei.c:1994
 link_path_walk.part.0+0x568/0xac0 fs/namei.c:2321
 link_path_walk fs/namei.c:2246 [inline]
 path_openat+0x1f8/0x2280 fs/namei.c:3711
 do_filp_open+0x1a9/0x3e0 fs/namei.c:3742
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1453 [inline]
 free_pcp_prepare+0x604/0xad0 mm/page_alloc.c:1503
 free_unref_page_prepare mm/page_alloc.c:3387 [inline]
 free_unref_page+0x1d/0x490 mm/page_alloc.c:3482
 free_contig_range+0xb5/0x180 mm/page_alloc.c:9531
 destroy_args+0x50a/0x700 mm/debug_vm_pgtable.c:1023
 debug_vm_pgtable+0x18fd/0x31a0 mm/debug_vm_pgtable.c:1403
 do_one_initcall+0xc2/0x480 init/main.c:1306
 do_initcall_level init/main.c:1379 [inline]
 do_initcalls init/main.c:1395 [inline]
 do_basic_setup init/main.c:1414 [inline]
 kernel_init_freeable+0x579/0xa50 init/main.c:1634
 kernel_init+0x1a/0x1c0 init/main.c:1522
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Memory state around the buggy address:
 ffff8880762cfe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880762cfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880762cff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff8880762cff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880762d0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================