ci2 starts bisection 2024-10-02 21:54:59.591150281 +0000 UTC m=+39361.959520508
bisecting cause commit starting from e32cde8d2bd7d251a8f9b434143977ddf13dcec6
building syzkaller on 02f9582a0f9c1ee913b11f71fda5b5698fc3fa2c
ensuring issue is reproducible on original commit e32cde8d2bd7d251a8f9b434143977ddf13dcec6

testing commit e32cde8d2bd7d251a8f9b434143977ddf13dcec6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a9847aabcf7e214ed502411c8b9f83eafcacec8fd346c0261a490f7c0b87be84
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit e32cde8d2bd7d251a8f9b434143977ddf13dcec6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ae742da50868224b162302e47f94db72959149d938f80913b6a71e7f6ffef772
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
kconfig minimization: base=4037 full=8186 leaves diff=2111
split chunks (needed=false): <2111>
split chunk #0 of len 2111 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit e32cde8d2bd7d251a8f9b434143977ddf13dcec6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b092d19fdbe2a1d56f14ba769f84e3d170f42f181357cf57f0c0ce7e19415479
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit e32cde8d2bd7d251a8f9b434143977ddf13dcec6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c8b3a9a6063b37a3cf75ad76c720ddf116d640cde2873292c0cfc54e5850467e
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit e32cde8d2bd7d251a8f9b434143977ddf13dcec6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 603e492dbd99523f5c69e22ba2369cbb85197e17b253898b5036e1c53ca5e604
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit e32cde8d2bd7d251a8f9b434143977ddf13dcec6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d655bbd1a2f7bc63cdb98abc10482e7ef46f316bcc1ef9da27d37ea517e533e1
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit e32cde8d2bd7d251a8f9b434143977ddf13dcec6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a71888ccd5885be3b8d4750c5cd7caa50e2afb239ae5da0b4e001d5b31badcb7
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed

picked [v6.11 v6.10 v6.9 v6.7 v6.5 v6.3 v6.1 v5.19 v5.16 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 34 release tags
testing release v6.11
testing commit 98f7e32f20d28ec452afb208f9cffc08448a2652 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 990d680c8f6a41cd3b525e86ecc1d4ccddf0c8f87a13d7c9fd337a6211f1005e
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v6.10
testing commit 0c3836482481200ead7b416ca80c68a29cfdaabd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 20c0e9e9c4afc7ade9fa81c231ecae085c8cef571f204caf9c76e454873d0631
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v6.9
testing commit a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: afcc7043321df7fdd132239491199a7aefa5e6430b83836f7498d3a12e5df207
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v6.7
testing commit 0dd3ee31125508cd67f7e7172247f05b7fd1753a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5368349f96ae67b63756bacacab90f7a1dd23f3003654ef52c5be9a021a71820
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v6.5
testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ec38c2e48d038292c082c5d05c0de4d062c82b403db486dafac98ee7d5fbc980
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 95a22b120159fc9d2783a67a867b515ca62c7dc44ade987789ae00c38b2b2b6c
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v6.1
testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 75ee0aa23698e3d12c751a4102706e7c146566afda9d407b27b8f3091d9757b5
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v5.19
testing commit 3d7cb6b04c3f3115719235cc6866b10326de34cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8ed96b8747faadcfb8c07802c86b5b6e5ee241bd2e76838f2c5c9f95ab248298
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v5.16
testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1712cbcedb396720d2b294b000bf24fc7b291991da0c25d011d003987415cd98
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v5.13
testing commit 62fb9874f5da54fdb243003b386128037319b219 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a0098fc1019498bdc9409388c3285cf8ef7720b5c13e5b1ba13e58696f2e84b3
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e0e507665bcbec35645f23e5aa7924e47d7b34df094a94bacce60a39df8b80af
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 gcc
compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 54042d30a61457d4b775f92fdecdd27451be5a861161dac024a8f40ef24368da
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 gcc
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 8db3da0ca026ebc55fbd0c447c7d0860e427aa5b193db9b554062b5ad1c2baea
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd gcc
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: db9030fddf98f8112bb3d2cad2abf2c6b4dd5edac2dd3ee19d7b7de8c0ba421c
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d gcc
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 2e1109cdfe0ea5450dc9397d3b75447161904272eacca6bcf3562959db7891c4
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]

crash still not fixed/happens on the oldest tested release
revisions tested: 22, total time: 4h21m36.442194259s (build: 2h48m20.873603168s, test: 1h23m55.677595417s)
oldest tested release already had the bug or it had kernel test errors
commit msg: Linux 4.19
crash: KASAN: use-after-free Read in __ext4_check_dir_entry

EXT4-fs warning (device loop0): dx_probe:754: inode #2: comm syz.0.19: Unrecognised inode hash code 4
EXT4-fs warning (device loop0): dx_probe:865: inode #2: comm syz.0.19: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x2bc/0x390 fs/ext4/dir.c:69
Read of size 2 at addr ffff8801dd7f0003 by task syz.0.19/3115

CPU: 0 PID: 3115 Comm: syz.0.19 Not tainted 4.19.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x10c/0x17a lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x244 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x305 mm/kasan/report.c:396
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
 __ext4_check_dir_entry+0x2bc/0x390 fs/ext4/dir.c:69
 ext4_readdir+0x62d/0x2be0 fs/ext4/dir.c:235
 iterate_dir+0x3ad/0x5f0 fs/readdir.c:51
 ksys_getdents64+0x102/0x1d0 fs/readdir.c:314
 __do_sys_getdents64 fs/readdir.c:333 [inline]
 __se_sys_getdents64 fs/readdir.c:330 [inline]
 __x64_sys_getdents64+0x6e/0xb0 fs/readdir.c:330
 do_syscall_64+0xd0/0x340 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f8d47052ff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8d46ad4038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f8d4720af80 RCX: 00007f8d47052ff9
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f8d470c5296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f8d4720af80 R15: 00007fff9ab68be8

The buggy address belongs to the page:
page:ffffea000775fc00 count:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0x200000000000000()
raw: 0200000000000000 ffffea000775fa48 ffffea000775ff88 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not active (free page?)

Memory state around the buggy address:
 ffff8801dd7eff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801dd7eff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801dd7f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8801dd7f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801dd7f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================