ci2 starts bisection 2025-11-16 00:12:28.515386092 +0000 UTC m=+129081.184085691
bisecting fixing commit since 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c
building syzkaller on 5d7e17caf7d0971d22446d8a81bcf1cd8c18a0dc
ensuring issue is reproducible on original commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c

testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 9ab289548495c8a94425943525f9f6819bf43c65f37ec2cea2eedad8905cd6f5
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 1ddcd43e51e886da76895085b8a1e09333f349fcc0888e4f09cb74d5e5d0a306
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=5186 full=6555 leaves diff=264
split chunks (needed=false): <264>
split chunk #0 of len 264 into 5 parts
testing without sub-chunk 1/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 933b5cd11926261a4a99a303ccfbb611845775bb876dab2709f36158fba5d2b7
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a34fe46a8cdb7b45113f810922b5af05e80a6b4298fb00700142e36be23d3ec2
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 23fa075c7854e2acc94a7a1d97a5acae78a83859a40aaa5d74cacaa2c8302245
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: deeddc0d0c2f81d8a460d9b56c8abcf9a462f912915cb80386de42095473e173
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
failed building 47e5d7e917782dd01d2ddb37de9a37b33ab19a6c: ld.lld: error: undefined symbol: wext_proc_init
ld.lld: error: undefined symbol: wext_proc_exit
ld.lld: error: undefined symbol: wext_handle_ioctl
ld.lld: error: undefined symbol: compat_wext_handle_ioctl
minimized to 52 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing current HEAD f090d4b083a9ef4831f99e692c239542dd385cb4
testing commit f090d4b083a9ef4831f99e692c239542dd385cb4 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 64bf736178174a8c666b1d8ace2bc67b05e687bffe7b11ad20f788f67871f003
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN-USE-AFTER-FREE-READ]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 1h26m31.08768002s (build: 48m34.299555679s, test: 28m22.724048401s)
crash still not fixed or there were kernel test errors
commit msg: ANDROID: KVM: arm64: Disable Memory Tagging for all guests if not supported
crash: KASAN: use-after-free Read in __ext4_check_dir_entry
EXT4-fs (loop2): encrypted files will use data=ordered instead of data journaling mode
EXT4-fs (loop2): 1 truncate cleaned up
EXT4-fs (loop2): mounted filesystem without journal. Quota mode: none.
EXT4-fs warning (device loop2): __ext4fs_dirhash:270: inode #2: comm syz.2.17: Siphash requires key
EXT4-fs warning (device loop2): dx_probe:845: inode #2: comm syz.2.17: Hash code is SIPHASH, but hash not in dirent
EXT4-fs warning (device loop2): dx_probe:966: inode #2: comm syz.2.17: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x442/0x670 fs/ext4/dir.c:85
Read of size 2 at addr ffff88812b90d003 by task syz.2.17/454

CPU: 0 PID: 454 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 __dump_stack+0x19/0x1c lib/dump_stack.c:88
 dump_stack_lvl+0xa3/0xec lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:349
 __ext4_check_dir_entry+0x442/0x670 fs/ext4/dir.c:85
 ext4_readdir+0xbb6/0x31e0 fs/ext4/dir.c:261
 iterate_dir+0x221/0x540 fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0xc9/0x190 fs/readdir.c:354
 __x64_sys_getdents64+0x76/0x80 fs/readdir.c:354
 x64_sys_call+0x15c/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7faf6118e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faf61fd2038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007faf613b5fa0 RCX: 00007faf6118e929
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007faf61210b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007faf613b5fa0 R15: 00007ffde50517a8
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0004ae4340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12b90d
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0004ae4388 ffff8881f733c568 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff88812b90cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88812b90cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88812b90d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88812b90d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812b90d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop2): ext4_readdir:263: inode #2: block 255: comm syz.2.17: path (unknown): bad entry in directory: directory entry overrun - offset=1023, inode=1987005952, rec_len=12576, size=1024 fake=0