ci2 starts bisection 2025-06-01 23:49:41.443379506 +0000 UTC m=+374171.571256399
bisecting fixing commit since 0a51d2d4527b43c5e467ffa6897deefeaf499358
building syzkaller on 5df2386563cbffa1bbbb9d0b8ec1eebb98d051ae
ensuring issue is reproducible on original commit 0a51d2d4527b43c5e467ffa6897deefeaf499358
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8aa0cbea8c8d9df6aa551826823eb0219b072d4b3e5b0199ab35c3a4f628f470
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bba66703afd39d48b4a5d0ac58db591ee00a78c89af3b1f6a8a5a56abf6ba72e
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=3707 full=7305 leaves diff=2040
split chunks (needed=false): <2040>
split chunk #0 of len 2040 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e4acf8e516b59e33bd2f84447a9567b43c3cd81371333fe41b7d66c3673fc562
run #0: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #1: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #2: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #3: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #4: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #5: crashed: KASAN: out-of-bounds Write in ext4_insert_dentry
run #6: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #7: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #8: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #9: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 39e885cd5ce522a4151af5a7a0d2ad2f83504cfbfa0f675a7ae6b3c3abaa329d
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fda27a1f9c3aea326f5b9ba43a9e4776f39593f00afcdb63bef9335bb0964c7d
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ca04c1a970e3caa7bed812dee62ca14839debbf2d43138fa1a37811be0549291
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 0a51d2d4527b43c5e467ffa6897deefeaf499358 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 515bd9c32822fffe759ed782c7111afdfcecd06ec4da0b007ece7a580719fa7a
run #0: crashed: KASAN: out-of-bounds Write in ext4_insert_dentry
run #1: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #2: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #3: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #4: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #5: crashed: KASAN: out-of-bounds Write in ext4_insert_dentry
run #6: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #7: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #8: crashed: KASAN: use-after-free Write in ext4_insert_dentry
run #9: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: out-of-bounds Write in ext4_insert_dentry, types: [KASAN]
the chunk can be dropped
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 98f47d0e9b8c557d3063d3ea661cbea1489af330
testing commit 98f47d0e9b8c557d3063d3ea661cbea1489af330 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 97478ed5fbc99163df97dfb9a95e1fe4be56dc783c8706649cc063cdf027b2de
all runs: OK
false negative chance: 0.000
# git bisect start 98f47d0e9b8c557d3063d3ea661cbea1489af330 0a51d2d4527b43c5e467ffa6897deefeaf499358
Bisecting: 1187 revisions left to test after this (roughly 10 steps)
[20ecbadad51a79db3ff8c3f2bfe21bb7267ee0f0] m68k: vga: Fix I/O defines
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit 20ecbadad51a79db3ff8c3f2bfe21bb7267ee0f0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 83566e4eaea8fd521bbfe689654958f4f0e70e0a3062392116bc5a14105c7caf
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 20ecbadad51a79db3ff8c3f2bfe21bb7267ee0f0
Bisecting: 593 revisions left to test after this (roughly 9 steps)
[46c66d975a58a9fc04cb340001b815d930643aa6] locking/semaphore: Use wake_q to wake up processes outside lock critical section
determine whether the revision contains the guilty commit
revision 20ecbadad51a79db3ff8c3f2bfe21bb7267ee0f0 crashed and is reachable
testing commit 46c66d975a58a9fc04cb340001b815d930643aa6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cf0f175adfd2f363980c4aa7b031b337129a323d5f44d562c5c6f07db0cbfbcf
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 46c66d975a58a9fc04cb340001b815d930643aa6
Bisecting: 296 revisions left to test after this (roughly 8 steps)
[d154b333a5667b6c1b213a11a41ad7aaccd10c3d] dm cache: fix flushing uninitialized delayed_work on cache_ctr error
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit d154b333a5667b6c1b213a11a41ad7aaccd10c3d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 01d880e53ee9464180af1cc2a4bf0c4e8f27df933a388bf0066b5082a52ac01f
all runs: OK
false negative chance: 0.000
# git bisect bad d154b333a5667b6c1b213a11a41ad7aaccd10c3d
Bisecting: 148 revisions left to test after this (roughly 7 steps)
[e7d6ceff95c55297f0ee8f9dbc4da5c558f30e9e] mtd: inftlcore: Add error check for inftl_read_oob()
determine whether the revision contains the guilty commit
revision 20ecbadad51a79db3ff8c3f2bfe21bb7267ee0f0 crashed and is reachable
testing commit e7d6ceff95c55297f0ee8f9dbc4da5c558f30e9e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d9a8c39d26ba8c636d6028cb1174ac7a315ca255a6836a689ad1b17708452725
all runs: OK
false negative chance: 0.000
# git bisect bad e7d6ceff95c55297f0ee8f9dbc4da5c558f30e9e
Bisecting: 73 revisions left to test after this (roughly 6 steps)
[691d45955edae7b5aee607917ad8bed10446272e] ALSA: usb-audio: Fix CME quirk for UF series keyboards
determine whether the revision contains the guilty commit
revision 20ecbadad51a79db3ff8c3f2bfe21bb7267ee0f0 crashed and is reachable
testing commit 691d45955edae7b5aee607917ad8bed10446272e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4b7aaa90ad1367aee21fabaf5f32fd07b00ccbb3f5fbbbf40339a492d9419c74
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 691d45955edae7b5aee607917ad8bed10446272e
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[1b8fb257234e7d2d4b3f48af07c5aa5e11c71634] media: venus: hfi: add a check to handle OOB in sfr region
determine whether the revision contains the guilty commit
revision 46c66d975a58a9fc04cb340001b815d930643aa6 crashed and is reachable
testing commit 1b8fb257234e7d2d4b3f48af07c5aa5e11c71634 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 965bfd0f1cfd7455fd6ee06e6a1936f8dfc3e5744f65619aba7ec27ec23e3c5f
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 1b8fb257234e7d2d4b3f48af07c5aa5e11c71634
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[f195e94c7af921d99abd79f57026a218d191d2c7] media: venus: hfi_parser: refactor hfi packet parsing logic
determine whether the revision contains the guilty commit
revision 1b8fb257234e7d2d4b3f48af07c5aa5e11c71634 crashed and is reachable
testing commit f195e94c7af921d99abd79f57026a218d191d2c7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 965bfd0f1cfd7455fd6ee06e6a1936f8dfc3e5744f65619aba7ec27ec23e3c5f
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good f195e94c7af921d99abd79f57026a218d191d2c7
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[2883e9e74f73f9265e5f8d1aaaa89034b308e433] ext4: fix off-by-one error in do_split
determine whether the revision contains the guilty commit
revision 1b8fb257234e7d2d4b3f48af07c5aa5e11c71634 crashed and is reachable
testing commit 2883e9e74f73f9265e5f8d1aaaa89034b308e433 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 09f2ffa60e60474714a541b138b0313950be8f9d8ae0422bc6dd985b8d2cea28
all runs: OK
false negative chance: 0.000
# git bisect bad 2883e9e74f73f9265e5f8d1aaaa89034b308e433
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[8f80ade0f6ea8d4379f745d536912e23467cad58] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
determine whether the revision contains the guilty commit
revision 0a51d2d4527b43c5e467ffa6897deefeaf499358 crashed and is reachable
testing commit 8f80ade0f6ea8d4379f745d536912e23467cad58 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 965bfd0f1cfd7455fd6ee06e6a1936f8dfc3e5744f65619aba7ec27ec23e3c5f
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 8f80ade0f6ea8d4379f745d536912e23467cad58
Bisecting: 2 revisions left to test after this (roughly 1 step)
[9ae11b06c5576bd149ae8ac666edb9de38b89531] wifi: mac80211: fix integer overflow in hwmp_route_info_get()
determine whether the revision contains the guilty commit
revision f195e94c7af921d99abd79f57026a218d191d2c7 crashed and is reachable
testing commit 9ae11b06c5576bd149ae8ac666edb9de38b89531 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 965bfd0f1cfd7455fd6ee06e6a1936f8dfc3e5744f65619aba7ec27ec23e3c5f
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 9ae11b06c5576bd149ae8ac666edb9de38b89531
Bisecting: 0 revisions left to test after this (roughly 1 step)
[899d0353ea69681f474b6bc9de32c663b89672da] bus: mhi: host: Fix race between unprepare and queue_buf
determine whether the revision contains the guilty commit
revision 20ecbadad51a79db3ff8c3f2bfe21bb7267ee0f0 crashed and is reachable
testing commit 899d0353ea69681f474b6bc9de32c663b89672da gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 965bfd0f1cfd7455fd6ee06e6a1936f8dfc3e5744f65619aba7ec27ec23e3c5f
all runs: crashed: KASAN: use-after-free Write in ext4_insert_dentry
representative crash: KASAN: use-after-free Write in ext4_insert_dentry, types: [KASAN]
# git bisect good 899d0353ea69681f474b6bc9de32c663b89672da
2883e9e74f73f9265e5f8d1aaaa89034b308e433 is the first bad commit
commit 2883e9e74f73f9265e5f8d1aaaa89034b308e433
Author: Artem Sadovnikov
Date:   Fri Apr 4 08:28:05 2025 +0000

    ext4: fix off-by-one error in do_split

    commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.

    Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
    caused by out-of-bounds access due to incorrect splitting in do_split.

    BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
    Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

    CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
    Call Trace:
     __dump_stack lib/dump_stack.c:94 [inline]
     dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
     print_address_description mm/kasan/report.c:377 [inline]
     print_report+0x169/0x550 mm/kasan/report.c:488
     kasan_report+0x143/0x180 mm/kasan/report.c:601
     kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
     __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
     ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
     add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
     make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
     ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
     ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
     ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
     vfs_symlink+0x137/0x2e0 fs/namei.c:4615
     do_symlinkat+0x222/0x3a0 fs/namei.c:4641
     __do_sys_symlink fs/namei.c:4662 [inline]
     __se_sys_symlink fs/namei.c:4660 [inline]
     __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    The following loop is located right above 'if' statement.

    for (i = count-1; i >= 0; i--) {
        /* is more than half of this entry in 2nd half of the block? */
        if (size + map[i].size/2 > blocksize/2)
            break;
        size += map[i].size;
        move++;
    }

    'i' in this case could go down to -1, in which case sum of active entries
    wouldn't exceed half the block size, but previous behaviour would also do
    split in half if sum would exceed at the very last block, which in case of
    having too many long name files in a single block could lead to
    out-of-bounds access and following use-after-free.

    Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

    Cc: stable@vger.kernel.org
    Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
    Signed-off-by: Artem Sadovnikov
    Reviewed-by: Jan Kara
    Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

 fs/ext4/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: 09f2ffa60e60474714a541b138b0313950be8f9d8ae0422bc6dd985b8d2cea28
parent signature: 965bfd0f1cfd7455fd6ee06e6a1936f8dfc3e5744f65619aba7ec27ec23e3c5f
revisions tested: 19, total time: 5h23m41.984887355s (build: 3h19m51.333108788s, test: 1h57m6.983370881s)
first good commit: 2883e9e74f73f9265e5f8d1aaaa89034b308e433 ext4: fix off-by-one error in do_split
recipients (to): ["a.sadovnikov@ispras.ru" "gregkh@linuxfoundation.org" "jack@suse.cz" "tytso@mit.edu"]
recipients (cc): []