bisecting fixing commit since b850307b279cbd12ab8c654d1a3dfe55319cc475
building syzkaller on eabcced43245881efa7769d938bcaf795ed48742
testing commit b850307b279cbd12ab8c654d1a3dfe55319cc475 with gcc (GCC) 8.1.0
kernel signature: e3982a20de2ec484e70e1ce5f9a7a8cdac46d5af5db5b4a32a0c00f23a77f662
run #0: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #1: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #2: crashed: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
run #3: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #4: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #5: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #6: crashed: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
run #7: crashed: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
run #8: OK
run #9: OK
testing current HEAD 2d2791fce891fc20709232d49a6bae075b9a77f8
testing commit 2d2791fce891fc20709232d49a6bae075b9a77f8 with gcc (GCC) 8.1.0
kernel signature: 326895e649b218a9c34fe2ee4ded6c6b46e2f16aa15f554542820666a58cf1d3
run #0: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #1: crashed: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
run #2: crashed: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
run #3: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #4: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #5: crashed: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
run #6: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #7: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #8: crashed: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
run #9: OK
revisions tested: 2, total time: 34m16.059501547s (build: 16m37.425617721s, test: 17m1.787978374s)
the crash still happens on HEAD
commit msg: Linux 4.14.217
crash: KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
==================================================================
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2c6/0x3f0 fs/ext4/dir.c:82
Read of size 1 at addr ffff8881d7cb9001 by task syz-executor.3/7141

CPU: 1 PID: 7141 Comm: syz-executor.3 Not tainted 4.14.217-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x14b/0x1e7 lib/dump_stack.c:58
 print_address_description.cold.6+0x9/0x1ca mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.7+0x11a/0x2d3 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 __ext4_check_dir_entry+0x2c6/0x3f0 fs/ext4/dir.c:82
 ext4_readdir+0x72a/0x2e00 fs/ext4/dir.c:240
 iterate_dir+0x188/0x660 fs/readdir.c:52
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
 SYSC_getdents fs/readdir.c:269 [inline]
 SyS_getdents+0x111/0x1d0 fs/readdir.c:250
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45cad9
RSP: 002b:00007f6a59025c78 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
RAX: ffffffffffffffda RBX: 00000000004dd0a0 RCX: 000000000045cad9
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
batman_adv: batadv0: Interface activated: batadv_slave_1
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
device veth1_macvtap entered promiscuous mode
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000000f6 R14: 00000000004c3a80 R15: 00007f6a590266d4

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881d7cb9040
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 63 bytes to the left of
 512-byte region [ffff8881d7cb9040, ffff8881d7cb9240)
The buggy address belongs to the page:
page:ffffea00075f2e40 count:1 mapcount:0 mapping:ffff8881d7cb9040 index:0x0
flags: 0x17ffe0000000100(slab)
raw: 017ffe0000000100 ffff8881d7cb9040 0000000000000000 0000000100000006
raw: ffffea00075f2ce0 ffffea00076965a0 ffff8881f6000940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d7cb8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d7cb8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881d7cb9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
                   ^
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
 ffff8881d7cb9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
 ffff8881d7cb9100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
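The report above gives the faulting address, the slab object KASAN attributes it to, and a shadow-memory dump, with unrelated batman_adv and IPv6 messages interleaved by the concurrently running fuzzer. The following triage helper is an added example, not part of the syzbot report or of syzkaller: it parses such a report, recomputes the "N bytes to the left/right of" offset from the raw addresses, and decodes the shadow poison byte that covers the access (poison values as defined in mm/kasan/kasan.h of the 4.14 kernel). The embedded sample report is a constructed excerpt of the lines above, including one interleaved message to show that it is skipped.

```python
"""Triage helper for a KASAN slab report (added example; not syzbot/syzkaller code)."""
import re

# Shadow poison values from mm/kasan/kasan.h (Linux 4.14). 0x00 means the whole
# 8-byte granule is addressable; 0x01..0x07 mean only the first N bytes are.
POISON = {
    0xFF: "free page",
    0xFE: "page redzone",
    0xFC: "kmalloc redzone",
    0xFB: "freed kmalloc object",
    0xFA: "global redzone",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
}
SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of kernel memory

# Constructed sample: an excerpt of the report above, with one interleaved
# unrelated kernel message left in deliberately.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2c6/0x3f0 fs/ext4/dir.c:82
Read of size 1 at addr ffff8881d7cb9001 by task syz-executor.3/7141
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
The buggy address belongs to the object at ffff8881d7cb9040
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 63 bytes to the left of
 512-byte region [ffff8881d7cb9040, ffff8881d7cb9240)
Memory state around the buggy address:
 ffff8881d7cb8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881d7cb9000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
                   ^
 ffff8881d7cb9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def parse_report(text):
    """Extract the fields a triager needs. Lines that match no pattern (for
    example interleaved batman_adv/IPv6 messages) are simply ignored."""
    info = {"shadow": {}}
    m = re.search(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text, re.M)
    if m:
        info["access"], info["size"] = m.group(1), int(m.group(2))
        info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
    m = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    if m:
        info["object"] = int(m.group(1), 16)
    m = re.search(r"belongs to the cache (\S+) of size (\d+)", text)
    if m:
        info["cache"], info["cache_size"] = m.group(1), int(m.group(2))
    m = re.search(r"located (\d+) bytes to the (left|right) of", text)
    if m:
        info["claimed_offset"], info["claimed_side"] = int(m.group(1)), m.group(2)
    m = re.search(r"\[([0-9a-f]+), ([0-9a-f]+)\)", text)
    if m:
        info["region"] = (int(m.group(1), 16), int(m.group(2), 16))
    # Shadow rows: optional '>' marker, 16-hex-digit base, then 16 shadow bytes.
    for m in re.finditer(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        info["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return info


def shadow_for(info, addr):
    """Return (row_base, index, poison) for the shadow byte covering addr, or None."""
    for base, row in info["shadow"].items():
        if base <= addr < base + 16 * SHADOW_GRANULE:
            idx = (addr - base) // SHADOW_GRANULE
            return base, idx, row[idx]
    return None


def describe_poison(value):
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return f"partially addressable (first {value} bytes of granule)"
    return POISON.get(value, f"unknown poison 0x{value:02x}")


def triage(text):
    """Recompute the object-relative offset the way print_address_description()
    does and cross-check it against what the report claims."""
    info = parse_report(text)
    addr, (start, end) = info["addr"], info["region"]
    if addr < start:
        side, rel = "left", start - addr
    elif addr >= end:
        side, rel = "right", addr - end
    else:
        side, rel = "inside", addr - start
    sh = shadow_for(info, addr)
    return {
        "access": f"{info['access']} of {info['size']} byte(s) by {info['task']}",
        "addr": addr, "object": start, "cache": info.get("cache"),
        "side": side, "rel_bytes": rel,
        "matches_report": side == info.get("claimed_side") and rel == info.get("claimed_offset"),
        "poison": sh[2] if sh else None,
        "poison_meaning": describe_poison(sh[2]) if sh else "no shadow row covers addr",
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k:16} {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:16} {v}")
```

For the report above the helper confirms the arithmetic (0xffff8881d7cb9040 - 0xffff8881d7cb9001 = 63, so the read lands before the start of the kmalloc-512 object) and decodes the 0xfc shadow byte as kmalloc redzone, which is why KASAN files it as slab-out-of-bounds rather than use-after-free; the use-after-free variants in the bisection runs would show 0xfb at the access instead.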