ci2 starts bisection 2023-07-01 20:16:28.299315375 +0000 UTC m=+33739.265452865 bisecting fixing commit since ca57f02295f188d6c65ec02202402979880fa6d8 building syzkaller on ca9683b89903c4b91d1ccce66646d0673bd160a6 ensuring issue is reproducible on original commit ca57f02295f188d6c65ec02202402979880fa6d8 testing commit ca57f02295f188d6c65ec02202402979880fa6d8 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1949c593f304d6842cc90e0d9e0344cf8cf30d6416b1e0264ca4ae24f0e9f713 all runs: crashed: KASAN: use-after-free Read in reiserfs_release_objectid testing current HEAD f8566aa4f1766bb0267b7a0ed89c1d2c4a82ee1a testing commit f8566aa4f1766bb0267b7a0ed89c1d2c4a82ee1a gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: aa6fb173dff43620897c8385c9129c57d9db875fa253d42a0c73f352359068c1 run #0: crashed: KASAN: use-after-free Read in reiserfs_release_objectid run #1: crashed: KASAN: use-after-free Read in reiserfs_release_objectid run #2: crashed: UBSAN: array-index-out-of-bounds in do_journal_end run #3: crashed: UBSAN: array-index-out-of-bounds in do_journal_end run #4: crashed: KASAN: use-after-free Read in reiserfs_release_objectid run #5: crashed: KASAN: use-after-free Read in reiserfs_release_objectid run #6: crashed: UBSAN: array-index-out-of-bounds in do_journal_end run #7: crashed: KASAN: use-after-free Read in reiserfs_release_objectid run #8: crashed: KASAN: use-after-free Read in reiserfs_release_objectid run #9: crashed: KASAN: use-after-free Read in reiserfs_release_objectid crash still not fixed/happens on the oldest tested release revisions tested: 2, total time: 50m59.178434955s (build: 41m57.783942613s, test: 6m52.247775928s) crash still not fixed on HEAD or HEAD had kernel test errors commit msg: Merge tag 'x86-urgent-2023-07-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip crash: KASAN: use-after-free Read in reiserfs_release_objectid REISERFS (device loop0): checking transaction log (loop0) REISERFS (device loop0): Using r5 hash to sort names REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. ================================================================== BUG: KASAN: use-after-free in reiserfs_release_objectid+0x48f/0x8c0 Read of size 14568 at addr ffff88807010c0d0 by task syz-executor.0/5420 CPU: 1 PID: 5420 Comm: syz-executor.0 Not tainted 6.4.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: dump_stack_lvl+0x12e/0x1d0 print_report+0x163/0x510 kasan_report+0x107/0x140 kasan_check_range+0x27e/0x290 __asan_memmove+0x29/0x70 reiserfs_release_objectid+0x48f/0x8c0 remove_save_link+0x28d/0x460 reiserfs_evict_inode+0x292/0x390 evict+0x262/0x550 __dentry_kill+0x38b/0x560 dentry_kill+0xbb/0x1e0 dput+0x169/0x300 do_renameat2+0xa81/0x1260 __x64_sys_rename+0x81/0x90 do_syscall_64+0x41/0xc0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fed47a8c0d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fed48837168 EFLAGS: 00000246 ORIG_RAX: 0000000000000052 RAX: ffffffffffffffda RBX: 00007fed47babf80 RCX: 00007fed47a8c0d9 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000020000140 RBP: 00007fed47ae7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffcfe32572f R14: 00007fed48837300 R15: 0000000000022000 The buggy address belongs to the physical page: page:ffffea0001c04300 refcount:2 mapcount:0 mapping:ffff888145412b00 index:0x10 pfn:0x7010c memcg:ffff88807c1bc000 aops:def_blk_aops ino:700000 flags: 0xfff00000022036(referenced|uptodate|lru|active|private|mappedtodisk|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000022036 ffffea0001b44a48 ffffea0001c04408 ffff888145412b00 raw: 0000000000000010 ffff8880738efe80 00000002ffffffff ffff88807c1bc000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5420, tgid 5419 (syz-executor.0), ts 71013969753, free_ts 71011952761 get_page_from_freelist+0x3187/0x3300 __alloc_pages+0x255/0x670 folio_alloc+0x13/0x30 filemap_alloc_folio+0xc6/0x3a0 __filemap_get_folio+0x17c/0x620 __getblk_gfp+0x1e4/0x560 __bread_gfp+0xe/0x220 read_super_block+0x84/0x700 reiserfs_fill_super+0x80d/0x20e0 mount_bdev+0x232/0x340 legacy_get_tree+0xe9/0x170 vfs_get_tree+0x7f/0x220 do_new_mount+0x1e5/0x940 __se_sys_mount+0x20d/0x2a0 do_syscall_64+0x41/0xc0 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: free_unref_page_prepare+0x8fe/0xa10 free_unref_page_list+0x596/0x830 release_pages+0x1a07/0x1bc0 tlb_flush_mmu+0xe9/0x1e0 tlb_finish_mmu+0xb6/0x1c0 exit_mmap+0x33a/0x8a0 __mmput+0xcb/0x300 exit_mm+0x1bc/0x270 do_exit+0x4d0/0x1cf0 do_group_exit+0x1b9/0x280 __x64_sys_exit_group+0x3f/0x40 do_syscall_64+0x41/0xc0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff88807010cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807010cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807010d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807010d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807010d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================