ci2 starts bisection 2024-03-07 21:47:19.812995653 +0000 UTC m=+31030.367861470 bisecting fixing commit since 09045dae0d902f9f78901a26c7ff1714976a38f9 building syzkaller on 0b6a67ac4b0dc26f43030c5edd01c9175f13b784 ensuring issue is reproducible on original commit 09045dae0d902f9f78901a26c7ff1714976a38f9 testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 21c4b8b7fb79b3db3e40e6a303cf3008f58fa43d5b3371306e5c9e84e575dd3c run #0: crashed: KASAN: use-after-free Read in ext4_find_extent run #1: crashed: KASAN: use-after-free Read in ext4_find_extent run #2: crashed: KASAN: use-after-free Read in ext4_find_extent run #3: crashed: KASAN: use-after-free Read in ext4_find_extent run #4: crashed: KASAN: use-after-free Read in ext4_find_extent run #5: crashed: KASAN: use-after-free Read in ext4_find_extent run #6: crashed: KASAN: use-after-free Read in ext4_find_extent run #7: crashed: KASAN: use-after-free Read in ext4_find_extent run #8: crashed: KASAN: use-after-free Read in ext4_find_extent run #9: crashed: KASAN: use-after-free Read in ext4_find_extent run #10: crashed: KASAN: use-after-free Read in ext4_find_extent run #11: crashed: KASAN: use-after-free Read in ext4_find_extent run #12: crashed: KASAN: use-after-free Read in ext4_find_extent run #13: crashed: KASAN: use-after-free Read in ext4_find_extent run #14: crashed: KASAN: use-after-free Read in ext4_find_extent run #15: crashed: KASAN: use-after-free Read in ext4_find_extent run #16: crashed: KASAN: use-after-free Read in ext4_find_extent run #17: crashed: KASAN: use-after-free Read in ext4_ext_insert_extent run #18: crashed: KASAN: use-after-free Read in ext4_find_extent run #19: crashed: KASAN: use-after-free Read in ext4_find_extent representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b2bc329db94324ed5fdade2868b7e1fdd6aaa38057e4e3f510a976b193e9a5a4 all runs: crashed: KASAN: use-after-free Read in ext4_find_extent representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed kconfig minimization: base=3820 full=7527 leaves diff=1997 split chunks (needed=false): <1997> split chunk #0 of len 1997 into 5 parts testing without sub-chunk 1/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 57ce495499c6745710eb50f261e32a75fbdad5f42ad87283fce4eac5d26074be all runs: crashed: KASAN: use-after-free Read in ext4_find_extent representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2f12331ba3aa5210d013b2b3699ca80bd481e3867497306904c9e7832815f33d run #0: crashed: KASAN: use-after-free Read in ext4_find_extent run #1: crashed: KASAN: use-after-free Read in ext4_find_extent run #2: crashed: KASAN: use-after-free Read in ext4_find_extent run #3: crashed: KASAN: use-after-free Read in ext4_find_extent run #4: crashed: KASAN: use-after-free Read in ext4_find_extent run #5: crashed: KASAN: use-after-free Read in ext4_find_extent run #6: crashed: KASAN: use-after-free Read in ext4_find_extent run #7: crashed: KASAN: use-after-free Read in ext4_find_extent run #8: crashed: KASAN: use-after-free Read in ext4_find_extent run #9: crashed: KASAN: out-of-bounds Read in ext4_find_extent representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e1ba25d2ada884234c014cc31644333f98e51eaa65d83ae003df004c119e19ec all runs: crashed: KASAN: use-after-free Read in ext4_find_extent representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 356f01b62edcd6b565d5a86b7355b7acbbd7e684e32333fc364e7e8961fc5ef5 all runs: crashed: KASAN: use-after-free Read in ext4_find_extent representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: dbf8ef07c20c8c7e67e0a511e89dd2fd34a0f5a5d518fd310a6b0f43313d8f19 all runs: crashed: KASAN: use-after-free Read in ext4_find_extent representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN] the chunk can be dropped disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing current HEAD 61adba85cc40287232a539e607164f273260e0fe testing commit 61adba85cc40287232a539e607164f273260e0fe gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 85be114867ce6e1901e0eb1f1d506d349d806de550a5faae77d51ee8c5d220c6 run #0: crashed: KASAN: use-after-free Read in ext4_find_extent run #1: crashed: KASAN: use-after-free Read in ext4_find_extent run #2: crashed: KASAN: use-after-free Read in ext4_find_extent run #3: crashed: KASAN: use-after-free Read in ext4_find_extent run #4: crashed: KASAN: use-after-free Read in ext4_find_extent run #5: crashed: KASAN: use-after-free Read in ext4_find_extent run #6: crashed: KASAN: use-after-free Read in ext4_find_extent run #7: crashed: KASAN: use-after-free Read in ext4_find_extent run #8: crashed: KASAN: use-after-free Read in ext4_ext_insert_extent run #9: crashed: KASAN: use-after-free Read in ext4_find_extent representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 8, total time: 58m54.103810393s (build: 29m53.683099766s, test: 26m26.903449879s) crash still not fixed or there were kernel test errors commit msg: Linux 6.1.81 crash: KASAN: use-after-free Read in ext4_find_extent ================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0xb24/0xcd0 fs/ext4/extents.c:953 Read of size 4 at addr ffff888124dd5070 by task syz-executor.0/1509 CPU: 0 PID: 1509 Comm: syz-executor.0 Not tainted 6.1.81-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xf4/0x251 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:395 kasan_report+0x136/0x160 mm/kasan/report.c:495 ext4_ext_binsearch fs/ext4/extents.c:837 [inline] ext4_find_extent+0xb24/0xcd0 fs/ext4/extents.c:953 ext4_ext_map_blocks+0x28b/0x65c0 fs/ext4/extents.c:4142 ext4_map_blocks+0x82a/0x1810 fs/ext4/inode.c:651 _ext4_get_block+0x1d0/0x540 fs/ext4/inode.c:798 __block_write_begin_int+0x32a/0x1150 fs/buffer.c:1991 __block_write_begin fs/buffer.c:2041 [inline] block_page_mkwrite+0x218/0x400 fs/buffer.c:2510 ext4_page_mkwrite+0x5d9/0xf20 fs/ext4/inode.c:6267 do_page_mkwrite+0x149/0x410 mm/memory.c:2992 wp_page_shared+0x146/0x540 mm/memory.c:3341 handle_pte_fault mm/memory.c:5031 [inline] __handle_mm_fault mm/memory.c:5155 [inline] handle_mm_fault+0x91a/0x2bf0 mm/memory.c:5276 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline] handle_page_fault arch/x86/mm/fault.c:1471 [inline] exc_page_fault+0x22a/0x5e0 arch/x86/mm/fault.c:1527 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0033:0x7f03f00e4cc7 Code: ce 48 ff c7 48 01 fe 48 8d 54 11 80 0f 1f 80 00 00 00 00 c5 fe 6f 0e c5 fe 6f 56 20 c5 fe 6f 5e 40 c5 fe 6f 66 60 48 83 ee 80 fd 7f 0f c5 fd 7f 57 20 c5 fd 7f 5f 40 c5 fd 7f 67 60 48 83 ef RSP: 002b:00007ffc0d145d18 EFLAGS: 00010203 RAX: 0000000020003600 RBX: 00007ffc0d145e28 RCX: 0000000020003600 RDX: 00000000200036a9 RSI: 00007f03efca77b0 RDI: 0000000020003620 RBP: 0000000000000001 R08: 0000000000000000 R09: 00007f03f0222f8c R10: 00007ffc0d145e50 R11: 0000000000000246 R12: 00007f03efca76f0 R13: fffffffffffffffe R14: 00007f03efc87000 R15: 00007f03efca76f8 The buggy address belongs to the physical page: page:ffffea0004937540 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x124dd5 flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 ffffea0004937588 ffffea0004937508 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 1449, tgid 1449 (modprobe), ts 55265911326, free_ts 55274125851 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x286/0x2b0 mm/page_alloc.c:2513 prep_new_page mm/page_alloc.c:2520 [inline] get_page_from_freelist+0x2ba7/0x2de0 mm/page_alloc.c:4279 __alloc_pages+0x251/0x640 mm/page_alloc.c:5545 vma_alloc_folio+0x689/0x870 mm/mempolicy.c:2243 alloc_page_vma include/linux/gfp.h:284 [inline] do_anonymous_page mm/memory.c:4172 [inline] handle_pte_fault mm/memory.c:5011 [inline] __handle_mm_fault mm/memory.c:5155 [inline] handle_mm_fault+0x184b/0x2bf0 mm/memory.c:5276 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline] handle_page_fault arch/x86/mm/fault.c:1471 [inline] exc_page_fault+0x22a/0x5e0 arch/x86/mm/fault.c:1527 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1440 [inline] free_pcp_prepare mm/page_alloc.c:1490 [inline] free_unref_page_prepare+0xca9/0xd80 mm/page_alloc.c:3358 free_unref_page_list+0xaa/0x690 mm/page_alloc.c:3499 release_pages+0x1763/0x1900 mm/swap.c:1055 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:254 [inline] tlb_flush_mmu+0x26f/0x3d0 mm/mmu_gather.c:261 tlb_finish_mmu+0xb0/0x1b0 mm/mmu_gather.c:361 exit_mmap+0x311/0x700 mm/mmap.c:3239 __mmput+0x61/0x290 kernel/fork.c:1199 exit_mm+0x122/0x1b0 kernel/exit.c:563 do_exit+0x81e/0x23a0 kernel/exit.c:856 do_group_exit+0x1b5/0x280 kernel/exit.c:1019 __do_sys_exit_group kernel/exit.c:1030 [inline] __se_sys_exit_group kernel/exit.c:1028 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3d/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff888124dd4f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888124dd4f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888124dd5000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888124dd5080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888124dd5100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================