ci2 starts bisection 2024-12-26 04:53:40.41128074 +0000 UTC m=+204332.358991163
bisecting fixing commit since 61cfd264993d07540f60a5c53d77a14c818e54a9
building syzkaller on cb976f63e0177b96eb9ce1c631cc5e2c4b4b0759
ensuring issue is reproducible on original commit 61cfd264993d07540f60a5c53d77a14c818e54a9
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c9ca2db1fddf61cfa4d5f6ea33a4160a4a141c4e570b2c5fed0e73ce4d3090b4
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
run #10: crashed: KASAN: use-after-free Read in ext4_search_dir
run #11: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #12: crashed: KASAN: use-after-free Read in ext4_search_dir
run #13: crashed: KASAN: use-after-free Read in ext4_search_dir
run #14: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #15: crashed: KASAN: use-after-free Read in ext4_search_dir
run #16: crashed: KASAN: use-after-free Read in ext4_search_dir
run #17: crashed: KASAN: use-after-free Read in ext4_search_dir
run #18: crashed: KASAN: use-after-free Read in ext4_search_dir
run #19: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 508f5eba5c0e6780c087eddd935687922e26102d7b17e2c4ff83fe127e06452f
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4920 full=6161 leaves diff=241
split chunks (needed=false): <241>
split chunk #0 of len 241 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c29fe5dd2e84ee4739aed82ec443c31f3506f529a8c6fe795fd8d5f075879c55
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 855258c86a3a511d39f2863f39ae27aa2b227ce40c79e5e9c85d5019a7b37da6
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 466dfce281c6f067b42023931e689fa2f0ffedfa84da3dff54bab25cdd7c56cb
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 29d936d2adc0c7e342a43476b2658a76addba5df8d5ec53a1d5abe4b18b9ccd0
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: slab-out-of-bounds Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 61cfd264993d07540f60a5c53d77a14c818e54a9: net/socket.c:1189: undefined reference to `wext_handle_ioctl'
net/socket.c:3383: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD b4bd207b0380c89a7134705d0cddb3541912562b
testing commit b4bd207b0380c89a7134705d0cddb3541912562b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e59219cd414173b0536f24c606613e0b9496dd45b55ecffc52f02a0416427155
all runs: OK
false negative chance: 0.000
# git bisect start b4bd207b0380c89a7134705d0cddb3541912562b 61cfd264993d07540f60a5c53d77a14c818e54a9
Bisecting: 3863 revisions left to test after this (roughly 12 steps)
[5965bc7535fb87510b724e5465ccc1a1cf00916d] bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
determine whether the revision contains the guilty commit
checking the merge base 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5
no existing result, test the revision
testing commit 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 418249be7796bc899e9a254f8094b8415913d8bb520d167fc6d90726ccf7764e
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: slab-out-of-bounds Read in ext4_search_dir, types: [KASAN]
testing commit 5965bc7535fb87510b724e5465ccc1a1cf00916d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 24d74fd5b96dbd81b6cda596a6dd801873a2590f32d042257a3a02ae55cef239
run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: slab-out-of-bounds Read in ext4_search_dir, types: [KASAN]
# git bisect good 5965bc7535fb87510b724e5465ccc1a1cf00916d
Bisecting: 1932 revisions left to test after this (roughly 11 steps)
[8e73f8d6a4553b65b1783a4286036269ab61b1e8] mptcp: constify a bunch of of helpers
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 8e73f8d6a4553b65b1783a4286036269ab61b1e8 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2e32a17f591713c02142dd3594883fffd6a1cdb5d23b61e343c4d83a1221557e
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 8e73f8d6a4553b65b1783a4286036269ab61b1e8
Bisecting: 966 revisions left to test after this (roughly 10 steps)
[399927f0f875b93f3d5a0336d382ba48b8671eb2] serial: protect uart_port_dtr_rts() in uart_shutdown() too
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 399927f0f875b93f3d5a0336d382ba48b8671eb2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d5632333104af05089dbef300401a0879023588d5008c2bb5552eb10395e5d95
all runs: OK
false negative chance: 0.000
# git bisect bad 399927f0f875b93f3d5a0336d382ba48b8671eb2
Bisecting: 482 revisions left to test after this (roughly 9 steps)
[84554d42ff532b2db5cfc9ae6875c85ad7bd7787] i2c: isch: Add missed 'else'
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 84554d42ff532b2db5cfc9ae6875c85ad7bd7787 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2da934e1e302d465b7dcf8549a27f5add5e836a7b2f67cd473e7404c20c374c6
all runs: OK
false negative chance: 0.000
# git bisect bad 84554d42ff532b2db5cfc9ae6875c85ad7bd7787
Bisecting: 241 revisions left to test after this (roughly 8 steps)
[bf090f4fe935294361eabd9dc5a949fdd77d3d1b] wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit bf090f4fe935294361eabd9dc5a949fdd77d3d1b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b2d5f293bfd8f879c6fb3278e4329c0b1545a375429e1e31bd492f5ec288f3b8
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good bf090f4fe935294361eabd9dc5a949fdd77d3d1b
Bisecting: 120 revisions left to test after this (roughly 7 steps)
[15bcd2dc26d7cb368e8dc93b4e5152f7f3fded33] RDMA/hns: Don't modify rq next block addr in HIP09 QPC
determine whether the revision contains the guilty commit
revision 5965bc7535fb87510b724e5465ccc1a1cf00916d crashed and is reachable
testing commit 15bcd2dc26d7cb368e8dc93b4e5152f7f3fded33 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 343b97d34ba645cf6ab388372ceb7f1536d47cad81e8aba60af7c96dc3b0e36e
all runs: OK
false negative chance: 0.000
# git bisect bad 15bcd2dc26d7cb368e8dc93b4e5152f7f3fded33
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[b43f548e7593b86bb11db04fea564818e04ef754] drm/msm/a5xx: properly clear preemption records on resume
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit b43f548e7593b86bb11db04fea564818e04ef754 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2dc2253b395018f60b25aca237aea0992e7357c2737ed037403453f275c22e4c
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good b43f548e7593b86bb11db04fea564818e04ef754
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[42d44163d41b2caaef023a0df75fbf005af8afdc] nilfs2: determine empty node blocks as corrupted
determine whether the revision contains the guilty commit
revision b43f548e7593b86bb11db04fea564818e04ef754 crashed and is reachable
testing commit 42d44163d41b2caaef023a0df75fbf005af8afdc gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d133831e0e215ecdc787a9edcfb9c5611d1ad8f151b370559fc6e0ae2988a469
all runs: OK
false negative chance: 0.000
# git bisect bad 42d44163d41b2caaef023a0df75fbf005af8afdc
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[e0fcf564cb6cd56f3b84665fa52400a6bdd7a5bf] selftests/bpf: Fix compiling tcp_rtt.c with musl-libc
determine whether the revision contains the guilty commit
revision b43f548e7593b86bb11db04fea564818e04ef754 crashed and is reachable
testing commit e0fcf564cb6cd56f3b84665fa52400a6bdd7a5bf gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ab7438b6de1d4470885eb7f64846c921b2e9dcafe99b11d9e26a3267fef6db8d
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good e0fcf564cb6cd56f3b84665fa52400a6bdd7a5bf
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[38c0090658e0dae150189a39e221a3b8bafd65a3] ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 38c0090658e0dae150189a39e221a3b8bafd65a3 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 891dd1fe5d5c69c65a0c43fe697e38616b482ce0ddb4bde9734547825bf133df
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 38c0090658e0dae150189a39e221a3b8bafd65a3
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[bf4cabdf3a86ebb39c343ebb498e19f033a631e7] ext4: avoid negative min_clusters in find_group_orlov()
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit bf4cabdf3a86ebb39c343ebb498e19f033a631e7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 69a1cffdead76ac806a817e80e7a9824b7ee1f05a7019741da636e346bd423ef
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good bf4cabdf3a86ebb39c343ebb498e19f033a631e7
Bisecting: 1 revision left to test after this (roughly 1 step)
[be2e9b111e2790962cc66a177869b4e9717b4e29] ext4: avoid OOB when system.data xattr changes underneath the filesystem
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit be2e9b111e2790962cc66a177869b4e9717b4e29 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 77b5c1508b285f37c6e58d7abc92f089fccebd8dfa6bbf59aa92895cc808c280
all runs: OK
false negative chance: 0.000
# git bisect bad be2e9b111e2790962cc66a177869b4e9717b4e29
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[299d996f1031f60e539d3bfd34d1d9c9facf1e9c] ext4: return error on ext4_find_inline_entry
determine whether the revision contains the guilty commit
revision 5965bc7535fb87510b724e5465ccc1a1cf00916d crashed and is reachable
testing commit 299d996f1031f60e539d3bfd34d1d9c9facf1e9c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 78d183f77f9ab9cbc77d52e6f7688be950a72c7eeab391f8d294195a7850b89f
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
# git bisect good 299d996f1031f60e539d3bfd34d1d9c9facf1e9c
be2e9b111e2790962cc66a177869b4e9717b4e29 is the first bad commit
commit be2e9b111e2790962cc66a177869b4e9717b4e29
Author: Thadeu Lima de Souza Cascardo
Date:   Wed Aug 21 12:23:24 2024 -0300

    ext4: avoid OOB when system.data xattr changes underneath the filesystem

    [ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ]

    When looking up for an entry in an inlined directory, if e_value_offs is
    changed underneath the filesystem by some change in the block device, it
    will lead to an out-of-bounds access that KASAN detects as an UAF.

    EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
    loop0: detected capacity change from 2048 to 2047
    ==================================================================
    BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
    Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103

    CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:93 [inline]
     dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
     print_address_description mm/kasan/report.c:377 [inline]
     print_report+0x169/0x550 mm/kasan/report.c:488
     kasan_report+0x143/0x180 mm/kasan/report.c:601
     ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
     ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
     __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
     ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
     ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
     lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
     filename_create+0x297/0x540 fs/namei.c:3980
     do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
     __do_sys_symlinkat fs/namei.c:4610 [inline]
     __se_sys_symlinkat fs/namei.c:4607 [inline]
     __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f3e73ced469
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
    RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
    RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
    RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
    R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
    R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0

    Calling ext4_xattr_ibody_find right after reading the inode with
    ext4_get_inode_loc will lead to a check of the validity of the xattrs,
    avoiding this problem.

    Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79
    Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data")
    Signed-off-by: Thadeu Lima de Souza Cascardo
    Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Sasha Levin

 fs/ext4/inline.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

accumulated error probability: 0.00
culprit signature: 77b5c1508b285f37c6e58d7abc92f089fccebd8dfa6bbf59aa92895cc808c280
parent signature: 78d183f77f9ab9cbc77d52e6f7688be950a72c7eeab391f8d294195a7850b89f
revisions tested: 21, total time: 4h47m1.793667668s (build: 2h10m55.642059656s, test: 2h29m52.847869005s)
first good commit: be2e9b111e2790962cc66a177869b4e9717b4e29 ext4: avoid OOB when system.data xattr changes underneath the filesystem
recipients (to): ["cascardo@igalia.com" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []
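The commit message above describes the bug class behind this bisection: an inline directory's data lives in the system.data xattr value, and if the on-disk e_value_offs is changed underneath the mounted filesystem, the lookup in ext4_search_dir walks off the end of the in-inode xattr area, which KASAN reports as a use-after-free or slab-out-of-bounds read. The fix validates the xattr entries before they are used. What follows is an added example, not the commit's patch and not ext4 code: a simplified C model of the same pattern, with a trusting lookup beside a checked one. All of it is constructed for illustration: IBODY_SIZE, struct xattr_entry (two fields only), struct ibody_image, the one-byte-length record format, and the functions xattr_entry_valid, lookup_unchecked, lookup_checked and build_image are assumptions of this example and do not mirror ext4's real layouts or helpers.

```c
/* Added example, not ext4 code: a constructed model of "offset trusted from
 * disk" versus "offset validated before use". Structure names, field set and
 * record format are simplifications invented for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IBODY_SIZE 64u                  /* constructed size of the xattr body */

struct xattr_entry {                    /* simplified: only the two fields used */
    uint16_t e_value_offs;              /* value offset from start of ibody */
    uint32_t e_value_size;              /* value length in bytes */
};

struct ibody_image {                    /* constructed "on-disk" image */
    uint8_t bytes[IBODY_SIZE];
    struct xattr_entry entry;           /* header as read from the device */
};

/* Returns 1 if the value lies entirely inside [entries_end, ibody_size),
 * i.e. after the entry table and before the end of the body. */
int xattr_entry_valid(const struct xattr_entry *e, size_t entries_end,
                      size_t ibody_size)
{
    if (entries_end > ibody_size)
        return 0;
    if (e->e_value_offs < entries_end || e->e_value_offs > ibody_size)
        return 0;
    if (e->e_value_size > ibody_size - e->e_value_offs)
        return 0;
    return 1;
}

/* Inline directory records (constructed format): one length byte followed by
 * the name; a zero length terminates. Returns 1 found, 0 not found, -1 if a
 * record runs past the value, which is corruption inside the value itself. */
static int search_records(const uint8_t *data, size_t len, const char *name)
{
    size_t nlen = strlen(name), pos = 0;
    while (pos < len) {
        uint8_t rlen = data[pos];
        if (rlen == 0)
            return 0;
        if (pos + 1 + rlen > len)
            return -1;
        if (rlen == nlen && memcmp(data + pos + 1, name, nlen) == 0)
            return 1;
        pos += 1 + rlen;
    }
    return 0;
}

/* The bug class: e_value_offs/e_value_size are dereferenced as read, so a
 * header changed on the block device sends the read outside the ibody. */
int lookup_unchecked(const struct ibody_image *img, const char *name)
{
    return search_records(img->bytes + img->entry.e_value_offs,
                          img->entry.e_value_size, name);
}

/* The fix pattern: validate the header against the body bounds before any
 * dereference and fail the lookup on corruption instead of reading past it. */
int lookup_checked(const struct ibody_image *img, const char *name)
{
    if (!xattr_entry_valid(&img->entry, sizeof(img->entry), IBODY_SIZE))
        return -1;                      /* treat as a corrupted filesystem */
    return lookup_unchecked(img, name);
}

/* Build a constructed image: header at offset 0, records at value offset 16. */
void build_image(struct ibody_image *img, const char *const *names, size_t n)
{
    size_t pos = 16;
    memset(img, 0, sizeof(*img));
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(names[i]);
        if (l > 255 || pos + 1 + l + 1 > IBODY_SIZE)   /* keep room for terminator */
            break;
        img->bytes[pos++] = (uint8_t)l;
        memcpy(img->bytes + pos, names[i], l);
        pos += l;
    }
    img->bytes[pos++] = 0;
    img->entry.e_value_offs = 16;
    img->entry.e_value_size = (uint32_t)(pos - 16);
}

int main(void)
{
    static const char *const names[] = { "file1", "file2" };
    struct ibody_image img;
    build_image(&img, names, 2);
    printf("checked lookup of file2: %d\n", lookup_checked(&img, "file2"));
    /* Simulate the device changing underneath: the offset now points near the
     * end of the body and the size runs past it. The checked lookup rejects
     * it; the unchecked one would read out of bounds, so it is not called. */
    img.entry.e_value_offs = IBODY_SIZE - 4;
    img.entry.e_value_size = 32;
    printf("checked lookup after corruption: %d\n", lookup_checked(&img, "file2"));
    return 0;
}
```

The point the model makes is the one the commit message makes: the read in the search routine is correct for a well-formed value, so the guard has to sit where the offsets come off the disk, before the first dereference, and has to bound both the start and the end of the value against the area that actually holds it.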