ci starts bisection 2022-11-13 05:13:06.794288015 +0000 UTC m=+220950.851811992
bisecting cause commit starting from f8f60f322f0640c8edda2942ca5f84b7a27c417a
building syzkaller on 3ead01ade920906b89aff0066a9d5e922ee270c8
ensuring issue is reproducible on original commit f8f60f322f0640c8edda2942ca5f84b7a27c417a

testing commit f8f60f322f0640c8edda2942ca5f84b7a27c417a gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bb7f41261ec09c7980d5abb6b7f9499d9cc65e5280ea4a648dfc59e71564dca7
all runs: crashed: UBSAN: shift-out-of-bounds in dbMount
testing release v6.0
testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2b4beee895b9c3a8b01839ecda9044442d31dc268aff282b0226b857762261da
all runs: OK
# git bisect start f8f60f322f0640c8edda2942ca5f84b7a27c417a 4fe89d07dcc2804c8b562f6c7896a45643d34b2f
Bisecting: 10347 revisions left to test after this (roughly 13 steps)
[27bc50fc90647bbf7b734c3fc306a5e61350da53] Merge tag 'mm-stable-2022-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

testing commit 27bc50fc90647bbf7b734c3fc306a5e61350da53 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eced02fe3c997b03292da0b9b14b8a5c33be125b1d5e12b8e3d8db7b54992309
all runs: boot failed: WARNING in cpumask_next_wrap
# git bisect skip 27bc50fc90647bbf7b734c3fc306a5e61350da53
Bisecting: 10347 revisions left to test after this (roughly 13 steps)
[c52f0935ef5f5ade564a8ff1c32a7df2ea279811] dt-bindings: mmc: mtk-sd: add Inline Crypto Engine clock

testing commit c52f0935ef5f5ade564a8ff1c32a7df2ea279811 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ef2563d1bf450a267acaada893a86c5e3b16d733fddb4457e333d11cb29f4d46
run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect bad c52f0935ef5f5ade564a8ff1c32a7df2ea279811
Bisecting: 6851 revisions left to test after this (roughly 13 steps)
[4078aa68509746d0c1a70c50ab22a761ad7c2e0d] Merge tag 'ata-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata

testing commit 4078aa68509746d0c1a70c50ab22a761ad7c2e0d gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d867830fff0a64ad03d2e3b5816179b889aaa5a3370b7a28ef746463d0325739
run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 4078aa68509746d0c1a70c50ab22a761ad7c2e0d
Bisecting: 3566 revisions left to test after this (roughly 12 steps)
[a47e60729d9624e931f988709ab76e043e2ee8b9] Merge tag 'backlight-next-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight

testing commit a47e60729d9624e931f988709ab76e043e2ee8b9 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 31f2f28a989591811166b771464b38eb3204127b317b18a1b8f11d6252a83b9a
run #0: crashed: KASAN: use-after-free Read in lbmIODone
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad a47e60729d9624e931f988709ab76e043e2ee8b9
Bisecting: 1573 revisions left to test after this (roughly 11 steps)
[915b96c52763e2988e6368b538b487a7138b8fa4] Merge tag 'wireless-next-2022-09-30' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next

testing commit 915b96c52763e2988e6368b538b487a7138b8fa4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4a69409c3fd95a0b1380173837b809c241fcb756897cda6a47d52efaa8eb7e87
run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 915b96c52763e2988e6368b538b487a7138b8fa4
Bisecting: 837 revisions left to test after this (roughly 10 steps)
[2c119d9982b1aba54a2eca59c2455cd09f3bc749] net: dsa: microchip: add the support for set_ageing_time

testing commit 2c119d9982b1aba54a2eca59c2455cd09f3bc749 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 274f8fab17b100cdf25b311a90252433c9ef42c1e14e69f580b833c940b91fe2
all runs: OK
# git bisect good 2c119d9982b1aba54a2eca59c2455cd09f3bc749
Bisecting: 418 revisions left to test after this (roughly 9 steps)
[454b20e19322e6a9375cbaad68fff3c93bd27716] net: ethernet: mtk_eth_soc: fix usage of foe_entry_size

testing commit 454b20e19322e6a9375cbaad68fff3c93bd27716 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5cc958e8b2cc364960152d26a306e824e0b86da1d4da1aa13a7e5cbee91db1c6
run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 454b20e19322e6a9375cbaad68fff3c93bd27716
Bisecting: 210 revisions left to test after this (roughly 8 steps)
[393d34cb862e6de0c283408149da2b9093d5a5c4] ethernet: tundra: Drop forward declaration of static functions

testing commit 393d34cb862e6de0c283408149da2b9093d5a5c4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ac95889cf6ea102f9d078dc5b73e0fcac8f0da2af9bb33fa5147cee17360d6ce
run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 393d34cb862e6de0c283408149da2b9093d5a5c4
Bisecting: 103 revisions left to test after this (roughly 7 steps)
[848f3c0d47694924536e2894cb349613201321c6] seg6: add NEXT-C-SID support for SRv6 End behavior

testing commit 848f3c0d47694924536e2894cb349613201321c6 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bc785994d50d4c6185799d177ee6148fd11969c2033431fc141f8976bf64a831
all runs: OK
# git bisect good 848f3c0d47694924536e2894cb349613201321c6
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[caddb4e0d63980315772e3c6f4e92624d0dd193f] net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET

testing commit caddb4e0d63980315772e3c6f4e92624d0dd193f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 41e80360b32a6aa156209f2491028e19e5924d396d8bf55860e541b444ce74d1
all runs: OK
# git bisect good caddb4e0d63980315772e3c6f4e92624d0dd193f
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[75ae8c284c00dc3584b7c173f6fcf96ee15bd02c] net: ll_temac: Switch to use dev_err_probe() helper

testing commit 75ae8c284c00dc3584b7c173f6fcf96ee15bd02c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6caa9a1d376db9a2f11dc8cd48c50f94b42c929bd9325a19b63736ab59720ca5
all runs: OK
# git bisect good 75ae8c284c00dc3584b7c173f6fcf96ee15bd02c
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[75124116520b7c94313c1e46493bee964317fa9e] net: ll_temac: fix the format of block comments

testing commit 75124116520b7c94313c1e46493bee964317fa9e gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6096c3546464be8296ccc069d15a56fcec66d24e1544cab8dffd8d8b1353d5e9
run #0: crashed: kernel BUG in lbmIODone
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 75124116520b7c94313c1e46493bee964317fa9e
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[236b8f5dc75d59ce970d1c1368f2935bcc6ca224] net: hns3: add judge fd ability for sync and clear process of flow director

testing commit 236b8f5dc75d59ce970d1c1368f2935bcc6ca224 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0efa2623ea4018a0369aded02e80d6cff0804529d8505f0a83d5bdb9ed8802b5
run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 236b8f5dc75d59ce970d1c1368f2935bcc6ca224
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[04b6ba143521f4485b7f2c36c655b262a79dae97] net: hns3: add support for external loopback test

testing commit 04b6ba143521f4485b7f2c36c655b262a79dae97 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 534f802a4ef9f6cff42f0e3fe4b86235d51ea4b20e57ae8e00fd2402bbd5a703
run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 04b6ba143521f4485b7f2c36c655b262a79dae97
Bisecting: 1 revision left to test after this (roughly 1 step)
[01bf246a20c7664ae41cdbefd0314d0fb67d63e9] Merge branch 'net-dev_err_probe'

testing commit 01bf246a20c7664ae41cdbefd0314d0fb67d63e9 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0633209b5d856a052a6476e140b811acf4f5fd5638d1f82ed5ccc828a94a44a0
run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 01bf246a20c7664ae41cdbefd0314d0fb67d63e9
01bf246a20c7664ae41cdbefd0314d0fb67d63e9 is the first bad commit
commit 01bf246a20c7664ae41cdbefd0314d0fb67d63e9
Merge: 63b7c2ebcc1d 75ae8c284c00
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Sep 21 13:50:03 2022 +0100

    Merge branch 'net-dev_err_probe'
    
    Yang Yingliang says:
    
    ====================
    net: drivers: Switch to use dev_err_probe() helper
    
    In the probe path, dev_err() can be replace with dev_err_probe()
    which will check if error code is -EPROBE_DEFER. It will print
    error code in a human readable way and simplify the code.
    ====================
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/dsa/lantiq_gswip.c                          |  8 +++-----
 drivers/net/ethernet/ibm/emac/core.c                    |  8 +++-----
 drivers/net/ethernet/stmicro/stmmac/dwmac-dwc-qos-eth.c |  4 +---
 drivers/net/ethernet/ti/am65-cpts.c                     |  7 ++-----
 drivers/net/ethernet/ti/cpsw.c                          |  3 +--
 drivers/net/ethernet/ti/cpsw_new.c                      |  5 ++---
 drivers/net/ethernet/xilinx/ll_temac_main.c             | 16 ++++++----------
 7 files changed, 18 insertions(+), 33 deletions(-)

Reproducer flagged being flaky
revisions tested: 17, total time: 4h39m44.119999961s (build: 2h3m10.726732135s, test: 2h34m34.702244705s)
first bad commit: 01bf246a20c7664ae41cdbefd0314d0fb67d63e9 Merge branch 'net-dev_err_probe'
recipients (to): ["davem@davemloft.net"]
recipients (cc): []
crash: KASAN: use-after-free Read in copy_page_from_iter_atomic
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0xc54/0x14d0 lib/iov_iter.c:817
Read of size 4096 at addr ffff8880721ff000 by task kworker/u4:1/11

CPU: 0 PID: 11 Comm: kworker/u4:1 Not tainted 6.0.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: loop0 loop_workfn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 copy_page_from_iter_atomic+0xc54/0x14d0 lib/iov_iter.c:817
 generic_perform_write+0x25f/0x480 mm/filemap.c:3746
 __generic_file_write_iter+0x20e/0x400 mm/filemap.c:3866
 generic_file_write_iter+0xc1/0x2c0 mm/filemap.c:3898
 call_write_iter include/linux/fs.h:2187 [inline]
 do_iter_readv_writev+0x191/0x2e0 fs/read_write.c:729
 do_iter_write+0x124/0x620 fs/read_write.c:855
 lo_write_bvec drivers/block/loop.c:249 [inline]
 lo_write_simple drivers/block/loop.c:271 [inline]
 do_req_filebacked drivers/block/loop.c:495 [inline]
 loop_handle_cmd drivers/block/loop.c:1864 [inline]
 loop_process_work+0xb4f/0x1bb0 drivers/block/loop.c:1899
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x294/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001c87fc0 refcount:1 mapcount:0 mapping:ffff8880111549f8 index:0x11 pfn:0x721ff
memcg:ffff88813fe68000
aops:def_blk_aops ino:700000
flags: 0xfff00000020016(referenced|uptodate|lru|mappedtodisk|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000020016 ffffea0000808dc8 ffffea0000808d88 ffff8880111549f8
raw: 0000000000000011 0000000000000000 00000001ffffffff ffff88813fe68000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 4056, tgid 4056 (udevd), ts 209222327733, free_ts 209214820340
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
 folio_alloc+0x12/0x40 mm/mempolicy.c:2280
 page_cache_ra_unbounded+0x173/0x470 mm/readahead.c:242
 do_page_cache_ra mm/readahead.c:293 [inline]
 force_page_cache_ra+0x284/0x440 mm/readahead.c:324
 page_cache_sync_readahead include/linux/pagemap.h:1215 [inline]
 filemap_get_pages+0x267/0x1490 mm/filemap.c:2566
 filemap_read+0x28f/0xb30 mm/filemap.c:2660
 blkdev_read_iter+0x2d5/0x5f0 block/fops.c:598
 call_read_iter include/linux/fs.h:2181 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x55f/0x7c0 fs/read_write.c:470
 ksys_read+0xee/0x1c0 fs/read_write.c:607
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1449 [inline]
 free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
 free_unref_page_prepare mm/page_alloc.c:3380 [inline]
 free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
 lmLogShutdown+0x2ff/0x590 fs/jfs/jfs_logmgr.c:1684
 lmLogClose+0x4a5/0x670 fs/jfs/jfs_logmgr.c:1460
 jfs_umount+0x2ac/0x3c0 fs/jfs/jfs_umount.c:116
 jfs_put_super+0x69/0x160 fs/jfs/super.c:194
 generic_shutdown_super+0x12e/0x3a0 fs/super.c:491
 kill_block_super+0x90/0xd0 fs/super.c:1427
 deactivate_locked_super+0x7b/0x130 fs/super.c:332
 cleanup_mnt+0x253/0x360 fs/namespace.c:1186
 task_work_run+0xc0/0x160 kernel/task_work.c:177
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8880721fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880721fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888072200000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888072200080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888072200100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================