ci2 starts bisection 2023-05-12 15:44:49.228798173 +0000 UTC m=+13577.134364280 bisecting fixing commit since 3a93e40326c8f470e71d20b4c42d36767450f38f building syzkaller on 47f3aaf18b57644f3c07714c9ce073a210f061b4 ensuring issue is reproducible on original commit 3a93e40326c8f470e71d20b4c42d36767450f38f testing commit 3a93e40326c8f470e71d20b4c42d36767450f38f gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a1ecc552f797475e6575be9c1ea5b2ed84ca0601dd0690a5e2529c8cbc03f9ea run #0: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #1: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #5: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #6: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #8: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock run #9: crashed: KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock run #10: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock run #11: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #12: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #13: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #14: crashed: KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock run #15: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #16: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock run #17: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #18: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #19: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock testing current HEAD 47a2ee5d4a0bda05decdda7be0a77e792cdb09a3 testing commit 47a2ee5d4a0bda05decdda7be0a77e792cdb09a3 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ab5027724b151c203caf4b1e2c027fe8eddabd1d0e771c8bb875aae05240369b run #0: crashed: KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock run #1: crashed: KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock run #2: crashed: KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock run #3: crashed: KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #5: crashed: KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock run #6: crashed: KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock run #7: crashed: KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock run #8: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock run #9: crashed: KASAN: use-after-free Read in ext4_convert_inline_data_nolock crash still not fixed/happens on the oldest tested release revisions tested: 2, total time: 55m50.641693241s (build: 48m42.092306348s, test: 6m30.998723461s) crash still not fixed on HEAD or HEAD had kernel test errors commit msg: Merge tag 'firewire-fixes-6.4-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394 crash: KASAN: use-after-free Read in ext4_convert_inline_data_nolock loop0: detected capacity change from 0 to 2048 EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none. ================================================================== BUG: KASAN: use-after-free in ext4_read_inline_data fs/ext4/inline.c:199 [inline] BUG: KASAN: use-after-free in ext4_convert_inline_data_nolock+0x286/0xbf0 fs/ext4/inline.c:1202 Read of size 20 at addr ffff88801cb021a3 by task syz-executor.0/5413 CPU: 0 PID: 5413 Comm: syz-executor.0 Not tainted 6.4.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x167/0x220 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:351 [inline] print_report+0x163/0x540 mm/kasan/report.c:462 kasan_report+0x176/0x1b0 mm/kasan/report.c:572 kasan_check_range+0x283/0x290 mm/kasan/generic.c:187 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 ext4_read_inline_data fs/ext4/inline.c:199 [inline] ext4_convert_inline_data_nolock+0x286/0xbf0 fs/ext4/inline.c:1202 ext4_convert_inline_data+0x3c4/0x4e0 fs/ext4/inline.c:2063 ext4_fallocate+0x13f/0x1a10 fs/ext4/extents.c:4708 vfs_fallocate+0x3ae/0x530 fs/open.c:324 ksys_fallocate fs/open.c:347 [inline] __do_sys_fallocate fs/open.c:355 [inline] __se_sys_fallocate fs/open.c:353 [inline] __x64_sys_fallocate+0xaa/0xe0 fs/open.c:353 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fd65668c0f9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd657429168 EFLAGS: 00000246 ORIG_RAX: 000000000000011d RAX: ffffffffffffffda RBX: 00007fd6567abf80 RCX: 00007fd65668c0f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00007fd6566e7b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000008000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffcdb9de7f R14: 00007fd657429300 R15: 0000000000022000 The buggy address belongs to the physical page: page:ffffea000072c080 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1cb02 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000000 0000000000000000 ffffea000072c088 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 56, tgid 56 (kworker/u4:3), ts 55114806598, free_ts 72757937864 prep_new_page mm/page_alloc.c:1738 [inline] get_page_from_freelist+0x321c/0x33a0 mm/page_alloc.c:3502 __alloc_pages+0x255/0x670 mm/page_alloc.c:4768 alloc_slab_page+0x6a/0x160 mm/slub.c:1851 allocate_slab mm/slub.c:1998 [inline] new_slab+0x84/0x2f0 mm/slub.c:2051 ___slab_alloc+0xa85/0x10a0 mm/slub.c:3192 __slab_alloc mm/slub.c:3291 [inline] __slab_alloc_node mm/slub.c:3344 [inline] slab_alloc_node mm/slub.c:3441 [inline] kmem_cache_alloc_node+0x1f3/0x350 mm/slub.c:3496 kmalloc_reserve+0x6f/0x1f0 net/core/skbuff.c:568 __alloc_skb+0x143/0x3b0 net/core/skbuff.c:654 alloc_skb include/linux/skbuff.h:1288 [inline] nlmsg_new include/net/netlink.h:1003 [inline] __neigh_notify+0x77/0x100 net/core/neighbour.c:3502 neigh_cleanup_and_release+0x5c/0x180 net/core/neighbour.c:101 neigh_flush_dev+0x14e/0x8f0 net/core/neighbour.c:421 __neigh_ifdown+0x40/0x350 net/core/neighbour.c:438 neigh_ifdown+0xb/0x10 net/core/neighbour.c:456 rt6_disable_ip+0x6e2/0x750 net/ipv6/route.c:4893 addrconf_ifdown+0x143/0x1690 net/ipv6/addrconf.c:3755 addrconf_notify+0x1b3/0xcf0 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1302 [inline] free_unref_page_prepare+0x8fe/0xa10 mm/page_alloc.c:2564 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2659 discard_slab mm/slub.c:2097 [inline] __unfreeze_partials+0x1b1/0x1f0 mm/slub.c:2636 put_cpu_partial+0x116/0x180 mm/slub.c:2712 qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:185 kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:292 __kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:711 slab_alloc_node mm/slub.c:3451 [inline] __kmem_cache_alloc_node+0x14c/0x290 mm/slub.c:3490 __do_kmalloc_node mm/slab_common.c:965 [inline] __kmalloc_node+0xa7/0x230 mm/slab_common.c:973 kmalloc_node include/linux/slab.h:579 [inline] kvmalloc_node+0x42/0xf0 mm/util.c:604 kvmalloc include/linux/slab.h:697 [inline] seq_buf_alloc fs/seq_file.c:38 [inline] seq_read_iter+0x1aa/0xb40 fs/seq_file.c:210 call_read_iter include/linux/fs.h:1862 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x791/0x9c0 fs/read_write.c:470 ksys_read+0x163/0x250 fs/read_write.c:613 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff88801cb02080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88801cb02100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88801cb02180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88801cb02200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88801cb02280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================