ci2 starts bisection 2025-06-15 02:03:44.694092839 +0000 UTC m=+35848.482760156
bisecting cause commit starting from 02adc1490e6d8681cc81057ed86d123d0240909b
building syzkaller on 98683f8f094a4a5418f62711143436a99522360e
ensuring issue is reproducible on original commit 02adc1490e6d8681cc81057ed86d123d0240909b
testing commit 02adc1490e6d8681cc81057ed86d123d0240909b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: f601da6682f9083eeee7e102f3da8f5c16235c592a82948e4efe357ea800d42c
run #0: crashed: KASAN: use-after-free Read in poly1305_update
run #1: crashed: KASAN: use-after-free Read in poly1305_update
run #2: crashed: KASAN: use-after-free Read in poly1305_update
run #3: crashed: KASAN: slab-use-after-free Read in poly1305_update
run #4: crashed: KASAN: use-after-free Read in poly1305_update
run #5: crashed: KASAN: use-after-free Read in poly1305_update
run #6: crashed: KASAN: use-after-free Read in poly1305_update
run #7: crashed: KASAN: use-after-free Read in poly1305_update
run #8: crashed: KASAN: use-after-free Read in poly1305_update
run #9: crashed: KASAN: use-after-free Read in poly1305_update
run #10: crashed: KASAN: use-after-free Read in poly1305_update
run #11: crashed: KASAN: use-after-free Read in poly1305_update
run #12: crashed: KASAN: use-after-free Read in poly1305_update
run #13: crashed: KASAN: use-after-free Read in poly1305_update
run #14: crashed: KASAN: use-after-free Read in poly1305_update
run #15: crashed: KASAN: slab-use-after-free Read in poly1305_update
run #16: crashed: KASAN: use-after-free Read in poly1305_update
run #17: crashed: KASAN: use-after-free Read in poly1305_update
run #18: crashed: KASAN: use-after-free Read in poly1305_update
run #19: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 02adc1490e6d8681cc81057ed86d123d0240909b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: cebfbe87118d3d5764d92285ec136056d036f12f333fd8abe4fe7a3bd40de7c5
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4088 full=8356 leaves diff=2127
split chunks (needed=false): <2127>
split chunk #0 of len 2127 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 02adc1490e6d8681cc81057ed86d123d0240909b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: a23e184017906bb25f821d837997f4e49d1163942236c89baf1055cb520f1268
all runs: OK
false negative chance: 0.000
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 02adc1490e6d8681cc81057ed86d123d0240909b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: bf426d9a7daeab2e8cf312720267b1e8e3d440e7f75d9c5e6c993a1669f09d4e
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 02adc1490e6d8681cc81057ed86d123d0240909b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD
20.1.6
kernel signature: ed28d02439fcb07f00d63ada5423961802dca1632c117494201f2870472e802d
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 02adc1490e6d8681cc81057ed86d123d0240909b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 162965c213e222a0bca877ad6aad6a351d45e527b83f36e865e2218ce9a1b047
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 02adc1490e6d8681cc81057ed86d123d0240909b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 0d9ccca9e6f6ba48a20b254d12c931c623610daae490a4615c30c2fc4a2fd174
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN]
the chunk can be dropped
minimized to 426 configs
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags
testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc
compiler: Debian clang version 20.1.6
(++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: f52a62f4ce2016bdccf11d6109237a8a9f785111b78326ce91fa8fc11ee5fe9e
all runs: crashed: KASAN: use-after-free Read in bch2_checksum
representative crash: KASAN: use-after-free Read in bch2_checksum, types: [KASAN]
testing release v6.14
testing commit 38fec10eb60d687e30c8c6b5420d86e8149f7557 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: c04ddbb3d984b6c38b2a505ce000d7c3e967c4238b08fc28c49a537df194a459
all runs: crashed: KASAN: use-after-free Read in crypto_poly1305_update
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN]
testing release v6.13
testing commit ffd294d346d185b70e28b1a28abe367bbfe53c04 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: bf96337a4f473e2989f5ca91aaa5793781ac8923094ea344e1790e203892d3e5
all runs: crashed: KASAN: use-after-free Read in crypto_poly1305_update
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN]
testing release v6.11
testing commit 98f7e32f20d28ec452afb208f9cffc08448a2652 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 304af180a4d9a7026ac56efdcf21397d352bf3bfbef43a3e001f519e8e2eec4d
run #0: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #1: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #2: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #3: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #4: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #5: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #6: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #7: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #8: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #9: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN]
testing release v6.9
testing commit a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 1d84249438ac44837b01b2e7aeeef40e593b4fcd97ba60d14eed32bc3c139bef
all runs: OK
false negative chance: 0.000
# git bisect start 98f7e32f20d28ec452afb208f9cffc08448a2652 a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6
Bisecting: 14849 revisions left to test after this (roughly 14 steps)
[1c5fc27bc48a7f33302536c42184e5208ee66783] Merge tag 'nf-next-24-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next into main
testing commit 1c5fc27bc48a7f33302536c42184e5208ee66783 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: d5b05e53dd28d7602a0e685ea9eb47d9ba617abd8488b9f1fb56421334373bcd
all runs: OK
false negative chance: 0.000
# git bisect good 1c5fc27bc48a7f33302536c42184e5208ee66783
Bisecting: 7076 revisions left to test after this (roughly 13 steps)
[b3ce7a30847a54a7f96a35e609303d8afecd460b] Merge tag 'drm-next-2024-07-18' of https://gitlab.freedesktop.org/drm/kernel
testing commit b3ce7a30847a54a7f96a35e609303d8afecd460b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: cb6d3afd37128a3b37fa00b150e046f8c3d14a2b1aa2636b2c1d0efa154b971d
all runs: OK
false negative chance: 0.000
# git bisect good b3ce7a30847a54a7f96a35e609303d8afecd460b
Bisecting: 3385 revisions left to test after this (roughly 12 steps)
[fbc90c042cd1dc7258ebfebe6d226017e5b5ac8c] Merge tag 'mm-stable-2024-07-21-14-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit fbc90c042cd1dc7258ebfebe6d226017e5b5ac8c gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: c81966d19ad6b8c92ee3a00fc91ff4a1ebee9e5b05c46a4dab09e252c39e2812
all runs: OK
false negative chance: 0.000
# git bisect good fbc90c042cd1dc7258ebfebe6d226017e5b5ac8c
Bisecting: 1693 revisions left to test after this (roughly 11 steps)
[fa63c6434b6f6aaf9d8d599dc899bc0a074cc0ad] net: dsa: vsc73xx: check busy flag in MDIO operations
testing commit fa63c6434b6f6aaf9d8d599dc899bc0a074cc0ad gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 5de31b5688eb0d8798de54ab91adf4ae4ba76183ecd8951b1bf4eb07d7656ad2
all runs: OK
false negative chance: 0.000
# git bisect good fa63c6434b6f6aaf9d8d599dc899bc0a074cc0ad
Bisecting: 843 revisions left to test after this (roughly 10 steps)
[72bea05cb1ad486b1a850f584cc93b651579ad2f] Merge tag 'bcachefs-2024-08-24' of git://evilpiepirate.org/bcachefs
testing commit 72bea05cb1ad486b1a850f584cc93b651579ad2f gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: ebbcaa42bd3390af6df80488d525eb7ecda3a5c6522ff83c862a1d87c927aa69
run #0: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #1: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #2: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #3: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #4: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #5: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #6: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #7: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #8: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #9: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
representative crash: KASAN: slab-use-after-free Read in scatterwalk_copychunks, types: [KASAN]
# git bisect bad 72bea05cb1ad486b1a850f584cc93b651579ad2f
Bisecting: 424 revisions left to test after this (roughly 9 steps)
[e4a55b555db6d2a006551605ef4404529e878cd2] Merge tag 'libnvdimm-fixes-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
testing commit e4a55b555db6d2a006551605ef4404529e878cd2 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: c691b0572e26c1445de2860e5f47b6d7b4b96c41d7d56bb6928b51e77547a8fe
all runs: OK
false negative chance: 0.000
# git bisect good e4a55b555db6d2a006551605ef4404529e878cd2
Bisecting: 167 revisions left to test after this (roughly 8 steps)
[aa0743a229366e8c1963f1b72a1c974a9d15f08f] Merge tag 'net-6.11-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit aa0743a229366e8c1963f1b72a1c974a9d15f08f gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: a93802505846fb6afbbd27d856c1530fd7adcdf3e69a300b0272b1345f16fbd1
run #0: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #1: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #2: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #3: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #4: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #5: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #6: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #7: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #8: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #9: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
representative crash: KASAN: use-after-free Read in scatterwalk_copychunks, types: [KASAN]
# git bisect bad aa0743a229366e8c1963f1b72a1c974a9d15f08f
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[6e4436539ae182dc86d57d13849862bcafaa4709] Merge tag 'hid-for-linus-2024081901' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
testing commit 6e4436539ae182dc86d57d13849862bcafaa4709 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: c4490a763df63a832bc5d9e162e5203476ba5af3a78697e3d4ed55d48b372561
run #0: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #1: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #2: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #3: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #4: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #5: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #6: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #7: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #8: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #9: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN]
# git bisect bad 6e4436539ae182dc86d57d13849862bcafaa4709
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[98a1b2d71f9fac01c7aba80f30235b1b2e8234da] Merge tag 'i2c-for-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
testing commit 98a1b2d71f9fac01c7aba80f30235b1b2e8234da gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: e7574a7a76ab6e7f8ad7885bbe7a7e2e9cd0ffa6bae4da431fdacf6aeda668f8
run #0: crashed: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks
run #1: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #2: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #3: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #4: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #5: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #6: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #7: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #8: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #9: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
representative crash: KASAN: slab-out-of-bounds Read in scatterwalk_copychunks, types: [KASAN]
# git bisect bad 98a1b2d71f9fac01c7aba80f30235b1b2e8234da
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[e5fa841af679cb830da6c609c740a37bdc0b8b35] Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit e5fa841af679cb830da6c609c740a37bdc0b8b35 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 7acd6d04207a26a89460e72731bbc56c8f72bc8a856a9557ec5a55f5245d59d8
all runs: OK
false negative chance: 0.000
# git bisect good e5fa841af679cb830da6c609c740a37bdc0b8b35
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[075cabf324c3fd790d6ba39ff9db33a30b954fe2] bcachefs: Fix forgetting to pass trans to fsck_err()
testing commit 075cabf324c3fd790d6ba39ff9db33a30b954fe2 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 810d59651c9b99267edd4473b19919a06d66594478acb4e6ae0e54aa966d170f
run #0: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #1: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #2: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #3: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #4: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #5: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #6: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #7: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #8: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #9: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
representative crash: KASAN: slab-use-after-free Read in scatterwalk_copychunks, types: [KASAN]
# git bisect bad 075cabf324c3fd790d6ba39ff9db33a30b954fe2
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[7254555c440ff6b136aa97fb3c33fd5e0bb4fb9f] bcachefs: Add hysteresis to waiting on btree key cache flush
testing commit 7254555c440ff6b136aa97fb3c33fd5e0bb4fb9f gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 8b97e7d31b440ec663c712e5891211bd8f3d6e6abc1c99316de28f455d6998b5
all runs: OK
false negative chance: 0.000
# git bisect good 7254555c440ff6b136aa97fb3c33fd5e0bb4fb9f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[d97de0d017cde0d442c3d144b4f969f43064cc0f] bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()
testing commit d97de0d017cde0d442c3d144b4f969f43064cc0f gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: fec6320aa43151cd436864d2219ff2034af6681f9ba4a2f802e1dfe1c3af18fc
run #0: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #1: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #2: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #3: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #4: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #5: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #6: crashed: KASAN: slab-use-after-free Read in scatterwalk_copychunks
run #7: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #8: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
run #9: crashed: KASAN: use-after-free Read in scatterwalk_copychunks
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN]
# git bisect bad d97de0d017cde0d442c3d144b4f969f43064cc0f
Bisecting: 1 revision left to test after this (roughly 1 step)
[06a8693b890c0cf7d94bf7c6f0e2adf3a3aaa346] bcachefs: Add a time_stat for blocked on key cache flush
testing commit 06a8693b890c0cf7d94bf7c6f0e2adf3a3aaa346 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 6f6e72dd7749ea851f2acd38c8bca845df374c26b20527b95a037df82ae1b1fd
all runs: OK
false negative chance: 0.000
# git bisect good 06a8693b890c0cf7d94bf7c6f0e2adf3a3aaa346
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c99471024f24b3cbafc02bf5b112ecf34b0dbd40] bcachefs: Fix warning in __bch2_fsck_err() for trans not passed in
testing commit c99471024f24b3cbafc02bf5b112ecf34b0dbd40 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 7a1a1d0d9fc29400d66833500955824b0bb7a3572983dfed5c6d7634df2f5a86
all runs: OK
false negative chance: 0.000
# git bisect good c99471024f24b3cbafc02bf5b112ecf34b0dbd40
d97de0d017cde0d442c3d144b4f969f43064cc0f is the first bad commit
commit d97de0d017cde0d442c3d144b4f969f43064cc0f
Author: Kent Overstreet
Date: Mon Aug 12 21:31:25 2024 -0400

    bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()

    bkey_fsck_err() was added as an interface that looks like fsck_err(),
    but previously all it did was ensure that the appropriate error counter
    was incremented in the superblock.

    This is a cleanup and bugfix patch that converts it to a wrapper around
    fsck_err(). This is needed to fix an issue with the upgrade path to
    disk_accounting_v3, where the "silent fix" error list now includes
    bkey_fsck errors; fsck_err() handles this in a unified way, and since we
    need to change printing of bkey fsck errors from the caller to the inner
    bkey_fsck_err() calls, this ends up being a pretty big change.

    Als,, rename .invalid() methods to .validate(), for clarity, while we're
    changing the function signature anyways (to drop the printbuf argument).

    Signed-off-by: Kent Overstreet

 fs/bcachefs/alloc_background.c      |  63 ++++++++--------
 fs/bcachefs/alloc_background.h      |  26 +++----
 fs/bcachefs/backpointers.c          |   8 +-
 fs/bcachefs/backpointers.h          |   5 +-
 fs/bcachefs/bkey.h                  |   7 +-
 fs/bcachefs/bkey_methods.c          | 109 +++++++++++++--------------
 fs/bcachefs/bkey_methods.h          |  21 +++---
 fs/bcachefs/btree_io.c              |  67 +++++------------
 fs/bcachefs/btree_node_scan.c       |   2 +-
 fs/bcachefs/btree_trans_commit.c    |  72 ++++--------------
 fs/bcachefs/btree_update_interior.c |  16 +---
 fs/bcachefs/data_update.c           |   6 +-
 fs/bcachefs/dirent.c                |  33 ++++-----
 fs/bcachefs/dirent.h                |   5 +-
 fs/bcachefs/disk_accounting.c       |  13 ++--
 fs/bcachefs/disk_accounting.h       |   5 +-
 fs/bcachefs/ec.c                    |  15 ++--
 fs/bcachefs/ec.h                    |   5 +-
 fs/bcachefs/errcode.h               |   1 +
 fs/bcachefs/error.c                 |  22 ++++++
 fs/bcachefs/error.h                 |  39 ++++++----
 fs/bcachefs/extents.c               | 144 ++++++++++++++++++------------------
 fs/bcachefs/extents.h               |  24 +++---
 fs/bcachefs/inode.c                 |  77 +++++++++----------
 fs/bcachefs/inode.h                 |  24 +++---
 fs/bcachefs/journal_io.c            |  24 ++----
 fs/bcachefs/lru.c                   |   9 +--
 fs/bcachefs/lru.h                   |   5 +-
 fs/bcachefs/quota.c                 |   8 +-
 fs/bcachefs/quota.h                 |   5 +-
 fs/bcachefs/reflink.c               |  19 ++---
 fs/bcachefs/reflink.h               |  22 +++---
 fs/bcachefs/snapshot.c              |  42 +++++------
 fs/bcachefs/snapshot.h              |  11 ++-
 fs/bcachefs/subvolume.c             |  16 ++--
 fs/bcachefs/subvolume.h             |   5 +-
 fs/bcachefs/xattr.c                 |  21 +++---
 fs/bcachefs/xattr.h                 |   5 +-
 38 files changed, 448 insertions(+), 553 deletions(-)

accumulated error probability: 0.00
culprit signature: fec6320aa43151cd436864d2219ff2034af6681f9ba4a2f802e1dfe1c3af18fc
parent signature: 7a1a1d0d9fc29400d66833500955824b0bb7a3572983dfed5c6d7634df2f5a86
revisions tested: 27, total time: 7h51m43.275507714s (build: 3h10m34.273927504s, test: 4h18m30.091990553s)
first bad commit: d97de0d017cde0d442c3d144b4f969f43064cc0f bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()
recipients (to): ["kent.overstreet@linux.dev"]
recipients (cc): []
crash: KASAN: use-after-free Read in crypto_poly1305_update

Doing incompatible version upgrade from 0.32: (unknown version) to 1.10: disk_accounting_v3
  running recovery passes: check_allocations,check_snapshots,check_subvols,check_inodes,check_dirents,set_fs_needs_rebalance
==================================================================
BUG: KASAN: use-after-free in crypto_poly1305_update+0xd/0x20 arch/x86/crypto/poly1305_glue.c:230
Read of size 8 at addr ffff8881689e0070 by task syz.2.16/3338

CPU: 0 UID: 0 PID: 3338 Comm: syz.2.16 Not tainted 6.11.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 dump_stack_lvl+0xf5/0x170 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xca/0x250 mm/kasan/report.c:488
 kasan_report+0x118/0x150 mm/kasan/report.c:601
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 crypto_poly1305_update+0xd/0x20 arch/x86/crypto/poly1305_glue.c:230
 bch2_checksum+0x2eb/0x4f0 fs/bcachefs/checksum.c:230
 bch2_btree_node_read_done+0x13e9/0x4c80 fs/bcachefs/btree_io.c:1060
 btree_node_read_work+0x507/0xcc0 fs/bcachefs/btree_io.c:1323
 bch2_btree_node_read+0x1d4a/0x21e0 fs/bcachefs/btree_io.c:1708
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1749 [inline]
 bch2_btree_root_read+0x296/0x830 fs/bcachefs/btree_io.c:1773
 read_btree_roots+0x30c/0x6d0 fs/bcachefs/recovery.c:516
 bch2_fs_recovery+0x1640/0x27f0 fs/bcachefs/recovery.c:844
 bch2_fs_start+0x2fa/0x4d0 fs/bcachefs/super.c:1036
 bch2_fs_get_tree+0x467/0xf90 fs/bcachefs/fs.c:1946
 vfs_get_tree+0x84/0x1a0 fs/super.c:1800
 do_new_mount+0x1c9/0x850 fs/namespace.c:3472
 do_mount fs/namespace.c:3812 [inline]
 __do_sys_mount fs/namespace.c:4020 [inline]
 __se_sys_mount+0x21c/0x2c0 fs/namespace.c:3997
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff9217900ca
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff9225d1e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ff9225d1ef0 RCX: 00007ff9217900ca
RDX: 000020000000f640 RSI: 000020000000f680 RDI: 00007ff9225d1eb0
RBP: 000020000000f640 R08: 00007ff9225d1ef0 R09: 0000000000000180
R10: 0000000000000180 R11: 0000000000000246 R12: 000020000000f680
R13: 00007ff9225d1eb0 R14: 000000000000f63b R15: 0000200000000080

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1689e0
flags: 0x100000000000000(node=0|zone=2)
page_type: 0xbfffffff(buddy)
raw: 0100000000000000 ffffea0005a28c08 ffffea0005c9f008 0000000000000000
raw: 0000000000000000 0000000000000004 00000000bfffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 2426, tgid 2426 (sshd-session), ts 60020722378, free_ts 60020866109
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x16e/0x1a0 mm/page_alloc.c:1493
 prep_new_page mm/page_alloc.c:1501 [inline]
 get_page_from_freelist+0x29f2/0x2ac0 mm/page_alloc.c:3442
 __alloc_pages_noprof+0x1e4/0x450 mm/page_alloc.c:4700
 alloc_pages_mpol_noprof+0x1d5/0x380 mm/mempolicy.c:2263
 pipe_write+0x519/0x1520 fs/pipe.c:513
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x85d/0xb30 fs/read_write.c:590
 ksys_write+0x100/0x1c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 2427 tgid 2427 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1094 [inline]
 free_unref_page+0xbf1/0xca0 mm/page_alloc.c:2612
 __folio_put+0x19b/0x280 mm/swap.c:128
 pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
 pipe_update_tail fs/pipe.c:224 [inline]
 pipe_read+0x4e4/0xde0 fs/pipe.c:344
 new_sync_read fs/read_write.c:395 [inline]
 vfs_read+0x6aa/0x8b0 fs/read_write.c:476
 ksys_read+0x100/0x1c0 fs/read_write.c:619
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff8881689dff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881689dff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881689e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff8881689e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881689e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================