ci2 starts bisection 2024-08-04 13:35:32.429490823 +0000 UTC m=+139891.047023696
bisecting fixing commit since 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde
building syzkaller on de979bc20b2b73242b7d6fbbdf614a8cb4c574f4
ensuring issue is reproducible on original commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde

testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3a6d150e1994bd7a78821534551246445ca34f361f8af15a30db92b100888077
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bda22e3122adfb981bd87f7dac032d829d08bd0b0e7962db41d055daf36b56f8
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=4789 full=6018 leaves diff=238
split chunks (needed=false): <238>
split chunk #0 of len 238 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8e28d3df0823695532eb50d152a6a605f4705d642824b6b8ad1ce1a79ec0286e
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 96de2ed6bb30d5bbf75fb1d946ab4619b86a2bebe05d6960c5c13d9a39b6dc07
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3a7abb9cb901439df23aefdd1dbe3f945a2d8a833cc8c5f9d249a3b75a52b686
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 366f8cc3474f1bb8f8ce0fccb59e71530db2331722c40b730e8b03bbd8fbfae6
run #0: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #1: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #2: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #3: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #4: crashed: KASAN: out-of-bounds Read in __ext4_check_dir_entry
run #5: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #6: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #7: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #8: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
run #9: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde: net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD fd58936f3c1fc207ff2edb2f4fcae4f781e21d01
testing commit fd58936f3c1fc207ff2edb2f4fcae4f781e21d01 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5b2980a8c789bcbb6d9bd428480f4d39d47ac884e03fe698de2d122e930b82bc
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 47m34.919795658s (build: 21m39.874185846s, test: 24m37.157066876s)
crash still not fixed or there were kernel test errors
commit msg: Merge 5.10.222 into android13-5.10-lts
crash: KASAN: use-after-free Read in __ext4_check_dir_entry
EXT4-fs warning (device loop0): dx_probe:944: inode #2: comm syz-executor.0: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x5df/0x890 fs/ext4/dir.c:85
Read of size 2 at addr ffff88811b946003 by task syz-executor.0/347

CPU: 0 PID: 347 Comm: syz-executor.0 Not tainted 5.10.222-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x81/0xac lib/dump_stack.c:118
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:452
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
 __ext4_check_dir_entry+0x5df/0x890 fs/ext4/dir.c:85
 ext4_readdir+0x8d1/0x33e0 fs/ext4/dir.c:258
 iterate_dir+0x407/0x690 fs/readdir.c:65
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __x64_sys_getdents64+0x12f/0x230 fs/readdir.c:354
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f9fc4ec5d69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9fc4a470c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f9fc4ff3f80 RCX: 00007f9fc4ec5d69
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f9fc4f1249e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f9fc4ff3f80 R15: 00007fffbf7de348

The buggy address belongs to the page:
page:ffffea00046e5180 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11b946
flags: 0x4000000000000000()
raw: 4000000000000000 ffffea00046e51c8 ffff8881f745acb0 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x8100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|0x8000000), pid 280, ts 23491402920, free_ts 24769685651
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page mm/page_alloc.c:2462 [inline]
 get_page_from_freelist+0x1fee/0x2ad0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x2ae/0x23d0 mm/page_alloc.c:5348
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 do_anonymous_page mm/memory.c:3935 [inline]
 handle_pte_fault+0x16ac/0x3140 mm/memory.c:4758
 ___handle_speculative_fault+0xd21/0x1480 mm/memory.c:5191
 __handle_speculative_fault+0xa9/0x280 mm/memory.c:5240
 handle_speculative_fault include/linux/mm.h:1838 [inline]
 do_user_addr_fault+0x21a/0xa20 arch/x86/mm/fault.c:1285
 handle_page_fault arch/x86/mm/fault.c:1428 [inline]
 exc_page_fault+0x65/0xc0 arch/x86/mm/fault.c:1484
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:571
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare+0x1a7/0x230 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3336 [inline]
 free_unref_page_list+0x18a/0xae0 mm/page_alloc.c:3443
 release_pages+0x374/0xb00 mm/swap.c:1103
 free_pages_and_swap_cache+0x180/0x1e0 mm/swap_state.c:356
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x129/0x790 mm/mmu_gather.c:326
 exit_mmap+0x294/0x570 mm/mmap.c:3357
 __mmput kernel/fork.c:1153 [inline]
 mmput kernel/fork.c:1176 [inline]
 mmput+0x99/0x430 kernel/fork.c:1170
 exit_mm kernel/exit.c:539 [inline]
 do_exit+0x86b/0x2330 kernel/exit.c:850
 do_group_exit+0xe6/0x290 kernel/exit.c:985
 get_signal+0x350/0x1990 kernel/signal.c:2782
 arch_do_signal_or_restart+0x2ad/0x2510 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0xd1/0x120 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x27/0x160 kernel/entry/common.c:274
 do_syscall_64+0x3f/0x80 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff88811b945f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88811b945f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88811b946000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88811b946080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811b946100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_readdir:258: inode #2: block 255: comm syz-executor.0: path /root/syzkaller-testdir3102910025/syzkaller.DhwGSv/0/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=3660808192, rec_len=1, size=1024 fake=0