ci2 starts bisection 2025-07-06 14:45:48.061646179 +0000 UTC m=+115689.529787744
bisecting fixing commit since 642656a3679169a2157ea569389d8af27e4d3511
building syzkaller on 2a20f901dbd7922a27b5625a8a442587c8c3df2c
ensuring issue is reproducible on original commit 642656a3679169a2157ea569389d8af27e4d3511
testing commit 642656a3679169a2157ea569389d8af27e4d3511 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ccc22801629fdd79ebce6e886a16e4a4f731100780d117595f3f09e65b1358f8
all runs: crashed: KASAN: use-after-free Read in f2fs_inode_synced
representative crash: KASAN: use-after-free Read in f2fs_inode_synced, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 642656a3679169a2157ea569389d8af27e4d3511 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 67c7b9ac56795f43cd6496a8aa219820b52903f6bac8be3a0ad534a2bec1e686
run #0: crashed: KASAN: use-after-free Write in igrab
run #1: crashed: KASAN: use-after-free Write in igrab
run #2: crashed: KASAN: use-after-free Write in igrab
run #3: crashed: KASAN: use-after-free Write in igrab
run #4: crashed: KASAN: use-after-free Write in igrab
run #5: crashed: KASAN: use-after-free Write in igrab
run #6: crashed: KASAN: use-after-free Write in igrab
run #7: crashed: KASAN: use-after-free Read in f2fs_inode_synced
run #8: crashed: KASAN: use-after-free Write in igrab
run #9: crashed: KASAN: use-after-free Write in igrab
representative crash: KASAN: use-after-free Write in igrab, types: [KASAN-USE-AFTER-FREE-WRITE]
the bug reproduces without the instrumentation
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
kconfig minimization: base=5186 full=6549 leaves diff=265
split chunks (needed=false): <265>
split chunk #0 of len 265 into 5 parts
testing without sub-chunk 1/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 642656a3679169a2157ea569389d8af27e4d3511 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: bbc89e91e641f465b1a967164577ed9bf14c4e97638a4b9e507e833e094151f5
run #0: crashed: KASAN: use-after-free Write in igrab
run #1: crashed: KASAN: use-after-free Write in igrab
run #2: crashed: KASAN: use-after-free Write in igrab
run #3: crashed: KASAN: use-after-free Write in igrab
run #4: crashed: KASAN: use-after-free Write in igrab
run #5: crashed: KASAN: use-after-free Write in igrab
run #6: crashed: KASAN: use-after-free Write in igrab
run #7: crashed: KASAN: use-after-free Read in igrab
run #8: crashed: KASAN: use-after-free Write in igrab
run #9: crashed: KASAN: use-after-free Write in igrab
representative crash: KASAN: use-after-free Write in igrab, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 642656a3679169a2157ea569389d8af27e4d3511 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e80a59ed862d4aab133fb18271cca8972b92e6daed027788e5d3b4947a9a6abe
all runs: crashed: KASAN: use-after-free Write in igrab
representative crash: KASAN: use-after-free Write in igrab, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit 642656a3679169a2157ea569389d8af27e4d3511 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 9e933ceaae34b5741d64fda10a6d68c3c9556ff9a688b1730b05de944794bfbf
all runs: crashed: KASAN: use-after-free Write in igrab
representative crash: KASAN: use-after-free Write in igrab, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 642656a3679169a2157ea569389d8af27e4d3511 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 92e76ef212f64dacc56e51aec133c37773dfc65c435f94f50c7ddcbc3c3e09d4
all runs: crashed: KASAN: use-after-free Write in igrab
representative crash: KASAN: use-after-free Write in igrab, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit 642656a3679169a2157ea569389d8af27e4d3511 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
failed building 642656a3679169a2157ea569389d8af27e4d3511: ld.lld: error: undefined symbol: wext_proc_init
ld.lld: error: undefined symbol: wext_proc_exit
ld.lld: error: undefined symbol: wext_handle_ioctl
ld.lld: error: undefined symbol: compat_wext_handle_ioctl
minimized to 53 configs; suspects: [HID_ZEROPLUS USB_MON USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing current HEAD 7011769d221c685bebb9686326ac1ab6fea9058a
testing commit 7011769d221c685bebb9686326ac1ab6fea9058a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 0c14c104f38622463c747548297a8e1462734851c0334d490c40fca7c6701577
run #0: crashed: KASAN: use-after-free Write in igrab
run #1: crashed: KASAN: use-after-free Write in igrab
run #2: crashed: KASAN: use-after-free Write in igrab
run #3: crashed: KASAN: use-after-free Write in igrab
run #4: crashed: KASAN: use-after-free Write in igrab
run #5: crashed: KASAN: use-after-free Write in igrab
run #6: crashed: KASAN: use-after-free Write in igrab
run #7: crashed: KASAN: use-after-free Write in igrab
run #8: crashed: KASAN: use-after-free Read in f2fs_inode_synced
run #9: crashed: KASAN: use-after-free Write in igrab
representative crash: KASAN: use-after-free Write in igrab, types: [KASAN-USE-AFTER-FREE-WRITE]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 1h21m58.658920398s (build: 40m31.517563934s, test: 32m50.724790809s)
crash still not fixed or there were kernel test errors
commit msg: ANDROID: virt: gunyah: Replace arm_smccc_1_1_smc with arm_smccc_1_1_invoke
crash: KASAN: use-after-free Write in igrab
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock include/linux/spinlock.h:187 [inline]
BUG: KASAN: use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
BUG: KASAN: use-after-free in _raw_spin_lock+0x81/0x110 kernel/locking/spinlock.c:154
Write of size 4 at addr ffff888112e5a938 by task syz.2.16/477

CPU: 0 PID: 477 Comm: syz.2.16 Not tainted 6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 __dump_stack+0x19/0x1c lib/dump_stack.c:88
 dump_stack_lvl+0xa3/0xec lib/dump_stack.c:106
 print_address_description+0x71/0x210 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:427
 kasan_report+0x122/0x150 mm/kasan/report.c:531
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x280/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
 _raw_spin_lock+0x81/0x110 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 igrab+0x1b/0x80 fs/inode.c:1475
 f2fs_sync_inode_meta fs/f2fs/checkpoint.c:1159 [inline]
 block_operations fs/f2fs/checkpoint.c:1272 [inline]
 f2fs_write_checkpoint+0xbcb/0x20e0 fs/f2fs/checkpoint.c:1660
 kill_f2fs_super+0x1d7/0x310 fs/f2fs/super.c:4769
 deactivate_locked_super+0x92/0xf0 fs/super.c:334
 deactivate_super+0x5f/0x80 fs/super.c:365
 cleanup_mnt+0x159/0x340 fs/namespace.c:1182
 __cleanup_mnt+0xd/0x10 fs/namespace.c:1189
 task_work_run+0x153/0x1e0 kernel/task_work.c:203
 exit_task_work include/linux/task_work.h:39 [inline]
 do_exit+0x81e/0x1fe0 kernel/exit.c:877
 do_group_exit+0x1a1/0x280 kernel/exit.c:1027
 get_signal+0xeb4/0xfc0 kernel/signal.c:2889
 arch_do_signal_or_restart+0xb0/0x1030 arch/x86/kernel/signal.c:871
 exit_to_user_mode_loop+0x7a/0xb0 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fdda6fc0a25
Code: Unable to access opcode bytes at 0x7fdda6fc09fb.
RSP: 002b:00007fdda7d2df80 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: fffffffffffffdfc RBX: 00007fdda71b5fa0 RCX: 00007fdda6fc0a25
RDX: 00007fdda7d2dfc0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fdda7010a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fdda71b5fa0 R15: 00007ffe2cceae18

Allocated by task 472:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
 __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:333
 kasan_slab_alloc include/linux/kasan.h:202 [inline]
 slab_post_alloc_hook+0x4f/0x280 mm/slab.h:768
 slab_alloc_node mm/slub.c:3421 [inline]
 slab_alloc mm/slub.c:3431 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
 kmem_cache_alloc_lru+0x104/0x280 mm/slub.c:3454
 alloc_inode_sb include/linux/fs.h:3263 [inline]
 f2fs_alloc_inode+0x28/0x330 fs/f2fs/super.c:1437
 alloc_inode fs/inode.c:261 [inline]
 iget_locked+0x168/0x6e0 fs/inode.c:1373
 f2fs_iget+0x53/0x47a0 fs/f2fs/inode.c:486
 f2fs_lookup+0x1f2/0x800 fs/f2fs/namei.c:484
 __lookup_slow+0x24e/0x330 fs/namei.c:1689
 lookup_slow+0x52/0x70 fs/namei.c:1706
 walk_component+0x261/0x370 fs/namei.c:1997
 lookup_last fs/namei.c:2454 [inline]
 path_lookupat+0x85/0x320 fs/namei.c:2478
 filename_lookup+0x1bc/0x420 fs/namei.c:2507
 vfs_statx+0xf4/0x580 fs/stat.c:229
 vfs_fstatat fs/stat.c:267 [inline]
 vfs_lstat include/linux/fs.h:3444 [inline]
 __do_sys_newlstat fs/stat.c:423 [inline]
 __se_sys_newlstat+0xd2/0x320 fs/stat.c:417
 __x64_sys_newlstat+0x56/0x60 fs/stat.c:417
 x64_sys_call+0x393/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 477:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:241
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1745 [inline]
 slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1771
 slab_free mm/slub.c:3686 [inline]
 kmem_cache_free+0x12f/0x2a0 mm/slub.c:3711
 f2fs_free_inode+0x1c/0x20 fs/f2fs/super.c:1584
 i_callback+0x4f/0x70 fs/inode.c:250
 rcu_do_batch+0x512/0xb50 kernel/rcu/tree.c:2297
 rcu_core+0x547/0xe30 kernel/rcu/tree.c:2557
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
 handle_softirqs+0x1d7/0x5b0 kernel/softirq.c:642
 __do_softirq kernel/softirq.c:680 [inline]
 invoke_softirq kernel/softirq.c:497 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691

Last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
 __call_rcu_common kernel/rcu/tree.c:2807 [inline]
 call_rcu+0xd0/0xfb0 kernel/rcu/tree.c:2926
 destroy_inode fs/inode.c:316 [inline]
 evict+0x7a9/0x820 fs/inode.c:720
 iput_final fs/inode.c:1834 [inline]
 iput+0x4c1/0x4f0 fs/inode.c:1860
 do_unlinkat+0x36a/0x5d0 fs/namei.c:4396
 __do_sys_unlink fs/namei.c:4437 [inline]
 __se_sys_unlink fs/namei.c:4435 [inline]
 __x64_sys_unlink+0x44/0x50 fs/namei.c:4435
 x64_sys_call+0x958/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff888112e5a8b0
 which belongs to the cache f2fs_inode_cache of size 1360
The buggy address is located 136 bytes inside of
 1360-byte region [ffff888112e5a8b0, ffff888112e5ae00)

The buggy address belongs to the physical page:
page:ffffea00044b9600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112e58
head:ffffea00044b9600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888111e5c480
raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 472, tgid 471 (syz.2.16), ts 58138015528, free_ts 0
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook mm/page_alloc.c:2637 [inline]
 prep_new_page+0x58c/0x650 mm/page_alloc.c:2644
 get_page_from_freelist+0x2f0f/0x2f80 mm/page_alloc.c:4539
 __alloc_pages+0x19e/0x3a0 mm/page_alloc.c:5850
 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
 allocate_slab mm/slub.c:1962 [inline]
 new_slab+0x7c/0x360 mm/slub.c:2015
 ___slab_alloc+0x5d2/0x970 mm/slub.c:3203
 __slab_alloc+0x53/0x90 mm/slub.c:3302
 slab_alloc_node mm/slub.c:3387 [inline]
 slab_alloc mm/slub.c:3431 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
 kmem_cache_alloc_lru+0x144/0x280 mm/slub.c:3454
 alloc_inode_sb include/linux/fs.h:3263 [inline]
 f2fs_alloc_inode+0x28/0x330 fs/f2fs/super.c:1437
 alloc_inode fs/inode.c:261 [inline]
 iget_locked+0x168/0x6e0 fs/inode.c:1373
 f2fs_iget+0x53/0x47a0 fs/f2fs/inode.c:486
 f2fs_fill_super+0x3c4b/0x65e0 fs/f2fs/super.c:4386
 mount_bdev+0x265/0x340 fs/super.c:1445
 f2fs_mount+0x10/0x20 fs/f2fs/super.c:4743
 legacy_get_tree+0xf9/0x190 fs/fs_context.c:632
 vfs_get_tree+0x8f/0x190 fs/super.c:1575
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888112e5a800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888112e5a880: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
>ffff888112e5a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff888112e5a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888112e5aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================