ci2 starts bisection 2026-05-09 10:01:20.054851559 +0000 UTC m=+31744.894917164
bisecting fixing commit since e8b14e1cefe8a3049a46a48685bf937ca244949d
building syzkaller on 41d2fa6acff3c67933b109c27d013d1ad890115c
ensuring issue is reproducible on original commit e8b14e1cefe8a3049a46a48685bf937ca244949d
testing commit e8b14e1cefe8a3049a46a48685bf937ca244949d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.44
kernel signature: 1d3347b043a4ba3ccf5084d4bfde3061d9628aa7395cec652107fa4393fd87b4
all runs: crashed: KASAN: use-after-free Read in xattr_find_entry
representative crash: KASAN: use-after-free Read in xattr_find_entry, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit e8b14e1cefe8a3049a46a48685bf937ca244949d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.44
kernel signature: 9d83b8cdc81d101d0a2b175ea83eb1dd98d59c58c023f170aef6df2197f4cbb2
run #0: crashed: KASAN: use-after-free Read in xattr_find_entry
run #1: crashed: KASAN: use-after-free Read in xattr_find_entry
run #2: crashed: KASAN: use-after-free Read in xattr_find_entry
run #3: crashed: KASAN: slab-out-of-bounds Read in xattr_find_entry
run #4: crashed: KASAN: use-after-free Read in xattr_find_entry
run #5: crashed: KASAN: slab-out-of-bounds Read in xattr_find_entry
run #6: crashed: KASAN: slab-out-of-bounds Read in xattr_find_entry
run #7: crashed: KASAN: use-after-free Read in xattr_find_entry
run #8: crashed: KASAN: use-after-free Read in xattr_find_entry
run #9: crashed: KASAN: use-after-free Read in xattr_find_entry
representative crash: KASAN: use-after-free Read in xattr_find_entry, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=4788 full=6025 leaves diff=248
split chunks (needed=false): <248>
split chunk #0 of len 248 into 5 parts
testing without sub-chunk 1/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit e8b14e1cefe8a3049a46a48685bf937ca244949d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.44
kernel signature: e8b4853a0e3ffd338552dba9d44535a56845ee083a916d2a526d58a1fdf5dd0d
run #0: crashed: KASAN: slab-out-of-bounds Read in xattr_find_entry
run #1: crashed: KASAN: use-after-free Read in xattr_find_entry
run #2: crashed: KASAN: use-after-free Read in xattr_find_entry
run #3: crashed: KASAN: use-after-free Read in xattr_find_entry
run #4: crashed: KASAN: use-after-free Read in xattr_find_entry
run #5: crashed: KASAN: use-after-free Read in xattr_find_entry
run #6: crashed: KASAN: use-after-free Read in xattr_find_entry
run #7: crashed: KASAN: use-after-free Read in xattr_find_entry
run #8: crashed: KASAN: use-after-free Read in xattr_find_entry
run #9: crashed: KASAN: use-after-free Read in xattr_find_entry
representative crash: KASAN: use-after-free Read in xattr_find_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit e8b14e1cefe8a3049a46a48685bf937ca244949d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.44
kernel signature: 7d46561382c46798f3da659260095a9e99a72e1981f91e02bf921ba671ea08bd
all runs: crashed: KASAN: use-after-free Read in xattr_find_entry
representative crash: KASAN: use-after-free Read in xattr_find_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit e8b14e1cefe8a3049a46a48685bf937ca244949d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.44
kernel signature: 302867798d2524653aab664e17e93a7d66e5ae1f74caad7cc55df05f375d7d81
all runs: crashed: KASAN: use-after-free Read in xattr_find_entry
representative crash: KASAN: use-after-free Read in xattr_find_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit e8b14e1cefe8a3049a46a48685bf937ca244949d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.44
kernel signature: 1045f39b230a03445cf2ab4389f8fb3340f7191de6085c823e87d5437cc71680
run #0: crashed: KASAN: use-after-free Read in xattr_find_entry
run #1: crashed: KASAN: use-after-free Read in xattr_find_entry
run #2: crashed: KASAN: use-after-free Read in xattr_find_entry
run #3: crashed: KASAN: use-after-free Read in xattr_find_entry
run #4: crashed: KASAN: slab-out-of-bounds Read in xattr_find_entry
run #5: crashed: KASAN: slab-out-of-bounds Read in xattr_find_entry
run #6: crashed: KASAN: use-after-free Read in xattr_find_entry
run #7: crashed: KASAN: use-after-free Read in xattr_find_entry
run #8: crashed: KASAN: use-after-free Read in xattr_find_entry
run #9: crashed: KASAN: use-after-free Read in xattr_find_entry
representative crash: KASAN: use-after-free Read in xattr_find_entry, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit e8b14e1cefe8a3049a46a48685bf937ca244949d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.44
failed building e8b14e1cefe8a3049a46a48685bf937ca244949d: net/socket.c:1128:(.text+0x1307): undefined reference to `wext_handle_ioctl'
net/socket.c:3397:(.text+0x17c7): undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346:(.text+0x33b): undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330:(.text+0x4e2): undefined reference to `wext_proc_init'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing current HEAD 5feb5545d40a606710dea0c26c732f3050ee29cd
testing commit 5feb5545d40a606710dea0c26c732f3050ee29cd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.44
kernel signature: a458573141ddaa0823088cf209150c8e82b9d59faca53ac28233508cc0284cd6
run #0: crashed: KASAN: use-after-free Read in xattr_find_entry
run #1: crashed: KASAN: use-after-free Read in xattr_find_entry
run #2: crashed: KASAN: use-after-free Read in xattr_find_entry
run #3: crashed: KASAN: use-after-free Read in xattr_find_entry
run #4: crashed: KASAN: use-after-free Read in xattr_find_entry
run #5: crashed: KASAN: slab-out-of-bounds Read in xattr_find_entry
run #6: crashed: KASAN: use-after-free Read in xattr_find_entry
run #7: crashed: KASAN: use-after-free Read in xattr_find_entry
run #8: crashed: KASAN: use-after-free Read in xattr_find_entry
run #9: crashed: KASAN: use-after-free Read in xattr_find_entry
representative crash: KASAN: use-after-free Read in xattr_find_entry, types: [KASAN-USE-AFTER-FREE-READ]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 2h3m49.553923307s (build: 1h4m53.292551315s, test: 41m51.170603597s)
crash still not fixed or there were kernel test errors
commit msg: Merge 0f37d1e65c6d ("Bluetooth: MGMT: validate LTK enc_size on load") into android13-5.10-lts
crash: KASAN: use-after-free Read in xattr_find_entry
EXT4-fs (loop2): Ignoring removed orlov option
EXT4-fs (loop2): mounted filesystem without journal. Opts: block_validity,bsddf,nombcache,inode_readahead_blks=0x0000000000000000,debug_want_extra_isize=0x0000000000000080,orlov,nogrpid,noauto_da_alloc,grpjquota=,,errors=continue
==================================================================
BUG: KASAN: use-after-free in xattr_find_entry+0x237/0x260 fs/ext4/xattr.c:294
Read of size 4 at addr ffff888114e18004 by task syz.2.20/486

CPU: 0 PID: 486 Comm: syz.2.20 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x81/0xac lib/dump_stack.c:118
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 xattr_find_entry+0x237/0x260 fs/ext4/xattr.c:294
 ext4_xattr_ibody_get+0x241/0x500 fs/ext4/xattr.c:601
 ext4_xattr_get+0x149/0xa00 fs/ext4/xattr.c:655
 ext4_get_acl+0x42/0x590 fs/ext4/acl.c:162
 get_acl.part.0+0xae/0x1e0 fs/posix_acl.c:141
 get_acl fs/posix_acl.c:112 [inline]
 posix_acl_chmod fs/posix_acl.c:565 [inline]
 posix_acl_chmod+0x180/0x350 fs/posix_acl.c:555
 ext4_setattr+0x62c/0x2030 fs/ext4/inode.c:5734
 notify_change+0x7b0/0xd90 fs/attr.c:410
 chmod_common+0x1ca/0x400 fs/open.c:584
 do_fchmodat+0xa4/0x110 fs/open.c:622
 __do_sys_fchmodat fs/open.c:635 [inline]
 __se_sys_fchmodat fs/open.c:632 [inline]
 __x64_sys_fchmodat+0x71/0xb0 fs/open.c:632
 do_syscall_64+0x32/0x50 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fa9b651a629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa9b637d028 EFLAGS: 00000246 ORIG_RAX: 000000000000010c
RAX: ffffffffffffffda RBX: 00007fa9b6793fa0 RCX: 00007fa9b651a629
RDX: 000000000000017f RSI: 0000200000000300 RDI: ffffffffffffff9c
RBP: 00007fa9b65b0b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa9b6794038 R14: 00007fa9b6793fa0 R15: 00007fffd7442738

Allocated by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888114e18000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 4 bytes inside of
 1024-byte region [ffff888114e18000, ffff888114e18400)
The buggy address belongs to the page:
page:ffffea0004538600 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888114e18800 pfn:0x114e18
head:ffffea0004538600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 ffffea000451d208 ffff888100040b10 ffff888100042f00
raw: ffff888114e18800 0000000000100000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 91, ts 3889097797, free_ts 0
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page mm/page_alloc.c:2462 [inline]
 get_page_from_freelist+0x1fee/0x2ad0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x2ae/0x2540 mm/page_alloc.c:5384
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 alloc_slab_page mm/slub.c:1670 [inline]
 allocate_slab+0x30f/0x460 mm/slub.c:1813
 new_slab mm/slub.c:1874 [inline]
 new_slab_objects mm/slub.c:2632 [inline]
 ___slab_alloc.constprop.0+0x32b/0x730 mm/slub.c:2796
 __slab_alloc mm/slub.c:2836 [inline]
 slab_alloc_node mm/slub.c:2918 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 __kmalloc_track_caller+0x325/0x360 mm/slub.c:4541
 __kmalloc_reserve net/core/skbuff.c:144 [inline]
 __alloc_skb+0x74/0x4d0 net/core/skbuff.c:212
 alloc_skb include/linux/skbuff.h:1126 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1178 [inline]
 netlink_sendmsg+0x8a4/0xd10 net/netlink/af_netlink.c:1889
 sock_sendmsg_nosec net/socket.c:652 [inline]
 __sock_sendmsg+0xb5/0xf0 net/socket.c:664
 ____sys_sendmsg+0x694/0x990 net/socket.c:2376
 ___sys_sendmsg+0xfc/0x190 net/socket.c:2430
 __sys_sendmsg+0xc3/0x160 net/socket.c:2459
 __do_sys_sendmsg net/socket.c:2468 [inline]
 __se_sys_sendmsg net/socket.c:2466 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2466
 do_syscall_64+0x32/0x50 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888114e17f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888114e17f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888114e18000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888114e18080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888114e18100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
EXT4-fs error (device loop2): xattr_find_entry:297: inode #12: comm syz.2.20: corrupted xattr entries