ci2 starts bisection 2025-03-05 14:18:16.056547339 +0000 UTC m=+19829.436453852
bisecting fixing commit since fbe98d68b6b391887a690d6f212fdc2ff29f1eb7
building syzkaller on f2cb035c8f931efff4a020b164e657f16f51934b
ensuring issue is reproducible on original commit fbe98d68b6b391887a690d6f212fdc2ff29f1eb7

testing commit fbe98d68b6b391887a690d6f212fdc2ff29f1eb7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2cc713673d673cebe8760b1ac8db856b54581dd1f2fe0aed2f5e3c7c2ee65dfa
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit fbe98d68b6b391887a690d6f212fdc2ff29f1eb7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: acab970c9011b28fa6b12aae22055dc65d498eaf06098a630d0fc16bb4388b79
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
kconfig minimization: base=4789 full=6023 leaves diff=244
split chunks (needed=false): <244>
split chunk #0 of len 244 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit fbe98d68b6b391887a690d6f212fdc2ff29f1eb7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8054eecabe2f99ce989ed39dfe58e1f25585f8c502ac7174af6cca1633f19f15
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit fbe98d68b6b391887a690d6f212fdc2ff29f1eb7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3a4693a91dffa1e328842200ac5587733e6d72682a2574b18e07cc684f8a5453
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit fbe98d68b6b391887a690d6f212fdc2ff29f1eb7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0341997b9211022f85fdef1bca611082fb09bc1e21b887eb62cd15919d073710
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit fbe98d68b6b391887a690d6f212fdc2ff29f1eb7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b0b991a2beba473d08c45ba06c88dfbfc1c8d798acc5711802d675325158b923
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit fbe98d68b6b391887a690d6f212fdc2ff29f1eb7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building fbe98d68b6b391887a690d6f212fdc2ff29f1eb7: net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 3f5f2283d6843bde6658e93fc50f5f00e5bd3595
testing commit 3f5f2283d6843bde6658e93fc50f5f00e5bd3595 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ca0506128aeffa41539aebf529e8a83107a03f7a51025204c0e6ffbf48d8a377
all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry
representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 1h47m31.886826952s (build: 1h13m39.026029036s, test: 32m10.116584463s)
crash still not fixed or there were kernel test errors
commit msg: Merge branch 'android13-5.10' into android13-5.10-lts
crash: KASAN: use-after-free Read in __ext4_check_dir_entry
EXT4-fs warning (device loop2): dx_probe:805: inode #2: comm syz.2.17: Unrecognised inode hash code 4
EXT4-fs warning (device loop2): dx_probe:945: inode #2: comm syz.2.17: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x5df/0x890 fs/ext4/dir.c:85
Read of size 2 at addr ffff888122c59003 by task syz.2.17/475

CPU: 1 PID: 475 Comm: syz.2.17 Not tainted 5.10.234-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x81/0xac lib/dump_stack.c:118
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:452
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
 __ext4_check_dir_entry+0x5df/0x890 fs/ext4/dir.c:85
 ext4_readdir+0x8d1/0x33e0 fs/ext4/dir.c:258
 iterate_dir+0x407/0x690 fs/readdir.c:65
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __x64_sys_getdents64+0x12f/0x230 fs/readdir.c:354
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f5ebf577d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5ebeff1038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f5ebf767fa0 RCX: 00007f5ebf577d29
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f5ebf5f3b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5ebf767fa0 R15: 00007fff47d02188

The buggy address belongs to the page:
page:ffffea00048b1640 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x122c59
flags: 0x4000000000000000()
raw: 4000000000000000 ffffea00048b1688 ffffea00048a0b08 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 470, ts 55663753315, free_ts 55942340727
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page mm/page_alloc.c:2462 [inline]
 get_page_from_freelist+0x1fee/0x2ad0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x2ae/0x23d0 mm/page_alloc.c:5348
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 shmem_alloc_page.part.0+0x121/0x180 mm/shmem.c:1580
 shmem_alloc_page+0x8a/0x190 mm/shmem.c:1576
 shmem_alloc_and_acct_page+0xf6/0x620 mm/shmem.c:1605
 shmem_getpage_gfp+0x3a3/0x16e0 mm/shmem.c:1918
 shmem_getpage mm/shmem.c:161 [inline]
 shmem_write_begin+0xd5/0x1a0 mm/shmem.c:2497
 generic_perform_write+0x202/0x4a0 mm/filemap.c:3509
 __generic_file_write_iter+0x309/0x540 mm/filemap.c:3638
 generic_file_write_iter+0xc2/0x1d0 mm/filemap.c:3670
 call_write_iter include/linux/fs.h:2058 [inline]
 new_sync_write+0x358/0x6d0 fs/read_write.c:518
 vfs_write+0x4e4/0x750 fs/read_write.c:605
 ksys_write+0x111/0x210 fs/read_write.c:658
 __do_sys_write fs/read_write.c:670 [inline]
 __se_sys_write fs/read_write.c:667 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:667
 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare+0x1a7/0x230 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3336 [inline]
 free_unref_page_list+0x18a/0xae0 mm/page_alloc.c:3443
 release_pages+0x374/0xb00 mm/swap.c:1103
 __pagevec_release+0x5e/0xe0 mm/swap.c:1123
 pagevec_release include/linux/pagevec.h:88 [inline]
 shmem_undo_range+0x56a/0xe50 mm/shmem.c:965
 shmem_truncate_range mm/shmem.c:1069 [inline]
 shmem_evict_inode+0x30d/0xa00 mm/shmem.c:1169
 evict+0x372/0x940 fs/inode.c:612
 iput_final fs/inode.c:1736 [inline]
 iput.part.0+0x33b/0x640 fs/inode.c:1762
 iput+0x3f/0x50 fs/inode.c:1752
 dentry_unlink_inode+0x28a/0x390 fs/dcache.c:378
 __dentry_kill+0x326/0x620 fs/dcache.c:583
 dentry_kill fs/dcache.c:709 [inline]
 dput+0x3ec/0x8c0 fs/dcache.c:883
 __fput+0x306/0x760 fs/file_table.c:294
 ____fput+0x9/0x10 fs/file_table.c:314
 task_work_run+0xc2/0x140 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x112/0x120 kernel/entry/common.c:199

Memory state around the buggy address:
 ffff888122c58f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888122c58f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888122c59000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888122c59080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888122c59100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop2): ext4_readdir:258: inode #2: block 255: comm syz.2.17: path (unknown): bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0