ci2 starts bisection 2025-08-11 03:29:47.094518206 +0000 UTC m=+220873.934817596
bisecting fixing commit since 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014
building syzkaller on c4a9548758bac1c6dc231afd7543b5e8c5b6a65e
ensuring issue is reproducible on original commit 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014
testing commit 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: c0cd40e0adf1840aa246e8211b654a38a2ccd6e34e62696f6f8e3e488f3e7323
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 8fd547d98f7e8b7c1f1f9e48918170b364bd5eb232e9b33dc0e11f91c2e5644e
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
the bug reproduces without the instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
kconfig minimization: base=3913 full=7800 leaves diff=2160
split chunks (needed=false): <2160>
split chunk #0 of len 2160 into 5 parts
testing without sub-chunk 1/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e7501279e59ae2f7f704518dc4b534ac345d443d7a7b646c00db6abc2e3efc20
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: fd6cc818219ff80c4e5eaba7d2d6475b89fbc616c7d92fdec6ac684465e76bf7
all runs: OK
false negative chance: 0.000
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7a1f07cf9f3f01c2315ae37247900f0dc38ff96a357ebd7f034646f7b2baae41
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 27d002909c35f7787513ceaa76e3ea906a755f17e7af5976ba8530ab3157c0d9
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep
hang], they are not needed
testing commit 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 3fe20c82fc6c773efd4903c9fad067d8ef209064ff947c363a80df2e7b39db07
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
minimized to 432 configs
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
determining the merge base between 3a8ababb8b6a0ced2be230b60b6e3ddbd8d67014 and 8f5ae30d69d7543eee0d70083daf4de8fe15d585
ffc253263a1375a65fa6c9f62a893e9767fbebfa/Linux 6.6 is a merge base, check if it has the bug
testing commit ffc253263a1375a65fa6c9f62a893e9767fbebfa gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 6d9c24850f919c50e3172b69b694cabce90228ab7d08e261ad57066fe63d2bd9
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
testing current HEAD 8f5ae30d69d7543eee0d70083daf4de8fe15d585
testing commit 8f5ae30d69d7543eee0d70083daf4de8fe15d585 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature:
f7721db74fd9da3cc21b907743b0af0e064d8f1f8ed5d88da0a11cb4a61de766
all runs: OK
false negative chance: 0.000
# git bisect start 8f5ae30d69d7543eee0d70083daf4de8fe15d585 ffc253263a1375a65fa6c9f62a893e9767fbebfa
Bisecting: 82278 revisions left to test after this (roughly 16 steps)
[c903327d3295b135eb8c81ebe0b68c1837718eb8] Merge tag 'printk-for-6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit c903327d3295b135eb8c81ebe0b68c1837718eb8 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: a14026cb62266d9725c247e40c205215725c030dc5caa6f9b7b6c18745acb7bc
all runs: crashed: invalid opcode in corrupted
representative crash: invalid opcode in corrupted, types: [DoS]
# git bisect good c903327d3295b135eb8c81ebe0b68c1837718eb8
Bisecting: 40790 revisions left to test after this (roughly 15 steps)
[e50da555ca4d42b1b98d0f26789db64f26a0919a] Merge tag 'sound-6.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit e50da555ca4d42b1b98d0f26789db64f26a0919a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ebaf47c4a73111d080d3b6a3d48b94a72f75a206d474ae3fdd6be176db9765c5
all runs: boot failed: general protection fault in msix_capability_init
unable to determine the verdict: 0 good runs (wanted 5), for bad wanted 5 in total, got 0
# git bisect skip e50da555ca4d42b1b98d0f26789db64f26a0919a
Bisecting: 41487 revisions left to test after this (roughly 15 steps)
[d48b663f410f8b35b8ba9bd597bafaa00f53293b] arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit d48b663f410f8b35b8ba9bd597bafaa00f53293b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: db7409170bbc7c3554b0c1d8dbbd85e3443f1f2c38df573d2e60898caa08d292
all runs: boot failed: general protection fault in msix_capability_init
unable to determine the verdict: 0 good runs (wanted 5), for bad wanted 5 in total, got 0
# git bisect skip d48b663f410f8b35b8ba9bd597bafaa00f53293b
Bisecting: 41487 revisions left to test after this (roughly 15 steps)
[0ccd5d56e6b2f342096a362ac24785d4be9c64a2] watchdog: lenovo_se30_wdt: include io.h for devm_ioremap()
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit 0ccd5d56e6b2f342096a362ac24785d4be9c64a2 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ecd2e0929a269cebb073116065198b0418df31ed7215c537af8c7ca3524401bc
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good 0ccd5d56e6b2f342096a362ac24785d4be9c64a2
Bisecting: 22596 revisions left to test after this (roughly 15 steps)
[b08494a8f7416e5f09907318c5460ad6f6e2a548] Merge tag 'drm-next-2025-05-28' of https://gitlab.freedesktop.org/drm/kernel
determine whether the revision contains the guilty commit
revision e50da555ca4d42b1b98d0f26789db64f26a0919a crashed and is reachable
testing commit b08494a8f7416e5f09907318c5460ad6f6e2a548 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: edf446ec56fc491fa88a78cab65f0b0aad53d86d2f11aa869fb6a09aafd12033
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good b08494a8f7416e5f09907318c5460ad6f6e2a548
Bisecting: 11297 revisions left to test after this (roughly 14 steps)
[00e6c61c5a0a8277e0cb3e1ec9fdaf79a5928819] selftests: drv-net: rss_api: test input-xfrm and hash fields
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit 00e6c61c5a0a8277e0cb3e1ec9fdaf79a5928819 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: da5748a7c7ad8a089f481da867fd5b0b0c7c10bf67e1eb577984d360544b80aa
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good 00e6c61c5a0a8277e0cb3e1ec9fdaf79a5928819
Bisecting: 5654 revisions left to test after this (roughly 13 steps)
[7dff275c663178e9a12a0c0038e4b3be2f3edcba] Merge tag 'kcsan-20250728-v6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/melver/linux
determine whether the revision contains the guilty commit
revision c903327d3295b135eb8c81ebe0b68c1837718eb8 crashed and is reachable
testing commit 7dff275c663178e9a12a0c0038e4b3be2f3edcba gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7d9b74f5a621aaa75c43f537dbcbbb0f865fc1bdcfb02c9da6e6b0e40fae7a65
all runs: OK
false negative chance: 0.000
# git bisect bad 7dff275c663178e9a12a0c0038e4b3be2f3edcba
Bisecting: 2851 revisions left to test after this (roughly 12 steps)
[0d5ec7919f3747193f051036b2301734a4b5e1d6] Merge tag 'char-misc-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit 0d5ec7919f3747193f051036b2301734a4b5e1d6 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 5feb2c32232eb5f386ee635587521b8676e6652fd65f14ffd4c74953adf6fb24
all runs: OK
false negative chance: 0.000
# git bisect bad 0d5ec7919f3747193f051036b2301734a4b5e1d6
Bisecting: 1390 revisions left to test after this (roughly 11 steps)
[13150742b09e720fdf021de14cd2b98b37415a89] Merge tag 'libcrypto-updates-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux
determine whether the revision contains the guilty commit
revision b08494a8f7416e5f09907318c5460ad6f6e2a548 crashed and is reachable
testing commit 13150742b09e720fdf021de14cd2b98b37415a89 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 70df11ada73fb86baca542e312e74b974f59eb2817dd34a569bad7a70dd1654c
all runs: OK
false negative chance: 0.000
# git bisect bad 13150742b09e720fdf021de14cd2b98b37415a89
Bisecting: 683 revisions left to test after this (roughly 10 steps)
[ce3f5bb7504ca802efa710280a4601a06545bd2e] Merge tag 'nfsd-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit ce3f5bb7504ca802efa710280a4601a06545bd2e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 4fb33a10da28657667f0075883c0177016b4d9eb2ff39fde27042b37aae2fa73
all runs: OK
false negative chance: 0.000
# git bisect bad ce3f5bb7504ca802efa710280a4601a06545bd2e
Bisecting: 357 revisions left to test after this (roughly 9 steps)
[bdd01fb0364725081d6e938b8b3e647ee48e97eb] btrfs: check BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE at __add_block_group_free_space()
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit bdd01fb0364725081d6e938b8b3e647ee48e97eb gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 261b4c792f838d6b51faa15c82f592ba809ef62842ff6b6dbe0c7592bc1ff662
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good bdd01fb0364725081d6e938b8b3e647ee48e97eb
Bisecting: 214 revisions left to test after this (roughly 8 steps)
[038d61fd642278bab63ee8ef722c50d10ab01e8f] Linux 6.16
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit 038d61fd642278bab63ee8ef722c50d10ab01e8f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7d95dc35b6ce23da9bd12af82b4ef94bb631325830b99575a85cd140c6b64731
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good 038d61fd642278bab63ee8ef722c50d10ab01e8f
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[005b0a0c24e1628313e951516b675109a92cacfe] btrfs: send: use fallocate for hole punching with send stream v2
determine whether the revision contains the guilty commit
revision 0ccd5d56e6b2f342096a362ac24785d4be9c64a2 crashed and is reachable
testing commit 005b0a0c24e1628313e951516b675109a92cacfe gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7e9f17b98c3e6654363bfc7759b00885e51733ea43dd80c18c2768f99fcafec5
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good 005b0a0c24e1628313e951516b675109a92cacfe
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[ded74fddcaf685a9440c5612f7831d0c4c1473ca] xfs: don't use a xfs_log_iovec for ri_buf in log recovery
determine whether the revision contains the guilty commit
revision 0ccd5d56e6b2f342096a362ac24785d4be9c64a2 crashed and is reachable
testing commit ded74fddcaf685a9440c5612f7831d0c4c1473ca gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e8c8116f4ad96ec1646d53d0696e516b1019cb9b0380c896298e80511699d6e7
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good ded74fddcaf685a9440c5612f7831d0c4c1473ca
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[24569f0249f800f8289ab690b99ab330ca6e425f] sunrpc: make svc_tcp_sendmsg() take a signed sentp pointer
determine whether the revision contains the guilty commit
revision c903327d3295b135eb8c81ebe0b68c1837718eb8 crashed and is reachable
testing commit 24569f0249f800f8289ab690b99ab330ca6e425f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 082154471f9a153f668c0cd6c7c8bfd9dfc57d25f0bd21aea9b11951187f43ee
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good 24569f0249f800f8289ab690b99ab330ca6e425f
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[76a9701325d39d8602695b19c49a9d0828c897ca] Merge tag 'erofs-for-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs
determine whether the revision contains the guilty commit
revision c903327d3295b135eb8c81ebe0b68c1837718eb8 crashed and is reachable
testing commit 76a9701325d39d8602695b19c49a9d0828c897ca gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ff9b36b9ff6ac4c2068f70f0f4639ebd4db0795a80051fed83f24d3266e7ab89
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good 76a9701325d39d8602695b19c49a9d0828c897ca
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[5c8f12cf1e64e0e8e6cb80b0c935389973e8be8d] gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops
determine whether the revision contains the guilty commit
revision c903327d3295b135eb8c81ebe0b68c1837718eb8 crashed and is reachable
testing commit 5c8f12cf1e64e0e8e6cb80b0c935389973e8be8d gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 534ee8c307658252f0496e1f5060bff6ddece09e9692977467c3041fc429a985
all runs: crashed: KASAN: slab-use-after-free Write in gfs2_qd_dealloc
representative crash: KASAN: slab-use-after-free Write in gfs2_qd_dealloc, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect good 5c8f12cf1e64e0e8e6cb80b0c935389973e8be8d
Bisecting: 1 revision left to test after this (roughly 2 steps)
[a90f1b6ad6649d553c9d76f50a42e4ba5783164b] Merge tag 'gfs2-for-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2
determine whether the revision contains the guilty commit
revision 76a9701325d39d8602695b19c49a9d0828c897ca crashed and is reachable
testing commit a90f1b6ad6649d553c9d76f50a42e4ba5783164b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: f3fa72c643d0107561a4afda8651f90c3cb37e0eaf0063bfc4b3fe067ab912fa
all runs: OK
false negative chance: 0.000
# git bisect bad a90f1b6ad6649d553c9d76f50a42e4ba5783164b
Bisecting: 1 revision left to test after this (roughly 1 step)
[deb016c1669002e48c431d6fd32ea1c20ef41756] gfs2: No more self recovery
determine whether the revision contains the guilty commit
revision e50da555ca4d42b1b98d0f26789db64f26a0919a crashed and is reachable
testing commit deb016c1669002e48c431d6fd32ea1c20ef41756 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: aa39f10bb75dc319e5edba84c485ebab499bddec80b03e14ada19623c0e8ded8
all runs: OK
false negative chance: 0.000
# git bisect bad deb016c1669002e48c431d6fd32ea1c20ef41756
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[557c024ca7250bb65ae60f16c02074106c2f197b] gfs2: Validate i_depth for exhash directories
determine whether the revision contains the guilty commit
revision ffc253263a1375a65fa6c9f62a893e9767fbebfa crashed and is reachable
testing commit 557c024ca7250bb65ae60f16c02074106c2f197b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 9c46043e1cae47b286a461bf62f528f4445cd66b5baa9c851acd50c91aa69cb7
all runs: OK
false negative chance: 0.000
# git bisect bad 557c024ca7250bb65ae60f16c02074106c2f197b
557c024ca7250bb65ae60f16c02074106c2f197b is the first bad commit
commit 557c024ca7250bb65ae60f16c02074106c2f197b
Author: Andrew Price
Date: Wed Jul 16 14:12:07 2025 +0100

    gfs2: Validate i_depth for exhash directories

    A fuzzer test introduced corruption that ends up with a depth of 0 in
    dir_e_read(), causing an undefined shift by 32 at:

      index = hash >> (32 - dip->i_depth);

    As calculated in an open-coded way in dir_make_exhash(), the minimum
    depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is
    invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.

    So we can avoid the undefined behaviour by checking for depth values
    lower than the minimum in gfs2_dinode_in(). Values greater than the
    maximum are already being checked for there.

    Also switch the calculation in dir_make_exhash() to use ilog2() to
    clarify how the depth is calculated.

    Tested with the syzkaller repro.c and xfstests '-g quick'.

    Reported-by: syzbot+4708579bb230a0582a57@syzkaller.appspotmail.com
    Signed-off-by: Andrew Price
    Signed-off-by: Andreas Gruenbacher

 fs/gfs2/dir.c | 6 ++----
 fs/gfs2/glops.c | 6 ++++++
 2 files changed, 8 insertions(+), 4 deletions(-)
accumulated error probability: 0.00
culprit signature: 9c46043e1cae47b286a461bf62f528f4445cd66b5baa9c851acd50c91aa69cb7
parent signature: 534ee8c307658252f0496e1f5060bff6ddece09e9692977467c3041fc429a985
revisions tested: 29, total time: 6h33m23.234334635s (build: 2h35m9.540952275s, test: 3h31m57.052743472s)
first good commit: 557c024ca7250bb65ae60f16c02074106c2f197b gfs2: Validate i_depth for exhash directories
recipients (to): ["agruenba@redhat.com" "anprice@redhat.com"]
recipients (cc): []