ci2 starts bisection 2025-06-16 12:39:01.788909579 +0000 UTC m=+62.925074736
bisecting fixing commit since d2bafcf224f3911b183113b2fcb536c9e90684a3
building syzkaller on d7d323527f8e6073ec1da024a08c26f50626254f
ensuring issue is reproducible on original commit d2bafcf224f3911b183113b2fcb536c9e90684a3

testing commit d2bafcf224f3911b183113b2fcb536c9e90684a3 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 2ae2ccf517c140f474daae100cb2c4c91858859b0caa1af51edb7358e50b7f15
run #0: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #1: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #2: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #3: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #4: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #5: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #6: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #7: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #8: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #9: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #10: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #11: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #12: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #13: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #14: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #15: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #16: crashed: KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree
run #17: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #18: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
run #19: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
representative crash: KASAN: use-after-free Read in ext4_inlinedir_to_tree, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit d2bafcf224f3911b183113b2fcb536c9e90684a3 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 7fbf18e19a53231203f1e6ca2402061871ddac1723660c4ada7ee3e308a1c43f
all runs: crashed: KASAN: use-after-free Read in ext4_inlinedir_to_tree
representative crash: KASAN: use-after-free Read in ext4_inlinedir_to_tree, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4088 full=8129 leaves diff=2143
split chunks (needed=false): <2143>
split chunk #0 of len 2143 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit d2bafcf224f3911b183113b2fcb536c9e90684a3 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 5673fa71591a2b02f883836a05f3c156eafb8a78047c9321cda255ed8f2da531
run #0: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #1: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #2: crashed: KASAN: out-of-bounds Read in ext4_read_inline_data
run #3: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #4: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #5: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #6: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #7: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #8: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #9: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit d2bafcf224f3911b183113b2fcb536c9e90684a3 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 531e82097c55cb7bdae1c870b28bb3385626c93b88738fd339d52898e261ee89
run #0: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #1: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #2: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_read_inline_data
run #4: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #5: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #6: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #7: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #8: crashed: KASAN: use-after-free Read in ext4_read_inline_data
run #9: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit d2bafcf224f3911b183113b2fcb536c9e90684a3 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 4f79a24ce113852961f2f72daf89a808ce648b7e46a86351830d89a28b38d416
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit d2bafcf224f3911b183113b2fcb536c9e90684a3 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: f32f2cf26d799db73b9c313ef881935e29597066ea1b301d47f68737b885a41c
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit d2bafcf224f3911b183113b2fcb536c9e90684a3 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 6bf57bca2556799b0c154512d8f645ccbdc6960bd5f799b007b5a9b2cd86b1eb
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
the chunk can be dropped
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing current HEAD e04c78d86a9699d136910cfc0bdcf01087e3267e
testing commit e04c78d86a9699d136910cfc0bdcf01087e3267e gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 8cf86f084c7a503d76bcc0ee3ff635befb81d3cf7c1a2304e6bc4dd9ebab63a0
all runs: crashed: KASAN: use-after-free Read in ext4_read_inline_data
representative crash: KASAN: use-after-free Read in ext4_read_inline_data, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 4h56m46.44139952s (build: 1h55m42.628830787s, test: 49m44.413697592s)
crash still not fixed or there were kernel test errors
commit msg: Linux 6.16-rc2
crash: KASAN: use-after-free Read in ext4_read_inline_data
EXT4-fs error (device loop0): htree_dirblock_to_tree:1080: inode #2: block 21: comm syz-executor: bad entry in directory: directory entry overrun - offset=1004, inode=0, rec_len=1000, size=1024 fake=0
==================================================================
BUG: KASAN: use-after-free in ext4_read_inline_data+0x18f/0x280 fs/ext4/inline.c:214
Read of size 324 at addr ffff88812d0e9c05 by task syz-executor/2426

CPU: 1 UID: 0 PID: 2426 Comm: syz-executor Not tainted 6.16.0-rc2-syzkaller #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xf4/0x170 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 ext4_read_inline_data+0x18f/0x280 fs/ext4/inline.c:214
 ext4_inlinedir_to_tree+0x2db/0xac0 fs/ext4/inline.c:1302
 ext4_htree_fill_tree+0x3cb/0xef0 fs/ext4/namei.c:1179
 ext4_dx_readdir fs/ext4/dir.c:601 [inline]
 ext4_readdir+0x233a/0x2d10 fs/ext4/dir.c:146
 iterate_dir+0x1aa/0x4c0 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64+0xd3/0x1b0 fs/readdir.c:396
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efe535ec013
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 52 43 f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
RSP: 002b:00007ffdd7304c88 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 000055557ce63520 RCX: 00007efe535ec013
RDX: 0000000000008000 RSI: 000055557ce63520 RDI: 0000000000000006
RBP: 000055557ce634f4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8
R13: 0000000000000016 R14: 000055557ce634f0 R15: 00007ffdd7308020
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x12d0e9
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 ffffea0004b44308 ffffea0004540b88 0000000000000000
raw: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 2283, tgid 2283 (modprobe), ts 80163392773, free_ts 80175051462
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x168/0x1a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x2c22/0x2de0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x26b/0x460 mm/page_alloc.c:4959
 alloc_pages_mpol+0xcb/0x270 mm/mempolicy.c:2419
 folio_alloc_mpol_noprof mm/mempolicy.c:2438 [inline]
 vma_alloc_folio_noprof+0x288/0x400 mm/mempolicy.c:2473
 folio_prealloc+0x24/0xf0 mm/memory.c:-1
 wp_page_copy mm/memory.c:3569 [inline]
 do_wp_page+0xb0d/0x2ec0 mm/memory.c:4030
 handle_pte_fault mm/memory.c:6105 [inline]
 __handle_mm_fault mm/memory.c:6232 [inline]
 handle_mm_fault+0x851/0x2310 mm/memory.c:6401
 do_user_addr_fault+0x31a/0xc30 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x62/0xa0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 2283 tgid 2283 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 free_unref_folios+0xb30/0x1290 mm/page_alloc.c:2763
 folios_put_refs+0x319/0x400 mm/swap.c:992
 free_pages_and_swap_cache+0x35f/0x3c0 mm/swap_state.c:267
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x2ba/0x500 mm/mmu_gather.c:404
 tlb_finish_mmu+0xaa/0x190 mm/mmu_gather.c:497
 exit_mmap+0x382/0x850 mm/mmap.c:1297
 __mmput+0x62/0x290 kernel/fork.c:1121
 exit_mm+0x11b/0x1b0 kernel/exit.c:581
 do_exit+0x4fa/0x1d40 kernel/exit.c:943
 do_group_exit+0x1b1/0x280 kernel/exit.c:1104
 __do_sys_exit_group kernel/exit.c:1115 [inline]
 __se_sys_exit_group kernel/exit.c:1113 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1113
 x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88812d0e9b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812d0e9b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812d0e9c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88812d0e9c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812d0e9d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================