ci2 starts bisection 2025-12-31 01:43:57.072410551 +0000 UTC m=+2981649.249533618
bisecting fixing commit since 2ece552169c277a60a8b4ee62c478d6224db2db1
building syzkaller on 19568248c8bdb031004760d49df5045a85aa517b
ensuring issue is reproducible on original commit 2ece552169c277a60a8b4ee62c478d6224db2db1
testing commit 2ece552169c277a60a8b4ee62c478d6224db2db1
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e1db00547934769e1636c38c93fc33c6f2edc4088cd6db3f13a94a9473760b28
all runs: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 2ece552169c277a60a8b4ee62c478d6224db2db1
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 76cb100a4b4ecaf0cf886f46e1a625dfed211ee39fa7723bf7e16b93937a1bb9
run #0: crashed: kernel BUG in __es_tree_search
run #1: crashed: kernel BUG in __es_tree_search
run #2: crashed: kernel BUG in __es_tree_search
run #3: crashed: kernel BUG in __es_tree_search
run #4: crashed: kernel BUG in __es_tree_search
run #5: crashed: kernel BUG in __es_tree_search
run #6: crashed: kernel BUG in ext4_es_cache_extent
run #7: crashed: kernel BUG in __es_tree_search
run #8: crashed: kernel BUG in __es_tree_search
run #9: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [ubsan kasan locking atomic_sleep hang memleak], they are not needed
kconfig minimization: base=4788 full=6026 leaves diff=248
split chunks (needed=false): <248>
split chunk #0 of len 248 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed
testing commit 2ece552169c277a60a8b4ee62c478d6224db2db1
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ae06cb4e1087e2e02e096968ef5929f949010d0322f0990d6089ba2631530399
run #0: crashed: kernel BUG in __es_tree_search
run #1: crashed: kernel BUG in ext4_es_cache_extent
run #2: crashed: kernel BUG in __es_tree_search
run #3: crashed: kernel BUG in __es_tree_search
run #4: crashed: kernel BUG in __es_tree_search
run #5: crashed: kernel BUG in __es_tree_search
run #6: crashed: kernel BUG in __es_tree_search
run #7: crashed: kernel BUG in __es_tree_search
run #8: crashed: kernel BUG in __es_tree_search
run #9: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [atomic_sleep hang memleak ubsan kasan locking], they are not needed
testing commit 2ece552169c277a60a8b4ee62c478d6224db2db1
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 30d8fda2c9777a99c6a736a2e021ba3ef943e15d4dfd5c1ec4ffbe23b7cadd11
all runs: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 2ece552169c277a60a8b4ee62c478d6224db2db1
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 72ca5acd4a0b690f5082ea744dd869c975d213cfe57f6d1235d8d43a577f6262
all runs: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 2ece552169c277a60a8b4ee62c478d6224db2db1
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ac8f0951ad19948dead19f1732e0779b4b8f79756f2cf03bbd05d10acfa82298
all runs: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed
testing commit 2ece552169c277a60a8b4ee62c478d6224db2db1
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 2ece552169c277a60a8b4ee62c478d6224db2db1:
net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [memleak ubsan kasan locking atomic_sleep hang], they are not needed
testing current HEAD e253c52bbdfce1f214777784549a350a8f9ba3b8
testing commit e253c52bbdfce1f214777784549a350a8f9ba3b8
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 024672d1803d8f44eaf6e7c318c19dc5d145b6d6f93e769dcb18ef69ac0668b4
all runs: OK
false negative chance: 0.000
# git bisect start e253c52bbdfce1f214777784549a350a8f9ba3b8 2ece552169c277a60a8b4ee62c478d6224db2db1
Bisecting: 323 revisions left to test after this (roughly 8 steps)
[64da320252e43456cc9ec3055ff567f168467b37] arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
determine whether the revision contains the guilty commit
checking the merge base d3d0b4e274d20103634bc7100cfb6d05ea3ec4d2
no existing result, test the revision
testing commit d3d0b4e274d20103634bc7100cfb6d05ea3ec4d2
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d9e9cbcdf591cad21547dd5a62ed8a8763923dbc30bd26ce120f68d6b76a8fb2
all runs: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
testing commit 64da320252e43456cc9ec3055ff567f168467b37
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 31a5c5876258c2a74fec03e9f5e08283fd504d91caf5e423d2108390b6643930
all runs: OK
false negative chance: 0.000
# git bisect bad 64da320252e43456cc9ec3055ff567f168467b37
Bisecting: 161 revisions left to test after this (roughly 7 steps)
[a6f28754efd87806de3d5070911c1c5255aa0cd1] PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()
determine whether the revision contains the guilty commit
revision d3d0b4e274d20103634bc7100cfb6d05ea3ec4d2 crashed and is reachable
testing commit a6f28754efd87806de3d5070911c1c5255aa0cd1
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ccc279ad6443cf3412129d05be9e334e3bd2ba19dfc2db94ab35539ba44b27e3
all runs: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
# git bisect good a6f28754efd87806de3d5070911c1c5255aa0cd1
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[11f6066af3bfb8149aa16c42c0b0c5ea5b199a94] net/ip6_tunnel: Prevent perpetual tunnel growth
determine whether the revision contains the guilty commit
revision d3d0b4e274d20103634bc7100cfb6d05ea3ec4d2 crashed and is reachable
testing commit 11f6066af3bfb8149aa16c42c0b0c5ea5b199a94
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ff9faedb9fa7e9f4bc339a35564de62a554d1bfd314fdd0a8bff4511a38aeabd
all runs: OK
false negative chance: 0.000
# git bisect bad 11f6066af3bfb8149aa16c42c0b0c5ea5b199a94
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[2b456469167b0912d0d72326679df3d3feeb17f5] minmax: allow min()/max()/clamp() if the arguments have the same signedness.
determine whether the revision contains the guilty commit
revision d3d0b4e274d20103634bc7100cfb6d05ea3ec4d2 crashed and is reachable
testing commit 2b456469167b0912d0d72326679df3d3feeb17f5
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5c1bb63e95582694bb5fd3499b50863643e06cb4f1cd3c6d8a6b99d2053cd79f
run #0: crashed: kernel BUG in __es_tree_search
run #1: crashed: kernel BUG in ext4_es_cache_extent
run #2: crashed: kernel BUG in __es_tree_search
run #3: crashed: kernel BUG in __es_tree_search
run #4: crashed: kernel BUG in __es_tree_search
run #5: crashed: kernel BUG in __es_tree_search
run #6: crashed: kernel BUG in __es_tree_search
run #7: crashed: kernel BUG in __es_tree_search
run #8: crashed: kernel BUG in __es_tree_search
run #9: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
# git bisect good 2b456469167b0912d0d72326679df3d3feeb17f5
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[d687458408b3ae1be50e691fb0c60c935463851d] media: pci: ivtv: Add missing check after DMA map
determine whether the revision contains the guilty commit
revision 2b456469167b0912d0d72326679df3d3feeb17f5 crashed and is reachable
testing commit d687458408b3ae1be50e691fb0c60c935463851d
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f0f66a96627d4ac8bc79a6b04636a831b5e6d81cf5be2ee5d3cc229b6201b03c
all runs: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
# git bisect good d687458408b3ae1be50e691fb0c60c935463851d
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[d76ef264701cf7971cfed96fe1376d823eeac5d0] bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
determine whether the revision contains the guilty commit
revision 2b456469167b0912d0d72326679df3d3feeb17f5 crashed and is reachable
testing commit d76ef264701cf7971cfed96fe1376d823eeac5d0
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d4e9a45cd6d2b184185514d55b286b42a2f3a12d1733a7097c5cba848361c039
all runs: OK
false negative chance: 0.000
# git bisect bad d76ef264701cf7971cfed96fe1376d823eeac5d0
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[9c3bc3db4ae74afbbbace511c29f06260c6f113f] jbd2: ensure that all ongoing I/O complete before freeing blocks
determine whether the revision contains the guilty commit
revision d3d0b4e274d20103634bc7100cfb6d05ea3ec4d2 crashed and is reachable
testing commit 9c3bc3db4ae74afbbbace511c29f06260c6f113f
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a833ec53e51b0d61b3352d9f707e10d7d4f470a6386c70415feb9ddade291dd3
all runs: crashed: kernel BUG in __es_tree_search
representative crash: kernel BUG in __es_tree_search, types: [BUG]
# git bisect good 9c3bc3db4ae74afbbbace511c29f06260c6f113f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444] pwm: berlin: Fix wrong register in suspend/resume
determine whether the revision contains the guilty commit
revision a6f28754efd87806de3d5070911c1c5255aa0cd1 crashed and is reachable
testing commit 5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b98bbf045dcfc77c891c8fe48692109f0b53a165e6af178781f3c57695d65aec
all runs: OK
false negative chance: 0.000
# git bisect bad 5419c86ea134b8a5b8126f55fa5bc1ad7b3ca444
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f061f7c331fc16250fc82aa68964f35821687217] ext4: detect invalid INLINE_DATA + EXTENTS flag combination
determine whether the revision contains the guilty commit
revision d3d0b4e274d20103634bc7100cfb6d05ea3ec4d2 crashed and is reachable
testing commit f061f7c331fc16250fc82aa68964f35821687217
gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 06f0356a63a45880e4299765ea539ee8e7ee36076fcbde9b34bf3d21f160f5f1
all runs: OK
false negative chance: 0.000
# git bisect bad f061f7c331fc16250fc82aa68964f35821687217
f061f7c331fc16250fc82aa68964f35821687217 is the first bad commit
commit f061f7c331fc16250fc82aa68964f35821687217
Author: Deepanshu Kartikey
Date: Tue Sep 30 16:58:10 2025 +0530

    ext4: detect invalid INLINE_DATA + EXTENTS flag combination

    commit 1d3ad183943b38eec2acf72a0ae98e635dc8456b upstream.

    syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
    file on a corrupted ext4 filesystem mounted without a journal.

    The issue is that the filesystem has an inode with both the INLINE_DATA
    and EXTENTS flags set:

        EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
        comm syz.0.17: corrupted extent tree: lblk 0 < prev 66

    Investigation revealed that the inode has both flags set:

        DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1

    This is an invalid combination since an inode should have either:
    - INLINE_DATA: data stored directly in the inode
    - EXTENTS: data stored in extent-mapped blocks

    Having both flags causes ext4_has_inline_data() to return true, skipping
    extent tree validation in __ext4_iget(). The unvalidated out-of-order
    extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
    underflow when calculating hole sizes.

    Fix this by detecting this invalid flag combination early in ext4_iget()
    and rejecting the corrupted inode.

    Cc: stable@kernel.org
    Reported-and-tested-by: syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
    Suggested-by: Zhang Yi
    Signed-off-by: Deepanshu Kartikey
    Reviewed-by: Zhang Yi
    Message-ID: <20250930112810.315095-1-kartikey406@gmail.com>
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

 fs/ext4/inode.c | 8 ++++++++
 1 file changed, 8 insertions(+)

accumulated error probability: 0.00
culprit signature: 06f0356a63a45880e4299765ea539ee8e7ee36076fcbde9b34bf3d21f160f5f1
parent signature: a833ec53e51b0d61b3352d9f707e10d7d4f470a6386c70415feb9ddade291dd3
revisions tested: 17, total time: 5h27m42.547499263s (build: 2h14m42.456527747s, test: 2h38m35.09687961s)
first good commit: f061f7c331fc16250fc82aa68964f35821687217 ext4: detect invalid INLINE_DATA + EXTENTS flag combination
recipients (to): ["gregkh@linuxfoundation.org" "kartikey406@gmail.com" "syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com" "tytso@mit.edu" "yi.zhang@huawei.com"]
recipients (cc): []