bisecting fixing commit since 1c27f1fc1549f0e470429f5497a76ad28a37f21a building syzkaller on 0d5abf15b74358009a02efb629f7bc7c84841a1f testing commit 1c27f1fc1549f0e470429f5497a76ad28a37f21a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c840b0faddb744827ee15bdce1d2abb195fcc785658f5d4a9ff06ca3da8dcbc2 run #0: crashed: KASAN: use-after-free Read in search_by_entry_key run #1: crashed: KASAN: use-after-free Read in search_by_entry_key run #2: crashed: KASAN: use-after-free Read in search_by_entry_key run #3: crashed: KASAN: use-after-free Read in search_by_entry_key run #4: crashed: KASAN: use-after-free Read in search_by_entry_key run #5: crashed: KASAN: use-after-free Read in search_by_entry_key run #6: crashed: KASAN: use-after-free Read in search_by_entry_key run #7: crashed: KASAN: use-after-free Read in search_by_entry_key run #8: crashed: KASAN: use-after-free Read in search_by_entry_key run #9: crashed: KASAN: use-after-free Read in search_by_entry_key run #10: crashed: KASAN: use-after-free Read in search_by_entry_key run #11: crashed: KASAN: use-after-free Read in search_by_entry_key run #12: boot failed: INFO: task hung in add_early_randomness run #13: boot failed: INFO: task hung in add_early_randomness run #14: boot failed: INFO: task hung in add_early_randomness run #15: boot failed: INFO: task hung in add_early_randomness run #16: boot failed: INFO: task hung in add_early_randomness run #17: boot failed: INFO: task hung in add_early_randomness run #18: boot failed: INFO: task hung in add_early_randomness run #19: boot failed: INFO: task hung in add_early_randomness testing current HEAD 72a8e05d4f66b5af7854df4490e3135168694b6b testing commit 72a8e05d4f66b5af7854df4490e3135168694b6b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4b6f7534bbc92d8022ce1a5b9a017ef1d5969594fccfe661fe181af1d196174b all runs: crashed: KASAN: use-after-free Read in search_by_entry_key revisions tested: 2, total time: 27m49.459421794s (build: 13m40.107667282s, test: 13m45.648964547s) the crash still happens on HEAD commit msg: Merge tag 'ovl-fixes-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs crash: KASAN: use-after-free Read in search_by_entry_key REISERFS (device loop0): checking transaction log (loop0) REISERFS (device loop0): Using r5 hash to sort names REISERFS (device loop0): using 3.5.x disk format ================================================================== BUG: KASAN: use-after-free in bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline] BUG: KASAN: use-after-free in search_by_entry_key+0x776/0x980 fs/reiserfs/namei.c:165 Read of size 4 at addr ffff88806dd3d014 by task syz-executor.0/4094 CPU: 1 PID: 4094 Comm: syz-executor.0 Not tainted 5.19.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline] search_by_entry_key+0x776/0x980 fs/reiserfs/namei.c:165 reiserfs_find_entry.part.0+0x133/0xcb0 fs/reiserfs/namei.c:322 reiserfs_find_entry fs/reiserfs/namei.c:368 [inline] reiserfs_lookup+0x1ff/0x3e0 fs/reiserfs/namei.c:368 __lookup_slow+0x1fe/0x3c0 fs/namei.c:1701 lookup_one_len+0x12a/0x150 fs/namei.c:2730 reiserfs_lookup_privroot+0x8d/0x260 fs/reiserfs/xattr.c:980 reiserfs_fill_super+0x1c45/0x27a0 fs/reiserfs/super.c:2176 mount_bdev+0x2cb/0x3b0 fs/super.c:1367 legacy_get_tree+0xfa/0x1f0 fs/fs_context.c:610 vfs_get_tree+0x7f/0x2c0 fs/super.c:1497 do_new_mount fs/namespace.c:3040 [inline] path_mount+0x7e8/0x1a40 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x1f5/0x260 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f409d88a63a Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f409e98ef88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000040 RCX: 00007f409d88a63a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f409e98efe0 RBP: 00007f409e98f020 R08: 00007f409e98f020 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000 R13: 0000000020000100 R14: 00007f409e98efe0 R15: 0000000020000580 The buggy address belongs to the physical page: page:ffffea0001b74f40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6dd3d flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001b751c8 ffffea0001b7ccc8 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 4090, tgid 4090 (syz-executor.0), ts 60417297014, free_ts 60578832705 prep_new_page mm/page_alloc.c:2456 [inline] get_page_from_freelist+0x19d3/0x3b30 mm/page_alloc.c:4198 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426 __folio_alloc+0x12/0x40 mm/page_alloc.c:5457 vma_alloc_folio+0xbc/0x630 mm/mempolicy.c:2233 alloc_page_vma include/linux/gfp.h:634 [inline] do_anonymous_page mm/memory.c:4076 [inline] handle_pte_fault mm/memory.c:4902 [inline] __handle_mm_fault+0x13f1/0x3110 mm/memory.c:5043 handle_mm_fault+0x166/0x5e0 mm/memory.c:5141 do_user_addr_fault+0x2da/0xcd0 arch/x86/mm/fault.c:1397 handle_page_fault arch/x86/mm/fault.c:1484 [inline] exc_page_fault+0x5a/0xc0 arch/x86/mm/fault.c:1540 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1371 [inline] free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421 free_unref_page_prepare mm/page_alloc.c:3343 [inline] free_unref_page_list+0x16f/0xf80 mm/page_alloc.c:3475 release_pages+0x6f1/0x1780 mm/swap.c:980 tlb_batch_pages_flush+0x85/0x160 mm/mmu_gather.c:58 zap_pte_range mm/memory.c:1518 [inline] zap_pmd_range mm/memory.c:1567 [inline] zap_pud_range mm/memory.c:1596 [inline] zap_p4d_range mm/memory.c:1617 [inline] unmap_page_range+0x15af/0x29c0 mm/memory.c:1638 unmap_vmas+0x170/0x2b0 mm/memory.c:1723 exit_mmap+0x183/0x3f0 mm/mmap.c:3162 __mmput+0xed/0x430 kernel/fork.c:1187 exit_mm kernel/exit.c:510 [inline] do_exit+0x8c8/0x2440 kernel/exit.c:782 do_group_exit+0xb2/0x2a0 kernel/exit.c:925 get_signal+0x1c76/0x2030 kernel/signal.c:2857 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:166 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff88806dd3cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88806dd3cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88806dd3d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88806dd3d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88806dd3d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================