ci2 starts bisection 2024-09-05 04:05:21.540110986 +0000 UTC m=+33297.389353863 bisecting fixing commit since 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde building syzkaller on de979bc20b2b73242b7d6fbbdf614a8cb4c574f4 ensuring issue is reproducible on original commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: dfa4db54a4f2b14506e4b2b9130b91fe9fc3b4fb1e26724c8e24f4f685717015 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e1cff89aa99f703efa69bbb719055f1080e88381d8465465c8e58b01fc3c503e all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed kconfig minimization: base=4789 full=6018 leaves diff=238 split chunks (needed=false): <238> split chunk #0 of len 238 into 5 parts testing without sub-chunk 1/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 903da98378f149979bdef48fa7e6fe37ea038cf70c1e0daf75ee1b8cd2f0e87a all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b69c775d1a0e2ce347b4494187a681b7a4f99cf5ab2ce3bab961f022d9ef29d8 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1c6e0cba5a014712a538b45e5a4c7e59381826f287e9d1956db97286754cd454 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e0f3c66e738b2eae04f0a352b96023f019dc3fd08c08e90f4995e180a5df8517 all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 failed building 70b6ab09a34b4cbcada982b2f5c68a408a5c0cde: net/socket.c:1128: undefined reference to `wext_handle_ioctl' net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:346: undefined reference to `wext_proc_exit' net/core/net-procfs.c:330: undefined reference to `wext_proc_init' minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF] disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing current HEAD 1c5354a314ea97f0a5371eaa59d5710bf76d8eb6 testing commit 1c5354a314ea97f0a5371eaa59d5710bf76d8eb6 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5e0a4adfe82369d46b84d6738e7c304cf010fe7d4d7d2663b2860136e8d13aea all runs: crashed: KASAN: use-after-free Read in __ext4_check_dir_entry representative crash: KASAN: use-after-free Read in __ext4_check_dir_entry, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 1h8m34.96285523s (build: 18m5.67743174s, test: 49m9.640179937s) crash still not fixed or there were kernel test errors commit msg: Merge branch 'android13-5.10' into android13-5.10-lts crash: KASAN: use-after-free Read in __ext4_check_dir_entry EXT4-fs warning (device loop0): dx_probe:804: inode #2: comm syz-executor.0: Unrecognised inode hash code 49 EXT4-fs warning (device loop0): dx_probe:944: inode #2: comm syz-executor.0: Corrupt directory, running e2fsck is recommended ================================================================== BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x5df/0x890 fs/ext4/dir.c:85 Read of size 2 at addr ffff88811fcc3003 by task syz-executor.0/374 CPU: 1 PID: 374 Comm: syz-executor.0 Not tainted 5.10.223-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack_lvl+0x81/0xac lib/dump_stack.c:118 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:435 [inline] kasan_report.cold+0x82/0xdb mm/kasan/report.c:452 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307 __ext4_check_dir_entry+0x5df/0x890 fs/ext4/dir.c:85 ext4_readdir+0x8d1/0x33e0 fs/ext4/dir.c:258 iterate_dir+0x407/0x690 fs/readdir.c:65 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64 fs/readdir.c:354 [inline] __x64_sys_getdents64+0x12f/0x230 fs/readdir.c:354 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe238facd69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fe238b2e0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007fe2390daf80 RCX: 00007fe238facd69 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005 RBP: 00007fe238ff949e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fe2390daf80 R15: 00007ffebf77f428 The buggy address belongs to the page: page:ffffea00047f30c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11fcc3 flags: 0x4000000000000000() raw: 4000000000000000 ffffea00047f3108 ffff8881f755acb0 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffff88811fcc2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88811fcc2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88811fcc3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88811fcc3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811fcc3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop0): ext4_readdir:258: inode #2: block 255: comm syz-executor.0: path /root/syzkaller-testdir1070646725/syzkaller.oNSGDK/0/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0