ci2 starts bisection 2025-01-22 04:41:30.524243953 +0000 UTC m=+43996.391817398
bisecting fixing commit since 5e4635681cf1a50f26f88af7a946375ec6908d58
building syzkaller on df3dc63b8ba0b52ca67025f5b55cd4356b3eda75
ensuring issue is reproducible on original commit 5e4635681cf1a50f26f88af7a946375ec6908d58
testing commit 5e4635681cf1a50f26f88af7a946375ec6908d58 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 64deb3b2816121dc57c4f37dbe165611ec5b8d1db1b79286b782033a801f40e8
run #0: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #1: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #2: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #3: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #4: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #5: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #6: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #7: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #8: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #9: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #10: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #11: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #12: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #13: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #14: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #15: crashed: KASAN: slab-out-of-bounds Read in ext4_xattr_delete_inode
run #16: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #17: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #18: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #19: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
representative crash: KASAN: use-after-free Read in ext4_xattr_delete_inode, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 5e4635681cf1a50f26f88af7a946375ec6908d58 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fb0f5bd149b79239f9a454589f57db606eeb72b580129a327a3983205a8db2e3
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
representative crash: KASAN: use-after-free Read in ext4_xattr_delete_inode, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4920 full=6212 leaves diff=252
split chunks (needed=false): <252>
split chunk #0 of len 252 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 5e4635681cf1a50f26f88af7a946375ec6908d58 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b3e896dcb211690d18d503604d71a0da44e56715613f7a21ed1bba5fd2cf2519
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
representative crash: KASAN: use-after-free Read in ext4_xattr_delete_inode, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 5e4635681cf1a50f26f88af7a946375ec6908d58 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c6d89fca8e8f0193ac87d483eb3b950302fca4f38d926bb1626d165c9735b2a2
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
representative crash: KASAN: use-after-free Read in ext4_xattr_delete_inode, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 5e4635681cf1a50f26f88af7a946375ec6908d58 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 14c7a92942b0bae0134f48fade47951f6a4b6c59c2d6e58cea0f0d0bd11c7a58
run #0: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #1: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #2: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #3: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_xattr_delete_inode
run #5: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #6: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #7: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #8: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #9: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
representative crash: KASAN: use-after-free Read in ext4_xattr_delete_inode, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 5e4635681cf1a50f26f88af7a946375ec6908d58 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4f17ecff9835f2ab279f8a0f3c73df74cef12f7f628d47a1aa92641e2d0cd38d
run #0: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #1: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #2: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #3: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #4: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #5: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #6: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #7: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
run #8: crashed: KASAN: slab-out-of-bounds Read in ext4_xattr_delete_inode
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_xattr_delete_inode
representative crash: KASAN: use-after-free Read in ext4_xattr_delete_inode, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 5e4635681cf1a50f26f88af7a946375ec6908d58 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 5e4635681cf1a50f26f88af7a946375ec6908d58: net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3385: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD 829d9f1385697bfbda55c9d272404b976503bdbe
testing commit 829d9f1385697bfbda55c9d272404b976503bdbe gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: afd1a980e29115f0a4cc38486f0942e6d212a1e0ca476710b8ca90d08bb3f3a2
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_delete_inode
representative crash: KASAN: use-after-free Read in ext4_xattr_delete_inode, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 41m16.752848265s (build: 18m31.509344902s, test: 20m25.416112563s)
crash still not fixed or there were kernel test errors
commit msg: Revert "tracing: Constify string literal data member in struct trace_event_call"
crash: KASAN: use-after-free Read in ext4_xattr_delete_inode
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_delete_inode+0xe4e/0xe80 fs/ext4/xattr.c:2911
Read of size 4 at addr ffff88811f752000 by task syz-executor/445

CPU: 0 PID: 445 Comm: syz-executor Not tainted 5.15.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x38/0x49 lib/dump_stack.c:106
 print_address_description.constprop.0+0x24/0x160 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 ext4_xattr_delete_inode+0xe4e/0xe80 fs/ext4/xattr.c:2911
 ext4_evict_inode+0x8a0/0x1700 fs/ext4/inode.c:300
 evict+0x372/0x8b0 fs/inode.c:622
 iput_final fs/inode.c:1744 [inline]
 iput.part.0+0x334/0x640 fs/inode.c:1770
 iput+0x3f/0x50 fs/inode.c:1760
 d_delete_notify include/linux/fsnotify.h:278 [inline]
 vfs_rmdir.part.0+0x370/0x460 fs/namei.c:4162
 vfs_rmdir fs/namei.c:4135 [inline]
 do_rmdir+0x2e8/0x3f0 fs/namei.c:4210
 __do_sys_unlinkat fs/namei.c:4390 [inline]
 __se_sys_unlinkat fs/namei.c:4384 [inline]
 __x64_sys_unlinkat+0xad/0xe0 fs/namei.c:4384
 x64_sys_call+0x2c1/0x990 arch/x86/include/generated/asm/syscalls_64.h:264
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f066d85ccf7
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcefd10c08 EFLAGS: 00000207 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 0000000000000065 RCX: 00007f066d85ccf7
RDX: 0000000000000200 RSI: 00007ffcefd11db0 RDI: 00000000ffffff9c
RBP: 00007f066d8d023c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000207 R12: 00007ffcefd11db0
R13: 00007f066d8d023c R14: 000000000000e055 R15: 00007ffcefd13f60

Allocated by task 280:
 kasan_save_stack+0x26/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 __kasan_slab_alloc+0x94/0xc0 mm/kasan/common.c:466
 kasan_slab_alloc include/linux/kasan.h:217 [inline]
 slab_post_alloc_hook mm/slab.h:550 [inline]
 kmem_cache_alloc_bulk+0x206/0x3b0 mm/slub.c:3738
 napi_skb_cache_get+0xd0/0x150 net/core/skbuff.c:179
 __alloc_skb+0x54/0x250 net/core/skbuff.c:414
 __napi_alloc_skb+0x48/0x2b0 net/core/skbuff.c:569
 napi_alloc_skb include/linux/skbuff.h:3079 [inline]
 page_to_skb+0x41a/0xa80 drivers/net/virtio_net.c:454
 receive_mergeable drivers/net/virtio_net.c:1070 [inline]
 receive_buf+0x21ee/0x5160 drivers/net/virtio_net.c:1180
 virtnet_receive drivers/net/virtio_net.c:1472 [inline]
 virtnet_poll+0x574/0x11c0 drivers/net/virtio_net.c:1585
 __napi_poll+0xa4/0x440 net/core/dev.c:7051
 napi_poll net/core/dev.c:7118 [inline]
 net_rx_action+0x2f3/0xb00 net/core/dev.c:7208
 handle_softirqs+0x1c5/0x510 kernel/softirq.c:565
 __do_softirq kernel/softirq.c:603 [inline]
 invoke_softirq kernel/softirq.c:425 [inline]
 __irq_exit_rcu kernel/softirq.c:652 [inline]
 irq_exit_rcu+0x66/0x110 kernel/softirq.c:664
 common_interrupt+0xc2/0xe0 arch/x86/kernel/irq.c:240
 asm_common_interrupt+0x27/0x40 arch/x86/include/asm/idtentry.h:667

Freed by task 278:
 kasan_save_stack+0x26/0x50 mm/kasan/common.c:38
 kasan_set_track+0x25/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x24/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:365 [inline]
 ____kasan_slab_free mm/kasan/common.c:327 [inline]
 __kasan_slab_free+0x111/0x150 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:193 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x94/0x1a0 mm/slub.c:1749
 slab_free mm/slub.c:3521 [inline]
 kmem_cache_free+0x105/0x2a0 mm/slub.c:3539
 kfree_skbmem+0x95/0x140 net/core/skbuff.c:701
 __kfree_skb+0x48/0x60 net/core/skbuff.c:758
 sk_eat_skb include/net/sock.h:2740 [inline]
 tcp_recvmsg_locked+0x1000/0x2230 net/ipv4/tcp.c:2517
 tcp_recvmsg+0x117/0x470 net/ipv4/tcp.c:2563
 inet_recvmsg+0xf7/0x4c0 net/ipv4/af_inet.c:861
 sock_recvmsg_nosec net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:984 [inline]
 sock_recvmsg net/socket.c:980 [inline]
 sock_read_iter+0x2da/0x510 net/socket.c:1057
 call_read_iter include/linux/fs.h:2200 [inline]
 new_sync_read+0x489/0x6d0 fs/read_write.c:404
 vfs_read+0x34a/0x4b0 fs/read_write.c:485
 ksys_read+0x192/0x210 fs/read_write.c:623
 __do_sys_read fs/read_write.c:633 [inline]
 __se_sys_read fs/read_write.c:631 [inline]
 __x64_sys_read+0x6e/0xb0 fs/read_write.c:631
 x64_sys_call+0x982/0x990 arch/x86/include/generated/asm/syscalls_64.h:1
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff88811f752000
 which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 0 bytes inside of
 240-byte region [ffff88811f752000, ffff88811f7520f0)
The buggy address belongs to the page:
page:ffffea00047dd480 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f752
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff888107fb8c00
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 280, ts 27930472260, free_ts 27929859905
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook mm/page_alloc.c:2605 [inline]
 prep_new_page+0x1a2/0x310 mm/page_alloc.c:2611
 get_page_from_freelist+0x1ce2/0x30a0 mm/page_alloc.c:4485
 __alloc_pages+0x2d5/0x2620 mm/page_alloc.c:5780
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab+0x39d/0x530 mm/slub.c:1932
 new_slab mm/slub.c:1995 [inline]
 ___slab_alloc.constprop.0+0x3ca/0x890 mm/slub.c:3028
 kmem_cache_alloc_bulk+0x14a/0x3b0 mm/slub.c:3714
 napi_skb_cache_get+0xd0/0x150 net/core/skbuff.c:179
 __alloc_skb+0x54/0x250 net/core/skbuff.c:414
 __napi_alloc_skb+0x48/0x2b0 net/core/skbuff.c:569
 napi_alloc_skb include/linux/skbuff.h:3079 [inline]
 page_to_skb+0x41a/0xa80 drivers/net/virtio_net.c:454
 receive_mergeable drivers/net/virtio_net.c:1070 [inline]
 receive_buf+0x21ee/0x5160 drivers/net/virtio_net.c:1180
 virtnet_receive drivers/net/virtio_net.c:1472 [inline]
 virtnet_poll+0x574/0x11c0 drivers/net/virtio_net.c:1585
 __napi_poll+0xa4/0x440 net/core/dev.c:7051
 napi_poll net/core/dev.c:7118 [inline]
 net_rx_action+0x2f3/0xb00 net/core/dev.c:7208
 handle_softirqs+0x1c5/0x510 kernel/softirq.c:565
 __do_softirq kernel/softirq.c:603 [inline]
 invoke_softirq kernel/softirq.c:425 [inline]
 __irq_exit_rcu kernel/softirq.c:652 [inline]
 irq_exit_rcu+0x66/0x110 kernel/softirq.c:664
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare+0x1b6/0x4c0 mm/page_alloc.c:1544
 free_unref_page_prepare mm/page_alloc.c:3534 [inline]
 free_unref_page+0x84/0x760 mm/page_alloc.c:3616
 __put_single_page mm/swap.c:98 [inline]
 __put_page+0xdb/0x110 mm/swap.c:129
 put_page include/linux/mm.h:1295 [inline]
 anon_pipe_buf_release+0x128/0x1a0 fs/pipe.c:137
 pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
 pipe_read+0x574/0xdf0 fs/pipe.c:323
 call_read_iter include/linux/fs.h:2200 [inline]
 new_sync_read+0x489/0x6d0 fs/read_write.c:404
 vfs_read+0x34a/0x4b0 fs/read_write.c:485
 ksys_read+0x192/0x210 fs/read_write.c:623
 __do_sys_read fs/read_write.c:633 [inline]
 __se_sys_read fs/read_write.c:631 [inline]
 __x64_sys_read+0x6e/0xb0 fs/read_write.c:631
 x64_sys_call+0x982/0x990 arch/x86/include/generated/asm/syscalls_64.h:1
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff88811f751f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88811f751f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88811f752000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88811f752080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff88811f752100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================