ci2 starts bisection 2024-04-07 08:39:23.61368133 +0000 UTC m=+110411.571494757
bisecting fixing commit since 09045dae0d902f9f78901a26c7ff1714976a38f9
building syzkaller on 0b6a67ac4b0dc26f43030c5edd01c9175f13b784
ensuring issue is reproducible on original commit 09045dae0d902f9f78901a26c7ff1714976a38f9

testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f64a12b49666878811909501ec5a413604794b9ffffba4a495ba0327271a78f2
run #0: crashed: KASAN: use-after-free Read in ext4_ext_insert_extent
run #1: crashed: KASAN: out-of-bounds Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
run #4: crashed: KASAN: use-after-free Read in ext4_find_extent
run #5: crashed: KASAN: use-after-free Read in ext4_find_extent
run #6: crashed: KASAN: use-after-free Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: use-after-free Read in ext4_find_extent
run #9: crashed: KASAN: use-after-free Read in ext4_find_extent
run #10: crashed: KASAN: out-of-bounds Read in ext4_find_extent
run #11: crashed: KASAN: use-after-free Read in ext4_find_extent
run #12: crashed: KASAN: use-after-free Read in ext4_find_extent
run #13: crashed: KASAN: use-after-free Read in ext4_find_extent
run #14: crashed: KASAN: use-after-free Read in ext4_find_extent
run #15: crashed: KASAN: use-after-free Read in ext4_find_extent
run #16: crashed: KASAN: use-after-free Read in ext4_find_extent
run #17: crashed: KASAN: out-of-bounds Read in ext4_find_extent
run #18: crashed: KASAN: use-after-free Read in ext4_find_extent
run #19: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_ext_insert_extent, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2c6457a6f31fcccc7d3f45be5d425f12d75cb6efdc31e355c2867bb2dd64e588
run #0: crashed: KASAN: out-of-bounds Read in ext4_find_extent
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
run #4: crashed: KASAN: use-after-free Read in ext4_find_extent
run #5: crashed: KASAN: use-after-free Read in ext4_find_extent
run #6: crashed: KASAN: use-after-free Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: use-after-free Read in ext4_find_extent
run #9: crashed: KASAN: out-of-bounds Read in ext4_find_extent
representative crash: KASAN: out-of-bounds Read in ext4_find_extent, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=3820 full=7527 leaves diff=1997
split chunks (needed=false): <1997>
split chunk #0 of len 1997 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 67d1af66aca04770849e8d8b5fdfd4a5c01a678569748fd6f57b17ffffb0806b
run #0: crashed: KASAN: use-after-free Read in ext4_find_extent
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
run #4: crashed: KASAN: out-of-bounds Read in ext4_find_extent
run #5: crashed: KASAN: use-after-free Read in ext4_find_extent
run #6: crashed: KASAN: use-after-free Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: use-after-free Read in ext4_find_extent
run #9: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 13a17d5c27b199824ea4bc3ff6586b9df7143ad62484bd6eca9bcb68750c6975
run #0: crashed: KASAN: use-after-free Read in ext4_find_extent
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
run #4: crashed: KASAN: use-after-free Read in ext4_find_extent
run #5: crashed: KASAN: use-after-free Read in ext4_find_extent
run #6: crashed: KASAN: use-after-free Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: use-after-free Read in ext4_find_extent
run #9: OK
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b99106ea72ea45ad7a2629f3f2413f2c7bf35775ea2a42987b5ba9b44d3fdad9
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c05331940c690999984af7ca6653027ecfc5d734e299589c8eaf34950be2461d
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 09045dae0d902f9f78901a26c7ff1714976a38f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 34ef247e20efd9606e8e6069ff266e2a26e806116cd5a600ef459660780dd00e
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
the chunk can be dropped
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing current HEAD 347385861c50adc8d4801d4b899eded38a2f04cd
testing commit 347385861c50adc8d4801d4b899eded38a2f04cd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7c9af15e49f7705833dad8e08d258b43b53ad05bc46acbabd504d01d5924bc54
run #0: crashed: KASAN: use-after-free Read in ext4_find_extent
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_ext_insert_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
run #4: crashed: KASAN: use-after-free Read in ext4_find_extent
run #5: crashed: KASAN: use-after-free Read in ext4_find_extent
run #6: crashed: KASAN: use-after-free Read in ext4_find_extent
run #7: crashed: KASAN: use-after-free Read in ext4_find_extent
run #8: crashed: KASAN: use-after-free Read in ext4_find_extent
run #9: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 1h19m25.40161637s (build: 31m32.808746016s, test: 44m10.282360601s)
crash still not fixed or there were kernel test errors
commit msg: Linux 6.1.84
crash: KASAN: use-after-free Read in ext4_find_extent
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xb24/0xcd0 fs/ext4/extents.c:953
Read of size 4 at addr ffff888125119070 by task syz-executor.0/1502

CPU: 1 PID: 1502 Comm: syz-executor.0 Not tainted 6.1.84-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xf4/0x251 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
 ext4_find_extent+0xb24/0xcd0 fs/ext4/extents.c:953
 ext4_ext_map_blocks+0x28b/0x65c0 fs/ext4/extents.c:4142
 ext4_map_blocks+0x82a/0x1810 fs/ext4/inode.c:651
 _ext4_get_block+0x1d0/0x540 fs/ext4/inode.c:798
 __block_write_begin_int+0x32a/0x1150 fs/buffer.c:1991
 __block_write_begin fs/buffer.c:2041 [inline]
 block_page_mkwrite+0x218/0x400 fs/buffer.c:2510
 ext4_page_mkwrite+0x5d9/0xf20 fs/ext4/inode.c:6267
 do_page_mkwrite+0x149/0x410 mm/memory.c:2992
 wp_page_shared+0x146/0x540 mm/memory.c:3341
 handle_pte_fault mm/memory.c:5031 [inline]
 __handle_mm_fault mm/memory.c:5155 [inline]
 handle_mm_fault+0x91a/0x2bf0 mm/memory.c:5276
 do_user_addr_fault arch/x86/mm/fault.c:1371 [inline]
 handle_page_fault arch/x86/mm/fault.c:1462 [inline]
 exc_page_fault+0x22a/0x5e0 arch/x86/mm/fault.c:1518
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f2b8aacacc7
Code: ce 48 ff c7 48 01 fe 48 8d 54 11 80 0f 1f 80 00 00 00 00 c5 fe 6f 0e c5 fe 6f 56 20 c5 fe 6f 5e 40 c5 fe 6f 66 60 48 83 ee 80 <c5> fd 7f 0f c5 fd 7f 57 20 c5 fd 7f 5f 40 c5 fd 7f 67 60 48 83 ef
RSP: 002b:00007ffdf4c13378 EFLAGS: 00010203
RAX: 0000000020003600 RBX: 00007ffdf4c13488 RCX: 0000000020003600
RDX: 00000000200036a9 RSI: 00007f2b8a68d7b0 RDI: 0000000020003620
RBP: 0000000000000001 R08: 0000000000000000 R09: 00007f2b8ac08f8c
R10: 00007ffdf4c134b0 R11: 0000000000000246 R12: 00007f2b8a68d6f0
R13: fffffffffffffffe R14: 00007f2b8a66d000 R15: 00007f2b8a68d6f8
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0004944640 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x125119
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 ffffea0004944688 ffffea0004940b88 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 1475, tgid 1475 (modprobe), ts 56036413771, free_ts 56037584485
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x286/0x2b0 mm/page_alloc.c:2513
 prep_new_page mm/page_alloc.c:2520 [inline]
 get_page_from_freelist+0x2ba7/0x2de0 mm/page_alloc.c:4279
 __alloc_pages+0x251/0x640 mm/page_alloc.c:5547
 vma_alloc_folio+0x689/0x870 mm/mempolicy.c:2243
 alloc_page_vma include/linux/gfp.h:284 [inline]
 do_anonymous_page mm/memory.c:4172 [inline]
 handle_pte_fault mm/memory.c:5011 [inline]
 __handle_mm_fault mm/memory.c:5155 [inline]
 handle_mm_fault+0x184b/0x2bf0 mm/memory.c:5276
 do_user_addr_fault arch/x86/mm/fault.c:1371 [inline]
 handle_page_fault arch/x86/mm/fault.c:1462 [inline]
 exc_page_fault+0x22a/0x5e0 arch/x86/mm/fault.c:1518
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1440 [inline]
 free_pcp_prepare mm/page_alloc.c:1490 [inline]
 free_unref_page_prepare+0xca9/0xd80 mm/page_alloc.c:3358
 free_unref_page_list+0xaa/0x690 mm/page_alloc.c:3499
 release_pages+0x1763/0x1900 mm/swap.c:1055
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
 tlb_flush_mmu+0x26f/0x3d0 mm/mmu_gather.c:261
 tlb_finish_mmu+0xb0/0x1b0 mm/mmu_gather.c:361
 exit_mmap+0x311/0x700 mm/mmap.c:3239
 __mmput+0x61/0x290 kernel/fork.c:1199
 exit_mm+0x122/0x1b0 kernel/exit.c:563
 do_exit+0x81e/0x23a0 kernel/exit.c:856
 do_group_exit+0x1b5/0x280 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3d/0x80 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888125118f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888125118f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888125119000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff888125119080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888125119100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================