ci2 starts bisection 2023-12-02 00:57:50.97597138 +0000 UTC m=+173381.622548670
bisecting fixing commit since ca87e77a2ef8b298aa9f69658d5898e72ee450fe
building syzkaller on f3921d4d63f97d1f1fb49a69ea85744bb7ef184b
ensuring issue is reproducible on original commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe

testing commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0ec7b4d86a2f12992aca1baf3206c8d8e108cf127251d568b844fdc9c92301c4
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
run #10: crashed: KASAN: use-after-free Read in ext4_search_dir
run #11: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #12: crashed: KASAN: use-after-free Read in ext4_search_dir
run #13: crashed: KASAN: use-after-free Read in ext4_search_dir
run #14: crashed: KASAN: use-after-free Read in ext4_search_dir
run #15: crashed: KASAN: use-after-free Read in ext4_search_dir
run #16: crashed: KASAN: use-after-free Read in ext4_search_dir
run #17: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #18: crashed: KASAN: use-after-free Read in ext4_search_dir
run #19: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c312720369a3a6b79066cbd251edb186663a3e9ca05ffbbb6cf52db0a8858624
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=3820 full=7523 leaves diff=1995
split chunks (needed=false): <1995>
split chunk #0 of len 1995 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0e047a62f7bdeb3d6f2dad680a80ef8b33ecbde80610c829a44b40aa2e76089e
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: out-of-bounds Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: use-after-free Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 040cf7a1c4360eb0729bd33708e0b1359ad2fd10cb91682b6673b4f17edb7213
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6330c403774b55fe03bb3fc55f97c6cb3be95224071cbef5d604920c56181db8
run #0: crashed: KASAN: use-after-free Read in ext4_search_dir
run #1: crashed: KASAN: use-after-free Read in ext4_search_dir
run #2: crashed: KASAN: use-after-free Read in ext4_search_dir
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_search_dir
run #4: crashed: KASAN: use-after-free Read in ext4_search_dir
run #5: crashed: KASAN: use-after-free Read in ext4_search_dir
run #6: crashed: KASAN: use-after-free Read in ext4_search_dir
run #7: crashed: KASAN: use-after-free Read in ext4_search_dir
run #8: crashed: KASAN: use-after-free Read in ext4_search_dir
run #9: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9655654a581dbb82050be0183af5e8e4167219f3eda56bad5a8ec224555aeec8
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit ca87e77a2ef8b298aa9f69658d5898e72ee450fe gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0c60efd0ae3562a47ea63127e75f3f1b6f1a94c1c6df88d87b29b38a2ada88c3
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
the chunk can be dropped
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD 6ac30d748bb080752d4078d482534b68d62f685f
testing commit 6ac30d748bb080752d4078d482534b68d62f685f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 90d236ce66a7dbf7f20fe35c35bf2ca9c59b7cd87e5b2b04319603dc2f5890ad
all runs: crashed: KASAN: use-after-free Read in ext4_search_dir
representative crash: KASAN: use-after-free Read in ext4_search_dir, types: [KASAN]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 1h1m26.46526002s (build: 33m55.026501039s, test: 24m38.400849196s)
crash still not fixed or there were kernel test errors
commit msg: Linux 6.1.64
crash: KASAN: use-after-free Read in ext4_search_dir
loop0: detected capacity change from 0 to 512
EXT4-fs: Ignoring removed bh option
EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
EXT4-fs (loop0): 1 truncate cleaned up
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0x148/0x250 fs/ext4/namei.c:1543
Read of size 1 at addr ffff8881255b43ed by task syz-executor.0/1512

CPU: 0 PID: 1512 Comm: syz-executor.0 Not tainted 6.1.64-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xf4/0x251 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 ext4_search_dir+0x148/0x250 fs/ext4/namei.c:1543
 ext4_find_inline_entry+0x367/0x540 fs/ext4/inline.c:1722
 __ext4_find_entry+0x2dc/0x1a10 fs/ext4/namei.c:1616
 ext4_lookup_entry fs/ext4/namei.c:1771 [inline]
 ext4_lookup+0x1ab/0x5f0 fs/ext4/namei.c:1839
 lookup_open fs/namei.c:3392 [inline]
 open_last_lookups fs/namei.c:3482 [inline]
 path_openat+0xdb6/0x2410 fs/namei.c:3712
 do_filp_open+0x226/0x430 fs/namei.c:3742
 do_sys_openat2+0x10b/0x420 fs/open.c:1318
 do_sys_open fs/open.c:1334 [inline]
 __do_sys_open fs/open.c:1342 [inline]
 __se_sys_open fs/open.c:1338 [inline]
 __x64_sys_open+0x1eb/0x240 fs/open.c:1338
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f9d00842b29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9d003c50c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f9d00961f80 RCX: 00007f9d00842b29
RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000100
RBP: 00007f9d0088e47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f9d00961f80 R15: 00007ffc0c4df6b8
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0004956d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1255b4
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 ffffea0004959088 ffffea0004956f48 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 1298, tgid 1298 (modprobe), ts 51288082000, free_ts 51292858252
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x286/0x2b0 mm/page_alloc.c:2513
 prep_new_page mm/page_alloc.c:2520 [inline]
 get_page_from_freelist+0x2ba7/0x2de0 mm/page_alloc.c:4279
 __alloc_pages+0x251/0x640 mm/page_alloc.c:5545
 vma_alloc_folio+0x689/0x870 mm/mempolicy.c:2243
 alloc_page_vma include/linux/gfp.h:284 [inline]
 wp_page_copy+0x1e6/0x1610 mm/memory.c:3134
 handle_pte_fault mm/memory.c:5011 [inline]
 __handle_mm_fault mm/memory.c:5135 [inline]
 handle_mm_fault+0x91a/0x2bf0 mm/memory.c:5256
 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline]
 handle_page_fault arch/x86/mm/fault.c:1471 [inline]
 exc_page_fault+0x22a/0x5e0 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1440 [inline]
 free_pcp_prepare mm/page_alloc.c:1490 [inline]
 free_unref_page_prepare+0xca9/0xd80 mm/page_alloc.c:3358
 free_unref_page_list+0xaa/0x690 mm/page_alloc.c:3499
 release_pages+0x1763/0x1900 mm/swap.c:1055
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
 tlb_flush_mmu+0x26f/0x3d0 mm/mmu_gather.c:261
 tlb_finish_mmu+0xb0/0x1b0 mm/mmu_gather.c:361
 exit_mmap+0x311/0x700 mm/mmap.c:3239
 __mmput+0x61/0x290 kernel/fork.c:1199
 exit_mm+0x122/0x1b0 kernel/exit.c:563
 do_exit+0x81e/0x23a0 kernel/exit.c:856
 do_group_exit+0x1b5/0x280 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8881255b4280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881255b4300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881255b4380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff8881255b4400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881255b4480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================