ci2 starts bisection 2024-07-21 04:33:46.593718766 +0000 UTC m=+79579.179436811 bisecting fixing commit since bf1e3b1cb1e002ed1590c91f1a24433b59322368 building syzkaller on 27de0a5cccaebe20ffd8fce48c2c5ec9d4b358fa ensuring issue is reproducible on original commit bf1e3b1cb1e002ed1590c91f1a24433b59322368 testing commit bf1e3b1cb1e002ed1590c91f1a24433b59322368 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e14e0a103914d1cb1e3f1df8b12615a4e65989c3197b6fdbaf0a2470984de473 run #0: infra problem: create instance operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0033b2780] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 125.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #1: infra problem: create instance operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc005a643c0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 125.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #2: infra problem: create instance operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0033b29b0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 125.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #3: infra problem: create instance operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0033b2be0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 125.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #4: infra problem: create instance operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0033b2d70] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 125.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #5: infra problem: create instance operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc005a64960] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 125.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #6: infra problem: create instance operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0015120f0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 125.0 in region us-central1. ForceSendFields:[] NullFields:[]}. run #7: crashed: KASAN: use-after-free Read in try_to_wake_up run #8: crashed: KASAN: use-after-free Read in try_to_wake_up run #9: crashed: KASAN: use-after-free Read in try_to_wake_up run #10: crashed: KASAN: use-after-free Read in try_to_wake_up run #11: crashed: KASAN: use-after-free Read in try_to_wake_up run #12: crashed: KASAN: use-after-free Read in try_to_wake_up run #13: crashed: KASAN: use-after-free Read in try_to_wake_up run #14: crashed: KASAN: use-after-free Read in try_to_wake_up run #15: crashed: KASAN: use-after-free Read in try_to_wake_up run #16: crashed: KASAN: use-after-free Read in try_to_wake_up run #17: crashed: KASAN: use-after-free Read in try_to_wake_up run #18: crashed: KASAN: use-after-free Read in try_to_wake_up run #19: OK representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit bf1e3b1cb1e002ed1590c91f1a24433b59322368 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 9adacaf8b7d169698f1915195e22923170c2da09446ea464f4d912c442452dd4 all runs: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed kconfig minimization: base=7495 full=9693 leaves diff=1929 split chunks (needed=false): <1929> split chunk #0 of len 1929 into 5 parts testing without sub-chunk 1/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit bf1e3b1cb1e002ed1590c91f1a24433b59322368 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 212a2f889f4a54188acdd1c788245c6da9c9f25c38830d527dd9fb877c71a5f5 run #0: crashed: KASAN: use-after-free Read in try_to_wake_up run #1: crashed: KASAN: use-after-free Read in try_to_wake_up run #2: crashed: KASAN: use-after-free Read in try_to_wake_up run #3: crashed: KASAN: use-after-free Read in try_to_wake_up run #4: crashed: KASAN: use-after-free Read in try_to_wake_up run #5: crashed: KASAN: use-after-free Read in try_to_wake_up run #6: crashed: KASAN: use-after-free Read in try_to_wake_up run #7: crashed: KASAN: use-after-free Read in try_to_wake_up run #8: crashed: KASAN: use-after-free Read in try_to_wake_up run #9: OK representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit bf1e3b1cb1e002ed1590c91f1a24433b59322368 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 175cbf0193adf64cc1b9985f6ae5524099c6a63621ce13fc5f131f50ffa6a69d all runs: boot failed: can't ssh into the instance unable to determine the verdict: 0 good runs (wanted 5), for bad wanted 5 in total, got 0 testing without sub-chunk 3/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit bf1e3b1cb1e002ed1590c91f1a24433b59322368 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 864fd50fbee4a54adcbbbda45a2c3d82e8bb9c87e59283d302bae8be038c6c00 all runs: OK false negative chance: 0.000 testing without sub-chunk 4/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit bf1e3b1cb1e002ed1590c91f1a24433b59322368 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 6ce4374d83e91757b9fd1bd313a4ed9d96e06f45c00fa925eb7e2b18468e9123 all runs: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit bf1e3b1cb1e002ed1590c91f1a24433b59322368 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ea1f3dd7e9c1528de2fe335f9156c8f3d723914f053bb2d31feec44bf0fa8cb9 all runs: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] the chunk can be dropped minimized to 772 configs; suspects: [6LOWPAN ACPI_VIDEO AX25 CFG80211 DLM DRM DRM_NOUVEAU DRM_TTM DRM_TTM_HELPER DRM_UDL DRM_V3D DRM_VC4 DRM_VGEM DRM_VIRTIO_GPU DRM_VKMS DRM_VRAM_HELPER DUMMY DVB_AF9013 DVB_AF9033 DVB_AS102 DVB_AS102_FE DVB_B2C2_FLEXCOP DVB_B2C2_FLEXCOP_USB DVB_DIB3000MB DVB_DIB3000MC DVB_EC100 DVB_GP8PSK_FE DVB_RTL2830 DVB_RTL2832 DVB_RTL2832_SDR DVB_TEST_DRIVERS DVB_TTUSB_BUDGET DVB_TTUSB_DEC DVB_USB DVB_USB_A800 DVB_USB_AF9005 DVB_USB_AF9005_REMOTE DVB_USB_AF9015 DVB_USB_AF9035 DVB_USB_ANYSEE DVB_USB_AU6610 DVB_USB_AZ6007 DVB_USB_AZ6027 DVB_USB_CE6230 DVB_USB_CINERGY_T2 DVB_USB_CXUSB DVB_USB_DIB0700 DVB_USB_DIB3000MC DVB_USB_DIBUSB_MB DVB_USB_DIBUSB_MC DVB_USB_DIGITV DVB_USB_DTT200U DVB_USB_DTV5100 DVB_USB_DVBSKY DVB_USB_DW2102 DVB_USB_EC168 DVB_USB_GL861 DVB_USB_GP8PSK DVB_USB_LME2510 DVB_USB_M920X DVB_USB_MXL111SF DVB_USB_NOVA_T_USB2 DVB_USB_OPERA1 DVB_USB_PCTV452E DVB_USB_RTL28XXU DVB_USB_TECHNISAT_USB2 DVB_USB_TTUSB2 DVB_USB_UMT_010 DVB_USB_V2 DVB_USB_VP702X DVB_USB_VP7045 DVB_USB_ZD1301 DVB_VIDTV DVB_ZL10353 E100 ECRYPT_FS ECRYPT_FS_MESSAGING EEPROM_93CX6 EFS_FS ENCRYPTED_KEYS EQUALIZER EROFS_FS EROFS_FS_POSIX_ACL EROFS_FS_SECURITY EROFS_FS_XATTR EROFS_FS_ZIP EVM EVM_ADD_XATTRS EVM_ATTR_FSUUID EXFAT_FS EXPORTFS_BLOCK_OPS EXT3_FS_POSIX_ACL EXT3_FS_SECURITY EXT4_FS_SECURITY F2FS_CHECK_FS F2FS_FAULT_INJECTION F2FS_FS F2FS_FS_COMPRESSION F2FS_FS_LZ4 F2FS_FS_LZ4HC F2FS_FS_LZO F2FS_FS_LZORLE F2FS_FS_POSIX_ACL F2FS_FS_SECURITY F2FS_FS_XATTR F2FS_FS_ZSTD F2FS_STAT_FS FB_DEFERRED_IO FB_SYS_COPYAREA FB_SYS_FILLRECT FB_SYS_FOPS FB_SYS_IMAGEBLIT FB_TILEBLITTING FB_VIRTUAL FDDI FIB_RULES FIREWIRE FIREWIRE_NET FIREWIRE_OHCI FIREWIRE_SBP2 FRAMEBUFFER_CONSOLE_ROTATION FRONTSWAP FSCACHE FS_DAX FS_DAX_PMD FS_ENCRYPTION FS_ENCRYPTION_ALGS FS_VERITY FS_VERITY_BUILTIN_SIGNATURES FTL FW_LOADER_COMPRESS FW_LOADER_USER_HELPER_FALLBACK GACT_PROB GCC10_NO_ARRAY_BOUNDS GET_FREE_REGION GFS2_FS GFS2_FS_LOCKING_DLM GOOGLE_COREBOOT_TABLE GOOGLE_FIRMWARE GOOGLE_MEMCONSOLE GOOGLE_MEMCONSOLE_COREBOOT GOOGLE_VPD GPIO_DLN2 GPIO_VIPERBOARD GREENASIA_FF GREYBUS GREYBUS_BRIDGED_PHY GREYBUS_ES2 GREYBUS_HID GREYBUS_USB GTP GVE HAMRADIO HAVE_ARCH_USERFAULTFD_MINOR HAVE_IMA_KEXEC HDLC HDLC_CISCO HDLC_FR HDLC_PPP HDLC_RAW HDLC_RAW_ETH HDLC_X25 HDMI HFSPLUS_FS HFS_FS HIDRAW HID_ACCUTOUCH HID_ACRUX HID_ACRUX_FF HID_ALPS HID_APPLEIR HID_ASUS HID_AUREAL HID_BATTERY_STRENGTH HID_BETOP_FF HID_CMEDIA HID_CORSAIR HID_CP2112 HID_ELECOM HID_ELO HID_EMS_FF HID_GEMBIRD HID_GFRM HID_GREENASIA HID_GT683R HID_GYRATION HID_HOLTEK HID_ICADE HID_KEYTOUCH HID_KYE HID_LCPOWER HID_LED HID_LENOVO HID_LOGITECH_DJ HID_LOGITECH_HIDPP HID_MAGICMOUSE HID_MAYFLASH HID_NTI HID_NTRIG HID_ORTEK HID_PENMOUNT HID_PETALYNX HID_PICOLCD HID_PICOLCD_BACKLIGHT HID_PICOLCD_CIR HID_PICOLCD_FB HID_PICOLCD_LCD HID_PICOLCD_LEDS HID_PID HID_PLANTRONICS HID_PRIMAX HID_PRODIKEYS HID_RETRODE HID_RMI HID_ROCCAT HID_SAITEK HID_SAMSUNG HID_SENSOR_ACCEL_3D HID_SENSOR_ALS HID_SENSOR_CUSTOM_SENSOR HID_SENSOR_DEVICE_ROTATION HID_SENSOR_GYRO_3D HID_SENSOR_HUB HID_SENSOR_HUMIDITY HID_SENSOR_IIO_COMMON HID_SENSOR_IIO_TRIGGER HID_SENSOR_INCLINOMETER_3D HID_SENSOR_MAGNETOMETER_3D HID_SENSOR_PRESS HID_SENSOR_PROX HID_SENSOR_TEMP HID_SPEEDLINK HID_STEELSERIES HID_SUNPLUS HID_THINGM HID_TIVO HID_TOPSEED HID_TWINHAN HID_UCLOGIC HID_UDRAW_PS3 HID_WACOM HID_WALTOP HID_WIIMOTE HID_XINMO HID_ZYDACRON HMM_MIRROR HOLTEK_FF HOTPLUG_PCI_PCIE HPFS_FS HSR I2C_DIOLAN_U2C I2C_DLN2 I2C_MUX_REG I2C_ROBOTFUZZ_OSIF I2C_SI4713 I2C_SLAVE_EEPROM I2C_TINY_USB I2C_VIPERBOARD IEEE802154 IEEE802154_6LOWPAN IEEE802154_ATUSB IEEE802154_DRIVERS IEEE802154_HWSIM IEEE802154_NL802154_EXPERIMENTAL IEEE802154_SOCKET IFB IMA IMA_APPRAISE IMA_APPRAISE_MODSIG IMA_DEFAULT_HASH_SHA256 IMA_LSM_RULES IMA_MEASURE_ASYMMETRIC_KEYS IMA_NG_TEMPLATE IMA_QUEUE_EARLY_BOOT_KEYS IMA_READ_POLICY IMA_WRITE_POLICY INET6_AH INET6_ESP INET6_ESPINTCP INET6_ESP_OFFLOAD INET6_IPCOMP INET6_TUNNEL INET6_XFRM_TUNNEL INET_AH INET_DCCP_DIAG INET_DIAG_DESTROY INET_ESP INET_ESPINTCP INET_ESP_OFFLOAD INET_IPCOMP INET_MPTCP_DIAG INET_RAW_DIAG INET_SCTP_DIAG INET_UDP_DIAG INET_XFRM_TUNNEL INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_ADDR_TRANS_CONFIGFS INFINIBAND_IPOIB INFINIBAND_IPOIB_CM INFINIBAND_IPOIB_DEBUG INFINIBAND_ISER INFINIBAND_ON_DEMAND_PAGING INFINIBAND_RTRS INFINIBAND_SRP INFINIBAND_USER_ACCESS INFINIBAND_USER_MAD INFINIBAND_USER_MEM INPUT_ATI_REMOTE2 INPUT_CM109 INPUT_IMS_PCU INPUT_JOYDEV INPUT_JOYSTICK INPUT_KEYSPAN_REMOTE INPUT_LEDS INPUT_MOUSE INPUT_MOUSEDEV INPUT_MOUSEDEV_PSAUX INPUT_POWERMATE INPUT_UINPUT INPUT_YEALINK INTEGRITY INTEGRITY_ASYMMETRIC_KEYS INTEGRITY_AUDIT INTEGRITY_SIGNATURE INTEGRITY_TRUSTED_KEYRING IP6_NF_MATCH_AH IP6_NF_MATCH_EUI64 IP6_NF_MATCH_FRAG IP6_NF_MATCH_HL IP6_NF_MATCH_IPV6HEADER IP6_NF_MATCH_MH IP6_NF_MATCH_OPTS IP6_NF_MATCH_RPFILTER IP6_NF_MATCH_RT IP6_NF_MATCH_SRH IP6_NF_RAW IP6_NF_SECURITY IP6_NF_TARGET_HL IP6_NF_TARGET_NPT IP6_NF_TARGET_SYNPROXY IPV6_FOU IPV6_FOU_TUNNEL IPV6_GRE IPV6_ILA IPV6_MIP6 IPV6_MROUTE IPV6_MROUTE_MULTIPLE_TABLES IPV6_MULTIPLE_TABLES IPV6_OPTIMISTIC_DAD IPV6_PIMSM_V2 IPV6_ROUTER_PREF IPV6_ROUTE_INFO IPV6_RPL_LWTUNNEL IPV6_SEG6_BPF IPV6_SEG6_HMAC IPV6_SEG6_LWTUNNEL IPV6_SIT_6RD IPV6_SUBTREES IPV6_TUNNEL IPV6_VTI IPVLAN IPVLAN_L3S IPVTAP IP_ADVANCED_ROUTER IP_DCCP IP_DCCP_CCID3 IP_DCCP_TFRC_LIB IP_FIB_TRIE_STATS IP_MROUTE IP_MROUTE_COMMON IP_MROUTE_MULTIPLE_TABLES IP_MULTIPLE_TABLES IP_NF_ARPFILTER IP_NF_ARPTABLES IP_NF_ARP_MANGLE IP_NF_MATCH_AH IP_NF_MATCH_ECN IP_NF_MATCH_RPFILTER IP_NF_MATCH_TTL IP_NF_RAW IP_NF_SECURITY IP_NF_TARGET_CLUSTERIP IP_NF_TARGET_ECN IP_NF_TARGET_NETMAP IP_NF_TARGET_REDIRECT IP_NF_TARGET_SYNPROXY IP_NF_TARGET_TTL IP_PIMSM_V1 IP_PIMSM_V2 IP_PNP_RARP IP_ROUTE_CLASSID IP_ROUTE_MULTIPATH IP_ROUTE_VERBOSE IP_SCTP IP_SET IP_SET_BITMAP_IP IP_SET_BITMAP_IPMAC IP_SET_BITMAP_PORT IP_SET_HASH_IP IP_SET_HASH_IPMAC IP_SET_HASH_IPMARK IP_SET_HASH_IPPORT IP_SET_HASH_IPPORTIP IP_SET_HASH_IPPORTNET IP_SET_HASH_MAC IP_SET_HASH_NET IP_SET_HASH_NETIFACE IP_SET_HASH_NETNET IP_SET_HASH_NETPORT IP_SET_HASH_NETPORTNET IP_SET_LIST_SET IP_VS_DH IP_VS_FO IP_VS_FTP IP_VS_IPV6 IP_VS_LBLC IP_VS_LBLCR IP_VS_LC IP_VS_MH IP_VS_NFCT IP_VS_NQ IP_VS_OVF IP_VS_PE_SIP IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_PROTO_TCP IP_VS_PROTO_UDP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS IP_VS_WLC IP_VS_WRR IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TTUSBIR ISDN ISDN_CAPI_MIDDLEWARE ISO9660_FS JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOLIET JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS KEY_NOTIFICATIONS L2TP L2TP_ETH L2TP_IP L2TP_V3 LAPB LAPBETHER LCD_CLASS_DEVICE LDM_PARTITION LEDS_TRIGGER_AUDIO LLC2 LOGIG940_FF LOGIRUMBLEPAD2_FF LOGITECH_FF LOGIWHEELS_FF LOGO_LINUX_MONO LOGO_LINUX_VGA16 LPC_ICH LWTUNNEL LWTUNNEL_BPF LZ4HC_COMPRESS LZ4_COMPRESS MAC80211 MAC80211_DEBUGFS MAC80211_HAS_RC MAC80211_HWSIM MAC80211_MESH MAC80211_RC_DEFAULT_MINSTREL MAC80211_RC_MINSTREL MAC802154 MACSEC MAC_PARTITION MD_LINEAR MD_MULTIPATH MD_RAID0 MD_RAID1 MD_RAID10 MD_RAID456 MEDIA_CONTROLLER_DVB MEDIA_RADIO_SUPPORT MEDIA_TEST_SUPPORT MEDIA_TUNER_MSI001 MEMORY_HOTPLUG_DEFAULT_ONLINE MEMSTICK MEMSTICK_REALTEK_USB MFD_DLN2 MFD_VIPERBOARD MHI_WWAN_CTRL MINIX_FS MINIX_SUBPARTITION MISC_RTSX MISC_RTSX_USB MISDN MISDN_DSP MISDN_HFCUSB MISDN_L1OIP MKISS MLX4_INFINIBAND MMC_REALTEK_USB MMC_USHC MMC_VUB300 MODULE_FORCE_UNLOAD MODULE_SRCVERSION_ALL MODVERSIONS MOST MOUSE_APPLETOUCH MOUSE_BCM5974 MOUSE_PS2 MOUSE_PS2_ALPS MOUSE_PS2_BYD MOUSE_PS2_CYPRESS MOUSE_PS2_FOCALTECH MOUSE_PS2_LOGIPS2PP MOUSE_PS2_SMBUS MOUSE_PS2_SYNAPTICS MOUSE_PS2_SYNAPTICS_SMBUS MOUSE_PS2_TRACKPOINT MOUSE_SYNAPTICS_USB MPLS MPLS_IPTUNNEL MPLS_ROUTING MPTCP MPTCP_IPV6 MSDOS_FS MTD_BLOCK2MTD MTD_MTDRAM MTD_PHRAM MTD_SLRAM MUSB_PIO_ONLY NETCONSOLE NETDEVSIM NETFILTER_FAMILY_ARP NETFILTER_NETLINK NETFILTER_NETLINK_ACCT NETFILTER_NETLINK_GLUE_CT NETFILTER_NETLINK_LOG NETFILTER_NETLINK_OSF NETFILTER_NETLINK_QUEUE NETFILTER_SYNPROXY NETFILTER_XT_CONNMARK NETFILTER_XT_MATCH_BPF NETFILTER_XT_MATCH_CGROUP NETFILTER_XT_MATCH_CLUSTER NETFILTER_XT_MATCH_COMMENT NETFILTER_XT_MATCH_CONNBYTES NETFILTER_XT_MATCH_CONNLABEL NETFILTER_XT_MATCH_CONNLIMIT NETFILTER_XT_MATCH_CONNMARK NETFILTER_XT_MATCH_CPU NETFILTER_XT_MATCH_DCCP NETFILTER_XT_MATCH_DEVGROUP NETFILTER_XT_MATCH_DSCP NETFILTER_XT_MATCH_ECN NETFILTER_XT_MATCH_ESP NETFILTER_XT_MATCH_HASHLIMIT NETFILTER_XT_MATCH_HELPER NETFILTER_XT_MATCH_HL NETFILTER_XT_MATCH_IPCOMP NETFILTER_XT_MATCH_IPRANGE NETFILTER_XT_MATCH_L2TP NETFILTER_XT_MATCH_LENGTH NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_MAC NETFILTER_XT_MATCH_MARK NETFILTER_XT_MATCH_MULTIPORT NETFILTER_XT_MATCH_NFACCT NETFILTER_XT_MATCH_OSF NETFILTER_XT_MATCH_OWNER NETFILTER_XT_MATCH_PHYSDEV NETFILTER_XT_MATCH_PKTTYPE NETFILTER_XT_MATCH_POLICY NETFILTER_XT_MATCH_QUOTA NETFILTER_XT_MATCH_RATEEST NETFILTER_XT_MATCH_REALM NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_SCTP NETFILTER_XT_MATCH_SOCKET NETFILTER_XT_MATCH_STATE NETFILTER_XT_MATCH_STATISTIC NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_TCPMSS NETFILTER_XT_MATCH_TIME NETFILTER_XT_MATCH_U32 NETFILTER_XT_SET NETFILTER_XT_TARGET_AUDIT NETFILTER_XT_TARGET_CLASSIFY NETFILTER_XT_TARGET_CONNMARK NETFILTER_XT_TARGET_CONNSECMARK NETFILTER_XT_TARGET_CT NETFILTER_XT_TARGET_DSCP NETFILTER_XT_TARGET_HL NETFILTER_XT_TARGET_HMARK NETFILTER_XT_TARGET_IDLETIMER NETFILTER_XT_TARGET_LED NETFILTER_XT_TARGET_MARK NETFILTER_XT_TARGET_NETMAP NETFILTER_XT_TARGET_NFLOG NETFILTER_XT_TARGET_NFQUEUE NETFILTER_XT_TARGET_NOTRACK NETFILTER_XT_TARGET_RATEEST NETFILTER_XT_TARGET_REDIRECT NETFILTER_XT_TARGET_SECMARK NETFILTER_XT_TARGET_TCPMSS NETFILTER_XT_TARGET_TCPOPTSTRIP NETFILTER_XT_TARGET_TEE NETFILTER_XT_TARGET_TPROXY NETFILTER_XT_TARGET_TRACE NETLABEL NETLINK_DIAG NETPOLL NETROM NETWORK_SECMARK NET_9P_RDMA NET_ACT_BPF NET_ACT_CONNMARK NET_ACT_CSUM NET_ACT_CT NET_ACT_CTINFO NET_ACT_IFE NET_ACT_IPT NET_ACT_MPLS NET_ACT_NAT NET_ACT_PEDIT NET_ACT_POLICE NET_ACT_SAMPLE NET_ACT_SIMP NET_ACT_SKBEDIT NET_ACT_SKBMOD NET_ACT_TUNNEL_KEY NET_ACT_VLAN NET_CLS_BPF NET_CLS_CGROUP NET_CLS_FLOW NET_CLS_FW NET_CLS_MATCHALL NET_CLS_ROUTE4 NET_DSA_TAG_MTK NET_DSA_TAG_QCA NET_DSA_TAG_RTL4_A NET_EMATCH NET_EMATCH_CANID NET_EMATCH_CMP NET_EMATCH_IPSET NET_EMATCH_IPT NET_EMATCH_META NET_EMATCH_NBYTE NET_EMATCH_TEXT NET_EMATCH_U32 NET_FC NET_FOU NET_FOU_IP_TUNNELS NET_IFE NET_IFE_SKBMARK NET_IFE_SKBPRIO NET_IFE_SKBTCINDEX NET_IPGRE NET_IPGRE_BROADCAST NET_IPGRE_DEMUX NET_IPIP NET_IPVTI NET_KEY NET_KEY_MIGRATE NET_L3_MASTER_DEV NET_MPLS_GSO NET_NCSI NET_NSH NET_POLL_CONTROLLER NET_REDIRECT NET_SCH_CAKE NET_SCH_CHOKE NET_SCH_CODEL NET_SCH_DRR NET_SCH_ETS NET_SCH_FQ NET_SCH_FQ_CODEL NET_SCH_FQ_PIE NET_SCH_GRED NET_SCH_HFSC NET_SCH_HHF NET_SCH_HTB NET_SCH_MULTIQ NET_SCH_NETEM NET_SCH_PIE NET_SCH_PLUG NET_SCH_PRIO NET_SCH_QFQ NET_SCH_RED NET_SCH_SFB NET_SCH_SFQ NET_SCH_SKBPRIO NET_SCH_TBF NET_SCH_TEQL NET_TC_SKB_EXT NET_TEAM NET_TEAM_MODE_ACTIVEBACKUP NET_TEAM_MODE_BROADCAST NET_TEAM_MODE_LOADBALANCE NET_TEAM_MODE_RANDOM NET_TEAM_MODE_ROUNDROBIN NET_UDP_TUNNEL NET_VRF NFC_DIGITAL NFC_FDP NFC_HCI NFC_MRVL NFC_MRVL_USB NFC_NCI_UART NFC_PN533 NFC_PN533_USB NFC_PORT100 NFC_SHDLC NFC_SIM NFC_VIRTUAL_NCI NFSD NFSD_BLOCKLAYOUT NFSD_FLEXFILELAYOUT NFSD_PNFS NFSD_SCSILAYOUT NFSD_V3_ACL NFSD_V4 NFSD_V4_2_INTER_SSC NFSD_V4_SECURITY_LABEL NFS_ACL_SUPPORT NFS_FSCACHE NFS_V3_ACL NFS_V4_2_READ_PLUS NFT_BRIDGE_META NFT_BRIDGE_REJECT NFT_COMPAT NFT_CONNLIMIT NFT_CT NFT_DUP_IPV4 NFT_DUP_IPV6 NFT_DUP_NETDEV NFT_FIB NFT_FIB_INET NFT_FIB_IPV4 NFT_FIB_IPV6 NFT_FIB_NETDEV NFT_FLOW_OFFLOAD NFT_FWD_NETDEV NFT_HASH NFT_LIMIT NFT_LOG NFT_MASQ NFT_NAT NFT_NUMGEN NFT_OSF NFT_QUEUE NFT_QUOTA NFT_REDIR NFT_REJECT NFT_REJECT_INET NFT_REJECT_IPV4 NFT_REJECT_IPV6 NFT_REJECT_NETDEV NFT_SOCKET NFT_SYNPROXY NFT_TPROXY NFT_TUNNEL NFT_XFRM NF_CONNTRACK_AMANDA NF_CONNTRACK_BRIDGE NF_CONNTRACK_BROADCAST NF_CONNTRACK_FTP NF_CONNTRACK_H323 NF_CONNTRACK_IRC NF_CONNTRACK_LABELS NF_CONNTRACK_MARK NF_CONNTRACK_NETBIOS_NS NF_CONNTRACK_PPTP NF_CONNTRACK_SANE NF_CONNTRACK_SECMARK NF_CONNTRACK_SIP NF_CONNTRACK_SNMP NF_CONNTRACK_TFTP NF_CONNTRACK_TIMEOUT NF_CONNTRACK_TIMESTAMP NF_CONNTRACK_ZONES NF_CT_NETLINK NF_CT_NETLINK_HELPER NF_CT_NETLINK_TIMEOUT NF_CT_PROTO_GRE NF_DUP_IPV4 NF_DUP_IPV6 NF_DUP_NETDEV NF_FLOW_TABLE NF_FLOW_TABLE_INET NF_LOG_ARP NF_NAT_AMANDA NF_NAT_FTP NF_NAT_H323 NF_NAT_IRC NF_NAT_PPTP NF_NAT_REDIRECT NF_NAT_SIP NF_NAT_SNMP_BASIC NF_NAT_TFTP NF_SOCKET_IPV4 NF_SOCKET_IPV6 NF_TABLES NF_TABLES_ARP NF_TABLES_BRIDGE NF_TABLES_INET NF_TABLES_IPV4 NF_TABLES_IPV6 NF_TABLES_NETDEV NF_TPROXY_IPV4 NF_TPROXY_IPV6 NILFS2_FS NLMON NLS_ASCII NLS_CODEPAGE_1250 NLS_CODEPAGE_1251 NLS_CODEPAGE_737 NLS_CODEPAGE_775 NLS_CODEPAGE_850 NLS_CODEPAGE_852 NLS_CODEPAGE_855 NLS_CODEPAGE_857 NLS_CODEPAGE_860 NLS_CODEPAGE_861 NLS_CODEPAGE_862 NLS_CODEPAGE_863 NLS_CODEPAGE_864 NLS_CODEPAGE_865 NLS_CODEPAGE_866 NLS_CODEPAGE_869 NLS_CODEPAGE_874 NLS_CODEPAGE_932 NLS_CODEPAGE_936 NLS_CODEPAGE_949 NLS_CODEPAGE_950 NLS_ISO8859_13 NLS_ISO8859_14 NLS_ISO8859_15 NLS_ISO8859_2 NLS_ISO8859_3 NLS_ISO8859_4 NLS_ISO8859_5 NLS_ISO8859_6 NLS_ISO8859_7 NLS_ISO8859_8 NLS_ISO8859_9 NLS_KOI8_R NLS_KOI8_U NLS_MAC_CELTIC NLS_MAC_CENTEURO NLS_MAC_CROATIAN NLS_MAC_CYRILLIC NLS_MAC_GAELIC NLS_MAC_GREEK NLS_MAC_ICELAND NLS_MAC_INUIT NLS_MAC_ROMAN NLS_MAC_ROMANIAN NLS_MAC_TURKISH NLS_UTF8 NOUVEAU_LEGACY_CTX_SUPPORT NOUVEAU_PLATFORM_DRIVER NOZOMI NO_HZ NTFS3_FS NTFS3_FS_POSIX_ACL NTFS3_LZX_XPRESS NTFS_FS NTFS_RW NULL_TTY NVME_FABRICS NVME_FC NVME_MULTIPATH NVME_RDMA NVME_TARGET NVME_TARGET_FC NVME_TARGET_FCLOOP NVME_TARGET_LOOP NVME_TARGET_RDMA NVME_TARGET_TCP NVME_TCP N_GSM N_HDLC OCFS2_DEBUG_FS OCFS2_FS OCFS2_FS_O2CB OCFS2_FS_STATS OCFS2_FS_USERSPACE_CLUSTER PARTITION_ADVANCED PSAMPLE RADIO_ADAPTERS RADIO_SI4713 RFKILL SERIAL_NONSTANDARD SND SND_SOC SOUND WAN WATCH_QUEUE WIRELESS WLAN WWAN X25 XFRM ZONE_DEVICE] disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing current HEAD 9b3f9a5b12dc96965b2fcc9d7d8342f1b63e29c4 testing commit 9b3f9a5b12dc96965b2fcc9d7d8342f1b63e29c4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2231d8e89db3421f3b7aed89f87970c8de99aea8f163760ff8fa92ef00267482 all runs: OK false negative chance: 0.000 # git bisect start 9b3f9a5b12dc96965b2fcc9d7d8342f1b63e29c4 bf1e3b1cb1e002ed1590c91f1a24433b59322368 Bisecting: 965 revisions left to test after this (roughly 10 steps) [f3ffa269a46c76aee52400eb706a53a93199e958] selftests: net: bridge: increase IGMP/MLD exclude timeout membership interval determine whether the revision contains the guilty commit revision bf1e3b1cb1e002ed1590c91f1a24433b59322368 crashed and is reachable testing commit f3ffa269a46c76aee52400eb706a53a93199e958 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 68f4c528df433eb51c969774a785d17dd8b9e06f30ed1253dbb3005c5ed08d05 all runs: OK false negative chance: 0.000 # git bisect bad f3ffa269a46c76aee52400eb706a53a93199e958 Bisecting: 482 revisions left to test after this (roughly 9 steps) [d03a82f4f8144befdc10518e732e2a60b34c870e] tipc: fix a possible memleak in tipc_buf_append determine whether the revision contains the guilty commit revision bf1e3b1cb1e002ed1590c91f1a24433b59322368 crashed and is reachable testing commit d03a82f4f8144befdc10518e732e2a60b34c870e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 48a7552134e64287f985dc9dd6c1327a1b06007ebcde151738a485e96d543e5f all runs: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] # git bisect good d03a82f4f8144befdc10518e732e2a60b34c870e Bisecting: 241 revisions left to test after this (roughly 8 steps) [f5273fe5f64071fc9c895123372ee205152b0588] wifi: mac80211: ensure beacon is non-S1G prior to extracting the beacon timestamp field determine whether the revision contains the guilty commit revision d03a82f4f8144befdc10518e732e2a60b34c870e crashed and is reachable testing commit f5273fe5f64071fc9c895123372ee205152b0588 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7deed990ab3373f64263866160c6b8018c08e3a59e1cbc42525e3fe8fd8f99bd all runs: OK false negative chance: 0.000 # git bisect bad f5273fe5f64071fc9c895123372ee205152b0588 Bisecting: 120 revisions left to test after this (roughly 7 steps) [d9efd3c899ec924f9f8bc6eead68c76c8025c058] usb: dwc3: core: Prevent phy suspend during init determine whether the revision contains the guilty commit revision bf1e3b1cb1e002ed1590c91f1a24433b59322368 crashed and is reachable testing commit d9efd3c899ec924f9f8bc6eead68c76c8025c058 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1282ae62dc13bdb3738c7fb6bd9b4b6b339d15ef7bb55f342516f0633a23e2ac run #0: crashed: KASAN: use-after-free Read in try_to_wake_up run #1: crashed: KASAN: use-after-free Read in try_to_wake_up run #2: crashed: KASAN: use-after-free Read in try_to_wake_up run #3: crashed: KASAN: use-after-free Read in try_to_wake_up run #4: crashed: KASAN: use-after-free Read in try_to_wake_up run #5: crashed: KASAN: use-after-free Read in try_to_wake_up run #6: crashed: KASAN: use-after-free Read in try_to_wake_up run #7: crashed: KASAN: use-after-free Read in try_to_wake_up run #8: crashed: KASAN: use-after-free Read in try_to_wake_up run #9: OK representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] # git bisect good d9efd3c899ec924f9f8bc6eead68c76c8025c058 Bisecting: 60 revisions left to test after this (roughly 6 steps) [38be53c3fd7f4f4bd5de319a323d72f9f6beb16d] iomap: buffered write failure should not truncate the page cache determine whether the revision contains the guilty commit revision d03a82f4f8144befdc10518e732e2a60b34c870e crashed and is reachable testing commit 38be53c3fd7f4f4bd5de319a323d72f9f6beb16d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 51b5cfe9008da5629b934b805cf4fc5f6306e88a11d4486a6cc9275514a5dd2e run #0: crashed: lost connection to test machine run #1: crashed: KASAN: use-after-free Read in try_to_wake_up run #2: crashed: KASAN: use-after-free Read in try_to_wake_up run #3: crashed: KASAN: use-after-free Read in try_to_wake_up run #4: crashed: KASAN: use-after-free Read in try_to_wake_up run #5: crashed: KASAN: use-after-free Read in try_to_wake_up run #6: crashed: KASAN: use-after-free Read in try_to_wake_up run #7: crashed: KASAN: use-after-free Read in try_to_wake_up run #8: crashed: KASAN: use-after-free Read in try_to_wake_up run #9: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] # git bisect good 38be53c3fd7f4f4bd5de319a323d72f9f6beb16d Bisecting: 30 revisions left to test after this (roughly 5 steps) [cd82e9620e23244c40037a724318f75aa9e23aae] admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET determine whether the revision contains the guilty commit revision d03a82f4f8144befdc10518e732e2a60b34c870e crashed and is reachable testing commit cd82e9620e23244c40037a724318f75aa9e23aae gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 9277b0cf751fb571f86961c3a9b8b313d4bb71576005123f7d3a80f455953db8 all runs: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] # git bisect good cd82e9620e23244c40037a724318f75aa9e23aae Bisecting: 15 revisions left to test after this (roughly 4 steps) [b7a0a5cf9e5837323fe8dc00299273885ea00f4a] tools/latency-collector: Fix -Wformat-security compile warns determine whether the revision contains the guilty commit revision d03a82f4f8144befdc10518e732e2a60b34c870e crashed and is reachable testing commit b7a0a5cf9e5837323fe8dc00299273885ea00f4a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 051c6ba486fbb06a00230a98764e0bac794b20784cf835a77bfac30919fbd3db all runs: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] # git bisect good b7a0a5cf9e5837323fe8dc00299273885ea00f4a Bisecting: 7 revisions left to test after this (roughly 3 steps) [8f54c5f3c6f15e223a6a93de79ba81654916bc39] fs/ntfs3: Break dir enumeration if directory contents error determine whether the revision contains the guilty commit revision bf1e3b1cb1e002ed1590c91f1a24433b59322368 crashed and is reachable testing commit 8f54c5f3c6f15e223a6a93de79ba81654916bc39 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 08914a82883df0b69d8c8e893dfa7f9e52b1359d0df57a43806dae5de7ff6f48 all runs: OK false negative chance: 0.000 # git bisect bad 8f54c5f3c6f15e223a6a93de79ba81654916bc39 Bisecting: 3 revisions left to test after this (roughly 2 steps) [1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0] nilfs2: fix potential hang in nilfs_detach_log_writer() determine whether the revision contains the guilty commit revision d03a82f4f8144befdc10518e732e2a60b34c870e crashed and is reachable testing commit 1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d34db563f8a0260038ecff8ab1d3c2227f3659b8779488fcd1e94495cb73737b all runs: OK false negative chance: 0.000 # git bisect bad 1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0 Bisecting: 1 revision left to test after this (roughly 1 step) [35471c0ff1e9b95429438907d9468bd518b18c54] net: smc91x: Fix m68k kernel compilation for ColdFire CPU determine whether the revision contains the guilty commit revision d03a82f4f8144befdc10518e732e2a60b34c870e crashed and is reachable testing commit 35471c0ff1e9b95429438907d9468bd518b18c54 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b0f4a4dff6d36088a01aed7650014fdc6dbb364a33c7a0aab8e5c73f0af34930 all runs: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] # git bisect good 35471c0ff1e9b95429438907d9468bd518b18c54 Bisecting: 0 revisions left to test after this (roughly 0 steps) [61196139d74d8b59b16a9d6d18b862a521713928] nilfs2: fix unexpected freezing of nilfs_segctor_sync() determine whether the revision contains the guilty commit revision d03a82f4f8144befdc10518e732e2a60b34c870e crashed and is reachable testing commit 61196139d74d8b59b16a9d6d18b862a521713928 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0894c7587890301e31f0818ce87ea45db0886ffeeacf112b393cf3837e1ed617 all runs: crashed: KASAN: use-after-free Read in try_to_wake_up representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN] # git bisect good 61196139d74d8b59b16a9d6d18b862a521713928 1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0 is the first bad commit commit 1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0 Author: Ryusuke Konishi Date: Mon May 20 22:26:21 2024 +0900 nilfs2: fix potential hang in nilfs_detach_log_writer() commit eb85dace897c5986bc2f36b3c783c6abb8a4292e upstream. Syzbot has reported a potential hang in nilfs_detach_log_writer() called during nilfs2 unmount. Analysis revealed that this is because nilfs_segctor_sync(), which synchronizes with the log writer thread, can be called after nilfs_segctor_destroy() terminates that thread, as shown in the call trace below: nilfs_detach_log_writer nilfs_segctor_destroy nilfs_segctor_kill_thread --> Shut down log writer thread flush_work nilfs_iput_work_func nilfs_dispose_list iput nilfs_evict_inode nilfs_transaction_commit nilfs_construct_segment (if inode needs sync) nilfs_segctor_sync --> Attempt to synchronize with log writer thread *** DEADLOCK *** Fix this issue by changing nilfs_segctor_sync() so that the log writer thread returns normally without synchronizing after it terminates, and by forcing tasks that are already waiting to complete once after the thread terminates. The skipped inode metadata flushout will then be processed together in the subsequent cleanup work in nilfs_segctor_destroy(). Link: https://lkml.kernel.org/r/20240520132621.4054-4-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+e3973c409251e136fdd0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=e3973c409251e136fdd0 Tested-by: Ryusuke Konishi Cc: Cc: "Bai, Shuangpeng" Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman fs/nilfs2/segment.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) accumulated error probability: 0.00 culprit signature: d34db563f8a0260038ecff8ab1d3c2227f3659b8779488fcd1e94495cb73737b parent signature: 0894c7587890301e31f0818ce87ea45db0886ffeeacf112b393cf3837e1ed617 revisions tested: 19, total time: 5h54m16.383823815s (build: 2h19m30.335906938s, test: 3h26m33.188059384s) first good commit: 1c3844c5f4eac043954ebf6403fa9fd1f0e9c1c0 nilfs2: fix potential hang in nilfs_detach_log_writer() recipients (to): ["akpm@linux-foundation.org" "gregkh@linuxfoundation.org" "konishi.ryusuke@gmail.com"] recipients (cc): []