ci starts bisection 2025-06-26 12:18:23.12740154 +0000 UTC m=+161410.639521541 bisecting cause commit starting from a9b24b3583ae1da7dbda031f141264f2da260219 building syzkaller on 26d77996cd6057592f0d7212c9017e8b62be66e8 ensuring issue is reproducible on original commit a9b24b3583ae1da7dbda031f141264f2da260219 testing commit a9b24b3583ae1da7dbda031f141264f2da260219 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: b7d858c787682c89876691f5f02d4cd46508fe22bbff2654be85380bbe7ec1ca all runs: crashed: KASAN: slab-out-of-bounds Read in pause_parse_request representative crash: KASAN: slab-out-of-bounds Read in pause_parse_request, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit a9b24b3583ae1da7dbda031f141264f2da260219 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 0c2b9b7bc02e3d55750a6f3e28b26a9a189bcfdeb33f3f0fc78200ca7c1aa31b all runs: crashed: KASAN: slab-out-of-bounds Read in pause_parse_request representative crash: KASAN: slab-out-of-bounds Read in pause_parse_request, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed kconfig minimization: base=4095 full=8364 leaves diff=2126 split chunks (needed=false): <2126> split chunk #0 of len 2126 into 5 parts testing without sub-chunk 1/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit a9b24b3583ae1da7dbda031f141264f2da260219 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 4109499b46051195d26ae3da167b99abb9bb3ff86fe226d4a0486dce9e5ec834 all runs: crashed: KASAN: slab-out-of-bounds Read in 
pause_parse_request representative crash: KASAN: slab-out-of-bounds Read in pause_parse_request, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit a9b24b3583ae1da7dbda031f141264f2da260219 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: ccb57563ea39eefe3b9464b60e6e7492261260f5041b0d1ff24994c18b183026 all runs: crashed: KASAN: slab-out-of-bounds Read in pause_parse_request representative crash: KASAN: slab-out-of-bounds Read in pause_parse_request, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit a9b24b3583ae1da7dbda031f141264f2da260219 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: ed13e7242e683cbb7b4c1d319a78d19f36da45976a38b115dd1bd8a685418e11 all runs: OK false negative chance: 0.000 testing without sub-chunk 4/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit a9b24b3583ae1da7dbda031f141264f2da260219 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 7efdc8c5dacf810be4b24a9136eacc127c9a02165c28ec21db49cd33fb296b52 all runs: crashed: KASAN: slab-out-of-bounds Read in pause_parse_request representative crash: KASAN: slab-out-of-bounds Read in pause_parse_request, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit a9b24b3583ae1da7dbda031f141264f2da260219 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 
4d98ad0ea9ebe5fec40ecd94abd1cf7c25a4866044f229b560b698f8bcb893e8 all runs: crashed: KASAN: slab-out-of-bounds Read in pause_parse_request representative crash: KASAN: slab-out-of-bounds Read in pause_parse_request, types: [KASAN] the chunk can be dropped minimized to 426 configs; suspects: [AX25 BRIDGE BRIDGE_NETFILTER CAN CFG80211 CHECKPOINT_RESTORE DVB_CORE FB_CORE HAMRADIO HID_LOGITECH HSR INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_USER_ACCESS INPUT_JOYSTICK INPUT_MOUSE IP6_NF_RAW IPV6_MULTIPLE_TABLES IP_NF_RAW IP_SET IP_VS IP_VS_DH IP_VS_FO IP_VS_FTP IP_VS_IPV6 IP_VS_LBLC IP_VS_LBLCR IP_VS_LC IP_VS_MH IP_VS_NFCT IP_VS_NQ IP_VS_OVF IP_VS_PE_SIP IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_PROTO_TCP IP_VS_PROTO_UDP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS IP_VS_WLC IP_VS_WRR IRQ_BYPASS_MANAGER IRQ_POLL IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_IMON_RAW IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TOY IR_TTUSBIR ISDN ISDN_CAPI JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_PXRC JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS KEY_NOTIFICATIONS KSM KVM KVM_AMD KVM_ASYNC_PF KVM_COMMON KVM_COMPAT KVM_ELIDE_TLB_FLUSH_IF_YOUNG KVM_GENERIC_DIRTYLOG_READ_PROTECT KVM_GENERIC_HARDWARE_ENABLING KVM_GENERIC_MEMORY_ATTRIBUTES KVM_GENERIC_MMU_NOTIFIER KVM_GENERIC_PRE_FAULT_MEMORY KVM_GENERIC_PRIVATE_MEM KVM_HYPERV KVM_MMIO KVM_MMU_LOCKLESS_AGING KVM_PRIVATE_MEM KVM_PROVE_MMU KVM_SW_PROTECTED_VM KVM_VFIO KVM_X86 KVM_XEN KVM_XFER_TO_GUEST_WORK L2TP L2TP_ETH L2TP_IP L2TP_V3 LAPB LAPBETHER LDM_PARTITION LEDS_CLASS_MULTICOLOR LEGACY_PTYS LIBNVDIMM LINEAR_RANGES LLC LLC2 LOGIG940_FF LOGIRUMBLEPAD2_FF LOGITECH_FF LOGIWHEELS_FF LOGO 
LOGO_LINUX_MONO LOGO_LINUX_VGA16 LPC_ICH LWTUNNEL LWTUNNEL_BPF LZ4HC_COMPRESS LZ4_COMPRESS MAC80211 MAC80211_HAS_RC MAC80211_HWSIM MAC80211_MESH MAC80211_RC_DEFAULT_MINSTREL MAC80211_RC_MINSTREL MACSEC MACVLAN MACVTAP MAC_PARTITION MAPPING_DIRTY_HELPERS MCTP MDIO_MVUSB MD_RAID0 MD_RAID1 MD_RAID10 MD_RAID456 MEDIA_ANALOG_TV_SUPPORT MEDIA_ATTACH MEDIA_CONTROLLER MEDIA_CONTROLLER_DVB MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_SUPPORT_FILTER MEDIA_TUNER MEDIA_TUNER_MSI001 MEMORY_BALLOON MEMORY_HOTPLUG MEMORY_ISOLATION MEMREGION MEMSTICK MEMSTICK_REALTEK_USB MEM_SOFT_DIRTY MFD_CORE MFD_SYSCON MHI_BUS MHI_WWAN_CTRL MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO MHP_MEMMAP_ON_MEMORY MICROCHIP_PHY MINIX_FS MINIX_SUBPARTITION MIN_HEAP MISC_RTSX MISC_RTSX_USB MISDN MISDN_DSP MISDN_HFCUSB MISDN_L1OIP MKISS MLX4_CORE MLX4_INFINIBAND MMC MMC_REALTEK_USB MMC_USHC MMC_VUB300 MM_ID MODULE_SRCVERSION_ALL MOST MOST_USB_HDM MOUSE_APPLETOUCH MOUSE_BCM5974 MOUSE_PS2 MOUSE_PS2_ALPS MOUSE_PS2_BYD MOUSE_PS2_CYPRESS MOUSE_PS2_FOCALTECH MOUSE_PS2_LIFEBOOK MOUSE_PS2_LOGIPS2PP MOUSE_PS2_SMBUS MOUSE_PS2_SYNAPTICS MOUSE_PS2_SYNAPTICS_SMBUS MOUSE_PS2_TRACKPOINT MOUSE_SYNAPTICS_USB MPLS MPLS_IPTUNNEL MPLS_ROUTING MPTCP MPTCP_IPV6 MRP MTD MTD_BLKDEVS MTD_BLOCK MTD_BLOCK2MTD MTD_CFI_I1 MTD_CFI_I2 MTD_MAP_BANK_WIDTH_1 MTD_MAP_BANK_WIDTH_2 MTD_MAP_BANK_WIDTH_4 MTD_MTDRAM MTD_PHRAM MTD_SLRAM MUSB_PIO_ONLY ND_BTT ND_CLAIM ND_PFN NETDEVSIM NETFILTER_ADVANCED NETFILTER_BPF_LINK NETFILTER_FAMILY_ARP NETFILTER_FAMILY_BRIDGE NETFILTER_NETLINK_ACCT NETFILTER_NETLINK_GLUE_CT NETFILTER_NETLINK_OSF NETFILTER_NETLINK_QUEUE NETFILTER_SYNPROXY NETFILTER_XTABLES_COMPAT NETFILTER_XT_CONNMARK NETFILTER_XT_MATCH_BPF NETFILTER_XT_MATCH_CGROUP NETFILTER_XT_MATCH_CLUSTER NETFILTER_XT_MATCH_COMMENT NETFILTER_XT_MATCH_CONNBYTES NETFILTER_XT_MATCH_CONNLABEL NETFILTER_XT_MATCH_CONNLIMIT NETFILTER_XT_MATCH_CONNMARK NETFILTER_XT_MATCH_CPU NETFILTER_XT_MATCH_DCCP NETFILTER_XT_MATCH_DEVGROUP 
NETFILTER_XT_MATCH_DSCP NETFILTER_XT_MATCH_ECN NETFILTER_XT_MATCH_ESP NETFILTER_XT_MATCH_HASHLIMIT NETFILTER_XT_MATCH_HELPER NETFILTER_XT_MATCH_HL NETFILTER_XT_MATCH_IPCOMP NETFILTER_XT_MATCH_IPRANGE NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MATCH_L2TP NETFILTER_XT_MATCH_LENGTH NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_MAC NETFILTER_XT_MATCH_MARK NETFILTER_XT_MATCH_MULTIPORT NETFILTER_XT_MATCH_NFACCT NETFILTER_XT_MATCH_OSF NETFILTER_XT_MATCH_OWNER NETFILTER_XT_MATCH_PHYSDEV NETFILTER_XT_MATCH_PKTTYPE NETFILTER_XT_MATCH_QUOTA NETFILTER_XT_MATCH_RATEEST NETFILTER_XT_MATCH_REALM NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_SCTP NETFILTER_XT_MATCH_SOCKET NETFILTER_XT_MATCH_STATISTIC NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_TCPMSS NETFILTER_XT_MATCH_TIME NETFILTER_XT_MATCH_U32 NETFILTER_XT_SET NETFILTER_XT_TARGET_AUDIT NETFILTER_XT_TARGET_CHECKSUM NETFILTER_XT_TARGET_CLASSIFY NETFILTER_XT_TARGET_CONNMARK NETFILTER_XT_TARGET_CT NETFILTER_XT_TARGET_DSCP NETFILTER_XT_TARGET_HL NETFILTER_XT_TARGET_HMARK NETFILTER_XT_TARGET_IDLETIMER NETFILTER_XT_TARGET_LED NETFILTER_XT_TARGET_MARK NETFILTER_XT_TARGET_NETMAP NETFILTER_XT_TARGET_NFQUEUE NETFILTER_XT_TARGET_NOTRACK NETFILTER_XT_TARGET_RATEEST NETFILTER_XT_TARGET_REDIRECT NETFILTER_XT_TARGET_TCPOPTSTRIP NETFILTER_XT_TARGET_TEE NETFILTER_XT_TARGET_TPROXY NETFILTER_XT_TARGET_TRACE NETLABEL NETLINK_DIAG NETROM NET_9P_RDMA NET_ACT_BPF NET_ACT_CONNMARK NET_ACT_CSUM NET_ACT_CT NET_ACT_CTINFO NET_ACT_GATE NET_ACT_IFE NET_ACT_MPLS NET_ACT_NAT NET_ACT_PEDIT NET_ACT_POLICE NET_ACT_SAMPLE NET_ACT_SIMP NET_ACT_SKBEDIT NET_ACT_SKBMOD NET_ACT_TUNNEL_KEY NET_ACT_VLAN NET_CLS_BASIC NET_CLS_BPF NET_CLS_FLOW NET_CLS_FLOWER NET_CLS_FW NET_CLS_MATCHALL NET_CLS_ROUTE4 NET_CRC32C NET_DEVLINK NET_DEVMEM NET_DROP_MONITOR NET_DSA NET_DSA_TAG_BRCM NET_DSA_TAG_BRCM_COMMON NET_DSA_TAG_BRCM_PREPEND NET_DSA_TAG_MTK NET_DSA_TAG_QCA NET_DSA_TAG_RTL4_A NET_EMATCH_CANID NET_EMATCH_CMP NET_EMATCH_IPSET NET_EMATCH_IPT NET_EMATCH_META NET_EMATCH_NBYTE 
NET_EMATCH_TEXT NET_EMATCH_U32 NET_FC NET_FOU NET_FOU_IP_TUNNELS NET_IFE NET_IFE_SKBMARK NET_IFE_SKBPRIO NET_IFE_SKBTCINDEX NET_IPGRE NET_IPGRE_BROADCAST NET_IPGRE_DEMUX NET_IPIP NET_IPVTI NET_KEY NET_KEY_MIGRATE NET_L3_MASTER_DEV NET_MPLS_GSO NET_NCSI NET_NSH NET_REDIRECT NET_SCH_CAKE NET_SCH_CBS NET_SCH_CHOKE NET_SCH_CODEL NET_SCH_DRR NET_SCH_ETF NET_SCH_ETS NET_SCH_FQ NET_SCH_FQ_CODEL NET_SCH_FQ_PIE NET_SCH_GRED NET_SCH_HFSC NET_SCH_HHF NET_SCH_HTB NET_SCH_INGRESS NET_SCH_MQPRIO NET_SCH_MQPRIO_LIB NET_SCH_MULTIQ NET_SCH_NETEM NET_SCH_PIE NET_SCH_PLUG NET_SCH_PRIO NET_SCH_QFQ NET_SCH_RED NET_SCH_SFB NET_SCH_SFQ NET_SCH_SKBPRIO NET_SCH_TAPRIO NET_SCH_TBF NET_SCH_TEQL NET_SHAPER NET_SOCK_MSG NET_SWITCHDEV NET_TC_SKB_EXT NET_TEAM NET_TEAM_MODE_ACTIVEBACKUP NET_TEAM_MODE_BROADCAST NET_TEAM_MODE_LOADBALANCE NET_TEAM_MODE_RANDOM NET_TEAM_MODE_ROUNDROBIN NET_UDP_TUNNEL NET_VRF NFC NFC_DIGITAL NFC_FDP NFC_HCI NFC_MRVL NFC_MRVL_USB NFC_NCI NFC_NCI_UART NFC_PN533 NFC_PN533_USB NFC_PORT100 NFC_SHDLC NFC_SIM NFC_VIRTUAL_NCI NFSD NFSD_BLOCKLAYOUT NFSD_FLEXFILELAYOUT NFSD_PNFS NFSD_SCSILAYOUT NFSD_V3_ACL NFSD_V4 NFSD_V4_2_INTER_SSC NFSD_V4_SECURITY_LABEL NFS_FSCACHE NFS_V4_1 NFS_V4_2 NFS_V4_2_READ_PLUS NFS_V4_2_SSC_HELPER NFS_V4_SECURITY_LABEL NFT_BRIDGE_META NFT_BRIDGE_REJECT NFT_COMPAT NFT_CONNLIMIT NFT_CT NFT_DUP_IPV4 NFT_DUP_IPV6 NFT_DUP_NETDEV NFT_FIB NFT_FIB_INET NFT_FIB_IPV4 NFT_FIB_IPV6 NFT_FIB_NETDEV NFT_FLOW_OFFLOAD NFT_HASH NFT_LIMIT NFT_LOG NFT_MASQ NFT_NAT NFT_NUMGEN NFT_OSF NFT_QUEUE NFT_QUOTA NFT_REDIR NFT_REJECT NFT_REJECT_INET NFT_REJECT_IPV4 NFT_REJECT_IPV6 NFT_REJECT_NETDEV NFT_SOCKET NFT_SYNPROXY NFT_TPROXY NFT_TUNNEL NFT_XFRM NF_CONNTRACK_AMANDA NF_CONNTRACK_BRIDGE NF_CONNTRACK_BROADCAST NF_CONNTRACK_EVENTS NF_CONNTRACK_H323 NF_CONNTRACK_LABELS NF_CONNTRACK_MARK NF_CONNTRACK_NETBIOS_NS NF_CONNTRACK_OVS NF_CONNTRACK_PPTP NF_CONNTRACK_SANE NF_CONNTRACK_SNMP NF_CONNTRACK_TFTP NF_CONNTRACK_TIMEOUT NF_CONNTRACK_TIMESTAMP NF_CONNTRACK_ZONES NF_CT_NETLINK_HELPER 
NF_CT_NETLINK_TIMEOUT NF_CT_PROTO_DCCP NF_CT_PROTO_GRE NF_CT_PROTO_SCTP NF_CT_PROTO_UDPLITE NF_DUP_IPV4 NF_DUP_IPV6 NF_DUP_NETDEV NF_FLOW_TABLE NF_FLOW_TABLE_INET NF_NAT_AMANDA NF_NAT_H323 NF_NAT_OVS NF_NAT_PPTP NF_NAT_REDIRECT NF_NAT_SNMP_BASIC NF_NAT_TFTP NF_SOCKET_IPV4 NF_SOCKET_IPV6 NF_TABLES NF_TABLES_BRIDGE NF_TABLES_INET NF_TABLES_IPV4 NF_TABLES_IPV6 NF_TABLES_NETDEV NF_TPROXY_IPV4 NF_TPROXY_IPV6 NILFS2_FS PAGE_POOL PARTITION_ADVANCED PSAMPLE RC_CORE RC_DEVICES RFKILL SPI USB_GADGET USB_MUSB_HDRC VIDEO_DEV WAN WATCH_QUEUE WIRELESS WLAN WWAN X25] disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags testing release v6.15 testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: b8166c4be5fe52d6f0b191ea1270811fefb4451a9be8b00cb0b2bf5fe2535669 all runs: OK false negative chance: 0.000 # git bisect start a9b24b3583ae1da7dbda031f141264f2da260219 0ff41df1cb268fc69e703a08a57ee14ae967d0ca Bisecting: 7298 revisions left to test after this (roughly 13 steps) [1b98f357dadd6ea613a435fbaef1a5dd7b35fd21] Merge tag 'net-next-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 407f6ca9656c0196a6e28f64ccb497c74b0792dfc0d989f87ee48af60217c5a1 all runs: OK false negative chance: 0.000 # git bisect good 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21 Bisecting: 3642 revisions left to test after this (roughly 12 steps) [76c21d225469780a005140037b6248e648f41ae4] Merge tag 'hwmon-for-v6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging testing commit 
76c21d225469780a005140037b6248e648f41ae4 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: ccaf5c0bc09e5d52fa82ec00f3d5c147f1046124d7b6cf831841249f4b63ce14 all runs: OK false negative chance: 0.000 # git bisect good 76c21d225469780a005140037b6248e648f41ae4 Bisecting: 1723 revisions left to test after this (roughly 11 steps) [c26f4fbd58375bd6ef74f95eb73d61762ad97c59] Merge tag 'char-misc-6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit c26f4fbd58375bd6ef74f95eb73d61762ad97c59 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: d5917e813d8423bbe74f505c6e414d63f409c08863fe33c25ee1f267095e12a2 all runs: OK false negative chance: 0.000 # git bisect good c26f4fbd58375bd6ef74f95eb73d61762ad97c59 Bisecting: 861 revisions left to test after this (roughly 10 steps) [7768c5f417336fa58dbfef9bb7ecd7eeec6d8886] net: mana: Add handler for hardware servicing events testing commit 7768c5f417336fa58dbfef9bb7ecd7eeec6d8886 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 78475577e9222d9a14d3204d56d5221a9caf9b1b8376e6b8538c789191bcfbee all runs: OK false negative chance: 0.000 # git bisect good 7768c5f417336fa58dbfef9bb7ecd7eeec6d8886 Bisecting: 326 revisions left to test after this (roughly 9 steps) [62deb67fc519ee3b394f094982851d1ff3992731] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 62deb67fc519ee3b394f094982851d1ff3992731 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 437c65ace3113004d073d1248e18ff9d6f9bba6048767dfef1745992b0fe8fbd all runs: OK false negative chance: 0.000 # git bisect good 62deb67fc519ee3b394f094982851d1ff3992731 Bisecting: 152 revisions left to 
test after this (roughly 7 steps) [c73ebc0dbb6ed968cb58d04d82ede3b5fb95e8bf] Merge tag 'iwlwifi-next-2025-06-25' of https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next testing commit c73ebc0dbb6ed968cb58d04d82ede3b5fb95e8bf gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: ba7b4f2765052c5369f625ec1e62ac0278a1c300fec012233dc786282c145108 all runs: OK false negative chance: 0.000 # git bisect good c73ebc0dbb6ed968cb58d04d82ede3b5fb95e8bf Bisecting: 78 revisions left to test after this (roughly 6 steps) [99aa0bbb082e7c0660751832acca897493c3082c] net: pse-pd: Fix ethnl_pse_send_ntf() stub parameter type testing commit 99aa0bbb082e7c0660751832acca897493c3082c gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 3f6fa8ccc95ca4fb410919dfc7393885e6f9409f23c98666e33671d573f7b64e all runs: OK false negative chance: 0.000 # git bisect good 99aa0bbb082e7c0660751832acca897493c3082c Bisecting: 39 revisions left to test after this (roughly 5 steps) [3b180b227eb19fb37714293d601ad49dcc7cf08f] fbnic: Do not consider mailbox "initialized" until we have verified fw version testing commit 3b180b227eb19fb37714293d601ad49dcc7cf08f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: b14daabd08e9827546465f6a8e04a26c94ba0b6d3629fa387914b84f425e18cd run #0: ignore: lost connection to test machine run #1: ignore: lost connection to test machine run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK false negative chance: 0.000 # git bisect good 3b180b227eb19fb37714293d601ad49dcc7cf08f Bisecting: 19 revisions left to test after this (roughly 4 steps) [a19e5812dc96e6ad3ba6740a22d0ae45b4c059d8] Merge branch 'there-are-some-cleanup-for-hns3-driver' testing commit 
a19e5812dc96e6ad3ba6740a22d0ae45b4c059d8 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 9f27be845a439c115b5be6fa2e04becd25e6a9ba71a669191ee2d828413a8930 all runs: OK false negative chance: 0.000 # git bisect good a19e5812dc96e6ad3ba6740a22d0ae45b4c059d8 Bisecting: 9 revisions left to test after this (roughly 3 steps) [46837be5afc6ea70bc827ca4439410e069e2ee37] net: ethtool: rss: add notifications testing commit 46837be5afc6ea70bc827ca4439410e069e2ee37 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 75ed7b209d35edba471b95dec7526034295d5eec862e07ad70ede7431b3781d1 all runs: crashed: KASAN: slab-out-of-bounds Read in pause_parse_request representative crash: KASAN: slab-out-of-bounds Read in pause_parse_request, types: [KASAN] # git bisect bad 46837be5afc6ea70bc827ca4439410e069e2ee37 Bisecting: 4 revisions left to test after this (roughly 2 steps) [826334359eacc1b70e9752ebc4954ed775dd40ca] netlink: specs: add the multicast group name to spec testing commit 826334359eacc1b70e9752ebc4954ed775dd40ca gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 8df3bbf2cb7ef69609b97250907b034e6bc0cb0a16890720d6c815ef8b4a7ad6 all runs: OK false negative chance: 0.000 # git bisect good 826334359eacc1b70e9752ebc4954ed775dd40ca Bisecting: 2 revisions left to test after this (roughly 1 step) [963781bdfe2007e062e05b6b8a263ae9340bd523] net: ethtool: call .parse_request for SET handlers testing commit 963781bdfe2007e062e05b6b8a263ae9340bd523 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: aad54582c54685f2a3fae3d578b3cbf1cad4436d4015bf8adbc34ad2396117b9 all runs: crashed: KASAN: slab-out-of-bounds Read in pause_parse_request representative 
crash: KASAN: slab-out-of-bounds Read in pause_parse_request, types: [KASAN]
# git bisect bad 963781bdfe2007e062e05b6b8a263ae9340bd523
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ceca0769e87ff4e33e8dab9c0277646da6d422fe] net: ethtool: dynamically allocate full req size req
testing commit ceca0769e87ff4e33e8dab9c0277646da6d422fe gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 7ba0da2788b108bef8723c8b1e010dd535aad4f9d4d96dd9f466ed1a65926c25
all runs: OK
false negative chance: 0.000
# git bisect good ceca0769e87ff4e33e8dab9c0277646da6d422fe
963781bdfe2007e062e05b6b8a263ae9340bd523 is the first bad commit
commit 963781bdfe2007e062e05b6b8a263ae9340bd523
Author: Jakub Kicinski
Date: Mon Jun 23 16:17:15 2025 -0700

    net: ethtool: call .parse_request for SET handlers

    In preparation for using req_info to carry parameters between SET and NTF - call .parse_request during ethnl_default_set_doit().

    The main question here is whether .parse_request is intended to be GET-specific. Originally the SET handling was delegated to each subcommand directly - ethnl_default_set_doit() and .set callbacks in ethnl_request_ops did not exist. Looking at existing users does not shed much light, all of the following subcommands use .parse_request but have no SET handler (and no NTF):

      net/ethtool/eeprom.c
      net/ethtool/rss.c
      net/ethtool/stats.c
      net/ethtool/strset.c
      net/ethtool/tsinfo.c

    There's only one which does have a SET:

      net/ethtool/pause.c

    where .parse_request handling is used to select which statistics to query. Not relevant for SET but also harmless.

    Going back to RSS (which doesn't have SET today) .parse_request parses the rss_context ID. Using the req_info struct to pass the context ID from SET to NTF will be very useful.

    Switch to ethnl_default_parse(), effectively adding the .parse_request for SET handlers.
    Reviewed-by: Maxime Chevallier
    Tested-by: Maxime Chevallier
    Link: https://patch.msgid.link/20250623231720.3124717-4-kuba@kernel.org
    Signed-off-by: Jakub Kicinski

 net/ethtool/netlink.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
accumulated error probability: 0.00
culprit signature: aad54582c54685f2a3fae3d578b3cbf1cad4436d4015bf8adbc34ad2396117b9
parent signature: 7ba0da2788b108bef8723c8b1e010dd535aad4f9d4d96dd9f466ed1a65926c25
revisions tested: 21, total time: 6h31m2.413191883s (build: 3h20m51.294156109s, test: 2h45m3.939431898s)
first bad commit: 963781bdfe2007e062e05b6b8a263ae9340bd523 net: ethtool: call .parse_request for SET handlers
recipients (to): ["andrew@lunn.ch" "davem@davemloft.net" "edumazet@google.com" "kuba@kernel.org" "kuba@kernel.org" "maxime.chevallier@bootlin.com" "netdev@vger.kernel.org" "pabeni@redhat.com"]
recipients (cc): ["danieller@nvidia.com" "horms@kernel.org" "kory.maincent@bootlin.com" "linux-kernel@vger.kernel.org" "maxime.chevallier@bootlin.com"]
crash: KASAN: slab-out-of-bounds Read in pause_parse_request
==================================================================
BUG: KASAN: slab-out-of-bounds in pause_parse_request+0x40/0x160 net/ethtool/pause.c:37
Read of size 8 at addr ffff888111a60830 by task syz.2.16/4861

CPU: 0 UID: 0 PID: 4861 Comm: syz.2.16 Not tainted 6.16.0-rc2-syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 dump_stack_lvl+0x18a/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 pause_parse_request+0x40/0x160 net/ethtool/pause.c:37
 ethnl_default_parse net/ethtool/netlink.c:456 [inline]
 ethnl_default_set_doit+0x295/0x9d0 net/ethtool/netlink.c:881
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x609/0x790
net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2534
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x71f/0x890 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x7e8/0xb00 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x7e0 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa87d78e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa87d1ff038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fa87d9b5fa0 RCX: 00007fa87d78e929
RDX: 0000000000000040 RSI: 0000200000000000 RDI: 0000000000000003
RBP: 00007fa87d810b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa87d9b5fa0 R15: 00007ffd37ba7178

Allocated by task 4861:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4328 [inline]
 __kmalloc_noprof+0x263/0x500 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kmalloc_array_noprof include/linux/slab.h:948 [inline]
 genl_family_rcv_msg_attrs_parse+0xa3/0x2a0 net/netlink/genetlink.c:940
 genl_family_rcv_msg_doit+0xb8/0x300 net/netlink/genetlink.c:1093
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x609/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2534
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x71f/0x890 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x7e8/0xb00 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x7e0 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888111a60800
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes to the right of
 allocated 40-byte region [ffff888111a60800, ffff888111a60828)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111a60
anon flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 ffffea0004768780 dead000000000005
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 12, tgid 12 (kworker/u8:0), ts 6843562714, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x168/0x1a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x260e/0x2710
mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x26b/0x460 mm/page_alloc.c:4959
 alloc_pages_mpol+0xd1/0x330 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x350 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0x9dc/0x10e0 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x2e8/0x500 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 lsm_blob_alloc security/security.c:684 [inline]
 lsm_task_alloc security/security.c:771 [inline]
 security_task_alloc+0x4d/0x280 security/security.c:3160
 copy_process+0x132c/0x3700 kernel/fork.c:2151
 kernel_clone+0x21c/0x8c0 kernel/fork.c:2599
 user_mode_thread+0xdd/0x140 kernel/fork.c:2677
 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xa3a/0x1530 kernel/workqueue.c:3321
 worker_thread+0xa03/0xeb0 kernel/workqueue.c:3402
 kthread+0x667/0x760 kernel/kthread.c:464
 ret_from_fork+0x1b7/0x380 arch/x86/kernel/process.c:148
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888111a60700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888111a60780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888111a60800: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff888111a60880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888111a60900: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================