ci2 starts bisection 2025-01-21 21:49:54.495461566 +0000 UTC m=+19300.363035011
bisecting fixing commit since af361f9a1066ff9442eabafc458ff373481499a4
building syzkaller on 51c4dcff83b0574620c280cc5130ef59cc4a2e32
ensuring issue is reproducible on original commit af361f9a1066ff9442eabafc458ff373481499a4
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 95375b1a7fdf11c5420697d43ecdd240c2d75154d19060385ae58705b55e8454
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8aa10a12f9ffe955afec7313e278083e1e4c22a6dd9e5a60ae4599b6e31ccd26
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=5179 full=6491 leaves diff=256
split chunks (needed=false): <256>
split chunk #0 of len 256 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3b6224ae4c416cae706502c1b4898c3a3aa1cbe00512af2f3c9e5f38e27b2f8c
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 25e09fcedd161f3556601f936442b9aa31d5578add86030ffd0d36f32fcb91f3
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b8932fcea385b4cd40d802d176517f4dc475f3da51309be160333101d58d8408
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 186542d8cc332974c99106fce9a4b021379cdd1530f5deeceb96f4b2186ba1ec
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building af361f9a1066ff9442eabafc458ff373481499a4: net/socket.c:1245: undefined reference to `wext_handle_ioctl'
net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing current HEAD d12538e9da376795d1aba2d36e88fb83aba269f5
testing commit d12538e9da376795d1aba2d36e88fb83aba269f5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d1977ce772e2a569d363a0282f3f11312478b8684be34f9c769cfa3b310613ed
all runs: crashed: general protection fault in vsock_stream_has_data
representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 44m32.746029702s (build: 20m46.10837852s, test: 20m41.466029438s)
crash still not fixed or there were kernel test errors
commit msg: BACKPORT: PCI/portdrv: Prevent LS7A Bus Master clearing on shutdown
crash: general protection fault in vsock_stream_has_data
general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 0 PID: 6 Comm: kworker/0:0 Not tainted 6.1.118-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: vsock-loopback vsock_loopback_work
RIP: 0010:vsock_stream_has_data+0x41/0x60 net/vmw_vsock/af_vsock.c:869
Code: 8d 9f 60 03 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 3d c7 92 fd 48 8b 1b 48 83 c3 60 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 20 c7 92 fd 4c 89 f7 ff 13 5b 41
RSP: 0018:ffffc900000675b8 EFLAGS: 00010206
RAX: 000000000000000c RBX: 0000000000000060 RCX: ffffffff84112f4f
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88810fe75780
RBP: ffffc900000675d0 R08: dffffc0000000000 R09: ffffed1021fceafd
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff88810fe75780 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f212f5fef80 CR3: 0000000126634000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 virtio_transport_do_close+0x62/0x350 net/vmw_vsock/virtio_transport_common.c:910
 virtio_transport_recv_disconnecting net/vmw_vsock/virtio_transport_common.c:1138 [inline]
 virtio_transport_recv_pkt+0x10ae/0x3ca0 net/vmw_vsock/virtio_transport_common.c:1330
 vsock_loopback_work+0x376/0x3d0 net/vmw_vsock/vsock_loopback.c:137
 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299
 worker_thread+0x892/0xf20 kernel/workqueue.c:2446
 kthread+0x215/0x270 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vsock_stream_has_data+0x41/0x60 net/vmw_vsock/af_vsock.c:869
Code: 8d 9f 60 03 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 3d c7 92 fd 48 8b 1b 48 83 c3 60 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 20 c7 92 fd 4c 89 f7 ff 13 5b 41
RSP: 0018:ffffc900000675b8 EFLAGS: 00010206
RAX: 000000000000000c RBX: 0000000000000060 RCX: ffffffff84112f4f
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88810fe75780
RBP: ffffc900000675d0 R08: dffffc0000000000 R09: ffffed1021fceafd
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff88810fe75780 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff012ffdf00 CR3: 0000000122b17000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   8d 9f 60 03 00 00       lea    0x360(%rdi),%ebx
   6:   48 89 d8                mov    %rbx,%rax
   9:   48 c1 e8 03             shr    $0x3,%rax
   d:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
  12:   74 08                   je     0x1c
  14:   48 89 df                mov    %rbx,%rdi
  17:   e8 3d c7 92 fd          call   0xfd92c759
  1c:   48 8b 1b                mov    (%rbx),%rbx
  1f:   48 83 c3 60             add    $0x60,%rbx
  23:   48 89 d8                mov    %rbx,%rax
  26:   48 c1 e8 03             shr    $0x3,%rax
* 2a:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:   74 08                   je     0x39
  31:   48 89 df                mov    %rbx,%rdi
  34:   e8 20 c7 92 fd          call   0xfd92c759
  39:   4c 89 f7                mov    %r14,%rdi
  3c:   ff 13                   call   *(%rbx)
  3e:   5b                      pop    %rbx
  3f:   41                      rex.B