ci2 starts bisection 2023-11-07 14:00:17.650423763 +0000 UTC m=+45992.142986514 bisecting fixing commit since d3212c2dbababf849d940f5f7001f4fde222b888 building syzkaller on 0b6a67ac4b0dc26f43030c5edd01c9175f13b784 ensuring issue is reproducible on original commit d3212c2dbababf849d940f5f7001f4fde222b888 testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 73108e38be6ebea735cb687700b63d7435d0e275e58f9e1835c85d9ff2688802 all runs: crashed: KASAN: use-after-free Read in consume_skb representative crash: KASAN: use-after-free Read in consume_skb, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0c3d7d71c795a00ef9eb75944b60e838626171449844123839d53855205b11fc all runs: crashed: KASAN: use-after-free Read in consume_skb representative crash: KASAN: use-after-free Read in consume_skb, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed kconfig minimization: base=5179 full=6487 leaves diff=250 split chunks (needed=false): <250> split chunk #0 of len 250 into 5 parts testing without sub-chunk 1/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e254fe6c25247cdc66f44584ce29a8b0e31a3e3e2bf2e5cd54868a6f5944b3a9 all runs: crashed: KASAN: use-after-free Read in consume_skb representative crash: KASAN: use-after-free Read in consume_skb, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d8af044a1fe849f03e24a66371e9e125026acf38c55f6341ceebd3766c3996ea all runs: crashed: KASAN: use-after-free Read in consume_skb representative crash: KASAN: use-after-free Read in consume_skb, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 11e3bb607833f073ce9fff5326975ea3acd5ecad2d91cfcacd2fe720e125225a all runs: crashed: KASAN: use-after-free Read in consume_skb representative crash: KASAN: use-after-free Read in consume_skb, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 738ff434eb08d6ca27716b8f6371dce8f994bdf38b1d6491bec7fbad804b511b all runs: crashed: KASAN: use-after-free Read in consume_skb representative crash: KASAN: use-after-free Read in consume_skb, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building d3212c2dbababf849d940f5f7001f4fde222b888: net/socket.c:1225: undefined reference to `wext_handle_ioctl' net/socket.c:3420: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing current HEAD 230d34da33c54e2c3dec0bfb18cb945e6db02941 testing commit 230d34da33c54e2c3dec0bfb18cb945e6db02941 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f00ca2d4778a56d422be15f898c58f45a346d628fa9ab3a735f791cba8a859de all runs: crashed: KASAN: use-after-free Read in consume_skb representative crash: KASAN: use-after-free Read in consume_skb, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 1h8m55.168384887s (build: 44m14.446177027s, test: 21m10.986220827s) crash still not fixed or there were kernel test errors commit msg: UPSTREAM: scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5 crash: KASAN: use-after-free Read in consume_skb ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline] BUG: KASAN: use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:147 [inline] BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1207 [inline] BUG: KASAN: use-after-free in consume_skb+0x2f/0x180 net/core/skbuff.c:1029 Read of size 4 at addr ffff8881258a4eac by task kworker/1:3/300 CPU: 1 PID: 300 Comm: kworker/1:3 Not tainted 6.1.43-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 Workqueue: events sk_psock_destroy Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x105/0x148 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189 __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 instrument_atomic_read include/linux/instrumented.h:72 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] refcount_read include/linux/refcount.h:147 [inline] skb_unref include/linux/skbuff.h:1207 [inline] consume_skb+0x2f/0x180 net/core/skbuff.c:1029 __sk_msg_free net/core/skmsg.c:205 [inline] sk_msg_free net/core/skmsg.c:218 [inline] __sk_psock_purge_ingress_msg net/core/skmsg.c:769 [inline] __sk_psock_zap_ingress net/core/skmsg.c:782 [inline] sk_psock_destroy+0x489/0xaf0 net/core/skmsg.c:814 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299 worker_thread+0x892/0xf20 kernel/workqueue.c:2446 kthread+0x215/0x270 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Allocated by task 352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333 kasan_slab_alloc include/linux/kasan.h:202 [inline] slab_post_alloc_hook+0x59/0x270 mm/slab.h:768 slab_alloc_node mm/slub.c:3418 [inline] kmem_cache_alloc_node+0x18a/0x2d0 mm/slub.c:3463 __alloc_skb+0x13a/0x6b0 net/core/skbuff.c:497 alloc_skb include/linux/skbuff.h:1275 [inline] alloc_skb_with_frags+0x7f/0x520 net/core/skbuff.c:6148 sock_alloc_send_pskb+0x7ef/0x8f0 net/core/sock.c:2732 unix_dgram_sendmsg+0x4c6/0x1cd0 net/unix/af_unix.c:1943 sock_sendmsg_nosec net/socket.c:716 [inline] sock_sendmsg net/socket.c:736 [inline] ____sys_sendmsg+0x495/0x7c0 net/socket.c:2482 ___sys_sendmsg+0x223/0x2a0 net/socket.c:2536 __sys_sendmmsg+0x220/0x3a0 net/socket.c:2622 __do_sys_sendmmsg net/socket.c:2651 [inline] __se_sys_sendmmsg net/socket.c:2648 [inline] __x64_sys_sendmmsg+0x9b/0xb0 net/socket.c:2648 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 300: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 kasan_slab_free include/linux/kasan.h:178 [inline] slab_free_hook mm/slub.c:1744 [inline] slab_free_freelist_hook mm/slub.c:1770 [inline] slab_free mm/slub.c:3681 [inline] kmem_cache_free+0x264/0x450 mm/slub.c:3703 kfree_skbmem+0xb6/0x110 __kfree_skb net/core/skbuff.c:869 [inline] kfree_skb_reason+0x8f/0x170 net/core/skbuff.c:891 kfree_skb include/linux/skbuff.h:1224 [inline] sock_drop include/linux/skmsg.h:306 [inline] __sk_psock_zap_ingress net/core/skmsg.c:780 [inline] sk_psock_destroy+0x13c/0xaf0 net/core/skmsg.c:814 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299 worker_thread+0x892/0xf20 kernel/workqueue.c:2446 kthread+0x215/0x270 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 The buggy address belongs to the object at ffff8881258a4dc0 which belongs to the cache skbuff_head_cache of size 248 The buggy address is located 236 bytes inside of 248-byte region [ffff8881258a4dc0, ffff8881258a4eb8) The buggy address belongs to the physical page: page:ffffea0004962900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1258a4 flags: 0x4000000000000200(slab|zone=1) raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100b6de00 raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 352, tgid 350 (syz-executor.0), ts 41039237617, free_ts 41038194716 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2586 [inline] prep_new_page+0x512/0x5e0 mm/page_alloc.c:2593 get_page_from_freelist+0x2900/0x2990 mm/page_alloc.c:4410 __alloc_pages+0x39f/0x780 mm/page_alloc.c:5698 allocate_slab mm/slub.c:1959 [inline] new_slab+0xcb/0x440 mm/slub.c:2012 ___slab_alloc+0x611/0x9a0 mm/slub.c:3200 __slab_alloc+0x52/0x90 mm/slub.c:3299 slab_alloc_node mm/slub.c:3384 [inline] kmem_cache_alloc_node+0x1c9/0x2d0 mm/slub.c:3463 __alloc_skb+0x13a/0x6b0 net/core/skbuff.c:497 alloc_skb include/linux/skbuff.h:1275 [inline] alloc_skb_with_frags+0x7f/0x520 net/core/skbuff.c:6148 sock_alloc_send_pskb+0x7ef/0x8f0 net/core/sock.c:2732 unix_dgram_sendmsg+0x4c6/0x1cd0 net/unix/af_unix.c:1943 sock_sendmsg_nosec net/socket.c:716 [inline] sock_sendmsg net/socket.c:736 [inline] ____sys_sendmsg+0x495/0x7c0 net/socket.c:2482 ___sys_sendmsg+0x223/0x2a0 net/socket.c:2536 __sys_sendmmsg+0x220/0x3a0 net/socket.c:2622 __do_sys_sendmmsg net/socket.c:2651 [inline] __se_sys_sendmmsg net/socket.c:2648 [inline] __x64_sys_sendmmsg+0x9b/0xb0 net/socket.c:2648 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1494 [inline] free_pcp_prepare mm/page_alloc.c:1568 [inline] free_unref_page_prepare+0x794/0x7a0 mm/page_alloc.c:3500 free_unref_page+0xbc/0x630 mm/page_alloc.c:3597 free_the_page mm/page_alloc.c:794 [inline] __free_pages+0x67/0xd0 mm/page_alloc.c:5787 __vunmap+0x401/0x7b0 mm/vmalloc.c:2728 __vfree mm/vmalloc.c:2776 [inline] vfree+0x28/0x40 mm/vmalloc.c:2807 adjust_insn_aux_data kernel/bpf/verifier.c:13263 [inline] bpf_patch_insn_data+0x601/0xd90 kernel/bpf/verifier.c:13316 convert_ctx_accesses kernel/bpf/verifier.c:13856 [inline] bpf_check+0x7fa7/0x16210 kernel/bpf/verifier.c:15595 bpf_prog_load+0xf54/0x19f0 kernel/bpf/syscall.c:2605 __sys_bpf+0x3b7/0x570 kernel/bpf/syscall.c:4972 __do_sys_bpf kernel/bpf/syscall.c:5076 [inline] __se_sys_bpf kernel/bpf/syscall.c:5074 [inline] __x64_sys_bpf+0x77/0x90 kernel/bpf/syscall.c:5074 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff8881258a4d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff8881258a4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881258a4e80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc ^ ffff8881258a4f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881258a4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================