ci starts bisection 2023-12-20 11:06:27.966321786 +0000 UTC m=+155.225463316
bisecting fixing commit since 28f20a19294da7df158dfca259d0e2b5866baaf9
building syzkaller on 03d9c195daed8fca30b642783f35657aa7e32209
ensuring issue is reproducible on original commit 28f20a19294da7df158dfca259d0e2b5866baaf9
testing commit 28f20a19294da7df158dfca259d0e2b5866baaf9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 45cedcd4693e6063b24cb5d985f3b9f671e3283b0ab389bac63a20a9ee619fa3
run #0: crashed: BUG: rwlock bad magic in ext4_es_insert_extent
run #1: crashed: general protection fault in rcu_core
run #2: crashed: general protection fault in wait_consider_task
run #3: crashed: general protection fault in hrtimer_nanosleep
run #4: crashed: general protection fault in refill_obj_stock
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in __run_timers
run #7: crashed: general protection fault in mm_update_next_owner
run #8: crashed: general protection fault in __switch_to
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
run #10: crashed: BUG: unable to handle kernel paging request in generic_file_write_iter
run #11: crashed: general protection fault in __hrtimer_run_queues
run #12: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space
run #13: crashed: general protection fault in do_iter_write
run #14: crashed: general protection fault in update_blocked_averages
run #15: crashed: general protection fault in vma_interval_tree_remove
run #16: crashed: kernel BUG in corrupted
run #17: crashed: no output from test machine
run #18: crashed: general protection fault in fsnotify
run #19: crashed: BUG: unable to handle kernel paging request in jbd2__journal_start
representative crash: general protection fault in rcu_core, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 28f20a19294da7df158dfca259d0e2b5866baaf9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d02f92e28eaf754598162078c08918aa9288ef9a26dea26ed51bd19589bbb54e
run #0: crashed: no output from test machine
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in tomoyo_init_request_info
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
representative crash: no output from test machine, types: [UNKNOWN]
kconfig minimization: base=3923 full=7652 leaves diff=2002
split chunks (needed=false): <2002>
split chunk #0 of len 2002 into 5 parts
testing without sub-chunk 1/5
testing commit 28f20a19294da7df158dfca259d0e2b5866baaf9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 46f564914d0728dcc761617cd350fccaae9f79257dcd8ae3548b6064e60d878d
run #0: failed: failed to run command in VM: broken console: Permission denied (publickey)
run #1: crashed: general protection fault in lookup_object_or_alloc
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: general protection fault,SeaBIOS (version NUM.NUM.NUM-google)
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core
run #5: crashed: general protection fault in inode_permission
run #6: crashed: general protection fault in end_bio_bh_io_sync
run #7: crashed: general protection fault in __get_obj_cgroup_from_memcg
run #8: crashed: general protection fault in lookup_object_or_alloc
run #9: crashed: general protection fault in __rhashtable_lookup
run #10: crashed: stack segment fault in __stack_depot_save
run #11: crashed: general protection fault in refill_obj_stock
run #12: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core
run #13: crashed: general protection fault in timerqueue_add
run #14: crashed: general protection fault in mm_update_next_owner
run #15: crashed: general protection fault in rcu_core
run #16: crashed: general protection fault in psi_account_irqtime
run #17: crashed: panic: nil [recovered]
run #18: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space
run #19: crashed: general protection fault in rcu_core
representative crash: general protection fault in lookup_object_or_alloc, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
testing commit 28f20a19294da7df158dfca259d0e2b5866baaf9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1d8164c7c7527206320a80492066d3d02468eab01a96f5143e700bdf7af0b339
run #0: crashed: general protection fault in psi_task_change
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: general protection fault in __ext4_mark_inode_dirty
run #3: crashed: general protection fault in debug_check_no_obj_freed
run #4: crashed: general protection fault in sock_poll
run #5: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space
run #6: crashed: general protection fault in __hrtimer_run_queues
run #7: crashed: KASAN: stack-out-of-bounds Read in timerqueue_add
run #8: crashed: general protection fault in update_curr
run #9: crashed: general protection fault in get_super
run #10: crashed: general protection fault in put_prev_entity
run #11: crashed: general protection fault in __call_rcu_common
run #12: crashed: general protection fault in enqueue_task_fair
run #13: crashed: stack segment fault in __stack_depot_save
run #14: crashed: BUG: unable to handle kernel paging request in __alloc_skb
run #15: crashed: general protection fault in io_serial_in
run #16: crashed: general protection fault in ext4_mark_iloc_dirty
run #17: crashed: general protection fault in locks_remove_posix
run #18: crashed: general protection fault in wg_packet_send_keepalive
run #19: OK
representative crash: general protection fault in psi_task_change, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
testing commit 28f20a19294da7df158dfca259d0e2b5866baaf9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8acd708196d4a5ddf18d6ae5ec78579c5bc13f30410a40ac3e6dcfec512e83c9
run #0: crashed: WARNING: locking bug in calculate_sigpending
run #1: crashed: general protection fault in update_blocked_averages
run #2: crashed: stack segment fault in __stack_depot_save
run #3: crashed: general protection fault in debug_check_no_obj_freed
run #4: crashed: general protection fault in locks_remove_posix
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core
run #6: crashed: general protection fault in __hrtimer_run_queues
run #7: crashed: general protection fault in psi_task_change
run #8: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space
run #9: crashed: WARNING: locking bug in ext4_quota_off
run #10: crashed: general protection fault in vfs_write
run #11: crashed: general protection fault in pid_task
run #12: crashed: kernel BUG in corrupted
run #13: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: general protection fault in update_blocked_averages, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
testing commit 28f20a19294da7df158dfca259d0e2b5866baaf9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 392cfd97bbd46e27309322fa5b32594e0804d83b5236aee0f77f1ca146fc2f4b
run #0: crashed: KASAN: wild-memory-access Write in filemap_get_entry
run #1: crashed: KASAN: wild-memory-access Write in filemap_get_read_batch
run #2: crashed: general protection fault in pid_task
run #3: crashed: WARNING: locking bug in dquot_add_space
run #4: crashed: general protection fault in __cgroup_account_cputime
run #5: crashed: kernel BUG in corrupted
run #6: crashed: general protection fault in pid_task
run #7: crashed: kernel panic: Fatal exception
run #8: crashed: general protection fault in inode_permission
run #9: crashed: general protection fault in corrupted
run #10: crashed: general protection fault in fsnotify
run #11: crashed: KFENCE: invalid read in ext4_ext_remove_space
run #12: crashed: general protection fault in cpuacct_account_field
run #13: crashed: WARNING in update_curr
run #14: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor88630345" "root@10.128.10.54:./syz-executor88630345"]: exit status 255
Executing: program /usr/bin/ssh host 10.128.10.54, user root, command sftp
OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.10.54 [10.128.10.54] port 22.
debug1: connect to address 10.128.10.54 port 22: Connection timed out
ssh: connect to host 10.128.10.54 port 22: Connection timed out
scp: Connection closed
run #15: crashed: WARNING in workingset_update_node
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: general protection fault in pid_task, types: [UNKNOWN KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
testing commit 28f20a19294da7df158dfca259d0e2b5866baaf9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d400d30c21643dfa7c9711d868c56f244bf7d811a80592d36fc27fc92e95c72c
run #0: crashed: general protection fault in timerqueue_del
run #1: crashed: general protection fault in cpuacct_account_field
run #2: crashed: UBSAN: shift-out-of-bounds in __radix_tree_lookup
run #3: crashed: general protection fault in __cgroup_account_cputime_field
run #4: crashed: general protection fault in end_bio_bh_io_sync
run #5: crashed: general protection fault in pid_task
run #6: crashed: kernel BUG in radix_tree_insert
run #7: crashed: stack segment fault in __stack_depot_save
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core
run #9: crashed: general protection fault in end_bio_bh_io_sync
run #10: crashed: general protection fault in corrupted
run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core
run #12: crashed: general protection fault in __fget_files
run #13: crashed: general protection fault in do_iter_write
run #14: crashed: KASAN: stack-out-of-bounds Read in __futex_unqueue
run #15: crashed: general protection fault in unlink_anon_vmas
run #16: crashed: BUG: corrupted list in list_lru_del
run #17: crashed: general protection fault in io_serial_in
run #18: crashed: no output from test machine
run #19: crashed: BUG: unable to handle kernel paging request in mempool_alloc
representative crash: general protection fault in timerqueue_del, types: [UNKNOWN]
the chunk can be dropped
testing current HEAD 55cb5f43689d7a9ea5bf35ef050f12334f197347
testing commit 55cb5f43689d7a9ea5bf35ef050f12334f197347 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 959e5c421337304da3c54d5d67d15ba1d751eaa06ec05eea1defcf426a6b8135
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core
run #1: crashed: BUG: corrupted list in mntput_no_expire
run #2: crashed: KFENCE: invalid read in ext4_ext_remove_space
run #3: crashed: general protection fault in end_bio_bh_io_sync
run #4: crashed: BUG: unable to handle kernel paging request in pid_task
run #5: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space
run #6: crashed: general protection fault in rcu_core
run #7: crashed: KFENCE: invalid read in ext4_ext_remove_space
run #8: crashed: kernel BUG in __phys_addr
run #9: crashed: general protection fault in rcu_core
run #10: crashed: UBSAN: shift-out-of-bounds in __block_write_full_folio
run #11: crashed: UBSAN: shift-out-of-bounds in __radix_tree_lookup
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in rcu_core, types: [UNKNOWN BUG]
crash still not fixed/happens on the oldest tested release
reproducer is flaky (1.00 repro chance estimate)
revisions tested: 8, total time: 3h46m53.741123506s (build: 1h47m35.926892836s, test: 1h52m4.316238247s)
crash still not fixed or there were kernel test errors
commit msg: Merge tag 'trace-v6.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
crash: BUG: unable to handle kernel NULL pointer dereference in rcu_core
slab radix_tree_node start ffff88812571ec00 pointer offset 24 size 576
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 722 Comm: udevd Not tainted 6.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90000198e10 EFLAGS: 00010246
RAX: 1ffff11024ae3d84 RBX: ffff8881f7139f80 RCX: 0000000000000000
RDX: ffff88812571ec20 RSI: 0000000000000000 RDI: ffff88812571ec18
RBP: 0000000000000004 R08: 0000000000000001 R09: fffff52000033140
R10: ffffc90000198a07 R11: 0000000000000001 R12: dffffc0000000000
R13: ffffffff813103b9 R14: 0000000000000000 R15: 0000000000000003
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010535a000 CR4: 0000000000350ef0
Call Trace:
rcu_do_batch kernel/rcu/tree.c:2158 [inline]
rcu_core+0x81b/0x1550 kernel/rcu/tree.c:2431
__do_softirq+0x20a/0x8c1 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xa7/0x110 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1076
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:PageCompound include/linux/page-flags.h:292 [inline]
RIP: 0010:page_mapcount include/linux/mm.h:1204 [inline]
RIP: 0010:zap_pte_range mm/memory.c:1466 [inline]
RIP: 0010:zap_pmd_range mm/memory.c:1583 [inline]
RIP: 0010:zap_pud_range mm/memory.c:1612 [inline]
RIP: 0010:zap_p4d_range mm/memory.c:1633 [inline]
RIP: 0010:unmap_page_range+0x1133/0x19e0 mm/memory.c:1654
Code: 24 58 01 00 00 00 c7 44 24 74 01 00 00 00 e9 42 f7 ff ff 48 8b 84 24 80 00 00 00 48 c1 e8 03 42 80 3c 20 00 0f 85 23 07 00 00 <48> 8b 45 08 a8 01 0f 85 65 fc ff ff 8b 84 24 88 00 00 00 83 c0 01
RSP: 0018:ffffc900003577d0 EFLAGS: 00000246
RAX: 1ffffd400089cbf1 RBX: 00007f9841309000 RCX: ffffffff8163bb56
RDX: fffff9400089cbf1 RSI: 0000000000000008 RDI: ffffea00044e5f80
RBP: ffffea00044e5f80 R08: 0000000000000000 R09: fffff9400089cbf0
R10: ffffea00044e5f87 R11: 0000000000000003 R12: dffffc0000000000
R13: ffff88810538b840 R14: 00007f9841308000 R15: ffffc90000357af0
unmap_vmas+0xe1/0x1e0 mm/memory.c:1744
exit_mmap+0x163/0x850 mm/mmap.c:3308
__mmput kernel/fork.c:1349 [inline]
mmput+0xaf/0x3b0 kernel/fork.c:1371
exit_mm kernel/exit.c:567 [inline]
do_exit+0x83b/0x2790 kernel/exit.c:856
do_group_exit+0xb4/0x250 kernel/exit.c:1018
get_signal+0x1de3/0x21c0 kernel/signal.c:2904
arch_do_signal_or_restart+0x89/0x5d0 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x118/0x1f0 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1e/0x60 kernel/entry/common.c:296
do_syscall_64+0x4d/0xe0 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f98411d33cd
Code: Unable to access opcode bytes at 0x7f98411d33a3.
RSP: 002b:00007ffdd2ea2e80 EFLAGS: 00000246
ORIG_RAX: 00000000000000ea
RAX: 0000000000000000 RBX: 00007f9841100c80 RCX: 00007f98411d33cd
RDX: 0000000000000006 RSI: 00000000000002d2 RDI: 00000000000002d2
RBP: 00000000000002d2 R08: 0000000000000000 R09: 0000000000000002
R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000006
R13: 00007ffdd2ea3090 R14: 0000000000001000 R15: 0000000000000000
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90000198e10 EFLAGS: 00010246
RAX: 1ffff11024ae3d84 RBX: ffff8881f7139f80 RCX: 0000000000000000
RDX: ffff88812571ec20 RSI: 0000000000000000 RDI: ffff88812571ec18
RBP: 0000000000000004 R08: 0000000000000001 R09: fffff52000033140
R10: ffffc90000198a07 R11: 0000000000000001 R12: dffffc0000000000
R13: ffffffff813103b9 R14: 0000000000000000 R15: 0000000000000003
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010535a000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:  24 58                   and    $0x58,%al
   2:  01 00                   add    %eax,(%rax)
   4:  00 00                   add    %al,(%rax)
   6:  c7 44 24 74 01 00 00    movl   $0x1,0x74(%rsp)
   d:  00
   e:  e9 42 f7 ff ff          jmp    0xfffff755
  13:  48 8b 84 24 80 00 00    mov    0x80(%rsp),%rax
  1a:  00
  1b:  48 c1 e8 03             shr    $0x3,%rax
  1f:  42 80 3c 20 00          cmpb   $0x0,(%rax,%r12,1)
  24:  0f 85 23 07 00 00       jne    0x74d
* 2a:  48 8b 45 08             mov    0x8(%rbp),%rax <-- trapping instruction
  2e:  a8 01                   test   $0x1,%al
  30:  0f 85 65 fc ff ff       jne    0xfffffc9b
  36:  8b 84 24 88 00 00 00    mov    0x88(%rsp),%eax
  3d:  83 c0 01                add    $0x1,%eax