ci2 starts bisection 2024-01-27 16:13:35.080011391 +0000 UTC m=+163368.954205171
bisecting fixing commit since b1355f1607d546ef23bbfd26dbd426910effb806
building syzkaller on 28b24332d95f2f7df44ec7e7a5e0025bcadc6277
ensuring issue is reproducible on original commit b1355f1607d546ef23bbfd26dbd426910effb806
testing commit b1355f1607d546ef23bbfd26dbd426910effb806 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ea0f4595c7d0ce5d8396edade27756f9ddbd5ecf125ea1341a9b6abe4d5cab6c
all runs: crashed: general protection fault in skb_segment
representative crash: general protection fault in skb_segment, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit b1355f1607d546ef23bbfd26dbd426910effb806 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6c4d1adabfc6a2f725eec9f4bfc8ebaa7768dc16a4083b7b27888452d7f692be
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=4920 full=6161 leaves diff=241
split chunks (needed=false): <241>
split chunk #0 of len 241 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit b1355f1607d546ef23bbfd26dbd426910effb806 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a835989bae0313b3159ed48e031c374e06ded94c4d4ea944b5be5b9f74037b55
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit b1355f1607d546ef23bbfd26dbd426910effb806 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cb0310f5ea183642fedc56707062be4b9d195e695394b5d82c054f4396f37551
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit b1355f1607d546ef23bbfd26dbd426910effb806 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: deece776d5133705979bbe19bc66d6b993d84eeabf444b57b8c2b051d401194e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit b1355f1607d546ef23bbfd26dbd426910effb806 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 14435fcfd57680a05fcb70848cb289deb3fb85ecf7555275bb45edeffe9e4a74
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit b1355f1607d546ef23bbfd26dbd426910effb806 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building b1355f1607d546ef23bbfd26dbd426910effb806:
net/socket.c:1189: undefined reference to `wext_handle_ioctl'
net/socket.c:3383: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing current HEAD 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b
testing commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0a44d1f8317673d2d2a76554ce0c2b09508472be4be5fab8f57803b3f8b01227
all runs: OK
false negative chance: 0.000
# git bisect start 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b b1355f1607d546ef23bbfd26dbd426910effb806
Bisecting: 621 revisions left to test after this (roughly 9 steps)
[a8604a90e1dbdbb00b60d1df5159ed8025059dcc] Input: xpad - add HyperX Clutch Gladiate Support
determine whether the revision contains the guilty commit
checking the merge base 80529b4968a8052f894d00021a576d8a2d89aa08
no existing result, test the revision
testing commit 80529b4968a8052f894d00021a576d8a2d89aa08 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 931122bc0de3fa5787ec32692b27f4db4a595c824866b468399cf5fc02e1e402
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
testing commit a8604a90e1dbdbb00b60d1df5159ed8025059dcc gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a188973a958d6af2a2d175352c0f7c0acefe2eb9fe4dfd726924376c4796f670
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good a8604a90e1dbdbb00b60d1df5159ed8025059dcc
Bisecting: 310 revisions left to test after this (roughly 8 steps)
[ebb8c616574adf715093f2fcdbd7afe54c4481a1] ksmbd: request update to stale share config
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit ebb8c616574adf715093f2fcdbd7afe54c4481a1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 447b8b8752fabe68c466d3318a26b2610eea754be527ba1f9290f22481484541
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good ebb8c616574adf715093f2fcdbd7afe54c4481a1
Bisecting: 155 revisions left to test after this (roughly 7 steps)
[5a16bb60b8cec4b428565eeb2d041bb3c395ef84] iio: triggered-buffer: prevent possible freeing of wrong buffer
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit 5a16bb60b8cec4b428565eeb2d041bb3c395ef84 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f0101f56d8bfabe8341794e2cd79b8ad93dfb9ddd12dfc8596e122a345da3824
all runs: OK
false negative chance: 0.000
# git bisect bad 5a16bb60b8cec4b428565eeb2d041bb3c395ef84
Bisecting: 77 revisions left to test after this (roughly 6 steps)
[7019440463dfd38b1c41774d7ad771f9cc6cf0ce] ksmbd: Fix one kernel-doc comment
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit 7019440463dfd38b1c41774d7ad771f9cc6cf0ce gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 245d2583e04662025c13e0532111ac80b6ed7351a3539d0ca8dc1e4cb7523a13
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 7019440463dfd38b1c41774d7ad771f9cc6cf0ce
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[52c69a070b942cae778333282cbf36bec8a330e3] ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit 52c69a070b942cae778333282cbf36bec8a330e3 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 178addd5c4fb17902489c35bb284376475e86d20e8746bb8cf56c2ca5c15acef
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 52c69a070b942cae778333282cbf36bec8a330e3
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[2552b32b0b349df160a509fe49f5f308cb922f2b] keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
determine whether the revision contains the guilty commit
revision a8604a90e1dbdbb00b60d1df5159ed8025059dcc crashed and is reachable
testing commit 2552b32b0b349df160a509fe49f5f308cb922f2b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 510934213bb899da877eecc82b5b88010b2b1de0935b8cdc89c53c587aff5c9c
all runs: OK
false negative chance: 0.000
# git bisect bad 2552b32b0b349df160a509fe49f5f308cb922f2b
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[da2396b54625079e0ee1817bdea97ef88fac86e7] net/mlx5: Fix fw tracer first block check
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit da2396b54625079e0ee1817bdea97ef88fac86e7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e5b52cf14627150bcc48bfde264f8b38ff6429d2c836a9a5fd0d5f81292937f4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good da2396b54625079e0ee1817bdea97ef88fac86e7
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c124a75b2497f93353194fac29f1e890034d903c] net: mana: select PAGE_POOL
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit c124a75b2497f93353194fac29f1e890034d903c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0e262a2c571e5b72adbac3e3ef64fc0b7096eeaf8c5a0be57f4a9c8285ab5a48
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good c124a75b2497f93353194fac29f1e890034d903c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[3f85785bc4ac744fc500094690d9f1470d8cfa53] afs: Fix the dynamic root's d_delete to always delete unused dentries
determine whether the revision contains the guilty commit
revision 52c69a070b942cae778333282cbf36bec8a330e3 crashed and is reachable
testing commit 3f85785bc4ac744fc500094690d9f1470d8cfa53 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c8755657c2be473982e9fa14e5d7ce91dd86505e377c72c56d13bebd0b33a021
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 3f85785bc4ac744fc500094690d9f1470d8cfa53
Bisecting: 0 revisions left to test after this (roughly 1 step)
[a1ab650f1421af85657b436ec10e6cd7b9e43b0c] net: check dev->gso_max_size in gso_features_check()
determine whether the revision contains the guilty commit
revision 7019440463dfd38b1c41774d7ad771f9cc6cf0ce crashed and is reachable
testing commit a1ab650f1421af85657b436ec10e6cd7b9e43b0c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 38658505ddc12da4a2037b863eeea919af91b055834b6901a52a4e8b05bf2494
all runs: OK
false negative chance: 0.000
# git bisect bad a1ab650f1421af85657b436ec10e6cd7b9e43b0c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[56eaa3ec314098a18ed935313268679a1e3ccd9a] afs: Fix dynamic root lookup DNS check
determine whether the revision contains the guilty commit
revision 52c69a070b942cae778333282cbf36bec8a330e3 crashed and is reachable
testing commit 56eaa3ec314098a18ed935313268679a1e3ccd9a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad0cfe0dc8d51f08afdc9f52922347da9e7cde6a149c48957a416c3587883655
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 56eaa3ec314098a18ed935313268679a1e3ccd9a
a1ab650f1421af85657b436ec10e6cd7b9e43b0c is the first bad commit
commit a1ab650f1421af85657b436ec10e6cd7b9e43b0c
Author: Eric Dumazet
Date:   Tue Dec 19 12:53:31 2023 +0000

    net: check dev->gso_max_size in gso_features_check()

    [ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]

    Some drivers might misbehave if TSO packets get too big.

    GVE for instance uses a 16bit field in its TX descriptor,
    and will do bad things if a packet is bigger than 2^16 bytes.

    Linux TCP stack honors dev->gso_max_size, but there are
    other ways for too big packets to reach an ndo_start_xmit()
    handler : virtio_net, af_packet, GRO...

    Add a generic check in gso_features_check() and fallback
    to GSO when needed.

    gso_max_size was added in the blamed commit.

    Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size")
    Signed-off-by: Eric Dumazet
    Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com
    Signed-off-by: Paolo Abeni
    Signed-off-by: Sasha Levin

 net/core/dev.c | 3 +++
 1 file changed, 3 insertions(+)
accumulated error probability: 0.00
culprit signature: 38658505ddc12da4a2037b863eeea919af91b055834b6901a52a4e8b05bf2494
parent signature: ad0cfe0dc8d51f08afdc9f52922347da9e7cde6a149c48957a416c3587883655
revisions tested: 19, total time: 1h56m15.148822105s (build: 31m1.146361947s, test: 1h21m12.883764484s)
first good commit: a1ab650f1421af85657b436ec10e6cd7b9e43b0c net: check dev->gso_max_size in gso_features_check()
recipients (to): ["edumazet@google.com" "pabeni@redhat.com" "sashal@kernel.org"]
recipients (cc): []