ci2 starts bisection 2025-09-18 16:03:50.177295577 +0000 UTC m=+593342.052110694
bisecting fixing commit since 61cfd264993d07540f60a5c53d77a14c818e54a9
building syzkaller on 5b429f39ae82dfd954322d3f42c830cf560f51d2
ensuring issue is reproducible on original commit 61cfd264993d07540f60a5c53d77a14c818e54a9

testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e445e13f5ce77ac82ec812d72cdd96a4a576d49b6a2d6bce6496d12cfed134f7
run #0: crashed: general protection fault in vma_interval_tree_insert_after
run #1: crashed: KASAN: invalid-free in anon_vma_name_free
run #2: crashed: general protection fault in vma_interval_tree_insert_after
run #3: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #4: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: general protection fault in vma_interval_tree_insert_after
run #7: crashed: general protection fault in vma_interval_tree_insert_after
run #8: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #9: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #10: crashed: general protection fault in vma_interval_tree_insert_after
run #11: crashed: general protection fault in vma_interval_tree_insert_after
run #12: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #13: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #14: crashed: KASAN: invalid-free in anon_vma_name_free
run #15: crashed: KASAN: invalid-free in anon_vma_name_free
run #16: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #17: crashed: KASAN: invalid-free in anon_vma_name_free
run #18: crashed: general protection fault in vma_interval_tree_insert_after
run #19: basic kernel testing failed: failed to copy binary to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor3765090099" "root@10.128.1.183:./syz-executor3765090099"]
Executing: program /usr/bin/ssh host 10.128.1.183, user root, command sftp
OpenSSH_9.2p1 Debian-2+deb12u7, OpenSSL 3.0.17 1 Jul 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.1.183 [10.128.1.183] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
debug1: compat_banner: match: OpenSSH_9.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.128.1.183:22 as 'root'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:EAvWV3GG8odMD+k20F251zjwXNDbyLo/P7N2oY0DvFQ
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
Warning: Permanently added '10.128.1.183' (ED25519) to the list of known hosts.
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: kex_input_ext_info: ping@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
Authenticated to 10.128.1.183 ([10.128.1.183]:22) using "none".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending subsystem: sftp
debug1: pledge: fork
scp: debug1: stat remote: No such file or directory
representative crash: general protection fault in vma_interval_tree_insert_after, types: [DoS MEMORY_SAFETY_BUG]

check whether we can drop unnecessary instrumentation
disabling configs for [atomic_sleep hang memleak ubsan kasan locking], they are not needed

testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8e943f1076fb91ae9e683dc8b377433b8901c38b10048001031fe315f0ce253f
all runs: OK
false negative chance: 0.000

kconfig minimization: base=4921 full=6161 leaves diff=245
split chunks (needed=false): <245>
split chunk #0 of len 245 into 5 parts

testing without sub-chunk 1/5
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 22f206cb894d483fd30a48772f25c8a4cce7aa3bccdc4d51a0647839bafabd7d
run #0: crashed: general protection fault in vma_interval_tree_insert_after
run #1: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #2: crashed: general protection fault in vma_interval_tree_insert_after
run #3: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #4: crashed: general protection fault in vma_interval_tree_insert_after
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: KASAN: invalid-free in anon_vma_name_free
run #7: crashed: general protection fault in vma_interval_tree_insert_after
run #8: crashed: KASAN: invalid-free in anon_vma_name_free
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: general protection fault in vma_interval_tree_insert_after, types: [DoS KASAN-INVALID-FREE]
the chunk can be dropped

testing without sub-chunk 2/5
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dcdc8ce364f05d416aa0861666cfc816d16b1e1b0b382423cc24c809d47efe2b
run #0: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #1: crashed: general protection fault in vma_interval_tree_insert_after
run #2: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #3: crashed: general protection fault in vma_interval_tree_insert_after
run #4: crashed: KASAN: invalid-free in anon_vma_name_free
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: general protection fault in vma_interval_tree_insert_after
run #7: crashed: general protection fault in vma_interval_tree_insert_after
run #8: crashed: general protection fault in vma_interval_tree_insert_after
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: general protection fault in vma_interval_tree_insert_after, types: [DoS MEMORY_SAFETY_BUG]
the chunk can be dropped

testing without sub-chunk 3/5
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fa26789716e7fab94f1da9da388d3a6c8d6b2d34552e63793fa20a7f9cdde319
run #0: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #1: crashed: general protection fault in vma_interval_tree_insert_after
run #2: crashed: KASAN: invalid-free in anon_vma_name_free
run #3: crashed: general protection fault in vma_interval_tree_insert_after
run #4: crashed: KASAN: invalid-free in anon_vma_name_free
run #5: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #6: crashed: general protection fault in vma_interval_tree_insert_after
run #7: crashed: general protection fault in vma_interval_tree_remove
run #8: crashed: KASAN: invalid-free in anon_vma_name_free
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: general protection fault in vma_interval_tree_insert_after, types: [DoS KASAN-INVALID-FREE]
the chunk can be dropped

testing without sub-chunk 4/5
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b4bcaef21539ac6c44fdc31318297e0c0a3a905a780d1d583695a7eb5d8e47ad
run #0: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #1: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #2: crashed: general protection fault in vma_interval_tree_remove
run #3: crashed: KASAN: invalid-free in anon_vma_name_free
run #4: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: KASAN: invalid-free in anon_vma_name_free
run #7: crashed: KASAN: invalid-free in anon_vma_name_free
run #8: crashed: general protection fault in vma_interval_tree_insert_after
run #9: crashed: general protection fault in vma_interval_tree_remove
representative crash: general protection fault in vma_interval_tree_remove, types: [DoS MEMORY_SAFETY_BUG KASAN-INVALID-FREE]
the chunk can be dropped

testing without sub-chunk 5/5
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 61cfd264993d07540f60a5c53d77a14c818e54a9: net/socket.c:1189: undefined reference to `wext_handle_ioctl'
net/socket.c:3383: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'

minimized to 49 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]

testing current HEAD 8d934e0056f7a129143e3553ecd5e99dfac57ac8
testing commit 8d934e0056f7a129143e3553ecd5e99dfac57ac8 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: afa1b8a6005eec164f4efe57a5bbb84c89a8e42800a01829989f2d9bafaf7599
run #0: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #1: crashed: general protection fault in vma_interval_tree_insert_after
run #2: crashed: general protection fault in vma_interval_tree_insert_after
run #3: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #4: crashed: general protection fault in vma_interval_tree_insert_after
run #5: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #6: crashed: general protection fault in vma_interval_tree_insert_after
run #7: crashed: general protection fault in vma_interval_tree_insert_after
run #8: crashed: KASAN: invalid-free in anon_vma_name_free
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: general protection fault in vma_interval_tree_insert_after, types: [DoS MEMORY_SAFETY_BUG]
crash still not fixed/happens on the oldest tested release

revisions tested: 7, total time: 1h59m49.827155078s (build: 33m49.962225932s, test: 1h23m59.054662876s)
crash still not fixed or there were kernel test errors
commit msg: Merge 5.15.193 into android13-5.15-lts
crash: general protection fault in vma_interval_tree_insert_after

general protection fault, probably for non-canonical address 0xdffffc1800000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x000000c000000000-0x000000c000000007]
CPU: 0 PID: 378 Comm: syz-executor.0 Tainted: G W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:__rb_insert lib/rbtree.c:110 [inline]
RIP: 0010:__rb_insert_augmented+0x4f/0x9a0 lib/rbtree.c:459
Code: 83 ec 20 80 3c 0e 00 0f 85 ed 05 00 00 49 be 00 00 00 00 00 fc ff df 4c 8b 23 4d 85 e4 0f 84 2e 05 00 00 4c 89 e1 48 c1 e9 03 <42> 80 3c 31 00 0f 85 83 05 00 00 4d 8b 2c 24 41 f6 c5 01 0f 85 88
RSP: 0018:ffffc900006b7a88 EFLAGS: 00010206
RAX: ffff888117227828 RBX: ffff88811acd84f8 RCX: 0000001800000000
RDX: ffffffff818dcf60 RSI: 1ffff110217b01c7 RDI: ffff88811acd8508
RBP: ffffc900006b7ad0 R08: ffff88811acd8500 R09: ffff888117227847
R10: ffffed1022e44f08 R11: 0000000000000000 R12: 000000c000000000
R13: ffff88811acd84f8 R14: dffffc0000000000 R15: ffff88811ad0bbe8
FS: 000055556c656480(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcbab3d26be CR3: 000000011ac7f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rb_insert_augmented include/linux/rbtree_augmented.h:50 [inline]
 vma_interval_tree_insert_after+0x22e/0x350 mm/interval_tree.c:57
 dup_mmap kernel/fork.c:632 [inline]
 dup_mm kernel/fork.c:1522 [inline]
 copy_mm kernel/fork.c:1574 [inline]
 copy_process+0x5e68/0x7530 kernel/fork.c:2348
 kernel_clone+0xc1/0x960 kernel/fork.c:2737
 __do_sys_clone+0xc9/0x100 kernel/fork.c:2863
 __se_sys_clone kernel/fork.c:2847 [inline]
 __x64_sys_clone+0xb9/0x140 kernel/fork.c:2847
 x64_sys_call+0x7fa/0x990 arch/x86/include/generated/asm/syscalls_64.h:57
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fcbaa786b13
Code: 1f 84 00 00 00 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 89 c2 85 c0 75 2c 64 48 8b 04 25 10 00 00
RSP: 002b:00007ffebfc74458 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcbaa786b13
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 000055556c656750 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
Modules linked in:
---[ end trace 7b6991d0e77fb525 ]---
RIP: 0010:__rb_insert lib/rbtree.c:110 [inline]
RIP: 0010:__rb_insert_augmented+0x4f/0x9a0 lib/rbtree.c:459
Code: 83 ec 20 80 3c 0e 00 0f 85 ed 05 00 00 49 be 00 00 00 00 00 fc ff df 4c 8b 23 4d 85 e4 0f 84 2e 05 00 00 4c 89 e1 48 c1 e9 03 <42> 80 3c 31 00 0f 85 83 05 00 00 4d 8b 2c 24 41 f6 c5 01 0f 85 88
RSP: 0018:ffffc900006b7a88 EFLAGS: 00010206
RAX: ffff888117227828 RBX: ffff88811acd84f8 RCX: 0000001800000000
RDX: ffffffff818dcf60 RSI: 1ffff110217b01c7 RDI: ffff88811acd8508
RBP: ffffc900006b7ad0 R08: ffff88811acd8500 R09: ffff888117227847
R10: ffffed1022e44f08 R11: 0000000000000000 R12: 000000c000000000
R13: ffff88811acd84f8 R14: dffffc0000000000 R15: ffff88811ad0bbe8
FS: 000055556c656480(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcbaa8a5000 CR3: 000000011ac7f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 83 ec 20                       sub $0x20,%esp
   3: 80 3c 0e 00                    cmpb $0x0,(%rsi,%rcx,1)
   7: 0f 85 ed 05 00 00              jne 0x5fa
   d: 49 be 00 00 00 00 00           movabs $0xdffffc0000000000,%r14
  14: fc ff df
  17: 4c 8b 23                       mov (%rbx),%r12
  1a: 4d 85 e4                       test %r12,%r12
  1d: 0f 84 2e 05 00 00              je 0x551
  23: 4c 89 e1                       mov %r12,%rcx
  26: 48 c1 e9 03                    shr $0x3,%rcx
* 2a: 42 80 3c 31 00                 cmpb $0x0,(%rcx,%r14,1) <-- trapping instruction
  2f: 0f 85 83 05 00 00              jne 0x5b8
  35: 4d 8b 2c 24                    mov (%r12),%r13
  39: 41 f6 c5 01                    test $0x1,%r13b
  3d: 0f                             .byte 0xf
  3e: 85                             .byte 0x85
  3f: 88                             .byte 0x88