ci2 starts bisection 2025-09-08 01:10:34.531750749 +0000 UTC m=+342549.520724585 bisecting fixing commit since 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 building syzkaller on 803ce19b0a8969a6e25644dad041eb2cffcda94f ensuring issue is reproducible on original commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 testing commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 16ddcb89231bfa0452f88a2ee90676907d4da1d68241a9ce85df670a1c936a42 run #0: crashed: KASAN: slab-out-of-bounds Read in __switch_to run #1: crashed: possible deadlock in console_emit_next_record run #2: crashed: BUG: unable to handle kernel paging request in update_rq_clock run #3: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #4: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #5: crashed: BUG: unable to handle kernel paging request in preempt_schedule_irq run #6: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #7: crashed: BUG: unable to handle kernel paging request in preempt_schedule_irq run #8: crashed: possible deadlock in console_emit_next_record run #9: crashed: possible deadlock in console_emit_next_record run #10: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #11: crashed: possible deadlock in console_emit_next_record run #12: crashed: BUG: unable to handle kernel paging request in __schedule run #13: crashed: KASAN: slab-out-of-bounds Read in __switch_to run #14: OK run #15: crashed: BUG: unable to handle kernel paging request in psi_group_change run #16: crashed: WARNING in pick_next_task_fair run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in update_rq_clock, types: [MEMORY_SAFETY_BUG LOCKDEP KASAN-WRITE] check whether we can drop unnecessary instrumentation disabling configs for [atomic_sleep hang memleak ubsan], they are not needed testing commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: e75d0608a58e0b7935408cddbb640cbd1e54dcb19144a7511460e318e9b020c4 run #0: crashed: possible deadlock in console_emit_next_record run #1: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #2: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #3: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #4: crashed: BUG: unable to handle kernel paging request in preempt_schedule_irq run #5: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #6: crashed: kernel panic: stack is corrupted in __schedule run #7: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #8: OK run #9: OK representative crash: KASAN: out-of-bounds Write in end_buffer_read_sync, types: [KASAN-WRITE LOCKDEP] the bug reproduces without the instrumentation disabling configs for [hang memleak ubsan atomic_sleep], they are not needed kconfig minimization: base=3829 full=7502 leaves diff=2069 split chunks (needed=false): <2069> split chunk #0 of len 2069 into 5 parts testing without sub-chunk 1/5 disabling configs for [memleak ubsan atomic_sleep hang], they are not needed testing commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 70e670faacbbec8b5bb41e3c1b4e15fb3c8ad3abc5aadfcb29fc8fbf9d3df8ce run #0: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #1: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #2: crashed: possible deadlock in console_emit_next_record run #3: crashed: WARNING: nested lock was not taken in evict run #4: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #5: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #6: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #7: crashed: BUG: unable to handle kernel paging request in preempt_schedule_irq run #8: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #9: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync representative crash: KASAN: out-of-bounds Write in end_buffer_read_sync, types: [KASAN-WRITE LOCKDEP] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [ubsan atomic_sleep hang memleak], they are not needed testing commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 516ddf00d08c4b91f141df1715e084eecd12f95f14ae5f7d11e6dd6954af035d run #0: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #1: crashed: WARNING: nested lock was not taken in evict run #2: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #3: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #4: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #5: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #6: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #7: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #8: OK run #9: OK representative crash: KASAN: out-of-bounds Write in end_buffer_read_sync, types: [KASAN-WRITE] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [atomic_sleep hang memleak ubsan], they are not needed testing commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 6afabbdbd70da0def1d14381eb1f975697f259d982a256f18a70f81fe97e59b4 run #0: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #1: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #2: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #3: crashed: KASAN: wild-memory-access Read in evict run #4: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #5: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #6: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #7: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #8: crashed: BUG: unable to handle kernel paging request in corrupted run #9: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync representative crash: KASAN: out-of-bounds Write in end_buffer_read_sync, types: [KASAN-WRITE] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [hang memleak ubsan atomic_sleep], they are not needed testing commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ea3ab91310327a1fe337e33887ad3e3dea75f5c1d3cae7fadc6c277114baf43b all runs: OK false negative chance: 0.000 testing without sub-chunk 5/5 disabling configs for [hang memleak ubsan atomic_sleep], they are not needed testing commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: bbb8a133a16c1e3ec379f11d6fb3878efab35eceba17b0ff484ef7cea123851d run #0: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #1: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #2: crashed: BUG: unable to handle kernel paging request in corrupted run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: BUG: unable to handle kernel paging request in evict run #7: crashed: BUG: unable to handle kernel paging request in corrupted run #8: crashed: BUG: unable to handle kernel paging request in corrupted run #9: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync representative crash: BUG: unable to handle kernel paging request in corrupted, types: [MEMORY_SAFETY_BUG KASAN-WRITE] the chunk can be dropped minimized to 414 configs; suspects: [AF_RXRPC ARCH_ENABLE_MEMORY_HOTREMOVE ATM AX25 BXT_WC_PMIC_OPREGION CFG80211 CMA DAX DLM DRM DVB_CORE ENCRYPTED_KEYS EXTCON GENEVE GPIOLIB HAMRADIO HAVE_CLK HID_PLAYSTATION HID_SENSOR_HUB HID_SMARTJOYPLUS HID_THRUSTMASTER IIO INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_IPOIB INFINIBAND_USER_ACCESS INFINIBAND_VIRT_DMA INPUT_TABLET INPUT_TOUCHSCREEN INTEL_SCU_IPC INTEL_SOC_PMIC_BXTWC IP_SCTP L2TP LEDS_CLASS_MULTICOLOR LIBNVDIMM MAC80211 MEDIA_COMMON_OPTIONS MEDIA_DIGITAL_TV_SUPPORT MEDIA_PLATFORM_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_DLN2 MFD_INTEL_PMC_BXT MFD_MT6360 MFD_MT6370 MFD_RETU MMC MTD MTD_UBI NETFILTER_CONNCOUNT NET_IPGRE NET_IPGRE_DEMUX NFS_V4_1 NLS_CODEPAGE_861 NLS_CODEPAGE_862 NLS_CODEPAGE_863 NLS_CODEPAGE_864 NLS_CODEPAGE_865 NLS_CODEPAGE_866 NLS_CODEPAGE_869 NLS_CODEPAGE_874 NLS_CODEPAGE_932 NLS_CODEPAGE_936 NLS_CODEPAGE_949 NLS_CODEPAGE_950 NLS_ISO8859_13 NLS_ISO8859_14 NLS_ISO8859_15 NLS_ISO8859_2 NLS_ISO8859_3 NLS_ISO8859_4 NLS_ISO8859_5 NLS_ISO8859_6 NLS_ISO8859_7 NLS_ISO8859_8 NLS_ISO8859_9 NLS_KOI8_R NLS_KOI8_U NLS_MAC_CELTIC NLS_MAC_CENTEURO NLS_MAC_CROATIAN NLS_MAC_CYRILLIC NLS_MAC_GAELIC NLS_MAC_GREEK NLS_MAC_ICELAND NLS_MAC_INUIT NLS_MAC_ROMAN NLS_MAC_ROMANIAN NLS_MAC_TURKISH NOP_USB_XCEIV NOZOMI NTFS3_FS NTFS3_FS_POSIX_ACL NTFS3_LZX_XPRESS NTFS_FS NTFS_RW NULL_TTY NUMA_BALANCING NUMA_BALANCING_DEFAULT_ENABLED NUMA_EMU NUMA_KEEP_MEMINFO NVDIMM_DAX NVDIMM_KEYS NVDIMM_PFN NVME_CORE NVME_FABRICS NVME_FC NVME_MULTIPATH NVME_RDMA NVME_TARGET NVME_TARGET_FC NVME_TARGET_FCLOOP NVME_TARGET_LOOP NVME_TARGET_RDMA NVME_TARGET_TCP NVME_TCP N_GSM N_HDLC OCFS2_DEBUG_FS OCFS2_FS OCFS2_FS_O2CB OCFS2_FS_STATS OCFS2_FS_USERSPACE_CLUSTER OF_GPIO OF_PMEM OMFS_FS OPENVSWITCH OPENVSWITCH_GENEVE OPENVSWITCH_GRE OPENVSWITCH_VXLAN ORANGEFS_FS OSF_PARTITION OVERLAY_FS OVERLAY_FS_INDEX OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW OVERLAY_FS_REDIRECT_DIR PACKET_DIAG PADATA PAGE_IDLE_FLAG PAGE_POOL PAGE_REPORTING PAHOLE_HAS_BTF_TAG PAHOLE_HAS_LANG_EXCLUDE PAHOLE_HAS_SPLIT_BTF PARPORT PARPORT_NOT_PC PARTITION_ADVANCED PCCARD PCCARD_NONSTATIC PCIEAER PCI_ENDPOINT PCI_IOV PCMCIA PCMCIA_LOAD_CIS PERCPU_STATS PERSISTENT_KEYRINGS PHONET PHYLINK PHY_CPCAP_USB PHY_QCOM_USB_HS PHY_QCOM_USB_HSIC PHY_SAMSUNG_USB2 PHY_TUSB1210 PKCS7_TEST_KEY PKCS8_PRIVATE_KEY_PARSER PLAYSTATION_FF PLFXLC PMIC_OPREGION PM_CLK PNFS_BLOCK PNFS_FILE_LAYOUT PNFS_FLEXFILE_LAYOUT PPP PPPOATM PPPOE PPPOL2TP PPP_ASYNC PPP_BSDCOMP PPP_DEFLATE PPP_FILTER PPP_MPPE PPP_MULTILINK PPP_SYNC_TTY PPTP PREEMPT PREEMPT_NOTIFIERS PRISM2_USB PROC_CHILDREN PROC_MEM_ALWAYS_FORCE PSI PSTORE PSTORE_842_COMPRESS PSTORE_COMPRESS PSTORE_DEFLATE_COMPRESS PSTORE_DEFLATE_COMPRESS_DEFAULT PSTORE_LZ4HC_COMPRESS PSTORE_LZ4_COMPRESS PSTORE_LZO_COMPRESS PSTORE_ZSTD_COMPRESS QCOM_QMI_HELPERS QNX4FS_FS QNX6FS_FS QRTR QRTR_TUN R8712U RADIO_ADAPTERS RADIO_SHARK RADIO_SHARK2 RADIO_TEA575X RAID6_PQ RAID_ATTRS RC_ATI_REMOTE RC_CORE RC_DEVICES RC_XBOX_DVD RDMA_RXE RDMA_SIW RDS RDS_RDMA RDS_TCP READ_ONLY_THP_FOR_FS REALTEK_AUTOPM REED_SOLOMON REED_SOLOMON_DEC8 REGMAP REGMAP_I2C REGMAP_IRQ REGMAP_MMIO REGULATOR REGULATOR_FIXED_VOLTAGE REGULATOR_TWL4030 REISERFS_FS REISERFS_FS_POSIX_ACL REISERFS_FS_SECURITY REISERFS_FS_XATTR REISERFS_PROC_INFO RESET_CONTROLLER RFKILL RFKILL_INPUT RFKILL_LEDS RMI4_2D_SENSOR RMI4_CORE RMI4_F03 RMI4_F03_SERIO RMI4_F11 RMI4_F12 RMI4_F30 ROMFS_BACKED_BY_BOTH ROMFS_FS ROMFS_ON_BLOCK ROMFS_ON_MTD ROSE RTC_DRV_HID_SENSOR_TIME RXKAD SCHED_CORE SCSI_FC_ATTRS SCSI_HPSA SCSI_ISCSI_ATTRS SCSI_LOGGING SCSI_NETLINK SCSI_SAS_ATA SCSI_SAS_ATTRS SCSI_SAS_LIBSAS SCSI_SCAN_ASYNC SCSI_SRP_ATTRS SCTP_COOKIE_HMAC_MD5 SCTP_COOKIE_HMAC_SHA1 SCTP_DEFAULT_COOKIE_HMAC_MD5 SECONDARY_TRUSTED_KEYRING SECURITY_INFINIBAND SECURITY_NETWORK_XFRM SENSORS_AQUACOMPUTER_D5NEXT SENSORS_CORSAIR_CPRO SENSORS_CORSAIR_PSU SENSORS_NZXT_KRAKEN2 SENSORS_NZXT_SMART2 SERIAL_DEV_BUS SERIAL_DEV_CTRL_TTYPORT SERIAL_MCTRL_GPIO SGI_PARTITION SIGNATURE SIGNED_PE_FILE_VERIFICATION SLHC SLIP SLIP_COMPRESSED SLIP_MODE_SLIP6 SLIP_SMART SMARTJOYPLUS_FF SMBFS SMB_SERVER SMC SMC_DIAG SMSC_PHY SMS_SDIO_DRV SMS_SIANO_DEBUGFS SMS_SIANO_MDTV SMS_SIANO_RC SMS_USB_DRV SND SND_ALOOP SND_BCD2000 SND_CTL_FAST_LOOKUP SND_CTL_LED SND_DEBUG SND_DMA_SGBUF SND_DRIVERS SND_DUMMY SND_DYNAMIC_MINORS SND_HDA SND_HDA_CODEC_ANALOG SND_HDA_CODEC_CA0110 SND_HDA_CODEC_CA0132 SND_HDA_CODEC_CIRRUS SND_HDA_CODEC_CMEDIA SND_HDA_CODEC_CONEXANT SND_HDA_CODEC_HDMI SND_HDA_CODEC_REALTEK SND_HDA_CODEC_SI3054 SND_HDA_CODEC_SIGMATEL SND_HDA_CODEC_VIA SND_HDA_COMPONENT SND_HDA_CORE SND_HDA_GENERIC SND_HDA_GENERIC_LEDS SND_HDA_HWDEP SND_HDA_I915 SND_HDA_INPUT_BEEP SND_HDA_INTEL SND_HDA_PATCH_LOADER SND_HDA_RECONFIG SND_HRTIMER SND_HWDEP SND_INTEL_DSP_CONFIG SND_INTEL_NHLT SND_INTEL_SOUNDWIRE_ACPI SND_JACK SND_JACK_INPUT_DEV SND_MIXER_OSS SND_OSSEMUL SND_PCI SND_PCM SND_PCMCIA SND_PCM_OSS SND_PCM_OSS_PLUGINS SND_PCM_TIMER SND_PCM_XRUN_DEBUG SND_PROC_FS SND_RAWMIDI SND_SEQUENCER SND_SEQUENCER_OSS SND_SEQ_DEVICE SND_SEQ_DUMMY SND_SEQ_HRTIMER_DEFAULT SND_SEQ_MIDI SND_SEQ_MIDI_EVENT SND_SEQ_VIRMIDI SND_SUPPORT_OLD_API SND_TIMER SND_USB SND_USB_6FIRE SND_USB_AUDIO SND_USB_AUDIO_USE_MEDIA_CONTROLLER SND_USB_CAIAQ SND_USB_CAIAQ_INPUT SND_USB_HIFACE SND_USB_LINE6 SND_USB_POD SND_USB_PODHD SND_USB_TONEPORT SND_USB_UA101 SND_USB_US122L SND_USB_USX2Y SND_USB_VARIAX SND_VERBOSE_PROCFS SND_VIRMIDI SND_VIRTIO SND_VMASTER SND_X86 SOCK_VALIDATE_XMIT SOLARIS_X86_PARTITION SONY_FF SOUND SOUND_OSS_CORE SOUND_OSS_CORE_PRECLAIM SPI SPI_DLN2 SPI_DYNAMIC SPI_MASTER SQUASHFS SQUASHFS_4K_DEVBLK_SIZE SQUASHFS_DECOMP_SINGLE SQUASHFS_FILE_DIRECT SQUASHFS_LZ4 SQUASHFS_LZO SQUASHFS_XATTR SQUASHFS_XZ SQUASHFS_ZLIB SQUASHFS_ZSTD SSB SSB_PCIHOST_POSSIBLE SSB_PCMCIAHOST_POSSIBLE SSB_SDIOHOST_POSSIBLE STAGING STAGING_MEDIA STP STREAM_PARSER SUNRPC_BACKCHANNEL SUN_PARTITION SW_SYNC SYSFB SYSV68_PARTITION SYSV_FS TABLET_USB_ACECAD TABLET_USB_AIPTEK TABLET_USB_HANWANG TABLET_USB_KBTAB TABLET_USB_PEGASUS TAHVO_USB TAHVO_USB_HOST_BY_DEFAULT TASKS_TRACE_RCU TCG_CRB TCG_TIS TCG_TIS_CORE TCG_TPM TCP_CONG_BBR TCP_CONG_BIC TCP_CONG_CDG TCP_CONG_DCTCP TCP_CONG_HSTCP TCP_CONG_HTCP TCP_CONG_HYBLA TCP_CONG_ILLINOIS TCP_CONG_LP TCP_CONG_NV TCP_CONG_SCALABLE TCP_CONG_VEGAS TCP_CONG_VENO TCP_CONG_WESTWOOD TCP_CONG_YEAH TEXTSEARCH TEXTSEARCH_BM TEXTSEARCH_FSM TEXTSEARCH_KMP THERMAL_NETLINK THP_SWAP THRUSTMASTER_FF TIPC TIPC_CRYPTO TIPC_DIAG TIPC_MEDIA_IB TIPC_MEDIA_UDP TLS TLS_TOE TOOLS_SUPPORT_RELR TOUCHSCREEN_SUR40 TOUCHSCREEN_USB_3M TOUCHSCREEN_USB_COMPOSITE TOUCHSCREEN_USB_DMC_TSC10 TOUCHSCREEN_USB_E2I TOUCHSCREEN_USB_EASYTOUCH TOUCHSCREEN_USB_EGALAX TOUCHSCREEN_USB_ELO TOUCHSCREEN_USB_ETT_TC45USB TOUCHSCREEN_USB_ETURBO TOUCHSCREEN_USB_GENERAL_TOUCH TOUCHSCREEN_USB_GOTOP TOUCHSCREEN_USB_GUNZE TOUCHSCREEN_USB_IDEALTEK TOUCHSCREEN_USB_IRTOUCH TOUCHSCREEN_USB_ITM TOUCHSCREEN_USB_JASTEC TOUCHSCREEN_USB_NEXIO TOUCHSCREEN_USB_PANJIT TOUCHSCREEN_USB_ZYTRONIC TRANSPARENT_HUGEPAGE TRANSPARENT_HUGEPAGE_MADVISE TTPCI_EEPROM TTY_PRINTK TUN_VNET_CROSS_LE TWL4030_CORE TYPEC TYPEC_ANX7411 TYPEC_DP_ALTMODE TYPEC_FUSB302 TYPEC_HD3SS3220 TYPEC_MT6360 TYPEC_MUX_FSA4480 TYPEC_MUX_INTEL_PMC TYPEC_NVIDIA_ALTMODE TYPEC_RT1711H TYPEC_RT1719 TYPEC_STUSB160X TYPEC_TCPCI TYPEC_TCPCI_MAXIM TYPEC_TCPCI_MT6370 TYPEC_TCPM TYPEC_TPS6598X TYPEC_UCSI TYPEC_WCOVE TYPEC_WUSB3801 UBIFS_ATIME_SUPPORT UBIFS_FS UBIFS_FS_ADVANCED_COMPR UBIFS_FS_LZO UBIFS_FS_SECURITY UBIFS_FS_XATTR UBIFS_FS_ZLIB UBIFS_FS_ZSTD UCSI_ACPI UCSI_CCG UCSI_STM32G0 UDF_FS UDMABUF UFS_FS UFS_FS_WRITE UHID ULTRIX_PARTITION UNICODE UNIXWARE_DISKLABEL UNIX_DIAG USB4 USB4_NET USBIP_CORE USBIP_HOST USBIP_VHCI_HCD USBIP_VUDC USBPCWATCHDOG USB_ACM USB_ADUTUX USB_AIRSPY USB_ALI_M5632 USB_AN2720 USB_APPLEDISPLAY USB_ARMLINUX USB_BDC_UDC USB_BELKIN USB_C67X00_HCD USB_CATC USB_CDC_PHONET USB_CDNS3 USB_CDNS3_GADGET USB_CDNS3_HOST USB_CDNS3_PCI_WRAP USB_CDNSP_GADGET USB_CDNSP_HOST USB_CDNSP_PCI USB_CDNS_HOST USB_CDNS_SUPPORT USB_CHAOSKEY USB_CHIPIDEA USB_CHIPIDEA_GENERIC USB_CHIPIDEA_HOST USB_CHIPIDEA_MSM USB_CHIPIDEA_PCI USB_CHIPIDEA_UDC USB_DWC2 USB_GADGET USB_MUSB_HDRC USB_NET_CDC_SUBSET USB_ROLE_SWITCH USB_STORAGE_REALTEK USB_ULPI_BUS USB_USBNET VIDEO_DEV VXLAN WIRELESS WLAN WLAN_VENDOR_PURELIFI ZONE_DEVICE] disabling configs for [atomic_sleep hang memleak ubsan], they are not needed testing current HEAD 28c695c365e10b534e6d01d15a2186098ab815d1 testing commit 28c695c365e10b534e6d01d15a2186098ab815d1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: cd71ef55982e9cfedef80540b0639e2d47ac02ba52563c14c3e08c004f8aaf02 all runs: OK false negative chance: 0.000 # git bisect start 28c695c365e10b534e6d01d15a2186098ab815d1 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 Bisecting: 840 revisions left to test after this (roughly 10 steps) [a7ba7eb9abb45bf9b469b1cff55ce7644fc0c9ef] soc: aspeed: lpc-snoop: Cleanup resources in stack-order determine whether the revision contains the guilty commit revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable testing commit a7ba7eb9abb45bf9b469b1cff55ce7644fc0c9ef gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 07be18caf156082234f366585169db3902af119f54547b59df79f26e9d560137 run #0: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #1: crashed: BUG: unable to handle kernel paging request in corrupted run #2: crashed: BUG: unable to handle kernel paging request in corrupted run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: WARNING: locking bug in evict run #6: crashed: BUG: unable to handle kernel paging request in corrupted run #7: crashed: BUG: unable to handle kernel paging request in corrupted run #8: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #9: crashed: WARNING: still has locks held in alloc_super representative crash: BUG: unable to handle kernel paging request in corrupted, types: [MEMORY_SAFETY_BUG KASAN-WRITE] # git bisect good a7ba7eb9abb45bf9b469b1cff55ce7644fc0c9ef Bisecting: 420 revisions left to test after this (roughly 9 steps) [feb89ec6d53f1b1b3edeacac0280ae88cb52e41b] net: usb: cdc-ncm: check for filtering capability determine whether the revision contains the guilty commit revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable testing commit feb89ec6d53f1b1b3edeacac0280ae88cb52e41b gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c241438ba7ede543c5f7362cfca2903b104761d21c3f6e5307c8307f4b138510 run #0: crashed: BUG: unable to handle kernel paging request in corrupted run #1: crashed: BUG: unable to handle kernel paging request in corrupted run #2: crashed: BUG: unable to handle kernel paging request in corrupted run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: WARNING: bad unlock balance in corrupted run #7: crashed: WARNING: locking bug in evict run #8: crashed: BUG: unable to handle kernel paging request in corrupted run #9: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync representative crash: BUG: unable to handle kernel paging request in corrupted, types: [MEMORY_SAFETY_BUG LOCKDEP] # git bisect good feb89ec6d53f1b1b3edeacac0280ae88cb52e41b Bisecting: 210 revisions left to test after this (roughly 8 steps) [ef9b3c22405192afaa279077ddd45a51db90b83d] media: usbtv: Lock resolution while streaming determine whether the revision contains the guilty commit revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable testing commit ef9b3c22405192afaa279077ddd45a51db90b83d gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: a30a75571dae01faeee36cf41b47bb8e9d0f790b48667d61c7a55e65569fd445 run #0: crashed: BUG: unable to handle kernel paging request in corrupted run #1: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #2: crashed: BUG: unable to handle kernel paging request in corrupted run #3: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: BUG: unable to handle kernel paging request in corrupted run #7: crashed: BUG: unable to handle kernel paging request in corrupted run #8: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #9: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync representative crash: BUG: unable to handle kernel paging request in corrupted, types: [MEMORY_SAFETY_BUG KASAN-WRITE] # git bisect good ef9b3c22405192afaa279077ddd45a51db90b83d Bisecting: 105 revisions left to test after this (roughly 7 steps) [03cadd824e46166090c20861ef46ad82507fbcc7] PCI: rockchip: Use standard PCIe definitions determine whether the revision contains the guilty commit revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable testing commit 03cadd824e46166090c20861ef46ad82507fbcc7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: bf3ac87b53110a55b3c8836f014b644230cbcc1486c8dd49bc96e0539b6cf687 all runs: OK false negative chance: 0.000 # git bisect bad 03cadd824e46166090c20861ef46ad82507fbcc7 Bisecting: 52 revisions left to test after this (roughly 6 steps) [74c68b295b131897d1ff8b3537579b53978b44e4] btrfs: populate otime when logging an inode item determine whether the revision contains the guilty commit revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable testing commit 74c68b295b131897d1ff8b3537579b53978b44e4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 6b0fea7bf043a9da0daf82341324393d931c0ea49ccd86201d848fd07560844e run #0: crashed: BUG: unable to handle kernel paging request in corrupted run #1: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #2: crashed: BUG: unable to handle kernel paging request in corrupted run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #6: crashed: BUG: unable to handle kernel paging request in corrupted run #7: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #8: crashed: BUG: unable to handle kernel paging request in corrupted run #9: crashed: BUG: unable to handle kernel paging request in corrupted representative crash: BUG: unable to handle kernel paging request in corrupted, types: [MEMORY_SAFETY_BUG KASAN-WRITE] # git bisect good 74c68b295b131897d1ff8b3537579b53978b44e4 Bisecting: 26 revisions left to test after this (roughly 5 steps) [bad3cf7fd2bfd250b881b260dc5d01a930bb85e6] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6. determine whether the revision contains the guilty commit revision 74c68b295b131897d1ff8b3537579b53978b44e4 crashed and is reachable testing commit bad3cf7fd2bfd250b881b260dc5d01a930bb85e6 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: fe77d0eed029df39ed5093042c2a0dade8d8ad49eb50942e338de7c79170e258 run #0: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #1: crashed: BUG: unable to handle kernel paging request in corrupted run #2: crashed: BUG: unable to handle kernel paging request in corrupted run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #7: crashed: BUG: unable to handle kernel paging request in corrupted run #8: crashed: BUG: unable to handle kernel paging request in corrupted run #9: crashed: BUG: unable to handle kernel paging request in corrupted representative crash: BUG: unable to handle kernel paging request in corrupted, types: [MEMORY_SAFETY_BUG] # git bisect good bad3cf7fd2bfd250b881b260dc5d01a930bb85e6 Bisecting: 13 revisions left to test after this (roughly 4 steps) [5a33d07c94ba91306093e823112a7aa9727549f6] comedi: pcl726: Prevent invalid irq number determine whether the revision contains the guilty commit revision 74c68b295b131897d1ff8b3537579b53978b44e4 crashed and is reachable testing commit 5a33d07c94ba91306093e823112a7aa9727549f6 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c323e0f017988b1a28abc2691189cce1ebc2415ab6262fcc028140a5ccfcedec all runs: OK false negative chance: 0.000 # git bisect bad 5a33d07c94ba91306093e823112a7aa9727549f6 Bisecting: 6 revisions left to test after this (roughly 3 steps) [beeff8d850322f0a36b9c3f21c59c4274e4e02fe] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() determine whether the revision contains the guilty commit revision 74c68b295b131897d1ff8b3537579b53978b44e4 crashed and is reachable testing commit beeff8d850322f0a36b9c3f21c59c4274e4e02fe gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 7fb6003c2413f48133d7bf2d01a4bbd8990eeda4366dd726ce99c2373f4814ab all runs: OK false negative chance: 0.000 # git bisect bad beeff8d850322f0a36b9c3f21c59c4274e4e02fe Bisecting: 2 revisions left to test after this (roughly 2 steps) [524e90e58a267dad11e23351d9e4b1f941490976] smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() determine whether the revision contains the guilty commit revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable testing commit 524e90e58a267dad11e23351d9e4b1f941490976 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 7a3bcd12ce6f9a72592daac12ea411ae8bfaa43f93e1484a13b251548f0c9b7d run #0: crashed: BUG: unable to handle kernel paging request in corrupted run #1: crashed: BUG: unable to handle kernel paging request in corrupted run #2: crashed: BUG: unable to handle kernel paging request in corrupted run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #5: crashed: WARNING: locking bug in evict run #6: crashed: KASAN: out-of-bounds Write in end_buffer_read_sync run #7: crashed: BUG: unable to handle kernel paging request in corrupted run #8: crashed: BUG: unable to handle kernel paging request in corrupted run #9: crashed: WARNING: still has locks held in alloc_super representative crash: BUG: unable to handle kernel paging request in corrupted, types: [MEMORY_SAFETY_BUG KASAN-WRITE] # git bisect good 524e90e58a267dad11e23351d9e4b1f941490976 Bisecting: 0 revisions left to test after this (roughly 1 step) [3100116850d791cfb86290736107ab4dfca69de4] use uniform permission checks for all mount propagation changes determine whether the revision contains the guilty commit revision 74c68b295b131897d1ff8b3537579b53978b44e4 crashed and is reachable testing commit 3100116850d791cfb86290736107ab4dfca69de4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 397a47c1093c342b27b00498b6271be49473d3e3210151d3e40ca3abf994a0fa all runs: OK false negative chance: 0.000 # git bisect bad 3100116850d791cfb86290736107ab4dfca69de4 Bisecting: 0 revisions left to test after this (roughly 0 steps) [c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4] fs/buffer: fix use-after-free when call bh_read() helper determine whether the revision contains the guilty commit revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable testing commit c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 0194fa7d641b0dfce6eee77a6ac15d1846dc90342eea497b28c204413afc82db all runs: OK false negative chance: 0.000 # git bisect bad c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4 c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4 is the first bad commit commit c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4 Author: Ye Bin Date: Mon Aug 11 22:18:30 2025 +0800 fs/buffer: fix use-after-free when call bh_read() helper [ Upstream commit 7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49 ] There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x2c/0x390 print_report+0xb4/0x270 kasan_report+0xb8/0xf0 end_buffer_read_sync+0xe3/0x110 end_bio_bh_io_sync+0x56/0x80 blk_update_request+0x30a/0x720 scsi_end_request+0x51/0x2b0 scsi_io_completion+0xe3/0x480 ? scsi_device_unbusy+0x11e/0x160 blk_complete_reqs+0x7b/0x90 handle_softirqs+0xef/0x370 irq_exit_rcu+0xa5/0xd0 sysvec_apic_timer_interrupt+0x6e/0x90 Above issue happens when do ntfs3 filesystem mount, issue may happens as follows: mount IRQ ntfs_fill_super read_cache_page do_read_cache_folio filemap_read_folio mpage_read_folio do_mpage_readpage ntfs_get_block_vbo bh_read submit_bh wait_on_buffer(bh); blk_complete_reqs scsi_io_completion scsi_end_request blk_update_request end_bio_bh_io_sync end_buffer_read_sync __end_buffer_read_notouch unlock_buffer wait_on_buffer(bh);--> return will return to caller put_bh --> trigger stack-out-of-bounds In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed. Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in stack overrun. If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ye Bin Link: https://lore.kernel.org/20250811141830.343774-1-yebin@huaweicloud.com Reviewed-by: Matthew Wilcox (Oracle) Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin fs/buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) accumulated error probability: 0.00 culprit signature: 0194fa7d641b0dfce6eee77a6ac15d1846dc90342eea497b28c204413afc82db parent signature: 7a3bcd12ce6f9a72592daac12ea411ae8bfaa43f93e1484a13b251548f0c9b7d revisions tested: 19, total time: 6h40m59.345304594s (build: 2h40m21.741890597s, test: 3h31m55.354203503s) first good commit: c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4 fs/buffer: fix use-after-free when call bh_read() helper recipients (to): ["brauner@kernel.org" "sashal@kernel.org" "willy@infradead.org" "yebin10@huawei.com"] recipients (cc): []