ci2 starts bisection 2025-06-29 19:46:10.137463647 +0000 UTC m=+164569.843384425
bisecting fixing commit since 61cfd264993d07540f60a5c53d77a14c818e54a9
building syzkaller on 5b429f39ae82dfd954322d3f42c830cf560f51d2
ensuring issue is reproducible on original commit 61cfd264993d07540f60a5c53d77a14c818e54a9
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1449bcf54e3829c5c753e33dc0dae8a3d958f0d6e2542cfa32737f1e401a12df
run #0: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #1: crashed: general protection fault in vma_interval_tree_insert_after
run #2: crashed: general protection fault in vma_interval_tree_insert_after
run #3: crashed: general protection fault in vma_interval_tree_insert_after
run #4: crashed: KASAN: invalid-free in anon_vma_name_free
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: KASAN: invalid-free in anon_vma_name_free
run #7: crashed: KASAN: invalid-free in anon_vma_name_free
run #8: crashed: general protection fault in vma_interval_tree_insert_after
run #9: crashed: general protection fault in vma_interval_tree_insert_after
run #10: crashed: KASAN: invalid-free in anon_vma_name_free
run #11: crashed: general protection fault in vma_interval_tree_insert_after
run #12: crashed: KASAN: invalid-free in anon_vma_name_free
run #13: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #14: crashed: KASAN: invalid-free in anon_vma_name_free
run #15: crashed: KASAN: null-ptr-deref Write in vm_area_free_no_check
run #16: crashed: KASAN: invalid-free in anon_vma_name_free
run #17: crashed: KASAN: invalid-free in anon_vma_name_free
run #18: crashed: general protection fault in vma_interval_tree_insert_after
run #19: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after, types: [UNKNOWN KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fa7ae8dad0b48671d8cff63e90f0c6bc9ef41e46429c44add1500b8cbcbfa7d9
run #0: crashed: general protection fault in vma_interval_tree_insert_after
run #1: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #2: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #3: crashed: general protection fault in vma_interval_tree_insert_after
run #4: crashed: general protection fault in vma_interval_tree_insert_after
run #5: crashed: KASAN: invalid-free in anon_vma_name_free
run #6: crashed: general protection fault in vma_interval_tree_insert_after
run #7: crashed: general protection fault in vma_interval_tree_insert_after
run #8: crashed: general protection fault in vma_interval_tree_insert_after
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: general protection fault in vma_interval_tree_insert_after, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4921 full=6161 leaves diff=243
split chunks (needed=false): <243>
split chunk #0 of len 243 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8e14dc84f9bc819aafeb1e78d578dd08d4cccc379173d666ef61c3739e1dfd98
run #0: crashed: KASAN: invalid-free in anon_vma_name_free
run #1: crashed: general protection fault in vma_interval_tree_insert_after
run #2: crashed: general protection fault in vma_interval_tree_insert_after
run #3: crashed: general protection fault in vma_interval_tree_insert_after
run #4: crashed: general protection fault in vma_interval_tree_remove
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: general protection fault in vma_interval_tree_insert_after
run #7: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #8: crashed: KASAN: invalid-free in anon_vma_name_free
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: general protection fault in vma_interval_tree_insert_after, types: [UNKNOWN KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5871b4655ee93b558bb5ba31112cb47866d6c5b246ffd972276f5e72ae358c5b
run #0: crashed: general protection fault in vma_interval_tree_insert_after
run #1: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #2: crashed: general protection fault in vma_interval_tree_insert_after
run #3: crashed: general protection fault in vma_interval_tree_insert_after
run #4: crashed: general protection fault in vma_interval_tree_insert_after
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #7: crashed: KASAN: invalid-free in anon_vma_name_free
run #8: crashed: KASAN: invalid-free in anon_vma_name_free
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: general protection fault in vma_interval_tree_insert_after, types: [UNKNOWN KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fdacc6bce07945bec4f91d24428172ebf5eee0137023537819e80defcadab3f9
run #0: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #1: crashed: general protection fault in vma_interval_tree_insert_after
run #2: crashed: KASAN: invalid-free in anon_vma_name_free
run #3: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #4: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: general protection fault in vma_interval_tree_insert_after
run #7: crashed: KASAN: invalid-free in anon_vma_name_free
run #8: crashed: general protection fault in vma_interval_tree_insert_after
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after, types: [UNKNOWN KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eb289f80d245b9f669320c83c394345e070706181f62d01d532f6ce034175d66
run #0: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #1: crashed: KASAN: invalid-free in anon_vma_name_free
run #2: crashed: general protection fault in vma_interval_tree_insert_after
run #3: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #4: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #5: crashed: general protection fault in vma_interval_tree_insert_after
run #6: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #7: crashed: general protection fault in vma_interval_tree_remove
run #8: crashed: KASAN: invalid-free in anon_vma_name_free
run #9: crashed: KASAN: invalid-free in anon_vma_name_free
representative crash: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after, types: [UNKNOWN KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 61cfd264993d07540f60a5c53d77a14c818e54a9:
net/socket.c:1189: undefined reference to `wext_handle_ioctl'
net/socket.c:3383: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 47 configs; suspects: [HID_ZEROPLUS USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing current HEAD 0d918fa8e88d750d62041e720012efb22d89728e
testing commit 0d918fa8e88d750d62041e720012efb22d89728e
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f5a7699653354ca3e2f1c811ed98529829b75f575bb31db5010cc3de040f0f84
run #0: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #1: crashed: general protection fault in vma_interval_tree_insert_after
run #2: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #3: crashed: KASAN: invalid-free in anon_vma_name_free
run #4: crashed: general protection fault in vma_interval_tree_insert_after
run #5: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #6: crashed: general protection fault in vma_interval_tree_insert_after
run #7: crashed: general protection fault in vma_interval_tree_insert_after
run #8: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
run #9: crashed: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
representative crash: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after, types: [UNKNOWN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 1h48m52.088467038s (build: 25m51.373473891s, test: 1h20m32.890998328s)
crash still not fixed or there were kernel test errors
commit msg: Merge android13-5.15 into android13-5.15-lts
crash: BUG: unable to handle kernel paging request in vma_interval_tree_insert_after
BUG: unable to handle page fault for address: ffffed1800000019
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23fff2067 P4D 23fff2067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 410 Comm: syz-executor.0 Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:__rb_insert lib/rbtree.c:115 [inline]
RIP: 0010:__rb_insert_augmented+0x73/0x9a0 lib/rbtree.c:459
Code: 89 e1 48 c1 e9 03 42 80 3c 31 00 0f 85 83 05 00 00 4d 8b 2c 24 41 f6 c5 01 0f 85 88 01 00 00 4d 8d 45 08 4c 89 c1 48 c1 e9 03 <42> 80 3c 31 00 0f 85 7c 05 00 00 4d 8b 7d 08 4d 39 e7 0f 84 74 01
RSP: 0018:ffffc90000757a90 EFLAGS: 00010a02
RAX: ffff8881094df828 RBX: ffff88811f24d3d0 RCX: 1ffff11800000019
RDX: ffffffff81895da0 RSI: 1ffff11023e4a6e9 RDI: ffff88811f24d3e0
RBP: ffffc90000757ad8 R08: ffff88c0000000c8 R09: ffff8881094df847
R10: ffffed102129bf08 R11: 0000000000000000 R12: ffff88811f8cf620
R13: ffff88c0000000c0 R14: dffffc0000000000 R15: ffff88811f8e84f8
FS: 00007f63e41a16c0(0000) GS:ffff8881f7500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed1800000019 CR3: 00000001209b3000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rb_insert_augmented include/linux/rbtree_augmented.h:50 [inline]
vma_interval_tree_insert_after+0x22e/0x350 mm/interval_tree.c:57
dup_mmap kernel/fork.c:632 [inline]
dup_mm kernel/fork.c:1522 [inline]
copy_mm kernel/fork.c:1574 [inline]
copy_process+0x5d7c/0x74a0 kernel/fork.c:2348
kernel_clone+0xc1/0x950 kernel/fork.c:2737
__do_sys_clone+0xc9/0x100 kernel/fork.c:2863
__se_sys_clone kernel/fork.c:2847 [inline]
__x64_sys_clone+0xb9/0x140 kernel/fork.c:2847
x64_sys_call+0x7fa/0x990 arch/x86/include/generated/asm/syscalls_64.h:57
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x33/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f63e461eae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f63e41a1078 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f63e473df80 RCX: 00007f63e461eae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f63e41a1120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007f63e473df80 R15: 00007ffe21116558
Modules linked in:
CR2: ffffed1800000019
---[ end trace 530edd1f728d611d ]---
RIP: 0010:__rb_insert lib/rbtree.c:115 [inline]
RIP: 0010:__rb_insert_augmented+0x73/0x9a0 lib/rbtree.c:459
Code: 89 e1 48 c1 e9 03 42 80 3c 31 00 0f 85 83 05 00 00 4d 8b 2c 24 41 f6 c5 01 0f 85 88 01 00 00 4d 8d 45 08 4c 89 c1 48 c1 e9 03 <42> 80 3c 31 00 0f 85 7c 05 00 00 4d 8b 7d 08 4d 39 e7 0f 84 74 01
RSP: 0018:ffffc90000757a90 EFLAGS: 00010a02
RAX: ffff8881094df828 RBX: ffff88811f24d3d0 RCX: 1ffff11800000019
RDX: ffffffff81895da0 RSI: 1ffff11023e4a6e9 RDI: ffff88811f24d3e0
RBP: ffffc90000757ad8 R08: ffff88c0000000c8 R09: ffff8881094df847
R10: ffffed102129bf08 R11: 0000000000000000 R12: ffff88811f8cf620
R13: ffff88c0000000c0 R14: dffffc0000000000 R15: ffff88811f8e84f8
FS: 00007f63e41a16c0(0000) GS:ffff8881f7500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed1800000019 CR3: 00000001209b3000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 e1 mov %esp,%ecx
2: 48 c1 e9 03 shr $0x3,%rcx
6: 42 80 3c 31 00 cmpb $0x0,(%rcx,%r14,1)
b: 0f 85 83 05 00 00 jne 0x594
11: 4d 8b 2c 24 mov (%r12),%r13
15: 41 f6 c5 01 test $0x1,%r13b
19: 0f 85 88 01 00 00 jne 0x1a7
1f: 4d 8d 45 08 lea 0x8(%r13),%r8
23: 4c 89 c1 mov %r8,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
* 2a: 42 80 3c 31 00 cmpb $0x0,(%rcx,%r14,1) <-- trapping instruction
2f: 0f 85 7c 05 00 00 jne 0x5b1
35: 4d 8b 7d 08 mov 0x8(%r13),%r15
39: 4d 39 e7 cmp %r12,%r15
3c: 0f .byte 0xf
3d: 84 .byte 0x84
3e: 74 01 je 0x41