ci starts bisection 2023-09-30 20:39:06.236253732 +0000 UTC m=+89551.878241426
bisecting fixing commit since a4412fdd49dc011bcc2c0d81ac4cab7457092650
building syzkaller on e080de16713b9dbf308cdd7bcb85b58293e46e33
ensuring issue is reproducible on original commit a4412fdd49dc011bcc2c0d81ac4cab7457092650
testing commit a4412fdd49dc011bcc2c0d81ac4cab7457092650 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 02e227369ca4e975ef3607224fd167acf4171d5702503447d6f4a7ac65e2ec6e
all runs: crashed: KASAN: use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: use-after-free Read in gsm_cleanup_mux, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit a4412fdd49dc011bcc2c0d81ac4cab7457092650 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 848462276696af2c6740e591268adbbe67dc055e07750f629657d73e783cbf88
all runs: crashed: KASAN: use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: use-after-free Read in gsm_cleanup_mux, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=3883 full=7509 leaves diff=2002
split chunks (needed=false): <2002>
split chunk #0 of len 2002 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit a4412fdd49dc011bcc2c0d81ac4cab7457092650 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: db635427c0a19015fa00386db8ee6bb86fbceca83f95b72e90253c26009696e8
all runs: crashed: KASAN: use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: use-after-free Read in gsm_cleanup_mux, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit a4412fdd49dc011bcc2c0d81ac4cab7457092650 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 563153f39e37e877137e66e6fe511e8dc3d559948f296130bba0cb45d334c1d9
all runs: crashed: KASAN: use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: use-after-free Read in gsm_cleanup_mux, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit a4412fdd49dc011bcc2c0d81ac4cab7457092650 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c4f9be6d3bbf20bea2fa63a6486bf9d1d1d9b78087829bacf97444d3b857123a
all runs: crashed: KASAN: use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: use-after-free Read in gsm_cleanup_mux, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit a4412fdd49dc011bcc2c0d81ac4cab7457092650 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d1f6299b026df1db6ec403d880ca1c4c5f491a907cbed7187f003accca167171
all runs: OK
false negative chance: 0.000
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit a4412fdd49dc011bcc2c0d81ac4cab7457092650 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 08b1efa36f1ed8d311ab07793c3d2352b3a1a677fafb0737e4661703a395425d
all runs: crashed: KASAN: use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: use-after-free Read in gsm_cleanup_mux, types: [KASAN]
the chunk can be dropped
minimized to 401 configs; suspects: [...]
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing current HEAD 3b517966c5616ac011081153482a5ba0e91b17ff
testing commit 3b517966c5616ac011081153482a5ba0e91b17ff gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU
Binutils for Debian) 2.40
kernel signature: 868be6c5e9f1b0177cca141a34997499892af7b80dac96cd47576a4741475c81
all runs: OK
false negative chance: 0.000
# git bisect start 3b517966c5616ac011081153482a5ba0e91b17ff a4412fdd49dc011bcc2c0d81ac4cab7457092650
Bisecting: 39055 revisions left to test after this (roughly 15 steps)
[b68ee1c6131c540a62ecd443be89c406401df091] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
determine whether the revision contains the guilty commit
revision a4412fdd49dc011bcc2c0d81ac4cab7457092650 crashed and is reachable
testing commit b68ee1c6131c540a62ecd443be89c406401df091 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5d6a597a018ff67c9080bc87809d01c523a6d04446b56241998142101b5c1677
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good b68ee1c6131c540a62ecd443be89c406401df091
Bisecting: 19498 revisions left to test after this (roughly 14 steps)
[b30d7a77c53ec04a6d94683d7680ec406b7f3ac8] Merge tag 'perf-tools-for-v6.5-1-2023-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools-next
determine whether the revision contains the guilty commit
revision a4412fdd49dc011bcc2c0d81ac4cab7457092650 crashed and is reachable
testing commit b30d7a77c53ec04a6d94683d7680ec406b7f3ac8 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 82897458e3f1c2c05a4f52405f201e8e6549ab933eafaef20a57f8f984e79015
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good b30d7a77c53ec04a6d94683d7680ec406b7f3ac8
Bisecting: 9929 revisions left to test after this (roughly 13 steps)
[e8dbde59ca3fe925d0105bfb380e8429928b16dd] selftests: netfilter: Test nf_tables audit logging
determine whether the revision contains the guilty commit
revision a4412fdd49dc011bcc2c0d81ac4cab7457092650 crashed and is reachable
testing commit e8dbde59ca3fe925d0105bfb380e8429928b16dd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4b6e26a97c026cffe5e8ded0a56601feed8e6bb69c45011bfd5680da5ae8167a
all runs: OK
false negative chance: 0.000
# git bisect bad e8dbde59ca3fe925d0105bfb380e8429928b16dd
Bisecting: 4787 revisions left to test after this (roughly 12 steps)
[f85b1c7da776d0cb2b4509bdd7f406fe5607930b] net: switchdev: Remove unused typedef switchdev_obj_dump_cb_t()
determine whether the revision contains the guilty commit
revision b68ee1c6131c540a62ecd443be89c406401df091 crashed and is reachable
testing commit f85b1c7da776d0cb2b4509bdd7f406fe5607930b gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1a0894f8e6a32a72b3bceffd419a6c2dca35d9f3e0877135bf376388927cc3ce
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good f85b1c7da776d0cb2b4509bdd7f406fe5607930b
Bisecting: 2389 revisions left to test after this (roughly 11 steps)
[ccc5e9817719f59b3dea7b7a168861b4bf0b4ff4] Merge tag 'pm-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
determine whether the revision contains the guilty commit
revision b68ee1c6131c540a62ecd443be89c406401df091 crashed and is reachable
testing commit ccc5e9817719f59b3dea7b7a168861b4bf0b4ff4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 89ccd20ce4b82ed7fcb3b0cdfe47510e09363233a856b9c9dad4d339c625e864
all runs: OK
false negative chance: 0.000
# git bisect bad ccc5e9817719f59b3dea7b7a168861b4bf0b4ff4
Bisecting: 1198 revisions left to test after this (roughly 10 steps)
[98efb4eb310d0d72e663924adc7b5b6e14813f9d] btrfs: use helper sizeof_field in struct accessors
determine whether the revision contains the guilty commit
revision a4412fdd49dc011bcc2c0d81ac4cab7457092650 crashed and is reachable
testing commit 98efb4eb310d0d72e663924adc7b5b6e14813f9d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7c1f7b68e46f40b331ecfbe63492c2edbf20b13036ad97adc850b0171c15740f
all runs: OK
false negative chance: 0.000
# git bisect bad 98efb4eb310d0d72e663924adc7b5b6e14813f9d
Bisecting: 601 revisions left to test after this (roughly 9 steps)
[30813656c6b827947be024484d6da8b18e50c186] Merge tag 'dmaengine-fix-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine
determine whether the revision contains the guilty commit
revision a4412fdd49dc011bcc2c0d81ac4cab7457092650 crashed and is reachable
testing commit 30813656c6b827947be024484d6da8b18e50c186 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a2ca350f49da646d64e55e64d92654ba93b3e3a0039daaa6d3d7ef1329d76f18
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good 30813656c6b827947be024484d6da8b18e50c186
Bisecting: 300 revisions left to test after this (roughly 8 steps)
[7308e92756d5891d58e7bcae01a516514583921d] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
determine whether the revision contains the guilty commit
revision b30d7a77c53ec04a6d94683d7680ec406b7f3ac8 crashed and is reachable
testing commit 7308e92756d5891d58e7bcae01a516514583921d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 74dcd5f4e1e53562f737b0c541b31e659088ef6046ecfd1edf1983010d912ff0
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good 7308e92756d5891d58e7bcae01a516514583921d
Bisecting: 167 revisions left to test after this (roughly 7 steps)
[eabeef9054fdd317e58387ed0ab1a32fe9eb5909] Merge tag 'asm-generic-fix-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic
determine whether the revision contains the guilty commit
revision b30d7a77c53ec04a6d94683d7680ec406b7f3ac8 crashed and is reachable
testing commit eabeef9054fdd317e58387ed0ab1a32fe9eb5909 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9aed74db30b7e625728dc9e0e5c26459d9b5422e4249cb19688237b9893c273c
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good eabeef9054fdd317e58387ed0ab1a32fe9eb5909
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[4e7ffde6984a7fa842489be7055570e5f5a4f0b5] Merge tag 'powerpc-6.5-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
determine whether the revision contains the guilty commit
revision a4412fdd49dc011bcc2c0d81ac4cab7457092650 crashed and is reachable
testing commit 4e7ffde6984a7fa842489be7055570e5f5a4f0b5 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e19a5f4430f493e757a52868b6399cfc495b6f14be58e165e0f4a87419a1daa4
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good 4e7ffde6984a7fa842489be7055570e5f5a4f0b5
Bisecting: 43 revisions left to test after this (roughly 5 steps)
[12e6ccedb311b32b16f767fdd606cc84630e45ae] Merge tag 'for-6.5-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
determine whether the revision contains the guilty commit
revision b30d7a77c53ec04a6d94683d7680ec406b7f3ac8 crashed and is reachable
testing commit 12e6ccedb311b32b16f767fdd606cc84630e45ae gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 37d79e72243185730c44b8aabf6a5acbe5585c1fec2e456dbae938c237642735
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good 12e6ccedb311b32b16f767fdd606cc84630e45ae
Bisecting: 16 revisions left to test after this (roughly 5 steps)
[b320441c04c9bea76cbee1196ae55c20288fd7a6] Merge tag 'tty-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
determine whether the revision contains the guilty commit
revision b30d7a77c53ec04a6d94683d7680ec406b7f3ac8 crashed and is reachable
testing commit b320441c04c9bea76cbee1196ae55c20288fd7a6 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad13e7239d254e6518290fc8c4ebb48657a3b9413523e93ddec538b8851e2103
all runs: OK
false negative chance: 0.000
# git bisect bad b320441c04c9bea76cbee1196ae55c20288fd7a6
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[3d9e6f556e235ddcdc9f73600fdd46fe1736b090] serial: 8250: drop lockdep annotation from serial8250_clear_IER()
determine whether the revision contains the guilty commit
revision a4412fdd49dc011bcc2c0d81ac4cab7457092650 crashed and is reachable
testing commit 3d9e6f556e235ddcdc9f73600fdd46fe1736b090 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 06ad2c257615bbc2c17d00a413ad91a4892a8e747e4e9925f02fde94adde4172
all runs: OK
false negative chance: 0.000
# git bisect bad 3d9e6f556e235ddcdc9f73600fdd46fe1736b090
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[238500e2d67c0463ec83a43a083dc25db6520acd] MAINTAINERS: Merge TTY layer and serial drivers
determine whether the revision contains the guilty commit
revision b68ee1c6131c540a62ecd443be89c406401df091 crashed and is reachable
testing commit 238500e2d67c0463ec83a43a083dc25db6520acd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 49af425c39af76cf0a5114270cbb463d2ff3fa7190201eefb1b85c5c4c5fa164
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good 238500e2d67c0463ec83a43a083dc25db6520acd
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534] serial: 8250: Fix oops for port->pm on uart_change_pm()
determine whether the revision contains the guilty commit
revision b30d7a77c53ec04a6d94683d7680ec406b7f3ac8 crashed and is reachable
testing commit dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0c5660bd72fcab637d1f7b616da2d4f0b9f1a9c7ebb53861f5e285212b38c907
all runs: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534
Bisecting: 1 revision left to test after this (roughly 1 step)
[a4a79e03bab57729bd8046d22bf3666912e586fb] serial: core: Revert port_id use
determine whether the revision contains the guilty commit
revision b30d7a77c53ec04a6d94683d7680ec406b7f3ac8 crashed and is reachable
testing commit a4a79e03bab57729bd8046d22bf3666912e586fb gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 66e9639063798ca0394b06cc6c0cd82717c4ac76922ec7a173aa462439949ada
run #0: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
run #1: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
run #2: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
run #3: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
run #4: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
run #5: crashed: KASAN: slab-use-after-free Read
in gsm_cleanup_mux
run #6: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
run #7: crashed: KFENCE: use-after-free in gsm_cleanup_mux
run #8: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
run #9: crashed: KASAN: slab-use-after-free Read in gsm_cleanup_mux
representative crash: KASAN: slab-use-after-free Read in gsm_cleanup_mux, types: [KASAN]
# git bisect good a4a79e03bab57729bd8046d22bf3666912e586fb
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3c4f8333b582487a2d1e02171f1465531cde53e3] tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
determine whether the revision contains the guilty commit
revision a4412fdd49dc011bcc2c0d81ac4cab7457092650 crashed and is reachable
testing commit 3c4f8333b582487a2d1e02171f1465531cde53e3 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cfe89c708dee1e131917be9f7c122d117dac79880e4894a8fe1e626e6f1e42c0
all runs: OK
false negative chance: 0.000
# git bisect bad 3c4f8333b582487a2d1e02171f1465531cde53e3
3c4f8333b582487a2d1e02171f1465531cde53e3 is the first bad commit
commit 3c4f8333b582487a2d1e02171f1465531cde53e3
Author: Yi Yang
Date:   Fri Aug 11 11:11:21 2023 +0800

    tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

    In commit 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux"), the UAF problem is not completely fixed.
    There is a race condition in gsm_cleanup_mux(), which caused this UAF.

    The UAF problem is triggered by the following race:
    task[5046]                     task[5054]
    -----------------------        -----------------------
    gsm_cleanup_mux();
    dlci = gsm->dlci[0];
    mutex_lock(&gsm->mutex);
                                   gsm_cleanup_mux();
                                   dlci = gsm->dlci[0]; //Didn't take the lock
    gsm_dlci_release(gsm->dlci[i]);
    gsm->dlci[i] = NULL;
    mutex_unlock(&gsm->mutex);
                                   mutex_lock(&gsm->mutex);
                                   dlci->dead = true; //UAF

    Fix it by assigning values after mutex_lock().

    Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000
    Cc: stable
    Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux")
    Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")
    Signed-off-by: Yi Yang
    Co-developed-by: Qiumiao Zhang
    Signed-off-by: Qiumiao Zhang
    Link: https://lore.kernel.org/r/20230811031121.153237-1-yiyang13@huawei.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/n_gsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: cfe89c708dee1e131917be9f7c122d117dac79880e4894a8fe1e626e6f1e42c0
parent signature: 66e9639063798ca0394b06cc6c0cd82717c4ac76922ec7a173aa462439949ada
revisions tested: 25, total time: 7h49m42.357183334s (build: 5h6m11.143536972s, test: 2h26m0.507113153s)
first good commit: 3c4f8333b582487a2d1e02171f1465531cde53e3 tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
recipients (to): ["gregkh@linuxfoundation.org" "yiyang13@huawei.com" "zhangqiumiao1@huawei.com"]
recipients (cc): []