ci2 starts bisection 2026-01-04 00:54:31.23446689 +0000 UTC m=+3324283.411589947 bisecting fixing commit since 535ec20c50273d81b2cc7985fed2108dee0e65d7 building syzkaller on c6b4fb399236b655a39701fd51c33522caa06811 ensuring issue is reproducible on original commit 535ec20c50273d81b2cc7985fed2108dee0e65d7 testing commit 535ec20c50273d81b2cc7985fed2108dee0e65d7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 859cf07c9d5e645ea0945575c60d9280d898cd1fcf1889c63e2d6178a815b71e run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #9: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #10: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #11: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #12: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #13: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #14: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #15: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #16: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #17: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] check whether we can drop unnecessary instrumentation disabling configs for [atomic_sleep hang memleak ubsan kasan locking], they are not needed testing commit 535ec20c50273d81b2cc7985fed2108dee0e65d7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: e16cb933fd7337413d880ec9930417f8a0cffad908c67e684f56eb9ecef23d9a run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in bcsp_recv run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK representative crash: BUG: unable to handle kernel NULL pointer dereference in bcsp_recv, types: [NULL-POINTER-DEREFERENCE] unable to determine the verdict: 9 good runs (wanted 5), for bad wanted 5 in total, got 10 kconfig minimization: base=7505 full=9720 leaves diff=1998 split chunks (needed=false): <1998> split chunk #0 of len 1998 into 5 parts testing without sub-chunk 1/5 testing commit 535ec20c50273d81b2cc7985fed2108dee0e65d7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 5212f52fc422952d9d566b98da2e140ec03f98e272ececbef37bad43ec4fe253 all runs: OK false negative chance: 0.000 testing without sub-chunk 2/5 testing commit 535ec20c50273d81b2cc7985fed2108dee0e65d7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 0490023d58ffaa9bdfd34d94e8d4049953cc7e32144954dc023ae34d9a4dcee3 all runs: crashed: BUG: unable to handle kernel paging request in bcsp_recv representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] the chunk can be dropped testing without sub-chunk 3/5 testing commit 535ec20c50273d81b2cc7985fed2108dee0e65d7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c582f46afcacf437e5e3bd9b5938459cf380718c181c18cb317b49e12151a4fd run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: OK run #7: OK run #8: OK run #9: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] the chunk can be dropped testing without sub-chunk 4/5 testing commit 535ec20c50273d81b2cc7985fed2108dee0e65d7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 7801729b5fd57ef470ebc0bbe7577f302cb7d898d2c0c1fcd33436154b688b73 run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] testing without sub-chunk 5/5 testing commit 535ec20c50273d81b2cc7985fed2108dee0e65d7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: e92b5ab1e2256644a3cf869e193dcb3ab1c704d9ed9f9aa82da99e74d8e68a34 run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] the chunk can be dropped minimized to 800 configs; suspects: [6LOWPAN 6LOWPAN_GHC_EXT_HDR_DEST 6LOWPAN_GHC_EXT_HDR_FRAG 6LOWPAN_GHC_EXT_HDR_HOP 6LOWPAN_GHC_EXT_HDR_ROUTE 6LOWPAN_GHC_ICMPV6 6LOWPAN_GHC_UDP 6LOWPAN_NHC 6LOWPAN_NHC_DEST 6LOWPAN_NHC_FRAGMENT 6LOWPAN_NHC_HOP 6LOWPAN_NHC_IPV6 6LOWPAN_NHC_MOBILITY 6LOWPAN_NHC_ROUTING 6LOWPAN_NHC_UDP 6PACK 842_COMPRESS 842_DECOMPRESS 9P_FSCACHE 9P_FS_POSIX_ACL 9P_FS_SECURITY ACORN_PARTITION ACORN_PARTITION_ADFS ACORN_PARTITION_CUMANA ACORN_PARTITION_EESOX ACORN_PARTITION_ICS ACORN_PARTITION_POWERTEC ACORN_PARTITION_RISCIX ACPI_DOCK ADFS_FS AFFS_FS AFS_FS AFS_FSCACHE AF_KCM AF_RXRPC AF_RXRPC_IPV6 AIX_PARTITION AMIGA_PARTITION ANDROID_BINDERFS ANDROID_BINDER_IPC ANON_VMA_NAME APPLE_MFI_FASTCHARGE AR5523 ASM_MODVERSIONS ASYNC_CORE ASYNC_MEMCPY ASYNC_PQ ASYNC_RAID6_RECOV ASYNC_TX_DMA ASYNC_XOR ATARI_PARTITION ATA_GENERIC ATA_OVER_ETH ATA_PIIX ATH10K ATH10K_CE ATH10K_PCI ATH10K_SNOC ATH10K_USB ATH11K ATH11K_AHB ATH11K_PCI ATH6KL ATH6KL_USB ATH9K ATH9K_AHB ATH9K_BTCOEX_SUPPORT ATH9K_CHANNEL_CONTEXT ATH9K_COMMON ATH9K_COMMON_DEBUG ATH9K_COMMON_SPECTRAL ATH9K_DEBUGFS ATH9K_DYNACK ATH9K_HTC ATH9K_HTC_DEBUGFS ATH9K_HW ATH9K_PCI ATH9K_PCOEM ATH9K_RFKILL ATH_COMMON ATM ATM_BR2684 ATM_CLIP ATM_DRIVERS ATM_LANE ATM_MPOA ATM_TCP AX25 AX25_DAMA_SLAVE BAREUDP BATMAN_ADV BATMAN_ADV_BATMAN_V BATMAN_ADV_BLA BATMAN_ADV_DAT BATMAN_ADV_MCAST BATMAN_ADV_NC BCACHE BCMA BCMA_HOST_PCI_POSSIBLE BEFS_FS BFQ_CGROUP_DEBUG BFQ_GROUP_IOSCHED BFS_FS BIG_KEYS BINFMT_MISC BLK_CGROUP_IOCOST BLK_CGROUP_IOLATENCY BLK_CGROUP_RWSTAT BLK_DEBUG_FS_ZONED BLK_DEV_INITRD BLK_DEV_NULL_BLK BLK_DEV_NULL_BLK_FAULT_INJECTION BLK_DEV_RAM BLK_DEV_RNBD BLK_DEV_RNBD_CLIENT BLK_DEV_SR BLK_DEV_THROTTLING BLK_DEV_ZONED BLK_ICQ BLK_INLINE_ENCRYPTION BLK_INLINE_ENCRYPTION_FALLBACK BLK_MQ_RDMA BLK_RQ_ALLOC_TIME BLK_WBT BLK_WBT_MQ BONDING BPF_JIT_ALWAYS_ON BPF_STREAM_PARSER BPQETHER BRIDGE_CFM BRIDGE_EBT_802_3 BRIDGE_EBT_AMONG BRIDGE_EBT_ARP BRIDGE_EBT_ARPREPLY BRIDGE_EBT_BROUTE BRIDGE_EBT_DNAT BRIDGE_EBT_IP BRIDGE_EBT_IP6 BRIDGE_EBT_LIMIT BRIDGE_EBT_LOG BRIDGE_EBT_MARK BRIDGE_EBT_MARK_T BRIDGE_EBT_NFLOG BRIDGE_EBT_PKTTYPE BRIDGE_EBT_REDIRECT BRIDGE_EBT_SNAT BRIDGE_EBT_STP BRIDGE_EBT_T_FILTER BRIDGE_EBT_T_NAT BRIDGE_EBT_VLAN BRIDGE_MRP BRIDGE_NF_EBTABLES BSD_DISKLABEL BTRFS_ASSERT BTRFS_FS_REF_VERIFY BT_6LOWPAN BT_ATH3K BT_BNEP BT_BNEP_MC_FILTER BT_BNEP_PROTO_FILTER BT_CMTP BT_HCIBCM203X BT_HCIBFUSB BT_HCIBPA10X BT_HCIBTUSB_AUTOSUSPEND BT_HCIBTUSB_MTK BT_HCIUART_3WIRE BT_HCIUART_AG6XX BT_HCIUART_BCSP BT_HCIVHCI BT_HS BT_LE BT_MSFTEXT BT_MTK BT_RFCOMM BT_RFCOMM_TTY CACHEFILES CAIF CAIF_DEBUG CAIF_DRIVERS CAIF_NETDEV CAIF_TTY CAIF_USB CAIF_VIRTIO CAN_8DEV_USB CAN_EMS_USB CAN_ESD_USB CAN_ETAS_ES58X CAN_GS_USB CAN_IFI_CANFD CAN_ISOTP CAN_J1939 CAN_KVASER_USB CAN_MCBA_USB CAN_PEAK_USB CAN_SLCAN CAN_UCAN CAN_VCAN CAN_VXCAN CAPI_TRACE CARL9170 CARL9170_HWRNG CARL9170_LEDS CARL9170_WPC CDROM CEC_CORE CEC_NOTIFIER CEPH_FS CEPH_FSCACHE CEPH_FS_POSIX_ACL CEPH_LIB CEPH_LIB_USE_DNS_RESOLVER CFG80211 CFG80211_CRDA_SUPPORT CFG80211_DEBUGFS CFG80211_DEFAULT_PS CFG80211_REQUIRE_SIGNED_REGDB CFG80211_USE_KERNEL_REGDB_KEYS CFG80211_WEXT CFS_BANDWIDTH CGROUP_NET_CLASSID CGROUP_NET_PRIO CGROUP_RDMA CHARGER_BQ24190 CHARGER_ISP1704 CHECKPOINT_RESTORE CHECK_SIGNATURE CHR_DEV_SG CHR_DEV_ST CIFS CIFS_ALLOW_INSECURE_LEGACY CIFS_DEBUG CIFS_DFS_UPCALL CIFS_FSCACHE CIFS_POSIX CIFS_SMB_DIRECT CIFS_SWN_UPCALL CIFS_UPCALL CIFS_XATTR CLS_U32_MARK CLS_U32_PERF CMDLINE_PARTITION COMEDI COMEDI_DT9812 COMEDI_NI_USB6501 COMEDI_USBDUX COMEDI_USBDUXFAST COMEDI_USBDUXSIGMA COMEDI_USB_DRIVERS COMEDI_VMK80XX COMPAT_NETLINK_MESSAGES CONNECTOR COUNTER CPU_FREQ_DEFAULT_GOV_USERSPACE CRAMFS CRAMFS_BLOCKDEV CRAMFS_MTD CRC4 CRYPTO_ADIANTUM CRYPTO_AEGIS128 CRYPTO_AES_ARM64 CRYPTO_AES_TI CRYPTO_ANUBIS CRYPTO_ARC4 CRYPTO_ARCH_HAVE_LIB_POLY1305 CRYPTO_ARIA CRYPTO_BLOWFISH CRYPTO_BLOWFISH_COMMON CRYPTO_CAMELLIA CRYPTO_CHACHA20 CRYPTO_CHACHA20POLY1305 CRYPTO_CRC32 CRYPTO_CTS CRYPTO_DEV_CCP CRYPTO_DEV_CCP_DD CRYPTO_DEV_VIRTIO CRYPTO_DRBG_CTR CRYPTO_DRBG_HASH CRYPTO_ECRDSA CRYPTO_ESSIV CRYPTO_FCRYPT CRYPTO_HCTR2 CRYPTO_KDF800108_CTR CRYPTO_KEYWRAP CRYPTO_KHAZAD CRYPTO_LIB_ARC4 CRYPTO_LIB_CHACHA CRYPTO_LIB_CHACHA20POLY1305 CRYPTO_LIB_CURVE25519 CRYPTO_LIB_POLY1305 CRYPTO_LIB_POLY1305_GENERIC CRYPTO_LRW CRYPTO_NHPOLY1305 CRYPTO_PCBC CRYPTO_PCRYPT CRYPTO_POLY1305 CRYPTO_POLY1305_NEON CRYPTO_POLYVAL CRYPTO_RMD160 CRYPTO_SEED CRYPTO_SEQIV CRYPTO_SM2 CRYPTO_SM4_ARM64_CE CRYPTO_SM4_ARM64_CE_BLK CRYPTO_SM4_ARM64_NEON_BLK CRYPTO_STREEBOG CRYPTO_TEA CRYPTO_TWOFISH CRYPTO_TWOFISH_COMMON CRYPTO_USER CRYPTO_USER_API_AEAD CRYPTO_USER_API_HASH CRYPTO_USER_API_SKCIPHER CRYPTO_VMAC CRYPTO_WP512 CRYPTO_XCBC CRYPTO_XCTR CYPRESS_FIRMWARE DAMON DAMON_DBGFS DAMON_PADDR DAMON_RECLAIM DAMON_VADDR DAX DCB DEFAULT_CUBIC DEFAULT_PFIFO_FAST DEVICE_MIGRATION DEVICE_PRIVATE DLN2_ADC DMABUF_HEAPS DMABUF_HEAPS_CMA DMABUF_HEAPS_SYSTEM DMABUF_MOVE_NOTIFY DM_AUDIT DM_BIO_PRISON DM_BUFIO DM_CACHE DM_CACHE_SMQ DM_CLONE DM_CRYPT DM_FLAKEY DM_INTEGRITY DM_MULTIPATH DM_MULTIPATH_QL DM_MULTIPATH_ST DM_PERSISTENT_DATA DM_RAID DM_SNAPSHOT DM_THIN_PROVISIONING DM_UEVENT DM_VERITY DM_VERITY_FEC DM_WRITECACHE DM_ZONED DRAGONRISE_FF DRM DRM_ANALOGIX_DP DRM_BOCHS DRM_BRIDGE DRM_CDNS_MHDP8546 DRM_CDNS_MHDP8546_J721E DRM_CIRRUS_QEMU DRM_DEBUG_MM DRM_DISPLAY_CONNECTOR DRM_DISPLAY_DP_HELPER DRM_DISPLAY_HDCP_HELPER DRM_DISPLAY_HDMI_HELPER DRM_DISPLAY_HELPER DRM_DP_AUX_BUS DRM_DW_HDMI DRM_DW_HDMI_AHB_AUDIO DRM_DW_HDMI_CEC DRM_DW_HDMI_I2S_AUDIO DRM_DW_MIPI_DSI DRM_ETNAVIV DRM_ETNAVIV_THERMAL DRM_EXYNOS DRM_EXYNOS5433_DECON DRM_EXYNOS7_DECON DRM_EXYNOS_DSI DRM_EXYNOS_HDMI DRM_EXYNOS_MIC DRM_FBDEV_EMULATION DRM_GEM_DMA_HELPER DRM_GEM_SHMEM_HELPER DRM_GM12U320 DRM_GUD DRM_HDLCD DRM_HISI_HIBMC DRM_HISI_KIRIN DRM_I2C_ADV7511 DRM_I2C_ADV7511_AUDIO DRM_I2C_ADV7511_CEC DRM_I2C_CH7006 DRM_I2C_NXP_TDA998X DRM_I2C_SIL164 DRM_IMX_DCSS DRM_KMS_HELPER DRM_KOMEDA DRM_LEGACY DRM_LIMA DRM_LONTIUM_LT8912B DRM_LONTIUM_LT9611 DRM_LONTIUM_LT9611UXC DRM_MALI_DISPLAY DRM_MEDIATEK DRM_MEDIATEK_HDMI DRM_MESON DRM_MESON_DW_HDMI DRM_MIPI_DSI DRM_MSM DRM_MSM_DP DRM_MSM_DPU DRM_MSM_DSI DRM_MSM_DSI_10NM_PHY DRM_MSM_DSI_14NM_PHY DRM_MSM_DSI_20NM_PHY DRM_MSM_DSI_28NM_8960_PHY DRM_MSM_DSI_28NM_PHY DRM_MSM_DSI_7NM_PHY DRM_MSM_GPU_STATE DRM_MSM_HDMI DRM_MSM_HDMI_HDCP DRM_MSM_MDP4 DRM_MSM_MDP5 DRM_MSM_MDSS DRM_MXS DRM_MXSFB DRM_NOMODESET DRM_NOUVEAU DRM_NOUVEAU_BACKLIGHT DRM_NWL_MIPI_DSI DRM_PANEL DRM_PANEL_BOE_TV101WUM_NL6 DRM_PANEL_BRIDGE DRM_PANEL_EDP DRM_PANEL_LVDS DRM_PANEL_MANTIX_MLAF057WE51 DRM_PANEL_RAYDIUM_RM67191 DRM_PANEL_SIMPLE DRM_PANEL_SITRONIX_ST7703 DRM_PANEL_TRULY_NT35597_WQXGA DRM_PANFROST DRM_PARADE_PS8640 DRM_PL111 DRM_RCAR_CMM DRM_RCAR_DU DRM_RCAR_DW_HDMI DRM_RCAR_LVDS DRM_RCAR_MIPI_DSI DRM_RCAR_USE_CMM DRM_RCAR_USE_LVDS DRM_RCAR_USE_MIPI_DSI DRM_RCAR_VSP DRM_RCAR_WRITEBACK DRM_ROCKCHIP DRM_SCHED DRM_SII902X DRM_SIMPLEDRM DRM_SIMPLE_BRIDGE DRM_SUN4I DRM_SUN6I_DSI DRM_SUN8I_DW_HDMI DRM_SUN8I_MIXER DRM_SUN8I_TCON_TOP DRM_TEGRA DRM_THINE_THC63LVD1024 DRM_TIDSS DRM_TI_SN65DSI86 DRM_TTM DRM_TTM_HELPER DRM_UDL DRM_V3D DRM_VC4 DRM_VGEM DRM_VIRTIO_GPU DRM_VKMS ENCRYPTED_KEYS FSCACHE HAMRADIO HID_DRAGONRISE HID_PANTHERLORD HID_PLAYSTATION HID_SENSOR_HUB HID_SMARTJOYPLUS HID_SONY HID_THRUSTMASTER INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_IPOIB INFINIBAND_RTRS_CLIENT INFINIBAND_USER_ACCESS INFINIBAND_VIRT_DMA INPUT_TABLET INPUT_TOUCHSCREEN IOSCHED_BFQ IP_SCTP ISDN ISDN_CAPI L2TP MAC80211 MAC80211_LEDS MEDIA_COMMON_OPTIONS MEDIA_RADIO_SUPPORT MFD_DLN2 MFD_RETU NET_CLS_U32 NET_IPGRE_DEMUX NET_SCH_DEFAULT OSF_PARTITION OVERLAY_FS_INDEX OVERLAY_FS_REDIRECT_DIR PACKET_DIAG PADATA PAGE_IDLE_FLAG PAHOLE_HAS_BTF_TAG PAHOLE_HAS_LANG_EXCLUDE PAHOLE_HAS_SPLIT_BTF PANTHERLORD_FF PARPORT PARPORT_NOT_PC PARTITION_ADVANCED PATA_AMD PATA_OLDPIIX PATA_SCH PCCARD PCMCIA PERCPU_STATS PERSISTENT_KEYRINGS PHY_CPCAP_USB PHY_QCOM_USB_HSIC PHY_TUSB1210 PKCS7_TEST_KEY PKCS8_PRIVATE_KEY_PARSER PLAYSTATION_FF PLFXLC PMIC_OPREGION PM_DEBUG PM_SLEEP_DEBUG PPP PPPOATM PPPOE PPPOL2TP PPP_ASYNC PPP_BSDCOMP PPP_DEFLATE PPP_FILTER PPP_MPPE PPP_MULTILINK PPP_SYNC_TTY PPTP PRISM2_USB PROC_CHILDREN PROC_KCORE PROC_MEM_ALWAYS_FORCE PSI PSTORE_842_COMPRESS PSTORE_LZ4HC_COMPRESS PSTORE_LZ4_COMPRESS PSTORE_LZO_COMPRESS PSTORE_ZSTD_COMPRESS QFMT_V2 QNX4FS_FS QNX6FS_FS QUOTA_NETLINK_INTERFACE QUOTA_TREE R8712U RADIO_ADAPTERS RADIO_SHARK RADIO_SHARK2 RADIO_TEA575X RC_ATI_REMOTE RC_XBOX_DVD RDMA_RXE RDMA_SIW RDS RDS_RDMA RDS_TCP READ_ONLY_THP_FOR_FS REALTEK_AUTOPM REED_SOLOMON REED_SOLOMON_DEC8 REGMAP_SOUNDWIRE REGULATOR_TWL4030 REISERFS_FS REISERFS_FS_POSIX_ACL REISERFS_FS_SECURITY REISERFS_FS_XATTR REISERFS_PROC_INFO RELAY RFKILL RFKILL_INPUT RFKILL_LEDS RMI4_2D_SENSOR RMI4_CORE RMI4_F03 RMI4_F03_SERIO RMI4_F11 RMI4_F12 RMI4_F30 ROCKCHIP_ANALOGIX_DP ROCKCHIP_CDN_DP ROCKCHIP_DW_HDMI ROCKCHIP_DW_MIPI_DSI ROCKCHIP_INNO_HDMI ROCKCHIP_LVDS ROCKCHIP_VOP ROMFS_BACKED_BY_BOTH ROMFS_FS ROMFS_ON_BLOCK ROMFS_ON_MTD ROSE RTC_DRV_HID_SENSOR_TIME RXKAD SCHEDSTATS SCSI_CONSTANTS SCSI_FC_ATTRS SCSI_HPSA SCSI_ISCSI_ATTRS SCSI_LOGGING SCSI_NETLINK SCSI_SCAN_ASYNC SCSI_SPI_ATTRS SCSI_SRP_ATTRS SCTP_COOKIE_HMAC_MD5 SCTP_COOKIE_HMAC_SHA1 SCTP_DEFAULT_COOKIE_HMAC_MD5 SECONDARY_TRUSTED_KEYRING SECURITY_INFINIBAND SECURITY_NETWORK_XFRM SENSORS_AQUACOMPUTER_D5NEXT SENSORS_CORSAIR_CPRO SENSORS_CORSAIR_PSU SENSORS_NZXT_KRAKEN2 SENSORS_NZXT_SMART2 SERIAL_8250_DETECT_IRQ SERIAL_8250_MANY_PORTS SERIAL_8250_RSA SERIO_SERPORT SGI_PARTITION SIGNATURE SIGNED_PE_FILE_VERIFICATION SLHC SLIP SLIP_COMPRESSED SLIP_MODE_SLIP6 SLIP_SMART SMARTJOYPLUS_FF SMBFS SMB_SERVER SMC SMC_DIAG SMS_SDIO_DRV SMS_SIANO_DEBUGFS SMS_SIANO_MDTV SMS_SIANO_RC SMS_USB_DRV SND SND_ALOOP SND_AUDIO_GRAPH_CARD SND_AUDIO_GRAPH_CARD2 SND_BCD2000 SND_BCM2835_SOC_I2S SND_COMPRESS_OFFLOAD SND_CTL_FAST_LOOKUP SND_CTL_LED SND_DEBUG SND_DMAENGINE_PCM SND_DRIVERS SND_DUMMY SND_DYNAMIC_MINORS SND_HDA SND_HDA_ALIGNED_MMIO SND_HDA_CODEC_ANALOG SND_HDA_CODEC_CA0110 SND_HDA_CODEC_CA0132 SND_HDA_CODEC_CIRRUS SND_HDA_CODEC_CMEDIA SND_HDA_CODEC_CONEXANT SND_HDA_CODEC_HDMI SND_HDA_CODEC_REALTEK SND_HDA_CODEC_SI3054 SND_HDA_CODEC_SIGMATEL SND_HDA_CODEC_VIA SND_HDA_COMPONENT SND_HDA_CORE SND_HDA_GENERIC SND_HDA_GENERIC_LEDS SND_HDA_HWDEP SND_HDA_INPUT_BEEP SND_HDA_INTEL SND_HDA_PATCH_LOADER SND_HDA_RECONFIG SND_HDA_TEGRA SND_HRTIMER SND_HWDEP SND_IMX_SOC SND_INTEL_DSP_CONFIG SND_INTEL_NHLT SND_INTEL_SOUNDWIRE_ACPI SND_JACK SND_JACK_INPUT_DEV SND_MESON_AIU SND_MESON_AXG_FIFO SND_MESON_AXG_FRDDR SND_MESON_AXG_PDM SND_MESON_AXG_SOUND_CARD SND_MESON_AXG_SPDIFIN SND_MESON_AXG_SPDIFOUT SND_MESON_AXG_TDMIN SND_MESON_AXG_TDMOUT SND_MESON_AXG_TDM_FORMATTER SND_MESON_AXG_TDM_INTERFACE SND_MESON_AXG_TODDR SND_MESON_CARD_UTILS SND_MESON_CODEC_GLUE SND_MESON_G12A_TOACODEC SND_MESON_G12A_TOHDMITX SND_MESON_GX_SOUND_CARD SND_MIXER_OSS SND_OSSEMUL SND_PCI SND_PCM SND_PCM_ELD SND_PCM_IEC958 SND_PCM_OSS SND_PCM_OSS_PLUGINS SND_PCM_TIMER SND_PCM_XRUN_DEBUG SND_PROC_FS SND_RAWMIDI SND_SEQUENCER SND_SEQUENCER_OSS SND_SEQ_DEVICE SND_SEQ_DUMMY SND_SEQ_MIDI SND_SEQ_MIDI_EVENT SND_SEQ_VIRMIDI SND_SIMPLE_CARD SND_SIMPLE_CARD_UTILS SND_SOC SND_SOC_ADAU7002 SND_SOC_AK4613 SND_SOC_APPLE_MCA SND_SOC_APQ8016_SBC SND_SOC_COMPRESS SND_SOC_DA7219 SND_SOC_DMIC SND_SOC_ES7134 SND_SOC_ES7241 SND_SOC_FSL_ASOC_CARD SND_SOC_FSL_ASRC SND_SOC_FSL_AUDMIX SND_SOC_FSL_EASRC SND_SOC_FSL_ESAI SND_SOC_FSL_MICFIL SND_SOC_FSL_SAI SND_SOC_FSL_SPDIF SND_SOC_FSL_SSI SND_SOC_FSL_UTILS SND_SOC_GENERIC_DMAENGINE_PCM SND_SOC_GTM601 SND_SOC_HDMI_CODEC SND_SOC_I2C_AND_SPI SND_SOC_IMX_AUDMIX SND_SOC_IMX_AUDMUX SND_SOC_IMX_PCM_DMA SND_SOC_IMX_SGTL5000 SND_SOC_IMX_SPDIF SND_SOC_LPASS_APQ8016 SND_SOC_LPASS_CDC_DMA SND_SOC_LPASS_CPU SND_SOC_LPASS_HDMI SND_SOC_LPASS_MACRO_COMMON SND_SOC_LPASS_PLATFORM SND_SOC_LPASS_RX_MACRO SND_SOC_LPASS_SC7180 SND_SOC_LPASS_SC7280 SND_SOC_LPASS_TX_MACRO SND_SOC_LPASS_VA_MACRO SND_SOC_LPASS_WSA_MACRO SND_SOC_MAX98357A SND_SOC_MAX98927 SND_SOC_MESON_T9015 SND_SOC_MSM8916_WCD_ANALOG SND_SOC_MSM8916_WCD_DIGITAL SND_SOC_MSM8996 SND_SOC_NAU8822 SND_SOC_PCM3168A SND_SOC_PCM3168A_I2C SND_SOC_QCOM SND_SOC_QCOM_COMMON SND_SOC_QCOM_SDW SND_SOC_QDSP6 SND_SOC_QDSP6_ADM SND_SOC_QDSP6_AFE SND_SOC_QDSP6_AFE_CLOCKS SND_SOC_QDSP6_AFE_DAI SND_SOC_QDSP6_APM SND_SOC_QDSP6_APM_DAI SND_SOC_QDSP6_APM_LPASS_DAI SND_SOC_QDSP6_ASM SND_SOC_QDSP6_ASM_DAI SND_SOC_QDSP6_COMMON SND_SOC_QDSP6_CORE SND_SOC_QDSP6_PRM SND_SOC_QDSP6_PRM_LPASS_CLOCKS SND_SOC_QDSP6_ROUTING SND_SOC_RCAR SND_SOC_RK3399_GRU_SOUND SND_SOC_RL6231 SND_SOC_ROCKCHIP SND_SOC_ROCKCHIP_I2S SND_SOC_ROCKCHIP_RT5645 SND_SOC_ROCKCHIP_SPDIF SND_SOC_RT5514 SND_SOC_RT5514_SPI SND_SOC_RT5645 SND_SOC_RT5659 SND_SOC_RT5663 SND_SOC_RT5682 SND_SOC_RT5682S SND_SOC_RT5682_I2C SND_SOC_RZ SND_SOC_SAMSUNG SND_SOC_SC7180 SND_SOC_SC7280 SND_SOC_SDM845 SND_SOC_SGTL5000 SND_SOC_SIMPLE_AMPLIFIER SND_SOC_SIMPLE_MUX SND_SOC_SM8250 SND_SOC_SPDIF SND_SOC_TAS571X SND_SOC_TEGRA SND_SOC_TEGRA186_ASRC SND_SOC_TEGRA186_DSPK SND_SOC_TEGRA210_ADMAIF SND_SOC_TEGRA210_ADX SND_SOC_TEGRA210_AHUB SND_SOC_TEGRA210_AMX SND_SOC_TEGRA210_DMIC SND_SOC_TEGRA210_I2S SND_SOC_TEGRA210_MIXER SND_SOC_TEGRA210_MVC SND_SOC_TEGRA210_OPE SND_SOC_TEGRA210_SFC SND_SOC_TEGRA_AUDIO_GRAPH_CARD SND_SOC_TLV320AIC31XX SND_SOC_TLV320AIC32X4 SND_SOC_TLV320AIC32X4_I2C SND_SOC_TOPOLOGY SND_SOC_WCD9335 SND_SOC_WCD934X SND_SOC_WCD938X SND_SOC_WCD938X_SDW SND_SOC_WCD_MBHC SND_SOC_WM8524 SND_SOC_WM8904 SND_SOC_WM8960 SND_SOC_WM8962 SND_SOC_WM8978 SND_SOC_WM8994 SND_SOC_WM_HUBS SND_SOC_WSA881X SND_SPI SND_SUN4I_I2S SND_SUN4I_SPDIF SND_SUN50I_CODEC_ANALOG SND_SUN8I_ADDA_PR_REGMAP SND_SUN8I_CODEC SND_SUN8I_CODEC_ANALOG SND_SUPPORT_OLD_API SND_TIMER SND_USB SND_USB_6FIRE SND_USB_AUDIO SND_USB_AUDIO_USE_MEDIA_CONTROLLER SND_USB_CAIAQ SND_USB_CAIAQ_INPUT SND_USB_HIFACE SND_USB_LINE6 SND_USB_POD SND_USB_PODHD SND_USB_TONEPORT SND_USB_UA101 SND_USB_VARIAX SND_VERBOSE_PROCFS SND_VIRMIDI SND_VIRTIO SND_VMASTER SOCK_VALIDATE_XMIT SOLARIS_X86_PARTITION SONY_FF SOUND SOUNDWIRE_QCOM SOUND_OSS_CORE SOUND_OSS_CORE_PRECLAIM SPI_DLN2 SQUASHFS_4K_DEVBLK_SIZE SQUASHFS_FILE_DIRECT SQUASHFS_LZ4 SQUASHFS_LZO SQUASHFS_XATTR SQUASHFS_XZ SQUASHFS_ZSTD SSB SSB_PCIHOST_POSSIBLE SSB_PCMCIAHOST_POSSIBLE SSB_SDIOHOST_POSSIBLE STREAM_PARSER SUN_PARTITION SW_SYNC SYN_COOKIES SYSV68_PARTITION SYSV_FS TABLET_USB_ACECAD TABLET_USB_AIPTEK TABLET_USB_HANWANG TABLET_USB_KBTAB TABLET_USB_PEGASUS TAHVO_USB TAHVO_USB_HOST_BY_DEFAULT TCG_CRB TCG_TIS_I2C_INFINEON TCG_TPM TCP_CONG_ADVANCED TCP_CONG_BBR TCP_CONG_BIC TCP_CONG_CDG TCP_CONG_DCTCP TCP_CONG_HSTCP TCP_CONG_HTCP TCP_CONG_HYBLA TCP_CONG_ILLINOIS TCP_CONG_LP TCP_CONG_NV TCP_CONG_SCALABLE TCP_CONG_VEGAS TCP_CONG_VENO TCP_CONG_WESTWOOD TCP_CONG_YEAH TCP_MD5SIG TEXTSEARCH TEXTSEARCH_BM TEXTSEARCH_FSM TEXTSEARCH_KMP THERMAL_NETLINK THRUSTMASTER_FF TIPC TIPC_CRYPTO TIPC_DIAG TIPC_MEDIA_IB TIPC_MEDIA_UDP TLS TLS_DEVICE TLS_TOE TOOLS_SUPPORT_RELR TOUCHSCREEN_ATMEL_MXT TRUSTED_KEYS TWL4030_CORE USB_STORAGE_REALTEK WEXT_CORE WIRELESS WIRELESS_EXT WLAN WLAN_VENDOR_ATH WLAN_VENDOR_PURELIFI XFRM ZONE_DEVICE] testing current HEAD 50cbba13faa294918f0e1a9cb2b0aba19f4e6fba testing commit 50cbba13faa294918f0e1a9cb2b0aba19f4e6fba gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ddc5b234d6921eee56670334f58ce77b3bdf02a8db8898af8dd685244b159d89 all runs: OK false negative chance: 0.000 # git bisect start 50cbba13faa294918f0e1a9cb2b0aba19f4e6fba 535ec20c50273d81b2cc7985fed2108dee0e65d7 Bisecting: 1931 revisions left to test after this (roughly 11 steps) [9bdb8e98a0073c73ab3e6c631ec78877ceb64565] smb3: fix for slab out of bounds on mount to ksmbd determine whether the revision contains the guilty commit revision 535ec20c50273d81b2cc7985fed2108dee0e65d7 crashed and is reachable testing commit 9bdb8e98a0073c73ab3e6c631ec78877ceb64565 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: bacf9dc502037bb174f35b5f94f317e4b0a21ebc7a6ef39775f30c2129c02c71 run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #9: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good 9bdb8e98a0073c73ab3e6c631ec78877ceb64565 Bisecting: 965 revisions left to test after this (roughly 10 steps) [3ac37e100385b59ac821a62118494442238aaac4] fs: ntfs3: Fix integer overflow in run_unpack() determine whether the revision contains the guilty commit revision 535ec20c50273d81b2cc7985fed2108dee0e65d7 crashed and is reachable testing commit 3ac37e100385b59ac821a62118494442238aaac4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c1f6dff549f09443e2b94782fa097180ec539c93e1762c66f60b1ed4d8395ec5 run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #9: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good 3ac37e100385b59ac821a62118494442238aaac4 Bisecting: 482 revisions left to test after this (roughly 9 steps) [577c99b479bc9f4a862daa0ce0927166a777abe4] drm/sched: Fix race in drm_sched_entity_select_rq() determine whether the revision contains the guilty commit revision 9bdb8e98a0073c73ab3e6c631ec78877ceb64565 crashed and is reachable testing commit 577c99b479bc9f4a862daa0ce0927166a777abe4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: d99f3b13fbf867adf060676261067479c9a7d9245a99b9d9cdfadbe61dced03d run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #9: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good 577c99b479bc9f4a862daa0ce0927166a777abe4 Bisecting: 241 revisions left to test after this (roughly 8 steps) [bd1469f0d99578f03c3294571b70879ff307569b] lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC determine whether the revision contains the guilty commit revision 535ec20c50273d81b2cc7985fed2108dee0e65d7 crashed and is reachable testing commit bd1469f0d99578f03c3294571b70879ff307569b gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: a3722c3e0a6e1d79c84129269f2d6fff7a995f0422aad1b26c862d1b6f96332d all runs: OK false negative chance: 0.000 # git bisect bad bd1469f0d99578f03c3294571b70879ff307569b Bisecting: 120 revisions left to test after this (roughly 7 steps) [ec61fb9ccc3c9697385b6e70e8883751b4b58f99] scsi: ufs: host: mediatek: Enhance recovery on resume failure determine whether the revision contains the guilty commit revision 535ec20c50273d81b2cc7985fed2108dee0e65d7 crashed and is reachable testing commit ec61fb9ccc3c9697385b6e70e8883751b4b58f99 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 3201cb434460e41593ecedaae5ee66923dd632193508deb9027d4941a8ab101e run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good ec61fb9ccc3c9697385b6e70e8883751b4b58f99 Bisecting: 60 revisions left to test after this (roughly 6 steps) [2f7fa94671652d4f0c20e8e8a2c6fc72e7a385bd] ALSA: usb-audio: add mono main switch to Presonus S1824c determine whether the revision contains the guilty commit revision 3ac37e100385b59ac821a62118494442238aaac4 crashed and is reachable testing commit 2f7fa94671652d4f0c20e8e8a2c6fc72e7a385bd gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 8c7dca65056544af548a0243e1d14da0c036e0b60032aea5f270d7157ec7c072 all runs: OK false negative chance: 0.000 # git bisect bad 2f7fa94671652d4f0c20e8e8a2c6fc72e7a385bd Bisecting: 29 revisions left to test after this (roughly 5 steps) [3b1ba87ed9fccfd2d3f8e3459c27060ae8a3c39f] usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs determine whether the revision contains the guilty commit revision ec61fb9ccc3c9697385b6e70e8883751b4b58f99 crashed and is reachable testing commit 3b1ba87ed9fccfd2d3f8e3459c27060ae8a3c39f gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: e00ee7bcce8bc502f19dfb71cfb8be446f703fb207a341b2304d106bd0537c67 run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #9: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #10: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #11: OK run #12: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good 3b1ba87ed9fccfd2d3f8e3459c27060ae8a3c39f Bisecting: 14 revisions left to test after this (roughly 4 steps) [f78f69d740e658408c8e19c3387ba0ba4983e959] PCI/PM: Skip resuming to D0 if device is disconnected determine whether the revision contains the guilty commit revision 535ec20c50273d81b2cc7985fed2108dee0e65d7 crashed and is reachable testing commit f78f69d740e658408c8e19c3387ba0ba4983e959 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ed11aae5d8d39ca3cc8610bbf0ffde2642246bb369283083f34838e594b0d362 run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good f78f69d740e658408c8e19c3387ba0ba4983e959 Bisecting: 7 revisions left to test after this (roughly 3 steps) [70ef849ca52bd0fe10a508168f90f0f9610ee204] scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate determine whether the revision contains the guilty commit revision 3ac37e100385b59ac821a62118494442238aaac4 crashed and is reachable testing commit 70ef849ca52bd0fe10a508168f90f0f9610ee204 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: f0a6d2985835433a8b4d2a8be24d84745bde30781fb0e23d1fae666223ad8a6f run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #9: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #10: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #11: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #12: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #13: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #14: OK run #15: OK run #16: OK run #17: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good 70ef849ca52bd0fe10a508168f90f0f9610ee204 Bisecting: 3 revisions left to test after this (roughly 2 steps) [3784bcd73670b70bceef67a4953ba5dfa2f538f4] net: macb: avoid dealing with endianness in macb_set_hwaddr() determine whether the revision contains the guilty commit revision 535ec20c50273d81b2cc7985fed2108dee0e65d7 crashed and is reachable testing commit 3784bcd73670b70bceef67a4953ba5dfa2f538f4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 2082265b8cb81876ad1abde474801746b746a89517ec8c0bcd1c7196764d1299 run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #9: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good 3784bcd73670b70bceef67a4953ba5dfa2f538f4 Bisecting: 1 revision left to test after this (roughly 1 step) [c419674cc74309ffaabc591e7200efb49a18fccd] Bluetooth: SCO: Fix UAF on sco_conn_free determine whether the revision contains the guilty commit revision 535ec20c50273d81b2cc7985fed2108dee0e65d7 crashed and is reachable testing commit c419674cc74309ffaabc591e7200efb49a18fccd gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: d85090967cda3fac4283c75a418f09eda610437c4c912c70da562d1ccb20aa3b run #0: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #1: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #2: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #3: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #4: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #5: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #6: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #7: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #8: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #9: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #10: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: crashed: BUG: unable to handle kernel paging request in bcsp_recv run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in bcsp_recv, types: [MEMORY_SAFETY_BUG] # git bisect good c419674cc74309ffaabc591e7200efb49a18fccd Bisecting: 0 revisions left to test after this (roughly 0 steps) [8b892dbef3887dbe9afdc7176d1a5fd90e1636aa] Bluetooth: bcsp: receive data only if registered determine whether the revision contains the guilty commit revision 9bdb8e98a0073c73ab3e6c631ec78877ceb64565 crashed and is reachable testing commit 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 3afd922f6d65a24db5ab18c7ed0b4cec8d85df5d200b87fcd6dfa7fc59156465 all runs: OK false negative chance: 0.000 # git bisect bad 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa is the first bad commit commit 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa Author: Ivan Pravdin Date: Sat Aug 30 16:03:40 2025 -0400 Bluetooth: bcsp: receive data only if registered [ Upstream commit ca94b2b036c22556c3a66f1b80f490882deef7a6 ] Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH. Reported-by: syzbot+4ed6852d4da4606c93da@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4ed6852d4da4606c93da Tested-by: syzbot+4ed6852d4da4606c93da@syzkaller.appspotmail.com Signed-off-by: Ivan Pravdin Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin drivers/bluetooth/hci_bcsp.c | 3 +++ 1 file changed, 3 insertions(+) accumulated error probability: 0.00 culprit signature: 3afd922f6d65a24db5ab18c7ed0b4cec8d85df5d200b87fcd6dfa7fc59156465 parent signature: d85090967cda3fac4283c75a418f09eda610437c4c912c70da562d1ccb20aa3b reproducer is flaky (0.35 repro chance estimate) revisions tested: 20, total time: 7h8m47.633774028s (build: 3h9m7.627563889s, test: 3h47m40.900250121s) first good commit: 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa Bluetooth: bcsp: receive data only if registered recipients (to): ["ipravdin.official@gmail.com" "luiz.von.dentz@intel.com" "sashal@kernel.org" "syzbot+4ed6852d4da4606c93da@syzkaller.appspotmail.com"] recipients (cc): []