ci2 starts bisection 2025-03-24 01:44:46.454513887 +0000 UTC m=+9951.269625303 bisecting fixing commit since af361f9a1066ff9442eabafc458ff373481499a4 building syzkaller on 51c4dcff83b0574620c280cc5130ef59cc4a2e32 ensuring issue is reproducible on original commit af361f9a1066ff9442eabafc458ff373481499a4 testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4a31107b0158dd28f27d141a75d7c9aeacc536b4739af011676b6a4aa31c7f3d all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5be11f045bf15e750d23b37f746373e4759eecd1013475f1d0726bb19d47e236 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed kconfig minimization: base=5179 full=6491 leaves diff=256 split chunks (needed=false): <256> split chunk #0 of len 256 into 5 parts testing without sub-chunk 1/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: cf351d22233a9c4c7c01f0ddc5da116cf0a5a1738284efe3b28c5f5b0399efd9 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: cdf1cdc5a1f56c68cc2653d5cc00e3a7903e9eae28eb479f12e53ed466f2a0e5 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f7949b1ee87c29e7fc90f29e17def80da6eb92f93460d5a8627214b0c6db02a4 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 426f1a4c33b3b63ee0ec143cc615e70bfd8923f050e4cfeacd72de16e856412a all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building af361f9a1066ff9442eabafc458ff373481499a4: net/socket.c:1245: undefined reference to `wext_handle_ioctl' net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing current HEAD 5145d157731fcdde380e5da461c483b5080a8df5 testing commit 5145d157731fcdde380e5da461c483b5080a8df5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f31e6739c428d19501b92dd5f1b2458d6c7e33a5b8af59ac61e4739de7d4efca all runs: OK false negative chance: 0.000 # git bisect start 5145d157731fcdde380e5da461c483b5080a8df5 af361f9a1066ff9442eabafc458ff373481499a4 Bisecting: 4617 revisions left to test after this (roughly 12 steps) [ce7172b0d54c2152e577d040194f858910299187] selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT determine whether the revision contains the guilty commit checking the merge base 883d1a9562083922c6d293e9adad8cca4626adf3 no existing result, test the revision testing commit 883d1a9562083922c6d293e9adad8cca4626adf3 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7ebb2c900a0348bf0f0250ca782ac00b6e4ee5f09032c7e429566c3fc3220147 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] testing commit ce7172b0d54c2152e577d040194f858910299187 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building ce7172b0d54c2152e577d040194f858910299187: ./include/linux/blk-integrity.h:181:9: error: returning 'struct bio_vec' from a function with incompatible result type 'struct bio_vec *'; take the address with & # git bisect skip ce7172b0d54c2152e577d040194f858910299187 Bisecting: 4613 revisions left to test after this (roughly 12 steps) [673e7132108febcd3e71a2b351843668d7524c08] wifi: nl80211: don't give key data to userspace determine whether the revision contains the guilty commit revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable testing commit 673e7132108febcd3e71a2b351843668d7524c08 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building 673e7132108febcd3e71a2b351843668d7524c08: ./include/linux/blk-integrity.h:181:9: error: returning 'struct bio_vec' from a function with incompatible result type 'struct bio_vec *'; take the address with & # git bisect skip 673e7132108febcd3e71a2b351843668d7524c08 Bisecting: 4613 revisions left to test after this (roughly 12 steps) [e19c6fe81d8a35607bb325a32c3c85a673a538a1] clk: imx: composite-8m: Less function calls in __imx8m_clk_hw_composite() after error detection determine whether the revision contains the guilty commit revision ce7172b0d54c2152e577d040194f858910299187 crashed and is reachable testing commit e19c6fe81d8a35607bb325a32c3c85a673a538a1 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ee3a3f1478c2631bfab381d594e8a752f611a391eb0ed22c5562d6ed79bb56fc all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] # git bisect good e19c6fe81d8a35607bb325a32c3c85a673a538a1 Bisecting: 1724 revisions left to test after this (roughly 11 steps) [c1c2c835a0f83a370bb7b5f36f43b9d46127c266] net/mlx5e: Remove workaround to avoid syndrome for internal port determine whether the revision contains the guilty commit revision 673e7132108febcd3e71a2b351843668d7524c08 crashed and is reachable testing commit c1c2c835a0f83a370bb7b5f36f43b9d46127c266 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: be5424baa3963af1579c265c9a5b8895698bff0bbeb319ec7363c8a18cd1ee83 all runs: crashed: general protection fault in vsock_stream_has_data representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN] # git bisect good c1c2c835a0f83a370bb7b5f36f43b9d46127c266 Bisecting: 861 revisions left to test after this (roughly 10 steps) [87f1720a7fcd86fc2de899ba0263b46e5caec508] Revert "device property: Constify device child node APIs" determine whether the revision contains the guilty commit revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable testing commit 87f1720a7fcd86fc2de899ba0263b46e5caec508 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: fd9e7381782b317ef64e8c0c93cde34141e1c55d998fc28aec880c1f594d5d6c all runs: crashed: general protection fault in vsock_stream_has_data representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN] # git bisect good 87f1720a7fcd86fc2de899ba0263b46e5caec508 Bisecting: 430 revisions left to test after this (roughly 9 steps) [397383db9c69470642ac95beb04f2150928d663b] sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers determine whether the revision contains the guilty commit revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable testing commit 397383db9c69470642ac95beb04f2150928d663b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 6c13a785013ac24412541c40df48e007fe7acef679044e18a2227947078a9d80 all runs: crashed: general protection fault in vsock_stream_has_data representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN] # git bisect good 397383db9c69470642ac95beb04f2150928d663b Bisecting: 221 revisions left to test after this (roughly 8 steps) [0cbb5f65e52f3e66410a7fe0edf75e1b2bf41e80] Linux 6.1.128 determine whether the revision contains the guilty commit revision c1c2c835a0f83a370bb7b5f36f43b9d46127c266 crashed and is reachable testing commit 0cbb5f65e52f3e66410a7fe0edf75e1b2bf41e80 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 44664028b5ea93c51285c160fa7cc604f0c3d5cd2c85027fab09392c2eb7c5b7 all runs: OK false negative chance: 0.000 # git bisect bad 0cbb5f65e52f3e66410a7fe0edf75e1b2bf41e80 Bisecting: 104 revisions left to test after this (roughly 7 steps) [edb43b46a2b6a20a59478033ffa34d431988da47] net/mlx5: Fix RDMA TX steering prio determine whether the revision contains the guilty commit revision ce7172b0d54c2152e577d040194f858910299187 crashed and is reachable testing commit edb43b46a2b6a20a59478033ffa34d431988da47 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f6a55973bfcc321d218d48f151a97c8622a52661e71dd2effa451ead312c2075 all runs: crashed: general protection fault in vsock_stream_has_data representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN] # git bisect good edb43b46a2b6a20a59478033ffa34d431988da47 Bisecting: 52 revisions left to test after this (roughly 6 steps) [060de3717c4a9831035d04a00b5bb224d0c89667] x86/xen: fix SLS mitigation in xen_hypercall_iret() determine whether the revision contains the guilty commit revision c1c2c835a0f83a370bb7b5f36f43b9d46127c266 crashed and is reachable testing commit 060de3717c4a9831035d04a00b5bb224d0c89667 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e1a1a09c3226dc1c3dc82cb4522aedb57763cd0385111955330e23443a9b9edd all runs: OK false negative chance: 0.000 # git bisect bad 060de3717c4a9831035d04a00b5bb224d0c89667 Bisecting: 25 revisions left to test after this (roughly 5 steps) [cc586af35b24824c60b95fd0b6c0667aded96b47] vsock: reset socket state when de-assigning the transport determine whether the revision contains the guilty commit revision c1c2c835a0f83a370bb7b5f36f43b9d46127c266 crashed and is reachable testing commit cc586af35b24824c60b95fd0b6c0667aded96b47 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 017834ac6f20b35f159d326dff1a4b38856d7443ee3dd341d21a2908149f08c5 all runs: OK false negative chance: 0.000 # git bisect bad cc586af35b24824c60b95fd0b6c0667aded96b47 Bisecting: 12 revisions left to test after this (roughly 4 steps) [435df80d4678a61c2f094e0cb3be5eeb30b3be03] scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers determine whether the revision contains the guilty commit revision 883d1a9562083922c6d293e9adad8cca4626adf3 crashed and is reachable testing commit 435df80d4678a61c2f094e0cb3be5eeb30b3be03 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0f2eda30dd2917f00356b68e395f81742c849e19fc7099711b128ab22c44292a all runs: crashed: general protection fault in vsock_stream_has_data representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN] # git bisect good 435df80d4678a61c2f094e0cb3be5eeb30b3be03 Bisecting: 6 revisions left to test after this (roughly 3 steps) [f983099430c5c16c0eba069db4ce5350554cc9f5] ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA determine whether the revision contains the guilty commit revision c1c2c835a0f83a370bb7b5f36f43b9d46127c266 crashed and is reachable testing commit f983099430c5c16c0eba069db4ce5350554cc9f5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 47d010d5943b45ea7750289300a291761a0bce32c7b6260191ca371e49b2f3ed all runs: crashed: general protection fault in vsock_stream_has_data representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN] # git bisect good f983099430c5c16c0eba069db4ce5350554cc9f5 Bisecting: 2 revisions left to test after this (roughly 2 steps) [435349d49fcac3bc8d311f5425406403da986e03] net: ethernet: xgbe: re-add aneg to supported features in PHY quirks determine whether the revision contains the guilty commit revision 435df80d4678a61c2f094e0cb3be5eeb30b3be03 crashed and is reachable testing commit 435349d49fcac3bc8d311f5425406403da986e03 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e77db90da75645bf261676972c5c663a6eb3441259eaaa80260666a1056f5be6 all runs: crashed: general protection fault in vsock_stream_has_data representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN] # git bisect good 435349d49fcac3bc8d311f5425406403da986e03 Bisecting: 1 revision left to test after this (roughly 1 step) [88244163bc7e7b0ce9dd7bf4c8a563b41525c3ee] vsock/virtio: discard packets if the transport changes determine whether the revision contains the guilty commit revision c1c2c835a0f83a370bb7b5f36f43b9d46127c266 crashed and is reachable testing commit 88244163bc7e7b0ce9dd7bf4c8a563b41525c3ee gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c283087d8216d2761fd1becc52de648cd025b08f2ac94c0e56597b6c83c770a2 all runs: crashed: general protection fault in vsock_stream_has_data representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN] # git bisect good 88244163bc7e7b0ce9dd7bf4c8a563b41525c3ee Bisecting: 0 revisions left to test after this (roughly 0 steps) [a3c9390f14cc590ca71407a908ca0482af583fa0] vsock/virtio: cancel close work in the destructor determine whether the revision contains the guilty commit revision f983099430c5c16c0eba069db4ce5350554cc9f5 crashed and is reachable testing commit a3c9390f14cc590ca71407a908ca0482af583fa0 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 272bd2bb25f1e89c0584a0e8b1703d2b3ca101b279dd981063226b7ec0dca343 all runs: OK false negative chance: 0.000 # git bisect bad a3c9390f14cc590ca71407a908ca0482af583fa0 a3c9390f14cc590ca71407a908ca0482af583fa0 is the first bad commit commit a3c9390f14cc590ca71407a908ca0482af583fa0 Author: Stefano Garzarella Date: Fri Jan 10 09:35:09 2025 +0100 vsock/virtio: cancel close work in the destructor commit df137da9d6d166e87e40980e36eb8e0bc90483ef upstream. During virtio_transport_release() we can schedule a delayed work to perform the closing of the socket before destruction. The destructor is called either when the socket is really destroyed (reference counter to zero), or it can also be called when we are de-assigning the transport. In the former case, we are sure the delayed work has completed, because it holds a reference until it completes, so the destructor will definitely be called after the delayed work is finished. But in the latter case, the destructor is called by AF_VSOCK core, just after the release(), so there may still be delayed work scheduled. Refactor the code, moving the code to delete the close work already in the do_close() to a new function. Invoke it during destruction to make sure we don't leave any pending work. Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") Cc: stable@vger.kernel.org Reported-by: Hyunwoo Kim Closes: https://lore.kernel.org/netdev/Z37Sh+utS+iV3+eb@v4bel-B760M-AORUS-ELITE-AX/ Signed-off-by: Stefano Garzarella Reviewed-by: Luigi Leonardi Tested-by: Hyunwoo Kim Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman net/vmw_vsock/virtio_transport_common.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) accumulated error probability: 0.00 culprit signature: 272bd2bb25f1e89c0584a0e8b1703d2b3ca101b279dd981063226b7ec0dca343 parent signature: c283087d8216d2761fd1becc52de648cd025b08f2ac94c0e56597b6c83c770a2 revisions tested: 21, total time: 4h4m58.34360115s (build: 1h45m22.02821381s, test: 2h6m46.83510109s) first good commit: a3c9390f14cc590ca71407a908ca0482af583fa0 vsock/virtio: cancel close work in the destructor recipients (to): ["gregkh@linuxfoundation.org" "leonardi@redhat.com" "pabeni@redhat.com" "sgarzare@redhat.com" "v4bel@theori.io"] recipients (cc): []