ci2 starts bisection 2023-05-10 21:27:40.721504329 +0000 UTC m=+42056.440834090
bisecting fixing commit since d9b4a0c83a2d405dd85bf32d672686146b9bedff
building syzkaller on f08b59ac0d8759f409d594ddca4f08c920e23237
ensuring issue is reproducible on original commit d9b4a0c83a2d405dd85bf32d672686146b9bedff
testing commit d9b4a0c83a2d405dd85bf32d672686146b9bedff gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9f11b24ee637fb2ea9fffd15c16685c9b8227f4fd864f1873e8923b608b413b3
all runs: crashed: general protection fault in sctp_outq_tail
testing current HEAD 8a7f2a5c5aa1648edb4f2029c6ec33870afb7a95
testing commit 8a7f2a5c5aa1648edb4f2029c6ec33870afb7a95 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dfc5ce5b9f8a9fe92123e014eac29db48633e4677f24603843a33ef7773582fd
all runs: OK
# git bisect start 8a7f2a5c5aa1648edb4f2029c6ec33870afb7a95 d9b4a0c83a2d405dd85bf32d672686146b9bedff
Bisecting: 736 revisions left to test after this (roughly 10 steps)
[30e29af746ee83276525357ff637f878da91f92d] fs: dlm: start midcomms before scand
testing commit 30e29af746ee83276525357ff637f878da91f92d gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 98eccc0d77bb5990c38bde92b6bbee82d58993b45ed8ac8b3caa63fdc12a522f
all runs: crashed: general protection fault in sctp_outq_tail
# git bisect good 30e29af746ee83276525357ff637f878da91f92d
Bisecting: 368 revisions left to test after this (roughly 9 steps)
[443c9d522397511a4328dc2ec3c9c63c73049756] dm stats: check for and propagate alloc_percpu failure
testing commit 443c9d522397511a4328dc2ec3c9c63c73049756 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eb8c3392e88cd9fa9600445d4cf721e192ab47d31ea4a5bc949cf4ec3971fd42
all runs: crashed: general protection fault in sctp_outq_tail
# git bisect good 443c9d522397511a4328dc2ec3c9c63c73049756
Bisecting: 184 revisions left to test after this (roughly 8 steps)
[33d5d4e67a0e13c3ca6257fa67bf6503bc000878] tracing: Free error logs of tracing instances
testing commit 33d5d4e67a0e13c3ca6257fa67bf6503bc000878 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a9db4f086ff92d76e1e47316a6611bfa6837d30844d7ee2d84fbfe9640687ac6
all runs: OK
# git bisect bad 33d5d4e67a0e13c3ca6257fa67bf6503bc000878
Bisecting: 91 revisions left to test after this (roughly 7 steps)
[9097ba15ea5c469dcf29f00b82b54b1885b5d103] xtensa: fix KASAN report for show_stack
testing commit 9097ba15ea5c469dcf29f00b82b54b1885b5d103 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 345cb6ae473874830bbda3df430e8279429d91db2422f90c8e84c86fe5c1260d
all runs: crashed: general protection fault in sctp_outq_tail
# git bisect good 9097ba15ea5c469dcf29f00b82b54b1885b5d103
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[cccdb30935c82be805d3362a15680b95d5cb3ee0] platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings
testing commit cccdb30935c82be805d3362a15680b95d5cb3ee0 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fbba45824f4464b2135cebcab4a6230980365a6326a70264ae2e239c32cf80e9
all runs: OK
# git bisect bad cccdb30935c82be805d3362a15680b95d5cb3ee0
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[7798cd69cfc31910409a61748d6cbe926e243bd6] platform/x86: int3472: Split into 2 drivers
testing commit 7798cd69cfc31910409a61748d6cbe926e243bd6 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 62328f37aff01bfe5219c0421cfe12a9eb4afe0b0a28e83efd2c3ba7842aa9a5
all runs: crashed: general protection fault in sctp_outq_tail
# git bisect good 7798cd69cfc31910409a61748d6cbe926e243bd6
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[32a8dc8d9ebe80eb352cf80d33c6c4a32aa1e18d] KVM: s390: pv: fix external interruption loop not always detected
testing commit 32a8dc8d9ebe80eb352cf80d33c6c4a32aa1e18d gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: edef042973a85f57d9bffd6a41248259179dd3708678c576b5517f6487154a08
all runs: crashed: general protection fault in sctp_outq_tail
# git bisect good 32a8dc8d9ebe80eb352cf80d33c6c4a32aa1e18d
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[5d1007e81fb6c58104cc9a01d4f54a6bd95fea94] net: don't let netpoll invoke NAPI if in xmit context
testing commit 5d1007e81fb6c58104cc9a01d4f54a6bd95fea94 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dd7a3277936fa8a90f64a0cf484df29666fe885ec59acdeb71e095785675a40a
all runs: crashed: general protection fault in sctp_outq_tail
# git bisect good 5d1007e81fb6c58104cc9a01d4f54a6bd95fea94
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[926c8299ac3d4e9a6f3c9ec3ae8d00b17956d667] net: qrtr: Do not do DEL_SERVER broadcast after DEL_CLIENT
testing commit 926c8299ac3d4e9a6f3c9ec3ae8d00b17956d667 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a1989b30521c70a7975a3bef5d0dea7d986bc0c6823aa70d27f67b0d34b8669a
all runs: OK
# git bisect bad 926c8299ac3d4e9a6f3c9ec3ae8d00b17956d667
Bisecting: 0 revisions left to test after this (roughly 1 step)
[667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f] sctp: check send stream number after wait_for_sndbuf
testing commit 667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 71a22bcad96a16b98c8cd381ed249961b989a32f7801334aad886ddfab3e86f5
all runs: OK
# git bisect bad 667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9692e16b5991e3a4ef701eaa0e13b028f95c3608] net: dsa: mv88e6xxx: Reset mv88e6393x force WD event bit
testing commit 9692e16b5991e3a4ef701eaa0e13b028f95c3608 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dd7a3277936fa8a90f64a0cf484df29666fe885ec59acdeb71e095785675a40a
all runs: crashed: general protection fault in sctp_outq_tail
# git bisect good 9692e16b5991e3a4ef701eaa0e13b028f95c3608
667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f is the first bad commit
commit 667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f
Author: Xin Long
Date:   Sat Apr 1 19:09:57 2023 -0400

    sctp: check send stream number after wait_for_sndbuf

    [ Upstream commit 2584024b23552c00d95b50255e47bd18d306d31a ]

    This patch fixes a corner case where the asoc out stream count may
    change after wait_for_sndbuf.

    When the main thread in the client starts a connection, if its out
    stream count is set to N while the in stream count in the server is
    set to N - 2, another thread in the client keeps sending the msgs
    with stream number N - 1, and waits for sndbuf before processing
    INIT_ACK. However, after processing INIT_ACK, the out stream count
    in the client is shrunk to N - 2, the same to the in stream count
    in the server. The crash occurs when the thread waiting for sndbuf
    is awake and sends the msg in a non-existing stream (N - 1), the
    call trace is as below:

      KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
      Call Trace:
        sctp_cmd_send_msg net/sctp/sm_sideeffect.c:1114 [inline]
        sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1777 [inline]
        sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
        sctp_do_sm+0x197d/0x5310 net/sctp/sm_sideeffect.c:1170
        sctp_primitive_SEND+0x9f/0xc0 net/sctp/primitive.c:163
        sctp_sendmsg_to_asoc+0x10eb/0x1a30 net/sctp/socket.c:1868
        sctp_sendmsg+0x8d4/0x1d90 net/sctp/socket.c:2026
        inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:825
        sock_sendmsg_nosec net/socket.c:722 [inline]
        sock_sendmsg+0xde/0x190 net/socket.c:745

    The fix is to add an unlikely check for the send stream number after
    the thread wakes up from the wait_for_sndbuf.

    Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
    Reported-by: syzbot+47c24ca20a2fa01f082e@syzkaller.appspotmail.com
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

 net/sctp/socket.c | 4 ++++
 1 file changed, 4 insertions(+)

culprit signature: 71a22bcad96a16b98c8cd381ed249961b989a32f7801334aad886ddfab3e86f5
parent signature: dd7a3277936fa8a90f64a0cf484df29666fe885ec59acdeb71e095785675a40a
revisions tested: 13, total time: 6h59m54.424815257s (build: 5h26m26.622939993s, test: 1h30m38.035692441s)
first good commit: 667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f sctp: check send stream number after wait_for_sndbuf
recipients (to): ["davem@davemloft.net" "lucien.xin@gmail.com" "sashal@kernel.org"]
recipients (cc): []