ci2 starts bisection 2024-09-30 00:18:41.367090295 +0000 UTC m=+138790.411153495 bisecting fixing commit since af361f9a1066ff9442eabafc458ff373481499a4 building syzkaller on 51c4dcff83b0574620c280cc5130ef59cc4a2e32 ensuring issue is reproducible on original commit af361f9a1066ff9442eabafc458ff373481499a4 testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4712ccbd694a0c849c21f50ecc77ca572bf1e570b46c076a5b9736e615434748 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 6c2c026fd34f33f42c3441a1c3764cb9a8c1687b114bd3125d7b77d782ab1600 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed kconfig minimization: base=5179 full=6491 leaves diff=256 split chunks (needed=false): <256> split chunk #0 of len 256 into 5 parts testing without sub-chunk 1/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5ba6ed911ceb86458f52d797d14bd848ae0240330f73cc5853a58e740151a7ab all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7b2af600acdf8bb89c0d192cfdc982883e7c874f47d50445ee05558e4e83bc83 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8bd21b3c5892a2c902323b208898a4bc3725fdc59a2b202095d079db24fbd8b4 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1dac4a1692db79cebfc2ed3f6760773ad03b22e1dabf24ddb16a73008eac995a all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building af361f9a1066ff9442eabafc458ff373481499a4: net/socket.c:1245: undefined reference to `wext_handle_ioctl' net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing current HEAD 1105954181599e104121e3563c15f11dcb1c9ed0 testing commit 1105954181599e104121e3563c15f11dcb1c9ed0 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 21ad6bf1647100fe0d91bacd6d1c485ec2b5d4e26817d1989fb0403559845d37 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 41m57.383783862s (build: 19m15.046860581s, test: 20m8.684398602s) crash still not fixed or there were kernel test errors commit msg: UPSTREAM: usb: dwc3: core: update LC timer as per USB Spec V3.2 crash: KASAN: use-after-free Write in virtio_transport_recv_pkt ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: use-after-free in do_raw_spin_lock include/linux/spinlock.h:187 [inline] BUG: KASAN: use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x97/0x1b0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88811de8d808 by task kworker/1:0/23 CPU: 1 PID: 23 Comm: kworker/1:0 Not tainted 6.1.99-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: vsock-loopback vsock_loopback_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x105/0x148 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37 instrument_atomic_read_write include/linux/instrumented.h:102 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:187 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x97/0x1b0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1171 [inline] virtio_transport_recv_pkt+0x4fb/0x3ca0 net/vmw_vsock/virtio_transport_common.c:1307 vsock_loopback_work+0x376/0x3d0 net/vmw_vsock/vsock_loopback.c:137 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299 worker_thread+0x892/0xf20 kernel/workqueue.c:2446 kthread+0x215/0x270 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 Allocated by task 593: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 ____kasan_kmalloc mm/kasan/common.c:379 [inline] __kasan_kmalloc+0x9c/0xb0 mm/kasan/common.c:388 kasan_kmalloc include/linux/kasan.h:212 [inline] kmalloc_trace+0x44/0xa0 mm/slab_common.c:1052 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:692 [inline] virtio_transport_do_socket_init+0x51/0x290 net/vmw_vsock/virtio_transport_common.c:604 vsock_assign_transport+0x376/0x4f0 net/vmw_vsock/af_vsock.c:506 vsock_connect+0x3c7/0xb90 net/vmw_vsock/af_vsock.c:1361 __sys_connect_file net/socket.c:1996 [inline] __sys_connect+0x304/0x370 net/socket.c:2013 __do_sys_connect net/socket.c:2023 [inline] __se_sys_connect net/socket.c:2020 [inline] __x64_sys_connect+0x75/0x80 net/socket.c:2020 x64_sys_call+0x14e/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 593: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 kasan_slab_free include/linux/kasan.h:178 [inline] slab_free_hook mm/slub.c:1745 [inline] slab_free_freelist_hook mm/slub.c:1771 [inline] slab_free mm/slub.c:3684 [inline] __kmem_cache_free+0x1fa/0x370 mm/slub.c:3697 kfree+0x7a/0xf0 mm/slab_common.c:1009 virtio_transport_destruct+0x36/0x40 net/vmw_vsock/virtio_transport_common.c:815 vsock_deassign_transport net/vmw_vsock/af_vsock.c:421 [inline] vsock_assign_transport+0x23f/0x4f0 net/vmw_vsock/af_vsock.c:489 vsock_connect+0x3c7/0xb90 net/vmw_vsock/af_vsock.c:1361 __sys_connect_file net/socket.c:1996 [inline] __sys_connect+0x304/0x370 net/socket.c:2013 __do_sys_connect net/socket.c:2023 [inline] __se_sys_connect net/socket.c:2020 [inline] __x64_sys_connect+0x75/0x80 net/socket.c:2020 x64_sys_call+0x14e/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff88811de8d800 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 8 bytes inside of 96-byte region [ffff88811de8d800, ffff88811de8d860) The buggy address belongs to the physical page: page:ffffea000477a340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11de8d flags: 0x4000000000000200(slab|zone=1) raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042900 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 445, tgid 445 (udevd), ts 49201377485, free_ts 46946586931 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2590 [inline] prep_new_page+0x512/0x5e0 mm/page_alloc.c:2597 get_page_from_freelist+0x288b/0x2910 mm/page_alloc.c:4425 __alloc_pages+0x39f/0x780 mm/page_alloc.c:5714 alloc_slab_page+0x6c/0xf0 allocate_slab mm/slub.c:1962 [inline] new_slab+0x7b/0x370 mm/slub.c:2015 ___slab_alloc+0x611/0x9a0 mm/slub.c:3203 __slab_alloc+0x52/0x90 mm/slub.c:3302 slab_alloc_node mm/slub.c:3387 [inline] __kmem_cache_alloc_node+0x1af/0x250 mm/slub.c:3460 kmalloc_trace+0x2a/0xa0 mm/slab_common.c:1047 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:692 [inline] kernfs_get_open_node fs/kernfs/file.c:568 [inline] kernfs_fop_open+0x60b/0xa40 fs/kernfs/file.c:736 do_dentry_open+0x620/0xdc0 fs/open.c:884 vfs_open+0x6e/0x80 fs/open.c:1015 do_open fs/namei.c:3627 [inline] path_openat+0x1eb0/0x2440 fs/namei.c:3784 do_filp_open+0x226/0x430 fs/namei.c:3811 do_sys_openat2+0x103/0x6e0 fs/open.c:1341 do_sys_open fs/open.c:1357 [inline] __do_sys_openat fs/open.c:1373 [inline] __se_sys_openat fs/open.c:1368 [inline] __x64_sys_openat+0x209/0x250 fs/open.c:1368 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1498 [inline] free_pcp_prepare mm/page_alloc.c:1572 [inline] free_unref_page_prepare+0x794/0x7a0 mm/page_alloc.c:3498 free_unref_page+0xb2/0x5b0 mm/page_alloc.c:3594 free_the_page mm/page_alloc.c:798 [inline] __free_pages+0x67/0xd0 mm/page_alloc.c:5803 __vunmap+0x401/0x7b0 mm/vmalloc.c:2728 free_work+0x41/0x70 mm/vmalloc.c:98 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299 worker_thread+0x892/0xf20 kernel/workqueue.c:2446 kthread+0x215/0x270 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 Memory state around the buggy address: ffff88811de8d700: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ffff88811de8d780: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88811de8d800: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88811de8d880: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88811de8d900: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ==================================================================