ci2 starts bisection 2025-02-21 20:30:06.540093054 +0000 UTC m=+8449.576521836
bisecting fixing commit since af361f9a1066ff9442eabafc458ff373481499a4
building syzkaller on 51c4dcff83b0574620c280cc5130ef59cc4a2e32
ensuring issue is reproducible on original commit af361f9a1066ff9442eabafc458ff373481499a4
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c2a44ae0853bb97ae93ca138c845bd46a8e3166ed5ccf31de8223ddcc19ad8d8
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 673cb221a4431b323988896e4b6dce14a42c9fcdbc8ea614c0d9fe35a2154a72
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=5179 full=6491 leaves diff=256
split chunks (needed=false): <256>
split chunk #0 of len 256 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e086b9369ed7f2d6b631ed4afd75314f2f73a129afa67872ae67366e996f3e71
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7c02c6bd1a14109477ba4703baca10300f402d75fc6f559a7a29c1a6b392a254
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e200f42d19dc59cddff50c017d583a692586e76d402956a47ed246c00036a646
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9c3fcb90f68a40d5082ade03eff7341c7db726e6e6b2a2bfeb3b33783341d14b
all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt
representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building af361f9a1066ff9442eabafc458ff373481499a4: net/socket.c:1245: undefined reference to `wext_handle_ioctl'
net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 52a41f0bf15cddb56577b6b5ae22bfbfaee022e2
testing commit 52a41f0bf15cddb56577b6b5ae22bfbfaee022e2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 991764156ef2e78a2cbdee74972caff52951bb77887983d5fd6b5b48a8b17455
all runs: crashed: general protection fault in vsock_stream_has_data
representative crash: general protection fault in vsock_stream_has_data, types: [UNKNOWN]
crash still not fixed/happens on the oldest tested release
revisions tested: 7, total time: 54m43.725871785s (build: 26m16.551083803s, test: 24m57.183411656s)
crash still not fixed or there were kernel test errors
commit msg: ANDROID: usb: typec: tcpci: Combine the parameters of set_auto_vbus_discharge_threshold
crash: general protection fault in vsock_stream_has_data
general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 1 PID: 35 Comm: kworker/1:1 Not tainted 6.1.124-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: vsock-loopback vsock_loopback_work
RIP: 0010:vsock_stream_has_data+0x41/0x60 net/vmw_vsock/af_vsock.c:869
Code: 8d 9f 60 03 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 9d 9b 92 fd 48 8b 1b 48 83 c3 60 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 80 9b 92 fd 4c 89 f7 ff 13 5b 41
RSP: 0018:ffffc9000024f5b8 EFLAGS: 00010206
RAX: 000000000000000c RBX: 0000000000000060 RCX: ffffffff841193ff
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888110dfddc0
RBP: ffffc9000024f5d0 R08: dffffc0000000000 R09: ffffed10221bfbc5
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888110dfddc0
R13: dffffc0000000000 R14: ffff888110dfddc0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff4059fef80 CR3: 000000011b5c1000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 virtio_transport_do_close+0x62/0x350 net/vmw_vsock/virtio_transport_common.c:910
 virtio_transport_recv_disconnecting net/vmw_vsock/virtio_transport_common.c:1138 [inline]
 virtio_transport_recv_pkt+0x113a/0x3f00 net/vmw_vsock/virtio_transport_common.c:1338
 vsock_loopback_work+0x376/0x3d0 net/vmw_vsock/vsock_loopback.c:137
 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299
 worker_thread+0x892/0xf20 kernel/workqueue.c:2446
 kthread+0x215/0x270 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vsock_stream_has_data+0x41/0x60 net/vmw_vsock/af_vsock.c:869
Code: 8d 9f 60 03 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 9d 9b 92 fd 48 8b 1b 48 83 c3 60 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 80 9b 92 fd 4c 89 f7 ff 13 5b 41
RSP: 0018:ffffc9000024f5b8 EFLAGS: 00010206
RAX: 000000000000000c RBX: 0000000000000060 RCX: ffffffff841193ff
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888110dfddc0
RBP: ffffc9000024f5d0 R08: dffffc0000000000 R09: ffffed10221bfbc5
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888110dfddc0
R13: dffffc0000000000 R14: ffff888110dfddc0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f38e837c038 CR3: 000000011d442000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	8d 9f 60 03 00 00    	lea    0x360(%rdi),%ebx
   6:	48 89 d8             	mov    %rbx,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
  12:	74 08                	je     0x1c
  14:	48 89 df             	mov    %rbx,%rdi
  17:	e8 9d 9b 92 fd       	call   0xfd929bb9
  1c:	48 8b 1b             	mov    (%rbx),%rbx
  1f:	48 83 c3 60          	add    $0x60,%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 80 9b 92 fd       	call   0xfd929bb9
  39:	4c 89 f7             	mov    %r14,%rdi
  3c:	ff 13                	call   *(%rbx)
  3e:	5b                   	pop    %rbx
  3f:	41                   	rex.B
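Reading the oops above requires turning the non-canonical address the GPF reports into the memory address KASAN was actually checking. The code below is an added example, not part of the syzbot log or the kernel: it reimplements the x86_64 shadow-address arithmetic in user space and regenerates the "KASAN: null-ptr-deref in range [...]" line from 0xdffffc000000000c. The shadow offset 0xdffffc0000000000 and the scale shift of 3 are taken from the disassembly (the r15 base register and `shr $0x3`); PAGE_SIZE, TASK_SIZE_MAX and the three bug-type labels are assumed to be the usual x86_64 values the kernel's non-canonical-address hook uses. The last helper applies the same reasoning to the trapping instruction: %rbx there is the pointer loaded from 0x360(%rdi) plus 0x60, so a faulting range starting at 0x60 means the loaded pointer was 0.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86_64 KASAN shadow layout. Offset and shift match the disassembly above;
 * the page size and user-space limit are assumed x86_64 defaults. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL
#define TASK_SIZE_MAX            ((1ULL << 47) - PAGE_SIZE)   /* assumed */

/* Forward mapping used by every instrumented access: shadow = (addr >> 3) + offset. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping. Returns false when the address cannot be a shadow address,
 * i.e. the GPF was not produced by a KASAN shadow check at all. */
bool kasan_shadow_to_mem(uint64_t shadow, uint64_t *addr)
{
    const uint64_t max_shadow = UINT64_MAX >> KASAN_SHADOW_SCALE_SHIFT;

    if (shadow < KASAN_SHADOW_OFFSET || shadow - KASAN_SHADOW_OFFSET > max_shadow)
        return false;
    *addr = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    return true;
}

/* Label the recovered address the way the kernel does (assumed thresholds). */
const char *kasan_bug_type(uint64_t addr)
{
    if (addr < PAGE_SIZE)
        return "null-ptr-deref";
    if (addr < TASK_SIZE_MAX)
        return "user-memory-access";
    return "wild-memory-access";
}

/* Rebuild the "KASAN: ... in range [start-end]" line; one shadow byte covers
 * KASAN_GRANULE_SIZE bytes, which is where the 8-byte range comes from. */
bool kasan_describe_gpf(uint64_t fault_addr, char *out, size_t out_len)
{
    uint64_t start;

    if (!kasan_shadow_to_mem(fault_addr, &start))
        return false;
    snprintf(out, out_len, "KASAN: %s in range [0x%016" PRIx64 "-0x%016" PRIx64 "]",
             kasan_bug_type(start), start, start + KASAN_GRANULE_SIZE - 1);
    return true;
}

/* Convenience wrapper returning a static buffer, or NULL for non-shadow addresses. */
const char *kasan_gpf_line(uint64_t fault_addr)
{
    static char line[96];

    return kasan_describe_gpf(fault_addr, line, sizeof line) ? line : NULL;
}

/* The trapping check tests the shadow of %rbx = loaded_pointer + displacement.
 * Given the start of the faulting range, recover the pointer that was loaded. */
uint64_t kasan_loaded_pointer(uint64_t range_start, uint64_t displacement)
{
    return range_start - displacement;
}

int main(void)
{
    /* Address and register values below are copied from the oops above. */
    const uint64_t fault = 0xdffffc000000000cULL;
    const uint64_t rdi = 0xffff888110dfddc0ULL;
    uint64_t start = 0, back = 0;

    printf("%s\n", kasan_gpf_line(fault));
    if (kasan_shadow_to_mem(fault, &start))
        printf("pointer loaded from 0x360(%%rdi) was 0x%" PRIx64 "\n",
               kasan_loaded_pointer(start, 0x60));
    /* Sanity check: a valid kernel pointer from the dump round-trips. */
    if (kasan_shadow_to_mem(kasan_mem_to_shadow(rdi), &back))
        printf("round-trip of %%rdi: %s\n", back == rdi ? "ok" : "MISMATCH");
    return 0;
}
```

Running it reproduces the kernel's second line of the report verbatim, which is the check worth doing whenever a non-canonical address in the 0xdffffc... range shows up: it confirms the GPF is a KASAN shadow lookup rather than a genuinely wild pointer, and the recovered range tells you which field of a NULL structure pointer was being read.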