ci2 starts bisection 2024-01-23 17:08:16.986167937 +0000 UTC m=+107.040151110
bisecting fixing commit since 38968376776141850596561821e8c3fa30fe9fdb
building syzkaller on 28b24332d95f2f7df44ec7e7a5e0025bcadc6277
ensuring issue is reproducible on original commit 38968376776141850596561821e8c3fa30fe9fdb

testing commit 38968376776141850596561821e8c3fa30fe9fdb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 66d2a85b7fe347d8c3eefbe2693a3569f32ebebdc1dcb181164fae339676645c
all runs: crashed: general protection fault in skb_segment
representative crash: general protection fault in skb_segment, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 38968376776141850596561821e8c3fa30fe9fdb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9ab34d516fb085885ffc799c054f04e33d8572f99ecbca6866ca0f7a06ad731c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
kconfig minimization: base=4789 full=6022 leaves diff=238
split chunks (needed=false): <238>
split chunk #0 of len 238 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 38968376776141850596561821e8c3fa30fe9fdb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a3ce2655a7e468e79ac70b08b850252d03b46bd31f98869a6b0dc3d40872aee2
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 38968376776141850596561821e8c3fa30fe9fdb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 516039ae1d193fa985e05b9e4336c917e5a1f5fdc93d0f96fe54e74b036d2f43
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 38968376776141850596561821e8c3fa30fe9fdb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e2ab124dac1dab1ab52c2b859a55df073bd2551a571a21e1b38c1142665a8a78
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 38968376776141850596561821e8c3fa30fe9fdb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7e4ef7c2bb6df2bdbbe6cae8d95aaf683341d6a36fd37670c06ec07a27daee64
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 38968376776141850596561821e8c3fa30fe9fdb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 38968376776141850596561821e8c3fa30fe9fdb: net/socket.c:1126: undefined reference to `wext_handle_ioctl'
net/socket.c:3395: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 1a7db4583e18ca49cb3babc08be65afcb4f32925
testing commit 1a7db4583e18ca49cb3babc08be65afcb4f32925 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 840629c7ab2eb810142b6dba5c169744e9e79ab1832ada442b2316f17f25c366
all runs: OK
false negative chance: 0.000
# git bisect start 1a7db4583e18ca49cb3babc08be65afcb4f32925 38968376776141850596561821e8c3fa30fe9fdb
Bisecting: 312 revisions left to test after this (roughly 8 steps)
[7f4c89400d2997939f6971c7981cc780a219e36b] hrtimers: Push pending hrtimers away from outgoing CPU earlier

determine whether the revision contains the guilty commit
checking the merge base 6db6caba87efcfbcf57d68b540a1f0a4c0a5539b
no existing result, test the revision
testing commit 6db6caba87efcfbcf57d68b540a1f0a4c0a5539b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6a81f9454db8072b43c65fa7de07810b89c658810d56342157e46c81bba3ed95
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
testing commit 7f4c89400d2997939f6971c7981cc780a219e36b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a1b1774aec9e7830c01d330ba7cb4c631391914398f70526ab3203090bf04c9b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 7f4c89400d2997939f6971c7981cc780a219e36b
Bisecting: 156 revisions left to test after this (roughly 7 steps)
[e30e62f0e17884b5723f64ba93e58a7efbda2cf4] powerpc/ftrace: Create a dummy stackframe to fix stack unwind

determine whether the revision contains the guilty commit
revision 6db6caba87efcfbcf57d68b540a1f0a4c0a5539b crashed and is reachable
testing commit e30e62f0e17884b5723f64ba93e58a7efbda2cf4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bb855882bef1a7fb82572199c9c4d57666b17a9db23fac7deefbdc92136602fc
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good e30e62f0e17884b5723f64ba93e58a7efbda2cf4
Bisecting: 78 revisions left to test after this (roughly 6 steps)
[cea19678bf55f8d087bf617478f249208432156c] Revert "scsi: core: Use a structure member to track the SCSI command submitter"

determine whether the revision contains the guilty commit
revision 6db6caba87efcfbcf57d68b540a1f0a4c0a5539b crashed and is reachable
testing commit cea19678bf55f8d087bf617478f249208432156c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6c9f24f02f2f1b51d7f8583996a086632c84db1ba87cca328eee7cdbabfa41f7
all runs: OK
false negative chance: 0.000
# git bisect bad cea19678bf55f8d087bf617478f249208432156c
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[d521896bcc0bc3656bce0bb4a5f38ed1774b5870] USB: serial: option: add Foxconn T99W265 with new baseline

determine whether the revision contains the guilty commit
revision 6db6caba87efcfbcf57d68b540a1f0a4c0a5539b crashed and is reachable
testing commit d521896bcc0bc3656bce0bb4a5f38ed1774b5870 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dd6362e2818eee8859e3db989b01c8e665a28d91bb15dd2a54ff065791e2a50e
all runs: OK
false negative chance: 0.000
# git bisect bad d521896bcc0bc3656bce0bb4a5f38ed1774b5870
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[59dc16ce095d4bd4c806128e9a664c97e081dbc1] net: warn if gso_type isn't set for a GSO SKB

determine whether the revision contains the guilty commit
revision 6db6caba87efcfbcf57d68b540a1f0a4c0a5539b crashed and is reachable
testing commit 59dc16ce095d4bd4c806128e9a664c97e081dbc1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0aaa01836e5ae279a8aa4b7bd552a167679390e8c66d949f8008115baf96c8bb
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 59dc16ce095d4bd4c806128e9a664c97e081dbc1
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[505df1c0abe6ed90e9d6920f44b3c5374effbf71] interconnect: Treat xlate() returning NULL node as an error

determine whether the revision contains the guilty commit
revision 59dc16ce095d4bd4c806128e9a664c97e081dbc1 crashed and is reachable
testing commit 505df1c0abe6ed90e9d6920f44b3c5374effbf71 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fa07c1130fc898bb332837d572a4479b571cdb918c219d7679c6c62b43e172a4
all runs: OK
false negative chance: 0.000
# git bisect bad 505df1c0abe6ed90e9d6920f44b3c5374effbf71
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[e032ddb0e387cc9139147e9b335d86a81df8b8c4] pinctrl: at91-pio4: use dedicated lock class for IRQ

determine whether the revision contains the guilty commit
revision 59dc16ce095d4bd4c806128e9a664c97e081dbc1 crashed and is reachable
testing commit e032ddb0e387cc9139147e9b335d86a81df8b8c4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0ee33bb20243e0d0961ec6ee574ab2def4a6d2cd05680f74f8de8ef0cd58f669
all runs: OK
false negative chance: 0.000
# git bisect bad e032ddb0e387cc9139147e9b335d86a81df8b8c4
Bisecting: 2 revisions left to test after this (roughly 1 step)
[97be1e865e70e5a0ad0a5b5f5dca5031ca0b53ac] keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry

determine whether the revision contains the guilty commit
revision 59dc16ce095d4bd4c806128e9a664c97e081dbc1 crashed and is reachable
testing commit 97be1e865e70e5a0ad0a5b5f5dca5031ca0b53ac gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f17057a9cb6e45234cb57cfdf2ce2b1daee254509389537b6972c319e4340faf
all runs: OK
false negative chance: 0.000
# git bisect bad 97be1e865e70e5a0ad0a5b5f5dca5031ca0b53ac
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9e0d18f946b2209dffd5bbe213d20bc4b0ca5684] net: check dev->gso_max_size in gso_features_check()

determine whether the revision contains the guilty commit
revision 59dc16ce095d4bd4c806128e9a664c97e081dbc1 crashed and is reachable
testing commit 9e0d18f946b2209dffd5bbe213d20bc4b0ca5684 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2281f1a7bf661a7b5232cedb05373ecf9b34243b99129495e5ee67b808cc30b0
all runs: OK
false negative chance: 0.000
# git bisect bad 9e0d18f946b2209dffd5bbe213d20bc4b0ca5684
9e0d18f946b2209dffd5bbe213d20bc4b0ca5684 is the first bad commit
commit 9e0d18f946b2209dffd5bbe213d20bc4b0ca5684
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Dec 19 12:53:31 2023 +0000

    net: check dev->gso_max_size in gso_features_check()
    
    [ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]
    
    Some drivers might misbehave if TSO packets get too big.
    
    GVE for instance uses a 16bit field in its TX descriptor,
    and will do bad things if a packet is bigger than 2^16 bytes.
    
    Linux TCP stack honors dev->gso_max_size, but there are
    other ways for too big packets to reach an ndo_start_xmit()
    handler : virtio_net, af_packet, GRO...
    
    Add a generic check in gso_features_check() and fallback
    to GSO when needed.
    
    gso_max_size was added in the blamed commit.
    
    Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 net/core/dev.c | 3 +++
 1 file changed, 3 insertions(+)

accumulated error probability: 0.00
culprit signature: 2281f1a7bf661a7b5232cedb05373ecf9b34243b99129495e5ee67b808cc30b0
parent  signature: 0aaa01836e5ae279a8aa4b7bd552a167679390e8c66d949f8008115baf96c8bb
revisions tested: 17, total time: 3h13m55.123601747s (build: 43m44.840609664s, test: 1h38m57.247778164s)
first good commit: 9e0d18f946b2209dffd5bbe213d20bc4b0ca5684 net: check dev->gso_max_size in gso_features_check()
recipients (to): ["edumazet@google.com" "pabeni@redhat.com" "sashal@kernel.org"]
recipients (cc): []