ci2 starts bisection 2023-02-18 10:56:21.011092059 +0000 UTC m=+23384.925248594
bisecting fixing commit since 4ec71a9ec7698108e0ad7d59ef41df064cc72049
building syzkaller on 52fdf57a86cb556640e5ebcc234bc826ff249546
ensuring issue is reproducible on original commit 4ec71a9ec7698108e0ad7d59ef41df064cc72049
testing commit 4ec71a9ec7698108e0ad7d59ef41df064cc72049 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1f17d3fe30b6a0e4f356f58da699eec4f6875443a3e33ab645632366c367975b
run #0: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #1: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #2: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #3: crashed: KASAN: use-after-free Read in process_one_work
run #4: crashed: KASAN: use-after-free Read in process_one_work
run #5: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #6: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #7: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #8: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #9: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #10: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #11: crashed: KASAN: use-after-free Read in worker_thread
run #12: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #13: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #14: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #15: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #16: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #17: crashed: KASAN: use-after-free Read in process_one_work
run #18: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #19: crashed: kernel BUG in cdc_ncm_fill_tx_frame
testing current HEAD 5448b2fda85f2d90de03f053226f721ba2f7e731
testing commit 5448b2fda85f2d90de03f053226f721ba2f7e731 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1c77b426093f9a7c6e31f3d8b5495fd1f6af940e2e5580e7c833b7f288ad3355
run #0: crashed: KASAN: use-after-free Read in process_one_work
run #1: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #2: crashed: KASAN: use-after-free Read in worker_thread
run #3: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #4: crashed: KASAN: use-after-free Read in worker_thread
run #5: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #6: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #7: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #8: crashed: kernel BUG in cdc_ncm_fill_tx_frame
run #9: crashed: kernel BUG in cdc_ncm_fill_tx_frame
revisions tested: 2, total time: 31m48.99927008s (build: 11m17.323829354s, test: 17m25.901110958s)
the crash still happens on HEAD
commit msg: Merge 5.15.94 into android13-5.15-lts
crash: kernel BUG in cdc_ncm_fill_tx_frame
skbuff: skb_over_panic: text:ffffffff82dd0404 len:184 put:172 head:ffff888124749800 data:ffff888124749800 tail:0xb8 end:0x80 dev:
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 440 Comm: kworker/1:5 Not tainted 5.15.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
Code: c0 2b 30 85 48 c7 c6 00 3c 79 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 94 8b c7 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
RSP: 0000:ffffc90000a26fb8 EFLAGS: 00010286
RAX: 0000000000000087 RBX: ffffffff85302c40 RCX: a23a01f537eee000
RDX: 1ffff92000144dbc RSI: 0000000000000008 RDI: 0000000000000001
RBP: ffffc90000a26ff8 R08: dffffc0000000000 R09: fffff52000144d29
R10: 0000000000000000 R11: dffffc0000000001 R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff888124749800
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc7b3771028 CR3: 0000000127de9000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 skb_put+0x10c/0x200 net/core/skbuff.c:2047
 skb_put_zero include/linux/skbuff.h:2422 [inline]
 cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
 cdc_ncm_fill_tx_frame+0xff4/0x4460 drivers/net/usb/cdc_ncm.c:1308
 cdc_ncm_tx_fixup+0x83/0xd0
 usbnet_start_xmit+0x105/0x1a70 drivers/net/usb/usbnet.c:1368
 __netdev_start_xmit include/linux/netdevice.h:5057 [inline]
 netdev_start_xmit include/linux/netdevice.h:5071 [inline]
 xmit_one net/core/dev.c:3597 [inline]
 dev_hard_start_xmit+0x21b/0x530 net/core/dev.c:3613
 sch_direct_xmit+0x228/0x890 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3824 [inline]
 __dev_queue_xmit+0x1343/0x28e0 net/core/dev.c:4193
 dev_queue_xmit+0xb/0x10 net/core/dev.c:4261
 neigh_resolve_output+0x5ef/0x6c0 net/core/neighbour.c:1512
 neigh_output include/net/neighbour.h:524 [inline]
 ip6_finish_output2+0xdb4/0x16b0 net/ipv6/ip6_output.c:126
 __ip6_finish_output+0x541/0x740 net/ipv6/ip6_output.c:191
 ip6_finish_output+0x27/0x180 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:299 [inline]
 ip6_output+0x1aa/0x410 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:310 [inline]
 mld_sendpack+0x61b/0xb20 net/ipv6/mcast.c:1820
 mld_send_cr net/ipv6/mcast.c:2121 [inline]
 mld_ifc_work+0x73f/0xa70 net/ipv6/mcast.c:2653
 process_one_work+0x635/0xa70 kernel/workqueue.c:2313
 worker_thread+0x8bb/0xf40 kernel/workqueue.c:2460
 kthread+0x3a1/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 :298
Modules linked in:
---[ end trace a7032d99864b6bfe ]---
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
Code: c0 2b 30 85 48 c7 c6 00 3c 79 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 94 8b c7 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
RSP: 0000:ffffc90000a26fb8 EFLAGS: 00010286
RAX: 0000000000000087 RBX: ffffffff85302c40 RCX: a23a01f537eee000
RDX: 1ffff92000144dbc RSI: 0000000000000008 RDI: 0000000000000001
RBP: ffffc90000a26ff8 R08: dffffc0000000000 R09: fffff52000144d29
R10: 0000000000000000 R11: dffffc0000000001 R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff888124749800
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc7b3771028 CR3: 0000000127de9000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400