ci2 starts bisection 2025-11-10 09:18:28.201625562 +0000 UTC m=+319197.817089311
bisecting fixing commit since af1544b5d072514b219695b0a9fba0b1e0d5e289
building syzkaller on 67c375600e44473aafff4ce6ff7abb90e4f4fff4
ensuring issue is reproducible on original commit af1544b5d072514b219695b0a9fba0b1e0d5e289
testing commit af1544b5d072514b219695b0a9fba0b1e0d5e289 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: c89330354bd7f35b9d6c520f25787644cde3df2d1a8262d0f80e1ea23135c0a2
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit af1544b5d072514b219695b0a9fba0b1e0d5e289 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 5c22ddc0a24902099956d6bddb2086f1b021baa1d060a8f0092686a68447b8b1
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=3913 full=7800 leaves diff=2160
split chunks (needed=false): <2160>
split chunk #0 of len 2160 into 5 parts
testing without sub-chunk 1/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit af1544b5d072514b219695b0a9fba0b1e0d5e289 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 18b5337669b1f502fa914d3c781d28751d7da63f0a6efebd8ba2b1673cef2ba5
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit af1544b5d072514b219695b0a9fba0b1e0d5e289 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 885f1fab529622d98adbd22fb0552f36174a1160f0384205d58526f5dc4510b0
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit af1544b5d072514b219695b0a9fba0b1e0d5e289 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 5301308dcfcf4fec38b2508ef5cab1fa53104e658a9951b3c3c9ab3e99e9fc25
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit af1544b5d072514b219695b0a9fba0b1e0d5e289 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 202339c90e20b3466dded80fa3c27dede90014e9f278c8161cba5cddf76358ef
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit af1544b5d072514b219695b0a9fba0b1e0d5e289 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 29358ba03528a91f83c20fe18163d8b5c0b90d6949a9f58658c907e638cff270
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing current HEAD 0a805b6ea8cda0caa268b396a2e5117f3772d849
testing commit 0a805b6ea8cda0caa268b396a2e5117f3772d849 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 42ec00ca4077d78c125c5efedf73f6efecc1fd3e1db39e53bdc185faca7625a0
all runs: OK
false negative chance: 0.000
# git bisect start 0a805b6ea8cda0caa268b396a2e5117f3772d849 af1544b5d072514b219695b0a9fba0b1e0d5e289
Bisecting: 407 revisions left to test after this (roughly 9 steps)
[1501f779e79434c52ad9816fef07f7a870a58be6] perf session: Fix handling when buffer exceeds 2 GiB
determine whether the revision contains the guilty commit
revision af1544b5d072514b219695b0a9fba0b1e0d5e289 crashed and is reachable
testing commit 1501f779e79434c52ad9816fef07f7a870a58be6 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: eea5fdb7ed1baa6b3a64e08d6b93475621958d3ce19f0dec12bebd28195a69f1
all runs: OK
false negative chance: 0.000
# git bisect bad 1501f779e79434c52ad9816fef07f7a870a58be6
Bisecting: 203 revisions left to test after this (roughly 8 steps)
[379cae2cb982f571cda9493ac573ab71125fd299] perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
determine whether the revision contains the guilty commit
revision af1544b5d072514b219695b0a9fba0b1e0d5e289 crashed and is reachable
testing commit 379cae2cb982f571cda9493ac573ab71125fd299 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 283d630ffac1ba089825594400bd8e05762d12b2b5aab1cba7bfe5a8d3119048
all runs: OK
false negative chance: 0.000
# git bisect bad 379cae2cb982f571cda9493ac573ab71125fd299
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[cbc1de71766f326a44bb798aeae4a7ef4a081cc9] can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
determine whether the revision contains the guilty commit
revision af1544b5d072514b219695b0a9fba0b1e0d5e289 crashed and is reachable
testing commit cbc1de71766f326a44bb798aeae4a7ef4a081cc9 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2d1ec88df9443714d69795499e9ff9963d6ff57ecab0d50bc7cc97f56ad68e8a
all runs: OK
false negative chance: 0.000
# git bisect bad cbc1de71766f326a44bb798aeae4a7ef4a081cc9
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[7740da20a3a0c7152143c809c1de08d1c422a552] ASoC: wm8974: Correct PLL rate rounding
determine whether the revision contains the guilty commit
revision af1544b5d072514b219695b0a9fba0b1e0d5e289 crashed and is reachable
testing commit 7740da20a3a0c7152143c809c1de08d1c422a552 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 1ce3f8eefbf9674c7f1a7766c24650a4e735a2ae66532784168938acd68b753a
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 7740da20a3a0c7152143c809c1de08d1c422a552
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[e8c605fece5b9b3402a1a4dd8c351a7ab7e6a42e] ALSA: usb-audio: Avoid multiple assignments in mixer_quirks
determine whether the revision contains the guilty commit
revision 7740da20a3a0c7152143c809c1de08d1c422a552 crashed and is reachable
testing commit e8c605fece5b9b3402a1a4dd8c351a7ab7e6a42e gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 4fec1552121e828f80e39f1ec9c86a620f05ff980a9627a413267f7cff404fef
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good e8c605fece5b9b3402a1a4dd8c351a7ab7e6a42e
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[4ed203f79821cb44d4070fce7cc0dc243d66b97f] mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked"
determine whether the revision contains the guilty commit
revision 7740da20a3a0c7152143c809c1de08d1c422a552 crashed and is reachable
testing commit 4ed203f79821cb44d4070fce7cc0dc243d66b97f gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 227fafc54cbe8a86de68cde07be65d63ec7c6598e963077494c710fcab512278
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 4ed203f79821cb44d4070fce7cc0dc243d66b97f
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[35bb271de241d1e0141ce66b874db7fc635d9f3e] ARM: dts: kirkwood: Fix sound DAI cells for OpenRD clients
determine whether the revision contains the guilty commit
revision 7740da20a3a0c7152143c809c1de08d1c422a552 crashed and is reachable
testing commit 35bb271de241d1e0141ce66b874db7fc635d9f3e gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2b6d024da586155d6ac57cac5d874476e8690061c24f70d2e9b5e2191d9d4f34
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 35bb271de241d1e0141ce66b874db7fc635d9f3e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[210b91bfe355bc2a3fceb0c32c5f8cc7f1cb40a6] wifi: virt_wifi: Fix page fault on connect
determine whether the revision contains the guilty commit
revision af1544b5d072514b219695b0a9fba0b1e0d5e289 crashed and is reachable
testing commit 210b91bfe355bc2a3fceb0c32c5f8cc7f1cb40a6 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 8b06e8cbeda88a4b4172793dc43d5e1107ff50727c34b8192f5f940db21f8587
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 210b91bfe355bc2a3fceb0c32c5f8cc7f1cb40a6
Bisecting: 1 revision left to test after this (roughly 1 step)
[f64abeebf763c3e1df52ff6e815238af384ac642] bpf: Reject bpf_timer for PREEMPT_RT
determine whether the revision contains the guilty commit
revision af1544b5d072514b219695b0a9fba0b1e0d5e289 crashed and is reachable
testing commit f64abeebf763c3e1df52ff6e815238af384ac642 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: de8c76f7143a1bc05091fc89dae39747527b018468fad1d2048b14084addf604
run #0: infra problem: failed to get create instance operation operation-1762781264266-6433d7f12c521-bb78fe46-d550aec9: googleapi: Error 503: Visibility check was unavailable. Please retry the request and contact support if the problem persists, backendError
run #1: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #2: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #3: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #4: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #5: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #6: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #7: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #8: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #9: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good f64abeebf763c3e1df52ff6e815238af384ac642
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0baf92d0b1590b903c1f4ead75e61715e50e8146] xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
determine whether the revision contains the guilty commit
revision 4ed203f79821cb44d4070fce7cc0dc243d66b97f crashed and is reachable
testing commit 0baf92d0b1590b903c1f4ead75e61715e50e8146 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b7c6d485c0aee8a9c367f2b272da638d251ba6c7ecf59e27eb76c61e2b2e22e6
all runs: OK
false negative chance: 0.000
# git bisect bad 0baf92d0b1590b903c1f4ead75e61715e50e8146
0baf92d0b1590b903c1f4ead75e61715e50e8146 is the first bad commit
commit 0baf92d0b1590b903c1f4ead75e61715e50e8146
Author: Sabrina Dubroca
Date:   Fri Aug 29 10:54:15 2025 +0200

    xfrm: xfrm_alloc_spi shouldn't use 0 as SPI

    [ Upstream commit cd8ae32e4e4652db55bce6b9c79267d8946765a9 ]

    x->id.spi == 0 means "no SPI assigned", but since commit 94f39804d891
    ("xfrm: Duplicate SPI Handling"), we now create states and add them to
    the byspi list with this value. __xfrm_state_delete doesn't remove those
    states from the byspi list, since they shouldn't be there, and this
    shows up as a UAF the next time we go through the byspi list.

    Reported-by: syzbot+a25ee9d20d31e483ba7b@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=a25ee9d20d31e483ba7b
    Fixes: 94f39804d891 ("xfrm: Duplicate SPI Handling")
    Signed-off-by: Sabrina Dubroca
    Reviewed-by: Simon Horman
    Signed-off-by: Steffen Klassert
    Signed-off-by: Sasha Levin

 net/xfrm/xfrm_state.c | 3 +++
 1 file changed, 3 insertions(+)

accumulated error probability: 0.00
culprit signature: b7c6d485c0aee8a9c367f2b272da638d251ba6c7ecf59e27eb76c61e2b2e22e6
parent signature: de8c76f7143a1bc05091fc89dae39747527b018468fad1d2048b14084addf604
revisions tested: 18, total time: 4h35m51.083171417s (build: 2h8m58.819630296s, test: 2h15m17.552251073s)
first good commit: 0baf92d0b1590b903c1f4ead75e61715e50e8146 xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
recipients (to): ["horms@kernel.org" "sashal@kernel.org" "sd@queasysnail.net" "steffen.klassert@secunet.com"]
recipients (cc): []
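The commit message above describes a mismatch between an insert path (states with spi == 0 get linked into byspi) and a delete path (__xfrm_state_delete unlinks from byspi only when an SPI is assigned), so a freed state stays reachable from the list. The following C model is an added example, not code from this page, from net/xfrm or from the fix itself (the log only shows that the fix adds three lines to net/xfrm/xfrm_state.c). All names (pool, state, byspi_walk, alloc_spi_buggy, alloc_spi_fixed, state_create, state_delete, run_scenario) are hypothetical, a fixed pool with a freed flag stands in for the slab so the stale entry is counted instead of dereferenced, and the "fixed" allocator simply never hands out 0, which is what the commit title names; whether the upstream patch does exactly that is not shown in the log.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not kernel code. A fixed pool stands in for the slab so
 * a dangling byspi entry is counted rather than dereferenced. */
#define POOL_SIZE 8

struct state {
    uint32_t spi;        /* 0 means "no SPI assigned" */
    bool freed;          /* pool-level marker for "returned to the slab" */
    struct state *next;  /* one byspi bucket, singly linked */
};

struct pool {
    struct state slots[POOL_SIZE];
    size_t used;
    struct state *byspi_head;
};

/* Walk byspi the way an SPI-uniqueness check would. Returns how many freed
 * entries the walk touched (each one is where KASAN would report); *in_use
 * reports whether a live entry already carries spi. */
static int byspi_walk(const struct pool *p, uint32_t spi, bool *in_use)
{
    int touched_freed = 0;
    *in_use = false;
    for (const struct state *x = p->byspi_head; x; x = x->next) {
        if (x->freed) { touched_freed++; continue; }
        if (x->spi == spi) *in_use = true;
    }
    return touched_freed;
}

/* Buggy allocator: first unused value in [low, high], with 0 allowed. */
static uint32_t alloc_spi_buggy(const struct pool *p, uint32_t low, uint32_t high)
{
    bool in_use;
    for (uint64_t spi = low; spi <= high; spi++) {
        byspi_walk(p, (uint32_t)spi, &in_use);
        if (!in_use) return (uint32_t)spi;
    }
    return 0;  /* failure; note 0 doubles as "unassigned" */
}

/* Fixed allocator: never hands out 0, so "unassigned" stays unambiguous. */
static uint32_t alloc_spi_fixed(const struct pool *p, uint32_t low, uint32_t high)
{
    return alloc_spi_buggy(p, low == 0 ? 1 : low, high);
}

/* Create a state and link it into byspi unconditionally, the behaviour the
 * commit message attributes to "Duplicate SPI Handling". */
static struct state *state_create(struct pool *p, uint32_t spi)
{
    if (p->used >= POOL_SIZE) return NULL;
    struct state *x = &p->slots[p->used++];
    memset(x, 0, sizeof *x);
    x->spi = spi;
    x->next = p->byspi_head;
    p->byspi_head = x;
    return x;
}

/* Mirrors __xfrm_state_delete as described: unlink from byspi only when an
 * SPI is assigned, then free. With spi == 0 the node stays in the list. */
static void state_delete(struct pool *p, struct state *x)
{
    if (x->spi != 0) {
        struct state **pp = &p->byspi_head;
        while (*pp && *pp != x) pp = &(*pp)->next;
        if (*pp) *pp = x->next;
    }
    x->freed = true;
}

typedef uint32_t (*alloc_fn)(const struct pool *, uint32_t, uint32_t);

/* What the allocator returns for a request whose range starts at 0. */
static uint32_t first_spi_from_zero(alloc_fn alloc)
{
    struct pool p;
    memset(&p, 0, sizeof p);
    return alloc(&p, 0, 0xff);
}

/* End to end: one normal state, one whose requested range includes 0, delete
 * the latter, then perform the next allocation's byspi walk. Returns freed
 * entries touched by that walk (0 means no use-after-free). */
static int run_scenario(alloc_fn alloc)
{
    struct pool p;
    memset(&p, 0, sizeof p);
    state_create(&p, alloc(&p, 0x100, 0x1ff));      /* gets 0x100 */
    struct state *z = state_create(&p, alloc(&p, 0, 0xff)); /* 0 or 1 */
    state_delete(&p, z);
    bool in_use;
    return byspi_walk(&p, 0x100, &in_use);
}

int main(void)
{
    printf("buggy allocator: freed entries touched = %d\n", run_scenario(alloc_spi_buggy));
    printf("fixed allocator: freed entries touched = %d\n", run_scenario(alloc_spi_fixed));
    return 0;
}
```

The point the model makes is that the delete path's predicate (spi != 0) is the invariant the insert path must honour; once the allocator can produce 0, every later byspi traversal, including the one xfrm_alloc_spi performs, can land on freed memory, which matches the "slab-use-after-free Read in xfrm_alloc_spi" signature the bisection tracked.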