ci2 starts bisection 2025-09-04 15:15:40.443999196 +0000 UTC m=+47655.432973032
bisecting fixing commit since 98f47d0e9b8c557d3063d3ea661cbea1489af330
building syzkaller on 3d2f584ddab119da50e8a8d26765aa98d3b33c02
ensuring issue is reproducible on original commit 98f47d0e9b8c557d3063d3ea661cbea1489af330
testing commit 98f47d0e9b8c557d3063d3ea661cbea1489af330 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cd983098b5151a25e5c218e75c672bb01314b53d7b847462e0550e2f07991dd5
run #0: crashed: KASAN: use-after-free Write in diWrite
run #1: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #2: crashed: KASAN: use-after-free Write in diWrite
run #3: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #4: crashed: KASAN: use-after-free Write in diWrite
run #5: crashed: KASAN: use-after-free Write in diWrite
run #6: crashed: KASAN: use-after-free Write in diWrite
run #7: crashed: KASAN: use-after-free Write in diWrite
run #8: crashed: KASAN: use-after-free Write in diWrite
run #9: crashed: KASAN: use-after-free Write in diWrite
run #10: crashed: KASAN: use-after-free Write in diWrite
run #11: crashed: KASAN: use-after-free Write in diWrite
run #12: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #13: crashed: KASAN: use-after-free Write in diWrite
run #14: crashed: KASAN: use-after-free Write in diWrite
run #15: crashed: KASAN: use-after-free Write in diWrite
run #16: crashed: KASAN: use-after-free Write in diWrite
run #17: crashed: KASAN: use-after-free Write in diWrite
run #18: crashed: KASAN: use-after-free Write in diWrite
run #19: crashed: KASAN: use-after-free Write in diWrite
representative crash: KASAN: use-after-free Write in diWrite, types: [KASAN-USE-AFTER-FREE-WRITE]
check whether we can drop unnecessary instrumentation
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit 98f47d0e9b8c557d3063d3ea661cbea1489af330 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 54646bbc9cd1458009e3d34a7a913367162d21aefcd18122711000f19a5abbf3
run #0: crashed: KASAN: use-after-free Write in diWrite
run #1: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #2: crashed: KASAN: use-after-free Write in diWrite
run #3: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #4: crashed: KASAN: use-after-free Write in diWrite
run #5: crashed: KASAN: use-after-free Write in diWrite
run #6: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #7: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #8: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #9: crashed: KASAN: slab-out-of-bounds Write in diWrite
representative crash: KASAN: slab-out-of-bounds Read in diWrite, types: [KASAN-READ KASAN-USE-AFTER-FREE-WRITE]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=3707 full=7306 leaves diff=2039
split chunks (needed=false): <2039>
split chunk #0 of len 2039 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 98f47d0e9b8c557d3063d3ea661cbea1489af330 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: db44efde73a7a6219cc20c7f736cfc038d06a5cbc39d66238aa66749f8c57c8b
run #0: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #1: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #2: crashed: KASAN: use-after-free Write in diWrite
run #3: crashed: KASAN: use-after-free Write in diWrite
run #4: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #5: crashed: KASAN: use-after-free Write in diWrite
run #6: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #7: crashed: BUG: unable to handle kernel paging request in diWrite
run #8: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #9: crashed: KASAN: slab-out-of-bounds Read in diWrite
representative crash: KASAN: slab-out-of-bounds Read in diWrite, types: [KASAN-READ KASAN-USE-AFTER-FREE-WRITE KASAN-WRITE]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 98f47d0e9b8c557d3063d3ea661cbea1489af330 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0aa469627e36efa40e7afae555e2ab72df8f027ecf333b8bbbc5144a59fd5834
run #0: crashed: KASAN: use-after-free Write in diWrite
run #1: crashed: KASAN: use-after-free Write in diWrite
run #2: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #3: crashed: KASAN: use-after-free Write in diWrite
run #4: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #5: crashed: KASAN: use-after-free Write in diWrite
run #6: crashed: KASAN: use-after-free Write in diWrite
run #7: crashed: KASAN: use-after-free Write in diWrite
run #8: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #9: crashed: KASAN: use-after-free Write in diWrite
representative crash: KASAN: use-after-free Write in diWrite, types: [KASAN-USE-AFTER-FREE-WRITE KASAN-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 98f47d0e9b8c557d3063d3ea661cbea1489af330 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4034b4e11f57f8a53d3622b5b6437c4cb38e50d819a4693346d2e56fec3b7405
all runs: OK
false negative chance: 0.000
testing without sub-chunk 4/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 98f47d0e9b8c557d3063d3ea661cbea1489af330 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dd4fa95b143a87f12ad2af6c11c6b51e386d9465e5bfa2ece2d09fce97f0dccb
run #0: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #1: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #2: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #3: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #4: crashed: KASAN: use-after-free Write in diWrite
run #5: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #6: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #7: crashed: KASAN: use-after-free Write in diWrite
run #8: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #9: crashed: KASAN: global-out-of-bounds Read in pipe_write
representative crash: KASAN: slab-out-of-bounds Read in diWrite, types: [KASAN-READ KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit 98f47d0e9b8c557d3063d3ea661cbea1489af330 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b66b5dd098ed2f09f14e75f22fdb2a2b6f8a208ba5535d6c441981167125888
run #0: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #1: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #2: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #3: crashed: KASAN: use-after-free Write in diWrite
run #4: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #5: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #6: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #7: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #8: crashed: KASAN: use-after-free Write in diWrite
run #9: crashed: KASAN: use-after-free Write in diWrite
representative crash: KASAN: slab-out-of-bounds Read in diWrite, types: [KASAN-READ KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
minimized to 408 configs
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing current HEAD 7a6c2d093c4599727874a7e5e9b27fb313d2bd9c
testing commit 7a6c2d093c4599727874a7e5e9b27fb313d2bd9c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6122e58664f49becc2fde3ffd796c1e6cb1966cd575d5cc62b6b60cb6e7ed448
all runs: OK
false negative chance: 0.000
# git bisect start 7a6c2d093c4599727874a7e5e9b27fb313d2bd9c 98f47d0e9b8c557d3063d3ea661cbea1489af330
Bisecting: 763 revisions left to test after this (roughly 10 steps)
[f2b75f1368af22bb290f128e29bc64b619a9d54d] x86/bugs: Add a Transient Scheduler Attacks mitigation
determine whether the revision contains the guilty commit
revision 98f47d0e9b8c557d3063d3ea661cbea1489af330 crashed and is reachable
testing commit f2b75f1368af22bb290f128e29bc64b619a9d54d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 595cf64c6d467ac12aabb54f8327cf0decb36dd0a25d4ebef7f260f0c178544e
run #0: crashed: KASAN: use-after-free Write in diWrite
run #1: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #2: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #3: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #4: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #5: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #6: crashed: KASAN: use-after-free Write in diWrite
run #7: crashed: KASAN: use-after-free Write in diWrite
run #8: crashed: KASAN: use-after-free Write in diWrite
run #9: crashed: KASAN: slab-out-of-bounds Read in diWrite
representative crash: KASAN: slab-out-of-bounds Read in diWrite, types: [KASAN-READ KASAN-USE-AFTER-FREE-WRITE]
# git bisect good f2b75f1368af22bb290f128e29bc64b619a9d54d
Bisecting: 381 revisions left to test after this (roughly 9 steps)
[5a164a725b9c6bc2b3d9ec6f5c66a8844898a7fe] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
determine whether the revision contains the guilty commit
revision f2b75f1368af22bb290f128e29bc64b619a9d54d crashed and is reachable
testing commit 5a164a725b9c6bc2b3d9ec6f5c66a8844898a7fe gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3a6db1f7947e6ab9a833f3fd15c43efbb13f3d2edbf61eefaff6e355e017eb84
all runs: OK
false negative chance: 0.000
# git bisect bad 5a164a725b9c6bc2b3d9ec6f5c66a8844898a7fe
Bisecting: 190 revisions left to test after this (roughly 8 steps)
[c53baa6a134c1478d4ee0a630e6483c8a3bdb837] usb: chipidea: add USB PHY event
determine whether the revision contains the guilty commit
revision 98f47d0e9b8c557d3063d3ea661cbea1489af330 crashed and is reachable
testing commit c53baa6a134c1478d4ee0a630e6483c8a3bdb837 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5e94bd2d4a5f6f79b4b14a3d1fd0e89155882124f76eef00885f3e1486d7f0bd
all runs: OK
false negative chance: 0.000
# git bisect bad c53baa6a134c1478d4ee0a630e6483c8a3bdb837
Bisecting: 95 revisions left to test after this (roughly 7 steps)
[aefa6e92d9b4363780e2f80f0c626ab89f74d1b2] HID: core: ensure __hid_request reserves the report ID as the first byte
determine whether the revision contains the guilty commit
revision f2b75f1368af22bb290f128e29bc64b619a9d54d crashed and is reachable
testing commit aefa6e92d9b4363780e2f80f0c626ab89f74d1b2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dc814c6a1c4d61d718fd9db95129f93f5451b62e97c25039193ce257275d4aa7
all runs: OK
false negative chance: 0.000
# git bisect bad aefa6e92d9b4363780e2f80f0c626ab89f74d1b2
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[982beb7582c193544eb9c6083937ec5ac1c9d651] virtio-net: ensure the received length does not exceed allocated size
determine whether the revision contains the guilty commit
revision f2b75f1368af22bb290f128e29bc64b619a9d54d crashed and is reachable
testing commit 982beb7582c193544eb9c6083937ec5ac1c9d651 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2a115ba6b87155907cd4a520b5e9b83d618ea5a5d6cf1e07a6168f2c5215324b
all runs: OK
false negative chance: 0.000
# git bisect bad 982beb7582c193544eb9c6083937ec5ac1c9d651
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[32caa50275cc52a382ca77b53ce3d6204d509e14] fs/proc: do_task_stat: use __for_each_thread()
determine whether the revision contains the guilty commit
revision 98f47d0e9b8c557d3063d3ea661cbea1489af330 crashed and is reachable
testing commit 32caa50275cc52a382ca77b53ce3d6204d509e14 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 316bae747497af021590e713dcf9402c77d5967d53f163136543709578be9551
run #0: crashed: KASAN: use-after-free Write in diWrite
run #1: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #2: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #3: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #4: crashed: KASAN: use-after-free Write in diWrite
run #5: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #6: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #7: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #8: crashed: KASAN: use-after-free Write in diWrite
run #9: crashed: KASAN: slab-out-of-bounds Write in diWrite
representative crash: KASAN: slab-out-of-bounds Read in diWrite, types: [KASAN-READ KASAN-USE-AFTER-FREE-WRITE]
# git bisect good 32caa50275cc52a382ca77b53ce3d6204d509e14
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[0c1ad573852643ede497b95fbe5fead438a55732] gre: Fix IPv6 multicast route creation.
determine whether the revision contains the guilty commit
revision f2b75f1368af22bb290f128e29bc64b619a9d54d crashed and is reachable
testing commit 0c1ad573852643ede497b95fbe5fead438a55732 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3916d00bae393585e17524fcf2ce8a7e07470ae98a1ea7978e7910592f1efeee
all runs: OK
false negative chance: 0.000
# git bisect bad 0c1ad573852643ede497b95fbe5fead438a55732
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[65ad600b9bde68d2d28709943ab00b51ca8f0a1d] bpf, sockmap: Fix skb refcnt race after locking changes
determine whether the revision contains the guilty commit
revision 98f47d0e9b8c557d3063d3ea661cbea1489af330 crashed and is reachable
testing commit 65ad600b9bde68d2d28709943ab00b51ca8f0a1d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 316bae747497af021590e713dcf9402c77d5967d53f163136543709578be9551
run #0: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #1: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #2: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #3: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #4: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #5: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #6: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #7: crashed: KASAN: slab-out-of-bounds Read in diWrite
run #8: crashed: KASAN: slab-out-of-bounds Write in diWrite
run #9: crashed: KASAN: slab-out-of-bounds Read in diWrite
representative crash: KASAN: slab-out-of-bounds Read in diWrite, types: [KASAN-READ KASAN-WRITE]
# git bisect good 65ad600b9bde68d2d28709943ab00b51ca8f0a1d
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[9cd4fa64814b18dfb62c0194bcf4e202c1ec026e] x86/mce/amd: Fix threshold limit reset
determine whether the revision contains the guilty commit
revision 98f47d0e9b8c557d3063d3ea661cbea1489af330 crashed and is reachable
testing commit 9cd4fa64814b18dfb62c0194bcf4e202c1ec026e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 54cb406f501dedb9ad26b720be6adb7463cef145066851c1aa5cafaea9080b2e
all runs: OK
false negative chance: 0.000
# git bisect bad 9cd4fa64814b18dfb62c0194bcf4e202c1ec026e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ae0e082687b2a657d9a322c8aa36630d568755ef] xen: replace xen_remap() with memremap()
determine whether the revision contains the guilty commit
revision 98f47d0e9b8c557d3063d3ea661cbea1489af330 crashed and is reachable
testing commit ae0e082687b2a657d9a322c8aa36630d568755ef gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d5985be1cd8ef51d58c2da4b130d190655009f4e3f61e00d5df24d9c9c1d72dc
all runs: OK
false negative chance: 0.000
# git bisect bad ae0e082687b2a657d9a322c8aa36630d568755ef
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f98bf80b20f4a930589cda48a35f751a64fe0dc2] jfs: fix null ptr deref in dtInsertEntry
determine whether the revision contains the guilty commit
revision 98f47d0e9b8c557d3063d3ea661cbea1489af330 crashed and is reachable
testing commit f98bf80b20f4a930589cda48a35f751a64fe0dc2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d5985be1cd8ef51d58c2da4b130d190655009f4e3f61e00d5df24d9c9c1d72dc
all runs: OK
false negative chance: 0.000
# git bisect bad f98bf80b20f4a930589cda48a35f751a64fe0dc2
f98bf80b20f4a930589cda48a35f751a64fe0dc2 is the first bad commit
commit f98bf80b20f4a930589cda48a35f751a64fe0dc2
Author: Edward Adam Davis
Date: Thu Apr 11 20:05:28 2024 +0800

    jfs: fix null ptr deref in dtInsertEntry

    commit ce6dede912f064a855acf6f04a04cbb2c25b8c8c upstream.

    [syzbot reported]
    general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
    CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
    RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713
    ...
    [Analyze]
    In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time.

    [Fix]
    After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.

    Reported-by: syzbot+bba84aef3a26fb93deb9@syzkaller.appspotmail.com
    Signed-off-by: Edward Adam Davis
    Signed-off-by: Dave Kleikamp
    Signed-off-by: Aditya Dutt
    Signed-off-by: Greg Kroah-Hartman

 fs/jfs/jfs_dtree.c | 2 ++
 1 file changed, 2 insertions(+)

accumulated error probability: 0.00
culprit signature: d5985be1cd8ef51d58c2da4b130d190655009f4e3f61e00d5df24d9c9c1d72dc
parent signature: 316bae747497af021590e713dcf9402c77d5967d53f163136543709578be9551
revisions tested: 19, total time: 5h0m3.932638467s (build: 1h25m3.068993854s, test: 3h19m0.810502876s)
first good commit: f98bf80b20f4a930589cda48a35f751a64fe0dc2 jfs: fix null ptr deref in dtInsertEntry
recipients (to): ["dave.kleikamp@oracle.com" "duttaditya18@gmail.com" "eadavis@qq.com" "gregkh@linuxfoundation.org"]
recipients (cc): []