ci2 starts bisection 2024-08-13 17:24:18.008947805 +0000 UTC m=+15101.093347470 bisecting fixing commit since 61cfd264993d07540f60a5c53d77a14c818e54a9 building syzkaller on cb976f63e0177b96eb9ce1c631cc5e2c4b4b0759 ensuring issue is reproducible on original commit 61cfd264993d07540f60a5c53d77a14c818e54a9 testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8c5515b85552af5d3d4f5be85e7728d87e3c1e1efe5312626fd68efbfd8816a5 run #0: crashed: general protection fault in hrtimer_active run #1: crashed: general protection fault in hrtimer_active run #2: crashed: general protection fault in hrtimer_active run #3: crashed: general protection fault in hrtimer_active run #4: crashed: general protection fault in hrtimer_active run #5: crashed: general protection fault in hrtimer_active run #6: crashed: general protection fault in hrtimer_active run #7: crashed: general protection fault in hrtimer_active run #8: crashed: general protection fault in hrtimer_active run #9: crashed: general protection fault in hrtimer_active run #10: crashed: general protection fault in hrtimer_active run #11: crashed: general protection fault in hrtimer_active run #12: crashed: general protection fault in hrtimer_active run #13: crashed: general protection fault in hrtimer_active run #14: crashed: no output from test machine run #15: crashed: no output from test machine run #16: crashed: no output from test machine run #17: crashed: no output from test machine run #18: crashed: no output from test machine run #19: crashed: no output from test machine representative crash: general protection fault in hrtimer_active, types: [UNKNOWN] check whether we can drop unnecessary instrumentation disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for 
Debian) 2.40 kernel signature: 4543297f4690f548a931991da604d2db77bf4370e51f437547fff582da40c271 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: no output from test machine run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] the bug reproduces without the instrumentation disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed kconfig minimization: base=4920 full=6161 leaves diff=241 split chunks (needed=false): <241> split chunk #0 of len 241 into 5 parts testing without sub-chunk 1/5 disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b44a8d8c37e7f513c05ce2fdfee22faf120231e0f2ede4a804dc1d836ebd11e6 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer 
dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2c4e8c38f43eef2b2e79cbb87d03d218ec34427b4f8e3aabcf49dc02dbbb64ca run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc 
(GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f3d995401d7d95ea02a1cd704b88c1e40ee3b1205d64ebdb04b665555b198f13 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: de183d39da10d1b18b1fb292fda6f69cd9848c34d274c59f555bd7ce45e2d252 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle 
kernel NULL pointer dereference in hrtimer_active run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 failed building 61cfd264993d07540f60a5c53d77a14c818e54a9: net/socket.c:1189: undefined reference to `wext_handle_ioctl' net/socket.c:3383: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:343: undefined reference to `wext_proc_exit' net/core/net-procfs.c:327: undefined reference to `wext_proc_init' minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF] disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed testing current HEAD e787d6ac4af04c06a0120ad773820d43f9b851a9 testing commit 
e787d6ac4af04c06a0120ad773820d43f9b851a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0e142028e114d0bbddab1982a659471d74e53ad31bfbf73b3365ceabbbd3bf77 all runs: OK false negative chance: 0.000 # git bisect start e787d6ac4af04c06a0120ad773820d43f9b851a9 61cfd264993d07540f60a5c53d77a14c818e54a9 Bisecting: 1709 revisions left to test after this (roughly 11 steps) [6ef852a43090d86e50c6176064aa51c357d3d19f] iio: adc: ad7091r: Set alert bit in config register determine whether the revision contains the guilty commit checking the merge base 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 no existing result, test the revision testing commit 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 09f5f5dc901a7915db4e8cfea75625b3d2df2680187c4e423917c802bb0cfc90 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] testing commit 6ef852a43090d86e50c6176064aa51c357d3d19f gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 34216a58ac1fb2bffb96f924b73fcf70edb8fe0579ff4b994b8dabe7e88ebefb run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: BUG: unable to handle kernel NULL pointer 
dereference in hrtimer_active run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] # git bisect good 6ef852a43090d86e50c6176064aa51c357d3d19f Bisecting: 854 revisions left to test after this (roughly 10 steps) [3c1b2776ef19117f76b698d70784677eb8549b8d] getrusage: use sig->stats_lock rather than lock_task_sighand() determine whether the revision contains the guilty commit revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable testing commit 3c1b2776ef19117f76b698d70784677eb8549b8d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c3dff15468bf9077217c9d77d7270caf10956057fe3d10527dac2985e95f4520 all runs: OK false negative chance: 0.000 # git bisect bad 3c1b2776ef19117f76b698d70784677eb8549b8d Bisecting: 427 revisions left to test after this (roughly 9 steps) [89353c8864779c146ec46c895ac65257ca83620c] usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API determine whether the revision contains the guilty commit revision 6ef852a43090d86e50c6176064aa51c357d3d19f crashed and is reachable testing commit 89353c8864779c146ec46c895ac65257ca83620c gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8044eb07107f9ae614b2b6e5c0fe202939893930ebd4387739ce4cffe75be485 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] # git bisect good 89353c8864779c146ec46c895ac65257ca83620c Bisecting: 213 revisions left to test after this (roughly 8 steps) [819ca25444b377935faa2dbb0aa3547519b5c80f] bpf: Address KCSAN report on bpf_lru_list determine whether the revision contains the guilty commit revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable 
testing commit 819ca25444b377935faa2dbb0aa3547519b5c80f gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0ca1565abaebf8efd140931a37fa54969d04ffc64e563c398d8375ff8dbc0a77 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] # git bisect good 819ca25444b377935faa2dbb0aa3547519b5c80f Bisecting: 106 revisions left to test after this (roughly 7 steps) [bdb7fb29236a52c21c6f2b76354c1699ce19050d] tls: rx: assume crypto always calls our callback determine whether the revision contains the guilty commit revision 819ca25444b377935faa2dbb0aa3547519b5c80f crashed and is reachable testing commit bdb7fb29236a52c21c6f2b76354c1699ce19050d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1b5fcc802b63f9cf81cdfc30cc8ce25155ad90a5ce85675d74cc3067f081adcb all runs: OK false negative chance: 0.000 # git bisect bad bdb7fb29236a52c21c6f2b76354c1699ce19050d Bisecting: 53 revisions left to test after this (roughly 6 steps) [664264a5c55bf97a9c571c557d477b75416199be] netfilter: nf_tables: set dormant flag on hook register failure determine whether the 
revision contains the guilty commit revision 89353c8864779c146ec46c895ac65257ca83620c crashed and is reachable testing commit 664264a5c55bf97a9c571c557d477b75416199be gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 401469ca83eb7716a2945bacd331459a2fd9dd421061267d314aa0af3f0426f3 run #0: basic kernel testing failed: lost connection to test machine run #1: basic kernel testing failed: lost connection to test machine run #2: basic kernel testing failed: lost connection to test machine run #3: basic kernel testing failed: lost connection to test machine run #4: basic kernel testing failed: lost connection to test machine run #5: basic kernel testing failed: lost connection to test machine run #6: basic kernel testing failed: lost connection to test machine run #7: basic kernel testing failed: lost connection to test machine run #8: basic kernel testing failed: lost connection to test machine run #9: basic kernel testing failed: failed to copy prog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syzkaller241377209" "root@10.128.0.203:./syzkaller241377209"]
unable to determine the verdict: 0 good runs (wanted 5), for bad wanted 5 in total, got 0 # git bisect skip 664264a5c55bf97a9c571c557d477b75416199be Bisecting: 53 revisions left to test after this (roughly 6 steps) [2a7b878a7dada5ca646d2d0feb71232a89efbc0a] net: stmmac: Fix incorrect dereference in interrupt handlers determine whether the revision contains the guilty commit revision 89353c8864779c146ec46c895ac65257ca83620c crashed and is reachable testing commit 2a7b878a7dada5ca646d2d0feb71232a89efbc0a gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 96c9f901a20f8f1a08f67657995c94339efbc4ec19a3290f1aa2b805ae73f725 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in
hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: no output from test machine run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] # git bisect good 2a7b878a7dada5ca646d2d0feb71232a89efbc0a Bisecting: 35 revisions left to test after this (roughly 5 steps) [386bb2537e9b45a96b2e190b9c96f17dbd0a1405] mtd: spinand: gigadevice: Fix the get ecc status issue determine whether the revision contains the guilty commit revision 664264a5c55bf97a9c571c557d477b75416199be crashed and is reachable testing commit 386bb2537e9b45a96b2e190b9c96f17dbd0a1405 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f08d0ced28004b7b6672d6aa066d53a14f7b4c89ae02e0114741b247b08c338e run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: no output from test machine run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle 
kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] # git bisect good 386bb2537e9b45a96b2e190b9c96f17dbd0a1405 Bisecting: 17 revisions left to test after this (roughly 4 steps) [84d3baab4b8945b8143fcffab21d5e93ed7f9672] netfilter: nfnetlink_queue: silence bogus compiler warning determine whether the revision contains the guilty commit revision 664264a5c55bf97a9c571c557d477b75416199be crashed and is reachable testing commit 84d3baab4b8945b8143fcffab21d5e93ed7f9672 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ac22cc72b1110924e16e4e5ea22c8cb47e9af32b8afdab9861ef30657fe2af36 all runs: OK false negative chance: 0.000 # git bisect bad 84d3baab4b8945b8143fcffab21d5e93ed7f9672 Bisecting: 8 revisions left to test after this (roughly 3 steps) [9b1f5c00328459af6f59d926b9d841ec9e541b58] veth: try harder when allocating queue memory determine whether the revision contains the guilty commit revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable testing commit 9b1f5c00328459af6f59d926b9d841ec9e541b58 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7d1ebcd42aa63dcb4aecd724e76e57312bd9ee8ab6283c3107defb2a28bfd13f all runs: OK false negative chance: 0.000 # git bisect bad 9b1f5c00328459af6f59d926b9d841ec9e541b58 Bisecting: 4 revisions left to test after this (roughly 2 steps) [bf3f0c4169bed60ca4d5869707aa4c386bfe048d] cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call back determine whether the revision contains the guilty commit revision 819ca25444b377935faa2dbb0aa3547519b5c80f crashed and is reachable testing commit bf3f0c4169bed60ca4d5869707aa4c386bfe048d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2d79139debd6cdd5922d67ce254cc9c209052c71334c18e7143e7b2040099fd8 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #1: crashed: BUG: 
unable to handle kernel NULL pointer dereference in hrtimer_active run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_active, types: [UNKNOWN] # git bisect good bf3f0c4169bed60ca4d5869707aa4c386bfe048d Bisecting: 2 revisions left to test after this (roughly 1 step) [8a54834c03c30e549c33d5da0975f3e1454ec906] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() determine whether the revision contains the guilty commit revision 819ca25444b377935faa2dbb0aa3547519b5c80f crashed and is reachable testing commit 8a54834c03c30e549c33d5da0975f3e1454ec906 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2d6e151086d2d0dd7353e47fa897e36a775155a0feae61dea68e1eeffab48f34 all runs: OK false negative chance: 0.000 # git bisect bad 8a54834c03c30e549c33d5da0975f3e1454ec906 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f011c103e654d83dc85f057a7d1bd0960d02831c] net: veth: clear GRO when clearing XDP even when down determine whether the revision contains the guilty commit revision 89353c8864779c146ec46c895ac65257ca83620c crashed and is reachable testing commit f011c103e654d83dc85f057a7d1bd0960d02831c gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 
e918d0b7cde3923f97abd2685896a4c6d4a6a164601e54e97cd0427bb77b58b3
all runs: OK
false negative chance: 0.000
# git bisect bad f011c103e654d83dc85f057a7d1bd0960d02831c
f011c103e654d83dc85f057a7d1bd0960d02831c is the first bad commit
commit f011c103e654d83dc85f057a7d1bd0960d02831c
Author: Jakub Kicinski
Date: Wed Feb 21 15:12:10 2024 -0800

    net: veth: clear GRO when clearing XDP even when down

    [ Upstream commit fe9f801355f0b47668419f30f1fac1cf4539e736 ]

    veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery.

    The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features.

    Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances.

    We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer.

    Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.

    Fixes: d3256efd8e8b ("veth: allow enabling NAPI even without XDP")
    Reported-by: Thomas Gleixner
    Reported-by: syzbot+039399a9b96297ddedca@syzkaller.appspotmail.com
    Signed-off-by: Jakub Kicinski
    Reviewed-by: Toke Høiland-Jørgensen
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

 drivers/net/veth.c | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

accumulated error probability: 0.00
culprit signature: e918d0b7cde3923f97abd2685896a4c6d4a6a164601e54e97cd0427bb77b58b3
parent signature: 2d79139debd6cdd5922d67ce254cc9c209052c71334c18e7143e7b2040099fd8
revisions tested: 21, total time: 6h9m38.129613699s (build: 2h29m5.585872217s, test: 3h36m1.841813841s)
first good commit: f011c103e654d83dc85f057a7d1bd0960d02831c net: veth: clear GRO when clearing XDP even when down
recipients (to): ["davem@davemloft.net" "kuba@kernel.org" "sashal@kernel.org" "toke@redhat.com"]
recipients (cc): []