ci2 starts bisection 2025-02-11 20:22:24.599377976 +0000 UTC m=+20191.024160764
bisecting fixing commit since e5e5644ea27f86a29c84df744a01ea7de65ef800
building syzkaller on 666f77ed02b98b834393ff84c646a8d611605f6f
ensuring issue is reproducible on original commit e5e5644ea27f86a29c84df744a01ea7de65ef800

testing commit e5e5644ea27f86a29c84df744a01ea7de65ef800 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2983e67e5c94eedbde21ba15672f91e953cddccba3599cc379acf11d6d84fb7a
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit e5e5644ea27f86a29c84df744a01ea7de65ef800 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 38e015e64856358994ca448a0c8555ef1f98023ca3109feb8a7506b18ae80722
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed

kconfig minimization: base=4789 full=6020 leaves diff=243
split chunks (needed=false): <243>
split chunk #0 of len 243 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit e5e5644ea27f86a29c84df744a01ea7de65ef800 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f2c6de32af8cf13f00e68ea150611f8c80080448f0530bafdd65779e93d4e640
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit e5e5644ea27f86a29c84df744a01ea7de65ef800 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c968b8c2a2e05bf498baba768ca50392a52c13009b3819660cbd1935cce61bc0
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit e5e5644ea27f86a29c84df744a01ea7de65ef800 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 74db76e9310ab3ddc86b2cbbce086665be5f93c8741b99c314f97051d292bcef
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit e5e5644ea27f86a29c84df744a01ea7de65ef800 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 29fe0597e6cbffa856a8878cbb4d20f265fab5d5d945f5e72240a6140d497696
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit e5e5644ea27f86a29c84df744a01ea7de65ef800 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building e5e5644ea27f86a29c84df744a01ea7de65ef800:
net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 47 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed

testing current HEAD 6686f2996d23ab0b94151843024f466a3a264f34
testing commit 6686f2996d23ab0b94151843024f466a3a264f34 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9986c5fcb7bd964cb02f690b3759ac9462641339a651a3945aa6117ff2700297
all runs: OK
false negative chance: 0.000

# git bisect start 6686f2996d23ab0b94151843024f466a3a264f34 e5e5644ea27f86a29c84df744a01ea7de65ef800
Bisecting: 826 revisions left to test after this (roughly 10 steps)
[ff01ac3e766c4d79ea1498c8427600c5a7520a53] m68k: mvme147: Reinstate early console
determine whether the revision contains the guilty commit
checking the merge base ceb091e2c4ccf93b1ee0e0e8a202476a433784ff
no existing result, test the revision
testing commit ceb091e2c4ccf93b1ee0e0e8a202476a433784ff gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 86c2f5bad0878fa0777e944bde6fdcbdf52cb2e5290094f9bf15a9ac55caa0e4
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
testing commit ff01ac3e766c4d79ea1498c8427600c5a7520a53 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0fe5d5b842ce68dce5580ec9ef008878217fbac09351ab835c8ef8363b9ef10b
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
# git bisect good ff01ac3e766c4d79ea1498c8427600c5a7520a53

Bisecting: 413 revisions left to test after this (roughly 9 steps)
[784fc67079494b070f10f228d161af2f092348c5] batman-adv: Do not let TT changes list grows indefinitely
determine whether the revision contains the guilty commit
revision ff01ac3e766c4d79ea1498c8427600c5a7520a53 crashed and is reachable
testing commit 784fc67079494b070f10f228d161af2f092348c5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5888ef2c20a6a7bc2ad2aba24670693c99e7591f2765fc3dfe43c99dff447309
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
# git bisect good 784fc67079494b070f10f228d161af2f092348c5

Bisecting: 206 revisions left to test after this (roughly 8 steps)
[3bf8d1e87939b8a19c9b738564fddf5b73322f2f] iio: adc: ti-ads8688: fix information leak in triggered buffer
determine whether the revision contains the guilty commit
revision ceb091e2c4ccf93b1ee0e0e8a202476a433784ff crashed and is reachable
testing commit 3bf8d1e87939b8a19c9b738564fddf5b73322f2f gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f519cb84fed7fe799ff9883690b4d06dee97fa23898247fce058c7bc82f6ed24
all runs: OK
false negative chance: 0.000
# git bisect bad 3bf8d1e87939b8a19c9b738564fddf5b73322f2f

Bisecting: 103 revisions left to test after this (roughly 7 steps)
[221109ba2127eabd0aa64718543638b58b15df56] bpf: fix recursive lock when verdict program return SK_PASS
determine whether the revision contains the guilty commit
revision ceb091e2c4ccf93b1ee0e0e8a202476a433784ff crashed and is reachable
testing commit 221109ba2127eabd0aa64718543638b58b15df56 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a42b548680a800983670f6b0a4026db699a83fbf4ca4d897f015c8455b3bce07
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
# git bisect good 221109ba2127eabd0aa64718543638b58b15df56

Bisecting: 51 revisions left to test after this (roughly 6 steps)
[42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608] RDMA/uverbs: Prevent integer overflow issue
determine whether the revision contains the guilty commit
revision ceb091e2c4ccf93b1ee0e0e8a202476a433784ff crashed and is reachable
testing commit 42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e26a02474bde4ff06dfa7f3d3901429d4527e008895d47032953c6c57b08ecfa
all runs: OK
false negative chance: 0.000
# git bisect bad 42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608

Bisecting: 25 revisions left to test after this (roughly 5 steps)
[6a14b46052eeb83175a95baf399283860b9d94c4] netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
determine whether the revision contains the guilty commit
revision ceb091e2c4ccf93b1ee0e0e8a202476a433784ff crashed and is reachable
testing commit 6a14b46052eeb83175a95baf399283860b9d94c4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b83f24e82dbca2ae51db1adcd232f9317a92f21c6b4c77e7a42193b773748451
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
# git bisect good 6a14b46052eeb83175a95baf399283860b9d94c4

Bisecting: 12 revisions left to test after this (roughly 4 steps)
[1bf53a2145fa416e3c6825c7d3c267f4b7e32e24] kernel: Initialize cpumask before parsing
determine whether the revision contains the guilty commit
revision 6a14b46052eeb83175a95baf399283860b9d94c4 crashed and is reachable
testing commit 1bf53a2145fa416e3c6825c7d3c267f4b7e32e24 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 07168ab65917a2acddcf166a7507a1d976984bf56834654d6b35382437b5ecf0
all runs: OK
false negative chance: 0.000
# git bisect bad 1bf53a2145fa416e3c6825c7d3c267f4b7e32e24

Bisecting: 6 revisions left to test after this (roughly 3 steps)
[0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1] af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
determine whether the revision contains the guilty commit
revision ceb091e2c4ccf93b1ee0e0e8a202476a433784ff crashed and is reachable
testing commit 0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 46b1db3639d6098ffc322f0bcb22a19f50a36c8fc2b8daa4c3fda486ba2d6dd9
all runs: OK
false negative chance: 0.000
# git bisect bad 0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1

Bisecting: 2 revisions left to test after this (roughly 2 steps)
[925f2be402f92736a43bc0fba0f41a93a9a3d43f] eth: bcmsysport: fix call balance of priv->clk handling routines
determine whether the revision contains the guilty commit
revision 6a14b46052eeb83175a95baf399283860b9d94c4 crashed and is reachable
testing commit 925f2be402f92736a43bc0fba0f41a93a9a3d43f gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 96df56ad9877730247bfedc66e300313b3c3e101417b1e2d06d0904da96aef1b
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
# git bisect good 925f2be402f92736a43bc0fba0f41a93a9a3d43f

Bisecting: 0 revisions left to test after this (roughly 1 step)
[fa57f07ba0622c8692f40e1300adca59277b0044] af_packet: fix vlan_get_tci() vs MSG_PEEK
determine whether the revision contains the guilty commit
revision 6a14b46052eeb83175a95baf399283860b9d94c4 crashed and is reachable
testing commit fa57f07ba0622c8692f40e1300adca59277b0044 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 16f2b73d4fda3f4317f746121901d7f04c4a8bd2269400ee4f4a6529e37500d1
all runs: crashed: kernel BUG in vlan_get_protocol_dgram
representative crash: kernel BUG in vlan_get_protocol_dgram, types: [BUG]
# git bisect good fa57f07ba0622c8692f40e1300adca59277b0044

0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1 is the first bad commit
commit 0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1
Author: Eric Dumazet
Date: Mon Dec 30 16:10:04 2024 +0000

    af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK

    [ Upstream commit f91a5b8089389eb408501af2762f168c3aaa7b79 ]

    Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found
    by syzbot.

    Rework vlan_get_protocol_dgram() to not touch skb at all,
    so that it can be used from many cpus on the same skb.

    Add a const qualifier to skb argument.

    [1]
    skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:206 !
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
    RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
    RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
    Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
    RSP: 0018:ffffc900038d7638 EFLAGS: 00010282
    RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600
    RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
    RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60
    R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140
    R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011
    FS: 00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     skb_push+0xe5/0x100 net/core/skbuff.c:2636
     vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585
     packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552
     sock_recvmsg_nosec net/socket.c:1033 [inline]
     sock_recvmsg+0x22f/0x280 net/socket.c:1055
     ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803
     ___sys_recvmsg net/socket.c:2845 [inline]
     do_recvmmsg+0x426/0xab0 net/socket.c:2940
     __sys_recvmmsg net/socket.c:3014 [inline]
     __do_sys_recvmmsg net/socket.c:3037 [inline]
     __se_sys_recvmmsg net/socket.c:3030 [inline]
     __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading")
    Reported-by: syzbot+74f70bb1cb968bf09e4f@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c5.GAE@google.com/T/#u
    Signed-off-by: Eric Dumazet
    Cc: Chengen Du
    Reviewed-by: Willem de Bruijn
    Link: https://patch.msgid.link/20241230161004.2681892-2-edumazet@google.com
    Signed-off-by: Jakub Kicinski
    Signed-off-by: Sasha Levin

 include/linux/if_vlan.h | 16 +++++++++++++---
 net/packet/af_packet.c | 16 ++++------------
 2 files changed, 17 insertions(+), 15 deletions(-)

accumulated error probability: 0.00
culprit signature: 46b1db3639d6098ffc322f0bcb22a19f50a36c8fc2b8daa4c3fda486ba2d6dd9
parent signature: 16f2b73d4fda3f4317f746121901d7f04c4a8bd2269400ee4f4a6529e37500d1
revisions tested: 18, total time: 3h41m48.774954488s (build: 1h38m11.012331835s, test: 2h0m37.887125252s)
first good commit: 0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1 af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
recipients (to): ["edumazet@google.com" "kuba@kernel.org" "sashal@kernel.org" "willemb@google.com"]
recipients (cc): []