ci2 starts bisection 2024-10-30 16:19:15.750774458 +0000 UTC m=+14919.426698062 bisecting fixing commit since af361f9a1066ff9442eabafc458ff373481499a4 building syzkaller on 51c4dcff83b0574620c280cc5130ef59cc4a2e32 ensuring issue is reproducible on original commit af361f9a1066ff9442eabafc458ff373481499a4 testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 71fa2d550932c978986305954e58be4a0cb3eaf7345945b1c8ccefb3007567f5 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c17e25365be9689fcaaf61ff290180544274bb760ec7ed680fb2530a470ae164 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed kconfig minimization: base=5179 full=6491 leaves diff=256 split chunks (needed=false): <256> split chunk #0 of len 256 into 5 parts testing without sub-chunk 1/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: eb3533c87b586d5579b6b2eff547e2b8aa347ada37b57bbfb08c440fc34b0488 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c0f57baeb176dac1e961ee5253043663347ad85c37edd6565d08c4b7580611cf all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 52d41bd42f4d608b19ec5b1a3e0f0f0d857bf754df0ff3905f4b754c8017df2c all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 41c56f2eec59116ccb54c92800f4e226930c54e92a4af6191f902b8b2bd981a8 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building af361f9a1066ff9442eabafc458ff373481499a4: net/socket.c:1245: undefined reference to `wext_handle_ioctl' net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing current HEAD 19b68814b1cd60c40546f31f7cc5b7895c0b013b testing commit 19b68814b1cd60c40546f31f7cc5b7895c0b013b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 156cf149f7c41c6bc103e0f98227db8ea57857f1bb33cda48a51ebf337366396 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 1h25m24.422854402s (build: 42m13.938041187s, test: 37m2.497290316s) crash still not fixed or there were kernel test errors commit msg: Merge tag 'android14-6.1.112_r00' into android14-6.1 crash: KASAN: use-after-free Write in virtio_transport_recv_pkt ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: use-after-free in do_raw_spin_lock include/linux/spinlock.h:187 [inline] BUG: KASAN: use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x97/0x1b0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88811ed34688 by task kworker/1:1/35 CPU: 1 PID: 35 Comm: kworker/1:1 Not tainted 6.1.112-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: vsock-loopback vsock_loopback_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x105/0x148 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37 instrument_atomic_read_write include/linux/instrumented.h:102 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:187 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x97/0x1b0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1171 [inline] virtio_transport_recv_pkt+0x4fb/0x3ca0 net/vmw_vsock/virtio_transport_common.c:1307 vsock_loopback_work+0x376/0x3d0 net/vmw_vsock/vsock_loopback.c:137 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299 worker_thread+0x892/0xf20 kernel/workqueue.c:2446 kthread+0x215/0x270 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 386: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 ____kasan_kmalloc mm/kasan/common.c:379 [inline] __kasan_kmalloc+0x9c/0xb0 mm/kasan/common.c:388 kasan_kmalloc include/linux/kasan.h:212 [inline] kmalloc_trace+0x44/0xa0 mm/slab_common.c:1033 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:693 [inline] virtio_transport_do_socket_init+0x51/0x290 net/vmw_vsock/virtio_transport_common.c:604 vsock_assign_transport+0x376/0x4f0 net/vmw_vsock/af_vsock.c:506 vsock_connect+0x3c7/0xb90 net/vmw_vsock/af_vsock.c:1361 __sys_connect_file net/socket.c:1996 [inline] __sys_connect+0x304/0x370 net/socket.c:2013 __do_sys_connect net/socket.c:2023 [inline] __se_sys_connect net/socket.c:2020 [inline] __x64_sys_connect+0x75/0x80 net/socket.c:2020 x64_sys_call+0x14e/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 386: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 kasan_slab_free include/linux/kasan.h:178 [inline] slab_free_hook mm/slub.c:1745 [inline] slab_free_freelist_hook mm/slub.c:1771 [inline] slab_free mm/slub.c:3684 [inline] __kmem_cache_free+0x1fa/0x370 mm/slub.c:3697 kfree+0x7a/0xf0 mm/slab_common.c:990 virtio_transport_destruct+0x36/0x40 net/vmw_vsock/virtio_transport_common.c:815 vsock_deassign_transport net/vmw_vsock/af_vsock.c:421 [inline] vsock_assign_transport+0x23f/0x4f0 net/vmw_vsock/af_vsock.c:489 vsock_connect+0x3c7/0xb90 net/vmw_vsock/af_vsock.c:1361 __sys_connect_file net/socket.c:1996 [inline] __sys_connect+0x304/0x370 net/socket.c:2013 __do_sys_connect net/socket.c:2023 [inline] __se_sys_connect net/socket.c:2020 [inline] __x64_sys_connect+0x75/0x80 net/socket.c:2020 x64_sys_call+0x14e/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff88811ed34680 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 8 bytes inside of 96-byte region [ffff88811ed34680, ffff88811ed346e0) The buggy address belongs to the physical page: page:ffffea00047b4d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ed34 flags: 0x4000000000000200(slab|zone=1) raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042900 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 320, tgid 320 (kworker/0:2), ts 48498377893, free_ts 40221441925 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2590 [inline] prep_new_page+0x512/0x5e0 mm/page_alloc.c:2597 get_page_from_freelist+0x29f1/0x2a70 mm/page_alloc.c:4439 __alloc_pages+0x234/0x610 mm/page_alloc.c:5728 alloc_slab_page+0x6c/0xf0 allocate_slab mm/slub.c:1962 [inline] new_slab+0x7b/0x370 mm/slub.c:2015 ___slab_alloc+0x611/0x9a0 mm/slub.c:3203 __slab_alloc+0x52/0x90 mm/slub.c:3302 slab_alloc_node mm/slub.c:3387 [inline] __kmem_cache_alloc_node+0x1af/0x250 mm/slub.c:3460 kmalloc_trace+0x2a/0xa0 mm/slab_common.c:1028 kmalloc include/linux/slab.h:557 [inline] dst_cow_metrics_generic+0x50/0x160 net/core/dst.c:199 dst_metrics_write_ptr include/net/dst.h:119 [inline] dst_metric_set include/net/dst.h:180 [inline] icmp6_dst_alloc+0x304/0x4c0 net/ipv6/route.c:3282 mld_sendpack+0x4d1/0xbb0 net/ipv6/mcast.c:1809 mld_send_cr net/ipv6/mcast.c:2121 [inline] mld_ifc_work+0x73f/0xa70 net/ipv6/mcast.c:2653 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299 worker_thread+0x892/0xf20 kernel/workqueue.c:2446 kthread+0x215/0x270 kernel/kthread.c:386 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1498 [inline] free_pcp_prepare mm/page_alloc.c:1572 [inline] free_unref_page_prepare+0x794/0x7a0 mm/page_alloc.c:3511 free_unref_page+0xb2/0x5b0 mm/page_alloc.c:3607 __folio_put_small mm/swap.c:105 [inline] __folio_put+0x7c/0xa0 mm/swap.c:128 folio_put include/linux/mm.h:1431 [inline] put_page include/linux/mm.h:1483 [inline] anon_pipe_buf_release+0x10c/0x160 fs/pipe.c:138 pipe_buf_release include/linux/pipe_fs_i.h:199 [inline] pipe_read+0x4df/0xdb0 fs/pipe.c:324 call_read_iter include/linux/fs.h:2268 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x760/0x9b0 fs/read_write.c:470 ksys_read+0x15c/0x240 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x76/0x80 fs/read_write.c:621 x64_sys_call+0x28/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:1 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Memory state around the buggy address: ffff88811ed34580: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88811ed34600: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88811ed34680: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88811ed34700: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88811ed34780: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================