ci2 starts bisection 2024-01-14 10:49:17.234026658 +0000 UTC m=+153589.135934888
bisecting fixing commit since 61cfd264993d07540f60a5c53d77a14c818e54a9
building syzkaller on 6d6dbf8ab21a52df701946afac2a86f93a88fdc8
ensuring issue is reproducible on original commit 61cfd264993d07540f60a5c53d77a14c818e54a9
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aa1260650d90757225a9ba118c9b0238060245aeb232e7bebd0eff1a9765c43a
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #10: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #11: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #12: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #13: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #14: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #15: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #16: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #17: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #18: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #19: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 442dc3934939753a6f1d9993f9ad3f0fcdb541f1c3021ea74cace13c10d915e0
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
kconfig minimization: base=4920 full=6161 leaves diff=241
split chunks (needed=false): <241>
split chunk #0 of len 241 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7e27eebadc47d3389a2c0147d9b32ca47163b97100542491cf5f9e6805ad14be
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 778055a8d139ec07d91ff393f274cece625f165a11e925ca51eca7e11a508fd7
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b9ec1cdc2529071d3dc917ec930b9f03aa5a6a476d3d8eaab14eb1f641373e29
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d156f376c3dc617a0b839b891bb13da7c067f9c16236b630ab3a417f3a5f30a2
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 61cfd264993d07540f60a5c53d77a14c818e54a9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 61cfd264993d07540f60a5c53d77a14c818e54a9: net/socket.c:1189: undefined reference to `wext_handle_ioctl'
net/socket.c:3383: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing current HEAD ea2937bdd12f6ebc51e6698c5696a1b16507999b
testing commit ea2937bdd12f6ebc51e6698c5696a1b16507999b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a8c1d8a3ce69a479a0744d75b7ec7ef13fe0c5ee5e1978cbfd689231bd23853b
all runs: OK
false negative chance: 0.000
# git bisect start ea2937bdd12f6ebc51e6698c5696a1b16507999b 61cfd264993d07540f60a5c53d77a14c818e54a9
Bisecting: 680 revisions left to test after this (roughly 9 steps)
[e26c6febac43a2dd2c5fb993b2137489005d43bf] nvmet: nul-terminate the NQNs passed in the connect command
determine whether the revision contains the guilty commit
checking the merge base 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5
no existing result, test the revision
testing commit 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c5326b94fa9826deb2e6b9eb3d152cdff2912d9e3ca17e2f653ff69bd47d9c78
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
testing commit e26c6febac43a2dd2c5fb993b2137489005d43bf gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 78351bca05d7cf4a3fd7a4dd2a0924c625cc3c29f6040fa254862f80f36e7195
all runs: OK
false negative chance: 0.000
# git bisect bad e26c6febac43a2dd2c5fb993b2137489005d43bf
Bisecting: 339 revisions left to test after this (roughly 8 steps)
[d1b7e6562a4c9ec5a0ccc371041eb20124d201f5] octeontx2-pf: Fix holes in error code
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit d1b7e6562a4c9ec5a0ccc371041eb20124d201f5 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 52492a889d25804643810fd45168aae93a9a808361bf583e86c762d1e939ecf4
run #0: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in __skb_datagram_iter, types: [KASAN]
# git bisect good d1b7e6562a4c9ec5a0ccc371041eb20124d201f5
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[76545c0e881b9c0fcd6ad50bb5ea3cee3bee7a5b] xfs: don't leak memory when attr fork loading fails
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 76545c0e881b9c0fcd6ad50bb5ea3cee3bee7a5b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6df4419b97f4e25e48b05318401c0357e5579e110ff94b913daee29741f72c4e
all runs: OK
false negative chance: 0.000
# git bisect bad 76545c0e881b9c0fcd6ad50bb5ea3cee3bee7a5b
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[c86a3007a68528db220c4e051e9552fb2446728d] HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
determine whether the revision contains the guilty commit
revision d1b7e6562a4c9ec5a0ccc371041eb20124d201f5 crashed and is reachable
testing commit c86a3007a68528db220c4e051e9552fb2446728d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 844e8d9a4205a3c48a54050f807dd5e8cb5d3f9043773afa3e367223a64abfe2
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
# git bisect good c86a3007a68528db220c4e051e9552fb2446728d
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[4b3b2541d40eea222c44fad97fabbe62a66275fa] tty: Fix uninit-value access in ppp_sync_receive()
determine whether the revision contains the guilty commit
revision c86a3007a68528db220c4e051e9552fb2446728d crashed and is reachable
testing commit 4b3b2541d40eea222c44fad97fabbe62a66275fa gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 360d024dd0a82e1cebd75454e03b232ae28edb0500ff84b2ac042cf06758adac
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
# git bisect good 4b3b2541d40eea222c44fad97fabbe62a66275fa
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[b8b514b2a6cdfac24911e4910461bcb9db15ca8d] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit b8b514b2a6cdfac24911e4910461bcb9db15ca8d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 67fa5de5d5f75a0f4bcd68dfdc2b2eb73a26869cabad62bcf8fae9c95cabc679
all runs: OK
false negative chance: 0.000
# git bisect bad b8b514b2a6cdfac24911e4910461bcb9db15ca8d
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[8531a4194e59c57cd5043359a30e4925dbac4b38] ppp: limit MRU to 64K
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 8531a4194e59c57cd5043359a30e4925dbac4b38 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5b4d2ce24d0d31238b687716eeca9a38b016d1494c785ad8fe24b950137bd064
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
# git bisect good 8531a4194e59c57cd5043359a30e4925dbac4b38
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[097588e20c6b70030f91fdac6c9251312222dda8] net: ethernet: cortina: Handle large frames
determine whether the revision contains the guilty commit
revision 8531a4194e59c57cd5043359a30e4925dbac4b38 crashed and is reachable
testing commit 097588e20c6b70030f91fdac6c9251312222dda8 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2313028f0276d0c7b654b576947bc091eb555f70f0207a0c47dc09520e665273
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
# git bisect good 097588e20c6b70030f91fdac6c9251312222dda8
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7d3901bf3baa7a5219f4ff79bff4721f465bf4f1] netfilter: nf_conntrack_bridge: initialize err to 0
determine whether the revision contains the guilty commit
revision c86a3007a68528db220c4e051e9552fb2446728d crashed and is reachable
testing commit 7d3901bf3baa7a5219f4ff79bff4721f465bf4f1 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 74173f5fd54af71f50aae6bdafe22926a6fde280ce646035fb9ba074fcaf3b1b
all runs: OK
false negative chance: 0.000
# git bisect bad 7d3901bf3baa7a5219f4ff79bff4721f465bf4f1
Bisecting: 0 revisions left to test after this (roughly 1 step)
[75bcfc188abf4fae9c1d5f5dc0a03540be602eef] af_unix: fix use-after-free in unix_stream_read_actor()
determine whether the revision contains the guilty commit
revision 097588e20c6b70030f91fdac6c9251312222dda8 crashed and is reachable
testing commit 75bcfc188abf4fae9c1d5f5dc0a03540be602eef gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d8255410c1af92e4d28a55e1b61444c379ceaaa3a5e1766407c6b98d6f53e10f
all runs: OK
false negative chance: 0.000
# git bisect bad 75bcfc188abf4fae9c1d5f5dc0a03540be602eef
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0b480c654ef2f1bd09b29d6a6e79f24d8a35005e] net: ethernet: cortina: Fix MTU max setting
determine whether the revision contains the guilty commit
revision 12952a23a5da6459aaaaa3ae4bc8ce8fef952ef5 crashed and is reachable
testing commit 0b480c654ef2f1bd09b29d6a6e79f24d8a35005e gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a0026221a4f921ae2cd2c3222efe25aa7beadc6f6db90bfd087d8c860896a0e3
run #0: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #1: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in __skb_datagram_iter, types: [KASAN]
# git bisect good 0b480c654ef2f1bd09b29d6a6e79f24d8a35005e
75bcfc188abf4fae9c1d5f5dc0a03540be602eef is the first bad commit
commit 75bcfc188abf4fae9c1d5f5dc0a03540be602eef
Author: Eric Dumazet
Date:   Mon Nov 13 13:49:38 2023 +0000

    af_unix: fix use-after-free in unix_stream_read_actor()

    [ Upstream commit 4b7b492615cf3017190f55444f7016812b66611d ]

    syzbot reported the following crash [1]

    After releasing unix socket lock, u->oob_skb can be changed
    by another thread. We must temporarily increase skb refcount
    to make sure this other thread will not free the skb under us.

    [1]

    BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
    Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297

    CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
    Call Trace:
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
     print_address_description mm/kasan/report.c:364 [inline]
     print_report+0xc4/0x620 mm/kasan/report.c:475
     kasan_report+0xda/0x110 mm/kasan/report.c:588
     unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
     unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
     unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
     unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
     sock_recvmsg_nosec net/socket.c:1044 [inline]
     sock_recvmsg+0xe2/0x170 net/socket.c:1066
     ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
     ___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
     __sys_recvmsg+0x114/0x1e0 net/socket.c:2875
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    RIP: 0033:0x7fc67492c559
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
    RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
    RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
    RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
    R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388

    Allocated by task 5295:
     kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
     kasan_slab_alloc include/linux/kasan.h:188 [inline]
     slab_post_alloc_hook mm/slab.h:763 [inline]
     slab_alloc_node mm/slub.c:3478 [inline]
     kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
     __alloc_skb+0x287/0x330 net/core/skbuff.c:641
     alloc_skb include/linux/skbuff.h:1286 [inline]
     alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
     sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
     sock_alloc_send_skb include/net/sock.h:1884 [inline]
     queue_oob net/unix/af_unix.c:2147 [inline]
     unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0xd5/0x180 net/socket.c:745
     ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
     ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
     __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b

    Freed by task 5295:
     kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
     ____kasan_slab_free mm/kasan/common.c:236 [inline]
     ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
     kasan_slab_free include/linux/kasan.h:164 [inline]
     slab_free_hook mm/slub.c:1800 [inline]
     slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
     slab_free mm/slub.c:3809 [inline]
     kmem_cache_free+0xf8/0x340 mm/slub.c:3831
     kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
     __kfree_skb net/core/skbuff.c:1073 [inline]
     consume_skb net/core/skbuff.c:1288 [inline]
     consume_skb+0xdf/0x170 net/core/skbuff.c:1282
     queue_oob net/unix/af_unix.c:2178 [inline]
     unix_stream_sendmsg+0xd49/0x10a0 net/unix/af_unix.c:2301
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0xd5/0x180 net/socket.c:745
     ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
     ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
     __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b

    The buggy address belongs to the object at ffff88801f3b9c80 which belongs to the cache skbuff_head_cache of size 240
    The buggy address is located 68 bytes inside of freed 240-byte region [ffff88801f3b9c80, ffff88801f3b9d70)

    The buggy address belongs to the physical page:
    page:ffffea00007cee40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f3b9
    flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
    page_type: 0xffffffff()
    raw: 00fff00000000800 ffff888142a60640 dead000000000122 0000000000000000
    raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as allocated
    page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5299, tgid 5283 (syz-executor107), ts 103803840339, free_ts 103600093431
     set_page_owner include/linux/page_owner.h:31 [inline]
     post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
     prep_new_page mm/page_alloc.c:1544 [inline]
     get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
     __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
     alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
     alloc_slab_page mm/slub.c:1870 [inline]
     allocate_slab+0x251/0x380 mm/slub.c:2017
     new_slab mm/slub.c:2070 [inline]
     ___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
     __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
     __slab_alloc_node mm/slub.c:3375 [inline]
     slab_alloc_node mm/slub.c:3468 [inline]
     kmem_cache_alloc_node+0x132/0x3c0 mm/slub.c:3523
     __alloc_skb+0x287/0x330 net/core/skbuff.c:641
     alloc_skb include/linux/skbuff.h:1286 [inline]
     alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
     sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
     sock_alloc_send_skb include/net/sock.h:1884 [inline]
     queue_oob net/unix/af_unix.c:2147 [inline]
     unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0xd5/0x180 net/socket.c:745
     ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
     ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
     __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
    page last free stack trace:
     reset_page_owner include/linux/page_owner.h:24 [inline]
     free_pages_prepare mm/page_alloc.c:1137 [inline]
     free_unref_page_prepare+0x4f8/0xa90 mm/page_alloc.c:2347
     free_unref_page+0x33/0x3b0 mm/page_alloc.c:2487
     __unfreeze_partials+0x21d/0x240 mm/slub.c:2655
     qlink_free mm/kasan/quarantine.c:168 [inline]
     qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
     kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
     __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
     kasan_slab_alloc include/linux/kasan.h:188 [inline]
     slab_post_alloc_hook mm/slab.h:763 [inline]
     slab_alloc_node mm/slub.c:3478 [inline]
     slab_alloc mm/slub.c:3486 [inline]
     __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
     kmem_cache_alloc+0x15d/0x380 mm/slub.c:3502
     vm_area_dup+0x21/0x2f0 kernel/fork.c:500
     __split_vma+0x17d/0x1070 mm/mmap.c:2365
     split_vma mm/mmap.c:2437 [inline]
     vma_modify+0x25d/0x450 mm/mmap.c:2472
     vma_modify_flags include/linux/mm.h:3271 [inline]
     mprotect_fixup+0x228/0xc80 mm/mprotect.c:635
     do_mprotect_pkey+0x852/0xd60 mm/mprotect.c:809
     __do_sys_mprotect mm/mprotect.c:830 [inline]
     __se_sys_mprotect mm/mprotect.c:827 [inline]
     __x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:827
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b

    Memory state around the buggy address:
     ffff88801f3b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff88801f3b9c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
    >ffff88801f3b9c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                               ^
     ffff88801f3b9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
     ffff88801f3b9d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb

    Fixes: 876c14ad014d ("af_unix: fix holding spinlock in oob handling")
    Reported-and-tested-by: syzbot+7a2d546fa43e49315ed3@syzkaller.appspotmail.com
    Signed-off-by: Eric Dumazet
    Cc: Rao Shoaib
    Reviewed-by: Rao shoaib
    Link: https://lore.kernel.org/r/20231113134938.168151-1-edumazet@google.com
    Signed-off-by: Paolo Abeni
    Signed-off-by: Sasha Levin

 net/unix/af_unix.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: d8255410c1af92e4d28a55e1b61444c379ceaaa3a5e1766407c6b98d6f53e10f
parent signature: a0026221a4f921ae2cd2c3222efe25aa7beadc6f6db90bfd087d8c860896a0e3
revisions tested: 19, total time: 4h19m25.554179741s (build: 1h9m34.191867878s, test: 3h1m3.872468291s)
first good commit: 75bcfc188abf4fae9c1d5f5dc0a03540be602eef af_unix: fix use-after-free in unix_stream_read_actor()
recipients (to): ["edumazet@google.com" "pabeni@redhat.com" "rao.shoaib@oracle.com" "sashal@kernel.org" "syzbot+7a2d546fa43e49315ed3@syzkaller.appspotmail.com"]
recipients (cc): []