ci starts bisection 2024-04-27 04:50:17.92842024 +0000 UTC m=+19969.319053160
bisecting cause commit starting from bb7a2467e6beef44a80a17d45ebf2931e7631083
building syzkaller on 059e99634d85e743d0e9fc4ca38805b8248a049f
ensuring issue is reproducible on original commit bb7a2467e6beef44a80a17d45ebf2931e7631083
testing commit bb7a2467e6beef44a80a17d45ebf2931e7631083 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6bfd7025d721dda2dbb414c312dc65894968779abc25bac2983d4ddfc96fbeba
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit bb7a2467e6beef44a80a17d45ebf2931e7631083 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 82ea19c04549c4586051bc2332732bf82be98a8b370168d7a2427f3fa32045ab
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=3976 full=8032 leaves diff=2015
split chunks (needed=false): <2015>
split chunk #0 of len 2015 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit bb7a2467e6beef44a80a17d45ebf2931e7631083 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5bb02001285a1feb45c60ee7eeda898e29c37279c14eaee0fb334cc8123a84bf
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit bb7a2467e6beef44a80a17d45ebf2931e7631083 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 75a1e1f7431b6f9a98a481140151bd7973d4cfd3ffcb485d36642b8355d23ec6
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit bb7a2467e6beef44a80a17d45ebf2931e7631083 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0734d4a8c92cf25e87a8e633795c5cdeea15361189792015f687a92d60445731
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit bb7a2467e6beef44a80a17d45ebf2931e7631083 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3c83ea1863f932ba68f666d5fc3f46f7df95b551f42297c30f3293fef3ad425b
run #0: crashed: KASAN: slab-use-after-free Write in vhost_task_fn
run #1: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #2: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #3: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #4: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #5: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #6: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #7: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #8: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #9: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Write in vhost_task_fn, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit bb7a2467e6beef44a80a17d45ebf2931e7631083 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 772f36acd479a7c34ebc7ed01391483f5fd0ea47ca12a9ee01e08612d545f1b0
all runs: OK
false negative chance: 0.000
minimized to 403 configs; suspects: [ARCH_ENABLE_MEMORY_HOTREMOVE ATM BCMA BLK_DEV_ZONED BPF_SYSCALL CARDBUS CFG80211 CFG80211_WEXT CMA COMMON_CLK CONTIG_ALLOC CRYPTO_842 CRYPTO_LZ4 CRYPTO_LZ4HC CRYPTO_ZSTD DVB_CORE EXTCON FB GPIOLIB HID_ZEROPLUS I2C_MUX IIO IOMMUFD IRQ_REMAP KVM KVM_INTEL LIBNVDIMM MEDIA_ANALOG_TV_SUPPORT MEDIA_CAMERA_SUPPORT MEDIA_CEC_SUPPORT MEDIA_CONTROLLER MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_TEST_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_VIPERBOARD PARPORT PCCARD PCMCIA PHONET RADIO_ADAPTERS RADIO_SI470X RADIO_SI4713 RC_CORE RFKILL SND SOUND SPI SSB TAP TARGET_CORE TUN USB_AMD5536UDC USB_ATM USB_CONFIGFS USB_CONFIGFS_ACM USB_CONFIGFS_ECM USB_CONFIGFS_ECM_SUBSET USB_CONFIGFS_EEM USB_CONFIGFS_F_FS USB_CONFIGFS_F_HID USB_CONFIGFS_F_LB_SS USB_CONFIGFS_F_MIDI USB_CONFIGFS_F_PRINTER USB_CONFIGFS_F_TCM USB_CONFIGFS_F_UAC1 USB_CONFIGFS_F_UAC1_LEGACY USB_CONFIGFS_F_UAC2 USB_CONFIGFS_F_UVC USB_CONFIGFS_MASS_STORAGE USB_CONFIGFS_NCM USB_CONFIGFS_OBEX USB_CONFIGFS_PHONET USB_CONFIGFS_RNDIS USB_CONFIGFS_SERIAL USB_CXACRU USB_CYPRESS_CY7C63 USB_CYTHERM USB_DSBR USB_DUMMY_HCD USB_DWC2 USB_DWC2_HOST USB_DWC2_PCI USB_DWC3 USB_DWC3_GADGET USB_DWC3_OF_SIMPLE USB_DWC3_PCI USB_DWC3_ULPI USB_DYNAMIC_MINORS USB_EG20T USB_EHCI_HCD_PLATFORM USB_EHCI_ROOT_HUB_TT USB_EHSET_TEST_FIXTURE USB_EMI26 USB_EMI62 USB_EPSON2888 USB_EZUSB_FX2 USB_FEW_INIT_RETRIES USB_F_ACM USB_F_ECM USB_F_EEM USB_F_FS USB_F_HID
USB_F_MASS_STORAGE USB_F_MIDI USB_F_NCM USB_F_OBEX USB_F_PHONET USB_F_PRINTER USB_F_RNDIS USB_F_SERIAL USB_F_SS_LB USB_F_SUBSET USB_F_TCM USB_F_UAC1 USB_F_UAC1_LEGACY USB_F_UAC2 USB_F_UVC USB_GADGET USB_GADGETFS USB_GADGET_DEBUG_FILES USB_GADGET_DEBUG_FS USB_GL860 USB_GOKU USB_GPIO_VBUS USB_GR_UDC USB_GSPCA USB_GSPCA_BENQ USB_GSPCA_CONEX USB_GSPCA_CPIA1 USB_GSPCA_DTCS033 USB_GSPCA_ETOMS USB_GSPCA_FINEPIX USB_GSPCA_JEILINJ USB_GSPCA_JL2005BCD USB_GSPCA_KINECT USB_GSPCA_KONICA USB_GSPCA_MARS USB_GSPCA_MR97310A USB_GSPCA_NW80X USB_GSPCA_OV519 USB_GSPCA_OV534 USB_GSPCA_OV534_9 USB_GSPCA_PAC207 USB_GSPCA_PAC7302 USB_GSPCA_PAC7311 USB_GSPCA_SE401 USB_GSPCA_SN9C2028 USB_GSPCA_SN9C20X USB_GSPCA_SONIXB USB_GSPCA_SONIXJ USB_GSPCA_SPCA1528 USB_GSPCA_SPCA500 USB_GSPCA_SPCA501 USB_GSPCA_SPCA505 USB_GSPCA_SPCA506 USB_GSPCA_SPCA508 USB_GSPCA_SPCA561 USB_GSPCA_SQ905 USB_GSPCA_SQ905C USB_GSPCA_SQ930X USB_GSPCA_STK014 USB_GSPCA_STK1135 USB_GSPCA_STV0680 USB_GSPCA_SUNPLUS USB_GSPCA_T613 USB_GSPCA_TOPRO USB_GSPCA_TOUPTEK USB_GSPCA_TV8532 USB_GSPCA_VC032X USB_GSPCA_VICAM USB_GSPCA_XIRLINK_CIT USB_GSPCA_ZC3XX USB_HACKRF USB_HCD_BCMA USB_HCD_SSB USB_HSIC_USB3503 USB_HSIC_USB4604 USB_HSO USB_HUB_USB251XB USB_IDMOUSE USB_IOWARRIOR USB_IPHETH USB_ISIGHTFW USB_ISP116X_HCD USB_ISP1301 USB_ISP1760 USB_ISP1760_DUAL_ROLE USB_ISP1760_HCD USB_ISP1761_UDC USB_KAWETH USB_KC2190 USB_KEENE USB_LAN78XX USB_LCD USB_LD USB_LEDS_TRIGGER_USBPORT USB_LED_TRIG USB_LEGOTOWER USB_LIBCOMPOSITE USB_LINK_LAYER_TEST USB_M5602 USB_MA901 USB_MAX3421_HCD USB_MDC800 USB_MICROTEK USB_MR800 USB_MSI2500 USB_MUSB_DUAL_ROLE USB_MUSB_HDRC USB_MV_U3D USB_MV_UDC USB_NET2272 USB_NET2272_DMA USB_NET2280 USB_NET_AX88179_178A USB_NET_AX8817X USB_NET_CDCETHER USB_NET_CDC_EEM USB_NET_CDC_MBIM USB_NET_CDC_NCM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_CH9200 USB_NET_CX82310_ETH USB_NET_DM9601 USB_NET_GL620A USB_NET_HUAWEI_CDC_NCM USB_NET_INT51X1 USB_NET_KALMIA USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_QMI_WWAN 
USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_OXU210HP_HCD USB_PEGASUS USB_PULSE8_CEC USB_PWC USB_PWC_INPUT_EVDEV USB_PXA27X USB_R8A66597 USB_R8A66597_HCD USB_RAINSHADOW_CEC USB_RAREMONO USB_RAW_GADGET USB_RTL8150 USB_RTL8152 USB_RTL8153_ECM USB_S2255 USB_SERIAL USB_SERIAL_AIRCABLE USB_SERIAL_ARK3116 USB_SERIAL_BELKIN USB_SERIAL_CH341 USB_SERIAL_CONSOLE USB_SERIAL_CP210X USB_SERIAL_CYBERJACK USB_SERIAL_CYPRESS_M8 USB_SERIAL_DEBUG USB_SERIAL_DIGI_ACCELEPORT USB_SERIAL_EDGEPORT USB_SERIAL_EDGEPORT_TI USB_SERIAL_EMPEG USB_SERIAL_F81232 USB_SERIAL_F8153X USB_SERIAL_FTDI_SIO USB_SERIAL_GARMIN USB_SERIAL_GENERIC USB_SERIAL_IPAQ USB_SERIAL_IPW USB_SERIAL_IR USB_SERIAL_IUU USB_SERIAL_KEYSPAN USB_SERIAL_KEYSPAN_PDA USB_SERIAL_KLSI USB_SERIAL_KOBIL_SCT USB_SERIAL_MCT_U232 USB_SERIAL_METRO USB_SERIAL_MOS7715_PARPORT USB_SERIAL_MOS7720 USB_SERIAL_MOS7840 USB_SERIAL_MXUPORT USB_SERIAL_NAVMAN USB_SERIAL_OMNINET USB_SERIAL_OPTICON USB_SERIAL_OPTION USB_SERIAL_OTI6858 USB_SERIAL_PL2303 USB_SERIAL_QCAUX USB_SERIAL_QT2 USB_SERIAL_QUALCOMM USB_SERIAL_SAFE USB_SERIAL_SIERRAWIRELESS USB_SERIAL_SIMPLE USB_SERIAL_SPCP8X5 USB_SERIAL_SSU100 USB_SERIAL_SYMBOL USB_SERIAL_TI USB_SERIAL_UPD78F0730 USB_SERIAL_VISOR USB_SERIAL_WHITEHEAT USB_SERIAL_WISHBONE USB_SERIAL_WWAN USB_SERIAL_XR USB_SERIAL_XSENS_MT USB_SEVSEG USB_SI470X USB_SI4713 USB_SIERRA_NET USB_SISUSBVGA USB_SL811_CS USB_SL811_HCD USB_SL811_HCD_ISO USB_SNP_CORE USB_SPEEDTOUCH USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_ENE_UB6250 USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_STV06XX USB_TEST USB_TMC USB_TRANCEVIBRATOR USB_UAS USB_UEAGLEATM USB_ULPI_BUS USB_USBNET USB_USS720 USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_VIDEO_CLASS USB_VIDEO_CLASS_INPUT_EVDEV USB_VL600 USB_WDM USB_XHCI_DBGCAP 
USB_XHCI_PLATFORM USB_XUSBATM USB_YUREX USERFAULTFD USERIO USERMODE_DRIVER USER_RETURN_NOTIFIER UVC_COMMON U_SERIAL_CONSOLE V4L2_MEM2MEM_DEV V4L_TEST_DRIVERS VALIDATE_FS_PARSER VDPA VDPA_SIM VDPA_SIM_BLOCK VDPA_SIM_NET VDPA_USER VETH VFIO VFIO_DEVICE_CDEV VFIO_PCI VFIO_PCI_CORE VFIO_PCI_INTX VFIO_PCI_MMAP VFIO_VIRQFD VGASTATE VHOST VHOST_CROSS_ENDIAN_LEGACY VHOST_IOTLB VHOST_NET VHOST_RING VHOST_TASK VHOST_VDPA VHOST_VSOCK VIDEO VIDEOBUF2_CORE VIDEOBUF2_DMA_CONTIG VIDEOBUF2_DMA_SG VIDEOBUF2_MEMOPS VIDEOBUF2_V4L2 VIDEOBUF2_VMALLOC VIDEOMODE_HELPERS VIDEO_AU0828 VIDEO_AU0828_RC VIDEO_AU0828_V4L2 VIDEO_CS53L32A VIDEO_CX231XX VIDEO_CX231XX_ALSA VIDEO_CX231XX_DVB VIDEO_CX231XX_RC VIDEO_CX2341X VIDEO_CX25840 VIDEO_DEV VIDEO_EM28XX VIDEO_EM28XX_ALSA VIDEO_EM28XX_DVB VIDEO_EM28XX_RC VIDEO_EM28XX_V4L2 VIDEO_GO7007 VIDEO_GO7007_LOADER VIDEO_GO7007_USB VIDEO_GO7007_USB_S2250_BOARD VIDEO_HDPVR VIDEO_MSP3400 VIDEO_PVRUSB2 VIDEO_PVRUSB2_DVB VIDEO_PVRUSB2_SYSFS VIDEO_SAA711X VIDEO_STK1160 VIDEO_TUNER VIDEO_TVEEPROM VIDEO_USBTV VIDEO_V4L2_I2C VIDEO_V4L2_SUBDEV_API VIDEO_V4L2_TPG VIDEO_VICODEC VIDEO_VIM2M VIDEO_VIMC VIDEO_VIVID VIDEO_VIVID_CEC VIDEO_WM8775 VIPERBOARD_ADC VIRTIO_BALLOON VIRTIO_DMA_SHARED_BUFFER VIRTIO_MEM VIRTIO_MMIO VIRTIO_MMIO_CMDLINE_DEVICES VIRTIO_PMEM VIRTIO_VDPA VIRTIO_VSOCKETS VIRTIO_VSOCKETS_COMMON VIRT_WIFI VLAN_8021Q VLAN_8021Q_GVRP VLAN_8021Q_MVRP VMAP_PFN VMWARE_VMCI VMXNET3 VP_VDPA VSOCKETS VSOCKETS_DIAG VSOCKETS_LOOPBACK VSOCKMON VT_HW_CONSOLE_BINDING VXFS_FS WANT_DEV_COREDUMP WEXT_CORE WEXT_PRIV WEXT_PROC WIREGUARD WIRELESS WIRELESS_EXT WLAN WLAN_VENDOR_ADMTEK WLAN_VENDOR_PURELIFI WLAN_VENDOR_SILABS X86_SGX X86_SGX_KVM X86_USER_SHADOW_STACK X86_X2APIC X86_X32_ABI XDP_SOCKETS XDP_SOCKETS_DIAG XFRM_ESPINTCP XFRM_INTERFACE XFRM_IPCOMP XFRM_MIGRATE XFRM_OFFLOAD XFRM_STATISTICS XFRM_SUB_POLICY XFRM_USER_COMPAT XFS_FS XFS_POSIX_ACL XFS_QUOTA XFS_RT XOR_BLOCKS YENTA YENTA_ENE_TUNE YENTA_O2 YENTA_RICOH YENTA_TI YENTA_TOSHIBA ZEROPLUS_FF ZLIB_DEFLATE ZONEFS_FS 
ZPOOL ZRAM ZRAM_DEF_COMP_LZORLE ZSMALLOC ZSTD_COMPRESS ZSWAP ZSWAP_COMPRESSOR_DEFAULT_LZO ZSWAP_DEFAULT_ON ZSWAP_SHRINKER_DEFAULT_ON ZSWAP_ZPOOL_DEFAULT_ZSMALLOC]
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
picked [v6.8 v6.7 v6.6 v6.4 v6.2 v6.0 v5.18 v5.16 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 31 release tags
testing release v6.8
testing commit e8f897f4afef0031fe618a8e94127a0934896aba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2d1e0a65f595bb2a85c661a76dc935572bdf2b2d8c56087397b9bf149001e2d2
all runs: OK
false negative chance: 0.000
# git bisect start bb7a2467e6beef44a80a17d45ebf2931e7631083 e8f897f4afef0031fe618a8e94127a0934896aba
Bisecting: 11850 revisions left to test after this (roughly 14 steps)
[2ac2b1665d3fbec6ca709dd6ef3ea05f4a51ee4c] Merge tag 'hwlock-v6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux
testing commit 2ac2b1665d3fbec6ca709dd6ef3ea05f4a51ee4c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 155e21f23c4a8c24bf6d06ced73912d7d4541446b232cdd9d33a1b238a0ee744
all runs: OK
false negative chance: 0.000
# git bisect good 2ac2b1665d3fbec6ca709dd6ef3ea05f4a51ee4c
Bisecting: 5924 revisions left to test after this (roughly 13 steps)
[7bef702cd64e4040de38187efc17fb51e79ed3f6] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git
testing commit 7bef702cd64e4040de38187efc17fb51e79ed3f6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f88065e0ae3619c759f3e93d31a8c12010a4873a3897653d606f93ba9149d144
all runs: OK
false negative chance: 0.000
# git bisect good 7bef702cd64e4040de38187efc17fb51e79ed3f6
Bisecting: 2917 revisions left to test after this (roughly 12 steps)
[b07b22e1b67370efc65035f4d9bb5a8d52fcba36] Merge branch 'drm-next' of https://gitlab.freedesktop.org/agd5f/linux
testing commit b07b22e1b67370efc65035f4d9bb5a8d52fcba36 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 21f09e468b8f6171b46b3cc81d5f3d2c734657014e5f3fb69bf860f67ad43883
all runs: OK
false negative chance: 0.000
# git bisect good b07b22e1b67370efc65035f4d9bb5a8d52fcba36
Bisecting: 1458 revisions left to test after this (roughly 11 steps)
[8f7e394e3381d01a85a2475986bc1ed025aff47d] Merge branch 'rcu/next' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git
testing commit 8f7e394e3381d01a85a2475986bc1ed025aff47d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 455ac2485e5df38b37bf2a21b3bc7ad40155df0c7f0e717aba7b57a382dee77c
all runs: OK
false negative chance: 0.000
# git bisect good 8f7e394e3381d01a85a2475986bc1ed025aff47d
Bisecting: 727 revisions left to test after this (roughly 10 steps)
[554a7eb6c6686de62dcfba8d7e9535c78e5a9cb6] Merge branch 'spmi-next' of git://git.kernel.org/pub/scm/linux/kernel/git/sboyd/spmi.git
testing commit 554a7eb6c6686de62dcfba8d7e9535c78e5a9cb6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c60cfd3036501cb42a4567e734763d0b2cbe9d6143a1e6e99faae0af133d4213
all runs: OK
false negative chance: 0.000
# git bisect good 554a7eb6c6686de62dcfba8d7e9535c78e5a9cb6
Bisecting: 368 revisions left to test after this (roughly 9 steps)
[03720688793007f909af50d3120061248cf4848a] Merge branch 'gpio/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux.git
testing commit 03720688793007f909af50d3120061248cf4848a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5852a07e58a7d5435bf15ef2475a08b8cb32bf42b8a1701106893a6753f44474
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
# git bisect bad 03720688793007f909af50d3120061248cf4848a
Bisecting: 225 revisions left to test after this (roughly 8 steps)
[aca061774bc412c1415242f0d2579143dd642b46] scsi: mpi3mr: Fix some kernel-doc warnings in scsi_bsg_mpi3mr.h
testing commit aca061774bc412c1415242f0d2579143dd642b46 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 686359cc78ac65aa832bcb41479e7dd0129b92abed7c6f3a50f5dd988b47726f
all runs: OK
false negative chance: 0.000
# git bisect good aca061774bc412c1415242f0d2579143dd642b46
Bisecting: 111 revisions left to test after this (roughly 7 steps)
[be68a08014fba531f35fb6eb068c0761e4ea2c47] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine.git
testing commit be68a08014fba531f35fb6eb068c0761e4ea2c47 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df89ad276b6159ccdd2d939f56b04c7559d10426f89bb486340c456ac24aef43
all runs: OK
false negative chance: 0.000
# git bisect good be68a08014fba531f35fb6eb068c0761e4ea2c47
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[24ddee0ff8c34256891323c92beeaa3bd55a0d30] Merge tag 'stable/vduse-virtio-net' into vhost
testing commit 24ddee0ff8c34256891323c92beeaa3bd55a0d30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b90bc360f441f693cbcfd917620513f7f8931e61707dbbc0863f9e67a6d3838f
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
# git bisect bad 24ddee0ff8c34256891323c92beeaa3bd55a0d30
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[80d54bcb6b1d8dc4d10b231222212da91356f39b] virtio: input: drop owner assignment
testing commit 80d54bcb6b1d8dc4d10b231222212da91356f39b gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d3c7fb5ca54a339520495bc14693faeda91f0e90dda2f1bcb64943367a047deb
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
# git bisect bad 80d54bcb6b1d8dc4d10b231222212da91356f39b
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[bfc23fb6adefecbd86d780cea90c6e2df9520611] vdpa: Convert sprintf/snprintf to sysfs_emit
testing commit bfc23fb6adefecbd86d780cea90c6e2df9520611 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 16ff90a372731cc37f331cee362689542de67d8a738de7a36ead938975fc6f48
all runs: OK
false negative chance: 0.000
# git bisect good bfc23fb6adefecbd86d780cea90c6e2df9520611
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[3df86ff660659b5a9d2d71abf45b5ba3f573de29] vhost: Release worker mutex during flushes
testing commit 3df86ff660659b5a9d2d71abf45b5ba3f573de29 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4796c3d8f5cdefcd454117644f6498917427f3ea66fde6cf332ca11f6a3d0f46
all runs: OK
false negative chance: 0.000
# git bisect good 3df86ff660659b5a9d2d71abf45b5ba3f573de29
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[4ba509048975850714bf9ba880444ddb338892d3] virtio-mem: support suspend+resume
testing commit 4ba509048975850714bf9ba880444ddb338892d3 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 073ed87ddc99cca78fd8c4ba23d9f7e726d80978c244380722c10a820ccbf526
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
# git bisect bad 4ba509048975850714bf9ba880444ddb338892d3
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ec7806041f9e804de6431cf74567d3f0c6824606] kernel: Remove signal hacks for vhost_tasks
testing commit ec7806041f9e804de6431cf74567d3f0c6824606 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4660013391b19952a056f21188362dc8bc401108eb8936a8f4df46c34968db9b
run #0: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #1: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #2: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #3: crashed: KASAN: slab-use-after-free Write in vhost_task_fn
run #4: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #5: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #6: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #7: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #8: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
run #9: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
# git bisect bad ec7806041f9e804de6431cf74567d3f0c6824606
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a3df30984f4faf82d63d2a96f8ac773403ce935d] vhost_task: Handle SIGKILL by flushing work and exiting
testing commit a3df30984f4faf82d63d2a96f8ac773403ce935d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8c31d65a43be48d4778bb771392aee1427cf767dc30c5cae6e5f039e44f5c87d
all runs: crashed: KASAN: slab-use-after-free Read in vhost_task_fn
representative crash: KASAN: slab-use-after-free Read in vhost_task_fn, types: [KASAN]
# git bisect bad a3df30984f4faf82d63d2a96f8ac773403ce935d
a3df30984f4faf82d63d2a96f8ac773403ce935d is the first bad commit
commit a3df30984f4faf82d63d2a96f8ac773403ce935d
Author: Mike Christie
Date:   Fri Mar 15 19:47:06 2024 -0500

    vhost_task: Handle SIGKILL by flushing work and exiting

    Instead of lingering until the device is closed, this has us handle
    SIGKILL by:

    1. marking the worker as killed so we no longer try to use it with new
       virtqueues and new flush operations.
    2. setting the virtqueue to worker mapping so no new works are queued.
    3. running all the exiting works.

    Signed-off-by: Mike Christie
    Message-Id: <20240316004707.45557-9-michael.christie@oracle.com>
    Signed-off-by: Michael S. Tsirkin

 drivers/vhost/vhost.c            | 54 +++++++++++++++++++++++++++++++++++++---
 drivers/vhost/vhost.h            |  2 ++
 include/linux/sched/vhost_task.h |  3 ++-
 kernel/vhost_task.c              | 53 +++++++++++++++++++++++++--------------
 4 files changed, 88 insertions(+), 24 deletions(-)

accumulated error probability: 0.00
culprit signature: 8c31d65a43be48d4778bb771392aee1427cf767dc30c5cae6e5f039e44f5c87d
parent signature: 4796c3d8f5cdefcd454117644f6498917427f3ea66fde6cf332ca11f6a3d0f46
revisions tested: 23, total time: 8h48m58.758399318s (build: 4h15m57.959123427s, test: 4h9m44.131078494s)
first bad commit: a3df30984f4faf82d63d2a96f8ac773403ce935d vhost_task: Handle SIGKILL by flushing work and exiting
recipients (to): ["linux-kernel@vger.kernel.org" "michael.christie@oracle.com" "mst@redhat.com"]
recipients (cc): ["jasowang@redhat.com" "kvm@vger.kernel.org" "mst@redhat.com" "netdev@vger.kernel.org" "virtualization@lists.linux.dev"]
crash: KASAN: slab-use-after-free Read in vhost_task_fn
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
BUG: KASAN: slab-use-after-free in __mutex_unlock_slowpath+0xef/0x5c0 kernel/locking/mutex.c:921
Read of size 8 at addr ffff888116331880 by task vhost-3430/3431

CPU: 1 PID: 3431 Comm: vhost-3430 Not tainted 6.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x280 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
 __mutex_unlock_slowpath+0xef/0x5c0 kernel/locking/mutex.c:921
 vhost_task_fn+0x2b1/0x2e0 kernel/vhost_task.c:65
 ret_from_fork+0x32/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Allocated by task 3430:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 kmalloc_trace+0x1c9/0x3a0 mm/slub.c:3997
 kmalloc include/linux/slab.h:628 [inline]
 kzalloc include/linux/slab.h:749 [inline]
 vhost_task_create+0x142/0x2e0 kernel/vhost_task.c:134
 vhost_worker_create+0x172/0x360 drivers/vhost/vhost.c:667
 vhost_dev_set_owner+0x3b3/0x8a0 drivers/vhost/vhost.c:945
 vhost_dev_ioctl+0xbd/0xba0 drivers/vhost/vhost.c:2108
 vhost_vsock_dev_ioctl+0x6af/0xd10 drivers/vhost/vsock.c:875
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:904 [inline]
 __se_sys_ioctl+0xab/0xf0 fs/ioctl.c:890
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x1a0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 3429:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xee/0x1a0 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2106 [inline]
 slab_free mm/slub.c:4280 [inline]
 kfree+0x139/0x350 mm/slub.c:4390
 vhost_worker_destroy drivers/vhost/vhost.c:629 [inline]
 vhost_workers_free drivers/vhost/vhost.c:648 [inline]
 vhost_dev_cleanup+0x83d/0xa30 drivers/vhost/vhost.c:1051
 vhost_vsock_dev_release+0x33b/0x3a0 drivers/vhost/vsock.c:751
 __fput+0x301/0x670 fs/file_table.c:422
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close+0x11d/0x170 fs/open.c:1541
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x1a0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888116331800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 128 bytes inside of
 freed 512-byte region [ffff888116331800, ffff888116331a00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116330
head: order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000840(slab|head|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000840 ffff888100041c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
head: 0200000000000840 ffff888100041c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
head: 0200000000000002 ffffea000458cc01 dead000000000122 00000000ffffffff
head: 0000000400000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1958, tgid 1958 (udevd), ts 7849636983, free_ts 5697807279
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x10f/0x130 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0x33de/0x3580 mm/page_alloc.c:3317
 __alloc_pages+0x256/0x670 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page+0x5f/0x160 mm/slub.c:2175
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0x70/0x270 mm/slub.c:2391
 ___slab_alloc+0xb0d/0x1040 mm/slub.c:3525
 __slab_alloc mm/slub.c:3610 [inline]
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 kmalloc_trace+0x254/0x3a0 mm/slub.c:3992
 kmalloc include/linux/slab.h:628 [inline]
 kzalloc include/linux/slab.h:749 [inline]
 kernfs_fop_open+0x309/0xaf0 fs/kernfs/file.c:623
 do_dentry_open+0x74c/0x11c0 fs/open.c:955
 do_open fs/namei.c:3642 [inline]
 path_openat+0x225a/0x27f0 fs/namei.c:3799
 do_filp_open+0x22b/0x440 fs/namei.c:3826
 do_sys_openat2+0xf6/0x180 fs/open.c:1406
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x20d/0x260 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x1a0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 9 tgid 9 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x87f/0x9a0 mm/page_alloc.c:2347
 free_unref_page+0x37/0x3a0 mm/page_alloc.c:2487
 vfree+0x10e/0x210 mm/vmalloc.c:3340
 delayed_vfree_work+0x3c/0x70 mm/vmalloc.c:3261
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x8b6/0x12f0 kernel/workqueue.c:3335
 worker_thread+0x869/0xca0 kernel/workqueue.c:3416
 kthread+0x268/0x2c0 kernel/kthread.c:388
 ret_from_fork+0x32/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff888116331780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888116331800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888116331880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888116331900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888116331980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================