ci starts bisection 2025-07-01 11:17:01.360233257 +0000 UTC m=+54541.632170803 bisecting fixing commit since 7367539ad4b0f8f9b396baf02110962333719a48 building syzkaller on 610f2a54d02f8cf4f2454c03bf679b602e6e59b6 ensuring issue is reproducible on original commit 7367539ad4b0f8f9b396baf02110962333719a48 testing commit 7367539ad4b0f8f9b396baf02110962333719a48 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: b002ef733d133512179e3fd5fe3768bcb73a4dd85c9d2eddbb327bf3b5e09c4f run #0: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #1: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #2: crashed: KASAN: use-after-free Read in poly1305_update_arch run #3: crashed: KASAN: use-after-free Read in poly1305_update_arch run #4: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #5: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #6: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #7: crashed: KASAN: use-after-free Read in poly1305_update_arch run #8: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #9: crashed: KASAN: use-after-free Read in poly1305_update_arch run #10: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #11: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #12: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #13: crashed: KASAN: use-after-free Read in poly1305_update_arch run #14: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #15: crashed: KASAN: use-after-free Read in poly1305_update_arch run #16: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #17: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #18: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #19: crashed: KASAN: use-after-free Read in poly1305_update_arch 
representative crash: KASAN: slab-out-of-bounds Read in poly1305_update_arch, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit 7367539ad4b0f8f9b396baf02110962333719a48 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 45f34ef776e72316c374abaff165167909f728d508282b2fb36f81fd06ccf1a0 run #0: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #1: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #2: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #3: crashed: KASAN: use-after-free Read in poly1305_update_arch run #4: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #5: crashed: KASAN: use-after-free Read in poly1305_update_arch run #6: crashed: KASAN: use-after-free Read in poly1305_update_arch run #7: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #8: crashed: KASAN: use-after-free Read in poly1305_update_arch run #9: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch representative crash: KASAN: slab-out-of-bounds Read in poly1305_update_arch, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed kconfig minimization: base=4095 full=8007 leaves diff=2041 split chunks (needed=false): <2041> split chunk #0 of len 2041 into 5 parts testing without sub-chunk 1/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit 7367539ad4b0f8f9b396baf02110962333719a48 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 775213fdee3877e11925e06036935fcfc98eeae4c3d1bebe9a7fed1beb1384be all runs: OK false negative chance: 0.000 testing without 
sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 7367539ad4b0f8f9b396baf02110962333719a48 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 6269836d72a0481f14ad7295b3fbcaee1ae8fc8c06c6e1817fa64faa5cfacb75 run #0: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #1: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #2: crashed: KASAN: use-after-free Read in poly1305_update_arch run #3: crashed: KASAN: use-after-free Read in poly1305_update_arch run #4: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #5: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #6: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #7: crashed: KASAN: use-after-free Read in poly1305_update_arch run #8: crashed: KASAN: use-after-free Read in poly1305_update_arch run #9: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch representative crash: KASAN: slab-out-of-bounds Read in poly1305_update_arch, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 7367539ad4b0f8f9b396baf02110962333719a48 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: b98d842349bb17beb765a982d0e4ac79dfa7ce9931a065736398d054078641e4 run #0: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #1: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #2: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #3: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #4: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #5: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #6: 
crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #7: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #8: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #9: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch representative crash: KASAN: slab-use-after-free Read in poly1305_update_arch, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed testing commit 7367539ad4b0f8f9b396baf02110962333719a48 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 25b86f6b74191e18f40412fdb36dd8346ca4207fdef4543f4b003e2471bf2989 run #0: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #1: crashed: KASAN: use-after-free Read in poly1305_update_arch run #2: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #3: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #4: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #5: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #6: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #7: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #8: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #9: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch representative crash: KASAN: slab-out-of-bounds Read in poly1305_update_arch, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit 7367539ad4b0f8f9b396baf02110962333719a48 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: f35551ac86d82561704335f6d47eca7ae5f67a718c36e7e026d5fc20e2748fb3 run #0: 
crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #1: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #2: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #3: crashed: KASAN: slab-use-after-free Read in poly1305_update_arch run #4: crashed: KASAN: use-after-free Read in poly1305_update_arch run #5: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #6: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #7: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch run #8: crashed: KASAN: use-after-free Read in poly1305_update_arch run #9: crashed: KASAN: slab-out-of-bounds Read in poly1305_update_arch representative crash: KASAN: slab-use-after-free Read in poly1305_update_arch, types: [KASAN] the chunk can be dropped minimized to 409 configs
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing current HEAD 66701750d5565c574af42bef0b789ce0203e3071 testing commit 66701750d5565c574af42bef0b789ce0203e3071 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 02e20fa1066766069ea35aac4d7461fb1a6e78407ee6ac614992e5c8726f58e1 all runs: OK false negative chance: 0.000 # git bisect start 66701750d5565c574af42bef0b789ce0203e3071 7367539ad4b0f8f9b396baf02110962333719a48 Bisecting: 50877 revisions left to test after this (roughly 16 steps) [071b34dcf71523a559b6c39f5d21a268a9531b50] Merge tag 'sound-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound determine whether the revision contains the guilty commit revision 7367539ad4b0f8f9b396baf02110962333719a48 crashed and is reachable testing commit 071b34dcf71523a559b6c39f5d21a268a9531b50 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 
11c690e3f29e2e8743a70fc21763ca38f7cbcda4bd50415fc3510baec94583ea all runs: crashed: KASAN: use-after-free Read in crypto_poly1305_update representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN] # git bisect good 071b34dcf71523a559b6c39f5d21a268a9531b50 Bisecting: 24848 revisions left to test after this (roughly 15 steps) [1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95] Merge tag 'net-next-6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next determine whether the revision contains the guilty commit revision 071b34dcf71523a559b6c39f5d21a268a9531b50 crashed and is reachable testing commit 1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: a30d9e406f8ffd54cad07943747c3e677c22030c6310e6d8cfc7f23ccebc5bb8 all runs: crashed: KASAN: use-after-free Read in crypto_poly1305_update representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN] # git bisect good 1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95 Bisecting: 12424 revisions left to test after this (roughly 14 steps) [3e443d167327b10966166c1953631936547b03d0] Merge tag 'docs-6.16' of git://git.lwn.net/linux determine whether the revision contains the guilty commit revision 7367539ad4b0f8f9b396baf02110962333719a48 crashed and is reachable testing commit 3e443d167327b10966166c1953631936547b03d0 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 24b56c0df7872a30801f31957675dabe6169299a1c84a6fa685ba8e827524362 all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good 3e443d167327b10966166c1953631936547b03d0 Bisecting: 6297 revisions left to test after this (roughly 13 steps) [f66bc387efbee59978e076ce9bf123ac353b389c] Merge tag 'scsi-misc' 
of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi determine whether the revision contains the guilty commit revision 3e443d167327b10966166c1953631936547b03d0 crashed and is reachable testing commit f66bc387efbee59978e076ce9bf123ac353b389c gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 3c3ad3903f71754f9851f9e7cc449452e31198b6b177e990a771393a78a6417a all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good f66bc387efbee59978e076ce9bf123ac353b389c Bisecting: 3062 revisions left to test after this (roughly 12 steps) [0939bd2fcf337243133b0271335a2838857c319f] Merge tag 'perf-tools-for-v6.16-1-2025-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools determine whether the revision contains the guilty commit revision f66bc387efbee59978e076ce9bf123ac353b389c crashed and is reachable testing commit 0939bd2fcf337243133b0271335a2838857c319f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: b44d0a3658b860f992b97d2c2e3eb9c587b3cdf0a982b4471f2b94cb787a7507 all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good 0939bd2fcf337243133b0271335a2838857c319f Bisecting: 1488 revisions left to test after this (roughly 11 steps) [378ec25aec5a8444879f8696d580c94950a1f1df] Merge tag 'tty-6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty determine whether the revision contains the guilty commit revision 7367539ad4b0f8f9b396baf02110962333719a48 crashed and is reachable testing commit 378ec25aec5a8444879f8696d580c94950a1f1df gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel 
signature: 20d9830990d0f73a2aedf92424a9646447801e26b5aeb845a25626068b026c5c all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good 378ec25aec5a8444879f8696d580c94950a1f1df Bisecting: 742 revisions left to test after this (roughly 10 steps) [8c6bc74c7f8910ed4c969ccec52e98716f98700a] Merge tag 'v6.16-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 determine whether the revision contains the guilty commit revision f66bc387efbee59978e076ce9bf123ac353b389c crashed and is reachable testing commit 8c6bc74c7f8910ed4c969ccec52e98716f98700a gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: c9ca96f8f1fd7561304fd5475004ec0d6bf3f58852662f0813d65605e2886af4 all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good 8c6bc74c7f8910ed4c969ccec52e98716f98700a Bisecting: 371 revisions left to test after this (roughly 9 steps) [33efa7dbabcf62491c2eac9631752d52b8e159f8] Merge tag 'irq_urgent_for_v6.16_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip determine whether the revision contains the guilty commit revision 071b34dcf71523a559b6c39f5d21a268a9531b50 crashed and is reachable testing commit 33efa7dbabcf62491c2eac9631752d52b8e159f8 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 481c3f6e2f2aca41019afa22f531e6b653b8587e530c68ed9167d9c01d603226 all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good 33efa7dbabcf62491c2eac9631752d52b8e159f8 Bisecting: 171 revisions left to test after this (roughly 8 steps) [6f2a71a99ebd5dfaa7948a2e9c59eae94b741bd8] Merge tag 
'bcachefs-2025-06-26' of git://evilpiepirate.org/bcachefs determine whether the revision contains the guilty commit revision 33efa7dbabcf62491c2eac9631752d52b8e159f8 crashed and is reachable testing commit 6f2a71a99ebd5dfaa7948a2e9c59eae94b741bd8 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 878e5aeeac2412e9aeceea439d0c872349255233ddfb72062c600d18cb6058fa all runs: OK false negative chance: 0.000 # git bisect bad 6f2a71a99ebd5dfaa7948a2e9c59eae94b741bd8 Bisecting: 115 revisions left to test after this (roughly 7 steps) [ee88bddf7f2f5d1f1da87dd7bedc734048b70e88] Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf determine whether the revision contains the guilty commit revision 1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95 crashed and is reachable testing commit ee88bddf7f2f5d1f1da87dd7bedc734048b70e88 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 505ba5f06aed5f363dbaa22852efbf97e21740ea74fcc7a8a687ec63b81f30ba all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good ee88bddf7f2f5d1f1da87dd7bedc734048b70e88 Bisecting: 51 revisions left to test after this (roughly 6 steps) [8a20830f2dd180064f25254d9c55beb243fe9223] Merge tag 'hid-for-linus-2025062701' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid determine whether the revision contains the guilty commit revision ee88bddf7f2f5d1f1da87dd7bedc734048b70e88 crashed and is reachable testing commit 8a20830f2dd180064f25254d9c55beb243fe9223 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: d663fccb28fa2d8d233f3919ce3bf889c799f198dbcdf9cff887630b9c97669d all runs: crashed: KASAN: use-after-free Read in poly1305_update 
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good 8a20830f2dd180064f25254d9c55beb243fe9223 Bisecting: 25 revisions left to test after this (roughly 5 steps) [9fb09ace59b2beab312ec225630ce87ddbec6d79] bcachefs: fsck: Fix reattach_inode() for subvol roots determine whether the revision contains the guilty commit revision 7367539ad4b0f8f9b396baf02110962333719a48 crashed and is reachable testing commit 9fb09ace59b2beab312ec225630ce87ddbec6d79 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: f6045f664cccbef2ee75be0e3a9b3a41e0054edcead85edba79f3e060e77cd63 all runs: OK false negative chance: 0.000 # git bisect bad 9fb09ace59b2beab312ec225630ce87ddbec6d79 Bisecting: 12 revisions left to test after this (roughly 4 steps) [b17d7bdb128c50025fc3eb7a9e57b3c7caa4a5ac] bcachefs: fsck: fix add_inode() determine whether the revision contains the guilty commit revision 7367539ad4b0f8f9b396baf02110962333719a48 crashed and is reachable testing commit b17d7bdb128c50025fc3eb7a9e57b3c7caa4a5ac gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 5f1631189d84435712d4b23d77fdeb5f2f5e3f35ced3e156b7f2ac85d816b5ba all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good b17d7bdb128c50025fc3eb7a9e57b3c7caa4a5ac Bisecting: 6 revisions left to test after this (roughly 3 steps) [56be92c63f02e0f6fd855075acb1471ea1c68539] bcachefs: Fix pool->alloc NULL pointer dereference determine whether the revision contains the guilty commit revision 1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95 crashed and is reachable testing commit 56be92c63f02e0f6fd855075acb1471ea1c68539 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 
20.1.6 kernel signature: adfdd5a27faab119d2f2d762246b6f162d094da05acd986f060f8abcefe57e86 all runs: OK false negative chance: 0.000 # git bisect bad 56be92c63f02e0f6fd855075acb1471ea1c68539 Bisecting: 2 revisions left to test after this (roughly 2 steps) [10dfe4926de30b550913409d107005278ab47911] bcachefs: Kill unused tracepoints determine whether the revision contains the guilty commit revision 1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95 crashed and is reachable testing commit 10dfe4926de30b550913409d107005278ab47911 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: af40056722d585934d137133674c0a7b28438aca89b102b98bb135317f377d44 all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good 10dfe4926de30b550913409d107005278ab47911 Bisecting: 0 revisions left to test after this (roughly 1 step) [d89a34b14df5c205de698c23c3950b2b947cdb97] bcachefs: Move bset size check before csum check determine whether the revision contains the guilty commit revision 1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95 crashed and is reachable testing commit d89a34b14df5c205de698c23c3950b2b947cdb97 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: b51015dd3b3375a4535fc18b5c8d2ca22d6276ac30bb2a3412dcd3b5d272e908 all runs: OK false negative chance: 0.000 # git bisect bad d89a34b14df5c205de698c23c3950b2b947cdb97 Bisecting: 0 revisions left to test after this (roughly 0 steps) [7c9cef5f8bf10a803fd0937ea071a93778f1108a] bcachefs: mark more errors autofix determine whether the revision contains the guilty commit revision 1a9239bb4253f9076b5b4b2a1a4e8d7defd77a95 crashed and is reachable testing commit 7c9cef5f8bf10a803fd0937ea071a93778f1108a gcc compiler: Debian clang version 20.1.6 
(++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 6b94359614091e91ce60755c9c470ed0e6bbe4b4d50e315c82eca9a8ed4fab9d all runs: crashed: KASAN: use-after-free Read in poly1305_update representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN] # git bisect good 7c9cef5f8bf10a803fd0937ea071a93778f1108a d89a34b14df5c205de698c23c3950b2b947cdb97 is the first bad commit commit d89a34b14df5c205de698c23c3950b2b947cdb97 Author: Alan Huang Date: Sat Jun 14 17:18:07 2025 +0800 bcachefs: Move bset size check before csum check In syzbot's crash, the bset's u64s is larger than the btree node. Reported-by: syzbot+bfaeaa8e26281970158d@syzkaller.appspotmail.com Signed-off-by: Alan Huang Signed-off-by: Kent Overstreet fs/bcachefs/btree_io.c | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) accumulated error probability: 0.00 culprit signature: b51015dd3b3375a4535fc18b5c8d2ca22d6276ac30bb2a3412dcd3b5d272e908 parent signature: 6b94359614091e91ce60755c9c470ed0e6bbe4b4d50e315c82eca9a8ed4fab9d revisions tested: 25, total time: 5h50m3.576633825s (build: 2h54m21.211333218s, test: 2h11m15.996506461s) first good commit: d89a34b14df5c205de698c23c3950b2b947cdb97 bcachefs: Move bset size check before csum check recipients (to): ["kent.overstreet@linux.dev" "kent.overstreet@linux.dev" "linux-bcachefs@vger.kernel.org" "mmpgouride@gmail.com"] recipients (cc): ["linux-kernel@vger.kernel.org"]