ci starts bisection 2023-12-31 10:12:57.036774931 +0000 UTC m=+747604.633540116 bisecting fixing commit since b6e6cc1f78c772e952495b7416c9ac9029f9390c building syzkaller on 35d9ecc508aef508b67ee7986a7abb0864e74f8e ensuring issue is reproducible on original commit b6e6cc1f78c772e952495b7416c9ac9029f9390c testing commit b6e6cc1f78c772e952495b7416c9ac9029f9390c gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7c6c43fdab3562a56d1555d36707ac9c6bbb5d2c89dfdf2253ecf66ccea40f6f run #0: crashed: general protection fault in debug_check_no_obj_freed run #1: crashed: general protection fault in rcu_core run #2: crashed: general protection fault in __run_timers run #3: crashed: KASAN: user-memory-access Read in __find_get_block run #4: crashed: general protection fault in locks_remove_posix run #5: crashed: stack segment fault in __stack_depot_save run #6: crashed: BUG: unable to handle kernel paging request in task_active_pid_ns run #7: crashed: general protection fault in psi_account_irqtime run #8: crashed: BUG: Bad rss-counter state run #9: crashed: BUG: unable to handle kernel paging request in jbd2__journal_start run #10: crashed: kernel BUG in corrupted run #11: crashed: BUG: unable to handle kernel paging request in corrupted run #12: crashed: general protection fault in clear_buddies run #13: crashed: kernel BUG in corrupted run #14: crashed: kernel BUG in corrupted run #15: crashed: general protection fault in psi_account_irqtime run #16: crashed: general protection fault in inode_permission run #17: crashed: general protection fault in __hrtimer_run_queues run #18: crashed: general protection fault in tomoyo_encode2 run #19: OK representative crash: general protection fault in debug_check_no_obj_freed, types: [UNKNOWN] check whether we can drop unnecessary instrumentation disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit b6e6cc1f78c772e952495b7416c9ac9029f9390c gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5a4223cb6cac51f1f7420512f4bf009ed6e5f4f359b9341648a9c60f3d9ee44f run #0: crashed: general protection fault in timerqueue_add run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK representative crash: general protection fault in timerqueue_add, types: [UNKNOWN] kconfig minimization: base=3923 full=7652 leaves diff=2003 split chunks (needed=false): <2003> split chunk #0 of len 2003 into 5 parts testing without sub-chunk 1/5 testing commit b6e6cc1f78c772e952495b7416c9ac9029f9390c gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b5db0689dc9665875531b66d849a188d1274da1514ab3849f0077384bbfe5b0a run #0: crashed: general protection fault, probably for non-canonical address ADDRSeaBIOS (version NUM.NUM.NUM-google) run #1: crashed: general protection fault in kernfs_dop_revalidate run #2: crashed: general protection fault in debug_check_no_obj_freed run #3: crashed: KASAN: stack-out-of-bounds Write in timerqueue_del run #4: crashed: general protection fault in cpuacct_account_field run #5: crashed: stack segment fault in __stack_depot_save run #6: crashed: general protection fault in mm_update_next_owner run #7: crashed: general protection fault in __ext4_iget run #8: crashed: general protection fault in debug_check_no_obj_freed run #9: crashed: general protection fault in enqueue_task_fair run #10: crashed: kernel BUG in corrupted run #11: crashed: kernel BUG in corrupted run #12: crashed: general protection fault in rcu_core run #13: crashed: BUG: unable to handle kernel paging request in corrupted run #14: crashed: general protection fault in lookup_object_or_alloc run #15: crashed: general protection fault in psi_account_irqtime run #16: crashed: general protection fault in pipe_write run #17: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor3696951244" "root@10.128.0.192:./syz-executor3696951244"]: exit status 255 Executing: program /usr/bin/ssh host 10.128.0.192, user root, command sftp OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.11 19 Sep 2023 debug1: Reading configuration data /dev/null debug1: Connecting to 10.128.0.192 [10.128.0.192] port 22. debug1: connect to address 10.128.0.192 port 22: Connection timed out ssh: connect to host 10.128.0.192 port 22: Connection timed out scp: Connection closed run #18: crashed: general protection fault in rcu_core run #19: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space representative crash: general protection fault, probably for non-canonical address ADDRSeaBIOS (version NUM.NUM.NUM-google), types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 2/5 testing commit b6e6cc1f78c772e952495b7416c9ac9029f9390c gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8a1bd9052d1b24419a71407f7055bf85bdab82d3102915cc48404b4021655d5b run #0: crashed: general protection fault in folio_lruvec_lock_irqsave run #1: crashed: general protection fault in locks_remove_posix run #2: crashed: general protection fault in __call_rcu_common run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: general protection fault in debug_check_no_obj_freed run #5: crashed: general protection fault in loop_queue_rq run #6: crashed: general protection fault in inode_permission run #7: crashed: general protection fault in debug_check_no_obj_freed run #8: crashed: BUG: unable to handle kernel paging request in force_sig_info_to_task run #9: crashed: general protection fault in loop_queue_rq run #10: crashed: general protection fault in __cgroup_account_cputime_field run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #12: crashed: general protection fault in __hrtimer_run_queues run #13: crashed: general protection fault in percpu_counter_destroy run #14: crashed: general protection fault in mm_update_next_owner run #15: crashed: stack segment fault in __stack_depot_save run #16: crashed: general protection fault in anon_vma_interval_tree_remove run #17: crashed: no output from test machine run #18: crashed: general protection fault in corrupted run #19: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space representative crash: general protection fault in folio_lruvec_lock_irqsave, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 3/5 testing commit b6e6cc1f78c772e952495b7416c9ac9029f9390c gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 99ff6df1d2f3fdb7a6e955336768f2aa3e7be9c2882744915508cd45dd62a301 run #0: crashed: general protection fault in rcu_core run #1: crashed: general protection fault in pid_task run #2: crashed: UBSAN: shift-out-of-bounds in __radix_tree_lookup run #3: crashed: possible deadlock in rpm_suspend run #4: crashed: general protection fault in ext4_sync_file run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #6: crashed: general protection fault in rcu_core run #7: crashed: BUG: unable to handle kernel paging request in corrupted run #8: crashed: KASAN: stack-out-of-bounds Read in timerqueue_del run #9: crashed: no output from test machine run #10: crashed: WARNING: locking bug in dput run #11: crashed: general protection fault in ext4_handle_error run #12: crashed: general protection fault in __ext4_error_inode run #13: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: general protection fault in rcu_core, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 4/5 testing commit b6e6cc1f78c772e952495b7416c9ac9029f9390c gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5cce4ed8f949417db66fc61bf23abb3d6aa9a9469a7f20a992b6c3a8041d28d7 run #0: crashed: general protection fault in ip6t_do_table run #1: crashed: KFENCE: invalid read in ext4_ext_remove_space run #2: crashed: general protection fault in vfs_write run #3: crashed: WARNING in ext4_invalidate_folio run #4: crashed: general protection fault in scan_positives run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #6: crashed: general protection fault in kmmpd run #7: crashed: general protection fault in fsnotify_perm run #8: crashed: kernel BUG in __phys_addr run #9: crashed: general protection fault in rcu_core run #10: crashed: general protection fault in do_iter_write run #11: crashed: BUG: unable to handle kernel paging request in loop_queue_rq run #12: crashed: KFENCE: invalid read in ext4_ext_remove_space run #13: crashed: general protection fault in __d_alloc run #14: crashed: general protection fault in rcu_core run #15: crashed: kernel BUG in __phys_addr run #16: crashed: general protection fault in end_bio_bh_io_sync run #17: crashed: general protection fault in __mod_memcg_lruvec_state run #18: crashed: general protection fault in locks_remove_posix run #19: OK representative crash: general protection fault in ip6t_do_table, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 5/5 testing commit b6e6cc1f78c772e952495b7416c9ac9029f9390c gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1d040337570c2d28075f90b02ec31e34822b5fc7d4894e7d33a84fa40262bc6c run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #1: crashed: go runtime error run #2: crashed: general protection fault in end_bio_bh_io_sync run #3: crashed: WARNING: locking bug in d_set_mounted run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #5: crashed: KASAN: wild-memory-access Write in find_get_entry run #6: crashed: UBSAN: shift-out-of-bounds in __radix_tree_lookup run #7: crashed: KFENCE: invalid read in ext4_ext_remove_space run #8: crashed: kernel BUG in __phys_addr run #9: crashed: KFENCE: invalid read in ext4_ext_remove_space run #10: crashed: stack segment fault in __stack_depot_save run #11: crashed: general protection fault in __cgroup_account_cputime_field run #12: crashed: KFENCE: invalid read in ext4_ext_remove_space run #13: crashed: general protection fault in do_iter_write run #14: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor502578904" "root@10.128.15.193:./syz-executor502578904"]: exit status 255 Executing: program /usr/bin/ssh host 10.128.15.193, user root, command sftp OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.11 19 Sep 2023 debug1: Reading configuration data /dev/null debug1: Connecting to 10.128.15.193 [10.128.15.193] port 22. debug1: connect to address 10.128.15.193 port 22: Connection timed out ssh: connect to host 10.128.15.193 port 22: Connection timed out scp: Connection closed run #15: crashed: general protection fault in rcu_core run #16: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel NULL pointer dereference in rcu_core, types: [UNKNOWN] the chunk can be dropped testing current HEAD 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 testing commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 94d82d7cfabdcaa7167a426c6132bc6426951f7c16992fd1cf410d499ef5615b run #0: crashed: general protection fault in ext4_fill_raw_inode run #1: crashed: general protection fault in rcu_core run #2: crashed: KASAN: wild-memory-access Write in filemap_get_folios_tag run #3: crashed: general protection fault in dquot_disable run #4: crashed: UBSAN: shift-out-of-bounds in xas_descend run #5: crashed: general protection fault in pid_task run #6: crashed: general protection fault in inode_permission run #7: crashed: general protection fault in rcu_core run #8: crashed: general protection fault in dquot_disable run #9: crashed: general protection fault in statfs_by_dentry run #10: crashed: BUG: unable to handle kernel paging request in __block_write_begin_int run #11: crashed: WARNING in ext4_punch_hole run #12: crashed: general protection fault in __remove_assoc_queue run #13: crashed: WARNING: locking bug in lockref_get run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: general protection fault in ext4_fill_raw_inode, types: [UNKNOWN] crash still not fixed/happens on the oldest tested release reproducer is flaky (0.84 repro chance estimate) revisions tested: 8, total time: 2h23m58.148689151s (build: 47m25.19745646s, test: 1h31m58.687685673s) crash still not fixed or there were kernel test errors commit msg: Merge tag 'trace-v6.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace crash: general protection fault in ext4_fill_raw_inode general protection fault, probably for non-canonical address 0xe164ecb91ffff1d1: 0000 [#1] PREEMPT SMP KASAN KASAN: maybe wild-memory-access in range [0x0b2785c8ffff8e88-0x0b2785c8ffff8e8f] CPU: 1 PID: 4601 Comm: syz-executor.2 Not tainted 6.7.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 RIP: 0010:EXT4_SB fs/ext4/ext4.h:1758 [inline] RIP: 0010:ext4_fill_raw_inode+0x34c/0x1cd0 fs/ext4/inode.c:4269 Code: 00 00 e8 77 7a a0 ff 8b 54 24 10 48 b9 00 00 00 00 00 fc ff df 41 89 c4 49 8b 47 28 48 8d b8 08 06 00 00 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 f8 12 00 00 48 8b 80 08 06 00 00 48 b9 00 00 00 RSP: 0018:ffffc900024bf818 EFLAGS: 00010216 RAX: 0b2785c8ffff8881 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0164f0b91ffff1d1 RDI: 0b2785c8ffff8e89 RBP: ffff888125733e48 R08: 0000000000000000 R09: ffffed1024ae6778 R10: ffff888125733bc7 R11: 0000000000000003 R12: 0000000000000000 R13: ffff888125733bc0 R14: ffff8881283d0780 R15: ffff888125733e20 FS: 00007fa39b41b6c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020012000 CR3: 0000000104bf0000 CR4: 0000000000350ef0 Call Trace: ext4_do_update_inode fs/ext4/inode.c:5102 [inline] ext4_mark_iloc_dirty+0x4ad/0x1930 fs/ext4/inode.c:5732 __ext4_mark_inode_dirty+0x1e4/0x690 fs/ext4/inode.c:5936 ext4_write_end+0x424/0x9f0 fs/ext4/inode.c:1309 generic_perform_write+0x2e7/0x590 mm/filemap.c:3938 ext4_buffered_write_iter+0xea/0x320 fs/ext4/file.c:299 ext4_file_write_iter+0x2ea/0x13c0 fs/ext4/file.c:698 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x52c/0xd30 fs/read_write.c:584 ksys_write+0xf6/0x1d0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7fa39b898b29 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa39b41b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fa39b9b7f80 RCX: 00007fa39b898b29 RDX: 00000000fffffea1 RSI: 00000000200002c0 RDI: 0000000000000004 RBP: 00007fa39b8e447a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000006 R14: 00007fa39b9b7f80 R15: 00007ffd62ce88f8 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:EXT4_SB fs/ext4/ext4.h:1758 [inline] RIP: 0010:ext4_fill_raw_inode+0x34c/0x1cd0 fs/ext4/inode.c:4269 Code: 00 00 e8 77 7a a0 ff 8b 54 24 10 48 b9 00 00 00 00 00 fc ff df 41 89 c4 49 8b 47 28 48 8d b8 08 06 00 00 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 f8 12 00 00 48 8b 80 08 06 00 00 48 b9 00 00 00 RSP: 0018:ffffc900024bf818 EFLAGS: 00010216 RAX: 0b2785c8ffff8881 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0164f0b91ffff1d1 RDI: 0b2785c8ffff8e89 RBP: ffff888125733e48 R08: 0000000000000000 R09: ffffed1024ae6778 R10: ffff888125733bc7 R11: 0000000000000003 R12: 0000000000000000 R13: ffff888125733bc0 R14: ffff8881283d0780 R15: ffff888125733e20 FS: 00007fa39b41b6c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020012000 CR3: 0000000104bf0000 CR4: 0000000000350ef0 ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: e8 77 7a a0 ff call 0xffa07a7e 7: 8b 54 24 10 mov 0x10(%rsp),%edx b: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx 12: fc ff df 15: 41 89 c4 mov %eax,%r12d 18: 49 8b 47 28 mov 0x28(%r15),%rax 1c: 48 8d b8 08 06 00 00 lea 0x608(%rax),%rdi 23: 48 89 fe mov %rdi,%rsi 26: 48 c1 ee 03 shr $0x3,%rsi * 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction 2e: 0f 85 f8 12 00 00 jne 0x132c 34: 48 8b 80 08 06 00 00 mov 0x608(%rax),%rax 3b: 48 rex.W 3c: b9 .byte 0xb9 3d: 00 00 add %al,(%rax)