ci2 starts bisection 2025-04-25 04:32:52.224290282 +0000 UTC m=+67.779599266 bisecting fixing commit since c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 building syzkaller on 9ac0fdc66500475f1914254ef369b32d51adbff9 ensuring issue is reproducible on original commit c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 testing commit c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 gcc compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2 kernel signature: 5660fa56cd28a081ffe87b29d74dc632f30e08580d16d9d75caf6d9db94f3394 all runs: crashed: general protection fault in update_sit_entry representative crash: general protection fault in update_sit_entry, types: [UNKNOWN] check whether we can drop unnecessary instrumentation disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 gcc compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2 kernel signature: 935785ef5f802bcc7fcd6063cd242568c3a51a706c8cb215806d81b198cedf56 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry representative crash: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry, types: [UNKNOWN] the bug reproduces without the instrumentation disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed kconfig minimization: base=5178 full=6547 leaves diff=265 split chunks (needed=false): <265> split chunk #0 of len 265 into 5 parts testing without sub-chunk 1/5 disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 gcc compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2 kernel signature: 82059372b7f29eff565012652b50b77793f6daa3e7b78a313335070ed1fbbd30 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry representative crash: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 gcc compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2 kernel signature: e55f5245418d4dec9e6016a50ad6c63c042467872b613d98df2846ae6ee832cd all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry representative crash: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 gcc compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2 kernel signature: 9e03b3b23847ea3a8c0e39c2d59dd754dee2bb48ed828677460cdf5f9d82d727 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry representative crash: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 gcc compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2 kernel signature: 02c8d9c62695a2a961099d9c9b77629a5feb4e8dc1899f92bb0e7e747f0ea944 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry representative crash: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit c276c53965a80f3568fcbd5e31bfe5b4cbbcc490 gcc compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2 failed building c276c53965a80f3568fcbd5e31bfe5b4cbbcc490: ld.lld: error: undefined symbol: wext_proc_init ld.lld: error: undefined symbol: wext_proc_exit ld.lld: error: undefined symbol: wext_handle_ioctl ld.lld: error: undefined symbol: compat_wext_handle_ioctl minimized to 53 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing current HEAD 70d648657b1e26cf030406c6afd33c72f442a45d testing commit 70d648657b1e26cf030406c6afd33c72f442a45d gcc compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2 kernel signature: 3f844a8e91bd127656585a10fd32961bf7fbace40faf7d2d047779605395e529 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry representative crash: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry, types: [UNKNOWN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 2h46m17.142746224s (build: 58m24.73918749s, test: 50m13.568435105s) crash still not fixed or there were kernel test errors commit msg: ANDROID: userfaultfd: adjust MOVE ioctl mode to confirm bug-fix crash: BUG: unable to handle kernel NULL pointer dereference in update_sit_entry loop2: rw=2049, sector=45224, nr_sectors = 128 limit=40427 syz.2.15: attempt to access beyond end of device loop2: rw=2049, sector=45352, nr_sectors = 128 limit=40427 BUG: kernel NULL pointer dereference, address: 0000000000000006 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 11bc15067 P4D 11bc15067 PUD 11bc19067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 448 Comm: syz.2.15 Not tainted 6.1.129-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 RIP: 0010:f2fs_test_and_set_bit fs/f2fs/f2fs.h:2940 [inline] RIP: 0010:update_sit_entry_for_alloc fs/f2fs/segment.c:2396 [inline] RIP: 0010:update_sit_entry+0x1c5/0x4e0 fs/f2fs/segment.c:2440 Code: 03 42 0f b6 34 29 41 89 f0 45 0f ab f8 46 88 04 29 83 e0 07 0f a3 c6 0f 82 d9 02 00 00 83 bf 28 08 00 00 00 75 1c 49 8b 43 18 <42> 0f b6 0c 28 89 ce 40 08 de 42 88 34 28 85 cb 75 06 ff 8f b0 06 RSP: 0018:ffffc90000853438 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000004 RCX: ffff88811b17c180 RDX: 0000000000000001 RSI: 00000000000000f8 RDI: ffff88811b184000 RBP: ffffc90000853498 R08: 00000000000000fc R09: 0000000000000007 R10: 0000000000001435 R11: ffff8881197f0c78 R12: ffffc900008536fc R13: 0000000000000006 R14: ffff888116550c78 R15: 0000000000000002 FS: 00007fd4b0dff6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000006 CR3: 000000011654e000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: f2fs_allocate_data_block+0x714/0xcf0 fs/f2fs/segment.c:3430 do_write_page+0xee/0x250 fs/f2fs/segment.c:3532 f2fs_outplace_write_data+0x68/0xb0 fs/f2fs/segment.c:3605 f2fs_do_write_data_page+0x41a/0x4b0 fs/f2fs/data.c:2796 f2fs_write_single_data_page+0x401/0x7f0 fs/f2fs/data.c:2913 f2fs_write_cache_pages fs/f2fs/data.c:3165 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3315 [inline] f2fs_write_data_pages+0x6bc/0xbe0 fs/f2fs/data.c:3342 do_writepages+0xc9/0x210 mm/page-writeback.c:2494 filemap_fdatawrite_wbc+0x62/0x80 mm/filemap.c:408 __filemap_fdatawrite_range mm/filemap.c:441 [inline] filemap_write_and_wait_range+0xc0/0x150 mm/filemap.c:694 f2fs_flush_buffered_write fs/f2fs/file.c:4756 [inline] f2fs_file_write_iter+0x9d9/0xbf0 fs/f2fs/file.c:4964 do_iter_readv_writev fs/read_write.c:-1 [inline] do_iter_write+0x1c9/0x2d0 fs/read_write.c:861 vfs_iter_write+0x14/0x20 fs/read_write.c:902 iter_file_splice_write+0x252/0x3e0 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x29/0x40 fs/splice.c:930 splice_direct_to_actor+0x12e/0x270 fs/splice.c:885 do_splice_direct+0x7f/0xc0 fs/splice.c:973 do_sendfile+0x244/0x470 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x8f/0xc0 fs/read_write.c:1309 x64_sys_call+0x62c/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:41 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7fd4b0f7fed9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd4b0dff058 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007fd4b1145fa0 RCX: 00007fd4b0f7fed9 RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000005 RBP: 00007fd4b0ff3cc8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000fffe80 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fd4b1145fa0 R15: 00007fff47fdaac8 Modules linked in: CR2: 0000000000000006 ---[ end trace 0000000000000000 ]--- RIP: 0010:f2fs_test_and_set_bit fs/f2fs/f2fs.h:2940 [inline] RIP: 0010:update_sit_entry_for_alloc fs/f2fs/segment.c:2396 [inline] RIP: 0010:update_sit_entry+0x1c5/0x4e0 fs/f2fs/segment.c:2440 Code: 03 42 0f b6 34 29 41 89 f0 45 0f ab f8 46 88 04 29 83 e0 07 0f a3 c6 0f 82 d9 02 00 00 83 bf 28 08 00 00 00 75 1c 49 8b 43 18 <42> 0f b6 0c 28 89 ce 40 08 de 42 88 34 28 85 cb 75 06 ff 8f b0 06 RSP: 0018:ffffc90000853438 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000004 RCX: ffff88811b17c180 RDX: 0000000000000001 RSI: 00000000000000f8 RDI: ffff88811b184000 RBP: ffffc90000853498 R08: 00000000000000fc R09: 0000000000000007 R10: 0000000000001435 R11: ffff8881197f0c78 R12: ffffc900008536fc R13: 0000000000000006 R14: ffff888116550c78 R15: 0000000000000002 FS: 00007fd4b0dff6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000006 CR3: 000000011654e000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 03 42 0f add 0xf(%rdx),%eax 3: b6 34 mov $0x34,%dh 5: 29 41 89 sub %eax,-0x77(%rcx) 8: f0 45 0f ab f8 lock bts %r15d,%r8d d: 46 88 04 29 mov %r8b,(%rcx,%r13,1) 11: 83 e0 07 and $0x7,%eax 14: 0f a3 c6 bt %eax,%esi 17: 0f 82 d9 02 00 00 jb 0x2f6 1d: 83 bf 28 08 00 00 00 cmpl $0x0,0x828(%rdi) 24: 75 1c jne 0x42 26: 49 8b 43 18 mov 0x18(%r11),%rax * 2a: 42 0f b6 0c 28 movzbl (%rax,%r13,1),%ecx <-- trapping instruction 2f: 89 ce mov %ecx,%esi 31: 40 08 de or %bl,%sil 34: 42 88 34 28 mov %sil,(%rax,%r13,1) 38: 85 cb test %ecx,%ebx 3a: 75 06 jne 0x42 3c: ff .byte 0xff 3d: 8f (bad) 3e: b0 06 mov $0x6,%al