ci2 starts bisection 2024-12-14 01:40:45.667099728 +0000 UTC m=+19265.782144964 bisecting fixing commit since af361f9a1066ff9442eabafc458ff373481499a4 building syzkaller on 51c4dcff83b0574620c280cc5130ef59cc4a2e32 ensuring issue is reproducible on original commit af361f9a1066ff9442eabafc458ff373481499a4 testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c04465a9c73596b98392ac6c5b0e16107dde5a94a58b312d5f33ce2abe5b5b43 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] check whether we can drop unnecessary instrumentation disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c6a1566dfa2de18c6ff573213b7603d8f65dceeabb168a070e100b4d5f9744ff all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the bug reproduces without the instrumentation disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed kconfig minimization: base=5179 full=6491 leaves diff=256 split chunks (needed=false): <256> split chunk #0 of len 256 into 5 parts testing without sub-chunk 1/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: cbead78020f69c1d03a86ffb879fb3ac0ac333abf6cbf6d11def2862538a6c84 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: accc326dce1997bb764193c4974c21a45c97f825bcbdb0fd7a0fd61915cabebc all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 43324a88f68958aebb57229b03f0f2f0f8f90d19fd4d61e41d5d995bf437a199 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c059824b3040414766ef70e78936cad40063e3be517f1f96c37fbd8e14d92b5e all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed testing commit af361f9a1066ff9442eabafc458ff373481499a4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building af361f9a1066ff9442eabafc458ff373481499a4: net/socket.c:1245: undefined reference to `wext_handle_ioctl' net/socket.c:3442: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing current HEAD 22b7ded8b55bf28ae8d1214bba61b8d8403330da testing commit 22b7ded8b55bf28ae8d1214bba61b8d8403330da gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f0cd0089b494fbbfdc2548b3287a2cf0703807a02d98452aa5ab69170b29a8b3 all runs: crashed: KASAN: use-after-free Write in virtio_transport_recv_pkt representative crash: KASAN: use-after-free Write in virtio_transport_recv_pkt, types: [KASAN] crash still not fixed/happens on the oldest tested release revisions tested: 7, total time: 1h28m29.284755283s (build: 58m20.976980449s, test: 26m14.947658652s) crash still not fixed or there were kernel test errors commit msg: ANDROID: ABI: update symbol list for honor crash: KASAN: use-after-free Write in virtio_transport_recv_pkt ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: use-after-free in do_raw_spin_lock include/linux/spinlock.h:187 [inline] BUG: KASAN: use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x97/0x1b0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88812607f088 by task kworker/1:0/23 CPU: 1 PID: 23 Comm: kworker/1:0 Not tainted 6.1.115-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: vsock-loopback vsock_loopback_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x105/0x148 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37 instrument_atomic_read_write include/linux/instrumented.h:102 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:187 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x97/0x1b0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1171 [inline] virtio_transport_recv_pkt+0x4fb/0x3ca0 net/vmw_vsock/virtio_transport_common.c:1307 vsock_loopback_work+0x376/0x3d0 net/vmw_vsock/vsock_loopback.c:137 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299 worker_thread+0x892/0xf20 kernel/workqueue.c:2446 kthread+0x215/0x270 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 449: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 ____kasan_kmalloc mm/kasan/common.c:379 [inline] __kasan_kmalloc+0x9c/0xb0 mm/kasan/common.c:388 kasan_kmalloc include/linux/kasan.h:212 [inline] kmalloc_trace+0x44/0xa0 mm/slab_common.c:1033 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:693 [inline] virtio_transport_do_socket_init+0x51/0x290 net/vmw_vsock/virtio_transport_common.c:604 vsock_assign_transport+0x376/0x4f0 net/vmw_vsock/af_vsock.c:506 vsock_connect+0x3c7/0xb90 net/vmw_vsock/af_vsock.c:1361 __sys_connect_file net/socket.c:2001 [inline] __sys_connect+0x304/0x370 net/socket.c:2018 __do_sys_connect net/socket.c:2028 [inline] __se_sys_connect net/socket.c:2025 [inline] __x64_sys_connect+0x75/0x80 net/socket.c:2025 x64_sys_call+0x14e/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 449: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 kasan_slab_free include/linux/kasan.h:178 [inline] slab_free_hook mm/slub.c:1745 [inline] slab_free_freelist_hook mm/slub.c:1771 [inline] slab_free mm/slub.c:3686 [inline] __kmem_cache_free+0x1fa/0x3c0 mm/slub.c:3702 kfree+0x7a/0xf0 mm/slab_common.c:990 virtio_transport_destruct+0x36/0x40 net/vmw_vsock/virtio_transport_common.c:815 vsock_deassign_transport net/vmw_vsock/af_vsock.c:421 [inline] vsock_assign_transport+0x23f/0x4f0 net/vmw_vsock/af_vsock.c:489 vsock_connect+0x3c7/0xb90 net/vmw_vsock/af_vsock.c:1361 __sys_connect_file net/socket.c:2001 [inline] __sys_connect+0x304/0x370 net/socket.c:2018 __do_sys_connect net/socket.c:2028 [inline] __se_sys_connect net/socket.c:2025 [inline] __x64_sys_connect+0x75/0x80 net/socket.c:2025 x64_sys_call+0x14e/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff88812607f080 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 8 bytes inside of 96-byte region [ffff88812607f080, ffff88812607f0e0) The buggy address belongs to the physical page: page:ffffea0004981fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12607f flags: 0x4000000000000200(slab|zone=1) raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042900 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 23, tgid 23 (kworker/1:0), ts 48242012133, free_ts 48236047331 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook mm/page_alloc.c:2590 [inline] prep_new_page+0x512/0x5e0 mm/page_alloc.c:2597 get_page_from_freelist+0x29f1/0x2a70 mm/page_alloc.c:4439 __alloc_pages+0x234/0x610 mm/page_alloc.c:5728 alloc_slab_page+0x6c/0xf0 allocate_slab mm/slub.c:1962 [inline] new_slab+0x7b/0x370 mm/slub.c:2015 ___slab_alloc+0x611/0x9a0 mm/slub.c:3203 __slab_alloc+0x52/0x90 mm/slub.c:3302 slab_alloc_node mm/slub.c:3387 [inline] __kmem_cache_alloc_node+0x207/0x2a0 mm/slub.c:3462 kmalloc_trace+0x2a/0xa0 mm/slab_common.c:1028 kmalloc include/linux/slab.h:557 [inline] dst_cow_metrics_generic+0x50/0x160 net/core/dst.c:199 dst_metrics_write_ptr include/net/dst.h:119 [inline] dst_metric_set include/net/dst.h:180 [inline] icmp6_dst_alloc+0x304/0x4c0 net/ipv6/route.c:3282 mld_sendpack+0x4d1/0xbb0 net/ipv6/mcast.c:1809 mld_send_initial_cr net/ipv6/mcast.c:2239 [inline] ipv6_mc_dad_complete+0x201/0x490 net/ipv6/mcast.c:2247 addrconf_dad_completed+0x3ff/0xaf0 net/ipv6/addrconf.c:4282 addrconf_dad_work+0x80b/0x1360 process_one_work+0x6de/0xd00 kernel/workqueue.c:2299 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1498 [inline] free_pcp_prepare mm/page_alloc.c:1572 [inline] free_unref_page_prepare+0x794/0x7a0 mm/page_alloc.c:3511 free_unref_page_list+0xf1/0x790 mm/page_alloc.c:3659 release_pages+0xcfc/0xd50 mm/swap.c:1063 free_pages_and_swap_cache+0x68/0x80 mm/swap_state.c:315 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline] tlb_flush_mmu_free mm/mmu_gather.c:254 [inline] tlb_flush_mmu mm/mmu_gather.c:261 [inline] tlb_finish_mmu+0x1ba/0x3b0 mm/mmu_gather.c:361 exit_mmap+0x3a5/0x8d0 mm/mmap.c:3348 __mmput+0x6b/0x2a0 kernel/fork.c:1298 mmput+0x2a/0xe0 kernel/fork.c:1321 exit_mm kernel/exit.c:568 [inline] do_exit+0x943/0x2470 kernel/exit.c:864 do_group_exit+0x1ba/0x290 kernel/exit.c:1027 get_signal+0xf0b/0x1000 kernel/signal.c:2888 arch_do_signal_or_restart+0xb0/0x16f0 arch/x86/kernel/signal.c:871 exit_to_user_mode_loop+0x74/0xa0 kernel/entry/common.c:174 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:210 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline] syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:303 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87 Memory state around the buggy address: ffff88812607ef80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc ffff88812607f000: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88812607f080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88812607f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88812607f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================