ci starts bisection 2023-11-16 12:07:27.730646621 +0000 UTC m=+239410.705812468 bisecting fixing commit since a5e505a99ca748583dbe558b691be1b26f05d678 building syzkaller on 4d7ae7ab1c3ef41cc0e71fb19799dcec94213101 ensuring issue is reproducible on original commit a5e505a99ca748583dbe558b691be1b26f05d678 testing commit a5e505a99ca748583dbe558b691be1b26f05d678 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d6e478c7e5a511533aeb87a9b3394c3d4192a7096a38858b5f477200adb6eb13 run #0: crashed: BUG: unable to handle kernel paging request in generic_file_write_iter run #1: crashed: general protection fault in process_one_work run #2: crashed: general protection fault in mm_update_next_owner run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #4: crashed: general protection fault in update_curr run #5: crashed: BUG: corrupted list in css_set_move_task run #6: crashed: BUG: corrupted list in move_linked_works run #7: crashed: general protection fault in clear_buddies run #8: crashed: general protection fault in mm_update_next_owner run #9: crashed: kernel BUG in io_serial_out run #10: crashed: BUG: unable to handle kernel paging request in generic_file_write_iter run #11: crashed: WARNING: locking bug in psi_group_change run #12: crashed: kernel BUG in __phys_addr run #13: crashed: general protection fault in corrupted run #14: crashed: general protection fault in rcu_core run #15: crashed: general protection fault in locks_remove_posix run #16: crashed: no output from test machine run #17: OK run #18: OK run #19: OK representative crash: BUG: unable to handle kernel paging request in generic_file_write_iter, types: [UNKNOWN] check whether we can drop unnecessary instrumentation disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit a5e505a99ca748583dbe558b691be1b26f05d678 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c6a6cbdc7e07c49ff8ffa23b64160232bc048b6eb45b9d303015698ccd0fe3d8 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in account_kernel_stack run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK representative crash: BUG: unable to handle kernel NULL pointer dereference in account_kernel_stack, types: [UNKNOWN] kconfig minimization: base=3923 full=7652 leaves diff=2002 split chunks (needed=false): <2002> split chunk #0 of len 2002 into 5 parts testing without sub-chunk 1/5 testing commit a5e505a99ca748583dbe558b691be1b26f05d678 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d1db1307654a725c6760c498e65599c96f36b2dbd69ebec534f320cf08044087 run #0: crashed: WARNING: locking bug in psi_account_irqtime run #1: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space run #2: crashed: general protection fault in __hrtimer_run_queues run #3: crashed: WARNING: locking bug in do_notify_parent run #4: crashed: general protection fault in locks_remove_posix run #5: crashed: go runtime error run #6: crashed: kernel panic: corrupted stack end in vfs_fallocate run #7: crashed: general protection fault in refill_obj_stock run #8: crashed: general protection fault in debug_check_no_obj_freed run #9: crashed: general protection fault in __bfs run #10: crashed: BUG: unable to handle kernel paging request in __tlb_remove_page_size run #11: crashed: WARNING in corrupted run #12: crashed: general protection fault in will_become_orphaned_pgrp run #13: crashed: general protection fault in do_iter_write run #14: crashed: general protection fault in pid_task run #15: crashed: general protection fault in rcu_core run #16: crashed: general protection fault in psi_task_change run #17: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space run #18: crashed: general protection fault in wait_consider_task run #19: crashed: BUG: unable to handle kernel paging request in ext4_ext_remove_space representative crash: BUG: unable to handle kernel paging request in ext4_ext_remove_space, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 2/5 testing commit a5e505a99ca748583dbe558b691be1b26f05d678 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c8433d77808252fe98ae2a503aa93295ab70c4bc874185e3f500aa15095ed8e2 run #0: crashed: KASAN: wild-memory-access Read in fsync_buffers_list run #1: crashed: general protection fault in debug_check_no_obj_freed run #2: crashed: general protection fault in inode_permission run #3: crashed: general protection fault in locks_remove_posix run #4: crashed: general protection fault in corrupted run #5: crashed: KASAN: stack-out-of-bounds Read in timerqueue_del run #6: crashed: kernel panic: corrupted stack end in vfs_fallocate run #7: crashed: general protection fault in __switch_to run #8: crashed: general protection fault in update_curr run #9: crashed: possible deadlock in task_fork_fair run #10: crashed: kernel BUG in corrupted run #11: crashed: general protection fault in get_super run #12: crashed: general protection fault in end_bio_bh_io_sync run #13: crashed: general protection fault in wait_consider_task run #14: crashed: kernel BUG in corrupted run #15: crashed: general protection fault in list_lru_del run #16: crashed: general protection fault in update_blocked_averages run #17: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor4280027451" "root@10.128.10.36:./syz-executor4280027451"]: exit status 255 Executing: program /usr/bin/ssh host 10.128.10.36, user root, command sftp OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023 debug1: Reading configuration data /dev/null debug1: Connecting to 10.128.10.36 [10.128.10.36] port 22. debug1: connect to address 10.128.10.36 port 22: Connection timed out ssh: connect to host 10.128.10.36 port 22: Connection timed out scp: Connection closed run #18: crashed: kernel BUG in __phys_addr run #19: OK representative crash: general protection fault in debug_check_no_obj_freed, types: [UNKNOWN BUG] the chunk can be dropped testing without sub-chunk 3/5 testing commit a5e505a99ca748583dbe558b691be1b26f05d678 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 98e519e425378e5f7cb647fe1a3d236589a411ac467249165dec649e79704b22 run #0: crashed: general protection fault in __fput run #1: crashed: kernel BUG in corrupted run #2: crashed: BUG: unable to handle kernel paging request in inode_to_bdi run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: general protection fault in process_one_work run #5: crashed: general protection fault in cgroup_rstat_updated run #6: crashed: general protection fault in rcu_core run #7: crashed: general protection fault in io_serial_in run #8: crashed: general protection fault in locks_remove_posix run #9: crashed: kernel panic: corrupted stack end in sys_clock_nanosleep run #10: crashed: general protection fault in folio_flags run #11: crashed: general protection fault in lock_vma_under_rcu run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: crashed: kernel BUG in corrupted run #18: OK run #19: OK representative crash: general protection fault in __fput, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 4/5 testing commit a5e505a99ca748583dbe558b691be1b26f05d678 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 055b4129c9c0af829703b38ac37973f04dff26ae15b837686c8ad54b0d2e2f5d run #0: crashed: general protection fault in cpuacct_account_field run #1: crashed: go runtime error run #2: crashed: general protection fault in __hrtimer_run_queues run #3: crashed: kernel BUG in __phys_addr run #4: crashed: go runtime error run #5: crashed: general protection fault in debug_check_no_obj_freed run #6: crashed: general protection fault in ext4_es_lookup_extent run #7: crashed: general protection fault in d_path run #8: crashed: general protection fault in unlink_anon_vmas run #9: crashed: go runtime error run #10: crashed: general protection fault in loop_queue_rq run #11: crashed: general protection fault in cpuacct_account_field run #12: crashed: general protection fault in io_serial_in run #13: crashed: WARNING in update_curr run #14: crashed: general protection fault in timerqueue_del run #15: crashed: general protection fault in list_lru_del run #16: crashed: general protection fault in corrupted run #17: OK run #18: OK run #19: OK representative crash: general protection fault in cpuacct_account_field, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 5/5 testing commit a5e505a99ca748583dbe558b691be1b26f05d678 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 217c87b6f82c7254a77bf4989487a9e7108bc7dad5bfb426dbad5aa6b03ac0cd run #0: crashed: go runtime error run #1: crashed: general protection fault in ext4_add_entry run #2: crashed: go runtime error run #3: crashed: general protection fault in cpuacct_charge run #4: crashed: BUG: unable to handle kernel paging request in __stack_depot_save run #5: crashed: general protection fault in refill_obj_stock run #6: crashed: BUG: unable to handle kernel paging request in __stack_depot_save run #7: crashed: general protection fault in __d_lookup_rcu run #8: crashed: BUG: unable to handle kernel paging request in __stack_depot_save run #9: crashed: general protection fault in __d_lookup run #10: crashed: general protection fault in corrupted run #11: crashed: go runtime error run #12: crashed: general protection fault in timerqueue_del run #13: crashed: general protection fault in ext4_inode_table run #14: crashed: general protection fault in timerqueue_add run #15: crashed: general protection fault in rcu_core run #16: crashed: WARNING: locking bug in ext4_finish_bio run #17: crashed: general protection fault in refill_obj_stock run #18: OK run #19: OK representative crash: go runtime error, types: [UNKNOWN] the chunk can be dropped testing current HEAD c42d9eeef8e5ba9292eda36fd8e3c11f35ee065c testing commit c42d9eeef8e5ba9292eda36fd8e3c11f35ee065c gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 50aba226de22c707b95f6895a19e90bb03f0fea5143f2a130d128869ac5b9271 run #0: crashed: general protection fault in truncate_cleanup_folio run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #2: crashed: BUG: unable to handle kernel paging request in pid_task run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #5: crashed: general protection fault in __es_tree_search run #6: crashed: general protection fault in pid_task run #7: crashed: general protection fault in d_path run #8: crashed: general protection fault in rcu_core run #9: crashed: general protection fault in rcu_core run #10: crashed: BUG: unable to handle kernel paging request in lockref_get run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #12: crashed: general protection fault in fsnotify run #13: crashed: BUG: unable to handle kernel NULL pointer dereference in rcu_core run #14: OK run #15: OK run #16: OK run #17: OK run #18: crashed: general protection fault in __d_lookup_rcu run #19: OK representative crash: general protection fault in truncate_cleanup_folio, types: [UNKNOWN] crash still not fixed/happens on the oldest tested release reproducer is flaky (0.90 repro chance estimate) revisions tested: 8, total time: 6h2m22.210911105s (build: 3h29m36.87831543s, test: 2h5m56.244117095s) crash still not fixed or there were kernel test errors commit msg: Merge tag 'hardening-v6.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux crash: general protection fault in truncate_cleanup_folio general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] CPU: 0 PID: 4399 Comm: syz-executor.1 Not tainted 6.7.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:folio_invalidate mm/truncate.c:157 [inline] RIP: 0010:truncate_cleanup_folio+0x1f2/0x330 mm/truncate.c:178 Code: ea 03 80 3c 02 00 0f 85 32 01 00 00 4d 8b a4 24 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 40 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 e9 00 00 00 49 8b 44 24 40 48 85 c0 0f 84 a3 fe RSP: 0018:ffffc9000230f7f0 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: ffffea00049ebf00 RCX: ffffffff815a85ac RDX: 0000000000000008 RSI: 0000000000000008 RDI: 0000000000000040 RBP: 0000000000001000 R08: 0000000000000000 R09: fffff9400093d7e0 R10: ffffea00049ebf07 R11: 0000000000024000 R12: 0000000000000000 R13: ffff888127c42290 R14: ffffc9000230f998 R15: 0000000000001000 FS: 00007f80041196c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020040000 CR3: 0000000114f8c000 CR4: 0000000000350ef0 Call Trace: truncate_inode_pages_range+0x204/0xba0 mm/truncate.c:367 ext4_punch_hole+0x460/0xf70 fs/ext4/inode.c:3985 ext4_fallocate+0x3af/0x3190 fs/ext4/extents.c:4707 vfs_fallocate+0x296/0xba0 fs/open.c:324 ioctl_preallocate+0x15b/0x1d0 fs/ioctl.c:291 file_ioctl fs/ioctl.c:334 [inline] do_vfs_ioctl+0x1336/0x14d0 fs/ioctl.c:850 __do_sys_ioctl fs/ioctl.c:869 [inline] __se_sys_ioctl fs/ioctl.c:857 [inline] __x64_sys_ioctl+0xcc/0x1a0 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f800c9b9ae9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f80041190c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f800cad91f0 RCX: 00007f800c9b9ae9 RDX: 0000000020000080 RSI: 000000004030582b RDI: 0000000000000003 RBP: 00007f800ca0547a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f800cad91f0 R15: 00007ffdc69a31f8 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:folio_invalidate mm/truncate.c:157 [inline] RIP: 0010:truncate_cleanup_folio+0x1f2/0x330 mm/truncate.c:178 Code: ea 03 80 3c 02 00 0f 85 32 01 00 00 4d 8b a4 24 18 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 40 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 e9 00 00 00 49 8b 44 24 40 48 85 c0 0f 84 a3 fe RSP: 0018:ffffc9000230f7f0 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: ffffea00049ebf00 RCX: ffffffff815a85ac RDX: 0000000000000008 RSI: 0000000000000008 RDI: 0000000000000040 RBP: 0000000000001000 R08: 0000000000000000 R09: fffff9400093d7e0 R10: ffffea00049ebf07 R11: 0000000000024000 R12: 0000000000000000 R13: ffff888127c42290 R14: ffffc9000230f998 R15: 0000000000001000 FS: 00007f80041196c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020040000 CR3: 0000000114f8c000 CR4: 0000000000350ef0 ---------------- Code disassembly (best guess), 2 bytes skipped: 0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 4: 0f 85 32 01 00 00 jne 0x13c a: 4d 8b a4 24 18 01 00 mov 0x118(%r12),%r12 11: 00 12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 19: fc ff df 1c: 49 8d 7c 24 40 lea 0x40(%r12),%rdi 21: 48 89 fa mov %rdi,%rdx 24: 48 c1 ea 03 shr $0x3,%rdx * 28: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2c: 0f 85 e9 00 00 00 jne 0x11b 32: 49 8b 44 24 40 mov 0x40(%r12),%rax 37: 48 85 c0 test %rax,%rax 3a: 0f .byte 0xf 3b: 84 .byte 0x84 3c: a3 .byte 0xa3 3d: fe .byte 0xfe