ci starts bisection 2023-09-12 19:01:33.876873175 +0000 UTC m=+107950.613860205
bisecting cause commit starting from 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
building syzkaller on 59da83662ae7076f1369c8a5b9dd1245223039df
ensuring issue is reproducible on original commit 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
testing commit 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 69295bda73f60f2b96112912a73d64eba7ce9b181645e3e3fbf66bf4dad6f63b
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
check whether we can drop unnecessary instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK BUG KASAN LOCKDEP], they are not needed
testing commit 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 102e3c40fe0ed73d4754cb49fb50509735681976996fcd3cb2ff8699db7a6704
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
the bug reproduces without the instrumentation
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=3883 full=7693 leaves diff=2018
split chunks (needed=false): <2018>
split chunk #0 of len 2018 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3dd9499c296e40327a5d92c0b53c6a9dcc219ef9f89e97c496af8226fe77c2d7
all runs: OK
false negative chance: 0.000
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK BUG KASAN LOCKDEP], they are not needed
testing commit 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 05bb6318d4c4ce35adcc6c21405af22a83f4653acfde2fade879916ae0bc1aea
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 022236cb50dc87a327b50dce996eb576b757ec530db829554528122a1605567c
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed
testing commit 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3d677e57599d1056551fd526fec0f0c1a046c9bf52ae483a363891603d7705bb
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a36aa3ca4c64988bb09e774f930443c2aa4dcf67ac1e48c0b990c86b7f7d5ab9
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
the chunk can be
dropped
minimized to 404 configs
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.5 v6.4 v6.3 v6.1 v5.19 v5.17 v5.15 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 28 release tags
testing release v6.5
testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 85c2086edded8f98e41cf05e553df4f72caebe8a5b4531de25fb412d70d64da6
all runs: OK
false negative chance: 0.000
# git bisect start 0bb80ecc33a8fb5a682236443c1e740d5c917d1d 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
Bisecting: 6784 revisions left to test after this (roughly 13 steps)
[461f35f014466c4e26dca6be0f431f57297df3f2] Merge tag 'drm-next-2023-08-30' of git://anongit.freedesktop.org/drm/drm
testing commit 461f35f014466c4e26dca6be0f431f57297df3f2
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cfd72d4a236b523570b7f650d276705a72eab8c766031f33b9505ea918446137
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
# git bisect bad 461f35f014466c4e26dca6be0f431f57297df3f2
Bisecting: 2408 revisions left to test after this (roughly 12 steps)
[bd6c11bc43c496cddfc6cf603b5d45365606dbd5] Merge tag 'net-next-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 70ea43024b5d9ffeab0d27af075c7542bf5220963b32a47b369dac2ce4ea14ef
all runs: OK
false negative chance: 0.000
# git bisect good bd6c11bc43c496cddfc6cf603b5d45365606dbd5
Bisecting: 1205 revisions left to test after this (roughly 10 steps)
[ef35c7ba60410926d0501e45aad299656a83826c] Revert "Revert "drm/amdgpu/display: change pipe policy for DCN 2.0""
testing commit ef35c7ba60410926d0501e45aad299656a83826c
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6915f42ae86444e8732d61e72ef4c08950124d45e4b47a5d3de33b380f79a11b
all runs: OK
false negative chance: 0.000
# git bisect good ef35c7ba60410926d0501e45aad299656a83826c
Bisecting: 580 revisions left to test after this (roughly 9 steps)
[d68b4b6f307d155475cce541f2aee938032ed22e] Merge tag 'mm-nonmm-stable-2023-08-28-22-48' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit d68b4b6f307d155475cce541f2aee938032ed22e
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7ab0e8282ff20ada4cb4d60ee5d3d0f6de859da6d35eb339a7acea035f289d08
all runs: OK
false negative chance: 0.000
# git bisect good d68b4b6f307d155475cce541f2aee938032ed22e
Bisecting: 295 revisions left to test after this (roughly 8 steps)
[87fa732dc5ff9ea6a2e75b630f7931899e845eb1] Merge tag 'x86-core-2023-08-30-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 87fa732dc5ff9ea6a2e75b630f7931899e845eb1
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 888e1741c6f54b60f95eb64177d5a1289cd58cb2648882f512cd43e1aedfb35a
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
# git bisect bad 87fa732dc5ff9ea6a2e75b630f7931899e845eb1
Bisecting: 168 revisions left to test after this (roughly 7 steps)
[146afeb235ccec10c17ad8ea26327c0c79dbd968] block: use strscpy() to instead of strncpy()
testing commit 146afeb235ccec10c17ad8ea26327c0c79dbd968
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5fe942e8176cb36af48eb15f7c94d60a1e8c001e9d8a1b4c31b5ff91130d190f
all runs: OK
false negative chance: 0.000
# git bisect good 146afeb235ccec10c17ad8ea26327c0c79dbd968
Bisecting: 87 revisions left to test after this (roughly 6 steps)
[3d3dfeb3aec7b612d266d500c82054f1fded4980] Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
testing commit 3d3dfeb3aec7b612d266d500c82054f1fded4980
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 58ef3178443b5fafd0f02a585ba251c90123364d0747f0aa03a0735dd0082b53
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
# git bisect bad 3d3dfeb3aec7b612d266d500c82054f1fded4980
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[093a650b757210bc856ca7f5349fb5a4bb9d4bd6] io_uring: force inline io_fill_cqe_req
testing commit 093a650b757210bc856ca7f5349fb5a4bb9d4bd6
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3988acb740ed4ad728eee0821abf259f69b75d31aa73af298b498e81e79f80ee
all runs: OK
false negative chance: 0.000
# git bisect good 093a650b757210bc856ca7f5349fb5a4bb9d4bd6
Bisecting: 23 revisions left to test after this (roughly 4 steps)
[daa22f5a78c27412e88d31780c4a6262cda559cd] Merge tag 'modules-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux
testing commit daa22f5a78c27412e88d31780c4a6262cda559cd
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7a4e3b0fd9ae66787230445189d5e8677404acf0568668e132a60051c7f6d7fa
all runs: OK
false negative chance: 0.000
# git bisect good daa22f5a78c27412e88d31780c4a6262cda559cd
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[3ca9aa74a89507348ae5776eb40f1265c691feca] vrf: Update to register_net_sysctl_sz
testing commit 3ca9aa74a89507348ae5776eb40f1265c691feca
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 78484673eaa95d683b765777d7adc7959a09323775000ea48b7ba0ce37b3fdba
all runs: OK
false negative chance: 0.000
# git bisect good 3ca9aa74a89507348ae5776eb40f1265c691feca
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[0aa7aa5f766933d4f91b22d9658cd688e1f15dab] io_uring: move multishot cqe cache in ctx
testing commit 0aa7aa5f766933d4f91b22d9658cd688e1f15dab
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 76bc8047e51b348a21952387c454fafba5133a9c70eb60fdaea5a4650dfe1845
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
# git bisect bad 0aa7aa5f766933d4f91b22d9658cd688e1f15dab
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[d7f06fea5d6be78403d42c9637f67bc883870094] io_uring: move non aligned field to the end
testing commit d7f06fea5d6be78403d42c9637f67bc883870094
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bfcf6152bf345ae8689dd98e0395f2c8eb49f87ff41fde613abe2ff61edc6089
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
# git bisect bad d7f06fea5d6be78403d42c9637f67bc883870094
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2af89abda7d9c2aeb573677e2c498ddb09f8058a] io_uring: add option to remove SQ indirection
testing commit 2af89abda7d9c2aeb573677e2c498ddb09f8058a
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7f32b1c86bd9f1efca89859a963c1d13902d93aa36d41eae659e3b35231c0dcd
all runs: crashed: UBSAN: array-index-out-of-bounds in io_setup_async_msg
representative crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg, types: [UBSAN]
# git bisect bad 2af89abda7d9c2aeb573677e2c498ddb09f8058a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e5598d6ae62626d261b046a2f19347c38681ff51] io_uring: compact SQ/CQ heads/tails
testing commit e5598d6ae62626d261b046a2f19347c38681ff51
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 011559da5788342b88d5f194ae63b39bc6e41189c2bb7147df9ca1dbbc8f00ae
all runs: OK
false negative chance: 0.000
# git bisect good e5598d6ae62626d261b046a2f19347c38681ff51
2af89abda7d9c2aeb573677e2c498ddb09f8058a is the first bad commit
commit 2af89abda7d9c2aeb573677e2c498ddb09f8058a
Author: Pavel Begunkov
Date: Thu Aug 24 23:53:32 2023 +0100

    io_uring: add option to remove SQ indirection

    Not many aware, but io_uring submission queue has two levels. The first
    level usually appears as sq_array and stores indexes into the actual SQ.
    To my knowledge, no one has ever seriously used it, nor liburing exposes
    it to users. Add IORING_SETUP_NO_SQARRAY, when set we don't bother
    creating and using the sq_array and SQ heads/tails will be pointing
    directly into the SQ. Improves memory footprint, in term of both
    allocations as well as cache usage, and also should make io_get_sqe()
    less branchy in the end.

    Signed-off-by: Pavel Begunkov
    Link: https://lore.kernel.org/r/0ffa3268a5ef61d326201ff43a233315c96312e0.1692916914.git.asml.silence@gmail.com
    Signed-off-by: Jens Axboe

 include/uapi/linux/io_uring.h | 5 +++++
 io_uring/io_uring.c | 52 ++++++++++++++++++++++++++-----------------
 2 files changed, 37 insertions(+), 20 deletions(-)

accumulated error probability: 0.00
culprit signature: 7f32b1c86bd9f1efca89859a963c1d13902d93aa36d41eae659e3b35231c0dcd
parent signature: 011559da5788342b88d5f194ae63b39bc6e41189c2bb7147df9ca1dbbc8f00ae
revisions tested: 22, total time: 6h48m31.453540305s (build: 3h39m52.688928226s, test: 2h50m37.89954998s)
first bad commit: 2af89abda7d9c2aeb573677e2c498ddb09f8058a io_uring: add option to remove SQ indirection
recipients (to): ["asml.silence@gmail.com" "axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"]
recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"]
crash: UBSAN: array-index-out-of-bounds in io_setup_async_msg
================================================================================
UBSAN: array-index-out-of-bounds in io_uring/net.c:189:55
index 3779569494077 is out of range for type 'iovec [8]'
CPU: 0 PID: 1956 Comm: syz-executor.0 Not tainted 6.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x3d/0x60 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0xcb/0x100 lib/ubsan.c:348
 io_setup_async_msg+0xba/0xc0 io_uring/net.c:189
 io_recvmsg+0x624/0x850 io_uring/net.c:833
 io_issue_sqe+0x1b3/0x490 io_uring/io_uring.c:1853
 io_queue_sqe io_uring/io_uring.c:2028 [inline]
 io_submit_sqe io_uring/io_uring.c:2288 [inline]
 io_submit_sqes+0x220/0x710 io_uring/io_uring.c:2403
 __do_sys_io_uring_enter+0x5d5/0xc30 io_uring/io_uring.c:3610
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f85aea7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f85af7630c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007f85aeb9bf80 RCX: 00007f85aea7cae9
RDX: 0000000000000000 RSI: 0000000000007689 RDI: 0000000000000003
RBP: 00007f85aeac847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f85aeb9bf80 R15: 00007ffec63f18b8
================================================================================