ci starts bisection 2023-02-28 13:37:21.738955784 +0000 UTC m=+36567.686843526
bisecting fixing commit since eb7081409f94a9a8608593d0fb63a1aa3d6f95d8
building syzkaller on 9da37ae85383e0dda5fc114ec808909f72fe038d
ensuring issue is reproducible on original commit eb7081409f94a9a8608593d0fb63a1aa3d6f95d8
testing commit eb7081409f94a9a8608593d0fb63a1aa3d6f95d8 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bea5bad8f921a832663ecbe78730b3d79cefc314cd4f059378d96912f09013d6
run #0: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #1: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #2: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #3: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #4: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #5: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #6: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #7: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #8: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #9: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #10: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #11: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #12: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #13: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #14: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #15: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #16: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #17: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #18: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #19: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
testing current HEAD ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e
testing commit ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ac62c9047074739ed1a0989d83b0cb9cb4d50ae37eec2d66afea218a2a92f72d
run #0: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #1: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #2: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #3: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #4: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #5: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #6: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
run #7: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #8: crashed: BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx
run #9: crashed: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
revisions tested: 2, total time: 24m23.4349836s (build: 16m59.734760846s, test: 6m29.703570352s)
the crash still happens on HEAD
commit msg: vc_screen: don't clobber return value in vcs_read
crash: BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()

Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1537/dccp_feat_activate_values()
BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:691/ccid3_first_li()
CPU: 0 PID: 5733 Comm: syz-executor.0 Not tainted 6.2.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 dump_stack_lvl+0x167/0x220
 ccid3_first_li+0x27c/0x340
 tfrc_lh_interval_add+0x4e7/0x6f0
 tfrc_rx_handle_loss+0x673/0x1720
 ccid3_hc_rx_packet_recv+0x28a/0xe60
 dccp_rcv_established+0x153/0x250
 dccp_v4_do_rcv+0xc6/0x190
 __sk_receive_skb+0x36e/0x880
 ip_protocol_deliver_rcu+0x62/0xa20
 ip_local_deliver_finish+0x21d/0x460
 NF_HOOK+0x255/0x300
 NF_HOOK+0x255/0x300
 __netif_receive_skb+0x1b7/0x4f0
 process_backlog+0x2dd/0x640
 __napi_poll+0x94/0x380
 net_rx_action+0x65c/0xd60
 __do_softirq+0x311/0xb1a
 do_softirq+0x166/0x250
 __local_bh_enable_ip+0x1b5/0x1f0
 ip_finish_output2+0x998/0xd80
 __ip_queue_xmit+0xf82/0x1be0
 dccp_transmit_skb+0xbf9/0x1410
 __dccp_rcv_established+0xe9/0x310
 dccp_rcv_established+0x1f6/0x250
 dccp_v4_do_rcv+0xc6/0x190
 __release_sock+0x17f/0x410
 release_sock+0x55/0x180
 dccp_sendmsg+0x4ec/0x8f0
 ____sys_sendmsg+0x4aa/0x780
 __sys_sendmmsg+0x336/0x650
 __x64_sys_sendmmsg+0x9b/0xb0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f346de8c189
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f346eb26168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f346dfabf80 RCX: 00007f346de8c189
RDX: 000000000000ffc3 RSI: 0000000020001e80 RDI: 0000000000000006
RBP: 00007f346dee7b01 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd34fefcff R14: 00007f346eb26300 R15: 0000000000022000
BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:417/tfrc_rx_hist_sample_rtt()
CPU: 0 PID: 5965 Comm: syz-executor.0 Not tainted 6.2.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 dump_stack_lvl+0x167/0x220
 tfrc_rx_hist_sample_rtt+0x2d6/0x3e0
 ccid3_hc_rx_packet_recv+0x56f/0xe60
 dccp_rcv_established+0x153/0x250
 dccp_v4_do_rcv+0xc6/0x190
 __sk_receive_skb+0x36e/0x880
 ip_protocol_deliver_rcu+0x62/0xa20
 ip_local_deliver_finish+0x21d/0x460
 NF_HOOK+0x255/0x300
 NF_HOOK+0x255/0x300
 __netif_receive_skb+0x1b7/0x4f0
 process_backlog+0x2dd/0x640
 __napi_poll+0x94/0x380
 net_rx_action+0x65c/0xd60
 __do_softirq+0x311/0xb1a
 do_softirq+0x166/0x250
 __local_bh_enable_ip+0x1b5/0x1f0
 ip_finish_output2+0x998/0xd80
 __ip_queue_xmit+0xf82/0x1be0
 dccp_transmit_skb+0xbf9/0x1410
 dccp_rcv_established+0x153/0x250
 dccp_v4_do_rcv+0xc6/0x190
 __release_sock+0x17f/0x410
 release_sock+0x55/0x180
 dccp_sendmsg+0x4ec/0x8f0
 ____sys_sendmsg+0x4aa/0x780
 __sys_sendmmsg+0x336/0x650
 __x64_sys_sendmmsg+0x9b/0xb0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f346de8c189
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f346eb26168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f346dfabf80 RCX: 00007f346de8c189
RDX: 000000000000ffc3 RSI: 0000000020001e80 RDI: 0000000000000006
RBP: 00007f346dee7b01 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd34fefcff R14: 00007f346eb26300 R15: 0000000000022000
BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:417/tfrc_rx_hist_sample_rtt()
CPU: 0 PID: 6206 Comm: syz-executor.0 Not tainted 6.2.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 dump_stack_lvl+0x167/0x220
 tfrc_rx_hist_sample_rtt+0x2d6/0x3e0
 ccid3_hc_rx_packet_recv+0x56f/0xe60
 dccp_rcv_established+0x153/0x250
 dccp_v4_do_rcv+0xc6/0x190
 __sk_receive_skb+0x36e/0x880
 ip_protocol_deliver_rcu+0x62/0xa20
 ip_local_deliver_finish+0x21d/0x460
 NF_HOOK+0x255/0x300
 NF_HOOK+0x255/0x300
 __netif_receive_skb+0x1b7/0x4f0
 process_backlog+0x2dd/0x640
 __napi_poll+0x94/0x380
 net_rx_action+0x65c/0xd60
 __do_softirq+0x311/0xb1a
 __irq_exit_rcu+0x159/0x240
 irq_exit_rcu+0x9/0x20
 sysvec_apic_timer_interrupt+0x95/0xb0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:debug_lockdep_rcu_enabled+0x0/0x30
Code: bd 65 91 03 00 75 e7 48 c7 c7 60 77 ea 89 48 c7 c6 e0 9b ea 89 e8 40 01 9d f7 0f 0b eb d0 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1e fa 31 c0 83 3d fb 31 91 03 00 74 1d 83 3d 7e 65 91 03 00
RSP: 0018:ffffc90005e7f538 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ffff92000bcfeb0 RCX: ffffffff81621d5a
RDX: dffffc0000000000 RSI: ffffffff89ea78c0 RDI: ffffffff8a3a1940
RBP: ffffc90005e7f610 R08: dffffc0000000000 R09: fffffbfff1e07c3f
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888027efe000
R13: 1ffff92000bcfeac R14: dffffc0000000000 R15: ffffc90005e7f580
 count_memcg_event_mm+0x202/0x2e0
 handle_mm_fault+0x155/0x3ce0
 exc_page_fault+0x685/0x8a0
 asm_exc_page_fault+0x26/0x30
RIP: 0010:__put_user_4+0x16/0x20
Code: 89 01 31 c9 0f 01 ca c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 bb fd ef ff ff ff 7f 00 00 48 39 d9 73 70 0f 01 cb <89> 01 31 c9 0f 01 ca c3 66 90 f3 0f 1e fa f3 0f 1e fa 0f 01 cb 89
RSP: 0018:ffffc90005e7fa18 EFLAGS: 00050293
RAX: 0000000000000000 RBX: 00007fffffffeffd RCX: 0000000020002038
RDX: 0000000020002000 RSI: ffffffff89ea8a40 RDI: ffffffff8a3a1940
RBP: ffffc90005e7fef0 R08: dffffc0000000000 R09: fffffbfff1a7ef16
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000007
R13: 1ffff92000bcff4c R14: 1ffff92000bcff78 R15: 0000000000000006
 __sys_sendmmsg+0x38c/0x650
 __x64_sys_sendmmsg+0x9b/0xb0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f346de8c189
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f346eb26168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f346dfabf80 RCX: 00007f346de8c189
RDX: 000000000000ffc3 RSI: 0000000020001e80 RDI: 0000000000000006
RBP: 00007f346dee7b01 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd34fefcff R14: 00007f346eb26300 R15: 0000000000022000
Negotiation of local Allow Short Seqnos failed in state CHANGING at net/dccp/feat.c:1537/dccp_feat_activate_values()
----------------
Code disassembly (best guess):
   0:   bd 65 91 03 00          mov    $0x39165,%ebp
   5:   75 e7                   jne    0xffffffee
   7:   48 c7 c7 60 77 ea 89    mov    $0xffffffff89ea7760,%rdi
   e:   48 c7 c6 e0 9b ea 89    mov    $0xffffffff89ea9be0,%rsi
  15:   e8 40 01 9d f7          callq  0xf79d015a
  1a:   0f 0b                   ud2
  1c:   eb d0                   jmp    0xffffffee
  1e:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
  25:   00 00 00
  28:   66 90                   xchg   %ax,%ax
* 2a:   f3 0f 1e fa             endbr64 <-- trapping instruction
  2e:   31 c0                   xor    %eax,%eax
  30:   83 3d fb 31 91 03 00    cmpl   $0x0,0x39131fb(%rip)        # 0x3913232
  37:   74 1d                   je     0x56
  39:   83 3d 7e 65 91 03 00    cmpl   $0x0,0x391657e(%rip)        # 0x39165be