ci starts bisection 2025-09-23 11:50:41.175240292 +0000 UTC m=+93629.269997329
bisecting fixing commit since 5189dafa4cf950e675f02ee04b577dfbbad0d9b1
building syzkaller on 6f4edef43e90da260aa93c16da223a2a5569c978
ensuring issue is reproducible on original commit 5189dafa4cf950e675f02ee04b577dfbbad0d9b1
testing commit 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b8de060bd9aebf2257eb297f46552897161481e7452521080dbaa59bc5f2e73c
all runs: crashed: general protection fault in iter_file_splice_write
representative crash: general protection fault in iter_file_splice_write, types: [DoS]
check whether we can drop unnecessary instrumentation
disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed
testing commit 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 93396f21c555af60faa14f84cde3d1cb1c12d90bce9f8b40436d3595e240f01f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
the bug reproduces without the instrumentation
disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed
kconfig minimization: base=4099 full=8136 leaves diff=2141
split chunks (needed=false): <2141>
split chunk #0 of len 2141 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed
testing commit 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 5e6f664d7f34dde191afcf9ae7cdd65d6444b2a8de899f69a916ed441a38199d
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 679c0ba054642bdd7674a661303350b7daa871294ce2f36347564515595452cb
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed
testing commit 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 15d1b62b241d1c4e080746a83e1339aa544d5bd7609013d405f9238c270f4370
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: cdb86323fd0db3a6d7d7924aadcd4ad6d5006b8a9ea068c21a6d58afb4e2a142
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: OK
run #8: OK
run #9: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a2104cee142aa0f24e317bf956897c274bfba36dc986bcaa68cc9d396581549f
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: OK
run #8: OK
run #9: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing current HEAD cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
testing commit cec1e6e5d1ab33403b809f79cd20d6aff124ccfe gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b9209071f0926065781174ef7af5ef80434f39d1d92374ccdd4f1f36b1239da7
all runs: OK
false negative chance: 0.000
# git bisect start cec1e6e5d1ab33403b809f79cd20d6aff124ccfe 5189dafa4cf950e675f02ee04b577dfbbad0d9b1
Bisecting: 44265 revisions left to test after this (roughly 16 steps)
[4f74a45c6b1906574669999b9748feb1a92bee84] Merge tag 'for-net-next-2025-03-25' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
determine whether the revision contains the guilty commit
revision 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 crashed and is reachable
testing commit 4f74a45c6b1906574669999b9748feb1a92bee84 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: d7110849817d640ae4cb28c6fa0d4253c308e75710624388ea25a06fafc83779
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 4f74a45c6b1906574669999b9748feb1a92bee84
Bisecting: 22207 revisions left to test after this (roughly 15 steps)
[6fe26f694c824b8a4dbf50c635bee1302e3f099c] Bluetooth: MGMT: Protect mgmt_pending list with its own lock
determine whether the revision contains the guilty commit
revision 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 crashed and is reachable
testing commit 6fe26f694c824b8a4dbf50c635bee1302e3f099c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e61cd0430b6b9a3dba678e855693228ce8892b9f3b77c86ba8f4d65ad9e73aad
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 6fe26f694c824b8a4dbf50c635bee1302e3f099c
Bisecting: 10809 revisions left to test after this (roughly 14 steps)
[115e74a29b530d121891238e9551c4bcdf7b04b5] Merge tag 'soc-dt-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
determine whether the revision contains the guilty commit
revision 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 crashed and is reachable
testing commit 115e74a29b530d121891238e9551c4bcdf7b04b5 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 951b0f8ff46336e897781fc60ee281afce102b302e9ab9de9aa0756cb71e0ce4
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #12: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #13: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 115e74a29b530d121891238e9551c4bcdf7b04b5
Bisecting: 5459 revisions left to test after this (roughly 12 steps)
[40a826bd6c82ae45cfd3a19cd2a60a10f56b74c0] module: Rename MAX_PARAM_PREFIX_LEN to __MODULE_NAME_LEN
determine whether the revision contains the guilty commit
revision 4f74a45c6b1906574669999b9748feb1a92bee84 crashed and is reachable
testing commit 40a826bd6c82ae45cfd3a19cd2a60a10f56b74c0 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e491797cc0d2a03269c323d7485b7188e9fb173d637a7d5d848de68f44e8f4c2
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #12: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 40a826bd6c82ae45cfd3a19cd2a60a10f56b74c0
Bisecting: 2707 revisions left to test after this (roughly 11 steps)
[e991acf1bce7a428794514cbbe216973c9c0a3c8] Merge tag 'mm-nonmm-stable-2025-08-03-12-47' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
determine whether the revision contains the guilty commit
revision 4f74a45c6b1906574669999b9748feb1a92bee84 crashed and is reachable
testing commit e991acf1bce7a428794514cbbe216973c9c0a3c8 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e939a7caed251ad310dd62ab98592ca7cf11109fce8aaba25e586acc2579b5fa
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #18: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good e991acf1bce7a428794514cbbe216973c9c0a3c8
Bisecting: 1360 revisions left to test after this (roughly 10 steps)
[d28de4fc0aaa8db6c0163e37c6d4d07f062a08db] Merge tag 'io_uring-6.17-20250822' of git://git.kernel.dk/linux
determine whether the revision contains the guilty commit
revision e991acf1bce7a428794514cbbe216973c9c0a3c8 crashed and is reachable
testing commit d28de4fc0aaa8db6c0163e37c6d4d07f062a08db gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: eadfc79efb30c60f7b4a39c3b5fa8623865d92ff160b0ac420e02b68bb07e99e
all runs: OK
false negative chance: 0.000
# git bisect bad d28de4fc0aaa8db6c0163e37c6d4d07f062a08db
Bisecting: 673 revisions left to test after this (roughly 9 steps)
[39f8fcda2088382a4aa70b258d6f7225aa386f11] bnxt: fill data page pool with frags if PAGE_SIZE > BNXT_RX_PAGE_SIZE
determine whether the revision contains the guilty commit
revision 115e74a29b530d121891238e9551c4bcdf7b04b5 crashed and is reachable
testing commit 39f8fcda2088382a4aa70b258d6f7225aa386f11 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a7ede1198bcdb4fedd79a06a766785e2e87d7921f1560f5a24055ca82ccac58b
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 39f8fcda2088382a4aa70b258d6f7225aa386f11
Bisecting: 336 revisions left to test after this (roughly 8 steps)
[e318cd6714592fb762fcab59c5684a442243a12f] net: dsa: microchip: Fix KSZ9477 HSR port setup issue
determine whether the revision contains the guilty commit
revision 4f74a45c6b1906574669999b9748feb1a92bee84 crashed and is reachable
testing commit e318cd6714592fb762fcab59c5684a442243a12f gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 63a5518cc43d8df56a37651d80b127fb3569a17ef6147d941f709296b43b6184
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #12: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #13: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good e318cd6714592fb762fcab59c5684a442243a12f
Bisecting: 168 revisions left to test after this (roughly 7 steps)
[055f213075fbfa8e950bed8f2c50d01ac71bbf37] Merge tag 'vfs-6.17-rc3.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
determine whether the revision contains the guilty commit
revision 40a826bd6c82ae45cfd3a19cd2a60a10f56b74c0 crashed and is reachable
testing commit 055f213075fbfa8e950bed8f2c50d01ac71bbf37 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a057a063e5d71052f582b03611d6735711da1e8117ba7b381758efa6d81fe47d
all runs: OK
false negative chance: 0.000
# git bisect bad 055f213075fbfa8e950bed8f2c50d01ac71bbf37
Bisecting: 95 revisions left to test after this (roughly 6 steps)
[d0efc9e4276cda07c2f76652d240b165c30b05b8] Merge tag 'xfs-fixes-6.17-rc2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
determine whether the revision contains the guilty commit
revision 4f74a45c6b1906574669999b9748feb1a92bee84 crashed and is reachable
testing commit d0efc9e4276cda07c2f76652d240b165c30b05b8 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2c185b23afaf762a5769996baf7a0f5039533c8ad06b05f8f4047651d2da8186
run #0: basic kernel testing failed: lost connection to test machine
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #11: OK
run #12: OK
run #13: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #14: OK
run #15: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good d0efc9e4276cda07c2f76652d240b165c30b05b8
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[8d561baae505bab6b3f133e10dc48e27e4505cbe] Merge tag 'x86_urgent_for_v6.17_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
determine whether the revision contains the guilty commit
revision d0efc9e4276cda07c2f76652d240b165c30b05b8 crashed and is reachable
testing commit 8d561baae505bab6b3f133e10dc48e27e4505cbe gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 0b34cff6287cebd1b1e27ee6dd235433cb25d61bd6d93417fdb764f11857a4da
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 8d561baae505bab6b3f133e10dc48e27e4505cbe
Bisecting: 16 revisions left to test after this (roughly 5 steps)
[be48bcf004f9d0c9207ff21d0edb3b42f253829e] Merge tag 'for-6.17-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
determine whether the revision contains the guilty commit
revision d0efc9e4276cda07c2f76652d240b165c30b05b8 crashed and is reachable
testing commit be48bcf004f9d0c9207ff21d0edb3b42f253829e gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e4e22870e6e863b1adeeb453f85c4dc82b41469878a16325dd652b96bafd6031
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #12: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good be48bcf004f9d0c9207ff21d0edb3b42f253829e
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[593d9e4c3d634c370f226f55453c376bf43b3684] fs: fix incorrect lflags value in the move_mount syscall
determine whether the revision contains the guilty commit
revision 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 crashed and is reachable
testing commit 593d9e4c3d634c370f226f55453c376bf43b3684 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b887cb3833f069531bdef14814e540353c7c394285d9b8fdc63f8a1a3113827a
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #12: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #13: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 593d9e4c3d634c370f226f55453c376bf43b3684
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[0b2d71a7c82628bb36fd43e80193bcc2693c239a] pidfs: Fix memory leak in pidfd_info()
determine whether the revision contains the guilty commit
revision 5189dafa4cf950e675f02ee04b577dfbbad0d9b1 crashed and is reachable
testing commit 0b2d71a7c82628bb36fd43e80193bcc2693c239a gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 5678ddd062f52d0fdcf5bb1ab7f6ec5ea1ed73f8e505393cd1e4e91caf66fc0e
all runs: OK
false negative chance: 0.000
# git bisect bad 0b2d71a7c82628bb36fd43e80193bcc2693c239a
Bisecting: 1 revision left to test after this (roughly 1 step)
[b5ca88927e353185b3d9ac4362d33e5aeb25771f] fhandle: do_handle_open() should get FD with user flags
determine whether the revision contains the guilty commit
revision 4f74a45c6b1906574669999b9748feb1a92bee84 crashed and is reachable
testing commit b5ca88927e353185b3d9ac4362d33e5aeb25771f gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 416dbfda3d31d75e7cec7ddcd635d63564e8307739ca05a8d49aae9efce694fd
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #10: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #11: OK
run #12: OK
run #13: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #14: crashed: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
representative crash: BUG: unable to handle kernel NULL pointer dereference in iter_file_splice_write, types: [NULL-POINTER-DEREFERENCE]
# git bisect good b5ca88927e353185b3d9ac4362d33e5aeb25771f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a3de58b12ce074ec05b8741fa28d62ccb1070468] netfs: Fix unbuffered write error handling
determine whether the revision contains the guilty commit
revision 593d9e4c3d634c370f226f55453c376bf43b3684 crashed and is reachable
testing commit a3de58b12ce074ec05b8741fa28d62ccb1070468 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b31e943b1e812b31d06a5ed16b3dce95e4f559a147a8a8033840820a9bb70d85
all runs: OK
false negative chance: 0.000
# git bisect bad a3de58b12ce074ec05b8741fa28d62ccb1070468
a3de58b12ce074ec05b8741fa28d62ccb1070468 is the first bad commit
commit a3de58b12ce074ec05b8741fa28d62ccb1070468
Author: David Howells
Date:   Thu Aug 14 22:45:50 2025 +0100

    netfs: Fix unbuffered write error handling

    If all the subrequests in an unbuffered write stream fail, the subrequest
    collector doesn't update the stream->transferred value and it retains its
    initial LONG_MAX value. Unfortunately, if all active streams fail, then we
    take the smallest value of { LONG_MAX, LONG_MAX, ... } as the value to set
    in wreq->transferred - which is then returned from ->write_iter().

    LONG_MAX was chosen as the initial value so that all the streams can be
    quickly assessed by taking the smallest value of all stream->transferred -
    but this only works if we've set any of them.

    Fix this by adding a flag to indicate whether the value in
    stream->transferred is valid and checking that when we integrate the
    values. stream->transferred can then be initialised to zero.

    This was found by running the generic/750 xfstest against cifs with
    cache=none. It splices data to the target file. Once (if) it has used up
    all the available scratch space, the writes start failing with ENOSPC.
    This causes ->write_iter() to fail. However, it was returning
    wreq->transferred, i.e. LONG_MAX, rather than an error (because it thought
    the amount transferred was non-zero) and iter_file_splice_write() would
    then try to clean up that amount of pipe bufferage - leading to an oops
    when it overran.

    The kernel log showed:

        CIFS: VFS: Send error in write = -28

    followed by:

        BUG: kernel NULL pointer dereference, address: 0000000000000008

    with:

        RIP: 0010:iter_file_splice_write+0x3a4/0x520
        do_splice+0x197/0x4e0

    or:

        RIP: 0010:pipe_buf_release (include/linux/pipe_fs_i.h:282)
        iter_file_splice_write (fs/splice.c:755)

    Also put a warning check into splice to announce if ->write_iter()
    returned that it had written more than it was asked to.

    Fixes: 288ace2f57c9 ("netfs: New writeback implementation")
    Reported-by: Xiaoli Feng
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220445
    Signed-off-by: David Howells
    Link: https://lore.kernel.org/915443.1755207950@warthog.procyon.org.uk
    cc: Paulo Alcantara
    cc: Steve French
    cc: Shyam Prasad N
    cc: netfs@lists.linux.dev
    cc: linux-cifs@vger.kernel.org
    cc: linux-fsdevel@vger.kernel.org
    cc: stable@vger.kernel.org
    Signed-off-by: Christian Brauner

 fs/netfs/read_collect.c  |  4 +++-
 fs/netfs/write_collect.c | 10 ++++++++--
 fs/netfs/write_issue.c   |  4 ++--
 fs/splice.c              |  3 +++
 include/linux/netfs.h    |  1 +
 5 files changed, 17 insertions(+), 5 deletions(-)

accumulated error probability: 0.00
culprit signature: b31e943b1e812b31d06a5ed16b3dce95e4f559a147a8a8033840820a9bb70d85
parent signature: 416dbfda3d31d75e7cec7ddcd635d63564e8307739ca05a8d49aae9efce694fd
reproducer is flaky (0.50 repro chance estimate)
revisions tested: 24, total time: 8h8m1.080276167s (build: 2h51m38.755293376s, test: 4h44m30.452604696s)
first good commit: a3de58b12ce074ec05b8741fa28d62ccb1070468 netfs: Fix unbuffered write error handling
recipients (to): ["brauner@kernel.org" "dhowells@redhat.com" "dhowells@redhat.com" "linux-fsdevel@vger.kernel.org" "netfs@lists.linux.dev" "pc@manguebit.org"]
recipients (cc): ["brauner@kernel.org" "jack@suse.cz" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"]
