ci starts bisection 2025-01-13 19:21:15.551208387 +0000 UTC m=+41.150550195
bisecting cause commit starting from 7b4b9bf203da94fbeac75ed3116c84aa03e74578
building syzkaller on 6dbc6a9bc76e06852841ed5c5bdbb78409b17f53
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit 7b4b9bf203da94fbeac75ed3116c84aa03e74578
testing commit 7b4b9bf203da94fbeac75ed3116c84aa03e74578
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f7b92ebfcd3891a41a75e36f4b022653f073776fe6ef1fbf55ec7c9e265e2bad
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 7b4b9bf203da94fbeac75ed3116c84aa03e74578
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e06ab04f8646212504230fde4fea16e847a23a9e08064aa86514a6d26ef299ec
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4045 full=8257 leaves diff=2126
split chunks (needed=false): <2126>
split chunk #0 of len 2126 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 7b4b9bf203da94fbeac75ed3116c84aa03e74578
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e4abe9fa295375733040a839e187abcde54ad97d3c3c0ff4e16277783ab3236a
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 7b4b9bf203da94fbeac75ed3116c84aa03e74578
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 7b4b9bf203da94fbeac75ed3116c84aa03e74578: drivers/gpu/drm/bridge/aux-bridge.c:116: undefined reference to `devm_drm_of_get_bridge'
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 7b4b9bf203da94fbeac75ed3116c84aa03e74578
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 459aba3438c24fa63c1a85e43d31399fcc65945ad3fed2c2a68884eefbbf46ba
run #0: crashed: KASAN: global-out-of-bounds Read in number
run #1: crashed: KASAN: global-out-of-bounds Read in number
run #2: crashed: KASAN: global-out-of-bounds Read in number
run #3: crashed: KASAN: global-out-of-bounds Read in number
run #4: crashed: KASAN: global-out-of-bounds Read in number
run #5: crashed: KASAN: global-out-of-bounds Read in number
run #6: crashed: KASAN: global-out-of-bounds Read in number
run #7: crashed: KASAN: global-out-of-bounds Read in number
run #8: crashed: KASAN: global-out-of-bounds Read in number
run #9: boot failed: can't ssh into the instance
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 7b4b9bf203da94fbeac75ed3116c84aa03e74578
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 460a9ad2e5375acf8496942842df3e817353e1ab5612b6fca9ff7ed83543adb2
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 7b4b9bf203da94fbeac75ed3116c84aa03e74578
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c52748d85ebe14df3267ed0d088d22cb6d547a8fc8710d875b070dc423aab629
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
the chunk can be dropped
minimized to 426 configs; suspects: [...]
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.12 v6.11 v6.10 v6.8 v6.6 v6.4 v6.2 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 35 release tags
testing release v6.12
testing commit adc218676eef25575469234709c2d87185ca223a
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 934e9108ee94b6563653d7f68f5cddd73df6243c8b3c30e4ed834ea2568f5232
all runs: OK
false negative chance: 0.000
# git bisect start 7b4b9bf203da94fbeac75ed3116c84aa03e74578 adc218676eef25575469234709c2d87185ca223a
Bisecting: 10115 revisions left to test after this (roughly 13 steps)
[1746db26f85e4f4b3dd11d7b55f4eff4b0423884] Merge tag 'pci-v6.13-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
testing commit 1746db26f85e4f4b3dd11d7b55f4eff4b0423884
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 05249456f9e0e416398d16b818466a5dfcfbadbecb6388f0bf0eca4606b9707f
all runs: OK
false negative chance: 0.000
# git bisect good 1746db26f85e4f4b3dd11d7b55f4eff4b0423884
Bisecting: 5162 revisions left to test after this (roughly 12 steps)
[e59ca319069a020548148444c69a621db4e3c233] Merge branch 'xtensa-for-next' of git://github.com/jcmvbkbc/linux-xtensa.git
testing commit e59ca319069a020548148444c69a621db4e3c233
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 832c4a7e7c371e90fbf407bd0fbd0f8af2da5e87017f200bf5fd7d38ad54121c
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
# git bisect bad e59ca319069a020548148444c69a621db4e3c233
Bisecting: 2477 revisions left to test after this (roughly 11 steps)
[b1f3a2f5a742c1e939a73031bd31b9e557a2d77d] netdev: fix repeated netlink messages in queue dump
testing commit b1f3a2f5a742c1e939a73031bd31b9e557a2d77d
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d8b7ec220a58b91659c0625ade5e63a11f7b5db15dfe667f1d6878afa85a6811
all runs: OK
false negative chance: 0.000
# git bisect good b1f3a2f5a742c1e939a73031bd31b9e557a2d77d
Bisecting: 1402 revisions left to test after this (roughly 10 steps)
[7283307534785b0e8b3260a4699b6a65f63c1cd5] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
testing commit 7283307534785b0e8b3260a4699b6a65f63c1cd5
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0a26e64725e4e3356975642a626e9ba906a54a8d2fa1203b6f877e0a991e3771
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
# git bisect bad 7283307534785b0e8b3260a4699b6a65f63c1cd5
Bisecting: 537 revisions left to test after this (roughly 9 steps)
[4aa748dd1abf337426b4c941ae1b606ed0e2a5aa] Merge tag 'mm-hotfixes-stable-2024-12-21-12-09' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit 4aa748dd1abf337426b4c941ae1b606ed0e2a5aa
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7fb59262fd80c7ee51b15ba39207f9fa9414c4a24299dc3d341986e8aa9ecbbd
all runs: OK
false negative chance: 0.000
# git bisect good 4aa748dd1abf337426b4c941ae1b606ed0e2a5aa
Bisecting: 266 revisions left to test after this (roughly 8 steps)
[aba74e639f8d76d29b94991615e33319d7371b63] Merge tag 'net-6.13-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit aba74e639f8d76d29b94991615e33319d7371b63
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0a5a7aca73ba8a0fb7275b63b010ac32279a5d2d24390f652f5cb9cc245acc00
all runs: OK
false negative chance: 0.000
# git bisect good aba74e639f8d76d29b94991615e33319d7371b63
Bisecting: 134 revisions left to test after this (roughly 7 steps)
[10c4a1ac8463566c7f81f8152f44e1e300a2518f] Merge branch 'main' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git
testing commit 10c4a1ac8463566c7f81f8152f44e1e300a2518f
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 76a522743bda1c25696f3ff8f5722b6a2f747609f52e112849eeabf59fa5b0bc
all runs: OK
false negative chance: 0.000
# git bisect good 10c4a1ac8463566c7f81f8152f44e1e300a2518f
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[3e0dc49747e704d96e233e73475e39e4657e270c] Merge branch 'fixes-togreg' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio.git
testing commit 3e0dc49747e704d96e233e73475e39e4657e270c
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e62322cb70c48abfaa32fa0feee7bd2e19dadf935c508d4cd5222410653db264
all runs: OK
false negative chance: 0.000
# git bisect good 3e0dc49747e704d96e233e73475e39e4657e270c
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[8756e073e94e83c665f645134ca76097a6b3ab42] Merge branch 'riscv-dt-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/conor/linux.git
testing commit 8756e073e94e83c665f645134ca76097a6b3ab42
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eef928f57508fcdd059b8e6cf809d13407250fb2f6dfe6e426b35b2351614336
all runs: OK
false negative chance: 0.000
# git bisect good 8756e073e94e83c665f645134ca76097a6b3ab42
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[7271353cfca680904ea38aa3cc57db69a1b25f78] Merge branch 'msm-fixes' of https://gitlab.freedesktop.org/drm/msm.git
testing commit 7271353cfca680904ea38aa3cc57db69a1b25f78
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9df1b108766ea708583aa5714f66a6ef6d66cb5dc2f9d5b9707b798a009bf75a
all runs: OK
false negative chance: 0.000
# git bisect good 7271353cfca680904ea38aa3cc57db69a1b25f78
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[f372b2256acbfbbf703cfdfae3d02c5a6c0e1679] vsnprintf: inline skip_atoi() again
testing commit f372b2256acbfbbf703cfdfae3d02c5a6c0e1679
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9b0152b8fbe0e028bec7e53399eca7bf76b7b5bc8219f8a37de27906cb6ab888
all runs: OK
false negative chance: 0.000
# git bisect good f372b2256acbfbbf703cfdfae3d02c5a6c0e1679
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[4c538044ee2d11299cc57ac1e92d343e1e83b847] vsprintf: don't make the 'binary' version pack small integer arguments
testing commit 4c538044ee2d11299cc57ac1e92d343e1e83b847
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d06b4fba644404a8b2d51bd855984a05ade8919a09f4ec38c326f27b5e4db4c4
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
# git bisect bad 4c538044ee2d11299cc57ac1e92d343e1e83b847
Bisecting: 0 revisions left to test after this (roughly 1 step)
[8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab] vsnprintf: collapse the number format state into one single state
testing commit 8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2b08a98096c0c64cd64b8e983b4c1c02b7184c4ffbaa83265c4496386f64ffe8
all runs: crashed: KASAN: global-out-of-bounds Read in number
representative crash: KASAN: global-out-of-bounds Read in number, types: [KASAN]
# git bisect bad 8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2b76e39fca4739a75c9a4f96f3471af6b1c18d9e] vsnprintf: mark the indirect width and precision cases unlikely
testing commit 2b76e39fca4739a75c9a4f96f3471af6b1c18d9e
gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 874377b7f23c18b61ba8b68ef8b6abe1ff99463d5fd53fd2261271abf54a2d54
all runs: OK
false negative chance: 0.000
# git bisect good 2b76e39fca4739a75c9a4f96f3471af6b1c18d9e
8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab is the first bad commit
commit 8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab
Author: Linus Torvalds
Date: Thu Dec 19 13:52:53 2024 -0800

vsnprintf: collapse the number format state into one single state

We'll squirrel away the size of the number in 'struct fmt' instead.

We have two fairly separate state structures: the 'decode state' is in 'struct fmt', while the 'printout format' is in 'printf_spec'. Both structures are small enough to pass around in registers even across function boundaries (ie two words), even on 32-bit machines.

The goal here is to avoid the case statements on the format states, which generate either deep conditionals or jump tables, while also keeping the state size manageable.
Signed-off-by: Linus Torvalds

lib/vsprintf.c | 137 +++++++++++++++++++++++++++------------------------------
1 file changed, 66 insertions(+), 71 deletions(-)

accumulated error probability: 0.00
culprit signature: 2b08a98096c0c64cd64b8e983b4c1c02b7184c4ffbaa83265c4496386f64ffe8
parent signature: 874377b7f23c18b61ba8b68ef8b6abe1ff99463d5fd53fd2261271abf54a2d54
revisions tested: 21, total time: 10h7m35.859923306s (build: 3h58m58.116901297s, test: 3h13m54.031157722s)
first bad commit: 8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab vsnprintf: collapse the number format state into one single state
recipients (to): ["akpm@linux-foundation.org" "linux-kernel@vger.kernel.org" "pmladek@suse.com" "rostedt@goodmis.org" "torvalds@linux-foundation.org"]
recipients (cc): ["andriy.shevchenko@linux.intel.com" "linux@rasmusvillemoes.dk" "senozhatsky@chromium.org"]
crash: KASAN: global-out-of-bounds Read in number
==================================================================
BUG: KASAN: global-out-of-bounds in number+0x4b8/0x1100 lib/vsprintf.c:494
Read of size 1 at addr ffffffff85c02b51 by task syz.3.16/3553

CPU: 1 UID: 0 PID: 3553 Comm: syz.3.16 Not tainted 6.13.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x108/0x280 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x4b8/0x1100 lib/vsprintf.c:494
 pointer+0x739/0xe60 lib/vsprintf.c:2484
 vsnprintf+0x6f1/0x11d0 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x168/0x250 fs/seq_file.c:406
 show_partition+0x19c/0x2a0 block/genhd.c:892
 seq_read_iter+0x8af/0xb90 fs/seq_file.c:272
 proc_reg_read_iter+0x10c/0x1f0 fs/proc/inode.c:299
 copy_splice_read+0x5be/0xb50 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x3ae/0x9f0 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x233/0x350 fs/splice.c:1233
 do_sendfile+0x4a2/0x720 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64 fs/read_write.c:1410 [inline]
 __x64_sys_sendfile64+0x19f/0x200 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8d/0x170 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f31fbd85d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f31fcbc4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f31fbf76080 RCX: 00007f31fbd85d29
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005
RBP: 00007f31fbe01b08 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000023b R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f31fbf76080 R15: 00007fff01f49828

The buggy address belongs to the variable:
 hex_asc_upper+0x11/0x40

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5c02
flags: 0x80000000002000(reserved|node=0|zone=1)
raw: 0080000000002000 ffffea0000170088 ffffea0000170088 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff85c02a00: 02 f9 f9 f9 00 02 f9 f9 00 04 f9 f9 00 03 f9 f9
 ffffffff85c02a80: 07 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
>ffffffff85c02b00: 00 00 01 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
                                                 ^
 ffffffff85c02b80: 00 04 f9 f9 02 f9 f9 f9 01 f9 f9 f9 00 f9 f9 f9
 ffffffff85c02c00: 00 f9 f9 f9 00 04 f9 f9 00 06 f9 f9 00 f9 f9 f9
==================================================================