ci starts bisection 2023-11-30 09:19:01.525708328 +0000 UTC m=+20450.925607688
bisecting cause commit starting from 300fbb247eb3d2146b37c8dc127056f695091218
building syzkaller on f819d6f7cb99737851dcaaa51f11190138fd48d5
ensuring issue is reproducible on original commit 300fbb247eb3d2146b37c8dc127056f695091218
testing commit 300fbb247eb3d2146b37c8dc127056f695091218 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aad6cb162983ae0a39789f427933f3b35fae8fdbafd5998a197b730f5c801eff
all runs: crashed: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
representative crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 300fbb247eb3d2146b37c8dc127056f695091218 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a4cb93d8d5d41f82e6a6ddf1823a9f89aff5c3e85a448c974f1c3fe20a894645
all runs: crashed: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
representative crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=3923 full=7658 leaves diff=2005
split chunks (needed=false): <2005>
split chunk #0 of len 2005 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 300fbb247eb3d2146b37c8dc127056f695091218 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b82a9fefb6e842583e2f2a973d6a1db0e75aecbac05a69d628e2e97f98a35844
all runs: crashed: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
representative crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 300fbb247eb3d2146b37c8dc127056f695091218 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c89b1ff9b5029709ad3de447cbb6084a3a3ccbb8403ec6ee901cab0f5e579c54
all runs: crashed: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
representative crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 300fbb247eb3d2146b37c8dc127056f695091218 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1af486e6043558caa750ed4f0cdcb36a35da478aa85e0d65beb2d13254a7d664
all runs: crashed: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
representative crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 300fbb247eb3d2146b37c8dc127056f695091218 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f8233574f232773c10fc2a8642494eae20225ce7267ce53979fce29fdac825d
all runs: crashed: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
representative crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 300fbb247eb3d2146b37c8dc127056f695091218 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature:
7d1f5ced89a4dd99496315c4cb59122e4f01db776a86adbdcae771517f29fa94
all runs: OK
false negative chance: 0.000
minimized to 401 configs; suspects: [list of 401 kconfig symbols omitted]
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.6 v6.5 v6.4 v6.2 v6.0 v5.18 v5.16 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 29 release tags
testing release v6.6
testing commit
ffc253263a1375a65fa6c9f62a893e9767fbebfa gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cdd6b25e864d42e0f56dfeac77edecdf39a8031c00a864ebe3519b9c0e6b5097
all runs: OK
false negative chance: 0.000
# git bisect start 300fbb247eb3d2146b37c8dc127056f695091218 ffc253263a1375a65fa6c9f62a893e9767fbebfa
Bisecting: 8063 revisions left to test after this (roughly 13 steps)
[7d461b291e65938f15f56fe58da2303b07578a76] Merge tag 'drm-next-2023-10-31-1' of git://anongit.freedesktop.org/drm/drm
testing commit 7d461b291e65938f15f56fe58da2303b07578a76 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5535f0999d2ce12419a6d1ea90b2b7bf1d083092ab4d7896807d19a8a39b7d72
all runs: OK
false negative chance: 0.000
# git bisect good 7d461b291e65938f15f56fe58da2303b07578a76
Bisecting: 4037 revisions left to test after this (roughly 12 steps)
[136cc1e1f5be75f57f1e0404b94ee1c8792cb07d] Merge tag 'landlock-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
testing commit 136cc1e1f5be75f57f1e0404b94ee1c8792cb07d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 262dbf0315f772368077f459c72d3719fedae77a5d7ca7c0c958bb3f22261ae3
all runs: OK
false negative chance: 0.000
# git bisect good 136cc1e1f5be75f57f1e0404b94ee1c8792cb07d
Bisecting: 2046 revisions left to test after this (roughly 11 steps)
[37d9486874ec925fa298bcd7ba628a9b206e812f] Merge tag 'nvme-6.7-2023-11-8' of git://git.infradead.org/nvme into block-6.7
testing commit 37d9486874ec925fa298bcd7ba628a9b206e812f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1eff5cfe4d352c12f85a77bce8aaf4f1dc7821e9a1ba78b17deaf3607143fe7d
all runs: OK
false negative chance: 0.000
# git bisect good 37d9486874ec925fa298bcd7ba628a9b206e812f
Bisecting: 1028 revisions left to test after this (roughly 10 steps)
[ace92fd98475c15c860855b53aad3413e28399c8] Merge tag 'for-6.7-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
testing commit ace92fd98475c15c860855b53aad3413e28399c8 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0acebd831115ea755ffcee3d8f2f2511c221dd47c7079e54209e280af5a8106f
all runs: OK
false negative chance: 0.000
# git bisect good ace92fd98475c15c860855b53aad3413e28399c8
Bisecting: 515 revisions left to test after this (roughly 9 steps)
[4eeee6636af819454d7c43702e77ec7857a63000] Merge tag 'loongarch-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
testing commit 4eeee6636af819454d7c43702e77ec7857a63000 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c5622c3578767028fd9c256a3e5bc51ac2f97680d81a38bb22803525db12e386
all runs: OK
false negative chance: 0.000
# git bisect good 4eeee6636af819454d7c43702e77ec7857a63000
Bisecting: 296 revisions left to test after this (roughly 8 steps)
[791c8ab095f71327899023223940dd52257a4173] Merge tag 'bcachefs-2023-11-17' of https://evilpiepirate.org/git/bcachefs
testing commit 791c8ab095f71327899023223940dd52257a4173 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c56a46a80474523f817f62fb3a60933bcf440411f53918531ff1266bea7bbad2
all runs: OK
false negative chance: 0.000
# git bisect good 791c8ab095f71327899023223940dd52257a4173
Bisecting: 148 revisions left to test after this (roughly 7 steps)
[46a29dd1462198e67bf939c32a2faf4e9bf9ac63] Merge tag 'irq_urgent_for_v6.7_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 46a29dd1462198e67bf939c32a2faf4e9bf9ac63 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a93b80ff61d150e2defc150ecb032bb91aec66bb70c86df90606283ceca6ba2c
all runs: OK
false negative chance: 0.000
# git bisect good 46a29dd1462198e67bf939c32a2faf4e9bf9ac63
Bisecting: 83 revisions left to test after this (roughly 6 steps)
[39f04b1406b23fcc129a67e70d6205d5a7322f38] tools: ynl: fix duplicate op name in devlink
testing commit 39f04b1406b23fcc129a67e70d6205d5a7322f38 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 11d037494457b0912e76b4f65a09cc3127289418829fc7b48200c48af4e86de2
all runs: OK
false negative chance: 0.000
# git bisect good 39f04b1406b23fcc129a67e70d6205d5a7322f38
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[e2b706c691905fe78468c361aaabc719d0a496f1] ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
testing commit e2b706c691905fe78468c361aaabc719d0a496f1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a3c5f8c920dad0a84afbdf54bddb0692d06eed2e6d8d1695b42308992f83ae00
all runs: OK
false negative chance: 0.000
# git bisect good e2b706c691905fe78468c361aaabc719d0a496f1
Bisecting: 21 revisions left to test after this (roughly 4 steps)
[83f2df9d66bc9e1e0dbd5d5586a701088f6a1d42] tools: ynl-gen: always construct struct ynl_req_state
testing commit 83f2df9d66bc9e1e0dbd5d5586a701088f6a1d42 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 865f24761c53b7bf65e2aad70595c006f346f7898d0f32663ff546d9b53c143c
all runs: OK
false negative chance: 0.000
# git bisect good 83f2df9d66bc9e1e0dbd5d5586a701088f6a1d42
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[f4acfcd4deb158b96595250cc332901b282d15b0] debugfs: annotate debugfs handlers vs. removal with lockdep
testing commit f4acfcd4deb158b96595250cc332901b282d15b0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fd78821090f766f60cfb5a48daefd2d3c6964072de02254da680dd48f9a3ee82
all runs: OK
false negative chance: 0.000
# git bisect good f4acfcd4deb158b96595250cc332901b282d15b0
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[51354f700d400e55b329361e1386b04695e6e5c1] bpf, sockmap: Add af_unix test with both sockets in map
testing commit 51354f700d400e55b329361e1386b04695e6e5c1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ede1d1f67ccae3961f5849b33500174de657d0c4f0152c51b978940cfc6a9c5c
all runs: crashed: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
representative crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto, types: [KASAN]
# git bisect bad 51354f700d400e55b329361e1386b04695e6e5c1
Bisecting: 2 revisions left to test after this (roughly 1 step)
[75a442581d05edaee168222ffbe00d4389785636] bpf: Add missed allocation hint for bpf_mem_cache_alloc_flags()
testing commit 75a442581d05edaee168222ffbe00d4389785636 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4ad7bd9feee1c8325dd490620f23ab3a042730115e4fbd29d4cc466222b664a5
all runs: OK
false negative chance: 0.000
# git bisect good 75a442581d05edaee168222ffbe00d4389785636
Bisecting: 0 revisions left to test after this (roughly 1 step)
[8866730aed5100f06d3d965c22f1c61f74942541] bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
testing commit 8866730aed5100f06d3d965c22f1c61f74942541 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 63771c2457143ba437bb71f4941f0c666e5bea45fd5167d36e5d8512e08c182c
all runs: crashed: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
representative crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto, types: [KASAN]
# git bisect bad 8866730aed5100f06d3d965c22f1c61f74942541
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0bad281d0ecdf8391b0f42678b663336e7c3ceb0] netkit: Reject IFLA_NETKIT_PEER_INFO in netkit_change_link
testing commit 0bad281d0ecdf8391b0f42678b663336e7c3ceb0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e2b65e280cb7e1773187e8e37cfe2c36d2d8bae1e7a05896d2eaa1b2c3724e1f
all runs: OK
false negative chance: 0.000
# git bisect good 0bad281d0ecdf8391b0f42678b663336e7c3ceb0
8866730aed5100f06d3d965c22f1c61f74942541 is the first bad commit
commit 8866730aed5100f06d3d965c22f1c61f74942541
Author: John Fastabend
Date:   Tue Nov 28 17:25:56 2023 -0800

    bpf, sockmap: af_unix stream sockets need to hold ref for pair sock

    AF_UNIX stream sockets are a paired socket. So sending on one of the
    pairs will lookup the paired socket as part of the send operation. It
    is possible however to put just one of the pairs in a BPF map. This
    currently increments the refcnt on the sock in the sockmap to ensure
    it is not free'd by the stack before sockmap cleans up its state and
    stops any skbs being sent/recv'd to that socket.

    But we missed a case. If the peer socket is closed it will be free'd
    by the stack. However, the paired socket can still be referenced from
    BPF sockmap side because we hold a reference there. Then if we are
    sending traffic through BPF sockmap to that socket it will try to
    dereference the free'd pair in its send logic creating a use after
    free. And following splat:

       [59.900375] BUG: KASAN: slab-use-after-free in sk_wake_async+0x31/0x1b0
       [59.901211] Read of size 8 at addr ffff88811acbf060 by task kworker/1:2/954
       [...]
       [59.905468] Call Trace:
       [59.905787]
       [59.906066] dump_stack_lvl+0x130/0x1d0
       [59.908877] print_report+0x16f/0x740
       [59.910629] kasan_report+0x118/0x160
       [59.912576] sk_wake_async+0x31/0x1b0
       [59.913554] sock_def_readable+0x156/0x2a0
       [59.914060] unix_stream_sendmsg+0x3f9/0x12a0
       [59.916398] sock_sendmsg+0x20e/0x250
       [59.916854] skb_send_sock+0x236/0xac0
       [59.920527] sk_psock_backlog+0x287/0xaa0

    To fix let BPF sockmap hold a refcnt on both the socket in the sockmap
    and its paired socket. It wasn't obvious how to contain the fix to
    bpf_unix logic. The primary problem with keeping this logic in
    bpf_unix was: In the sock close() we could handle the deref by having
    a close handler. But, when we are destroying the psock through a map
    delete operation we wouldn't have gotten any signal through the proto
    struct other than it being replaced. If we do the deref from the proto
    replace it's too early because we need to deref the sk_pair after the
    backlog worker has been stopped.

    Given all this it seems best to just cache it at the end of the psock
    and eat 8B for the af_unix and vsock users. Notice dgram sockets are
    OK because they handle locking already.

    Fixes: 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
    Signed-off-by: John Fastabend
    Signed-off-by: Daniel Borkmann
    Reviewed-by: Jakub Sitnicki
    Link: https://lore.kernel.org/bpf/20231129012557.95371-2-john.fastabend@gmail.com

 include/linux/skmsg.h | 1 +
 include/net/af_unix.h | 1 +
 net/core/skmsg.c      | 2 ++
 net/unix/af_unix.c    | 2 --
 net/unix/unix_bpf.c   | 5 +++++
 5 files changed, 9 insertions(+), 2 deletions(-)

accumulated error probability: 0.00
culprit signature: 63771c2457143ba437bb71f4941f0c666e5bea45fd5167d36e5d8512e08c182c
parent signature: e2b65e280cb7e1773187e8e37cfe2c36d2d8bae1e7a05896d2eaa1b2c3724e1f
revisions tested: 23, total time: 5h17m15.348777277s (build: 2h12m46.739601794s, test: 2h51m3.584859171s)
first bad commit: 8866730aed5100f06d3d965c22f1c61f74942541 bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
recipients (to): ["daniel@iogearbox.net" "jakub@cloudflare.com" "john.fastabend@gmail.com"]
recipients (cc): []
crash: KASAN: null-ptr-deref Write in unix_stream_bpf_update_proto
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: null-ptr-deref in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: null-ptr-deref in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: null-ptr-deref in sock_hold include/net/sock.h:777 [inline]
BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x56/0x390 net/unix/unix_bpf.c:171
Write of size 4 at addr 0000000000000080 by task syz-executor.0/2809

CPU: 0 PID: 2809 Comm: syz-executor.0 Not tainted 6.7.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x3d/0x60 lib/dump_stack.c:106
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 check_region_inline mm/kasan/generic.c:181 [inline]
 kasan_check_range+0xef/0x190 mm/kasan/generic.c:187
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 sock_hold include/net/sock.h:777 [inline]
 unix_stream_bpf_update_proto+0x56/0x390 net/unix/unix_bpf.c:171
 sock_map_init_proto net/core/sock_map.c:190 [inline]
 sock_map_link+0x39f/0xc30 net/core/sock_map.c:294
 sock_map_update_common+0xad/0x670 net/core/sock_map.c:483
 sock_map_update_elem_sys+0x307/0x3e0 net/core/sock_map.c:577
 map_update_elem kernel/bpf/syscall.c:1526 [inline]
 __sys_bpf+0x2694/0x3e00 kernel/bpf/syscall.c:5371
 __do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
 __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5485
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fc4f62a9ae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc4f5e2c0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fc4f63c8f80 RCX: 00007fc4f62a9ae9
RDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000002
RBP: 00007fc4f62f547a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc4f63c8f80 R15: 00007fff6050bba8
==================================================================