ci2 starts bisection 2024-04-14 08:42:27.965448069 +0000 UTC m=+151516.244227671
bisecting fixing commit since a9567a35d0b87f17387ee2a86f6092aa6c1c85d0
building syzkaller on ebcad15ccd9a570d2e16081b7b07b288462b7b91
ensuring issue is reproducible on original commit a9567a35d0b87f17387ee2a86f6092aa6c1c85d0
testing commit a9567a35d0b87f17387ee2a86f6092aa6c1c85d0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e47e24f8c77be4f7c81133c134d613c494e3b306867f57e7027b8c0df90e182c
all runs: crashed: general protection fault in skb_segment
representative crash: general protection fault in skb_segment, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit a9567a35d0b87f17387ee2a86f6092aa6c1c85d0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4f0f19d56b0acf842b0a6658926e7fcc7c223a4784e598e60b206c62c2cfd17d
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=5179 full=6490 leaves diff=254
split chunks (needed=false): <254>
split chunk #0 of len 254 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit a9567a35d0b87f17387ee2a86f6092aa6c1c85d0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f50995b5da59b802852810b4269799d146c7c23fad5f67d081f31414377436a7
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit a9567a35d0b87f17387ee2a86f6092aa6c1c85d0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2398bcde955a02477cdf1b8d5f61406a2d216b4c461db2eed67b88eb5d24ae93
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit a9567a35d0b87f17387ee2a86f6092aa6c1c85d0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 070a700dd3d795bf0fc47103c55dfcabda12d0659070b51171b6ea77e1db87d1
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit a9567a35d0b87f17387ee2a86f6092aa6c1c85d0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 20e08e8d24f019a4910d91c7a8ea56a2d1692a6437e5f4086eddcfd561d3dde9
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit a9567a35d0b87f17387ee2a86f6092aa6c1c85d0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building a9567a35d0b87f17387ee2a86f6092aa6c1c85d0: net/socket.c:1242: undefined reference to `wext_handle_ioctl'
net/socket.c:3437: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD cfa154389a656247d15205f7e01a0b10912183bd
testing commit cfa154389a656247d15205f7e01a0b10912183bd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b2c07854b714fdebb90242950483ac02e61a040c062eb6757107910ba5019e89
all runs: OK
false negative chance: 0.000
# git bisect start cfa154389a656247d15205f7e01a0b10912183bd a9567a35d0b87f17387ee2a86f6092aa6c1c85d0
Bisecting: 1556 revisions left to test after this (roughly 11 steps)
[686cc4de099fdb3b3935896e21583803bad0fbf0] mm: fix oops when filemap_map_pmd() without prealloc_pte
determine whether the revision contains the guilty commit
checking the merge base 082280fe94a09462c727fb6e7b0c982efb36dede
no existing result, test the revision
testing commit 082280fe94a09462c727fb6e7b0c982efb36dede gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1d1afafa9882ce8a3ebb97602c35564a99ee4bb9d42a8c75ad43518f998f2db2
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
testing commit 686cc4de099fdb3b3935896e21583803bad0fbf0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4ffd18946a162a3d7467545f48c684ee02bc0194289d6edcce6f27263cc11116
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 686cc4de099fdb3b3935896e21583803bad0fbf0
Bisecting: 778 revisions left to test after this (roughly 10 steps)
[45d8d80cdaa261dee46b680777566d743bd02254] arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK
determine whether the revision contains the guilty commit
revision 686cc4de099fdb3b3935896e21583803bad0fbf0 crashed and is reachable
testing commit 45d8d80cdaa261dee46b680777566d743bd02254 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0b25cc91a46748c7d4ad288f4c3a83e72719569262cfe831a24a50141df9391b
all runs: OK
false negative chance: 0.000
# git bisect bad 45d8d80cdaa261dee46b680777566d743bd02254
Bisecting: 388 revisions left to test after this (roughly 9 steps)
[e7b04372179e2f4d1693787c8d06a4b8de5f0d0c] spi: Constify spi parameters of chip select APIs
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit e7b04372179e2f4d1693787c8d06a4b8de5f0d0c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cd8a83aea509352983680bd35955b2bed494aeb09f83ec49349e2ed46c6941df
all runs: OK
false negative chance: 0.000
# git bisect bad e7b04372179e2f4d1693787c8d06a4b8de5f0d0c
Bisecting: 194 revisions left to test after this (roughly 8 steps)
[0f5de95fa266163a44c32bb7e5ad562725d04d3b] net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit 0f5de95fa266163a44c32bb7e5ad562725d04d3b gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 990aef3118047d8cc93e031d068c19d29c61516694f47a5282e4a677e71e5600
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 0f5de95fa266163a44c32bb7e5ad562725d04d3b
Bisecting: 97 revisions left to test after this (roughly 7 steps)
[a413b88cdb69cdd7922d6481fead43e52be19710] loop: deprecate autoloading callback loop_probe()
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit a413b88cdb69cdd7922d6481fead43e52be19710 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eac4ac10347b8221c6224d8b708a59be9386a01bb702c98b4210c8a6f129b723
all runs: OK
false negative chance: 0.000
# git bisect bad a413b88cdb69cdd7922d6481fead43e52be19710
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[ec350809cd98ba01878e1b43831250207d5ce301] wifi: cfg80211: Add my certificate
determine whether the revision contains the guilty commit
revision 686cc4de099fdb3b3935896e21583803bad0fbf0 crashed and is reachable
testing commit ec350809cd98ba01878e1b43831250207d5ce301 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: caa820d60426b98b8275ed9ef50cf45d77e8e3fb748fd24ab3a394910e04421a
all runs: OK
false negative chance: 0.000
# git bisect bad ec350809cd98ba01878e1b43831250207d5ce301
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[9b4c95a63e2dfe5ea73d92fb82ec34c3efa76284] afs: Fix use-after-free due to get/remove race in volume tree
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit 9b4c95a63e2dfe5ea73d92fb82ec34c3efa76284 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 336d3ec1290321da80e5aeda382fd87103f71db16e700734822b9edc5f501022
all runs: OK
false negative chance: 0.000
# git bisect bad 9b4c95a63e2dfe5ea73d92fb82ec34c3efa76284
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[6707baabe432116b9ca2e1f0cf96092fe2fac40a] net: sched: ife: fix potential use-after-free
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit 6707baabe432116b9ca2e1f0cf96092fe2fac40a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 449e32626cb38595c57fc0151d30dd02e119b1aff3b3452e3fca4bfaa35989fb
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 6707baabe432116b9ca2e1f0cf96092fe2fac40a
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[a70c2dd74198492e36862faf9db4c6157a069ce2] net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
determine whether the revision contains the guilty commit
revision 6707baabe432116b9ca2e1f0cf96092fe2fac40a crashed and is reachable
testing commit a70c2dd74198492e36862faf9db4c6157a069ce2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1696976f5bd1952c65187daf25faf58ede1c8a05c8655e453d879422e066b0fd
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good a70c2dd74198492e36862faf9db4c6157a069ce2
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[3e617c7e39eb6e605f86d5e726476ebd002d9ddf] net: check dev->gso_max_size in gso_features_check()
determine whether the revision contains the guilty commit
revision 6707baabe432116b9ca2e1f0cf96092fe2fac40a crashed and is reachable
testing commit 3e617c7e39eb6e605f86d5e726476ebd002d9ddf gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 32d25d4753f3d745c274d845df710c87c3b02ad52db9d241a868c54986254adb
all runs: OK
false negative chance: 0.000
# git bisect bad 3e617c7e39eb6e605f86d5e726476ebd002d9ddf
Bisecting: 0 revisions left to test after this (roughly 1 step)
[087b96adc694d2cb54cb387c67fc585cf68397c1] afs: Fix dynamic root lookup DNS check
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit 087b96adc694d2cb54cb387c67fc585cf68397c1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 47c49ff84390dfcc83206ef3f0403bc5a51428d21717ba311fd95d482db0556e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in skb_segment
representative crash: BUG: unable to handle kernel NULL pointer dereference in skb_segment, types: [UNKNOWN]
# git bisect good 087b96adc694d2cb54cb387c67fc585cf68397c1
3e617c7e39eb6e605f86d5e726476ebd002d9ddf is the first bad commit
commit 3e617c7e39eb6e605f86d5e726476ebd002d9ddf
Author: Eric Dumazet
Date: Tue Dec 19 12:53:31 2023 +0000

    net: check dev->gso_max_size in gso_features_check()

    [ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]

    Some drivers might misbehave if TSO packets get too big.

    GVE for instance uses a 16bit field in its TX descriptor, and will do bad things if a packet is bigger than 2^16 bytes.

    Linux TCP stack honors dev->gso_max_size, but there are other ways for too big packets to reach an ndo_start_xmit() handler : virtio_net, af_packet, GRO...

    Add a generic check in gso_features_check() and fallback to GSO when needed.

    gso_max_size was added in the blamed commit.

    Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size")
    Signed-off-by: Eric Dumazet
    Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com
    Signed-off-by: Paolo Abeni
    Signed-off-by: Sasha Levin

 net/core/dev.c | 3 +++
 1 file changed, 3 insertions(+)
accumulated error probability: 0.00
culprit signature: 32d25d4753f3d745c274d845df710c87c3b02ad52db9d241a868c54986254adb
parent signature: 47c49ff84390dfcc83206ef3f0403bc5a51428d21717ba311fd95d482db0556e
revisions tested: 19, total time: 4h26m16.239768945s (build: 1h20m25.757134198s, test: 2h58m42.530784914s)
first good commit: 3e617c7e39eb6e605f86d5e726476ebd002d9ddf net: check dev->gso_max_size in gso_features_check()
recipients (to): ["edumazet@google.com" "pabeni@redhat.com" "sashal@kernel.org"]
recipients (cc): []