ci2 starts bisection 2023-11-18 16:26:08.308002102 +0000 UTC m=+425435.416032875 bisecting cause commit starting from 1b639e97b8fc9a60089ded544e103753a0a542a2 building syzkaller on cb976f63e0177b96eb9ce1c631cc5e2c4b4b0759 ensuring issue is reproducible on original commit 1b639e97b8fc9a60089ded544e103753a0a542a2 testing commit 1b639e97b8fc9a60089ded544e103753a0a542a2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ca3420b1e73cc1b06c413cd65193b52a30115331e8acbbc11ac16c698a27cca4 run #0: crashed: general protection fault in hrtimer_try_to_cancel run #1: crashed: general protection fault in hrtimer_try_to_cancel run #2: crashed: general protection fault in hrtimer_try_to_cancel run #3: crashed: general protection fault in hrtimer_try_to_cancel run #4: crashed: general protection fault in hrtimer_try_to_cancel run #5: crashed: general protection fault in hrtimer_try_to_cancel run #6: crashed: general protection fault in hrtimer_try_to_cancel run #7: crashed: general protection fault in hrtimer_try_to_cancel run #8: crashed: general protection fault in hrtimer_try_to_cancel run #9: crashed: general protection fault in hrtimer_try_to_cancel run #10: crashed: general protection fault in hrtimer_try_to_cancel run #11: crashed: general protection fault in hrtimer_try_to_cancel run #12: crashed: general protection fault in hrtimer_try_to_cancel run #13: crashed: general protection fault in hrtimer_try_to_cancel run #14: crashed: general protection fault in hrtimer_try_to_cancel run #15: crashed: general protection fault in hrtimer_try_to_cancel run #16: crashed: general protection fault in hrtimer_try_to_cancel run #17: crashed: no output from test machine run #18: crashed: no output from test machine run #19: crashed: no output from test machine representative crash: general protection fault in hrtimer_try_to_cancel, types: [UNKNOWN] check whether we can drop unnecessary instrumentation disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed testing commit 1b639e97b8fc9a60089ded544e103753a0a542a2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 96f54cb56b190b2b163589935e35195631329e82048d52cafa1a293c82533623 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] the bug reproduces without the instrumentation disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed kconfig minimization: base=5179 full=6485 leaves diff=250 split chunks (needed=false): <250> split chunk #0 of len 250 into 5 parts testing without sub-chunk 1/5 disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed testing commit 1b639e97b8fc9a60089ded544e103753a0a542a2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 251be7129c9c51bdc6ef22430fbc583e736ceb0f26d29ef6f5b7991084275118 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit 1b639e97b8fc9a60089ded544e103753a0a542a2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b7425b0b559ec1f57bb07f92ebf1bdb453c11fb935e219b10eff5ff68fee7af6 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor2832258529" "root@10.128.0.96:./syz-executor2832258529"]: exit status 255 Executing: program /usr/bin/ssh host 10.128.0.96, user root, command sftp OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023 debug1: Reading configuration data /dev/null debug1: Connecting to 10.128.0.96 [10.128.0.96] port 22. debug1: fd 3 clearing O_NONBLOCK debug1: Connection established. debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa_sk type -1 debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: identity file /root/.ssh/id_ed25519_sk type -1 debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /root/.ssh/id_xmss type -1 debug1: identity file /root/.ssh/id_xmss-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2 Connection timed out during banner exchange Connection to 10.128.0.96 port 22 timed out scp: Connection closed run #7: crashed: no output from test machine run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed testing commit 1b639e97b8fc9a60089ded544e103753a0a542a2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 9ff6bb537dfff73d371ac1731fa922dfd0a4e80c97ef9a8c44eaf67cc778d489 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed testing commit 1b639e97b8fc9a60089ded544e103753a0a542a2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 88ca906ae743d34c56ce8804bccd556ba2e619ee3a815b374ac98d7d8ad48c8a run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed testing commit 1b639e97b8fc9a60089ded544e103753a0a542a2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 failed building 1b639e97b8fc9a60089ded544e103753a0a542a2: net/socket.c:1225: undefined reference to `wext_handle_ioctl' net/socket.c:3420: undefined reference to `compat_wext_handle_ioctl' net/core/net-procfs.c:329: undefined reference to `wext_proc_init' net/core/net-procfs.c:345: undefined reference to `wext_proc_exit' minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF] disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed picked [v6.1.43 v6.1.42 v6.1.22 v6.1 v6.0 v5.19 v5.17 v5.15 v5.13 v5.11 v5.9 v5.6 v5.3 v5.0 v4.19] out of 67 release tags testing release v6.1.43 testing commit 52a953d0934b17a88f403b4135eb3cdf83d19f91 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ad7cedcedc13bb7cb9596bdcaeb9ac2d4784e7a055781ca4249d55c3f3e0b6a1 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] testing release v6.1.42 testing commit d2a6dc4eaf6d50ba32a9b39b4c6ec713a92072ab gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d7f308298fe68b562c1fa39d94575e4adf72b0e43fc9086d64d03050b83d0a5f run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] testing release v6.1.22 testing commit 3b29299e5f604550faf3eff811d6cd60b4c6cae6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 28a0c17f4e3dfc68f2c81f813292b59d48b760dfc747bd3a3f2613b6873fa6fb run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] testing release v6.1 testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f7b81564d193d2b30b56f88403a2bc8205e4c8eb868664dbbad5779daf38a56d run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] testing release v6.0 testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ff509f8e0940f94ed76a11cbfd7a41b321f70cd37a94828a0511c2372a6f24a8 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] testing release v5.19 testing commit 3d7cb6b04c3f3115719235cc6866b10326de34cd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 39d09521bc49266a6fb1151074e5fe79c1e4977792c8d92bb26bce6866c9f904 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 283a3a41a704207733ab5ff08800738a17f42c16b41f1f0a12242ecf035597dd all runs: OK false negative chance: 0.000 # git bisect start 3d7cb6b04c3f3115719235cc6866b10326de34cd f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 16314 revisions left to test after this (roughly 14 steps) [a6f844da39af8046798ba5cadf92a0c54da80b26] Merge tag 'v5.18' into rdma.git for-next testing commit a6f844da39af8046798ba5cadf92a0c54da80b26 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ffc6103d0e05de1059ab3a2e2b48a643a8535e4ee3a5c8ed4ef3981c1d69a6e8 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] # git bisect bad a6f844da39af8046798ba5cadf92a0c54da80b26 Bisecting: 8582 revisions left to test after this (roughly 13 steps) [25fd2d41b505d0640bdfe67aa77c549de2d3c18a] selftests: kselftest framework: provide "finished" helper testing commit 25fd2d41b505d0640bdfe67aa77c549de2d3c18a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 48ea64ff56f3f574a26914a92e0c1ec9cd59bda790ba9d931465894119a3d095 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] # git bisect bad 25fd2d41b505d0640bdfe67aa77c549de2d3c18a Bisecting: 3943 revisions left to test after this (roughly 12 steps) [b4bc93bd76d4da32600795cd323c971f00a2e788] Merge tag 'arm-drivers-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit b4bc93bd76d4da32600795cd323c971f00a2e788 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4f4a97452bb51d8e8b1c4c7c3069b410d372a183c7365c3fa108b49a483b4f82 all runs: OK false negative chance: 0.000 # git bisect good b4bc93bd76d4da32600795cd323c971f00a2e788 Bisecting: 1997 revisions left to test after this (roughly 11 steps) [9a225f81f540f65225e4b820e303d40d9e747e78] ice: Support GTP-U and GTP-C offload in switchdev testing commit 9a225f81f540f65225e4b820e303d40d9e747e78 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4dca11f54a5a3b3d089f7a9f1bb084bdd93ea9e7fe036979c3c3fb72e50dc4a6 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] # git bisect bad 9a225f81f540f65225e4b820e303d40d9e747e78 Bisecting: 944 revisions left to test after this (roughly 10 steps) [b96a79253fff1cd2c928b379eadd8c7a6f8055e1] Merge tag 'wireless-next-2022-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next testing commit b96a79253fff1cd2c928b379eadd8c7a6f8055e1 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 206e4b1b73689fab17e9aef667d13522d0764873a05232f286b3d9424dbba817 all runs: OK false negative chance: 0.000 # git bisect good b96a79253fff1cd2c928b379eadd8c7a6f8055e1 Bisecting: 472 revisions left to test after this (roughly 9 steps) [d73dd1275e70023a5a28af558791a64392c60edf] iavf: Add support for 50G/100G in AIM algorithm testing commit d73dd1275e70023a5a28af558791a64392c60edf gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d3e762262d901cb6754951d24ebf854f0cb0b4a81554d0bef36d077de34dbffc all runs: OK false negative chance: 0.000 # git bisect good d73dd1275e70023a5a28af558791a64392c60edf Bisecting: 236 revisions left to test after this (roughly 8 steps) [6dff1574c20b833d702e893caf3592d307be53d4] Merge branch 'mptcp-selftest-refinements-and-a-new-test' testing commit 6dff1574c20b833d702e893caf3592d307be53d4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: da2dd21e40303bc7c37ee04e30e2d8f2f9de9b5b589a5d14b0f8bd3b864557b5 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] # git bisect bad 6dff1574c20b833d702e893caf3592d307be53d4 Bisecting: 114 revisions left to test after this (roughly 7 steps) [4ee508ff78c83c4bf855148f026315fa58c7baf4] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue testing commit 4ee508ff78c83c4bf855148f026315fa58c7baf4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d9e2b9ce9bfa3a6425578a525b8bb4e090a0c9cc5180c4ade4e19abee2a646fa all runs: OK false negative chance: 0.000 # git bisect good 4ee508ff78c83c4bf855148f026315fa58c7baf4 Bisecting: 57 revisions left to test after this (roughly 6 steps) [8fafe702253d50bf90daf324ae86b5ad5ac8a5e1] Bluetooth: mt7921s: support bluetooth reset mechanism testing commit 8fafe702253d50bf90daf324ae86b5ad5ac8a5e1 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4b3d3f1e1c15b2599fbc524f6d641143e93e4d011103c198080bb294e5d9734c all runs: OK false negative chance: 0.000 # git bisect good 8fafe702253d50bf90daf324ae86b5ad5ac8a5e1 Bisecting: 28 revisions left to test after this (roughly 5 steps) [8bbe98bdccef0bb4fe88c666c28a3d4fe51151f7] Merge branch 'fixes for bpf_prog_pack' testing commit 8bbe98bdccef0bb4fe88c666c28a3d4fe51151f7 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4a373eea3a5078b07f25b5d0d30d986db59a4b2c170c0f91ef2e5c993ed6c265 all runs: OK false negative chance: 0.000 # git bisect good 8bbe98bdccef0bb4fe88c666c28a3d4fe51151f7 Bisecting: 14 revisions left to test after this (roughly 4 steps) [2bc0a832fad341a745786ba158e9a32ab1beced6] Merge tag 'for-net-next-2022-03-04' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next testing commit 2bc0a832fad341a745786ba158e9a32ab1beced6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2cda30993187294ecd933ef71d76d22ff81c7f38a71a28ab7e122928b403f296 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel run #8: crashed: no output from test machine run #9: crashed: no output from test machine representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] # git bisect bad 2bc0a832fad341a745786ba158e9a32ab1beced6 Bisecting: 6 revisions left to test after this (roughly 3 steps) [eb3f05179a27b98f99e590bf2164582113f23f7e] Bluetooth: btmtksdio: Fix kernel oops when sdio suspend. testing commit eb3f05179a27b98f99e590bf2164582113f23f7e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b4a984a8727c136ff116535fdfbf6a660806b0e8c399b9987700814e4ace80fa all runs: OK false negative chance: 0.000 # git bisect good eb3f05179a27b98f99e590bf2164582113f23f7e Bisecting: 3 revisions left to test after this (roughly 2 steps) [6dfbe29f45fb0bde29213dbd754a79e8bfc6ecef] Bluetooth: btusb: Add another Realtek 8761BU testing commit 6dfbe29f45fb0bde29213dbd754a79e8bfc6ecef gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d24ad961429f98940fa0c47a91ebc6638b17603d6debddca22f586b101d44559 all runs: OK false negative chance: 0.000 # git bisect good 6dfbe29f45fb0bde29213dbd754a79e8bfc6ecef Bisecting: 1 revision left to test after this (roughly 1 step) [7df5072cc05fd1aab5823bbc465d033cd292fca8] bpf: Small BPF verifier log improvements testing commit 7df5072cc05fd1aab5823bbc465d033cd292fca8 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7b27f4a490c57fe2bcfde4288071fe588094cd2dd02da008a85e6199e4cd6258 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel representative crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel, types: [UNKNOWN] # git bisect bad 7df5072cc05fd1aab5823bbc465d033cd292fca8 Bisecting: 0 revisions left to test after this (roughly 0 steps) [41332d6e3a430adc91e0af115b4261b0d2f116ec] libbpf: Add a check to ensure that page_cnt is non-zero testing commit 41332d6e3a430adc91e0af115b4261b0d2f116ec gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 85e100cdc51238d69c191b06237c5fb6b3590a92c5c02d7cb1387f1c6b9938b7 all runs: OK false negative chance: 0.000 # git bisect good 41332d6e3a430adc91e0af115b4261b0d2f116ec 7df5072cc05fd1aab5823bbc465d033cd292fca8 is the first bad commit commit 7df5072cc05fd1aab5823bbc465d033cd292fca8 Author: Mykola Lysenko Date: Tue Mar 1 14:27:45 2022 -0800 bpf: Small BPF verifier log improvements In particular these include: 1) Remove output of inv for scalars in print_verifier_state 2) Replace inv with scalar in verifier error messages 3) Remove _value suffixes for umin/umax/s32_min/etc (except map_value) 4) Remove output of id=0 5) Remove output of ref_obj_id=0 Signed-off-by: Mykola Lysenko Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220301222745.1667206-1-mykolal@fb.com kernel/bpf/verifier.c | 64 +++--- tools/testing/selftests/bpf/prog_tests/align.c | 218 ++++++++++----------- tools/testing/selftests/bpf/prog_tests/log_buf.c | 4 +- .../selftests/bpf/verifier/atomic_invalid.c | 6 +- tools/testing/selftests/bpf/verifier/bounds.c | 4 +- tools/testing/selftests/bpf/verifier/calls.c | 6 +- tools/testing/selftests/bpf/verifier/ctx.c | 4 +- .../selftests/bpf/verifier/direct_packet_access.c | 2 +- .../selftests/bpf/verifier/helper_access_var_len.c | 6 +- tools/testing/selftests/bpf/verifier/jmp32.c | 16 +- tools/testing/selftests/bpf/verifier/precise.c | 4 +- tools/testing/selftests/bpf/verifier/raw_stack.c | 4 +- .../testing/selftests/bpf/verifier/ref_tracking.c | 6 +- .../selftests/bpf/verifier/search_pruning.c | 2 +- tools/testing/selftests/bpf/verifier/sock.c | 2 +- tools/testing/selftests/bpf/verifier/spill_fill.c | 38 ++-- tools/testing/selftests/bpf/verifier/unpriv.c | 4 +- .../selftests/bpf/verifier/value_illegal_alu.c | 4 +- .../selftests/bpf/verifier/value_ptr_arith.c | 4 +- tools/testing/selftests/bpf/verifier/var_off.c | 2 +- 20 files changed, 203 insertions(+), 197 deletions(-) accumulated error probability: 0.00 culprit signature: 7b27f4a490c57fe2bcfde4288071fe588094cd2dd02da008a85e6199e4cd6258 parent signature: 85e100cdc51238d69c191b06237c5fb6b3590a92c5c02d7cb1387f1c6b9938b7 revisions tested: 28, total time: 6h5m53.970096919s (build: 1h18m9.685099025s, test: 4h35m5.515099766s) first bad commit: 7df5072cc05fd1aab5823bbc465d033cd292fca8 bpf: Small BPF verifier log improvements recipients (to): ["andrii@kernel.org" "daniel@iogearbox.net" "mykolal@fb.com"] recipients (cc): [] crash: BUG: unable to handle kernel NULL pointer dereference in hrtimer_try_to_cancel netlink: 'syz-executor.0': attribute type 27 has an invalid length. bridge0: port 2(bridge_slave_1) entered disabled state bridge0: port 1(bridge_slave_0) entered disabled state BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1110d5067 P4D 1110d5067 PUD 11311c067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 442 Comm: syz-executor.0 Not tainted 5.17.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:__seqprop_raw_spinlock_sequence include/linux/seqlock.h:276 [inline] RIP: 0010:hrtimer_active kernel/time/hrtimer.c:1611 [inline] RIP: 0010:hrtimer_try_to_cancel+0x12/0xb0 kernel/time/hrtimer.c:1328 Code: 00 e8 72 29 01 00 5b 41 5e 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 48 89 e5 41 57 41 56 41 54 53 48 89 fb 48 8b 43 30 <8b> 48 10 f6 c1 01 74 04 f3 90 eb f4 80 7b 38 00 75 25 48 39 58 18 RSP: 0018:ffffc90000faf088 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811323d918 RCX: 0000000000000004 RDX: 000000000000000d RSI: 000061100fc019e9 RDI: ffff88811323d918 RBP: ffffc90000faf0a8 R08: ffff8881132210a0 R09: ffffc90000135000 R10: ffffffff829877c0 R11: 0000000000000001 R12: ffff88811323d800 R13: 000061100fc019e9 R14: ffff888113221000 R15: 0000000000000300 FS: 00007f33911496c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000011311e000 CR4: 00000000003506a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: hrtimer_cancel+0xd/0x20 kernel/time/hrtimer.c:1443 napi_disable+0x54/0x60 net/core/dev.c:6286 veth_napi_del_range drivers/net/veth.c:975 [inline] veth_napi_del drivers/net/veth.c:990 [inline] veth_set_features+0x7a/0xe0 drivers/net/veth.c:1418 __netdev_update_features+0x2a7/0x700 net/core/dev.c:9317 netdev_update_features+0x20/0x90 net/core/dev.c:9391 veth_xdp_set drivers/net/veth.c:1509 [inline] veth_xdp+0x197/0x1d0 drivers/net/veth.c:1522 dev_xdp_install+0x65/0xf0 net/core/dev.c:8711 dev_xdp_attach+0x3c6/0x500 net/core/dev.c:8859 dev_change_xdp_fd+0xd3/0x110 net/core/dev.c:9105 do_setlink+0xfcc/0x1050 net/core/rtnetlink.c:2952 rtnl_group_changelink net/core/rtnetlink.c:3265 [inline] __rtnl_newlink net/core/rtnetlink.c:3421 [inline] rtnl_newlink+0x722/0xb90 net/core/rtnetlink.c:3531 rtnetlink_rcv_msg+0x25f/0x430 net/core/rtnetlink.c:5598 netlink_rcv_skb+0xec/0x120 net/netlink/af_netlink.c:2494 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5616 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x285/0x370 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x387/0x420 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg net/socket.c:725 [inline] ____sys_sendmsg+0x181/0x220 net/socket.c:2413 ___sys_sendmsg+0x278/0x2b0 net/socket.c:2467 __sys_sendmsg net/socket.c:2496 [inline] __do_sys_sendmsg net/socket.c:2505 [inline] __se_sys_sendmsg+0xea/0x120 net/socket.c:2503 __x64_sys_sendmsg+0x18/0x20 net/socket.c:2503 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x563e3109cae9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f33911490c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000563e311bc050 RCX: 0000563e3109cae9 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000005 RBP: 0000563e310e847a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 0000563e311bc050 R15: 00007ffde9b93308 Modules linked in: CR2: 0000000000000010 ---[ end trace 0000000000000000 ]--- RIP: 0010:__seqprop_raw_spinlock_sequence include/linux/seqlock.h:276 [inline] RIP: 0010:hrtimer_active kernel/time/hrtimer.c:1611 [inline] RIP: 0010:hrtimer_try_to_cancel+0x12/0xb0 kernel/time/hrtimer.c:1328 Code: 00 e8 72 29 01 00 5b 41 5e 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 48 89 e5 41 57 41 56 41 54 53 48 89 fb 48 8b 43 30 <8b> 48 10 f6 c1 01 74 04 f3 90 eb f4 80 7b 38 00 75 25 48 39 58 18 RSP: 0018:ffffc90000faf088 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811323d918 RCX: 0000000000000004 RDX: 000000000000000d RSI: 000061100fc019e9 RDI: ffff88811323d918 RBP: ffffc90000faf0a8 R08: ffff8881132210a0 R09: ffffc90000135000 R10: ffffffff829877c0 R11: 0000000000000001 R12: ffff88811323d800 R13: 000061100fc019e9 R14: ffff888113221000 R15: 0000000000000300 FS: 00007f33911496c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000011311e000 CR4: 00000000003506a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 00 e8 add %ch,%al 2: 72 29 jb 0x2d 4: 01 00 add %eax,(%rax) 6: 5b pop %rbx 7: 41 5e pop %r14 9: 5d pop %rbp a: c3 ret b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 12: 00 00 00 15: 0f 1f 00 nopl (%rax) 18: 55 push %rbp 19: 48 89 e5 mov %rsp,%rbp 1c: 41 57 push %r15 1e: 41 56 push %r14 20: 41 54 push %r12 22: 53 push %rbx 23: 48 89 fb mov %rdi,%rbx 26: 48 8b 43 30 mov 0x30(%rbx),%rax * 2a: 8b 48 10 mov 0x10(%rax),%ecx <-- trapping instruction 2d: f6 c1 01 test $0x1,%cl 30: 74 04 je 0x36 32: f3 90 pause 34: eb f4 jmp 0x2a 36: 80 7b 38 00 cmpb $0x0,0x38(%rbx) 3a: 75 25 jne 0x61 3c: 48 39 58 18 cmp %rbx,0x18(%rax)