ci starts bisection 2024-05-20 10:40:40.298862988 +0000 UTC m=+209199.407956161
bisecting cause commit starting from 61307b7be41a1f1039d1d1368810a1d92cb97b44
building syzkaller on c0f1611a36d66bb0bb8e2f294b97fb685bfc5f9c
ensuring issue is reproducible on original commit 61307b7be41a1f1039d1d1368810a1d92cb97b44

testing commit 61307b7be41a1f1039d1d1368810a1d92cb97b44 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 914cd2ea803b31f5ee2fc8b7afd7bb43ae99f4e12b589e55453d0edcad37fd05
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
check whether we can drop unnecessary instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 61307b7be41a1f1039d1d1368810a1d92cb97b44 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 55c9f7660421a4a03dd509917715576bc8fe8741e1516a78b4bce717ae4c071c
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=3976 full=8036 leaves diff=2025
split chunks (needed=false): <2025>
split chunk #0 of len 2025 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit 61307b7be41a1f1039d1d1368810a1d92cb97b44 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c40d25ba2ba942775faee4b3b6b6ca3f29f018b51717350a0a55c92daa15b936
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit 61307b7be41a1f1039d1d1368810a1d92cb97b44 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f57399fdf14db82e83b0001fda1c5aaa6d0be7f0b452651cab7623c831c67f08
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 61307b7be41a1f1039d1d1368810a1d92cb97b44 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aaaf909be9dd7c312480891365d731372fab8ef42bbd63382588a0081de5e07f
all runs: OK
false negative chance: 0.000
testing without sub-chunk 4/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 61307b7be41a1f1039d1d1368810a1d92cb97b44 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fdc1996b9a2e9a48a750b2da9a6163e7b49e9f651c2943488e1c6c5d29995699
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 61307b7be41a1f1039d1d1368810a1d92cb97b44 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2666f075f79afe3259a930cf0a8b89696dd2769962f90d08b3f3d80ae3f22553
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
the chunk can be dropped
minimized to 405 configs; suspects: [AX25 BRIDGE BRIDGE_NETFILTER CAN CFG80211 CHECKPOINT_RESTORE CPU_MITIGATIONS DVB_CORE FB_CORE HAMRADIO HSR INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_USER_ACCESS INPUT_JOYSTICK INPUT_MOUSE IP6_NF_RAW IPV6_MULTIPLE_TABLES IP_NF_RAW IP_SET IP_VS IP_VS_LBLC IP_VS_LBLCR IP_VS_LC IP_VS_MH IP_VS_NFCT IP_VS_NQ IP_VS_OVF IP_VS_PE_SIP IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_PROTO_UDP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS IP_VS_WLC IP_VS_WRR IRQ_BYPASS_MANAGER IRQ_POLL IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TTUSBIR ISDN ISDN_CAPI_MIDDLEWARE JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS KEY_NOTIFICATIONS KSM KVM KVM_AMD KVM_ASYNC_PF KVM_COMMON KVM_COMPAT KVM_GENERIC_DIRTYLOG_READ_PROTECT KVM_GENERIC_HARDWARE_ENABLING KVM_GENERIC_MEMORY_ATTRIBUTES KVM_GENERIC_MMU_NOTIFIER KVM_GENERIC_PRIVATE_MEM KVM_HYPERV KVM_INTEL KVM_INTEL_PROVE_VE KVM_MMIO KVM_PRIVATE_MEM KVM_PROVE_MMU KVM_SW_PROTECTED_VM KVM_VFIO KVM_XEN KVM_XFER_TO_GUEST_WORK L2TP L2TP_ETH L2TP_IP L2TP_V3 LAPB LAPBETHER LDM_PARTITION LEDS_TRIGGER_AUDIO LEGACY_PTYS LIBCRC32C LIBNVDIMM LINEAR_RANGES LLC LLC2 LOGIG940_FF LOGIRUMBLEPAD2_FF LOGO LOGO_LINUX_MONO LOGO_LINUX_VGA16 LPC_ICH LRU_GEN LRU_GEN_ENABLED LRU_GEN_WALKS_MMU LWTUNNEL LWTUNNEL_BPF LZ4HC_COMPRESS LZ4_COMPRESS MAC80211 MAC80211_HAS_RC MAC80211_HWSIM MAC80211_MESH MAC80211_RC_DEFAULT_MINSTREL MAC80211_RC_MINSTREL MACSEC MACVLAN MACVTAP MAC_PARTITION MAPPING_DIRTY_HELPERS MD_RAID0 MD_RAID1 MD_RAID10 MD_RAID456 MEDIA_ANALOG_TV_SUPPORT MEDIA_ATTACH MEDIA_CONTROLLER MEDIA_CONTROLLER_DVB MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_SUPPORT_FILTER MEDIA_TUNER MEDIA_TUNER_MSI001 MEMORY_BALLOON MEMORY_HOTPLUG MEMORY_HOTPLUG_DEFAULT_ONLINE MEMORY_ISOLATION MEMREGION MEMSTICK MEMSTICK_REALTEK_USB MEM_SOFT_DIRTY MFD_CORE MFD_SYSCON MHI_BUS MHI_WWAN_CTRL MHP_MEMMAP_ON_MEMORY MICROCHIP_PHY MINIX_FS MINIX_SUBPARTITION MISC_RTSX MISC_RTSX_USB MISDN MISDN_DSP MISDN_HFCUSB MISDN_L1OIP MITIGATION_SPECTRE_BHI MKISS MLX4_CORE MLX4_INFINIBAND MMC MMC_REALTEK_USB MMC_USHC MMC_VUB300 MMU_NOTIFIER MODULE_SRCVERSION_ALL MODVERSIONS MOST MOUSE_APPLETOUCH MOUSE_BCM5974 MOUSE_PS2 MOUSE_PS2_ALPS MOUSE_PS2_BYD MOUSE_PS2_CYPRESS MOUSE_PS2_FOCALTECH MOUSE_PS2_LIFEBOOK MOUSE_PS2_LOGIPS2PP MOUSE_PS2_SMBUS MOUSE_PS2_SYNAPTICS MOUSE_PS2_SYNAPTICS_SMBUS MOUSE_PS2_TRACKPOINT MOUSE_SYNAPTICS_USB MPLS MPLS_IPTUNNEL MPLS_ROUTING MPTCP MPTCP_IPV6 MRP MTD MTD_BLKDEVS MTD_BLOCK MTD_BLOCK2MTD MTD_CFI_I1 MTD_CFI_I2 MTD_MAP_BANK_WIDTH_1 MTD_MAP_BANK_WIDTH_2 MTD_MAP_BANK_WIDTH_4 MTD_MTDRAM MTD_PHRAM MTD_SLRAM MUSB_PIO_ONLY ND_BTT ND_CLAIM ND_PFN NETDEVSIM NETFILTER_ADVANCED NETFILTER_BPF_LINK NETFILTER_FAMILY_ARP NETFILTER_FAMILY_BRIDGE NETFILTER_NETLINK_ACCT NETFILTER_NETLINK_GLUE_CT NETFILTER_NETLINK_OSF NETFILTER_NETLINK_QUEUE NETFILTER_SYNPROXY NETFILTER_XTABLES_COMPAT NETFILTER_XT_CONNMARK NETFILTER_XT_MATCH_BPF NETFILTER_XT_MATCH_CGROUP NETFILTER_XT_MATCH_CLUSTER NETFILTER_XT_MATCH_COMMENT NETFILTER_XT_MATCH_CONNBYTES NETFILTER_XT_MATCH_CONNLABEL NETFILTER_XT_MATCH_CONNLIMIT NETFILTER_XT_MATCH_CONNMARK NETFILTER_XT_MATCH_CPU NETFILTER_XT_MATCH_DCCP NETFILTER_XT_MATCH_DEVGROUP NETFILTER_XT_MATCH_DSCP NETFILTER_XT_MATCH_ECN NETFILTER_XT_MATCH_ESP NETFILTER_XT_MATCH_HASHLIMIT NETFILTER_XT_MATCH_HELPER NETFILTER_XT_MATCH_HL NETFILTER_XT_MATCH_IPCOMP NETFILTER_XT_MATCH_IPRANGE NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MATCH_L2TP NETFILTER_XT_MATCH_LENGTH NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_MAC NETFILTER_XT_MATCH_MARK NETFILTER_XT_MATCH_MULTIPORT NETFILTER_XT_MATCH_NFACCT NETFILTER_XT_MATCH_OSF NETFILTER_XT_MATCH_OWNER NETFILTER_XT_MATCH_PHYSDEV NETFILTER_XT_MATCH_PKTTYPE NETFILTER_XT_MATCH_QUOTA NETFILTER_XT_MATCH_RATEEST NETFILTER_XT_MATCH_REALM NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_SCTP NETFILTER_XT_MATCH_SOCKET NETFILTER_XT_MATCH_STATISTIC NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_TCPMSS NETFILTER_XT_MATCH_TIME NETFILTER_XT_MATCH_U32 NETFILTER_XT_SET NETFILTER_XT_TARGET_AUDIT NETFILTER_XT_TARGET_CHECKSUM NETFILTER_XT_TARGET_CLASSIFY NETFILTER_XT_TARGET_CONNMARK NETFILTER_XT_TARGET_CT NETFILTER_XT_TARGET_DSCP NETFILTER_XT_TARGET_HL NETFILTER_XT_TARGET_HMARK NETFILTER_XT_TARGET_IDLETIMER NETFILTER_XT_TARGET_LED NETFILTER_XT_TARGET_MARK NETFILTER_XT_TARGET_NETMAP NETFILTER_XT_TARGET_NFQUEUE NETFILTER_XT_TARGET_NOTRACK NETFILTER_XT_TARGET_RATEEST NETFILTER_XT_TARGET_REDIRECT NETFILTER_XT_TARGET_TCPOPTSTRIP NETFILTER_XT_TARGET_TEE NETFILTER_XT_TARGET_TPROXY NETFILTER_XT_TARGET_TRACE NETLABEL NETLINK_DIAG NETROM NET_9P_RDMA NET_ACT_BPF NET_ACT_CONNMARK NET_ACT_CSUM NET_ACT_CT NET_ACT_CTINFO NET_ACT_GATE NET_ACT_IFE NET_ACT_MPLS NET_ACT_NAT NET_ACT_PEDIT NET_ACT_POLICE NET_ACT_SAMPLE NET_ACT_SIMP NET_ACT_SKBEDIT NET_ACT_SKBMOD NET_ACT_TUNNEL_KEY NET_ACT_VLAN NET_CLS_BASIC NET_CLS_BPF NET_CLS_FLOW NET_CLS_FLOWER NET_CLS_FW NET_CLS_MATCHALL NET_CLS_ROUTE4 NET_DEVLINK NET_DROP_MONITOR NET_DSA NET_DSA_TAG_BRCM NET_DSA_TAG_BRCM_COMMON NET_DSA_TAG_BRCM_PREPEND NET_DSA_TAG_MTK NET_DSA_TAG_QCA NET_DSA_TAG_RTL4_A NET_EMATCH_CANID NET_EMATCH_CMP NET_EMATCH_IPSET NET_EMATCH_IPT NET_EMATCH_META NET_EMATCH_NBYTE NET_EMATCH_TEXT NET_EMATCH_U32 NET_FC NET_FOU NET_FOU_IP_TUNNELS NET_IFE NET_IFE_SKBMARK NET_IFE_SKBPRIO NET_IFE_SKBTCINDEX NET_IPGRE NET_IPGRE_BROADCAST NET_IPGRE_DEMUX NET_IPIP NET_IPVTI NET_KEY NET_KEY_MIGRATE NET_L3_MASTER_DEV NET_MPLS_GSO NET_NCSI NET_NSH NET_REDIRECT NET_SCH_CAKE NET_SCH_CBS NET_SCH_CHOKE NET_SCH_CODEL NET_SCH_DRR NET_SCH_ETF NET_SCH_ETS NET_SCH_FQ NET_SCH_FQ_CODEL NET_SCH_FQ_PIE NET_SCH_GRED NET_SCH_HFSC NET_SCH_HHF NET_SCH_HTB NET_SCH_INGRESS NET_SCH_MQPRIO NET_SCH_MQPRIO_LIB NET_SCH_MULTIQ NET_SCH_NETEM NET_SCH_PIE NET_SCH_PLUG NET_SCH_PRIO NET_SCH_QFQ NET_SCH_RED NET_SCH_SFB NET_SCH_SFQ NET_SCH_SKBPRIO NET_SCH_TAPRIO NET_SCH_TBF NET_SCH_TEQL NET_SOCK_MSG NET_SWITCHDEV NET_TC_SKB_EXT NET_TEAM NET_TEAM_MODE_ACTIVEBACKUP NET_TEAM_MODE_BROADCAST NET_TEAM_MODE_LOADBALANCE NET_TEAM_MODE_RANDOM NET_TEAM_MODE_ROUNDROBIN NET_UDP_TUNNEL NET_VRF NFC NFC_DIGITAL NFC_FDP NFC_HCI NFC_MRVL NFC_MRVL_USB NFC_NCI NFC_NCI_UART NFC_PN533 NFC_PN533_USB NFC_PORT100 NFC_SHDLC NFC_SIM NFC_VIRTUAL_NCI NFSD NFSD_BLOCKLAYOUT NFSD_FLEXFILELAYOUT NFSD_PNFS NFSD_SCSILAYOUT NFSD_V3_ACL NFSD_V4 NFSD_V4_2_INTER_SSC NFSD_V4_SECURITY_LABEL NFS_FSCACHE NFS_V4_1 NFS_V4_2 NFS_V4_2_READ_PLUS NFS_V4_2_SSC_HELPER NFS_V4_SECURITY_LABEL NFT_BRIDGE_META NFT_BRIDGE_REJECT NFT_COMPAT NFT_CONNLIMIT NFT_CT NFT_DUP_IPV4 NFT_DUP_IPV6 NFT_DUP_NETDEV NFT_FIB NFT_FIB_INET NFT_FIB_IPV4 NFT_FIB_IPV6 NFT_FIB_NETDEV NFT_FLOW_OFFLOAD NFT_HASH NFT_LIMIT NFT_LOG NFT_MASQ NFT_NAT NFT_NUMGEN NFT_OSF NFT_QUEUE NFT_QUOTA NFT_REDIR NFT_REJECT NFT_REJECT_INET NFT_REJECT_IPV4 NFT_REJECT_IPV6 NFT_REJECT_NETDEV NFT_SOCKET NFT_SYNPROXY NFT_TPROXY NFT_TUNNEL NFT_XFRM NF_CONNTRACK_AMANDA NF_CONNTRACK_BRIDGE NF_CONNTRACK_BROADCAST NF_CONNTRACK_EVENTS NF_CONNTRACK_H323 NF_CONNTRACK_LABELS NF_CONNTRACK_MARK NF_CONNTRACK_NETBIOS_NS NF_CONNTRACK_OVS NF_CONNTRACK_PPTP NF_CONNTRACK_SANE NF_CONNTRACK_TFTP NF_CONNTRACK_TIMEOUT NF_CONNTRACK_TIMESTAMP NF_CONNTRACK_ZONES NF_CT_NETLINK_HELPER NF_CT_NETLINK_TIMEOUT NF_CT_PROTO_DCCP NF_CT_PROTO_GRE NF_CT_PROTO_SCTP NF_CT_PROTO_UDPLITE NF_DUP_IPV4 NF_DUP_IPV6 NF_DUP_NETDEV NF_FLOW_TABLE NF_FLOW_TABLE_INET NF_NAT_AMANDA NF_NAT_H323 NF_TABLES NF_TABLES_BRIDGE NF_TABLES_INET NF_TABLES_IPV4 NF_TABLES_IPV6 NF_TABLES_NETDEV PARTITION_ADVANCED PSAMPLE RC_CORE RC_DEVICES RFKILL SPI USB_GADGET USB_MUSB_HDRC VIDEO_DEV WAN WATCH_QUEUE WIRELESS WLAN WWAN X25 X86_X32_ABI]
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
picked [v6.9 v6.8 v6.7 v6.5 v6.3 v6.1 v5.19 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 32 release tags
testing release v6.9
testing commit a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad80f49b8949da6fa3d6bb9a8cb7cbe40c23c3bbafb8794644ed4acd740755a4
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
testing release v6.8
testing commit e8f897f4afef0031fe618a8e94127a0934896aba gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b44ff74d9f46a4ac571298adbc2c4b78ba054b077c7f65f3ab5fb16974ab946e
all runs: OK
false negative chance: 0.000
# git bisect start a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 e8f897f4afef0031fe618a8e94127a0934896aba
Bisecting: 7604 revisions left to test after this (roughly 13 steps)
[480e035fc4c714fb5536e64ab9db04fedc89e910] Merge tag 'drm-next-2024-03-13' of https://gitlab.freedesktop.org/drm/kernel

testing commit 480e035fc4c714fb5536e64ab9db04fedc89e910 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d20cded9e6b76a48b9df7f8c438235ee616be512404b638f051edb610f49ac43
all runs: OK
false negative chance: 0.000
# git bisect good 480e035fc4c714fb5536e64ab9db04fedc89e910
Bisecting: 3840 revisions left to test after this (roughly 12 steps)
[2ac2b1665d3fbec6ca709dd6ef3ea05f4a51ee4c] Merge tag 'hwlock-v6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux

testing commit 2ac2b1665d3fbec6ca709dd6ef3ea05f4a51ee4c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e5f1b62dc1571d2a8099b1441a7fab27da362e480f642a66914d6448d1443fc6
all runs: boot failed: WARNING: refcount bug in __free_pages_ok
unable to determine the verdict: 0 good runs (wanted 5), for bad wanted 5 in total, got 0
# git bisect skip 2ac2b1665d3fbec6ca709dd6ef3ea05f4a51ee4c
Bisecting: 3840 revisions left to test after this (roughly 12 steps)
[f299ee709fb45036454ca11e90cb2810fe771878] octeontx2-af: avoid off-by-one read from userspace

testing commit f299ee709fb45036454ca11e90cb2810fe771878 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 621f2bf42ab5fafcdc2ae4cdbb57f3fb681516b7921df1a2816244999333f27a
all runs: OK
false negative chance: 0.000
# git bisect good f299ee709fb45036454ca11e90cb2810fe771878
Bisecting: 363 revisions left to test after this (roughly 9 steps)
[4893b8b3ef8db2b182d1a1bebf6c7acf91405000] hsr: Simplify code for announcing HSR nodes timer setup

testing commit 4893b8b3ef8db2b182d1a1bebf6c7acf91405000 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0edef9fd90c37c194bcc15df208e681ea335328cc67cf0093d6d00a547ef5597
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
# git bisect bad 4893b8b3ef8db2b182d1a1bebf6c7acf91405000
Bisecting: 179 revisions left to test after this (roughly 8 steps)
[d43df69f3879f32fcc08d92ec47bff86ae0fcfaa] Merge tag '6.9-rc5-cifs-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6

testing commit d43df69f3879f32fcc08d92ec47bff86ae0fcfaa gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 677c082888a943cb4332a719dc3d5f716c92fc3e6e5ab51b8576a967c24982d6
all runs: OK
false negative chance: 0.000
# git bisect good d43df69f3879f32fcc08d92ec47bff86ae0fcfaa
Bisecting: 88 revisions left to test after this (roughly 7 steps)
[0106679839f7c69632b3b9833c3268c316c0a9fc] Merge tag 'regulator-fix-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

testing commit 0106679839f7c69632b3b9833c3268c316c0a9fc gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d65b83074507ee2d184a47dfe2f68f915060d7594a0925343c783e276fa7cc2d
all runs: OK
false negative chance: 0.000
# git bisect good 0106679839f7c69632b3b9833c3268c316c0a9fc
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[5ef31ea5d053a8f493a772ebad3f3ce82c35d845] net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb

testing commit 5ef31ea5d053a8f493a772ebad3f3ce82c35d845 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e997f0b31909a6907d70d884bb5c6db6952b0ef05339ede84c7610b99dd31ee6
all runs: OK
false negative chance: 0.000
# git bisect good 5ef31ea5d053a8f493a772ebad3f3ce82c35d845
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[f2d859045ec148ba12d26637c1ea50f16828916f] Merge tag 'for-net-2024-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

testing commit f2d859045ec148ba12d26637c1ea50f16828916f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 596cd6ef2fd76c848955ef345eaa81698466a84e460cc3338ec735c24ef19e97
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
# git bisect bad f2d859045ec148ba12d26637c1ea50f16828916f
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[10f9f426ac6e752c8d87bf4346930ba347aaabac] Bluetooth: msft: fix slab-use-after-free in msft_do_close()

testing commit 10f9f426ac6e752c8d87bf4346930ba347aaabac gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 94c972ccf91eb4239573ffdad415d497efbb61a3c64bb5faafa2702f5744b4db
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
# git bisect bad 10f9f426ac6e752c8d87bf4346930ba347aaabac
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[545c494465d24b10a4370545ba213c0916f70b95] Merge tag 'net-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

testing commit 545c494465d24b10a4370545ba213c0916f70b95 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 045746a6601fd885f18bfb4e880d33956687cd94de62ac0effa394c9fa5b22a3
all runs: OK
false negative chance: 0.000
# git bisect good 545c494465d24b10a4370545ba213c0916f70b95
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[483bc08181827fc475643272ffb69c533007e546] Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

testing commit 483bc08181827fc475643272ffb69c533007e546 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ce9f65c5d2c89f32db107cb953627692237325b4dfb3140011902132efd7bee0
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
# git bisect bad 483bc08181827fc475643272ffb69c533007e546
Bisecting: 1 revision left to test after this (roughly 1 step)
[94062790aedb505bdda209b10bea47b294d6394f] tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

testing commit 94062790aedb505bdda209b10bea47b294d6394f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c31238b3056ddb2a54f411c313376c9db3dfbf658b2f5ca9d2b90147fe5659c5
all runs: crashed: WARNING in __inet_accept
representative crash: WARNING in __inet_accept, types: [WARNING]
# git bisect bad 94062790aedb505bdda209b10bea47b294d6394f
94062790aedb505bdda209b10bea47b294d6394f is the first bad commit
commit 94062790aedb505bdda209b10bea47b294d6394f
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed May 1 12:54:48 2024 +0000

    tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
    
    TCP_SYN_RECV state is really special, it is only used by
    cross-syn connections, mostly used by fuzzers.
    
    In the following crash [1], syzbot managed to trigger a divide
    by zero in tcp_rcv_space_adjust()
    
    A socket makes the following state transitions,
    without ever calling tcp_init_transfer(),
    meaning tcp_init_buffer_space() is also not called.
    
             TCP_CLOSE
    connect()
             TCP_SYN_SENT
             TCP_SYN_RECV
    shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
             TCP_FIN_WAIT1
    
    To fix this issue, change tcp_shutdown() to not
    perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
    which makes no sense anyway.
    
    When tcp_rcv_state_process() later changes socket state
    from TCP_SYN_RECV to TCP_ESTABLISH, then look at
    sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
    and send a FIN packet from a sane socket state.
    
    This means tcp_send_fin() can now be called from BH
    context, and must use GFP_ATOMIC allocations.
    
    [1]
    divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
    CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
     RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
    Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
    RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
    RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
    RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
    R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
    R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
    FS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
    Call Trace:
     <TASK>
      tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
      tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
      inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
      sock_recvmsg_nosec net/socket.c:1046 [inline]
      sock_recvmsg+0x109/0x280 net/socket.c:1068
      ____sys_recvmsg+0x1db/0x470 net/socket.c:2803
      ___sys_recvmsg net/socket.c:2845 [inline]
      do_recvmmsg+0x474/0xae0 net/socket.c:2939
      __sys_recvmmsg net/socket.c:3018 [inline]
      __do_sys_recvmmsg net/socket.c:3041 [inline]
      __se_sys_recvmmsg net/socket.c:3034 [inline]
      __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7faeb6363db9
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
    RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
    RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
    R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Link: https://lore.kernel.org/r/20240501125448.896529-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

 net/ipv4/tcp.c        | 4 ++--
 net/ipv4/tcp_input.c  | 2 ++
 net/ipv4/tcp_output.c | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

accumulated error probability: 0.00
culprit signature: c31238b3056ddb2a54f411c313376c9db3dfbf658b2f5ca9d2b90147fe5659c5
parent  signature: 045746a6601fd885f18bfb4e880d33956687cd94de62ac0effa394c9fa5b22a3
revisions tested: 21, total time: 4h13m22.730454923s (build: 2h1m47.462671095s, test: 1h59m9.026823266s)
first bad commit: 94062790aedb505bdda209b10bea47b294d6394f tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
recipients (to): ["edumazet@google.com" "kuba@kernel.org" "ncardwell@google.com"]
recipients (cc): []
crash: WARNING in __inet_accept
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3101 at net/ipv4/af_inet.c:761 __inet_accept+0xef/0x200 net/ipv4/af_inet.c:759
Modules linked in:
CPU: 1 PID: 3101 Comm: syz-executor.0 Not tainted 6.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:__inet_accept+0xef/0x200 net/ipv4/af_inet.c:759
Code: 3d 19 ff 48 89 ef e8 d0 89 5e 00 c7 03 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 62 85 aa fe 90 <0f> 0b 90 e9 5f ff ff ff e8 54 85 aa fe 90 0f 0b 90 eb 89 f3 0f 1e
RSP: 0018:ffffc90001f53d70 EFLAGS: 00010293
RAX: ffffffff828f881e RBX: ffff8881162e8000 RCX: ffff888105b93680
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff828f8775 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881162e9600
R13: ffffffff8336dca0 R14: ffff888109fd1980 R15: ffff8881162e9600
FS:  00007ff7b9ace6c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 0000000106fe6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 inet_accept+0x78/0xc0 net/ipv4/af_inet.c:786
 do_accept+0x269/0x310 net/socket.c:1929
 __sys_accept4_file net/socket.c:1969 [inline]
 __sys_accept4+0x9b/0x110 net/socket.c:1999
 __do_sys_accept net/socket.c:2016 [inline]
 __se_sys_accept net/socket.c:2013 [inline]
 __x64_sys_accept+0x1f/0x30 net/socket.c:2013
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xe2/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff7b9f4bee9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff7b9ace0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 00007ff7ba07af80 RCX: 00007ff7b9f4bee9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ff7b9f9849e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007ff7ba07af80 R15: 00007ffc27d82988
 </TASK>