ci starts bisection 2025-07-16 08:24:43.755893741 +0000 UTC m=+122.783589251 bisecting cause commit starting from 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 building syzkaller on 03fcfc4b7385b545a89a3fc62bef4e1ec7532e0d fetch other tags and check if the commit is present ensuring issue is reproducible on original commit 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 testing commit 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: fc831e3bf5636cb0da81ccd71df1a12497a821252abda4adea3bc4ba007d4414 run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #10: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #11: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #12: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #13: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #14: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #15: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #16: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] check whether we can drop unnecessary instrumentation disabling configs for [locking atomic_sleep hang 
memleak ubsan bug_or_warning], they are not needed testing commit 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 259217769add8203e754b546b0c208f6a91acf4262ee5dd17b3d935ef27121e2 run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: OK run #7: OK run #8: OK run #9: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] the bug reproduces without the instrumentation disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed kconfig minimization: base=4095 full=8524 leaves diff=2188 split chunks (needed=false): <2188> split chunk #0 of len 2188 into 5 parts testing without sub-chunk 1/5 disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 5254330c17f99c5c29a47f9c3b351a0d9ed1d96f31d8a9c986685e22944d47e7 run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing 
without sub-chunk 2/5 disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 83d6ad422bf302c2bf620b1d96656851b204da995df77f74ce638adfa7d18839 run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #10: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #11: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #12: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #13: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #14: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #15: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #16: OK run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed testing commit 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 
48a6ce43ed124975810b0600dbf8b3ea8744e45ae99f6267772175ff189b323c run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] testing without sub-chunk 4/5 disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed testing commit 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 3855a77aa135eb71bb6afd8f40f30022c9f9564a9fa64f07b931780d39a117db run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #10: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: 
[KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing commit 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 71e691e1d4aa26b57a0de236c0b653aa480488976d2b82e1670bfafdd74e9b63 run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #10: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #11: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #12: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: crashed: KASAN: slab-use-after-free Read in mas_next_slot representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped minimized to 438 configs; suspects: [AX25 BRIDGE BRIDGE_NETFILTER CAN CFG80211 CHECKPOINT_RESTORE DVB_CORE FB_CORE HAMRADIO HID_LOGITECH HSR INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_USER_ACCESS INPUT_JOYSTICK INPUT_MOUSE IP6_NF_RAW IPV6_MULTIPLE_TABLES IPV6_TUNNEL IPV6_VTI IPVLAN IPVLAN_L3S IPVTAP IP_FIB_TRIE_STATS IP_MROUTE_MULTIPLE_TABLES IP_NF_ARPFILTER IP_NF_ARPTABLES IP_NF_ARP_MANGLE IP_NF_MATCH_AH IP_NF_MATCH_ECN 
IP_NF_MATCH_RPFILTER IP_NF_MATCH_TTL IP_NF_RAW IP_NF_SECURITY IP_NF_TARGET_ECN IP_NF_TARGET_NETMAP IP_NF_TARGET_REDIRECT IP_NF_TARGET_SYNPROXY IP_NF_TARGET_TTL IP_ROUTE_CLASSID IP_SET IP_SET_BITMAP_IP IP_SET_BITMAP_IPMAC IP_SET_BITMAP_PORT IP_SET_HASH_IP IP_SET_HASH_IPMAC IP_SET_HASH_IPMARK IP_SET_HASH_IPPORT IP_SET_HASH_IPPORTIP IP_SET_HASH_IPPORTNET IP_SET_HASH_MAC IP_SET_HASH_NET IP_SET_HASH_NETIFACE IP_SET_HASH_NETNET IP_SET_HASH_NETPORT IP_SET_HASH_NETPORTNET IP_SET_LIST_SET IP_VS IP_VS_DH IP_VS_FO IP_VS_FTP IP_VS_IPV6 IP_VS_LBLC IP_VS_LBLCR IP_VS_LC IP_VS_MH IP_VS_NFCT IP_VS_NQ IP_VS_OVF IP_VS_PE_SIP IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_PROTO_TCP IP_VS_PROTO_UDP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS IP_VS_WLC IP_VS_WRR IRQ_BYPASS_MANAGER IRQ_MSI_LIB IRQ_POLL IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_IMON_RAW IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TOY IR_TTUSBIR ISDN ISDN_CAPI JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_PXRC JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS KEY_NOTIFICATIONS KSM KVM KVM_AMD KVM_ASYNC_PF KVM_COMMON KVM_COMPAT KVM_ELIDE_TLB_FLUSH_IF_YOUNG KVM_GENERIC_DIRTYLOG_READ_PROTECT KVM_GENERIC_HARDWARE_ENABLING KVM_GENERIC_MEMORY_ATTRIBUTES KVM_GENERIC_MMU_NOTIFIER KVM_GENERIC_PRE_FAULT_MEMORY KVM_GENERIC_PRIVATE_MEM KVM_HYPERV KVM_IOAPIC KVM_MMIO KVM_MMU_LOCKLESS_AGING KVM_PRIVATE_MEM KVM_PROVE_MMU KVM_SW_PROTECTED_VM KVM_VFIO KVM_X86 KVM_XEN KVM_XFER_TO_GUEST_WORK L2TP L2TP_ETH L2TP_IP L2TP_V3 LAPB LAPBETHER LDM_PARTITION LEDS_CLASS_MULTICOLOR LEGACY_PTYS LIBNVDIMM LINEAR_RANGES LLC LLC2 LOGIG940_FF LOGIRUMBLEPAD2_FF LOGITECH_FF LOGIWHEELS_FF LOGO LOGO_LINUX_MONO LOGO_LINUX_VGA16 
LPC_ICH LWTUNNEL LWTUNNEL_BPF LZ4HC_COMPRESS LZ4_COMPRESS MAC80211 MAC80211_HAS_RC MAC80211_HWSIM MAC80211_MESH MAC80211_RC_DEFAULT_MINSTREL MAC80211_RC_MINSTREL MACSEC MACVLAN MACVTAP MAC_PARTITION MAPPING_DIRTY_HELPERS MCTP MDIO_MVUSB MD_RAID0 MD_RAID1 MD_RAID10 MD_RAID456 MEDIA_ANALOG_TV_SUPPORT MEDIA_ATTACH MEDIA_CONTROLLER MEDIA_CONTROLLER_DVB MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_SUPPORT_FILTER MEDIA_TUNER MEDIA_TUNER_MSI001 MEMORY_BALLOON MEMORY_HOTPLUG MEMORY_ISOLATION MEMREGION MEMSTICK MEMSTICK_REALTEK_USB MEM_SOFT_DIRTY MFD_CORE MFD_SYSCON MHI_BUS MHI_WWAN_CTRL MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO MHP_MEMMAP_ON_MEMORY MICROCHIP_PHY MINIX_FS MINIX_SUBPARTITION MIN_HEAP MISC_RTSX MISC_RTSX_USB MISDN MISDN_DSP MISDN_HFCUSB MISDN_L1OIP MITIGATION_TSA MKISS MLX4_CORE MLX4_INFINIBAND MMC MMC_REALTEK_USB MMC_USHC MMC_VUB300 MM_ID MODULE_SRCVERSION_ALL MOST MOST_USB_HDM MOUSE_APPLETOUCH MOUSE_BCM5974 MOUSE_PS2 MOUSE_PS2_ALPS MOUSE_PS2_BYD MOUSE_PS2_CYPRESS MOUSE_PS2_FOCALTECH MOUSE_PS2_LIFEBOOK MOUSE_PS2_LOGIPS2PP MOUSE_PS2_SMBUS MOUSE_PS2_SYNAPTICS MOUSE_PS2_SYNAPTICS_SMBUS MOUSE_PS2_TRACKPOINT MOUSE_SYNAPTICS_USB MPLS MPLS_IPTUNNEL MPLS_ROUTING MPTCP MPTCP_IPV6 MRP MTD MTD_BLKDEVS MTD_BLOCK MTD_BLOCK2MTD MTD_CFI_I1 MTD_CFI_I2 MTD_MAP_BANK_WIDTH_1 MTD_MAP_BANK_WIDTH_2 MTD_MAP_BANK_WIDTH_4 MTD_MTDRAM MTD_PHRAM MTD_SLRAM MUSB_PIO_ONLY ND_BTT ND_CLAIM ND_PFN NETDEVSIM NETFILTER_ADVANCED NETFILTER_BPF_LINK NETFILTER_FAMILY_ARP NETFILTER_FAMILY_BRIDGE NETFILTER_NETLINK_ACCT NETFILTER_NETLINK_OSF NETFILTER_NETLINK_QUEUE NETFILTER_SYNPROXY NETFILTER_XTABLES_COMPAT NETFILTER_XT_CONNMARK NETFILTER_XT_MATCH_BPF NETFILTER_XT_MATCH_CGROUP NETFILTER_XT_MATCH_CLUSTER NETFILTER_XT_MATCH_COMMENT NETFILTER_XT_MATCH_CONNBYTES NETFILTER_XT_MATCH_CONNLABEL NETFILTER_XT_MATCH_CONNLIMIT NETFILTER_XT_MATCH_CONNMARK NETFILTER_XT_MATCH_CPU NETFILTER_XT_MATCH_DCCP NETFILTER_XT_MATCH_DEVGROUP NETFILTER_XT_MATCH_DSCP NETFILTER_XT_MATCH_ECN 
NETFILTER_XT_MATCH_ESP NETFILTER_XT_MATCH_HASHLIMIT NETFILTER_XT_MATCH_HELPER NETFILTER_XT_MATCH_HL NETFILTER_XT_MATCH_IPCOMP NETFILTER_XT_MATCH_IPRANGE NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MATCH_L2TP NETFILTER_XT_MATCH_LENGTH NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_MAC NETFILTER_XT_MATCH_MARK NETFILTER_XT_MATCH_MULTIPORT NETFILTER_XT_MATCH_NFACCT NETFILTER_XT_MATCH_OSF NETFILTER_XT_MATCH_OWNER NETFILTER_XT_MATCH_PHYSDEV NETFILTER_XT_MATCH_PKTTYPE NETFILTER_XT_MATCH_QUOTA NETFILTER_XT_MATCH_RATEEST NETFILTER_XT_MATCH_REALM NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_SCTP NETFILTER_XT_MATCH_SOCKET NETFILTER_XT_MATCH_STATISTIC NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_TCPMSS NETFILTER_XT_MATCH_TIME NETFILTER_XT_MATCH_U32 NETFILTER_XT_SET NETFILTER_XT_TARGET_AUDIT NETFILTER_XT_TARGET_CHECKSUM NETFILTER_XT_TARGET_CLASSIFY NETFILTER_XT_TARGET_CONNMARK NETFILTER_XT_TARGET_CT NETFILTER_XT_TARGET_DSCP NETFILTER_XT_TARGET_HL NETFILTER_XT_TARGET_HMARK NETFILTER_XT_TARGET_IDLETIMER NETFILTER_XT_TARGET_LED NETFILTER_XT_TARGET_MARK NETFILTER_XT_TARGET_NETMAP NETFILTER_XT_TARGET_NFQUEUE NETFILTER_XT_TARGET_NOTRACK NETFILTER_XT_TARGET_RATEEST NETFILTER_XT_TARGET_REDIRECT NETFILTER_XT_TARGET_TCPOPTSTRIP NETFILTER_XT_TARGET_TEE NETFILTER_XT_TARGET_TPROXY NETFILTER_XT_TARGET_TRACE NETLABEL NETLINK_DIAG NETROM NET_9P_RDMA NET_ACT_BPF NET_ACT_CONNMARK NET_ACT_CSUM NET_ACT_CT NET_ACT_CTINFO NET_ACT_GATE NET_ACT_IFE NET_ACT_MPLS NET_ACT_NAT NET_ACT_PEDIT NET_ACT_POLICE NET_ACT_SAMPLE NET_ACT_SIMP NET_ACT_SKBEDIT NET_ACT_SKBMOD NET_ACT_TUNNEL_KEY NET_ACT_VLAN NET_CLS_BASIC NET_CLS_BPF NET_CLS_FLOW NET_CLS_FLOWER NET_CLS_FW NET_CLS_MATCHALL NET_CLS_ROUTE4 NET_CRC32C NET_DEVLINK NET_DEVMEM NET_DROP_MONITOR NET_DSA NET_DSA_TAG_BRCM NET_DSA_TAG_BRCM_COMMON NET_DSA_TAG_BRCM_PREPEND NET_DSA_TAG_MTK NET_DSA_TAG_QCA NET_DSA_TAG_RTL4_A NET_EMATCH_CANID NET_EMATCH_CMP NET_EMATCH_IPSET NET_EMATCH_IPT NET_EMATCH_META NET_EMATCH_NBYTE NET_EMATCH_TEXT NET_EMATCH_U32 NET_FC NET_FOU 
NET_FOU_IP_TUNNELS NET_IFE NET_IFE_SKBMARK NET_IFE_SKBPRIO NET_IFE_SKBTCINDEX NET_IPGRE NET_IPGRE_BROADCAST NET_IPGRE_DEMUX NET_IPIP NET_IPVTI NET_KEY NET_KEY_MIGRATE NET_L3_MASTER_DEV NET_MPLS_GSO NET_NCSI NET_NSH NET_REDIRECT NET_SCH_CAKE NET_SCH_CBS NET_SCH_CHOKE NET_SCH_CODEL NET_SCH_DRR NET_SCH_ETF NET_SCH_ETS NET_SCH_FQ NET_SCH_FQ_CODEL NET_SCH_FQ_PIE NET_SCH_GRED NET_SCH_HFSC NET_SCH_HHF NET_SCH_HTB NET_SCH_INGRESS NET_SCH_MQPRIO NET_SCH_MQPRIO_LIB NET_SCH_MULTIQ NET_SCH_NETEM NET_SCH_PIE NET_SCH_PLUG NET_SCH_PRIO NET_SCH_QFQ NET_SCH_RED NET_SCH_SFB NET_SCH_SFQ NET_SCH_SKBPRIO NET_SCH_TAPRIO NET_SCH_TBF NET_SCH_TEQL NET_SHAPER NET_SOCK_MSG NET_SWITCHDEV NET_TC_SKB_EXT NET_TEAM NET_TEAM_MODE_ACTIVEBACKUP NET_TEAM_MODE_BROADCAST NET_TEAM_MODE_LOADBALANCE NET_TEAM_MODE_RANDOM NET_TEAM_MODE_ROUNDROBIN NET_UDP_TUNNEL NET_VRF NFC NFC_DIGITAL NFC_FDP NFC_HCI NFC_MRVL NFC_MRVL_USB NFC_NCI NFC_NCI_UART NFC_PN533 NFC_PN533_USB NFC_PORT100 NFC_SHDLC NFC_SIM NFC_VIRTUAL_NCI NFSD NFSD_BLOCKLAYOUT NFSD_FLEXFILELAYOUT NFSD_PNFS NFSD_SCSILAYOUT NFSD_V3_ACL NFSD_V4 NFSD_V4_2_INTER_SSC NFSD_V4_SECURITY_LABEL NFS_FSCACHE NFS_V4_1 NFS_V4_2 NFS_V4_2_READ_PLUS NFS_V4_2_SSC_HELPER NFS_V4_SECURITY_LABEL NFT_BRIDGE_META NFT_BRIDGE_REJECT NFT_COMPAT NFT_COMPAT_ARP NFT_CONNLIMIT NFT_CT NFT_DUP_IPV4 NFT_DUP_IPV6 NFT_DUP_NETDEV NFT_FIB NFT_FIB_INET NFT_FIB_IPV4 NFT_FIB_IPV6 NFT_FIB_NETDEV NFT_FLOW_OFFLOAD NFT_HASH NFT_LIMIT NFT_LOG NFT_MASQ NFT_NAT NFT_NUMGEN NFT_OSF NFT_QUEUE NFT_QUOTA NFT_REDIR NFT_REJECT NFT_REJECT_INET NFT_REJECT_IPV4 NFT_REJECT_IPV6 NFT_REJECT_NETDEV NFT_SOCKET NFT_SYNPROXY NFT_TPROXY NFT_TUNNEL NFT_XFRM NF_CONNTRACK_AMANDA NF_CONNTRACK_BRIDGE NF_CONNTRACK_BROADCAST NF_CONNTRACK_EVENTS NF_CONNTRACK_H323 NF_CONNTRACK_LABELS NF_CONNTRACK_MARK NF_CONNTRACK_NETBIOS_NS NF_CONNTRACK_OVS NF_CONNTRACK_PPTP NF_FLOW_TABLE NF_TABLES NF_TABLES_ARP NF_TABLES_BRIDGE NF_TABLES_INET NF_TABLES_IPV4 NF_TABLES_IPV6 NF_TABLES_NETDEV PAGE_POOL PARTITION_ADVANCED PSAMPLE RC_CORE 
RC_DEVICES RFKILL SPI USB_GADGET USB_MUSB_HDRC VIDEO_DEV WAN WATCH_QUEUE WIRELESS WLAN WWAN X25] disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags testing release v6.15 testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: af89a5187e94219e890a0a26877b0530121fec80057edcc7e848ba48ebced617 all runs: OK false negative chance: 0.000 # git bisect start 0be23810e32e6d0a17df7c0ebad895ba2c210fc4 0ff41df1cb268fc69e703a08a57ee14ae967d0ca Bisecting: 12487 revisions left to test after this (roughly 14 steps) [a184bb1e71a0e45201316a39fb564688d11d2d52] Merge branch 'netlink-specs-fix-all-the-yamllint-errors' testing commit a184bb1e71a0e45201316a39fb564688d11d2d52 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 764ec2597997da95ee9b6da2c6d8138ffb6cafdc39e65494a3fa9bccc873b24e all runs: OK false negative chance: 0.000 # git bisect good a184bb1e71a0e45201316a39fb564688d11d2d52 Bisecting: 6174 revisions left to test after this (roughly 13 steps) [ddb92dd540b4502b1caaece6bbbba25e8bac33a2] Merge branch 'next' of git://linuxtv.org/media-ci/media-pending.git testing commit ddb92dd540b4502b1caaece6bbbba25e8bac33a2 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 3cb4363a9a45641da6ad419b944ead8ac6ffb335a0cbfc1e7ef7a16b5ee7d268 run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: 
KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: OK run #10: OK run #11: OK run #12: OK run #13: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #14: OK run #15: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #16: OK run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad ddb92dd540b4502b1caaece6bbbba25e8bac33a2 Bisecting: 3156 revisions left to test after this (roughly 12 steps) [2fb268097d68d2a3e6e4062db6ccc86d7b5f6914] Merge branch 'i2c/i2c-host-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux.git testing commit 2fb268097d68d2a3e6e4062db6ccc86d7b5f6914 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 7baace4a642975699f0df56e1d3b13b3586ef508bfc9753e578d90f1ac1c32c9 all runs: OK false negative chance: 0.000 # git bisect good 2fb268097d68d2a3e6e4062db6ccc86d7b5f6914 Bisecting: 1573 revisions left to test after this (roughly 11 steps) [49345478f70de2dfe90ab21fe858f8a832867cf1] Merge branch 'clk-next' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux.git testing commit 49345478f70de2dfe90ab21fe858f8a832867cf1 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 8cd8bcbb26b7b8e7cd78d4d7d0cce8ab15ce86c14339b16ec519108ff2ca8797 run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read 
in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad 49345478f70de2dfe90ab21fe858f8a832867cf1 Bisecting: 802 revisions left to test after this (roughly 10 steps) [c19c14acfba9f506766635c6879914290095ac98] Merge branch 'at91-next' of git://git.kernel.org/pub/scm/linux/kernel/git/at91/linux.git testing commit c19c14acfba9f506766635c6879914290095ac98 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 1f700da96f0079f54545b9b01b8149d71b20991700cc196b2057ce988f0118cd run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: OK run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad c19c14acfba9f506766635c6879914290095ac98 Bisecting: 407 revisions left to test after this (roughly 9 steps) [9084cebb0f38e67969dc4a6a45c68271e4d1a34c] Merge branch 'mm-nonmm-unstable' of 
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm testing commit 9084cebb0f38e67969dc4a6a45c68271e4d1a34c gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: b5be43ae9a4ea893c35abaf00a71f530d2474e933f3c0e03d43a2358432ab6bb run #0: infra problem: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc0069313b0 0xc0069314a0 0xc006931540] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]} run #1: infra problem: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc005b05860 0xc005b05950 0xc005b059f0] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]} run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #10: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad 9084cebb0f38e67969dc4a6a45c68271e4d1a34c Bisecting: 185 revisions left to test after this (roughly 8 steps) [afe9bdf308518964d2fdf8540b56c0228a70cfab] mm/zsmalloc: make PageZsmalloc() sticky until the page is freed 
testing commit afe9bdf308518964d2fdf8540b56c0228a70cfab gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: ec2d019ab9728c49435abbed16ac4ed9fdfbb5b50cafab7d08af6582ec75ee96 all runs: OK false negative chance: 0.000 # git bisect good afe9bdf308518964d2fdf8540b56c0228a70cfab Bisecting: 92 revisions left to test after this (roughly 7 steps) [42f8be983a4f32558e9ba2489ad0d25e5908dd19] mm/shmem, swap: simplify swapin path and result handling testing commit 42f8be983a4f32558e9ba2489ad0d25e5908dd19 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 5662b20e750fbd71f0d1274c89ac08c5d9dcd2ef46f28631870132e0982ccd8b run #0: ignore: lost connection to test machine run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK false negative chance: 0.000 # git bisect good 42f8be983a4f32558e9ba2489ad0d25e5908dd19 Bisecting: 46 revisions left to test after this (roughly 6 steps) [468bf7f9fb276703cd53d7a64846ad31064702cf] panic: add 'panic_sys_info=' setup option for kernel cmdline testing commit 468bf7f9fb276703cd53d7a64846ad31064702cf gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 5f5932cb84c149311beb1b508d35b5ccf849e21f1eee9d3d5f3ab64a8ecdf736 all runs: OK false negative chance: 0.000 # git bisect good 468bf7f9fb276703cd53d7a64846ad31064702cf Bisecting: 21 revisions left to test after this (roughly 5 steps) [47c4876e7862d8bc71c91537d0136369aa357b05] Merge branch 'mm-unstable' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm testing commit 47c4876e7862d8bc71c91537d0136369aa357b05 gcc compiler: Debian clang version 20.1.7 
(++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: ae096042cab9b91496985509b71859a32e66ce5e170a02c447ce8ef21e1d44f3 run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #7: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #10: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad 47c4876e7862d8bc71c91537d0136369aa357b05 Bisecting: 12 revisions left to test after this (roughly 4 steps) [ef69a41567549aa8ba7deb350ab1f3f55011591d] mm/mremap: permit mremap() move of multiple VMAs testing commit ef69a41567549aa8ba7deb350ab1f3f55011591d gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: ef91ec33e4116cf897825c97f6b4f679849f46ce4591b70b18fdc373bb996ada run #0: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #1: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #2: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #3: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #4: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #5: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #6: crashed: KASAN: 
slab-use-after-free Read in mas_next_slot run #7: OK run #8: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #9: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: crashed: KASAN: slab-use-after-free Read in mas_next_slot run #19: OK representative crash: KASAN: slab-use-after-free Read in mas_next_slot, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad ef69a41567549aa8ba7deb350ab1f3f55011591d Bisecting: 5 revisions left to test after this (roughly 3 steps) [4ba5d97ead86203fb30dbe4c34194ac74949af53] mm/mremap: put VMA check and prep logic into helper function testing commit 4ba5d97ead86203fb30dbe4c34194ac74949af53 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 23c4cdc3b928f70185a542c289dc0ce88ce0873a097fcd13a69aa9ce46f94fcc all runs: OK false negative chance: 0.000 # git bisect good 4ba5d97ead86203fb30dbe4c34194ac74949af53 Bisecting: 2 revisions left to test after this (roughly 2 steps) [680e69e07d569215e992137a66265fdca06f04b2] mm/mremap: check remap conditions earlier testing commit 680e69e07d569215e992137a66265fdca06f04b2 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 859e2b1ff9669a38fef8d3716241eb508f5b38b99754d9e9c760168dbad496fc all runs: OK false negative chance: 0.000 # git bisect good 680e69e07d569215e992137a66265fdca06f04b2 Bisecting: 0 revisions left to test after this (roughly 1 step) [5a4813c89fbd62ed6140546975ef4c4224c12240] mm/mremap: clean up mlock populate behaviour testing commit 5a4813c89fbd62ed6140546975ef4c4224c12240 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: cfc30fe0d7d48d4500743b0539cd920b37ec34baed1eadf1d5325500395afabb all runs: OK false negative 
chance: 0.000
# git bisect good 5a4813c89fbd62ed6140546975ef4c4224c12240
ef69a41567549aa8ba7deb350ab1f3f55011591d is the first bad commit
commit ef69a41567549aa8ba7deb350ab1f3f55011591d
Author: Lorenzo Stoakes
Date:   Fri Jul 11 12:38:23 2025 +0100

    mm/mremap: permit mremap() move of multiple VMAs

    Historically we've made it a uAPI requirement that mremap() may only operate on a single VMA at a time.

    For instances where VMAs need to be resized, this makes sense, as it becomes very difficult to determine what a user actually wants should they indicate a desire to expand or shrink the size of multiple VMAs (truncate? Adjust sizes individually? Some other strategy?).

    However, in instances where a user is moving VMAs, it is restrictive to disallow this.

    This is especially the case when anonymous mapping remap may or may not be mergeable depending on whether VMAs have or have not been faulted due to anon_vma assignment and folio index alignment with vma->vm_pgoff.

    Often this can result in surprising impact where a moved region is faulted, then moved back and a user fails to observe a merge from otherwise compatible, adjacent VMAs.

    This change allows such cases to work without the user having to be cognizant of whether a prior mremap() move or other VMA operations has resulted in VMA fragmentation.

    We only permit this for mremap() operations that do NOT change the size of the VMA and DO specify MREMAP_MAYMOVE | MREMAP_FIXED.

    Should no VMA exist in the range, -EFAULT is returned as usual.

    If a VMA move spans a single VMA - then there is no functional change.

    Otherwise, we place additional requirements upon VMAs:

    * They must not have a userfaultfd context associated with them - this requires dropping the lock to notify users, and we want to perform the operation with the mmap write lock held throughout.
* If file-backed, they cannot have a custom get_unmapped_area handler - this might result in MREMAP_FIXED not being honoured, which could result in unexpected positioning of VMAs in the moved region. There may be gaps in the range of VMAs that are moved: X Y X Y <---> <-> <---> <-> |-------| |-----| |-----| |-------| |-----| |-----| | A | | B | | C | ---> | A' | | B' | | C' | |-------| |-----| |-----| |-------| |-----| |-----| addr new_addr The move will preserve the gaps between each VMA. Note that any failures encountered will result in a partial move. Since an mremap() can fail at any time, this might result in only some of the VMAs being moved. Note that failures are very rare and typically require an out of a memory condition or a mapping limit condition to be hit, assuming the VMAs being moved are valid. We don't try to assess ahead of time whether VMAs are valid according to the multi VMA rules, as it would be rather unusual for a user to mix uffd-enabled VMAs and/or VMAs which map unusual driver mappings that specify custom get_unmapped_area() handlers in an aggregate operation. So we optimise for the far, far more likely case of the operation being entirely permissible. In the case of the move of a single VMA, the above conditions are permitted. This makes the behaviour identical for a single VMA as before. 
Link: https://lkml.kernel.org/r/8f41e72b0543953d277e96d5e67a52f287cdbac3.1752232673.git.lorenzo.stoakes@oracle.com Signed-off-by: Lorenzo Stoakes Cc: Al Viro Cc: Christian Brauner Cc: Jan Kara Cc: Jann Horn Cc: Liam Howlett Cc: Peter Xu Cc: Rik van Riel Cc: Vlastimil Babka Signed-off-by: Andrew Morton mm/mremap.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 150 insertions(+), 7 deletions(-) accumulated error probability: 0.00 culprit signature: ef91ec33e4116cf897825c97f6b4f679849f46ce4591b70b18fdc373bb996ada parent signature: cfc30fe0d7d48d4500743b0539cd920b37ec34baed1eadf1d5325500395afabb reproducer is flaky (0.44 repro chance estimate) revisions tested: 22, total time: 10h45m9.487552023s (build: 5h23m19.789004062s, test: 4h37m25.496395374s) first bad commit: ef69a41567549aa8ba7deb350ab1f3f55011591d mm/mremap: permit mremap() move of multiple VMAs recipients (to): ["Liam.Howlett@oracle.com" "akpm@linux-foundation.org" "akpm@linux-foundation.org" "linux-mm@kvack.org" "lorenzo.stoakes@oracle.com" "lorenzo.stoakes@oracle.com"] recipients (cc): ["jannh@google.com" "linux-kernel@vger.kernel.org" "pfalcato@suse.de" "vbabka@suse.cz"] crash: KASAN: slab-use-after-free Read in mas_next_slot ================================================================== BUG: KASAN: slab-use-after-free in ma_dead_node lib/maple_tree.c:575 [inline] BUG: KASAN: slab-use-after-free in mas_rewalk_if_dead lib/maple_tree.c:4415 [inline] BUG: KASAN: slab-use-after-free in mas_next_slot+0x18b/0xb00 lib/maple_tree.c:4697 Read of size 8 at addr ffff888104b28a00 by task syz.2.46/4876 CPU: 0 UID: 0 PID: 4876 Comm: syz.2.46 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: dump_stack_lvl+0x18a/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x230 mm/kasan/report.c:480 kasan_report+0x118/0x150 
mm/kasan/report.c:593 ma_dead_node lib/maple_tree.c:575 [inline] mas_rewalk_if_dead lib/maple_tree.c:4415 [inline] mas_next_slot+0x18b/0xb00 lib/maple_tree.c:4697 mas_find+0x9cc/0xc00 lib/maple_tree.c:6062 vma_find include/linux/mm.h:855 [inline] remap_move mm/mremap.c:1819 [inline] do_mremap mm/mremap.c:1904 [inline] __do_sys_mremap mm/mremap.c:1968 [inline] __se_sys_mremap+0xb09/0xd70 mm/mremap.c:1936 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2fbc2fe929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2fbbd6f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019 RAX: ffffffffffffffda RBX: 00007f2fbc525fa0 RCX: 00007f2fbc2fe929 RDX: 0000000000600002 RSI: 0000000000600002 RDI: 0000200000000000 RBP: 00007f2fbc380b39 R08: 0000200000a00000 R09: 0000000000000000 R10: 0000000000000007 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2fbc525fa0 R15: 00007ffd237a5788 Allocated by task 4876: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4149 [inline] kmem_cache_alloc_bulk_noprof+0x40d/0x640 mm/slub.c:5375 mt_alloc_bulk lib/maple_tree.c:181 [inline] mas_alloc_nodes+0x3ed/0x870 lib/maple_tree.c:1277 mas_node_count_gfp lib/maple_tree.c:1337 [inline] mas_preallocate+0x809/0xd30 lib/maple_tree.c:5537 vma_iter_prealloc mm/vma.h:463 [inline] __split_vma+0x290/0xa20 mm/vma.c:528 vms_gather_munmap_vmas+0x2de/0x1030 mm/vma.c:1359 __mmap_prepare mm/vma.c:2361 [inline] __mmap_region mm/vma.c:2653 [inline] mmap_region+0x715/0x1f70 mm/vma.c:2741 
do_mmap+0xc30/0x10b0 mm/mmap.c:561 vm_mmap_pgoff+0x200/0x3e0 mm/util.c:579 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1330: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2382 [inline] slab_free mm/slub.c:4644 [inline] kmem_cache_free+0x175/0x460 mm/slub.c:4746 rcu_do_batch kernel/rcu/tree.c:2576 [inline] rcu_core+0xbee/0x1530 kernel/rcu/tree.c:2832 handle_softirqs+0x19a/0x500 kernel/softirq.c:579 do_softirq+0xde/0x170 kernel/softirq.c:480 __local_bh_enable_ip+0x6b/0x70 kernel/softirq.c:407 spin_unlock_bh include/linux/spinlock.h:396 [inline] cfg80211_inform_single_bss_data+0xf62/0x18a0 net/wireless/scan.c:2383 cfg80211_inform_bss_data+0x1f0/0x3690 net/wireless/scan.c:3222 cfg80211_inform_bss_frame_data+0x3d5/0x680 net/wireless/scan.c:3313 ieee80211_bss_info_update+0x578/0x7b0 net/mac80211/scan.c:226 ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1573 [inline] ieee80211_ibss_rx_queued_mgmt+0x92d/0x2710 net/mac80211/ibss.c:1600 ieee80211_iface_process_skb net/mac80211/iface.c:1668 [inline] ieee80211_iface_work+0x7c3/0xf20 net/mac80211/iface.c:1722 cfg80211_wiphy_work+0x2e9/0x530 net/wireless/core.c:435 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xa3d/0x1530 kernel/workqueue.c:3321 worker_thread+0xa03/0xeb0 kernel/workqueue.c:3402 kthread+0x66a/0x760 kernel/kthread.c:464 ret_from_fork+0x1b7/0x380 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Last potentially related work creation: kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47 
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548 __call_rcu_common kernel/rcu/tree.c:3094 [inline] call_rcu+0x14a/0x790 kernel/rcu/tree.c:3214 mas_wr_node_store lib/maple_tree.c:3893 [inline] mas_wr_store_entry+0x19c1/0x2960 lib/maple_tree.c:4104 mas_store_prealloc+0xc77/0x1330 lib/maple_tree.c:5510 vma_iter_store_new mm/vma.h:509 [inline] vma_complete+0x419/0xbc0 mm/vma.c:354 __split_vma+0x8df/0xa20 mm/vma.c:568 vms_gather_munmap_vmas+0x2de/0x1030 mm/vma.c:1359 do_vmi_align_munmap+0x246/0x390 mm/vma.c:1527 do_vmi_munmap+0x253/0x2e0 mm/vma.c:1584 do_munmap+0xe1/0x140 mm/mmap.c:1071 mremap_to+0x304/0x7b0 mm/mremap.c:1367 remap_move mm/mremap.c:1861 [inline] do_mremap mm/mremap.c:1904 [inline] __do_sys_mremap mm/mremap.c:1968 [inline] __se_sys_mremap+0xa85/0xd70 mm/mremap.c:1936 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888104b28a00 which belongs to the cache maple_node of size 256 The buggy address is located 0 bytes inside of freed 256-byte region [ffff888104b28a00, ffff888104b28b00) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104b28 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x200000000000040(head|node=0|zone=2) page_type: f5(slab) raw: 0200000000000040 ffff888100091000 ffffea00045e3580 dead000000000002 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0200000000000040 ffff888100091000 ffffea00045e3580 dead000000000002 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0200000000000001 ffffea000412ca01 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype 
Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP), pid 26, tgid 26 (kdevtmpfs), ts 7639518065, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x168/0x1a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x295c/0x2aa0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x26b/0x460 mm/page_alloc.c:5148 alloc_pages_mpol+0xd1/0x330 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2452 [inline] allocate_slab+0x8a/0x350 mm/slub.c:2620 new_slab mm/slub.c:2674 [inline] ___slab_alloc+0x9dc/0x10e0 mm/slub.c:3860 __kmem_cache_alloc_bulk mm/slub.c:5295 [inline] kmem_cache_alloc_bulk_noprof+0x1c7/0x640 mm/slub.c:5367 mt_alloc_bulk lib/maple_tree.c:181 [inline] mas_alloc_nodes+0x3ed/0x870 lib/maple_tree.c:1277 mas_insert+0x38c/0x7c0 lib/maple_tree.c:4325 mas_alloc_cyclic+0x20e/0x630 lib/maple_tree.c:4388 mtree_alloc_cyclic+0x196/0x220 lib/maple_tree.c:6527 simple_offset_add+0xdc/0x190 fs/libfs.c:300 shmem_mknod+0xfa/0x1d0 mm/shmem.c:3871 vfs_mknod+0x37c/0x3c0 fs/namei.c:4244 handle_create drivers/base/devtmpfs.c:233 [inline] handle drivers/base/devtmpfs.c:389 [inline] devtmpfs_work_loop+0x98b/0xcf0 drivers/base/devtmpfs.c:404 devtmpfsd+0x4d/0x50 drivers/base/devtmpfs.c:446 page_owner free stack trace missing Memory state around the buggy address: ffff888104b28900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888104b28980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888104b28a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888104b28a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888104b28b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================