ci2 starts bisection 2025-07-17 11:11:51.055993215 +0000 UTC m=+104.475615510
bisecting fixing commit since 2408a807bfc3f738850ef5ad5e3fd59d66168996
building syzkaller on 429ea00719313e5b518a2093a9f48c79bb7b5f52
ensuring issue is reproducible on original commit 2408a807bfc3f738850ef5ad5e3fd59d66168996
testing commit 2408a807bfc3f738850ef5ad5e3fd59d66168996 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 53a92b79f165aefb858319bd7d4bc1b4fc03e69a537559507a84de9ce2ef7c14
run #0: crashed: KASAN: slab-out-of-bounds Read in crypto_poly1305_update
run #1: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #2: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #3: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #4: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #5: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #6: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #7: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #8: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #9: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #10: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #11: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #12: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #13: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #14: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #15: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #16: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #17: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #18: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #19: crashed: KASAN: use-after-free Read in crypto_poly1305_update
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 2408a807bfc3f738850ef5ad5e3fd59d66168996 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 1b0a2f235693d1ec4add7fd7043c4464b07536b71f9aaeff31334af79c61310d
run #0: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #1: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #2: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #3: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #4: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #5: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #6: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #7: crashed: KASAN: slab-use-after-free Read in crypto_poly1305_update
run #8: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #9: crashed: KASAN: use-after-free Read in crypto_poly1305_update
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=4088 full=8256 leaves diff=2144
split chunks (needed=false): <2144>
split chunk #0 of len 2144 into 5 parts
testing without sub-chunk 1/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 2408a807bfc3f738850ef5ad5e3fd59d66168996 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: f3d803406cd6f92f4be5283eab448dddc09d080caf892c5284e3f7b81b5abd53
all runs: OK
false negative chance: 0.000
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 2408a807bfc3f738850ef5ad5e3fd59d66168996 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 1689b71ba2fedf03e7244da9c002fb20541b70f112f67d5a1843f9b70248e327
run #0: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #1: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #2: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #3: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #4: crashed: KASAN: slab-out-of-bounds Read in crypto_poly1305_update
run #5: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #6: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #7: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #8: crashed: KASAN: use-after-free Read in crypto_poly1305_update
run #9: crashed: KASAN: use-after-free Read in crypto_poly1305_update
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 2408a807bfc3f738850ef5ad5e3fd59d66168996 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 1194ac5422539b62dcde4c86cd66a12a425fbb61afdb6fe134c785192c7dfac4
all runs: crashed: KASAN: use-after-free Read in crypto_poly1305_update
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit
2408a807bfc3f738850ef5ad5e3fd59d66168996 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 40be0bcd61034dd224221dc0216ec3a46fc9e28104678613dcf53e7c5bf3b2d2
all runs: crashed: KASAN: use-after-free Read in crypto_poly1305_update
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit 2408a807bfc3f738850ef5ad5e3fd59d66168996 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 2d068129efce446676ca6bab901efb5fc8481220d552f60d5fd70a4614db38de
all runs: crashed: KASAN: use-after-free Read in crypto_poly1305_update
representative crash: KASAN: use-after-free Read in crypto_poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
minimized to 429 configs; suspects: [...]
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing current HEAD e2291551827fe5d2d3758c435c191d32b6d1350e
testing commit e2291551827fe5d2d3758c435c191d32b6d1350e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 1771b984066ffb481b729e0aa15973c6a3f165f7e1e46cac1ebe72fa2e37cf5c
all runs: OK
false negative chance: 0.000
# git bisect start e2291551827fe5d2d3758c435c191d32b6d1350e 2408a807bfc3f738850ef5ad5e3fd59d66168996
Bisecting: 16400
revisions left to test after this (roughly 14 steps)
[4acf6d4f6afc3478753e49c495132619667549d9] Merge branch 'fix-netdevim-to-correctly-mark-napi-ids'
determine whether the revision contains the guilty commit
revision 2408a807bfc3f738850ef5ad5e3fd59d66168996 crashed and is reachable
testing commit 4acf6d4f6afc3478753e49c495132619667549d9 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 8db0c99ebd44d1dde8b847a47edf58043c4f7e3ad0f08ca68745236b7c613e6b
run #0: crashed: KASAN: slab-use-after-free Read in bch2_checksum
run #1: crashed: invalid opcode in bch2_btree_path_level_init
run #2: crashed: KASAN: slab-use-after-free Read in bch2_checksum
run #3: crashed: KASAN: slab-use-after-free Read in bch2_checksum
run #4: crashed: KASAN: use-after-free Read in bch2_checksum
run #5: crashed: KASAN: use-after-free Read in bch2_checksum
run #6: crashed: KASAN: use-after-free Read in bch2_checksum
run #7: crashed: KASAN: use-after-free Read in bch2_checksum
run #8: crashed: KASAN: use-after-free Read in bch2_checksum
run #9: crashed: KASAN: use-after-free Read in bch2_checksum
representative crash: KASAN: slab-use-after-free Read in bch2_checksum, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 4acf6d4f6afc3478753e49c495132619667549d9
Bisecting: 7826 revisions left to test after this (roughly 13 steps)
[1b98f357dadd6ea613a435fbaef1a5dd7b35fd21] Merge tag 'net-next-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
determine whether the revision contains the guilty commit
revision 4acf6d4f6afc3478753e49c495132619667549d9 crashed and is reachable
testing commit 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: d26f9a05d5799b930879cf2464c9ea61f6f8709816e8abab9d2bbd4c2c7a3749
run #0: crashed: KASAN: use-after-free Read in poly1305_update
run #1: crashed: KASAN: use-after-free Read in poly1305_update
run #2: crashed: invalid opcode in bch2_btree_path_level_init
run #3: crashed: KASAN: use-after-free Read in poly1305_update
run #4: crashed: KASAN: use-after-free Read in poly1305_update
run #5: crashed: KASAN: use-after-free Read in poly1305_update
run #6: crashed: KASAN: use-after-free Read in poly1305_update
run #7: crashed: KASAN: use-after-free Read in poly1305_update
run #8: crashed: KASAN: use-after-free Read in poly1305_update
run #9: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21
Bisecting: 3924 revisions left to test after this (roughly 12 steps)
[549e914c96ae67760f36b9714b424dc992a0a69b] tracing: Add rcu annotation around file->filter accesses
determine whether the revision contains the guilty commit
revision 2408a807bfc3f738850ef5ad5e3fd59d66168996 crashed and is reachable
testing commit 549e914c96ae67760f36b9714b424dc992a0a69b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 439da0c803871471617ec5ca97bca443d7df2ebae2c6c65675b28a29e1a01002
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 549e914c96ae67760f36b9714b424dc992a0a69b
Bisecting: 1962 revisions left to test after this (roughly 11 steps)
[c0c9379f235df33a12ceae94370ad80c5278324d] Merge tag 'usb-6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
determine whether the revision contains the guilty commit
revision 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21 crashed and is reachable
testing commit c0c9379f235df33a12ceae94370ad80c5278324d gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: a09fc8a4cf63c7b4401290e11f0f72958c83f0341e890d2a4c6f784454348208
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good c0c9379f235df33a12ceae94370ad80c5278324d
Bisecting: 980 revisions left to test after this (roughly 10 steps)
[07d45e80960a6f3e51d62104e2083eaa0cda86a6] Merge tag 'aspeed-6.16-fixes-0' of https://git.kernel.org/pub/scm/linux/kernel/git/bmc/linux into arm/fixes
determine whether the revision contains the guilty commit
revision 4acf6d4f6afc3478753e49c495132619667549d9 crashed and is reachable
testing commit 07d45e80960a6f3e51d62104e2083eaa0cda86a6 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 4ab84834dd634f5e9bccfbf85f2c2a51761794c48223948d3a3714dab4d3a604
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 07d45e80960a6f3e51d62104e2083eaa0cda86a6
Bisecting: 490 revisions left to test after this (roughly 9 steps)
[849704b8b2115647e12436e5076b8e7a4944f21a] net: thunderx: avoid direct MTU assignment after WRITE_ONCE()
determine whether the revision contains the guilty commit
revision 549e914c96ae67760f36b9714b424dc992a0a69b crashed and is reachable
testing commit 849704b8b2115647e12436e5076b8e7a4944f21a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 3d47f4d9ce2dc15c7c76dd2fa9d9a587834b7a7f6c7a7a159a267b01cae10342
all runs: OK
false negative chance: 0.000
# git bisect bad 849704b8b2115647e12436e5076b8e7a4944f21a
Bisecting: 247 revisions left to test after this (roughly 8 steps)
[26fd9f7b7ff3794c5de0e6ae538cead53118b4c3] Merge tag 'cxl-fixes-6.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl
determine whether the revision contains the guilty commit
revision 2408a807bfc3f738850ef5ad5e3fd59d66168996 crashed and is reachable
testing commit 26fd9f7b7ff3794c5de0e6ae538cead53118b4c3 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: b3da94e63191a8498cc803ffa9460f0a6cc9debc83434fb6fc5154abf8d6da24
all runs: OK
false negative chance: 0.000
# git bisect bad 26fd9f7b7ff3794c5de0e6ae538cead53118b4c3
Bisecting: 120 revisions left to test after this (roughly 7 steps)
[f02769e7f272d6f42b9767f066c5a99afd2338f3] Merge tag 'devicetree-fixes-for-6.16-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
determine whether the revision contains the guilty commit
revision c0c9379f235df33a12ceae94370ad80c5278324d crashed and is reachable
testing commit f02769e7f272d6f42b9767f066c5a99afd2338f3 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: bdbd3e8c47208b9d65e02e97e337203ce4074238fc6c626bb197f89649c3fd58
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good f02769e7f272d6f42b9767f066c5a99afd2338f3
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[6f2a71a99ebd5dfaa7948a2e9c59eae94b741bd8] Merge tag 'bcachefs-2025-06-26' of git://evilpiepirate.org/bcachefs
determine whether the revision contains the guilty commit
revision 2408a807bfc3f738850ef5ad5e3fd59d66168996 crashed and is reachable
testing commit 6f2a71a99ebd5dfaa7948a2e9c59eae94b741bd8 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 89926877c53108ac15b7a2dc2c1380cc182ccecba51d86a3267bdd0b96b7088d
all runs: OK
false negative chance: 0.000
# git bisect bad 6f2a71a99ebd5dfaa7948a2e9c59eae94b741bd8
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[bbc3a0b17a890aa19bddd0f9b08e8af488f1ec94] bcachefs: fsck: Fix check_directory_structure when no check_dirents
determine whether the revision contains the guilty commit
revision 4acf6d4f6afc3478753e49c495132619667549d9 crashed and is reachable
testing commit bbc3a0b17a890aa19bddd0f9b08e8af488f1ec94 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 57cc980ea70301d0191c99d87ba3dc971f7ce363d1db6bff928be9a26204ff4d
all runs: OK
false negative chance: 0.000
# git bisect bad bbc3a0b17a890aa19bddd0f9b08e8af488f1ec94
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[10dfe4926de30b550913409d107005278ab47911] bcachefs: Kill unused tracepoints
determine whether the revision contains the guilty commit
revision c0c9379f235df33a12ceae94370ad80c5278324d crashed and is reachable
testing commit 10dfe4926de30b550913409d107005278ab47911 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ad4715eb3b998c96c47d5d9bc4df8f5349eb389a178a392c2f051a409d492bf9
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 10dfe4926de30b550913409d107005278ab47911
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[7029cc4d13453499a88f512720d26c1a0c4e957b] bcachefs: fsck: Print path when we find a subvol loop
determine whether the revision contains the guilty commit
revision 2408a807bfc3f738850ef5ad5e3fd59d66168996 crashed and is reachable
testing commit 7029cc4d13453499a88f512720d26c1a0c4e957b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 8171db1b3136ec63c7e9974a9bab63eb053eb7035b07cef5d5644526f7f2d1ce
all runs: OK
false negative chance: 0.000
# git bisect bad 7029cc4d13453499a88f512720d26c1a0c4e957b
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[03208bd06a61bc2ebc423b6485cbcffecd37af36] bcachefs: don't return fsck_fix for unfixable node errors in __btree_err
determine whether the revision contains the guilty commit
revision 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21 crashed and is reachable
testing commit 03208bd06a61bc2ebc423b6485cbcffecd37af36 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e4d5056ee473a3943d85a74e4aeba6b645ae1e7ae3ce3090885d6d0c9ee70a55
all runs: OK
false negative chance: 0.000
# git bisect bad 03208bd06a61bc2ebc423b6485cbcffecd37af36
Bisecting: 1 revision left to test after this (roughly 1 step)
[d89a34b14df5c205de698c23c3950b2b947cdb97] bcachefs: Move bset size check before csum check
determine whether the revision contains the guilty commit
revision 2408a807bfc3f738850ef5ad5e3fd59d66168996 crashed and is reachable
testing commit d89a34b14df5c205de698c23c3950b2b947cdb97 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7af57c1e75f9d232f2f90435a5278d647af7ca6b7be752e309ed49f713eb2e13
all runs: OK
false negative chance: 0.000
# git bisect bad d89a34b14df5c205de698c23c3950b2b947cdb97
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7c9cef5f8bf10a803fd0937ea071a93778f1108a] bcachefs: mark more errors autofix
determine whether the revision contains the guilty commit
revision 10dfe4926de30b550913409d107005278ab47911 crashed and is reachable
testing commit 7c9cef5f8bf10a803fd0937ea071a93778f1108a gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 85fc3c3f8196fd629591bfecdf2a0461f5efc0e114aefe7682b5267ee7bc8024
all runs: crashed: KASAN: use-after-free Read in poly1305_update
representative crash: KASAN: use-after-free Read in poly1305_update, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 7c9cef5f8bf10a803fd0937ea071a93778f1108a
d89a34b14df5c205de698c23c3950b2b947cdb97 is the first bad commit
commit d89a34b14df5c205de698c23c3950b2b947cdb97
Author: Alan Huang
Date: Sat Jun 14 17:18:07 2025 +0800

    bcachefs: Move bset size check before csum check

    In syzbot's crash, the bset's u64s is larger than the btree node.

    Reported-by: syzbot+bfaeaa8e26281970158d@syzkaller.appspotmail.com
    Signed-off-by: Alan Huang
    Signed-off-by: Kent Overstreet

 fs/bcachefs/btree_io.c | 42 ++++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

accumulated error probability: 0.00
culprit signature: 7af57c1e75f9d232f2f90435a5278d647af7ca6b7be752e309ed49f713eb2e13
parent signature: 85fc3c3f8196fd629591bfecdf2a0461f5efc0e114aefe7682b5267ee7bc8024
revisions tested: 23, total time: 9h36m47.095065729s (build: 2h39m24.440383438s, test: 2h56m57.891483343s)
first good commit: d89a34b14df5c205de698c23c3950b2b947cdb97 bcachefs: Move bset size check before csum check
recipients (to): ["kent.overstreet@linux.dev" "mmpgouride@gmail.com"]
recipients (cc): []