ci starts bisection 2023-10-12 17:25:48.374376381 +0000 UTC m=+8028.783169756
bisecting fixing commit since bd6c11bc43c496cddfc6cf603b5d45365606dbd5
building syzkaller on 8bc9053e88dacf57f5ce550da040d31895eb9626
ensuring issue is reproducible on original commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
testing commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3daa14e95c5ea8ac7ea1cf11b296754971c6721b575b7a4ca7656027596e2130
all runs: crashed: general protection fault in scatterwalk_copychunks
representative crash: general protection fault in scatterwalk_copychunks, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b59aff2429ba91fc49b593e3b43b30a321f92565c37f85a1274e8ae52a6674c2
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=3883 full=7650 leaves diff=2000
split chunks (needed=false): <2000>
split chunk #0 of len 2000 into 5 parts
testing without sub-chunk 1/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 831e52d0f4cb16a17e86ca417700c561d293f364be49436655374dc4288d3f96
all runs: OK
false negative chance: 0.000
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c78240e66cd2680dff2b9ccc41ea5bcc9989c4d42e04e0bf2c5dfcde252c1210
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 68d69435df9c7f3084381a1fe76abbe097c916bd91bb8ba6ea99884478098845
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aa293757a60ceff83613e72330a16ecbef3d5feca0fba57e2875436c015127d3
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature:
6671edf4c6956ba6b32dfd0fb2d5f66391bb7fa6c3059b6e132c6e50d12dc32c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the chunk can be dropped
minimized to 400 configs
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing current HEAD 2f0968a030f2a5dd4897a0151c8395bf5babe5b0
testing commit 2f0968a030f2a5dd4897a0151c8395bf5babe5b0
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 10a8e37adf74e5e098faa1f3279d0dcc47e18aabe383ae3f9eec151640a0a596
all runs: OK
false negative chance: 0.000
# git bisect start 2f0968a030f2a5dd4897a0151c8395bf5babe5b0 bd6c11bc43c496cddfc6cf603b5d45365606dbd5
Bisecting: 5655 revisions left to test after this (roughly 13 steps)
[51e7accbe8ab51476fbe55fbb5616c12fb3a0beb] Merge tag 'usb-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
determine whether the revision contains the guilty commit
revision bd6c11bc43c496cddfc6cf603b5d45365606dbd5 crashed and is reachable
testing commit 51e7accbe8ab51476fbe55fbb5616c12fb3a0beb
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e87ebbe0bbe52469f83f85b52afdc71fb5e7f38bb175f5b2fafd490d548663e3
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect good 51e7accbe8ab51476fbe55fbb5616c12fb3a0beb
Bisecting: 2817 revisions left to test after this (roughly 12 steps)
[0c02183427b4d2002992f26d4917c1263c5d4a7f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
determine whether the revision contains the guilty commit
revision bd6c11bc43c496cddfc6cf603b5d45365606dbd5 crashed and is reachable
testing commit 0c02183427b4d2002992f26d4917c1263c5d4a7f
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 36952d58649963d1c0d2f754e2f8e5f9ac6b5811af78f618b05289ce2ad9ab7a
all runs:
crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect good 0c02183427b4d2002992f26d4917c1263c5d4a7f
Bisecting: 1408 revisions left to test after this (roughly 11 steps)
[7accef5353746caf75a70e9d6f2ac257f247bd78] Merge tag 'arm-smmu-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/will/linux into iommu/fixes
determine whether the revision contains the guilty commit
revision bd6c11bc43c496cddfc6cf603b5d45365606dbd5 crashed and is reachable
testing commit 7accef5353746caf75a70e9d6f2ac257f247bd78
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: deb5e710d90cd76ee5850a6035a58e8f4b03fba1acce6a3167a5e46eccc48fab
all runs: OK
false negative chance: 0.000
# git bisect bad 7accef5353746caf75a70e9d6f2ac257f247bd78
Bisecting: 700 revisions left to test after this (roughly 10 steps)
[535a265d7f0dd50d8c3a4f8b4f3a452d56bd160f] Merge tag 'perf-tools-for-v6.6-1-2023-09-05' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools
determine whether the revision contains the guilty commit
revision 0c02183427b4d2002992f26d4917c1263c5d4a7f crashed and is reachable
testing commit 535a265d7f0dd50d8c3a4f8b4f3a452d56bd160f
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d7bd42be6ac722619191e6a0b07bad738976490ac3b58d29027f36845ea33097
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect good 535a265d7f0dd50d8c3a4f8b4f3a452d56bd160f
Bisecting: 369 revisions left to test after this (roughly 9 steps)
[b300c0fdf0045ede109a349aa9c79f81bfae086a] Merge tag 'hwmon-for-v6.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
determine whether the revision contains the guilty commit
revision bd6c11bc43c496cddfc6cf603b5d45365606dbd5 crashed and is reachable
testing commit b300c0fdf0045ede109a349aa9c79f81bfae086a
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f56ebd0d60016c8bfbd2b569fc296a46770151ca630ad87d1c3f8c5dcabcba4c
all runs: OK
false negative chance: 0.000
# git bisect bad b300c0fdf0045ede109a349aa9c79f81bfae086a
Bisecting: 158 revisions left to test after this (roughly 7 steps)
[9608c7b729e29c177525006711966ae0fd399b11] Merge tag 'drm-fixes-2023-09-15' of git://anongit.freedesktop.org/drm/drm
determine whether the revision contains the guilty commit
revision 51e7accbe8ab51476fbe55fbb5616c12fb3a0beb crashed and is reachable
testing commit 9608c7b729e29c177525006711966ae0fd399b11
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b03f2599ef9adb2106ae88690831f8792c15d5cbd31b011e13c380c029100a83
all runs: OK
false negative chance: 0.000
# git bisect bad 9608c7b729e29c177525006711966ae0fd399b11
Bisecting: 88 revisions left to test after this (roughly 7 steps)
[aed8aee11130a954356200afa3f1b8753e8a9482] Merge tag 'pmdomain-v6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm
determine whether the revision contains the guilty commit
revision 51e7accbe8ab51476fbe55fbb5616c12fb3a0beb crashed and is reachable
testing commit aed8aee11130a954356200afa3f1b8753e8a9482
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b390edece92d85bf12401f60a1b1b33a86f76fc38ec5c2bcbacf69c973c6643f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect good aed8aee11130a954356200afa3f1b8753e8a9482
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[9fdfb15a3dbf818e06be514f4abbfc071004cbe7] Merge tag 'net-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
determine whether the revision contains the guilty commit
revision 51e7accbe8ab51476fbe55fbb5616c12fb3a0beb crashed and is reachable
testing commit 9fdfb15a3dbf818e06be514f4abbfc071004cbe7
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c710c56163ce9d4b3752f2e7f94faff66a04289a7b206aaf0c0d6920d1381194
all runs: OK
false negative chance: 0.000
# git bisect bad 9fdfb15a3dbf818e06be514f4abbfc071004cbe7
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[904de9858eb4b48a217bb6e26f43c37d4c52ff36] Merge branch 'sha1105-regressions'
determine whether the revision contains the guilty commit
revision bd6c11bc43c496cddfc6cf603b5d45365606dbd5 crashed and is reachable
testing commit 904de9858eb4b48a217bb6e26f43c37d4c52ff36
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e11188cae77c0ef5ea07d5bfc238eff92ab4c0c06acc6dcd5279717826e1c488
run #0: infra problem: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc002520960 0xc002520a50 0xc002520af0] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}.
run #1: infra problem: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc000720b90 0xc000720e60 0xc000720f00] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}.
run #2: infra problem: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc000add6d0 0xc000add7c0 0xc000add860] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}.
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect good 904de9858eb4b48a217bb6e26f43c37d4c52ff36
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[c48ef9c4aed3632566b57ba66cec6ec78624d4cb] tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address.
determine whether the revision contains the guilty commit
revision 51e7accbe8ab51476fbe55fbb5616c12fb3a0beb crashed and is reachable
testing commit c48ef9c4aed3632566b57ba66cec6ec78624d4cb
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d2628b212437018a97faa2745402ec1a99a200b91837587117cd67c8f2f1e009
run #0: infra problem: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc008de0fa0 0xc008de1090 0xc008de1130] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}.
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect bad c48ef9c4aed3632566b57ba66cec6ec78624d4cb
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[cfaa80c91f6f99b9342b6557f0f0e1143e434066] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
determine whether the revision contains the guilty commit
revision 904de9858eb4b48a217bb6e26f43c37d4c52ff36 crashed and is reachable
testing commit cfaa80c91f6f99b9342b6557f0f0e1143e434066
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ec8c21a7797955097a621841c73f0f617b3665d38cb417d65ceb6e782517e082
all runs: OK
false negative chance: 0.000
# git bisect bad cfaa80c91f6f99b9342b6557f0f0e1143e434066
Bisecting: 2 revisions left to test after this (roughly 1 step)
[c821a88bd720b0046433173185fd841a100d44ad] kcm: Fix memory leak in error path of kcm_sendmsg()
determine whether the revision contains the guilty commit
revision 51e7accbe8ab51476fbe55fbb5616c12fb3a0beb crashed and is reachable
testing commit c821a88bd720b0046433173185fd841a100d44ad
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a59388ea77bc77f14fcf7bdab3a0d63aa7489daa98ff9f3743926b1b9eed37b2
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect good c821a88bd720b0046433173185fd841a100d44ad
Bisecting: 0 revisions left to test after this (roughly 1 step)
[5a124b1fd3e6cb15a943f0cdfe96aa8f6d3d2f39] net: ethernet: mtk_eth_soc: fix pse_port configuration for MT7988
determine whether the revision contains the guilty commit
revision bd6c11bc43c496cddfc6cf603b5d45365606dbd5 crashed and is reachable
testing commit 5a124b1fd3e6cb15a943f0cdfe96aa8f6d3d2f39
gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2ddc0c2dacf699d34f57f4896f5e7d2e1044aa18e9a45646cfacdb2cb7a56e9b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect good 5a124b1fd3e6cb15a943f0cdfe96aa8f6d3d2f39
cfaa80c91f6f99b9342b6557f0f0e1143e434066 is the first bad commit
commit cfaa80c91f6f99b9342b6557f0f0e1143e434066
Author: Liu Jian
Date: Sat Sep 9 16:14:34 2023 +0800

    net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()

    I got the below warning when do fuzzing test:
    BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
    Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9

    CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G OE
    Hardware name: linux,dummy-virt (DT)
    Workqueue: pencrypt_parallel padata_parallel_worker
    Call trace:
     dump_backtrace+0x0/0x420
     show_stack+0x34/0x44
     dump_stack+0x1d0/0x248
     __kasan_report+0x138/0x140
     kasan_report+0x44/0x6c
     __asan_load4+0x94/0xd0
     scatterwalk_copychunks+0x320/0x470
     skcipher_next_slow+0x14c/0x290
     skcipher_walk_next+0x2fc/0x480
     skcipher_walk_first+0x9c/0x110
     skcipher_walk_aead_common+0x380/0x440
     skcipher_walk_aead_encrypt+0x54/0x70
     ccm_encrypt+0x13c/0x4d0
     crypto_aead_encrypt+0x7c/0xfc
     pcrypt_aead_enc+0x28/0x84
     padata_parallel_worker+0xd0/0x2dc
     process_one_work+0x49c/0xbdc
     worker_thread+0x124/0x880
     kthread+0x210/0x260
     ret_from_fork+0x10/0x18

    This is because the value of rec_seq of tls_crypto_info configured by the user program is too large, for example, 0xffffffffffffff. In addition, TLS is asynchronously accelerated. When tls_do_encryption() returns -EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow, skmsg is released before the asynchronous encryption process ends. As a result, the UAF problem occurs during the asynchronous processing of the encryption module.

    If the operation is asynchronous and the encryption module returns EINPROGRESS, do not free the record information.

    Fixes: 635d93981786 ("net/tls: free record only on encryption error")
    Signed-off-by: Liu Jian
    Reviewed-by: Sabrina Dubroca
    Link: https://lore.kernel.org/r/20230909081434.2324940-1-liujian56@huawei.com
    Signed-off-by: Paolo Abeni

net/tls/tls_sw.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
accumulated error probability: 0.00
culprit signature: ec8c21a7797955097a621841c73f0f617b3665d38cb417d65ceb6e782517e082
parent signature: 2ddc0c2dacf699d34f57f4896f5e7d2e1044aa18e9a45646cfacdb2cb7a56e9b
revisions tested: 21, total time: 3h58m19.597097079s (build: 1h52m5.196156975s, test: 1h53m3.963374481s)
first good commit: cfaa80c91f6f99b9342b6557f0f0e1143e434066 net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
recipients (to): ["liujian56@huawei.com" "pabeni@redhat.com" "sd@queasysnail.net"]
recipients (cc): []