ci starts bisection 2025-08-05 01:27:57.553221938 +0000 UTC m=+32441.357432385
bisecting cause commit starting from 5c5a10f0be967a8950a2309ea965bae54251b50e
building syzkaller on 7368264b463a401571d2eb381f50ea2a758e9d05
ensuring issue is reproducible on original commit 5c5a10f0be967a8950a2309ea965bae54251b50e

testing commit 5c5a10f0be967a8950a2309ea965bae54251b50e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: b37d2f606cf09d9237c16893d433473fb60c1bf4da93d85bfcc2235708a33da2
all runs: crashed: BUG: unable to handle kernel paging request in rcuref_put
representative crash: BUG: unable to handle kernel paging request in rcuref_put, types: [MEMORY_SAFETY_BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [ubsan kasan locking atomic_sleep hang memleak], they are not needed
testing commit 5c5a10f0be967a8950a2309ea965bae54251b50e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 652a54b30eb44a9abb44a2492eee60dd752ab1a0bd464397180ccd58916a806b
all runs: crashed: BUG: unable to handle kernel paging request in dst_release
representative crash: BUG: unable to handle kernel paging request in dst_release, types: [MEMORY_SAFETY_BUG]
the bug reproduces without the instrumentation
disabling configs for [ubsan kasan locking atomic_sleep hang memleak], they are not needed
kconfig minimization: base=4095 full=8511 leaves diff=2196
split chunks (needed=false): <2196>
split chunk #0 of len 2196 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed
testing commit 5c5a10f0be967a8950a2309ea965bae54251b50e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 9dda3552cdb65dc995cb536e23a74c667fd058f9d55d176600a5e5964221464e
all runs: crashed: BUG: unable to handle kernel paging request in dst_release
representative crash: BUG: unable to handle kernel paging request in dst_release, types: [MEMORY_SAFETY_BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 5c5a10f0be967a8950a2309ea965bae54251b50e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 27a7df5f1a8a873712a0d64e79f05a90c8face9a8db9c1062430988ed99c53e1
all runs: crashed: BUG: unable to handle kernel paging request in dst_release
representative crash: BUG: unable to handle kernel paging request in dst_release, types: [MEMORY_SAFETY_BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed
testing commit 5c5a10f0be967a8950a2309ea965bae54251b50e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 5d370b0ebdb8a3738eadddf5b60ff139f09b3b821757aa7fee4bd7f4f670e7f1
all runs: crashed: BUG: unable to handle kernel paging request in dst_release
representative crash: BUG: unable to handle kernel paging request in dst_release, types: [MEMORY_SAFETY_BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [atomic_sleep hang memleak ubsan kasan locking], they are not needed
testing commit 5c5a10f0be967a8950a2309ea965bae54251b50e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ca07b3717b2b6a1f78e0ba5ce1599d7c6eb531ce4be01e6bec64248d9eabb1ef
all runs: OK
false negative chance: 0.000
testing without sub-chunk 5/5
disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed
testing commit 5c5a10f0be967a8950a2309ea965bae54251b50e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7cd0dd6dc8ba53c449dfd8a623203902ab67325a163495c4645d9a7c3a32cc02
all runs: crashed: BUG: unable to handle kernel paging request in dst_release
representative crash: BUG: unable to handle kernel paging request in dst_release, types: [MEMORY_SAFETY_BUG]
the chunk can be dropped
minimized to 440 configs; suspects: [AF_RXRPC ARCH_ENABLE_MEMORY_HOTREMOVE ATM AX25 BT BT_BREDR BT_HIDP BXT_WC_PMIC_OPREGION CFG80211 CMA DAX DLM DRM DVB_CORE ENCRYPTED_KEYS EXTCON GENEVE GPIOLIB HAMRADIO HAVE_CLK HID_NINTENDO HID_NVIDIA_SHIELD HID_PLAYSTATION HID_SENSOR_HUB HID_SMARTJOYPLUS HID_STEAM HID_THRUSTMASTER IIO INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_IPOIB INFINIBAND_USER_ACCESS INFINIBAND_VIRT_DMA INPUT_TABLET INPUT_TOUCHSCREEN INTEL_SCU_IPC INTEL_SOC_PMIC_BXTWC IP_SCTP L2TP LEDS_CLASS_MULTICOLOR LIBNVDIMM MAC80211 MEDIA_COMMON_OPTIONS MEDIA_DIGITAL_TV_SUPPORT MEDIA_PLATFORM_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_DLN2 MFD_INTEL_PMC_BXT MFD_MT6360 MFD_MT6370 MFD_RETU MMC MTD MTD_UBI NETFILTER_ADVANCED NETFILTER_CONNCOUNT NET_IPGRE NET_IPGRE_DEMUX NFS_V4_1 NF_CONNTRACK_SNMP NF_NAT_SNMP_BASIC NF_NAT_TFTP NF_SOCKET_IPV4 NF_SOCKET_IPV6 NF_TPROXY_IPV4 NF_TPROXY_IPV6 NILFS2_FS NINTENDO_FF NLMON NLS_CODEPAGE_1250 NLS_CODEPAGE_1251 NLS_CODEPAGE_737 NLS_CODEPAGE_775 NLS_CODEPAGE_850 NLS_CODEPAGE_852 NLS_CODEPAGE_855 NLS_CODEPAGE_857 NLS_CODEPAGE_860 NLS_CODEPAGE_861 NLS_CODEPAGE_862 NLS_CODEPAGE_863 NLS_CODEPAGE_864 NLS_CODEPAGE_865 NLS_CODEPAGE_866 NLS_CODEPAGE_869 NLS_CODEPAGE_874 NLS_CODEPAGE_932 NLS_CODEPAGE_936 NLS_CODEPAGE_949 NLS_CODEPAGE_950 NLS_ISO8859_13 NLS_ISO8859_14 NLS_ISO8859_15 NLS_ISO8859_2 NLS_ISO8859_3 NLS_ISO8859_4 NLS_ISO8859_5 NLS_ISO8859_6 NLS_ISO8859_7 NLS_ISO8859_8 NLS_ISO8859_9 NLS_KOI8_R NLS_KOI8_U NLS_MAC_CELTIC NLS_MAC_CENTEURO NLS_MAC_CROATIAN NLS_MAC_CYRILLIC NLS_MAC_GAELIC NLS_MAC_GREEK NLS_MAC_ICELAND NLS_MAC_INUIT NLS_MAC_ROMAN NLS_MAC_ROMANIAN NLS_MAC_TURKISH NLS_UCS2_UTILS NOZOMI NTFS3_FS NTFS3_FS_POSIX_ACL NTFS3_LZX_XPRESS NULL_TTY NUMA_BALANCING NUMA_BALANCING_DEFAULT_ENABLED NUMA_EMU NUMA_KEEP_MEMINFO NVDIMM_DAX NVDIMM_KEYS NVDIMM_PFN NVIDIA_SHIELD_FF NVME_CORE NVME_FABRICS NVME_FC NVME_MULTIPATH NVME_RDMA NVME_TARGET NVME_TARGET_FC NVME_TARGET_FCLOOP NVME_TARGET_LOOP NVME_TARGET_RDMA NVME_TARGET_TCP NVME_TCP N_GSM N_HDLC OCFS2_DEBUG_FS OCFS2_FS OCFS2_FS_O2CB OCFS2_FS_STATS OCFS2_FS_USERSPACE_CLUSTER OF_GPIO OF_PMEM OMFS_FS OPENVSWITCH OPENVSWITCH_GENEVE OPENVSWITCH_GRE OPENVSWITCH_VXLAN ORANGEFS_FS OSF_PARTITION OVERLAY_FS OVERLAY_FS_DEBUG OVERLAY_FS_INDEX OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW OVERLAY_FS_REDIRECT_DIR PACKET_DIAG PAGE_IDLE_FLAG PAGE_REPORTING PAHOLE_HAS_BTF_TAG PAHOLE_HAS_LANG_EXCLUDE PAHOLE_HAS_SPLIT_BTF PARPORT PARPORT_NOT_PC PARTITION_ADVANCED PCCARD PCCARD_NONSTATIC PCIEAER PCI_ENDPOINT PCI_IOV PCMCIA PCMCIA_LOAD_CIS PERCPU_STATS PERSISTENT_KEYRINGS PHYLINK PHY_CPCAP_USB PHY_QCOM_USB_HS PHY_QCOM_USB_HSIC PHY_SAMSUNG_USB2 PHY_TUSB1210 PKCS7_TEST_KEY PKCS8_PRIVATE_KEY_PARSER PLAYSTATION_FF PLFXLC PMIC_OPREGION PM_CLK PNFS_BLOCK PNFS_FILE_LAYOUT PNFS_FLEXFILE_LAYOUT PPP PPPOATM PPPOE PPPOE_HASH_BITS_1 PPPOL2TP PPP_ASYNC PPP_BSDCOMP PPP_DEFLATE PPP_FILTER PPP_MPPE PPP_MULTILINK PPP_SYNC_TTY PPTP PREEMPT PREEMPT_NOTIFIERS PROC_CHILDREN PSAMPLE PSI PSTORE PSTORE_COMPRESS QCOM_QMI_HELPERS QNX4FS_FS QNX6FS_FS QRTR QRTR_TUN RADIO_ADAPTERS RADIO_SHARK RADIO_SHARK2 RADIO_TEA575X RAID6_PQ RAID_ATTRS RC_ATI_REMOTE RC_CORE RC_DEVICES RC_XBOX_DVD RDMA_RXE RDMA_SIW RDS RDS_RDMA RDS_TCP READ_ONLY_THP_FOR_FS REALTEK_AUTOPM REED_SOLOMON REED_SOLOMON_DEC8 REGMAP REGMAP_I2C REGMAP_IRQ REGMAP_MMIO REGMAP_SPI REGULATOR REGULATOR_FIXED_VOLTAGE REGULATOR_TWL4030 RESET_CONTROLLER RFKILL RFKILL_INPUT RFKILL_LEDS RMI4_2D_SENSOR RMI4_CORE RMI4_F03 RMI4_F03_SERIO RMI4_F11 RMI4_F12 RMI4_F30 RMI4_F3A ROMFS_BACKED_BY_BOTH ROMFS_FS ROMFS_ON_BLOCK ROMFS_ON_MTD ROSE RTC_DRV_HID_SENSOR_TIME RXKAD SCHED_CORE SCREEN_INFO SCSI_FC_ATTRS SCSI_HPSA SCSI_ISCSI_ATTRS SCSI_LOGGING SCSI_NETLINK SCSI_SAS_ATA SCSI_SAS_ATTRS SCSI_SAS_LIBSAS SCSI_SCAN_ASYNC SCSI_SRP_ATTRS SCTP_COOKIE_HMAC_MD5 SCTP_COOKIE_HMAC_SHA1 SCTP_DEFAULT_COOKIE_HMAC_MD5 SECONDARY_TRUSTED_KEYRING SECURITY_INFINIBAND SECURITY_NETWORK_XFRM SENSORS_AQUACOMPUTER_D5NEXT SENSORS_CORSAIR_CPRO SENSORS_CORSAIR_PSU SENSORS_GIGABYTE_WATERFORCE SENSORS_NZXT_KRAKEN2 SENSORS_NZXT_SMART2 SENSORS_POWERZ SERIAL_DEV_BUS SERIAL_DEV_CTRL_TTYPORT SERIAL_MCTRL_GPIO SGI_PARTITION SIGNATURE SIGNED_PE_FILE_VERIFICATION SKB_DECRYPTED SLHC SLIP SLIP_COMPRESSED SLIP_MODE_SLIP6 SLIP_SMART SMARTJOYPLUS_FF SMBFS SMB_SERVER SMC SMC_DIAG SMSC_PHY SMS_SDIO_DRV SMS_SIANO_DEBUGFS SMS_SIANO_MDTV SMS_SIANO_RC SMS_USB_DRV SND SND_ALOOP SND_BCD2000 SND_CTL_FAST_LOOKUP SND_CTL_LED SND_DEBUG SND_DMA_SGBUF SND_DRIVERS SND_DUMMY SND_DYNAMIC_MINORS SND_HDA SND_HDA_CODEC_ALC260 SND_HDA_CODEC_ALC262 SND_HDA_CODEC_ALC268 SND_HDA_CODEC_ALC269 SND_HDA_CODEC_ALC662 SND_HDA_CODEC_ALC680 SND_HDA_CODEC_ALC861 SND_HDA_CODEC_ALC861VD SND_HDA_CODEC_ALC880 SND_HDA_CODEC_ALC882 SND_HDA_CODEC_ANALOG SND_HDA_CODEC_CA0110 SND_HDA_CODEC_CA0132 SND_HDA_CODEC_CIRRUS SND_HDA_CODEC_CMEDIA SND_HDA_CODEC_CONEXANT SND_HDA_CODEC_CS420X SND_HDA_CODEC_CS421X SND_HDA_CODEC_HDMI SND_HDA_CODEC_HDMI_ATI SND_HDA_CODEC_HDMI_GENERIC SND_HDA_CODEC_HDMI_INTEL SND_HDA_CODEC_HDMI_NVIDIA SND_HDA_CODEC_HDMI_NVIDIA_MCP SND_HDA_CODEC_HDMI_SIMPLE SND_HDA_CODEC_HDMI_TEGRA SND_HDA_CODEC_REALTEK SND_HDA_CODEC_REALTEK_LIB SND_HDA_CODEC_SI3054 SND_HDA_CODEC_SIGMATEL SND_HDA_CODEC_VIA SND_HDA_COMPONENT SND_HDA_CORE SND_HDA_GENERIC SND_HDA_GENERIC_LEDS SND_HDA_HWDEP SND_HDA_I915 SND_HDA_INPUT_BEEP SND_HDA_INTEL SND_HDA_PATCH_LOADER SND_HDA_RECONFIG SND_HDA_SCODEC_COMPONENT SND_HRTIMER SND_HWDEP SND_INTEL_DSP_CONFIG SND_INTEL_NHLT SND_INTEL_SOUNDWIRE_ACPI SND_JACK SND_JACK_INPUT_DEV SND_MIXER_OSS SND_OSSEMUL SND_PCI SND_PCM SND_PCMCIA SND_PCM_ELD SND_PCM_OSS SND_PCM_OSS_PLUGINS SND_PCM_TIMER SND_PCM_XRUN_DEBUG SND_PROC_FS SND_RAWMIDI SND_SEQUENCER SND_SEQUENCER_OSS SND_SEQ_DEVICE SND_SEQ_DUMMY SND_SEQ_HRTIMER_DEFAULT SND_SEQ_MIDI SND_SEQ_MIDI_EVENT SND_SEQ_VIRMIDI SND_SOC SND_SOC_I2C_AND_SPI SND_SOC_SDCA_OPTIONAL SND_SUPPORT_OLD_API SND_TIMER SND_UMP SND_UMP_LEGACY_RAWMIDI SND_USB SND_USB_6FIRE SND_USB_AUDIO SND_USB_AUDIO_MIDI_V2 SND_USB_AUDIO_USE_MEDIA_CONTROLLER SND_USB_CAIAQ SND_USB_CAIAQ_INPUT SND_USB_HIFACE SND_USB_LINE6 SND_USB_POD SND_USB_PODHD SND_USB_TONEPORT SND_USB_UA101 SND_USB_US122L SND_USB_USX2Y SND_USB_VARIAX SND_VERBOSE_PROCFS SND_VIRMIDI SND_VIRTIO SND_VMASTER SND_X86 SOCK_VALIDATE_XMIT SOLARIS_X86_PARTITION SONY_FF SOUND SOUNDWIRE SOUND_OSS_CORE SOUND_OSS_CORE_PRECLAIM SPI SPI_DLN2 SPI_DYNAMIC SPI_LJCA SPI_MASTER SQUASHFS SQUASHFS_4K_DEVBLK_SIZE SQUASHFS_COMPILE_DECOMP_MULTI SQUASHFS_DECOMP_MULTI SQUASHFS_FILE_DIRECT SQUASHFS_LZ4 SQUASHFS_LZO SQUASHFS_XATTR SQUASHFS_XZ SQUASHFS_ZLIB SQUASHFS_ZSTD SSB SSB_PCIHOST_POSSIBLE SSB_PCMCIAHOST_POSSIBLE SSB_SDIOHOST_POSSIBLE STEAM_FF STP STREAM_PARSER SUNRPC_BACKCHANNEL SUN_PARTITION SURFACE_AGGREGATOR SURFACE_AGGREGATOR_BUS SURFACE_AGGREGATOR_REGISTRY SURFACE_HID SURFACE_HID_CORE SURFACE_KBD SW_SYNC SYSFB SYSFS_SYSCALL SYSV68_PARTITION TABLET_USB_ACECAD TABLET_USB_AIPTEK TABLET_USB_HANWANG TABLET_USB_KBTAB TABLET_USB_PEGASUS TAHVO_USB TAHVO_USB_HOST_BY_DEFAULT TCG_CRB TCG_TIS TCG_TIS_CORE TCG_TPM TCP_CONG_BBR TCP_CONG_BIC TCP_CONG_CDG TCP_CONG_DCTCP TCP_CONG_HSTCP TCP_CONG_HTCP TCP_CONG_HYBLA TCP_CONG_ILLINOIS TCP_CONG_LP TCP_CONG_NV TCP_CONG_SCALABLE TCP_CONG_VEGAS TCP_CONG_VENO TCP_CONG_WESTWOOD TCP_CONG_YEAH TEE TEXTSEARCH TEXTSEARCH_BM TEXTSEARCH_FSM TEXTSEARCH_KMP THP_SWAP THRUSTMASTER_FF TIPC TIPC_CRYPTO TIPC_DIAG TIPC_MEDIA_IB TIPC_MEDIA_UDP TLS TLS_TOE TMPFS_QUOTA TOOLS_SUPPORT_RELR TOUCHSCREEN_SUR40 TOUCHSCREEN_USB_3M TOUCHSCREEN_USB_COMPOSITE TOUCHSCREEN_USB_DMC_TSC10 TOUCHSCREEN_USB_E2I TOUCHSCREEN_USB_EASYTOUCH TOUCHSCREEN_USB_EGALAX TOUCHSCREEN_USB_ELO TOUCHSCREEN_USB_ETT_TC45USB TOUCHSCREEN_USB_ETURBO TOUCHSCREEN_USB_GENERAL_TOUCH TOUCHSCREEN_USB_GOTOP TOUCHSCREEN_USB_GUNZE TOUCHSCREEN_USB_IDEALTEK TOUCHSCREEN_USB_IRTOUCH TOUCHSCREEN_USB_ITM TOUCHSCREEN_USB_JASTEC TOUCHSCREEN_USB_NEXIO TOUCHSCREEN_USB_PANJIT TOUCHSCREEN_USB_ZYTRONIC TRACEFS_AUTOMOUNT_DEPRECATED TRANSPARENT_HUGEPAGE TRANSPARENT_HUGEPAGE_MADVISE TTPCI_EEPROM TTY_PRINTK TUN_VNET_CROSS_LE TWL4030_CORE TYPEC TYPEC_ANX7411 TYPEC_DP_ALTMODE TYPEC_FUSB302 TYPEC_HD3SS3220 TYPEC_MT6360 TYPEC_MUX_FSA4480 TYPEC_MUX_GPIO_SBU TYPEC_MUX_INTEL_PMC TYPEC_MUX_NB7VPQ904M TYPEC_MUX_PTN36502 TYPEC_MUX_WCD939X_USBSS TYPEC_NVIDIA_ALTMODE TYPEC_RT1711H TYPEC_RT1719 TYPEC_STUSB160X TYPEC_TCPCI TYPEC_TCPCI_MAXIM TYPEC_TCPCI_MT6370 TYPEC_TCPM TYPEC_TPS6598X TYPEC_UCSI TYPEC_WCOVE TYPEC_WUSB3801 UBIFS_ATIME_SUPPORT UBIFS_FS UBIFS_FS_ADVANCED_COMPR UBIFS_FS_LZO UBIFS_FS_SECURITY UBIFS_FS_XATTR UBIFS_FS_ZLIB UBIFS_FS_ZSTD UCSI_ACPI UCSI_CCG UCSI_STM32G0 UDF_FS UDMABUF UFS_FS UFS_FS_WRITE UHID ULTRIX_PARTITION UNICODE UNIXWARE_DISKLABEL UNIX_DIAG USB4 USB4_NET USBIP_CORE USBIP_HOST USBIP_VHCI_HCD USBIP_VUDC USBPCWATCHDOG USB_DWC2 USB_GADGET USB_LJCA USB_MUSB_HDRC USB_ROLE_SWITCH USB_STORAGE_REALTEK USB_ULPI_BUS VIDEO_DEV VXLAN WIRELESS WLAN WLAN_VENDOR_PURELIFI ZONE_DEVICE]
disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed
picked [v6.16 v6.15 v6.14 v6.12 v6.10 v6.8 v6.6 v6.4 v6.1 v5.18 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 39 release tags
testing release v6.16
testing commit 038d61fd642278bab63ee8ef722c50d10ab01e8f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 72b8a438e8561609c69eb236cfe0dde71278583acb70ba43e7b57f59c09d68f8
all runs: OK
false negative chance: 0.000
# git bisect start 5c5a10f0be967a8950a2309ea965bae54251b50e 038d61fd642278bab63ee8ef722c50d10ab01e8f
Bisecting: 6609 revisions left to test after this (roughly 13 steps)
[ae8508b25def57982493c48694ef135973bfabe0] net/sched: taprio: enforce minimum value for picos_per_byte

testing commit ae8508b25def57982493c48694ef135973bfabe0 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 0b1be77bc9ee0bb0ea3f50eadeb3a989e5031cb99d979a7134bd607b43252943
run #0: crashed: BUG: unable to handle kernel paging request in dst_release
run #1: crashed: BUG: unable to handle kernel paging request in dst_release
run #2: crashed: BUG: unable to handle kernel paging request in dst_release
run #3: crashed: BUG: unable to handle kernel paging request in dst_release
run #4: crashed: BUG: unable to handle kernel paging request in dst_release
run #5: crashed: BUG: unable to handle kernel paging request in dst_release
run #6: crashed: BUG: unable to handle kernel paging request in dst_release
run #7: crashed: BUG: unable to handle kernel paging request in dst_release
run #8: crashed: BUG: unable to handle kernel paging request in dst_release
run #9: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor1502185864" "root@10.128.10.3:./syz-executor1502185864"]: exit status 255
Executing: program /usr/bin/ssh host 10.128.10.3, user root, command sftp
OpenSSH_9.2p1 Debian-2+deb12u6, OpenSSL 3.0.16 11 Feb 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.10.3 [10.128.10.3] port 22.
debug1: connect to address 10.128.10.3 port 22: Connection timed out
ssh: connect to host 10.128.10.3 port 22: Connection timed out
scp: Connection closed

representative crash: BUG: unable to handle kernel paging request in dst_release, types: [MEMORY_SAFETY_BUG]
# git bisect bad ae8508b25def57982493c48694ef135973bfabe0
Bisecting: 3255 revisions left to test after this (roughly 12 steps)
[115e74a29b530d121891238e9551c4bcdf7b04b5] Merge tag 'soc-dt-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

testing commit 115e74a29b530d121891238e9551c4bcdf7b04b5 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 488938251a19d68b30d7d45e9c8dfcf974dce94df96880234da230e13627c53c
all runs: OK
false negative chance: 0.000
# git bisect good 115e74a29b530d121891238e9551c4bcdf7b04b5
Bisecting: 1675 revisions left to test after this (roughly 11 steps)
[55c172c13718b93300d3808b65ec326b5287c766] ssb: use new GPIO line value setter callbacks for the second GPIO chip

testing commit 55c172c13718b93300d3808b65ec326b5287c766 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e4463f489f81d67fc86ad22fc1c89b633afaf3ca6e88800b192be0ecd62f4c8c
all runs: OK
false negative chance: 0.000
# git bisect good 55c172c13718b93300d3808b65ec326b5287c766
Bisecting: 838 revisions left to test after this (roughly 10 steps)
[e12ac84acc722f06e8b1be66fbb138c5934aaf54] Merge tag 'x86-kconfig-2025-07-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit e12ac84acc722f06e8b1be66fbb138c5934aaf54 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: a5a661cfc8b2a50c9793c2d3a4b515f789ba233dc476e681454e2ca16a5c44d7
all runs: OK
false negative chance: 0.000
# git bisect good e12ac84acc722f06e8b1be66fbb138c5934aaf54
Bisecting: 472 revisions left to test after this (roughly 9 steps)
[fa582ca7e187a15e772e6a72fe035f649b387a60] dpll: zl3073x: Fix build failure

testing commit fa582ca7e187a15e772e6a72fe035f649b387a60 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: d4563bcf741d8c9fa7e4f89fe6590a818ac8935b642176e624cf93af43746f36
all runs: OK
false negative chance: 0.000
# git bisect good fa582ca7e187a15e772e6a72fe035f649b387a60
Bisecting: 247 revisions left to test after this (roughly 8 steps)
[8be4d31cb8aaeea27bde4b7ddb26e28a89062ebf] Merge tag 'net-next-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next

testing commit 8be4d31cb8aaeea27bde4b7ddb26e28a89062ebf gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 8ffb122a0c1cad58c74840ca8fc746629964ca38278c528df6aef8ef172360b3
all runs: OK
false negative chance: 0.000
# git bisect good 8be4d31cb8aaeea27bde4b7ddb26e28a89062ebf
Bisecting: 123 revisions left to test after this (roughly 7 steps)
[c3b9faac9bd690263e03b78eb78c75cae5ff7509] bpf: avoid jump misprediction for PTR_TO_MEM | PTR_UNTRUSTED

testing commit c3b9faac9bd690263e03b78eb78c75cae5ff7509 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: de9c5280ac846f81ecb9b4856af2ffc159bf884298c5bfbe85f9d7378b6415d6
all runs: OK
false negative chance: 0.000
# git bisect good c3b9faac9bd690263e03b78eb78c75cae5ff7509
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[dc704d0cfa431b5fbaa546941b3b82b4f318cb5f] bpf, arm64: remove structs on stack constraint

testing commit dc704d0cfa431b5fbaa546941b3b82b4f318cb5f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: acd5c81136cf89a6841ccc4b5c94d5ea3059427edd85e3241e0cb638c6c9936e
run #0: basic kernel testing failed: lost connection to test machine
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect good dc704d0cfa431b5fbaa546941b3b82b4f318cb5f
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[5b4c54ac49af7f486806d79e3233fc8a9363961c] bpf: Fix various typos in verifier.c comments

testing commit 5b4c54ac49af7f486806d79e3233fc8a9363961c gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 47661f89055524e37841ca2b2f0e0794016952eb22ba905b16a845e201101665
all runs: OK
false negative chance: 0.000
# git bisect good 5b4c54ac49af7f486806d79e3233fc8a9363961c
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[6fb5ff63b35b7e849cc8510957f25753f87f63d2] phy: mscc: Fix parsing of unicast frames

testing commit 6fb5ff63b35b7e849cc8510957f25753f87f63d2 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: f405a78d16e9c4b1929f93b8a69ec5b652869ddc37ccd1effaa63f97e797de62
all runs: OK
false negative chance: 0.000
# git bisect good 6fb5ff63b35b7e849cc8510957f25753f87f63d2
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[38358fa3cc8e16c6862a3e5c5c233f9f652e3a6d] net: airoha: Fix PPE table access in airoha_ppe_debugfs_foe_show()

testing commit 38358fa3cc8e16c6862a3e5c5c233f9f652e3a6d gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 58f865aa1af6cd94eb3da421f673482aabd03cab33773da5972ddb400ed2200b
all runs: crashed: BUG: unable to handle kernel paging request in dst_release
representative crash: BUG: unable to handle kernel paging request in dst_release, types: [MEMORY_SAFETY_BUG]
# git bisect bad 38358fa3cc8e16c6862a3e5c5c233f9f652e3a6d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[de9c4861fb42f0cd72da844c3c34f692d5895b7b] pptp: ensure minimal skb length in pptp_xmit()

testing commit de9c4861fb42f0cd72da844c3c34f692d5895b7b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 1948cc2106cbb039880aa9f2dc442ea5aef0c861f28362c9950be5aed657ed80
all runs: crashed: BUG: unable to handle kernel paging request in dst_release
representative crash: BUG: unable to handle kernel paging request in dst_release, types: [MEMORY_SAFETY_BUG]
# git bisect bad de9c4861fb42f0cd72da844c3c34f692d5895b7b
Bisecting: 1 revision left to test after this (roughly 1 step)
[57ec5a8735dc5dccd1ee68afdb1114956a3fce0d] net: phy: smsc: add proper reset flags for LAN8710A

testing commit 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 49196c534fbf256166907ace697b67ced6dd2e10dfd541e96eb666c414dd3571
all runs: OK
false negative chance: 0.000
# git bisect good 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3b98c9352511db627b606477fc7944b2fa53a165] net: mdio_bus: Use devm for getting reset GPIO

testing commit 3b98c9352511db627b606477fc7944b2fa53a165 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 8acaaab515d5a4a10dfb9a118aac03c830e133b1d23ae02b25d38db9bbbc60cf
all runs: OK
false negative chance: 0.000
# git bisect good 3b98c9352511db627b606477fc7944b2fa53a165
de9c4861fb42f0cd72da844c3c34f692d5895b7b is the first bad commit
commit de9c4861fb42f0cd72da844c3c34f692d5895b7b
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jul 29 08:02:07 2025 +0000

    pptp: ensure minimal skb length in pptp_xmit()
    
    Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data
    on ppp_sync_txmung") fixed ppp_sync_txmunge()
    
    We need a similar fix in pptp_xmit(), otherwise we might
    read uninit data as reported by syzbot.
    
    BUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193
      pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193
      ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline]
      ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314
      pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379
      sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
      __release_sock+0x1d3/0x330 net/core/sock.c:3213
      release_sock+0x6b/0x270 net/core/sock.c:3767
      pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904
      sock_sendmsg_nosec net/socket.c:712 [inline]
      __sock_sendmsg+0x330/0x3d0 net/socket.c:727
      ____sys_sendmsg+0x893/0xd80 net/socket.c:2566
      ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
      __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+afad90ffc8645324afe5@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/68887d86.a00a0220.b12ec.00cd.GAE@google.com/T/#u
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
    Link: https://patch.msgid.link/20250729080207.1863408-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

 drivers/net/ppp/pptp.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

accumulated error probability: 0.00
culprit signature: 1948cc2106cbb039880aa9f2dc442ea5aef0c861f28362c9950be5aed657ed80
parent  signature: 8acaaab515d5a4a10dfb9a118aac03c830e133b1d23ae02b25d38db9bbbc60cf
revisions tested: 22, total time: 10h5m49.877041226s (build: 6h25m44.928116124s, test: 3h10m12.34457706s)
first bad commit: de9c4861fb42f0cd72da844c3c34f692d5895b7b pptp: ensure minimal skb length in pptp_xmit()
recipients (to): ["dawid.osuchowski@linux.intel.com" "edumazet@google.com" "kuba@kernel.org"]
recipients (cc): []
crash: BUG: unable to handle kernel paging request in dst_release
BUG: unable to handle page fault for address: ffffffffffffffdb
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 384d067 P4D 384d067 PUD 384f067 PMD 0 
Oops: Oops: 0002 [#1] SMP PTI
CPU: 0 UID: 0 PID: 4335 Comm: syz.3.336 Not tainted 6.16.0-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_sub_return_release include/linux/atomic/atomic-arch-fallback.h:846 [inline]
RIP: 0010:atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:327 [inline]
RIP: 0010:__rcuref_put include/linux/rcuref.h:109 [inline]
RIP: 0010:rcuref_put include/linux/rcuref.h:173 [inline]
RIP: 0010:dst_release+0x21/0xc0 net/core/dst.c:167
Code: 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 53 48 85 ff 0f 84 a1 00 00 00 48 89 fb bf 01 00 00 00 e8 a4 f7 d9 fe be ff ff ff ff <f0> 0f c1 73 40 ff ce 78 6f 31 ed bf 01 00 00 00 e8 4a f8 d9 fe 65
RSP: 0018:ffffc90002b27cf0 EFLAGS: 00010202
RAX: 0000000000000203 RBX: ffffffffffffff9b RCX: b18b3c2384fc0b00
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000001
RBP: 000000000001010a R08: 0000000000000000 R09: 000000000a010100
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88810c06b800
R13: ffff88810d823500 R14: ffffc90002b27d20 R15: ffffffffffffff9b
FS:  00007fe2236166c0(0000) GS:ffff8881b71e9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffdb CR3: 000000010e928000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 ip_rt_put include/net/route.h:285 [inline]
 pptp_xmit+0x4ff/0x560 drivers/net/ppp/pptp.c:267
 __ppp_channel_push+0x4b/0xa0 drivers/net/ppp/ppp_generic.c:2166
 ppp_channel_push+0x117/0x1a0 drivers/net/ppp/ppp_generic.c:2198
 ppp_write+0x106/0x160 drivers/net/ppp/ppp_generic.c:544
 vfs_write+0x169/0x4c0 fs/read_write.c:684
 ksys_write+0x74/0xf0 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0x2f0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe22278eb69
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe223616038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fe2229b5fa0 RCX: 00007fe22278eb69
RDX: 0000000000000013 RSI: 00002000000002c0 RDI: 0000000000000004
RBP: 00007fe222811df1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe2229b5fa0 R15: 00007fff87f8dc48
 </TASK>
Modules linked in:
CR2: ffffffffffffffdb
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_sub_return_release include/linux/atomic/atomic-arch-fallback.h:846 [inline]
RIP: 0010:atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:327 [inline]
RIP: 0010:__rcuref_put include/linux/rcuref.h:109 [inline]
RIP: 0010:rcuref_put include/linux/rcuref.h:173 [inline]
RIP: 0010:dst_release+0x21/0xc0 net/core/dst.c:167
Code: 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 53 48 85 ff 0f 84 a1 00 00 00 48 89 fb bf 01 00 00 00 e8 a4 f7 d9 fe be ff ff ff ff <f0> 0f c1 73 40 ff ce 78 6f 31 ed bf 01 00 00 00 e8 4a f8 d9 fe 65
RSP: 0018:ffffc90002b27cf0 EFLAGS: 00010202
RAX: 0000000000000203 RBX: ffffffffffffff9b RCX: b18b3c2384fc0b00
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000001
RBP: 000000000001010a R08: 0000000000000000 R09: 000000000a010100
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88810c06b800
R13: ffff88810d823500 R14: ffffc90002b27d20 R15: ffffffffffffff9b
FS:  00007fe2236166c0(0000) GS:ffff8881b71e9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffdb CR3: 000000010e928000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	f3 0f 1e fa          	endbr64
   d:	55                   	push   %rbp
   e:	53                   	push   %rbx
   f:	48 85 ff             	test   %rdi,%rdi
  12:	0f 84 a1 00 00 00    	je     0xb9
  18:	48 89 fb             	mov    %rdi,%rbx
  1b:	bf 01 00 00 00       	mov    $0x1,%edi
  20:	e8 a4 f7 d9 fe       	call   0xfed9f7c9
  25:	be ff ff ff ff       	mov    $0xffffffff,%esi
* 2a:	f0 0f c1 73 40       	lock xadd %esi,0x40(%rbx) <-- trapping instruction
  2f:	ff ce                	dec    %esi
  31:	78 6f                	js     0xa2
  33:	31 ed                	xor    %ebp,%ebp
  35:	bf 01 00 00 00       	mov    $0x1,%edi
  3a:	e8 4a f8 d9 fe       	call   0xfed9f889
  3f:	65                   	gs