ci2 starts bisection 2023-12-14 23:33:31.601254629 +0000 UTC m=+101774.589831458
bisecting fixing commit since 09e0f8509684d14f06d86c4de0f9f2d635d04b40
building syzkaller on aaed018397bf51a5aaff9a072ba223d81cd3c107
ensuring issue is reproducible on original commit 09e0f8509684d14f06d86c4de0f9f2d635d04b40
testing commit 09e0f8509684d14f06d86c4de0f9f2d635d04b40 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5b249fe6d0da372373547bb8d051094bc9685bf4cdf363015fd52da55e72a619
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 09e0f8509684d14f06d86c4de0f9f2d635d04b40 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ab051b1f166fc3e22a424adc1051e433c951c87c0168da44554b6aa6dc854314
all runs: OK
false negative chance: 0.000
kconfig minimization: base=5179 full=6523 leaves diff=252
split chunks (needed=false): <252>
split chunk #0 of len 252 into 5 parts
testing without sub-chunk 1/5
testing commit 09e0f8509684d14f06d86c4de0f9f2d635d04b40 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 868209fc5941113db3c13a4a18e63354446b28c1e996498ac89f7e31ae87dc1d
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
testing commit 09e0f8509684d14f06d86c4de0f9f2d635d04b40 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7ebea36f6e40c49b98fb074c9e07376e7aa73684a31d24cde0c3588ca7f45b1a
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
testing commit 09e0f8509684d14f06d86c4de0f9f2d635d04b40 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7ffa63371f1f2d92f401c9c34d333ad7531e2a4ab778563a8f7fac85730d3f54
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
testing commit 09e0f8509684d14f06d86c4de0f9f2d635d04b40 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a8bc7cee5b683b3ff578de1e543e9d90924959a3d18875db26227e8c29f8268b
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
testing commit 09e0f8509684d14f06d86c4de0f9f2d635d04b40 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 09e0f8509684d14f06d86c4de0f9f2d635d04b40:
net/socket.c:1225: undefined reference to `wext_handle_ioctl'
net/socket.c:3420: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 48 configs; suspects: [HID_ZEROPLUS USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
testing current HEAD cc294d9503f8aa03d45318c0bf2a7870cea9c930
testing commit cc294d9503f8aa03d45318c0bf2a7870cea9c930 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 139aff8a965a8aa3dc6388e17a32894daf64772297f8e9f486e467adf67a9bea
all runs: OK
false negative chance: 0.000
# git bisect start cc294d9503f8aa03d45318c0bf2a7870cea9c930 09e0f8509684d14f06d86c4de0f9f2d635d04b40
Bisecting: 3101 revisions left to test after this (roughly 12 steps)
[53dd2ca2c02fdcfe3aad2345091d371063f97d17] ovl: fix null pointer dereference in ovl_permission()
determine whether the revision contains the guilty commit
checking the merge base b1644a0031cfb3ca2cbd84c92f771f8ebb62302d
no existing result, test the revision
testing commit b1644a0031cfb3ca2cbd84c92f771f8ebb62302d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fbe73f05983cd1c690126b3ea7d765ea5b321bfb0095fe7a60901f7d97cac5d9
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
testing commit 53dd2ca2c02fdcfe3aad2345091d371063f97d17 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4c2126d463e0b680ffb8f9ba7eb9f2cfbe641a847edd67458aeab8179463d8b5
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
# git bisect good 53dd2ca2c02fdcfe3aad2345091d371063f97d17
Bisecting: 1551 revisions left to test after this (roughly 11 steps)
[36974c3a5438f6ddeb2f0037aebacde46c662014] net: remove osize variable in __alloc_skb()
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 36974c3a5438f6ddeb2f0037aebacde46c662014 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 227b1b2a4ecfe335b4d53afb7c82f31ad01be3e33b31ce16458eb0197b9f04de
all runs: OK
false negative chance: 0.000
# git bisect bad 36974c3a5438f6ddeb2f0037aebacde46c662014
Bisecting: 774 revisions left to test after this (roughly 10 steps)
[029e491b8c11859525a1d6a307622bbc3a4ae559] net: bgmac: Fix return value check for fixed_phy_register()
determine whether the revision contains the guilty commit
revision 53dd2ca2c02fdcfe3aad2345091d371063f97d17 crashed and is reachable
testing commit 029e491b8c11859525a1d6a307622bbc3a4ae559 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3ebb1a3c5df3a401388130fda3f25ac44953eacd07c46cc641e2df7871eb9696
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
# git bisect good 029e491b8c11859525a1d6a307622bbc3a4ae559
Bisecting: 387 revisions left to test after this (roughly 9 steps)
[ba1ca2cf4d0083990ef279dc3aeb0dde7efe9752] drm/bridge: anx7625: Use common macros for DP power sequencing commands
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit ba1ca2cf4d0083990ef279dc3aeb0dde7efe9752 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7165b0cb79d02db26ba169c541a727a0915651cb9eb94904be8d202f95d84cc6
run #0: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor3847213077" "root@10.128.1.191:./syz-executor3847213077"]: exit status 255
Executing: program /usr/bin/ssh host 10.128.1.191, user root, command sftp
OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.1.191 [10.128.1.191] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2
Connection timed out during banner exchange
Connection to 10.128.1.191 port 22 timed out
scp: Connection closed
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect bad ba1ca2cf4d0083990ef279dc3aeb0dde7efe9752
Bisecting: 193 revisions left to test after this (roughly 8 steps)
[179b9b062fe8ef4d674e5772598b36396b871060] netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 179b9b062fe8ef4d674e5772598b36396b871060 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d86c2e7fa4ccfa7a5b4fd98ec98f92a4f4810d50f2faeaf81acc2eb612e1409a
all runs: OK
false negative chance: 0.000
# git bisect bad 179b9b062fe8ef4d674e5772598b36396b871060
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[ae0188f9c2a88a2f9e96e5a0ced48adc84982287] thunderbolt: Fix a backport error for display flickering issue
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit ae0188f9c2a88a2f9e96e5a0ced48adc84982287 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b5a6a951d73488bc48e0de99344e6fc4681e0e8344d1ae8574219747636b702
all runs: OK
false negative chance: 0.000
# git bisect bad ae0188f9c2a88a2f9e96e5a0ced48adc84982287
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[e75de82b378617afd20805551e2e3596fbb447a1] radix tree: remove unused variable
determine whether the revision contains the guilty commit
revision 53dd2ca2c02fdcfe3aad2345091d371063f97d17 crashed and is reachable
testing commit e75de82b378617afd20805551e2e3596fbb447a1 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 850a3760eac05d427a644943d10a888b6247d3c7a670477d1280d940b0646598
run #0: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor3076147699" "root@10.128.10.33:./syz-executor3076147699"]: exit status 255
Executing: program /usr/bin/ssh host 10.128.10.33, user root, command sftp
OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.10.33 [10.128.10.33] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2
Connection timed out during banner exchange
Connection to 10.128.10.33 port 22 timed out
scp: Connection closed
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect bad e75de82b378617afd20805551e2e3596fbb447a1
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[85607ef399d9763c9a5d122eb6bce91d27d85cb9] ASoC: cs35l41: Correct amp_gain_tlv values
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 85607ef399d9763c9a5d122eb6bce91d27d85cb9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2ab0a7fe00922252b496520ff819e3b3b8b752f301180189abaffb905e2317f8
run #0: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor1359685945" "root@10.128.1.168:./syz-executor1359685945"]: exit status 255
Executing: program /usr/bin/ssh host 10.128.1.168, user root, command sftp
OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.1.168 [10.128.1.168] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2
Connection timed out during banner exchange
Connection to 10.128.1.168 port 22 timed out
scp: Connection closed
run #1: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor425520006" "root@10.128.10.46:./syz-executor425520006"]: exit status 255
Executing: program /usr/bin/ssh host 10.128.10.46, user root, command sftp
OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.10.46 [10.128.10.46] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2
Connection timed out during banner exchange
Connection to 10.128.10.46 port 22 timed out
scp: Connection closed
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect bad 85607ef399d9763c9a5d122eb6bce91d27d85cb9
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[136861956ad64429afbe31cfa90234114f7eab2e] i40e: fix potential NULL pointer dereferencing of pf->vf i40e_sync_vsi_filters()
determine whether the revision contains the guilty commit
revision 53dd2ca2c02fdcfe3aad2345091d371063f97d17 crashed and is reachable
testing commit 136861956ad64429afbe31cfa90234114f7eab2e gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a0810da4c77e7a085a2dadec076411d06e53525bb2f2415b32b1c2815216477a
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
# git bisect good 136861956ad64429afbe31cfa90234114f7eab2e
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[82d811ff566594de3676f35808e8a9e19c5c864c] KVM: x86/mmu: Fix an sign-extension bug with mmu_seq that hangs vCPUs
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit 82d811ff566594de3676f35808e8a9e19c5c864c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 406bd074160c209b6562bc186645b7824579358fcfe9d68818665c5de9862967
all runs: OK
false negative chance: 0.000
# git bisect bad 82d811ff566594de3676f35808e8a9e19c5c864c
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[b15dea3de413b80c6e51acb26c0d09354080af65] rtnetlink: Reject negative ifindexes in RTM_NEWLINK
determine whether the revision contains the guilty commit
revision b1644a0031cfb3ca2cbd84c92f771f8ebb62302d crashed and is reachable
testing commit b15dea3de413b80c6e51acb26c0d09354080af65 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e816d96cbc0f80d8974da3bcec2e576040fecd3354bd426fa3d91cc84509bf3a
all runs: OK
false negative chance: 0.000
# git bisect bad b15dea3de413b80c6e51acb26c0d09354080af65
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ed3fe5f9020c90125dfb40c1ae808d915ede68d8] netfilter: nf_tables: fix out of memory error handling
determine whether the revision contains the guilty commit
revision 136861956ad64429afbe31cfa90234114f7eab2e crashed and is reachable
testing commit ed3fe5f9020c90125dfb40c1ae808d915ede68d8 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 493520ea37fdac03d8216418794bbb32556edafb8a66c45f595f001df6805080
all runs: crashed: BUG: stack guard page was hit in sys_sendmmsg
representative crash: BUG: stack guard page was hit in sys_sendmmsg, types: [UNKNOWN]
# git bisect good ed3fe5f9020c90125dfb40c1ae808d915ede68d8
b15dea3de413b80c6e51acb26c0d09354080af65 is the first bad commit
commit b15dea3de413b80c6e51acb26c0d09354080af65
Author: Ido Schimmel
Date: Wed Aug 23 09:43:48 2023 +0300

    rtnetlink: Reject negative ifindexes in RTM_NEWLINK

    [ Upstream commit 30188bd7838c16a98a520db1fe9df01ffc6ed368 ]

    Negative ifindexes are illegal, but the kernel does not validate the
    ifindex in the ancillary header of RTM_NEWLINK messages, resulting in
    the kernel generating a warning [1] when such an ifindex is specified.

    Fix by rejecting negative ifindexes.

    [1]
    WARNING: CPU: 0 PID: 5031 at net/core/dev.c:9593 dev_index_reserve+0x1a2/0x1c0 net/core/dev.c:9593
    [...]
    Call Trace:
     register_netdevice+0x69a/0x1490 net/core/dev.c:10081
     br_dev_newlink+0x27/0x110 net/bridge/br_netlink.c:1552
     rtnl_newlink_create net/core/rtnetlink.c:3471 [inline]
     __rtnl_newlink+0x115e/0x18c0 net/core/rtnetlink.c:3688
     rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3701
     rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6427
     netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
     netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
     netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
     netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
     sock_sendmsg_nosec net/socket.c:728 [inline]
     sock_sendmsg+0xd9/0x180 net/socket.c:751
     ____sys_sendmsg+0x6ac/0x940 net/socket.c:2538
     ___sys_sendmsg+0x135/0x1d0 net/socket.c:2592
     __sys_sendmsg+0x117/0x1e0 net/socket.c:2621
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

    Fixes: 38f7b870d4a6 ("[RTNETLINK]: Link creation API")
    Reported-by: syzbot+5ba06978f34abb058571@syzkaller.appspotmail.com
    Signed-off-by: Ido Schimmel
    Reviewed-by: Jiri Pirko
    Reviewed-by: Jakub Kicinski
    Link: https://lore.kernel.org/r/20230823064348.2252280-1-idosch@nvidia.com
    Signed-off-by: Paolo Abeni
    Signed-off-by: Sasha Levin

 net/core/rtnetlink.c | 3 +++
 1 file changed, 3 insertions(+)
accumulated error probability: 0.00
culprit signature: e816d96cbc0f80d8974da3bcec2e576040fecd3354bd426fa3d91cc84509bf3a
parent signature: 493520ea37fdac03d8216418794bbb32556edafb8a66c45f595f001df6805080
revisions tested: 20, total time: 3h47m7.83304836s (build: 1h13m59.723051405s, test: 2h26m5.160696439s)
first good commit: b15dea3de413b80c6e51acb26c0d09354080af65 rtnetlink: Reject negative ifindexes in RTM_NEWLINK
recipients (to): ["idosch@nvidia.com" "jiri@nvidia.com" "kuba@kernel.org" "pabeni@redhat.com" "sashal@kernel.org"]
recipients (cc): []