bisecting fixing commit since f56f3d0e65adb447b8b583c8ed4fbbe544c9bfde
building syzkaller on 598ca6c8b8766304c3b2865e38f5f301c39bd299
testing commit f56f3d0e65adb447b8b583c8ed4fbbe544c9bfde with gcc (GCC) 8.1.0
kernel signature: f40e2d8c40bdf568ebc9cdde5834a31a7753fe788c2fef6f484f88fa19a429b6
all runs: crashed: WARNING: refcount bug in sock_wfree
testing current HEAD c10b57a567e4333b9fdf60b5ec36de9859263ca2
testing commit c10b57a567e4333b9fdf60b5ec36de9859263ca2 with gcc (GCC) 8.1.0
kernel signature: 584845b647d6edc51edd8277cacdef793df5b5251c725f9b726ed8d4594f05c9
all runs: OK
# git bisect start c10b57a567e4333b9fdf60b5ec36de9859263ca2 f56f3d0e65adb447b8b583c8ed4fbbe544c9bfde
Bisecting: 1359 revisions left to test after this (roughly 10 steps)
[f27885c16525c3e4d4c5fa79ba9fcfcf3d1ab96c] ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number
testing commit f27885c16525c3e4d4c5fa79ba9fcfcf3d1ab96c with gcc (GCC) 8.1.0
kernel signature: 6bcb36a301f436d89f9b00235e81f2f5c8d071443842413335e1a2ae0a539c3c
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good f27885c16525c3e4d4c5fa79ba9fcfcf3d1ab96c
Bisecting: 679 revisions left to test after this (roughly 9 steps)
[2edc1dc9008b02fc43f22698c88c390c493e9399] PCI: Don't disable bridge BARs when assigning bus resources
testing commit 2edc1dc9008b02fc43f22698c88c390c493e9399 with gcc (GCC) 8.1.0
kernel signature: 86b8f8dc0773c0367bde4f829f8d91a2c815fe21dc90cc5d7db7699be0e3c424
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good 2edc1dc9008b02fc43f22698c88c390c493e9399
Bisecting: 339 revisions left to test after this (roughly 8 steps)
[e476b55da6d22cb29ac50f5b585a16d37854c312] usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
testing commit e476b55da6d22cb29ac50f5b585a16d37854c312 with gcc (GCC) 8.1.0
kernel signature: cb019687c9a429205592d1225f532ac4d2902a2c7cf2af11dd428292a7b3bb99
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good e476b55da6d22cb29ac50f5b585a16d37854c312
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[ef3ae20feb82c9c14f76135a34bdaeef5664b6ec] usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c
testing commit ef3ae20feb82c9c14f76135a34bdaeef5664b6ec with gcc (GCC) 8.1.0
kernel signature: a30f5832d5a0784dc0e7a36ef5aef553ef3a52ee1bb2126671038024b1559cef
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good ef3ae20feb82c9c14f76135a34bdaeef5664b6ec
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[1046035d3b8b461194ce693d7f8e33e99f4f4abe] RDMA/mlx5: Block delay drop to unprivileged users
testing commit 1046035d3b8b461194ce693d7f8e33e99f4f4abe with gcc (GCC) 8.1.0
kernel signature: 0b891a9d563f6d27c92a01aa401daa2987a2a2880079a96ef0cce474e11a5f71
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good 1046035d3b8b461194ce693d7f8e33e99f4f4abe
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[a34bb888980be1fa40117512c34cbf1da3231056] arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id
testing commit a34bb888980be1fa40117512c34cbf1da3231056 with gcc (GCC) 8.1.0
kernel signature: 051c8a70a871c95340821545c40141fdc65e2fcb43272ce1a6717c27ceeaedd8
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good a34bb888980be1fa40117512c34cbf1da3231056
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[d0a7c3373404bd931565f361802d320462fbe9f9] slcan: Don't transmit uninitialized stack data in padding
testing commit d0a7c3373404bd931565f361802d320462fbe9f9 with gcc (GCC) 8.1.0
kernel signature: e3ff37beffd6f92c00c9dae8b0b8218da1468a70609c6972e9733e4bf7062ced
all runs: OK
# git bisect bad d0a7c3373404bd931565f361802d320462fbe9f9
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[c0eab61c136f671bccdf7530dd86cdb66e4ae7ba] drm/etnaviv: replace MMU flush marker with flush sequence
testing commit c0eab61c136f671bccdf7530dd86cdb66e4ae7ba with gcc (GCC) 8.1.0
kernel signature: 1f06bbf7636fd7c7faeb13aabbbbf14677aa7840d763870ed0e839a91d7ba6de
all runs: OK
# git bisect bad c0eab61c136f671bccdf7530dd86cdb66e4ae7ba
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[968f831d9056bcb3fcca031c11d39f4853908307] sctp: fix refcount bug in sctp_wfree
testing commit 968f831d9056bcb3fcca031c11d39f4853908307 with gcc (GCC) 8.1.0
kernel signature: ad260b481cf896ce0be7c13bb7948b294ce1511162bdaea717b3aa9fe14bc8af
all runs: OK
# git bisect bad 968f831d9056bcb3fcca031c11d39f4853908307
Bisecting: 2 revisions left to test after this (roughly 1 step)
[4520f06b03ae667e442da1ab9351fd28cd7ac598] Linux 4.14.175
testing commit 4520f06b03ae667e442da1ab9351fd28cd7ac598 with gcc (GCC) 8.1.0
kernel signature: 808f64bbf1f189dd566803fbd7e3bf61ab459edbb8c58c61aef6c4a1a6c418bf
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good 4520f06b03ae667e442da1ab9351fd28cd7ac598
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b57327db68d3bbf2e0eae2a3398c5adc14237550] net, ip_tunnel: fix interface lookup with no key
testing commit b57327db68d3bbf2e0eae2a3398c5adc14237550 with gcc (GCC) 8.1.0
kernel signature: a103634007ef5622b8badae0adba1f17beb2a7049662c6f6862a9874f114849b
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good b57327db68d3bbf2e0eae2a3398c5adc14237550
968f831d9056bcb3fcca031c11d39f4853908307 is the first bad commit
commit 968f831d9056bcb3fcca031c11d39f4853908307
Author: Qiujun Huang
Date:   Fri Mar 27 11:07:51 2020 +0800

    sctp: fix refcount bug in sctp_wfree

    [ Upstream commit 5c3e82fe159622e46e91458c1a6509c321a62820 ]

    We should iterate over the datamsgs to move all chunks(skbs) to newsk.

    The following case causes the bug:
    for the trouble SKB, it was in outq->transmitted list

    sctp_outq_sack
            sctp_check_transmitted
                    SKB was moved to outq->sacked list
            then throw away the sack queue
                    SKB was deleted from outq->sacked
                    (but it was held by datamsg at sctp_datamsg_to_asoc
                    So, sctp_wfree was not called here)

    then migrate happened

            sctp_for_each_tx_datachunk(
            sctp_clear_owner_w);
            sctp_assoc_migrate();
            sctp_for_each_tx_datachunk(
            sctp_set_owner_w);

    SKB was not in the outq, and was not changed to newsk

    finally __sctp_outq_teardown
            sctp_chunk_put (for another skb)
                    sctp_datamsg_put
                            __kfree_skb(msg->frag_list)
                                    sctp_wfree (for SKB)
                                            SKB->sk was still oldsk (skb->sk != asoc->base.sk).

    Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
    Signed-off-by: Qiujun Huang
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sctp/socket.c | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

culprit signature: ad260b481cf896ce0be7c13bb7948b294ce1511162bdaea717b3aa9fe14bc8af
parent  signature: a103634007ef5622b8badae0adba1f17beb2a7049662c6f6862a9874f114849b
revisions tested: 13, total time: 2h57m15.480704101s (build: 1h47m37.530800605s, test: 1h8m19.575244065s)
first good commit: 968f831d9056bcb3fcca031c11d39f4853908307 sctp: fix refcount bug in sctp_wfree
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "hqjagain@gmail.com" "mleitner@redhat.com" "syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com"]