bisecting fixing commit since aea8526edf59da3ff5306ca408e13d8f6ab89b34
building syzkaller on 1656845f45f284c574eb4f8bfe85dd7916a47a3a
testing commit aea8526edf59da3ff5306ca408e13d8f6ab89b34 with gcc (GCC) 8.1.0
kernel signature: 54ddfa0a38f8c3cbd7ba71e3a43fe3eb3eed756e
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
testing current HEAD a844dc4c544291470aa69edbe2434b040794e269
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0
kernel signature: 698076f873228e38705a53c9c30ce9bace4fc984
all runs: OK
# git bisect start a844dc4c544291470aa69edbe2434b040794e269 aea8526edf59da3ff5306ca408e13d8f6ab89b34
Bisecting: 1258 revisions left to test after this (roughly 10 steps)
[546578f69ddba3008eadfc7e128fcc128d634c10] USB: iowarrior: fix use-after-free on release
testing commit 546578f69ddba3008eadfc7e128fcc128d634c10 with gcc (GCC) 8.1.0
kernel signature: 7d5d8f26abbc3f1857fe6e0dfcff2e1282babbc7
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
# git bisect good 546578f69ddba3008eadfc7e128fcc128d634c10
Bisecting: 629 revisions left to test after this (roughly 9 steps)
[2cef1eda48328fef25062c75b691b49cee473561] net: xilinx: fix return type of ndo_start_xmit function
testing commit 2cef1eda48328fef25062c75b691b49cee473561 with gcc (GCC) 8.1.0
kernel signature: bb3f82729b94b289ac96891871c44bdaca22eea5
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
# git bisect good 2cef1eda48328fef25062c75b691b49cee473561
Bisecting: 314 revisions left to test after this (roughly 8 steps)
[63cf63befc46a110697863458047181c0e34aa15] um: Make line/tty semantics use true write IRQ
testing commit 63cf63befc46a110697863458047181c0e34aa15 with gcc (GCC) 8.1.0
kernel signature: 0e51d06d655c47b49f859d4fa3c329c5aba39e03
all runs: OK
# git bisect bad 63cf63befc46a110697863458047181c0e34aa15
Bisecting: 157 revisions left to test after this (roughly 7 steps)
[9dc57cbdc1f1ff226ad8cdb2026f88303d623964] brcmfmac: reduce timeout for action frame scan
testing commit 9dc57cbdc1f1ff226ad8cdb2026f88303d623964 with gcc (GCC) 8.1.0
kernel signature: a9343c9608ea4d7ec099671c9f90a595aca87a8f
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
# git bisect good 9dc57cbdc1f1ff226ad8cdb2026f88303d623964
Bisecting: 78 revisions left to test after this (roughly 6 steps)
[004ff4e09bb5f8a7e3212c5ef2642944bc7c524a] synclink_gt(): fix compat_ioctl()
testing commit 004ff4e09bb5f8a7e3212c5ef2642944bc7c524a with gcc (GCC) 8.1.0
kernel signature: 9de1fdc3c591fa744f9b8f890cc20bd0341e676f
all runs: OK
# git bisect bad 004ff4e09bb5f8a7e3212c5ef2642944bc7c524a
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[596b42285406eb1622ec9f892e17cdf49760f7bb] pinctrl: gemini: Mask and set properly
testing commit 596b42285406eb1622ec9f892e17cdf49760f7bb with gcc (GCC) 8.1.0
kernel signature: e8f0289af4782c3780f8f8f53b325563d196f43c
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
# git bisect good 596b42285406eb1622ec9f892e17cdf49760f7bb
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[9ed49fc95f37a457d940324c033c20d85cefb930] net: rtnetlink: prevent underflows in do_setvfinfo()
testing commit 9ed49fc95f37a457d940324c033c20d85cefb930 with gcc (GCC) 8.1.0
kernel signature: 5ec1f2169ac9addca90638af6751f07ac041ed6a
all runs: OK
# git bisect bad 9ed49fc95f37a457d940324c033c20d85cefb930
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[21082313c028bb0ff4eae44029e202dbcb81814b] mac80211: minstrel: fix CCK rate group streams value
testing commit 21082313c028bb0ff4eae44029e202dbcb81814b with gcc (GCC) 8.1.0
kernel signature: 8d64fc15411092b17f80cdcfd37ba6e265bda88b
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
# git bisect good 21082313c028bb0ff4eae44029e202dbcb81814b
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[d09d148cad42abf45addbf6f1d39733e2993d899] tools: PCI: Fix broken pcitest compilation
testing commit d09d148cad42abf45addbf6f1d39733e2993d899 with gcc (GCC) 8.1.0
kernel signature: a79fc5fdfad2e2649ac2146aa9869be2cce7cb81
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
# git bisect good d09d148cad42abf45addbf6f1d39733e2993d899
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ee2df37dd9a392260387c6d392d053c8f0538c0f] mmc: tmio: fix SCC error handling to avoid false positive CRC error
testing commit ee2df37dd9a392260387c6d392d053c8f0538c0f with gcc (GCC) 8.1.0
kernel signature: 3205f14e1433b09a4efe1a62dc09e715fadb660b
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
# git bisect good ee2df37dd9a392260387c6d392d053c8f0538c0f
Bisecting: 0 revisions left to test after this (roughly 1 step)
[08265ef6179e82ca70d5712223d568f725f371fb] net/mlx4_en: fix mlx4 ethtool -N insertion
testing commit 08265ef6179e82ca70d5712223d568f725f371fb with gcc (GCC) 8.1.0
kernel signature: 000869533d3f1ab288a90c9db30331ceb9bd24d9
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rss_query_en
# git bisect good 08265ef6179e82ca70d5712223d568f725f371fb
9ed49fc95f37a457d940324c033c20d85cefb930 is the first bad commit
commit 9ed49fc95f37a457d940324c033c20d85cefb930
Author: Dan Carpenter
Date:   Wed Nov 20 15:34:38 2019 +0300

    net: rtnetlink: prevent underflows in do_setvfinfo()

    [ Upstream commit d658c8f56ec7b3de8051a24afb25da9ba3c388c5 ]

    The "ivm->vf" variable is a u32, but the problem is that a number of
    drivers cast it to an int and then forget to check for negatives. An
    example of this is in the cxgb4 driver.

    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
      2890  static int cxgb4_mgmt_get_vf_config(struct net_device *dev,
      2891                                      int vf, struct ifla_vf_info *ivi)
                                                ^^^^^^
      2892  {
      2893          struct port_info *pi = netdev_priv(dev);
      2894          struct adapter *adap = pi->adapter;
      2895          struct vf_info *vfinfo;
      2896
      2897          if (vf >= adap->num_vfs)
                        ^^^^^^^^^^^^^^^^^^^
      2898                  return -EINVAL;
      2899          vfinfo = &adap->vfinfo[vf];
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^

    There are 48 functions affected.

    drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646'
    drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646'

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/core/rtnetlink.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
culprit signature: 5ec1f2169ac9addca90638af6751f07ac041ed6a
parent signature: 000869533d3f1ab288a90c9db30331ceb9bd24d9
revisions tested: 13, total time: 2h55m1.827882409s (build: 1h43m11.345003241s, test: 1h10m17.321238319s)
first good commit: 9ed49fc95f37a457d940324c033c20d85cefb930 net: rtnetlink: prevent underflows in do_setvfinfo()
cc: ["dan.carpenter@oracle.com" "davem@davemloft.net" "gregkh@linuxfoundation.org"]
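
An added illustration of the bug class the commit message in this log describes (a u32 VF index taken as int and checked only against the upper bound); it is not kernel code and not the patch, whose diff this log does not show. NUM_VFS, the function names and the form of the central guard are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_VFS 4 /* constructed: VF count of a toy adapter */

/* Portable equivalent of the u32 -> int conversion the drivers perform. */
static int as_int(uint32_t v)
{
    return v <= (uint32_t)INT_MAX ? (int)v : -(int)(UINT32_MAX - v) - 1;
}

/* Driver callback shape from the cxgb4 excerpt: upper bound only. */
static int cb_upper_only(int vf)
{
    if (vf >= NUM_VFS)
        return -EINVAL;
    return 0; /* a real driver would index vfinfo[vf] here */
}

/* Driver-side hardening: reject negative indexes too. */
static int cb_both_bounds(int vf)
{
    if (vf < 0 || vf >= NUM_VFS)
        return -EINVAL;
    return 0;
}

/* Caller holding the u32 from userspace. With guard set, values that
 * would turn negative as int are rejected before any callback runs
 * (assumed form of a central check; the patch body is not on the page). */
static int dispatch(uint32_t vf, int guard, int (*cb)(int))
{
    if (guard && vf >= (uint32_t)INT_MAX)
        return -EINVAL;
    return cb(as_int(vf));
}

int main(void)
{
    uint32_t vf = 0xFFFFFFFFu; /* constructed input: becomes -1 as int */

    printf("upper-only, no guard:  %d\n", dispatch(vf, 0, cb_upper_only));
    printf("both bounds, no guard: %d\n", dispatch(vf, 0, cb_both_bounds));
    printf("upper-only, guarded:   %d\n", dispatch(vf, 1, cb_upper_only));
    return 0;
}
```

The first call returns 0, meaning the out-of-range index is accepted; either the per-driver lower-bound check or the guard in the caller turns it into -EINVAL.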