bisecting cause commit starting from 6a9dc5fd6170d0a41c8a14eb19e63d94bea5705a
building syzkaller on 344da168cb738076d82a75e1a7a1f5177df8dbc7
testing commit 6a9dc5fd6170d0a41c8a14eb19e63d94bea5705a with gcc (GCC) 8.1.0
kernel signature: 28969c93784ef3b3b3b2806b29a874bdd0484c68ca26c422ac528298f9925f26
all runs: crashed: WARNING: refcount bug in qdisc_create
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: f9330f265a01f3f23f3e980321a015f1c9be40c14d0a72d9f2651a7fa235eb5a
all runs: OK
# git bisect start 6a9dc5fd6170d0a41c8a14eb19e63d94bea5705a bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 8194 revisions left to test after this (roughly 13 steps)
[8186749621ed6b8fc42644c399e8c755a2b6f630] Merge tag 'drm-next-2020-08-06' of git://anongit.freedesktop.org/drm/drm
testing commit 8186749621ed6b8fc42644c399e8c755a2b6f630 with gcc (GCC) 8.1.0
kernel signature: b5b61031a12f326942f940ee9b8e37a7af262249585c0edd07a3c543d8b42a59
all runs: OK
# git bisect good 8186749621ed6b8fc42644c399e8c755a2b6f630
Bisecting: 4094 revisions left to test after this (roughly 12 steps)
[dfdf16ecfd6abafc22b7f02364d9bb879ca8a5ee] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit dfdf16ecfd6abafc22b7f02364d9bb879ca8a5ee with gcc (GCC) 8.1.0
kernel signature: 2956fe44b3eff4f78d57dec13d2ab0d20133832c7069c8d71069ecc48c8819a6
all runs: crashed: WARNING: refcount bug in qdisc_create
# git bisect bad dfdf16ecfd6abafc22b7f02364d9bb879ca8a5ee
Bisecting: 2054 revisions left to test after this (roughly 11 steps)
[76769c38b45d94f5492ff9be363ac7007fd8e58b] Merge tag 'mlx5-updates-2020-08-03' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 76769c38b45d94f5492ff9be363ac7007fd8e58b with gcc (GCC) 8.1.0
kernel signature: 02edec5a200ed87df86084648b410fa537f0733cf22db3f621d0f40c8eeb24f6
all runs: crashed: WARNING: refcount bug in qdisc_create
# git bisect bad 76769c38b45d94f5492ff9be363ac7007fd8e58b
Bisecting: 1022 revisions left to test after this (roughly 10 steps)
[94d9f78f4d64b967273a676167bd34ddad2f978c] docs: networking: timestamping: add section for stacked PHC devices
testing commit 94d9f78f4d64b967273a676167bd34ddad2f978c with gcc (GCC) 8.1.0
kernel signature: dda123fa287adcbd09f5ae02f289f42c5fe3f832c13374cc2c815b1da52683bc
all runs: crashed: WARNING: refcount bug in qdisc_create
# git bisect bad 94d9f78f4d64b967273a676167bd34ddad2f978c
Bisecting: 514 revisions left to test after this (roughly 9 steps)
[11a20c7152823efe17e282e11cdfcc683d5e2a06] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 11a20c7152823efe17e282e11cdfcc683d5e2a06 with gcc (GCC) 8.1.0
kernel signature: 24420c2e2111f94f6e36968cc9922b5d24b4cce23e6b8e67e68f68fb207fde2d
all runs: crashed: WARNING: refcount bug in qdisc_create
# git bisect bad 11a20c7152823efe17e282e11cdfcc683d5e2a06
Bisecting: 257 revisions left to test after this (roughly 8 steps)
[18c955b730002afdb0f86be39c0d202450acbbfc] bonding: Remove extraneous parentheses in bond_setup
testing commit 18c955b730002afdb0f86be39c0d202450acbbfc with gcc (GCC) 8.1.0
kernel signature: 920165ccf45c2e875fdead2c8cd9ea04126a6559c6737351e4f2ca94f581f37e
all runs: OK
# git bisect good 18c955b730002afdb0f86be39c0d202450acbbfc
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[53e1f21abd89bde46ed30061c58370b8a079f6f5] sfc: commonise FC advertising
testing commit 53e1f21abd89bde46ed30061c58370b8a079f6f5 with gcc (GCC) 8.1.0
kernel signature: dffe2a15e3c83c9d2bb68611274ecb54588c593765e0793b2dfecee453e9a3d7
all runs: crashed: WARNING: refcount bug in qdisc_create
# git bisect bad 53e1f21abd89bde46ed30061c58370b8a079f6f5
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[146ba9a3679ff8846e2044886b0dfce4ad03bc08] usbnet: ipheth: fix ipheth_tx()'s return type
testing commit 146ba9a3679ff8846e2044886b0dfce4ad03bc08 with gcc (GCC) 8.1.0
kernel signature: f0d27c2fea0e94ee00ba6f337e695c0b1a513f81a237d5c60fc8edb65f1464dd
all runs: OK
# git bisect good 146ba9a3679ff8846e2044886b0dfce4ad03bc08
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[989d957a8b3e4442006d9ab68d0215718f57ec56] Merge branch 'TC-Introduce-qevents'
testing commit 989d957a8b3e4442006d9ab68d0215718f57ec56 with gcc (GCC) 8.1.0
kernel signature: f98f9f80d5f3cc0c37d334294cc91aa700ec361883fef1be2f9bce294adc861b
all runs: crashed: WARNING: refcount bug in qdisc_create
# git bisect bad 989d957a8b3e4442006d9ab68d0215718f57ec56
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[7bcffde02152dd3cb180f6f3aef27e8586b2a905] net: ethernet: ti: am65-cpsw-nuss: restore vlan configuration while down/up
testing commit 7bcffde02152dd3cb180f6f3aef27e8586b2a905 with gcc (GCC) 8.1.0
kernel signature: db465679d2d3720dacb15c039a1df683e6cc5f427615d94c4b66c9572953b465
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good 7bcffde02152dd3cb180f6f3aef27e8586b2a905
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[5e701e49b7b40166cc56f7b0db205355095cad6b] Merge branch 'net-ethernet-ti-am65-cpsw-update-and-enable-sr2-0-soc'
testing commit 5e701e49b7b40166cc56f7b0db205355095cad6b with gcc (GCC) 8.1.0
kernel signature: 1f137faa2a1fc6f34f74c09a1da1dd6f74fdc31c85e9caed9b1e117b580455e8
all runs: OK
# git bisect good 5e701e49b7b40166cc56f7b0db205355095cad6b
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[65545ea24998bb9aab1ce713a67c693dc7a947ec] net: sched: sch_red: Split init and change callbacks
testing commit 65545ea24998bb9aab1ce713a67c693dc7a947ec with gcc (GCC) 8.1.0
kernel signature: 4a2373c8317a0403ac252e69cc4366965c4563d7f76db85286804dea3c1ac765
all runs: OK
# git bisect good 65545ea24998bb9aab1ce713a67c693dc7a947ec
Bisecting: 0 revisions left to test after this (roughly 1 step)
[6cf0291f95172db68d8a283854389a1966e43c65] selftests: forwarding: Add a RED test for SW datapath
testing commit 6cf0291f95172db68d8a283854389a1966e43c65 with gcc (GCC) 8.1.0
kernel signature: 713f44893b9fe41cf0fb3dc5dd96b116f13fa0fdda10de8892e8c2523fcc6d14
all runs: crashed: WARNING: refcount bug in qdisc_create
# git bisect bad 6cf0291f95172db68d8a283854389a1966e43c65
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[aee9caa03fc3c8b02f8f31824354d85f30e562e0] net: sched: sch_red: Add qevents "early_drop" and "mark"
testing commit aee9caa03fc3c8b02f8f31824354d85f30e562e0 with gcc (GCC) 8.1.0
kernel signature: 495b6c09922049825910d8ea07075d91b61314c65ed8eacd59211974722c069e
all runs: crashed: WARNING: refcount bug in qdisc_create
# git bisect bad aee9caa03fc3c8b02f8f31824354d85f30e562e0
aee9caa03fc3c8b02f8f31824354d85f30e562e0 is the first bad commit
commit aee9caa03fc3c8b02f8f31824354d85f30e562e0
Author: Petr Machata <petrm@mellanox.com>
Date:   Sat Jun 27 01:45:28 2020 +0300

    net: sched: sch_red: Add qevents "early_drop" and "mark"
    
    In order to allow acting on dropped and/or ECN-marked packets, add two new
    qevents to the RED qdisc: "early_drop" and "mark". Filters attached at
    "early_drop" block are executed as packets are early-dropped, those
    attached at the "mark" block are executed as packets are ECN-marked.
    
    Two new attributes are introduced: TCA_RED_EARLY_DROP_BLOCK with the block
    index for the "early_drop" qevent, and TCA_RED_MARK_BLOCK for the "mark"
    qevent. Absence of these attributes signifies "don't care": no block is
    allocated in that case, or the existing blocks are left intact in case of
    the change callback.
    
    For purposes of offloading, blocks attached to these qevents appear with
    newly-introduced binder types, FLOW_BLOCK_BINDER_TYPE_RED_EARLY_DROP and
    FLOW_BLOCK_BINDER_TYPE_RED_MARK.
    
    Signed-off-by: Petr Machata <petrm@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/flow_offload.h     |  2 ++
 include/uapi/linux/pkt_sched.h |  2 ++
 net/sched/sch_red.c            | 58 ++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 60 insertions(+), 2 deletions(-)
culprit signature: 495b6c09922049825910d8ea07075d91b61314c65ed8eacd59211974722c069e
parent  signature: 4a2373c8317a0403ac252e69cc4366965c4563d7f76db85286804dea3c1ac765
revisions tested: 16, total time: 3h8m45.93781791s (build: 1h28m28.501708823s, test: 1h38m50.659808403s)
first bad commit: aee9caa03fc3c8b02f8f31824354d85f30e562e0 net: sched: sch_red: Add qevents "early_drop" and "mark"
recipients (to): ["davem@davemloft.net" "davem@davemloft.net" "jhs@mojatatu.com" "jiri@resnulli.us" "kuba@kernel.org" "netdev@vger.kernel.org" "petrm@mellanox.com" "xiyou.wangcong@gmail.com"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: WARNING: refcount bug in qdisc_create
WARNING: CPU: 0 PID: 8399 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8399 Comm: syz-executor.2 Not tainted 5.8.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12f/0x192 lib/dump_stack.c:118
 panic+0x22a/0x4e3 kernel/panic.c:231
 __warn.cold.12+0x25/0x31 kernel/panic.c:600
 report_bug+0x1b2/0x260 lib/bug.c:198
 exc_invalid_op+0x1b6/0x370 arch/x86/kernel/traps.c:235
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:563
RIP: 0010:refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Code: 3e ed fd 0f 0b e9 53 ff ff ff 48 89 df e8 fd d1 4d fe e9 23 ff ff ff 48 c7 c7 00 6c cf 87 c6 05 b7 4d 6d 06 01 e8 9a 3e ed fd <0f> 0b e9 2c ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 41
RSP: 0018:ffffc90004f074a0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88809fc2b864 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff87cfa400 RDI: ffffffff8b99d1a0
RBP: 0000000000000003 R08: ffffed1015d06315 R09: ffffed1015d06315
R10: ffff8880ae8318a7 R11: ffffed1015d06314 R12: ffff8880869c8000
R13: ffff88809db2f000 R14: 00000000ffffffea R15: ffff88809db2f03c
 qdisc_create+0xb2b/0x1070 net/sched/sch_api.c:1294
 tc_modify_qdisc+0x3ba/0x1720 net/sched/sch_api.c:1661
 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5460
 netlink_rcv_skb+0x117/0x370 net/netlink/af_netlink.c:2469
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x57b/0x790 net/socket.c:2352
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2406
 __sys_sendmsg+0xce/0x170 net/socket.c:2439
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d579
Code: Bad RIP value.
RSP: 002b:00007f682ac68c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002cd80 RCX: 000000000045d579
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004
RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
R13: 00007fff6f7f040f R14: 00007f682ac699c0 R15: 000000000118cfec
Kernel Offset: disabled