bisecting fixing commit since 3ffe1e79c174b2093f7ee3df589a7705572c9620
building syzkaller on acb51638141ff960f547431757130749bc176bc0
testing commit 3ffe1e79c174b2093f7ee3df589a7705572c9620 with gcc (GCC) 8.1.0
kernel signature: 6fdbca951c406fce986d24814ad7972d0066baa1
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_vlan
testing current HEAD a844dc4c544291470aa69edbe2434b040794e269
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0
kernel signature: 4fe8aabd68236d2a8b243e66cc5767a8c7392004
all runs: OK
# git bisect start a844dc4c544291470aa69edbe2434b040794e269 3ffe1e79c174b2093f7ee3df589a7705572c9620
Bisecting: 1011 revisions left to test after this (roughly 10 steps)
[343e5699b74e8b9806b8627d59aa00243f5c96c8] arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
testing commit 343e5699b74e8b9806b8627d59aa00243f5c96c8 with gcc (GCC) 8.1.0
kernel signature: 173878e378a4776e9e3e78840fac5d635f9018a3
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_vlan
# git bisect good 343e5699b74e8b9806b8627d59aa00243f5c96c8
Bisecting: 505 revisions left to test after this (roughly 9 steps)
[3610daee861f4b4a2758fc7087c53b5842c34f6e] ext4: fix build error when DX_DEBUG is defined
testing commit 3610daee861f4b4a2758fc7087c53b5842c34f6e with gcc (GCC) 8.1.0
kernel signature: ad2dcad5140a5ff1095ab4e01b9906af67dcc13e
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_vlan
# git bisect good 3610daee861f4b4a2758fc7087c53b5842c34f6e
Bisecting: 252 revisions left to test after this (roughly 8 steps)
[79d404a2aa86efe4f1ade51e054318bd811cce71] Bluetooth: Fix invalid-free in bcsp_close()
testing commit 79d404a2aa86efe4f1ade51e054318bd811cce71 with gcc (GCC) 8.1.0
kernel signature: 82fe64374e5ef3bfe9dadc354cda4cf597ae1a6f
all runs: OK
# git bisect bad 79d404a2aa86efe4f1ade51e054318bd811cce71
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[9c6b1927f85618ad5998c65243a4787c9e228cb1] w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size).
testing commit 9c6b1927f85618ad5998c65243a4787c9e228cb1 with gcc (GCC) 8.1.0
kernel signature: 0af6e38abe3100f73f2c6b711b780e2e6c455d85
all runs: OK
# git bisect bad 9c6b1927f85618ad5998c65243a4787c9e228cb1
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[0f07c78437601b01eb2a75589561bea050a045e7] backlight: lm3639: Unconditionally call led_classdev_unregister
testing commit 0f07c78437601b01eb2a75589561bea050a045e7 with gcc (GCC) 8.1.0
kernel signature: c38d460e248d900e2e23105b5e59d132cb5d497e
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_vlan
# git bisect good 0f07c78437601b01eb2a75589561bea050a045e7
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[058fcda9e025ca3463645688e9091159d0926993] net/mlx5e: Fix set vf link state error flow
testing commit 058fcda9e025ca3463645688e9091159d0926993 with gcc (GCC) 8.1.0
kernel signature: 16cd8417ce8b08b58a131e6bd53a2ae606249e07
all runs: OK
# git bisect bad 058fcda9e025ca3463645688e9091159d0926993
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[31f3c76efc6273c55a59363ad3a37d2b0a5a0b80] hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros
testing commit 31f3c76efc6273c55a59363ad3a37d2b0a5a0b80 with gcc (GCC) 8.1.0
kernel signature: 91443d97d0b0c4abc5fa6b55feb896caf039d1ab
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_vlan
# git bisect good 31f3c76efc6273c55a59363ad3a37d2b0a5a0b80
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[1dee3a3efdb877419639f3cafb1f91cfcf9c11ab] ARM: dts: omap5: Fix dual-role mode on Super-Speed port
testing commit 1dee3a3efdb877419639f3cafb1f91cfcf9c11ab with gcc (GCC) 8.1.0
kernel signature: 6d7b9dbcf1f8593e2ec1bf27849b9443486204da
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_vlan
# git bisect good 1dee3a3efdb877419639f3cafb1f91cfcf9c11ab
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[43598c571e7ed29e4c81e35b4a870fe6b9f8d58e] Linux 4.14.156
testing commit 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e with gcc (GCC) 8.1.0
kernel signature: 41c2f3322124dad77e73c95fa8d21d719050fb4f
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_vlan
# git bisect good 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e
Bisecting: 1 revision left to test after this (roughly 1 step)
[9ed49fc95f37a457d940324c033c20d85cefb930] net: rtnetlink: prevent underflows in do_setvfinfo()
testing commit 9ed49fc95f37a457d940324c033c20d85cefb930 with gcc (GCC) 8.1.0
kernel signature: fe8d8b8f1d2c809cfede207bd832738c6626e1ce
all runs: OK
# git bisect bad 9ed49fc95f37a457d940324c033c20d85cefb930
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[08265ef6179e82ca70d5712223d568f725f371fb] net/mlx4_en: fix mlx4 ethtool -N insertion
testing commit 08265ef6179e82ca70d5712223d568f725f371fb with gcc (GCC) 8.1.0
kernel signature: 7a82d701940252f79fa5f665f7e9b03b090f7def
all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_vlan
# git bisect good 08265ef6179e82ca70d5712223d568f725f371fb
9ed49fc95f37a457d940324c033c20d85cefb930 is the first bad commit
commit 9ed49fc95f37a457d940324c033c20d85cefb930
Author: Dan Carpenter
Date: Wed Nov 20 15:34:38 2019 +0300

    net: rtnetlink: prevent underflows in do_setvfinfo()

    [ Upstream commit d658c8f56ec7b3de8051a24afb25da9ba3c388c5 ]

    The "ivm->vf" variable is a u32, but the problem is that a number of
    drivers cast it to an int and then forget to check for negatives. An
    example of this is in the cxgb4 driver.

    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
      2890  static int cxgb4_mgmt_get_vf_config(struct net_device *dev,
      2891                                      int vf, struct ifla_vf_info *ivi)
                                                ^^^^^^
      2892  {
      2893          struct port_info *pi = netdev_priv(dev);
      2894          struct adapter *adap = pi->adapter;
      2895          struct vf_info *vfinfo;
      2896
      2897          if (vf >= adap->num_vfs)
                        ^^^^^^^^^^^^^^^^^^^
      2898                  return -EINVAL;
      2899          vfinfo = &adap->vfinfo[vf];
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^

    There are 48 functions affected.

    drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646'
    drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254'
    drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
    drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646'

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/core/rtnetlink.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
culprit signature: fe8d8b8f1d2c809cfede207bd832738c6626e1ce
parent signature: 7a82d701940252f79fa5f665f7e9b03b090f7def
revisions tested: 13, total time: 3h2m14.936740117s (build: 1h45m32.029439872s, test: 1h15m29.748457004s)
first good commit: 9ed49fc95f37a457d940324c033c20d85cefb930 net: rtnetlink: prevent underflows in do_setvfinfo()
cc: ["dan.carpenter@oracle.com" "davem@davemloft.net" "gregkh@linuxfoundation.org"]