bisecting cause commit starting from b94ae8ad9fe79da61231999f347f79645b909bda
building syzkaller on f879db37f90dcefb681897d2e486c11d8298cb72
testing commit b94ae8ad9fe79da61231999f347f79645b909bda with gcc (GCC) 8.1.0
kernel signature: b1c2fd76a4e716183e6e19efdc1a7cad11b64c35
all runs: crashed: WARNING: refcount bug in skb_set_owner_w
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: c58e7762a6f9e0e103933a8d8c9e2f48d60c6d90
all runs: crashed: WARNING in refcount_error_report
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 8bb4e80e21b63c4cd76231c45cfd013b95862f46
all runs: crashed: WARNING in refcount_error_report
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 51be006f6e5e5b43b84f73a249fa1cd9dea663d6
all runs: crashed: WARNING in refcount_error_report
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 620330df07074ae2e0f6f9b36c450bea2d2e7601
all runs: crashed: WARNING in refcount_error_report
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 1d0dd0346461aff39ad77855b39404d275bd5c06
all runs: crashed: WARNING in refcount_error_report
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 91bf3ce292929811e13ea4ae345bb1e19ddb2dbd
all runs: crashed: WARNING in refcount_error_report
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: 2dbe9a00d439334a7090c3f6be70db3af16d0fce
all runs: crashed: WARNING in refcount_error_report
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 89187c14d2674f7183310dc6a403a5a723fab67e
all runs: crashed: WARNING in refcount_error_report
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
kernel signature: 555376c6d2c15ca5cab0aa5ee44da8543204864a
all runs: crashed: WARNING in refcount_error_report
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
kernel signature: c4ec32b5ceb84156a211c55dca3b20c5feae54f7
all runs: crashed: WARNING in refcount_error_report
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
kernel signature: b567260e515185e279b3147904548197dc21bb84
all runs: crashed: kernel BUG at ADDR [verbose debug info unavailable]
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
kernel signature: a4b841e510cfc0945c4984163b8904121bda575f
all runs: OK
# git bisect start d8a5b80568a9cb66810e75b182018e9edb68e8ff bebc6082da0a9f5d47a1ea2edc099bf671058bd4
Bisecting: 8497 revisions left to test after this (roughly 13 steps)
[5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a] Merge tag 'media/v4.15-1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a with gcc (GCC) 8.1.0
kernel signature: 59fa9a10585d36fe29d87f1732a8c102d9894f65
all runs: OK
# git bisect good 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a
Bisecting: 3900 revisions left to test after this (roughly 12 steps)
[f6705bf959efac87bca76d40050d342f1d212587] Merge tag 'drm-for-v4.15-amd-dc' of git://people.freedesktop.org/~airlied/linux
testing commit f6705bf959efac87bca76d40050d342f1d212587 with gcc (GCC) 8.1.0
kernel signature: 71e473401bfd4fc46497f42334739e03df18631c
all runs: OK
# git bisect good f6705bf959efac87bca76d40050d342f1d212587
Bisecting: 1936 revisions left to test after this (roughly 11 steps)
[4066aa72f9f2886105c6f747d7f9bd4f14f53c12] Merge tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux
testing commit 4066aa72f9f2886105c6f747d7f9bd4f14f53c12 with gcc (GCC) 8.1.0
kernel signature: 248cfa826d244ac454af20a69f5aeccd46350a3d
all runs: OK
# git bisect good 4066aa72f9f2886105c6f747d7f9bd4f14f53c12
Bisecting: 983 revisions left to test after this (roughly 10 steps)
[fd84b751ddb7dab7a8c22826e7bff85f3ff3f9a6] Merge tag 'drm-fixes-for-v4.15-rc6' of git://people.freedesktop.org/~airlied/linux
testing commit fd84b751ddb7dab7a8c22826e7bff85f3ff3f9a6 with gcc (GCC) 8.1.0
kernel signature: c806717d3aaabc32b28923ccd453294801ac2c96
all runs: crashed: kernel BUG at ADDR [verbose debug info unavailable]
# git bisect bad fd84b751ddb7dab7a8c22826e7bff85f3ff3f9a6
Bisecting: 433 revisions left to test after this (roughly 9 steps)
[7a3c296ae08f9b51e399074d8ef6867d65fbd22b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 7a3c296ae08f9b51e399074d8ef6867d65fbd22b with gcc (GCC) 8.1.0
net/wireless/shipped-certs.c:92:10: error: redefinition of ‘shipped_regdb_certs’
# git bisect skip 7a3c296ae08f9b51e399074d8ef6867d65fbd22b
Bisecting: 433 revisions left to test after this (roughly 9 steps)
[37e92a9d4fe38dc3e7308913575983a6a088c8d4] net/mlx5: Fix rate limit packet pacing naming and struct
testing commit 37e92a9d4fe38dc3e7308913575983a6a088c8d4 with gcc (GCC) 8.1.0
kernel signature: 5294d192bd954c280a7129c800629527dbec71b4
all runs: crashed: kernel BUG at ADDR [verbose debug info unavailable]
# git bisect bad 37e92a9d4fe38dc3e7308913575983a6a088c8d4
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[4e746cf4f721d6397bace501f5feadb46eec1314] Merge tag 'riscv-for-linus-4.15-rc4-riscv_fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/linux
testing commit 4e746cf4f721d6397bace501f5feadb46eec1314 with gcc (GCC) 8.1.0
kernel signature: b56510004d2571beadbf769147b830859fd71b6d
all runs: crashed: kernel BUG at ADDR [verbose debug info unavailable]
# git bisect bad 4e746cf4f721d6397bace501f5feadb46eec1314
Bisecting: 140 revisions left to test after this (roughly 7 steps)
[4ded3bec65a07343258ed8fd9d46483f032d866f] Merge tag 'keys-fixes-20171208' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into keys-for-linus
testing commit 4ded3bec65a07343258ed8fd9d46483f032d866f with gcc (GCC) 8.1.0
kernel signature: bacd5d65c360595b0e7a173777bc0eca3cd59fb8
all runs: crashed: kernel BUG at ADDR [verbose debug info unavailable]
# git bisect bad 4ded3bec65a07343258ed8fd9d46483f032d866f
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[03afb6e43aaf71e761c1e22d36c2670ef82f089a] Merge tag 'wireless-drivers-for-davem-2017-12-08' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
testing commit 03afb6e43aaf71e761c1e22d36c2670ef82f089a with gcc (GCC) 8.1.0
kernel signature: e4f46d87f3ca2c03fc031e87b57fb58273bf9dd6
all runs: crashed: kernel BUG at ADDR [verbose debug info unavailable]
# git bisect bad 03afb6e43aaf71e761c1e22d36c2670ef82f089a
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[a4abd7a80addb4a9547f7dfc7812566b60ec505c] usbnet: fix alignment for frames with no ethernet header
testing commit a4abd7a80addb4a9547f7dfc7812566b60ec505c with gcc (GCC) 8.1.0
kernel signature: 7406be8f11d77e0ee6f218f333eb0a80608c4b3b
all runs: crashed: kernel BUG at ADDR [verbose debug info unavailable]
# git bisect bad a4abd7a80addb4a9547f7dfc7812566b60ec505c
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[69c64866ce072dea1d1e59a0d61e0f66c0dffb76] dccp: CVE-2017-8824: use-after-free in DCCP code
testing commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 with gcc (GCC) 8.1.0
kernel signature: 97dcfbed7712b6972f72defd1be99a2c3c74054e
all runs: OK
# git bisect good 69c64866ce072dea1d1e59a0d61e0f66c0dffb76
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[30f1e59550363f6be28213393407ef225150e7fe] drivers: net: dsa: remove duplicate includes
testing commit 30f1e59550363f6be28213393407ef225150e7fe with gcc (GCC) 8.1.0
kernel signature: a070c4eb4ea7dcc20f4fc2534a9fe7e1068d66db
all runs: OK
# git bisect good 30f1e59550363f6be28213393407ef225150e7fe
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[3126aeec5313565bfa19e2dd8fd7e3c3390514cb] net: dsa: mv88e6xxx: Unregister MDIO bus on error path
testing commit 3126aeec5313565bfa19e2dd8fd7e3c3390514cb with gcc (GCC) 8.1.0
kernel signature: ddb9d24b9150109589c52b263a80224e25b380fe
all runs: OK
# git bisect good 3126aeec5313565bfa19e2dd8fd7e3c3390514cb
Bisecting: 1 revision left to test after this (roughly 1 step)
[6e237d099fac1f73a7b6d7287bb9191f29585a4e] netlink: Relax attr validation for fixed length types
testing commit 6e237d099fac1f73a7b6d7287bb9191f29585a4e with gcc (GCC) 8.1.0
kernel signature: 294586650ac251f2fd031fcdd412e8651d84b2b0
all runs: crashed: kernel BUG at ADDR [verbose debug info unavailable]
# git bisect bad 6e237d099fac1f73a7b6d7287bb9191f29585a4e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[74c4b656c3d92ec4c824ea1a4afd726b7b6568c8] adding missing rcu_read_unlock in ipxip6_rcv
testing commit 74c4b656c3d92ec4c824ea1a4afd726b7b6568c8 with gcc (GCC) 8.1.0
kernel signature: c6445b58a15f21b7220f8c35dda0bf5412fff675
all runs: OK
# git bisect good 74c4b656c3d92ec4c824ea1a4afd726b7b6568c8
6e237d099fac1f73a7b6d7287bb9191f29585a4e is the first bad commit
commit 6e237d099fac1f73a7b6d7287bb9191f29585a4e
Author: David Ahern <dsahern@gmail.com>
Date:   Wed Dec 6 20:09:12 2017 -0800

    netlink: Relax attr validation for fixed length types
    
    Commit 28033ae4e0f5 ("net: netlink: Update attr validation to require
    exact length for some types") requires attributes using types NLA_U* and
    NLA_S* to have an exact length. This change is exposing bugs in various
    userspace commands that are sending attributes with an invalid length
    (e.g., attribute has type NLA_U8 and userspace sends NLA_U32). While
    the commands are clearly broken and need to be fixed, users are arguing
    that the sudden change in enforcement is breaking older commands on
    newer kernels for use cases that otherwise "worked".
    
    Relax the validation to print a warning mesage similar to what is done
    for messages containing extra bytes after parsing.
    
    Fixes: 28033ae4e0f5 ("net: netlink: Update attr validation to require exact length for some types")
    Signed-off-by: David Ahern <dsahern@gmail.com>
    Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/nlattr.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
kernel signature:   294586650ac251f2fd031fcdd412e8651d84b2b0
previous signature: c6445b58a15f21b7220f8c35dda0bf5412fff675
revisions tested: 28, total time: 5h57m45.653065477s (build: 2h42m39.086643262s, test: 3h7m24.131809309s)
first bad commit: 6e237d099fac1f73a7b6d7287bb9191f29585a4e netlink: Relax attr validation for fixed length types
cc: ["adobriyan@gmail.com" "davem@davemloft.net" "dsahern@gmail.com" "ja@ssi.bg" "jhs@mojatatu.com" "johannes@sipsolutions.net" "linux-kernel@vger.kernel.org" "tgraf@suug.ch"]
crash: kernel BUG at ADDR [verbose debug info unavailable]
netlink: 'syz-executor.0': attribute type 4 has an invalid length.
netlink: 'syz-executor.0': attribute type 4 has an invalid length.
netlink: 'syz-executor.1': attribute type 4 has an invalid length.
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
------------[ cut here ]------------
Kernel BUG at 00000000ad06fdc8 [verbose debug info unavailable]
------------[ cut here ]------------
refcount_t overflow at refcount_add arch/x86/include/asm/refcount.h:43 [inline] in syz-executor.0[7339], uid/euid: 0/0
refcount_t overflow at skb_set_owner_w+0x20a/0x2f0 net/core/sock.c:1846 in syz-executor.0[7339], uid/euid: 0/0
WARNING: CPU: 1 PID: 7339 at kernel/panic.c:657 refcount_error_report+0x1a4/0x202 kernel/panic.c:653
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 7339 Comm: syz-executor.0 Not tainted 4.15.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x145/0x1e1 lib/dump_stack.c:53
 panic+0x1a9/0x34e kernel/panic.c:183
 __warn.cold.8+0x120/0x156 kernel/panic.c:547
 report_bug+0x1a3/0x230 lib/bug.c:184
 fixup_bug arch/x86/kernel/traps.c:177 [inline]
 do_error_trap+0x1bd/0x460 arch/x86/kernel/traps.c:295
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
 invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:930
RIP: 0010:refcount_error_report+0x1a4/0x202 kernel/panic.c:653
RSP: 0018:ffff8800984af290 EFLAGS: 00010282
RAX: 0000000000000059 RBX: ffff8800984af4b8 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff880098168cc8 RDI: ffffffff8a6711a0
RBP: ffff8800984af2c8 R08: ffff880098168ce8 R09: 0000000000000006
R10: 0000000000000000 R11: dffffc0000000000 R12: ffffffff8787d660
R13: 0000000000000000 R14: ffff880098168400 R15: ffff8800984af3d0
 ex_handler_refcount+0x10e/0x180 arch/x86/mm/extable.c:77
 fixup_exception+0x7c/0xb3 arch/x86/mm/extable.c:196
 do_trap_no_signal arch/x86/kernel/traps.c:208 [inline]
 do_trap+0x63/0x240 arch/x86/kernel/traps.c:257
 do_error_trap+0x159/0x460 arch/x86/kernel/traps.c:301
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
 invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:930
RIP: 0010:skb_set_owner_w+0x20a/0x2f0 net/core/sock.c:1847
RSP: 0018:ffff8800984af568 EFLAGS: 00010a82
RAX: 0000000000040100 RBX: ffff8800a8f3f2c0 RCX: ffff8800a074a9a4
RDX: 1ffff100151e7e74 RSI: ffff8800a074a740 RDI: ffff8800a8f3f3a0
RBP: ffff8800984af588 R08: ffffed0040aeb9a4 R09: ffff88020575cd00
R10: ffffed0040aeb9a3 R11: ffff88020575cd1f R12: ffff8800a074a740
R13: ffff8800a8f3f320 R14: ffff8800a8f3f2d8 R15: 0000000000035318
 sock_wmalloc+0x12f/0x1c0 net/core/sock.c:1932
 ip_append_page+0x55f/0xe90 net/ipv4/ip_output.c:1239
 udp_sendpage+0x1f7/0x490 net/ipv4/udp.c:1148
 inet_sendpage+0x16f/0x730 net/ipv4/af_inet.c:780
 kernel_sendpage+0x60/0xd0 net/socket.c:3364
 sock_sendpage+0x73/0xd0 net/socket.c:861
 pipe_to_sendpage+0x228/0x4e0 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:626
 splice_from_pipe+0x1a7/0x300 fs/splice.c:661
 generic_splice_sendpage+0x10/0x20 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 direct_splice_actor+0x104/0x1c0 fs/splice.c:1018
 splice_direct_to_actor+0x28a/0x7e0 fs/splice.c:973
 do_splice_direct+0x24d/0x550 fs/splice.c:1061
 do_sendfile+0x51e/0x1100 fs/read_write.c:1413
 SYSC_sendfile64 fs/read_write.c:1474 [inline]
 SyS_sendfile64+0x11e/0x140 fs/read_write.c:1460
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x45a679
RSP: 002b:00007f127a1b0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f127a1b1700 RCX: 000000000045a679
RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005
RBP: 00007ffc774c2700 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000010001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc774c259f R14: 00007f127a1b19c0 R15: 000000000075bfd4
Kernel Offset: disabled
Rebooting in 86400 seconds..