bisecting fixing commit since 01fd1694b93c92ad54fa684dac9c8068ecda8288 building syzkaller on bf6bcce4f2733d7869d2c73b437351a11d59c033 testing commit 01fd1694b93c92ad54fa684dac9c8068ecda8288 with gcc (GCC) 8.1.0 kernel signature: 5a749d10f6a2a077c8fe4228ac8959ecefe7b850 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rate testing current HEAD a844dc4c544291470aa69edbe2434b040794e269 testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0 kernel signature: b16e9c5459c7591f3559db140bd42126d2dc7379 all runs: OK # git bisect start a844dc4c544291470aa69edbe2434b040794e269 01fd1694b93c92ad54fa684dac9c8068ecda8288 Bisecting: 908 revisions left to test after this (roughly 10 steps) [0e65dac6c9ec068f9cc1902535207f9c8bc57948] ceph: add missing check in d_revalidate snapdir handling testing commit 0e65dac6c9ec068f9cc1902535207f9c8bc57948 with gcc (GCC) 8.1.0 kernel signature: fe2aff8125768fcac5c9980e0a5fb19e74b313a4 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rate # git bisect good 0e65dac6c9ec068f9cc1902535207f9c8bc57948 Bisecting: 454 revisions left to test after this (roughly 9 steps) [3dc925644961b2e71ee5c6a8f10c11bd5443290e] xfrm: use correct size to initialise sp->ovec testing commit 3dc925644961b2e71ee5c6a8f10c11bd5443290e with gcc (GCC) 8.1.0 kernel signature: 1b62ada3cf43a5dcfc866afe2aa5dc443912ff43 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rate # git bisect good 3dc925644961b2e71ee5c6a8f10c11bd5443290e Bisecting: 227 revisions left to test after this (roughly 8 steps) [2d4c3e5c180f0f91cdc41cf65675bd768401b584] media: imon: invalid dereference in imon_touch_event testing commit 2d4c3e5c180f0f91cdc41cf65675bd768401b584 with gcc (GCC) 8.1.0 kernel signature: e9448a78d1e82ff2728047a0ab9667bc3d37c5e0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect bad 2d4c3e5c180f0f91cdc41cf65675bd768401b584 Bisecting: 113 revisions left to test after this (roughly 7 steps) [27b1ef75f5794c743b5996ebcad807e0a71e2734] powerpc/pseries: Export raw per-CPU VPA data via debugfs testing commit 27b1ef75f5794c743b5996ebcad807e0a71e2734 with gcc (GCC) 8.1.0 kernel signature: 798ea0ce96fafb0d5000c3067205636695106b1b all runs: OK # git bisect bad 27b1ef75f5794c743b5996ebcad807e0a71e2734 Bisecting: 56 revisions left to test after this (roughly 6 steps) [0e52a00e450f065d8d48af0a15757d8de9fbe821] mwifiex: Fix NL80211_TX_POWER_LIMITED testing commit 0e52a00e450f065d8d48af0a15757d8de9fbe821 with gcc (GCC) 8.1.0 kernel signature: 100f8bcea9112138c635079c23a2033d7b2beba8 all runs: OK # git bisect bad 0e52a00e450f065d8d48af0a15757d8de9fbe821 Bisecting: 27 revisions left to test after this (roughly 5 steps) [b72443ac86e762f31681861dac3f6b4e58ee7e38] netfilter: nft_compat: do not dump private area testing commit b72443ac86e762f31681861dac3f6b4e58ee7e38 with gcc (GCC) 8.1.0 kernel signature: 892b617d7973987ac8fcb3f11a8ec9120208af66 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rate # git bisect good b72443ac86e762f31681861dac3f6b4e58ee7e38 Bisecting: 13 revisions left to test after this (roughly 4 steps) [561f9a0fb445f23543cff7eaa0ad38f363362f9c] sfc: Only cancel the PPS workqueue if it exists testing commit 561f9a0fb445f23543cff7eaa0ad38f363362f9c with gcc (GCC) 8.1.0 kernel signature: 6514ebf97052e09f3d5eb633399a199ed24b6d04 all runs: OK # git bisect bad 561f9a0fb445f23543cff7eaa0ad38f363362f9c Bisecting: 6 revisions left to test after this (roughly 3 steps) [1dee3a3efdb877419639f3cafb1f91cfcf9c11ab] ARM: dts: omap5: Fix dual-role mode on Super-Speed port testing commit 1dee3a3efdb877419639f3cafb1f91cfcf9c11ab with gcc (GCC) 8.1.0 kernel signature: cd228b01781885fadbd35c0e6fc89de1eee2a796 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rate # git bisect good 1dee3a3efdb877419639f3cafb1f91cfcf9c11ab Bisecting: 3 revisions left to test after this (roughly 2 steps) [ee2df37dd9a392260387c6d392d053c8f0538c0f] mmc: tmio: fix SCC error handling to avoid false positive CRC error testing commit ee2df37dd9a392260387c6d392d053c8f0538c0f with gcc (GCC) 8.1.0 kernel signature: fd2960bfd92e01b034758eec451ba3f8a114e5ff all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rate # git bisect good ee2df37dd9a392260387c6d392d053c8f0538c0f Bisecting: 1 revision left to test after this (roughly 1 step) [08265ef6179e82ca70d5712223d568f725f371fb] net/mlx4_en: fix mlx4 ethtool -N insertion testing commit 08265ef6179e82ca70d5712223d568f725f371fb with gcc (GCC) 8.1.0 kernel signature: 7c56d8cdfeca836264fc4bb0d61a8093fc7bd8f4 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_rate # git bisect good 08265ef6179e82ca70d5712223d568f725f371fb Bisecting: 0 revisions left to test after this (roughly 0 steps) [9ed49fc95f37a457d940324c033c20d85cefb930] net: rtnetlink: prevent underflows in do_setvfinfo() testing commit 9ed49fc95f37a457d940324c033c20d85cefb930 with gcc (GCC) 8.1.0 kernel signature: c40c772db70502854bed0633a113a27fdf8aa905 all runs: OK # git bisect bad 9ed49fc95f37a457d940324c033c20d85cefb930 9ed49fc95f37a457d940324c033c20d85cefb930 is the first bad commit commit 9ed49fc95f37a457d940324c033c20d85cefb930 Author: Dan Carpenter Date: Wed Nov 20 15:34:38 2019 +0300 net: rtnetlink: prevent underflows in do_setvfinfo() [ Upstream commit d658c8f56ec7b3de8051a24afb25da9ba3c388c5 ] The "ivm->vf" variable is a u32, but the problem is that a number of drivers cast it to an int and then forget to check for negatives. An example of this is in the cxgb4 driver. drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c 2890 static int cxgb4_mgmt_get_vf_config(struct net_device *dev, 2891 int vf, struct ifla_vf_info *ivi) ^^^^^^ 2892 { 2893 struct port_info *pi = netdev_priv(dev); 2894 struct adapter *adap = pi->adapter; 2895 struct vf_info *vfinfo; 2896 2897 if (vf >= adap->num_vfs) ^^^^^^^^^^^^^^^^^^^ 2898 return -EINVAL; 2899 vfinfo = &adap->vfinfo[vf]; ^^^^^^^^^^^^^^^^^^^^^^^^^^ There are 48 functions affected. drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646' drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646' Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman net/core/rtnetlink.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) kernel signature: c40c772db70502854bed0633a113a27fdf8aa905 previous signature: 7c56d8cdfeca836264fc4bb0d61a8093fc7bd8f4 revisions tested: 13, total time: 3h9m28.211844567s (build: 1h43m46.100944623s, test: 1h24m31.815774587s) first good commit: 9ed49fc95f37a457d940324c033c20d85cefb930 net: rtnetlink: prevent underflows in do_setvfinfo() cc: ["dan.carpenter@oracle.com" "davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org" "idosch@mellanox.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]