bisecting fixing commit since 1752938529c614a8ed4432ecce6ebc95d3b87207
building syzkaller on 5cc121d679e3f161f29503eeba9288431b6d644d
testing commit 1752938529c614a8ed4432ecce6ebc95d3b87207 with gcc (GCC) 8.4.1 20210217
kernel signature: 860611cee61a5449b0a7a8e247474f85f41dcfd17757ab521d3d9638e57630ad
run #0: crashed: possible deadlock in red_adaptative_timer
run #1: crashed: possible deadlock in red_change
run #2: crashed: possible deadlock in red_change
run #3: crashed: possible deadlock in red_adaptative_timer
run #4: crashed: possible deadlock in red_change
run #5: crashed: possible deadlock in red_change
run #6: crashed: possible deadlock in red_change
run #7: crashed: possible deadlock in red_change
run #8: crashed: possible deadlock in red_change
run #9: crashed: possible deadlock in red_change
run #10: crashed: possible deadlock in red_change
run #11: crashed: possible deadlock in red_change
run #12: crashed: possible deadlock in red_change
run #13: crashed: possible deadlock in red_change
run #14: crashed: possible deadlock in red_change
run #15: crashed: possible deadlock in red_change
run #16: crashed: possible deadlock in red_adaptative_timer
run #17: crashed: possible deadlock in red_change
run #18: crashed: possible deadlock in red_adaptative_timer
run #19: crashed: possible deadlock in red_adaptative_timer
testing current HEAD cf256fbcbe347b7d0ff58fe2dfa382a156bd3694
testing commit cf256fbcbe347b7d0ff58fe2dfa382a156bd3694 with gcc (GCC) 8.4.1 20210217
kernel signature: befabd4af02442c16002cfeb59b02e7c2a53a9e0249460f768e1626a5be6b87b
all runs: OK
# git bisect start cf256fbcbe347b7d0ff58fe2dfa382a156bd3694 1752938529c614a8ed4432ecce6ebc95d3b87207
Bisecting: 463 revisions left to test after this (roughly 9 steps)
[04cb57e6e760413c2013dbe7656f2ceddb5b35fe] i40e: Fix overwriting flow control settings during driver loading
testing commit 04cb57e6e760413c2013dbe7656f2ceddb5b35fe with gcc (GCC) 8.4.1 20210217
kernel signature: 05a8d242aa5c46467c0988a76f3aa9e3b6891621e9eea5b6d812caa7dc56dcc8
run #0: crashed: possible deadlock in red_adaptative_timer
run #1: crashed: possible deadlock in red_change
run #2: crashed: possible deadlock in red_change
run #3: crashed: possible deadlock in red_change
run #4: crashed: possible deadlock in red_change
run #5: crashed: possible deadlock in red_adaptative_timer
run #6: crashed: possible deadlock in red_adaptative_timer
run #7: crashed: possible deadlock in red_change
run #8: crashed: possible deadlock in red_change
run #9: crashed: possible deadlock in red_change
# git bisect good 04cb57e6e760413c2013dbe7656f2ceddb5b35fe
Bisecting: 231 revisions left to test after this (roughly 8 steps)
[e95a27359babea91956331539849e730378e505f] tools build feature: Check if get_current_dir_name() is available
testing commit e95a27359babea91956331539849e730378e505f with gcc (GCC) 8.4.1 20210217
kernel signature: 24ec1c8273602be04a281c222cee6fbdf9a3a7f42a89731406d2ca20a5a02ad5
all runs: crashed: possible deadlock in red_change
# git bisect good e95a27359babea91956331539849e730378e505f
Bisecting: 115 revisions left to test after this (roughly 7 steps)
[462634ba1a0d1208635a2185f4aa5d79e19ae13d] net: wan/lmc: unregister device when no matching device is found
testing commit 462634ba1a0d1208635a2185f4aa5d79e19ae13d with gcc (GCC) 8.4.1 20210217
kernel signature: ea6d00db08ffde48ab8a9828ee1a765e27cad2fc4e6d74f2c53b75c6cd1ece14
all runs: OK
# git bisect bad 462634ba1a0d1208635a2185f4aa5d79e19ae13d
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[f3f23501d325e8c1e607cafd3eefb3d4f67cf424] arm64: dts: ls1012a: mark crypto engine dma coherent
testing commit f3f23501d325e8c1e607cafd3eefb3d4f67cf424 with gcc (GCC) 8.4.1 20210217
kernel signature: 78c2e3c212ad60b96a2f6c727c3e905375da5ac8560f64820da0fba0f27ce2dc
run #0: crashed: possible deadlock in red_change
run #1: crashed: possible deadlock in red_change
run #2: crashed: possible deadlock in red_change
run #3: crashed: possible deadlock in red_adaptative_timer
run #4: crashed: possible deadlock in red_adaptative_timer
run #5: crashed: possible deadlock in red_change
run #6: crashed: possible deadlock in red_change
run #7: crashed: possible deadlock in red_adaptative_timer
run #8: crashed: possible deadlock in red_change
run #9: crashed: possible deadlock in red_change
# git bisect good f3f23501d325e8c1e607cafd3eefb3d4f67cf424
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[2f2095844840ec62e25f51c6fa6ec21e12b2af33] can: dev: Move device back to init netns on owning netns delete
testing commit 2f2095844840ec62e25f51c6fa6ec21e12b2af33 with gcc (GCC) 8.4.1 20210217
kernel signature: fa912c0b0cc3c079f84cce9696dbeb0d095f2feee4d87d5624f6dc1070a0b49b
run #0: crashed: possible deadlock in red_change
run #1: crashed: possible deadlock in red_change
run #2: crashed: possible deadlock in red_adaptative_timer
run #3: crashed: possible deadlock in red_change
run #4: crashed: possible deadlock in red_change
run #5: crashed: possible deadlock in red_change
run #6: crashed: possible deadlock in red_change
run #7: crashed: possible deadlock in red_change
run #8: crashed: possible deadlock in red_change
run #9: crashed: possible deadlock in red_change
# git bisect good 2f2095844840ec62e25f51c6fa6ec21e12b2af33
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[f83e0ef9939e7a90bceef25f9ba39d07be876546] ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe
testing commit f83e0ef9939e7a90bceef25f9ba39d07be876546 with gcc (GCC) 8.4.1 20210217
kernel signature: 580e48dc0742b5b703f1511c36517b59f7fa414c2f4529a1a9f0e76bb1ce3053
all runs: OK
# git bisect bad f83e0ef9939e7a90bceef25f9ba39d07be876546
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[bd634aa6416382439890b78f7be0023020a86207] Linux 4.14.228
testing commit bd634aa6416382439890b78f7be0023020a86207 with gcc (GCC) 8.4.1 20210217
kernel signature: 251b69151fd840622191bca897694e9eec3c9e3cdc7e5a245777a4453e6e64e2
all runs: OK
# git bisect bad bd634aa6416382439890b78f7be0023020a86207
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[d2ddd5417f6d5be4421068434408e716787cf1b3] mac80211: fix double free in ibss_leave
testing commit d2ddd5417f6d5be4421068434408e716787cf1b3 with gcc (GCC) 8.4.1 20210217
kernel signature: 15268926964ea5cb0d2ffe1745eb5e67e529bcfe3ad54fd6ff8c39a3e187ad52
all runs: OK
# git bisect bad d2ddd5417f6d5be4421068434408e716787cf1b3
Bisecting: 0 revisions left to test after this (roughly 1 step)
[749d2e33bfbacb3112cbfaafde75e507cb46c67d] net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()
testing commit 749d2e33bfbacb3112cbfaafde75e507cb46c67d with gcc (GCC) 8.4.1 20210217
kernel signature: 2ab8e70c9a179ca4208641edd801e02b3788ef861ec78f10c5683ffa35dc00c6
all runs: OK
# git bisect bad 749d2e33bfbacb3112cbfaafde75e507cb46c67d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[43c9bffda3a21f363c0beab06f24c1974e1d4b9f] net: sched: validate stab values
testing commit 43c9bffda3a21f363c0beab06f24c1974e1d4b9f with gcc (GCC) 8.4.1 20210217
kernel signature: 2ab8e70c9a179ca4208641edd801e02b3788ef861ec78f10c5683ffa35dc00c6
all runs: OK
# git bisect bad 43c9bffda3a21f363c0beab06f24c1974e1d4b9f
43c9bffda3a21f363c0beab06f24c1974e1d4b9f is the first bad commit
commit 43c9bffda3a21f363c0beab06f24c1974e1d4b9f
Author: Eric Dumazet
Date: Wed Mar 10 08:26:41 2021 -0800

    net: sched: validate stab values

    commit e323d865b36134e8c5c82c834df89109a5c60dab upstream.

    iproute2 package is well behaved, but malicious user space can
    provide illegal shift values and trigger UBSAN reports.

    Add stab parameter to red_check_params() to validate user input.

    syzbot reported:

    UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18
    shift exponent 111 is too large for 64-bit type 'long unsigned int'
    CPU: 1 PID: 14662 Comm: syz-executor.3 Not tainted 5.12.0-rc2-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:79 [inline]
     dump_stack+0x141/0x1d7 lib/dump_stack.c:120
     ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
     __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
     red_calc_qavg_from_idle_time include/net/red.h:312 [inline]
     red_calc_qavg include/net/red.h:353 [inline]
     choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221
     __dev_xmit_skb net/core/dev.c:3837 [inline]
     __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150
     neigh_hh_output include/net/neighbour.h:499 [inline]
     neigh_output include/net/neighbour.h:508 [inline]
     ip6_finish_output2+0x911/0x1700 net/ipv6/ip6_output.c:117
     __ip6_finish_output net/ipv6/ip6_output.c:182 [inline]
     __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161
     ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192
     NF_HOOK_COND include/linux/netfilter.h:290 [inline]
     ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215
     dst_output include/net/dst.h:448 [inline]
     NF_HOOK include/linux/netfilter.h:301 [inline]
     NF_HOOK include/linux/netfilter.h:295 [inline]
     ip6_xmit+0x127e/0x1eb0 net/ipv6/ip6_output.c:320
     inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135
     dccp_transmit_skb+0x973/0x12c0 net/dccp/output.c:138
     dccp_send_reset+0x21b/0x2b0 net/dccp/output.c:535
     dccp_finish_passive_close net/dccp/proto.c:123 [inline]
     dccp_finish_passive_close+0xed/0x140 net/dccp/proto.c:118
     dccp_terminate_connection net/dccp/proto.c:958 [inline]
     dccp_close+0xb3c/0xe60 net/dccp/proto.c:1028
     inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
     inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478
     __sock_release+0xcd/0x280 net/socket.c:599
     sock_close+0x18/0x20 net/socket.c:1258
     __fput+0x288/0x920 fs/file_table.c:280
     task_work_run+0xdd/0x1a0 kernel/task_work.c:140
     tracehook_notify_resume include/linux/tracehook.h:189 [inline]

    Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 include/net/red.h     | 10 +++++++++-
 net/sched/sch_choke.c |  7 ++++---
 net/sched/sch_gred.c  |  2 +-
 net/sched/sch_red.c   |  7 +++++--
 net/sched/sch_sfq.c   |  2 +-
 5 files changed, 20 insertions(+), 8 deletions(-)
culprit signature: 2ab8e70c9a179ca4208641edd801e02b3788ef861ec78f10c5683ffa35dc00c6
parent signature: fa912c0b0cc3c079f84cce9696dbeb0d095f2feee4d87d5624f6dc1070a0b49b
revisions tested: 12, total time: 3h1m7.271899694s (build: 1h27m23.074828068s, test: 1h32m47.080770169s)
first good commit: 43c9bffda3a21f363c0beab06f24c1974e1d4b9f net: sched: validate stab values
recipients (to): ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org"]
recipients (cc): []