bisecting cause commit starting from c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
building syzkaller on 598ca6c8b8766304c3b2865e38f5f301c39bd299
testing commit c63ee2939dc1c6eee6c544af1b4ab441490bfe6e with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.84
testing commit c555efaf14026c7751fa68d87403a5eb5ae7dcaf with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.83
testing commit 7d8dbefc22ff71c12c5f63ab0c6de7f70d1f044a with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.82
testing commit 5ee93551c703f8fa1a6c414a7d08f956de311df3 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.81
testing commit ef244c3088856cf048c77231653b4c92a7b2213c with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.80
testing commit c3038e718a19fc596f7b1baba0f83d5146dc7784 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.79
testing commit dafd634415a7f9892a6fcc99c540fe567ab42c92 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.78
testing commit 58fce20645303bee01d74144ec00e405be43b1ca with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.77
testing commit 6cad9d0cf87b95b10f3f4d7826c2c15e45e2a277 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.76
testing commit 555161ee1b7a74e77ca70fd14ed8a5137c8108ac with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.75
testing commit d573e8a79f70404ba08623d1de7ea617d55092ac with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.74
testing commit dbc29aff8d04f134553326a0c533a442a1774041 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.73
testing commit db2d0b7c1dde59b93045a6d011f392fb04b276af with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.72
testing commit ee809c7e08956d737cb66454f5b6ca32cc0d9f26 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.71
testing commit e7d2672c66e4d3675570369bf20856296da312c4 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.70
testing commit 0fed55c248d98e70dd74f0942f64a139ba07f75d with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.69
testing commit 97ab07e11fbf55c86c3758e07ab295028bf17f94 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.68
testing commit def4c11b31312777a8db1f1083e0d4bc6c9bbef0 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.67
testing commit a5aa80588fcd5520ece36121c41b7d8e72245e33 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.66
testing commit 893af1c79e42e53af0da22165b46eea135af0613 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.65
testing commit cc4c818b2219c58af5f0ca59f3e9f02c48bc0b65 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.64
testing commit b3060a1a313ff7a545d658378f62fe9c250acdee with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.63
testing commit 9a9de33a9dfaaf6628d63c56d58ea5cbfe707739 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.62
testing commit 64f4694072aa4ac23eb9ad2feeb0a178d2a054da with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.61
testing commit 7250956f6eafc6edf2ad9a1cccaffb7f16c7b38d with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.60
testing commit be9b6782a9eb128a45b4d4fce556f7053234773d with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.59
testing commit 3bd837bfe431839a378e9d421af05b2e22a6d329 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.58
testing commit 7a6bfa08b938d33ba0a2b80d4f717d4f0dbf9170 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.57
testing commit 1a05924366694d17a36e6b086d5bba1a8d74b977 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.56
testing commit aec3002d07fd2564cd32e56f126fa6db14a168bb with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.55
testing commit 78778071092e60ab947a0ac99c6bb59aad304526 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.54
testing commit 63bbbcd8ed53c404649e0b4248c1e5d42c41ac97 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.53
testing commit 9f31eb60d7a23536bf3902d4dc602f10c822b79e with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.52
testing commit 6500aa436df40a46998f7a56a32e8199a3513e6d with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.51
testing commit 7aa823a959e1f50c0dab9e01c1940235eccc04cc with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.50
testing commit 768292d053619b2725b846ed2bf556bf40f43de2 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.49
testing commit bb7b450e61a1dbe2bfbe998a1afeda654c6a67e9 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.48
testing commit e109a984cf380b4b80418b7477c970bfeb428325 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.47
testing commit 0df021b2e841eded862ebc3b61532e7c73965535 with gcc (GCC) 8.1.0
all runs: crashed: BUG: corrupted list in proto_register
testing release v4.19.46
testing commit 8b2fc005825583918be22b7bea6c155061e2f18d with gcc (GCC) 8.1.0
all runs: crashed: BUG: corrupted list in proto_register
testing release v4.19.45
testing commit c3a0725977484ea2d7f17746d7e168d2b19f99a2 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.44
testing commit dafc674bbcb11c6a5c63b75be5873b118e2add17 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.43
testing commit 3351e9d39947881910230a73be77e6f29ab8b72e with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.42
testing commit 9c2556f428cfdbf9a18f4452c510aba93d224c8b with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.41
testing commit 21de7eb67cff193e92a4556ae282a994e69b8499 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.40
testing commit 1656b14572090df53ff096f158726c1d1355f5ca with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.39
testing commit ad119c970bbe966222eaeb063138e430a78ee27f with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.38
testing commit a03957ab0fd5d7d03b512a72ab9106a1749f556e with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.37
testing commit 19bb613acb9ad8e57593cad5118acaee117cc303 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.36
testing commit c98875d930e915d01e8c40c7d3c16f00b3c8abe1 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.35
testing commit 4b0e041c9dada60197efc1697928cd32c2c70cd2 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.34
testing commit 4d552acf337038028f7e2f63a927afb7adf65fc1 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.33
testing commit 4b3a3ab00fa7a951eb1d7568c71855e75fd5af85 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.32
testing commit 3a2156c839c75c24691e3c672a6d607b24b0c210 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.31
testing commit a2cddfe2ce6e9108341820fff8af46713685b2cb with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.30
testing commit 7794d352260604f02e7d446e632af2ca7fe8dda6 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.29
testing commit ce194fa2b267e2018f42442347d90df01c4071d6 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.28
testing commit 6a31767f84ad31445865f1297d49937319f775c3 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.27
testing commit adc2a008ae56d240e8dae0b6b7807876d51f9fc2 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.26
testing commit 51ea85abe794450e24352b970c33ed12f0e13a4c with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.25
testing commit eb1e5b1a64ee6526a7cdb22357dcafc6ba643fbe with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.24
testing commit f287634fe3211277f078092bf57dc2b2a2e38dda with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.23
testing commit 67d52fae61c152a68924d94dcf0c569a96fa2f5d with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.22
testing commit 6f8c14ee7b6f827aa6253fa24353fec7689506e5 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.21
testing commit 43d3d5141515dd201aa6d268e3c02fb7383769f6 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.20
testing commit 323e0195e63ff967a4fbdab7b17120f544ddc88f with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
testing release v4.19.19
testing commit dffbba4348e9686d6bf42d54eb0f2cd1c4fb3520 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 323e0195e63ff967a4fbdab7b17120f544ddc88f dffbba4348e9686d6bf42d54eb0f2cd1c4fb3520
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[7e3251667a1f0cafd0c278b0159e48585e5b6c68] iommu/vt-d: Fix memory leak in intel_iommu_put_resv_regions()
testing commit 7e3251667a1f0cafd0c278b0159e48585e5b6c68 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect bad 7e3251667a1f0cafd0c278b0159e48585e5b6c68
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[aafe74b726891386cd139d3432ec619ed5189b29] vhost: fix OOB in get_rx_bufs()
testing commit aafe74b726891386cd139d3432ec619ed5189b29 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good aafe74b726891386cd139d3432ec619ed5189b29
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[4c2e63dc645233d97853061c82b6e1a5b4cb36eb] virtio_net: Don't call free_old_xmit_skbs for xdp_frames
testing commit 4c2e63dc645233d97853061c82b6e1a5b4cb36eb with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect bad 4c2e63dc645233d97853061c82b6e1a5b4cb36eb
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[505e5f3d4623b35e3b538f7bdafd64d1d9c77b8d] ip6mr: Fix notifiers call on mroute_clean_tables()
testing commit 505e5f3d4623b35e3b538f7bdafd64d1d9c77b8d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 505e5f3d4623b35e3b538f7bdafd64d1d9c77b8d
Bisecting: 2 revisions left to test after this (roughly 1 step)
[cbf23d40cece0a1631c5b6b4bcc937f49650439f] sctp: set chunk transport correctly when it's a new asoc
testing commit cbf23d40cece0a1631c5b6b4bcc937f49650439f with gcc (GCC) 8.1.0
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect bad cbf23d40cece0a1631c5b6b4bcc937f49650439f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a188f568596595306004c6b3ab994c0aef8ad177] Revert "net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager"
testing commit a188f568596595306004c6b3ab994c0aef8ad177 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a188f568596595306004c6b3ab994c0aef8ad177
cbf23d40cece0a1631c5b6b4bcc937f49650439f is the first bad commit
commit cbf23d40cece0a1631c5b6b4bcc937f49650439f
Author: Xin Long
Date:   Tue Jan 22 02:42:09 2019 +0800

    sctp: set chunk transport correctly when it's a new asoc

    [ Upstream commit 4ff40b86262b73553ee47cc3784ce8ba0f220bd8 ]

    In the paths:

      sctp_sf_do_unexpected_init() -> sctp_make_init_ack()
      sctp_sf_do_dupcook_a/b()() -> sctp_sf_do_5_1D_ce()

    The new chunk 'retval' transport is set from the incoming chunk 'chunk'
    transport. However, 'retval' transport belong to the new asoc, which
    is a different one from 'chunk' transport's asoc.

    It will cause that the 'retval' chunk gets set with a wrong transport.
    Later when sending it and because of Commit b9fd683982c9 ("sctp: add
    sctp_packet_singleton"), sctp_packet_singleton() will set some fields,
    like vtag to 'retval' chunk from that wrong transport's asoc.

    This patch is to fix it by setting 'retval' transport correctly which
    belongs to the right asoc in sctp_make_init_ack() and
    sctp_sf_do_5_1D_ce().

    Fixes: b9fd683982c9 ("sctp: add sctp_packet_singleton")
    Reported-by: Ying Xu
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sctp/sm_make_chunk.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

revisions tested: 73, total time: 14h47m4.480835278s (build: 10h9m17.608899797s, test: 4h19m40.099838543s)
first bad commit: cbf23d40cece0a1631c5b6b4bcc937f49650439f sctp: set chunk transport correctly when it's a new asoc
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "linux-sctp@vger.kernel.org" "lucien.xin@gmail.com" "marcelo.leitner@gmail.com" "netdev@vger.kernel.org" "nhorman@tuxdriver.com" "vyasevich@gmail.com"]
crash: WARNING: refcount bug in sock_wfree
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
------------[ cut here ]------------
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
refcount_t: underflow; use-after-free.
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
WARNING: CPU: 0 PID: 7058 at lib/refcount.c:187 refcount_sub_and_test_checked+0x15a/0x180 lib/refcount.c:187
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 7058 Comm: syz-executor.3 Not tainted 4.19.19-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x109/0x157 lib/dump_stack.c:113
 panic+0x1c6/0x36e kernel/panic.c:185
 __warn.cold.8+0x1b/0x45 kernel/panic.c:540
 report_bug+0x1a4/0x200 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x200/0x350 arch/x86/kernel/traps.c:296
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
RIP: 0010:refcount_sub_and_test_checked+0x15a/0x180 lib/refcount.c:187
Code: c1 44 29 e0 85 c9 89 c3 74 88 80 3d 11 26 bf 05 00 74 04 31 c0 eb a9 48 c7 c7 60 3a fe 86 c6 05 fd 25 bf 05 01 e8 b9 c3 4b fe <0f> 0b 31 c0 eb 90 4c 89 ff e8 88 d6 a2 fe e9 2b ff ff ff e8 ae bd
RSP: 0018:ffff88807600f6d8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 00000000ffffff01 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff88808c854968 RDI: ffffffff89a5d660
RBP: ffff88807600f768 R08: ffff88808c854988 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000008100
R13: ffff88807600f740 R14: 1ffff1100ec01edc R15: ffff8880a44c09bc
 sock_wfree+0x9b/0x120 net/core/sock.c:1817
 sctp_wfree+0x345/0x910 net/sctp/socket.c:8482
 skb_release_head_state+0xfc/0x200 net/core/skbuff.c:612
 skb_release_all+0xd/0x50 net/core/skbuff.c:625
 __kfree_skb net/core/skbuff.c:641 [inline]
 consume_skb+0x91/0x270 net/core/skbuff.c:701
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1467 [inline]
 sctp_chunk_put+0x150/0x230 net/sctp/sm_make_chunk.c:1494
 sctp_chunk_free+0x3f/0x50 net/sctp/sm_make_chunk.c:1481
 __sctp_outq_teardown+0x1a2/0xc30 net/sctp/outqueue.c:234
 sctp_outq_free+0x9/0x10 net/sctp/outqueue.c:291
 sctp_association_free+0x1d5/0x711 net/sctp/associola.c:360
 sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:939 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1353 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x1b23/0x4ca0 net/sctp/sm_sideeffect.c:1191
 sctp_primitive_ABORT+0x7c/0xc0 net/sctp/primitive.c:119
 sctp_close+0x227/0x750 net/sctp/socket.c:1558
 inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:428
 __sock_release+0xc2/0x230 net/socket.c:579
 sock_close+0x10/0x20 net/socket.c:1141
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x407/0x4d0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4141d1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffdde9c3fa0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00000000004141d1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffdde9c4080 R11: 0000000000000293 R12: 000000000075bf20
R13: 000000000000ddbf R14: 0000000000761400 R15: 000000000075bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..