bisecting fixing commit since c3038e718a19fc596f7b1baba0f83d5146dc7784
building syzkaller on 8c88c9c1c99c8cd8dabc951164c820b9c9f25114
testing commit c3038e718a19fc596f7b1baba0f83d5146dc7784 with gcc (GCC) 8.4.1 20210217
kernel signature: 0fa92837df84da43c02f458f7b97cb306071644785b52830bb15eeaa9f1e2568
all runs: crashed: BUG: sleeping function called from invalid context in htb_destroy
testing current HEAD 2965db2e004cf9c92b87c1f559e9812c0ae878c1
testing commit 2965db2e004cf9c92b87c1f559e9812c0ae878c1 with gcc (GCC) 8.4.1 20210217
kernel signature: 14bc1fe19aae170e00dfe5fb53b2e7632e1464b9d851b4cb7f423129ec08257c
all runs: OK
# git bisect start 2965db2e004cf9c92b87c1f559e9812c0ae878c1 c3038e718a19fc596f7b1baba0f83d5146dc7784
Bisecting: 5193 revisions left to test after this (roughly 12 steps)
[1c7259f744826151d74af4b63fc07e5300f87e57] f2fs: fix NULL pointer dereference in f2fs_write_begin()
testing commit 1c7259f744826151d74af4b63fc07e5300f87e57 with gcc (GCC) 8.4.1 20210217
kernel signature: ae83514633bc8bd7e1ecaa9edcee44db0bd4e798e8bce565740c5b526b684490
all runs: crashed: BUG: sleeping function called from invalid context in htb_destroy
# git bisect good 1c7259f744826151d74af4b63fc07e5300f87e57
Bisecting: 2596 revisions left to test after this (roughly 11 steps)
[1e6a4232befee0c3dbd201f8a50b5c333498f259] net: openvswitch: use div_u64() for 64-by-32 divisions
testing commit 1e6a4232befee0c3dbd201f8a50b5c333498f259 with gcc (GCC) 8.4.1 20210217
kernel signature: 7a60f7b3f91305b759572859698a6b3425eb4e243659c7cd9b3b6dbe8083f49b
all runs: crashed: BUG: sleeping function called from invalid context in htb_destroy
# git bisect good 1e6a4232befee0c3dbd201f8a50b5c333498f259
Bisecting: 1298 revisions left to test after this (roughly 10 steps)
[7f3547b3eb0477b14b9ce95a99395503c6b616c7] s390/smp: perform initial CPU reset also for SMT siblings
testing commit 7f3547b3eb0477b14b9ce95a99395503c6b616c7 with gcc (GCC) 8.4.1 20210217
kernel signature: 0b4b2b66019fd2e1173f3e9abff657d9fc6adc4860edefc1d568543d2202155d
all runs: crashed: BUG: sleeping function called from invalid context in htb_destroy
# git bisect good 7f3547b3eb0477b14b9ce95a99395503c6b616c7
Bisecting: 649 revisions left to test after this (roughly 9 steps)
[274b959307bd393c771f4bcc62262a5b5fa25032] ata: ahci_brcm: Add back regulators management
testing commit 274b959307bd393c771f4bcc62262a5b5fa25032 with gcc (GCC) 8.4.1 20210217
kernel signature: 893afdcf38b842984c75c91683e100ede91026014ce03c27335b184ae9187a1b
all runs: crashed: BUG: sleeping function called from invalid context in htb_destroy
# git bisect good 274b959307bd393c771f4bcc62262a5b5fa25032
Bisecting: 324 revisions left to test after this (roughly 8 steps)
[1d7056fa8b0830225d28857b048e0ad1755e241f] USB: serial: io_edgeport: fix memory leak in edge_startup
testing commit 1d7056fa8b0830225d28857b048e0ad1755e241f with gcc (GCC) 8.4.1 20210217
kernel signature: 156c8db693f22c02ed95cedd278d0da3b3fa5848e8f4f147e115476da3b97128
all runs: crashed: BUG: sleeping function called from invalid context in htb_destroy
# git bisect good 1d7056fa8b0830225d28857b048e0ad1755e241f
Bisecting: 162 revisions left to test after this (roughly 7 steps)
[00e17e57a3c724874bd40710f3ad2528045d5711] can: dev: Move device back to init netns on owning netns delete
testing commit 00e17e57a3c724874bd40710f3ad2528045d5711 with gcc (GCC) 8.4.1 20210217
kernel signature: dce8b570bbfbcbcfa305e0a4755d9a3e5fd101b41cec57a7a3318121cc6230a8
all runs: crashed: BUG: sleeping function called from invalid context in htb_destroy
# git bisect good 00e17e57a3c724874bd40710f3ad2528045d5711
Bisecting: 81 revisions left to test after this (roughly 6 steps)
[b97ed64cf80b072cb765c3b9389a7f19df2dd595] init/Kconfig: make COMPILE_TEST depend on !S390
testing commit b97ed64cf80b072cb765c3b9389a7f19df2dd595 with gcc (GCC) 8.4.1 20210217
kernel signature: 871e33036a2064235a7709ba8615954660cee794acaa30c7c96a82178a391236
all runs: OK
# git bisect bad b97ed64cf80b072cb765c3b9389a7f19df2dd595
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[5f40a359356b05ec28a802d6c60babdee3f90e44] PM: runtime: Fix ordering in pm_runtime_get_suppliers()
testing commit 5f40a359356b05ec28a802d6c60babdee3f90e44 with gcc (GCC) 8.4.1 20210217
kernel signature: 3b918d286087c6049d754ac9f8ecd7394d29b59fa55b7318a67d96ff094fb142
all runs: OK
# git bisect bad 5f40a359356b05ec28a802d6c60babdee3f90e44
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[f5b401fa295c7903d3a4f4a2f931ce5a35704ef3] ASoC: cs42l42: Always wait at least 3ms after reset
testing commit f5b401fa295c7903d3a4f4a2f931ce5a35704ef3 with gcc (GCC) 8.4.1 20210217
kernel signature: c3078e0a262ef9a7ec972d744f294e218d1c521e2b11ef2c86d74b7813d59d7f
all runs: OK
# git bisect bad f5b401fa295c7903d3a4f4a2f931ce5a35704ef3
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[1cf636535f7a7f440559724a7b11bb505776e410] ipv6: weaken the v4mapped source check
testing commit 1cf636535f7a7f440559724a7b11bb505776e410 with gcc (GCC) 8.4.1 20210217
kernel signature: 7d2716688e2679377896939cc6d13728cc850efa2c967edf4e8aca8bd7b9f2ba
all runs: OK
# git bisect bad 1cf636535f7a7f440559724a7b11bb505776e410
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[b707fabecefaf47813d6a980a55c64558bc9cd82] can: peak_usb: Revert "can: peak_usb: add forgotten supported devices"
testing commit b707fabecefaf47813d6a980a55c64558bc9cd82 with gcc (GCC) 8.4.1 20210217
kernel signature: 47546ed6d08b2c893efdc1252909dc21676ca5e83336abf42aea5215efc7af0e
all runs: OK
# git bisect bad b707fabecefaf47813d6a980a55c64558bc9cd82
Bisecting: 2 revisions left to test after this (roughly 1 step)
[5f09be2a1a35cb8bd6c178d5f205b7265bd68646] net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()
testing commit 5f09be2a1a35cb8bd6c178d5f205b7265bd68646 with gcc (GCC) 8.4.1 20210217
kernel signature: b5f7c066bb598d7c1bf32b6305d0ca96c83d9e995a9fafae4db780fc444ffcd4
all runs: OK
# git bisect bad 5f09be2a1a35cb8bd6c178d5f205b7265bd68646
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[66f6f4094ff2c7313b7eff8bfe1e4966c0b70b83] net: sched: validate stab values
testing commit 66f6f4094ff2c7313b7eff8bfe1e4966c0b70b83 with gcc (GCC) 8.4.1 20210217
kernel signature: b5f7c066bb598d7c1bf32b6305d0ca96c83d9e995a9fafae4db780fc444ffcd4
all runs: OK
# git bisect bad 66f6f4094ff2c7313b7eff8bfe1e4966c0b70b83
66f6f4094ff2c7313b7eff8bfe1e4966c0b70b83 is the first bad commit
commit 66f6f4094ff2c7313b7eff8bfe1e4966c0b70b83
Author: Eric Dumazet
Date:   Wed Mar 10 08:26:41 2021 -0800

    net: sched: validate stab values

    commit e323d865b36134e8c5c82c834df89109a5c60dab upstream.

    iproute2 package is well behaved, but malicious user space can
    provide illegal shift values and trigger UBSAN reports.

    Add stab parameter to red_check_params() to validate user input.

    syzbot reported:

    UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18
    shift exponent 111 is too large for 64-bit type 'long unsigned int'
    CPU: 1 PID: 14662 Comm: syz-executor.3 Not tainted 5.12.0-rc2-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:79 [inline]
     dump_stack+0x141/0x1d7 lib/dump_stack.c:120
     ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
     __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
     red_calc_qavg_from_idle_time include/net/red.h:312 [inline]
     red_calc_qavg include/net/red.h:353 [inline]
     choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221
     __dev_xmit_skb net/core/dev.c:3837 [inline]
     __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150
     neigh_hh_output include/net/neighbour.h:499 [inline]
     neigh_output include/net/neighbour.h:508 [inline]
     ip6_finish_output2+0x911/0x1700 net/ipv6/ip6_output.c:117
     __ip6_finish_output net/ipv6/ip6_output.c:182 [inline]
     __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161
     ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192
     NF_HOOK_COND include/linux/netfilter.h:290 [inline]
     ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215
     dst_output include/net/dst.h:448 [inline]
     NF_HOOK include/linux/netfilter.h:301 [inline]
     NF_HOOK include/linux/netfilter.h:295 [inline]
     ip6_xmit+0x127e/0x1eb0 net/ipv6/ip6_output.c:320
     inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135
     dccp_transmit_skb+0x973/0x12c0 net/dccp/output.c:138
     dccp_send_reset+0x21b/0x2b0 net/dccp/output.c:535
     dccp_finish_passive_close net/dccp/proto.c:123 [inline]
     dccp_finish_passive_close+0xed/0x140 net/dccp/proto.c:118
     dccp_terminate_connection net/dccp/proto.c:958 [inline]
     dccp_close+0xb3c/0xe60 net/dccp/proto.c:1028
     inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
     inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478
     __sock_release+0xcd/0x280 net/socket.c:599
     sock_close+0x18/0x20 net/socket.c:1258
     __fput+0x288/0x920 fs/file_table.c:280
     task_work_run+0xdd/0x1a0 kernel/task_work.c:140
     tracehook_notify_resume include/linux/tracehook.h:189 [inline]

    Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 include/net/red.h     | 10 +++++++++-
 net/sched/sch_choke.c | 7 ++++---
 net/sched/sch_gred.c  | 2 +-
 net/sched/sch_red.c   | 7 +++++--
 net/sched/sch_sfq.c   | 2 +-
 5 files changed, 20 insertions(+), 8 deletions(-)
culprit signature: b5f7c066bb598d7c1bf32b6305d0ca96c83d9e995a9fafae4db780fc444ffcd4
parent signature: dce8b570bbfbcbcfa305e0a4755d9a3e5fd101b41cec57a7a3318121cc6230a8
revisions tested: 15, total time: 3h29m42.310937134s (build: 2h0m11.793578508s, test: 1h27m58.240414826s)
first good commit: 66f6f4094ff2c7313b7eff8bfe1e4966c0b70b83 net: sched: validate stab values
recipients (to): ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org"]
recipients (cc): []