bisecting cause commit starting from 9322c47b21b9e05d7f9c037aa2c472e9f0dc7f3b
building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7
testing commit 9322c47b21b9e05d7f9c037aa2c472e9f0dc7f3b with gcc (GCC) 8.1.0
kernel signature: bccd66272e4b86cf4f59b57af5ed50def7f9b7d216c19887acc954b85fde2d35
all runs: crashed: WARNING: refcount bug in qrtr_node_lookup
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 2698a4a73d073de9d65e5c17b27b91adff848145fd9460f5ac8048c68744afea
run #0: crashed: WARNING: refcount bug in qrtr_node_lookup
run #1: crashed: WARNING: refcount bug in qrtr_node_lookup
run #2: crashed: WARNING: refcount bug in qrtr_node_lookup
run #3: crashed: WARNING: refcount bug in qrtr_node_lookup
run #4: crashed: WARNING: refcount bug in qrtr_node_lookup
run #5: crashed: WARNING: refcount bug in qrtr_node_lookup
run #6: crashed: WARNING: refcount bug in qrtr_node_lookup
run #7: crashed: WARNING: refcount bug in qrtr_node_lookup
run #8: crashed: WARNING: refcount bug in qrtr_node_lookup
run #9: boot failed: can't ssh into the instance
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: f38a1ba3f4bb82832a62d0d92b7c49bafb856572571a93b04ed6750f8988097a
all runs: OK
# git bisect start bcf876870b95592b52519ed4aafcf9d95999bc9c 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
Bisecting: 8752 revisions left to test after this (roughly 13 steps)
[694b5a5d313f3997764b67d52bab66ec7e59e714] Merge tag 'arm-soc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 694b5a5d313f3997764b67d52bab66ec7e59e714 with gcc (GCC) 8.1.0
kernel signature: 57bc641d7899bc75963a9d50df365c6e6e160a36e573032d9eed520bbc78ecb6
all runs: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect bad 694b5a5d313f3997764b67d52bab66ec7e59e714
Bisecting: 4417 revisions left to test after this (roughly 12 steps)
[2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63] Merge branch 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 with gcc (GCC) 8.1.0
kernel signature: 2efa6e1fbe515ba4af75c6a58b3907f355d3cde5df36aba15bffd8c1cfb3471d
all runs: OK
# git bisect good 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63
Bisecting: 2208 revisions left to test after this (roughly 11 steps)
[5df42c8267418bfb8da54cc4772b397ea4c88aea] ice: fix MAC write command
testing commit 5df42c8267418bfb8da54cc4772b397ea4c88aea with gcc (GCC) 8.1.0
kernel signature: 828ba4e574b92d74c80a844dcd5e766495738589840d8e041193389573208911
all runs: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect bad 5df42c8267418bfb8da54cc4772b397ea4c88aea
Bisecting: 1095 revisions left to test after this (roughly 10 steps)
[5d9e4722c74e8868d5fe2f8749de80928eb4a1d1] Merge tag 'wireless-drivers-next-2020-05-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1 with gcc (GCC) 8.1.0
kernel signature: 0e8bf252be412e44462a4ffef5d042a55f840057cab468cd48071d4b4dff95b0
all runs: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect bad 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1
Bisecting: 556 revisions left to test after this (roughly 9 steps)
[da4063bdfcfa70ec57a6c25f772ac6378b1584ad] netlink: allow NLA_MSECS to have range validation
testing commit da4063bdfcfa70ec57a6c25f772ac6378b1584ad with gcc (GCC) 8.1.0
kernel signature: 746cf2c65aa46ac31457142e99a03481eba82105168baa90b15d836a107681ab
all runs: OK
# git bisect good da4063bdfcfa70ec57a6c25f772ac6378b1584ad
Bisecting: 278 revisions left to test after this (roughly 8 steps)
[58618ef85546726cf27c38ddc1b022c703b7a6ad] net: nxp: Fix use correct return type for ndo_start_xmit()
testing commit 58618ef85546726cf27c38ddc1b022c703b7a6ad with gcc (GCC) 8.1.0
kernel signature: d78ab1ace6b0243f72b5fc96e1247e83eaaf48338c71687958e2cd8555a65f71
all runs: OK
# git bisect good 58618ef85546726cf27c38ddc1b022c703b7a6ad
Bisecting: 150 revisions left to test after this (roughly 7 steps)
[cbb1404f65414130fb89e52a97b9d853d303dc5c] rtlwifi: rtl8188ee: remove Comparison to bool in rf.c
testing commit cbb1404f65414130fb89e52a97b9d853d303dc5c with gcc (GCC) 8.1.0
kernel signature: 37ba5e6fd7b286326087308cc8d897e897bfea3ab201eb2d378253473943e555
all runs: OK
# git bisect good cbb1404f65414130fb89e52a97b9d853d303dc5c
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[f30dcb7dcb1aa925dfc83923c580a53c975b754b] net: ipa: kill ipa_endpoint_stop()
testing commit f30dcb7dcb1aa925dfc83923c580a53c975b754b with gcc (GCC) 8.1.0
kernel signature: 4298a2bca13a3bc44564ac9ba6557b8407ab99d599b90c2281f2a41120d09274
all runs: OK
# git bisect good f30dcb7dcb1aa925dfc83923c580a53c975b754b
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[d431f8939c1419854dfe89dd345387f5397c6edd] ath10k: remove the max_sched_scan_reqs value
testing commit d431f8939c1419854dfe89dd345387f5397c6edd with gcc (GCC) 8.1.0
kernel signature: 755164cb407c306698ea81dcf984ff20c01c134818ca55d139c7d60295cdfd5f
all runs: OK
# git bisect good d431f8939c1419854dfe89dd345387f5397c6edd
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[7f960633a458136d168f2049508d39cba8be55bd] net: encx24j600: make encx24j600_hw_init() return void
testing commit 7f960633a458136d168f2049508d39cba8be55bd with gcc (GCC) 8.1.0
kernel signature: 8872f5008a57f7ffd63001b8bb868bfcc61923212d3890b5d8eceee9168b2aad
all runs: OK
# git bisect good 7f960633a458136d168f2049508d39cba8be55bd
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[d7d43782d541edb8596d2f4fc7f41b0734948ec5] ath11k: fix kernel panic by freeing the msdu received with invalid length
testing commit d7d43782d541edb8596d2f4fc7f41b0734948ec5 with gcc (GCC) 8.1.0
kernel signature: ef4bd3f0d16953749b11d471d980f3a6b7158f7c59a8148a25d969a87fe8a587
all runs: OK
# git bisect good d7d43782d541edb8596d2f4fc7f41b0734948ec5
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[3031a86ebd3f9c818486dd7433f121c27ef23188] Merge branch 'Add-QRTR-MHI-client-driver'
testing commit 3031a86ebd3f9c818486dd7433f121c27ef23188 with gcc (GCC) 8.1.0
kernel signature: 98c2faf21e13acd0c4b97fe6417c684a75d65d4a45cad3b27bf2e544fbd32730
all runs: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect bad 3031a86ebd3f9c818486dd7433f121c27ef23188
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0932969e0b1b6ba54028b35b80148302e8fe7db8] via-rhine: Add platform dependencies
testing commit 0932969e0b1b6ba54028b35b80148302e8fe7db8 with gcc (GCC) 8.1.0
kernel signature: 286ef4218ab9741ec3a6607ae841614b6179b7bf8c200086b0683b3b88422e11
all runs: OK
# git bisect good 0932969e0b1b6ba54028b35b80148302e8fe7db8
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e42671084361302141a09284fde9bbc14fdd16bf] net: qrtr: Do not depend on ARCH_QCOM
testing commit e42671084361302141a09284fde9bbc14fdd16bf with gcc (GCC) 8.1.0
kernel signature: 3f6c5fa39e5159efeecfeb66fc2a118ebc9082911e57db2562e11ee4afe66775
all runs: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect bad e42671084361302141a09284fde9bbc14fdd16bf
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6e728f321393b1fce9e1c2c3e55f9f7c15991321] net: qrtr: Add MHI transport layer
testing commit 6e728f321393b1fce9e1c2c3e55f9f7c15991321 with gcc (GCC) 8.1.0
kernel signature: dc96e252dadbda5827962e501277cd8b5700895cfcbb02413706bfb860835bee
all runs: OK
# git bisect good 6e728f321393b1fce9e1c2c3e55f9f7c15991321
e42671084361302141a09284fde9bbc14fdd16bf is the first bad commit
commit e42671084361302141a09284fde9bbc14fdd16bf
Author: Manivannan Sadhasivam
Date: Thu May 7 18:23:06 2020 +0530

    net: qrtr: Do not depend on ARCH_QCOM

    IPC Router protocol is also used by external modems for exchanging the QMI
    messages. Hence, it doesn't always depend on Qualcomm platforms. One such
    instance is the QCA6390 WLAN device connected to x86 machine.

    Reviewed-by: Bjorn Andersson
    Signed-off-by: Manivannan Sadhasivam
    Signed-off-by: David S. Miller

 net/qrtr/Kconfig | 1 -
 1 file changed, 1 deletion(-)

culprit signature: 3f6c5fa39e5159efeecfeb66fc2a118ebc9082911e57db2562e11ee4afe66775
parent signature: dc96e252dadbda5827962e501277cd8b5700895cfcbb02413706bfb860835bee
revisions tested: 18, total time: 4h38m7.728482958s (build: 1h43m48.868570933s, test: 2h52m29.589208968s)
first bad commit: e42671084361302141a09284fde9bbc14fdd16bf net: qrtr: Do not depend on ARCH_QCOM
recipients (to): ["bjorn.andersson@linaro.org" "davem@davemloft.net" "manivannan.sadhasivam@linaro.org"]
recipients (cc): []
crash: WARNING: refcount bug in qrtr_node_lookup
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 54 at lib/refcount.c:25 refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 54 Comm: kworker/u4:2 Not tainted 5.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: qrtr_ns_handler qrtr_ns_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 panic+0x22a/0x4e3 kernel/panic.c:221
 __warn.cold.10+0x25/0x26 kernel/panic.c:582
 report_bug+0x1ad/0x270 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:175 [inline]
 do_error_trap+0x123/0x210 arch/x86/kernel/traps.c:267
 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25
Code: f1 dc 6e 06 01 e8 6f 59 f2 fd 0f 0b eb 9d 80 3d e0 dc 6e 06 00 75 94 48 c7 c7 a0 89 ce 87 c6 05 d0 dc 6e 06 01 e8 4f 59 f2 fd <0f> 0b e9 7a ff ff ff 80 3d ba dc 6e 06 00 0f 85 6d ff ff ff 48 c7
RSP: 0018:ffffc90000f379a0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff8880a8fb7c98 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000007 RDI: ffffffff8b8fe1a0
RBP: 0000000000000002 R08: ffffed1015d245f1 R09: ffffed1015d245f1
R10: ffff8880ae922f83 R11: ffffed1015d245f0 R12: ffff8880a8fb7c98
R13: ffff8880a42cedf4 R14: ffff8880a42cedf0 R15: 0000000050f32cd6
 refcount_add include/linux/refcount.h:204 [inline]
 refcount_inc include/linux/refcount.h:241 [inline]
 kref_get include/linux/kref.h:45 [inline]
 qrtr_node_acquire net/qrtr/qrtr.c:194 [inline]
 qrtr_node_lookup+0x7b/0x90 net/qrtr/qrtr.c:386
 qrtr_send_resume_tx net/qrtr/qrtr.c:972 [inline]
 qrtr_recvmsg+0x499/0x7f0 net/qrtr/qrtr.c:1035
 kernel_recvmsg+0xb1/0x140 net/socket.c:932
 qrtr_ns_worker+0x164/0x10d7 net/qrtr/ns.c:624
 process_one_work+0x908/0x15d0 kernel/workqueue.c:2268
 worker_thread+0x82/0xb50 kernel/workqueue.c:2414
 kthread+0x340/0x410 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..