bisecting cause commit starting from 468c2a100208461c1821315f6fd81b32b9d12561 building syzkaller on 5ed396e666c7826bed46f06c4db1409376691fed testing commit 468c2a100208461c1821315f6fd81b32b9d12561 with gcc (GCC) 8.1.0 kernel signature: 4b92cd0e4360f55a783861a724baf3909978c6ef92a0aceec98e188f225fe8b9 run #0: crashed: WARNING: refcount bug in crypto_destroy_tfm run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm run #3: crashed: WARNING: refcount bug in crypto_mod_get run #4: crashed: WARNING: refcount bug in crypto_mod_get run #5: crashed: WARNING: refcount bug in crypto_mod_get run #6: crashed: WARNING: refcount bug in crypto_mod_get run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm run #8: crashed: WARNING: refcount bug in crypto_mod_get run #9: crashed: WARNING: refcount bug in crypto_destroy_tfm testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 48e7848687bbb1ec976ec7126395e9fa55dfb720d0a15e5ee8d4074d8d4d774a run #0: crashed: WARNING: refcount bug in crypto_destroy_tfm run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm run #2: crashed: WARNING: refcount bug in crypto_mod_get run #3: crashed: WARNING: refcount bug in crypto_destroy_tfm run #4: crashed: WARNING: refcount bug in crypto_destroy_tfm run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm run #6: crashed: WARNING: refcount bug in crypto_mod_get run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm run #8: crashed: WARNING: refcount bug in crypto_mod_get run #9: crashed: WARNING: refcount bug in crypto_destroy_tfm testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 29057a7660f9fc5e8537359eca5127df176b7a6f4cb19687633eb8173e664759 all runs: OK # git bisect start 7111951b8d4973bda27ff663f2cf18b663d15b48 d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 Bisecting: 6113 revisions left to test after this (roughly 13 steps) [9f68e3655aae6d49d6ba05dd263f99f33c2567af] Merge tag 'drm-next-2020-01-30' of git://anongit.freedesktop.org/drm/drm testing commit 9f68e3655aae6d49d6ba05dd263f99f33c2567af with gcc (GCC) 8.1.0 kernel signature: 7708f73c661af19a9973fc6cf63e36ab4c9dc83536a1c16bf6d2fc80f57b886e run #0: crashed: WARNING: refcount bug in crypto_mod_get run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm run #3: crashed: WARNING: refcount bug in crypto_destroy_tfm run #4: crashed: WARNING: refcount bug in crypto_mod_get run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm run #7: crashed: WARNING: refcount bug in crypto_mod_get run #8: crashed: WARNING: refcount bug in crypto_mod_get run #9: crashed: WARNING: refcount bug in crypto_destroy_tfm # git bisect bad 9f68e3655aae6d49d6ba05dd263f99f33c2567af Bisecting: 3686 revisions left to test after this (roughly 12 steps) [fb95aae6e67c4e319a24b3eea32032d4246a5335] Merge tag 'sound-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit fb95aae6e67c4e319a24b3eea32032d4246a5335 with gcc (GCC) 8.1.0 kernel signature: f5f16d6b4444970e4d7f94a25ce8f8da7121c07e35c5529f0f90428945f3b25d run #0: crashed: WARNING: refcount bug in crypto_destroy_tfm run #1: crashed: WARNING: refcount bug in crypto_mod_get run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm run #3: crashed: WARNING: refcount bug in crypto_mod_get run #4: crashed: WARNING: refcount bug in crypto_mod_get run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm run #8: crashed: WARNING: refcount bug in crypto_destroy_tfm run #9: crashed: WARNING: refcount bug in crypto_mod_get # git bisect bad fb95aae6e67c4e319a24b3eea32032d4246a5335 Bisecting: 2267 revisions left to test after this (roughly 11 steps) [f76e4c167ea2212e23c15ee7e601a865e822c291] net: phy: add default ARCH_BCM_IPROC for MDIO_BCM_IPROC testing commit f76e4c167ea2212e23c15ee7e601a865e822c291 with gcc (GCC) 8.1.0 kernel signature: 6671afcfb9dfbf0184aca1cdcd33e089d933a513be9806d0385e4676534b5cca all runs: OK # git bisect good f76e4c167ea2212e23c15ee7e601a865e822c291 Bisecting: 1113 revisions left to test after this (roughly 10 steps) [c677124e631d97130e4ff7db6e10acdfb7a82321] Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit c677124e631d97130e4ff7db6e10acdfb7a82321 with gcc (GCC) 8.1.0 kernel signature: 7fa7a873b62d38ab189bc6336f95076956da1b25650b457d0e6999ead1cda9ac all runs: OK # git bisect good c677124e631d97130e4ff7db6e10acdfb7a82321 Bisecting: 458 revisions left to test after this (roughly 9 steps) [90fb04f890bcb7384b4d4c216dc2640b0a870df3] Merge tag 'asoc-v5.6' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus testing commit 90fb04f890bcb7384b4d4c216dc2640b0a870df3 with gcc (GCC) 8.1.0 kernel signature: 47c71c5a47b9fcfea0e4c8a863cb88cc5ffdcce82a8f0dd86e68d4920f26a160 all runs: OK # git bisect good 90fb04f890bcb7384b4d4c216dc2640b0a870df3 Bisecting: 229 revisions left to test after this (roughly 8 steps) [684cf266eb04911825a6de10dadd188cf801d063] crypto: ccree - fix typo in comment testing commit 684cf266eb04911825a6de10dadd188cf801d063 with gcc (GCC) 8.1.0 kernel signature: 58126cc19295f95f4e2970b0b75a011d59d96c313a985882654a0d0546d6cde0 run #0: crashed: WARNING: refcount bug in crypto_destroy_tfm run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm run #3: crashed: WARNING: refcount bug in crypto_mod_get run #4: crashed: WARNING: refcount bug in crypto_destroy_tfm run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm run #8: crashed: WARNING: refcount bug in crypto_mod_get run #9: crashed: WARNING: refcount bug in crypto_destroy_tfm # git bisect bad 684cf266eb04911825a6de10dadd188cf801d063 Bisecting: 114 revisions left to test after this (roughly 7 steps) [0e69378940eafe386464679a84856d1b63e1bac2] crypto: atmel-{aes,sha} - Fix incorrect use of dmaengine_terminate_all() testing commit 0e69378940eafe386464679a84856d1b63e1bac2 with gcc (GCC) 8.1.0 kernel signature: 62e6497a628a492dd0a36e35b680f1381665c50bda2b1bb1c53590c9b6a03913 run #0: crashed: WARNING: refcount bug in crypto_destroy_tfm run #1: crashed: WARNING: refcount bug in crypto_mod_get run #2: crashed: WARNING: refcount bug in crypto_mod_get run #3: crashed: WARNING: refcount bug in crypto_destroy_tfm run #4: crashed: WARNING: refcount bug in crypto_destroy_tfm run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm run #8: crashed: WARNING: refcount bug in crypto_mod_get run #9: crashed: WARNING: refcount bug in crypto_mod_get # git bisect bad 0e69378940eafe386464679a84856d1b63e1bac2 Bisecting: 56 revisions left to test after this (roughly 6 steps) [095be695e564d1c64d33327b03e32bf5749b1174] crypto: aead - move crypto_aead_maxauthsize() to testing commit 095be695e564d1c64d33327b03e32bf5749b1174 with gcc (GCC) 8.1.0 kernel signature: a05b2382436701775831626f2f17f857f91eb6e05114852d8a76c0fc7d7c5172 all runs: OK # git bisect good 095be695e564d1c64d33327b03e32bf5749b1174 Bisecting: 28 revisions left to test after this (roughly 5 steps) [4c977e37b0fafc7505f814256a699c13fd03b7b6] crypto: atmel-sha - Void return type for atmel_sha_update_dma_stop() testing commit 4c977e37b0fafc7505f814256a699c13fd03b7b6 with gcc (GCC) 8.1.0 kernel signature: 47a509b04a5fecb783e782f3781699dc0a9e7c78d2801ec51d099e2154dd6b51 all runs: OK # git bisect good 4c977e37b0fafc7505f814256a699c13fd03b7b6 Bisecting: 14 revisions left to test after this (roughly 4 steps) [6eb0cc72bcbe9cc5b9ccd41d7226929767e41311] crypto: ccp - move SEV vdata to a dedicated data structure testing commit 6eb0cc72bcbe9cc5b9ccd41d7226929767e41311 with gcc (GCC) 8.1.0 kernel signature: 79f7b9813b716d81283373303eceec498ad675eaceb304cb5ff120c40c86713b run #0: crashed: WARNING: refcount bug in crypto_mod_get run #1: crashed: WARNING: refcount bug in crypto_mod_get run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm run #3: crashed: WARNING: refcount bug in crypto_destroy_tfm run #4: crashed: WARNING: refcount bug in crypto_mod_get run #5: crashed: WARNING: refcount bug in crypto_mod_get run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm run #8: crashed: WARNING: refcount bug in crypto_destroy_tfm run #9: crashed: WARNING: refcount bug in crypto_mod_get # git bisect bad 6eb0cc72bcbe9cc5b9ccd41d7226929767e41311 Bisecting: 6 revisions left to test after this (roughly 3 steps) [4f87ee118d16b4b2116a477229573ed5003b0d78] crypto: api - Do not zap spawn->alg testing commit 4f87ee118d16b4b2116a477229573ed5003b0d78 with gcc (GCC) 8.1.0 kernel signature: 038a1e63fe27c09c50252b51ffe0adf432356a73b77ba7ea415907cd3d5ba3ea run #0: crashed: WARNING: refcount bug in crypto_mod_get run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm run #3: crashed: WARNING: refcount bug in crypto_mod_get run #4: crashed: WARNING: refcount bug in crypto_destroy_tfm run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm run #8: crashed: WARNING: refcount bug in crypto_destroy_tfm run #9: crashed: WARNING: refcount bug in crypto_destroy_tfm # git bisect bad 4f87ee118d16b4b2116a477229573ed5003b0d78 Bisecting: 3 revisions left to test after this (roughly 2 steps) [579d705cd64e44f3fcda1a6cfd5f37468a5ddf63] crypto: chacha - fix warning message in header file testing commit 579d705cd64e44f3fcda1a6cfd5f37468a5ddf63 with gcc (GCC) 8.1.0 kernel signature: 66267a307a3fe37a70a5be11c4a5d92a088addfa7b470d15f9992eb7d8aa8b49 all runs: OK # git bisect good 579d705cd64e44f3fcda1a6cfd5f37468a5ddf63 Bisecting: 1 revision left to test after this (roughly 1 step) [4a2abbc6b8683dd8ac399d305b23409a7a7503d3] crypto: doc - remove references to ARC4 testing commit 4a2abbc6b8683dd8ac399d305b23409a7a7503d3 with gcc (GCC) 8.1.0 kernel signature: fc7de083d0b612cfc1f75043658b36a54a04d1caa86a48faf40e10d51919a094 all runs: OK # git bisect good 4a2abbc6b8683dd8ac399d305b23409a7a7503d3 Bisecting: 0 revisions left to test after this (roughly 0 steps) [73669cc556462f4e50376538d77ee312142e8a8a] crypto: api - Fix race condition in crypto_spawn_alg testing commit 73669cc556462f4e50376538d77ee312142e8a8a with gcc (GCC) 8.1.0 kernel signature: 3553bbe2d7bc6e6c972326465e792f57d4dd781ebfd4e21423bcacc5b308e364 all runs: OK # git bisect good 73669cc556462f4e50376538d77ee312142e8a8a 4f87ee118d16b4b2116a477229573ed5003b0d78 is the first bad commit commit 4f87ee118d16b4b2116a477229573ed5003b0d78 Author: Herbert Xu Date: Sat Dec 7 22:15:17 2019 +0800 crypto: api - Do not zap spawn->alg Currently when a spawn is removed we will zap its alg field. This is racy because the spawn could belong to an unregistered instance which may dereference the spawn->alg field. This patch fixes this by keeping spawn->alg constant and instead adding a new spawn->dead field to indicate that a spawn is going away. Signed-off-by: Herbert Xu crypto/algapi.c | 22 ++++++++++++---------- include/crypto/algapi.h | 1 + 2 files changed, 13 insertions(+), 10 deletions(-) culprit signature: 038a1e63fe27c09c50252b51ffe0adf432356a73b77ba7ea415907cd3d5ba3ea parent signature: 3553bbe2d7bc6e6c972326465e792f57d4dd781ebfd4e21423bcacc5b308e364 revisions tested: 17, total time: 3h47m57.685054905s (build: 1h42m22.942445739s, test: 2h4m32.184348225s) first bad commit: 4f87ee118d16b4b2116a477229573ed5003b0d78 crypto: api - Do not zap spawn->alg cc: ["davem@davemloft.net" "herbert@gondor.apana.org.au" "linux-crypto@vger.kernel.org" "linux-kernel@vger.kernel.org"] crash: WARNING: refcount bug in crypto_destroy_tfm ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 10503 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 10503 Comm: syz-executor.0 Not tainted 5.5.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.10+0x25/0x26 kernel/panic.c:582 report_bug+0x1ad/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:174 [inline] do_error_trap+0x123/0x210 arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28 Code: 78 ff fd 0f 0b e9 53 ff ff ff 48 89 df e8 fd b1 5b fe e9 23 ff ff ff 48 c7 c7 e0 0d 8d 87 c6 05 5f ee 2c 06 01 e8 11 78 ff fd <0f> 0b e9 2c ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 41 RSP: 0018:ffffc90002737ce8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8880a789387c RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff8b3d2360 RBP: 0000000000000003 R08: ffffed1015d26621 R09: ffffed1015d26621 R10: ffffed1015d26620 R11: ffff8880ae933107 R12: ffff8880a040e600 R13: 0000000000000000 R14: ffff8880a040e618 R15: ffff8880a040e610 refcount_sub_and_test include/linux/refcount.h:261 [inline] refcount_dec_and_test include/linux/refcount.h:281 [inline] crypto_alg_put crypto/internal.h:93 [inline] crypto_mod_put crypto/api.c:45 [inline] crypto_destroy_tfm+0x226/0x2a0 crypto/api.c:564 crypto_exit_ops crypto/api.c:306 [inline] crypto_destroy_tfm+0x9a/0x2a0 crypto/api.c:563 crypto_free_aead include/crypto/aead.h:185 [inline] aead_release+0x27/0x40 crypto/algif_aead.c:506 alg_do_release crypto/af_alg.c:114 [inline] alg_sock_destruct+0x75/0xc0 crypto/af_alg.c:358 __sk_destruct+0x42/0x640 net/core/sock.c:1695 sock_put include/net/sock.h:1729 [inline] af_alg_release+0x87/0xb0 crypto/af_alg.c:121 __sock_release+0xbb/0x270 net/socket.c:592 sock_close+0xf/0x20 net/socket.c:1270 __fput+0x256/0x780 fs/file_table.c:280 task_work_run+0x103/0x180 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x23d/0x2d0 arch/x86/entry/common.c:164 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] syscall_return_slowpath arch/x86/entry/common.c:278 [inline] do_syscall_64+0x4f8/0x5e0 arch/x86/entry/common.c:304 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4163e1 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffc7fbcba70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004163e1 RDX: 0000001b2f420000 RSI: 0000000000000001 RDI: 0000000000000003 RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff R10: 00007ffc7fbcbb50 R11: 0000000000000293 R12: 000000000076c900 R13: 000000000076c900 R14: 0000000000010183 R15: 000000000076bf0c Kernel Offset: disabled Rebooting in 86400 seconds..