bisecting fixing commit since ba4f184e126b751d1bffad5897f263108befc780
building syzkaller on 9e1fa68ee1625a7f0ef03906ee1abb40cb987fbf
testing commit ba4f184e126b751d1bffad5897f263108befc780
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 3002effa8e8a479db947239df63ae9824b906c1f236ac3f505d93e797768a0ba
all runs: crashed: WARNING: refcount bug in qrtr_node_lookup
testing current HEAD 64b4fc45bea6f4faa843d2f97ff51665280efee1
testing commit 64b4fc45bea6f4faa843d2f97ff51665280efee1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: b7e5e7b8bc2c4f589d7c7ddd64f05f68dd7dc007428f87949056fe512f39b654
all runs: OK
# git bisect start 64b4fc45bea6f4faa843d2f97ff51665280efee1 ba4f184e126b751d1bffad5897f263108befc780
Bisecting: 39823 revisions left to test after this (roughly 15 steps)
[d99676af540c2dc829999928fb81c58c80a1dce4] Merge tag 'drm-next-2021-02-19' of git://anongit.freedesktop.org/drm/drm
testing commit d99676af540c2dc829999928fb81c58c80a1dce4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 4055f0cd94a236397656d7a8c179c45ea14061a226859d7da30ab29411fa140b
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good d99676af540c2dc829999928fb81c58c80a1dce4
Bisecting: 20056 revisions left to test after this (roughly 14 steps)
[4f9701057a9cc1ae6bfc533204c9d3ba386687de] Merge tag 'iommu-updates-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
testing commit 4f9701057a9cc1ae6bfc533204c9d3ba386687de
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 58293bdb6efa4eddbd6a7f058aa52e798f4124a15760d07ed37113fada8f1117
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good 4f9701057a9cc1ae6bfc533204c9d3ba386687de
Bisecting: 10305 revisions left to test after this (roughly 13 steps)
[bcb9928a155444dbd212473e60241ca0a7f641e1] net: dsa: properly check for the bridge_leave methods in dsa_switch_bridge_leave()
testing commit bcb9928a155444dbd212473e60241ca0a7f641e1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 24932b16b6fb5f8e056507acb9d75af0748c743a20d4aa5b07e56eda9ee79efb
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good bcb9928a155444dbd212473e60241ca0a7f641e1
Bisecting: 5119 revisions left to test after this (roughly 12 steps)
[eed0218e8cae9fcd186c30e9fcf5fe46a87e056e] Merge tag 'char-misc-5.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit eed0218e8cae9fcd186c30e9fcf5fe46a87e056e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: dc3dc217c042790a605be6698b8281c38e24c4cb80e981db12ca6ab74ca040b0
all runs: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM)
# git bisect skip eed0218e8cae9fcd186c30e9fcf5fe46a87e056e
Bisecting: 5119 revisions left to test after this (roughly 12 steps)
[304ba5dca49a21e6f4040494c669134787145118] Merge drm/drm-next into drm-misc-next
testing commit 304ba5dca49a21e6f4040494c669134787145118
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: c33e587ffa64bba798bee8f96ea94c4564bbb1464954b253a1c37d83b1d1db1e
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good 304ba5dca49a21e6f4040494c669134787145118
Bisecting: 5088 revisions left to test after this (roughly 12 steps)
[f5c13f1fdef9fed65b95c3c5f343d22c425ac1d7] Merge tag 'driver-core-5.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit f5c13f1fdef9fed65b95c3c5f343d22c425ac1d7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 870f821eca9c5a2e78ecee7427df87697bb32ec23f58813b264d361aec737293
all runs: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM)
# git bisect skip f5c13f1fdef9fed65b95c3c5f343d22c425ac1d7
Bisecting: 5088 revisions left to test after this (roughly 12 steps)
[351de44fde5afc3b0b23294ebf404e78065c2745] mm/swap: make NODE_DATA an inline function on CONFIG_FLATMEM
testing commit 351de44fde5afc3b0b23294ebf404e78065c2745
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 44874dad39b87e0e65c4ba33150765063b4cd2886fec32e8d59920c6c3b5951f
run #0: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #1: crashed: WARNING: refcount bug in qrtr_recvmsg
run #2: crashed: WARNING: refcount bug in qrtr_recvmsg
run #3: crashed: WARNING: refcount bug in qrtr_recvmsg
run #4: crashed: WARNING: refcount bug in qrtr_recvmsg
run #5: crashed: WARNING: refcount bug in qrtr_recvmsg
run #6: crashed: WARNING: refcount bug in qrtr_recvmsg
run #7: crashed: WARNING: refcount bug in qrtr_recvmsg
run #8: crashed: WARNING: refcount bug in qrtr_recvmsg
run #9: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good 351de44fde5afc3b0b23294ebf404e78065c2745
Bisecting: 5088 revisions left to test after this (roughly 12 steps)
[89be5957e7ec300cae7af4059db69a0e1f45662d] dt-bindings: pinctrl: Update enum for adding SGPM2 and SGPS2
testing commit 89be5957e7ec300cae7af4059db69a0e1f45662d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: e6b451426addd9ef47b823f49351b2f4ba345c1922ca55204196fd5f50575811
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good 89be5957e7ec300cae7af4059db69a0e1f45662d
Bisecting: 4337 revisions left to test after this (roughly 12 steps)
[a16d8644bad461bb073b92e812080ea6715ddf2b] Merge tag 'staging-5.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit a16d8644bad461bb073b92e812080ea6715ddf2b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 88ef7cbcfe99e22958f18c151ad1738dc353275ef84453a195eb3d39ab3df3d8
all runs: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM)
# git bisect skip a16d8644bad461bb073b92e812080ea6715ddf2b
Bisecting: 4337 revisions left to test after this (roughly 12 steps)
[32a577b4c3a9d0b5d3e47ac47ffd50774a04f82a] RDMA/rxe: Add support for bind MW work requests
testing commit 32a577b4c3a9d0b5d3e47ac47ffd50774a04f82a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 4f780c2bde26c8da303fad4daa81fac2d286e5c125c46207d0ef97ea29c62cfc
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good 32a577b4c3a9d0b5d3e47ac47ffd50774a04f82a
Bisecting: 4337 revisions left to test after this (roughly 12 steps)
[d1ba49e7763aa889108da0b9a1ec233abff4bb34] drm/amd/display: remove no need variable
testing commit d1ba49e7763aa889108da0b9a1ec233abff4bb34
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 04ab75e78397fdc22ffc4ed0747a02597533dadccbdf2fee47aeb23fd401223a
all runs: boot failed: BUG: unable to handle kernel paging request in hgafb_open
# git bisect skip d1ba49e7763aa889108da0b9a1ec233abff4bb34
Bisecting: 4337 revisions left to test after this (roughly 12 steps)
[520264db3bf9571ef8cca96e30ffcf6fb31999b3] phy: qcom-qmp: add QMP V2 PCIe PHY support for ipq60xx
testing commit 520264db3bf9571ef8cca96e30ffcf6fb31999b3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: e6b451426addd9ef47b823f49351b2f4ba345c1922ca55204196fd5f50575811
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good 520264db3bf9571ef8cca96e30ffcf6fb31999b3
Bisecting: 4337 revisions left to test after this (roughly 12 steps)
[e22626a876a086e1ce268ab31d1826dfc4c77550] vdpa_sim_blk: remove duplicate include of linux/blkdev.h
testing commit e22626a876a086e1ce268ab31d1826dfc4c77550
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 4f1878d6ac9c9fdd49ab6fa8f88029e0584bc1b3cb6010c537ad2ebfb288b3b8
run #0: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #1: crashed: WARNING: refcount bug in qrtr_recvmsg
run #2: crashed: WARNING: refcount bug in qrtr_recvmsg
run #3: crashed: WARNING: refcount bug in qrtr_recvmsg
run #4: crashed: WARNING: refcount bug in qrtr_recvmsg
run #5: crashed: WARNING: refcount bug in qrtr_recvmsg
run #6: crashed: WARNING: refcount bug in qrtr_recvmsg
run #7: crashed: WARNING: refcount bug in qrtr_recvmsg
run #8: crashed: WARNING: refcount bug in qrtr_recvmsg
run #9: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good e22626a876a086e1ce268ab31d1826dfc4c77550
Bisecting: 3871 revisions left to test after this (roughly 12 steps)
[79160a603bdb51916226caf4a6616cc4e1c58a58] Merge tag 'usb-5.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit 79160a603bdb51916226caf4a6616cc4e1c58a58
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: f1e885eb09118f05456c3d9780abca92f4077c7dd1c487b951c7af16f3488b68
all runs: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM)
# git bisect skip 79160a603bdb51916226caf4a6616cc4e1c58a58
Bisecting: 3871 revisions left to test after this (roughly 12 steps)
[f227f0faf63b46a113c4d1aca633c80195622dd2] slub: fix unreclaimable slab stat for bulk free
testing commit f227f0faf63b46a113c4d1aca633c80195622dd2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: a79c5c7e2845a8492a957aa60753533c011745f206d39de7a6c894d9ea593138
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good f227f0faf63b46a113c4d1aca633c80195622dd2
Bisecting: 592 revisions left to test after this (roughly 9 steps)
[f8fbb47c6e86c0b75f8df864db702c3e3f757361] Merge branch 'for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
testing commit f8fbb47c6e86c0b75f8df864db702c3e3f757361
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 31b7452da10c5cc0ceb87e0ce87900b9dd5f48e090d3591e2a611cfe76ac8c58
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good f8fbb47c6e86c0b75f8df864db702c3e3f757361
Bisecting: 295 revisions left to test after this (roughly 8 steps)
[91ed3ed0f79884f66581e2162cc5ae91ce82b4fb] MAINTAINERS: update ClangBuiltLinux IRC chat
testing commit 91ed3ed0f79884f66581e2162cc5ae91ce82b4fb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 0cfa648e5d206daad030183f9711a5e7c9edfcb3bba5a0710547482c420d4868
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good 91ed3ed0f79884f66581e2162cc5ae91ce82b4fb
Bisecting: 147 revisions left to test after this (roughly 7 steps)
[fa54d366a6e4fe3e16322abdb8b5115f8be0da8b] Merge tag 'acpi-5.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit fa54d366a6e4fe3e16322abdb8b5115f8be0da8b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 109e49e8bac56ec7fe8505b91e547ec427be6537e5cab506696566b6c84db1b8
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good fa54d366a6e4fe3e16322abdb8b5115f8be0da8b
Bisecting: 88 revisions left to test after this (roughly 6 steps)
[1a6d80ff2419e8ad627b4bf4775a8b4c70af535d] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit 1a6d80ff2419e8ad627b4bf4775a8b4c70af535d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: ef120ceb48445f21df37f450e0157191d2715583e4fd9ca0a515c085722bf0dc
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good 1a6d80ff2419e8ad627b4bf4775a8b4c70af535d
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[3462207d2d684658d97499ca77c00c9ac7c87ea8] net: hns3: fix GRO configuration error after reset
testing commit 3462207d2d684658d97499ca77c00c9ac7c87ea8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: b15831c70920b7aebbb6e635ff45ac7666db9954035bcb8bf77c3cf59c8a1517
all runs: OK
# git bisect bad 3462207d2d684658d97499ca77c00c9ac7c87ea8
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[2d26f6e39afb88d32b8f39e76a51b542c3c51674] net: stmmac: dwmac-rk: fix unbalanced pm_runtime_enable warnings
testing commit 2d26f6e39afb88d32b8f39e76a51b542c3c51674
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 731cbba5dd93dcc2926a0cdc9118cac7d67b1538c77cf2676620ae81ffc5fc6e
all runs: OK
# git bisect bad 2d26f6e39afb88d32b8f39e76a51b542c3c51674
Bisecting: 9 revisions left to test after this (roughly 4 steps)
[46002bf3007ce0387be73d0c9640ee7cd2de4788] Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue
testing commit 46002bf3007ce0387be73d0c9640ee7cd2de4788
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: a0ba5fdd15a7cb3da43b2128a0a871a000e8d2ce5d8b564b7edb63be2aa4ebb6
all runs: OK
# git bisect bad 46002bf3007ce0387be73d0c9640ee7cd2de4788
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[44a13a5d99c71bf9e1676d9e51679daf4d7b3d73] e1000e: Fix the max snoop/no-snoop latency for 10M
testing commit 44a13a5d99c71bf9e1676d9e51679daf4d7b3d73
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 0dca6b7fb995afdc563ab495d3b597451b93c07de6515381a5dfe842f88b2217
all runs: OK
# git bisect bad 44a13a5d99c71bf9e1676d9e51679daf4d7b3d73
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ffc9c3ebb4af870a121da99826e9ccb63dc8b3d7] net: usb: pegasus: fixes of set_register(s) return value evaluation;
testing commit ffc9c3ebb4af870a121da99826e9ccb63dc8b3d7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 101b8416cbcc0d33147cee164e5e965e2e58001eed4fe396876dcffd48911c09
all runs: OK
# git bisect bad ffc9c3ebb4af870a121da99826e9ccb63dc8b3d7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7e78c597c3ebfd0cb329aa09a838734147e4f117] net: qrtr: fix another OOB Read in qrtr_endpoint_post
testing commit 7e78c597c3ebfd0cb329aa09a838734147e4f117
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: ca367349bda3ee5fef8f57fe7ad9eba6822755acf667859a1fc1a13a373f67ca
all runs: OK
# git bisect bad 7e78c597c3ebfd0cb329aa09a838734147e4f117
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a8f89fa27773a8c96fd09fb4e2f4892d794f21f6] ice: do not abort devlink info if board identifier can't be found
testing commit a8f89fa27773a8c96fd09fb4e2f4892d794f21f6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 13da9defcff7d73d4923d890008fd3c2f0f25523c79e7ea75d9906261955ab43
all runs: crashed: WARNING: refcount bug in qrtr_recvmsg
# git bisect good a8f89fa27773a8c96fd09fb4e2f4892d794f21f6
7e78c597c3ebfd0cb329aa09a838734147e4f117 is the first bad commit
commit 7e78c597c3ebfd0cb329aa09a838734147e4f117
Author: Xiaolong Huang
Date: Fri Aug 20 03:50:34 2021 +0800

    net: qrtr: fix another OOB Read in qrtr_endpoint_post

    This check was incomplete, did not consider size is 0:

        if (len != ALIGN(size, 4) + hdrlen)
            goto err;

    if size from qrtr_hdr is 0, the result of ALIGN(size, 4)
    will be 0, In case of len == hdrlen and size == 0
    in header this check won't fail and

        if (cb->type == QRTR_TYPE_NEW_SERVER) {
            /* Remote node endpoint can bridge other distant nodes */
            const struct qrtr_ctrl_pkt *pkt = data + hdrlen;

            qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
        }

    will also read out of bound from data, which is
    hdrlen allocated block.

    Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
    Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post")
    Signed-off-by: Xiaolong Huang
    Signed-off-by: David S. Miller

 net/qrtr/qrtr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
culprit signature: ca367349bda3ee5fef8f57fe7ad9eba6822755acf667859a1fc1a13a373f67ca
parent signature: 13da9defcff7d73d4923d890008fd3c2f0f25523c79e7ea75d9906261955ab43
revisions tested: 28, total time: 6h35m28.956470159s (build: 2h54m18.097411566s, test: 3h37m23.588389929s)
first good commit: 7e78c597c3ebfd0cb329aa09a838734147e4f117 net: qrtr: fix another OOB Read in qrtr_endpoint_post
recipients (to): ["butterflyhuangxx@gmail.com" "davem@davemloft.net" "davem@davemloft.net" "kuba@kernel.org" "netdev@vger.kernel.org"]
recipients (cc): ["linux-arm-msm@vger.kernel.org" "linux-kernel@vger.kernel.org" "mani@kernel.org"]