ci2 starts bisection 2023-04-15 21:48:47.586906854 +0000 UTC m=+119235.811807758
bisecting fixing commit since 6449a0ba6843fe70523eeb7855984054f36f6d24
building syzkaller on 18b586030b9a7e7f4c7208f44be8994740608841
ensuring issue is reproducible on original commit 6449a0ba6843fe70523eeb7855984054f36f6d24
testing commit 6449a0ba6843fe70523eeb7855984054f36f6d24 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: abe3df886b3b39aa126c2798161f159f5a18ea782eefe2d8cdc2e17940b2e9de
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc00298c0a0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc000aea190] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc00298c140] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #3: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc001a5c0f0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #4: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc00298c3c0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #5: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc00298c780] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #6: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc000aea500] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #7: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc001a5c280] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #8: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc00298c8c0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #9: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc000aea820] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #10: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc000aea910] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #11: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc001a5c910] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #12: crashed: WARNING: refcount bug in qrtr_node_lookup
run #13: crashed: WARNING: refcount bug in qrtr_node_lookup
run #14: crashed: WARNING: refcount bug in qrtr_node_lookup
run #15: crashed: WARNING: refcount bug in qrtr_node_lookup
run #16: crashed: WARNING: refcount bug in qrtr_node_lookup
run #17: crashed: WARNING: refcount bug in qrtr_node_lookup
run #18: crashed: WARNING: refcount bug in qrtr_node_lookup
run #19: OK
testing current HEAD 0102425ac76bd184704c698cab7cb4fe37997556
testing commit 0102425ac76bd184704c698cab7cb4fe37997556 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 86f21b73d02071e8aa8e3c30f657f67875c030c22e96e0b0f5777ffccb1818c4
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc003949040] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0037d63c0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect start 0102425ac76bd184704c698cab7cb4fe37997556 6449a0ba6843fe70523eeb7855984054f36f6d24
Bisecting: 454 revisions left to test after this (roughly 9 steps)
[587dd59049bf558ab647b27331a3143900c2355b] thunderbolt: Use const qualifier for `ring_interrupt_index`
testing commit 587dd59049bf558ab647b27331a3143900c2355b gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bb090a902da72ef1e9b6159181c6644d601788f02fc4e9700fdcd382d6511ff5
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0006be730] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0009d4e10] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: crashed: WARNING: refcount bug in qrtr_node_lookup
run #3: crashed: WARNING: refcount bug in qrtr_node_lookup
run #4: crashed: WARNING: refcount bug in qrtr_node_lookup
run #5: crashed: WARNING: refcount bug in qrtr_node_lookup
run #6: crashed: WARNING: refcount bug in qrtr_node_lookup
run #7: crashed: WARNING: refcount bug in qrtr_node_lookup
run #8: crashed: WARNING: refcount bug in qrtr_node_lookup
run #9: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect good 587dd59049bf558ab647b27331a3143900c2355b
Bisecting: 227 revisions left to test after this (roughly 8 steps)
[db0ac14908af0bb9bf66d1e79804f52a262679f4] Input: xpad - fix incorrectly applied patch for MAP_PROFILE_BUTTON
testing commit db0ac14908af0bb9bf66d1e79804f52a262679f4 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d4d2642645f77f775ffedf3c7a92f034c914dda866d43f5bd275927cf5c0368a
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc000c2d0e0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0037d6780] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: crashed: WARNING: refcount bug in qrtr_node_lookup
run #3: crashed: WARNING: refcount bug in qrtr_node_lookup
run #4: crashed: WARNING: refcount bug in qrtr_node_lookup
run #5: crashed: WARNING: refcount bug in qrtr_node_lookup
run #6: crashed: WARNING: refcount bug in qrtr_node_lookup
run #7: crashed: WARNING: refcount bug in qrtr_node_lookup
run #8: crashed: WARNING: refcount bug in qrtr_node_lookup
run #9: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect good db0ac14908af0bb9bf66d1e79804f52a262679f4
Bisecting: 113 revisions left to test after this (roughly 7 steps)
[e3bcf2a77060bea4d8d09cb09d92c7056f07df5a] netlink: annotate lockless accesses to nlk->max_recvmsg_len
testing commit e3bcf2a77060bea4d8d09cb09d92c7056f07df5a gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d6eb8d1ea9d7323b1b4f5d6a67c2ca3bc12cb461a620a06ed65876526b7c1f44
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc000825ef0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc00452c960] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e3bcf2a77060bea4d8d09cb09d92c7056f07df5a
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[fbfe493874e98970071b15c6753116fba054487f] usb: ucsi: Fix ucsi->connector race
testing commit fbfe493874e98970071b15c6753116fba054487f gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ae34635dd40817868ee83e51969e1774a9d0c9871ac7467a81d099b6f7ab83d9
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc004566e10] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc003948e60] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: crashed: WARNING: refcount bug in qrtr_node_lookup
run #3: crashed: WARNING: refcount bug in qrtr_node_lookup
run #4: crashed: WARNING: refcount bug in qrtr_node_lookup
run #5: crashed: WARNING: refcount bug in qrtr_node_lookup
run #6: crashed: WARNING: refcount bug in qrtr_node_lookup
run #7: crashed: WARNING: refcount bug in qrtr_node_lookup
run #8: crashed: WARNING: refcount bug in qrtr_node_lookup
run #9: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect good fbfe493874e98970071b15c6753116fba054487f
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[2b15feabc95b902cd77c6ce820768360d9a06eac] net: phylink: add phylink_expects_phy() method
testing commit 2b15feabc95b902cd77c6ce820768360d9a06eac gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ba29116480309daab1b630ce1540d7cdf865ba530ebb6920889b08f8542784b2
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0009d4b40] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0009d4c30] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 2b15feabc95b902cd77c6ce820768360d9a06eac
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[8df93c8da5327b4eb1cfebf7efa5271c89b3a377] gpio: GPIO_REGMAP: select REGMAP instead of depending on it
testing commit 8df93c8da5327b4eb1cfebf7efa5271c89b3a377 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 86f5d995d794614bee0c6490738cb2c43c6601b08663438deca279dc6af723cf
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc000aeab90] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0063aa280] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: crashed: WARNING: refcount bug in qrtr_node_lookup
run #3: crashed: WARNING: refcount bug in qrtr_node_lookup
run #4: crashed: WARNING: refcount bug in qrtr_node_lookup
run #5: crashed: WARNING: refcount bug in qrtr_node_lookup
run #6: crashed: WARNING: refcount bug in qrtr_node_lookup
run #7: crashed: WARNING: refcount bug in qrtr_node_lookup
run #8: crashed: WARNING: refcount bug in qrtr_node_lookup
run #9: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect good 8df93c8da5327b4eb1cfebf7efa5271c89b3a377
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[c6af1a3ae767e26708b17e329e961b0eacffdfeb] pwm: sprd: Explicitly set .polarity in .get_state()
testing commit c6af1a3ae767e26708b17e329e961b0eacffdfeb gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9e92889e0aa4467e55f75c5e19ec116846adfe4e5cb92be28ce5620afa83d099
run #0: crashed: WARNING: refcount bug in qrtr_node_lookup
run #1: crashed: WARNING: refcount bug in qrtr_node_lookup
run #2: crashed: WARNING: refcount bug in qrtr_node_lookup
run #3: crashed: WARNING: refcount bug in qrtr_node_lookup
run #4: crashed: WARNING: refcount bug in qrtr_node_lookup
run #5: crashed: WARNING: refcount bug in qrtr_node_lookup
run #6: crashed: WARNING: refcount bug in qrtr_node_lookup
run #7: crashed: WARNING: refcount bug in qrtr_node_lookup
run #8: crashed: WARNING: refcount bug in qrtr_node_lookup
run #9: OK
# git bisect good c6af1a3ae767e26708b17e329e961b0eacffdfeb
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1d797b152ca343953351de8bd46512f54dc3feea] KVM: s390: pv: fix external interruption loop not always detected
testing commit 1d797b152ca343953351de8bd46512f54dc3feea gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: db7ddaeb172756ffd2a33c1689ca247db62e492840289e1fab20d20936ce5ddb
all runs: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect good 1d797b152ca343953351de8bd46512f54dc3feea
Bisecting: 1 revision left to test after this (roughly 1 step)
[022c8320d9eb7394538bd716fa1a07a5ed92621b] wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
testing commit 022c8320d9eb7394538bd716fa1a07a5ed92621b gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7868753fe5ed2c55dd365239bf731a4911af4216f22386dae5f51897839f1efc
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc000e76c80] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc0009b1ae0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: crashed: WARNING: refcount bug in qrtr_node_lookup
run #3: crashed: WARNING: refcount bug in qrtr_node_lookup
run #4: crashed: WARNING: refcount bug in qrtr_node_lookup
run #5: crashed: WARNING: refcount bug in qrtr_node_lookup
run #6: crashed: WARNING: refcount bug in qrtr_node_lookup
run #7: crashed: WARNING: refcount bug in qrtr_node_lookup
run #8: crashed: WARNING: refcount bug in qrtr_node_lookup
run #9: crashed: WARNING: refcount bug in qrtr_node_lookup
# git bisect good 022c8320d9eb7394538bd716fa1a07a5ed92621b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[aa95efa187b4114075f312b3c4680d050b56fdec] net: qrtr: Fix a refcount bug in qrtr_recvmsg()
testing commit aa95efa187b4114075f312b3c4680d050b56fdec gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 24ec31a75a813427a4801443a3b6d3c330b3ab3a24db84fff9d6a88b7bd49aec
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc001d1ceb0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED ErrorDetails:[0xc001d1cfa0] Location: Message:Quota 'T2A_CPUS' exceeded. Limit: 64.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad aa95efa187b4114075f312b3c4680d050b56fdec
aa95efa187b4114075f312b3c4680d050b56fdec is the first bad commit
commit aa95efa187b4114075f312b3c4680d050b56fdec
Author: Ziyang Xuan
Date: Thu Mar 30 09:25:32 2023 +0800

    net: qrtr: Fix a refcount bug in qrtr_recvmsg()

    [ Upstream commit 44d807320000db0d0013372ad39b53e12d52f758 ]

    Syzbot reported a bug as following:

    refcount_t: addition on 0; use-after-free.
    ...
    RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
    ...
    Call Trace:
     __refcount_add include/linux/refcount.h:199 [inline]
     __refcount_inc include/linux/refcount.h:250 [inline]
     refcount_inc include/linux/refcount.h:267 [inline]
     kref_get include/linux/kref.h:45 [inline]
     qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline]
     qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline]
     qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline]
     qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070
     sock_recvmsg_nosec net/socket.c:1017 [inline]
     sock_recvmsg+0xe2/0x160 net/socket.c:1038
     qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688
     process_one_work+0x991/0x15c0 kernel/workqueue.c:2390
     worker_thread+0x669/0x1090 kernel/workqueue.c:2537

    It occurs in the concurrent scenario of qrtr_recvmsg() and
    qrtr_endpoint_unregister() as following:

    cpu0                                    cpu1
    qrtr_recvmsg                            qrtr_endpoint_unregister
    qrtr_send_resume_tx                     qrtr_node_release
    qrtr_node_lookup                        mutex_lock(&qrtr_node_lock)
    spin_lock_irqsave(&qrtr_nodes_lock, )   refcount_dec_and_test(&node->ref) [node->ref == 0]
    radix_tree_lookup [node != NULL]        __qrtr_node_release
    qrtr_node_acquire                       spin_lock_irqsave(&qrtr_nodes_lock, )
    kref_get(&node->ref) [WARNING]          ...
                                            mutex_unlock(&qrtr_node_lock)

    Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this
    is actually improving the protection of node reference.

    Fixes: 0a7e0d0ef054 ("net: qrtr: Migrate node lookup tree to spinlock")
    Reported-by: syzbot+a7492efaa5d61b51db23@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?extid=a7492efaa5d61b51db23
    Signed-off-by: Ziyang Xuan
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

 net/qrtr/af_qrtr.c | 2 ++
 1 file changed, 2 insertions(+)

culprit signature: 24ec31a75a813427a4801443a3b6d3c330b3ab3a24db84fff9d6a88b7bd49aec
parent signature: 7868753fe5ed2c55dd365239bf731a4911af4216f22386dae5f51897839f1efc
revisions tested: 12, total time: 7h54m52.44356227s (build: 5h38m34.352061901s, test: 2h3m28.340168115s)
first good commit: aa95efa187b4114075f312b3c4680d050b56fdec net: qrtr: Fix a refcount bug in qrtr_recvmsg()
recipients (to): ["davem@davemloft.net" "sashal@kernel.org" "william.xuanziyang@huawei.com"]
recipients (cc): []