bisecting cause commit starting from a59cf619787e628b31c310367f869fde26c8ede1 building syzkaller on 9602ddf403bdf3cfd87efef14becc76f9a38b81d testing commit a59cf619787e628b31c310367f869fde26c8ede1 with gcc (GCC) 8.1.0 kernel signature: b3441e2fa258175811e0a68fcf0151ac3833def67ad24174f548bf44471c7436 all runs: crashed: WARNING: refcount bug in tipc_mcast_xmit testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 69112d1c0928faa32a7e1770f86075a3166541e0af12fd9f1f8540614505c3fc run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect start a59cf619787e628b31c310367f869fde26c8ede1 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 7417 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: f2576a477c8a1d2fe80fcb0e4ff500365df996d69a72ab26dda6c18e3723b55d all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 3705 revisions left to test after this (roughly 12 steps) [9420f1ce01869409d78901c3e036b2c437cbc6b8] Merge tag 'pinctrl-v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit 9420f1ce01869409d78901c3e036b2c437cbc6b8 with gcc (GCC) 8.1.0 kernel signature: f774b7a3fd555f26c9471d946f9c506ad2a1f65eee873a1e02b7c4bc854c0635 all runs: OK # git bisect good 9420f1ce01869409d78901c3e036b2c437cbc6b8 Bisecting: 1852 revisions left to test after this (roughly 11 steps) [ad6641189c5935192a15eeb4b369dd04ebedfabb] net: ipv4: remove duplicate "the the" phrase in Kconfig text testing commit ad6641189c5935192a15eeb4b369dd04ebedfabb with gcc (GCC) 8.1.0 kernel signature: 791565bb1750ac62b5aca97c8e214ba2508de2ebf49b5ad48754aa97213ae278 all runs: OK # git bisect good ad6641189c5935192a15eeb4b369dd04ebedfabb Bisecting: 925 revisions left to test after this (roughly 10 steps) [2fb547911ca54bc9ffa2709c55c9a7638ac50ae4] Merge tag 'thermal-v5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux testing commit 2fb547911ca54bc9ffa2709c55c9a7638ac50ae4 with gcc (GCC) 8.1.0 kernel signature: c5b7705cb1cd94d4accaefc8ba92c08940b7f6f6fa7d4adaa89bc88895570f63 all runs: OK # git bisect good 2fb547911ca54bc9ffa2709c55c9a7638ac50ae4 Bisecting: 454 revisions left to test after this (roughly 9 steps) [4c0449c906fe4d9631025bc11993009071094a9a] Merge tag 'drm-fixes-2020-09-18' of git://anongit.freedesktop.org/drm/drm testing commit 4c0449c906fe4d9631025bc11993009071094a9a with gcc (GCC) 8.1.0 kernel signature: 9dc0230e8db46fbb9aa383055aaa4374d7df1c39f056a9d9f1e61c7f149fd139 all runs: OK # git bisect good 4c0449c906fe4d9631025bc11993009071094a9a Bisecting: 265 revisions left to test after this (roughly 8 steps) [b334ec66d4554a0af0471b1f21c477575c8c175d] Merge branch 'Fix-broken-tc-flower-rules-for-mscc_ocelot-switches' testing commit b334ec66d4554a0af0471b1f21c477575c8c175d with gcc (GCC) 8.1.0 kernel signature: 67afbdb0a2956d66f22edf60e7fd7675ade8d65d9b9b17825bc5347a90d2418c run #0: crashed: WARNING: refcount bug in tipc_mcast_xmit run #1: crashed: WARNING: refcount bug in corrupted run #2: crashed: WARNING: refcount bug in tipc_mcast_xmit run #3: crashed: WARNING: refcount bug in tipc_mcast_xmit run #4: crashed: WARNING: refcount bug in tipc_mcast_xmit run #5: crashed: WARNING: refcount bug in tipc_mcast_xmit run #6: crashed: WARNING: refcount bug in tipc_mcast_xmit run #7: crashed: WARNING: refcount bug in tipc_mcast_xmit run #8: crashed: WARNING: refcount bug in tipc_mcast_xmit run #9: crashed: WARNING: refcount bug in tipc_mcast_xmit # git bisect bad b334ec66d4554a0af0471b1f21c477575c8c175d Bisecting: 94 revisions left to test after this (roughly 7 steps) [8e1b3ac4786680c2d2b5a24e38a2d714c3bcd1ef] net: sched: initialize with 0 before setting erspan md->u testing commit 8e1b3ac4786680c2d2b5a24e38a2d714c3bcd1ef with gcc (GCC) 8.1.0 kernel signature: 6863a9ab97f13ed5dbac464453a1f62cb9d0961a311bdbfad7643dd1e599efae all runs: crashed: WARNING: refcount bug in tipc_mcast_xmit # git bisect bad 8e1b3ac4786680c2d2b5a24e38a2d714c3bcd1ef Bisecting: 46 revisions left to test after this (roughly 6 steps) [0367f05885b9f21d062447bd2ba1302ba3cc7392] net: qede: Disable aRFS for NPAR and 100G testing commit 0367f05885b9f21d062447bd2ba1302ba3cc7392 with gcc (GCC) 8.1.0 kernel signature: 15a8f52d54a18abc92c60469730f93bf3e31f09184f0a9b5030048ebfad781a5 all runs: OK # git bisect good 0367f05885b9f21d062447bd2ba1302ba3cc7392 Bisecting: 23 revisions left to test after this (roughly 5 steps) [553d87b658fed0e22a0f86b4f1b093c39d3e3074] netlink: fix doc about nlmsg_parse/nla_validate testing commit 553d87b658fed0e22a0f86b4f1b093c39d3e3074 with gcc (GCC) 8.1.0 kernel signature: bf2433a8003d7643fe4ded654da31cacdf0005d87ea6dddc108e532c112ba6e3 all runs: OK # git bisect good 553d87b658fed0e22a0f86b4f1b093c39d3e3074 Bisecting: 11 revisions left to test after this (roughly 4 steps) [4202c9fdf03d79dedaa94b2c4cf574f25793d669] rndis_host: increase sleep time in the query-response loop testing commit 4202c9fdf03d79dedaa94b2c4cf574f25793d669 with gcc (GCC) 8.1.0 kernel signature: efb24fb682dc6e780996f34e07b18bbe60af97d5a9ed82ca851f4fb877f3bccb all runs: OK # git bisect good 4202c9fdf03d79dedaa94b2c4cf574f25793d669 Bisecting: 5 revisions left to test after this (roughly 3 steps) [1869e226a7b3ef75b4f70ede2f1b7229f7157fa4] ipv4: Initialize flowi4_multipath_hash in data path testing commit 1869e226a7b3ef75b4f70ede2f1b7229f7157fa4 with gcc (GCC) 8.1.0 kernel signature: d4723f0a76720b913861aef5dae5c97ba99604e28ceafbf72d1a53ce283e0788 all runs: OK # git bisect good 1869e226a7b3ef75b4f70ede2f1b7229f7157fa4 Bisecting: 2 revisions left to test after this (roughly 2 steps) [13e6ce98aa65ab5ce19351c020419360dfe8af29] net: sched: only keep the available bits when setting vxlan md->gbp testing commit 13e6ce98aa65ab5ce19351c020419360dfe8af29 with gcc (GCC) 8.1.0 kernel signature: b331ad843dd306be21f5f620dd9646d7f54fbed6c49db365c11f288d808fd475 all runs: crashed: WARNING: refcount bug in tipc_mcast_xmit # git bisect bad 13e6ce98aa65ab5ce19351c020419360dfe8af29 Bisecting: 0 revisions left to test after this (roughly 1 step) [ff48b6222e65ebdba5a403ef1deba6214e749193] tipc: use skb_unshare() instead in tipc_buf_append() testing commit ff48b6222e65ebdba5a403ef1deba6214e749193 with gcc (GCC) 8.1.0 kernel signature: 675510628ecc7a8af9c173a885bd1c3b6d5b9ba027cb8922dbd399f1b6244c8d all runs: crashed: WARNING: refcount bug in tipc_mcast_xmit # git bisect bad ff48b6222e65ebdba5a403ef1deba6214e749193 Bisecting: 0 revisions left to test after this (roughly 0 steps) [bb3a420d47ab00d7e1e5083286cab15235a96680] tipc: Fix memory leak in tipc_group_create_member() testing commit bb3a420d47ab00d7e1e5083286cab15235a96680 with gcc (GCC) 8.1.0 kernel signature: c82042343c6eff500545308a8f3670e2ce247e0ae1c58e5414fce8db49bf2472 all runs: OK # git bisect good bb3a420d47ab00d7e1e5083286cab15235a96680 ff48b6222e65ebdba5a403ef1deba6214e749193 is the first bad commit commit ff48b6222e65ebdba5a403ef1deba6214e749193 Author: Xin Long Date: Sun Sep 13 19:37:31 2020 +0800 tipc: use skb_unshare() instead in tipc_buf_append() In tipc_buf_append() it may change skb's frag_list, and it causes problems when this skb is cloned. skb_unclone() doesn't really make this skb's flag_list available to change. Shuang Li has reported an use-after-free issue because of this when creating quite a few macvlan dev over the same dev, where the broadcast packets will be cloned and go up to the stack: [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0 [ ] Call Trace: [ ] dump_stack+0x7c/0xb0 [ ] print_address_description.constprop.7+0x1a/0x220 [ ] kasan_report.cold.10+0x37/0x7c [ ] check_memory_region+0x183/0x1e0 [ ] pskb_expand_head+0x86d/0xea0 [ ] process_backlog+0x1df/0x660 [ ] net_rx_action+0x3b4/0xc90 [ ] [ ] Allocated by task 1786: [ ] kmem_cache_alloc+0xbf/0x220 [ ] skb_clone+0x10a/0x300 [ ] macvlan_broadcast+0x2f6/0x590 [macvlan] [ ] macvlan_process_broadcast+0x37c/0x516 [macvlan] [ ] process_one_work+0x66a/0x1060 [ ] worker_thread+0x87/0xb10 [ ] [ ] Freed by task 3253: [ ] kmem_cache_free+0x82/0x2a0 [ ] skb_release_data+0x2c3/0x6e0 [ ] kfree_skb+0x78/0x1d0 [ ] tipc_recvmsg+0x3be/0xa40 [tipc] So fix it by using skb_unshare() instead, which would create a new skb for the cloned frag and it'll be safe to change its frag_list. The similar things were also done in sctp_make_reassembled_event(), which is using skb_copy(). Reported-by: Shuang Li Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function") Signed-off-by: Xin Long Signed-off-by: David S. Miller net/tipc/msg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) culprit signature: 675510628ecc7a8af9c173a885bd1c3b6d5b9ba027cb8922dbd399f1b6244c8d parent signature: c82042343c6eff500545308a8f3670e2ce247e0ae1c58e5414fce8db49bf2472 revisions tested: 16, total time: 3h27m32.699936041s (build: 1h21m24.113418484s, test: 2h4m44.038620191s) first bad commit: ff48b6222e65ebdba5a403ef1deba6214e749193 tipc: use skb_unshare() instead in tipc_buf_append() recipients (to): ["davem@davemloft.net" "davem@davemloft.net" "jmaloy@redhat.com" "kuba@kernel.org" "lucien.xin@gmail.com" "netdev@vger.kernel.org" "tipc-discussion@lists.sourceforge.net" "ying.xue@windriver.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: WARNING: refcount bug in tipc_mcast_xmit WARNING: CPU: 0 PID: 8341 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 lib/refcount.c:28 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 8341 Comm: syz-executor.1 Not tainted 5.9.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa3/0xcc lib/dump_stack.c:118 panic+0x16e/0x353 kernel/panic.c:231 __warn.cold.13+0x20/0x2c kernel/panic.c:600 report_bug+0xc0/0xf0 lib/bug.c:198 handle_bug+0x35/0x90 arch/x86/kernel/traps.c:234 exc_invalid_op+0x13/0x60 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:refcount_warn_saturate+0xd8/0xe0 lib/refcount.c:28 Code: ff 48 c7 c7 a0 16 14 84 c6 05 f6 bf b8 02 01 e8 09 c4 40 ff 0f 0b c3 48 c7 c7 48 16 14 84 c6 05 e2 bf b8 02 01 e8 f3 c3 40 ff <0f> 0b c3 0f 1f 44 00 00 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 46 RSP: 0018:ffffc900027d7968 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffffc900027d7af0 RCX: 0000000000000001 RDX: 0000000080000001 RSI: ffffffff8424c4ce RDI: 00000000ffffffff RBP: ffffc900027d7a80 R08: 0000000000000001 R09: 0000000000000001 R10: ffff88810ed640c0 R11: 8530591fa3f72658 R12: ffffc900027d79f8 R13: ffff88812ac3a660 R14: 00000000fffffff4 R15: ffff888110e00100 __skb_queue_purge include/linux/skbuff.h:2794 [inline] tipc_mcast_xmit+0xfb/0x580 net/tipc/bcast.c:422 tipc_sendmcast+0x44d/0x550 net/tipc/socket.c:865 __tipc_sendmsg+0x57c/0x7a0 net/tipc/socket.c:1454 tipc_sendmsg+0x2b/0x40 net/tipc/socket.c:1387 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 ____sys_sendmsg+0x1ed/0x230 net/socket.c:2353 ___sys_sendmsg+0x77/0xb0 net/socket.c:2407 __sys_sendmsg+0x52/0xa0 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45dd99 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f5dd35aec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000002e740 RCX: 000000000045dd99 RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 RBP: 00007f5dd35aeca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00007ffe7b9716ef R14: 00007f5dd35af9c0 R15: 000000000118bf2c Kernel Offset: disabled Rebooting in 86400 seconds..