bisecting fixing commit since ff33472c282e209da54cbc0c7c1c06ddfcc93d33 building syzkaller on f28bf2a5db3e13cb2f3edd4834a65d986a7334d3 testing commit ff33472c282e209da54cbc0c7c1c06ddfcc93d33 with gcc (GCC) 8.1.0 kernel signature: 9b999e75fb1f176c3b0c126160e1acb2a25873b5 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_mac testing current HEAD a844dc4c544291470aa69edbe2434b040794e269 testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0 kernel signature: 66ae09d0bd4e8a0daf7461dc8667c89430d7d1ef run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor581097293" "root@10.128.0.140:./syz-executor581097293"]: exit status 1 ssh: connect to host 10.128.0.140 port 22: Connection timed out lost connection run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect start a844dc4c544291470aa69edbe2434b040794e269 ff33472c282e209da54cbc0c7c1c06ddfcc93d33 Bisecting: 1217 revisions left to test after this (roughly 10 steps) [30ec4150a445c29119e9d729beaec74137842512] media: stkwebcam: fix runtime PM after driver unbind testing commit 30ec4150a445c29119e9d729beaec74137842512 with gcc (GCC) 8.1.0 kernel signature: f888b1ca72dd2609e102143f4b0622b64e3eee81 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_mac # git bisect good 30ec4150a445c29119e9d729beaec74137842512 Bisecting: 608 revisions left to test after this (roughly 9 steps) [3d30bea686142879f9cf0ec396fb23f08918db66] bnx2x: Ignore bandwidth attention in single function mode testing commit 3d30bea686142879f9cf0ec396fb23f08918db66 with gcc (GCC) 8.1.0 kernel signature: d6c1c50b62fa535aa2f3ab89b2f92bc27f59b3c3 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_mac # git bisect good 3d30bea686142879f9cf0ec396fb23f08918db66 Bisecting: 304 revisions left to test after this (roughly 8 steps) [71db3989910218b45c624473029228a56a82cb88] hfsplus: prevent btree data loss on ENOSPC testing commit 71db3989910218b45c624473029228a56a82cb88 with gcc (GCC) 8.1.0 kernel signature: 15fc8f4fa3b80cd7bf24b224287be86127b9b1f2 all runs: OK # git bisect bad 71db3989910218b45c624473029228a56a82cb88 Bisecting: 151 revisions left to test after this (roughly 7 steps) [c0933fa586b472a381310a5e911d27811087c889] crypto: mxs-dcp - Fix SHA null hashes and output length testing commit c0933fa586b472a381310a5e911d27811087c889 with gcc (GCC) 8.1.0 kernel signature: e3b403af1285980db8d5a0359d34b1f05c7b980c all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_mac # git bisect good c0933fa586b472a381310a5e911d27811087c889 Bisecting: 75 revisions left to test after this (roughly 6 steps) [436a4721765a66f43d31f808baf51be560951c3e] misc: mic: fix a DMA pool free failure testing commit 436a4721765a66f43d31f808baf51be560951c3e with gcc (GCC) 8.1.0 kernel signature: 686fae79a689e594ecf81e3a1df0876367a27957 all runs: OK # git bisect bad 436a4721765a66f43d31f808baf51be560951c3e Bisecting: 37 revisions left to test after this (roughly 5 steps) [d09d148cad42abf45addbf6f1d39733e2993d899] tools: PCI: Fix broken pcitest compilation testing commit d09d148cad42abf45addbf6f1d39733e2993d899 with gcc (GCC) 8.1.0 kernel signature: 3e12ac49e820ce6a11be9868f9b9a6e59731d544 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_mac # git bisect good d09d148cad42abf45addbf6f1d39733e2993d899 Bisecting: 18 revisions left to test after this (roughly 4 steps) [efb868d452dd1724007c9b3310d2062a53472a97] platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi testing commit efb868d452dd1724007c9b3310d2062a53472a97 with gcc (GCC) 8.1.0 kernel signature: 99a2a3173a8fd72fa0e3dd8f48162a5d92c75782 all runs: OK # git bisect bad efb868d452dd1724007c9b3310d2062a53472a97 Bisecting: 9 revisions left to test after this (roughly 3 steps) [faacb24993b5505eaa60a1607aa6d16497568188] net/sched: act_pedit: fix WARN() in the traffic path testing commit faacb24993b5505eaa60a1607aa6d16497568188 with gcc (GCC) 8.1.0 kernel signature: 3f8112f08d8efb8cfcbed575f55fab806ab42990 all runs: OK # git bisect bad faacb24993b5505eaa60a1607aa6d16497568188 Bisecting: 4 revisions left to test after this (roughly 2 steps) [08265ef6179e82ca70d5712223d568f725f371fb] net/mlx4_en: fix mlx4 ethtool -N insertion testing commit 08265ef6179e82ca70d5712223d568f725f371fb with gcc (GCC) 8.1.0 kernel signature: 4a7b7c029a5edea1c1c696d05986a99f5b527583 all runs: crashed: BUG: unable to handle kernel paging request in dummy_set_vf_mac # git bisect good 08265ef6179e82ca70d5712223d568f725f371fb Bisecting: 2 revisions left to test after this (roughly 1 step) [561f9a0fb445f23543cff7eaa0ad38f363362f9c] sfc: Only cancel the PPS workqueue if it exists testing commit 561f9a0fb445f23543cff7eaa0ad38f363362f9c with gcc (GCC) 8.1.0 kernel signature: 79c416a421d6e21ffefe27d838223e8cd1abdfe9 all runs: OK # git bisect bad 561f9a0fb445f23543cff7eaa0ad38f363362f9c Bisecting: 0 revisions left to test after this (roughly 0 steps) [9ed49fc95f37a457d940324c033c20d85cefb930] net: rtnetlink: prevent underflows in do_setvfinfo() testing commit 9ed49fc95f37a457d940324c033c20d85cefb930 with gcc (GCC) 8.1.0 kernel signature: 22ff05f1267c4f7050eb5f437c7fc13a41d11148 all runs: OK # git bisect bad 9ed49fc95f37a457d940324c033c20d85cefb930 9ed49fc95f37a457d940324c033c20d85cefb930 is the first bad commit commit 9ed49fc95f37a457d940324c033c20d85cefb930 Author: Dan Carpenter Date: Wed Nov 20 15:34:38 2019 +0300 net: rtnetlink: prevent underflows in do_setvfinfo() [ Upstream commit d658c8f56ec7b3de8051a24afb25da9ba3c388c5 ] The "ivm->vf" variable is a u32, but the problem is that a number of drivers cast it to an int and then forget to check for negatives. An example of this is in the cxgb4 driver. drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c 2890 static int cxgb4_mgmt_get_vf_config(struct net_device *dev, 2891 int vf, struct ifla_vf_info *ivi) ^^^^^^ 2892 { 2893 struct port_info *pi = netdev_priv(dev); 2894 struct adapter *adap = pi->adapter; 2895 struct vf_info *vfinfo; 2896 2897 if (vf >= adap->num_vfs) ^^^^^^^^^^^^^^^^^^^ 2898 return -EINVAL; 2899 vfinfo = &adap->vfinfo[vf]; ^^^^^^^^^^^^^^^^^^^^^^^^^^ There are 48 functions affected. drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646' drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254' drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646' drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646' Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman net/core/rtnetlink.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) culprit signature: 22ff05f1267c4f7050eb5f437c7fc13a41d11148 parent signature: 4a7b7c029a5edea1c1c696d05986a99f5b527583 revisions tested: 13, total time: 3h15m11.114517478s (build: 1h43m39.620148264s, test: 1h29m58.960047217s) first good commit: 9ed49fc95f37a457d940324c033c20d85cefb930 net: rtnetlink: prevent underflows in do_setvfinfo() cc: ["dan.carpenter@oracle.com" "davem@davemloft.net" "gregkh@linuxfoundation.org"]