bisecting fixing commit since c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
building syzkaller on 598ca6c8b8766304c3b2865e38f5f301c39bd299
testing commit c63ee2939dc1c6eee6c544af1b4ab441490bfe6e with gcc (GCC) 8.1.0
kernel signature: 807ce85b233605282495079c3d87f9fcde23802ec77f60b1d0cac7dfed2479c9
all runs: crashed: WARNING: refcount bug in sock_wfree
testing current HEAD 8488c3f3bc867e4422bf00b303d7d1fbe829d528
testing commit 8488c3f3bc867e4422bf00b303d7d1fbe829d528 with gcc (GCC) 8.1.0
kernel signature: ffcceb5c99016e1fbe29d93f90628e15ff83625bab4cceb661c37dd69638c86c
all runs: OK
# git bisect start 8488c3f3bc867e4422bf00b303d7d1fbe829d528 c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
Bisecting: 2095 revisions left to test after this (roughly 11 steps)
[ad285a59d5696b1a9d1b065a3392493b6262da2f] ARM: qcom_defconfig: Enable MAILBOX
testing commit ad285a59d5696b1a9d1b065a3392493b6262da2f with gcc (GCC) 8.1.0
kernel signature: 081958a2df0646cb7e99b7361cf89bda4f0d1390947421f047b5b544bee98c57
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good ad285a59d5696b1a9d1b065a3392493b6262da2f
Bisecting: 1047 revisions left to test after this (roughly 10 steps)
[f2b55429200853f75d2193682c69752cdbd13c27] ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node
testing commit f2b55429200853f75d2193682c69752cdbd13c27 with gcc (GCC) 8.1.0
kernel signature: 35f82a00073ddc388b8c6ca2f1324b3470c821561ef18c0f320c389c2e49d7f8
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good f2b55429200853f75d2193682c69752cdbd13c27
Bisecting: 523 revisions left to test after this (roughly 9 steps)
[55c009b419778c30e2deb8c92be54f3a1cac4082] scsi: pm80xx: Fixed kernel panic during error recovery for SATA drive
testing commit 55c009b419778c30e2deb8c92be54f3a1cac4082 with gcc (GCC) 8.1.0
kernel signature: 8f4079c586932f3d1725814b0ce2013cd330db49742b357799b1ae9abb06ac32
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good 55c009b419778c30e2deb8c92be54f3a1cac4082
Bisecting: 261 revisions left to test after this (roughly 8 steps)
[d34dce8d3dbfa7412cb10f38f9fa5583675b55cf] mac80211: mark station unauthorized before key removal
testing commit d34dce8d3dbfa7412cb10f38f9fa5583675b55cf with gcc (GCC) 8.1.0
kernel signature: 9a5ed406e19117429f8961881994faa73943f44ffb222b7105cc428236e2854a
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good d34dce8d3dbfa7412cb10f38f9fa5583675b55cf
Bisecting: 130 revisions left to test after this (roughly 7 steps)
[fd397508347f31324a70d1f389ee4ec75e3f9dc0] block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices
testing commit fd397508347f31324a70d1f389ee4ec75e3f9dc0 with gcc (GCC) 8.1.0
kernel signature: 0b827321b9c5d404d0d70c86fef95c272519bce873c6c0e00a03014eacc6cef7
all runs: OK
# git bisect bad fd397508347f31324a70d1f389ee4ec75e3f9dc0
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[236c445eb3529aa7c976f8812513c3cb26d77e27] drm/bochs: downgrade pci_request_region failure from error to warning
testing commit 236c445eb3529aa7c976f8812513c3cb26d77e27 with gcc (GCC) 8.1.0
kernel signature: 4e9e4410cb79aa914ce353b0c6a615d3280269596dd66545bce296b114fbea4f
all runs: OK
# git bisect bad 236c445eb3529aa7c976f8812513c3cb26d77e27
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[bf204158a8a66fe8bd1da65d23906b87d26bfccf] libfs: fix infoleak in simple_attr_read()
testing commit bf204158a8a66fe8bd1da65d23906b87d26bfccf with gcc (GCC) 8.1.0
kernel signature: 65f349a2e149f75a468e2063ccea000eb2f3c510a38b7fe9711ac90e54a11eb8
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good bf204158a8a66fe8bd1da65d23906b87d26bfccf
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[e29629d20112af8938e791e6676a93f44d610612] gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model
testing commit e29629d20112af8938e791e6676a93f44d610612 with gcc (GCC) 8.1.0
kernel signature: 710cad59d80772d62904c71fe5caf70c490526bb48e5ccf56cb2b90cf8045c98
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good e29629d20112af8938e791e6676a93f44d610612
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[66d4ef50b0ce02501a7641695018e509074149ca] arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id
testing commit 66d4ef50b0ce02501a7641695018e509074149ca with gcc (GCC) 8.1.0
kernel signature: c15910fbfc18e1835f652dc9de379e5efa2560f981f23f20abec91ca67de7c2e
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good 66d4ef50b0ce02501a7641695018e509074149ca
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[48dee02237117c0758410fa4989ce71bdb6cf184] net, ip_tunnel: fix interface lookup with no key
testing commit 48dee02237117c0758410fa4989ce71bdb6cf184 with gcc (GCC) 8.1.0
kernel signature: a014b5d79d8074f5e431f805017ecf4725538bc0fee1b9d50a5521c88e995435
all runs: crashed: WARNING: refcount bug in sock_wfree
# git bisect good 48dee02237117c0758410fa4989ce71bdb6cf184
Bisecting: 2 revisions left to test after this (roughly 1 step)
[e2ed7b117f3fe6aa0237568dcb69ed7f39cb4979] sctp: fix possibly using a bad saddr with a given dst
testing commit e2ed7b117f3fe6aa0237568dcb69ed7f39cb4979 with gcc (GCC) 8.1.0
kernel signature: 6ec0abf2b69f0856837f384f5709ab810d577cfc61156e025a54b71863def5a8
all runs: OK
# git bisect bad e2ed7b117f3fe6aa0237568dcb69ed7f39cb4979
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6ce6aea362d46781d4f5f03cfda16f0a395445d2] sctp: fix refcount bug in sctp_wfree
testing commit 6ce6aea362d46781d4f5f03cfda16f0a395445d2 with gcc (GCC) 8.1.0
kernel signature: f3ad995006f100d2e4ec8ec21524fd07d364467e1e56d109d0d3617565e764a1
all runs: OK
# git bisect bad 6ce6aea362d46781d4f5f03cfda16f0a395445d2
6ce6aea362d46781d4f5f03cfda16f0a395445d2 is the first bad commit
commit 6ce6aea362d46781d4f5f03cfda16f0a395445d2
Author: Qiujun Huang
Date:   Fri Mar 27 11:07:51 2020 +0800

    sctp: fix refcount bug in sctp_wfree

    [ Upstream commit 5c3e82fe159622e46e91458c1a6509c321a62820 ]

    We should iterate over the datamsgs to move all chunks(skbs) to newsk.

    The following case causes the bug:
    for the trouble SKB, it was in outq->transmitted list

    sctp_outq_sack
            sctp_check_transmitted
                    SKB was moved to outq->sacked list
            then throw away the sack queue
                    SKB was deleted from outq->sacked
    (but it was held by datamsg at sctp_datamsg_to_asoc
    So, sctp_wfree was not called here)

    then migrate happened

            sctp_for_each_tx_datachunk(
            sctp_clear_owner_w);
            sctp_assoc_migrate();
            sctp_for_each_tx_datachunk(
            sctp_set_owner_w);
    SKB was not in the outq, and was not changed to newsk

    finally __sctp_outq_teardown
            sctp_chunk_put (for another skb)
                    sctp_datamsg_put
                            __kfree_skb(msg->frag_list)
                                    sctp_wfree (for SKB)
        SKB->sk was still oldsk (skb->sk != asoc->base.sk).

    Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
    Signed-off-by: Qiujun Huang
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sctp/socket.c | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

culprit signature: f3ad995006f100d2e4ec8ec21524fd07d364467e1e56d109d0d3617565e764a1
parent signature: a014b5d79d8074f5e431f805017ecf4725538bc0fee1b9d50a5521c88e995435
revisions tested: 14, total time: 3h25m44.656915717s (build: 2h5m11.671239662s, test: 1h18m41.195056927s)
first good commit: 6ce6aea362d46781d4f5f03cfda16f0a395445d2 sctp: fix refcount bug in sctp_wfree
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "hqjagain@gmail.com" "mleitner@redhat.com" "syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com"]
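The ownership problem the commit message describes can be reduced to a small model. The following is an added example written for this page, not kernel code and not part of the fix above: the structs, CHUNK_LEN, the two walk functions and the scenario are simplified stand-ins for sk_wmem_alloc, skb->sk, the outq lists, the datamsg and the migrate/teardown sequence. It charges two fragments of one datamsg to oldsk, drops one of them from the outq after a SACK (the datamsg still holds it, so no wfree runs), then migrates the association with the pre-fix walk (outq lists only) and with a walk that reaches every chunk through its datamsg, as the commit message prescribes. The buggy walk leaves one chunk charged to oldsk, so oldsk still carries an outstanding charge when it is released and the eventual free hits a socket that is no longer the association's base socket.

```c
#include <stdio.h>

#define CHUNK_LEN 100   /* assumed per-chunk charge; stands in for skb truesize */
#define MAX_FRAGS 4

struct toy_sock {
    const char *name;
    long wmem_alloc;    /* stands in for sk_wmem_alloc */
    int released;       /* socket already torn down */
};

struct toy_chunk {
    struct toy_sock *sk;    /* stands in for skb->sk: the socket charged for it */
    int in_outq;            /* still linked on one of the outq lists? */
};

struct toy_datamsg {
    struct toy_chunk frags[MAX_FRAGS];  /* stands in for the chunks a datamsg holds */
    int nfrags;
};

struct toy_assoc {
    struct toy_sock *base_sk;   /* stands in for asoc->base.sk */
    struct toy_datamsg msg;     /* one outstanding datamsg is enough for the toy */
};

typedef void (*owner_cb)(struct toy_chunk *, struct toy_sock *);

/* stands in for sctp_set_owner_w: charge the chunk to sk */
static void set_owner_w(struct toy_chunk *c, struct toy_sock *sk)
{
    c->sk = sk;
    sk->wmem_alloc += CHUNK_LEN;
}

/* stands in for sctp_wfree: refund the charge to whichever socket skb->sk names */
static void wfree(struct toy_chunk *c)
{
    c->sk->wmem_alloc -= CHUNK_LEN;
    c->sk = NULL;
}

/* stands in for sctp_clear_owner_w */
static void clear_owner_w(struct toy_chunk *c, struct toy_sock *unused)
{
    (void)unused;
    wfree(c);
}

/* Pre-fix walk: only chunks still linked on the outq lists are visited. */
static void for_each_outq_chunk(struct toy_assoc *a, owner_cb cb, struct toy_sock *sk)
{
    for (int i = 0; i < a->msg.nfrags; i++)
        if (a->msg.frags[i].in_outq)
            cb(&a->msg.frags[i], sk);
}

/* Datamsg walk: reach the datamsg through any chunk of it that is still on the
 * outq, then visit every chunk the datamsg holds, on an outq list or not. */
static void for_each_datamsg_chunk(struct toy_assoc *a, owner_cb cb, struct toy_sock *sk)
{
    int reachable = 0;
    for (int i = 0; i < a->msg.nfrags; i++)
        reachable |= a->msg.frags[i].in_outq;
    if (!reachable)
        return;
    for (int i = 0; i < a->msg.nfrags; i++)
        cb(&a->msg.frags[i], sk);
}

struct outcome {
    long leaked_on_oldsk;     /* charge still on oldsk when it is released */
    int chunks_on_wrong_sk;   /* chunks whose sk != asoc->base.sk after migration */
    int frees_on_dead_sk;     /* wfree calls that refund an already released socket */
    long newsk_final;         /* newsk accounting after teardown; must be 0 */
};

static struct outcome run_migration(int use_datamsg_walk)
{
    struct toy_sock oldsk = { "oldsk", 0, 0 };
    struct toy_sock newsk = { "newsk", 0, 0 };
    struct toy_assoc a = { .base_sk = &oldsk };
    struct outcome r = { 0, 0, 0, 0 };
    void (*walk)(struct toy_assoc *, owner_cb, struct toy_sock *) =
        use_datamsg_walk ? for_each_datamsg_chunk : for_each_outq_chunk;

    /* datamsg to assoc: two fragments, both charged to oldsk and queued */
    a.msg.nfrags = 2;
    for (int i = 0; i < a.msg.nfrags; i++) {
        set_owner_w(&a.msg.frags[i], &oldsk);
        a.msg.frags[i].in_outq = 1;
    }

    /* SACK: fragment 1 leaves outq->transmitted for outq->sacked and is then
     * dropped from it; the datamsg still holds it, so no wfree runs here */
    a.msg.frags[1].in_outq = 0;

    /* migrate: uncharge from oldsk, switch the association, charge newsk */
    walk(&a, clear_owner_w, NULL);
    a.base_sk = &newsk;
    walk(&a, set_owner_w, &newsk);

    for (int i = 0; i < a.msg.nfrags; i++)
        if (a.msg.frags[i].sk != a.base_sk)
            r.chunks_on_wrong_sk++;

    /* oldsk goes away; anything still charged to it is an outstanding charge */
    r.leaked_on_oldsk = oldsk.wmem_alloc;
    oldsk.released = 1;

    /* teardown: the datamsg finally releases every fragment and wfree refunds
     * whichever socket the chunk still names */
    for (int i = 0; i < a.msg.nfrags; i++) {
        if (a.msg.frags[i].sk->released)
            r.frees_on_dead_sk++;
        wfree(&a.msg.frags[i]);
    }
    r.newsk_final = newsk.wmem_alloc;
    return r;
}

int main(void)
{
    for (int datamsg = 0; datamsg <= 1; datamsg++) {
        struct outcome r = run_migration(datamsg);
        printf("%s walk: leaked on oldsk=%ld, chunks on wrong sk=%d, "
               "frees on dead sk=%d, newsk final=%ld\n",
               datamsg ? "datamsg" : "outq", r.leaked_on_oldsk,
               r.chunks_on_wrong_sk, r.frees_on_dead_sk, r.newsk_final);
    }
    return 0;
}
```

The invariant the model checks is the one the commit message ends on: after migration every chunk the association still holds must name asoc->base.sk. A walk keyed on transient queue membership cannot guarantee that, because a chunk can leave every outq list while its datamsg keeps it alive; the walk has to cover the container that actually owns the chunk.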