bisecting cause commit starting from 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c
building syzkaller on 0ce7569ee76fda7e5a68b0fe14c93a3e8eb7d108
testing commit 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c with gcc (GCC) 8.1.0
kernel signature: f3f395a2608d748f991fd032637c0d81b5fb87d5fdc8220acd08118098b99e56
run #0: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #2: crashed: WARNING: refcount bug in crypto_mod_get
run #3: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #4: crashed: WARNING: refcount bug in crypto_mod_get
run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #7: crashed: WARNING: refcount bug in crypto_mod_get
run #8: crashed: WARNING: refcount bug in crypto_mod_get
run #9: crashed: WARNING: refcount bug in crypto_destroy_tfm
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 734ef38c028f4c0d567facd52ae37825c27b0626da440f6053d55291ef650374
run #0: crashed: WARNING: refcount bug in crypto_mod_get
run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #3: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #4: crashed: WARNING: refcount bug in crypto_mod_get
run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #6: crashed: WARNING: refcount bug in crypto_mod_get
run #7: crashed: WARNING: refcount bug in crypto_mod_get
run #8: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #9: crashed: WARNING: refcount bug in crypto_destroy_tfm
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: daa0913d04a64424c21610b29eebe1d1a6b370c7973aab0dbaf0fdefd9482a81
all runs: OK
# git bisect start 7111951b8d4973bda27ff663f2cf18b663d15b48 d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
Bisecting: 6113 revisions left to test after this (roughly 13 steps)
[9f68e3655aae6d49d6ba05dd263f99f33c2567af] Merge tag 'drm-next-2020-01-30' of git://anongit.freedesktop.org/drm/drm
testing commit 9f68e3655aae6d49d6ba05dd263f99f33c2567af with gcc (GCC) 8.1.0
kernel signature: 5ce7d8ce76186391bad55f607ad66e53de2923bae1c493b6c06c2c13478fa005
run #0: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #3: crashed: WARNING: refcount bug in crypto_mod_get
run #4: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #5: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #8: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #9: crashed: WARNING: refcount bug in crypto_destroy_tfm
# git bisect bad 9f68e3655aae6d49d6ba05dd263f99f33c2567af
Bisecting: 3686 revisions left to test after this (roughly 12 steps)
[fb95aae6e67c4e319a24b3eea32032d4246a5335] Merge tag 'sound-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit fb95aae6e67c4e319a24b3eea32032d4246a5335 with gcc (GCC) 8.1.0
kernel signature: 5160586d88a60a1de963b159a857ed22e276dcb0575d22fc195e3832bbfcb718
run #0: crashed: WARNING: refcount bug in crypto_mod_get
run #1: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #2: crashed: WARNING: refcount bug in crypto_mod_get
run #3: crashed: WARNING: refcount bug in crypto_mod_get
run #4: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #5: crashed: WARNING: refcount bug in crypto_mod_get
run #6: crashed: WARNING: refcount bug in crypto_mod_get
run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #8: crashed: WARNING: refcount bug in crypto_mod_get
run #9: crashed: WARNING: refcount bug in crypto_mod_get
# git bisect bad fb95aae6e67c4e319a24b3eea32032d4246a5335
Bisecting: 2267 revisions left to test after this (roughly 11 steps)
[f76e4c167ea2212e23c15ee7e601a865e822c291] net: phy: add default ARCH_BCM_IPROC for MDIO_BCM_IPROC
testing commit f76e4c167ea2212e23c15ee7e601a865e822c291 with gcc (GCC) 8.1.0
kernel signature: a74afd86eaa29e6195f50ef299eaf73e229cf4d6f3ccfb41e2d48cbf4c31e129
all runs: OK
# git bisect good f76e4c167ea2212e23c15ee7e601a865e822c291
Bisecting: 1113 revisions left to test after this (roughly 10 steps)
[c677124e631d97130e4ff7db6e10acdfb7a82321] Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit c677124e631d97130e4ff7db6e10acdfb7a82321 with gcc (GCC) 8.1.0
kernel signature: bd703cc1de839a4caaebfeff2072a32f198b1ef7657eca041ad4fb9dc4f2c1e9
all runs: OK
# git bisect good c677124e631d97130e4ff7db6e10acdfb7a82321
Bisecting: 458 revisions left to test after this (roughly 9 steps)
[90fb04f890bcb7384b4d4c216dc2640b0a870df3] Merge tag 'asoc-v5.6' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
testing commit 90fb04f890bcb7384b4d4c216dc2640b0a870df3 with gcc (GCC) 8.1.0
kernel signature: 923a25e3b98771736dee7734a722275c440240f4645cad8aeeafa0b7caa606a0
all runs: OK
# git bisect good 90fb04f890bcb7384b4d4c216dc2640b0a870df3
Bisecting: 229 revisions left to test after this (roughly 8 steps)
[684cf266eb04911825a6de10dadd188cf801d063] crypto: ccree - fix typo in comment
testing commit 684cf266eb04911825a6de10dadd188cf801d063 with gcc (GCC) 8.1.0
kernel signature: d3276015dabcecf96839c1a33723e4ddbe86f459617d069a9f856223d83a66c8
run #0: crashed: WARNING: refcount bug in crypto_mod_get
run #1: crashed: WARNING: refcount bug in crypto_mod_get
run #2: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #3: crashed: WARNING: refcount bug in crypto_mod_get
run #4: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #5: crashed: WARNING: refcount bug in crypto_mod_get
run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #8: crashed: WARNING: refcount bug in crypto_mod_get
run #9: crashed: WARNING: refcount bug in crypto_mod_get
# git bisect bad 684cf266eb04911825a6de10dadd188cf801d063
Bisecting: 114 revisions left to test after this (roughly 7 steps)
[0e69378940eafe386464679a84856d1b63e1bac2] crypto: atmel-{aes,sha} - Fix incorrect use of dmaengine_terminate_all()
testing commit 0e69378940eafe386464679a84856d1b63e1bac2 with gcc (GCC) 8.1.0
kernel signature: f2d8c000e06997b86e296280d64df9e5b415dbd5c68bc0ec6414e19b1a3810fa
run #0: crashed: WARNING: refcount bug in crypto_mod_get
run #1: crashed: WARNING: refcount bug in crypto_mod_get
run #2: crashed: WARNING: refcount bug in crypto_mod_get
run #3: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #4: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #5: crashed: WARNING: refcount bug in crypto_mod_get
run #6: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #7: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #8: crashed: WARNING: refcount bug in crypto_destroy_tfm
run #9: crashed: WARNING: refcount bug in crypto_mod_get
# git bisect bad 0e69378940eafe386464679a84856d1b63e1bac2
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[095be695e564d1c64d33327b03e32bf5749b1174] crypto: aead - move crypto_aead_maxauthsize() to <crypto/aead.h>
testing commit 095be695e564d1c64d33327b03e32bf5749b1174 with gcc (GCC) 8.1.0
kernel signature: 02087245042c49f63c54f48eeeeaeaa3193ae0db8820be7baa86837aa484c852
run #0: crashed: KASAN: null-ptr-deref Read in pcrypt_create
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 095be695e564d1c64d33327b03e32bf5749b1174
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[0a940d4e27658a545884351c46a70b132272a38d] crypto: api - remove another reference to blkcipher
testing commit 0a940d4e27658a545884351c46a70b132272a38d with gcc (GCC) 8.1.0
kernel signature: c9ae17bf421faefaff8bb27bf7ea4352969c44336106ac6d4af0f5abaa5a037f
all runs: OK
# git bisect good 0a940d4e27658a545884351c46a70b132272a38d
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[a9befcf46913bd70d1421ea6b77e8b47a8b70483] crypto: omap-aes-gcm - fix corner case with only auth data
testing commit a9befcf46913bd70d1421ea6b77e8b47a8b70483 with gcc (GCC) 8.1.0
kernel signature: 02ef63849d776439674a12eee02039acce151bfed0cd8a92c01b55bb89b514a7
all runs: OK
# git bisect good a9befcf46913bd70d1421ea6b77e8b47a8b70483
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[b877ad1a135c802d4529a72aa82faf46ef5db097] crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode
testing commit b877ad1a135c802d4529a72aa82faf46ef5db097 with gcc (GCC) 8.1.0
kernel signature: 246063ca0e33100d2495e8da1a9ded2b72c71a70de7c5cd070b1e071e1729880
run #0: crashed: BUG: corrupted list in crypto_drop_spawn
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad b877ad1a135c802d4529a72aa82faf46ef5db097
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[dbb326fd009346061e5083c3a0d2d1a2fa348e04] crypto: omap-aes - reject invalid input sizes for block modes
testing commit dbb326fd009346061e5083c3a0d2d1a2fa348e04 with gcc (GCC) 8.1.0
kernel signature: 0e1db94a08af4c859ef7cbf2fb0f28433264f8676c0849f8194d2a93d00bb07d
all runs: OK
# git bisect good dbb326fd009346061e5083c3a0d2d1a2fa348e04
Bisecting: 1 revision left to test after this (roughly 1 step)
[46d57443eca46999051946c27ec95df313f3619a] crypto: omap-aes-gcm - deal with memory allocation failure
testing commit 46d57443eca46999051946c27ec95df313f3619a with gcc (GCC) 8.1.0
kernel signature: 515134312092713439fac5ac8b10c953e74265330a4da89cac354d9125f32c20
all runs: OK
# git bisect good 46d57443eca46999051946c27ec95df313f3619a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[12adf9d63ec3af674f1e3145308a29daffb73887] crypto: omap-aes-gcm - add missing .setauthsize hooks
testing commit 12adf9d63ec3af674f1e3145308a29daffb73887 with gcc (GCC) 8.1.0
kernel signature: 990a3bc89f4872c9d0495b943035ca9fde1d22773931317ee8db1f172c186aaf
all runs: OK
# git bisect good 12adf9d63ec3af674f1e3145308a29daffb73887
b877ad1a135c802d4529a72aa82faf46ef5db097 is the first bad commit
commit b877ad1a135c802d4529a72aa82faf46ef5db097
Author: Ard Biesheuvel <ardb@kernel.org>
Date:   Tue Nov 5 16:01:04 2019 +0200

    crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode
    
    RFC4106 requires the associated data to be a certain size, so reject
    inputs that are wrong. This also prevents crashes or other problems due
    to assoclen becoming negative after subtracting 8 bytes.
    
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Reviewed-by: Tero Kristo <t-kristo@ti.com>
    Tested-by: Tero Kristo <t-kristo@ti.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 drivers/crypto/omap-aes-gcm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
culprit signature: 246063ca0e33100d2495e8da1a9ded2b72c71a70de7c5cd070b1e071e1729880
parent  signature: 990a3bc89f4872c9d0495b943035ca9fde1d22773931317ee8db1f172c186aaf
revisions tested: 17, total time: 4h17m30.18578756s (build: 1h53m9.730377441s, test: 2h23m9.155796726s)
first bad commit: b877ad1a135c802d4529a72aa82faf46ef5db097 crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode
cc: ["ardb@kernel.org" "herbert@gondor.apana.org.au" "t-kristo@ti.com"]
crash: BUG: corrupted list in crypto_drop_spawn
list_del corruption. prev->next should be ffff888098a561e0, but was ffff888089e16f40
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 10665 Comm: cryptomgr_probe Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid.cold.1+0x48/0x4d lib/list_debug.c:51
Code: 4d 8d 87 e8 db d7 11 fe 0f 0b 48 89 de 48 c7 c7 e0 4e 8d 87 e8 ca d7 11 fe 0f 0b 48 89 de 48 c7 c7 80 4e 8d 87 e8 b9 d7 11 fe <0f> 0b cc cc cc 41 57 41 56 41 55 41 54 55 48 bd 00 00 00 00 00 fc
RSP: 0018:ffffc90005d1fe48 EFLAGS: 00010286
RAX: 0000000000000054 RBX: ffff888098a561e0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff8b3db460
RBP: ffffc90005317d50 R08: ffffed1015d26629 R09: ffffed1015d26629
R10: ffffed1015d26628 R11: ffff8880ae933147 R12: ffffc90005317d50
R13: ffff888098a56218 R14: ffff888098a561e0 R15: ffff888098a56000
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcdac36f9c CR3: 00000000a7187000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:131 [inline]
 list_del include/linux/list.h:139 [inline]
 crypto_drop_spawn+0x4b/0x190 crypto/algapi.c:676
 crypto_drop_aead include/crypto/internal/aead.h:95 [inline]
 pcrypt_create_aead crypto/pcrypt.c:298 [inline]
 pcrypt_create+0x5af/0x7c0 crypto/pcrypt.c:318
 cryptomgr_probe+0x54/0x1f0 crypto/algboss.c:70
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 49babc9cda7e7163 ]---
RIP: 0010:__list_del_entry_valid.cold.1+0x48/0x4d lib/list_debug.c:51
Code: 4d 8d 87 e8 db d7 11 fe 0f 0b 48 89 de 48 c7 c7 e0 4e 8d 87 e8 ca d7 11 fe 0f 0b 48 89 de 48 c7 c7 80 4e 8d 87 e8 b9 d7 11 fe <0f> 0b cc cc cc 41 57 41 56 41 55 41 54 55 48 bd 00 00 00 00 00 fc
RSP: 0018:ffffc90005d1fe48 EFLAGS: 00010286
RAX: 0000000000000054 RBX: ffff888098a561e0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff8b3db460
RBP: ffffc90005317d50 R08: ffffed1015d26629 R09: ffffed1015d26629
R10: ffffed1015d26628 R11: ffff8880ae933147 R12: ffffc90005317d50
R13: ffff888098a56218 R14: ffff888098a561e0 R15: ffff888098a56000
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc256820000 CR3: 00000000952d3000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400