bisecting fixing commit since 88d6de67e390b6093f2c11189ad022988a9e2961
building syzkaller on c8e81ce4c7e3b59e7c83c6fab56c217916f3b3b6
testing commit 88d6de67e390b6093f2c11189ad022988a9e2961 with gcc (GCC) 8.1.0
kernel signature: 4a3a861ef8c5d87098adc503fd2476e0352adcf5c2582c247b6d037f3f921661
all runs: crashed: KASAN: slab-out-of-bounds Read in __nla_put_nohdr
testing current HEAD f25804f389846835535db255e7ba80eeed967ed7
testing commit f25804f389846835535db255e7ba80eeed967ed7 with gcc (GCC) 8.1.0
kernel signature: 202a67c2b98a57df5c6550cfad8b6cd0aa6c2f60f1da88b9fc20981cfbfb0c51
all runs: OK
# git bisect start f25804f389846835535db255e7ba80eeed967ed7 88d6de67e390b6093f2c11189ad022988a9e2961
Bisecting: 347 revisions left to test after this (roughly 9 steps)
[d4ab9cc432bb1945820b5813cb7a37d9d802d2cd] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
testing commit d4ab9cc432bb1945820b5813cb7a37d9d802d2cd with gcc (GCC) 8.1.0
kernel signature: 87685e5fd00cac9341d81fb1839c38151555a6221178b19ff298b6e322b667f5
all runs: OK
# git bisect bad d4ab9cc432bb1945820b5813cb7a37d9d802d2cd
Bisecting: 173 revisions left to test after this (roughly 8 steps)
[645d72fb040bf632d665d6f0abdec33e73747755] ARM: dts: sun8i: a83t: Correct USB3503 GPIOs polarity
testing commit 645d72fb040bf632d665d6f0abdec33e73747755 with gcc (GCC) 8.1.0
kernel signature: eac155ffe4ceb058cc5438554841a821bfc7239aad7c971c11c6c4c73ea63397
all runs: OK
# git bisect bad 645d72fb040bf632d665d6f0abdec33e73747755
Bisecting: 86 revisions left to test after this (roughly 7 steps)
[dc6be8597c8c2959a7ba0c7cc809094d5dd8d99a] mm/memory_hotplug: remove "zone" parameter from sparse_remove_one_section
testing commit dc6be8597c8c2959a7ba0c7cc809094d5dd8d99a with gcc (GCC) 8.1.0
kernel signature: c4469096a7941854b93a4e3c7f0cb5597bbd1504ddfee225562a3476c8dc0006
all runs: OK
# git bisect bad dc6be8597c8c2959a7ba0c7cc809094d5dd8d99a
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[752f72edea55f9b7c6fd019e71365def13a0f2b6] do_last(): fetch directory ->i_mode and ->i_uid before it's too late
testing commit 752f72edea55f9b7c6fd019e71365def13a0f2b6 with gcc (GCC) 8.1.0
kernel signature: f02df8058a32867af4d69995e688f19e78aa61d41ecff891af646173189b7073
all runs: OK
# git bisect bad 752f72edea55f9b7c6fd019e71365def13a0f2b6
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[8f50a05dd6fe2372ac0d5c67645e4e480254ce30] tun: add mutex_unlock() call and napi.skb clearing in tun_get_user()
testing commit 8f50a05dd6fe2372ac0d5c67645e4e480254ce30 with gcc (GCC) 8.1.0
kernel signature: c017c3ef70ae72d6118ada52d269cc088f38d88a51bcc9fa244f84bbad637034
all runs: OK
# git bisect bad 8f50a05dd6fe2372ac0d5c67645e4e480254ce30
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[be1a2be7a7b0ed5a758fd8decc39386ba3b5d556] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
testing commit be1a2be7a7b0ed5a758fd8decc39386ba3b5d556 with gcc (GCC) 8.1.0
kernel signature: dfffd001703cf932bf4bf57b653d5e173751dd733462a18fba55c36b85af5d38
all runs: crashed: KASAN: slab-out-of-bounds Read in __nla_put_nohdr
# git bisect good be1a2be7a7b0ed5a758fd8decc39386ba3b5d556
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[33c540f663d1dc95461380e2e2ca83cc9b25dd59] net-sysfs: Call dev_hold always in rx_queue_add_kobject
testing commit 33c540f663d1dc95461380e2e2ca83cc9b25dd59 with gcc (GCC) 8.1.0
kernel signature: 22cbc70c754398e16a88c5686065e4506bbc3f2337be77130fe9af5aae630568
all runs: OK
# git bisect bad 33c540f663d1dc95461380e2e2ca83cc9b25dd59
Bisecting: 2 revisions left to test after this (roughly 1 step)
[60e715466109b76073c02e02b50df1c56ea4aac9] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
testing commit 60e715466109b76073c02e02b50df1c56ea4aac9 with gcc (GCC) 8.1.0
kernel signature: da8f440017b3b845e1181cc8e6b29218843c7fb8f68cb88490dc884d6a619bc5
all runs: basic kernel testing failed: general protection fault in kernfs_find_ns
# git bisect skip 60e715466109b76073c02e02b50df1c56ea4aac9
Bisecting: 2 revisions left to test after this (roughly 1 step)
[7070695e6077e2c3bb3a67432682cf4b3c258942] net-sysfs: fix netdev_queue_add_kobject() breakage
testing commit 7070695e6077e2c3bb3a67432682cf4b3c258942 with gcc (GCC) 8.1.0
kernel signature: 607e687e7b0905c4a309eaea2bf3bfdec8b1bb925121cce2c241e79ea6cb8e1e
all runs: OK
# git bisect bad 7070695e6077e2c3bb3a67432682cf4b3c258942
Bisecting: 0 revisions left to test after this (roughly 1 step)
[66ac8ee96faa582a252ae19510f35529c9143670] net_sched: fix datalen for ematch
testing commit 66ac8ee96faa582a252ae19510f35529c9143670 with gcc (GCC) 8.1.0
kernel signature: 7d0962d563351692a9fcb9067c3b12c6080fc2ae7a59d6f51ddf721db0647003
all runs: OK
# git bisect bad 66ac8ee96faa582a252ae19510f35529c9143670
66ac8ee96faa582a252ae19510f35529c9143670 is the first bad commit
commit 66ac8ee96faa582a252ae19510f35529c9143670
Author: Cong Wang
Date:   Wed Jan 22 15:42:02 2020 -0800

    net_sched: fix datalen for ematch

    [ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ]

    syzbot reported an out-of-bound access in em_nbyte. As initially
    analyzed by Eric, this is because em_nbyte sets its own em->datalen
    in em_nbyte_change() other than the one specified by user, but this
    value gets overwritten later by its caller tcf_em_validate().
    We should leave em->datalen untouched to respect their choices.

    I audit all the in-tree ematch users, all of those implement
    ->change() set em->datalen, so we can just avoid setting it twice
    in this case.

    Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
    Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: Eric Dumazet
    Signed-off-by: Cong Wang
    Reviewed-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/ematch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

culprit signature: 7d0962d563351692a9fcb9067c3b12c6080fc2ae7a59d6f51ddf721db0647003
parent signature: dfffd001703cf932bf4bf57b653d5e173751dd733462a18fba55c36b85af5d38
revisions tested: 12, total time: 3h44m15.828221795s (build: 2h0m21.395243612s, test: 1h42m19.219121558s)
first good commit: 66ac8ee96faa582a252ae19510f35529c9143670 net_sched: fix datalen for ematch
cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org" "syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]