bisecting fixing commit since 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14
building syzkaller on 0a96a13cb96316b8374bb7d8dd0793bcaff166a0
testing commit 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 with gcc (GCC) 8.1.0
kernel signature: ef79ae83eb60786e4147f0c1b43780b3ca12fe4a141b4ee89bf4138ce7162273
all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
testing current HEAD c10b57a567e4333b9fdf60b5ec36de9859263ca2
testing commit c10b57a567e4333b9fdf60b5ec36de9859263ca2 with gcc (GCC) 8.1.0
kernel signature: 4d91ec7e897428b9b0155966d9e7da13f1ac154dcfc6f314a660c90874ecfdc4
all runs: OK
# git bisect start c10b57a567e4333b9fdf60b5ec36de9859263ca2 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14
Bisecting: 144 revisions left to test after this (roughly 7 steps)
[e52694b56eb6d4b1fe424bda6126b8ce13c246a8] futex: Fix inode life-time issue
testing commit e52694b56eb6d4b1fe424bda6126b8ce13c246a8 with gcc (GCC) 8.1.0
kernel signature: 8d50dce4a3630e806f2ec7c1db1d3bad03585e9a9ab087546af677de699a68e3
all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
# git bisect good e52694b56eb6d4b1fe424bda6126b8ce13c246a8
Bisecting: 72 revisions left to test after this (roughly 6 steps)
[57194c6fd8c478f468f1aa7ae2175ea77c4d8de1] USB: cdc-acm: restore capability check order
testing commit 57194c6fd8c478f468f1aa7ae2175ea77c4d8de1 with gcc (GCC) 8.1.0
kernel signature: c41ee9bd88e7f162b07bef88a107607f636f5c37c512065184d9f137d98715e9
all runs: OK
# git bisect bad 57194c6fd8c478f468f1aa7ae2175ea77c4d8de1
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[4b7eb7a4693dd93bf5db8714da7410c6423324d3] scsi: ipr: Fix softlockup when rescanning devices in petitboot
testing commit 4b7eb7a4693dd93bf5db8714da7410c6423324d3 with gcc (GCC) 8.1.0
kernel signature: 875997a103d8e358848b573bc492f09c7a3fef5a5d50d230fdcb1c3e15b6085b
all runs: OK
# git bisect bad 4b7eb7a4693dd93bf5db8714da7410c6423324d3
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[9f8b6c44be178c2498a00b270872a6e30e7c8266] net_sched: keep alloc_hash updated after hash allocation
testing commit 9f8b6c44be178c2498a00b270872a6e30e7c8266 with gcc (GCC) 8.1.0
kernel signature: bb514bc7f665f6d58adb31030a97e23c276ca649d422388ccea8e7ff524c769f
all runs: OK
# git bisect bad 9f8b6c44be178c2498a00b270872a6e30e7c8266
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[e3bc8d886b40801abde9e01b85157994171be3bb] staging: greybus: loopback_test: fix potential path truncations
testing commit e3bc8d886b40801abde9e01b85157994171be3bb with gcc (GCC) 8.1.0
kernel signature: 0310275d652b8282ff7f80d1e9a8a82ccd2de32362c37c81baad0ff89d59308e
run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
# git bisect good e3bc8d886b40801abde9e01b85157994171be3bb
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c5980c71536ae46b69fada2ff4018afbaa088e4b] net: dsa: Fix duplicate frames flooded by learning
testing commit c5980c71536ae46b69fada2ff4018afbaa088e4b with gcc (GCC) 8.1.0
kernel signature: e7baf0a6b06b4a6b984661f53f39ff0e2016749f7d80ee43224cf00c6139fdda
all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
# git bisect good c5980c71536ae46b69fada2ff4018afbaa088e4b
Bisecting: 2 revisions left to test after this (roughly 1 step)
[2975472e042e0bbfeeabddc5023cb8c011ec5a07] net/packet: tpacket_rcv: avoid a producer race condition
testing commit 2975472e042e0bbfeeabddc5023cb8c011ec5a07 with gcc (GCC) 8.1.0
kernel signature: eaa06f05caa97c7e99c40ba9ef0817b3c2a3d02384186a27db914166ee9a2a52
all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
# git bisect good 2975472e042e0bbfeeabddc5023cb8c011ec5a07
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f0c92f59cf528bc1b872f2ca91b01e128a2af3e6] net_sched: cls_route: remove the right filter from hashtable
testing commit f0c92f59cf528bc1b872f2ca91b01e128a2af3e6 with gcc (GCC) 8.1.0
kernel signature: 75aaf0238efb5494ecfb66610aaccacf338e3e0aad63311cec0c5c3b2b4ca32b
all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
# git bisect good f0c92f59cf528bc1b872f2ca91b01e128a2af3e6
9f8b6c44be178c2498a00b270872a6e30e7c8266 is the first bad commit
commit 9f8b6c44be178c2498a00b270872a6e30e7c8266
Author: Cong Wang
Date:   Wed Mar 11 22:42:28 2020 -0700

    net_sched: keep alloc_hash updated after hash allocation

    [ Upstream commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 ]

    In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    I moved cp->hash calculation before the first tcindex_alloc_perfect_hash(),
    but cp->alloc_hash is left untouched. This difference could lead to
    another out of bound access.

    cp->alloc_hash should always be the size allocated, we should update
    it after this tcindex_alloc_perfect_hash().

    Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
    Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/cls_tcindex.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: bb514bc7f665f6d58adb31030a97e23c276ca649d422388ccea8e7ff524c769f
parent signature: 75aaf0238efb5494ecfb66610aaccacf338e3e0aad63311cec0c5c3b2b4ca32b
revisions tested: 10, total time: 2h29m37.839292932s (build: 1h28m7.277193097s, test: 59m42.320012469s)
first good commit: 9f8b6c44be178c2498a00b270872a6e30e7c8266 net_sched: keep alloc_hash updated after hash allocation
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com" "syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]