bisecting cause commit starting from c20037652700024cffeb6b0f74306ce9b391248f building syzkaller on 2e9971bbbfb4df6ba0118353163a7703f3dbd6ec testing commit c20037652700024cffeb6b0f74306ce9b391248f with gcc (GCC) 8.1.0 kernel signature: 4b7b8e8c268da254f4a23dacf0ac5620109b2312aa8900edcf177a1ae4528141 run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #9: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: d7d97a0080eaa22fe70306e0681693a5bc54cf523ff96e98771c3c9881ea06c7 all runs: OK # git bisect start c20037652700024cffeb6b0f74306ce9b391248f d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 Bisecting: 7233 revisions left to test after this (roughly 13 steps) [4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0 kernel signature: 5a7a556bf9cfb85d2ab9f05e3f715101b7961d1473b8dcb71da68da63d1627a2 all runs: OK # git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb Bisecting: 3614 revisions left to test after this (roughly 12 steps) [a45ad71e8995eed2b95c6ef0f4c442da0c4f6677] Merge tag 'rproc-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc testing commit a45ad71e8995eed2b95c6ef0f4c442da0c4f6677 with gcc (GCC) 8.1.0 kernel signature: 90dc9b6f8d6b68305e406457549f8df10f4a320f23e160ebbea94f2b06197a6c all runs: OK # git bisect good a45ad71e8995eed2b95c6ef0f4c442da0c4f6677 Bisecting: 1774 revisions left to test after this (roughly 11 steps) [1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc with gcc (GCC) 8.1.0 kernel signature: 84156825ec40aa5161e79047f5bf0672990e40d96f152ad9b66d4b1d942c6310 all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc Bisecting: 921 revisions left to test after this (roughly 10 steps) [41dcd67e88688afbeb3b2bd23960eed5daec74e7] Merge tag 'docs-5.6-2' of git://git.lwn.net/linux testing commit 41dcd67e88688afbeb3b2bd23960eed5daec74e7 with gcc (GCC) 8.1.0 kernel signature: 4572b3b5af5c891287faadd31f526d9927a4f11016e0eab8bee169943fc2fec4 run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #9: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 41dcd67e88688afbeb3b2bd23960eed5daec74e7 Bisecting: 481 revisions left to test after this (roughly 9 steps) [c1ef57a3a3f5e69e98baf89055b423da62791c13] Merge tag 'io_uring-5.6-2020-02-05' of git://git.kernel.dk/linux-block testing commit c1ef57a3a3f5e69e98baf89055b423da62791c13 with gcc (GCC) 8.1.0 kernel signature: eb37c98e9f19dc2222318ba6ac3a92cdc4c5f6217d6d67dc217ab5f931bc8492 run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms # git bisect bad c1ef57a3a3f5e69e98baf89055b423da62791c13 Bisecting: 217 revisions left to test after this (roughly 8 steps) [33b40134e5cfbbccad7f3040d1919889537a3df7] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 33b40134e5cfbbccad7f3040d1919889537a3df7 with gcc (GCC) 8.1.0 kernel signature: 4f3c9cb93d88b5249fe626a5d42571dc36d89187db13e8a33c120cd9775cbed2 all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 33b40134e5cfbbccad7f3040d1919889537a3df7 Bisecting: 108 revisions left to test after this (roughly 7 steps) [509cd3f2b473330238c768bb21a4f2cdc80393fa] powerpc/32: Simplify KASAN init testing commit 509cd3f2b473330238c768bb21a4f2cdc80393fa with gcc (GCC) 8.1.0 kernel signature: 95261c70125fe13a6d81935bd32d8295c8dc8e9129cf4f8fa9f67a245fa73fe6 all runs: OK # git bisect good 509cd3f2b473330238c768bb21a4f2cdc80393fa Bisecting: 52 revisions left to test after this (roughly 6 steps) [d60ddd244215da7c695cba858427094d8e366aa7] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm testing commit d60ddd244215da7c695cba858427094d8e366aa7 with gcc (GCC) 8.1.0 kernel signature: 6307d2b81cfb5515f5b43ca9139d417e768903ab375d5d677a4c3bd56ce6a46e all runs: OK # git bisect good d60ddd244215da7c695cba858427094d8e366aa7 Bisecting: 28 revisions left to test after this (roughly 5 steps) [83d0585f91da441a0b11bc5ff93f4cda56de6703] Merge branch 'Fix-reconnection-latency-caused-by-FIN-ACK-handling-race' testing commit 83d0585f91da441a0b11bc5ff93f4cda56de6703 with gcc (GCC) 8.1.0 kernel signature: 22be0baba3bc8cbc14d0fb871e767aaf6d2453a0fd288328bcb582d4f51e571d all runs: OK # git bisect good 83d0585f91da441a0b11bc5ff93f4cda56de6703 Bisecting: 14 revisions left to test after this (roughly 4 steps) [8526ad9646b17c59b6d430d8baa8f152a14fe177] netdevsim: fix panic in nsim_dev_take_snapshot_write() testing commit 8526ad9646b17c59b6d430d8baa8f152a14fe177 with gcc (GCC) 8.1.0 kernel signature: b6014229453ee2e8ca5f1f2a23e2072d6665f5aec586d1af9e44516111884707 all runs: OK # git bisect good 8526ad9646b17c59b6d430d8baa8f152a14fe177 Bisecting: 7 revisions left to test after this (roughly 3 steps) [7145fcfffef1fad4266aaf5ca96727696916edb7] tc-testing: fix eBPF tests failure on linux fresh clones testing commit 7145fcfffef1fad4266aaf5ca96727696916edb7 with gcc (GCC) 8.1.0 kernel signature: f1e59232a54f3ad9b58fa8e06c35218ae53d2f85c8c3e22f868b4b596d1b4771 all runs: OK # git bisect good 7145fcfffef1fad4266aaf5ca96727696916edb7 Bisecting: 3 revisions left to test after this (roughly 2 steps) [599be01ee567b61f4471ee8078870847d0a11e8e] net_sched: fix an OOB access in cls_tcindex testing commit 599be01ee567b61f4471ee8078870847d0a11e8e with gcc (GCC) 8.1.0 kernel signature: ff421f5c505a4cd5f9755c3056ebe14f4ac81d752df07251783ae384ec68ce87 run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms run #9: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 599be01ee567b61f4471ee8078870847d0a11e8e Bisecting: 1 revision left to test after this (roughly 1 step) [9afe2322cb90a8fbc27e32bfc691100c653cab2a] Merge branch 'unbreak-basic-and-bpf-tdc-testcases' testing commit 9afe2322cb90a8fbc27e32bfc691100c653cab2a with gcc (GCC) 8.1.0 kernel signature: 7acb9a5e076a73882ee9db21a0b5b3cde23e39eac6e94081087f282753715b32 all runs: OK # git bisect good 9afe2322cb90a8fbc27e32bfc691100c653cab2a Bisecting: 0 revisions left to test after this (roughly 0 steps) [83b43045308ea0600099830292955f18818f8d5e] qed: Remove set but not used variable 'p_link' testing commit 83b43045308ea0600099830292955f18818f8d5e with gcc (GCC) 8.1.0 kernel signature: 9ca0596a1d123949332de7ec9c8de6e48741a156d4794f7851c7fca5cbf6035e all runs: OK # git bisect good 83b43045308ea0600099830292955f18818f8d5e 599be01ee567b61f4471ee8078870847d0a11e8e is the first bad commit commit 599be01ee567b61f4471ee8078870847d0a11e8e Author: Cong Wang Date: Sun Feb 2 21:14:35 2020 -0800 net_sched: fix an OOB access in cls_tcindex As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash to compute the size of memory allocation, but cp->hash is set again after the allocation, this caused an out-of-bound access. So we have to move all cp->hash initialization and computation before the memory allocation. Move cp->mask and cp->shift together as cp->hash may need them for computation too. Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex") Cc: Eric Dumazet Cc: John Fastabend Cc: Jamal Hadi Salim Cc: Jiri Pirko Cc: Jakub Kicinski Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/sched/cls_tcindex.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) culprit signature: ff421f5c505a4cd5f9755c3056ebe14f4ac81d752df07251783ae384ec68ce87 parent signature: 9ca0596a1d123949332de7ec9c8de6e48741a156d4794f7851c7fca5cbf6035e revisions tested: 16, total time: 3h53m16.234602294s (build: 1h44m50.703857577s, test: 2h7m20.67074992s) first bad commit: 599be01ee567b61f4471ee8078870847d0a11e8e net_sched: fix an OOB access in cls_tcindex cc: ["davem@davemloft.net" "syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"] crash: KASAN: slab-out-of-bounds Write in tcindex_set_parms ================================================================== BUG: KASAN: slab-out-of-bounds in tcindex_set_parms+0x1690/0x1b90 net/sched/cls_tcindex.c:455 Write of size 16 at addr ffff88807a76c8b8 by task syz-executor.0/8570 CPU: 1 PID: 8570 Comm: syz-executor.0 Not tainted 5.5.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:639 tcindex_set_parms+0x1690/0x1b90 net/sched/cls_tcindex.c:455 tcindex_change+0x1c2/0x280 net/sched/cls_tcindex.c:519 tc_new_tfilter+0xffa/0x1da0 net/sched/cls_api.c:2103 rtnetlink_rcv_msg+0x60c/0x8c0 net/core/rtnetlink.c:5429 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 ____sys_sendmsg+0x54e/0x750 net/socket.c:2343 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397 __sys_sendmsg+0xce/0x170 net/socket.c:2430 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 Allocated by task 8570: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:513 kmem_cache_alloc_trace+0x156/0x780 mm/slab.c:3551 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:670 [inline] tcindex_set_parms+0x1b7/0x1b90 net/sched/cls_tcindex.c:325 tcindex_change+0x1c2/0x280 net/sched/cls_tcindex.c:519 tc_new_tfilter+0xffa/0x1da0 net/sched/cls_api.c:2103 rtnetlink_rcv_msg+0x60c/0x8c0 net/core/rtnetlink.c:5429 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 ____sys_sendmsg+0x54e/0x750 net/socket.c:2343 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397 __sys_sendmsg+0xce/0x170 net/socket.c:2430 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff88807a76c800 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 184 bytes inside of 192-byte region [ffff88807a76c800, ffff88807a76c8c0) The buggy address belongs to the page: page:ffffea0001e9db00 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0x0 raw: 00fffe0000000200 ffffea0001e9d808 ffff8880aa401148 ffff8880aa400000 raw: 0000000000000000 ffff88807a76c000 0000000100000010 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88807a76c780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807a76c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807a76c880: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88807a76c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807a76c980: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================