bisecting fixing commit since b98aebd298246df37b472c52a2ee1023256d02e3
building syzkaller on 8c88c9c1c99c8cd8dabc951164c820b9c9f25114
testing commit b98aebd298246df37b472c52a2ee1023256d02e3 with gcc (GCC) 8.1.0
kernel signature: 6a910ccda6f7dcf005a7def8267571478cd2374b80079f40cddf3e25dcae5650
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
testing current HEAD 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14
testing commit 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 with gcc (GCC) 8.1.0
kernel signature: 025e172b42eac88196e8bb644a2a40b3c9aeb374383ed528c796f0168fdb3483
all runs: OK
# git bisect start 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 b98aebd298246df37b472c52a2ee1023256d02e3
Bisecting: 1550 revisions left to test after this (roughly 11 steps)
[7642460c2780aab4e66852576d1de5484de8da63] IB/iser: bound protection_sg size by data_sg size
testing commit 7642460c2780aab4e66852576d1de5484de8da63 with gcc (GCC) 8.1.0
kernel signature: 18dbc7d2567c04c5dbf239681559daf561fab0b871354dbb6bb88a2cb057c39e
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good 7642460c2780aab4e66852576d1de5484de8da63
Bisecting: 775 revisions left to test after this (roughly 10 steps)
[d999896bec7cd5cedb3d9afc4ea1ff6db041be5b] ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
testing commit d999896bec7cd5cedb3d9afc4ea1ff6db041be5b with gcc (GCC) 8.1.0
kernel signature: e9d1542c997ceab2e05f7af0ef594fbce0e3085ee1df1f7bbdff79ad128ef6b6
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good d999896bec7cd5cedb3d9afc4ea1ff6db041be5b
Bisecting: 387 revisions left to test after this (roughly 9 steps)
[e69fb85b026bd7e71d7ac5c51dfa8cd82a1107b9] NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes()
testing commit e69fb85b026bd7e71d7ac5c51dfa8cd82a1107b9 with gcc (GCC) 8.1.0
kernel signature: f1e03dcd136fca1f2144257a1405caf514a36f64ba727a59e7c1882af05a83de
all runs: OK
# git bisect bad e69fb85b026bd7e71d7ac5c51dfa8cd82a1107b9
Bisecting: 193 revisions left to test after this (roughly 8 steps)
[08e4a312439c294b9753166537baf3cc0bd6bb07] ext4: validate the debug_want_extra_isize mount option at parse time
testing commit 08e4a312439c294b9753166537baf3cc0bd6bb07 with gcc (GCC) 8.1.0
kernel signature: bb381ec721cc503735e0b66df69eeac714d6d265edf9fb99941bc2372a74d4b6
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good 08e4a312439c294b9753166537baf3cc0bd6bb07
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[182f211e1160ab75ee889a19e72b3acb8a58ab81] f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_project()
testing commit 182f211e1160ab75ee889a19e72b3acb8a58ab81 with gcc (GCC) 8.1.0
kernel signature: 6a449fe4e2b73fdc3605f9b892f95b01d2aca850373a3ca0c43f802e76dd151d
all runs: OK
# git bisect bad 182f211e1160ab75ee889a19e72b3acb8a58ab81
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[e0f8b8a65a473a8baa439cf865a694bbeb83fe90] Linux 4.14.170
testing commit e0f8b8a65a473a8baa439cf865a694bbeb83fe90 with gcc (GCC) 8.1.0
kernel signature: 30bfa7995239bdeb4833e713c197e72205aaf3686f52d46b7eed3a896c10e793
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good e0f8b8a65a473a8baa439cf865a694bbeb83fe90
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[7d0c0dfe866736e221ce1773a6b45b06af945e9b] usb: gadget: f_ecm: Use atomic_t to track in-flight request
testing commit 7d0c0dfe866736e221ce1773a6b45b06af945e9b with gcc (GCC) 8.1.0
kernel signature: 7a2d0f7239967ecbc8de7cd72b0a80d06135c20f4c1f45f0b1ddb3c382e1057e
all runs: OK
# git bisect bad 7d0c0dfe866736e221ce1773a6b45b06af945e9b
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[24070b40926b42c35ca0649f44711cad5da0cf96] tcp: clear tp->total_retrans in tcp_disconnect()
testing commit 24070b40926b42c35ca0649f44711cad5da0cf96 with gcc (GCC) 8.1.0
kernel signature: 05fffdc05442209d9edb4fa8cef81985c3f184eaf76d8f255747ce4be208b893
all runs: OK
# git bisect bad 24070b40926b42c35ca0649f44711cad5da0cf96
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[44220931fc222da3f15efe15495c9f022ace499c] cls_rsvp: fix rsvp_policy
testing commit 44220931fc222da3f15efe15495c9f022ace499c with gcc (GCC) 8.1.0
kernel signature: 7ab0848a00bcbdaa037ed21249eb6c0911054b3c30ed30257810a8a27b16b7e1
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good 44220931fc222da3f15efe15495c9f022ace499c
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7950ef09699d175bfec32d318d547c845462cc2f] net: hsr: fix possible NULL deref in hsr_handle_frame()
testing commit 7950ef09699d175bfec32d318d547c845462cc2f with gcc (GCC) 8.1.0
kernel signature: f03ad5fb38671b6ff65ac77bbb38dce46eddc2a9f36e400c99364626375aa8e5
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good 7950ef09699d175bfec32d318d547c845462cc2f
Bisecting: 0 revisions left to test after this (roughly 1 step)
[fa32d7ce0cf8c04cefa72c87a95f222164be0131] bnxt_en: Fix TC queue mapping.
testing commit fa32d7ce0cf8c04cefa72c87a95f222164be0131 with gcc (GCC) 8.1.0
kernel signature: fc2f9298e2a01214ccbbb6d1a04bcd0be73dacfe0b09a14505956bbf7ddc1313
all runs: OK
# git bisect bad fa32d7ce0cf8c04cefa72c87a95f222164be0131
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6cb448ee493c8a514c9afa0c346f3f5b3227de85] net_sched: fix an OOB access in cls_tcindex
testing commit 6cb448ee493c8a514c9afa0c346f3f5b3227de85 with gcc (GCC) 8.1.0
kernel signature: 751456cca80a2c0c03513618a1661a532c05e519c4165cb4bcba84ce955ecefc
all runs: OK
# git bisect bad 6cb448ee493c8a514c9afa0c346f3f5b3227de85
6cb448ee493c8a514c9afa0c346f3f5b3227de85 is the first bad commit
commit 6cb448ee493c8a514c9afa0c346f3f5b3227de85
Author: Cong Wang
Date:   Sun Feb 2 21:14:35 2020 -0800

    net_sched: fix an OOB access in cls_tcindex

    [ Upstream commit 599be01ee567b61f4471ee8078870847d0a11e8e ]

    As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
    to compute the size of memory allocation, but cp->hash is
    set again after the allocation, this caused an out-of-bound
    access.

    So we have to move all cp->hash initialization and computation
    before the memory allocation. Move cp->mask and cp->shift together
    as cp->hash may need them for computation too.

    Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
    Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex")
    Cc: Eric Dumazet
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Cc: Jakub Kicinski
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/cls_tcindex.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

culprit signature: 751456cca80a2c0c03513618a1661a532c05e519c4165cb4bcba84ce955ecefc
parent signature: f03ad5fb38671b6ff65ac77bbb38dce46eddc2a9f36e400c99364626375aa8e5
revisions tested: 14, total time: 3h43m16.571971412s (build: 2h1m8.962303572s, test: 1h40m42.332640739s)
first good commit: 6cb448ee493c8a514c9afa0c346f3f5b3227de85 net_sched: fix an OOB access in cls_tcindex
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]