bisecting fixing commit since dafd634415a7f9892a6fcc99c540fe567ab42c92
building syzkaller on 8c88c9c1c99c8cd8dabc951164c820b9c9f25114
testing commit dafd634415a7f9892a6fcc99c540fe567ab42c92 with gcc (GCC) 8.1.0
kernel signature: 7bd28dde11d4557958f5566cd589b02b1374637272bdfdbf5192ed6328b67115
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
testing current HEAD 5692097116094a4a7045abcc1dbc172dbdc5657e
testing commit 5692097116094a4a7045abcc1dbc172dbdc5657e with gcc (GCC) 8.1.0
kernel signature: 8d93bb57669befa08cacb98d538ac7b72db4dc7576ec1dab80b35b110cdaeeec
all runs: OK
# git bisect start 5692097116094a4a7045abcc1dbc172dbdc5657e dafd634415a7f9892a6fcc99c540fe567ab42c92
Bisecting: 2332 revisions left to test after this (roughly 11 steps)
[69af5fc1c70d5eae901a5b537fc4d53ede7d594b] staging: rtl8192u: fix multiple memory leaks on error path
testing commit 69af5fc1c70d5eae901a5b537fc4d53ede7d594b with gcc (GCC) 8.1.0
kernel signature: 3b525ac430110c1b9bd2c6f6c52c4e43d230bc843888a019d2ca0c562e20a518
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good 69af5fc1c70d5eae901a5b537fc4d53ede7d594b
Bisecting: 1166 revisions left to test after this (roughly 10 steps)
[9cbefb0fdefcdca66fca88208f4467eb119b56f4] net/af_iucv: build proper skbs for HiperTransport
testing commit 9cbefb0fdefcdca66fca88208f4467eb119b56f4 with gcc (GCC) 8.1.0
kernel signature: 4b994d5b84d7dc280e81c7aab02a06f91b69d5527c2a9d7011b3ec46055e9f9a
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good 9cbefb0fdefcdca66fca88208f4467eb119b56f4
Bisecting: 583 revisions left to test after this (roughly 9 steps)
[70b43a9da1e5c54e80528c7ed911a82cc78df1b7] nfsd: fix delay timer on 32-bit architectures
testing commit 70b43a9da1e5c54e80528c7ed911a82cc78df1b7 with gcc (GCC) 8.1.0
kernel signature: 563f0368c78c0dd5caaf55da5658e2dae96ad50b2f4a47411fd567d1a38197c7
all runs: OK
# git bisect bad 70b43a9da1e5c54e80528c7ed911a82cc78df1b7
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[b9cda6501a340c5d15487575a68454748e3132a4] mm/hotplug: kill is_dev_zone() usage in __remove_pages()
testing commit b9cda6501a340c5d15487575a68454748e3132a4 with gcc (GCC) 8.1.0
kernel signature: 084f3f33cd10db8f75aa0652926045d65a3650bd74f7b11088ad3cddbde10f7a
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good b9cda6501a340c5d15487575a68454748e3132a4
Bisecting: 145 revisions left to test after this (roughly 7 steps)
[f0af9cd881bb359776352374d10abd0e8d5986cc] l2tp: Allow duplicate session creation with UDP
testing commit f0af9cd881bb359776352374d10abd0e8d5986cc with gcc (GCC) 8.1.0
kernel signature: ad64c1a1368e447468622dcc0a9fb7d59080645f7215ac20979a3da532ad7107
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good f0af9cd881bb359776352374d10abd0e8d5986cc
Bisecting: 72 revisions left to test after this (roughly 6 steps)
[4ae8d3a5f3b47543fe90478b6707d1f03b966559] dm zoned: support zone sizes smaller than 128MiB
testing commit 4ae8d3a5f3b47543fe90478b6707d1f03b966559 with gcc (GCC) 8.1.0
kernel signature: fc266d87ef7dc8b145e420fdb0ac96fd7ab6571fb88713a3d20502bc234bae30
all runs: OK
# git bisect bad 4ae8d3a5f3b47543fe90478b6707d1f03b966559
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[c1ed7347130c000552394fb53b5227d9a487df36] KVM: arm/arm64: Correct AArch32 SPSR on exception entry
testing commit c1ed7347130c000552394fb53b5227d9a487df36 with gcc (GCC) 8.1.0
kernel signature: 602c1204912f4ba4370c2d8562268c1ba0adf06b7312bfe0d816cc59169de60e
all runs: OK
# git bisect bad c1ed7347130c000552394fb53b5227d9a487df36
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[0eb1a435635f5f55e8ed293a5d4114bb553e95d6] brcmfmac: Fix memory leak in brcmf_usbdev_qinit
testing commit 0eb1a435635f5f55e8ed293a5d4114bb553e95d6 with gcc (GCC) 8.1.0
kernel signature: 12ec2800310233129d186561a6a846f98e327982d1c59b151dc495294047446c
all runs: OK
# git bisect bad 0eb1a435635f5f55e8ed293a5d4114bb553e95d6
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[85c45a480561e0dfc95d9707db2d71dfceac47bc] rxrpc: Fix use-after-free in rxrpc_put_local()
testing commit 85c45a480561e0dfc95d9707db2d71dfceac47bc with gcc (GCC) 8.1.0
kernel signature: 0b211f763f49131e6af177fbd8efa9a54f2c5878587a784bfa59e2576e06594e
all runs: OK
# git bisect bad 85c45a480561e0dfc95d9707db2d71dfceac47bc
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[e7ec10b4ea8f6dbc19e8377b1064f4be3f630f3e] bnxt_en: Fix TC queue mapping.
testing commit e7ec10b4ea8f6dbc19e8377b1064f4be3f630f3e with gcc (GCC) 8.1.0
kernel signature: e39a85dc61f2bdf20acb24bd89e13c7aee04145f61c4722aacbff88b372b1b54
all runs: OK
# git bisect bad e7ec10b4ea8f6dbc19e8377b1064f4be3f630f3e
Bisecting: 1 revision left to test after this (roughly 1 step)
[478c4b2ffd44e5186c7e22ae7c38a86a5b9cfde5] net_sched: fix an OOB access in cls_tcindex
testing commit 478c4b2ffd44e5186c7e22ae7c38a86a5b9cfde5 with gcc (GCC) 8.1.0
kernel signature: 85a0a16fa339f09cf3ca5aa89f812dbd3c8082c9532f99a9bb41881f7ce7cec8
all runs: OK
# git bisect bad 478c4b2ffd44e5186c7e22ae7c38a86a5b9cfde5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d5524d5a41f83e3d9b01415ef51a11fb1573ff0c] net: hsr: fix possible NULL deref in hsr_handle_frame()
testing commit d5524d5a41f83e3d9b01415ef51a11fb1573ff0c with gcc (GCC) 8.1.0
kernel signature: c38b5805aa4f9f840214e4514e76d4abd41a7dc431f8528f42678198e714c1b9
all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy
# git bisect good d5524d5a41f83e3d9b01415ef51a11fb1573ff0c
478c4b2ffd44e5186c7e22ae7c38a86a5b9cfde5 is the first bad commit
commit 478c4b2ffd44e5186c7e22ae7c38a86a5b9cfde5
Author: Cong Wang
Date:   Sun Feb 2 21:14:35 2020 -0800

    net_sched: fix an OOB access in cls_tcindex

    [ Upstream commit 599be01ee567b61f4471ee8078870847d0a11e8e ]

    As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
    to compute the size of memory allocation, but cp->hash is
    set again after the allocation; this caused an out-of-bound
    access.

    So we have to move all cp->hash initialization and computation
    before the memory allocation. Move cp->mask and cp->shift together
    as cp->hash may need them for computation too.

    Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
    Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex")
    Cc: Eric Dumazet
    Cc: John Fastabend
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Cc: Jakub Kicinski
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/cls_tcindex.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

culprit signature: 85a0a16fa339f09cf3ca5aa89f812dbd3c8082c9532f99a9bb41881f7ce7cec8
parent signature: c38b5805aa4f9f840214e4514e76d4abd41a7dc431f8528f42678198e714c1b9
revisions tested: 14, total time: 3h59m7.721987094s (build: 2h7m15.381295234s, test: 1h49m50.76217718s)
first good commit: 478c4b2ffd44e5186c7e22ae7c38a86a5b9cfde5 net_sched: fix an OOB access in cls_tcindex
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]