bisecting fixing commit since 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
building syzkaller on 59b57593586656c1d5be820aeed0e751087e6ac6
testing commit 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796 with gcc (GCC) 8.1.0
kernel signature: b2ebe925be53c8f12bbc4d507b7f0b91dc126204c9200dfdf6f222f5ec18e786
run #0: crashed: INFO: task hung in hashlimit_mt_check_common
run #1: crashed: INFO: task hung in synchronize_rcu
run #2: crashed: INFO: task hung in synchronize_rcu
run #3: crashed: INFO: task hung in htable_put
run #4: crashed: INFO: task hung in hashlimit_mt_check_common
run #5: crashed: INFO: task hung in flush_delayed_work
run #6: crashed: INFO: task hung in htable_put
run #7: crashed: INFO: task hung in synchronize_rcu
run #8: crashed: INFO: task hung in cleanup_net
run #9: crashed: INFO: task hung in synchronize_rcu
testing current HEAD 01364dad1d4577e27a57729d41053f661bb8a5b9
testing commit 01364dad1d4577e27a57729d41053f661bb8a5b9 with gcc (GCC) 8.1.0
kernel signature: a5a2c94ed8b941d8dde00d4a9500a3a128a9cecb15f0e385eb29672970374c1f
all runs: OK
# git bisect start 01364dad1d4577e27a57729d41053f661bb8a5b9 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
Bisecting: 230 revisions left to test after this (roughly 8 steps)
[a86265edeb3314f9c3270a5bf18b4e72ebc65beb] netfilter: xt_hashlimit: limit the max size of hashtable
testing commit a86265edeb3314f9c3270a5bf18b4e72ebc65beb with gcc (GCC) 8.1.0
kernel signature: a4ac939125d7fe148d1e505b8d5d7bb241fdd43fbd59df4c66b4ad6c60bdafaf
all runs: OK
# git bisect bad a86265edeb3314f9c3270a5bf18b4e72ebc65beb
Bisecting: 114 revisions left to test after this (roughly 7 steps)
[8f8d6aebe2d84c54e143c490b56a60f7e6832fe3] vme: bridges: reduce stack usage
testing commit 8f8d6aebe2d84c54e143c490b56a60f7e6832fe3 with gcc (GCC) 8.1.0
kernel signature: 1527f5f80c31744186feb2c36a9ec82ee7de56c1644e6d90c2cffa84aaa50fa8
run #0: crashed: INFO: task hung in htable_put
run #1: crashed: INFO: task hung in htable_put
run #2: crashed: INFO: task hung in hashlimit_mt_check_common
run #3: crashed: INFO: task hung in synchronize_rcu
run #4: crashed: INFO: task hung in hashlimit_mt_check_common
run #5: crashed: INFO: task hung in htable_put
run #6: crashed: INFO: task hung in synchronize_rcu
run #7: crashed: INFO: task hung in hashlimit_mt_check_common
run #8: crashed: INFO: task hung in htable_put
run #9: crashed: INFO: task hung in synchronize_rcu
# git bisect good 8f8d6aebe2d84c54e143c490b56a60f7e6832fe3
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[010e880595cb51dd8ba6da202761ecec6785753c] thunderbolt: Prevent crash if non-active NVMem file is read
testing commit 010e880595cb51dd8ba6da202761ecec6785753c with gcc (GCC) 8.1.0
kernel signature: e59797a5415e56118e72f204a39673382d112678c61652ee4e1945754e9ece1a
run #0: crashed: INFO: task hung in hashlimit_mt_check_common
run #1: crashed: INFO: task hung in flush_delayed_work
run #2: crashed: INFO: task hung in htable_put
run #3: crashed: INFO: task hung in htable_put
run #4: crashed: INFO: task hung in htable_put
run #5: crashed: INFO: task hung in hashlimit_mt_check_common
run #6: crashed: INFO: task hung in htable_put
run #7: crashed: INFO: task hung in hashlimit_mt_check_common
run #8: crashed: INFO: task hung in hashlimit_mt_check_common
run #9: crashed: INFO: task hung in flush_delayed_work
# git bisect good 010e880595cb51dd8ba6da202761ecec6785753c
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[69b2384bf875b59e85ac38abe6a535440706987a] xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms
testing commit 69b2384bf875b59e85ac38abe6a535440706987a with gcc (GCC) 8.1.0
kernel signature: a022bc90bb5fa8535942034970d7515d3f74619af8494c5151e524d29d35daee
run #0: crashed: INFO: task hung in htable_put
run #1: crashed: INFO: task hung in htable_put
run #2: crashed: INFO: task hung in hashlimit_mt_check_common
run #3: crashed: INFO: task hung in hashlimit_mt_check_common
run #4: crashed: INFO: task hung in synchronize_rcu
run #5: crashed: INFO: task hung in synchronize_rcu
run #6: crashed: INFO: task hung in synchronize_rcu
run #7: crashed: INFO: task hung in hashlimit_mt_check_common
run #8: crashed: INFO: task hung in synchronize_rcu
run #9: crashed: INFO: task hung in synchronize_rcu
# git bisect good 69b2384bf875b59e85ac38abe6a535440706987a
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[647bdd69c205143bbbd77c1053f6baee1455f434] KVM: apic: avoid calculating pending eoi from an uninitialized val
testing commit 647bdd69c205143bbbd77c1053f6baee1455f434 with gcc (GCC) 8.1.0
kernel signature: f1a874fa3a9c81fbacf3e65ca470fd42eb44a6648c55833ff25944eddbaef627
run #0: crashed: INFO: task hung in hashlimit_mt_check_common
run #1: crashed: INFO: task hung in htable_put
run #2: crashed: INFO: task hung in synchronize_rcu
run #3: crashed: INFO: task hung in flush_delayed_work
run #4: crashed: INFO: task hung in synchronize_rcu
run #5: crashed: INFO: task hung in synchronize_rcu
run #6: crashed: INFO: task hung in hashlimit_mt_check_common
run #7: crashed: INFO: task hung in hashlimit_mt_check_common
run #8: crashed: INFO: task hung in hashlimit_mt_check_common
run #9: crashed: INFO: task hung in hashlimit_mt_check_common
# git bisect good 647bdd69c205143bbbd77c1053f6baee1455f434
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[edd606c03aeaa06cff00ca9b80f6efdff71f2f6c] staging: rtl8723bs: fix copy of overlapping memory
testing commit edd606c03aeaa06cff00ca9b80f6efdff71f2f6c with gcc (GCC) 8.1.0
kernel signature: 104768c4c652348ee65eda0856f77a97fe688496703233f92dde1652ec6a6bbb
run #0: crashed: INFO: task hung in htable_put
run #1: crashed: INFO: task hung in hashlimit_mt_check_common
run #2: crashed: INFO: task hung in hashlimit_mt_check_common
run #3: crashed: INFO: task hung in htable_put
run #4: crashed: INFO: task hung in flush_delayed_work
run #5: crashed: INFO: task hung in flush_delayed_work
run #6: crashed: INFO: task hung in htable_put
run #7: crashed: INFO: task hung in hashlimit_mt_check_common
run #8: crashed: INFO: task hung in hashlimit_mt_check_common
run #9: crashed: INFO: task hung in hashlimit_mt_check_common
# git bisect good edd606c03aeaa06cff00ca9b80f6efdff71f2f6c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[d3daa3edcf879828fe6767f71b00fc44e24bdd6e] genirq/proc: Reject invalid affinity masks (again)
testing commit d3daa3edcf879828fe6767f71b00fc44e24bdd6e with gcc (GCC) 8.1.0
kernel signature: 91cc4aca78686b9c01d8d9bdd6e1e224fd8f5c2ca088be0589175974630e6f8c
run #0: crashed: INFO: task hung in htable_put
run #1: crashed: INFO: task hung in hashlimit_mt_check_common
run #2: crashed: INFO: task hung in hashlimit_mt_check_common
run #3: crashed: INFO: task hung in htable_put
run #4: crashed: INFO: task hung in hashlimit_mt_check_common
run #5: crashed: INFO: task hung in hashlimit_mt_check_common
run #6: crashed: INFO: task hung in htable_put
run #7: crashed: INFO: task hung in hashlimit_mt_check_common
run #8: crashed: INFO: task hung in hashlimit_mt_check_common
run #9: crashed: INFO: task hung in htable_put
# git bisect good d3daa3edcf879828fe6767f71b00fc44e24bdd6e
Bisecting: 1 revision left to test after this (roughly 1 step)
[29238bccf63b8339a2b65bcbecb07c142f1d7073] ALSA: seq: Avoid concurrent access to queue flags
testing commit 29238bccf63b8339a2b65bcbecb07c142f1d7073 with gcc (GCC) 8.1.0
kernel signature: 43e26f1f9d71a5f728299f2af0cfad5ab4e908bd2924ca689620bb8da78aebff
run #0: crashed: INFO: task hung in htable_put
run #1: crashed: INFO: task hung in hashlimit_mt_check_common
run #2: crashed: INFO: task hung in hashlimit_mt_check_common
run #3: crashed: INFO: task hung in hashlimit_mt_check_common
run #4: crashed: INFO: task hung in hashlimit_mt_check_common
run #5: crashed: INFO: task hung in htable_put
run #6: crashed: INFO: task hung in htable_put
run #7: crashed: INFO: task hung in htable_put
run #8: crashed: INFO: task hung in synchronize_rcu
run #9: crashed: INFO: task hung in synchronize_rcu
# git bisect good 29238bccf63b8339a2b65bcbecb07c142f1d7073
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c33c14e30f3437d419761048f70dd88b7ec797c8] ALSA: seq: Fix concurrent access to queue current tick/time
testing commit c33c14e30f3437d419761048f70dd88b7ec797c8 with gcc (GCC) 8.1.0
kernel signature: f732bc22d2d303f8885518b77752d9dd7278f5c2d5af5e7d33a01b833e05786d
run #0: crashed: INFO: task hung in hashlimit_mt_check_common
run #1: crashed: INFO: task hung in hashlimit_mt_check_common
run #2: crashed: INFO: task hung in hashlimit_mt_check_common
run #3: crashed: INFO: task hung in htable_put
run #4: crashed: INFO: task hung in hashlimit_mt_check_common
run #5: crashed: INFO: task hung in synchronize_rcu
run #6: crashed: INFO: task hung in synchronize_rcu
run #7: crashed: INFO: task hung in hashlimit_mt_check_common
run #8: crashed: INFO: task hung in hashlimit_mt_check_common
run #9: crashed: INFO: task hung in synchronize_rcu
# git bisect good c33c14e30f3437d419761048f70dd88b7ec797c8
a86265edeb3314f9c3270a5bf18b4e72ebc65beb is the first bad commit
commit a86265edeb3314f9c3270a5bf18b4e72ebc65beb
Author: Cong Wang
Date:   Sun Feb 2 20:30:53 2020 -0800

    netfilter: xt_hashlimit: limit the max size of hashtable

    commit 8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5 upstream.

    The user-specified hashtable size is unbound, this could easily lead to
    an OOM or a hung task as we hold the global mutex while allocating and
    initializing the new hashtable.

    Add a max value to cap both cfg->size and cfg->max, as suggested by
    Florian.

    Reported-and-tested-by: syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com
    Signed-off-by: Cong Wang
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

 net/netfilter/xt_hashlimit.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

culprit signature: a4ac939125d7fe148d1e505b8d5d7bb241fdd43fbd59df4c66b4ad6c60bdafaf
parent signature: f732bc22d2d303f8885518b77752d9dd7278f5c2d5af5e7d33a01b833e05786d
revisions tested: 11, total time: 3h4m32.937046886s (build: 1h30m22.236973656s, test: 1h33m10.044341278s)
first good commit: a86265edeb3314f9c3270a5bf18b4e72ebc65beb netfilter: xt_hashlimit: limit the max size of hashtable
cc: ["fw@strlen.de" "gregkh@linuxfoundation.org" "pablo@netfilter.org" "syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]
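The commit message above describes the fix only in prose: cap the user-supplied cfg->size and cfg->max before the hashtable is allocated under the global mutex. The following is an added, user-space illustration of that clamp, not the kernel's xt_hashlimit.c and not the 10-line patch itself. The names XT_HASHLIMIT_MAX_SIZE, struct hashlimit_cfg, struct bucket_head, htable_bucket_bytes() and clamp_hashlimit_cfg() are this example's own assumptions, and the cap value is chosen here for illustration. It also shows the second hazard a practitioner checks for with user-controlled sizes: the bucket-array byte count overflowing size_t on a 32-bit build.

```c
/* Added example: model of clamping user-controlled xt_hashlimit sizes.
 * Not the kernel's code; all identifiers below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cap applied to both the bucket count and the entry limit (assumed value). */
#define XT_HASHLIMIT_MAX_SIZE 1048576u

/* Subset of what the iptables rule hands to the match: number of hash
 * buckets (size) and maximum number of tracked entries (max). */
struct hashlimit_cfg {
	uint32_t size;
	uint32_t max;
};

/* Models one bucket head: a single list pointer per bucket. */
struct bucket_head {
	void *first;
};

/* Bytes required for the bucket array, or 0 if size * sizeof(bucket)
 * would overflow size_t (a real risk on 32-bit builds with size near 2^32). */
static size_t htable_bucket_bytes(uint32_t size)
{
	if (size != 0 && (size_t)size > SIZE_MAX / sizeof(struct bucket_head))
		return 0;
	return (size_t)size * sizeof(struct bucket_head);
}

/* Clamp the user-controlled fields before any allocation happens.
 * Returns true if either field was truncated so the caller can log it. */
static bool clamp_hashlimit_cfg(struct hashlimit_cfg *cfg)
{
	bool truncated = false;

	if (cfg->size > XT_HASHLIMIT_MAX_SIZE) {
		cfg->size = XT_HASHLIMIT_MAX_SIZE;
		truncated = true;
	}
	if (cfg->max > XT_HASHLIMIT_MAX_SIZE) {
		cfg->max = XT_HASHLIMIT_MAX_SIZE;
		truncated = true;
	}
	return truncated;
}

/* What the allocation path would request for a rule with these values,
 * after clamping: the bucket-array size that is actually safe to allocate. */
static size_t validated_bucket_bytes(uint32_t size, uint32_t max)
{
	struct hashlimit_cfg cfg = { .size = size, .max = max };

	clamp_hashlimit_cfg(&cfg);
	return htable_bucket_bytes(cfg.size);
}

int main(void)
{
	/* Constructed input: the largest values a rule can encode. */
	struct hashlimit_cfg cfg = { .size = UINT32_MAX, .max = UINT32_MAX };

	printf("unclamped bucket array: %zu bytes (0 = size_t overflow)\n",
	       htable_bucket_bytes(cfg.size));
	if (clamp_hashlimit_cfg(&cfg))
		printf("truncated to size=%u max=%u -> %zu bytes\n",
		       cfg.size, cfg.max, htable_bucket_bytes(cfg.size));
	return 0;
}
```

The clamp runs before the allocation and before the mutex-protected initialisation loop, which is the ordering the commit message calls for: the work done while holding the global mutex becomes bounded by the cap rather than by whatever the rule author typed.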