bisecting cause commit starting from 2c523b344dfa65a3738e7039832044aa133c75fb building syzkaller on 35f53e457420e79fa28e3260cdbbf9f37b9f97e4 testing commit 2c523b344dfa65a3738e7039832044aa133c75fb with gcc (GCC) 8.1.0 kernel signature: 7f91ec140fd1d4e1f140086bcecabf8224e0bf45df86aaed51a9aedf61d1e7e8 run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms run #9: boot failed: can't ssh into the instance testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 2a23aeed0cc04e89fb52ba8229ce32089dea89d4107c7904fc823049a21b550d all runs: OK # git bisect start 2c523b344dfa65a3738e7039832044aa133c75fb d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 Bisecting: 7336 revisions left to test after this (roughly 13 steps) [4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0 kernel signature: 0a7a5be3419bc02d11be8714495369b38550bc4a88344998f4401f1d99147b06 all runs: OK # git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb Bisecting: 3694 revisions left to test after this (roughly 12 steps) [153b5c566d30fb984827acb12fd93c3aa6c147d3] Merge tag 'microblaze-v5.6-rc1' of git://git.monstr.eu/linux-2.6-microblaze testing commit 153b5c566d30fb984827acb12fd93c3aa6c147d3 with gcc (GCC) 8.1.0 kernel signature: a0b4f74fd4c874d6f74c3821cdd2a80d7bae3b5b390e208c93697f20288cf216 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect good 153b5c566d30fb984827acb12fd93c3aa6c147d3 Bisecting: 1877 revisions left to test after this (roughly 11 steps) [1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc with gcc (GCC) 8.1.0 kernel signature: e6d4ff64f3a2524e1cd841d44613968dbd3e2aab819cd0a1a582ccf24b114137 run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #6: crashed: general protection fault in tcf_action_destroy run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms # git bisect bad 1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc Bisecting: 921 revisions left to test after this (roughly 10 steps) [41dcd67e88688afbeb3b2bd23960eed5daec74e7] Merge tag 'docs-5.6-2' of git://git.lwn.net/linux testing commit 41dcd67e88688afbeb3b2bd23960eed5daec74e7 with gcc (GCC) 8.1.0 kernel signature: 0d09f7fa4d7fb7c15772460cb6be4c959650929acc7426a8407e0cc36bb60762 run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #5: crashed: KASAN: use-after-free Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms # git bisect bad 41dcd67e88688afbeb3b2bd23960eed5daec74e7 Bisecting: 481 revisions left to test after this (roughly 9 steps) [c1ef57a3a3f5e69e98baf89055b423da62791c13] Merge tag 'io_uring-5.6-2020-02-05' of git://git.kernel.dk/linux-block testing commit c1ef57a3a3f5e69e98baf89055b423da62791c13 with gcc (GCC) 8.1.0 kernel signature: f5b11e7ef55261c5fce1dc0d058c662d1d332263def1a3112648c89d787b4972 run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_filter_result_init run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #5: crashed: KASAN: use-after-free Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #7: crashed: general protection fault in tcf_action_destroy run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms # git bisect bad c1ef57a3a3f5e69e98baf89055b423da62791c13 Bisecting: 206 revisions left to test after this (roughly 8 steps) [72f582ff8569900ccc4439b26bbe5e2fff509f08] Merge branch 'work.recursive_removal' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 72f582ff8569900ccc4439b26bbe5e2fff509f08 with gcc (GCC) 8.1.0 kernel signature: e6746bd2da21533e77d0234cc1b558f01f790e4d27ccdbc2fb6ee8936e11a39b run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #8: crashed: WARNING in kfree run #9: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 72f582ff8569900ccc4439b26bbe5e2fff509f08 Bisecting: 102 revisions left to test after this (roughly 7 steps) [94dd54c51a410b9ffa6356c3ed2ab0317f998ded] powerpc/32s: Avoid crossing page boundary while changing SRR0/1. testing commit 94dd54c51a410b9ffa6356c3ed2ab0317f998ded with gcc (GCC) 8.1.0 kernel signature: 1ec50255bfb22cf1df44569198fbc58e41d835ba34ae9767ec3de5c304f9cb04 all runs: OK # git bisect good 94dd54c51a410b9ffa6356c3ed2ab0317f998ded Bisecting: 51 revisions left to test after this (roughly 6 steps) [0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64] l2tp: Allow duplicate session creation with UDP testing commit 0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64 with gcc (GCC) 8.1.0 kernel signature: 47f677dec4d950bded2543bd449dc71d322f69d14997a51d17334348fe90d147 run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms run #5: crashed: WARNING in kfree run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms # git bisect bad 0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64 Bisecting: 26 revisions left to test after this (roughly 5 steps) [83d0585f91da441a0b11bc5ff93f4cda56de6703] Merge branch 'Fix-reconnection-latency-caused-by-FIN-ACK-handling-race' testing commit 83d0585f91da441a0b11bc5ff93f4cda56de6703 with gcc (GCC) 8.1.0 kernel signature: d8710d8fb30871a842a7126c2dd06041e4ece9deb65f74896a6e7cb736aafb7f all runs: OK # git bisect good 83d0585f91da441a0b11bc5ff93f4cda56de6703 Bisecting: 13 revisions left to test after this (roughly 4 steps) [6ab63366e1ec4ec1900f253aa64727b4b5f4ee73] netdevsim: disable devlink reload when resources are being used testing commit 6ab63366e1ec4ec1900f253aa64727b4b5f4ee73 with gcc (GCC) 8.1.0 kernel signature: 6c58b33011dcb0290590bd2736679a9dbb4f0cec53cecf7d88d1751a80a16051 all runs: OK # git bisect good 6ab63366e1ec4ec1900f253aa64727b4b5f4ee73 Bisecting: 6 revisions left to test after this (roughly 3 steps) [2b5b8251bc9fe2f9118411f037862ee17cf81e97] net: hsr: fix possible NULL deref in hsr_handle_frame() testing commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 with gcc (GCC) 8.1.0 kernel signature: 1ce436b6c4af2e3ce31ecce98e23a8003ee7f63d67e9f36bea12a9ef1cd189ad all runs: OK # git bisect good 2b5b8251bc9fe2f9118411f037862ee17cf81e97 Bisecting: 3 revisions left to test after this (roughly 2 steps) [9afe2322cb90a8fbc27e32bfc691100c653cab2a] Merge branch 'unbreak-basic-and-bpf-tdc-testcases' testing commit 9afe2322cb90a8fbc27e32bfc691100c653cab2a with gcc (GCC) 8.1.0 kernel signature: 92856f085bb59f30922de3ad7bc9b0a7b7a559d089c0daad1c8809a1afb6ad7f all runs: OK # git bisect good 9afe2322cb90a8fbc27e32bfc691100c653cab2a Bisecting: 1 revision left to test after this (roughly 1 step) [599be01ee567b61f4471ee8078870847d0a11e8e] net_sched: fix an OOB access in cls_tcindex testing commit 599be01ee567b61f4471ee8078870847d0a11e8e with gcc (GCC) 8.1.0 kernel signature: cc62e48990c8c133783620f0b5a4887c485c5d07989483fe9c54eb699df5befa run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms run #9: crashed: KASAN: invalid-free in tcf_exts_destroy # git bisect bad 599be01ee567b61f4471ee8078870847d0a11e8e Bisecting: 0 revisions left to test after this (roughly 0 steps) [83b43045308ea0600099830292955f18818f8d5e] qed: Remove set but not used variable 'p_link' testing commit 83b43045308ea0600099830292955f18818f8d5e with gcc (GCC) 8.1.0 kernel signature: 13691db33578e558ac8d91d050f36b152b04dddf58cf713bdd8785c717763ed7 all runs: OK # git bisect good 83b43045308ea0600099830292955f18818f8d5e 599be01ee567b61f4471ee8078870847d0a11e8e is the first bad commit commit 599be01ee567b61f4471ee8078870847d0a11e8e Author: Cong Wang Date: Sun Feb 2 21:14:35 2020 -0800 net_sched: fix an OOB access in cls_tcindex As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash to compute the size of memory allocation, but cp->hash is set again after the allocation, this caused an out-of-bound access. So we have to move all cp->hash initialization and computation before the memory allocation. Move cp->mask and cp->shift together as cp->hash may need them for computation too. Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex") Cc: Eric Dumazet Cc: John Fastabend Cc: Jamal Hadi Salim Cc: Jiri Pirko Cc: Jakub Kicinski Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/sched/cls_tcindex.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) culprit signature: cc62e48990c8c133783620f0b5a4887c485c5d07989483fe9c54eb699df5befa parent signature: 13691db33578e558ac8d91d050f36b152b04dddf58cf713bdd8785c717763ed7 revisions tested: 16, total time: 3h54m36.396245727s (build: 1h46m7.102882987s, test: 2h7m13.50009375s) first bad commit: 599be01ee567b61f4471ee8078870847d0a11e8e net_sched: fix an OOB access in cls_tcindex cc: ["davem@davemloft.net" "syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"] crash: KASAN: invalid-free in tcf_exts_destroy ================================================================== BUG: KASAN: double-free or invalid-free in tcf_exts_destroy+0x53/0xb0 net/sched/cls_api.c:3002 CPU: 0 PID: 8436 Comm: syz-executor.4 Not tainted 5.5.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374 kasan_report_invalid_free+0x60/0xa0 mm/kasan/report.c:468 __kasan_slab_free+0x129/0x140 mm/kasan/common.c:453 __cache_free mm/slab.c:3426 [inline] kfree+0x107/0x2b0 mm/slab.c:3757 tcf_exts_destroy+0x53/0xb0 net/sched/cls_api.c:3002 tcf_exts_change+0xeb/0x140 net/sched/cls_api.c:3059 tcindex_set_parms+0xcce/0x1b90 net/sched/cls_tcindex.c:456 tcindex_change+0x1c2/0x280 net/sched/cls_tcindex.c:519 tc_new_tfilter+0xffa/0x1da0 net/sched/cls_api.c:2103 rtnetlink_rcv_msg+0x60c/0x8c0 net/core/rtnetlink.c:5429 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 ____sys_sendmsg+0x54e/0x750 net/socket.c:2343 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397 __sys_sendmsg+0xce/0x170 net/socket.c:2430 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 Allocated by task 8346: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:513 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc_track_caller+0x15c/0x7a0 mm/slab.c:3671 kmemdup+0x17/0x40 mm/util.c:127 kmemdup include/linux/string.h:453 [inline] neigh_parms_alloc+0x7a/0x420 net/core/neighbour.c:1615 inetdev_init+0x124/0x3f0 net/ipv4/devinet.c:266 inetdev_event+0xc90/0x1170 net/ipv4/devinet.c:1525 notifier_call_chain+0x86/0x150 kernel/notifier.c:83 call_netdevice_notifiers_extack net/core/dev.c:1955 [inline] call_netdevice_notifiers net/core/dev.c:1969 [inline] register_netdevice+0x60b/0xe30 net/core/dev.c:9411 veth_newlink+0x48f/0x890 drivers/net/veth.c:1312 __rtnl_newlink+0xbe9/0x1250 net/core/rtnetlink.c:3319 rtnl_newlink+0x5c/0x80 net/core/rtnetlink.c:3377 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5438 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 __sys_sendto+0x1d3/0x2b0 net/socket.c:1998 __do_compat_sys_socketcall net/compat.c:771 [inline] __se_compat_sys_socketcall net/compat.c:719 [inline] __ia32_compat_sys_socketcall+0x401/0x550 net/compat.c:719 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff88809e9a6c00 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 16 bytes inside of 192-byte region [ffff88809e9a6c00, ffff88809e9a6cc0) The buggy address belongs to the page: page:ffffea00027a6980 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0x0 raw: 00fffe0000000200 ffffea0002a183c8 ffffea00029e73c8 ffff8880aa400000 raw: 0000000000000000 ffff88809e9a6000 0000000100000010 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809e9a6b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88809e9a6b80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88809e9a6c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff88809e9a6c80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88809e9a6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================