bisecting fixing commit since 8f8972a3127ff46df62ae30057d29606968ec4aa
building syzkaller on 0342f8c7bc656ea8ee3c45e49edeb4ee9cc12cce
testing commit 8f8972a3127ff46df62ae30057d29606968ec4aa with gcc (GCC) 8.1.0
kernel signature: 3c0a074e7de8b8101902024d815f66fe8a21034538952d0375d405bd695937de
all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup
testing current HEAD 0a44cac8105059eb756ed4276e932e54e1ba004d
testing commit 0a44cac8105059eb756ed4276e932e54e1ba004d with gcc (GCC) 8.1.0
kernel signature: d99a36ccb8235492c35b4c861a0a9ec82e6b11069b06377f2c3564f356b33621
all runs: OK
# git bisect start 0a44cac8105059eb756ed4276e932e54e1ba004d 8f8972a3127ff46df62ae30057d29606968ec4aa
Bisecting: 6327 revisions left to test after this (roughly 13 steps)
[4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0
kernel signature: 05e8538db29519ca77a3151bcf1807cad7a4064b7a09b7a69f4b855a14a478ef
all runs: OK
# git bisect bad 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb
Bisecting: 2314 revisions left to test after this (roughly 12 steps)
[bd2463ac7d7ec51d432f23bf0e893fb371a908cd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit bd2463ac7d7ec51d432f23bf0e893fb371a908cd with gcc (GCC) 8.1.0
kernel signature: 2b338d78fd55b22c6475e3f8551a753872b183e19045a539a221dafd18545e0c
all runs: OK
# git bisect bad bd2463ac7d7ec51d432f23bf0e893fb371a908cd
Bisecting: 1810 revisions left to test after this (roughly 11 steps)
[c4c57b974d27f53744b1bc5669e002f080cec839] Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit c4c57b974d27f53744b1bc5669e002f080cec839 with gcc (GCC) 8.1.0
kernel signature: 928aa2080b5d9e516d7b95c0828e5d9fb2c4fecc69ebc14cebe71a266cc57360
all runs: OK
# git bisect bad c4c57b974d27f53744b1bc5669e002f080cec839
Bisecting: 878 revisions left to test after this (roughly 10 steps)
[d49d0661b92478ec9362e379e7ba82450ec88048] Merge branch 'libbpf-include-path'
testing commit d49d0661b92478ec9362e379e7ba82450ec88048 with gcc (GCC) 8.1.0
kernel signature: efd594680a787642a2cbc812f2603ac5b305c3f504405e5aa1d5060a09f8b677
all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup
# git bisect good d49d0661b92478ec9362e379e7ba82450ec88048
Bisecting: 438 revisions left to test after this (roughly 9 steps)
[794eee259e8e1a7e6f31417ec8f6fa809597bb24] Merge branch 'net-phy-add-generic-ndo_do_ioctl-handler-phy_do_ioctl'
testing commit 794eee259e8e1a7e6f31417ec8f6fa809597bb24 with gcc (GCC) 8.1.0
kernel signature: e00fecf47ca93a50ab99c92c6bff00aa544bbe2cf04088c9a532b95fcb0ed40c
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ipmac_ext_cleanup
# git bisect good 794eee259e8e1a7e6f31417ec8f6fa809597bb24
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[2821e26f3a0a3872184581caac8115bb02641941] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm
testing commit 2821e26f3a0a3872184581caac8115bb02641941 with gcc (GCC) 8.1.0
kernel signature: 539a8a158a601a487a4fa34a346cbb22550f1bf88a93469857992f06727790f6
all runs: OK
# git bisect bad 2821e26f3a0a3872184581caac8115bb02641941
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[342508c1c7540e281fd36151c175ba5ff954a99f] net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path
testing commit 342508c1c7540e281fd36151c175ba5ff954a99f with gcc (GCC) 8.1.0
kernel signature: 679f37fc9f1f523938cbe093a8529ca6cc7da7197a33a86c517105a6d5a18a2b
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ipmac_ext_cleanup
# git bisect good 342508c1c7540e281fd36151c175ba5ff954a99f
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[274adbff45e3c26c65b2e103581d2ab5834b0b7c] Merge tag 'drm-fixes-2020-01-24' of git://anongit.freedesktop.org/drm/drm
testing commit 274adbff45e3c26c65b2e103581d2ab5834b0b7c with gcc (GCC) 8.1.0
kernel signature: 5b9f761d4e332c2150c89d28f20ed38e30481bd11f3cd38d27bccd0d199f2358
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ipmac_ext_cleanup
# git bisect good 274adbff45e3c26c65b2e103581d2ab5834b0b7c
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[93d1a05ea6b29737715769e2c9551cfe8a5fef22] Merge tag 'pinctrl-v5.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 93d1a05ea6b29737715769e2c9551cfe8a5fef22 with gcc (GCC) 8.1.0
kernel signature: a183ed767f1110bd81361f744495225a820f127dd1ac07073b5be9b5b5db2a20
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ipmac_ext_cleanup
# git bisect good 93d1a05ea6b29737715769e2c9551cfe8a5fef22
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[6badad1c1d354db1f7bc216319d81884411d5098] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit 6badad1c1d354db1f7bc216319d81884411d5098 with gcc (GCC) 8.1.0
kernel signature: d1f0059ba682b0d81e71fa73c23e1887fdc7ab96d2827cd18b203d3a17f2aa8e
all runs: OK
# git bisect bad 6badad1c1d354db1f7bc216319d81884411d5098
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[eb014de4fd418de1a277913cba244e47274fe392] netfilter: nf_tables: autoload modules from the abort path
testing commit eb014de4fd418de1a277913cba244e47274fe392 with gcc (GCC) 8.1.0
kernel signature: 5d39fa404b5b4195d80a541c2b440a5dbf2f164597e95576ee8ff83d44d19142
all runs: OK
# git bisect bad eb014de4fd418de1a277913cba244e47274fe392
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ab658b9fa7a2c467f79eac8b53ea308b8f98113d] netfilter: conntrack: sctp: use distinct states for new SCTP connections
testing commit ab658b9fa7a2c467f79eac8b53ea308b8f98113d with gcc (GCC) 8.1.0
kernel signature: dfdf0cda06cf99abfc85ac65df089d718acfad71d16905fa2609419c493f3f12
all runs: OK
# git bisect bad ab658b9fa7a2c467f79eac8b53ea308b8f98113d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[32c72165dbd0e246e69d16a3ad348a4851afd415] netfilter: ipset: use bitmap infrastructure completely
testing commit 32c72165dbd0e246e69d16a3ad348a4851afd415 with gcc (GCC) 8.1.0
kernel signature: b57367aa57adcd861079d9d01fc1ff9e4e4caa51cd921cc4045b3a2c8ed0413d
all runs: OK
# git bisect bad 32c72165dbd0e246e69d16a3ad348a4851afd415
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365] netfilter: nft_osf: add missing check for DREG attribute
testing commit 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365 with gcc (GCC) 8.1.0
kernel signature: 6cce6cbc1d91295cf8d6ebc2a5b10df49f68834db697f36b6a5c8fe70fde8afc
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ipmac_ext_cleanup
# git bisect good 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365
32c72165dbd0e246e69d16a3ad348a4851afd415 is the first bad commit
commit 32c72165dbd0e246e69d16a3ad348a4851afd415
Author: Kadlecsik József
Date:   Sun Jan 19 22:06:49 2020 +0100

    netfilter: ipset: use bitmap infrastructure completely

    The bitmap allocation did not use full unsigned long sizes when
    calculating the required size and that was triggered by KASAN as
    slab-out-of-bounds read in several places. The patch fixes all of them.

    Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
    Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
    Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
    Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
    Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
    Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
    Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

 include/linux/netfilter/ipset/ip_set.h    | 7 -------
 net/netfilter/ipset/ip_set_bitmap_gen.h   | 2 +-
 net/netfilter/ipset/ip_set_bitmap_ip.c    | 6 +++---
 net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +++---
 net/netfilter/ipset/ip_set_bitmap_port.c  | 6 +++---
 5 files changed, 10 insertions(+), 17 deletions(-)

culprit signature: b57367aa57adcd861079d9d01fc1ff9e4e4caa51cd921cc4045b3a2c8ed0413d
parent signature: 6cce6cbc1d91295cf8d6ebc2a5b10df49f68834db697f36b6a5c8fe70fde8afc
revisions tested: 16, total time: 3h54m59.937084274s (build: 1h46m14.891815426s, test: 2h7m24.221499615s)
first good commit: 32c72165dbd0e246e69d16a3ad348a4851afd415 netfilter: ipset: use bitmap infrastructure completely
cc: ["kadlec@blackhole.kfki.hu" "kadlec@netfilter.org" "pablo@netfilter.org"]
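The commit message above describes a bitmap whose size was computed without rounding up to whole unsigned longs, while the bitmap helpers read whole unsigned longs. The C program below is an added illustration of that size mismatch; it is not the ipset patch and not code from the kernel. BITS_TO_LONGS mirrors the kernel macro of that name; the helper names, the 20-bit size and the word-wise scan routine are constructed for this example.

```c
/*
 * Added example, not code from the ipset patch: why a bitmap must be
 * allocated in whole unsigned longs. BITS_TO_LONGS mirrors the kernel
 * macro of the same name; all other names and sizes are constructed.
 */
#include <stdio.h>
#include <stdlib.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(nbits) (((nbits) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Byte-granular size: enough for bit-by-bit access, too small for the
 * word-wise bitmap helpers. This is the shape of the bug described. */
size_t bitmap_bytes_byte_granular(size_t nbits)
{
	return (nbits + 7) / 8;
}

/* Word-granular size: what the bitmap infrastructure assumes. */
size_t bitmap_bytes_word_granular(size_t nbits)
{
	return BITS_TO_LONGS(nbits) * sizeof(unsigned long);
}

/* Bytes a word-wise scan over an nbits bitmap reads past an allocation
 * of alloc_bytes; 0 means the scan stays inside the object. */
size_t word_scan_overrun(size_t nbits, size_t alloc_bytes)
{
	size_t needed = bitmap_bytes_word_granular(nbits);
	return needed > alloc_bytes ? needed - alloc_bytes : 0;
}

void bitmap_set_bit(unsigned long *map, size_t n)
{
	map[n / BITS_PER_LONG] |= 1UL << (n % BITS_PER_LONG);
}

/* Word-wise "is any bit set?": reads BITS_TO_LONGS(nbits) whole words,
 * so the caller must have allocated map word-granular. */
int bitmap_any_set(const unsigned long *map, size_t nbits)
{
	for (size_t i = 0; i < BITS_TO_LONGS(nbits); i++)
		if (map[i])
			return 1;
	return 0;
}

/* Allocate a word-granular bitmap, optionally set its last bit, and
 * scan it word-wise. Returns the scan result, or -1 on allocation failure. */
int bitmap_scan_demo(size_t nbits, int set_last)
{
	unsigned long *map = calloc(1, bitmap_bytes_word_granular(nbits));
	int any;

	if (!map)
		return -1;
	if (set_last)
		bitmap_set_bit(map, nbits - 1);
	any = bitmap_any_set(map, nbits);
	free(map);
	return any;
}

int main(void)
{
	size_t nbits = 20;	/* constructed: a small bitmap:ip range */
	size_t bad = bitmap_bytes_byte_granular(nbits);
	size_t good = bitmap_bytes_word_granular(nbits);

	printf("%zu bits: %zu bytes byte-granular, %zu bytes word-granular\n",
	       nbits, bad, good);
	printf("a word-wise scan over the %zu-byte object reads %zu bytes past it\n",
	       bad, word_scan_overrun(nbits, bad));
	printf("word-granular map, last bit set, any set: %d\n",
	       bitmap_scan_demo(nbits, 1));
	return 0;
}
```

With the byte-granular size any helper that walks BITS_TO_LONGS(nbits) words reads beyond the end of the object, which is the pattern KASAN reports as a slab-out-of-bounds read; sizing the allocation with BITS_TO_LONGS removes the mismatch.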