bisecting fixing commit since 01364dad1d4577e27a57729d41053f661bb8a5b9
building syzkaller on a34e2c332411388ed2b3f6f1a3acdc062feceb79
testing commit 01364dad1d4577e27a57729d41053f661bb8a5b9 with gcc (GCC) 8.1.0
kernel signature: 75f45e5f66c16e211023a141b8cc00cbab9b5b4f7604a065f4fb75668cfc00dc
run #0: crashed: KASAN: use-after-free Read in route4_get
run #1: crashed: KASAN: use-after-free Read in route4_get
run #2: crashed: KASAN: use-after-free Read in route4_get
run #3: crashed: KASAN: use-after-free Read in route4_get
run #4: crashed: KASAN: use-after-free Read in route4_get
run #5: crashed: KASAN: use-after-free Read in route4_get
run #6: crashed: KASAN: use-after-free Read in route4_get
run #7: crashed: KASAN: use-after-free Read in route4_get
run #8: crashed: WARNING: ODEBUG bug in __route4_delete_filter
run #9: crashed: KASAN: use-after-free Read in route4_get
testing current HEAD 050272a0423e68207fd2367831ae610680129062
testing commit 050272a0423e68207fd2367831ae610680129062 with gcc (GCC) 8.1.0
kernel signature: db28ebd4b245b4aeddae6501ad61143269db323d5e888887507a02cfeff20052
all runs: OK
# git bisect start 050272a0423e68207fd2367831ae610680129062 01364dad1d4577e27a57729d41053f661bb8a5b9
Bisecting: 194 revisions left to test after this (roughly 8 steps)
[82146d1de45651ddd02a2c693382b732e4d428bb] hinic: fix wrong para of wait_for_completion_timeout
testing commit 82146d1de45651ddd02a2c693382b732e4d428bb with gcc (GCC) 8.1.0
kernel signature: a7648cd7dd3fb3005520059e2cfe6aac9ebb40f678f200fe1184ffe420ee1a56
all runs: OK
# git bisect bad 82146d1de45651ddd02a2c693382b732e4d428bb
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[1ec47ff0525c4a530dc7783cb28044179334a4cc] mac80211: mark station unauthorized before key removal
testing commit 1ec47ff0525c4a530dc7783cb28044179334a4cc with gcc (GCC) 8.1.0
kernel signature: 24b6f526ba3778b83bf8839b8c817ff0989de9432ddf85c79385994223bfe424
all runs: OK
# git bisect bad 1ec47ff0525c4a530dc7783cb28044179334a4cc
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[c4ad116663f3d589d39ceb382dfcafb8feae2960] Revert "ipv6: Fix handling of LLA with VRF and sockets bound to VRF"
testing commit c4ad116663f3d589d39ceb382dfcafb8feae2960 with gcc (GCC) 8.1.0
kernel signature: 47f4fd45a25a810cf6ce04af546d472a73919db358889810ae9df0c23d78956e
run #0: crashed: KASAN: use-after-free Read in route4_get
run #1: crashed: KASAN: use-after-free Read in route4_get
run #2: crashed: KASAN: use-after-free Read in route4_get
run #3: crashed: KASAN: use-after-free Read in route4_get
run #4: crashed: KASAN: use-after-free Read in route4_get
run #5: crashed: KASAN: use-after-free Read in route4_get
run #6: crashed: WARNING: ODEBUG bug in route4_change
run #7: crashed: KASAN: use-after-free Read in route4_get
run #8: crashed: WARNING: ODEBUG bug in route4_change
run #9: crashed: KASAN: use-after-free Read in route4_get
# git bisect good c4ad116663f3d589d39ceb382dfcafb8feae2960
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[4ba7450cf490f5852632a8ebda61233bcf4e8191] hsr: set .netnsok flag
testing commit 4ba7450cf490f5852632a8ebda61233bcf4e8191 with gcc (GCC) 8.1.0
kernel signature: 98d7cca43dcf1c1713f32f5ef9c15c1725232abe7ebf862ff8b4e4cea2bbf350
all runs: OK
# git bisect bad 4ba7450cf490f5852632a8ebda61233bcf4e8191
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[2975472e042e0bbfeeabddc5023cb8c011ec5a07] net/packet: tpacket_rcv: avoid a producer race condition
testing commit 2975472e042e0bbfeeabddc5023cb8c011ec5a07 with gcc (GCC) 8.1.0
kernel signature: b5df9d720eb89ac8eb4e0e5e24a90b2f37e22f5d6f8b3f211f26a6fd0b424e47
run #0: crashed: KASAN: use-after-free Read in route4_get
run #1: crashed: KASAN: use-after-free Read in route4_get
run #2: crashed: WARNING: ODEBUG bug in route4_change
run #3: crashed: KASAN: use-after-free Read in route4_get
run #4: crashed: KASAN: use-after-free Read in route4_get
run #5: crashed: KASAN: use-after-free Read in route4_get
run #6: crashed: KASAN: use-after-free Read in route4_get
run #7: crashed: KASAN: use-after-free Read in route4_get
run #8: crashed: WARNING: ODEBUG bug in route4_change
run #9: crashed: KASAN: use-after-free Read in route4_get
# git bisect good 2975472e042e0bbfeeabddc5023cb8c011ec5a07
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[795536e997419cc81c6c4a08e49d7cac7141ca9d] slcan: not call free_netdev before rtnl_unlock in slcan_open
testing commit 795536e997419cc81c6c4a08e49d7cac7141ca9d with gcc (GCC) 8.1.0
kernel signature: c3c70521467ccc9bc6d70f73ed9c722aff36444ce30b91108bc938488d002d91
all runs: OK
# git bisect bad 795536e997419cc81c6c4a08e49d7cac7141ca9d
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[9f8b6c44be178c2498a00b270872a6e30e7c8266] net_sched: keep alloc_hash updated after hash allocation
testing commit 9f8b6c44be178c2498a00b270872a6e30e7c8266 with gcc (GCC) 8.1.0
kernel signature: 9cf3f4d474a38cf8564a84398d4ba9100d2581e79a756d5c1b2b4a333ad39ef1
all runs: OK
# git bisect bad 9f8b6c44be178c2498a00b270872a6e30e7c8266
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f0c92f59cf528bc1b872f2ca91b01e128a2af3e6] net_sched: cls_route: remove the right filter from hashtable
testing commit f0c92f59cf528bc1b872f2ca91b01e128a2af3e6 with gcc (GCC) 8.1.0
kernel signature: e42213f43331b4f12e8f0fab01b21ba105072ee9fcddd869c40d4d65e628bc20
all runs: OK
# git bisect bad f0c92f59cf528bc1b872f2ca91b01e128a2af3e6
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ee86fd16c8c6c4336c744c141f82b19a9768ebd7] net: qmi_wwan: add support for ASKEY WWHC050
testing commit ee86fd16c8c6c4336c744c141f82b19a9768ebd7 with gcc (GCC) 8.1.0
kernel signature: 027ba97316eec30924c7df2eec0bd6e85ae742a03e6d37127816f441274f8cdb
all runs: crashed: KASAN: use-after-free Read in route4_get
# git bisect good ee86fd16c8c6c4336c744c141f82b19a9768ebd7
f0c92f59cf528bc1b872f2ca91b01e128a2af3e6 is the first bad commit
commit f0c92f59cf528bc1b872f2ca91b01e128a2af3e6
Author: Cong Wang
Date:   Fri Mar 13 22:29:54 2020 -0700

    net_sched: cls_route: remove the right filter from hashtable

    [ Upstream commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359 ]

    route4_change() allocates a new filter and copies values from
    the old one. After the new filter is inserted into the hash
    table, the old filter should be removed and freed, as the final
    step of the update.

    However, the current code mistakenly removes the new one. This
    looks apparently wrong to me, and it causes double "free" and
    use-after-free too, as reported by syzbot.

    Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
    Fixes: 1109c00547fc ("net: sched: RCU cls_route")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Cc: John Fastabend
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/cls_route.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

culprit signature: e42213f43331b4f12e8f0fab01b21ba105072ee9fcddd869c40d4d65e628bc20
parent signature: 027ba97316eec30924c7df2eec0bd6e85ae742a03e6d37127816f441274f8cdb
revisions tested: 11, total time: 3h1m27.664303621s (build: 1h36m36.473781596s, test: 1h23m17.283523443s)
first good commit: f0c92f59cf528bc1b872f2ca91b01e128a2af3e6 net_sched: cls_route: remove the right filter from hashtable
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com" "syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com" "syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]