bisecting fixing commit since 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14
building syzkaller on 2c31c529a9a44be5d99e769204b7a4b84b93eec1
testing commit 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 with gcc (GCC) 8.1.0
kernel signature: 10cf5d404ea47e80e56a492c000074c35a4b8281aa8b1d4006af948091aaafc8
run #0: crashed: KASAN: use-after-free Read in tcindex_lookup
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: general protection fault in getname_kernel
run #6: crashed: INFO: trying to register non-static key in process_one_work
run #7: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_change
run #8: crashed: INFO: trying to register non-static key in process_one_work
run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms
testing current HEAD c10b57a567e4333b9fdf60b5ec36de9859263ca2
testing commit c10b57a567e4333b9fdf60b5ec36de9859263ca2 with gcc (GCC) 8.1.0
kernel signature: c9171a8baa24319d033bcb5e58838a39a1a926a7c00923fe8201f31c6831198f
all runs: OK
# git bisect start c10b57a567e4333b9fdf60b5ec36de9859263ca2 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14
Bisecting: 144 revisions left to test after this (roughly 7 steps)
[e52694b56eb6d4b1fe424bda6126b8ce13c246a8] futex: Fix inode life-time issue
testing commit e52694b56eb6d4b1fe424bda6126b8ce13c246a8 with gcc (GCC) 8.1.0
kernel signature: 3056b35da917d6acfacce19a2ac2891fc2b0dacf2c0a710dee79e5f37c36afe7
run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #3: crashed: INFO: trying to register non-static key in process_one_work
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #6: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #7: crashed: INFO: trying to register non-static key in process_one_work
run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #9: crashed: KASAN: use-after-free Read in tcindex_lookup
# git bisect good e52694b56eb6d4b1fe424bda6126b8ce13c246a8
Bisecting: 72 revisions left to test after this (roughly 6 steps)
[57194c6fd8c478f468f1aa7ae2175ea77c4d8de1] USB: cdc-acm: restore capability check order
testing commit 57194c6fd8c478f468f1aa7ae2175ea77c4d8de1 with gcc (GCC) 8.1.0
kernel signature: f29e7971638521d8ea6b01bc4f48b018408f9f2592e917fc9f4d7f07a75a8b0a
all runs: OK
# git bisect bad 57194c6fd8c478f468f1aa7ae2175ea77c4d8de1
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[4b7eb7a4693dd93bf5db8714da7410c6423324d3] scsi: ipr: Fix softlockup when rescanning devices in petitboot
testing commit 4b7eb7a4693dd93bf5db8714da7410c6423324d3 with gcc (GCC) 8.1.0
kernel signature: 3d9e3720001e667ed1b1986d3bf430e44c75fccc07106111bcee25431e27f8eb
all runs: OK
# git bisect bad 4b7eb7a4693dd93bf5db8714da7410c6423324d3
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[9f8b6c44be178c2498a00b270872a6e30e7c8266] net_sched: keep alloc_hash updated after hash allocation
testing commit 9f8b6c44be178c2498a00b270872a6e30e7c8266 with gcc (GCC) 8.1.0
kernel signature: 6c8e8507a0947f19075b6b452c20fa8c9b9e5d2af67bc900c4fc9d1159b68b10
all runs: OK
# git bisect bad 9f8b6c44be178c2498a00b270872a6e30e7c8266
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[e3bc8d886b40801abde9e01b85157994171be3bb] staging: greybus: loopback_test: fix potential path truncations
testing commit e3bc8d886b40801abde9e01b85157994171be3bb with gcc (GCC) 8.1.0
kernel signature: 8a49b77a1dedf5a01cccff8418307fee1215e4ed24f34a588bf9fa3468bdcdad
run #0: crashed: general protection fault in getname_kernel
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #3: crashed: kernel BUG at arch/x86/mm/physaddr.c:LINE!
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: use-after-free Read in tcindex_lookup
run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms
# git bisect good e3bc8d886b40801abde9e01b85157994171be3bb
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c5980c71536ae46b69fada2ff4018afbaa088e4b] net: dsa: Fix duplicate frames flooded by learning
testing commit c5980c71536ae46b69fada2ff4018afbaa088e4b with gcc (GCC) 8.1.0
kernel signature: 19d2e9ea612d1ee6a9b9ea650aeb1420bb9bf2a8328a144c4e148ee02fe2f7bc
run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: KASAN: use-after-free Read in tcindex_lookup
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: BUG: sleeping function called from invalid context in __do_page_fault
run #6: crashed: INFO: trying to register non-static key in process_one_work
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #9: crashed: KASAN: use-after-free Read in tcindex_lookup
# git bisect good c5980c71536ae46b69fada2ff4018afbaa088e4b
Bisecting: 2 revisions left to test after this (roughly 1 step)
[2975472e042e0bbfeeabddc5023cb8c011ec5a07] net/packet: tpacket_rcv: avoid a producer race condition
testing commit 2975472e042e0bbfeeabddc5023cb8c011ec5a07 with gcc (GCC) 8.1.0
kernel signature: 2d6aa4919193d02016bcfcc7e1acc159509687f2b466f320e467d443b6a68a6d
run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #2: crashed: KASAN: use-after-free Read in tcindex_lookup
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: general protection fault in getname_kernel
run #5: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #6: crashed: KASAN: use-after-free Read in tcindex_lookup
run #7: crashed: INFO: trying to register non-static key in process_one_work
run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms
# git bisect good 2975472e042e0bbfeeabddc5023cb8c011ec5a07
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f0c92f59cf528bc1b872f2ca91b01e128a2af3e6] net_sched: cls_route: remove the right filter from hashtable
testing commit f0c92f59cf528bc1b872f2ca91b01e128a2af3e6 with gcc (GCC) 8.1.0
kernel signature: c583e2f644b927bf928d1d608776db7676511be2423439dedeb00f75f376962a
run #0: crashed: general protection fault in getname_kernel
run #1: crashed: WARNING: locking bug in corrupted
run #2: crashed: INFO: trying to register non-static key in corrupted
run #3: crashed: general protection fault in getname_kernel
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: general protection fault in getname_kernel
run #6: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #7: crashed: KASAN: use-after-free Read in tcindex_lookup
run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms
# git bisect good f0c92f59cf528bc1b872f2ca91b01e128a2af3e6
9f8b6c44be178c2498a00b270872a6e30e7c8266 is the first bad commit
commit 9f8b6c44be178c2498a00b270872a6e30e7c8266
Author: Cong Wang
Date:   Wed Mar 11 22:42:28 2020 -0700

    net_sched: keep alloc_hash updated after hash allocation

    [ Upstream commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 ]

    In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    I moved cp->hash calculation before the first tcindex_alloc_perfect_hash(),
    but cp->alloc_hash is left untouched. This difference could lead to another
    out-of-bounds access.

    cp->alloc_hash should always be the size allocated; we should update it
    after this tcindex_alloc_perfect_hash().

    Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
    Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/cls_tcindex.c | 1 +
 1 file changed, 1 insertion(+)
culprit signature: 6c8e8507a0947f19075b6b452c20fa8c9b9e5d2af67bc900c4fc9d1159b68b10
parent signature: c583e2f644b927bf928d1d608776db7676511be2423439dedeb00f75f376962a
revisions tested: 10, total time: 2h26m47.214879533s (build: 1h26m42.204907989s, test: 58m50.48296381s)
first good commit: 9f8b6c44be178c2498a00b270872a6e30e7c8266 net_sched: keep alloc_hash updated after hash allocation
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com" "syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]