bisecting cause commit starting from 569aad4fcd82cba64eb10ede235d330a00f0aa09 building syzkaller on b7a87a83f8bdbe141f04275ab84bd0f38ce1d4a9 testing commit 569aad4fcd82cba64eb10ede235d330a00f0aa09 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 run #0: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #1: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #2: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #3: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #4: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy run #5: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #6: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #7: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #8: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #9: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 all runs: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 run #0: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #1: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #2: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #3: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #4: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #5: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #6: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy run #7: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #8: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #9: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 all runs: OK # git bisect start v4.15 v4.14 Bisecting: 8497 revisions left to test after this (roughly 13 steps) [5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a] Merge tag 'media/v4.15-1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a Bisecting: 3900 revisions left to test after this (roughly 12 steps) [f6705bf959efac87bca76d40050d342f1d212587] Merge tag 'drm-for-v4.15-amd-dc' of git://people.freedesktop.org/~airlied/linux testing commit f6705bf959efac87bca76d40050d342f1d212587 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f6705bf959efac87bca76d40050d342f1d212587 Bisecting: 1936 revisions left to test after this (roughly 11 steps) [4066aa72f9f2886105c6f747d7f9bd4f14f53c12] Merge tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux testing commit 4066aa72f9f2886105c6f747d7f9bd4f14f53c12 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4066aa72f9f2886105c6f747d7f9bd4f14f53c12 Bisecting: 983 revisions left to test after this (roughly 10 steps) [fd84b751ddb7dab7a8c22826e7bff85f3ff3f9a6] Merge tag 'drm-fixes-for-v4.15-rc6' of git://people.freedesktop.org/~airlied/linux testing commit fd84b751ddb7dab7a8c22826e7bff85f3ff3f9a6 with gcc (GCC) 8.1.0 run #0: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #1: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #2: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #3: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #4: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy run #5: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #6: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #7: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #8: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #9: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash # git bisect bad fd84b751ddb7dab7a8c22826e7bff85f3ff3f9a6 Bisecting: 433 revisions left to test after this (roughly 9 steps) [7a3c296ae08f9b51e399074d8ef6867d65fbd22b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit 7a3c296ae08f9b51e399074d8ef6867d65fbd22b with gcc (GCC) 8.1.0 net/wireless/shipped-certs.c:92:10: error: redefinition of ‘shipped_regdb_certs’ # git bisect skip 7a3c296ae08f9b51e399074d8ef6867d65fbd22b Bisecting: 433 revisions left to test after this (roughly 9 steps) [37e92a9d4fe38dc3e7308913575983a6a088c8d4] net/mlx5: Fix rate limit packet pacing naming and struct testing commit 37e92a9d4fe38dc3e7308913575983a6a088c8d4 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash # git bisect bad 37e92a9d4fe38dc3e7308913575983a6a088c8d4 Bisecting: 291 revisions left to test after this (roughly 8 steps) [4e746cf4f721d6397bace501f5feadb46eec1314] Merge tag 'riscv-for-linus-4.15-rc4-riscv_fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/linux testing commit 4e746cf4f721d6397bace501f5feadb46eec1314 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash # git bisect bad 4e746cf4f721d6397bace501f5feadb46eec1314 Bisecting: 140 revisions left to test after this (roughly 7 steps) [4ded3bec65a07343258ed8fd9d46483f032d866f] Merge tag 'keys-fixes-20171208' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into keys-for-linus testing commit 4ded3bec65a07343258ed8fd9d46483f032d866f with gcc (GCC) 8.1.0 run #0: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #1: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #2: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #3: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #4: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #5: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #6: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #7: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #8: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #9: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy # git bisect bad 4ded3bec65a07343258ed8fd9d46483f032d866f Bisecting: 76 revisions left to test after this (roughly 6 steps) [03afb6e43aaf71e761c1e22d36c2670ef82f089a] Merge tag 'wireless-drivers-for-davem-2017-12-08' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers testing commit 03afb6e43aaf71e761c1e22d36c2670ef82f089a with gcc (GCC) 8.1.0 run #0: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #1: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #2: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #3: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #4: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #5: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #6: crashed: KASAN: slab-out-of-bounds Read in tcf_exts_destroy run #7: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #8: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash run #9: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash # git bisect bad 03afb6e43aaf71e761c1e22d36c2670ef82f089a Bisecting: 36 revisions left to test after this (roughly 5 steps) [a4abd7a80addb4a9547f7dfc7812566b60ec505c] usbnet: fix alignment for frames with no ethernet header testing commit a4abd7a80addb4a9547f7dfc7812566b60ec505c with gcc (GCC) 8.1.0 all runs: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash # git bisect bad a4abd7a80addb4a9547f7dfc7812566b60ec505c Bisecting: 16 revisions left to test after this (roughly 4 steps) [69c64866ce072dea1d1e59a0d61e0f66c0dffb76] dccp: CVE-2017-8824: use-after-free in DCCP code testing commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Bisecting: 8 revisions left to test after this (roughly 3 steps) [30f1e59550363f6be28213393407ef225150e7fe] drivers: net: dsa: remove duplicate includes testing commit 30f1e59550363f6be28213393407ef225150e7fe with gcc (GCC) 8.1.0 all runs: OK # git bisect good 30f1e59550363f6be28213393407ef225150e7fe Bisecting: 4 revisions left to test after this (roughly 2 steps) [3126aeec5313565bfa19e2dd8fd7e3c3390514cb] net: dsa: mv88e6xxx: Unregister MDIO bus on error path testing commit 3126aeec5313565bfa19e2dd8fd7e3c3390514cb with gcc (GCC) 8.1.0 all runs: OK # git bisect good 3126aeec5313565bfa19e2dd8fd7e3c3390514cb Bisecting: 1 revision left to test after this (roughly 1 step) [6e237d099fac1f73a7b6d7287bb9191f29585a4e] netlink: Relax attr validation for fixed length types testing commit 6e237d099fac1f73a7b6d7287bb9191f29585a4e with gcc (GCC) 8.1.0 all runs: crashed: WARNING: kmalloc bug in tcindex_alloc_perfect_hash # git bisect bad 6e237d099fac1f73a7b6d7287bb9191f29585a4e Bisecting: 0 revisions left to test after this (roughly 1 step) [74c4b656c3d92ec4c824ea1a4afd726b7b6568c8] adding missing rcu_read_unlock in ipxip6_rcv testing commit 74c4b656c3d92ec4c824ea1a4afd726b7b6568c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 74c4b656c3d92ec4c824ea1a4afd726b7b6568c8 6e237d099fac1f73a7b6d7287bb9191f29585a4e is the first bad commit commit 6e237d099fac1f73a7b6d7287bb9191f29585a4e Author: David Ahern Date: Wed Dec 6 20:09:12 2017 -0800 netlink: Relax attr validation for fixed length types Commit 28033ae4e0f5 ("net: netlink: Update attr validation to require exact length for some types") requires attributes using types NLA_U* and NLA_S* to have an exact length. This change is exposing bugs in various userspace commands that are sending attributes with an invalid length (e.g., attribute has type NLA_U8 and userspace sends NLA_U32). While the commands are clearly broken and need to be fixed, users are arguing that the sudden change in enforcement is breaking older commands on newer kernels for use cases that otherwise "worked". Relax the validation to print a warning mesage similar to what is done for messages containing extra bytes after parsing. Fixes: 28033ae4e0f5 ("net: netlink: Update attr validation to require exact length for some types") Signed-off-by: David Ahern Reviewed-by: Johannes Berg Signed-off-by: David S. Miller :040000 040000 a6a5b1fad1eeb2302681c4f0e12e5e8e51ae975f e20034d881a305949c4c6015e54d308eea70172d M lib revisions tested: 27, total time: 5h5m44.734338256s (build: 2h25m17.897092954s, test: 2h31m50.230236715s) first bad commit: 6e237d099fac1f73a7b6d7287bb9191f29585a4e netlink: Relax attr validation for fixed length types cc: ["adobriyan@gmail.com" "davem@davemloft.net" "dsahern@gmail.com" "ja@ssi.bg" "jhs@mojatatu.com" "johannes@sipsolutions.net" "linux-kernel@vger.kernel.org" "tgraf@suug.ch"] crash: WARNING: kmalloc bug in tcindex_alloc_perfect_hash protocol 88fb is buggy, dev hsr_slave_1 device hsr_slave_1 entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready chnl_net:caif_netlink_parms(): no params data found netlink: 'syz-executor.1': attribute type 2 has an invalid length. WARNING: CPU: 1 PID: 6599 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971 protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 6599 Comm: syz-executor.1 Not tainted 4.15.0-rc2+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x145/0x1e1 lib/dump_stack.c:53 panic+0x1a9/0x34e kernel/panic.c:183 __warn.cold.8+0x120/0x156 kernel/panic.c:547 report_bug+0x1a3/0x230 lib/bug.c:184 fixup_bug arch/x86/kernel/traps.c:177 [inline] do_error_trap+0x1bd/0x460 arch/x86/kernel/traps.c:295 protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314 invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:930 RIP: 0010:kmalloc_slab+0x5d/0x70 mm/slab_common.c:971 RSP: 0018:ffff8800a6fcecc8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 1ffff10014df9dc5 RCX: 0000000000000000 RDX: 1ffff100149ee424 RSI: 0000000000000000 RDI: 0000000054abf000 RBP: ffff8800a6fcecc8 R08: ffff8800923149a8 R09: 0000000000000006 R10: 0000000000000000 R11: ffff8800923140c0 R12: ffff8800a6fceec8 R13: ffff8800a4f72180 R14: ffff8800a4f72100 R15: 00000000014080c0 __do_kmalloc mm/slab.c:3706 [inline] __kmalloc+0x25/0x7b0 mm/slab.c:3720 kmalloc_array include/linux/slab.h:618 [inline] kcalloc include/linux/slab.h:629 [inline] tcindex_alloc_perfect_hash+0x4f/0x2e0 net/sched/cls_tcindex.c:302 tcindex_set_parms+0x1353/0x1d60 net/sched/cls_tcindex.c:429 protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1 tcindex_change+0x1b7/0x24e net/sched/cls_tcindex.c:542 tc_ctl_tfilter+0x15bc/0x2250 net/sched/cls_api.c:919 rtnetlink_rcv_msg+0x50e/0xed0 net/core/rtnetlink.c:4411 netlink_rcv_skb+0x211/0x490 net/netlink/af_netlink.c:2405 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4423 netlink_unicast_kernel net/netlink/af_netlink.c:1272 [inline] netlink_unicast+0x426/0x630 net/netlink/af_netlink.c:1298 netlink_sendmsg+0x8c3/0xe80 net/netlink/af_netlink.c:1861 sock_sendmsg_nosec net/socket.c:636 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:646 ___sys_sendmsg+0x2ad/0x9a0 net/socket.c:2026 __sys_sendmmsg+0x1ae/0x590 net/socket.c:2116 SYSC_sendmmsg net/socket.c:2147 [inline] SyS_sendmmsg+0xd/0x20 net/socket.c:2142 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x459a29 RSP: 002b:00007f851d4a7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f851d4a8700 RCX: 0000000000459a29 RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008 RBP: 00007fffe9ffeea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffe9ffed3f R14: 00007f851d4a89c0 R15: 000000000075c07c Kernel Offset: disabled Rebooting in 86400 seconds..