bisecting fixing commit since 8f8972a3127ff46df62ae30057d29606968ec4aa
building syzkaller on 0342f8c7bc656ea8ee3c45e49edeb4ee9cc12cce
testing commit 8f8972a3127ff46df62ae30057d29606968ec4aa with gcc (GCC) 8.1.0
kernel signature: c484fa400617229193a0d59df1680e526ba5b04c4864bef4b6d55ffd72bc0dbf
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
testing current HEAD 0a44cac8105059eb756ed4276e932e54e1ba004d
testing commit 0a44cac8105059eb756ed4276e932e54e1ba004d with gcc (GCC) 8.1.0
kernel signature: c72935eea1926ccd7e9f6a9f6fdf29951e33e1df1af9abf065e1b6e8a2eb01f9
all runs: OK
# git bisect start 0a44cac8105059eb756ed4276e932e54e1ba004d 8f8972a3127ff46df62ae30057d29606968ec4aa
Bisecting: 6327 revisions left to test after this (roughly 13 steps)
[4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0
kernel signature: 8f65d5e4ed9530fe4ef844d7532d2d73fd7c3040cf22cba247f0b91ac2215c23
all runs: OK
# git bisect bad 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb
Bisecting: 2314 revisions left to test after this (roughly 12 steps)
[bd2463ac7d7ec51d432f23bf0e893fb371a908cd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit bd2463ac7d7ec51d432f23bf0e893fb371a908cd with gcc (GCC) 8.1.0
kernel signature: 56a0f9f0b90a43662f30fa6df134ef8a71ff2f5f940e91c15259678c79979bc3
all runs: OK
# git bisect bad bd2463ac7d7ec51d432f23bf0e893fb371a908cd
Bisecting: 1810 revisions left to test after this (roughly 11 steps)
[c4c57b974d27f53744b1bc5669e002f080cec839] Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit c4c57b974d27f53744b1bc5669e002f080cec839 with gcc (GCC) 8.1.0
kernel signature: 76e54116b07ce9c4621cf700267101e3060b8b453f849fd69b42f074c79668b2
all runs: OK
# git bisect bad c4c57b974d27f53744b1bc5669e002f080cec839
Bisecting: 878 revisions left to test after this (roughly 10 steps)
[d49d0661b92478ec9362e379e7ba82450ec88048] Merge branch 'libbpf-include-path'
testing commit d49d0661b92478ec9362e379e7ba82450ec88048 with gcc (GCC) 8.1.0
kernel signature: b5ce40b1e1e338bfad086ccb0085cd35f1ea6f5dd5de14056d268edd93f1426f
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
# git bisect good d49d0661b92478ec9362e379e7ba82450ec88048
Bisecting: 438 revisions left to test after this (roughly 9 steps)
[794eee259e8e1a7e6f31417ec8f6fa809597bb24] Merge branch 'net-phy-add-generic-ndo_do_ioctl-handler-phy_do_ioctl'
testing commit 794eee259e8e1a7e6f31417ec8f6fa809597bb24 with gcc (GCC) 8.1.0
kernel signature: fb8ce919d9723e7a5ee09d6237568fa1a50ff7b666e27fe717700c27b39d644d
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 794eee259e8e1a7e6f31417ec8f6fa809597bb24
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[2821e26f3a0a3872184581caac8115bb02641941] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm
testing commit 2821e26f3a0a3872184581caac8115bb02641941 with gcc (GCC) 8.1.0
kernel signature: 15f66dd000cb5501083a5b36bad721c0d7d545fb5e946072c5740b6f6fa7d430
all runs: OK
# git bisect bad 2821e26f3a0a3872184581caac8115bb02641941
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[342508c1c7540e281fd36151c175ba5ff954a99f] net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path
testing commit 342508c1c7540e281fd36151c175ba5ff954a99f with gcc (GCC) 8.1.0
kernel signature: 37b9db800305981bdf1bd74df37a5e9014d791b6de1ff0691105e2b53a40a3f3
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 342508c1c7540e281fd36151c175ba5ff954a99f
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[274adbff45e3c26c65b2e103581d2ab5834b0b7c] Merge tag 'drm-fixes-2020-01-24' of git://anongit.freedesktop.org/drm/drm
testing commit 274adbff45e3c26c65b2e103581d2ab5834b0b7c with gcc (GCC) 8.1.0
kernel signature: ed130afeddfa3b0b64ffb1119a225442513d40a8232c62921d79da3d68e1eccd
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 274adbff45e3c26c65b2e103581d2ab5834b0b7c
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[93d1a05ea6b29737715769e2c9551cfe8a5fef22] Merge tag 'pinctrl-v5.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 93d1a05ea6b29737715769e2c9551cfe8a5fef22 with gcc (GCC) 8.1.0
kernel signature: e4a59cf0208fc3f75e2af23581a53a34bd3e57aea88a66d3e1e05c24f402ffde
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 93d1a05ea6b29737715769e2c9551cfe8a5fef22
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[6badad1c1d354db1f7bc216319d81884411d5098] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit 6badad1c1d354db1f7bc216319d81884411d5098 with gcc (GCC) 8.1.0
kernel signature: ac1c5e2f72f7e9beacba872e65bfa74cd5f53eb560552920c775a5eda104d41a
all runs: OK
# git bisect bad 6badad1c1d354db1f7bc216319d81884411d5098
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[eb014de4fd418de1a277913cba244e47274fe392] netfilter: nf_tables: autoload modules from the abort path
testing commit eb014de4fd418de1a277913cba244e47274fe392 with gcc (GCC) 8.1.0
kernel signature: 673826e2f12c1dda0c56321440a36893cdb85b26ee56964b33a5b9ef543d0434
all runs: OK
# git bisect bad eb014de4fd418de1a277913cba244e47274fe392
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ab658b9fa7a2c467f79eac8b53ea308b8f98113d] netfilter: conntrack: sctp: use distinct states for new SCTP connections
testing commit ab658b9fa7a2c467f79eac8b53ea308b8f98113d with gcc (GCC) 8.1.0
kernel signature: 35896c5a177ce97ea6b4b8964a281ed6c7f376a15bb92fdb4954f166286e8467
all runs: OK
# git bisect bad ab658b9fa7a2c467f79eac8b53ea308b8f98113d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[32c72165dbd0e246e69d16a3ad348a4851afd415] netfilter: ipset: use bitmap infrastructure completely
testing commit 32c72165dbd0e246e69d16a3ad348a4851afd415 with gcc (GCC) 8.1.0
kernel signature: e97adccb5bf4f70722d2512c39b615fc59b0601418bc3958f4a9f13ffff2f2de
all runs: OK
# git bisect bad 32c72165dbd0e246e69d16a3ad348a4851afd415
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365] netfilter: nft_osf: add missing check for DREG attribute
testing commit 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365 with gcc (GCC) 8.1.0
kernel signature: 409965892f3b24de9066c7d72a7bab06a1e6f1a6a691e0c8c8b7e4612ac36191
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365
32c72165dbd0e246e69d16a3ad348a4851afd415 is the first bad commit
commit 32c72165dbd0e246e69d16a3ad348a4851afd415
Author: Kadlecsik József
Date:   Sun Jan 19 22:06:49 2020 +0100

    netfilter: ipset: use bitmap infrastructure completely

    The bitmap allocation did not use full unsigned long sizes
    when calculating the required size and that was triggered by
    KASAN as slab-out-of-bounds read in several places. The patch
    fixes all of them.

    Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
    Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
    Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
    Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
    Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
    Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
    Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

 include/linux/netfilter/ipset/ip_set.h    | 7 -------
 net/netfilter/ipset/ip_set_bitmap_gen.h   | 2 +-
 net/netfilter/ipset/ip_set_bitmap_ip.c    | 6 +++---
 net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +++---
 net/netfilter/ipset/ip_set_bitmap_port.c  | 6 +++---
 5 files changed, 10 insertions(+), 17 deletions(-)

culprit signature: e97adccb5bf4f70722d2512c39b615fc59b0601418bc3958f4a9f13ffff2f2de
parent signature: 409965892f3b24de9066c7d72a7bab06a1e6f1a6a691e0c8c8b7e4612ac36191
revisions tested: 16, total time: 3h54m38.858832357s (build: 1h45m50.686008682s, test: 2h7m34.427612298s)
first good commit: 32c72165dbd0e246e69d16a3ad348a4851afd415 netfilter: ipset: use bitmap infrastructure completely
cc: ["kadlec@blackhole.kfki.hu" "kadlec@netfilter.org" "pablo@netfilter.org"]