bisecting fixing commit since 5692097116094a4a7045abcc1dbc172dbdc5657e
building syzkaller on d850e9d08467726cd94b6a9caaf8090c594721ba
testing commit 5692097116094a4a7045abcc1dbc172dbdc5657e with gcc (GCC) 8.1.0
kernel signature: 9537f536524ec0187165677f395d4428d17b8237f0026f69997aba7986b11dad
run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
testing current HEAD dda0e2920330128e0dbdeb11c8f25031aa40b11c
testing commit dda0e2920330128e0dbdeb11c8f25031aa40b11c with gcc (GCC) 8.1.0
kernel signature: ef5e3c8691d598f06f38912c6ae065cc217aabd4430551a2d24d52a04723ecb3
all runs: OK
# git bisect start dda0e2920330128e0dbdeb11c8f25031aa40b11c 5692097116094a4a7045abcc1dbc172dbdc5657e
Bisecting: 159 revisions left to test after this (roughly 7 steps)
[9ce255e1d0106916f5436f4ff82cdb4750a0afe4] usb: host: xhci-plat: add a shutdown
testing commit 9ce255e1d0106916f5436f4ff82cdb4750a0afe4 with gcc (GCC) 8.1.0
kernel signature: 0d3d8c5df25e0ecfdc9be44a865986787c3debd789d055bb6c6def98740bf464
run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good 9ce255e1d0106916f5436f4ff82cdb4750a0afe4
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[5a8a69435d333f77b7551b8e662b2e6d6bc74227] cgroup1: don't call release_agent when it is ""
testing commit 5a8a69435d333f77b7551b8e662b2e6d6bc74227 with gcc (GCC) 8.1.0
kernel signature: b8765acfa8a1751df09a185040a29ef9e4fe54ca44a13b1ece2a075f82c0364d
all runs: OK
# git bisect bad 5a8a69435d333f77b7551b8e662b2e6d6bc74227
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[21213fb67401a6ad5ea3d36d8b404ce4c40a316a] drm/bridge: dw-hdmi: fix AVI frame colorimetry
testing commit 21213fb67401a6ad5ea3d36d8b404ce4c40a316a with gcc (GCC) 8.1.0
kernel signature: dc894af8f561e093ad4bf5b425b6598301f60d11ae3c68618cc4070aa77a0467
run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good 21213fb67401a6ad5ea3d36d8b404ce4c40a316a
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[557d015ffb27b672e24e6ad141fd887783871dc2] net_sched: keep alloc_hash updated after hash allocation
testing commit 557d015ffb27b672e24e6ad141fd887783871dc2 with gcc (GCC) 8.1.0
kernel signature: fd4a6ed6cafc74b8337dbe54328ecc05d47d79586a4bff0e10807aabe392d64d
all runs: OK
# git bisect bad 557d015ffb27b672e24e6ad141fd887783871dc2
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[2c1a05e91fc60c357eeb53998a11c593673cba9e] geneve: move debug check after netdev unregister
testing commit 2c1a05e91fc60c357eeb53998a11c593673cba9e with gcc (GCC) 8.1.0
kernel signature: 2be4b7337e62e7613eb447eb54ed33c7f97cc5089cc4e7b9fafc558f78cbaa81
run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good 2c1a05e91fc60c357eeb53998a11c593673cba9e
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[e90e9226bea32e2f7eed3d35b4223f67ee3067e2] net: dsa: Fix duplicate frames flooded by learning
testing commit e90e9226bea32e2f7eed3d35b4223f67ee3067e2 with gcc (GCC) 8.1.0
kernel signature: 7a730a48ef7f5a49f31fb6f93af02685165af6f93ed9621096f71a43bc5d9676
run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: general protection fault in tcf_action_destroy
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good e90e9226bea32e2f7eed3d35b4223f67ee3067e2
Bisecting: 2 revisions left to test after this (roughly 1 step)
[6fb0e4385928900ccb8697748555b3f54bba5193] net/packet: tpacket_rcv: avoid a producer race condition
testing commit 6fb0e4385928900ccb8697748555b3f54bba5193 with gcc (GCC) 8.1.0
kernel signature: 8d3189e461633d3ec8080e286073962219d73a5e8431e3398f7c56bec9e61218
run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good 6fb0e4385928900ccb8697748555b3f54bba5193
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ea3d6652c240978736a91b9e85fde9fee9359be4] net_sched: cls_route: remove the right filter from hashtable
testing commit ea3d6652c240978736a91b9e85fde9fee9359be4 with gcc (GCC) 8.1.0
kernel signature: 6f7fa29810d0f70e8134f9c977cae5dfc62a4a5fe85bdf9c5428a1ba2a7b5c50
run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good ea3d6652c240978736a91b9e85fde9fee9359be4
557d015ffb27b672e24e6ad141fd887783871dc2 is the first bad commit
commit 557d015ffb27b672e24e6ad141fd887783871dc2
Author: Cong Wang
Date:   Wed Mar 11 22:42:28 2020 -0700

    net_sched: keep alloc_hash updated after hash allocation

    [ Upstream commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 ]

    In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    I moved cp->hash calculation before the first
    tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched.
    This difference could lead to another out of bound access.

    cp->alloc_hash should always be the size allocated, we should
    update it after this tcindex_alloc_perfect_hash().

    Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
    Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/cls_tcindex.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: fd4a6ed6cafc74b8337dbe54328ecc05d47d79586a4bff0e10807aabe392d64d
parent signature: 6f7fa29810d0f70e8134f9c977cae5dfc62a4a5fe85bdf9c5428a1ba2a7b5c50
revisions tested: 10, total time: 2h21m34.822109587s (build: 1h29m18.690166133s, test: 51m8.082439016s)
first good commit: 557d015ffb27b672e24e6ad141fd887783871dc2 net_sched: keep alloc_hash updated after hash allocation
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com" "syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]