bisecting cause commit starting from 30bb5572ce7a8710fa9ea720b6ecb382791c9800 building syzkaller on 35f53e457420e79fa28e3260cdbbf9f37b9f97e4 testing commit 30bb5572ce7a8710fa9ea720b6ecb382791c9800 with gcc (GCC) 8.1.0 kernel signature: f0e8cb1fcf2bdb51e808c0f91f79e3c6c87bcc11e77207e0a70098030993fc27 all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 422e8ea0ac652150785845a1b37cecc6d37e2601c0a7173970924ed5b07ae648 all runs: OK # git bisect start 30bb5572ce7a8710fa9ea720b6ecb382791c9800 d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 Bisecting: 7349 revisions left to test after this (roughly 13 steps) [4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0 kernel signature: 3b0c477f91af34198a806a586dff952b4ae936b54153e10aff9f4c5a0e929784 all runs: OK # git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb Bisecting: 3707 revisions left to test after this (roughly 12 steps) [153b5c566d30fb984827acb12fd93c3aa6c147d3] Merge tag 'microblaze-v5.6-rc1' of git://git.monstr.eu/linux-2.6-microblaze testing commit 153b5c566d30fb984827acb12fd93c3aa6c147d3 with gcc (GCC) 8.1.0 kernel signature: 20ee26a128faf9d9178eab981673ce21a327ea9ad2a08578df592f08867ecd58 all runs: OK # git bisect good 153b5c566d30fb984827acb12fd93c3aa6c147d3 Bisecting: 1890 revisions left to test after this (roughly 11 steps) [1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc with gcc (GCC) 8.1.0 kernel signature: 454b4d07f204edc56aad8c442e4e29c1e844372817abdfa510855b5270b8d969 all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc Bisecting: 921 revisions left to test after this (roughly 10 steps) [41dcd67e88688afbeb3b2bd23960eed5daec74e7] Merge tag 'docs-5.6-2' of git://git.lwn.net/linux testing commit 41dcd67e88688afbeb3b2bd23960eed5daec74e7 with gcc (GCC) 8.1.0 kernel signature: ebf51642680c30a006e6e4fec7858ecc2e00984e2b2ccf8af48c2aac95c2f2d7 run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #9: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 41dcd67e88688afbeb3b2bd23960eed5daec74e7 Bisecting: 481 revisions left to test after this (roughly 9 steps) [c1ef57a3a3f5e69e98baf89055b423da62791c13] Merge tag 'io_uring-5.6-2020-02-05' of git://git.kernel.dk/linux-block testing commit c1ef57a3a3f5e69e98baf89055b423da62791c13 with gcc (GCC) 8.1.0 kernel signature: a4177ec56efa70a4e1eba43eefbf7a4f8746fa9ceaf34a095a5957b5e5f03935 all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad c1ef57a3a3f5e69e98baf89055b423da62791c13 Bisecting: 206 revisions left to test after this (roughly 8 steps) [72f582ff8569900ccc4439b26bbe5e2fff509f08] Merge branch 'work.recursive_removal' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 72f582ff8569900ccc4439b26bbe5e2fff509f08 with gcc (GCC) 8.1.0 kernel signature: e738c972a70bef21a224b159871fbf4abbe309d9d446984dac8423e481bfed7f all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 72f582ff8569900ccc4439b26bbe5e2fff509f08 Bisecting: 102 revisions left to test after this (roughly 7 steps) [94dd54c51a410b9ffa6356c3ed2ab0317f998ded] powerpc/32s: Avoid crossing page boundary while changing SRR0/1. testing commit 94dd54c51a410b9ffa6356c3ed2ab0317f998ded with gcc (GCC) 8.1.0 kernel signature: 8aca37d0e8f24ea2bbf1ef40e4a6359167e116467f5322b84920218dbfac8f6d all runs: OK # git bisect good 94dd54c51a410b9ffa6356c3ed2ab0317f998ded Bisecting: 51 revisions left to test after this (roughly 6 steps) [0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64] l2tp: Allow duplicate session creation with UDP testing commit 0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64 with gcc (GCC) 8.1.0 kernel signature: d2125b0edd193c9be347be436a9fe1330608c9aa95599756b435b9d03f2eb2d1 run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #2: crashed: KASAN: use-after-free Write in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms run #9: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms # git bisect bad 0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64 Bisecting: 26 revisions left to test after this (roughly 5 steps) [83d0585f91da441a0b11bc5ff93f4cda56de6703] Merge branch 'Fix-reconnection-latency-caused-by-FIN-ACK-handling-race' testing commit 83d0585f91da441a0b11bc5ff93f4cda56de6703 with gcc (GCC) 8.1.0 kernel signature: 18edf5f0e3f898573ca6e3e58681a26736bd9a6b3164c3591e0697e0c28bc7ad all runs: OK # git bisect good 83d0585f91da441a0b11bc5ff93f4cda56de6703 Bisecting: 13 revisions left to test after this (roughly 4 steps) [6ab63366e1ec4ec1900f253aa64727b4b5f4ee73] netdevsim: disable devlink reload when resources are being used testing commit 6ab63366e1ec4ec1900f253aa64727b4b5f4ee73 with gcc (GCC) 8.1.0 kernel signature: 633b30a31fdea9a80e3619e54057d286fd5f0596b65162dcfdda4a5e822af328 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect good 6ab63366e1ec4ec1900f253aa64727b4b5f4ee73 Bisecting: 6 revisions left to test after this (roughly 3 steps) [2b5b8251bc9fe2f9118411f037862ee17cf81e97] net: hsr: fix possible NULL deref in hsr_handle_frame() testing commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 with gcc (GCC) 8.1.0 kernel signature: 2548f7fcdca0b6657458a8eeb072586691cc21476c93659a56289031b709d14d all runs: OK # git bisect good 2b5b8251bc9fe2f9118411f037862ee17cf81e97 Bisecting: 3 revisions left to test after this (roughly 2 steps) [9afe2322cb90a8fbc27e32bfc691100c653cab2a] Merge branch 'unbreak-basic-and-bpf-tdc-testcases' testing commit 9afe2322cb90a8fbc27e32bfc691100c653cab2a with gcc (GCC) 8.1.0 kernel signature: 9930efabf936a96a25218af7441d7578e5ad63cccf3587b876634362ba56d299 all runs: OK # git bisect good 9afe2322cb90a8fbc27e32bfc691100c653cab2a Bisecting: 1 revision left to test after this (roughly 1 step) [599be01ee567b61f4471ee8078870847d0a11e8e] net_sched: fix an OOB access in cls_tcindex testing commit 599be01ee567b61f4471ee8078870847d0a11e8e with gcc (GCC) 8.1.0 kernel signature: d22da139fe502e27ad6d8982f669eb02208d6146c40799edb24928d4a45402b3 run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #1: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #3: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #4: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms # git bisect bad 599be01ee567b61f4471ee8078870847d0a11e8e Bisecting: 0 revisions left to test after this (roughly 0 steps) [83b43045308ea0600099830292955f18818f8d5e] qed: Remove set but not used variable 'p_link' testing commit 83b43045308ea0600099830292955f18818f8d5e with gcc (GCC) 8.1.0 kernel signature: c49fe159f5042ff34efb058e7f17ededc21cc7ad6602202be29f851344f31e7b all runs: OK # git bisect good 83b43045308ea0600099830292955f18818f8d5e 599be01ee567b61f4471ee8078870847d0a11e8e is the first bad commit commit 599be01ee567b61f4471ee8078870847d0a11e8e Author: Cong Wang Date: Sun Feb 2 21:14:35 2020 -0800 net_sched: fix an OOB access in cls_tcindex As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash to compute the size of memory allocation, but cp->hash is set again after the allocation, this caused an out-of-bound access. So we have to move all cp->hash initialization and computation before the memory allocation. Move cp->mask and cp->shift together as cp->hash may need them for computation too. Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex") Cc: Eric Dumazet Cc: John Fastabend Cc: Jamal Hadi Salim Cc: Jiri Pirko Cc: Jakub Kicinski Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/sched/cls_tcindex.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) culprit signature: d22da139fe502e27ad6d8982f669eb02208d6146c40799edb24928d4a45402b3 parent signature: c49fe159f5042ff34efb058e7f17ededc21cc7ad6602202be29f851344f31e7b revisions tested: 16, total time: 4h1m16.175953415s (build: 1h48m16.446713105s, test: 2h11m56.224477227s) first bad commit: 599be01ee567b61f4471ee8078870847d0a11e8e net_sched: fix an OOB access in cls_tcindex cc: ["davem@davemloft.net" "syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"] crash: KASAN: use-after-free Write in tcindex_set_parms ================================================================== BUG: KASAN: use-after-free in tcindex_set_parms+0x1690/0x1b90 net/sched/cls_tcindex.c:455 Write of size 16 at addr ffff8880a77a1ab8 by task syz-executor.1/8528 CPU: 0 PID: 8528 Comm: syz-executor.1 Not tainted 5.5.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:639 tcindex_set_parms+0x1690/0x1b90 net/sched/cls_tcindex.c:455 tcindex_change+0x1c2/0x280 net/sched/cls_tcindex.c:519 tc_new_tfilter+0xffa/0x1da0 net/sched/cls_api.c:2103 rtnetlink_rcv_msg+0x60c/0x8c0 net/core/rtnetlink.c:5429 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 ____sys_sendmsg+0x54e/0x750 net/socket.c:2343 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397 __sys_sendmsg+0xce/0x170 net/socket.c:2430 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45c4a9 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f1f8a09fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f1f8a0a06d4 RCX: 000000000045c4a9 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000009fa R14: 00000000004cc777 R15: 000000000076bf2c Allocated by task 8330: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:513 kmem_cache_alloc_trace+0x156/0x780 mm/slab.c:3551 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:670 [inline] kset_create lib/kobject.c:955 [inline] kset_create_and_add+0x47/0x160 lib/kobject.c:998 register_queue_kobjects net/core/net-sysfs.c:1528 [inline] netdev_register_kobject+0x18f/0x350 net/core/net-sysfs.c:1759 register_netdevice+0x464/0xe30 net/core/dev.c:9380 register_netdev+0x15/0x30 net/core/dev.c:9504 ip6_tnl_init_net+0x420/0x6a0 net/ipv6/ip6_tunnel.c:2242 ops_init+0x92/0x350 net/core/net_namespace.c:137 setup_net+0x2c0/0x780 net/core/net_namespace.c:327 copy_net_ns+0x24d/0x490 net/core/net_namespace.c:468 create_new_namespaces+0x491/0x900 kernel/nsproxy.c:108 unshare_nsproxy_namespaces+0x82/0x1a0 kernel/nsproxy.c:229 ksys_unshare+0x321/0x6a0 kernel/fork.c:2955 __do_sys_unshare kernel/fork.c:3023 [inline] __se_sys_unshare kernel/fork.c:3021 [inline] __x64_sys_unshare+0x28/0x40 kernel/fork.c:3021 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 21: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:474 __cache_free mm/slab.c:3426 [inline] kfree+0x107/0x2b0 mm/slab.c:3757 kobject_cleanup lib/kobject.c:693 [inline] kobject_release lib/kobject.c:722 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x14b/0x210 lib/kobject.c:739 remove_queue_kobjects net/core/net-sysfs.c:1569 [inline] netdev_unregister_kobject+0x167/0x1d0 net/core/net-sysfs.c:1717 rollback_registered_many+0x7e4/0xd10 net/core/dev.c:8847 unregister_netdevice_many+0x39/0x1f0 net/core/dev.c:9976 ip6_tnl_exit_batch_net+0x35b/0x510 net/ipv6/ip6_tunnel.c:2265 cleanup_net+0x45f/0x910 net/core/net_namespace.c:589 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8880a77a1a00 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 184 bytes inside of 192-byte region [ffff8880a77a1a00, ffff8880a77a1ac0) The buggy address belongs to the page: page:ffffea00029de840 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0x0 raw: 00fffe0000000200 ffffea00029d2f08 ffffea00029b0088 ffff8880aa400000 raw: 0000000000000000 ffff8880a77a1000 0000000100000010 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a77a1980: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a77a1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a77a1a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff8880a77a1b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880a77a1b80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================