bisecting fixing commit since 7472c4028e2357202949f99ad94c5a5a34f95666
building syzkaller on 35f53e457420e79fa28e3260cdbbf9f37b9f97e4
testing commit 7472c4028e2357202949f99ad94c5a5a34f95666 with gcc (GCC) 8.1.0
kernel signature: ed827eba0b81bd0f7a4788b33e18f4a282e1980c9f5d222385b50f1d61c11315
all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
testing current HEAD dda0e2920330128e0dbdeb11c8f25031aa40b11c
testing commit dda0e2920330128e0dbdeb11c8f25031aa40b11c with gcc (GCC) 8.1.0
kernel signature: 4e6a72f8eee5b2faad47183ec6967c9132a819121cb512b383bcc49d3ee5cbf9
all runs: OK
# git bisect start dda0e2920330128e0dbdeb11c8f25031aa40b11c 7472c4028e2357202949f99ad94c5a5a34f95666
Bisecting: 202 revisions left to test after this (roughly 8 steps)
[5043d35d37381cff1d37ae32e5fc3be070ee4e50] net: rmnet: fix packet forwarding in rmnet bridge mode
testing commit 5043d35d37381cff1d37ae32e5fc3be070ee4e50 with gcc (GCC) 8.1.0
kernel signature: 58280c1ccb38ff15bc2fb36ef4d484bb6b7eabc25982df3a3b0673da9016303e
run #0: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
# git bisect good 5043d35d37381cff1d37ae32e5fc3be070ee4e50
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[efec582aa025f01bc9663738a6f0c66bec74dec5] net: qmi_wwan: add support for ASKEY WWHC050
testing commit efec582aa025f01bc9663738a6f0c66bec74dec5 with gcc (GCC) 8.1.0
kernel signature: 86b32a714c5c1283a4e883cd0e97004de3710105a2bb5e3e1fdf20175c268f86
all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
# git bisect good efec582aa025f01bc9663738a6f0c66bec74dec5
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[f8ee708284e1d62ecc345908b40b7f9ccca4e603] vti[6]: fix packet tx through bpf_redirect() in XinY cases
testing commit f8ee708284e1d62ecc345908b40b7f9ccca4e603 with gcc (GCC) 8.1.0
kernel signature: 9e964d94cab46850e93ab60731583931a1269032ebd45630689e7b819eeb16f7
all runs: OK
# git bisect bad f8ee708284e1d62ecc345908b40b7f9ccca4e603
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[7deaf533087dad3a2c445dccd6521d705d7d3adc] fsl/fman: detect FMan erratum A050385
testing commit 7deaf533087dad3a2c445dccd6521d705d7d3adc with gcc (GCC) 8.1.0
kernel signature: 2f3a4e30c1547cd35d33cd742abfca2fc332a7706dac95b79a153700438d934e
all runs: OK
# git bisect bad 7deaf533087dad3a2c445dccd6521d705d7d3adc
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[87559662c7b0c4a81326e2fa638cd98afe7478ff] r8169: re-enable MSI on RTL8168c
testing commit 87559662c7b0c4a81326e2fa638cd98afe7478ff with gcc (GCC) 8.1.0
kernel signature: 6b83eed45aaa1d4d051a296ee73d5ad2e97ce5a5f1b61f39c216fe9596982530
all runs: OK
# git bisect bad 87559662c7b0c4a81326e2fa638cd98afe7478ff
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[867c079ef0c2dd8e513f1867c28f3f8e1baff6ea] bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets()
testing commit 867c079ef0c2dd8e513f1867c28f3f8e1baff6ea with gcc (GCC) 8.1.0
kernel signature: 8b7b577a51acf630d2fa1b2f52e8fe6f4fd28b9d811ca319d3419204c230fb0d
all runs: OK
# git bisect bad 867c079ef0c2dd8e513f1867c28f3f8e1baff6ea
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[47e36be14674184cb2bc5562e3c9f156f0c27493] net: stmmac: dwmac-rk: fix error path in rk_gmac_probe
testing commit 47e36be14674184cb2bc5562e3c9f156f0c27493 with gcc (GCC) 8.1.0
kernel signature: 4c736c706be60e7d5d9f67eea06452730a5872457ba9b7689f7e35cb3199981b
all runs: OK
# git bisect bad 47e36be14674184cb2bc5562e3c9f156f0c27493
Bisecting: 0 revisions left to test after this (roughly 1 step)
[557d015ffb27b672e24e6ad141fd887783871dc2] net_sched: keep alloc_hash updated after hash allocation
testing commit 557d015ffb27b672e24e6ad141fd887783871dc2 with gcc (GCC) 8.1.0
kernel signature: 9a6727b7651202401a5d10381ed9b7e3fe39e293c363ad1f01ce27061169cd08
all runs: OK
# git bisect bad 557d015ffb27b672e24e6ad141fd887783871dc2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ea3d6652c240978736a91b9e85fde9fee9359be4] net_sched: cls_route: remove the right filter from hashtable
testing commit ea3d6652c240978736a91b9e85fde9fee9359be4 with gcc (GCC) 8.1.0
kernel signature: 7186d2e779f0370197d790b03a66d0c14f7ec3829cc5e0e94823913487259efa
all runs: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
# git bisect good ea3d6652c240978736a91b9e85fde9fee9359be4
557d015ffb27b672e24e6ad141fd887783871dc2 is the first bad commit
commit 557d015ffb27b672e24e6ad141fd887783871dc2
Author: Cong Wang
Date:   Wed Mar 11 22:42:28 2020 -0700

    net_sched: keep alloc_hash updated after hash allocation

    [ Upstream commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 ]

    In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    I moved cp->hash calculation before the first
    tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched.
    This difference could lead to another out of bound access.

    cp->alloc_hash should always be the size allocated, we should
    update it after this tcindex_alloc_perfect_hash().

    Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
    Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/cls_tcindex.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: 9a6727b7651202401a5d10381ed9b7e3fe39e293c363ad1f01ce27061169cd08
parent signature: 7186d2e779f0370197d790b03a66d0c14f7ec3829cc5e0e94823913487259efa
revisions tested: 11, total time: 3h2m44.929537224s (build: 1h40m48.997612627s, test: 1h20m43.821011941s)
first good commit: 557d015ffb27b672e24e6ad141fd887783871dc2 net_sched: keep alloc_hash updated after hash allocation
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com" "syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]
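The following is an added example and is not part of the syzbot output above, nor the kernel's net/sched/cls_tcindex.c code. It is a small C model of the invariant the commit message states: the field that records the allocated size (alloc_hash) must be refreshed whenever the table is (re)allocated to the recomputed size (hash), otherwise a later bounds check that trusts the stale value lets an index past the real allocation through. The struct and function names (model_data, model_alloc_perfect, model_set_entry, scenario), the sizes 64 and 16, and the handle values are assumptions chosen for illustration; the model does not reproduce the kernel's actual code path, and it reports the would-be out-of-bounds write instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in (assumption, not the kernel's struct tcindex_data):
 * a table indexed directly by handle, plus the two size fields the commit
 * message talks about. */
struct model_data {
    unsigned int *perfect;   /* table with exactly `hash` entries once allocated */
    unsigned int hash;       /* requested size, recomputed on every reconfiguration */
    unsigned int alloc_hash; /* size the code believes was allocated */
};

/* Hypothetical stand-in for tcindex_alloc_perfect_hash(): allocates cp->hash
 * entries. With update_alloc_hash == 0 it mimics the pre-fix behaviour
 * (alloc_hash left stale); with 1 it applies the one-line fix. */
static int model_alloc_perfect(struct model_data *cp, int update_alloc_hash)
{
    cp->perfect = calloc(cp->hash, sizeof(*cp->perfect));
    if (!cp->perfect)
        return -1;
    if (update_alloc_hash)
        cp->alloc_hash = cp->hash; /* keep alloc_hash equal to the size allocated */
    return 0;
}

/* A writer that trusts alloc_hash as the table capacity.
 * Returns -1 if the bounds check rejects the handle, 0 for an in-bounds
 * write, and 1 if the check passed but the write would land past the real
 * allocation (the out-of-bounds write the commit describes). The bad write
 * is reported, not performed, so this program never corrupts memory. */
static int model_set_entry(struct model_data *cp, unsigned int handle, unsigned int val)
{
    if (handle >= cp->alloc_hash)
        return -1;
    if (handle >= cp->hash)      /* real capacity is cp->hash entries */
        return 1;
    cp->perfect[handle] = val;
    return 0;
}

/* Constructed scenario (assumption): a previous configuration left
 * alloc_hash = 64; the new configuration recomputes hash = 16 and
 * reallocates before anything refreshes alloc_hash. */
int scenario(int fixed, unsigned int handle)
{
    struct model_data cp = { .perfect = NULL, .hash = 16, .alloc_hash = 64 };
    int rc;

    if (model_alloc_perfect(&cp, fixed) < 0)
        return -2;
    rc = model_set_entry(&cp, handle, 1);
    free(cp.perfect);
    return rc;
}

int main(void)
{
    printf("stale alloc_hash, handle 40: %d (1 = would write out of bounds)\n", scenario(0, 40));
    printf("fixed alloc_hash, handle 40: %d (-1 = rejected by bounds check)\n", scenario(1, 40));
    printf("fixed alloc_hash, handle 5:  %d (0 = in-bounds write)\n", scenario(1, 5));
    return 0;
}
```

The point of the model is the ordering: the size is recomputed, the table is allocated to that size, and only the fix makes the bookkeeping field follow. Any check written against alloc_hash, wherever it sits later in the function, is only as good as that update.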