bisecting fixing commit since ac309e7744bee222df6de0122facaf2d9706fa70
building syzkaller on 97bc55cead011ec5d60af8c3696ee2724b78fea5
testing commit ac309e7744bee222df6de0122facaf2d9706fa70 with gcc (GCC) 8.1.0
kernel signature: 2cd55903298dd58fcf55ff1dac036f57f8f945296dbaa60d5ae80065bdc647c4
run #0: crashed: WARNING: refcount bug in __tcf_action_put
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #6: crashed: KASAN: out-of-bounds Write in tcindex_set_parms
run #7: crashed: general protection fault in tcf_action_destroy
run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms
testing current HEAD 7a56db0299f9d43b4fe076838150c5cc293df131
testing commit 7a56db0299f9d43b4fe076838150c5cc293df131 with gcc (GCC) 8.1.0
kernel signature: ebf090db94a961e2c6a3afde1636cc2dabacdafc892805568ec3adbe374533c8
all runs: OK
# git bisect start 7a56db0299f9d43b4fe076838150c5cc293df131 ac309e7744bee222df6de0122facaf2d9706fa70
Bisecting: 7091 revisions left to test after this (roughly 13 steps)
[4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration
testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0
kernel signature: 33ddfb2ffa278a0d60d2b3519cb6cd9e8c55db1277ac775595bcf840b3e44806
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad 4646de87d32526ee87b46c2e0130413367fb5362
Bisecting: 3235 revisions left to test after this (roughly 12 steps)
[1455c69900c8c6442b182a74087931f4ffb1cac4] Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt
testing commit 1455c69900c8c6442b182a74087931f4ffb1cac4 with gcc (GCC) 8.1.0
kernel signature: 0e1450a0e66bfb89198778008046ddeeeacf6dd81f11eefbfe8fad98dc924ed9
all runs: OK
# git bisect bad 1455c69900c8c6442b182a74087931f4ffb1cac4
Bisecting: 1588 revisions left to test after this (roughly 11 steps)
[59838093be51ee9447f6ad05483d697b6fa0368d] Merge tag 'driver-core-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit 59838093be51ee9447f6ad05483d697b6fa0368d with gcc (GCC) 8.1.0
kernel signature: 92c44f1c82bf7113fe51e71f5933b7baf84c5288d2d0b3417b2bf3b48d40e447
all runs: OK
# git bisect bad 59838093be51ee9447f6ad05483d697b6fa0368d
Bisecting: 726 revisions left to test after this (roughly 10 steps)
[e59cd88028dbd41472453e5883f78330aa73c56e] Merge tag 'for-5.7/io_uring-2020-03-29' of git://git.kernel.dk/linux-block
testing commit e59cd88028dbd41472453e5883f78330aa73c56e with gcc (GCC) 8.1.0
kernel signature: 7bd6df536d0254dabf1404819e0e4aac205ed8e85b16f2e831397b3013ca522a
all runs: OK
# git bisect bad e59cd88028dbd41472453e5883f78330aa73c56e
Bisecting: 375 revisions left to test after this (roughly 9 steps)
[f3e69428b5e26b0851d7ef4c15859cffebf2b9de] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
testing commit f3e69428b5e26b0851d7ef4c15859cffebf2b9de with gcc (GCC) 8.1.0
kernel signature: edf9f74aaad24bad4e1bd9a3719324ffb6a177224338bb35134c3b1632954cc3
all runs: OK
# git bisect bad f3e69428b5e26b0851d7ef4c15859cffebf2b9de
Bisecting: 198 revisions left to test after this (roughly 8 steps)
[1dfb642b10158b45068102402decc3bcf853cb76] Merge tag 'gpio-v5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit 1dfb642b10158b45068102402decc3bcf853cb76 with gcc (GCC) 8.1.0
kernel signature: 42c398ae7ecc7957727227c54dd05aee9b037ed2439103b45cab9a6b7f0407a4
run #0: crashed: WARNING in tcf_exts_destroy
run #1: crashed: general protection fault in tcf_action_destroy
run #2: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #6: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: global-out-of-bounds Read in tcf_action_destroy
run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms
# git bisect good 1dfb642b10158b45068102402decc3bcf853cb76
Bisecting: 99 revisions left to test after this (roughly 7 steps)
[07f8e4d0fddbf2f87e4cefb551278abc38db8cdd] tcp: also NULL skb->dev when copy was needed
testing commit 07f8e4d0fddbf2f87e4cefb551278abc38db8cdd with gcc (GCC) 8.1.0
kernel signature: b07d32b9542b7d65aeb9b82566cab51b77cce5a01a66973ac8dea31b16984208
all runs: OK
# git bisect bad 07f8e4d0fddbf2f87e4cefb551278abc38db8cdd
Bisecting: 49 revisions left to test after this (roughly 6 steps)
[fe2a31d790f81bd14a76de3d3b87f4f1362f60cd] netlink: allow extack cookie also for error messages
testing commit fe2a31d790f81bd14a76de3d3b87f4f1362f60cd with gcc (GCC) 8.1.0
kernel signature: cf19e064f64c1bbf53fce697e262b7adb661e581c6ee38c464c84123b66197d0
all runs: OK
# git bisect bad fe2a31d790f81bd14a76de3d3b87f4f1362f60cd
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[94b18a87efdd1626a1e6aef87271af4a7c616d36] Merge tag 'wireless-drivers-2020-03-13' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
testing commit 94b18a87efdd1626a1e6aef87271af4a7c616d36 with gcc (GCC) 8.1.0
kernel signature: 6fe2dc1e6f7ef4e9d202d57e6df3dcc0b3684c417ecae7ec8794327a0efe6788
run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #1: crashed: KASAN: invalid-free in tcf_exts_destroy
run #2: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: general protection fault in smk_tskacc
run #6: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms
# git bisect good 94b18a87efdd1626a1e6aef87271af4a7c616d36
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[4a348601eb9131893c22b6ed2d3b6ba2bafc2391] net: mlx4: Use scnprintf() for avoiding potential buffer overflow
testing commit 4a348601eb9131893c22b6ed2d3b6ba2bafc2391 with gcc (GCC) 8.1.0
kernel signature: 8955d85d673870b293f2971f8bd8426b29a68dd6d5018fd6025a843c72dae521
all runs: OK
# git bisect bad 4a348601eb9131893c22b6ed2d3b6ba2bafc2391
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[46ea929b2b3f66e6a9bc91adbb9ca2157065f9b2] cxgb4: fix delete filter entry fail in unload path
testing commit 46ea929b2b3f66e6a9bc91adbb9ca2157065f9b2 with gcc (GCC) 8.1.0
kernel signature: e2fcb5f9d1879b6fff608b1d7e10c8d387964d2f28d502cc86b0a27cf23c2092
all runs: OK
# git bisect bad 46ea929b2b3f66e6a9bc91adbb9ca2157065f9b2
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0d1c3530e1bd38382edef72591b78e877e0edcd3] net_sched: keep alloc_hash updated after hash allocation
testing commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 with gcc (GCC) 8.1.0
kernel signature: ee8eacddda0bab3ae6ba90e9281141fb518d9edd725b1903c1374b25727427bd
all runs: OK
# git bisect bad 0d1c3530e1bd38382edef72591b78e877e0edcd3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b1be2e8cd290f620777bfdb8aa00890cd2fa02b5] net_sched: hold rtnl lock in tcindex_partial_destroy_work()
testing commit b1be2e8cd290f620777bfdb8aa00890cd2fa02b5 with gcc (GCC) 8.1.0
kernel signature: c6fdd913fa690d5ee76d0cf553c6b2a8a4873cf9eb607a80e786e6de07ba6960
run #0: crashed: general protection fault in smack_cred_free
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #6: crashed: WARNING in tcf_exts_destroy
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #9: crashed: KASAN: use-after-free Write in tcindex_set_parms
# git bisect good b1be2e8cd290f620777bfdb8aa00890cd2fa02b5
0d1c3530e1bd38382edef72591b78e877e0edcd3 is the first bad commit
commit 0d1c3530e1bd38382edef72591b78e877e0edcd3
Author: Cong Wang
Date:   Wed Mar 11 22:42:28 2020 -0700

    net_sched: keep alloc_hash updated after hash allocation

    In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    I moved cp->hash calculation before the first tcindex_alloc_perfect_hash(),
    but cp->alloc_hash is left untouched. This difference could lead to
    another out of bound access.

    cp->alloc_hash should always be the size allocated, we should update
    it after this tcindex_alloc_perfect_hash().

    Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
    Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

 net/sched/cls_tcindex.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: ee8eacddda0bab3ae6ba90e9281141fb518d9edd725b1903c1374b25727427bd
parent signature: c6fdd913fa690d5ee76d0cf553c6b2a8a4873cf9eb607a80e786e6de07ba6960
revisions tested: 15, total time: 3h48m49.00555095s (build: 1h39m24.290345301s, test: 2h7m44.620988306s)
first good commit: 0d1c3530e1bd38382edef72591b78e877e0edcd3 net_sched: keep alloc_hash updated after hash allocation
cc: ["davem@davemloft.net" "syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com" "syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]