bisecting fixing commit since 67d584e33e54c3f33c8541928aa7115388c97433
building syzkaller on 78267cec1aaa5e066d66e6a6c76fea1753e51b46
testing commit 67d584e33e54c3f33c8541928aa7115388c97433 with gcc (GCC) 8.1.0
kernel signature: 813e78e276e76e4b8c0d9e8855df5024cd37a26b8443dabdcfca9d68c0f39faf
run #0: crashed: general protection fault in tcf_action_destroy
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: general protection fault in tcf_action_destroy
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
testing current HEAD 96c9a7802af7d500a582d89a8b864584fe878c1b
testing commit 96c9a7802af7d500a582d89a8b864584fe878c1b with gcc (GCC) 8.1.0
kernel signature: 92cda657f343e153762298c6fe42ae2c449702ab972891fbbd8d368be8fcc0fc
all runs: OK
# git bisect start 96c9a7802af7d500a582d89a8b864584fe878c1b 67d584e33e54c3f33c8541928aa7115388c97433
Bisecting: 6263 revisions left to test after this (roughly 13 steps)
[f365ab31efacb70bed1e821f7435626e0b2528a6] Merge tag 'drm-next-2020-04-01' of git://anongit.freedesktop.org/drm/drm
testing commit f365ab31efacb70bed1e821f7435626e0b2528a6 with gcc (GCC) 8.1.0
kernel signature: 7779e1a46d3ce06d6719d938075c7b79280a6fbc0c73a781702490475a5259ae
all runs: OK
# git bisect bad f365ab31efacb70bed1e821f7435626e0b2528a6
Bisecting: 4110 revisions left to test after this (roughly 12 steps)
[56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb
testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.1.0
kernel signature: 2bc213e360b20427f3b2f3dd91e3795a8d2c768feccbe7851553657bb62ce7b0
all runs: OK
# git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf
Bisecting: 1860 revisions left to test after this (roughly 11 steps)
[e129940938d84d8b71074e40a9cc4f69278eb1e1] Merge tag 'regmap-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
testing commit e129940938d84d8b71074e40a9cc4f69278eb1e1 with gcc (GCC) 8.1.0
kernel signature: 3e82a2b33079d1ec6afc14d5ea625dfede3c242e21d10432fa4c2435ae24edb7
all runs: OK
# git bisect bad e129940938d84d8b71074e40a9cc4f69278eb1e1
Bisecting: 954 revisions left to test after this (roughly 10 steps)
[47acac8cae28b36668bf89400c56b7fdebca3e75] Merge tag 'hwmon-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
testing commit 47acac8cae28b36668bf89400c56b7fdebca3e75 with gcc (GCC) 8.1.0
kernel signature: df3184dfb6fbf9bbff97ff1807b870eb47df980eb510e7706e8896214a40414f
all runs: OK
# git bisect bad 47acac8cae28b36668bf89400c56b7fdebca3e75
Bisecting: 404 revisions left to test after this (roughly 9 steps)
[3a0eb192c01f43dca12628d8b5866d5b8ffb35f5] Merge tag 'for-5.7/libata-2020-03-29' of git://git.kernel.dk/linux-block
testing commit 3a0eb192c01f43dca12628d8b5866d5b8ffb35f5 with gcc (GCC) 8.1.0
kernel signature: e410eda51a714b70c3354ad729e6389667dec519d1404b9e78614a157a547d04
all runs: OK
# git bisect bad 3a0eb192c01f43dca12628d8b5866d5b8ffb35f5
Bisecting: 192 revisions left to test after this (roughly 8 steps)
[328f5bb9939dc32152ae025cf5c476b4380b6215] Merge tag 'mac80211-for-net-2020-03-26' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
testing commit 328f5bb9939dc32152ae025cf5c476b4380b6215 with gcc (GCC) 8.1.0
kernel signature: fa1335831319d006a5889d9d71b9c8ed7b34199042f7b2bacb3a3bac3f6ddeb6
run #0: boot failed: failed to delete instance: googleapi: Error 503: Internal error. Please try again or contact Google Support. (Code: '-2453388643746075686'), backendError
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 328f5bb9939dc32152ae025cf5c476b4380b6215
Bisecting: 99 revisions left to test after this (roughly 7 steps)
[07f8e4d0fddbf2f87e4cefb551278abc38db8cdd] tcp: also NULL skb->dev when copy was needed
testing commit 07f8e4d0fddbf2f87e4cefb551278abc38db8cdd with gcc (GCC) 8.1.0
kernel signature: 2ec90ad983c1f395315d56517fdbc50e81c5ac56ac5c54fab1e258159f74b16e
all runs: OK
# git bisect bad 07f8e4d0fddbf2f87e4cefb551278abc38db8cdd
Bisecting: 49 revisions left to test after this (roughly 6 steps)
[fe2a31d790f81bd14a76de3d3b87f4f1362f60cd] netlink: allow extack cookie also for error messages
testing commit fe2a31d790f81bd14a76de3d3b87f4f1362f60cd with gcc (GCC) 8.1.0
kernel signature: b4d1b53345ab802ddff61117f33e9f0afe836fed2d9a5bd928a3986d36694128
all runs: OK
# git bisect bad fe2a31d790f81bd14a76de3d3b87f4f1362f60cd
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[94b18a87efdd1626a1e6aef87271af4a7c616d36] Merge tag 'wireless-drivers-2020-03-13' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
testing commit 94b18a87efdd1626a1e6aef87271af4a7c616d36 with gcc (GCC) 8.1.0
kernel signature: eb7c7bdba0e928104f75435b8a5b9a843552889a74edc46852cd8fcc8d1ba9e3
run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: general protection fault in tcf_action_destroy
run #6: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #7: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good 94b18a87efdd1626a1e6aef87271af4a7c616d36
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[4a348601eb9131893c22b6ed2d3b6ba2bafc2391] net: mlx4: Use scnprintf() for avoiding potential buffer overflow
testing commit 4a348601eb9131893c22b6ed2d3b6ba2bafc2391 with gcc (GCC) 8.1.0
kernel signature: c9d6307c71e56e690c8fe21bca34be66c63d9cf144ccde5e81071f3e7e41c9e8
all runs: OK
# git bisect bad 4a348601eb9131893c22b6ed2d3b6ba2bafc2391
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[46ea929b2b3f66e6a9bc91adbb9ca2157065f9b2] cxgb4: fix delete filter entry fail in unload path
testing commit 46ea929b2b3f66e6a9bc91adbb9ca2157065f9b2 with gcc (GCC) 8.1.0
kernel signature: d038b077ab008373e7755c6411efefbe67717bf9546a077ce09b9e3e94efec49
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad 46ea929b2b3f66e6a9bc91adbb9ca2157065f9b2
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0d1c3530e1bd38382edef72591b78e877e0edcd3] net_sched: keep alloc_hash updated after hash allocation
testing commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 with gcc (GCC) 8.1.0
kernel signature: df1b670a36608f6d1d57225547ebee160f5630fb90f3f5e240291d9bcbcb169e
all runs: OK
# git bisect bad 0d1c3530e1bd38382edef72591b78e877e0edcd3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b1be2e8cd290f620777bfdb8aa00890cd2fa02b5] net_sched: hold rtnl lock in tcindex_partial_destroy_work()
testing commit b1be2e8cd290f620777bfdb8aa00890cd2fa02b5 with gcc (GCC) 8.1.0
kernel signature: db54e2ae83ed097d4bd53fc0e75e395d7dafe371c2333a9810818ad034cecf87
run #0: crashed: general protection fault in tcf_action_destroy
run #1: crashed: general protection fault in tcf_action_destroy
run #2: crashed: general protection fault in tcf_action_destroy
run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good b1be2e8cd290f620777bfdb8aa00890cd2fa02b5
0d1c3530e1bd38382edef72591b78e877e0edcd3 is the first bad commit
commit 0d1c3530e1bd38382edef72591b78e877e0edcd3
Author: Cong Wang
Date:   Wed Mar 11 22:42:28 2020 -0700

    net_sched: keep alloc_hash updated after hash allocation

    In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    I moved cp->hash calculation before the first tcindex_alloc_perfect_hash(),
    but cp->alloc_hash is left untouched. This difference could lead to
    another out of bound access.

    cp->alloc_hash should always be the size allocated, we should update
    it after this tcindex_alloc_perfect_hash().

    Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
    Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

 net/sched/cls_tcindex.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: df1b670a36608f6d1d57225547ebee160f5630fb90f3f5e240291d9bcbcb169e
parent signature: db54e2ae83ed097d4bd53fc0e75e395d7dafe371c2333a9810818ad034cecf87
revisions tested: 15, total time: 4h7m2.572508891s (build: 1h50m42.34985264s, test: 2h13m54.763576218s)
first good commit: 0d1c3530e1bd38382edef72591b78e877e0edcd3 net_sched: keep alloc_hash updated after hash allocation
cc: ["davem@davemloft.net" "syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com" "syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]