bisecting fixing commit since 2c523b344dfa65a3738e7039832044aa133c75fb
building syzkaller on 35f53e457420e79fa28e3260cdbbf9f37b9f97e4
testing commit 2c523b344dfa65a3738e7039832044aa133c75fb with gcc (GCC) 8.1.0
kernel signature: 449633add55b5d867040ae3ed4933f9bec2e657f02657fcac767bbe672f8961d
run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #1: crashed: general protection fault in tcf_action_destroy
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: general protection fault in tcf_action_destroy
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: use-after-free Read in tcindex_lookup
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
testing current HEAD ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25
testing commit ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25 with gcc (GCC) 8.1.0
kernel signature: 47d22556db2085a241b26976fe9be41633dbd3d625304751a91e827a71737827
all runs: OK
# git bisect start ae46d2aa6a7fbe8ca0946f24b061b6ccdc6c3f25 2c523b344dfa65a3738e7039832044aa133c75fb
Bisecting: 6425 revisions left to test after this (roughly 13 steps)
[dd6a4998e64a7806b54c3eba1e5e7bf6c81ccf8c] net: stmmac: Fix VLAN filtering when HW does not support it
testing commit dd6a4998e64a7806b54c3eba1e5e7bf6c81ccf8c with gcc (GCC) 8.1.0
kernel signature: ea5456a2bee5cf198610f3f0708e0dabf3d8c8d016bc9b4ef8b8be129439bbfd
all runs: OK
# git bisect bad dd6a4998e64a7806b54c3eba1e5e7bf6c81ccf8c
Bisecting: 3214 revisions left to test after this (roughly 12 steps)
[cad18da0afb1bc7b37d73a74067ab7ff5974897c] Merge tag 'please-pull-ia64_for_5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux
testing commit cad18da0afb1bc7b37d73a74067ab7ff5974897c with gcc (GCC) 8.1.0
kernel signature: 67cd33c01ddd35c99008a6d3398cf87e4838b8bca3328cc682ae994270b6d361
all runs: OK
# git bisect bad cad18da0afb1bc7b37d73a74067ab7ff5974897c
Bisecting: 1706 revisions left to test after this (roughly 11 steps)
[063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 063d1942247668eb0bb800aef5afbbef337344be with gcc (GCC) 8.1.0
kernel signature: 83f7906dc6db2a025a9fce88445b102eaee2660068181abefba39832fdb0011c
all runs: OK
# git bisect bad 063d1942247668eb0bb800aef5afbbef337344be
Bisecting: 745 revisions left to test after this (roughly 10 steps)
[32db9f10d52c97ffc407c7dad81c6fafcad730b2] Merge tag 'arm-soc-fixes-5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 32db9f10d52c97ffc407c7dad81c6fafcad730b2 with gcc (GCC) 8.1.0
kernel signature: f7a5ce7db2dc40540a7be6e7f3ae2ed82a9e45ead818bdbce72ecbaa25e9adb5
all runs: OK
# git bisect bad 32db9f10d52c97ffc407c7dad81c6fafcad730b2
Bisecting: 377 revisions left to test after this (roughly 9 steps)
[12bf19c9268263cf8fc6653966813ff9d5ceef17] Merge tag 'sound-5.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 12bf19c9268263cf8fc6653966813ff9d5ceef17 with gcc (GCC) 8.1.0
kernel signature: df6623526d0b8eb8fc930d09702fe8a90f7f534cb875ec40799f937fed161868
run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: general protection fault in tcf_action_destroy
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: WARNING in __queue_work
# git bisect good 12bf19c9268263cf8fc6653966813ff9d5ceef17
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[2910594fd38d1cb3c32fbf235e6c6228c780ab87] Merge tag 'wireless-drivers-2020-03-25' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
testing commit 2910594fd38d1cb3c32fbf235e6c6228c780ab87 with gcc (GCC) 8.1.0
kernel signature: 66004e2d2912bfae66ed808afacd1de430a65cb582e8f441d8f51ff1f8240142
all runs: OK
# git bisect bad 2910594fd38d1cb3c32fbf235e6c6228c780ab87
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[2b8765c52db24c0fbcc81bac9b5e8390f2c7d3c8] wireguard: receive: remove dead code from default packet type case
testing commit 2b8765c52db24c0fbcc81bac9b5e8390f2c7d3c8 with gcc (GCC) 8.1.0
kernel signature: 3e5ef3ed8aa50736b9dd1fc6fc6c6520f7b6ea3a23466f0317b1532d6ea83551
all runs: OK
# git bisect bad 2b8765c52db24c0fbcc81bac9b5e8390f2c7d3c8
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[413ae546f8726ac0652e59fcf97561fc21f52653] net: nfp: Use scnprintf() for avoiding potential buffer overflow
testing commit 413ae546f8726ac0652e59fcf97561fc21f52653 with gcc (GCC) 8.1.0
kernel signature: 1d60e6bc34cfdf19b4642aa718ea1476d1590e1c5fc982857eab20451af0c54a
all runs: OK
# git bisect bad 413ae546f8726ac0652e59fcf97561fc21f52653
Bisecting: 23 revisions left to test after this (roughly 4 steps)
[242a6df688dcad7c55105280a79aaff83addf7ce] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 242a6df688dcad7c55105280a79aaff83addf7ce with gcc (GCC) 8.1.0
kernel signature: ad06095ec8760efbc12c68def35569f4e49602f8d6707c85f59190ddd458a685
run #0: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #1: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #2: crashed: general protection fault in tcf_action_destroy
run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: general protection fault in tcf_action_destroy
# git bisect good 242a6df688dcad7c55105280a79aaff83addf7ce
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[94b18a87efdd1626a1e6aef87271af4a7c616d36] Merge tag 'wireless-drivers-2020-03-13' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
testing commit 94b18a87efdd1626a1e6aef87271af4a7c616d36 with gcc (GCC) 8.1.0
kernel signature: b0eebbcbed71032037ce3794374dc3b967ce313d1d0dfa3e2145c10d2a353a18
run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #3: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #4: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #7: crashed: KASAN: slab-out-of-bounds Write in tcindex_set_parms
run #8: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good 94b18a87efdd1626a1e6aef87271af4a7c616d36
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[e1f8f78ffe9854308b9e12a73ebe4e909074fc33] net: ip_gre: Separate ERSPAN newlink / changelink callbacks
testing commit e1f8f78ffe9854308b9e12a73ebe4e909074fc33 with gcc (GCC) 8.1.0
kernel signature: b0ec89859efce41ee1b6baeb7fcc1b2d84909392565dffbde0e0f61cd2bc227c
all runs: OK
# git bisect bad e1f8f78ffe9854308b9e12a73ebe4e909074fc33
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[13d0f7b814d9b4c67e60d8c2820c86ea181e7d99] net/bpfilter: fix dprintf usage for /dev/kmsg
testing commit 13d0f7b814d9b4c67e60d8c2820c86ea181e7d99 with gcc (GCC) 8.1.0
kernel signature: 10334153eaa6cabc70e925a60565f8afd32e38b2452de617cc9036c5398e71f5
all runs: OK
# git bisect bad 13d0f7b814d9b4c67e60d8c2820c86ea181e7d99
Bisecting: 0 revisions left to test after this (roughly 1 step)
[0d1c3530e1bd38382edef72591b78e877e0edcd3] net_sched: keep alloc_hash updated after hash allocation
testing commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 with gcc (GCC) 8.1.0
kernel signature: d4bc016be544d5ab08b0cb5b09bbe09317ed773e1d996cbaa04608ea2554f609
all runs: OK
# git bisect bad 0d1c3530e1bd38382edef72591b78e877e0edcd3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b1be2e8cd290f620777bfdb8aa00890cd2fa02b5] net_sched: hold rtnl lock in tcindex_partial_destroy_work()
testing commit b1be2e8cd290f620777bfdb8aa00890cd2fa02b5 with gcc (GCC) 8.1.0
kernel signature: 1cce1e1b8c241add5347db7b18c5f9f7f273887d86bd48fb6d2fd9aff423bda2
run #0: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #1: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #2: crashed: KASAN: invalid-free in tcf_exts_destroy
run #3: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #4: crashed: KASAN: use-after-free Write in tcindex_set_parms
run #5: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #6: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
run #7: crashed: general protection fault in tcf_action_destroy
run #8: crashed: KASAN: slab-out-of-bounds Write in tcindex_filter_result_init
run #9: crashed: KASAN: slab-out-of-bounds Read in tcindex_set_parms
# git bisect good b1be2e8cd290f620777bfdb8aa00890cd2fa02b5
0d1c3530e1bd38382edef72591b78e877e0edcd3 is the first bad commit
commit 0d1c3530e1bd38382edef72591b78e877e0edcd3
Author: Cong Wang
Date:   Wed Mar 11 22:42:28 2020 -0700

    net_sched: keep alloc_hash updated after hash allocation

    In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    I moved cp->hash calculation before the first
    tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched.
    This difference could lead to another out of bound access.

    cp->alloc_hash should always be the size allocated, we should
    update it after this tcindex_alloc_perfect_hash().

    Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
    Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

 net/sched/cls_tcindex.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: d4bc016be544d5ab08b0cb5b09bbe09317ed773e1d996cbaa04608ea2554f609
parent signature: 1cce1e1b8c241add5347db7b18c5f9f7f273887d86bd48fb6d2fd9aff423bda2
revisions tested: 16, total time: 3h55m47.615263244s (build: 1h48m48.075270716s, test: 2h5m10.090754119s)
first good commit: 0d1c3530e1bd38382edef72591b78e877e0edcd3 net_sched: keep alloc_hash updated after hash allocation
cc: ["davem@davemloft.net" "syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com" "syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]