bisecting fixing commit since 14cfdbd39e316efd91ae6e403ef8211f0b022603
building syzkaller on 33e14df3b17974ae67fcec4419bc5f36840fe04b
testing commit 14cfdbd39e316efd91ae6e403ef8211f0b022603 with gcc (GCC) 8.1.0
kernel signature: b126b765b485f9a84752c414e6fe3c7c842b8db71c5d5047245c7a449de1dd64
run #0: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #1: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #2: crashed: KASAN: use-after-free Read in route4_get
run #3: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #4: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #5: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #6: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #7: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #8: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #9: crashed: WARNING: ODEBUG bug in tcf_queue_work
testing current HEAD 7edd66cf61670d2d0c31f89cb3a247016e489a8a
testing commit 7edd66cf61670d2d0c31f89cb3a247016e489a8a with gcc (GCC) 8.1.0
kernel signature: f706b0a1572d1af27bee899bf9b99a0df6da960899a51e4e9a74a3625f1fbc7d
all runs: OK
# git bisect start 7edd66cf61670d2d0c31f89cb3a247016e489a8a 14cfdbd39e316efd91ae6e403ef8211f0b022603
Bisecting: 246 revisions left to test after this (roughly 8 steps)
[8c80608a4eefe4717e02d469cad6983c4450978d] qlcnic: Fix bad kzalloc null test
testing commit 8c80608a4eefe4717e02d469cad6983c4450978d with gcc (GCC) 8.1.0
kernel signature: 1a425810ccc84842809a555d770bb1ef402ac1aac4310c450ff65351f2b5027e
all runs: OK
# git bisect bad 8c80608a4eefe4717e02d469cad6983c4450978d
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[d500b060316ad75d1dd391c36c89e6d5fd82b81e] scsi: sd: Fix optimal I/O size for devices that change reported values
testing commit d500b060316ad75d1dd391c36c89e6d5fd82b81e with gcc (GCC) 8.1.0
kernel signature: 56301806007a130a10b84b9581d9218987aa75cf8c0697e30cd2875e5c4f986c
all runs: OK
# git bisect bad d500b060316ad75d1dd391c36c89e6d5fd82b81e
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[1dd632975d11e28ad532288b6dc865a054819cc7] arm64: smp: fix smp_send_stop() behaviour
testing commit 1dd632975d11e28ad532288b6dc865a054819cc7 with gcc (GCC) 8.1.0
kernel signature: b30b4de34965713349b917fb121341f218f0b87123c86efee9bc41788c248a79
run #0: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #1: crashed: KASAN: use-after-free Read in route4_get
run #2: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #3: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #4: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #5: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #6: crashed: KASAN: use-after-free Read in route4_get
run #7: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #8: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #9: crashed: WARNING: ODEBUG bug in tcf_queue_work
# git bisect good 1dd632975d11e28ad532288b6dc865a054819cc7
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[39c6f2beb1b760275be46abcf30f7aef16841d98] net: phy: mdio-mux-bcm-iproc: check clk_prepare_enable() return value
testing commit 39c6f2beb1b760275be46abcf30f7aef16841d98 with gcc (GCC) 8.1.0
kernel signature: 284bc3ae3c92b1dd56e9c930a99cf96e38c1eae45d0c902153f93e92ecd5092e
all runs: OK
# git bisect bad 39c6f2beb1b760275be46abcf30f7aef16841d98
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[b371fdcd26675e7bc583ac9449c667e2e90b4e7e] mlxsw: spectrum_mr: Fix list iteration in error path
testing commit b371fdcd26675e7bc583ac9449c667e2e90b4e7e with gcc (GCC) 8.1.0
kernel signature: 303ca137be1f0dd954c2efa109c6b5b225f2a13a1986e1e09c27699a5e05a6d2
run #0: crashed: KASAN: use-after-free Read in route4_get
run #1: crashed: KASAN: use-after-free Read in route4_get
run #2: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #3: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #4: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #5: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #6: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #7: crashed: KASAN: use-after-free Read in route4_get
run #8: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #9: crashed: KASAN: use-after-free Read in route4_get
# git bisect good b371fdcd26675e7bc583ac9449c667e2e90b4e7e
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[47e36be14674184cb2bc5562e3c9f156f0c27493] net: stmmac: dwmac-rk: fix error path in rk_gmac_probe
testing commit 47e36be14674184cb2bc5562e3c9f156f0c27493 with gcc (GCC) 8.1.0
kernel signature: 671faefd9e7b8a6662f1a768640e90a38acb39df50511fc742e203846c1c9230
all runs: OK
# git bisect bad 47e36be14674184cb2bc5562e3c9f156f0c27493
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6fb0e4385928900ccb8697748555b3f54bba5193] net/packet: tpacket_rcv: avoid a producer race condition
testing commit 6fb0e4385928900ccb8697748555b3f54bba5193 with gcc (GCC) 8.1.0
kernel signature: 83d4f7231464f608abf2f42aa77845133c42b0d0e7143dd86ada876afe531295
run #0: crashed: KASAN: use-after-free Read in route4_get
run #1: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #2: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #3: crashed: KASAN: use-after-free Read in route4_get
run #4: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #5: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #6: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #7: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #8: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #9: crashed: WARNING: ODEBUG bug in __route4_delete_filter
# git bisect good 6fb0e4385928900ccb8697748555b3f54bba5193
Bisecting: 1 revision left to test after this (roughly 1 step)
[ea3d6652c240978736a91b9e85fde9fee9359be4] net_sched: cls_route: remove the right filter from hashtable
testing commit ea3d6652c240978736a91b9e85fde9fee9359be4 with gcc (GCC) 8.1.0
kernel signature: 6ca612c910cc7551fd164c20c732f1c575056a9640f136ac806abf1779db1025
all runs: OK
# git bisect bad ea3d6652c240978736a91b9e85fde9fee9359be4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[efec582aa025f01bc9663738a6f0c66bec74dec5] net: qmi_wwan: add support for ASKEY WWHC050
testing commit efec582aa025f01bc9663738a6f0c66bec74dec5 with gcc (GCC) 8.1.0
kernel signature: 7af4c9cd17df71edae983ef390ecc632961bd1951eaf3e71cac81078ff4f3d2a
run #0: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #1: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #2: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #3: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #4: crashed: KASAN: use-after-free Read in route4_get
run #5: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #6: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #7: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #8: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #9: crashed: WARNING: ODEBUG bug in tcf_queue_work
# git bisect good efec582aa025f01bc9663738a6f0c66bec74dec5
ea3d6652c240978736a91b9e85fde9fee9359be4 is the first bad commit
commit ea3d6652c240978736a91b9e85fde9fee9359be4
Author: Cong Wang
Date:   Fri Mar 13 22:29:54 2020 -0700

    net_sched: cls_route: remove the right filter from hashtable

    [ Upstream commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359 ]

    route4_change() allocates a new filter and copies values from the old one.
    After the new filter is inserted into the hash table, the old filter should
    be removed and freed, as the final step of the update. However, the current
    code mistakenly removes the new one. This looks apparently wrong to me, and
    it causes double "free" and use-after-free too, as reported by syzbot.

    Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
    Fixes: 1109c00547fc ("net: sched: RCU cls_route")
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Cc: John Fastabend
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/sched/cls_route.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

culprit signature: 6ca612c910cc7551fd164c20c732f1c575056a9640f136ac806abf1779db1025
parent signature: 7af4c9cd17df71edae983ef390ecc632961bd1951eaf3e71cac81078ff4f3d2a
revisions tested: 11, total time: 2h59m16.169857849s (build: 1h42m33.155541029s, test: 1h15m21.892049143s)
first good commit: ea3d6652c240978736a91b9e85fde9fee9359be4 net_sched: cls_route: remove the right filter from hashtable
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com" "syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com" "syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]
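The commit message above describes the defect in route4_change(): the replacement filter is published into the hash bucket, and the unlink step that follows is aimed at the new filter instead of the old one, so the old filter is released while still reachable. The C program below is an added illustration written for this log entry; it is not code from net/sched/cls_route.c or from the kernel, and the structure and function names (route_filter, bucket_change, bucket_delete, run_scenario), the handle value and the single-entry bucket are all invented for the example. The kernel's free is modelled as a flag so that both consequences the message names, the lookup that returns a released filter and the repeated release, can be observed in user space without crashing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a cls_route-style hash bucket: a singly linked list of
 * filters keyed by handle. Invented for this example, not kernel code.
 * "released" stands in for kfree so the bug is observable, not fatal. */
struct route_filter {
    unsigned int handle;
    int value;
    bool released;
    struct route_filter *next;
};

struct bucket { struct route_filter *head; };

static struct route_filter *bucket_lookup(struct bucket *b, unsigned int handle)
{
    for (struct route_filter *f = b->head; f; f = f->next)
        if (f->handle == handle)
            return f;
    return NULL;
}

/* Unlink `target` from the bucket; true if it was present. */
static bool bucket_unlink(struct bucket *b, struct route_filter *target)
{
    for (struct route_filter **fp = &b->head; *fp; fp = &(*fp)->next) {
        if (*fp == target) {
            *fp = target->next;
            return true;
        }
    }
    return false;
}

/* Update the filter identified by `handle`: allocate a replacement, copy the
 * old filter's fields, publish the replacement at the head of the bucket,
 * then unlink and release the old one. With `buggy` set the unlink step is
 * handed the new filter instead of the old one, the mistake the commit
 * above corrects: the new filter drops out of the table and the old one
 * stays reachable after it has been released. */
static struct route_filter *bucket_change(struct bucket *b, unsigned int handle,
                                          int new_value, bool buggy)
{
    struct route_filter *fold = bucket_lookup(b, handle);
    struct route_filter *f = calloc(1, sizeof(*f));
    if (!f)
        return NULL;
    if (fold)
        *f = *fold;
    f->handle = handle;
    f->value = new_value;
    f->released = false;
    f->next = b->head;
    b->head = f;

    if (fold) {
        bucket_unlink(b, buggy ? f : fold);
        fold->released = true;   /* the release always targets the old filter */
    }
    return f;
}

/* Delete by handle the way a later filter delete would: unlink whatever the
 * lookup finds and release it. Returns 2 if that entry was already released
 * (a double free), 0 on a normal delete, -1 if nothing was found. */
static int bucket_delete(struct bucket *b, unsigned int handle)
{
    struct route_filter *f = bucket_lookup(b, handle);
    if (!f)
        return -1;
    int rc = f->released ? 2 : 0;
    bucket_unlink(b, f);
    f->released = true;
    return rc;
}

/* Run update, lookup and delete on a constructed one-entry bucket and report
 * what went wrong as a bitmask: bit 0 = the lookup after the update returned
 * a released filter (the route4_get use-after-free), bit 1 = the delete
 * released a filter a second time (the double free). 0 means all sound. */
static int run_scenario(bool buggy)
{
    struct bucket b = { .head = NULL };
    struct route_filter *first = calloc(1, sizeof(*first));
    if (!first)
        return -1;
    first->handle = 0x1001;      /* constructed sample entry */
    first->value = 1;
    b.head = first;

    int findings = 0;
    struct route_filter *f = bucket_change(&b, 0x1001, 2, buggy);
    if (!f) {
        free(first);
        return -1;
    }
    struct route_filter *seen = bucket_lookup(&b, 0x1001);
    if (seen && seen->released)
        findings |= 1;
    if (bucket_delete(&b, 0x1001) == 2)
        findings |= 2;

    free(first);                 /* both nodes are real allocations; free them now */
    free(f);
    return findings;
}

int main(void)
{
    printf("fixed unlink: findings=%d\n", run_scenario(false));
    printf("buggy unlink: findings=%d\n", run_scenario(true));
    return 0;
}
```

With the old filter unlinked the lookup returns the replacement and the later delete releases it once; with the new filter unlinked instead, the stale entry is what every subsequent lookup sees, which is the shape of both crash signatures in the runs above.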