bisecting fixing commit since 8f8972a3127ff46df62ae30057d29606968ec4aa
building syzkaller on 0342f8c7bc656ea8ee3c45e49edeb4ee9cc12cce
testing commit 8f8972a3127ff46df62ae30057d29606968ec4aa with gcc (GCC) 8.1.0
kernel signature: 229e9f84057f8b981a6c1abd70e7252ccfc12bc721617b20a793b7317f6df7ac
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
testing current HEAD b1da3acc781ce445445d959b41064d209a27bc2d
testing commit b1da3acc781ce445445d959b41064d209a27bc2d with gcc (GCC) 8.1.0
kernel signature: 772d9de3aa01744b2379b4d1a78905025815ddbc25932e243c488c3f0706fcf4
all runs: OK
# git bisect start b1da3acc781ce445445d959b41064d209a27bc2d 8f8972a3127ff46df62ae30057d29606968ec4aa
Bisecting: 6318 revisions left to test after this (roughly 13 steps)
[4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0
kernel signature: 4aae8f5d48a68bc1c3f4f8b11c6d542cb31d3d14d3a0d07417692ed5c5402178
all runs: OK
# git bisect bad 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb
Bisecting: 2314 revisions left to test after this (roughly 12 steps)
[bd2463ac7d7ec51d432f23bf0e893fb371a908cd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit bd2463ac7d7ec51d432f23bf0e893fb371a908cd with gcc (GCC) 8.1.0
kernel signature: 358158c0d180aff95e7b907673353bf992d8d240ee42612490c2af54797d1e33
all runs: OK
# git bisect bad bd2463ac7d7ec51d432f23bf0e893fb371a908cd
Bisecting: 1810 revisions left to test after this (roughly 11 steps)
[c4c57b974d27f53744b1bc5669e002f080cec839] Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit c4c57b974d27f53744b1bc5669e002f080cec839 with gcc (GCC) 8.1.0
kernel signature: 58bb2242e2de6ad6ef34cb9e7010b7e55c42559baa2a8df71e36734424bff651
all runs: OK
# git bisect bad c4c57b974d27f53744b1bc5669e002f080cec839
Bisecting: 878 revisions left to test after this (roughly 10 steps)
[d49d0661b92478ec9362e379e7ba82450ec88048] Merge branch 'libbpf-include-path'
testing commit d49d0661b92478ec9362e379e7ba82450ec88048 with gcc (GCC) 8.1.0
kernel signature: da08c9c45ee7c155d0462f7f67f954721c29bacf0b193155100f6ec8d9a322aa
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
# git bisect good d49d0661b92478ec9362e379e7ba82450ec88048
Bisecting: 438 revisions left to test after this (roughly 9 steps)
[794eee259e8e1a7e6f31417ec8f6fa809597bb24] Merge branch 'net-phy-add-generic-ndo_do_ioctl-handler-phy_do_ioctl'
testing commit 794eee259e8e1a7e6f31417ec8f6fa809597bb24 with gcc (GCC) 8.1.0
kernel signature: bb093c8cbb870a3e1b532bd9cb00f80bcb0829b56681f7dd2d72b37970b1b536
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 794eee259e8e1a7e6f31417ec8f6fa809597bb24
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[2821e26f3a0a3872184581caac8115bb02641941] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm
testing commit 2821e26f3a0a3872184581caac8115bb02641941 with gcc (GCC) 8.1.0
kernel signature: df88ef88d931a4858c2e2f3e7a65b59fe8cacbb6439c5ef1b394b79ca662b867
all runs: OK
# git bisect bad 2821e26f3a0a3872184581caac8115bb02641941
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[342508c1c7540e281fd36151c175ba5ff954a99f] net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path
testing commit 342508c1c7540e281fd36151c175ba5ff954a99f with gcc (GCC) 8.1.0
kernel signature: 0ba198e84e1d4748d2bed59b3bc792f6f5377229010714b999f9944b35dc19a2
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 342508c1c7540e281fd36151c175ba5ff954a99f
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[274adbff45e3c26c65b2e103581d2ab5834b0b7c] Merge tag 'drm-fixes-2020-01-24' of git://anongit.freedesktop.org/drm/drm
testing commit 274adbff45e3c26c65b2e103581d2ab5834b0b7c with gcc (GCC) 8.1.0
kernel signature: 965458a9e35ed9a78a2482d816ea1b1189b7ff28e6304e4ca176d76ad2169dea
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 274adbff45e3c26c65b2e103581d2ab5834b0b7c
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[93d1a05ea6b29737715769e2c9551cfe8a5fef22] Merge tag 'pinctrl-v5.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 93d1a05ea6b29737715769e2c9551cfe8a5fef22 with gcc (GCC) 8.1.0
kernel signature: c451b4135ce6eebee6f508bd371b54d45a2370a20a88e5d69fc69901c417b1a1
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 93d1a05ea6b29737715769e2c9551cfe8a5fef22
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[6badad1c1d354db1f7bc216319d81884411d5098] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit 6badad1c1d354db1f7bc216319d81884411d5098 with gcc (GCC) 8.1.0
kernel signature: 20a3d74ac126d4d5363748821a9dcf44fc11f7fee20769a9343097239858ec73
all runs: OK
# git bisect bad 6badad1c1d354db1f7bc216319d81884411d5098
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[eb014de4fd418de1a277913cba244e47274fe392] netfilter: nf_tables: autoload modules from the abort path
testing commit eb014de4fd418de1a277913cba244e47274fe392 with gcc (GCC) 8.1.0
kernel signature: c0e64badf918d103226f020bca4952ab28c07abeb4e968a64ebd803c6ac4332d
all runs: OK
# git bisect bad eb014de4fd418de1a277913cba244e47274fe392
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ab658b9fa7a2c467f79eac8b53ea308b8f98113d] netfilter: conntrack: sctp: use distinct states for new SCTP connections
testing commit ab658b9fa7a2c467f79eac8b53ea308b8f98113d with gcc (GCC) 8.1.0
kernel signature: cac392857cc5479056eb00f785226c7602c99b6a6939b65600cf42b6dcd33480
all runs: OK
# git bisect bad ab658b9fa7a2c467f79eac8b53ea308b8f98113d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[32c72165dbd0e246e69d16a3ad348a4851afd415] netfilter: ipset: use bitmap infrastructure completely
testing commit 32c72165dbd0e246e69d16a3ad348a4851afd415 with gcc (GCC) 8.1.0
kernel signature: 00c508432e357657bdad22b183196ebc3eb3dfc012f83d0419e3ef684b88eda0
all runs: OK
# git bisect bad 32c72165dbd0e246e69d16a3ad348a4851afd415
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365] netfilter: nft_osf: add missing check for DREG attribute
testing commit 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365 with gcc (GCC) 8.1.0
kernel signature: 1284d174c21c192e22ead60e45e6c4f09e7a5ea2aeae92243fee39bebb1376b2
all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup
# git bisect good 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365
32c72165dbd0e246e69d16a3ad348a4851afd415 is the first bad commit
commit 32c72165dbd0e246e69d16a3ad348a4851afd415
Author: Kadlecsik József
Date:   Sun Jan 19 22:06:49 2020 +0100

    netfilter: ipset: use bitmap infrastructure completely

    The bitmap allocation did not use full unsigned long sizes
    when calculating the required size and that was triggered by
    KASAN as slab-out-of-bounds read in several places. The patch
    fixes all of them.

    Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
    Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
    Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
    Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
    Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
    Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
    Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

 include/linux/netfilter/ipset/ip_set.h    | 7 -------
 net/netfilter/ipset/ip_set_bitmap_gen.h   | 2 +-
 net/netfilter/ipset/ip_set_bitmap_ip.c    | 6 +++---
 net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +++---
 net/netfilter/ipset/ip_set_bitmap_port.c  | 6 +++---
 5 files changed, 10 insertions(+), 17 deletions(-)

culprit signature: 00c508432e357657bdad22b183196ebc3eb3dfc012f83d0419e3ef684b88eda0
parent signature: 1284d174c21c192e22ead60e45e6c4f09e7a5ea2aeae92243fee39bebb1376b2
revisions tested: 16, total time: 3h57m58.697530608s (build: 1h47m39.528204404s, test: 2h8m35.898516469s)
first good commit: 32c72165dbd0e246e69d16a3ad348a4851afd415 netfilter: ipset: use bitmap infrastructure completely
cc: ["kadlec@blackhole.kfki.hu" "kadlec@netfilter.org" "pablo@netfilter.org"]