bisecting fixing commit since cb1f9a169a0e197f93816ace48a6520e8640809d
building syzkaller on 4c04afaa19a16e90d8b495cc3795fd4ed21df4df
testing commit cb1f9a169a0e197f93816ace48a6520e8640809d with gcc (GCC) 8.1.0
kernel signature: 1b00f8f741c4bf2d2700bb110b7abd65a242b9da2ba6d4dcc8829714f3b03c33
all runs: crashed: general protection fault in nf_ct_netns_do_get
testing current HEAD 357668399cf70ccdc0ee8967bff3448d0f4f9ae1
testing commit 357668399cf70ccdc0ee8967bff3448d0f4f9ae1 with gcc (GCC) 8.1.0
kernel signature: 1a28bf6a218fe49755828d8d75fe07f79d0ba123abf80e748b79c98e9f4b9c2c
all runs: OK
# git bisect start 357668399cf70ccdc0ee8967bff3448d0f4f9ae1 cb1f9a169a0e197f93816ace48a6520e8640809d
Bisecting: 686 revisions left to test after this (roughly 10 steps)
[80c33da1c125c0593c31e196fc0d0cacb05d70b8] ARM: riscpc: fix lack of keyboard interrupts after irq conversion
testing commit 80c33da1c125c0593c31e196fc0d0cacb05d70b8 with gcc (GCC) 8.1.0
kernel signature: f8a805eafea10263816a422f99bcf81273713a8517b08e6b819ee2c25bf50199
all runs: OK
# git bisect bad 80c33da1c125c0593c31e196fc0d0cacb05d70b8
Bisecting: 342 revisions left to test after this (roughly 9 steps)
[a9375dc8ce0607e102a91f124c15e842ad2b8832] iio: fix position relative kernel version
testing commit a9375dc8ce0607e102a91f124c15e842ad2b8832 with gcc (GCC) 8.1.0
kernel signature: 1b2d1069d9d4c81b1653e271b7d4a007a433af23787de48b3fdcc91dbb16c3b2
all runs: OK
# git bisect bad a9375dc8ce0607e102a91f124c15e842ad2b8832
Bisecting: 171 revisions left to test after this (roughly 8 steps)
[d847154df490d018cb850dbc17b621260b10d1e3] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
testing commit d847154df490d018cb850dbc17b621260b10d1e3 with gcc (GCC) 8.1.0
kernel signature: 8e6d07267abd2169556edb02bce788643af619f90adc9ab5a2ce46e27ff3a2d8
all runs: OK
# git bisect bad d847154df490d018cb850dbc17b621260b10d1e3
Bisecting: 85 revisions left to test after this (roughly 7 steps)
[ec576895d61356a2cab096e1ca23bf7cc765e5b2] chardev: Avoid potential use-after-free in 'chrdev_open()'
testing commit ec576895d61356a2cab096e1ca23bf7cc765e5b2 with gcc (GCC) 8.1.0
kernel signature: 291d3f7c8d2db97297570fc2e856cdb4f598536bee1b81439e0537967ead5f3e
all runs: crashed: general protection fault in nf_ct_netns_do_get
# git bisect good ec576895d61356a2cab096e1ca23bf7cc765e5b2
Bisecting: 42 revisions left to test after this (roughly 6 steps)
[46abb2a5cd2f34a8fa67df24f5b33a494e42f9ec] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
testing commit 46abb2a5cd2f34a8fa67df24f5b33a494e42f9ec with gcc (GCC) 8.1.0
kernel signature: e370fac406755f1b200abc992cbe2df40f792203f64ae4c977c9c6ef9af63ef8
all runs: OK
# git bisect bad 46abb2a5cd2f34a8fa67df24f5b33a494e42f9ec
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[8bd6980a014d34f3c250ce14b8670a9a09e6f7e9] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
testing commit 8bd6980a014d34f3c250ce14b8670a9a09e6f7e9 with gcc (GCC) 8.1.0
kernel signature: d2e97b5b5e6e932211dcaceed32ce6fdab5d2dd7cb188b0c4a246d6ae76029f9
all runs: crashed: general protection fault in nf_ct_netns_do_get
# git bisect good 8bd6980a014d34f3c250ce14b8670a9a09e6f7e9
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[65c6710c3fab92dcdf924c1a6daf75439f7f3199] tty: link tty and port before configuring it as console
testing commit 65c6710c3fab92dcdf924c1a6daf75439f7f3199 with gcc (GCC) 8.1.0
kernel signature: 7569c2e5459bb4b913829ee8c2fe31e2f67692514669e7ecf5b3fcfc3c72642f
all runs: crashed: general protection fault in nf_ct_netns_do_get
# git bisect good 65c6710c3fab92dcdf924c1a6daf75439f7f3199
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[0e27512c5d0bc2c3d33c1e7f73a8983015c82b83] rtl8xxxu: prevent leaking urb
testing commit 0e27512c5d0bc2c3d33c1e7f73a8983015c82b83 with gcc (GCC) 8.1.0
kernel signature: 7ae24037099959ce9cb111e757f39fff78a7b94166ee53e2ad600ceba180b489
all runs: crashed: general protection fault in nf_ct_netns_do_get
# git bisect good 0e27512c5d0bc2c3d33c1e7f73a8983015c82b83
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[1a4da00e9af21ef982efaccfde2736f0a5cf645a] USB: Fix: Don't skip endpoint descriptors with maxpacket=0
testing commit 1a4da00e9af21ef982efaccfde2736f0a5cf645a with gcc (GCC) 8.1.0
kernel signature: 69e754703891789217bd0f43d8a43cc8ded7b90ae0ef27a6ebfd1b480bc2117c
all runs: crashed: general protection fault in nf_ct_netns_do_get
# git bisect good 1a4da00e9af21ef982efaccfde2736f0a5cf645a
Bisecting: 0 revisions left to test after this (roughly 1 step)
[d429612632cc33d8b929a59f7242bcb3239813dd] phy: cpcap-usb: Fix flakey host idling and enumerating of devices
testing commit d429612632cc33d8b929a59f7242bcb3239813dd with gcc (GCC) 8.1.0
kernel signature: d1a45b91980e9936fde8c69c88509f33088727769aff8787b021bba91b368105
all runs: crashed: general protection fault in nf_ct_netns_do_get
# git bisect good d429612632cc33d8b929a59f7242bcb3239813dd
46abb2a5cd2f34a8fa67df24f5b33a494e42f9ec is the first bad commit
commit 46abb2a5cd2f34a8fa67df24f5b33a494e42f9ec
Author: Florian Westphal
Date:   Fri Dec 27 01:33:10 2019 +0100

    netfilter: arp_tables: init netns pointer in xt_tgchk_param struct

    commit 1b789577f655060d98d20ed0c6f9fbd469d6ba63 upstream.

    We get a crash when the target's checkentry function tries to make
    use of the network namespace pointer for arptables.

    When the net pointer got added back in 2010, only ip/ip6/ebtables were
    changed to initialize it, so arptables has this set to NULL.

    This isn't a problem for normal arptables because no existing
    arptables target has a checkentry function that makes use of par->net.

    However, direct users of the setsockopt interface can provide
    any target they want as long as it's registered for ARP or UNSPEC
    protocols.

    syzkaller managed to send a semi-valid arptables rule for RATEEST target
    which is enough to trigger NULL deref:

    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109
    [..]
     xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019
     check_target net/ipv4/netfilter/arp_tables.c:399 [inline]
     find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline]
     translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572
     do_replace net/ipv4/netfilter/arp_tables.c:977 [inline]
     do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456

    Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
    Reported-by: syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal
    Acked-by: Cong Wang
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

 net/ipv4/netfilter/arp_tables.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

culprit signature: e370fac406755f1b200abc992cbe2df40f792203f64ae4c977c9c6ef9af63ef8
parent signature: d1a45b91980e9936fde8c69c88509f33088727769aff8787b021bba91b368105
revisions tested: 12, total time: 3h7m49.267187479s (build: 1h52m50.408495415s, test: 1h13m43.404514317s)
first good commit: 46abb2a5cd2f34a8fa67df24f5b33a494e42f9ec netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
cc: ["fw@strlen.de" "gregkh@linuxfoundation.org" "pablo@netfilter.org" "xiyou.wangcong@gmail.com"]