bisecting fixing commit since 68d7a45eec101bc1550294c0e675a490c047b2e5
building syzkaller on 8e3c52b11d5d0843be47f41e00c5612ce29811b0
testing commit 68d7a45eec101bc1550294c0e675a490c047b2e5 with gcc (GCC) 8.1.0
kernel signature: 976ec9c39a52450576af7dbdca7bb8e0f0a871fa
all runs: crashed: WARNING in xfrm_state_fini
testing current HEAD a844dc4c544291470aa69edbe2434b040794e269
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0
kernel signature: 1a93362483d2319e7f4294eabc10e52377b25ba5
all runs: OK
# git bisect start a844dc4c544291470aa69edbe2434b040794e269 68d7a45eec101bc1550294c0e675a490c047b2e5
Bisecting: 1874 revisions left to test after this (roughly 11 steps)
[e2a74958ee0d27f05c016cfcc821b0d3d11b9f45] bonding: Force slave speed check after link state recovery for 802.3ad
testing commit e2a74958ee0d27f05c016cfcc821b0d3d11b9f45 with gcc (GCC) 8.1.0
kernel signature: d777cb11b9746c401d41176922262ceafb2aa90c
all runs: crashed: WARNING in xfrm_state_fini
# git bisect good e2a74958ee0d27f05c016cfcc821b0d3d11b9f45
Bisecting: 937 revisions left to test after this (roughly 10 steps)
[169795c893f424cd889aa106e971628c780b81a3] powerpc/book3s64/mm: Don't do tlbie fixup for some hardware revisions
testing commit 169795c893f424cd889aa106e971628c780b81a3 with gcc (GCC) 8.1.0
kernel signature: c6eebeba1cffab110c76557fb0c077ea180d7f5d
all runs: OK
# git bisect bad 169795c893f424cd889aa106e971628c780b81a3
Bisecting: 468 revisions left to test after this (roughly 9 steps)
[9aa376a13f4340a2483184a3634f74051524094f] Btrfs: fix race setting up and completing qgroup rescan workers
testing commit 9aa376a13f4340a2483184a3634f74051524094f with gcc (GCC) 8.1.0
kernel signature: 10db81308d3d3b086e5fb2fd109689182d8400dd
all runs: OK
# git bisect bad 9aa376a13f4340a2483184a3634f74051524094f
Bisecting: 233 revisions left to test after this (roughly 8 steps)
[e28c683440a64c0a1451d54aeb41301f588a004a] firmware: google: check if size is valid when decoding VPD data
testing commit e28c683440a64c0a1451d54aeb41301f588a004a with gcc (GCC) 8.1.0
kernel signature: c4e4d389412a7d12fb0fcea0a235a0d82aa4ae97
all runs: OK
# git bisect bad e28c683440a64c0a1451d54aeb41301f588a004a
Bisecting: 116 revisions left to test after this (roughly 7 steps)
[414510bc00a5fc954d8340c170083f518d09aa55] Linux 4.14.142
testing commit 414510bc00a5fc954d8340c170083f518d09aa55 with gcc (GCC) 8.1.0
kernel signature: 469b7c7c3ead704331a7280b078821e25b9259ef
all runs: crashed: WARNING in xfrm_state_fini
# git bisect good 414510bc00a5fc954d8340c170083f518d09aa55
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[2eff0ac931699b8d6b5eff7779da6ccad83812eb] clk: s2mps11: Add used attribute to s2mps11_dt_match
testing commit 2eff0ac931699b8d6b5eff7779da6ccad83812eb with gcc (GCC) 8.1.0
kernel signature: 5578b8d499c8406ee2d2acd4e85c848e96c66dc2
all runs: OK
# git bisect bad 2eff0ac931699b8d6b5eff7779da6ccad83812eb
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[cdc9acde7a72c6fe8e221f1a735bb12906ea3d02] spi: bcm2835aux: remove dangerous uncontrolled read of fifo
testing commit cdc9acde7a72c6fe8e221f1a735bb12906ea3d02 with gcc (GCC) 8.1.0
kernel signature: ca52e73e0de71d05fadc9059b6b85ee97a146883
all runs: crashed: WARNING in xfrm_state_fini
# git bisect good cdc9acde7a72c6fe8e221f1a735bb12906ea3d02
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[fe4d826a6e6acd5425b761fdbc5407d7629077d6] ALSA: hda/realtek - Fix the problem of two front mics on a ThinkCentre
testing commit fe4d826a6e6acd5425b761fdbc5407d7629077d6 with gcc (GCC) 8.1.0
kernel signature: 8d8b017cae90ac82ecf62e052f4ca9b8feaeff76
run #0: crashed: WARNING in xfrm_state_fini
run #1: crashed: WARNING in xfrm_state_fini
run #2: crashed: WARNING in xfrm_state_fini
run #3: crashed: WARNING in xfrm_state_fini
run #4: crashed: WARNING in xfrm_state_fini
run #5: crashed: WARNING in xfrm_state_fini
run #6: crashed: WARNING in xfrm_state_fini
run #7: crashed: WARNING in xfrm_state_fini
run #8: boot failed: can't ssh into the instance
run #9: boot failed: can't ssh into the instance
# git bisect good fe4d826a6e6acd5425b761fdbc5407d7629077d6
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[b36199bc9dada09c082b0c47516bd59b8bc38c9b] PCI: dra7xx: Fix legacy INTD IRQ handling
testing commit b36199bc9dada09c082b0c47516bd59b8bc38c9b with gcc (GCC) 8.1.0
kernel signature: 6edd0dfb23c6dc70937b7709bfca852e9b9f70c5
all runs: OK
# git bisect bad b36199bc9dada09c082b0c47516bd59b8bc38c9b
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[32b803e81ce17eec816f09d5388ef0a1cc9e4c2f] powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction
testing commit 32b803e81ce17eec816f09d5388ef0a1cc9e4c2f with gcc (GCC) 8.1.0
kernel signature: d3a739b8bfd33699c344d1d91f69773f807c69cb
all runs: crashed: WARNING in xfrm_state_fini
# git bisect good 32b803e81ce17eec816f09d5388ef0a1cc9e4c2f
Bisecting: 1 revision left to test after this (roughly 1 step)
[720a6817e131b1208263f1a951d0c8ee1982950a] ip6: fix skb leak in ip6frag_expire_frag_queue()
testing commit 720a6817e131b1208263f1a951d0c8ee1982950a with gcc (GCC) 8.1.0
kernel signature: 5dee7bdf1a5eba2ae09034f00ffef8175026f506
all runs: OK
# git bisect bad 720a6817e131b1208263f1a951d0c8ee1982950a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[cd393b38514dc3caa916db3b4405d592bfd3c9ea] xfrm: clean up xfrm protocol checks
testing commit cd393b38514dc3caa916db3b4405d592bfd3c9ea with gcc (GCC) 8.1.0
kernel signature: 46196634652286f39c8d19986883191f1440fc7a
all runs: OK
# git bisect bad cd393b38514dc3caa916db3b4405d592bfd3c9ea
cd393b38514dc3caa916db3b4405d592bfd3c9ea is the first bad commit
commit cd393b38514dc3caa916db3b4405d592bfd3c9ea
Author: Cong Wang
Date:   Fri Mar 22 16:26:19 2019 -0700

    xfrm: clean up xfrm protocol checks

    commit dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399 upstream.

    In commit 6a53b7593233 ("xfrm: check id proto in validate_tmpl()") I introduced a check for xfrm protocol, but according to Herbert IPSEC_PROTO_ANY should only be used as a wildcard for lookup, so it should be removed from validate_tmpl().

    And, IPSEC_PROTO_ANY is expected to only match 3 IPSec-specific protocols, this is why xfrm_state_flush() could still miss IPPROTO_ROUTING, which leads that those entries are left in net->xfrm.state_all before exit net. Fix this by replacing IPSEC_PROTO_ANY with zero.

    This patch also extracts the check from validate_tmpl() to xfrm_id_proto_valid() and uses it in parse_ipsecrequest(). With this, no other protocols should be added into xfrm.

    Fixes: 6a53b7593233 ("xfrm: check id proto in validate_tmpl()")
    Reported-by: syzbot+0bf0519d6e0de15914fe@syzkaller.appspotmail.com
    Cc: Steffen Klassert
    Cc: Herbert Xu
    Signed-off-by: Cong Wang
    Acked-by: Herbert Xu
    Signed-off-by: Steffen Klassert
    Signed-off-by: Zubin Mithra
    Signed-off-by: Greg Kroah-Hartman

 include/net/xfrm.h    | 17 +++++++++++++++++
 net/key/af_key.c      |  4 +++-
 net/xfrm/xfrm_state.c |  2 +-
 net/xfrm/xfrm_user.c  | 14 +-------------
 4 files changed, 22 insertions(+), 15 deletions(-)

kernel signature: 46196634652286f39c8d19986883191f1440fc7a
previous signature: d3a739b8bfd33699c344d1d91f69773f807c69cb
revisions tested: 14, total time: 3h49m20.725126835s (build: 1h51m8.949579533s, test: 1h56m54.27656348s)
first good commit: cd393b38514dc3caa916db3b4405d592bfd3c9ea xfrm: clean up xfrm protocol checks
cc: ["gregkh@linuxfoundation.org" "herbert@gondor.apana.org.au" "steffen.klassert@secunet.com" "xiyou.wangcong@gmail.com" "zsm@chromium.org"]