bisecting fixing commit since 80d9f3a0fdb8c1129921147780661ed0a2cae2a1
building syzkaller on 08dacaa0b938aa2951de182c1dfe1862ebe2a20c
testing commit 80d9f3a0fdb8c1129921147780661ed0a2cae2a1 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in xfrm_init_replay
testing current HEAD 459c5fb44379335c966d98c7fdc4e8ebe2d2b93f
testing commit 459c5fb44379335c966d98c7fdc4e8ebe2d2b93f with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 459c5fb44379335c966d98c7fdc4e8ebe2d2b93f 80d9f3a0fdb8c1129921147780661ed0a2cae2a1
Bisecting: 58916 revisions left to test after this (roughly 16 steps)
[5f179793f0a73965681db6a3203fa1baabd9b3c3] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit 5f179793f0a73965681db6a3203fa1baabd9b3c3 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 5f179793f0a73965681db6a3203fa1baabd9b3c3
Bisecting: 29457 revisions left to test after this (roughly 15 steps)
[cf90d884b347c50a1e8c1effc4093e497dd68b4b] btrfs: Introduce mount time chunk <-> dev extent mapping check
testing commit cf90d884b347c50a1e8c1effc4093e497dd68b4b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad cf90d884b347c50a1e8c1effc4093e497dd68b4b
Bisecting: 14731 revisions left to test after this (roughly 14 steps)
[bc2dbc5420e82560e650f8531ceca597441ca171] Merge branch 'akpm' (patches from Andrew)
testing commit bc2dbc5420e82560e650f8531ceca597441ca171 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad bc2dbc5420e82560e650f8531ceca597441ca171
Bisecting: 7311 revisions left to test after this (roughly 13 steps)
[06dd3dfeea60e2a6457a6aedf97afc8e6d2ba497] Merge tag 'char-misc-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 06dd3dfeea60e2a6457a6aedf97afc8e6d2ba497 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 06dd3dfeea60e2a6457a6aedf97afc8e6d2ba497
Bisecting: 3713 revisions left to test after this (roughly 12 steps)
[f2d285669aae656dfeafa0bf25e86bbbc5d22329] Merge tag 'pm-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit f2d285669aae656dfeafa0bf25e86bbbc5d22329 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad f2d285669aae656dfeafa0bf25e86bbbc5d22329
Bisecting: 2025 revisions left to test after this (roughly 11 steps)
[1679ae8f8f4148766423066aeb3dbb0a985a373a] drm/amdkfd: Use ordered workqueue to restore processes
testing commit 1679ae8f8f4148766423066aeb3dbb0a985a373a with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in xfrm_init_replay
# git bisect good 1679ae8f8f4148766423066aeb3dbb0a985a373a
Bisecting: 1038 revisions left to test after this (roughly 10 steps)
[19193bcad8dced863f2f720b1a76110bda07c970] locking/Kconfig: Restructure the lock debugging menu
testing commit 19193bcad8dced863f2f720b1a76110bda07c970 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 19193bcad8dced863f2f720b1a76110bda07c970
Bisecting: 492 revisions left to test after this (roughly 9 steps)
[9ce207880d8e4b20b6c1bcd82c749970c2b9e6d2] Merge tag 'mmc-v4.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit 9ce207880d8e4b20b6c1bcd82c749970c2b9e6d2 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in xfrm_init_replay
# git bisect good 9ce207880d8e4b20b6c1bcd82c749970c2b9e6d2
Bisecting: 250 revisions left to test after this (roughly 8 steps)
[e7d7743f1be5f15caebbf13713d1eb0a5f08b5c2] Merge tag 'acpi-4.16-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit e7d7743f1be5f15caebbf13713d1eb0a5f08b5c2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad e7d7743f1be5f15caebbf13713d1eb0a5f08b5c2
Bisecting: 116 revisions left to test after this (roughly 7 steps)
[d2ddf628e90ffb92b411757eeb8655314371b879] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
testing commit d2ddf628e90ffb92b411757eeb8655314371b879 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad d2ddf628e90ffb92b411757eeb8655314371b879
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[652dfb2b31b076153c73106863a4a57e5318c152] Merge tag 'wireless-drivers-for-davem-2018-03-08' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
testing commit 652dfb2b31b076153c73106863a4a57e5318c152 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in xfrm_init_replay
# git bisect good 652dfb2b31b076153c73106863a4a57e5318c152
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[9e5fb7207024e53700bdac23f53d1e44d530a7f6] Merge branch 'bnxt_en-Bug-fixes'
testing commit 9e5fb7207024e53700bdac23f53d1e44d530a7f6 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in xfrm_init_replay
# git bisect good 9e5fb7207024e53700bdac23f53d1e44d530a7f6
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[2f987a76a97773beafbc615b9c4d8fe79129a7f4] net: ipv6: keep sk status consistent after datagram connect failure
testing commit 2f987a76a97773beafbc615b9c4d8fe79129a7f4 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in xfrm_init_replay
# git bisect good 2f987a76a97773beafbc615b9c4d8fe79129a7f4
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[87cdf3148b11d46382dbce2754ae7036aba96380] xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto
testing commit 87cdf3148b11d46382dbce2754ae7036aba96380 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 87cdf3148b11d46382dbce2754ae7036aba96380
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[510c321b557121861601f9d259aadd65aa274f35] xfrm: reuse uncached_list to track xdsts
testing commit 510c321b557121861601f9d259aadd65aa274f35 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 510c321b557121861601f9d259aadd65aa274f35
Bisecting: 1 revision left to test after this (roughly 1 step)
[2471c98165494173a3cd03231b216b909c063e41] xfrm: Fix policy hold queue after flowcache removal.
testing commit 2471c98165494173a3cd03231b216b909c063e41 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in xfrm_init_replay
# git bisect good 2471c98165494173a3cd03231b216b909c063e41
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d97ca5d714a5334aecadadf696875da40f1fbf3e] xfrm_user: uncoditionally validate esn replay attribute struct
testing commit d97ca5d714a5334aecadadf696875da40f1fbf3e with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad d97ca5d714a5334aecadadf696875da40f1fbf3e
d97ca5d714a5334aecadadf696875da40f1fbf3e is the first bad commit
commit d97ca5d714a5334aecadadf696875da40f1fbf3e
Author: Florian Westphal
Date:   Mon Feb 12 14:42:01 2018 +0100

    xfrm_user: uncoditionally validate esn replay attribute struct

    The sanity test added in ecd7918745234 can be bypassed, validation only
    occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care and
    just checks if the attribute itself is present.

    So always validate. Alternative is to reject if we have the attribute
    without the flag but that would change abi.

    Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
    Cc: Mathias Krause
    Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
    Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
    Signed-off-by: Florian Westphal
    Signed-off-by: Steffen Klassert

:040000 040000 3cddc95c21e0851bd97193084f06abdb92352161 143f1bd4a3faa12d93f824a465aaba47c0f771bb M	net

revisions tested: 19, total time: 3h54m44.768607714s (build: 1h21m39.484094584s, test: 2h26m4.185376471s)
first good commit: d97ca5d714a5334aecadadf696875da40f1fbf3e xfrm_user: uncoditionally validate esn replay attribute struct
cc: ["davem@davemloft.net" "fw@strlen.de" "herbert@gondor.apana.org.au" "linux-kernel@vger.kernel.org" "minipli@googlemail.com" "netdev@vger.kernel.org" "steffen.klassert@secunet.com"]