bisecting fixing commit since db5b9190ff8202b609fe802ccde41cb28669389f
building syzkaller on f9b6950728295eb8f52b05a0d9e5dccd99f93eaa
testing commit db5b9190ff8202b609fe802ccde41cb28669389f with gcc (GCC) 8.1.0
kernel signature: 05737ba86c9090dd682c7a09e835861ba628cad190359b703b05646df49e192a
all runs: crashed: general protection fault in xt_rateest_put
testing current HEAD 9b15f7fae677336e04b9e026ff91854e43165455
testing commit 9b15f7fae677336e04b9e026ff91854e43165455 with gcc (GCC) 8.1.0
kernel signature: 94b5dd686a753e50af5dec803d9c1a92266e76f3ee39a4325bac4591f1bc6891
all runs: OK
# git bisect start 9b15f7fae677336e04b9e026ff91854e43165455 db5b9190ff8202b609fe802ccde41cb28669389f
Bisecting: 647 revisions left to test after this (roughly 9 steps)
[1b7081bff268184c82cb811be1cacb9d82dac7a3] ACPI: PM: Introduce "poweroff" callbacks for ACPI PM domain and LPSS
testing commit 1b7081bff268184c82cb811be1cacb9d82dac7a3 with gcc (GCC) 8.1.0
kernel signature: 59cdce097e5d6f965499bef9152ef660d4bcd3819322ec6eb5f5fe599590a699
all runs: OK
# git bisect bad 1b7081bff268184c82cb811be1cacb9d82dac7a3
Bisecting: 323 revisions left to test after this (roughly 8 steps)
[5fc07a47308ba169b28ce845e7dfcd244cc8eb9c] crypto: tgr192 - fix unaligned memory access
testing commit 5fc07a47308ba169b28ce845e7dfcd244cc8eb9c with gcc (GCC) 8.1.0
kernel signature: d22bca0e4c02d94b5e2e20324cdcdd90818b7145ec54ba880bdfac50ed375b26
all runs: OK
# git bisect bad 5fc07a47308ba169b28ce845e7dfcd244cc8eb9c
Bisecting: 161 revisions left to test after this (roughly 7 steps)
[565389fc18ebe7c54569f1630a320a3c5dc2cdae] mlxsw: spectrum: Wipe xstats.backlog of down ports
testing commit 565389fc18ebe7c54569f1630a320a3c5dc2cdae with gcc (GCC) 8.1.0
kernel signature: afd48144df28ad7bef89ca5c46452510e9df745c0a232b635bbb7a355dae9a77
all runs: OK
# git bisect bad 565389fc18ebe7c54569f1630a320a3c5dc2cdae
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[10d55ea6136b4116623297df3bd156981cc87f7e] ioat: ioat_alloc_ring() failure handling.
testing commit 10d55ea6136b4116623297df3bd156981cc87f7e with gcc (GCC) 8.1.0
kernel signature: a214d53e3ad1ea2dc643433a59f7e44a6bed38826330a6a8467d009a34bbe8f4
all runs: crashed: general protection fault in xt_rateest_put
# git bisect good 10d55ea6136b4116623297df3bd156981cc87f7e
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[107fb2906db14ac9fc14f780f2a92418974a0c66] drm/i915: Add missing include file
testing commit 107fb2906db14ac9fc14f780f2a92418974a0c66 with gcc (GCC) 8.1.0
kernel signature: 63cd68e3470203855290a091bddc608d82158088d63fc2bd316d73cfb164b20d
all runs: crashed: general protection fault in xt_rateest_put
# git bisect good 107fb2906db14ac9fc14f780f2a92418974a0c66
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[5205825195a1af8d98ef2d2e3eb083f2f1bb4724] cfg80211: fix deadlocks in autodisconnect work
testing commit 5205825195a1af8d98ef2d2e3eb083f2f1bb4724 with gcc (GCC) 8.1.0
kernel signature: 40f8596abe914646a78275a8549b8604cdf183c47deb656f9c8c448732b30575
all runs: crashed: general protection fault in xt_rateest_put
# git bisect good 5205825195a1af8d98ef2d2e3eb083f2f1bb4724
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[da319f060b853a2cf4df3bc6119083813aaa1976] batman-adv: Fix DAT candidate selection on little endian systems
testing commit da319f060b853a2cf4df3bc6119083813aaa1976 with gcc (GCC) 8.1.0
kernel signature: cc27c71b6c54d1d953b1f60a78a177db3736c1a8cc30988eb730db8d5708df1f
all runs: OK
# git bisect bad da319f060b853a2cf4df3bc6119083813aaa1976
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[6de941ce70cd5c6d672f8af2d0a6dc83039a283c] netfilter: nft_tunnel: fix null-attribute check
testing commit 6de941ce70cd5c6d672f8af2d0a6dc83039a283c with gcc (GCC) 8.1.0
kernel signature: 85e0d1b195bc00e4957444ca52df4f290b8b2d1f9d58b6f4d293a66d53bd3223
all runs: OK
# git bisect bad 6de941ce70cd5c6d672f8af2d0a6dc83039a283c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ec4234e5dd66f326931b2e30e40bcc29002b1478] cfg80211: fix page refcount issue in A-MSDU decap
testing commit ec4234e5dd66f326931b2e30e40bcc29002b1478 with gcc (GCC) 8.1.0
kernel signature: 8e3be26ba94e6de5954dafca8e912ee3290fab2e315544ac26f541d70612d0ad
all runs: crashed: general protection fault in xt_rateest_put
# git bisect good ec4234e5dd66f326931b2e30e40bcc29002b1478
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e3282417b91c09af9e327238edfd11deb887b83a] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
testing commit e3282417b91c09af9e327238edfd11deb887b83a with gcc (GCC) 8.1.0
kernel signature: 4959a57a7f51614ee9ee1673c0e322e016e8e7cf2a1dcf6afd9a4fca05c5a5fa
all runs: OK
# git bisect bad e3282417b91c09af9e327238edfd11deb887b83a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[dcefdeff4de8a95f546455a25bc9ea328b778230] netfilter: fix a use-after-free in mtype_destroy()
testing commit dcefdeff4de8a95f546455a25bc9ea328b778230 with gcc (GCC) 8.1.0
kernel signature: 06068255ed476cf5a38c3427b9a8bca1e41410afc736a10835a5721af98fc79b
all runs: crashed: general protection fault in xt_rateest_put
# git bisect good dcefdeff4de8a95f546455a25bc9ea328b778230
e3282417b91c09af9e327238edfd11deb887b83a is the first bad commit
commit e3282417b91c09af9e327238edfd11deb887b83a
Author: Florian Westphal
Date:   Sat Jan 11 23:19:53 2020 +0100

    netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct

    commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.

    An earlier commit (1b789577f655060d98d20e, "netfilter: arp_tables: init
    netns pointer in xt_tgchk_param struct") fixed missing net initialization
    for arptables, but turns out it was incomplete.
    We can get a very similar struct net NULL deref during error unwinding:

    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
     xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
     cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
     translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
     do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
     do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461

    Also init the netns pointer in xt_tgdtor_param struct.

    Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
    Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

 net/ipv4/netfilter/arp_tables.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

culprit signature: 4959a57a7f51614ee9ee1673c0e322e016e8e7cf2a1dcf6afd9a4fca05c5a5fa
parent signature: 06068255ed476cf5a38c3427b9a8bca1e41410afc736a10835a5721af98fc79b
revisions tested: 13, total time: 3h35m27.88161796s (build: 2h0m35.046833134s, test: 1h33m32.818332605s)
first good commit: e3282417b91c09af9e327238edfd11deb887b83a netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
cc: ["fw@strlen.de" "gregkh@linuxfoundation.org" "pablo@netfilter.org"]