bisecting fixing commit since 1bab61d3e8cd96f2badf515dcb06e4e1029bc017
building syzkaller on 8ca3b7d2bb7672b5608051fab4b825fdbbf2356a
testing commit 1bab61d3e8cd96f2badf515dcb06e4e1029bc017 with gcc (GCC) 8.1.0
kernel signature: fff95df88de4a466b7cca844d8cd7883d147159c0af093aea2ae9066a3d3f5d9
all runs: crashed: general protection fault in get_unique_tuple
testing current HEAD f5d8eef067acee3fda37137f4a08c0d3f6427a8e
testing commit f5d8eef067acee3fda37137f4a08c0d3f6427a8e with gcc (GCC) 8.1.0
kernel signature: 7a6aa51908bf7463ae5fb49cd9a03ba2e9f6a80accfeee732862e9a11e1b0f79
all runs: OK
# git bisect start f5d8eef067acee3fda37137f4a08c0d3f6427a8e 1bab61d3e8cd96f2badf515dcb06e4e1029bc017
Bisecting: 1307 revisions left to test after this (roughly 10 steps)
[6569387565961965d872bab558f3cf167e818689] arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding
testing commit 6569387565961965d872bab558f3cf167e818689 with gcc (GCC) 8.1.0
kernel signature: 4769e03e0c01e076ba64cada4fa6d3735f5cb6f9e055cf28f14ce3477ba175c3
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 6569387565961965d872bab558f3cf167e818689
Bisecting: 653 revisions left to test after this (roughly 9 steps)
[35145dab2074abf12c1486317c912d8cff5a5fa8] cxgb4: Fix offset when clearing filter byte counters
testing commit 35145dab2074abf12c1486317c912d8cff5a5fa8 with gcc (GCC) 8.1.0
kernel signature: f4e26f52dbbd4b9b4746c75ea6d9498911164f1d2b4b2a67276a6657522f67d1
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 35145dab2074abf12c1486317c912d8cff5a5fa8
Bisecting: 326 revisions left to test after this (roughly 8 steps)
[dfedfbe0feb7c01943882a601d43a3d2e8d2a16a] platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting
testing commit dfedfbe0feb7c01943882a601d43a3d2e8d2a16a with gcc (GCC) 8.1.0
kernel signature: 792a6cb809d9e542d67b7d1f3ec41c63ebe407276d8a389ee36a6c86ea2f3f82
all runs: OK
# git bisect bad dfedfbe0feb7c01943882a601d43a3d2e8d2a16a
Bisecting: 163 revisions left to test after this (roughly 7 steps)
[b125a752eb1843a4546ec8ab6bf162baf8ebaae3] scsi: hpsa: correct race condition in offload enabled
testing commit b125a752eb1843a4546ec8ab6bf162baf8ebaae3 with gcc (GCC) 8.1.0
kernel signature: a551b5b6cec327d81d3f8f75046acc1666003ec3a4da737a22311c69e43869b8
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good b125a752eb1843a4546ec8ab6bf162baf8ebaae3
Bisecting: 81 revisions left to test after this (roughly 6 steps)
[8216a3852ae50f52e482c15b3a8fcfc4cb312f1e] i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()
testing commit 8216a3852ae50f52e482c15b3a8fcfc4cb312f1e with gcc (GCC) 8.1.0
kernel signature: c45ad5fcb8c4eb9d90f5ca18e5a8dc6061a371d7479410d7ec7fbe5521c33e7b
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 8216a3852ae50f52e482c15b3a8fcfc4cb312f1e
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[7c20b974aac73b192fcb4aa8a3e3f901d1a9e591] vsock/virtio: add transport parameter to the virtio_transport_reset_no_sock()
testing commit 7c20b974aac73b192fcb4aa8a3e3f901d1a9e591 with gcc (GCC) 8.1.0
kernel signature: 6298b122977c6bb865191b52ff1f583978f3b4d3f7a85d5fd7e17796f195af23
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 7c20b974aac73b192fcb4aa8a3e3f901d1a9e591
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[69e0a9eb6c49ccbf1d565e8a4d188132af3df70e] i2c: cpm: Fix i2c_ram structure
testing commit 69e0a9eb6c49ccbf1d565e8a4d188132af3df70e with gcc (GCC) 8.1.0
kernel signature: 01a805d1e3bcc6ae11c0f74fbef67fd5e227020f064f8bfaddbec5c510b5c906
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 69e0a9eb6c49ccbf1d565e8a4d188132af3df70e
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[289fe546ea16c2dcb57c5198c5a7b7387604530e] netfilter: ctnetlink: add a range check for l3/l4 protonum
testing commit 289fe546ea16c2dcb57c5198c5a7b7387604530e with gcc (GCC) 8.1.0
kernel signature: e4e005143a9a96243025eed7daf4b76145f9edbdd144c417791549e32e8735d9
all runs: OK
# git bisect bad 289fe546ea16c2dcb57c5198c5a7b7387604530e
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[1c3886dc302329f199cc04f8a56ba44d17a0df16] net/packet: fix overflow in tpacket_rcv
testing commit 1c3886dc302329f199cc04f8a56ba44d17a0df16 with gcc (GCC) 8.1.0
kernel signature: 11d16758122601069e909d125d57e0c91892f5467a6df13fe6c0e21a5dd1f23e
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 1c3886dc302329f199cc04f8a56ba44d17a0df16
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ff329915a5b1f6778344a6fc7b060c991376b095] epoll: replace ->visited/visited_list with generation count
testing commit ff329915a5b1f6778344a6fc7b060c991376b095 with gcc (GCC) 8.1.0
kernel signature: 1712750eefb1fb185cd609f895f94c258aaa5b874abc14e2243e6d6bcb8520d0
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good ff329915a5b1f6778344a6fc7b060c991376b095
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ced8ce5d2157142c469eccc5eef5ea8ad579fa5e] ep_create_wakeup_source(): dentry name can change under you...
testing commit ced8ce5d2157142c469eccc5eef5ea8ad579fa5e with gcc (GCC) 8.1.0
kernel signature: 4d21b191229eb1b3a3e574da67ea076833263ebce19a4dcdfaf09495b89ccdaa
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good ced8ce5d2157142c469eccc5eef5ea8ad579fa5e
289fe546ea16c2dcb57c5198c5a7b7387604530e is the first bad commit
commit 289fe546ea16c2dcb57c5198c5a7b7387604530e
Author: Will McVicker
Date:   Mon Aug 24 19:38:32 2020 +0000

    netfilter: ctnetlink: add a range check for l3/l4 protonum

    commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream.

    The indexes to the nf_nat_l[34]protos arrays come from userspace. So
    check the tuple's family, e.g. l3num, when creating the conntrack in
    order to prevent an OOB memory access during setup. Here is an
    example kernel panic on 4.14.180 when userspace passes in an index
    greater than NFPROTO_NUMPROTO.

    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    Modules linked in:...
    Process poc (pid: 5614, stack limit = 0x00000000a3933121)
    CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
    Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
    task: 000000002a3dfffe task.stack: 00000000a3933121
    pc : __cfi_check_fail+0x1c/0x24
    lr : __cfi_check_fail+0x1c/0x24
    ...
    Call trace:
    __cfi_check_fail+0x1c/0x24
    name_to_dev_t+0x0/0x468
    nfnetlink_parse_nat_setup+0x234/0x258
    ctnetlink_parse_nat_setup+0x4c/0x228
    ctnetlink_new_conntrack+0x590/0xc40
    nfnetlink_rcv_msg+0x31c/0x4d4
    netlink_rcv_skb+0x100/0x184
    nfnetlink_rcv+0xf4/0x180
    netlink_unicast+0x360/0x770
    netlink_sendmsg+0x5a0/0x6a4
    ___sys_sendmsg+0x314/0x46c
    SyS_sendmsg+0xb4/0x108
    el0_svc_naked+0x34/0x38

    This crash is not happening since 5.4+, however, ctnetlink still allows
    for creating entries with unsupported layer 3 protocol number.

    Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
    Signed-off-by: Will McVicker
    [pablo@netfilter.org: rebased original patch on top of nf.git]
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

culprit signature: e4e005143a9a96243025eed7daf4b76145f9edbdd144c417791549e32e8735d9
parent signature: 4d21b191229eb1b3a3e574da67ea076833263ebce19a4dcdfaf09495b89ccdaa
revisions tested: 13, total time: 2h54m17.884850477s (build: 1h54m42.803055328s, test: 58m10.293498944s)
first good commit: 289fe546ea16c2dcb57c5198c5a7b7387604530e netfilter: ctnetlink: add a range check for l3/l4 protonum
recipients (to): ["gregkh@linuxfoundation.org" "pablo@netfilter.org" "willmcvicker@google.com"]
recipients (cc): []