bisecting fixing commit since 88d6de67e390b6093f2c11189ad022988a9e2961
building syzkaller on c8e81ce4c7e3b59e7c83c6fab56c217916f3b3b6
testing commit 88d6de67e390b6093f2c11189ad022988a9e2961 with gcc (GCC) 8.1.0
kernel signature: b3fd912dbb8b506934bf1041e46d880fbf55ec178108420a3465ced857cab697
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
testing current HEAD ad326970d25cc85128cd22d62398751ad072efff
testing commit ad326970d25cc85128cd22d62398751ad072efff with gcc (GCC) 8.1.0
kernel signature: 07cd75985615bf51e82ef5fde1523c9a00a86e0b17bd114634eb64597a5396a9
all runs: OK
# git bisect start ad326970d25cc85128cd22d62398751ad072efff 88d6de67e390b6093f2c11189ad022988a9e2961
Bisecting: 2161 revisions left to test after this (roughly 11 steps)
[cfad68d10849c910bfe3885e2a17de3ca4707588] powerpc/powernv: Avoid re-registration of imc debugfs directory
testing commit cfad68d10849c910bfe3885e2a17de3ca4707588 with gcc (GCC) 8.1.0
kernel signature: 7cabbec42c638270c859f2b48e6b97339b47773b966961ed5efa7caefd8bf17a
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good cfad68d10849c910bfe3885e2a17de3ca4707588
Bisecting: 1080 revisions left to test after this (roughly 10 steps)
[71d781619fc57ef1000cec352343bfea1a559e0e] i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
testing commit 71d781619fc57ef1000cec352343bfea1a559e0e with gcc (GCC) 8.1.0
kernel signature: a4f8be489d8961d2aad536324b8c2243bdde51efd24d4c39668343af212fc9d9
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 71d781619fc57ef1000cec352343bfea1a559e0e
Bisecting: 540 revisions left to test after this (roughly 9 steps)
[3290c6ffef87e5acf213e90cb5013bf744e5b607] KVM: arm64: Add kvm_extable for vaxorcism code
testing commit 3290c6ffef87e5acf213e90cb5013bf744e5b607 with gcc (GCC) 8.1.0
kernel signature: d7c543bc51844e8397e52fad7e1378e0696137eed2b72488a14080c207709a4e
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 3290c6ffef87e5acf213e90cb5013bf744e5b607
Bisecting: 270 revisions left to test after this (roughly 8 steps)
[bb198240240a8469d0708e472a397c02880faad9] dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
testing commit bb198240240a8469d0708e472a397c02880faad9 with gcc (GCC) 8.1.0
kernel signature: f643282dcc55bb3232ba7d8038c3df87f5f11e88c9969b55da96809665d5b25a
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good bb198240240a8469d0708e472a397c02880faad9
Bisecting: 135 revisions left to test after this (roughly 7 steps)
[e63e927da2df208304725fbceb6f585eb47ddfdb] batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
testing commit e63e927da2df208304725fbceb6f585eb47ddfdb with gcc (GCC) 8.1.0
kernel signature: 5340c26216c2df7200066b847d451365b76eff99416f68784394807e0647beb1
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good e63e927da2df208304725fbceb6f585eb47ddfdb
Bisecting: 67 revisions left to test after this (roughly 6 steps)
[be92b3b5e5aae0a55699d539783ea33f34a240ff] Revert "ravb: Fixed to be able to unload modules"
testing commit be92b3b5e5aae0a55699d539783ea33f34a240ff with gcc (GCC) 8.1.0
kernel signature: f7fdf3ec5c56de1f7a622b97e55220ef0ec09425517b8010379ca97e3d797e40
all runs: OK
# git bisect bad be92b3b5e5aae0a55699d539783ea33f34a240ff
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[7f2acd64ac15271dc47fe42b6685fc64085b4d56] net: virtio_vsock: Enhance connection semantics
testing commit 7f2acd64ac15271dc47fe42b6685fc64085b4d56 with gcc (GCC) 8.1.0
kernel signature: 15f9a57cfe993de9be2645aea1f60db2331474811bba4accce84ce9f0b9c4067
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 7f2acd64ac15271dc47fe42b6685fc64085b4d56
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[a84da5ea38334ff79c13259b7aa5cf50ed52aa67] clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
testing commit a84da5ea38334ff79c13259b7aa5cf50ed52aa67 with gcc (GCC) 8.1.0
kernel signature: f4702667b5c2d09779f9988eeaa77da405816bade6f3ff94f0d1ad24ee5dda09
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good a84da5ea38334ff79c13259b7aa5cf50ed52aa67
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[3e3bbc4d23eeb90bf282e98c7dfeca7702df3169] epoll: do not insert into poll queues until all sanity checks are done
testing commit 3e3bbc4d23eeb90bf282e98c7dfeca7702df3169 with gcc (GCC) 8.1.0
kernel signature: 1e256660a8b470fa2a384830b27939a28a64700923261840068438fb14a97289
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 3e3bbc4d23eeb90bf282e98c7dfeca7702df3169
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[289fe546ea16c2dcb57c5198c5a7b7387604530e] netfilter: ctnetlink: add a range check for l3/l4 protonum
testing commit 289fe546ea16c2dcb57c5198c5a7b7387604530e with gcc (GCC) 8.1.0
kernel signature: 505533329b9cd77aa8920d8a2f0991bc21cc574cf8546195ca85a421f352ccf5
all runs: OK
# git bisect bad 289fe546ea16c2dcb57c5198c5a7b7387604530e
Bisecting: 1 revision left to test after this (roughly 1 step)
[90ef231ba534d43033884b8560df26e608ca0a21] epoll: EPOLL_CTL_ADD: close the race in decision to take fast path
testing commit 90ef231ba534d43033884b8560df26e608ca0a21 with gcc (GCC) 8.1.0
kernel signature: 7f5cd97e18efb207bfbed132a4359c584f8488ae8ea515b422a9399170322ad4
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good 90ef231ba534d43033884b8560df26e608ca0a21
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ced8ce5d2157142c469eccc5eef5ea8ad579fa5e] ep_create_wakeup_source(): dentry name can change under you...
testing commit ced8ce5d2157142c469eccc5eef5ea8ad579fa5e with gcc (GCC) 8.1.0
kernel signature: 9c28c7bd49039d0e8e5b1e9c5e5adf7e2bcd08cd4260aa174c7ff400fd203a9e
all runs: crashed: KASAN: global-out-of-bounds Read in get_unique_tuple
# git bisect good ced8ce5d2157142c469eccc5eef5ea8ad579fa5e
289fe546ea16c2dcb57c5198c5a7b7387604530e is the first bad commit
commit 289fe546ea16c2dcb57c5198c5a7b7387604530e
Author: Will McVicker
Date:   Mon Aug 24 19:38:32 2020 +0000

    netfilter: ctnetlink: add a range check for l3/l4 protonum

    commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream.

    The indexes to the nf_nat_l[34]protos arrays come from userspace. So
    check the tuple's family, e.g. l3num, when creating the conntrack in
    order to prevent an OOB memory access during setup. Here is an example
    kernel panic on 4.14.180 when userspace passes in an index greater than
    NFPROTO_NUMPROTO.

    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    Modules linked in:...
    Process poc (pid: 5614, stack limit = 0x00000000a3933121)
    CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
    Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
    task: 000000002a3dfffe task.stack: 00000000a3933121
    pc : __cfi_check_fail+0x1c/0x24
    lr : __cfi_check_fail+0x1c/0x24
    ...
    Call trace:
    __cfi_check_fail+0x1c/0x24
    name_to_dev_t+0x0/0x468
    nfnetlink_parse_nat_setup+0x234/0x258
    ctnetlink_parse_nat_setup+0x4c/0x228
    ctnetlink_new_conntrack+0x590/0xc40
    nfnetlink_rcv_msg+0x31c/0x4d4
    netlink_rcv_skb+0x100/0x184
    nfnetlink_rcv+0xf4/0x180
    netlink_unicast+0x360/0x770
    netlink_sendmsg+0x5a0/0x6a4
    ___sys_sendmsg+0x314/0x46c
    SyS_sendmsg+0xb4/0x108
    el0_svc_naked+0x34/0x38

    This crash is not happening since 5.4+, however, ctnetlink still allows
    for creating entries with unsupported layer 3 protocol number.

    Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
    Signed-off-by: Will McVicker
    [pablo@netfilter.org: rebased original patch on top of nf.git]
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

culprit signature: 505533329b9cd77aa8920d8a2f0991bc21cc574cf8546195ca85a421f352ccf5
parent signature: 9c28c7bd49039d0e8e5b1e9c5e5adf7e2bcd08cd4260aa174c7ff400fd203a9e
revisions tested: 14, total time: 3h5m23.996633337s (build: 2h1m49.438649875s, test: 1h2m20.247708737s)
first good commit: 289fe546ea16c2dcb57c5198c5a7b7387604530e netfilter: ctnetlink: add a range check for l3/l4 protonum
recipients (to): ["gregkh@linuxfoundation.org" "pablo@netfilter.org" "willmcvicker@google.com"]
recipients (cc): []