bisecting fixing commit since c14d30dc9987047b439b03d6e6db7d54d9f7f180
building syzkaller on bc15f7dbbc1c6e2042a7115b3fdacc0ada8c35e7
testing commit c14d30dc9987047b439b03d6e6db7d54d9f7f180 with gcc (GCC) 8.1.0
kernel signature: 32d7bda2bd340b7bcedfe114e7c83b0f04f4275a428a519e662b3483ad7381c9
all runs: crashed: general protection fault in get_unique_tuple
testing current HEAD f5d8eef067acee3fda37137f4a08c0d3f6427a8e
testing commit f5d8eef067acee3fda37137f4a08c0d3f6427a8e with gcc (GCC) 8.1.0
kernel signature: ee517871ffd6bb00b9e6a8004e1d046b86b68883a54554e281797414cd730590
all runs: OK
# git bisect start f5d8eef067acee3fda37137f4a08c0d3f6427a8e c14d30dc9987047b439b03d6e6db7d54d9f7f180
Bisecting: 671 revisions left to test after this (roughly 9 steps)
[cb0f66eb67d75b93a66063c12414b969ee137b51] USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook
testing commit cb0f66eb67d75b93a66063c12414b969ee137b51 with gcc (GCC) 8.1.0
kernel signature: 70589eb01895533ea727ecd461bb956c11c0253eb68296b0d562ea3bc18ffba0
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good cb0f66eb67d75b93a66063c12414b969ee137b51
Bisecting: 335 revisions left to test after this (roughly 8 steps)
[7b9eaa7241ea2cfa580b854d461be72107a4b35c] fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h
testing commit 7b9eaa7241ea2cfa580b854d461be72107a4b35c with gcc (GCC) 8.1.0
kernel signature: c03a44b7453ab48f231ceb28a7bb2de3d4a211fe069c5457f37f325c585bd0a4
all runs: OK
# git bisect bad 7b9eaa7241ea2cfa580b854d461be72107a4b35c
Bisecting: 167 revisions left to test after this (roughly 7 steps)
[102bdec1d1cf196aaafa4e54513490d5de6e05a4] drm/msm/a5xx: Always set an OPP supported hardware value
testing commit 102bdec1d1cf196aaafa4e54513490d5de6e05a4 with gcc (GCC) 8.1.0
kernel signature: 6e149251194816c2cce504dced4a353bef9c447ccbd6e98603845639a06a7695
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 102bdec1d1cf196aaafa4e54513490d5de6e05a4
Bisecting: 83 revisions left to test after this (roughly 6 steps)
[7d3d6fc18caeeef094d4417cbddf335b82b1c2c5] ubi: fastmap: Free unused fastmap anchor peb during detach
testing commit 7d3d6fc18caeeef094d4417cbddf335b82b1c2c5 with gcc (GCC) 8.1.0
kernel signature: dafcfbe0f34a46e5b5b4a1a15fa7c196c32a3cacd8b0f391ae309f35b9de3770
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 7d3d6fc18caeeef094d4417cbddf335b82b1c2c5
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[3b69fe0d6d0f760f6faba1e5e11cfacd35df8d75] ata: sata_mv, avoid trigerrable BUG_ON
testing commit 3b69fe0d6d0f760f6faba1e5e11cfacd35df8d75 with gcc (GCC) 8.1.0
kernel signature: 30cb787df87170b6d65046f2f35e3ed5551cace481a230b70e0bb81a9baec1f3
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 3b69fe0d6d0f760f6faba1e5e11cfacd35df8d75
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[7fcf25b4f8af806064c7b9c037bff8067ba90701] drivers/net/wan/hdlc: Set skb->protocol before transmitting
testing commit 7fcf25b4f8af806064c7b9c037bff8067ba90701 with gcc (GCC) 8.1.0
kernel signature: cfa0555d53ac7efc6ce3e447dede7bfb77137a251fae5f6d56922328ee5e67ea
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 7fcf25b4f8af806064c7b9c037bff8067ba90701
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[78ba2e803f40d55e4147f12bf9b29ac1f933992f] Input: trackpoint - enable Synaptics trackpoints
testing commit 78ba2e803f40d55e4147f12bf9b29ac1f933992f with gcc (GCC) 8.1.0
kernel signature: e11989d90dbaa8d09077d9d3d1057818f221b1d613145748521ae6c91a0071e2
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 78ba2e803f40d55e4147f12bf9b29ac1f933992f
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[3e3bbc4d23eeb90bf282e98c7dfeca7702df3169] epoll: do not insert into poll queues until all sanity checks are done
testing commit 3e3bbc4d23eeb90bf282e98c7dfeca7702df3169 with gcc (GCC) 8.1.0
kernel signature: 7c7b7b5e7cd6fbecf9d9fabf32c23cb84089a54fdf90b26cb541e8e577368010
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good 3e3bbc4d23eeb90bf282e98c7dfeca7702df3169
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ced8ce5d2157142c469eccc5eef5ea8ad579fa5e] ep_create_wakeup_source(): dentry name can change under you...
testing commit ced8ce5d2157142c469eccc5eef5ea8ad579fa5e with gcc (GCC) 8.1.0
kernel signature: 2ae54d533fa9d77b6442770af927151b3b0a9caa4e732d5de391d899e7548c78
all runs: crashed: general protection fault in get_unique_tuple
# git bisect good ced8ce5d2157142c469eccc5eef5ea8ad579fa5e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[a1b977b49b66c75e6c51a515f6700371ae720217] Linux 4.19.150
testing commit a1b977b49b66c75e6c51a515f6700371ae720217 with gcc (GCC) 8.1.0
kernel signature: c03a44b7453ab48f231ceb28a7bb2de3d4a211fe069c5457f37f325c585bd0a4
all runs: OK
# git bisect bad a1b977b49b66c75e6c51a515f6700371ae720217
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[289fe546ea16c2dcb57c5198c5a7b7387604530e] netfilter: ctnetlink: add a range check for l3/l4 protonum
testing commit 289fe546ea16c2dcb57c5198c5a7b7387604530e with gcc (GCC) 8.1.0
kernel signature: 9b1999912285ae981e6bf2e87666b8c6583aa89ed74711e3f872066c19058b79
all runs: OK
# git bisect bad 289fe546ea16c2dcb57c5198c5a7b7387604530e
289fe546ea16c2dcb57c5198c5a7b7387604530e is the first bad commit
commit 289fe546ea16c2dcb57c5198c5a7b7387604530e
Author: Will McVicker
Date:   Mon Aug 24 19:38:32 2020 +0000

    netfilter: ctnetlink: add a range check for l3/l4 protonum

    commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream.

    The indexes to the nf_nat_l[34]protos arrays come from userspace. So
    check the tuple's family, e.g. l3num, when creating the conntrack in
    order to prevent an OOB memory access during setup. Here is an
    example kernel panic on 4.14.180 when userspace passes in an index
    greater than NFPROTO_NUMPROTO.

    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    Modules linked in:...
    Process poc (pid: 5614, stack limit = 0x00000000a3933121)
    CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
    Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
    task: 000000002a3dfffe task.stack: 00000000a3933121
    pc : __cfi_check_fail+0x1c/0x24
    lr : __cfi_check_fail+0x1c/0x24
    ...
    Call trace:
    __cfi_check_fail+0x1c/0x24
    name_to_dev_t+0x0/0x468
    nfnetlink_parse_nat_setup+0x234/0x258
    ctnetlink_parse_nat_setup+0x4c/0x228
    ctnetlink_new_conntrack+0x590/0xc40
    nfnetlink_rcv_msg+0x31c/0x4d4
    netlink_rcv_skb+0x100/0x184
    nfnetlink_rcv+0xf4/0x180
    netlink_unicast+0x360/0x770
    netlink_sendmsg+0x5a0/0x6a4
    ___sys_sendmsg+0x314/0x46c
    SyS_sendmsg+0xb4/0x108
    el0_svc_naked+0x34/0x38

    This crash is not happening since 5.4+, however, ctnetlink still
    allows for creating entries with unsupported layer 3 protocol number.

    Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
    Signed-off-by: Will McVicker
    [pablo@netfilter.org: rebased original patch on top of nf.git]
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

culprit signature: 9b1999912285ae981e6bf2e87666b8c6583aa89ed74711e3f872066c19058b79
parent signature: 2ae54d533fa9d77b6442770af927151b3b0a9caa4e732d5de391d899e7548c78
revisions tested: 13, total time: 2h59m54.000226107s (build: 1h52m44.217940712s, test: 1h5m49.380327747s)
first good commit: 289fe546ea16c2dcb57c5198c5a7b7387604530e netfilter: ctnetlink: add a range check for l3/l4 protonum
recipients (to): ["gregkh@linuxfoundation.org" "pablo@netfilter.org" "willmcvicker@google.com"]
recipients (cc): []