bisecting cause commit starting from 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0
building syzkaller on 3de7aabbb79a6c2267f5d7ee8a8aaa83f63305b7
testing commit 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 with gcc (GCC) 8.1.0
kernel signature: 552391d83f8b1d279895f548b32bc12e922592c5
run #0: crashed: BUG: corrupted list in __nf_tables_abort
run #1: crashed: BUG: corrupted list in __nf_tables_abort
run #2: crashed: BUG: corrupted list in __nf_tables_abort
run #3: crashed: BUG: corrupted list in __nf_tables_abort
run #4: crashed: KASAN: use-after-free Read in __nf_tables_abort
run #5: crashed: BUG: corrupted list in __nf_tables_abort
run #6: crashed: BUG: corrupted list in __nf_tables_abort
run #7: crashed: BUG: corrupted list in __nf_tables_abort
run #8: crashed: BUG: corrupted list in __nf_tables_abort
run #9: crashed: BUG: corrupted list in __nf_tables_abort
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: e50284e2056bc6a3158a4b75288a5ceb6cfa4ff9
all runs: OK
# git bisect start 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 8004 revisions left to test after this (roughly 13 steps)
[8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0
kernel signature: b3247ada9cb4d8f7ba04d1254cfc7fc5af3743c4
all runs: OK
# git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820
Bisecting: 3970 revisions left to test after this (roughly 12 steps)
[ef2cc88e2a205b8a11a19e78db63a70d3728cdf5] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit ef2cc88e2a205b8a11a19e78db63a70d3728cdf5 with gcc (GCC) 8.1.0
kernel signature: 673c25900cb9d9d3feb1d45d57efb37b997201f4
all runs: OK
# git bisect good ef2cc88e2a205b8a11a19e78db63a70d3728cdf5
Bisecting: 1980 revisions left to test after this (roughly 11 steps)
[b08baef02b26cf7c2123e4a24a2fa1fb7a593ffb] Merge tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit b08baef02b26cf7c2123e4a24a2fa1fb7a593ffb with gcc (GCC) 8.1.0
kernel signature: 9782bd8955a495927e72ef658642f187b34e0699
all runs: OK
# git bisect good b08baef02b26cf7c2123e4a24a2fa1fb7a593ffb
Bisecting: 990 revisions left to test after this (roughly 10 steps)
[89c683cd06e03dfd3186c4cab1e2a39982c42a48] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 89c683cd06e03dfd3186c4cab1e2a39982c42a48 with gcc (GCC) 8.1.0
kernel signature: 1336b5e2ba18bc469a4d240d4dda70327e41ec13
all runs: OK
# git bisect good 89c683cd06e03dfd3186c4cab1e2a39982c42a48
Bisecting: 491 revisions left to test after this (roughly 9 steps)
[a396560706d457058b9f54f184b6f5973c82032c] Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit a396560706d457058b9f54f184b6f5973c82032c with gcc (GCC) 8.1.0
kernel signature: 7509e037f9f215aa5a4264b271beb00e9cb98443
all runs: OK
# git bisect good a396560706d457058b9f54f184b6f5973c82032c
Bisecting: 251 revisions left to test after this (roughly 8 steps)
[7312b70699252074d753c5005fc67266c547bbe3] hexagon: define ioremap_uc
testing commit 7312b70699252074d753c5005fc67266c547bbe3 with gcc (GCC) 8.1.0
kernel signature: c19e70844ce1a16dcef46023d807d32456770e7a
all runs: OK
# git bisect good 7312b70699252074d753c5005fc67266c547bbe3
Bisecting: 110 revisions left to test after this (roughly 7 steps)
[a5f48c7878d2365f6ff7008e9317abbc16f68847] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit a5f48c7878d2365f6ff7008e9317abbc16f68847 with gcc (GCC) 8.1.0
kernel signature: 35609d8d80ad7ba709ce37d03f6f1545f08fdcaf
all runs: OK
# git bisect good a5f48c7878d2365f6ff7008e9317abbc16f68847
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[eb507906feaaf827395e5f96f2320e0c7731e4ff] Merge tag 'mac80211-for-net-2020-01-15' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
testing commit eb507906feaaf827395e5f96f2320e0c7731e4ff with gcc (GCC) 8.1.0
kernel signature: b544238c655a0112132fa3610b01391f01f44f07
all runs: OK
# git bisect good eb507906feaaf827395e5f96f2320e0c7731e4ff
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[3981f955eb27fd4f52b8cef198091530811229f2] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 3981f955eb27fd4f52b8cef198091530811229f2 with gcc (GCC) 8.1.0
kernel signature: 1b6fa84ce0fc4228416e83aeb352cd0bf7c41a74
all runs: OK
# git bisect good 3981f955eb27fd4f52b8cef198091530811229f2
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[61177e911dad660df86a4553eb01c95ece2f6a82] netfilter: nat: fix ICMP header corruption on ICMP errors
testing commit 61177e911dad660df86a4553eb01c95ece2f6a82 with gcc (GCC) 8.1.0
kernel signature: b61231c6b05479875a8ca40dbde23c9c943b5b5b
run #0: crashed: BUG: corrupted list in __nf_tables_abort
run #1: crashed: KASAN: use-after-free Read in __nf_tables_abort
run #2: crashed: BUG: corrupted list in __nf_tables_abort
run #3: crashed: BUG: corrupted list in __nf_tables_abort
run #4: crashed: BUG: corrupted list in __nf_tables_abort
run #5: crashed: KASAN: use-after-free Read in __nf_tables_abort
run #6: crashed: BUG: corrupted list in __nf_tables_abort
run #7: crashed: KASAN: use-after-free Read in __nf_tables_abort
run #8: crashed: BUG: corrupted list in __nf_tables_abort
run #9: crashed: KASAN: use-after-free Read in __nf_tables_abort
# git bisect bad 61177e911dad660df86a4553eb01c95ece2f6a82
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[1c702bf902bd37349f6d91cd7f4b372b1e46d0ed] netfilter: nft_tunnel: fix null-attribute check
testing commit 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed with gcc (GCC) 8.1.0
kernel signature: d3cd07527e9fc6cdaf6b19cc60249b8f75f165e9
all runs: crashed: BUG: corrupted list in __nf_tables_abort
# git bisect bad 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed
Bisecting: 1 revision left to test after this (roughly 1 step)
[212e7f56605ef9688d0846db60c6c6ec06544095] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
testing commit 212e7f56605ef9688d0846db60c6c6ec06544095 with gcc (GCC) 8.1.0
kernel signature: 9bd503fea771877d5f3abd2e4730e93929c9979c
all runs: OK
# git bisect good 212e7f56605ef9688d0846db60c6c6ec06544095
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91] netfilter: nf_tables: store transaction list locally while requesting module
testing commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 with gcc (GCC) 8.1.0
kernel signature: 931b82f99f6e5b5beb25cf1dd289ba8c4689766c
run #0: crashed: BUG: corrupted list in __nf_tables_abort
run #1: crashed: BUG: corrupted list in __nf_tables_abort
run #2: crashed: BUG: corrupted list in __nf_tables_abort
run #3: crashed: BUG: corrupted list in __nf_tables_abort
run #4: crashed: BUG: corrupted list in __nf_tables_abort
run #5: crashed: BUG: corrupted list in __nf_tables_abort
run #6: crashed: BUG: corrupted list in __nf_tables_abort
run #7: crashed: BUG: corrupted list in __nf_tables_abort
run #8: crashed: BUG: corrupted list in __nf_tables_abort
run #9: crashed: KASAN: use-after-free Read in __nf_tables_abort
# git bisect bad ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91
ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 is the first bad commit
commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Jan 13 18:09:58 2020 +0100

    netfilter: nf_tables: store transaction list locally while requesting module
    
    This patch fixes a WARN_ON in nft_set_destroy() due to missing
    set reference count drop from the preparation phase. This is triggered
    by the module autoload path. Do not exercise the abort path from
    nft_request_module() while preparation phase cleaning up is still
    pending.
    
     WARNING: CPU: 3 PID: 3456 at net/netfilter/nf_tables_api.c:3740 nft_set_destroy+0x45/0x50 [nf_tables]
     [...]
     CPU: 3 PID: 3456 Comm: nft Not tainted 5.4.6-arch3-1 #1
     RIP: 0010:nft_set_destroy+0x45/0x50 [nf_tables]
     Code: e8 30 eb 83 c6 48 8b 85 80 00 00 00 48 8b b8 90 00 00 00 e8 dd 6b d7 c5 48 8b 7d 30 e8 24 dd eb c5 48 89 ef 5d e9 6b c6 e5 c5 <0f> 0b c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 7f 10 e9 52
     RSP: 0018:ffffac4f43e53700 EFLAGS: 00010202
     RAX: 0000000000000001 RBX: ffff99d63a154d80 RCX: 0000000001f88e03
     RDX: 0000000001f88c03 RSI: ffff99d6560ef0c0 RDI: ffff99d63a101200
     RBP: ffff99d617721de0 R08: 0000000000000000 R09: 0000000000000318
     R10: 00000000f0000000 R11: 0000000000000001 R12: ffffffff880fabf0
     R13: dead000000000122 R14: dead000000000100 R15: ffff99d63a154d80
     FS:  00007ff3dbd5b740(0000) GS:ffff99d6560c0000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00001cb5de6a9000 CR3: 000000016eb6a004 CR4: 00000000001606e0
     Call Trace:
      __nf_tables_abort+0x3e3/0x6d0 [nf_tables]
      nft_request_module+0x6f/0x110 [nf_tables]
      nft_expr_type_request_module+0x28/0x50 [nf_tables]
      nf_tables_expr_parse+0x198/0x1f0 [nf_tables]
      nft_expr_init+0x3b/0xf0 [nf_tables]
      nft_dynset_init+0x1e2/0x410 [nf_tables]
      nf_tables_newrule+0x30a/0x930 [nf_tables]
      nfnetlink_rcv_batch+0x2a0/0x640 [nfnetlink]
      nfnetlink_rcv+0x125/0x171 [nfnetlink]
      netlink_unicast+0x179/0x210
      netlink_sendmsg+0x208/0x3d0
      sock_sendmsg+0x5e/0x60
      ____sys_sendmsg+0x21b/0x290
    
    Update comment on the code to describe the new behaviour.
    
    Reported-by: Marco Oliverio <marco.oliverio@tanaza.com>
    Fixes: 452238e8d5ff ("netfilter: nf_tables: add and use helper for module autoload")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_tables_api.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
culprit signature: 931b82f99f6e5b5beb25cf1dd289ba8c4689766c
parent  signature: 9bd503fea771877d5f3abd2e4730e93929c9979c
revisions tested: 15, total time: 3h57m52.659711014s (build: 1h37m35.367637833s, test: 2h18m45.724064137s)
first bad commit: ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 netfilter: nf_tables: store transaction list locally while requesting module
cc: ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@netfilter.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org"]
crash: KASAN: use-after-free Read in __nf_tables_abort
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xd0/0xf3 lib/list_debug.c:42
Read of size 8 at addr ffff88809a6d6008 by task syz-executor.4/8556

CPU: 0 PID: 8556 Comm: syz-executor.4 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __list_del_entry_valid+0xd0/0xf3 lib/list_debug.c:42
 __list_del_entry+0xf/0xb0 include/linux/list.h:131
 list_del_rcu include/linux/rculist.h:148 [inline]
 __nf_tables_abort+0x1bef/0x2c30 net/netfilter/nf_tables_api.c:7246
 nf_tables_abort+0xf/0x30 net/netfilter/nf_tables_api.c:7361
 nfnetlink_rcv_batch+0x50b/0x15b0 net/netfilter/nfnetlink.c:494
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
 nfnetlink_rcv+0x2eb/0x3b0 net/netfilter/nfnetlink.c:561
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:659
 ____sys_sendmsg+0x603/0x950 net/socket.c:2330
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2384
 __sys_sendmsg+0xd9/0x180 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg net/socket.c:2424 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2424
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45aff9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f269790bc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f269790c6d4 RCX: 000000000045aff9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000901 R14: 00000000004ca2fe R15: 000000000075bf2c

Allocated by task 8556:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:513
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 kmem_cache_alloc_trace+0x15b/0x780 mm/slab.c:3551
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:670 [inline]
 nf_tables_newtable+0x27f/0x14e0 net/netfilter/nf_tables_api.c:979
 nfnetlink_rcv_batch+0xc75/0x15b0 net/netfilter/nfnetlink.c:433
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
 nfnetlink_rcv+0x2eb/0x3b0 net/netfilter/nfnetlink.c:561
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:659
 ____sys_sendmsg+0x603/0x950 net/socket.c:2330
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2384
 __sys_sendmsg+0xd9/0x180 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg net/socket.c:2424 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2424
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2733:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x108/0x2c0 mm/slab.c:3757
 nf_tables_table_destroy.isra.61+0xd0/0x110 net/netfilter/nf_tables_api.c:1152
 nft_commit_release net/netfilter/nf_tables_api.c:6798 [inline]
 nf_tables_trans_destroy_work+0x45c/0x6e0 net/netfilter/nf_tables_api.c:6848
 process_one_work+0x856/0x1630 kernel/workqueue.c:2264
 worker_thread+0x85/0xb60 kernel/workqueue.c:2410
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88809a6d6000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff88809a6d6000, ffff88809a6d6200)
The buggy address belongs to the page:
page:ffffea000269b580 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0
raw: 00fffe0000000200 ffffea0002843348 ffffea0002574e88 ffff8880aa400a80
raw: 0000000000000000 ffff88809a6d6000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809a6d5f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
 ffff88809a6d5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809a6d6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88809a6d6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809a6d6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================