bisecting cause commit starting from 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 building syzkaller on 3de7aabbb79a6c2267f5d7ee8a8aaa83f63305b7 testing commit 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 with gcc (GCC) 8.1.0 kernel signature: 7ca85088d4360637f79812563e0049b6afc0a0a7 all runs: crashed: WARNING in nf_tables_table_destroy testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 1f09ab6ef5becb12aac5104dfa07ac643dc9e8e9 all runs: OK # git bisect start 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 8004 revisions left to test after this (roughly 13 steps) [8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0 kernel signature: cf16fe8bdb482dcbd64cceb21ddd128ca8fae190 all runs: OK # git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820 Bisecting: 3970 revisions left to test after this (roughly 12 steps) [ef2cc88e2a205b8a11a19e78db63a70d3728cdf5] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit ef2cc88e2a205b8a11a19e78db63a70d3728cdf5 with gcc (GCC) 8.1.0 kernel signature: 71e6a45486380ebcbdcdf8667cf3531d41d9eab8 all runs: OK # git bisect good ef2cc88e2a205b8a11a19e78db63a70d3728cdf5 Bisecting: 1980 revisions left to test after this (roughly 11 steps) [b08baef02b26cf7c2123e4a24a2fa1fb7a593ffb] Merge tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit b08baef02b26cf7c2123e4a24a2fa1fb7a593ffb with gcc (GCC) 8.1.0 kernel signature: d17ca8d3ca2b40efd230c1ebbf5a209a1da12d4b all runs: OK # git bisect good b08baef02b26cf7c2123e4a24a2fa1fb7a593ffb Bisecting: 990 revisions left to test after this (roughly 10 steps) [89c683cd06e03dfd3186c4cab1e2a39982c42a48] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 89c683cd06e03dfd3186c4cab1e2a39982c42a48 with gcc (GCC) 8.1.0 kernel signature: 5c78147c55fd6cd531fc3013e6e7eacb2ceb9f36 all runs: OK # git bisect good 89c683cd06e03dfd3186c4cab1e2a39982c42a48 Bisecting: 491 revisions left to test after this (roughly 9 steps) [a396560706d457058b9f54f184b6f5973c82032c] Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 testing commit a396560706d457058b9f54f184b6f5973c82032c with gcc (GCC) 8.1.0 kernel signature: f6d6885c48372f6833df4d20f1e15d2be2a2ed90 all runs: OK # git bisect good a396560706d457058b9f54f184b6f5973c82032c Bisecting: 251 revisions left to test after this (roughly 8 steps) [7312b70699252074d753c5005fc67266c547bbe3] hexagon: define ioremap_uc testing commit 7312b70699252074d753c5005fc67266c547bbe3 with gcc (GCC) 8.1.0 kernel signature: e62f208105cdfbef88f5fbdd7d07822c668779c3 all runs: OK # git bisect good 7312b70699252074d753c5005fc67266c547bbe3 Bisecting: 110 revisions left to test after this (roughly 7 steps) [a5f48c7878d2365f6ff7008e9317abbc16f68847] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit a5f48c7878d2365f6ff7008e9317abbc16f68847 with gcc (GCC) 8.1.0 kernel signature: 124344e9089c3ac0559301ec2716d69256b68b12 all runs: OK # git bisect good a5f48c7878d2365f6ff7008e9317abbc16f68847 Bisecting: 52 revisions left to test after this (roughly 6 steps) [eb507906feaaf827395e5f96f2320e0c7731e4ff] Merge tag 'mac80211-for-net-2020-01-15' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 testing commit eb507906feaaf827395e5f96f2320e0c7731e4ff with gcc (GCC) 8.1.0 kernel signature: 9116a16068ad40ef18d2b616c9535be5d99471b3 all runs: OK # git bisect good eb507906feaaf827395e5f96f2320e0c7731e4ff Bisecting: 22 revisions left to test after this (roughly 5 steps) [3981f955eb27fd4f52b8cef198091530811229f2] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf testing commit 3981f955eb27fd4f52b8cef198091530811229f2 with gcc (GCC) 8.1.0 kernel signature: b270a6a6d6d800731b7d338d3bdf6a84eaf52b20 all runs: OK # git bisect good 3981f955eb27fd4f52b8cef198091530811229f2 Bisecting: 13 revisions left to test after this (roughly 4 steps) [61177e911dad660df86a4553eb01c95ece2f6a82] netfilter: nat: fix ICMP header corruption on ICMP errors testing commit 61177e911dad660df86a4553eb01c95ece2f6a82 with gcc (GCC) 8.1.0 kernel signature: 067c005cddab29445cbc6482acfce2e7f3c20034 all runs: crashed: WARNING in nf_tables_table_destroy # git bisect bad 61177e911dad660df86a4553eb01c95ece2f6a82 Bisecting: 4 revisions left to test after this (roughly 2 steps) [1c702bf902bd37349f6d91cd7f4b372b1e46d0ed] netfilter: nft_tunnel: fix null-attribute check testing commit 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed with gcc (GCC) 8.1.0 kernel signature: ee9dc48f91e579e8f663897f08c94238f92a9625 all runs: crashed: WARNING in nf_tables_table_destroy # git bisect bad 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed Bisecting: 1 revision left to test after this (roughly 1 step) [212e7f56605ef9688d0846db60c6c6ec06544095] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct testing commit 212e7f56605ef9688d0846db60c6c6ec06544095 with gcc (GCC) 8.1.0 kernel signature: 1709e1695b88d273a525fbd35cd741d9a4465574 all runs: OK # git bisect good 212e7f56605ef9688d0846db60c6c6ec06544095 Bisecting: 0 revisions left to test after this (roughly 0 steps) [ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91] netfilter: nf_tables: store transaction list locally while requesting module testing commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 with gcc (GCC) 8.1.0 kernel signature: 353a22e3a1bb3b5785674ff3c9b60e441a486981 all runs: crashed: WARNING in nf_tables_table_destroy # git bisect bad ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 is the first bad commit commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 Author: Pablo Neira Ayuso Date: Mon Jan 13 18:09:58 2020 +0100 netfilter: nf_tables: store transaction list locally while requesting module This patch fixes a WARN_ON in nft_set_destroy() due to missing set reference count drop from the preparation phase. This is triggered by the module autoload path. Do not exercise the abort path from nft_request_module() while preparation phase cleaning up is still pending. WARNING: CPU: 3 PID: 3456 at net/netfilter/nf_tables_api.c:3740 nft_set_destroy+0x45/0x50 [nf_tables] [...] CPU: 3 PID: 3456 Comm: nft Not tainted 5.4.6-arch3-1 #1 RIP: 0010:nft_set_destroy+0x45/0x50 [nf_tables] Code: e8 30 eb 83 c6 48 8b 85 80 00 00 00 48 8b b8 90 00 00 00 e8 dd 6b d7 c5 48 8b 7d 30 e8 24 dd eb c5 48 89 ef 5d e9 6b c6 e5 c5 <0f> 0b c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 7f 10 e9 52 RSP: 0018:ffffac4f43e53700 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff99d63a154d80 RCX: 0000000001f88e03 RDX: 0000000001f88c03 RSI: ffff99d6560ef0c0 RDI: ffff99d63a101200 RBP: ffff99d617721de0 R08: 0000000000000000 R09: 0000000000000318 R10: 00000000f0000000 R11: 0000000000000001 R12: ffffffff880fabf0 R13: dead000000000122 R14: dead000000000100 R15: ffff99d63a154d80 FS: 00007ff3dbd5b740(0000) GS:ffff99d6560c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00001cb5de6a9000 CR3: 000000016eb6a004 CR4: 00000000001606e0 Call Trace: __nf_tables_abort+0x3e3/0x6d0 [nf_tables] nft_request_module+0x6f/0x110 [nf_tables] nft_expr_type_request_module+0x28/0x50 [nf_tables] nf_tables_expr_parse+0x198/0x1f0 [nf_tables] nft_expr_init+0x3b/0xf0 [nf_tables] nft_dynset_init+0x1e2/0x410 [nf_tables] nf_tables_newrule+0x30a/0x930 [nf_tables] nfnetlink_rcv_batch+0x2a0/0x640 [nfnetlink] nfnetlink_rcv+0x125/0x171 [nfnetlink] netlink_unicast+0x179/0x210 netlink_sendmsg+0x208/0x3d0 sock_sendmsg+0x5e/0x60 ____sys_sendmsg+0x21b/0x290 Update comment on the code to describe the new behaviour. Reported-by: Marco Oliverio Fixes: 452238e8d5ff ("netfilter: nf_tables: add and use helper for module autoload") Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) culprit signature: 353a22e3a1bb3b5785674ff3c9b60e441a486981 parent signature: 1709e1695b88d273a525fbd35cd741d9a4465574 revisions tested: 15, total time: 4h0m4.78300034s (build: 1h38m49.557335447s, test: 2h20m8.313001927s) first bad commit: ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 netfilter: nf_tables: store transaction list locally while requesting module cc: ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@netfilter.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org"] crash: WARNING in nf_tables_table_destroy ------------[ cut here ]------------ WARNING: CPU: 1 PID: 8293 at net/netfilter/nf_tables_api.c:1147 nf_tables_table_destroy.isra.61+0xd5/0x110 net/netfilter/nf_tables_api.c:1153 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 8293 Comm: syz-executor.4 Not tainted 5.5.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.10+0x25/0x2a kernel/panic.c:582 report_bug+0x1b0/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:174 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:nf_tables_table_destroy.isra.61+0xd5/0x110 net/netfilter/nf_tables_api.c:1147 Code: 00 e8 9f c6 b3 fb 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 36 48 8b 3b e8 80 c6 b3 fb 5b 41 5c 5d c3 <0f> 0b eb f7 e8 a2 15 b4 fb e9 6e ff ff ff e8 b8 15 b4 fb e9 38 ff RSP: 0018:ffffc90002717478 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff88809653eda0 RCX: 1ffff11013052a70 RDX: 1ffff11012c70834 RSI: 0000000000000008 RDI: ffff8880963841a0 RBP: ffffc90002717488 R08: 0000000000000006 R09: fffffbfff14badb3 R10: fffffbfff14badb2 R11: ffffffff8a5d6d97 R12: ffff888096384000 R13: ffff888098295380 R14: dffffc0000000000 R15: ffff88809653ed88 nf_tables_abort_release net/netfilter/nf_tables_api.c:7204 [inline] __nf_tables_abort+0x1914/0x2c30 net/netfilter/nf_tables_api.c:7348 nf_tables_abort+0xf/0x30 net/netfilter/nf_tables_api.c:7361 nfnetlink_rcv_batch+0x50b/0x15b0 net/netfilter/nfnetlink.c:494 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline] nfnetlink_rcv+0x2eb/0x3b0 net/netfilter/nfnetlink.c:561 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:659 ____sys_sendmsg+0x603/0x950 net/socket.c:2330 ___sys_sendmsg+0xe4/0x160 net/socket.c:2384 __sys_sendmsg+0xd9/0x180 net/socket.c:2417 __do_sys_sendmsg net/socket.c:2426 [inline] __se_sys_sendmsg net/socket.c:2424 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2424 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45aff9 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f9e17b77c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f9e17b786d4 RCX: 000000000045aff9 RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000004 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000901 R14: 00000000004ca2fe R15: 000000000075bf2c Kernel Offset: disabled Rebooting in 86400 seconds..