bisecting fixing commit since 9bc62afe03afdf33904f5e784e1ad68c50ff00bb
building syzkaller on 8cac236e8c3741446e540b2fe0702086a4ae4c17
testing commit 9bc62afe03afdf33904f5e784e1ad68c50ff00bb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 996e0c9a8941ee71fdb5dd5c27041c7c3103381c713c08f1f03b6ab9dee73458
run #0: crashed: general protection fault in nf_tables_dump_tables
run #1: crashed: general protection fault in nf_tables_dump_tables
run #2: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #3: crashed: general protection fault in nf_tables_dump_tables
run #4: crashed: general protection fault in nf_tables_dump_tables
run #5: crashed: general protection fault in nf_tables_dump_tables
run #6: crashed: general protection fault in nf_tables_dump_tables
run #7: crashed: general protection fault in nf_tables_dump_tables
run #8: crashed: general protection fault in nf_tables_dump_tables
run #9: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #10: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #11: crashed: general protection fault in nf_tables_dump_tables
run #12: crashed: general protection fault in nf_tables_dump_tables
run #13: crashed: general protection fault in nf_tables_dump_tables
run #14: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #15: crashed: general protection fault in nf_tables_dump_tables
run #16: crashed: general protection fault in nf_tables_dump_tables
run #17: crashed: general protection fault in nf_tables_dump_tables
run #18: crashed: general protection fault in nf_tables_dump_tables
run #19: crashed: general protection fault in nf_tables_dump_tables
testing current HEAD 95a359c9553342d36d408d35331ff0bfce75272f
testing commit 95a359c9553342d36d408d35331ff0bfce75272f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 97599639b046435f92cc6641083bb0588f6d5b82f654fa99b1d135312d0d2a10
all runs: OK
# git bisect start 95a359c9553342d36d408d35331ff0bfce75272f 9bc62afe03afdf33904f5e784e1ad68c50ff00bb
Bisecting: 763 revisions left to test after this (roughly 10 steps)
[3e899c7209dd8f7afca59518c5ace0f03385dbc3] Merge tag 'armsoc-fixes-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 3e899c7209dd8f7afca59518c5ace0f03385dbc3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 91dac45c30ab62c0cdae1f83aabe65d4cf89f00641843d23d0d49f75e8d2b083
all runs: OK
# git bisect bad 3e899c7209dd8f7afca59518c5ace0f03385dbc3
Bisecting: 400 revisions left to test after this (roughly 9 steps)
[115f6134a050bb098414f38555a5ab780ebbfef0] Merge tag 'gpio-fixes-for-v5.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
testing commit 115f6134a050bb098414f38555a5ab780ebbfef0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3db321beed6192b838fa59c296afed5fc966879db06a4725484feed1c61b6f2f
run #0: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #1: crashed: general protection fault in nf_tables_dump_tables
run #2: crashed: general protection fault in nf_tables_dump_tables
run #3: crashed: general protection fault in nf_tables_dump_tables
run #4: crashed: general protection fault in nf_tables_dump_tables
run #5: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #6: crashed: general protection fault in nf_tables_dump_tables
run #7: crashed: general protection fault in nf_tables_dump_tables
run #8: crashed: general protection fault in nf_tables_dump_tables
run #9: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
# git bisect good 115f6134a050bb098414f38555a5ab780ebbfef0
Bisecting: 203 revisions left to test after this (roughly 8 steps)
[7fab1c12bde926c5a8c7d5984c551d0854d7e0b3] objtool: print out the symbol type when complaining about it
testing commit 7fab1c12bde926c5a8c7d5984c551d0854d7e0b3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 32fb5babc39d9f40bf0b93fd6183db228ae453438dea3285d35fa5207f1f6b1d
all runs: OK
# git bisect bad 7fab1c12bde926c5a8c7d5984c551d0854d7e0b3
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[89e503592385fbed872c7ea1fb89931ece3409a5] Merge tag 'iommu-fixes-v5.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
testing commit 89e503592385fbed872c7ea1fb89931ece3409a5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fd4295c10fef3538ee6242b5c8d5d9d88bdc10d29d0a2b7bfd24471a901c6ec0
all runs: OK
# git bisect bad 89e503592385fbed872c7ea1fb89931ece3409a5
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[3b1b6e82fb5e08e2cb355d7b2ee8644ec289de66] net: phy: enhance GPY115 loopback disable function
testing commit 3b1b6e82fb5e08e2cb355d7b2ee8644ec289de66
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: da202d98dfb27a0f83d91208f54a7e6098a5e532c35bc3a3dad47b358c55dad7
all runs: OK
# git bisect bad 3b1b6e82fb5e08e2cb355d7b2ee8644ec289de66
Bisecting: 19 revisions left to test after this (roughly 5 steps)
[7fe7f3182a0dd8f9bad463598ed103b3d8cfa739] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit 7fe7f3182a0dd8f9bad463598ed103b3d8cfa739
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0dac86e04bcf53645cea73a7f07d82434690368004fd5709cf75fb89cc3b3741
all runs: OK
# git bisect bad 7fe7f3182a0dd8f9bad463598ed103b3d8cfa739
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[7970a19b71044bf4dc2c1becc200275bdf1884d4] netfilter: nf_nat_masquerade: defer conntrack walk to work queue
testing commit 7970a19b71044bf4dc2c1becc200275bdf1884d4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7451a6804aa35e77f74f00d1d9cd88f7cb7ab93dae7715bcb80aec7df6f54634
all runs: OK
# git bisect bad 7970a19b71044bf4dc2c1becc200275bdf1884d4
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[d2966dc77ba7b2678f7aee97bf9a65702ec8e2b6] netfilter: nat: include zone id in nat table hash again
testing commit d2966dc77ba7b2678f7aee97bf9a65702ec8e2b6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5051c29679aa77e0ec049132035cd5a5169f0ac301fae3cfcb6409337ad07427
run #0: crashed: general protection fault in nf_tables_dump_tables
run #1: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #2: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #3: crashed: general protection fault in nf_tables_dump_tables
run #4: crashed: general protection fault in nf_tables_dump_tables
run #5: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #6: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #7: crashed: general protection fault in nf_tables_dump_tables
run #8: crashed: general protection fault in nf_tables_dump_tables
run #9: crashed: general protection fault in nf_tables_dump_tables
# git bisect good d2966dc77ba7b2678f7aee97bf9a65702ec8e2b6
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[a499b03bf36b0c2e3b958a381d828678ab0ffc5e] netfilter: nf_tables: unlink table before deleting it
testing commit a499b03bf36b0c2e3b958a381d828678ab0ffc5e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3b4ab800b62f55c9ff0fefc252f2ebeb1b542656d849479428eadb5ff4f9efc5
run #0: basic kernel testing failed: KFENCE: use-after-free in kvm_fastop_exception
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad a499b03bf36b0c2e3b958a381d828678ab0ffc5e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[cb89f63ba662d2b56583f4dd3dd2b7f03b6d6587] selftests: netfilter: add zone stress test with colliding tuples
testing commit cb89f63ba662d2b56583f4dd3dd2b7f03b6d6587
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5051c29679aa77e0ec049132035cd5a5169f0ac301fae3cfcb6409337ad07427
run #0: crashed: general protection fault in nf_tables_dump_tables
run #1: crashed: general protection fault in nf_tables_dump_tables
run #2: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #3: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #4: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #5: crashed: general protection fault in nf_tables_dump_tables
run #6: crashed: general protection fault in nf_tables_dump_tables
run #7: crashed: KASAN: use-after-free Read in nf_tables_fill_table_info
run #8: crashed: general protection fault in nf_tables_dump_tables
run #9: crashed: general protection fault in nf_tables_dump_tables
# git bisect good cb89f63ba662d2b56583f4dd3dd2b7f03b6d6587
a499b03bf36b0c2e3b958a381d828678ab0ffc5e is the first bad commit
commit a499b03bf36b0c2e3b958a381d828678ab0ffc5e
Author: Florian Westphal
Date: Mon Sep 13 14:42:33 2021 +0200

    netfilter: nf_tables: unlink table before deleting it

    syzbot reports following UAF:
    BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955
    nla_strcmp+0xf2/0x130 lib/nlattr.c:836
    nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570
    nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]
    nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064
    nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285
    netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504

    Problem is that all get operations are lockless, so the commit_mutex
    held by nft_rcv_nl_event() isn't enough to stop a parallel GET request
    from doing read-accesses to the table object even after synchronize_rcu().

    To avoid this, unlink the table first and store the table objects in
    on-stack scratch space.

    Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership")
    Reported-and-tested-by: syzbot+f31660cf279b0557160c@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

 net/netfilter/nf_tables_api.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

culprit signature: 3b4ab800b62f55c9ff0fefc252f2ebeb1b542656d849479428eadb5ff4f9efc5
parent signature: 5051c29679aa77e0ec049132035cd5a5169f0ac301fae3cfcb6409337ad07427
revisions tested: 12, total time: 2h56m17.426189s (build: 1h18m12.290960149s, test: 1h36m42.178281173s)
first good commit: a499b03bf36b0c2e3b958a381d828678ab0ffc5e netfilter: nf_tables: unlink table before deleting it
recipients (to): ["fw@strlen.de" "pablo@netfilter.org" "syzbot+f31660cf279b0557160c@syzkaller.appspotmail.com"]
recipients (cc): []