bisecting cause commit starting from d96d875ef5dd372f533059a44f98e92de9cf0d42 building syzkaller on 8eda0b957e5b39c0c525e74f51d6b39ab8c5b1ac testing commit d96d875ef5dd372f533059a44f98e92de9cf0d42 with gcc (GCC) 8.1.0 kernel signature: d397d0a6f935c788aecd6364826774395b013c16 run #0: crashed: BUG: corrupted list in __nf_tables_abort run #1: crashed: BUG: corrupted list in __nf_tables_abort run #2: crashed: BUG: corrupted list in __nf_tables_abort run #3: crashed: BUG: corrupted list in __nf_tables_abort run #4: crashed: BUG: corrupted list in __nf_tables_abort run #5: crashed: BUG: corrupted list in __nf_tables_abort run #6: crashed: BUG: corrupted list in __nf_tables_abort run #7: crashed: BUG: corrupted list in __nf_tables_abort run #8: crashed: BUG: corrupted list in __nf_tables_abort run #9: crashed: KASAN: use-after-free Read in __nf_tables_abort testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 432d1e7b8a1afc6c8cbc418358e142ff0ae70d7d all runs: OK # git bisect start d96d875ef5dd372f533059a44f98e92de9cf0d42 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 8418 revisions left to test after this (roughly 13 steps) [8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0 kernel signature: d89a1cbe8d3328a2e97987c26f9a2ea8cc8a84a6 all runs: OK # git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820 Bisecting: 4182 revisions left to test after this (roughly 12 steps) [97eeb4d9d755605385fa329da9afa38729f3413c] Merge tag 'xfs-5.5-merge-16' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux testing commit 97eeb4d9d755605385fa329da9afa38729f3413c with gcc (GCC) 8.1.0 kernel signature: 3f7fe430a0de673d73875531c98e8307822f1192 all runs: OK # git bisect good 97eeb4d9d755605385fa329da9afa38729f3413c Bisecting: 2093 revisions left to test after this (roughly 11 steps) [85190d15f4ea88e60047256fecb8216d5323ea47] pipe: don't use 'pipe_wait() for basic pipe IO testing commit 85190d15f4ea88e60047256fecb8216d5323ea47 with gcc (GCC) 8.1.0 kernel signature: cb2a462ad84affdcddb2ac452b277d4fbce73a3c all runs: OK # git bisect good 85190d15f4ea88e60047256fecb8216d5323ea47 Bisecting: 1128 revisions left to test after this (roughly 10 steps) [0dd1e3773ae8afc4bfdce782bdeffc10f9cae6ec] pipe: fix empty pipe check in pipe_write() testing commit 0dd1e3773ae8afc4bfdce782bdeffc10f9cae6ec with gcc (GCC) 8.1.0 kernel signature: cc7bd43ee9417e6da47d6f09cea151cd726022e7 all runs: OK # git bisect good 0dd1e3773ae8afc4bfdce782bdeffc10f9cae6ec Bisecting: 601 revisions left to test after this (roughly 9 steps) [b07f636fca1c8fbba124b0082487c0b3890a0e0c] Merge tag 'tpmdd-next-20200108' of git://git.infradead.org/users/jjs/linux-tpmdd testing commit b07f636fca1c8fbba124b0082487c0b3890a0e0c with gcc (GCC) 8.1.0 kernel signature: a39f49b96e6a90b79359f9f7237c0238d6823724 all runs: OK # git bisect good b07f636fca1c8fbba124b0082487c0b3890a0e0c Bisecting: 298 revisions left to test after this (roughly 8 steps) [ef64753c1922511e7d81947a8d27e72925a05e2c] Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit ef64753c1922511e7d81947a8d27e72925a05e2c with gcc (GCC) 8.1.0 kernel signature: 585817dd81857d767ee4f3b18012b143fd88abb3 all runs: OK # git bisect good ef64753c1922511e7d81947a8d27e72925a05e2c Bisecting: 145 revisions left to test after this (roughly 7 steps) [b07b9e8d631856c9e42af79900527509449206f4] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit b07b9e8d631856c9e42af79900527509449206f4 with gcc (GCC) 8.1.0 kernel signature: 5178475d34555544e91da4e76a9459efe72cd2b9 all runs: OK # git bisect good b07b9e8d631856c9e42af79900527509449206f4 Bisecting: 72 revisions left to test after this (roughly 6 steps) [1712b2fff8c682d145c7889d2290696647d82dab] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() testing commit 1712b2fff8c682d145c7889d2290696647d82dab with gcc (GCC) 8.1.0 kernel signature: a878dcc32f8c7b31c86cdb74437e8d192bf81f6f all runs: OK # git bisect good 1712b2fff8c682d145c7889d2290696647d82dab Bisecting: 36 revisions left to test after this (roughly 5 steps) [5f43644394a96a8bcd8fc29a8bbd9c40b4465b54] Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit 5f43644394a96a8bcd8fc29a8bbd9c40b4465b54 with gcc (GCC) 8.1.0 kernel signature: 28c8f71932c3901f01373aac908b778b56daa536 all runs: OK # git bisect good 5f43644394a96a8bcd8fc29a8bbd9c40b4465b54 Bisecting: 18 revisions left to test after this (roughly 4 steps) [49edd6a2c456150870ddcef5b7ed11b21d849e13] net: hns: fix soft lockup when there is not enough memory testing commit 49edd6a2c456150870ddcef5b7ed11b21d849e13 with gcc (GCC) 8.1.0 kernel signature: 403b1f7d9e2fa02bcfb2eff5494b70838d4a5d46 run #0: crashed: BUG: corrupted list in __nf_tables_abort run #1: crashed: BUG: corrupted list in __nf_tables_abort run #2: crashed: BUG: corrupted list in __nf_tables_abort run #3: crashed: BUG: corrupted list in __nf_tables_abort run #4: crashed: KASAN: use-after-free Read in __nf_tables_abort run #5: crashed: BUG: corrupted list in __nf_tables_abort run #6: crashed: BUG: corrupted list in __nf_tables_abort run #7: crashed: BUG: corrupted list in __nf_tables_abort run #8: crashed: BUG: corrupted list in __nf_tables_abort run #9: crashed: BUG: corrupted list in __nf_tables_abort # git bisect bad 49edd6a2c456150870ddcef5b7ed11b21d849e13 Bisecting: 8 revisions left to test after this (roughly 3 steps) [61177e911dad660df86a4553eb01c95ece2f6a82] netfilter: nat: fix ICMP header corruption on ICMP errors testing commit 61177e911dad660df86a4553eb01c95ece2f6a82 with gcc (GCC) 8.1.0 kernel signature: 0f44f8181d4a1eb7125d001400e5571d3648f899 run #0: crashed: BUG: corrupted list in __nf_tables_abort run #1: crashed: BUG: corrupted list in __nf_tables_abort run #2: crashed: BUG: corrupted list in __nf_tables_abort run #3: crashed: BUG: corrupted list in __nf_tables_abort run #4: crashed: BUG: corrupted list in __nf_tables_abort run #5: crashed: BUG: corrupted list in __nf_tables_abort run #6: crashed: KASAN: use-after-free Read in __nf_tables_abort run #7: crashed: BUG: corrupted list in __nf_tables_abort run #8: crashed: BUG: corrupted list in __nf_tables_abort run #9: crashed: BUG: corrupted list in __nf_tables_abort # git bisect bad 61177e911dad660df86a4553eb01c95ece2f6a82 Bisecting: 4 revisions left to test after this (roughly 2 steps) [1c702bf902bd37349f6d91cd7f4b372b1e46d0ed] netfilter: nft_tunnel: fix null-attribute check testing commit 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed with gcc (GCC) 8.1.0 kernel signature: 5a9b5da9574d319be83cb88d4c2e1e7ef78d557f run #0: crashed: BUG: corrupted list in __nf_tables_abort run #1: crashed: BUG: corrupted list in __nf_tables_abort run #2: crashed: BUG: corrupted list in __nf_tables_abort run #3: crashed: BUG: corrupted list in __nf_tables_abort run #4: crashed: KASAN: use-after-free Read in __nf_tables_abort run #5: crashed: BUG: corrupted list in __nf_tables_abort run #6: crashed: BUG: corrupted list in __nf_tables_abort run #7: crashed: BUG: corrupted list in __nf_tables_abort run #8: crashed: BUG: corrupted list in __nf_tables_abort run #9: crashed: BUG: corrupted list in __nf_tables_abort # git bisect bad 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed Bisecting: 1 revision left to test after this (roughly 1 step) [212e7f56605ef9688d0846db60c6c6ec06544095] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct testing commit 212e7f56605ef9688d0846db60c6c6ec06544095 with gcc (GCC) 8.1.0 kernel signature: 952f1133359ee3750d6c6daf2c87f40114b6eb07 all runs: OK # git bisect good 212e7f56605ef9688d0846db60c6c6ec06544095 Bisecting: 0 revisions left to test after this (roughly 0 steps) [ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91] netfilter: nf_tables: store transaction list locally while requesting module testing commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 with gcc (GCC) 8.1.0 kernel signature: 9dcd016e5e035592bd7743cea7edb8c843423299 all runs: crashed: BUG: corrupted list in __nf_tables_abort # git bisect bad ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 is the first bad commit commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 Author: Pablo Neira Ayuso Date: Mon Jan 13 18:09:58 2020 +0100 netfilter: nf_tables: store transaction list locally while requesting module This patch fixes a WARN_ON in nft_set_destroy() due to missing set reference count drop from the preparation phase. This is triggered by the module autoload path. Do not exercise the abort path from nft_request_module() while preparation phase cleaning up is still pending. WARNING: CPU: 3 PID: 3456 at net/netfilter/nf_tables_api.c:3740 nft_set_destroy+0x45/0x50 [nf_tables] [...] CPU: 3 PID: 3456 Comm: nft Not tainted 5.4.6-arch3-1 #1 RIP: 0010:nft_set_destroy+0x45/0x50 [nf_tables] Code: e8 30 eb 83 c6 48 8b 85 80 00 00 00 48 8b b8 90 00 00 00 e8 dd 6b d7 c5 48 8b 7d 30 e8 24 dd eb c5 48 89 ef 5d e9 6b c6 e5 c5 <0f> 0b c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 7f 10 e9 52 RSP: 0018:ffffac4f43e53700 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff99d63a154d80 RCX: 0000000001f88e03 RDX: 0000000001f88c03 RSI: ffff99d6560ef0c0 RDI: ffff99d63a101200 RBP: ffff99d617721de0 R08: 0000000000000000 R09: 0000000000000318 R10: 00000000f0000000 R11: 0000000000000001 R12: ffffffff880fabf0 R13: dead000000000122 R14: dead000000000100 R15: ffff99d63a154d80 FS: 00007ff3dbd5b740(0000) GS:ffff99d6560c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00001cb5de6a9000 CR3: 000000016eb6a004 CR4: 00000000001606e0 Call Trace: __nf_tables_abort+0x3e3/0x6d0 [nf_tables] nft_request_module+0x6f/0x110 [nf_tables] nft_expr_type_request_module+0x28/0x50 [nf_tables] nf_tables_expr_parse+0x198/0x1f0 [nf_tables] nft_expr_init+0x3b/0xf0 [nf_tables] nft_dynset_init+0x1e2/0x410 [nf_tables] nf_tables_newrule+0x30a/0x930 [nf_tables] nfnetlink_rcv_batch+0x2a0/0x640 [nfnetlink] nfnetlink_rcv+0x125/0x171 [nfnetlink] netlink_unicast+0x179/0x210 netlink_sendmsg+0x208/0x3d0 sock_sendmsg+0x5e/0x60 ____sys_sendmsg+0x21b/0x290 Update comment on the code to describe the new behaviour. Reported-by: Marco Oliverio Fixes: 452238e8d5ff ("netfilter: nf_tables: add and use helper for module autoload") Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) culprit signature: 9dcd016e5e035592bd7743cea7edb8c843423299 parent signature: 952f1133359ee3750d6c6daf2c87f40114b6eb07 revisions tested: 16, total time: 4h11m12.540331599s (build: 1h43m37.054486402s, test: 2h25m42.866356636s) first bad commit: ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 netfilter: nf_tables: store transaction list locally while requesting module cc: ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@netfilter.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org"] crash: BUG: corrupted list in __nf_tables_abort netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. list_del corruption, ffff8880a2c49c00->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:50! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8440 Comm: syz-executor.2 Not tainted 5.5.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x58 lib/list_debug.c:48 Code: fc fd 0f 0b 48 89 f1 48 c7 c7 a0 7f cd 87 48 89 de e8 e9 a4 fc fd 0f 0b 4c 89 e2 48 89 de 48 c7 c7 e0 80 cd 87 e8 d5 a4 fc fd <0f> 0b 4c 89 ea 48 89 de 48 c7 c7 80 80 cd 87 e8 c1 a4 fc fd 0f 0b RSP: 0018:ffffc90002bf7450 EFLAGS: 00010282 RAX: 000000000000004e RBX: ffff8880a2c49c00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff8a9444e0 RBP: ffffc90002bf7468 R08: ffffed1015d66621 R09: ffffed1015d66621 R10: ffffed1015d66620 R11: ffff8880aeb33107 R12: dead000000000122 R13: ffff8880801152b0 R14: ffff8880964752c0 R15: ffff8880a2f88900 FS: 00007f955ffce700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc6995ef78 CR3: 0000000092a62000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_del_entry+0xf/0xb0 include/linux/list.h:131 list_del_rcu include/linux/rculist.h:148 [inline] __nf_tables_abort+0x1bef/0x2c30 net/netfilter/nf_tables_api.c:7246 nf_tables_abort+0xf/0x30 net/netfilter/nf_tables_api.c:7361 nfnetlink_rcv_batch+0x50b/0x15b0 net/netfilter/nfnetlink.c:494 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline] nfnetlink_rcv+0x2eb/0x3b0 net/netfilter/nfnetlink.c:561 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:659 ____sys_sendmsg+0x603/0x950 net/socket.c:2330 ___sys_sendmsg+0xe4/0x160 net/socket.c:2384 __sys_sendmsg+0xd9/0x180 net/socket.c:2417 __do_sys_sendmsg net/socket.c:2426 [inline] __se_sys_sendmsg net/socket.c:2424 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2424 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45b349 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f955ffcdc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f955ffce6d4 RCX: 000000000045b349 RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000917 R14: 00000000004ca810 R15: 000000000075bf2c Modules linked in: ---[ end trace a30493a0dc8a4ca9 ]--- RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x58 lib/list_debug.c:48 Code: fc fd 0f 0b 48 89 f1 48 c7 c7 a0 7f cd 87 48 89 de e8 e9 a4 fc fd 0f 0b 4c 89 e2 48 89 de 48 c7 c7 e0 80 cd 87 e8 d5 a4 fc fd <0f> 0b 4c 89 ea 48 89 de 48 c7 c7 80 80 cd 87 e8 c1 a4 fc fd 0f 0b RSP: 0018:ffffc90002bf7450 EFLAGS: 00010282 RAX: 000000000000004e RBX: ffff8880a2c49c00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff8a9444e0 RBP: ffffc90002bf7468 R08: ffffed1015d66621 R09: ffffed1015d66621 R10: ffffed1015d66620 R11: ffff8880aeb33107 R12: dead000000000122 R13: ffff8880801152b0 R14: ffff8880964752c0 R15: ffff8880a2f88900 FS: 00007f955ffce700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc6995ef78 CR3: 0000000092a62000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400