bisecting cause commit starting from 7be97138e7276c71cc9ad1752dcb502d28f4400d
building syzkaller on a34e2c332411388ed2b3f6f1a3acdc062feceb79
testing commit 7be97138e7276c71cc9ad1752dcb502d28f4400d with gcc (GCC) 8.1.0
kernel signature: 1ad15d13978db05f2976eb07beb309ff12b08cc7db10bfad85b6943025c4580a
all runs: crashed: KASAN: invalid-free in nf_tables_newset
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: ca9d3dcf371bd24a546874e51b720dcf2e0e89247d1e05b35a60473b46916e95
all runs: OK
# git bisect start 7be97138e7276c71cc9ad1752dcb502d28f4400d 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 4567 revisions left to test after this (roughly 12 steps)
[56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb
testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.1.0
kernel signature: a767982c6b51f9f03fda1c03beaa9a4f4013e927ffbd764a9be57b16edac9357
all runs: OK
# git bisect good 56a451b780676bc1cdac011735fe2869fa2e9abf
Bisecting: 2270 revisions left to test after this (roughly 11 steps)
[ed52f2c608c9451fa2bad298b2ab927416105d65] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit ed52f2c608c9451fa2bad298b2ab927416105d65 with gcc (GCC) 8.1.0
kernel signature: 551a8eb2cf38c08b59d3ac358bcbd383892dbf597e7af7aa2ac995e3eeb56605
all runs: crashed: KASAN: invalid-free in nf_tables_newset
# git bisect bad ed52f2c608c9451fa2bad298b2ab927416105d65
Bisecting: 1148 revisions left to test after this (roughly 10 steps)
[9b96a3e6dd4bf3b92df15798f088ee6b35928712] net: ibm: remove set but not used variables 'err'
testing commit 9b96a3e6dd4bf3b92df15798f088ee6b35928712 with gcc (GCC) 8.1.0
kernel signature: 1c5252ec6a7889a038e17e750f11a7a92e2673e5bac3f83aadb688897ebedfdb
all runs: OK
# git bisect good 9b96a3e6dd4bf3b92df15798f088ee6b35928712
Bisecting: 574 revisions left to test after this (roughly 9 steps)
[fcbd30d09ba05389cb40cc1769b565df62aead35] net: phy: introduce phy_read_poll_timeout macro
testing commit fcbd30d09ba05389cb40cc1769b565df62aead35 with gcc (GCC) 8.1.0
kernel signature: d263673dd9ecaede96449f1160cbae910591a4c9b19980251d01a18bf21c28a4
all runs: OK
# git bisect good fcbd30d09ba05389cb40cc1769b565df62aead35
Bisecting: 302 revisions left to test after this (roughly 8 steps)
[0b992b898c9e52e274af1c4b6c3de21632199b4d] Merge branch 's390-qeth-next'
testing commit 0b992b898c9e52e274af1c4b6c3de21632199b4d with gcc (GCC) 8.1.0
kernel signature: ec38b2d8c6b1abe46bdb157c11d78542d6bbb10d3264e019d7e91554fa739cc8
all runs: OK
# git bisect good 0b992b898c9e52e274af1c4b6c3de21632199b4d
Bisecting: 151 revisions left to test after this (roughly 7 steps)
[2a8c2c1a0264ebf80787f53d7aa8c661b336a07f] ionic: move debugfs add/delete to match alloc/free
testing commit 2a8c2c1a0264ebf80787f53d7aa8c661b336a07f with gcc (GCC) 8.1.0
kernel signature: d50f5b2e4720e1ee597bd6d90e01b26ee6bd8fd35c93ef483b578ca64a538d3a
all runs: OK
# git bisect good 2a8c2c1a0264ebf80787f53d7aa8c661b336a07f
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[0c991ebc8c69d29b7fc44db17075c5aa5253e2ab] bpf: Implement bpf_prog replacement for an active bpf_cgroup_link
testing commit 0c991ebc8c69d29b7fc44db17075c5aa5253e2ab with gcc (GCC) 8.1.0
kernel signature: 794ab443ff8a84182674e909eb70c2c64b907ef69050f2a0f9fb78d0ba98df7b
all runs: OK
# git bisect good 0c991ebc8c69d29b7fc44db17075c5aa5253e2ab
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[bc82521e3b8e8cfa7e0136080c75a3af3a1b448a] mlxsw: spectrum_trap: Do not initialize dedicated discard policer
testing commit bc82521e3b8e8cfa7e0136080c75a3af3a1b448a with gcc (GCC) 8.1.0
kernel signature: 3429dca8bc4dd2f1cb74ee0ad0105e285df572943b06facc8fdfd3093de177c2
all runs: OK
# git bisect good bc82521e3b8e8cfa7e0136080c75a3af3a1b448a
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[af370ab36fcd19f04e3408c402608e7e56e6f188] netfilter: nf_queue: do not release refcouts until nf_reinject is done
testing commit af370ab36fcd19f04e3408c402608e7e56e6f188 with gcc (GCC) 8.1.0
kernel signature: 74b8b794937b8e0a8d3c39c8de03548036d8f1a4c8d26874e3272010445c2015
all runs: crashed: KASAN: invalid-free in nf_tables_newset
# git bisect bad af370ab36fcd19f04e3408c402608e7e56e6f188
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[73348fed35d023e998cbd303a28400f2c0ec30a3] ipvs: optimize tunnel dumps for icmp errors
testing commit 73348fed35d023e998cbd303a28400f2c0ec30a3 with gcc (GCC) 8.1.0
kernel signature: f8fbfa398fdbce307a87100d5a04ab84e9e7066aed30daa3b3502d8034e672b5
all runs: crashed: KASAN: invalid-free in nf_tables_newset
# git bisect bad 73348fed35d023e998cbd303a28400f2c0ec30a3
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[772f4e82b3ffa1eb7412cd531f718a96a0e5474b] netfilter: nf_tables: fix double-free on set expression from the error path
testing commit 772f4e82b3ffa1eb7412cd531f718a96a0e5474b with gcc (GCC) 8.1.0
kernel signature: de1d4cd491c008474f68af86d56714b2336ffe473f73ad6c996c254ec451794f
all runs: crashed: KASAN: invalid-free in nf_tables_newset
# git bisect bad 772f4e82b3ffa1eb7412cd531f718a96a0e5474b
Bisecting: 1 revision left to test after this (roughly 1 step)
[0c2a85edd143162b3a698f31e94bf8cdc041da87] netfilter: nf_tables: pass context to nft_set_destroy()
testing commit 0c2a85edd143162b3a698f31e94bf8cdc041da87 with gcc (GCC) 8.1.0
kernel signature: 658a86a424a166e0784c6e0e3a7a1680e183441aab3dfded7145d2bae3a528b4
all runs: OK
# git bisect good 0c2a85edd143162b3a698f31e94bf8cdc041da87
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[65038428b2c6c5be79d3f78a6b79c0cdc3a58a41] netfilter: nf_tables: allow to specify stateful expression in set definition
testing commit 65038428b2c6c5be79d3f78a6b79c0cdc3a58a41 with gcc (GCC) 8.1.0
kernel signature: c0dddfaf127a2c1cd1e9aa4068f4cdc18d1bb876a9b2b5b59d31c1e1a50b06e1
run #0: crashed: KASAN: invalid-free in nf_tables_newset
run #1: crashed: KASAN: invalid-free in nf_tables_newset
run #2: crashed: KASAN: invalid-free in nf_tables_newset
run #3: crashed: KASAN: invalid-free in nf_tables_newset
run #4: crashed: KASAN: invalid-free in nf_tables_newset
run #5: crashed: KASAN: invalid-free in nf_tables_newset
run #6: crashed: KASAN: invalid-free in nf_tables_newset
run #7: crashed: KASAN: invalid-free in nf_tables_newset
run #8: crashed: KASAN: invalid-free in nf_tables_newset
run #9: boot failed: can't ssh into the instance
# git bisect bad 65038428b2c6c5be79d3f78a6b79c0cdc3a58a41
65038428b2c6c5be79d3f78a6b79c0cdc3a58a41 is the first bad commit
commit 65038428b2c6c5be79d3f78a6b79c0cdc3a58a41
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue Mar 17 14:13:46 2020 +0100

    netfilter: nf_tables: allow to specify stateful expression in set definition
    
    This patch allows users to specify the stateful expression for the
    elements in this set via NFTA_SET_EXPR. This new feature allows you to
    turn on counters for all of the elements in this set.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/net/netfilter/nf_tables.h        |  2 ++
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nf_tables_api.c            | 60 +++++++++++++++++++++++++-------
 3 files changed, 52 insertions(+), 12 deletions(-)
culprit signature: c0dddfaf127a2c1cd1e9aa4068f4cdc18d1bb876a9b2b5b59d31c1e1a50b06e1
parent  signature: 658a86a424a166e0784c6e0e3a7a1680e183441aab3dfded7145d2bae3a528b4
revisions tested: 15, total time: 3h33m27.370491704s (build: 1h26m58.779326103s, test: 2h5m26.375712291s)
first bad commit: 65038428b2c6c5be79d3f78a6b79c0cdc3a58a41 netfilter: nf_tables: allow to specify stateful expression in set definition
cc: ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@netfilter.org" "kuba@kernel.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org"]
crash: KASAN: invalid-free in nf_tables_newset
==================================================================
BUG: KASAN: double-free or invalid-free in nf_tables_newset+0x1863/0x1e30 net/netfilter/nf_tables_api.c:4144

CPU: 0 PID: 8538 Comm: syz-executor.1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 kasan_report_invalid_free+0x60/0xa0 mm/kasan/report.c:468
 __kasan_slab_free+0x129/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 nf_tables_newset+0x1863/0x1e30 net/netfilter/nf_tables_api.c:4144
 nfnetlink_rcv_batch+0x854/0x1370 net/netfilter/nfnetlink.c:433
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
 nfnetlink_rcv+0x2bc/0x340 net/netfilter/nfnetlink.c:561
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x54e/0x750 net/socket.c:2343
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397
 __sys_sendmsg+0xce/0x170 net/socket.c:2430
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb9f arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Allocated by task 8538:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc_track_caller+0x15c/0x7a0 mm/slab.c:3671
 kvasprintf+0xa7/0x120 lib/kasprintf.c:25
 kasprintf+0x96/0xc0 lib/kasprintf.c:59
 nf_tables_set_alloc_name net/netfilter/nf_tables_api.c:3535 [inline]
 nf_tables_newset+0x1110/0x1e30 net/netfilter/nf_tables_api.c:4084
 nfnetlink_rcv_batch+0x854/0x1370 net/netfilter/nfnetlink.c:433
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
 nfnetlink_rcv+0x2bc/0x340 net/netfilter/nfnetlink.c:561
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x54e/0x750 net/socket.c:2343
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397
 __sys_sendmsg+0xce/0x170 net/socket.c:2430
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb9f arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 8538:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 nf_tables_set_alloc_name net/netfilter/nf_tables_api.c:3543 [inline]
 nf_tables_newset+0x18cd/0x1e30 net/netfilter/nf_tables_api.c:4084
 nfnetlink_rcv_batch+0x854/0x1370 net/netfilter/nfnetlink.c:433
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
 nfnetlink_rcv+0x2bc/0x340 net/netfilter/nfnetlink.c:561
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x54e/0x750 net/socket.c:2343
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397
 __sys_sendmsg+0xce/0x170 net/socket.c:2430
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb9f arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

The buggy address belongs to the object at ffff8880a7ddd140
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff8880a7ddd140, ffff8880a7ddd160)
The buggy address belongs to the page:
page:ffffea00029f7740 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a7dddfc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00028e8d48 ffffea0002684448 ffff8880aa4001c0
raw: ffff8880a7dddfc1 ffff8880a7ddd000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a7ddd000: fb fb fb fb fc fc fc fc 00 02 fc fc fc fc fc fc
 ffff8880a7ddd080: 06 fc fc fc fc fc fc fc 00 00 00 03 fc fc fc fc
>ffff8880a7ddd100: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
                                           ^
 ffff8880a7ddd180: fb fb fb fb fc fc fc fc 06 fc fc fc fc fc fc fc
 ffff8880a7ddd200: 00 05 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================