bisecting fixing commit since db5b9190ff8202b609fe802ccde41cb28669389f
building syzkaller on f9b6950728295eb8f52b05a0d9e5dccd99f93eaa
testing commit db5b9190ff8202b609fe802ccde41cb28669389f with gcc (GCC) 8.1.0
kernel signature: 6cef6cbce9094dec465521fb275da4c13152e6dcdd392150c3afcf18b523d913
run #0: crashed: BUG: corrupted list in nf_tables_commit
run #1: crashed: BUG: corrupted list in corrupted
run #2: crashed: BUG: corrupted list in nf_tables_commit
run #3: crashed: BUG: corrupted list in nf_tables_commit
run #4: crashed: BUG: corrupted list in corrupted
run #5: crashed: BUG: corrupted list in corrupted
run #6: crashed: BUG: corrupted list in nf_tables_commit
run #7: crashed: BUG: corrupted list in nf_tables_commit
run #8: crashed: BUG: corrupted list in nf_tables_commit
run #9: crashed: BUG: corrupted list in corrupted
testing current HEAD 9b15f7fae677336e04b9e026ff91854e43165455
testing commit 9b15f7fae677336e04b9e026ff91854e43165455 with gcc (GCC) 8.1.0
kernel signature: 1dd281f3b41a2ea5648837e52fea8b876bf388a08aabd5091c6623a0e3a0dc8f
all runs: OK
# git bisect start 9b15f7fae677336e04b9e026ff91854e43165455 db5b9190ff8202b609fe802ccde41cb28669389f
Bisecting: 647 revisions left to test after this (roughly 9 steps)
[1b7081bff268184c82cb811be1cacb9d82dac7a3] ACPI: PM: Introduce "poweroff" callbacks for ACPI PM domain and LPSS
testing commit 1b7081bff268184c82cb811be1cacb9d82dac7a3 with gcc (GCC) 8.1.0
kernel signature: 908f9600e01a07ddf5c80ad6ac3ff87f6276374f939d3f210f21f33234e14341
all runs: OK
# git bisect bad 1b7081bff268184c82cb811be1cacb9d82dac7a3
Bisecting: 323 revisions left to test after this (roughly 8 steps)
[5fc07a47308ba169b28ce845e7dfcd244cc8eb9c] crypto: tgr192 - fix unaligned memory access
testing commit 5fc07a47308ba169b28ce845e7dfcd244cc8eb9c with gcc (GCC) 8.1.0
kernel signature: 67ac04bc95ef006b3e963ed6cfe0f6a77767fa95ae3626213721c2f71ac13b8c
all runs: OK
# git bisect bad 5fc07a47308ba169b28ce845e7dfcd244cc8eb9c
Bisecting: 161 revisions left to test after this (roughly 7 steps)
[565389fc18ebe7c54569f1630a320a3c5dc2cdae] mlxsw: spectrum: Wipe xstats.backlog of down ports
testing commit 565389fc18ebe7c54569f1630a320a3c5dc2cdae with gcc (GCC) 8.1.0
kernel signature: 697233dd4df115af665dab86bd8e201e98a025ddfb5187fd7072f224bff064e1
all runs: OK
# git bisect bad 565389fc18ebe7c54569f1630a320a3c5dc2cdae
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[10d55ea6136b4116623297df3bd156981cc87f7e] ioat: ioat_alloc_ring() failure handling.
testing commit 10d55ea6136b4116623297df3bd156981cc87f7e with gcc (GCC) 8.1.0
kernel signature: ae060f254dc4c703dbd84aadedbe8f8b3b03330a392cd5669dbea27487aae0b1
run #0: crashed: BUG: corrupted list in corrupted
run #1: crashed: BUG: corrupted list in nf_tables_commit
run #2: crashed: BUG: corrupted list in nf_tables_commit
run #3: crashed: BUG: corrupted list in nf_tables_commit
run #4: crashed: BUG: corrupted list in nf_tables_commit
run #5: crashed: BUG: corrupted list in nf_tables_commit
run #6: crashed: BUG: corrupted list in corrupted
run #7: crashed: BUG: corrupted list in nf_tables_commit
run #8: crashed: BUG: corrupted list in nf_tables_commit
run #9: crashed: BUG: corrupted list in nf_tables_commit
# git bisect good 10d55ea6136b4116623297df3bd156981cc87f7e
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[107fb2906db14ac9fc14f780f2a92418974a0c66] drm/i915: Add missing include file
testing commit 107fb2906db14ac9fc14f780f2a92418974a0c66 with gcc (GCC) 8.1.0
kernel signature: aac2002bc140dba2573c3ef042a8ff1200690bf20dac68955a211086ddd96286
run #0: crashed: BUG: corrupted list in nf_tables_commit
run #1: crashed: BUG: corrupted list in nf_tables_commit
run #2: crashed: BUG: corrupted list in nf_tables_commit
run #3: crashed: BUG: corrupted list in corrupted
run #4: crashed: BUG: corrupted list in nf_tables_commit
run #5: crashed: BUG: corrupted list in nf_tables_commit
run #6: crashed: BUG: corrupted list in corrupted
run #7: crashed: BUG: corrupted list in nf_tables_commit
run #8: crashed: BUG: corrupted list in corrupted
run #9: crashed: BUG: corrupted list in nf_tables_commit
# git bisect good 107fb2906db14ac9fc14f780f2a92418974a0c66
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[5205825195a1af8d98ef2d2e3eb083f2f1bb4724] cfg80211: fix deadlocks in autodisconnect work
testing commit 5205825195a1af8d98ef2d2e3eb083f2f1bb4724 with gcc (GCC) 8.1.0
kernel signature: 07222a7a7c06048c1e1463969ad446960eed0c43c74ff9e05ee56c63e42107ce
run #0: crashed: BUG: corrupted list in nf_tables_commit
run #1: crashed: BUG: corrupted list in nf_tables_commit
run #2: crashed: BUG: corrupted list in nf_tables_commit
run #3: crashed: BUG: corrupted list in nf_tables_commit
run #4: crashed: BUG: corrupted list in corrupted
run #5: crashed: BUG: corrupted list in corrupted
run #6: crashed: BUG: corrupted list in corrupted
run #7: crashed: BUG: corrupted list in corrupted
run #8: crashed: BUG: corrupted list in corrupted
run #9: crashed: BUG: corrupted list in corrupted
# git bisect good 5205825195a1af8d98ef2d2e3eb083f2f1bb4724
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[da319f060b853a2cf4df3bc6119083813aaa1976] batman-adv: Fix DAT candidate selection on little endian systems
testing commit da319f060b853a2cf4df3bc6119083813aaa1976 with gcc (GCC) 8.1.0
kernel signature: 503685bcde5f810a817f5cd5d39c7f3dbb15cc7e33f9ce83ec37a8953b703033
all runs: OK
# git bisect bad da319f060b853a2cf4df3bc6119083813aaa1976
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[6de941ce70cd5c6d672f8af2d0a6dc83039a283c] netfilter: nft_tunnel: fix null-attribute check
testing commit 6de941ce70cd5c6d672f8af2d0a6dc83039a283c with gcc (GCC) 8.1.0
kernel signature: ec3848b840e797e479f156e662a67341ca1232acfb5e8332dbc860adcf8f2d66
run #0: crashed: BUG: corrupted list in corrupted
run #1: crashed: BUG: corrupted list in nf_tables_commit
run #2: crashed: BUG: corrupted list in nf_tables_commit
run #3: crashed: BUG: corrupted list in nf_tables_commit
run #4: crashed: BUG: corrupted list in nf_tables_commit
run #5: crashed: BUG: corrupted list in corrupted
run #6: crashed: BUG: corrupted list in nf_tables_commit
run #7: crashed: BUG: corrupted list in nf_tables_commit
run #8: crashed: BUG: corrupted list in corrupted
run #9: crashed: BUG: corrupted list in nf_tables_commit
# git bisect good 6de941ce70cd5c6d672f8af2d0a6dc83039a283c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[7ed065bd8a20f8348af3098508ae9a11f02bf258] netfilter: nf_tables: store transaction list locally while requesting module
testing commit 7ed065bd8a20f8348af3098508ae9a11f02bf258 with gcc (GCC) 8.1.0
kernel signature: e16664146f459c092c0beb6c2c350fad461c82bc89bc827c970fffa750dd905d
run #0: crashed: BUG: corrupted list in corrupted
run #1: crashed: BUG: corrupted list in corrupted
run #2: crashed: BUG: corrupted list in nf_tables_commit
run #3: crashed: BUG: corrupted list in nf_tables_commit
run #4: crashed: BUG: corrupted list in nf_tables_commit
run #5: crashed: BUG: corrupted list in corrupted
run #6: crashed: BUG: corrupted list in nf_tables_commit
run #7: crashed: BUG: corrupted list in corrupted
run #8: crashed: BUG: corrupted list in nf_tables_commit
run #9: crashed: BUG: corrupted list in nf_tables_commit
# git bisect good 7ed065bd8a20f8348af3098508ae9a11f02bf258
Bisecting: 0 revisions left to test after this (roughly 1 step)
[c043fc7ce7e2e1ddba611e934442e068f6a58d24] NFC: pn533: fix bulk-message timeout
testing commit c043fc7ce7e2e1ddba611e934442e068f6a58d24 with gcc (GCC) 8.1.0
kernel signature: 2bc981ecb5e0b22298bfb4596e3087ff59e749a1a9d0ccb63f605516aca3ca63
all runs: OK
# git bisect bad c043fc7ce7e2e1ddba611e934442e068f6a58d24
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8260ce5aeee4d7c4a6305e469edeae1066de2800] netfilter: nf_tables: fix flowtable list del corruption
testing commit 8260ce5aeee4d7c4a6305e469edeae1066de2800 with gcc (GCC) 8.1.0
kernel signature: fb8ab8bf89210c50c99f227e1b522cb7af99df34fa0d9a2528428733464bcbe6
all runs: OK
# git bisect bad 8260ce5aeee4d7c4a6305e469edeae1066de2800
8260ce5aeee4d7c4a6305e469edeae1066de2800 is the first bad commit
commit 8260ce5aeee4d7c4a6305e469edeae1066de2800
Author: Florian Westphal
Date:   Thu Jan 16 12:03:01 2020 +0100

    netfilter: nf_tables: fix flowtable list del corruption

    commit 335178d5429c4cee61b58f4ac80688f556630818 upstream.

    syzbot reported following crash:

    list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
    [..]
    Call Trace:
     __list_del_entry include/linux/list.h:131 [inline]
     list_del_rcu include/linux/rculist.h:148 [inline]
     nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
    [..]

    The commit transaction list has:

    NFT_MSG_NEWTABLE
    NFT_MSG_NEWFLOWTABLE
    NFT_MSG_DELFLOWTABLE
    NFT_MSG_DELTABLE

    A missing generation check during DELTABLE processing causes it to queue
    the DELFLOWTABLE operation a second time, so we corrupt the list here:

    case NFT_MSG_DELFLOWTABLE:
            list_del_rcu(&nft_trans_flowtable(trans)->list);
            nf_tables_flowtable_notify(&trans->ctx,

    because we have two different DELFLOWTABLE transactions for the same
    flowtable. We then call list_del_rcu() twice for the same flowtable->list.

    The object handling seems to suffer from the same bug so add a generation
    check too and only queue delete transactions for flowtables/objects that
    are still active in the next generation.

    Reported-by: syzbot+37a6804945a3a13b1572@syzkaller.appspotmail.com
    Fixes: 3b49e2e94e6eb ("netfilter: nf_tables: add flow table netlink frontend")
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

 net/netfilter/nf_tables_api.c | 6 ++++++
 1 file changed, 6 insertions(+)

culprit signature: fb8ab8bf89210c50c99f227e1b522cb7af99df34fa0d9a2528428733464bcbe6
parent signature: e16664146f459c092c0beb6c2c350fad461c82bc89bc827c970fffa750dd905d
revisions tested: 13, total time: 3h33m14.278573137s (build: 2h2m16.234452299s, test: 1h29m51.745791312s)
first good commit: 8260ce5aeee4d7c4a6305e469edeae1066de2800 netfilter: nf_tables: fix flowtable list del corruption
cc: ["fw@strlen.de" "gregkh@linuxfoundation.org" "pablo@netfilter.org"]