bisecting cause commit starting from 2981de746b18227892dfbda7b70c099077c4580d building syzkaller on 35f5e45ed3cc032d9f969f3a8700e29607c1364f testing commit 2981de746b18227892dfbda7b70c099077c4580d with gcc (GCC) 8.1.0 kernel signature: ff0e18d9c76f0a001ce79da03d15e269487409236fe797295b45b36b54ac9155 all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 14ca28d7ae6ba586efd91e46bbd1dd3974f1da50cfcd45516d906a14fb0147c3 all runs: OK # git bisect start 2981de746b18227892dfbda7b70c099077c4580d d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 Bisecting: 7094 revisions left to test after this (roughly 13 steps) [4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0 kernel signature: fba0589fa865ce07af745f98a083fc5125d3228af9352b32d9220b32b774634c all runs: OK # git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb Bisecting: 3575 revisions left to test after this (roughly 12 steps) [9717c1cea16e3eae81ca226f4c3670bb799b61ad] Merge tag 'drm-next-2020-02-04' of git://anongit.freedesktop.org/drm/drm testing commit 9717c1cea16e3eae81ca226f4c3670bb799b61ad with gcc (GCC) 8.1.0 kernel signature: f59912630f2644a9cefe9014f76b84ca1ceac1b96fdc013a4554de19897bb2cd all runs: OK # git bisect good 9717c1cea16e3eae81ca226f4c3670bb799b61ad Bisecting: 1635 revisions left to test after this (roughly 11 steps) [1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc with gcc (GCC) 8.1.0 kernel signature: c5dd3b7f9db28386a84567ff39f8cdf420ed76499b2d02bc36cf31ba4a0572b7 all runs: OK # git bisect good 1afa9c3b7c9bdcb562e2afe9f58cc99d0b071cdc Bisecting: 786 revisions left to test after this (roughly 10 steps) [e85162784f6d656ab1d47b1b2803619c8f2bc8e6] Merge remote-tracking branch 'xtensa/xtensa-for-next' testing commit e85162784f6d656ab1d47b1b2803619c8f2bc8e6 with gcc (GCC) 8.1.0 kernel signature: c32fa712398da77597e622463ff86045d9cf8dd92ced6ceb8d78fc31be04f58e all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common # git bisect bad e85162784f6d656ab1d47b1b2803619c8f2bc8e6 Bisecting: 423 revisions left to test after this (roughly 9 steps) [fc9b10b4461433a6cb734048822b6d494d04c2f3] Merge remote-tracking branch 'arm-soc-fixes/arm/fixes' testing commit fc9b10b4461433a6cb734048822b6d494d04c2f3 with gcc (GCC) 8.1.0 kernel signature: f8a8d4e9c57c9a00ec7237028addfb078968022fce5340b7c70944c0c82e45f5 all runs: OK # git bisect good fc9b10b4461433a6cb734048822b6d494d04c2f3 Bisecting: 209 revisions left to test after this (roughly 8 steps) [95860f38a33e0e145a121044dbb58d166a2f75f4] Merge remote-tracking branch 'sunxi/sunxi/for-next' testing commit 95860f38a33e0e145a121044dbb58d166a2f75f4 with gcc (GCC) 8.1.0 kernel signature: 4d02924173b7d7516f71ed0e762206693b4fffb8dc6f7e467a8a8588977bd69c all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common # git bisect bad 95860f38a33e0e145a121044dbb58d166a2f75f4 Bisecting: 114 revisions left to test after this (roughly 7 steps) [42f2a509748527200ba253ca2d1cf217e32e8144] Merge remote-tracking branch 'mvebu/for-next' testing commit 42f2a509748527200ba253ca2d1cf217e32e8144 with gcc (GCC) 8.1.0 kernel signature: 27aea5eb8c6c10914240248b8b5b5ec4dbaa673f3274c17e8442b2dbdcd90b4d all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common # git bisect bad 42f2a509748527200ba253ca2d1cf217e32e8144 Bisecting: 53 revisions left to test after this (roughly 6 steps) [1433b2950fa9438a808313dba3f97668786e45ce] Merge remote-tracking branch 'drm-misc-fixes/for-linux-next-fixes' testing commit 1433b2950fa9438a808313dba3f97668786e45ce with gcc (GCC) 8.1.0 kernel signature: 3fc8deb8854725dd6b6f5af76ba4e0d9d4a3e3dd9e624d27c12f589d20a72771 run #0: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #1: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #2: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #3: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #4: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #5: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #6: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #7: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #8: crashed: WARNING: proc registration bug in hashlimit_mt_check_common run #9: boot failed: can't ssh into the instance # git bisect bad 1433b2950fa9438a808313dba3f97668786e45ce Bisecting: 22 revisions left to test after this (roughly 5 steps) [04e1fdc108a343a09a0e3422fb2d4087e5f218c2] Merge remote-tracking branch 'spi-fixes/for-linus' testing commit 04e1fdc108a343a09a0e3422fb2d4087e5f218c2 with gcc (GCC) 8.1.0 kernel signature: 00c102bdf103054bbc9b292b1b83b0af74d68872c472ee382c933686307eb7b5 all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common # git bisect bad 04e1fdc108a343a09a0e3422fb2d4087e5f218c2 Bisecting: 9 revisions left to test after this (roughly 4 steps) [5a1e1ee8a64cad4d7a558f8a10169a13fbb6b0ac] Merge remote-tracking branch 'mac80211/master' testing commit 5a1e1ee8a64cad4d7a558f8a10169a13fbb6b0ac with gcc (GCC) 8.1.0 kernel signature: 1af1cf7164f33a7e8c4ea31764cd977ce7354a0d9e4ddb411d79aff6e78bde69 all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common # git bisect bad 5a1e1ee8a64cad4d7a558f8a10169a13fbb6b0ac Bisecting: 4 revisions left to test after this (roughly 3 steps) [fb33b3c39ff86b2c312748b463adfcefecfd0c39] Merge remote-tracking branch 'netfilter/master' testing commit fb33b3c39ff86b2c312748b463adfcefecfd0c39 with gcc (GCC) 8.1.0 kernel signature: 3f2329a54a5289fcccb0059fc165b587a097fb37dc7d74c1440e9f45a5b09a3e all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common # git bisect bad fb33b3c39ff86b2c312748b463adfcefecfd0c39 Bisecting: 3 revisions left to test after this (roughly 2 steps) [a7da92c2c8a1faf253a3b3e292fda6910deba540] netfilter: flowtable: skip offload setup if disabled testing commit a7da92c2c8a1faf253a3b3e292fda6910deba540 with gcc (GCC) 8.1.0 kernel signature: 9ad0028cecf0925803e552ffb85c1b931ad6526fadc26512e672afddf3564e41 all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common # git bisect bad a7da92c2c8a1faf253a3b3e292fda6910deba540 Bisecting: 0 revisions left to test after this (roughly 1 step) [8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5] netfilter: xt_hashlimit: limit the max size of hashtable testing commit 8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5 with gcc (GCC) 8.1.0 kernel signature: f896240c2388bc922048d4f4c99ffa9dc4031c186d71d674b68cb5e1c973d13f all runs: crashed: WARNING: proc registration bug in hashlimit_mt_check_common # git bisect bad 8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5 Bisecting: 0 revisions left to test after this (roughly 0 steps) [c4a3922d2d20c710f827d3a115ee338e8d0467df] netfilter: xt_hashlimit: reduce hashlimit_mutex scope for htable_put() testing commit c4a3922d2d20c710f827d3a115ee338e8d0467df with gcc (GCC) 8.1.0 kernel signature: aa23e6a9d6da1c40003692aa4272e23c9db1996ffef34bfcf10a3ad657a84381 all runs: OK # git bisect good c4a3922d2d20c710f827d3a115ee338e8d0467df 8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5 is the first bad commit commit 8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5 Author: Cong Wang Date: Sun Feb 2 20:30:53 2020 -0800 netfilter: xt_hashlimit: limit the max size of hashtable The user-specified hashtable size is unbound, this could easily lead to an OOM or a hung task as we hold the global mutex while allocating and initializing the new hashtable. Add a max value to cap both cfg->size and cfg->max, as suggested by Florian. Reported-and-tested-by: syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com Signed-off-by: Cong Wang Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_hashlimit.c | 10 ++++++++++ 1 file changed, 10 insertions(+) culprit signature: f896240c2388bc922048d4f4c99ffa9dc4031c186d71d674b68cb5e1c973d13f parent signature: aa23e6a9d6da1c40003692aa4272e23c9db1996ffef34bfcf10a3ad657a84381 revisions tested: 16, total time: 3h34m59.718036298s (build: 1h47m32.919520987s, test: 1h45m43.651191866s) first bad commit: 8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5 netfilter: xt_hashlimit: limit the max size of hashtable cc: ["fw@strlen.de" "pablo@netfilter.org" "syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"] crash: WARNING: proc registration bug in hashlimit_mt_check_common ------------[ cut here ]------------ proc_dir_entry 'ip6t_hashlimit/syzkaller1' already registered WARNING: CPU: 1 PID: 8319 at fs/proc/generic.c:363 proc_register+0x2f1/0x4c0 fs/proc/generic.c:362 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 8319 Comm: syz-executor.3 Not tainted 5.5.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.10+0x25/0x2a kernel/panic.c:582 report_bug+0x1b0/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:174 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:proc_register+0x2f1/0x4c0 fs/proc/generic.c:362 Code: 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 bd 01 00 00 48 8b b3 d0 00 00 00 48 c7 c7 a0 9e b7 87 e8 47 96 73 ff <0f> 0b 48 c7 c7 c0 2c 0a 89 e8 c1 a5 85 05 4c 89 ea 48 b8 00 00 00 RSP: 0018:ffffc90007837500 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88809b3f6280 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000008 RDI: ffffffff8ab81360 RBP: ffffc90007837550 R08: ffffed1015d66659 R09: ffffed1015d66659 R10: ffffed1015d66658 R11: ffff8880aeb332c7 R12: ffffed1012a494d3 R13: ffff88809524a64c R14: ffff88809524a690 R15: ffff88809524a5c0 proc_create_seq_private+0xec/0x170 fs/proc/generic.c:593 htable_create net/netfilter/xt_hashlimit.c:341 [inline] hashlimit_mt_check_common.isra.9+0x899/0x11b0 net/netfilter/xt_hashlimit.c:902 hashlimit_mt_check_v1+0x2f7/0x37a net/netfilter/xt_hashlimit.c:928 xt_check_match+0x200/0x5f0 net/netfilter/x_tables.c:501 check_match net/ipv6/netfilter/ip6_tables.c:489 [inline] find_check_match net/ipv6/netfilter/ip6_tables.c:506 [inline] find_check_entry.isra.8+0x310/0x910 net/ipv6/netfilter/ip6_tables.c:557 translate_table+0xd15/0x1ab0 net/ipv6/netfilter/ip6_tables.c:734 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline] do_ip6t_set_ctl+0x251/0x40b net/ipv6/netfilter/ip6_tables.c:1681 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x5c/0xb0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0x9e/0x100 net/ipv6/ipv6_sockglue.c:949 rawv6_setsockopt+0x34/0xd0 net/ipv6/raw.c:1081 sock_common_setsockopt+0x73/0xf0 net/core/sock.c:3149 __sys_setsockopt+0x213/0x440 net/socket.c:2130 __do_sys_setsockopt net/socket.c:2146 [inline] __se_sys_setsockopt net/socket.c:2143 [inline] __x64_sys_setsockopt+0xb9/0x150 net/socket.c:2143 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45b399 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f7703afcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007f7703afd6d4 RCX: 000000000045b399 RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003 RBP: 000000000075bfc8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000a04 R14: 00000000004d4558 R15: 000000000075bfd4 Kernel Offset: disabled Rebooting in 86400 seconds..