bisecting fixing commit since f9be84db09d2e8930319503683305781378a7dbf
building syzkaller on 6972b10616d785401dea17cec890cca8916424a7
testing commit f9be84db09d2e8930319503683305781378a7dbf
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7f65f3364dac6eb2d4fce796363688e24aa366e55bd68352b40e3154805fa14f
run #0: crashed: general protection fault in nf_tables_dump_sets
run #1: crashed: KASAN: use-after-free Read in nft_table_lookup
run #2: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #3: crashed: KASAN: use-after-free Read in nft_table_lookup
run #4: crashed: KASAN: use-after-free Read in nft_table_lookup
run #5: crashed: general protection fault in nf_tables_dump_sets
run #6: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #7: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #8: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
reproducer seems to be flaky
testing current HEAD 6d99f85e342d2aa346c36e5fe52041a9c56a6c30
testing commit 6d99f85e342d2aa346c36e5fe52041a9c56a6c30
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2fc133dd94a17479bce3ba553dcf670f6fc82424cab90088b24e802824d19419
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect start 6d99f85e342d2aa346c36e5fe52041a9c56a6c30 f9be84db09d2e8930319503683305781378a7dbf
Bisecting: 6057 revisions left to test after this (roughly 13 steps)
[477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6] Merge tag 'drm-next-2021-08-31-1' of git://anongit.freedesktop.org/drm/drm
testing commit 477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b997da428749c22b3d82a7ef7db2d45270c14047d062ef6e991c3950497cbe9c
run #0: crashed: general protection fault in nf_tables_dump_sets
run #1: crashed: KASAN: use-after-free Read in nft_table_lookup
run #2: crashed: general protection fault in nf_tables_dump_sets
run #3: crashed: general protection fault in nf_tables_dump_sets
run #4: crashed: KASAN: use-after-free Read in nft_table_lookup
run #5: crashed: general protection fault in nf_tables_dump_sets
run #6: crashed: general protection fault in nf_tables_dump_sets
run #7: crashed: general protection fault in nf_tables_dump_sets
run #8: crashed: KASAN: use-after-free Read in nft_table_lookup
run #9: crashed: general protection fault in nf_tables_dump_sets
run #10: crashed: general protection fault in nf_tables_dump_sets
run #11: crashed: general protection fault in nf_tables_dump_sets
run #12: crashed: KASAN: use-after-free Read in nft_table_lookup
run #13: crashed: general protection fault in nf_tables_dump_sets
run #14: crashed: general protection fault in nf_tables_dump_sets
run #15: crashed: general protection fault in nf_tables_dump_sets
run #16: crashed: KASAN: use-after-free Read in nft_table_lookup
run #17: crashed: general protection fault in nf_tables_dump_sets
run #18: crashed: general protection fault in nf_tables_dump_sets
run #19: crashed: general protection fault in nf_tables_dump_sets
# git bisect good 477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6
Bisecting: 3028 revisions left to test after this (roughly 12 steps)
[86406a9e733347f877a2bd5269ce7429d3748c6a] Merge tag 'mfd-next-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
testing commit 86406a9e733347f877a2bd5269ce7429d3748c6a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a54fe5030011372f3ec1fb4be92280739dd556f313cc439dc7870b3c3f2b4a48
run #0: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #1: crashed: KASAN: use-after-free Read in nft_table_lookup
run #2: crashed: KASAN: use-after-free Read in nft_table_lookup
run #3: crashed: KASAN: use-after-free Read in nft_table_lookup
run #4: crashed: KASAN: use-after-free Read in nft_table_lookup
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 86406a9e733347f877a2bd5269ce7429d3748c6a
Bisecting: 1496 revisions left to test after this (roughly 11 steps)
[fc0c0548c1a2e676d3a928aaed70f2d4d254e395] Merge tag 'net-5.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit fc0c0548c1a2e676d3a928aaed70f2d4d254e395
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 62a4c4c5d6a2f7364abd9294a996f8891340e3ab80321694dbac47a632750251
run #0: crashed: KASAN: use-after-free Read in nft_table_lookup
run #1: crashed: KASAN: use-after-free Read in nft_table_lookup
run #2: crashed: general protection fault in nf_tables_dump_sets
run #3: crashed: general protection fault in nf_tables_dump_sets
run #4: crashed: general protection fault in nf_tables_dump_sets
run #5: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #6: crashed: KASAN: use-after-free Read in nft_table_lookup
run #7: crashed: KASAN: use-after-free Read in nft_table_lookup
run #8: crashed: general protection fault in nf_tables_dump_sets
run #9: crashed: KASAN: use-after-free Read in nft_table_lookup
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good fc0c0548c1a2e676d3a928aaed70f2d4d254e395
Bisecting: 743 revisions left to test after this (roughly 10 steps)
[4de593fb965fc2bd11a0b767e0c65ff43540a6e4] Merge tag 'net-5.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 4de593fb965fc2bd11a0b767e0c65ff43540a6e4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e3fc5fe89527f654048be42eca84e600468f0d4572902c49154abd1111e797e0
all runs: OK
# git bisect bad 4de593fb965fc2bd11a0b767e0c65ff43540a6e4
Bisecting: 369 revisions left to test after this (roughly 9 steps)
[85736168463db124e1c4f382c7c2fca64c3acb80] Merge tag 'char-misc-5.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 85736168463db124e1c4f382c7c2fca64c3acb80
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ae2358d2aae5a95e9a31bac175f482771eb8f7df18dbe0f0e26b3ecbf0538bef
run #0: crashed: KASAN: use-after-free Read in nft_table_lookup
run #1: crashed: general protection fault in nf_tables_dump_sets
run #2: crashed: general protection fault in nf_tables_dump_sets
run #3: crashed: general protection fault in nf_tables_dump_sets
run #4: crashed: KASAN: use-after-free Read in nft_table_lookup
run #5: crashed: KASAN: use-after-free Read in nft_table_lookup
run #6: crashed: KASAN: use-after-free Read in nft_table_lookup
run #7: crashed: KASAN: use-after-free Read in nft_table_lookup
run #8: crashed: KASAN: use-after-free Read in nft_table_lookup
run #9: crashed: general protection fault in nf_tables_dump_sets
run #10: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #11: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #12: crashed: general protection fault in nf_tables_dump_sets
run #13: crashed: general protection fault in nf_tables_dump_sets
run #14: crashed: KASAN: use-after-free Read in nft_table_lookup
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 85736168463db124e1c4f382c7c2fca64c3acb80
Bisecting: 180 revisions left to test after this (roughly 8 steps)
[9cccec2bf32fa2a8039cfcd228b9f3a4f0a4f5aa] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 9cccec2bf32fa2a8039cfcd228b9f3a4f0a4f5aa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5bf0bb78642f23cefc56ea51961bc8309462fa2661709843ceec515b18a9570c
run #0: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #1: crashed: KASAN: use-after-free Read in nft_table_lookup
run #2: OK
run #3: crashed: KASAN: use-after-free Read in nft_table_lookup
run #4: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #5: crashed: KASAN: use-after-free Read in nft_table_lookup
run #6: crashed: general protection fault in nf_tables_dump_sets
run #7: crashed: KASAN: use-after-free Read in nft_table_lookup
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 9cccec2bf32fa2a8039cfcd228b9f3a4f0a4f5aa
Bisecting: 88 revisions left to test after this (roughly 7 steps)
[78c56e53821a7ec3462ce448c1fe6a8d44358831] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 78c56e53821a7ec3462ce448c1fe6a8d44358831
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 373a8118728dff0fe404e17f301f5da87ed6dbf5fefdd4207b5415ec155288d0
run #0: crashed: general protection fault in nf_tables_dump_sets
run #1: crashed: KASAN: use-after-free Read in nft_table_lookup
run #2: crashed: KASAN: use-after-free Read in nft_table_lookup
run #3: crashed: KASAN: use-after-free Read in nft_table_lookup
run #4: crashed: KASAN: use-after-free Read in nft_table_lookup
run #5: crashed: general protection fault in nf_tables_dump_sets
run #6: crashed: KASAN: use-after-free Read in nft_table_lookup
run #7: crashed: KASAN: use-after-free Read in nft_table_lookup
run #8: crashed: KASAN: use-after-free Read in nft_table_lookup
run #9: crashed: general protection fault in nf_tables_dump_sets
run #10: crashed: general protection fault in nf_tables_dump_sets
run #11: crashed: KASAN: use-after-free Read in nft_table_lookup
run #12: OK
run #13: OK
run #14: crashed: KASAN: use-after-free Read in nft_table_lookup
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 78c56e53821a7ec3462ce448c1fe6a8d44358831
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[3b1b6e82fb5e08e2cb355d7b2ee8644ec289de66] net: phy: enhance GPY115 loopback disable function
testing commit 3b1b6e82fb5e08e2cb355d7b2ee8644ec289de66
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c92940afbd9c5b15d076d9378f61ef3d1479dbc9624b4791c8e5d45dd7c0ccd3
all runs: OK
# git bisect bad 3b1b6e82fb5e08e2cb355d7b2ee8644ec289de66
Bisecting: 19 revisions left to test after this (roughly 5 steps)
[7fe7f3182a0dd8f9bad463598ed103b3d8cfa739] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit 7fe7f3182a0dd8f9bad463598ed103b3d8cfa739
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f7fdc0f6745bce63daa0eb4561703a73af5ea28f3387b5ffb21ee68e8125bb61
all runs: OK
# git bisect bad 7fe7f3182a0dd8f9bad463598ed103b3d8cfa739
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[7970a19b71044bf4dc2c1becc200275bdf1884d4] netfilter: nf_nat_masquerade: defer conntrack walk to work queue
testing commit 7970a19b71044bf4dc2c1becc200275bdf1884d4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 517123806dd47e471b7bae00a2221ad7aab46b17c4f103226af4cbcab313beb9
run #0: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "root@10.128.15.192:./syz-fuzzer"]
Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 7970a19b71044bf4dc2c1becc200275bdf1884d4
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[d2966dc77ba7b2678f7aee97bf9a65702ec8e2b6] netfilter: nat: include zone id in nat table hash again
testing commit d2966dc77ba7b2678f7aee97bf9a65702ec8e2b6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 09eb24d68d8ac379ca94d411d93f985de884862c01fde53e8f295cb413bf6a78
run #0: crashed: KASAN: use-after-free Read in nft_table_lookup
run #1: crashed: KASAN: use-after-free Read in nft_table_lookup
run #2: crashed: KASAN: use-after-free Read in nft_table_lookup
run #3: crashed: KASAN: use-after-free Read in nft_table_lookup
run #4: crashed: general protection fault in nf_tables_dump_sets
run #5: crashed: KASAN: use-after-free Read in nft_table_lookup
run #6: crashed: KASAN: use-after-free Read in nft_table_lookup
run #7: crashed: general protection fault in nf_tables_dump_sets
run #8: crashed: general protection fault in nf_tables_dump_sets
run #9: crashed: KASAN: use-after-free Read in nft_table_lookup
run #10: crashed: general protection fault in nf_tables_dump_sets
run #11: crashed: KASAN: use-after-free Read in nft_table_lookup
run #12: crashed: general protection fault in nf_tables_dump_sets
run #13: crashed: KASAN: use-after-free Read in nft_table_lookup
run #14: crashed: general protection fault in nf_tables_dump_sets
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good d2966dc77ba7b2678f7aee97bf9a65702ec8e2b6
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[a499b03bf36b0c2e3b958a381d828678ab0ffc5e] netfilter: nf_tables: unlink table before deleting it
testing commit a499b03bf36b0c2e3b958a381d828678ab0ffc5e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f47ee9d178c17acf1c358b2541fd164a866deaa397e943c6e9057c24c3661d65
all runs: OK
# git bisect bad a499b03bf36b0c2e3b958a381d828678ab0ffc5e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[cb89f63ba662d2b56583f4dd3dd2b7f03b6d6587] selftests: netfilter: add zone stress test with colliding tuples
testing commit cb89f63ba662d2b56583f4dd3dd2b7f03b6d6587
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 09eb24d68d8ac379ca94d411d93f985de884862c01fde53e8f295cb413bf6a78
run #0: crashed: general protection fault in nf_tables_dump_sets
run #1: crashed: KASAN: use-after-free Read in nft_table_lookup
run #2: crashed: KASAN: use-after-free Read in nft_table_lookup
run #3: crashed: KASAN: use-after-free Read in nft_table_lookup
run #4: crashed: KASAN: use-after-free Read in nft_table_lookup
run #5: crashed: general protection fault in nf_tables_dump_sets
run #6: crashed: KASAN: use-after-free Read in nft_table_lookup
run #7: crashed: KASAN: use-after-free Read in nft_table_lookup
run #8: crashed: KASAN: use-after-free Read in nft_table_lookup
run #9: crashed: KASAN: use-after-free Read in nft_table_lookup
run #10: crashed: KASAN: use-after-free Read in nf_tables_dump_sets
run #11: crashed: KASAN: use-after-free Read in nft_table_lookup
run #12: OK
run #13: OK
run #14: OK
run #15: crashed: KASAN: use-after-free Read in nft_table_lookup
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good cb89f63ba662d2b56583f4dd3dd2b7f03b6d6587
a499b03bf36b0c2e3b958a381d828678ab0ffc5e is the first bad commit
commit a499b03bf36b0c2e3b958a381d828678ab0ffc5e
Author: Florian Westphal
Date:   Mon Sep 13 14:42:33 2021 +0200

    netfilter: nf_tables: unlink table before deleting it

    syzbot reports following UAF:
    BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955
     nla_strcmp+0xf2/0x130 lib/nlattr.c:836
     nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570
     nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]
     nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064
     nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285
     netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504

    Problem is that all get operations are lockless, so the commit_mutex
    held by nft_rcv_nl_event() isn't enough to stop a parallel GET request
    from doing read-accesses to the table object even after synchronize_rcu().

    To avoid this, unlink the table first and store the table objects in
    on-stack scratch space.

    Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership")
    Reported-and-tested-by: syzbot+f31660cf279b0557160c@syzkaller.appspotmail.com
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

 net/netfilter/nf_tables_api.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

culprit signature: f47ee9d178c17acf1c358b2541fd164a866deaa397e943c6e9057c24c3661d65
parent signature: 09eb24d68d8ac379ca94d411d93f985de884862c01fde53e8f295cb413bf6a78
Reproducer flagged being flaky
revisions tested: 15, total time: 3h55m42.556579685s (build: 1h40m31.050062421s, test: 2h13m41.379448018s)
first good commit: a499b03bf36b0c2e3b958a381d828678ab0ffc5e netfilter: nf_tables: unlink table before deleting it
recipients (to): ["fw@strlen.de" "pablo@netfilter.org" "syzbot+f31660cf279b0557160c@syzkaller.appspotmail.com"]
recipients (cc): []