bisecting cause commit starting from 51d69817519f5f00041a1a039277f0367d76c82c
building syzkaller on f9b6950728295eb8f52b05a0d9e5dccd99f93eaa
testing commit 51d69817519f5f00041a1a039277f0367d76c82c with gcc (GCC) 8.1.0
kernel signature: 8ba745aa1e705dc03a58278322b69e99f543dd66
all runs: crashed: BUG: corrupted list in nf_tables_commit
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 5a30fb6b8022b7e1da57bb04e17c342df7893046
all runs: crashed: BUG: corrupted list in nf_tables_commit
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: ff7e85e525fad265b309eea421abced4d87eaae3
all runs: crashed: BUG: corrupted list in nf_tables_commit
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 3856698a3d1bfdcc20df87e5365b7c242abb717b
all runs: crashed: BUG: corrupted list in nf_tables_commit
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 0296f104938da96db56dbb39115ede5eb52e53f6
all runs: crashed: BUG: corrupted list in nf_tables_commit
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: f4323e53b5f8846dae61af6c1d907de85d7eb0b5
run #0: crashed: BUG: corrupted list in nf_tables_commit
run #1: crashed: BUG: corrupted list in nf_tables_commit
run #2: crashed: BUG: corrupted list in corrupted
run #3: crashed: BUG: corrupted list in corrupted
run #4: crashed: BUG: corrupted list in nf_tables_commit
run #5: crashed: BUG: corrupted list in nf_tables_commit
run #6: crashed: BUG: corrupted list in nf_tables_commit
run #7: crashed: BUG: corrupted list in nf_tables_commit
run #8: crashed: BUG: corrupted list in nf_tables_commit
run #9: crashed: BUG: corrupted list in nf_tables_commit
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 6c080b9ea8160c470c736dfc16eced8f9017c4c6
run #0: crashed: BUG: corrupted list in corrupted
run #1: crashed: BUG: corrupted list in nf_tables_commit
run #2: crashed: BUG: corrupted list in corrupted
run #3: crashed: BUG: corrupted list in nf_tables_commit
run #4: crashed: BUG: corrupted list in nf_tables_commit
run #5: crashed: BUG: corrupted list in corrupted
run #6: crashed: BUG: corrupted list in nf_tables_commit
run #7: crashed: BUG: corrupted list in nf_tables_commit
run #8: crashed: BUG: corrupted list in nf_tables_commit
run #9: crashed: BUG: corrupted list in nf_tables_commit
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: 6c5d5faf326b59294c426b654e2e25211af1f769
run #0: crashed: BUG: corrupted list in nf_tables_commit
run #1: crashed: BUG: corrupted list in nf_tables_commit
run #2: crashed: BUG: corrupted list in nf_tables_commit
run #3: crashed: BUG: corrupted list in nf_tables_commit
run #4: crashed: BUG: corrupted list in nf_tables_commit
run #5: crashed: BUG: corrupted list in corrupted
run #6: crashed: BUG: corrupted list in nf_tables_commit
run #7: crashed: BUG: corrupted list in nf_tables_commit
run #8: crashed: BUG: corrupted list in nf_tables_commit
run #9: crashed: BUG: corrupted list in corrupted
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 7da7d00b32a1dcaa9051f2219659838c068a2e39
all runs: crashed: BUG: corrupted list in nf_tables_commit
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
kernel signature: 5bce25d96aff57cc8577868ce7cdd71157da7cf7
all runs: crashed: BUG: corrupted list in nf_tables_commit
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
kernel signature: f3183ba93324dad76c34d3430068cd3211aa022a
all runs: crashed: BUG: corrupted list in nf_tables_commit
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
kernel signature: 1293e4da2f49a36cafa710761981b9aa94ec880d
all runs: OK
# git bisect start 0adb32858b0bddf4ada5f364a84ed60b196dbcda d8a5b80568a9cb66810e75b182018e9edb68e8ff
Bisecting: 7566 revisions left to test after this (roughly 13 steps)
[c14376de3a1befa70d9811ca2872d47367b48767] printk: Wake klogd when passing console_lock owner
testing commit c14376de3a1befa70d9811ca2872d47367b48767 with gcc (GCC) 8.1.0
kernel signature: da6a3b09654502f638789141b3fc8a0f8baaae93
all runs: crashed: BUG: corrupted list in nf_tables_commit
# git bisect bad c14376de3a1befa70d9811ca2872d47367b48767
Bisecting: 3620 revisions left to test after this (roughly 12 steps)
[a103950e0dd2058df5e8a8d4a915707bdcf205f0] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
testing commit a103950e0dd2058df5e8a8d4a915707bdcf205f0 with gcc (GCC) 8.1.0
kernel signature: 3e80cd258b263daf1eb6be0dbe100989f4f89b7d
all runs: OK
# git bisect good a103950e0dd2058df5e8a8d4a915707bdcf205f0
Bisecting: 1810 revisions left to test after this (roughly 11 steps)
[0542e13b5f5663ffdc18e0e028413b2cd09f426f] Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 0542e13b5f5663ffdc18e0e028413b2cd09f426f with gcc (GCC) 8.1.0
kernel signature: 857e1a345f10261b1b45eccb29d30852ecf71fa9
all runs: crashed: BUG: corrupted list in nf_tables_commit
# git bisect bad 0542e13b5f5663ffdc18e0e028413b2cd09f426f
Bisecting: 914 revisions left to test after this (roughly 10 steps)
[8a4816cad00bf14642f0ed6043b32d29a05006ce] tg3: Add Macronix NVRAM support
testing commit 8a4816cad00bf14642f0ed6043b32d29a05006ce with gcc (GCC) 8.1.0
kernel signature: c9fa584b8fb43e63f68e9a271f0ce7b4a91d2b83
all runs: OK
# git bisect good 8a4816cad00bf14642f0ed6043b32d29a05006ce
Bisecting: 498 revisions left to test after this (roughly 9 steps)
[e8a9d9683c8a62f917c19e57f1618363fb9ed04e] Merge branch 'bpf-libbpf-cleanups'
testing commit e8a9d9683c8a62f917c19e57f1618363fb9ed04e with gcc (GCC) 8.1.0
kernel signature: d7e440f6d8ed24cb9971bb3b418a6d71507b0d7a
all runs: crashed: general protection fault in nf_tables_flowtable_lookup
# git bisect bad e8a9d9683c8a62f917c19e57f1618363fb9ed04e
Bisecting: 207 revisions left to test after this (roughly 8 steps)
[4312782479fbf7c5efb9a6f19ad90f8d924055c1] net/mlx5e: IPoIB, Fix spelling mistake "functionts" -> "functions"
testing commit 4312782479fbf7c5efb9a6f19ad90f8d924055c1 with gcc (GCC) 8.1.0
kernel signature: f2f99c0e2e8963b58ef2798a35f949cff7830437
all runs: crashed: general protection fault in nf_tables_flowtable_lookup
# git bisect bad 4312782479fbf7c5efb9a6f19ad90f8d924055c1
Bisecting: 103 revisions left to test after this (roughly 7 steps)
[6b3d933000cbe539e5b234d639b083da60bb275c] netfilter: ipvs: Remove useless ipvsh param of frag_safe_skb_hp
testing commit 6b3d933000cbe539e5b234d639b083da60bb275c with gcc (GCC) 8.1.0
kernel signature: 9edb4917228fb8484abf354303cb839ef3975b5c
all runs: OK
# git bisect good 6b3d933000cbe539e5b234d639b083da60bb275c
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[f998b6b10144cd9809da6af02758615f789e8aa1] netfilter: ipset: Missing nfnl_lock()/nfnl_unlock() is added to ip_set_net_exit()
testing commit f998b6b10144cd9809da6af02758615f789e8aa1 with gcc (GCC) 8.1.0
kernel signature: 58aefe13e9887d412de941b7925528e757c84293
all runs: crashed: general protection fault in nf_tables_flowtable_lookup
# git bisect bad f998b6b10144cd9809da6af02758615f789e8aa1
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[12355d3670dac0dde5aae3deefb59f8cc0a9ed2a] netfilter: nf_tables_inet: don't use multihook infrastructure anymore
testing commit 12355d3670dac0dde5aae3deefb59f8cc0a9ed2a with gcc (GCC) 8.1.0
kernel signature: a32e335d34f6840ef2c864371312dcdd6d7380b9
all runs: OK
# git bisect good 12355d3670dac0dde5aae3deefb59f8cc0a9ed2a
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[f6931f5f5b713705c3cc91e4f9c222f2b181e2ef] netfilter: meta: secpath support
testing commit f6931f5f5b713705c3cc91e4f9c222f2b181e2ef with gcc (GCC) 8.1.0
kernel signature: 2b4ef4a46244cb456f7690c484fb7b14d06439ad
all runs: OK
# git bisect good f6931f5f5b713705c3cc91e4f9c222f2b181e2ef
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[97add9f0d66da9898da325f84e80533db9cc0ced] netfilter: flow table support for IPv4
testing commit 97add9f0d66da9898da325f84e80533db9cc0ced with gcc (GCC) 8.1.0
kernel signature: fd7a34b6a673972292953b6861d0fc9baee0b160
all runs: OK
# git bisect good 97add9f0d66da9898da325f84e80533db9cc0ced
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[a3c90f7a2323b331ae816d5b0633e68148e25d04] netfilter: nf_tables: flow offload expression
testing commit a3c90f7a2323b331ae816d5b0633e68148e25d04 with gcc (GCC) 8.1.0
kernel signature: 76b1a96a4a2fe6165615b66aa7c36e585413b853
all runs: crashed: general protection fault in nf_tables_flowtable_lookup
# git bisect bad a3c90f7a2323b331ae816d5b0633e68148e25d04
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7c23b629a8085b11daccd68c62b5116ff498f84a] netfilter: flow table support for the mixed IPv4/IPv6 family
testing commit 7c23b629a8085b11daccd68c62b5116ff498f84a with gcc (GCC) 8.1.0
kernel signature: 4f0edc0ef98809d7353fabbad3788066d725f778
all runs: crashed: general protection fault in nf_tables_flowtable_lookup
# git bisect bad 7c23b629a8085b11daccd68c62b5116ff498f84a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0995210753a26c4fa1a3d8c63cc230e22a8537cd] netfilter: flow table support for IPv6
testing commit 0995210753a26c4fa1a3d8c63cc230e22a8537cd with gcc (GCC) 8.1.0
kernel signature: 7093d0eb26f60dba3540e4f96ae3545cb7229765
all runs: OK
# git bisect good 0995210753a26c4fa1a3d8c63cc230e22a8537cd
7c23b629a8085b11daccd68c62b5116ff498f84a is the first bad commit
commit 7c23b629a8085b11daccd68c62b5116ff498f84a
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sun Jan 7 01:04:22 2018 +0100

    netfilter: flow table support for the mixed IPv4/IPv6 family
    
    This patch adds the IPv6 flow table type, that implements the datapath
    flow table to forward IPv6 traffic.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/net/netfilter/nf_flow_table.h   |  5 ++++
 net/ipv4/netfilter/nf_flow_table_ipv4.c |  3 ++-
 net/ipv6/netfilter/nf_flow_table_ipv6.c |  3 ++-
 net/netfilter/Kconfig                   |  8 ++++++
 net/netfilter/Makefile                  |  1 +
 net/netfilter/nf_flow_table_inet.c      | 48 +++++++++++++++++++++++++++++++++
 6 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 net/netfilter/nf_flow_table_inet.c
culprit signature: 4f0edc0ef98809d7353fabbad3788066d725f778
parent  signature: 7093d0eb26f60dba3540e4f96ae3545cb7229765
revisions tested: 26, total time: 5h12m13.731950542s (build: 2h36m30.399102815s, test: 2h33m29.119563348s)
first bad commit: 7c23b629a8085b11daccd68c62b5116ff498f84a netfilter: flow table support for the mixed IPv4/IPv6 family
cc: ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@blackhole.kfki.hu" "kuznet@ms2.inr.ac.ru" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org" "yoshfuji@linux-ipv6.org"]
crash: general protection fault in nf_tables_flowtable_lookup
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
device veth0_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
device veth0_vlan entered promiscuous mode
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
device veth0_vlan entered promiscuous mode
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
Modules linked in:
CPU: 0 PID: 7476 Comm: syz-executor.3 Not tainted 4.15.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nla_strcmp+0x30/0xe0 lib/nlattr.c:402
RSP: 0018:ffff880096abf5a0 EFLAGS: 00010246
RAX: 0000000000000004 RBX: ffff8800a36f84c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: ffff8800a6698a40 RDI: ffff8800a6698a40
RBP: ffff880096abf5d0 R08: ffff880096abf6f0 R09: ffff880099dbae80
R10: ffffffff883c5660 R11: ffff880096abf718 R12: 0000000000000000
R13: ffff8800a6698a40 R14: 0000000000000000 R15: 0000000000000001
FS:  00007f568dbac700(0000) GS:ffff8800aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000960004 CR3: 00000000917ba000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 nf_tables_flowtable_lookup+0x66/0xf0 net/netfilter/nf_tables_api.c:4920
 nf_tables_delflowtable+0x190/0x650 net/netfilter/nf_tables_api.c:5223
 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:394 [inline]
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:495 [inline]
 nfnetlink_rcv+0x8b2/0x1850 net/netfilter/nfnetlink.c:513
 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
 netlink_unicast+0x447/0x670 net/netlink/af_netlink.c:1334
 netlink_sendmsg+0x8c3/0xe80 net/netlink/af_netlink.c:1897
 sock_sendmsg_nosec net/socket.c:628 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:638
 ___sys_sendmsg+0x66b/0x9a0 net/socket.c:2018
 __sys_sendmsg+0xd6/0x220 net/socket.c:2052
 SYSC_sendmsg net/socket.c:2063 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2059
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x45aff9
RSP: 002b:00007f568dbabc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f568dbac700 RCX: 000000000045aff9
RDX: 0000000000000042 RSI: 0000000020003ac0 RDI: 0000000000000003
RBP: 00007fffec31fba0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffec31fa3f R14: 00007f568dbac9c0 R15: 000000000075bf2c
Code: 57 41 56 41 55 49 89 f5 41 54 49 89 fc 48 89 f7 53 48 83 ec 08 e8 b1 ec f0 03 4c 89 e1 48 ba 00 00 00 00 00 fc ff df 48 c1 e9 03 <0f> b6 0c 11 4c 89 e2 83 e2 07 83 c2 01 38 ca 7c 04 84 c9 75 69 
RIP: nla_strcmp+0x30/0xe0 lib/nlattr.c:402 RSP: ffff880096abf5a0
---[ end trace 9196319c1e2ea15a ]---