bisecting cause commit starting from d887ae3247e022183f244cb325dca1dfbd0a9ed0
building syzkaller on 744a39e220cece33e207035facce6c5ae161b775
testing commit d887ae3247e022183f244cb325dca1dfbd0a9ed0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: af494809536d54ede2cb03be2890eb624a8e5ec36b6b99fdfa359f33717e0824
all runs: crashed: UBSAN: array-index-out-of-bounds in nfnetlink_unbind
testing release v5.17
testing commit f443e374ae131c168a065ea1748feac6b2e76613
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ecf9cd2473f2dc3230de9dc5f050a9d9e083706153e8478f20f4bfc93955614c
all runs: OK
# git bisect start d887ae3247e022183f244cb325dca1dfbd0a9ed0 f443e374ae131c168a065ea1748feac6b2e76613
Bisecting: 8195 revisions left to test after this (roughly 13 steps)
[b14ffae378aa1db993e62b01392e70d1e585fb23] Merge tag 'drm-next-2022-03-24' of git://anongit.freedesktop.org/drm/drm

testing commit b14ffae378aa1db993e62b01392e70d1e585fb23
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dca79c76583c7ad3c3da4819719e8702b30f7fe48f271b21863c204688596d9f
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good b14ffae378aa1db993e62b01392e70d1e585fb23
Bisecting: 4058 revisions left to test after this (roughly 12 steps)
[95124339875c8d9c092eb2fa3993e4751e1be48d] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

testing commit 95124339875c8d9c092eb2fa3993e4751e1be48d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d1db7fefc94d17e6c95e9aca9991f355b060b5b4b53556443b2bc07b41b28aa1
all runs: OK
# git bisect good 95124339875c8d9c092eb2fa3993e4751e1be48d
Bisecting: 2019 revisions left to test after this (roughly 11 steps)
[249aca0d3d631660aa3583c6a3559b75b6e971b4] Merge tag 'net-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

testing commit 249aca0d3d631660aa3583c6a3559b75b6e971b4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8f626db94be5f6f632a09f459b41ae197779c9268c8161dd8d78c4168fb7b02a
all runs: OK
# git bisect good 249aca0d3d631660aa3583c6a3559b75b6e971b4
Bisecting: 953 revisions left to test after this (roughly 10 steps)
[f43f0cd2d9b07caf38d744701b0b54d4244da8cc] Merge tag 'wireless-next-2022-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next

testing commit f43f0cd2d9b07caf38d744701b0b54d4244da8cc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2b2c6152d25ea7af5869e0d1cf3297fb4a882eb8e0f3b82892e24e198af6f2da
all runs: OK
# git bisect good f43f0cd2d9b07caf38d744701b0b54d4244da8cc
Bisecting: 476 revisions left to test after this (roughly 9 steps)
[05a8d7d4fadfc0ab65c6e8d81f8a02484d8db116] mlxsw: spectrum: Update a comment

testing commit 05a8d7d4fadfc0ab65c6e8d81f8a02484d8db116
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ab8a0a2e9ad33aa2de70cda0fea90331e26959e5af9c6625230bb4f3a2a16084
all runs: OK
# git bisect good 05a8d7d4fadfc0ab65c6e8d81f8a02484d8db116
Bisecting: 255 revisions left to test after this (roughly 8 steps)
[f3f19f939c11925dadd3f4776f99f8c278a7017b] Merge tag 'net-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

testing commit f3f19f939c11925dadd3f4776f99f8c278a7017b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f33a5f4d87c022f43d9188c9dde414d0c1fe26756a0132091dd516d57daadee8
all runs: OK
# git bisect good f3f19f939c11925dadd3f4776f99f8c278a7017b
Bisecting: 127 revisions left to test after this (roughly 7 steps)
[f4826443f4d69d2c97c184952c085caf0936a7b8] mlxbf_gige: remove driver-managed interrupt counts

testing commit f4826443f4d69d2c97c184952c085caf0936a7b8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c4e1b0c0ea8d2f6cf91c9787a77dfd13681ef376ae21d308ca69313fb0f925c7
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good f4826443f4d69d2c97c184952c085caf0936a7b8
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[d9713088158b23973266e07fdc85ff7d68791a8c] ice: Expose RSS indirection tables for queue groups via ethtool

testing commit d9713088158b23973266e07fdc85ff7d68791a8c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 05932f444d575bb89e15473f7418dbc10a7dc0e02dbd064b102aadb27be085e8
all runs: OK
# git bisect good d9713088158b23973266e07fdc85ff7d68791a8c
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[80e425b613421911f89664663a7060216abcaed2] ipv6: Add hop-by-hop header to jumbograms in ip6_output

testing commit 80e425b613421911f89664663a7060216abcaed2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fe7ce8df3ed8b830d822e1110540c09b3aab2f2580cd20a246ecdfc64d887746
all runs: crashed: UBSAN: array-index-out-of-bounds in nfnetlink_unbind
# git bisect bad 80e425b613421911f89664663a7060216abcaed2
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[3412e16418286bdc12561827cbd22f94cb8af5e1] netfilter: flowtable: nft_flow_route use more data for reverse route

testing commit 3412e16418286bdc12561827cbd22f94cb8af5e1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3d6f4eba0284471d6ad6ba181fddbd014240e6b98b43e0f10fb346863a764172
all runs: crashed: UBSAN: array-index-out-of-bounds in nfnetlink_unbind
# git bisect bad 3412e16418286bdc12561827cbd22f94cb8af5e1
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[ace53fdc262fa6751acd3d61f3236f84ae3340f1] netfilter: conntrack: remove __nf_ct_unconfirmed_destroy

testing commit ace53fdc262fa6751acd3d61f3236f84ae3340f1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f714f3955db18529e2ad02fa8081fa33027728a35961384a958fd03b63336a6e
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good ace53fdc262fa6751acd3d61f3236f84ae3340f1
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2794cdb0b97bfe62d25c996c8afe4832207e78bc] netfilter: nfnetlink: allow to detect if ctnetlink listeners exist

testing commit 2794cdb0b97bfe62d25c996c8afe4832207e78bc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 471d88c61c01fcebbe5ec1646d77b51c5e40d46a6895f845cd3d0e9df565f012
all runs: crashed: UBSAN: array-index-out-of-bounds in nfnetlink_unbind
# git bisect bad 2794cdb0b97bfe62d25c996c8afe4832207e78bc
Bisecting: 1 revision left to test after this (roughly 1 step)
[0bcfbafbcd345f285db0c3788e6359ceac6a008c] netfilter: conntrack: avoid unconditional local_bh_disable

testing commit 0bcfbafbcd345f285db0c3788e6359ceac6a008c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e8e11b10c47083dcbac7b0d29b68d327f48220bec98f77208110a2985bc3eb9a
all runs: OK
# git bisect good 0bcfbafbcd345f285db0c3788e6359ceac6a008c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8169ff584003c871a226719e998bb034231954d6] netfilter: conntrack: add nf_ct_iter_data object for nf_ct_iterate_cleanup*()

testing commit 8169ff584003c871a226719e998bb034231954d6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b97889a0fd5fff83791001893774b4ed088401da0b159eda6be3cca8e535c30f
all runs: OK
# git bisect good 8169ff584003c871a226719e998bb034231954d6
2794cdb0b97bfe62d25c996c8afe4832207e78bc is the first bad commit
commit 2794cdb0b97bfe62d25c996c8afe4832207e78bc
Author: Florian Westphal <fw@strlen.de>
Date:   Mon Apr 25 15:15:41 2022 +0200

    netfilter: nfnetlink: allow to detect if ctnetlink listeners exist
    
    At this time, every new conntrack gets the 'event cache extension'
    enabled for it.
    
    This is because the 'net.netfilter.nf_conntrack_events' sysctl defaults
    to 1.
    
    Changing the default to 0 means that commands that rely on the event
    notification extension, e.g. 'conntrack -E' or conntrackd, stop working.
    
    We COULD detect if there is a listener by means of
    'nfnetlink_has_listeners()' and only add the extension if this is true.
    
    The downside is a dependency from conntrack module to nfnetlink module.
    
    This adds a different way: inc/dec a counter whenever a ctnetlink group
    is being (un)subscribed and toggle a flag in struct net.
    
    Next patches will take advantage of this and will only add the event
    extension if the flag is set.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/net/netns/conntrack.h |  1 +
 net/netfilter/nfnetlink.c     | 40 +++++++++++++++++++++++++++++++++++++---
 2 files changed, 38 insertions(+), 3 deletions(-)

culprit signature: 471d88c61c01fcebbe5ec1646d77b51c5e40d46a6895f845cd3d0e9df565f012
parent  signature: b97889a0fd5fff83791001893774b4ed088401da0b159eda6be3cca8e535c30f
revisions tested: 16, total time: 3h37m54.059066469s (build: 1h38m41.960212789s, test: 1h57m35.501894119s)
first bad commit: 2794cdb0b97bfe62d25c996c8afe4832207e78bc netfilter: nfnetlink: allow to detect if ctnetlink listeners exist
recipients (to): ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "fw@strlen.de" "kadlec@netfilter.org" "kuba@kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pabeni@redhat.com" "pablo@netfilter.org" "pablo@netfilter.org"]
recipients (cc): ["ali.abdallah@suse.com" "linux-kernel@vger.kernel.org" "ozsh@nvidia.com" "paulb@nvidia.com"]
crash: UBSAN: array-index-out-of-bounds in nfnetlink_unbind
================================================================================
UBSAN: array-index-out-of-bounds in net/netfilter/nfnetlink.c:697:28
index 10 is out of range for type 'int [10]'
CPU: 0 PID: 4082 Comm: syz-executor.0 Not tainted 5.18.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 ubsan_epilogue+0x5/0x36 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds.cold+0x43/0x48 lib/ubsan.c:283
 nfnetlink_unbind+0x296/0x2c0 net/netfilter/nfnetlink.c:697
 netlink_release+0x889/0x17c0 net/netlink/af_netlink.c:773
 __sock_release+0xbb/0x270 net/socket.c:650
 sock_close+0xf/0x20 net/socket.c:1318
 __fput+0x1f5/0x8c0 fs/file_table.c:317
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f7cb723bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffd8e868f60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f7cb723bd2b
RDX: 00007f7cb73a0178 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 00007f7cb739d960 R08: 0000000000000000 R09: 00007f7cb73a0180
R10: 00007ffd8e869060 R11: 0000000000000293 R12: 0000000000012071
R13: 00007ffd8e869060 R14: 00007f7cb739bf60 R15: 0000000000000032
 </TASK>
================================================================================