bisecting fixing commit since 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0
building syzkaller on 3de7aabbb79a6c2267f5d7ee8a8aaa83f63305b7
testing commit 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 with gcc (GCC) 8.1.0
kernel signature: c05d2259f4ec3607250e5c503a6a29c4beafbc0cabf96c5aa456cfc1ee5c86d7
all runs: crashed: WARNING in nf_tables_table_destroy
testing current HEAD 2019fc96af228b412bdb2e8e0ad4b1fc12046a51
testing commit 2019fc96af228b412bdb2e8e0ad4b1fc12046a51 with gcc (GCC) 8.1.0
kernel signature: 4f10228af35e956e023b796288fb9095b6429636df44236c8ee908f64242455a
all runs: OK
# git bisect start 2019fc96af228b412bdb2e8e0ad4b1fc12046a51 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0
Bisecting: 6137 revisions left to test after this (roughly 13 steps)
[f67ef446291a09114f979a129fa42a859c5eb595] fs/binfmt_elf.c: fix ->start_code calculation
testing commit f67ef446291a09114f979a129fa42a859c5eb595 with gcc (GCC) 8.1.0
kernel signature: 5c6324d8241a67770a8bf9182ea875ffdad10fe7518bd76ba60d7eae38816216
all runs: OK
# git bisect bad f67ef446291a09114f979a129fa42a859c5eb595
Bisecting: 2267 revisions left to test after this (roughly 12 steps)
[bd2463ac7d7ec51d432f23bf0e893fb371a908cd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit bd2463ac7d7ec51d432f23bf0e893fb371a908cd with gcc (GCC) 8.1.0
kernel signature: 860a495045de00c2d2f3e6c9eaaff8e9bb6dd047461dae2af0e3a66de9473578
all runs: OK
# git bisect bad bd2463ac7d7ec51d432f23bf0e893fb371a908cd
Bisecting: 1928 revisions left to test after this (roughly 11 steps)
[81a046b18b331ed6192e6fd9ff6d12a1f18058cf] Merge tag 'for-5.6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit 81a046b18b331ed6192e6fd9ff6d12a1f18058cf with gcc (GCC) 8.1.0
kernel signature: 0950bcbb0efc8184b518fee765ede8ffc193bceda9bbc36b09c194da08614d94
all runs: OK
# git bisect bad 81a046b18b331ed6192e6fd9ff6d12a1f18058cf
Bisecting: 979 revisions left to test after this (roughly 10 steps)
[715d1285695382b5074e49a0fe475b9ba56a1101] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/livepatching/livepatching
testing commit 715d1285695382b5074e49a0fe475b9ba56a1101 with gcc (GCC) 8.1.0
kernel signature: affe8279a7931aaaeea452ac811a14e4595df99c5c70923b425f5e2c8f52c8fb
all runs: OK
# git bisect bad 715d1285695382b5074e49a0fe475b9ba56a1101
Bisecting: 479 revisions left to test after this (roughly 9 steps)
[457bfc0a4bf531487ecc3cf82ec728a5e114fb1e] net: fsl/fman: rename IF_MODE_XGMII to IF_MODE_10G
testing commit 457bfc0a4bf531487ecc3cf82ec728a5e114fb1e with gcc (GCC) 8.1.0
kernel signature: 850d669b49895e2881a3cc9ed6282811b41ac6e62ded149d808640004c311f57
all runs: crashed: WARNING in nf_tables_table_destroy
# git bisect good 457bfc0a4bf531487ecc3cf82ec728a5e114fb1e
Bisecting: 239 revisions left to test after this (roughly 8 steps)
[189fc98efe59b9b0a49a4f29ee3d91eeded4e4d4] Merge tag 'tpmdd-next-20200122' of git://git.infradead.org/users/jjs/linux-tpmdd
testing commit 189fc98efe59b9b0a49a4f29ee3d91eeded4e4d4 with gcc (GCC) 8.1.0
kernel signature: 0edf8f9c1abec9d6aa5f34d882720fca93f10efbab74b8b0f5ce0af850486e3e
all runs: OK
# git bisect bad 189fc98efe59b9b0a49a4f29ee3d91eeded4e4d4
Bisecting: 99 revisions left to test after this (roughly 7 steps)
[84809aaf78b5b4c2e6478dc6121a1c8fb439a024] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 84809aaf78b5b4c2e6478dc6121a1c8fb439a024 with gcc (GCC) 8.1.0
kernel signature: a86314a17cdc422a6bc806df0d18a9d1fd783cdf640a20537ccc16c2abfd05af
all runs: OK
# git bisect bad 84809aaf78b5b4c2e6478dc6121a1c8fb439a024
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[6381b442836ea3c52eae630b10be8c27c7a17af2] Merge tag 'iommu-fixes-v5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
testing commit 6381b442836ea3c52eae630b10be8c27c7a17af2 with gcc (GCC) 8.1.0
kernel signature: 82a46543c54fa336f5bfb47a4af225983284659c2dde8d9bdfc0f8b3d66e4f1b
all runs: crashed: WARNING in nf_tables_table_destroy
# git bisect good 6381b442836ea3c52eae630b10be8c27c7a17af2
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[722943a54de95343c97c2a9ad658253393632f97] Merge tag 'mlx5-fixes-2020-01-24' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 722943a54de95343c97c2a9ad658253393632f97 with gcc (GCC) 8.1.0
kernel signature: f4177ac758fa7bb764cd7174770fde35911d15a8b9efb181744b82225d7e28d4
all runs: crashed: WARNING in nf_tables_table_destroy
# git bisect good 722943a54de95343c97c2a9ad658253393632f97
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[93d1a05ea6b29737715769e2c9551cfe8a5fef22] Merge tag 'pinctrl-v5.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 93d1a05ea6b29737715769e2c9551cfe8a5fef22 with gcc (GCC) 8.1.0
kernel signature: 9e3c0facc3b34fe02125e792cd7d62765800b38348f4efd73644a7e1b4c68ff8
all runs: crashed: WARNING in nf_tables_table_destroy
# git bisect good 93d1a05ea6b29737715769e2c9551cfe8a5fef22
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[f041eadad7504b1364274494548b9716b2ed59ac] Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit f041eadad7504b1364274494548b9716b2ed59ac with gcc (GCC) 8.1.0
kernel signature: e78b921aeeb3998e61b83ada7ea68b2daf70f63a4e1f2179f81adcfeaf75db6a
all runs: crashed: WARNING in nf_tables_table_destroy
# git bisect good f041eadad7504b1364274494548b9716b2ed59ac
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[826035498ec14b77b62a44f0cb6b94d45530db6f] netfilter: nf_tables: add __nft_chain_type_get()
testing commit 826035498ec14b77b62a44f0cb6b94d45530db6f with gcc (GCC) 8.1.0
kernel signature: 5a133bf62e30baa42d082c9a7d4e939cceaee0ccd710560bef3a99ca69256e8e
all runs: crashed: WARNING in nf_tables_table_destroy
# git bisect good 826035498ec14b77b62a44f0cb6b94d45530db6f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[189c9b1e94539b11c80636bc13e9cf47529e7bba] net: Fix skb->csum update in inet_proto_csum_replace16().
testing commit 189c9b1e94539b11c80636bc13e9cf47529e7bba with gcc (GCC) 8.1.0
kernel signature: 917f0de236bba2d16a80b38bc65e1cb8a191ff5d5d4bb088b03a3cb2034d5a5e
all runs: OK
# git bisect bad 189c9b1e94539b11c80636bc13e9cf47529e7bba
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[eb014de4fd418de1a277913cba244e47274fe392] netfilter: nf_tables: autoload modules from the abort path
testing commit eb014de4fd418de1a277913cba244e47274fe392 with gcc (GCC) 8.1.0
kernel signature: f49e92a2c411e8c9f96229f6c42db2552f3ef4b2bd47114870822ad32ecdcd0e
all runs: OK
# git bisect bad eb014de4fd418de1a277913cba244e47274fe392
eb014de4fd418de1a277913cba244e47274fe392 is the first bad commit
commit eb014de4fd418de1a277913cba244e47274fe392
Author: Pablo Neira Ayuso
Date: Tue Jan 21 16:48:03 2020 +0100

    netfilter: nf_tables: autoload modules from the abort path

    This patch introduces a list of pending module requests. This new module list is composed of nft_module_request objects that contain the module name and one status field that tells if the module has been already loaded (the 'done' field).

    In the first pass, from the preparation phase, the netlink command finds that a module is missing on this list. Then, a module request is allocated and added to this list and nft_request_module() returns -EAGAIN. This triggers the abort path with the autoload parameter set on from nfnetlink, request_module() is called and the module request enters the 'done' state. Since the mutex is released when loading modules from the abort phase, the module list is zapped so this is iteration occurs over a local list. Therefore, the request_module() calls happen when object lists are in consistent state (after fulling aborting the transaction) and the commit list is empty.

    On the second pass, the netlink command will find that it already tried to load the module, so it does not request it again and nft_request_module() returns 0. Then, there is a look up to find the object that the command was missing. If the module was successfully loaded, the command proceeds normally since it finds the missing object in place, otherwise -ENOENT is reported to userspace.

    This patch also updates nfnetlink to include the reason to enter the abort phase, which is required for this new autoload module rationale.

    Fixes: ec7470b834fe ("netfilter: nf_tables: store transaction list locally while requesting module")
    Reported-by: syzbot+29125d208b3dae9a7019@syzkaller.appspotmail.com
    Signed-off-by: Pablo Neira Ayuso

 include/linux/netfilter/nfnetlink.h | 2 +-
 include/net/netns/nftables.h | 1 +
 net/netfilter/nf_tables_api.c | 126 ++++++++++++++++++++++++------------
 net/netfilter/nfnetlink.c | 6 +-
 4 files changed, 91 insertions(+), 44 deletions(-)
culprit signature: f49e92a2c411e8c9f96229f6c42db2552f3ef4b2bd47114870822ad32ecdcd0e
parent signature: 5a133bf62e30baa42d082c9a7d4e939cceaee0ccd710560bef3a99ca69256e8e
revisions tested: 16, total time: 3h56m53.493831737s (build: 1h48m17.280042183s, test: 2h7m8.78375495s)
first good commit: eb014de4fd418de1a277913cba244e47274fe392 netfilter: nf_tables: autoload modules from the abort path
cc: ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@netfilter.org" "kuba@kernel.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org"]