bisecting cause commit starting from 0f4b9289bad354b606190a4cd54d5222b4e41d98 building syzkaller on e2776ee417c18d6e0056b058f3b6055f65206ee9 testing commit 0f4b9289bad354b606190a4cd54d5222b4e41d98 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 0a641ecef380eb29009b18cc94575bfeecb6dc7f04f685f945ac051020372b2d run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: crashed: KASAN: use-after-free Read in nft_table_lookup run #4: crashed: KASAN: use-after-free Read in nft_table_lookup run #5: crashed: KASAN: use-after-free Read in nft_table_lookup run #6: crashed: KASAN: use-after-free Read in nf_tables_dump_sets run #7: crashed: KASAN: use-after-free Read in nft_table_lookup run #8: crashed: KASAN: use-after-free Read in nft_table_lookup run #9: crashed: KASAN: use-after-free Read in nft_table_lookup run #10: crashed: KASAN: use-after-free Read in nft_table_lookup run #11: crashed: KASAN: use-after-free Read in nft_table_lookup run #12: crashed: KASAN: use-after-free Read in nf_tables_dump_sets run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: boot failed: KFENCE: use-after-free in kvm_fastop_exception testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: c7a96685f36d300f914d643ce230ea254f68b922997290f143876a9044cd0b7f run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: crashed: KASAN: use-after-free Read in nft_table_lookup run #4: crashed: KASAN: use-after-free Read in nft_table_lookup run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b5d274b52bcc0c809a9de98a5c5034fb82c544d94c7d707de28ff39e24a9d9d8 run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: c1c1ef54def5ac0ec34783402860c35c727be3178da1dd118b8273681292a4aa run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: crashed: KASAN: use-after-free Read in nft_table_lookup run #4: crashed: KASAN: use-after-free Read in nft_table_lookup run #5: crashed: KASAN: use-after-free Read in nft_table_lookup run #6: crashed: KASAN: use-after-free Read in nft_table_lookup run #7: crashed: KASAN: use-after-free Read in nft_table_lookup run #8: crashed: KASAN: use-after-free Read in nft_table_lookup run #9: crashed: KASAN: use-after-free Read in nft_table_lookup run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: c1e8683e9c5c6488f263e31c0325ac55e2047bfb239e72e013e7e241b391e84d all runs: OK # git bisect start 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 f40ddce88593482919761f74910f42f4b84c004b Bisecting: 6798 revisions left to test after this (roughly 13 steps) [d99676af540c2dc829999928fb81c58c80a1dce4] Merge tag 'drm-next-2021-02-19' of git://anongit.freedesktop.org/drm/drm testing commit d99676af540c2dc829999928fb81c58c80a1dce4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5ed5cd300fc04c7c2a7b845b9ea8ef06294ec0a3f1f6a496d97f46030d6f32cd run #0: basic kernel testing failed: WARNING in kvm_wait run #1: basic kernel testing failed: WARNING in kvm_wait run #2: crashed: WARNING in kvm_wait run #3: crashed: WARNING in kvm_wait run #4: crashed: WARNING in kvm_wait run #5: crashed: WARNING in kvm_wait run #6: boot failed: WARNING in kvm_wait run #7: boot failed: WARNING in kvm_wait run #8: boot failed: WARNING in kvm_wait run #9: boot failed: WARNING in kvm_wait run #10: boot failed: WARNING in kvm_wait run #11: boot failed: WARNING in kvm_wait run #12: boot failed: WARNING in kvm_wait run #13: boot failed: WARNING in kvm_wait run #14: boot failed: WARNING in kvm_wait run #15: boot failed: WARNING in kvm_wait run #16: boot failed: WARNING in kvm_wait run #17: boot failed: WARNING in kvm_wait run #18: boot failed: WARNING in kvm_wait run #19: boot failed: WARNING in kvm_wait # git bisect bad d99676af540c2dc829999928fb81c58c80a1dce4 Bisecting: 3717 revisions left to test after this (roughly 12 steps) [f9d58de23152f2c16f326d7e014cfa2933b00304] Merge tag 'affs-for-5.12-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit f9d58de23152f2c16f326d7e014cfa2933b00304 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 9887796f28a2407aedd472334d68e9ad0f620acc86275b4e56999afcf557a547 run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: crashed: KASAN: use-after-free Read in nft_table_lookup run #4: crashed: KASAN: use-after-free Read in nft_table_lookup run #5: crashed: KASAN: use-after-free Read in nft_table_lookup run #6: crashed: KASAN: use-after-free Read in nft_table_lookup run #7: crashed: KASAN: use-after-free Read in nft_table_lookup run #8: OK run #9: crashed: KASAN: use-after-free Read in nft_table_lookup run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad f9d58de23152f2c16f326d7e014cfa2933b00304 Bisecting: 1819 revisions left to test after this (roughly 11 steps) [b8af417e4d93caeefb89bbfbd56ec95dedd8dab5] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit b8af417e4d93caeefb89bbfbd56ec95dedd8dab5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: dde7a1e0cbbe8e4c5204d934cd2ac7b7c553844e9f5822e9ba07aa5187900bb1 all runs: OK # git bisect good b8af417e4d93caeefb89bbfbd56ec95dedd8dab5 Bisecting: 948 revisions left to test after this (roughly 10 steps) [82851fce6107d5a3e66d95aee2ae68860a732703] Merge tag 'arm-dt-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 82851fce6107d5a3e66d95aee2ae68860a732703 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 11768579315301e6d2ba04ab99009cd56010bbd0887caa26ba9ecc2b8b936159 run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: crashed: KASAN: use-after-free Read in nft_table_lookup run #4: crashed: KASAN: use-after-free Read in nft_table_lookup run #5: crashed: KASAN: use-after-free Read in nft_table_lookup run #6: crashed: KASAN: use-after-free Read in nft_table_lookup run #7: crashed: KASAN: use-after-free Read in nft_table_lookup run #8: crashed: KASAN: use-after-free Read in nft_table_lookup run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 82851fce6107d5a3e66d95aee2ae68860a732703 Bisecting: 431 revisions left to test after this (roughly 9 steps) [b7976dcf363be984b8a33242f8e6b3b196f9c329] Merge tag 'qcom-dts-for-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into arm/dt testing commit b7976dcf363be984b8a33242f8e6b3b196f9c329 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 56834dfbf963e4efa450d4cfb69db4434dc8ffc18c326e0ff30cf77981976458 all runs: OK # git bisect good b7976dcf363be984b8a33242f8e6b3b196f9c329 Bisecting: 189 revisions left to test after this (roughly 8 steps) [56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b] Merge tag 'arm-defconfig-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 11768579315301e6d2ba04ab99009cd56010bbd0887caa26ba9ecc2b8b936159 run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: crashed: KASAN: use-after-free Read in nft_table_lookup run #4: crashed: KASAN: use-after-free Read in nft_table_lookup run #5: crashed: KASAN: use-after-free Read in nft_table_lookup run #6: crashed: KASAN: use-after-free Read in nft_table_lookup run #7: crashed: KASAN: use-after-free Read in nft_table_lookup run #8: crashed: KASAN: use-after-free Read in nft_table_lookup run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 56bf6fc266ca14d2b9276c8a62e4ff6783bfe68b Bisecting: 120 revisions left to test after this (roughly 7 steps) [797d3186544fcd5bfd7a03b9ef3e20c1db3802b8] ptp: ptp_clockmatrix: Add wait_for_sys_apll_dpll_lock. testing commit 797d3186544fcd5bfd7a03b9ef3e20c1db3802b8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: e2a08ad11c4beda8f10182ba81a634056ec6d839ae30ef285eba412a4806314c run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: crashed: KASAN: use-after-free Read in nft_table_lookup run #4: crashed: KASAN: use-after-free Read in nft_table_lookup run #5: crashed: KASAN: use-after-free Read in nft_table_lookup run #6: crashed: KASAN: use-after-free Read in nft_table_lookup run #7: crashed: KASAN: use-after-free Read in nft_table_lookup run #8: crashed: KASAN: use-after-free Read in nft_table_lookup run #9: crashed: KASAN: use-after-free Read in nft_table_lookup run #10: crashed: KASAN: use-after-free Read in nft_table_lookup run #11: crashed: KASAN: use-after-free Read in nft_table_lookup run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 797d3186544fcd5bfd7a03b9ef3e20c1db3802b8 Bisecting: 61 revisions left to test after this (roughly 6 steps) [3af409ca278d4a8d50e91f9f7c4c33b175645cf3] net: enetc: fix destroyed phylink dereference during unbind testing commit 3af409ca278d4a8d50e91f9f7c4c33b175645cf3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 61f53985708784fa6e7e0a157e2f866c88c40a25aeeedcf2d8e162259d5e7a7f all runs: OK # git bisect good 3af409ca278d4a8d50e91f9f7c4c33b175645cf3 Bisecting: 33 revisions left to test after this (roughly 5 steps) [18af77c50fede5b3fc22aa9f0a9b255a5c5285c9] drivers: net: xilinx_emaclite: remove arch limitation testing commit 18af77c50fede5b3fc22aa9f0a9b255a5c5285c9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 402151f12a53c78048b58924945c13b391fd77bad2d0283537df373395f87637 all runs: OK # git bisect good 18af77c50fede5b3fc22aa9f0a9b255a5c5285c9 Bisecting: 16 revisions left to test after this (roughly 4 steps) [c544fcb4cbae77f7c6106c5e12c39c7c52f4de00] Merge branch 'broadcom-next' testing commit c544fcb4cbae77f7c6106c5e12c39c7c52f4de00 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bf9c2118f6aece776faec3999c7c04476a98282f0f2d8be913fb175831a39291 all runs: OK # git bisect good c544fcb4cbae77f7c6106c5e12c39c7c52f4de00 Bisecting: 7 revisions left to test after this (roughly 3 steps) [32511f8e498045a82f603454b21b34ad892a79c6] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next testing commit 32511f8e498045a82f603454b21b34ad892a79c6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: e2a08ad11c4beda8f10182ba81a634056ec6d839ae30ef285eba412a4806314c run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: crashed: KASAN: use-after-free Read in nft_table_lookup run #3: crashed: KASAN: use-after-free Read in nft_table_lookup run #4: crashed: KASAN: use-after-free Read in nft_table_lookup run #5: crashed: KASAN: use-after-free Read in nft_table_lookup run #6: crashed: KASAN: use-after-free Read in nft_table_lookup run #7: crashed: KASAN: use-after-free Read in nft_table_lookup run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 32511f8e498045a82f603454b21b34ad892a79c6 Bisecting: 4 revisions left to test after this (roughly 2 steps) [597565556581d59641c0be50acaae87f7391a91b] net: mscc: ocelot: select PACKING in the Kconfig testing commit 597565556581d59641c0be50acaae87f7391a91b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: fc643f63bcff55a38be2f40a2dbb8c50229490844275504ea5045c24cb9ac010 all runs: OK # git bisect good 597565556581d59641c0be50acaae87f7391a91b Bisecting: 2 revisions left to test after this (roughly 1 step) [00dfe9bebdf09c37827fb71db89c66a396f1a38c] netfilter: nftables: add helper function to release hooks of one single table testing commit 00dfe9bebdf09c37827fb71db89c66a396f1a38c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a5020db6ee001a226556071d079a46ea9668f2d80efc428d1f741e07e341299d all runs: OK # git bisect good 00dfe9bebdf09c37827fb71db89c66a396f1a38c Bisecting: 1 revision left to test after this (roughly 1 step) [6001a930ce0378b62210d4f83583fc88a903d89d] netfilter: nftables: introduce table ownership testing commit 6001a930ce0378b62210d4f83583fc88a903d89d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 76e4ea34d581f875d247f28823226bdce9fcee7d697f8c2c5dc1eff26235a41c run #0: crashed: KASAN: use-after-free Read in nft_table_lookup run #1: crashed: KASAN: use-after-free Read in nft_table_lookup run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: KASAN: use-after-free Read in nft_table_lookup run #10: OK run #11: OK run #12: OK run #13: OK run #14: crashed: KASAN: use-after-free Read in nft_table_lookup run #15: crashed: KASAN: use-after-free Read in nft_table_lookup run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 6001a930ce0378b62210d4f83583fc88a903d89d 6001a930ce0378b62210d4f83583fc88a903d89d is the first bad commit commit 6001a930ce0378b62210d4f83583fc88a903d89d Author: Pablo Neira Ayuso Date: Mon Feb 15 12:28:07 2021 +0100 netfilter: nftables: introduce table ownership A userspace daemon like firewalld might need to monitor for netlink updates to detect its ruleset removal by the (global) flush ruleset command to ensure ruleset persistency. This adds extra complexity from userspace and, for some little time, the firewall policy is not in place. This patch adds the NFT_TABLE_F_OWNER flag which allows a userspace program to own the table that creates in exclusivity. Tables that are owned... - can only be updated and removed by the owner, non-owners hit EPERM if they try to update it or remove it. - are destroyed when the owner closes the netlink socket or the process is gone (implicit netlink socket closure). - are skipped by the global flush ruleset command. - are listed in the global ruleset. The userspace process that sets on the NFT_TABLE_F_OWNER flag need to leave open the netlink socket. A new NFTA_TABLE_OWNER netlink attribute specifies the netlink port ID to identify the owner from userspace. This patch also updates error reporting when an unknown table flag is specified to change it from EINVAL to EOPNOTSUPP given that EINVAL is usually reserved to report for malformed netlink messages to userspace. Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nf_tables.h | 6 ++ include/uapi/linux/netfilter/nf_tables.h | 5 + net/netfilter/nf_tables_api.c | 163 ++++++++++++++++++++++--------- 3 files changed, 128 insertions(+), 46 deletions(-) culprit signature: 76e4ea34d581f875d247f28823226bdce9fcee7d697f8c2c5dc1eff26235a41c parent signature: a5020db6ee001a226556071d079a46ea9668f2d80efc428d1f741e07e341299d Reproducer flagged being flaky revisions tested: 19, total time: 5h5m31.187653091s (build: 2h2m16.473417122s, test: 3h0m58.841452673s) first bad commit: 6001a930ce0378b62210d4f83583fc88a903d89d netfilter: nftables: introduce table ownership recipients (to): ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@netfilter.org" "kuba@kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org" "pablo@netfilter.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in nft_table_lookup ================================================================== BUG: KASAN: use-after-free in strlen+0x79/0x90 lib/string.c:565 Read of size 1 at addr ffff88801f692de8 by task syz-executor.4/8372 CPU: 0 PID: 8372 Comm: syz-executor.4 Not tainted 5.11.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x9a/0xcc lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:396 [inline] kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 strlen+0x79/0x90 lib/string.c:565 strlen include/linux/string.h:322 [inline] nla_strcmp+0x18/0xe0 lib/nlattr.c:826 nft_table_lookup+0xaf/0x1b0 net/netfilter/nf_tables_api.c:520 nft_ctx_init_from_setattr net/netfilter/nf_tables_api.c:3613 [inline] nf_tables_getset+0x13a/0x660 net/netfilter/nf_tables_api.c:4028 nfnetlink_rcv_msg+0x424/0xc90 net/netfilter/nfnetlink.c:241 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2502 nfnetlink_rcv+0x143/0x340 net/netfilter/nfnetlink.c:600 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x70e/0xbe0 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:672 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2345 ___sys_sendmsg+0xd3/0x150 net/socket.c:2399 __sys_sendmsg+0xb2/0x140 net/socket.c:2432 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f0647d23188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665f9 RDX: 0000000000000000 RSI: 0000000020000d80 RDI: 0000000000000004 RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffd7620b60f R14: 00007f0647d23300 R15: 0000000000022000 Allocated by task 8372: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:401 [inline] ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 kmalloc include/linux/slab.h:557 [inline] nla_strdup+0x93/0x130 lib/nlattr.c:769 nf_tables_newtable+0x8b8/0x19f0 net/netfilter/nf_tables_api.c:1042 nfnetlink_rcv_batch+0x68c/0x2050 net/netfilter/nfnetlink.c:456 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline] nfnetlink_rcv+0x2bc/0x340 net/netfilter/nfnetlink.c:598 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x70e/0xbe0 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:672 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2345 ___sys_sendmsg+0xd3/0x150 net/socket.c:2399 __sys_sendmsg+0xb2/0x140 net/socket.c:2432 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 8361: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356 ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362 kasan_slab_free include/linux/kasan.h:192 [inline] slab_free_hook mm/slub.c:1547 [inline] slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580 slab_free mm/slub.c:3143 [inline] kfree+0xdb/0x3b0 mm/slub.c:4139 nf_tables_table_destroy+0xba/0x180 net/netfilter/nf_tables_api.c:1238 __nft_release_table+0xa04/0xe60 net/netfilter/nf_tables_api.c:9073 nft_rcv_nl_event+0x3ac/0x510 net/netfilter/nf_tables_api.c:9113 notifier_call_chain+0x94/0x170 kernel/notifier.c:83 blocking_notifier_call_chain kernel/notifier.c:337 [inline] blocking_notifier_call_chain+0x5d/0x80 kernel/notifier.c:325 netlink_release+0xa1f/0x17d0 net/netlink/af_netlink.c:783 __sock_release+0xbb/0x270 net/socket.c:597 sock_close+0xf/0x20 net/socket.c:1256 __fput+0x204/0x870 fs/file_table.c:280 task_work_run+0xc0/0x160 kernel/task_work.c:140 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:174 [inline] exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88801f692de8 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of 8-byte region [ffff88801f692de8, ffff88801f692df0) The buggy address belongs to the page: page:00000000cc8bfb2c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801f692820 pfn:0x1f692 flags: 0xfff00000000200(slab) raw: 00fff00000000200 ffffea0000574040 0000001800000018 ffff88800f441c80 raw: ffff88801f692820 000000008066005a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4059, ts 7815528972 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x144/0x1c0 mm/page_alloc.c:2297 prep_new_page mm/page_alloc.c:2306 [inline] get_page_from_freelist+0x1c6e/0x3f80 mm/page_alloc.c:3945 __alloc_pages_nodemask+0x2d6/0x730 mm/page_alloc.c:4995 alloc_pages include/linux/gfp.h:547 [inline] alloc_slab_page mm/slub.c:1618 [inline] allocate_slab+0x2b6/0x4a0 mm/slub.c:1758 new_slab mm/slub.c:1821 [inline] new_slab_objects mm/slub.c:2578 [inline] ___slab_alloc+0x476/0x790 mm/slub.c:2741 __slab_alloc.constprop.0+0x95/0xe0 mm/slub.c:2781 slab_alloc_node mm/slub.c:2857 [inline] slab_alloc mm/slub.c:2900 [inline] __kmalloc+0x34a/0x3e0 mm/slub.c:3981 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:682 [inline] lsm_cred_alloc security/security.c:534 [inline] security_prepare_creds+0xbf/0x140 security/security.c:1633 prepare_creds+0x3cc/0x590 kernel/cred.c:285 prepare_exec_creds+0x8/0x240 kernel/cred.c:304 prepare_bprm_creds fs/exec.c:1465 [inline] bprm_execve+0xba/0x1520 fs/exec.c:1794 kernel_execve+0x2c2/0x3e0 fs/exec.c:1969 call_usermodehelper_exec_async+0x2c1/0x500 kernel/umh.c:110 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1271 [inline] free_pcp_prepare+0x2cb/0x410 mm/page_alloc.c:1306 free_unref_page_prepare mm/page_alloc.c:3200 [inline] free_unref_page+0x12/0x1b0 mm/page_alloc.c:3248 __vunmap+0x59e/0x940 mm/vmalloc.c:2286 free_work+0x4b/0x70 mm/vmalloc.c:67 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 Memory state around the buggy address: ffff88801f692c80: 00 fc fc fc fc fb fc fc fc fc fa fc fc fc fc fa ffff88801f692d00: fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc >ffff88801f692d80: fc fc fc 00 fc fc fc fc 00 fc fc fc fc fa fc fc ^ ffff88801f692e00: fc fc fa fc fc fc fc fa fc fc fc fc fb fc fc fc ffff88801f692e80: fc fa fc fc fc fc fb fc fc fc fc fb fc fc fc fc ==================================================================