* [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6)
@ 2023-10-17 18:04 syzbot
2023-11-05 5:00 ` [syzbot] [PATCH] Test for 6465e260f487 syzbot
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: syzbot @ 2023-10-17 18:04 UTC (permalink / raw)
To: bpf, coreteam, davem, edumazet, fw, kadlec, kuba, linux-kernel,
netdev, netfilter-devel, pabeni, pablo, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 6465e260f487 Linux 6.6-rc3
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1376e3bc680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f218da680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=149ff8c6680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/563852357aa6/disk-6465e260.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/df22793fe953/vmlinux-6465e260.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84c2aad43ae3/bzImage-6465e260.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+de4025c006ec68ac56fc@syzkaller.appspotmail.com
------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 5062 at net/netfilter/core.c:517 __nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Modules linked in:
CPU: 1 PID: 5062 Comm: syz-executor417 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
RIP: 0010:__nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7a 04 00 00 8b 53 1c 48 c7 c7 c0 d4 a8 8b 8b 74 24 04 e8 b2 ce dc f8 <0f> 0b e9 ec 00 00 00 e8 46 a5 16 f9 48 89 e8 48 c1 e0 04 49 8d 7c
RSP: 0018:ffffc9000355f2b8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880218dde00 RCX: 0000000000000000
RDX: ffff888019aee000 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff92611690
R13: ffff888016fff020 R14: ffff888016fff000 R15: ffff8880218dde1c
FS: 00007f76ca1526c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f76ca1e86b8 CR3: 0000000020292000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:539
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f76ca192059
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f76ca152208 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f76ca21c3e8 RCX: 00007f76ca192059
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f76ca21c3e0 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000a00 R11: 0000000000000246 R12: 00007f76ca1e917c
R13: 0000000000000001 R14: 0000000000000008 R15: 0200000000000000
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [syzbot] [PATCH] Test for 6465e260f487
2023-10-17 18:04 [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6) syzbot
@ 2023-11-05 5:00 ` syzbot
2023-11-19 5:15 ` syzbot
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-11-05 5:00 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com
please test warn in __nf_unregister_net_hook
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..fc1b337aec8f 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -117,7 +117,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
orig_ops = nf_hook_entries_get_hook_ops(old);
for (i = 0; i < old_entries; i++) {
- if (orig_ops[i] != &dummy_ops)
+ if (!__kernel_text_address(orig_ops[i]) &&
+ orig_ops[i] != &dummy_ops)
alloc_entries++;
/* Restrict BPF hook type to force a unique priority, not
@@ -146,7 +147,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
i = 0;
nhooks = 0;
while (i < old_entries) {
- if (orig_ops[i] == &dummy_ops) {
+ if (__kernel_text_address(orig_ops[i]) ||
+ orig_ops[i] == &dummy_ops) {
++i;
continue;
}
@@ -263,10 +265,12 @@ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old,
new_ops = nf_hook_entries_get_hook_ops(new);
for (i = 0, j = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] == &dummy_ops)
+ if (IS_ERR_OR_NULL(orig_ops[i]) || orig_ops[i] == &dummy_ops)
continue;
new->hooks[j] = old->hooks[i];
new_ops[j] = (void *)orig_ops[i];
+ printk("new ents: %p, new uo h: %p, new ops: %p, %s\n",
+ new, new->hooks[j], new_ops[j], __func__);
j++;
}
hooks_validate(new);
@@ -479,6 +483,7 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
continue;
WRITE_ONCE(old->hooks[i].hook, accept_all);
WRITE_ONCE(orig_ops[i], (void *)&dummy_ops);
+ printk("ents: %p, deled ops: %p, i: %d, %s\n", old, orig_ops[i], i, __func__);
return true;
}
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [syzbot] [PATCH] Test for 6465e260f487
2023-10-17 18:04 [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6) syzbot
2023-11-05 5:00 ` [syzbot] [PATCH] Test for 6465e260f487 syzbot
@ 2023-11-19 5:15 ` syzbot
2023-11-19 10:32 ` syzbot
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-11-19 5:15 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com
please test warn in __nf_unregister_net_hook
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..58f2a5294453 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -113,6 +113,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
alloc_entries = 1;
old_entries = old ? old->num_hook_entries : 0;
+ mutex_lock(&nf_hook_mutex);
if (old) {
orig_ops = nf_hook_entries_get_hook_ops(old);
@@ -129,17 +130,23 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
* prevent defrag, conntrack, iptables etc from attaching).
*/
if (reg->priority == orig_ops[i]->priority &&
- reg->hook_ops_type == NF_HOOK_OP_BPF)
- return ERR_PTR(-EBUSY);
+ reg->hook_ops_type == NF_HOOK_OP_BPF) {
+ new = ERR_PTR(-EBUSY);
+ goto unlock;
+ }
}
}
- if (alloc_entries > MAX_HOOK_COUNT)
- return ERR_PTR(-E2BIG);
+ if (alloc_entries > MAX_HOOK_COUNT) {
+ new = ERR_PTR(-E2BIG);
+ goto unlock;
+ }
new = allocate_hook_entries_size(alloc_entries);
- if (!new)
- return ERR_PTR(-ENOMEM);
+ if (!new) {
+ new = ERR_PTR(-ENOMEM);
+ goto unlock;
+ }
new_ops = nf_hook_entries_get_hook_ops(new);
@@ -170,6 +177,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
new->hooks[nhooks].priv = reg->priv;
}
+unlock:
+ mutex_unlock(&nf_hook_mutex);
return new;
}
@@ -546,11 +555,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
{
struct nf_hook_entries *p;
+ mutex_lock(&nf_hook_mutex);
p = rcu_dereference_raw(*pp);
if (nf_remove_net_hook(p, reg)) {
p = __nf_hook_entries_try_shrink(p, pp);
nf_hook_entries_free(p);
}
+ mutex_unlock(&nf_hook_mutex);
}
EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw);
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [syzbot] [PATCH] Test for 6465e260f487
2023-10-17 18:04 [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6) syzbot
2023-11-05 5:00 ` [syzbot] [PATCH] Test for 6465e260f487 syzbot
2023-11-19 5:15 ` syzbot
@ 2023-11-19 10:32 ` syzbot
2023-11-20 3:07 ` syzbot
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-11-19 10:32 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com
please test warn in __nf_unregister_net_hook
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..58f2a5294453 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -546,11 +555,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
{
struct nf_hook_entries *p;
+ mutex_lock(&nf_hook_mutex);
p = rcu_dereference_raw(*pp);
if (nf_remove_net_hook(p, reg)) {
p = __nf_hook_entries_try_shrink(p, pp);
nf_hook_entries_free(p);
}
+ mutex_unlock(&nf_hook_mutex);
}
EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw);
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [syzbot] [PATCH] Test for 6465e260f487
2023-10-17 18:04 [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6) syzbot
` (2 preceding siblings ...)
2023-11-19 10:32 ` syzbot
@ 2023-11-20 3:07 ` syzbot
2023-11-20 10:56 ` syzbot
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-11-20 3:07 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com
please test warn in __nf_unregister_net_hook
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..bec4aeef6a82 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -200,8 +200,10 @@ int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp,
struct nf_hook_entries *new_hooks;
struct nf_hook_entries *p;
+ mutex_lock(&nf_hook_mutex);
p = rcu_dereference_raw(*pp);
new_hooks = nf_hook_entries_grow(p, reg);
+ mutex_unlock(&nf_hook_mutex);
if (IS_ERR(new_hooks))
return PTR_ERR(new_hooks);
@@ -546,11 +548,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
{
struct nf_hook_entries *p;
+ mutex_lock(&nf_hook_mutex);
p = rcu_dereference_raw(*pp);
if (nf_remove_net_hook(p, reg)) {
p = __nf_hook_entries_try_shrink(p, pp);
nf_hook_entries_free(p);
}
+ mutex_unlock(&nf_hook_mutex);
}
EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw);
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [syzbot] [PATCH] Test for 6465e260f487
2023-10-17 18:04 [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6) syzbot
` (3 preceding siblings ...)
2023-11-20 3:07 ` syzbot
@ 2023-11-20 10:56 ` syzbot
2024-02-17 12:38 ` [syzbot] WARNING in __nf_unregister_net_hook syzbot
2024-02-19 14:04 ` syzbot
6 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-11-20 10:56 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com
please test warn in __nf_unregister_net_hook
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 680fe557686e..246f381a8970 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -368,6 +368,9 @@ static int nf_tables_netdev_event(struct notifier_block *this,
event != NETDEV_CHANGENAME)
return NOTIFY_DONE;
+ if (!check_net(ctx.net))
+ return NOTIFY_DONE;
+
nft_net = nft_pernet(ctx.net);
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [syzbot] WARNING in __nf_unregister_net_hook
2023-10-17 18:04 [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6) syzbot
` (4 preceding siblings ...)
2023-11-20 10:56 ` syzbot
@ 2024-02-17 12:38 ` syzbot
2024-02-19 14:04 ` syzbot
6 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2024-02-17 12:38 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: WARNING in __nf_unregister_net_hook
Author: fw@strlen.de
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [syzbot] WARNING in __nf_unregister_net_hook
2023-10-17 18:04 [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6) syzbot
` (5 preceding siblings ...)
2024-02-17 12:38 ` [syzbot] WARNING in __nf_unregister_net_hook syzbot
@ 2024-02-19 14:04 ` syzbot
6 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2024-02-19 14:04 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: WARNING in __nf_unregister_net_hook
Author: fw@strlen.de
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/fwestphal/nf.git dormant-reset
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2024-02-19 14:04 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-17 18:04 [syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6) syzbot
2023-11-05 5:00 ` [syzbot] [PATCH] Test for 6465e260f487 syzbot
2023-11-19 5:15 ` syzbot
2023-11-19 10:32 ` syzbot
2023-11-20 3:07 ` syzbot
2023-11-20 10:56 ` syzbot
2024-02-17 12:38 ` [syzbot] WARNING in __nf_unregister_net_hook syzbot
2024-02-19 14:04 ` syzbot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.