selinux.vger.kernel.org archive mirror
* Kernel Panic while accessing avtab_search_node
       [not found] <90976d10374046f198e6777609554b23@quicinc.com>
@ 2022-11-22 11:18 ` Jaihind Yadav (QUIC)
  2022-11-22 18:23   ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Jaihind Yadav (QUIC) @ 2022-11-22 11:18 UTC (permalink / raw)
  To: selinux


Hi Selinux team,

We are getting a kernel panic due to an invalid memory access in avtab_search_node at line 231.

[  165.187593][T21313] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000081000000
[  165.265699][T22438] pc : avtab_search_node+0xe4/0x138
[  165.265710][T22438] lr : context_struct_compute_av+0x260/0x908
[  165.265715][T22438] sp : ffffffc0330a3920
[  165.265717][T22438] x29: ffffffc0330a3a20 x28: ffffff804097ea40 x27: 0000000000000360
[  165.265725][T22438] x26: ffffff803acab190 x25: ffffff803acab138 x24: ffffffc0330a3b60
[  165.265732][T22438] x23: ffffff804097ea40 x22: ffffffc0330a3b48 x21: 0000000000000361
[  165.265739][T22438] x20: 0000000000000360 x19: ffffff80409d3608 x18: ffffffc02ba1d070
[  165.265746][T22438] x17: 000000008f58b13b x16: 000000005bbbfbe1 x15: 00000000e6546b64
[  165.265753][T22438] x14: 000000001b873593 x13: 0000000058a5459e x12: 0000000000000061
[  165.265760][T22438] x11: 0000000000000707 x10: 0000000000000361 x9 : 0000000000000361
[  165.265767][T22438] x8 : 0000000000000002 x7 : 0000000000000000 x6 : ffffffc0330a39ac
[  165.265773][T22438] x5 : ffffffc0330a3b60 x4 : ffffffc0330a3b48 x3 : ffffffc0330a3b60
[  165.265780][T22438] x2 : ffffffc0330a3b48 x1 : ffffffc0330a3960 x0 : 0000000081000000
[  165.265787][T22438] Call trace:
[  165.265789][T22438]  avtab_search_node+0xe4/0x138
[  165.265793][T22438]  security_compute_av+0x18c/0x3f4
[  165.265798][T22438]  avc_compute_av+0x84/0xe4
[  165.265804][T22438]  avc_has_perm+0x188/0x1f4
[  165.265808][T22438]  selinux_task_alloc+0x48/0x58
[  165.265812][T22438]  security_task_alloc+0x84/0x150
[  165.265816][T22438]  copy_process+0x51c/0xe98
[  165.265823][T22438]  kernel_clone+0xb8/0x684
[  165.265827][T22438]  __arm64_sys_clone+0x5c/0x8c
[  165.265831][T22438]  invoke_syscall+0x60/0x150
[  165.265836][T22438]  el0_svc_common+0x98/0x114
[  165.265840][T22438]  do_el0_svc+0x28/0xa0
[  165.265843][T22438]  el0_svc+0x28/0x90
[  165.265848][T22438]  el0t_64_sync_handler+0x88/0xec
[  165.265852][T22438]  el0t_64_sync+0x1b4/0x1b8
[  165.265858][T22438] Code: f86bd980 b4000260 79400c2b 1200396b (7940000c) 
[  165.265862][T22438] ---[ end trace 78d0a75f861b1c77 ]---

The kernel panic occurs while accessing cur at line 231 of the code snippet below.

218 struct avtab_node *avtab_search_node(struct avtab *h,
219                                      const struct avtab_key *key)
220 {
221         int hvalue;
222         struct avtab_node *cur;
223         u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
224 
225         if (!h || !h->nslot)
226                 return NULL;
227 
228         hvalue = avtab_hash(key, h->mask);
229         for (cur = h->htable[hvalue]; cur;
230              cur = cur->next) {
231                 if (key->source_type == cur->key.source_type &&
232                     key->target_type == cur->key.target_type &&
233                     key->target_class == cur->key.target_class &&
234                     (specified & cur->key.specified))
235                         return cur;

In the above code the NULL checks are properly handled, so I suspect the hash table is being modified by another thread/process while this code is accessing it.

Can you please provide your expert opinion on what the issue could be here and how to fix it?

Thanks,
Jaihind Yadav

^ permalink raw reply	[flat|nested] 4+ messages in thread
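As an added triage aid that is not part of the thread (my own code, taken neither from the kernel sources nor from either participant): the Code: line of an arm64 oops prints the instruction words leading up to the fault, with the faulting one in parentheses. The decoder below handles two AArch64 encodings, LDR/LDRH/LDRB with an unsigned immediate offset and CBZ/CBNZ, and classifies an address as kernel half or user half. Fed the words and register values from the oops above, it reports 7940000c as ldrh w12, [x0] and b4000260 as cbz x0. That is consistent with the loop's NULL test on cur having run and the faulting load being the 16-bit cur->key.source_type at offset 0 (line 231), with cur == x0 == 0x0000000081000000. That value has bit 63 clear, so it is a user-half address, which is why the oops is reported as a kernel access to user memory outside uaccess routines: the pointer itself was garbage, and a NULL check cannot catch that. The mapping of registers to source variables is an inference from the encodings and the register dump, not something the thread states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded AArch64 LDR/LDRH/LDRB (immediate, unsigned offset) load. */
struct ldr_imm {
    bool valid;       /* false if the word is not such a load */
    unsigned width;   /* access width in bytes: 1, 2, 4 or 8 */
    unsigned rt;      /* destination register number */
    unsigned rn;      /* base register number (x<rn>) */
    uint64_t offset;  /* byte offset added to the base */
};

/* Decoded AArch64 CBZ/CBNZ compare-and-branch. */
struct cbz {
    bool valid;       /* false if the word is not CBZ/CBNZ */
    bool nonzero;     /* CBNZ when true, CBZ when false */
    bool is64;        /* tests x<rt> when true, w<rt> when false */
    unsigned rt;      /* tested register number */
    int64_t offset;   /* branch offset in bytes from this instruction */
};

/*
 * Encoding: size[31:30] 111[29:27] 0[26] 01[25:24] opc[23:22] imm12[21:10] Rn[9:5] Rt[4:0],
 * with opc == 01 for a zero-extending load; imm12 is scaled by the access width.
 */
struct ldr_imm decode_ldr_unsigned(uint32_t insn)
{
    struct ldr_imm d = {0};

    if (((insn >> 22) & 0xff) != 0xe5)   /* 111 0 01 01 */
        return d;
    d.valid = true;
    d.width = 1u << (insn >> 30);
    d.offset = (uint64_t)((insn >> 10) & 0xfff) * d.width;
    d.rn = (insn >> 5) & 0x1f;
    d.rt = insn & 0x1f;
    return d;
}

/* Encoding: sf[31] 011010[30:25] op[24] imm19[23:5] Rt[4:0]; imm19 is a signed word offset. */
struct cbz decode_cbz(uint32_t insn)
{
    struct cbz d = {0};

    if (((insn >> 25) & 0x3f) != 0x1a)
        return d;
    d.valid = true;
    d.is64 = (insn >> 31) != 0;
    d.nonzero = ((insn >> 24) & 1) != 0;
    /* move imm19 to the top of the word, then arithmetic-shift it back down to sign-extend */
    d.offset = (int64_t)((int32_t)(insn << 8) >> 13) * 4;
    d.rt = insn & 0x1f;
    return d;
}

/* arm64 kernel addresses live in the upper (TTBR1) half of the VA space: bit 63 set. */
bool is_arm64_kernel_va(uint64_t va)
{
    return (va >> 63) != 0;
}

/*
 * True when the faulting load's base register plus its encoded offset is the
 * fault address and that base value is not a kernel address: the pointer
 * variable itself held garbage, so a NULL check on it could not have helped.
 */
bool base_pointer_is_garbage(uint32_t insn, uint64_t base_value, uint64_t fault_addr)
{
    struct ldr_imm d = decode_ldr_unsigned(insn);

    return d.valid && base_value + d.offset == fault_addr && !is_arm64_kernel_va(base_value);
}

static void describe(uint32_t insn)
{
    struct ldr_imm l = decode_ldr_unsigned(insn);
    struct cbz c = decode_cbz(insn);

    if (l.valid)
        printf("%08x  ldr%s %c%u, [x%u, #%llu]\n", insn,
               l.width == 1 ? "b" : l.width == 2 ? "h" : "",
               l.width == 8 ? 'x' : 'w', l.rt, l.rn, (unsigned long long)l.offset);
    else if (c.valid)
        printf("%08x  cb%s %c%u, .%+lld\n", insn, c.nonzero ? "nz" : "z",
               c.is64 ? 'x' : 'w', c.rt, (long long)c.offset);
    else
        printf("%08x  (not an unsigned-offset load or cbz/cbnz)\n", insn);
}

int main(void)
{
    /* The five words from the oops' "Code:" line above; the last one is the faulting pc. */
    const uint32_t code[] = { 0xf86bd980, 0xb4000260, 0x79400c2b, 0x1200396b, 0x7940000c };
    const uint64_t x0 = 0x0000000081000000ULL, fault_addr = 0x0000000081000000ULL;

    for (unsigned i = 0; i < sizeof code / sizeof code[0]; i++)
        describe(code[i]);
    printf("x0 is %s kernel address; base pointer garbage: %s\n",
           is_arm64_kernel_va(x0) ? "a" : "not a",
           base_pointer_is_garbage(code[4], x0, fault_addr) ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall decode.c` and run it; the two words the decoder does not handle (a register-offset LDR and an AND immediate) are reported as such rather than guessed at. Note also that 79400c2b decodes to ldrh w11, [x1, #6], a halfword at offset 6 of the key pointer, which matches the u16 `specified` field being read from `key` just before the faulting load.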

* Re: Kernel Panic while accessing avtab_search_node
  2022-11-22 11:18 ` Kernel Panic while accessing avtab_search_node Jaihind Yadav (QUIC)
@ 2022-11-22 18:23   ` Paul Moore
  2022-11-23 12:52     ` Jaihind Yadav (QUIC)
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2022-11-22 18:23 UTC (permalink / raw)
  To: Jaihind Yadav (QUIC); +Cc: selinux

On Tue, Nov 22, 2022 at 6:22 AM Jaihind Yadav (QUIC)
<quic_jaihindy@quicinc.com> wrote:
> Hi Selinux team,
>
> We are getting a kernel panic due to an invalid memory access in avtab_search_node at line 231.
>
> [  165.187593][T21313] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000081000000
> [  165.265699][T22438] pc : avtab_search_node+0xe4/0x138
> [  165.265710][T22438] lr : context_struct_compute_av+0x260/0x908
> [  165.265715][T22438] sp : ffffffc0330a3920
> [  165.265717][T22438] x29: ffffffc0330a3a20 x28: ffffff804097ea40 x27: 0000000000000360
> [  165.265725][T22438] x26: ffffff803acab190 x25: ffffff803acab138 x24: ffffffc0330a3b60
> [  165.265732][T22438] x23: ffffff804097ea40 x22: ffffffc0330a3b48 x21: 0000000000000361
> [  165.265739][T22438] x20: 0000000000000360 x19: ffffff80409d3608 x18: ffffffc02ba1d070
> [  165.265746][T22438] x17: 000000008f58b13b x16: 000000005bbbfbe1 x15: 00000000e6546b64
> [  165.265753][T22438] x14: 000000001b873593 x13: 0000000058a5459e x12: 0000000000000061
> [  165.265760][T22438] x11: 0000000000000707 x10: 0000000000000361 x9 : 0000000000000361
> [  165.265767][T22438] x8 : 0000000000000002 x7 : 0000000000000000 x6 : ffffffc0330a39ac
> [  165.265773][T22438] x5 : ffffffc0330a3b60 x4 : ffffffc0330a3b48 x3 : ffffffc0330a3b60
> [  165.265780][T22438] x2 : ffffffc0330a3b48 x1 : ffffffc0330a3960 x0 : 0000000081000000
> [  165.265787][T22438] Call trace:
> [  165.265789][T22438]  avtab_search_node+0xe4/0x138
> [  165.265793][T22438]  security_compute_av+0x18c/0x3f4
> [  165.265798][T22438]  avc_compute_av+0x84/0xe4
> [  165.265804][T22438]  avc_has_perm+0x188/0x1f4
> [  165.265808][T22438]  selinux_task_alloc+0x48/0x58
> [  165.265812][T22438]  security_task_alloc+0x84/0x150
> [  165.265816][T22438]  copy_process+0x51c/0xe98
> [  165.265823][T22438]  kernel_clone+0xb8/0x684
> [  165.265827][T22438]  __arm64_sys_clone+0x5c/0x8c
> [  165.265831][T22438]  invoke_syscall+0x60/0x150
> [  165.265836][T22438]  el0_svc_common+0x98/0x114
> [  165.265840][T22438]  do_el0_svc+0x28/0xa0
> [  165.265843][T22438]  el0_svc+0x28/0x90
> [  165.265848][T22438]  el0t_64_sync_handler+0x88/0xec
> [  165.265852][T22438]  el0t_64_sync+0x1b4/0x1b8
> [  165.265858][T22438] Code: f86bd980 b4000260 79400c2b 1200396b (7940000c)
> [  165.265862][T22438] ---[ end trace 78d0a75f861b1c77 ]---
>
> The kernel panic occurs while accessing cur at line 231 of the code snippet below.
>
> 218 struct avtab_node *avtab_search_node(struct avtab *h,
> 219                                      const struct avtab_key *key)
> 220 {
> 221         int hvalue;
> 222         struct avtab_node *cur;
> 223         u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
> 224
> 225         if (!h || !h->nslot)
> 226                 return NULL;
> 227
> 228         hvalue = avtab_hash(key, h->mask);
> 229         for (cur = h->htable[hvalue]; cur;
> 230              cur = cur->next) {
> 231                 if (key->source_type == cur->key.source_type &&
> 232                     key->target_type == cur->key.target_type &&
> 233                     key->target_class == cur->key.target_class &&
> 234                     (specified & cur->key.specified))
> 235                         return cur;
>
> In the above code the NULL checks are properly handled, so I suspect the hash table is being modified by another thread/process while this code is accessing it.
>
> Can you please provide your expert opinion on what the issue could be here and how to fix it?

Hi Jaihind,

We need some additional information to help understand the problem.
What Linux distribution are you using?  What kernel are you using
(version number), and do you have any patches applied to that kernel?
What SELinux policy are you using?

-- 
paul-moore.com

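The following is an added example, not code from the thread or from the kernel: a userspace model of the avtab hash-chain walk quoted above. A small node arena stands in for the slab; a simple stand-in replaces avtab_hash() (the real function is a Murmur-style hash, and only the slot choice matters here); a u32 stands in for struct avtab_datum; and the flag values for AVTAB_ALLOWED, AVTAB_AUDITDENY, AVTAB_ENABLED and AVTAB_ENABLED_OLD are quoted from memory of avtab.h, so treat them as assumptions. avtab_search_node() is the loop from the snippet; avtab_search_node_checked() is the same loop with a plausibility check on every link before it is dereferenced. demo_corrupted_chain() builds two rules that share a slot, overwrites the head's next link with the x0 value from the oops, and shows that the NULL test in the loop condition passes the corrupt link straight through while the checked walk reports it. It does not show where such corruption comes from; that is what the reporter is asking.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as in security/selinux/ss/avtab.h (quoted from memory; an assumption). */
#define AVTAB_ALLOWED     0x0001
#define AVTAB_AUDITDENY   0x0004
#define AVTAB_ENABLED     0x8000
#define AVTAB_ENABLED_OLD 0x80000000
#define NSLOT    8                    /* power of two, so mask = NSLOT - 1 */
#define MAXNODES 32

struct avtab_key  { uint16_t source_type, target_type, target_class, specified; };
struct avtab_node { struct avtab_key key; uint32_t datum; struct avtab_node *next; };
struct avtab {
    struct avtab_node *htable[NSLOT];
    uint32_t nslot, mask;
    struct avtab_node pool[MAXNODES]; /* node arena, standing in for the slab */
    unsigned used;
};

/* Stand-in for the kernel's avtab_hash(); only the slot choice matters here. */
static int avtab_hash(const struct avtab_key *k, uint32_t mask)
{
    return (int)((((uint32_t)k->source_type * 31u + k->target_type) * 31u + k->target_class) & mask);
}

static bool key_match(const struct avtab_key *key, uint16_t specified, const struct avtab_node *cur)
{
    return key->source_type == cur->key.source_type &&
           key->target_type == cur->key.target_type &&
           key->target_class == cur->key.target_class &&
           (specified & cur->key.specified);
}

/* The walk as in the quoted avtab_search_node(): only a NULL link ends it. */
struct avtab_node *avtab_search_node(struct avtab *h, const struct avtab_key *key)
{
    uint16_t specified = key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
    struct avtab_node *cur;

    if (!h || !h->nslot)
        return NULL;
    for (cur = h->htable[avtab_hash(key, h->mask)]; cur; cur = cur->next)
        if (key_match(key, specified, cur))
            return cur;
    return NULL;
}

/*
 * Same walk, but a non-NULL link is dereferenced only if it lies inside this
 * table's arena (a userspace stand-in for "is this a plausible slab pointer?").
 * Returns 0 with *out set or NULL, or -1 on a link the table never created,
 * which the loop's NULL test would have passed straight through.
 */
int avtab_search_node_checked(struct avtab *h, const struct avtab_key *key, struct avtab_node **out)
{
    uint16_t specified = key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
    struct avtab_node *cur;

    *out = NULL;
    if (!h || !h->nslot)
        return 0;
    for (cur = h->htable[avtab_hash(key, h->mask)]; cur; cur = cur->next) {
        uintptr_t a = (uintptr_t)cur;
        if (a < (uintptr_t)h->pool || a >= (uintptr_t)(h->pool + h->used))
            return -1;
        if (key_match(key, specified, cur)) {
            *out = cur;
            return 0;
        }
    }
    return 0;
}

static void avtab_insert(struct avtab *h, struct avtab_key key, uint32_t datum)
{
    struct avtab_node *n = &h->pool[h->used++];
    int slot = avtab_hash(&key, h->mask);

    n->key = key;
    n->datum = datum;
    n->next = h->htable[slot];        /* head insertion; chain order is irrelevant here */
    h->htable[slot] = n;
}

/*
 * Two constructed rules sharing a slot; then the head's next link is overwritten
 * with the value the oops shows in x0 (0x81000000). Returns -1 when the plain
 * walk first finds both rules and misses a key whose 'specified' bits do not
 * overlap, and the checked walk afterwards still finds the head but reports the
 * rule behind the bad link as unreachable; otherwise the failing step number.
 * avtab_search_node() is not called on K_BEHIND after the corruption because it
 * would dereference 0x81000000, which is exactly what the oops shows.
 */
int demo_corrupted_chain(void)
{
    static const struct avtab_key K_HEAD   = { 1, 2, 11, AVTAB_ALLOWED };
    static const struct avtab_key K_BEHIND = { 1, 2,  3, AVTAB_ALLOWED };
    static const struct avtab_key K_DENY   = { 1, 2, 11, AVTAB_AUDITDENY }; /* types match, bits do not */
    struct avtab h = { .nslot = NSLOT, .mask = NSLOT - 1 };
    struct avtab_node *n;

    avtab_insert(&h, K_BEHIND, 1);    /* inserted first, so it ends up second in the chain */
    avtab_insert(&h, K_HEAD, 2);
    if (!(n = avtab_search_node(&h, &K_HEAD)) || n->datum != 2)
        return 1;
    if (!(n = avtab_search_node(&h, &K_BEHIND)) || n->datum != 1)
        return 2;
    if (avtab_search_node(&h, &K_DENY))
        return 3;
    h.htable[avtab_hash(&K_HEAD, h.mask)]->next = (struct avtab_node *)(uintptr_t)0x81000000u;
    if (avtab_search_node_checked(&h, &K_HEAD, &n) != 0 || n == NULL)
        return 4;
    return avtab_search_node_checked(&h, &K_BEHIND, &n);   /* -1: corruption reported */
}

int main(void)
{
    printf("checked walk on the corrupted chain returned %d\n", demo_corrupted_chain());
    return 0;
}
```

The arena check is the cheapest possible plausibility test and is not what the kernel does; in a real kernel the equivalent questions are whether the pointer is a kernel-half address at all (here it is not) and, with KASAN or slab debugging enabled, whether the object it points into is live. The example's point is narrower: the `cur` test in the loop condition is a NULL check, and a chain link overwritten with a non-NULL value sails past it, so a missing NULL check is not the explanation for the trace.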

* RE: Kernel Panic while accessing avtab_search_node
  2022-11-22 18:23   ` Paul Moore
@ 2022-11-23 12:52     ` Jaihind Yadav (QUIC)
  2022-11-23 17:21       ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Jaihind Yadav (QUIC) @ 2022-11-23 12:52 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Hi Paul Moore Sir,

Thanks for the quick response.
Please find the additional information below.
We are using the 5.15 kernel in Android T.
We have not applied any additional patches to the kernel.

I am replying on the same thread again because in that email I attached images of the call stack frame with locals, to explain the issue better after loading the dump in t32,
but they were converted to base32 due to the plain-text format, which made them unreadable. Sorry for the inconvenience caused.

Please let me know if more information is needed.

Thanks,
Jaihind Yadav



* Re: Kernel Panic while accessing avtab_search_node
  2022-11-23 12:52     ` Jaihind Yadav (QUIC)
@ 2022-11-23 17:21       ` Paul Moore
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2022-11-23 17:21 UTC (permalink / raw)
  To: Jaihind Yadav (QUIC); +Cc: selinux

On Wed, Nov 23, 2022 at 7:52 AM Jaihind Yadav (QUIC)
<quic_jaihindy@quicinc.com> wrote:
> Hi Paul Moore Sir,
>
> Thanks for the quick response.
> Please find the additional information below.
> We are using the 5.15 kernel in Android T.
> We have not applied any additional patches to the kernel.
>
> I am replying on the same thread again because in that email I attached images of the call stack frame with locals, to explain the issue better after loading the dump in t32,
> but they were converted to base32 due to the plain-text format, which made them unreadable. Sorry for the inconvenience caused.
>
> Please let me know if more information is needed.

Hi Jaihind,

Thanks for the additional information.  Unfortunately Android has been
known to carry a large number of kernel patches in their kernels so I
would suggest contacting the Android team for additional help on
resolving this issue.  If you can reproduce this problem with a plain
upstream kernel we may be able to help, but I don't recall seeing
anything similar in any of our upstream kernel use/testing.

Good luck,
-Paul


-- 
paul-moore.com
