[syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6)


syzbot
Oct 17, 2023, 2:05:00 PM
to b...@vger.kernel.org, core...@netfilter.org, da...@davemloft.net, edum...@google.com, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pab...@redhat.com, pa...@netfilter.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6465e260f487 Linux 6.6-rc3
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1376e3bc680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f218da680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=149ff8c6680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/563852357aa6/disk-6465e260.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/df22793fe953/vmlinux-6465e260.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84c2aad43ae3/bzImage-6465e260.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+de4025...@syzkaller.appspotmail.com

------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 5062 at net/netfilter/core.c:517 __nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Modules linked in:
CPU: 1 PID: 5062 Comm: syz-executor417 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
RIP: 0010:__nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7a 04 00 00 8b 53 1c 48 c7 c7 c0 d4 a8 8b 8b 74 24 04 e8 b2 ce dc f8 <0f> 0b e9 ec 00 00 00 e8 46 a5 16 f9 48 89 e8 48 c1 e0 04 49 8d 7c
RSP: 0018:ffffc9000355f2b8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880218dde00 RCX: 0000000000000000
RDX: ffff888019aee000 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff92611690
R13: ffff888016fff020 R14: ffff888016fff000 R15: ffff8880218dde1c
FS: 00007f76ca1526c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f76ca1e86b8 CR3: 0000000020292000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:539
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f76ca192059
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f76ca152208 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f76ca21c3e8 RCX: 00007f76ca192059
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f76ca21c3e0 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000a00 R11: 0000000000000246 R12: 00007f76ca1e917c
R13: 0000000000000001 R14: 0000000000000008 R15: 0200000000000000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward AD
Oct 18, 2023, 11:13:56 PM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ef4e76e5aef9..edf69d52675b 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -473,10 +473,13 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
struct nf_hook_ops **orig_ops;
unsigned int i;

+ printk("%p, %p, %s\n", old, unreg, __func__);
orig_ops = nf_hook_entries_get_hook_ops(old);
for (i = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] != unreg)
+ if (orig_ops[i] != unreg) {
+ printk("%p, %d\n", orig_ops[i], i, __func__);
continue;
+ }
WRITE_ONCE(old->hooks[i].hook, accept_all);
WRITE_ONCE(orig_ops[i], (void *)&dummy_ops);
return true;
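Review bot: the second added printk, `printk("%p, %d\n", orig_ops[i], i, __func__);`, passes three arguments to a format with two conversions, so `__func__` is never printed (the test output that follows shows bare `<pointer>, <index>` pairs); use `"%p, %d, %s\n"` to match. Both new calls also use bare `printk()` with no log level; `pr_info()` (or `pr_debug()`) is the conventional form even for a throwaway probe, and tagging each line with the function name is what makes the output attributable once several hunks print pointers.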

syzbot
Oct 18, 2023, 11:29:32 PM
to syzkall...@googlegroups.com, twuu...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

ffff888029fad628, 0
ffff88802ac4fe00, 1
ffff8880799b8400, 2
ffff888061009178, 3
ffffffff8b259880, 4
ffffffff8ba945b8, 5
------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 5735 at net/netfilter/core.c:520 __nf_unregister_net_hook+0x4d2/0x570 net/netfilter/core.c:520
Modules linked in:
CPU: 1 PID: 5735 Comm: syz-executor.2 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__nf_unregister_net_hook+0x4d2/0x570 net/netfilter/core.c:520
Code: 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 8b 53 1c 89 ee 48 c7 c7 40 d5 a8 8b e8 2e ca dc f8 <0f> 0b e9 53 fc ff ff e8 62 90 6b f9 e9 58 fb ff ff 4c 89 e7 e8 55
RSP: 0018:ffffc9000351f2c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88801c5d2600 RCX: 0000000000000000
RDX: ffff8880293bc1c0 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888028beb210
R13: ffff888028bea0c0 R14: ffff88801c5d261c R15: ffff88807ae9fe00
FS: 00007f310c1796c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdee0973ff8 CR3: 000000001f6dc000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:542
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f310b47cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f310c1790c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f310b59bf80 RCX: 00007f310b47cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f310b4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f310b59bf80 R15: 00007fff348bc838
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1014e1d5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=142baab1680000

Edward AD
Oct 19, 2023, 2:37:36 AM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ef4e76e5aef9..393c2c432916 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -473,10 +473,13 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
struct nf_hook_ops **orig_ops;
unsigned int i;

+ printk("%d, %p, %p, %s, %d\n", IS_ERR(old), old, unreg, old->num_hook_entries, __func__);
orig_ops = nf_hook_entries_get_hook_ops(old);
for (i = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] != unreg)
+ if (orig_ops[i] != unreg) {
+ printk("%p, %d, %s\n", orig_ops[i], i, __func__);
continue;
+ }
WRITE_ONCE(old->hooks[i].hook, accept_all);
WRITE_ONCE(orig_ops[i], (void *)&dummy_ops);
return true;
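Review bot: the first added printk's arguments are out of order relative to its format: `"%d, %p, %p, %s, %d\n"` pairs `%s` with `old->num_hook_entries` and `%d` with `__func__`, so the count is treated as a string pointer and the function name as an integer. Swap to `"%d, %p, %p, %d, %s\n"`. Independently, `IS_ERR(old)` and `old->num_hook_entries` are evaluated in the same call, so `old` is dereferenced regardless of the IS_ERR result and the check cannot report anything the dereference would not already have exposed.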
@@ -514,6 +517,8 @@ static void __nf_unregister_net_hook(struct net *net, int pf,
#endif
nf_static_key_dec(reg, pf);
} else {
+ if (IS_ERR(p))
+ return;
WARN_ONCE(1, "hook not found, pf %d num %d", pf, reg->hooknum);
}
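Review bot: the `if (IS_ERR(p)) return;` placed in the else branch just before `WARN_ONCE()` hides the "hook not found" report rather than explaining it, and it changes control flow: today that branch falls through to whatever follows the if/else, and a bare `return` from this point skips it. If the hypothesis is that `p` can be an error pointer, the test belongs where `p` is obtained, ahead of the lookup whose negative result this branch handles; by the time this else branch runs, `p` has already been used.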

syzbot
Oct 19, 2023, 2:53:33 AM
to syzkall...@googlegroups.com, twuu...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

ffffffff8ba945b8, 5, nf_remove_net_hook
------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 5713 at net/netfilter/core.c:522 __nf_unregister_net_hook+0x4f3/0x590 net/netfilter/core.c:522
Modules linked in:
CPU: 1 PID: 5713 Comm: syz-executor.1 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__nf_unregister_net_hook+0x4f3/0x590 net/netfilter/core.c:522
Code: 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 8b 53 1c 89 ee 48 c7 c7 40 d5 a8 8b e8 bd c9 dc f8 <0f> 0b e9 53 fc ff ff e8 f1 8f 6b f9 e9 37 fb ff ff 4c 89 e7 e8 e4
RSP: 0018:ffffc900035ef2c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888077498200 RCX: 0000000000000000
RDX: ffff88801cd741c0 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888076fb5310
R13: ffff888076fb41c0 R14: ffff88807749821c R15: ffff88801c3b0a00
FS: 00007f0b2d6bf6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb117b75198 CR3: 000000006182f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:544
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0b2c87cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0b2d6bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f0b2c99bf80 RCX: 00007f0b2c87cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f0b2c8c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f0b2c99bf80 R15: 00007fff31f94f98
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17f23775680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15b37113680000

Edward AD
Oct 19, 2023, 3:05:06 AM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ef4e76e5aef9..1357ae9e3272 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -473,10 +473,13 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
struct nf_hook_ops **orig_ops;
unsigned int i;

+ printk("%d, %p, %p, %d, %s\n", IS_ERR(old), old, unreg, old->num_hook_entries, __func__);
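Review bot: in the added `printk()`, `IS_ERR(old)` and `old->num_hook_entries` are arguments of the same call, so `old` is dereferenced before its IS_ERR status is even printed; if the question is whether `old` can be an ERR_PTR, test it first and skip the dereference in that case. The conversions now match the argument order (`%d` for the count, `%s` for `__func__`), which fixes the swap in the previous revision.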

syzbot
Oct 19, 2023, 3:29:30 AM
to syzkall...@googlegroups.com, twuu...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

ffff88807db88a00, 1, nf_remove_net_hook
ffff88807db88800, 2, nf_remove_net_hook
ffff88802afb6878, 3, nf_remove_net_hook
ffffffff8b259880, 4, nf_remove_net_hook
ffffffff8ba945b8, 5, nf_remove_net_hook
------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 5681 at net/netfilter/core.c:522 __nf_unregister_net_hook+0x4f3/0x590 net/netfilter/core.c:522
Modules linked in:
CPU: 1 PID: 5681 Comm: syz-executor.2 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__nf_unregister_net_hook+0x4f3/0x590 net/netfilter/core.c:522
Code: 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 8b 53 1c 89 ee 48 c7 c7 40 d5 a8 8b e8 bd c9 dc f8 <0f> 0b e9 53 fc ff ff e8 f1 8f 6b f9 e9 37 fb ff ff 4c 89 e7 e8 e4
RSP: 0018:ffffc9000370f2c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88802a5b9e00 RCX: 0000000000000000
RDX: ffff88807a714040 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888076321250
R13: ffff888076320100 R14: ffff88802a5b9e1c R15: ffff88801f7c6e00
FS: 00007f467d1fc6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9092828ff8 CR3: 00000000650fa000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:544
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f467c47cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f467d1fc0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f467c59bf80 RCX: 00007f467c47cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f467c4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f467c59bf80 R15: 00007ffc76a36548
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10f10dc5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1720ef29680000

Edward AD
Oct 20, 2023, 10:28:36 PM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ef4e76e5aef9..f61233ad6ef5 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -279,6 +279,14 @@ static struct nf_hook_entries __rcu **
nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum,
struct net_device *dev)
{
+ printk("%d, %d, %d, %d, %d, %d, %d, %d, %s\n", pf,
+ ARRAY_SIZE(net->nf.hooks_arp),
+ ARRAY_SIZE(net->nf.hooks_bridge),
+ NF_INET_INGRESS,
+ ARRAY_SIZE(net->nf.hooks_ipv4),
+ ARRAY_SIZE(net->nf.hooks_ipv6),
+ NF_NETDEV_EGRESS,
+ hooknum, __func__);
switch (pf) {
case NFPROTO_NETDEV:
break;
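Review bot: the `%d` conversions do not match the `ARRAY_SIZE()` arguments, which are `size_t`; use `%zu` (or cast), otherwise format checking warns on each of the six values. Those sizes and `NF_INET_INGRESS`/`NF_NETDEV_EGRESS` are constants, so only `pf` and `hooknum` vary between calls, yet the line is emitted on every nf_hook_entry_head() call; printing the two variables only for the case named in the warning (`pf 2 num 1`) would keep the log readable.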
@@ -473,10 +481,13 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
struct nf_hook_ops **orig_ops;
unsigned int i;

+ printk("%d, %p, %p, %d, %s\n", IS_ERR(old), old, unreg, old->num_hook_entries, __func__);
orig_ops = nf_hook_entries_get_hook_ops(old);
for (i = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] != unreg)
+ if (orig_ops[i] != unreg) {
+ printk("%p, %d, %s\n", orig_ops[i], i, __func__);
continue;
+ }
WRITE_ONCE(old->hooks[i].hook, accept_all);
WRITE_ONCE(orig_ops[i], (void *)&dummy_ops);
return true;
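Review bot: as in the earlier revision, `old->num_hook_entries` is dereferenced in the same `printk()` that reports `IS_ERR(old)`, so the probe cannot survive the condition it is meant to detect; test `IS_ERR(old)` before the print. For the per-entry line inside the loop, printing `orig_ops[i]->hooknum` next to the pointer (the same `hooknum` field the warning reports via `reg->hooknum`) would show directly whether `unreg` is being searched for in a list belonging to a different hook number, which the bare pointer comparison cannot.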
@@ -514,6 +525,8 @@ static void __nf_unregister_net_hook(struct net *net, int pf,

syzbot
Oct 20, 2023, 10:42:28 PM
to syzkall...@googlegroups.com, twuu...@gmail.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc000aa8910 0xc000aa8a00 0xc000aa8aa0] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}.



syzkaller build log:

Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1362b289680000

Edward AD
Oct 20, 2023, 10:48:10 PM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward AD <twuu...@gmail.com>

syzbot
Oct 20, 2023, 11:16:32 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 5771 at net/netfilter/core.c:530 __nf_unregister_net_hook+0x4f3/0x590 net/netfilter/core.c:530
Modules linked in:
CPU: 1 PID: 5771 Comm: syz-executor.5 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__nf_unregister_net_hook+0x4f3/0x590 net/netfilter/core.c:530
Code: 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 8b 53 1c 89 ee 48 c7 c7 a0 d5 a8 8b e8 7d c9 dc f8 <0f> 0b e9 53 fc ff ff e8 b1 8f 6b f9 e9 37 fb ff ff 4c 89 e7 e8 a4
RSP: 0018:ffffc900033ef2c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88806075e400 RCX: 0000000000000000
RDX: ffff888078de2100 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 205d313737355420 R12: ffff88807b1ab290
R13: ffff88807b1aa140 R14: ffff88806075e41c R15: ffff888029023800
FS: 00007f2991fe76c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556dbe413300 CR3: 0000000061e3e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:552
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f299127cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2991fe70c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f299139c050 RCX: 00007f299127cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f29912c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f299139c050 R15: 00007ffd9299d328
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=134b17d5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=176fbacd680000

Edward AD
Oct 21, 2023, 9:14:46 AM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ef4e76e5aef9..6c53221a1922 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -59,8 +59,10 @@ static struct nf_hook_entries *allocate_hook_entries_size(u16 num)
return NULL;

e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT);
- if (e)
+ if (e) {
+ printk("%p, %d, %s\n", e, num, __func__);
e->num_hook_entries = num;
+ }
return e;
}
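Review bot: the added `printk("%p, %d, %s\n", e, num, __func__);` fires for every hook-table allocation in the system, not only the table under investigation, and `%p` prints a hashed value unless pointer hashing is disabled on the kernel command line, so `e` may not be comparable with the addresses printed by the other hunks; for a debug-only patch use `%px` and, ideally, gate the print on the `num` of interest.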

@@ -151,6 +153,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
continue;
}

+ printk("%p, %s\n", orig_ops[i], __func__);
if (inserted || reg->priority > orig_ops[i]->priority) {
new_ops[nhooks] = (void *)orig_ops[i];
new->hooks[nhooks] = old->hooks[i];
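Review bot: the print emits `orig_ops[i]` but not the values the next line decides on; since the branch tests `reg->priority > orig_ops[i]->priority`, print `reg`, `reg->priority` and `orig_ops[i]->priority` as well, otherwise the trace cannot tell a copied entry from one skipped by the `continue` above it. As elsewhere in the series, prefer `pr_info()` with a log level over bare `printk()`.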
@@ -279,6 +282,14 @@ static struct nf_hook_entries __rcu **
nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum,
struct net_device *dev)
{
+ printk("%d, %d, %d, %d, %d, %d, %d, %d, %s\n", pf,
+ ARRAY_SIZE(net->nf.hooks_arp),
+ ARRAY_SIZE(net->nf.hooks_bridge),
+ NF_INET_INGRESS,
+ ARRAY_SIZE(net->nf.hooks_ipv4),
+ ARRAY_SIZE(net->nf.hooks_ipv6),
+ NF_NETDEV_EGRESS,
+ hooknum, __func__);
switch (pf) {
case NFPROTO_NETDEV:
break;
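Review bot: this nf_hook_entry_head() probe is unchanged from the previous revision, including the `%d` conversions for the `size_t` results of `ARRAY_SIZE()` (`%zu` is the matching conversion); since the six sizes and two enum constants never change between calls, guarding the print with `if (pf == 2 && hooknum == 1)` (the values from the warning) and printing only `pf` and `hooknum` would cut the noise without losing information.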
@@ -473,10 +484,13 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,

syzbot
Oct 21, 2023, 1:04:33 PM
to syzkall...@googlegroups.com, twuu...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 0 PID: 5960 at net/netfilter/core.c:531 __nf_unregister_net_hook+0x4d2/0x570 net/netfilter/core.c:531
Modules linked in:
CPU: 0 PID: 5960 Comm: syz-executor.2 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__nf_unregister_net_hook+0x4d2/0x570 net/netfilter/core.c:531
Code: 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 8b 53 1c 89 ee 48 c7 c7 e0 d5 a8 8b e8 ce c7 dc f8 <0f> 0b e9 53 fc ff ff e8 02 8e 6b f9 e9 58 fb ff ff 4c 89 e7 e8 f5
RSP: 0018:ffffc90003edf2c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888062297600 RCX: 0000000000000000
RDX: ffff88807b2e6140 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 205d363639355420 R12: ffff88802a4dd2d0
R13: ffff88802a4dc180 R14: ffff88806229761c R15: ffff88801fa45500
FS: 00007fb0207fe6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0c05dddd58 CR3: 000000006653c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:553
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb02147cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb0207fe0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fb02159c050 RCX: 00007fb02147cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007fb0214c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fb02159c050 R15: 00007ffdb4e08dd8
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=169ab605680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11865469680000

Edward AD

Oct 22, 2023, 12:50:43 AM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward AD <twuu...@gmail.com>

please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ef4e76e5aef9..fb5a8ab56d19 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -59,8 +59,10 @@ static struct nf_hook_entries *allocate_hook_entries_size(u16 num)
return NULL;

e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT);
- if (e)
+ if (e) {
+ printk("%p, %d, %s\n", e, num, __func__);
e->num_hook_entries = num;
+ }
return e;
}

@@ -151,6 +153,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
continue;
}

+ printk("%p, %s\n", orig_ops[i], __func__);
if (inserted || reg->priority > orig_ops[i]->priority) {
new_ops[nhooks] = (void *)orig_ops[i];
new->hooks[nhooks] = old->hooks[i];
@@ -261,12 +264,14 @@ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old,
if (!new)
return NULL;

+ printk("old ents: %p, new ents: %p, %s\n", old, new, __func__);
new_ops = nf_hook_entries_get_hook_ops(new);
for (i = 0, j = 0; i < old->num_hook_entries; i++) {
if (orig_ops[i] == &dummy_ops)
continue;
new->hooks[j] = old->hooks[i];
new_ops[j] = (void *)orig_ops[i];
+ printk("new ents: %p, new use old hooks: %p, new ops:%p, %s\n",new, new->hooks[j], new_ops[j], __func__);
j++;
}
hooks_validate(new);
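Review bot: style nit in the printk inside the copy loop: there is no space after the comma before "new", and "new" is already printed on the line just above the loop, so repeating it per entry only adds noise; printing i and j next to the copied ops pointer would be more useful for matching up the old and new arrays.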
@@ -279,6 +284,9 @@ static struct nf_hook_entries __rcu **
nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum,
struct net_device *dev)
{
+ printk("pf: %d, ipv4 size: %d, hooknum: %d, %s\n", pf,
+ ARRAY_SIZE(net->nf.hooks_ipv4),
+ hooknum, __func__);
switch (pf) {
case NFPROTO_NETDEV:
break;
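Review bot: ARRAY_SIZE(net->nf.hooks_ipv4) is a size_t but is printed with %d here; use %zu to avoid the format warning and a mis-typed vararg.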
@@ -473,12 +481,16 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
struct nf_hook_ops **orig_ops;
unsigned int i;

+ printk("ents: %p, del ops: %p, num: %d, %s\n", old, unreg, old->num_hook_entries, __func__);
orig_ops = nf_hook_entries_get_hook_ops(old);
for (i = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] != unreg)
+ if (orig_ops[i] != unreg) {
+ printk("%p, %d, %s\n", orig_ops[i], i, __func__);
continue;
+ }
WRITE_ONCE(old->hooks[i].hook, accept_all);
WRITE_ONCE(orig_ops[i], (void *)&dummy_ops);
+ printk("ents: %p, del ops: %p, i: %d, %s\n", old, orig_ops[i], i, __func__);
return true;
}

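Review bot: the second added printk reads orig_ops[i] after the WRITE_ONCE() that has just replaced it with &dummy_ops, so "del ops" will always print the dummy_ops address and never the hook being removed; print unreg instead, which is the pointer you want to match against the "ents"/"del ops" line at the top of the function. The print in the non-matching branch fires once per surviving entry on every unregister; that is what produces the "<ptr>, <i>, nf_remove_net_hook" lines in the test output below, and it says nothing about why the final match fails.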
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a72b6aeefb1b..a5fb9b1de917 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10001,6 +10001,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
nft_chain_del(trans->ctx.chain);
nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
NULL);
+ printk("destroy chain %p, %s\n", &trans->ctx.chain, __func__);
nf_tables_unregister_hook(trans->ctx.net,
trans->ctx.table,
trans->ctx.chain);
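Review bot: &trans->ctx.chain is the address of the chain pointer stored inside the transaction context, not the chain object, so the printed value cannot be correlated with anything printed from core.c; use trans->ctx.chain. The message is also misleading: this point is before nf_tables_unregister_hook(), so "unregister hook for chain" describes it better than "destroy chain".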

syzbot

Oct 22, 2023, 2:17:34 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

ffff8880682f8828, 0, nf_remove_net_hook
ffff88801c3a0e00, 1, nf_remove_net_hook
ffff888075188600, 2, nf_remove_net_hook
ffff88801cc74278, 3, nf_remove_net_hook
ffffffff8b259880, 4, nf_remove_net_hook
ffffffff8ba94878, 5, nf_remove_net_hook
------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 6037 at net/netfilter/core.c:529 __nf_unregister_net_hook+0x4d2/0x570 net/netfilter/core.c:529
Modules linked in:
CPU: 1 PID: 6037 Comm: syz-executor.3 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__nf_unregister_net_hook+0x4d2/0x570 net/netfilter/core.c:529
Code: 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 8b 53 1c 89 ee 48 c7 c7 00 d7 a8 8b e8 0e c7 dc f8 <0f> 0b e9 53 fc ff ff e8 42 8d 6b f9 e9 58 fb ff ff 4c 89 e7 e8 35
RSP: 0018:ffffc90003f9f2c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888079a06000 RCX: 0000000000000000
RDX: ffff88807e23a1c0 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8880285f1210
R13: ffff8880285f00c0 R14: ffff888079a0601c R15: ffff888021540e00
FS: 00007f3f2bfdd6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2f79527ff8 CR3: 0000000027345000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:551
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x4125/0x5a00 net/netfilter/nf_tables_api.c:9993
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3f2cc7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3f2bfdd0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f3f2cd9c050 RCX: 00007f3f2cc7cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f3f2ccc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f3f2cd9c050 R15: 00007ffe4c8dcf48
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14d4576d680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=171b465d680000

Edward AD

Oct 22, 2023, 10:33:02 PM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward AD <twuu...@gmail.com>

please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ef4e76e5aef9..e5415ba18652 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -59,8 +59,10 @@ static struct nf_hook_entries *allocate_hook_entries_size(u16 num)
return NULL;

e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT);
- if (e)
+ if (e) {
+ printk("%p, %d, %s\n", e, num, __func__);
e->num_hook_entries = num;
+ }
return e;
}

@@ -117,7 +119,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
orig_ops = nf_hook_entries_get_hook_ops(old);

for (i = 0; i < old_entries; i++) {
- if (orig_ops[i] != &dummy_ops)
+ if (orig_ops[i] && orig_ops[i] != &dummy_ops)
alloc_entries++;

/* Restrict BPF hook type to force a unique priority, not
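Review bot: the NULL guard added to the alloc_entries count does not cover the priority comparison a few lines further down in the same loop (the reg->priority == orig_ops[i]->priority test behind the "Restrict BPF hook type" comment) or the reg->priority > orig_ops[i]->priority test in the next hunk, so a NULL orig_ops[i] would still be dereferenced right after being counted as absent. If NULL entries can occur in a live nf_hook_entries array, that is the bug to find: the array is allocated with exactly num_hook_entries slots and this function fills every one of them, so a NULL there means something else wrote to the array.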
@@ -151,6 +153,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
continue;
}

+ printk("n %p, o %p, %p, %s\n", new, old, orig_ops[i], __func__);
if (inserted || reg->priority > orig_ops[i]->priority) {
new_ops[nhooks] = (void *)orig_ops[i];
new->hooks[nhooks] = old->hooks[i];
@@ -201,6 +204,7 @@ int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp,
struct nf_hook_entries *p;

p = rcu_dereference_raw(*pp);
+ printk("%p, %s\n",p, __func__);
new_hooks = nf_hook_entries_grow(p, reg);
if (IS_ERR(new_hooks))
return PTR_ERR(new_hooks);
@@ -244,7 +248,7 @@ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old,

orig_ops = nf_hook_entries_get_hook_ops(old);
for (i = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] == &dummy_ops)
+ if (!orig_ops[i] || orig_ops[i] == &dummy_ops)
skip++;
}

@@ -261,12 +265,15 @@ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old,
if (!new)
return NULL;

+ printk("old ents: %p, new ents: %p, %s\n", old, new, __func__);
new_ops = nf_hook_entries_get_hook_ops(new);
for (i = 0, j = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] == &dummy_ops)
+ if (!orig_ops[i] || orig_ops[i] == &dummy_ops)
continue;
new->hooks[j] = old->hooks[i];
new_ops[j] = (void *)orig_ops[i];
+ printk("new ents: %p, new uo h: %p, new ops: %p, %s\n",
+ new, new->hooks[j], new_ops[j], __func__);
j++;
}
hooks_validate(new);
@@ -279,6 +286,9 @@ static struct nf_hook_entries __rcu **
nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum,
struct net_device *dev)
{
+ printk("pf: %d, ipv4 size: %d, hooknum: %d, %s\n", pf,
+ ARRAY_SIZE(net->nf.hooks_ipv4),
+ hooknum, __func__);
switch (pf) {
case NFPROTO_NETDEV:
break;
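Review bot: same format mismatch as in the previous revision of this hunk: ARRAY_SIZE() yields a size_t, so the argument needs %zu rather than %d.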
@@ -432,6 +442,7 @@ static int __nf_register_net_hook(struct net *net, int pf,
mutex_lock(&nf_hook_mutex);

p = nf_entry_dereference(*pp);
+ printk("%p, %s\n",p, __func__);
new_hooks = nf_hook_entries_grow(p, reg);

if (!IS_ERR(new_hooks)) {
@@ -473,12 +484,16 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
struct nf_hook_ops **orig_ops;
unsigned int i;

+ printk("ents: %p, del ops: %p, num: %d, %s\n", old, unreg, old->num_hook_entries, __func__);
orig_ops = nf_hook_entries_get_hook_ops(old);
for (i = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] != unreg)
+ if (orig_ops[i] != unreg) {
+ printk("%p, %d, %s\n", orig_ops[i], i, __func__);
continue;
+ }
WRITE_ONCE(old->hooks[i].hook, accept_all);
WRITE_ONCE(orig_ops[i], (void *)&dummy_ops);
+ printk("ents: %p, del ops: %p, i: %d, %s\n", old, orig_ops[i], i, __func__);
return true;
}

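Review bot: as in the previous revision, the trailing printk reads orig_ops[i] after it was overwritten with &dummy_ops, so "del ops" never shows the removed hook; print unreg so the line can be matched against the "del ops" value printed at function entry.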
@@ -558,6 +573,7 @@ int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
{
int err;

+ printk("%p, %p, %s\n", net, reg, __func__);
if (reg->pf == NFPROTO_INET) {
if (reg->hooknum == NF_INET_INGRESS) {
err = __nf_register_net_hook(net, NFPROTO_INET, reg);

syzbot

Oct 22, 2023, 10:57:38 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

ffff88807887c628, 0, nf_remove_net_hook
ffff88806103ae00, 1, nf_remove_net_hook
ffff88801ef45e00, 2, nf_remove_net_hook
ffff888079031e78, 3, nf_remove_net_hook
ffffffff8b259880, 4, nf_remove_net_hook
ffffffff8ba949b8, 5, nf_remove_net_hook
------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 0 PID: 5910 at net/netfilter/core.c:532 __nf_unregister_net_hook+0x4d2/0x570 net/netfilter/core.c:532
Modules linked in:
CPU: 0 PID: 5910 Comm: syz-executor.5 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__nf_unregister_net_hook+0x4d2/0x570 net/netfilter/core.c:532
Code: 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 8b 53 1c 89 ee 48 c7 c7 00 d7 a8 8b e8 0e c7 dc f8 <0f> 0b e9 53 fc ff ff e8 42 8d 6b f9 e9 58 fb ff ff 4c 89 e7 e8 35
RSP: 0018:ffffc9000361f2c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888065719400 RCX: 0000000000000000
RDX: ffff88802065c000 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000002 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802abc9250
R13: ffff88802abc8100 R14: ffff88806571941c R15: ffff888021b48900
FS: 00007f268b8fe6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005628f2ebe068 CR3: 000000006eb2c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:554
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x4125/0x5a00 net/netfilter/nf_tables_api.c:9993
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f268ac7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f268b8fe0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f268ad9bf80 RCX: 00007f268ac7cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f268acc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f268ad9bf80 R15: 00007ffc706dc9b8
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=174d8d99680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1387f8ed680000

Edward AD

Nov 5, 2023, 1:00:20 AM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..fc1b337aec8f 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -117,7 +117,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
orig_ops = nf_hook_entries_get_hook_ops(old);

for (i = 0; i < old_entries; i++) {
- if (orig_ops[i] != &dummy_ops)
+ if (!__kernel_text_address(orig_ops[i]) &&
+ orig_ops[i] != &dummy_ops)
alloc_entries++;

/* Restrict BPF hook type to force a unique priority, not
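Review bot: __kernel_text_address() takes an unsigned long, so passing orig_ops[i] (a struct nf_hook_ops *) needs a cast, and the filter it implements is narrow: it only skips entries whose pointer happens to land in kernel text, while a pointer into freed or otherwise stale memory passes the test and is still dereferenced for ->priority further down the loop. Filtering on read cannot make the walk safe; the question the trace needs to answer is which writer stored the bad pointer.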
@@ -146,7 +147,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
i = 0;
nhooks = 0;
while (i < old_entries) {
- if (orig_ops[i] == &dummy_ops) {
+ if (__kernel_text_address(orig_ops[i]) ||
+ orig_ops[i] == &dummy_ops) {
++i;
continue;
}
@@ -263,10 +265,12 @@ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old,

new_ops = nf_hook_entries_get_hook_ops(new);
for (i = 0, j = 0; i < old->num_hook_entries; i++) {
- if (orig_ops[i] == &dummy_ops)
+ if (IS_ERR_OR_NULL(orig_ops[i]) || orig_ops[i] == &dummy_ops)
continue;
new->hooks[j] = old->hooks[i];
new_ops[j] = (void *)orig_ops[i];
+ printk("new ents: %p, new uo h: %p, new ops: %p, %s\n",
+ new, new->hooks[j], new_ops[j], __func__);
j++;
}
hooks_validate(new);
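Review bot: this copy loop now also drops IS_ERR_OR_NULL() entries, but the skip count computed earlier in __nf_hook_entries_try_shrink() (the loop visible in the Oct 22 revision, untouched by this patch) still only counts &dummy_ops, so "new" is sized for entries that are never copied and its trailing slots stay zeroed from kvzalloc(): NULL ops pointers that the next walk will either dereference or fail to match, which is the "hook not found" symptom being chased. The grow hunks in this same patch use __kernel_text_address() as their notion of a bad entry, so the two paths also disagree on what to filter; the skip count, the copy loop and the grow walks need one shared predicate.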
@@ -479,6 +483,7 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
continue;
WRITE_ONCE(old->hooks[i].hook, accept_all);
WRITE_ONCE(orig_ops[i], (void *)&dummy_ops);
+ printk("ents: %p, deled ops: %p, i: %d, %s\n", old, orig_ops[i], i, __func__);
return true;
}

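Review bot: "deled" in the format string should be "deleted", and orig_ops[i] is read after being overwritten with &dummy_ops on the line above, so the printed "ops" is always dummy_ops; use unreg.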
syzbot

Nov 5, 2023, 1:16:11 AM
to ead...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 0 PID: 5762 at net/netfilter/core.c:522 __nf_unregister_net_hook+0x1e1/0x6a0 net/netfilter/core.c:522
Modules linked in:
CPU: 0 PID: 5762 Comm: syz-executor.5 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__nf_unregister_net_hook+0x1e1/0x6a0 net/netfilter/core.c:522
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 9f 04 00 00 8b 53 1c 48 c7 c7 80 d5 a8 8b 8b 74 24 0c e8 ef cc dc f8 <0f> 0b e9 0b 01 00 00 e8 83 a3 16 f9 44 89 e0 48 89 c2 48 c1 e2 04
RSP: 0018:ffffc90002dff2b8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88802171f400 RCX: 0000000000000000
RDX: ffff888027ec0080 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000006
R13: ffff8880786ef2d0 R14: ffff888021deca00 R15: ffff88802171f41c
FS: 00007f7c803336c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f749c681ff8 CR3: 0000000063052000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:544
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7c7f67cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7c803330c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7c7f79c050 RCX: 00007f7c7f67cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f7c7f6c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f7c7f79c050 R15: 00007ffe393fad78
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=158da6eb680000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1030cd60e80000

Edward AD

Nov 19, 2023, 12:15:14 AM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487


diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..58f2a5294453 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -113,6 +113,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
alloc_entries = 1;
old_entries = old ? old->num_hook_entries : 0;

+ mutex_lock(&nf_hook_mutex);
if (old) {
orig_ops = nf_hook_entries_get_hook_ops(old);

@@ -129,17 +130,23 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
* prevent defrag, conntrack, iptables etc from attaching).
*/
if (reg->priority == orig_ops[i]->priority &&
- reg->hook_ops_type == NF_HOOK_OP_BPF)
- return ERR_PTR(-EBUSY);
+ reg->hook_ops_type == NF_HOOK_OP_BPF) {
+ new = ERR_PTR(-EBUSY);
+ goto unlock;
+ }
}
}

- if (alloc_entries > MAX_HOOK_COUNT)
- return ERR_PTR(-E2BIG);
+ if (alloc_entries > MAX_HOOK_COUNT) {
+ new = ERR_PTR(-E2BIG);
+ goto unlock;
+ }

new = allocate_hook_entries_size(alloc_entries);
- if (!new)
- return ERR_PTR(-ENOMEM);
+ if (!new) {
+ new = ERR_PTR(-ENOMEM);
+ goto unlock;
+ }

new_ops = nf_hook_entries_get_hook_ops(new);

@@ -170,6 +177,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
new->hooks[nhooks].priv = reg->priv;
}

+unlock:
+ mutex_unlock(&nf_hook_mutex);
return new;
}

@@ -546,11 +555,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
{
struct nf_hook_entries *p;

+ mutex_lock(&nf_hook_mutex);
p = rcu_dereference_raw(*pp);
if (nf_remove_net_hook(p, reg)) {
p = __nf_hook_entries_try_shrink(p, pp);
nf_hook_entries_free(p);
}
+ mutex_unlock(&nf_hook_mutex);
}
EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw);

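Review bot: nf_hook_entries_delete_raw() is the _raw variant (it uses rcu_dereference_raw() rather than nf_entry_dereference()), i.e. its callers are expected to provide their own serialization, so taking the global nf_hook_mutex here changes that contract and, as with the grow hunk, deadlocks for any caller that already holds the mutex. The matching nf_hook_entries_insert_raw() (shown in the Oct 22 revision) is not changed by this patch, so a concurrent raw insert and raw delete on the same list are still not serialized by this lock either.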
syzbot

Nov 19, 2023, 1:12:07 AM
to ead...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 8.122243][ T1]
[ 8.122768][ T1] ============================================
[ 8.123835][ T1] WARNING: possible recursive locking detected
[ 8.124729][ T1] 6.6.0-rc3-syzkaller-dirty #0 Not tainted
[ 8.125560][ T1] --------------------------------------------
[ 8.126518][ T1] swapper/0/1 is trying to acquire lock:
[ 8.126735][ T1] ffffffff8e69c268 (nf_hook_mutex){+.+.}-{3:3}, at: nf_hook_entries_grow+0x580/0x8b0
[ 8.126735][ T1]
[ 8.126735][ T1] but task is already holding lock:
[ 8.126735][ T1] ffffffff8e69c268 (nf_hook_mutex){+.+.}-{3:3}, at: __nf_register_net_hook+0xef/0x830
[ 8.126735][ T1]
[ 8.126735][ T1] other info that might help us debug this:
[ 8.126735][ T1] Possible unsafe locking scenario:
[ 8.126735][ T1]
[ 8.126735][ T1] CPU0
[ 8.126735][ T1] ----
[ 8.126735][ T1] lock(nf_hook_mutex);
[ 8.126735][ T1] lock(nf_hook_mutex);
[ 8.126735][ T1]
[ 8.126735][ T1] *** DEADLOCK ***
[ 8.126735][ T1]
[ 8.126735][ T1] May be due to missing lock nesting notation
[ 8.126735][ T1]
[ 8.126735][ T1] 2 locks held by swapper/0/1:
[ 8.126735][ T1] #0: ffffffff8e5e4190 (pernet_ops_rwsem){+.+.}-{3:3}, at: register_pernet_subsys+0x19/0x40
[ 8.126735][ T1] #1: ffffffff8e69c268 (nf_hook_mutex){+.+.}-{3:3}, at: __nf_register_net_hook+0xef/0x830
[ 8.126735][ T1]
[ 8.126735][ T1] stack backtrace:
[ 8.126735][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.0-rc3-syzkaller-dirty #0
[ 8.126735][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 8.126735][ T1] Call Trace:
[ 8.126735][ T1] <TASK>
[ 8.126735][ T1] dump_stack_lvl+0xd9/0x1b0
[ 8.126735][ T1] __lock_acquire+0x2971/0x5de0
[ 8.126735][ T1] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 8.126735][ T1] lock_acquire+0x1ae/0x510
[ 8.126735][ T1] ? nf_hook_entries_grow+0x580/0x8b0
[ 8.126735][ T1] ? lock_sync+0x190/0x190
[ 8.126735][ T1] ? lock_acquire+0x1ae/0x510
[ 8.126735][ T1] ? preempt_count_sub+0x150/0x150
[ 8.126735][ T1] __mutex_lock+0x181/0x1340
[ 8.126735][ T1] ? nf_hook_entries_grow+0x580/0x8b0
[ 8.126735][ T1] ? nf_hook_entries_grow+0x580/0x8b0
[ 8.126735][ T1] ? preempt_count_sub+0x150/0x150
[ 8.126735][ T1] ? mutex_lock_io_nested+0x11a0/0x11a0
[ 8.126735][ T1] ? trace_contention_end+0xd6/0x100
[ 8.126735][ T1] ? __mutex_lock+0x25b/0x1340
[ 8.126735][ T1] ? __lock_acquire+0x182f/0x5de0
[ 8.126735][ T1] ? mutex_lock_io_nested+0x11a0/0x11a0
[ 8.126735][ T1] ? nf_hook_entries_grow+0x580/0x8b0
[ 8.126735][ T1] nf_hook_entries_grow+0x580/0x8b0
[ 8.126735][ T1] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 8.166836][ T1] __nf_register_net_hook+0x142/0x830
[ 8.166836][ T1] nf_register_net_hook+0x101/0x150
[ 8.166836][ T1] nf_register_net_hooks+0x5d/0xc0
[ 8.166836][ T1] ? selinux_nf_unregister+0x30/0x30
[ 8.166836][ T1] ops_init+0xb9/0x650
[ 8.166836][ T1] register_pernet_operations+0x34b/0x820
[ 8.166836][ T1] ? cleanup_net+0xb20/0xb20
[ 8.166836][ T1] ? rng_is_initialized+0x40/0x40
[ 8.166836][ T1] ? selinux_init+0x320/0x320
[ 8.166836][ T1] register_pernet_subsys+0x28/0x40
[ 8.166836][ T1] selinux_nf_ip_init+0x35/0x80
[ 8.166836][ T1] do_one_initcall+0x117/0x630
[ 8.166836][ T1] ? trace_event_raw_event_initcall_level+0x200/0x200
[ 8.166836][ T1] kernel_init_freeable+0x5c2/0x900
[ 8.166836][ T1] ? rest_init+0x2b0/0x2b0
[ 8.166836][ T1] kernel_init+0x1c/0x2a0
[ 8.166836][ T1] ? rest_init+0x2b0/0x2b0
[ 8.166836][ T1] ret_from_fork+0x45/0x80
[ 8.166836][ T1] ? rest_init+0x2b0/0x2b0
[ 8.166836][ T1] ret_from_fork_asm+0x11/0x20
[ 8.166836][ T1] </TASK>
[ 286.966884][ T28] INFO: task swapper/0:1 blocked for more than 143 seconds.
[ 286.969104][ T28] Not tainted 6.6.0-rc3-syzkaller-dirty #0
[ 286.971304][ T28] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 286.973620][ T28] task:swapper/0 state:D stack:23024 pid:1 ppid:0 flags:0x00004000
[ 286.976023][ T28] Call Trace:
[ 286.976678][ T28] <TASK>
[ 286.977696][ T28] __schedule+0xee1/0x5a10
[ 286.978895][ T28] ? rcu_is_watching+0x12/0xb0
[ 286.980008][ T28] ? trace_irq_enable.constprop.0+0xd0/0x100
[ 286.981277][ T28] ? irqentry_enter+0x2c/0x50
[ 286.982136][ T28] ? rcu_is_watching+0x12/0xb0
[ 286.982834][ T28] ? io_schedule_timeout+0x150/0x150
[ 286.983837][ T28] ? rcu_is_watching+0x12/0xb0
[ 286.984537][ T28] ? __mutex_lock+0x964/0x1340
[ 286.985252][ T28] ? do_raw_spin_lock+0x12e/0x2b0
[ 286.985953][ T28] ? spin_bug+0x1d0/0x1d0
[ 286.986683][ T28] schedule+0xe7/0x1b0
[ 286.987309][ T28] schedule_preempt_disabled+0x13/0x20
[ 286.992893][ T28] __mutex_lock+0x969/0x1340
[ 286.997691][ T28] ? nf_hook_entries_grow+0x580/0x8b0
[ 287.003162][ T28] ? preempt_count_sub+0x150/0x150
[ 287.008617][ T28] ? mutex_lock_io_nested+0x11a0/0x11a0
[ 287.014340][ T28] ? trace_contention_end+0xd6/0x100
[ 287.019881][ T28] ? __mutex_lock+0x25b/0x1340
[ 287.024740][ T28] ? __lock_acquire+0x182f/0x5de0
[ 287.029819][ T28] ? mutex_lock_io_nested+0x11a0/0x11a0
[ 287.035385][ T28] ? nf_hook_entries_grow+0x580/0x8b0
[ 287.041001][ T28] nf_hook_entries_grow+0x580/0x8b0
[ 287.046464][ T28] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 287.052618][ T28] __nf_register_net_hook+0x142/0x830
[ 287.058143][ T28] nf_register_net_hook+0x101/0x150
[ 287.063352][ T28] nf_register_net_hooks+0x5d/0xc0
[ 287.068504][ T28] ? selinux_nf_unregister+0x30/0x30
[ 287.073863][ T28] ops_init+0xb9/0x650
[ 287.078000][ T28] register_pernet_operations+0x34b/0x820
[ 287.083725][ T28] ? cleanup_net+0xb20/0xb20
[ 287.088364][ T28] ? rng_is_initialized+0x40/0x40
[ 287.093503][ T28] ? selinux_init+0x320/0x320
[ 287.098308][ T28] register_pernet_subsys+0x28/0x40
[ 287.103675][ T28] selinux_nf_ip_init+0x35/0x80
[ 287.108677][ T28] do_one_initcall+0x117/0x630
[ 287.113475][ T28] ? trace_event_raw_event_initcall_level+0x200/0x200
[ 287.120835][ T28] kernel_init_freeable+0x5c2/0x900
[ 287.126412][ T28] ? rest_init+0x2b0/0x2b0
[ 287.130885][ T28] kernel_init+0x1c/0x2a0
[ 287.135437][ T28] ? rest_init+0x2b0/0x2b0
[ 287.139959][ T28] ret_from_fork+0x45/0x80
[ 287.144525][ T28] ? rest_init+0x2b0/0x2b0
[ 287.149056][ T28] ret_from_fork_asm+0x11/0x20
[ 287.153819][ T28] </TASK>
[ 287.157157][ T28] INFO: lockdep is turned off.
[ 287.161893][ T28] Kernel panic - not syncing: hung_task: blocked tasks
[ 287.167099][ T28] CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.6.0-rc3-syzkaller-dirty #0
[ 287.167099][ T28] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 287.167099][ T28] Call Trace:
[ 287.167099][ T28] <TASK>
[ 287.167099][ T28] dump_stack_lvl+0xd9/0x1b0
[ 287.167099][ T28] panic+0x6a6/0x750
[ 287.167099][ T28] ? panic_smp_self_stop+0xa0/0xa0
[ 287.167099][ T28] ? preempt_count_sub+0x150/0x150
[ 287.167099][ T28] ? watchdog+0xd3e/0x1210
[ 287.167099][ T28] watchdog+0xd4f/0x1210
[ 287.167099][ T28] ? proc_dohung_task_timeout_secs+0x90/0x90
[ 287.167099][ T28] ? lockdep_hardirqs_on+0x7d/0x100
[ 287.167099][ T28] ? __kthread_parkme+0x14b/0x220
[ 287.167099][ T28] ? proc_dohung_task_timeout_secs+0x90/0x90
[ 287.167099][ T28] kthread+0x33c/0x440
[ 287.167099][ T28] ? _raw_spin_unlock_irq+0x23/0x50
[ 287.167099][ T28] ? kthread_complete_and_exit+0x40/0x40
[ 287.167099][ T28] ret_from_fork+0x45/0x80
[ 287.167099][ T28] ? kthread_complete_and_exit+0x40/0x40
[ 287.167099][ T28] ret_from_fork_asm+0x11/0x20
[ 287.167099][ T28] </TASK>
[ 287.167099][ T28] Kernel Offset: disabled
[ 287.167099][ T28] Rebooting in 86400 seconds..
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1107752955=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 0b6a67ac4
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0b6a67ac4b0dc26f43030c5edd01c9175f13b784 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230913-073137'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0b6a67ac4b0dc26f43030c5edd01c9175f13b784 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230913-073137'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0b6a67ac4b0dc26f43030c5edd01c9175f13b784 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230913-073137'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"0b6a67ac4b0dc26f43030c5edd01c9175f13b784\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15d5cd10e80000


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10b3d658e80000

Edward AD

unread,
Nov 19, 2023, 5:32:20 AM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..58f2a5294453 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c

syzbot

unread,
Nov 19, 2023, 6:11:09 AM
to ead...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 6126 at net/netfilter/core.c:517 __nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Modules linked in:
CPU: 1 PID: 6126 Comm: syz-executor.1 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:__nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7a 04 00 00 8b 53 1c 48 c7 c7 c0 d4 a8 8b 8b 74 24 04 e8 b2 ce dc f8 <0f> 0b e9 ec 00 00 00 e8 46 a5 16 f9 48 89 e8 48 c1 e0 04 49 8d 7c
RSP: 0018:ffffc9000378f2b8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88805fc88800 RCX: 0000000000000000
RDX: ffff88801db5c200 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: fffffffffffddb78 R12: ffff888029249250
R13: ffff888064376598 R14: ffff888064376500 R15: ffff88805fc8881c
FS: 00007f560e44d6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555691d938 CR3: 0000000063604000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:539
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f560d67cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f560e44d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f560d79c050 RCX: 00007f560d67cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f560d6c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f560d79c050 R15: 00007fffbdf48218
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=104a2e24e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11b643d4e80000

Edward AD

unread,
Nov 19, 2023, 10:07:14 PM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..bec4aeef6a82 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -200,8 +200,10 @@ int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp,
struct nf_hook_entries *new_hooks;
struct nf_hook_entries *p;

+ mutex_lock(&nf_hook_mutex);
p = rcu_dereference_raw(*pp);
new_hooks = nf_hook_entries_grow(p, reg);
+ mutex_unlock(&nf_hook_mutex);
if (IS_ERR(new_hooks))
return PTR_ERR(new_hooks);

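Review bot: nf_hook_mutex is released too early in this hunk. `mutex_unlock(&nf_hook_mutex)` follows `nf_hook_entries_grow(p, reg)` immediately, before the function has done anything with `new_hooks`, so whatever publishes the grown array to `*pp` afterwards still runs without the lock. Two callers can therefore both read the same `p` via `rcu_dereference_raw(*pp)`, both grow it, and both go on to publish their own copy, which is the kind of divergence between the registered list and the hook table that later surfaces as "hook not found" in `__nf_unregister_net_hook`. If this path is meant to be serialized by nf_hook_mutex, hold it until after the new array has been swapped in (and drop it on the `IS_ERR(new_hooks)` path too). Note also that the reproducer trace syzbot reports comes through nf_tables_commit() -> nf_unregister_net_hook() via nfnetlink, not through nf_hook_entries_insert_raw(), and the follow-up test still warns at core.c:519 (the line shifted by the two lines this hunk adds, so the patch was applied), which confirms this hunk does not address that path. The second hunk against nf_hook_entries_delete_raw() has only its header here and cannot be reviewed.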
@@ -546,11 +548,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,

syzbot

unread,
Nov 19, 2023, 10:43:07 PM
to ead...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 0 PID: 5828 at net/netfilter/core.c:519 __nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:519
Modules linked in:
CPU: 0 PID: 5828 Comm: syz-executor.2 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:__nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:519
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7a 04 00 00 8b 53 1c 48 c7 c7 c0 d4 a8 8b 8b 74 24 04 e8 b2 ce dc f8 <0f> 0b e9 ec 00 00 00 e8 46 a5 16 f9 48 89 e8 48 c1 e0 04 49 8d 7c
RSP: 0018:ffffc90003ecf2b8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888061921800 RCX: 0000000000000000
RDX: ffff88807a4a6180 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8880772b7250
R13: ffff888023717598 R14: ffff888023717500 R15: ffff88806192181c
FS: 00007f709206d6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2411480420 CR3: 000000001c0be000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:541
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f709127cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f709206d0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f709139bf80 RCX: 00007f709127cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f70912c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f709139bf80 R15: 00007ffca21c8a28
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=127331b8e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14c46f2f680000

Edward AD

unread,
Nov 20, 2023, 5:55:57 AM
to syzbot+de4025...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 680fe557686e..246f381a8970 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -368,6 +368,9 @@ static int nf_tables_netdev_event(struct notifier_block *this,
event != NETDEV_CHANGENAME)
return NOTIFY_DONE;

+ if (!check_net(ctx.net))
+ return NOTIFY_DONE;
+
nft_net = nft_pernet(ctx.net);
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
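Review bot: the `check_net(ctx.net)` guard makes nf_tables_netdev_event() a no-op for a namespace whose refcount has already reached zero, which skips the whole table walk under `nft_net->commit_mutex` that follows it; the commit message should explain who then removes the netdev-family hooks of those tables for the device being unregistered, otherwise this guard trades a warning for hooks that are never torn down. It also does not touch the path in the report: the warning syzbot reproduces is raised from nf_tables_commit() calling nf_unregister_net_hook() through nfnetlink_rcv_batch(), not from this notifier, and syzbot's follow-up test shows the identical trace (WARNING at core.c:517 from nf_tables_commit) with the hunk applied. Returning NOTIFY_DONE here should be justified against that commit-path trace, or the fix should be aimed at the registration/unregistration bookkeeping in the commit path instead.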

syzbot

unread,
Nov 20, 2023, 6:34:05 AM
to ead...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __nf_unregister_net_hook

------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 0 PID: 5838 at net/netfilter/core.c:517 __nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Modules linked in:
CPU: 0 PID: 5838 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:__nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7a 04 00 00 8b 53 1c 48 c7 c7 c0 d4 a8 8b 8b 74 24 04 e8 b2 ce dc f8 <0f> 0b e9 ec 00 00 00 e8 46 a5 16 f9 48 89 e8 48 c1 e0 04 49 8d 7c
RSP: 0018:ffffc90003e8f2b8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880655a7800 RCX: 0000000000000000
RDX: ffff888020762000 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888027c57290
R13: ffff888065865b98 R14: ffff888065865b00 R15: ffff8880655a781c
FS: 00007f3c5fffe6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3c60d98000 CR3: 0000000079951000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:539
__nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
__nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:753
____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
__sys_sendmsg+0x117/0x1e0 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3c60c7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3c5fffe0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f3c60d9c050 RCX: 00007f3c60c7cae9
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000003
RBP: 00007f3c60cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f3c60d9c050 R15: 00007fffd735cc38
</TASK>


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=127de958e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10447648e80000

syzbot

unread,
Feb 17, 2024, 7:38:31 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: WARNING in __nf_unregister_net_hook
Author: f...@strlen.de

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main

syzbot

unread,
Feb 19, 2024, 9:04:11 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com