[syzbot] WARNING in __nf_unregister_net_hook (4)

4 views
Skip to first unread message

syzbot

unread,
Apr 10, 2021, 10:49:18 AMApr 10
to core...@netfilter.org, da...@davemloft.net, f...@strlen.de, kad...@netfilter.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: cc0626c2 net: smsc911x: skip acpi_device_id table when !CO..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=110a3096d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7eff0f22b8563a5f
dashboard link: https://syzkaller.appspot.com/bug?extid=154bd5be532a63aa778b

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+154bd5...@syzkaller.appspotmail.com

hook not found, pf 2 num 0
WARNING: CPU: 1 PID: 8144 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480
Modules linked in:
CPU: 1 PID: 8144 Comm: syz-executor.0 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480
Code: 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 11 04 00 00 8b 53 1c 89 ee 48 c7 c7 e0 26 6c 8a e8 72 df 87 01 <0f> 0b e9 e5 00 00 00 e8 09 1d 37 fa 44 8b 3c 24 4c 89 f8 48 c1 e0
RSP: 0018:ffffc9001534f418 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88802f867a00 RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815c5205 RDI: fffff52002a69e75
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815bdf9e R11: 0000000000000000 R12: ffff8880272c8f20
R13: 0000000000000000 R14: ffff88802fa34c00 R15: 0000000000000006
FS: 00007feaf7d10700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb651f70ca0 CR3: 0000000069f31000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:502
nf_tables_unregister_hook.part.0+0x131/0x200 net/netfilter/nf_tables_api.c:234
nf_tables_unregister_hook net/netfilter/nf_tables_api.c:8122 [inline]
nf_tables_commit+0x1d9b/0x4710 net/netfilter/nf_tables_api.c:8122
nfnetlink_rcv_batch+0x975/0x21b0 net/netfilter/nfnetlink.c:508
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
sock_sendmsg_nosec net/socket.c:654 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:674
____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
___sys_sendmsg+0xf3/0x170 net/socket.c:2404
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466459
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feaf7d10188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000003
RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffe0fcaf04f R14: 00007feaf7d10300 R15: 0000000000022000


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Dmitry Vyukov

unread,
May 8, 2021, 1:08:03 AMMay 8
to syzbot, core...@netfilter.org, David Miller, Florian Westphal, Jozsef Kadlecsik, Jakub Kicinski, LKML, netdev, NetFilter, Pablo Neira Ayuso, syzkaller-bugs
On Sat, Apr 10, 2021 at 4:49 PM syzbot
<syzbot+154bd5...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: cc0626c2 net: smsc911x: skip acpi_device_id table when !CO..
> git tree: net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=110a3096d00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=7eff0f22b8563a5f
> dashboard link: https://syzkaller.appspot.com/bug?extid=154bd5be532a63aa778b
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+154bd5...@syzkaller.appspotmail.com

Is this also fixed by "netfilter: arptables: use pernet ops struct
during unregister"?
The warning is the same, but the stack is different...
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000008ce91e05bf9f62bc%40google.com.

Florian Westphal

unread,
May 8, 2021, 10:47:09 AMMay 8
to Dmitry Vyukov, syzbot, core...@netfilter.org, David Miller, Florian Westphal, Jozsef Kadlecsik, Jakub Kicinski, LKML, netdev, NetFilter, Pablo Neira Ayuso, syzkaller-bugs
Dmitry Vyukov <dvy...@google.com> wrote:
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+154bd5...@syzkaller.appspotmail.com
>
> Is this also fixed by "netfilter: arptables: use pernet ops struct
> during unregister"?
> The warning is the same, but the stack is different...

No, this is a different bug.

In both cases the caller attempts to unregister a hook that the core
can't find, but in this case the caller is nftables, not arptables.

Pablo Neira Ayuso

unread,
May 12, 2021, 8:56:14 PMMay 12
to Florian Westphal, Dmitry Vyukov, syzbot, core...@netfilter.org, David Miller, Jozsef Kadlecsik, Jakub Kicinski, LKML, netdev, NetFilter, syzkaller-bugs
I see no reproducer for this bug. Maybe I broke the dormant flag handling?

Or maybe syzbot got here after the arptables bug has been hitted?

Dmitry Vyukov

unread,
May 13, 2021, 3:08:32 AMMay 13
to Pablo Neira Ayuso, Florian Westphal, syzbot, core...@netfilter.org, David Miller, Jozsef Kadlecsik, Jakub Kicinski, LKML, netdev, NetFilter, syzkaller-bugs
syzbot always stops after the first bug to give you perfect "Not
tainted" oopses.

Pablo Neira Ayuso

unread,
May 17, 2021, 6:57:50 AMMay 17
to Dmitry Vyukov, Florian Westphal, syzbot, core...@netfilter.org, David Miller, Jozsef Kadlecsik, Jakub Kicinski, LKML, netdev, NetFilter, syzkaller-bugs
Looking at the log file:

https://syzkaller.appspot.com/text?tag=CrashLog&x=110a3096d00000

This is mixing calls to nftables:

14:43:16 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)={{0x9}, [@NFT_MSG_NEWTABLE={0x28, 0x0, 0xa, 0x3, 0x0, 0x0, {0x2}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}, @NFTA_TABLE_FLAGS={0x8}]}], {0x14}}, 0x50}}, 0x0)

with arptables:

14:43:16 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f0000000000)={'filter\x00', 0x4, 0x4, 0x3f8, 0x310, 0x200, 0x200, 0x310, 0x310, 0x310, 0x4, 0x0, {[{{@arp={@broadcast, @rand_addr, 0x87010000, 0x0, 0x0, 0x0, {@mac=@link_local}, {@mac}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'bridge0\x00', 'erspan0\x00'}, 0xc0, 0x100}, @unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz1\x00', 0x0, 0x4}}}, {{@arp={@initdev={0xac, 0x1e, 0x0, 0x0}, @local, 0x0, 0x0, 0x0, 0x0, {@mac=@remote}, {}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'veth0_to_bridge\x00', 'geneve1\x00'}, 0xc0, 0x100}, @unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz0\x00', 0x0, 0x2}}}, {{@arp={@local, @multicast1, 0x0, 0x0, 0x0, 0x0, {}, {@mac=@broadcast}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'veth0_to_batadv\x00', 'veth0_to_hsr\x00'}, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@mac=@remote, @mac=@local, @multicast2, @initdev={0xac, 0x1e, 0x0, 0x0}}}}], {{[], 0xc0, 0xe8}, {0x28}}}}, 0x448)

arptables was buggy at the time this bug has been reported.

Am I understanding correctly the syzbot log?

I wonder if the (buggy) arptables removed the incorrect hook from
nftables, then nftables crashed on the same location when removing the
hook. I don't see a clear sequence for this to happen though.

Would it be possible to make syzbot exercise the NFT_MSG_NEWTABLE
codepath (with NFTA_TABLE_FLAGS) to check if the problem still
persists?

Thanks.

Dmitry Vyukov

unread,
May 17, 2021, 8:42:54 AMMay 17
to Pablo Neira Ayuso, Florian Westphal, syzbot, core...@netfilter.org, David Miller, Jozsef Kadlecsik, Jakub Kicinski, LKML, netdev, NetFilter, syzkaller-bugs
This happened only once so far 40 days ago. So if you consider it
possible that it actually happened due to the arptables issue, I would
mark it as invalid (with "#syz invalid") and move on. If it ever
happens again, syzbot will notify, but then we know it happened with
the aprtables issue fixed.

This bug does not have a reproducer, so it's not possible to test this
exact scenario. It's possible to replay the whole log, but somehow
syzkaller wasn't able to retrigger it by replaying the log. I don't
think it's worth our time at this point.

Pablo Neira Ayuso

unread,
May 17, 2021, 10:10:06 AMMay 17
to Dmitry Vyukov, Florian Westphal, syzbot, core...@netfilter.org, David Miller, Jozsef Kadlecsik, Jakub Kicinski, LKML, netdev, NetFilter, syzkaller-bugs
Thanks.

I found the root cause, I was getting confused by the arptables
report. I'll post a patch.
Reply all
Reply to author
Forward
0 new messages