lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 11 Aug 2023 18:06:17 +0300
From:   Vlad Buslov <vladbu@...dia.com>
To:     Ido Schimmel <idosch@...sch.org>
CC:     syzbot <syzbot+d810d3cd45ed1848c3f7@...kaller.appspotmail.com>,
        <ast@...nel.org>, <bpf@...r.kernel.org>, <daniel@...earbox.net>,
        <davem@...emloft.net>, <dsahern@...nel.org>, <edumazet@...gle.com>,
        <hawk@...nel.org>, <idosch@...dia.com>, <jasowang@...hat.com>,
        <john.fastabend@...il.com>, <kuba@...nel.org>,
        <linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
        <pabeni@...hat.com>, <syzkaller-bugs@...glegroups.com>,
        <willemdebruijn.kernel@...il.com>
Subject: Re: [syzbot] [net?] WARNING in ip6_tnl_exit_batch_net

On Fri 11 Aug 2023 at 18:03, Ido Schimmel <idosch@...sch.org> wrote:
> On Fri, Aug 11, 2023 at 06:57:07AM -0700, syzbot wrote:
>> Hello,
>> 
>> syzbot found the following issue on:
>> 
>> HEAD commit:    048c796beb6e ipv6: adjust ndisc_is_useropt() to also retur..
>> git tree:       net
>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=103213a5a80000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=fa5bd4cd5ab6259d
>> dashboard link: https://syzkaller.appspot.com/bug?extid=d810d3cd45ed1848c3f7
>> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1475a873a80000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=153cc91ba80000
>> 
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/bf6b84b5998f/disk-048c796b.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/4000dee89ebe/vmlinux-048c796b.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/b700ee9bd306/bzImage-048c796b.xz
>> 
>> The issue was bisected to:
>> 
>> commit 718cb09aaa6fa78cc8124e9517efbc6c92665384
>> Author: Vlad Buslov <vladbu@...dia.com>
>> Date:   Tue Aug 8 09:35:21 2023 +0000
>> 
>>     vlan: Fix VLAN 0 memory leak
>
> I wasn't able to reproduce using the C reproducer, but I'm pretty sure I
> know what is the problem. I wasn't aware that user space can create VLAN
> devices with VID 0, which can result in the VLAN driver wrongly deleting
> it upon NETDEV_DOWN. Reproduced using:
>
> ip link add name dummy1 up type dummy
> ip link add link dummy1 name dummy1.0 type vlan id 0
> ip link del dev dummy1
>
> Always adding VID 0 on NETDEV_UP "solves" the problem, but it will
> increase the memory consumption for each netdev, which is not ideal. A
> possible solution is trying to delete VID 0 upon NETDEV_UNREGISTER
> instead of only iterating over upper VLAN devices.
>
> Anyway, Vlad, it's probably best to send a revert while we figure it
> out.

Will do.

>
>> 
>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12cbf169a80000
>> final oops:     https://syzkaller.appspot.com/x/report.txt?x=11cbf169a80000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=16cbf169a80000
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+d810d3cd45ed1848c3f7@...kaller.appspotmail.com
>> Fixes: 718cb09aaa6f ("vlan: Fix VLAN 0 memory leak")
>> 
>> ------------[ cut here ]------------
>> WARNING: CPU: 0 PID: 12 at net/core/dev.c:10876 unregister_netdevice_many_notify+0x14d8/0x19a0 net/core/dev.c:10876
>> Modules linked in:
>> CPU: 0 PID: 12 Comm: kworker/u4:1 Not tainted 6.5.0-rc4-syzkaller-00248-g048c796beb6e #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
>> Workqueue: netns cleanup_net
>> RIP: 0010:unregister_netdevice_many_notify+0x14d8/0x19a0 net/core/dev.c:10876
>> Code: b4 1a 00 00 48 c7 c6 e0 18 81 8b 48 c7 c7 20 19 81 8b c6 05 ab 19 6c 06 01 e8 b4 22 23 f9 0f 0b e9 64 f7 ff ff e8 68 60 5c f9 <0f> 0b e9 3b f7 ff ff e8 fc 68 b0 f9 e9 fc ec ff ff 4c 89 e7 e8 4f
>> RSP: 0018:ffffc90000117a30 EFLAGS: 00010293
>> RAX: 0000000000000000 RBX: 0000000070de5201 RCX: 0000000000000000
>> RDX: ffff88801526d940 RSI: ffffffff8829a7b8 RDI: 0000000000000001
>> RBP: ffff88807d7ee000 R08: 0000000000000001 R09: 0000000000000000
>> R10: 0000000000000001 R11: ffffffff81004e11 R12: ffff888018fb2a00
>> R13: 0000000000000000 R14: 0000000000000002 R15: ffff888018fb2a00
>> FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00005581d741a950 CR3: 000000007deef000 CR4: 00000000003506f0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>>  <TASK>
>>  ip6_tnl_exit_batch_net+0x57d/0x6f0 net/ipv6/ip6_tunnel.c:2278
>>  ops_exit_list+0x125/0x170 net/core/net_namespace.c:175
>>  cleanup_net+0x505/0xb20 net/core/net_namespace.c:614
>>  process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
>>  worker_thread+0x687/0x1110 kernel/workqueue.c:2748
>>  kthread+0x33a/0x430 kernel/kthread.c:389
>>  ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
>>  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
>>  </TASK>
>> 
>> 
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@...glegroups.com.
>> 
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>> 
>> If the bug is already fixed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>> 
>> If you want syzbot to run the reproducer, reply with:
>> #syz test: git://repo/address.git branch-or-commit-hash
>> If you attach or paste a git patch, syzbot will apply it before testing.
>> 
>> If you want to change bug's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>> 
>> If the bug is a duplicate of another bug, reply with:
>> #syz dup: exact-subject-of-another-report
>> 
>> If you want to undo deduplication, reply with:
>> #syz undup
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ