lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <067963b0-17be-4c4d-8485-a49cfe9da5fb@redhat.com>
Date: Sun, 25 Aug 2024 11:43:54 -0400
From: Waiman Long <longman@...hat.com>
To: Xingyu Li <xli399@....edu>, peterz@...radead.org, mingo@...hat.com,
 will@...nel.org, boqun.feng@...il.com, linux-kernel@...r.kernel.org
Subject: Re: BUG: general protection fault in kernfs_remove_by_name_ns

On 8/25/24 00:53, Xingyu Li wrote:
> Hi,
>
> We found a bug in linux 6.10. It is probably a null pointer dereference bug.
> The bug report is as follows, but unfortunately there is no generated
> syzkaller reproducer.
>
> netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2
> family 0 port 6081 - 0
> netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2
> family 0 port 6081 - 0
> netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2
> family 0 port 6081 - 0
> Oops: general protection fault, probably for non-canonical address
> 0xdffffc0000000029: 0000 [#1] PREEMPT SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
> CPU: 0 PID: 10054 Comm: kworker/u4:29 Not tainted 6.10.0 #13
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Workqueue: netns cleanup_net
> RIP: 0010:__lock_acquire+0x106/0x8050 kernel/locking/lockdep.c:5005
> Code: 85 5d 20 00 00 83 3d 14 d2 b5 0d 00 48 89 9c 24 18 01 00 00 0f
> 84 00 10 00 00 83 3d 33 3a 31 0c 00 74 31 48 89 d0 48 c1 e8 03 <42> 80
> 3c 00 00 74 17 48 89 d7 e8 fb 9c 85 00 48 8b 54 24 10 49 b8
> RSP: 0018:ffffc9000a0bf540 EFLAGS: 00010002
> RAX: 0000000000000029 RBX: 1ffff92001417ecc RCX: 0000000000000000
> RDX: 0000000000000148 RSI: 0000000000000000 RDI: 0000000000000148
> RBP: ffffc9000a0bf808 R08: dffffc0000000000 R09: 0000000000000000
> R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000000000001
> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88801fc31e00
> FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fc6fba84cd0 CR3: 0000000020224000 CR4: 0000000000350ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <TASK>
>   lock_acquire+0x1a9/0x400 kernel/locking/lockdep.c:5754
>   down_write+0x36/0x50 kernel/locking/rwsem.c:1579
>   kernfs_remove_by_name_ns+0x76/0x150 fs/kernfs/dir.c:1689
>   del_nbp+0xa6/0xb50 net/bridge/br_if.c:338
>   br_dev_delete+0x76/0x110 net/bridge/br_if.c:386
>   br_net_exit_batch_rtnl+0xee/0x1a0 net/bridge/br.c:369
>   cleanup_net+0x712/0xcd0 net/core/net_namespace.c:633
>   process_one_work kernel/workqueue.c:3248 [inline]
>   process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
>   worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
>   kthread+0x2eb/0x380 kernel/kthread.c:389
>   ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
>   ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
>   </TASK>

I don't believe it is a bug in the locking code.

> RIP: 0010:__lock_acquire+0x106/0x8050 kernel/locking/lockdep.c:5005

5005         if (!prove_locking || lock->key == &__lockdep_no_validate__)

This crash is likely caused by passing in an incorrect rw_semaphore pointer.

> kernfs_remove_by_name_ns+0x76/0x150 fs/kernfs/dir.c:1689

1676 int kernfs_remove_by_name_ns(struct kernfs_node *parent, const char 
*name,
1677                              const void *ns)
1678 {
   :
1688         root = kernfs_root(parent);
1689         down_write(&root->kernfs_rwsem);

> del_nbp+0xa6/0xb50 net/bridge/br_if.c:338

333 static void del_nbp(struct net_bridge_port *p)
334 {
335         struct net_bridge *br = p->br;
336         struct net_device *dev = p->dev;
337

338         sysfs_remove_link(br->ifobj, p->dev->name);

ETHERNET BRIDGE
M:      Roopa Prabhu <roopa@...dia.com>
M:      Nikolay Aleksandrov <razor@...ckwall.org>
L:      bridge@...ts.linux.dev
L:      netdev@...r.kernel.org
S:      Maintained
W:      http://www.linuxfoundation.org/en/Net:Bridge
F:      include/linux/netfilter_bridge/
F:      net/bridge/

I would suggest you report this issue to the maintainers to the ethernet 
bridge component first.

Cheers,
Longman

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ