Message-ID: <20250813011023.4357-1-hdanton@sina.com>
Date: Wed, 13 Aug 2025 09:10:22 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+8aa80c6232008f7b957d@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

> Date: Tue, 12 Aug 2025 02:58:28 -0700	[thread overview]
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000

#syz test

--- x/drivers/net/netdevsim/netdev.c
+++ y/drivers/net/netdevsim/netdev.c
@@ -709,10 +709,14 @@ static struct nsim_rq *nsim_queue_alloc(
 
 static void nsim_queue_free(struct net_device *dev, struct nsim_rq *rq)
 {
+	struct netdevsim *ns = netdev_priv(dev);
+
 	hrtimer_cancel(&rq->napi_timer);
-	local_bh_disable();
-	dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
-	local_bh_enable();
+	if (ns->registed) {
+		local_bh_disable();
+		dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
+		local_bh_enable();
+	}
 	skb_queue_purge_reason(&rq->skb_queue, SKB_DROP_REASON_QUEUE_PURGE);
 	kfree(rq);
 }
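Review bot: The new `ns->registed` flag tested in nsim_queue_free() is misspelled, typed `int` for a boolean, and has no comment saying why the dstats update must be skipped while it is zero. The same applies to the netdevsim.h hunk that declares it and the two nsim_init_netdevsim() hunks that set it. Presumably the reported fault is nsim_queue_free() running on an init error path before the device statistics exist, but nothing visible here states that, so the next reader cannot tell what the flag protects. I would declare it as `bool registered;` with a comment such as `/* set at the end of nsim_init_netdevsim(); gates the dstats update in nsim_queue_free() */`. The flag is also never cleared in the visible hunks, so it means "init once succeeded" rather than "currently registered", and the comment should say so.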
@@ -981,6 +985,7 @@ err_free_prev:
 	while (i--)
 		kfree(ns->rq[i]);
 	kfree(ns->rq);
+	ns->rq = NULL;
 	return -ENOMEM;
 }
 
@@ -989,6 +994,8 @@ static void nsim_queue_uninit(struct net
 	struct net_device *dev = ns->netdev;
 	int i;
 
+	if (!ns->rq)
+		return;
 	for (i = 0; i < dev->num_rx_queues; i++)
 		nsim_queue_free(dev, ns->rq[i]);
 
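Review bot: The early `if (!ns->rq) return;` in nsim_queue_uninit() is only safe if every path that frees the array also resets the pointer. The err_free_prev hunk above now does this with `ns->rq = NULL;`, but the rest of nsim_queue_uninit() lies outside this hunk, so it is not visible whether the pointer is cleared after the array is freed there. If it is not, a second call would pass the guard and walk freed memory; adding `ns->rq = NULL;` after the final free would make the guard hold in both directions. A one-line comment on the guard, for example `/* queues were never allocated or init already unwound them */`, would also help.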
@@ -1001,6 +1008,7 @@ static int nsim_init_netdevsim(struct ne
 	struct mock_phc *phc;
 	int err;
 
+	ns->registed = 0;
 	phc = mock_phc_create(&ns->nsim_bus_dev->dev);
 	if (IS_ERR(phc))
 		return PTR_ERR(phc);
@@ -1038,6 +1046,7 @@ static int nsim_init_netdevsim(struct ne
 							&ns->nn))
 			ns->nb.notifier_call = NULL;
 	}
+	ns->registed = 1;
 
 	return 0;
 
--- x/drivers/net/netdevsim/netdevsim.h
+++ y/drivers/net/netdevsim/netdevsim.h
@@ -106,6 +106,7 @@ struct netdevsim {
 	struct mock_phc *phc;
 	struct nsim_rq **rq;
 
+	int registed;
 	int rq_reset_mode;
 
 	struct nsim_bus_dev *nsim_bus_dev;
--- x/net/ipv4/udp_tunnel_nic.c
+++ y/net/ipv4/udp_tunnel_nic.c
@@ -733,7 +733,8 @@ static void udp_tunnel_nic_device_sync_w
 	struct udp_tunnel_nic *utn =
 		container_of(work, struct udp_tunnel_nic, work);
 
-	rtnl_lock();
+	if (!rtnl_trylock())
+		return;
 	mutex_lock(&utn->lock);
 
 	utn->work_pending = 0;
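Review bot: When `rtnl_trylock()` fails, the work handler returns without re-queueing itself, so the pending sync is silently dropped. `utn->work_pending` also stays set, because `utn->work_pending = 0;` runs only after the lock is taken. Unless code outside this hunk schedules the work again, the device's offloaded port table can stay out of step with the stack indefinitely. The failure branch should re-queue the work item on the workqueue it was originally submitted to before returning. After the `disable_work()` call added in udp_tunnel_nic_free(), such a re-queue should be refused, so teardown would not be reopened by it. The handler's body continues outside the hunk.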
@@ -782,6 +783,8 @@ static void udp_tunnel_nic_free(struct u
 
 	for (i = 0; i < utn->n_tables; i++)
 		kfree(utn->entries[i]);
+	disable_work(&utn->work);
+	cancel_work_sync(&utn->work);
 	kfree(utn);
 }
 
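Review bot: The work item is stopped only after the loop has already freed `utn->entries[i]`, so a handler still running at that moment may touch freed entries if it reads them; the handler body is not visible here. The cancel belongs before the `for` loop, and the two calls can be the single `disable_work_sync(&utn->work);`. Because udp_tunnel_nic_free() now sleeps waiting for the handler, callers must not hold `utn->lock`, which the handler takes. The unregister hunk appears to release it first through `udp_tunnel_nic_unlock(dev)`, but any other caller should be checked. The function starts outside this hunk.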
@@ -901,12 +904,6 @@ udp_tunnel_nic_unregister(struct net_dev
 	udp_tunnel_nic_flush(dev, utn);
 	udp_tunnel_nic_unlock(dev);
 
-	/* Wait for the work to be done using the state, netdev core will
-	 * retry unregister until we give up our reference on this device.
-	 */
-	if (utn->work_pending)
-		return;
-
 	udp_tunnel_nic_free(utn);
 release_dev:
 	dev->udp_tunnel_nic = NULL;
@@ -940,7 +937,7 @@ udp_tunnel_nic_netdevice_event(struct no
 
 	if (event == NETDEV_UNREGISTER) {
 		udp_tunnel_nic_unregister(dev, utn);
-		return NOTIFY_OK;
+		return NOTIFY_DONE;
 	}
 
 	/* All other events only matter if NIC has to be programmed open */
--
