lists.openwall.net: Open Source and information security mailing list archives
Date: Tue, 29 Aug 2023 17:19:13 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Muhammad Usama Anjum <usama.anjum@...labora.com>
Cc: syzbot <syzbot+de6565462ab540f50e47@...kaller.appspotmail.com>, 
	bpf@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org, 
	jacob.e.keller@...el.com, jiri@...dia.com, kuba@...nel.org, 
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, 
	syzkaller-bugs@...glegroups.com, fishgylk@...il.com, bagasdotme@...il.com
Subject: Re: [syzbot] [net?] WARNING in inet_sock_destruct (4)

On Tue, Aug 29, 2023 at 2:44 PM Muhammad Usama Anjum
<usama.anjum@...labora.com> wrote:
>
> On 6/23/23 7:36 PM, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 45a3e24f65e9 Linux 6.4-rc7
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=160cc82f280000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
> > dashboard link: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160aacb7280000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c115d3280000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/c09bcd4ec365/disk-45a3e24f.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/03549b639718/vmlinux-45a3e24f.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/91f203e5f63e/bzImage-45a3e24f.xz
> >
> > The issue was bisected to:
> >
> > commit 565b4824c39fa335cba2028a09d7beb7112f3c9a
> > Author: Jiri Pirko <jiri@...dia.com>
> > Date: Mon Feb 6 09:41:51 2023 +0000
> >
> > devlink: change port event netdev notifier from per-net to global
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=110a1a5b280000
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=130a1a5b280000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=150a1a5b280000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+de6565462ab540f50e47@...kaller.appspotmail.com
> > Fixes: 565b4824c39f ("devlink: change port event netdev notifier from per-net to global")
> >
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 5025 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x6df/0x8a0 net/ipv4/af_inet.c:154
> This same warning has been spotted and reported:
> https://bugzilla.kernel.org/show_bug.cgi?id=217555
>
> Syzbot has found the same warning on 4.14, 5.15, 6.1, 6.5-rc and latest
> mainline (1c59d383390f9) kernels. The provided reproducers (such as
> https://syzkaller.appspot.com/text?tag=ReproC&x=15a10e8aa80000)
> reproduce the same warnings on a multicore (at least 2 CPUs) qemu instance.

Can you test the following fix?
Thanks.

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 25816e790527dbd6ff55ffb94762b5974e8144aa..1085357b30c9a0d4bf7a578cebf3eeddec953632
100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -377,8 +377,13 @@ static int dccp_v6_conn_request(struct sock *sk,
struct sk_buff *skb)
        if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
            np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
            np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
+               /* Only initialize ireq->pktops once.
+                * We must take a refcount on skb because ireq->pktops
+                * could be consumed immediately.
+                */
                refcount_inc(&skb->users);
-               ireq->pktopts = skb;
+               if (cmpxchg(&ireq->pktopts, NULL, skb))
+                       refcount_dec(&skb->users);
        }
        ireq->ir_iif = READ_ONCE(sk->sk_bound_dev_if);

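Review bot: the new comment names the wrong field: both comment lines say "ireq->pktops" while the member written by the cmpxchg on the next line is ireq->pktopts; fix the spelling so grep matches. The logic of "refcount_inc(&skb->users); if (cmpxchg(&ireq->pktopts, NULL, skb)) refcount_dec(&skb->users);" is sound (on a lost race the old non-NULL pointer is returned and the extra reference is dropped; the dec cannot free the skb because the caller is still processing it), but the patch carries no changelog explaining how dccp_v6_conn_request() can run twice for the same request sock, which is the race this cmpxchg guards against and the link to the inet_sock_destruct warning that a reader of the final commit will need; please add that to the commit message.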
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 6e86721e1cdbb8d47b754a2675f6ab1643c7342c..d45aa267473c4ab817cfda06966a536718b50a53
100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -798,8 +798,13 @@ static void tcp_v6_init_req(struct request_sock *req,
             np->rxopt.bits.rxinfo ||
             np->rxopt.bits.rxoinfo || np->rxopt.bits.rxhlim ||
             np->rxopt.bits.rxohlim || np->repflow)) {
+               /* Only initialize ireq->pktops once.
+                * We must take a refcount on skb because ireq->pktops
+                * could be consumed immediately.
+                */
                refcount_inc(&skb->users);
-               ireq->pktopts = skb;
+               if (cmpxchg(&ireq->pktopts, NULL, skb))
+                       refcount_dec(&skb->users);
        }
 }

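Review bot: same "ireq->pktops" typo in the comment here; the field is ireq->pktopts. This inc/cmpxchg/dec block is byte-for-byte the one added to net/dccp/ipv6.c, so a small shared helper (for example next to the other ipv6 request-sock helpers) would keep the two call sites from drifting and let the comment about taking the skb reference before publishing the pointer live in one place. It is also worth stating in the comment that refcount_dec() on the losing path can never be the last reference, since the caller still owns skb, so no free can happen under this function.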