Message-ID: <20250210041348.69881-1-kuniyu@amazon.com>
Date: Mon, 10 Feb 2025 13:13:48 +0900
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <edumazet@...gle.com>
CC: <davem@...emloft.net>, <eric.dumazet@...il.com>, <horms@...nel.org>,
	<kuba@...nel.org>, <netdev@...r.kernel.org>, <pabeni@...hat.com>
Subject: Re: [PATCH v3 net-next 3/5] net: no longer hold RTNL while calling flush_all_backlogs()

Hi Eric,

From: Eric Dumazet <edumazet@...gle.com>
Date: Tue, 14 Jan 2025 20:55:29 +0000
> @@ -11575,8 +11598,10 @@ void unregister_netdevice_many_notify(struct list_head *head,
>  		unlist_netdevice(dev);
>  		WRITE_ONCE(dev->reg_state, NETREG_UNREGISTERING);
>  	}
> -	flush_all_backlogs();
>  
> +	rtnl_drop_if_cleanup_net();
> +	flush_all_backlogs();
> +	rtnl_acquire_if_cleanup_net();
>  	synchronize_net();
>  
>  	list_for_each_entry(dev, head, unreg_list) {
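Review bot: the window between rtnl_drop_if_cleanup_net() and rtnl_acquire_if_cleanup_net() opens after WRITE_ONCE(dev->reg_state, NETREG_UNREGISTERING) in this hunk, so any path that takes RTNL inside that window and assumes a device it still holds is NETREG_REGISTERED (for example because its ->ndo_uninit() has not run yet) will now race with the teardown; callers that relied on RTNL being held continuously from unlist_netdevice() through ->ndo_uninit() need auditing, and a comment above rtnl_drop_if_cleanup_net() stating what state the devices on `head` are in while the lock is dropped would make that contract explicit.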

One of my syzkaller setups happened to not have the revert of this series,
and this hunk seemed to trigger BUG_ON(dev->reg_state != NETREG_REGISTERED)
for PPP.

ppp_release() assumed that RTNL is not released until ->ndo_uninit(), which
clears ppp->owner to NULL, so this change may be needed in the next try,
just FYI.

Thanks!

---8<---
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 4583e15ad03a..ccf3b708bbc9 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -406,7 +406,8 @@ static int ppp_release(struct inode *unused, struct file *file)
 		if (pf->kind == INTERFACE) {
 			ppp = PF_TO_PPP(pf);
 			rtnl_lock();
-			if (file == ppp->owner)
+			if (file == ppp->owner &&
+			    ppp->dev->reg_state == NETREG_REGISTERED)
 				unregister_netdevice(ppp->dev);
 			rtnl_unlock();
 		}
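Review bot: the new test reads ppp->dev->reg_state while the write side in unregister_netdevice_many_notify() stores it with WRITE_ONCE() before RTNL is dropped, so a READ_ONCE() here, or at least a comment noting that the read is ordered by rtnl_lock(), would make the pairing explicit; the condition also deserves a one-line comment saying that a device already in NETREG_UNREGISTERING is being torn down by the core, whose ->ndo_uninit() will clear ppp->owner, so skipping unregister_netdevice() is the correct outcome rather than a silent no-op.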
---8<---

---8<---
kernel BUG at net/core/dev.c:11773!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 UID: 0 PID: 1681 Comm: syz.2.364 Not tainted 6.13.0-04046-g0ad9617c78ac #25 2a4f595e37b581d176eb9aae48dfe81ca9e88551
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:unregister_netdevice_many_notify+0x1d44/0x1d50 net/core/dev.c:11773
Code: c1 80 61 30 87 80 e1 07 80 c1 03 38 c1 0f 8c c8 e8 ff ff 48 c7 c7 80 61 30 87 e8 17 6b dc fd e9 b7 e8 ff ff e8 3d c6 8b fd 90 <0f> 0b e8 35 c6 8b fd 90 0f 0b 66 90 55 41 57 41 56 41 55 41 54 53
RSP: 0018:ffa000001440f6c0 EFLAGS: 00010293
RAX: ffffffff83cad063 RBX: 1fe22000029bc02f RCX: ff11000103764480
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: ffa000001440f890 R08: ffffffff8709abc7 R09: 1ffffffff0e13578
R10: dffffc0000000000 R11: fffffbfff0e13579 R12: ffa000001440f8e0
R13: ffa000001440f8e0 R14: 0000000000000002 R15: 0000000000000002
FS:  0000000000000000(0000) GS:ff1100011a000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9c1a46e000 CR3: 00000001095ee002 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 80000000
Call Trace:
 <TASK>
 unregister_netdevice_many net/core/dev.c:11875 [inline]
 unregister_netdevice_queue+0x33d/0x380 net/core/dev.c:11741
 unregister_netdevice include/linux/netdevice.h:3329 [inline]
 ppp_release+0xed/0x1f0 drivers/net/ppp/ppp_generic.c:410
 __fput+0x212/0xa60 fs/file_table.c:450
 task_work_run+0x1cb/0x240 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0x87e/0x2470 kernel/exit.c:938
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1087
 get_signal+0x1206/0x12c0 kernel/signal.c:3036
 arch_do_signal_or_restart+0x87/0x7a0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x8b/0x110 kernel/entry/common.c:218
 do_syscall_64+0xf1/0x1c0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f35b2c05d29
Code: Unable to access opcode bytes at 0x7f35b2c05cff.
RSP: 002b:00007f35b1235038 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: 0000000000000005 RBX: 00007f35b2df6160 RCX: 00007f35b2c05d29
RDX: fdffffffffffffff RSI: 0000000000000000 RDI: 0000000020000100
RBP: 00007f35b2c81b08 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f35b2df6160 R15: 00007f35b2f1fa28
 </TASK>
Modules linked in:
---8<---
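Added example (not code from this thread or from the kernel): a user-space model of the ordering described above, using local stand-in types named after the kernel ones. It shows that once the core has moved a device to NETREG_UNREGISTERING and released RTNL, the old ppp_release() path trips the state check that the kernel enforces with a BUG_ON, while the proposed reg_state guard skips the duplicate unregister and leaves an ordinary close unchanged.

```c
#include <stdbool.h>

/* Local stand-ins for the kernel types and states named in the mail. */
enum reg_state { NETREG_REGISTERED, NETREG_UNREGISTERING, NETREG_UNREGISTERED };
struct net_device { enum reg_state reg_state; };
struct file { int id; };
struct ppp { struct net_device *dev; struct file *owner; };

/* Model of unregister_netdevice(): the core requires NETREG_REGISTERED.
 * The kernel BUG_ONs on anything else; the model returns false instead. */
static bool unregister_netdevice(struct net_device *dev)
{
    if (dev->reg_state != NETREG_REGISTERED)
        return false;
    dev->reg_state = NETREG_UNREGISTERING;
    return true;
}

/* ppp_release() body as run under rtnl_lock(): the old form (guarded ==
 * false) checks ownership only; the proposed form also checks reg_state. */
static bool ppp_release(struct ppp *ppp, struct file *file, bool guarded)
{
    if (file == ppp->owner &&
        (!guarded || ppp->dev->reg_state == NETREG_REGISTERED))
        return unregister_netdevice(ppp->dev);
    return true; /* not the owner, or teardown already in progress */
}

/* Scenario from the mail: the core has set NETREG_UNREGISTERING and dropped
 * RTNL around flush_all_backlogs(), ->ndo_uninit() (which clears ppp->owner)
 * has not run yet, and the owning file is closed in that window. */
static bool close_during_teardown(bool guarded)
{
    struct net_device dev = { NETREG_REGISTERED };
    struct file f = { 1 };
    struct ppp ppp = { &dev, &f };
    dev.reg_state = NETREG_UNREGISTERING; /* core path; RTNL then dropped */
    return ppp_release(&ppp, &f, guarded); /* ppp_release() takes RTNL */
}

/* Ordinary close of a live device: the guard must not change this outcome. */
static bool close_registered(bool guarded)
{
    struct net_device dev = { NETREG_REGISTERED };
    struct file f = { 1 };
    struct ppp ppp = { &dev, &f };
    return ppp_release(&ppp, &f, guarded) &&
           dev.reg_state == NETREG_UNREGISTERING;
}
```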
