Message-ID:
<SY8P300MB0421A0CA0D6C69A8BE4767A7A1FD2@SY8P300MB0421.AUSP300.PROD.OUTLOOK.COM>
Date: Tue, 11 Feb 2025 12:04:39 +0000
From: YAN KANG <kangyan91@...look.com>
To: Jakub Kicinski <kuba@...nel.org>, Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, "netdev@...r.kernel.org"
<netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>
CC: "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>
Subject: BUG: corrupted list in nsim_fib6_rt_destroy
Dear maintainers,
I found a kernel bug titled "BUG: corrupted list in nsim_fib6_rt_destroy" while using a modified syzkaller fuzzing tool. I tested it on the latest Linux upstream version (6.13.0-rc7).
After preliminary analysis, the bug is triggered in the nsim_fib6_rt_destroy function in drivers/net/netdevsim/fib.c
when the kernel tries to delete a node from the list: list_del(&fib_rt->list);
the node has already been unlinked from the list.
If you fix this issue, please add the following tag to the commit:
Reported-by: yan kang <kangyan91@...look.com>
Reported-by: yue sun <samsun1006219@...il.com>
I hope it helps.
Best regards
yan kang
Kernel crash log and reproducer are listed below.
==================================================================
Syzkaller hit 'BUG: corrupted list in nsim_fib6_rt_destroy' bug.
netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
list_del corruption. prev->next should be ffff888112b16f28, but was 0000000000000000. (prev=ffff8881083184a8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 9911 Comm: kworker/u8:4 Not tainted 6.13.0-rc1 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:__list_del_entry_valid_or_report+0x12c/0x1c0 lib/list_debug.c:62
Code: e8 69 e2 d7 fc 90 0f 0b 48 89 ca 48 c7 c7 e0 b8 d1 8b e8 57 e2 d7 fc 90 0f 0b 48 89 c2 48 c7 c7 40 b9 d1 8b e8 45 e2 d7 fc 90 <0f> 0b 48 89 d1 48 c7 c7 c0 b9 d1 8b 48 89 c2 e8 30 e2 d7 fc 90 0f
RSP: 0018:ffffc90011aef820 EFLAGS: 00010286
RAX: 000000000000006d RBX: ffff888112b16f38 RCX: ffffffff8178b9f9
RDX: 0000000000000000 RSI: ffffffff817962f6 RDI: 0000000000000005
RBP: ffff888112b16f28 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888112b16f00
R13: ffff888112b16f30 R14: ffff888112b16f38 R15: ffff888112b16f38
FS: 0000000000000000(0000) GS:ffff888062800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fee34fde828 CR3: 000000010d982000 CR4: 0000000000752ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
nsim_fib_rt_fini drivers/net/netdevsim/fib.c:255 [inline]
nsim_fib6_rt_destroy+0xde/0x270 drivers/net/netdevsim/fib.c:585
nsim_fib6_rt_free drivers/net/netdevsim/fib.c:1069 [inline]
nsim_fib_rt_free+0x1e6/0x3e0 drivers/net/netdevsim/fib.c:1082
rhashtable_free_one lib/rhashtable.c:1113 [inline]
rhashtable_free_and_destroy+0x613/0x990 lib/rhashtable.c:1164
nsim_fib_destroy+0xae/0x1b0 drivers/net/netdevsim/fib.c:1660
nsim_dev_reload_destroy+0x16e/0x4d0 drivers/net/netdevsim/dev.c:1665
nsim_dev_reload_down+0x6e/0xd0 drivers/net/netdevsim/dev.c:968
devlink_reload+0x17f/0x7a0 net/devlink/dev.c:461
devlink_pernet_pre_exit+0x194/0x2a0 net/devlink/core.c:509
ops_pre_exit_list net/core/net_namespace.c:162 [inline]
cleanup_net+0x488/0xb40 net/core/net_namespace.c:612
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x12c/0x1c0 lib/list_debug.c:62
Code: e8 69 e2 d7 fc 90 0f 0b 48 89 ca 48 c7 c7 e0 b8 d1 8b e8 57 e2 d7 fc 90 0f 0b 48 89 c2 48 c7 c7 40 b9 d1 8b e8 45 e2 d7 fc 90 <0f> 0b 48 89 d1 48 c7 c7 c0 b9 d1 8b 48 89 c2 e8 30 e2 d7 fc 90 0f
RSP: 0018:ffffc90011aef820 EFLAGS: 00010286
RAX: 000000000000006d RBX: ffff888112b16f38 RCX: ffffffff8178b9f9
RDX: 0000000000000000 RSI: ffffffff817962f6 RDI: 0000000000000005
RBP: ffff888112b16f28 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888112b16f00
R13: ffff888112b16f30 R14: ffff888112b16f38 R15: ffff888112b16f38
FS: 0000000000000000(0000) GS:ffff888062800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbf28048188 CR3: 0000000022e74000 CR4: 0000000000752ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Syzkaller reproducer:
# {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = syz_open_dev$sg(&(0x7f0000000080), 0x0, 0x8200)
ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, &(0x7f00000000c0)=ANY=[@ANYBLOB="0000000008000000850b19", @ANYRESOCT=r0])
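Added example, not part of the report above and not netdevsim or kernel code: a user-space model of the list_del() sanity check in lib/list_debug.c (CONFIG_DEBUG_LIST) that produced the "list_del corruption. prev->next should be X, but was Y" line in the log. The kernel version calls BUG()/WARN() through CHECK_DATA_CORRUPTION; this model returns an error code instead so each failure mode can be exercised. The poison constants, the scenario functions and the cleared-neighbour input are constructed for illustration.

```c
/* User-space model of the kernel's checked list_del() (lib/list_debug.c).
 * Illustrative reimplementation only: error codes replace BUG(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

/* Same role as the kernel's LIST_POISON1/2: non-NULL, never-valid pointers. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

enum del_err {
	DEL_OK,
	DEL_NEXT_NULL,          /* "%px->next is NULL" */
	DEL_PREV_NULL,          /* "%px->prev is NULL" */
	DEL_NEXT_POISON,        /* "%px->next is LIST_POISON1": second list_del() */
	DEL_PREV_POISON,        /* "%px->prev is LIST_POISON2" */
	DEL_PREV_NEXT_MISMATCH, /* "prev->next should be X, but was Y": stale neighbour */
	DEL_NEXT_PREV_MISMATCH, /* "next->prev should be X, but was Y" */
};

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	struct list_head *prev = head->prev;
	n->next = head; n->prev = prev; prev->next = n; head->prev = n;
}

/* Same order of checks as __list_del_entry_valid_or_report(). */
static enum del_err list_del_entry_valid(const struct list_head *entry)
{
	const struct list_head *prev = entry->prev, *next = entry->next;

	if (next == NULL)           return DEL_NEXT_NULL;
	if (prev == NULL)           return DEL_PREV_NULL;
	if (next == LIST_POISON1)   return DEL_NEXT_POISON;
	if (prev == LIST_POISON2)   return DEL_PREV_POISON;
	if (prev->next != entry)    return DEL_PREV_NEXT_MISMATCH;
	if (next->prev != entry)    return DEL_NEXT_PREV_MISMATCH;
	return DEL_OK;
}

/* Checked list_del(): validate, unlink, then poison the removed node. */
static enum del_err checked_list_del(struct list_head *entry)
{
	enum del_err err = list_del_entry_valid(entry);

	if (err != DEL_OK)
		return err;
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	entry->next = LIST_POISON1;
	entry->prev = LIST_POISON2;
	return DEL_OK;
}

/* Idempotent variant: list_del_init() semantics leave the node self-linked,
 * so list_empty() distinguishes "already unlinked" from "still linked".
 * Returns 1 if this call unlinked the node, 0 if it was a no-op. */
static int unlink_once(struct list_head *entry)
{
	if (list_empty(entry))
		return 0;
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	INIT_LIST_HEAD(entry);
	return 1;
}

/* A normal add/del cycle passes the check. */
static enum del_err scenario_normal(void)
{
	struct list_head head, a;
	INIT_LIST_HEAD(&head); list_add_tail(&a, &head);
	return checked_list_del(&a);
}

/* A second list_del() on the same node is caught by the poison pointers. */
static enum del_err scenario_double_del(void)
{
	struct list_head head, a;
	INIT_LIST_HEAD(&head); list_add_tail(&a, &head);
	checked_list_del(&a);
	return checked_list_del(&a);
}

/* Constructed: b's predecessor a is cleared (as freed-and-reused memory might
 * be) while b still points at it; the check reads a.next == NULL and reports
 * "prev->next should be <b>, but was 0 (prev=<a>)", the shape seen above. */
static enum del_err scenario_stale_prev(void)
{
	struct list_head head, a, b;
	INIT_LIST_HEAD(&head); list_add_tail(&a, &head); list_add_tail(&b, &head);
	memset(&a, 0, sizeof(a));
	return checked_list_del(&b);
}

/* unlink_once() called twice on one node unlinks exactly once. */
static int scenario_idempotent_unlink(void)
{
	struct list_head head, a;
	INIT_LIST_HEAD(&head); list_add_tail(&a, &head);
	return unlink_once(&a) + unlink_once(&a);
}

int main(void)
{
	printf("normal=%d double=%d stale=%d idempotent=%d\n", scenario_normal(),
	       scenario_double_del(), scenario_stale_prev(), scenario_idempotent_unlink());
	return 0;
}
```

The two failure modes read differently in a log: a plain second list_del() on the same node hits the LIST_POISON checks, whereas the "prev->next should be X, but was Y" form means the predecessor's memory no longer points back at the entry, which is why a zeroed or reused neighbour is worth checking for. Teardown paths that may see a node twice commonly use list_del_init() plus a list_empty() guard, as unlink_once() does.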