Message-ID: <20260102114605.3351c6eb@phoenix.local>
Date: Fri, 2 Jan 2026 11:46:05 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: Andrew Lunn <andrew@...n.ch>, Vladimir Oltean <olteanv@...il.com>
Cc: netdev@...r.kernel.org
Subject: Fw: [Bug 220932] New: Possible bug (use after free) on DSA driver removal
Begin forwarded message:
Date: Thu, 01 Jan 2026 22:56:38 +0000
From: bugzilla-daemon@...nel.org
To: stephen@...workplumber.org
Subject: [Bug 220932] New: Possible bug (use after free) on DSA driver removal
https://bugzilla.kernel.org/show_bug.cgi?id=220932
Bug ID: 220932
Summary: Possible bug (use after free) on DSA driver removal
Product: Networking
Version: 2.5
Hardware: Mips32
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Other
Assignee: stephen@...workplumber.org
Reporter: luizluca@...il.com
Regression: No
While testing a driver patch for OpenWrt (dev), I noticed that the system
sometimes crashes a little after I remove the module. I dropped all my patches
and brute-forced it:
echo 'file drivers/net/dsa/realtek/rtl8365mb.c +p' > /sys/kernel/debug/dynamic_debug/control
echo 'file net/dsa/* +p' > /sys/kernel/debug/dynamic_debug/control
rmmod rtl8365mb
echo 0 > /proc/sys/kernel/panic
while true; do sleep 1; insmod /tmp/rtl8365mb.ko; sleep 10; rmmod rtl8365mb; done
After a couple of cycles, I got this (repeatable) crash below.
The rtl8365mb_get_tag_protocol and rtl8365mb_port_stp_state_set messages are
from a small debug patch I added while trying to trace the crash origin, but it
should not matter.
[ 469.884379] DSA: tree 0 torn down
[ 471.094669] rtl8365mb-mdio mdio-bus:1d: found an RTL8367S switch
[ 471.100980] rtl8365mb-mdio mdio-bus:1d: rtl8365mb_get_tag_protocol priv:126ea59d
[ 471.349018] rtl8365mb-mdio mdio-bus:1d: rtl8365mb_port_stp_state_set priv:126ea59d
[ 471.357364] rtl8365mb-mdio mdio-bus:1d: rtl8365mb_port_stp_state_set priv:126ea59d
[ 471.365716] rtl8365mb-mdio mdio-bus:1d: rtl8365mb_port_stp_state_set priv:126ea59d
[ 471.373964] rtl8365mb-mdio mdio-bus:1d: rtl8365mb_port_stp_state_set priv:126ea59d
[ 471.382228] rtl8365mb-mdio mdio-bus:1d: rtl8365mb_port_stp_state_set priv:126ea59d
[ 471.390503] rtl8365mb-mdio mdio-bus:1d: rtl8365mb_port_stp_state_set priv:126ea59d
[ 471.398580] rtl8365mb-mdio mdio-bus:1d: rtl8365mb_port_change_mtu priv:126ea59d
[ 471.647590] mtk_soc_eth 10100000.ethernet eth0: port 5 link down
[ 471.674092] CPU 0 Unable to handle kernel paging request at virtual address 702e7660, epc == 702e7660, ra == 80001e90
[ 471.685048] Oops[#1]:
[ 471.687381] CPU: 0 UID: 0 PID: 7473 Comm: modprobe Tainted: G O 6.12.60 #0
[ 471.695837] Tainted: [O]=OOT_MODULE
[ 471.699401] Hardware name: TP-Link Archer C5 v4
[ 471.704029] $ 0 : 00000000 00000001 81c40560 80a63cdc
[ 471.709403] $ 4 : 00000cc0 00000001 0004c50b 82ab2f00
[ 471.714771] $ 8 : 0004c50c 00000cc0 00000000 77e89000
[ 471.720139] $12 : 00000003 82b8dc0c 00000001 77e8afff
[ 471.725508] $16 : 00001173 77e89000 7f958894 00400dc1
[ 471.730877] $20 : 8383fbf8 77e903d0 00000000 7f958730
[ 471.736246] $24 : 00000003 8084aba8
[ 471.741613] $28 : 81c1c000 81c1df28 00000000 80001e90
[ 471.746982] Hi : 00000000
[ 471.749926] Lo : 00000000
[ 471.752868] epc : 702e7660 0x702e7660
[ 471.756798] ra : 80001e90 work_notifysig+0x10/0x18
[ 471.761975] Status: 1100b403 KERNEL EXL IE
[ 471.766269] Cause : 50800008 (ExcCode 02)
[ 471.770366] BadVA : 702e7660
[ 471.773309] PrId : 00019650 (MIPS 24KEc)
[ 471.777406] Modules linked in: rtl8365mb(+) rt2800soc(O) rt2800mmio(O) rt2800lib(O) pppoe ppp_async nft_fib_inet nf_flow_table_inet rt2x00mmio(O) rt2x00lib(O) pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mt76x2e(O) mt76x2_common(O) mt76x02_lib(O) mt76(O) mac80211(O) cfg80211(O) slhc nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c crc_ccitt compat(O) i2c_dev ledtrig_usbport sha512_generic seqiv sha3_generic jitterentropy_rng drbg hmac geniv rng cmac leds_gpio tag_rtl8_4 realtek_dsa dsa_core gpio_button_hotplug(O) realtek hwmon i2c_core phylink crc32c_generic [last unloaded: rtl8365mb]
[ 471.854523] Process modprobe (pid: 7473, threadinfo=674a8fb4, task=b017bdbf, tls=77e98dfc)
[ 471.862981] Stack : 00000000 00000000 00000000 00000000 77e97290 00420f38 77e97290 00420f10
[ 471.871571] 00000000 00000001 00000000 77e1f644 77e89000 00001173 00000000 00000000
[ 471.880157] 0000000c 83855940 77e85000 77e77000 81b911e5 00000001 81bbac60 77e85fff
[ 471.888745] 00001173 77e89000 7f958894 00400dc1 8383fbf8 77e903d0 00000000 7f958730
[ 471.897333] 81bbac60 77e556d0 00000001 00000000 77e97290 7f958450 00000000 77e1f674
[ 471.905921] ...
[ 471.908431] Call Trace:
[ 471.908437]
[ 471.912653]
[ 471.914177] Code: (Bad address in epc)
[ 471.914177]
[ 471.919517]
[ 471.921240] ---[ end trace 0000000000000000 ]---
[ 471.926052] Kernel panic - not syncing: Fatal exception
[ 471.931404] ---[ end Kernel panic - not syncing: Fatal exception ]---
The RA value (80001e90 work_notifysig+0x10/0x18) indicates that the crash came
from a notification. Maybe DSA didn't unregister/drain notifications after the
tear down.
I'm using kernel 6.12.60 (LTS) and I also didn't notice any relevant changes
since that version. I'm just not sure if
2bcf4772e45adb00649a4e9cbff14b08a144f9e3 would be related.
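A small triage helper for the kind of MIPS oops quoted in the report, added here as an example and not code from the reporter or the kernel tree. It parses the epc/ra/BadVA registers, the Status flags and the module list, classifies addresses by the MIPS32 segment layout (kuseg below 0x80000000, kseg0 for kernel text, kseg2 for modules and vmalloc), and flags the facts a reviewer would want before reading the driver: the sample lines are copied from the dump above with the wrapped lines rejoined, and the segment rules and the "(+)" loading marker are assumptions about the standard MIPS32 and modules-list conventions.

```python
import re

# Constructed sample: the key lines of the MIPS oops quoted in the report,
# with extraction line-wrapping undone. Only these fields matter for triage.
SAMPLE_OOPS = """\
[  471.685048] Oops[#1]:
[  471.752868] epc   : 702e7660 0x702e7660
[  471.756798] ra    : 80001e90 work_notifysig+0x10/0x18
[  471.761975] Status: 1100b403 KERNEL EXL IE
[  471.770366] BadVA : 702e7660
[  471.777406] Modules linked in: rtl8365mb(+) realtek_dsa dsa_core [last unloaded: rtl8365mb]
[  471.914177] Code: (Bad address in epc)
"""

REG_RE = re.compile(r"^\[[^\]]*\]\s*(epc|ra|BadVA)\s*:\s*([0-9a-f]{8})\s*(\S*)")
STATUS_RE = re.compile(r"^\[[^\]]*\]\s*Status:\s*[0-9a-f]{8}\s*(.*)$")
MODS_RE = re.compile(r"^\[[^\]]*\]\s*Modules linked in:\s*(.*?)(?:\s*\[last unloaded: (\S+)\])?$")

def mips32_segment(addr):
    """Name the MIPS32 segment an address falls in (assumed standard layout:
    kernel text in kseg0, modules/vmalloc in kseg2, below 0x80000000 is user)."""
    if addr < 0x80000000:
        return "kuseg"
    if addr < 0xA0000000:
        return "kseg0"
    if addr < 0xC0000000:
        return "kseg1"
    return "kseg2"

def parse_oops(text):
    """Pull epc/ra/BadVA, the CPU status flags and the module list out of an oops."""
    info = {"regs": {}, "symbols": {}, "status": [], "modules": [], "last_unloaded": None}
    for line in text.splitlines():
        if m := REG_RE.match(line):
            info["regs"][m[1]] = int(m[2], 16)
            info["symbols"][m[1]] = m[3]
        elif m := STATUS_RE.match(line):
            info["status"] = m[1].split()
        elif m := MODS_RE.match(line):
            info["modules"] = m[1].split()
            info["last_unloaded"] = m[2]
    return info

def triage(info):
    """Return the findings worth noting before looking at the driver code."""
    findings, regs, syms = [], info["regs"], info["symbols"]
    if "KERNEL" in info["status"] and mips32_segment(regs["epc"]) == "kuseg":
        findings.append("kernel mode executing a user-space address (corrupted function pointer or return address)")
    if regs.get("epc") == regs.get("BadVA"):
        findings.append("fault is on the instruction fetch itself, not a data access")
    if syms.get("epc", "").startswith("0x"):
        findings.append("epc resolves to no symbol: outside kernel text and every loaded module")
    reloading = [m[:-3] for m in info["modules"] if m.endswith("(+)")]  # "(+)" = being loaded
    if info["last_unloaded"] in reloading:
        findings.append(f"{info['last_unloaded']} reloaded right after unload: suspect teardown left a dangling reference")
    return findings
```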