From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Florian Westphal <fw@strlen.de>,
syzbot <syzbot+154bd5be532a63aa778b@syzkaller.appspotmail.com>,
coreteam@netfilter.org, David Miller <davem@davemloft.net>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Jakub Kicinski <kuba@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
netdev <netdev@vger.kernel.org>,
NetFilter <netfilter-devel@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: [syzbot] WARNING in __nf_unregister_net_hook (4)
Date: Mon, 17 May 2021 12:57:45 +0200
Message-ID: <20210517105745.GA19031@salvia>
In-Reply-To: <CACT4Y+YhQQtHBErLYRDqHyw16Bxu9FCMQymviMBR-ywiKf3VQw@mail.gmail.com>

On Thu, May 13, 2021 at 09:08:20AM +0200, Dmitry Vyukov wrote:
> On Thu, May 13, 2021 at 2:56 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Sat, May 08, 2021 at 04:46:57PM +0200, Florian Westphal wrote:
> > > Dmitry Vyukov <dvyukov@google.com> wrote:
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+154bd5be532a63aa778b@syzkaller.appspotmail.com
> > > >
> > > > Is this also fixed by "netfilter: arptables: use pernet ops struct
> > > > during unregister"?
> > > > The warning is the same, but the stack is different...
> > >
> > > No, this is a different bug.
> > >
> > > In both cases the caller attempts to unregister a hook that the core
> > > can't find, but in this case the caller is nftables, not arptables.
> >
> > I see no reproducer for this bug. Maybe I broke the dormant flag handling?
> >
> > Or maybe syzbot got here after the arptables bug has been hit?
>
> syzbot always stops after the first bug to give you perfect "Not
> tainted" oopses.

Looking at the log file:

https://syzkaller.appspot.com/text?tag=CrashLog&x=110a3096d00000

This is mixing calls to nftables:

14:43:16 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)={{0x9}, [@NFT_MSG_NEWTABLE={0x28, 0x0, 0xa, 0x3, 0x0, 0x0, {0x2}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}, @NFTA_TABLE_FLAGS={0x8}]}], {0x14}}, 0x50}}, 0x0)

with arptables:

14:43:16 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f0000000000)={'filter\x00', 0x4, 0x4, 0x3f8, 0x310, 0x200, 0x200, 0x310, 0x310, 0x310, 0x4, 0x0, {[{{@arp={@broadcast, @rand_addr, 0x87010000, 0x0, 0x0, 0x0, {@mac=@link_local}, {@mac}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'bridge0\x00', 'erspan0\x00'}, 0xc0, 0x100}, @unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz1\x00', 0x0, 0x4}}}, {{@arp={@initdev={0xac, 0x1e, 0x0, 0x0}, @local, 0x0, 0x0, 0x0, 0x0, {@mac=@remote}, {}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'veth0_to_bridge\x00', 'geneve1\x00'}, 0xc0, 0x100}, @unspec=@RATEEST={0x40, 'RATEEST\x00', 0x0, {'syz0\x00', 0x0, 0x2}}}, {{@arp={@local, @multicast1, 0x0, 0x0, 0x0, 0x0, {}, {@mac=@broadcast}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'veth0_to_batadv\x00', 'veth0_to_hsr\x00'}, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@mac=@remote, @mac=@local, @multicast2, @initdev={0xac, 0x1e, 0x0, 0x0}}}}], {{[], 0xc0, 0xe8}, {0x28}}}}, 0x448)

arptables was buggy at the time this bug was reported.

Am I understanding the syzbot log correctly?

I wonder if the (buggy) arptables removed the incorrect hook from
nftables, then nftables crashed on the same location when removing the
hook. I don't see a clear sequence for this to happen though.

Would it be possible to make syzbot exercise the NFT_MSG_NEWTABLE
codepath (with NFTA_TABLE_FLAGS) to check if the problem still
persists?

Thanks.
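
Added example, not part of the original message and not syzbot or kernel code: a small triage helper that reads a crash log in the layout quoted above and reports the timestamps at which programs exercised more than one netfilter front end, which is the nftables/arptables mixing the message points out. The sample log is constructed and shortened, and the mapping from call-variant prefix (`NFT_`, `ARPT_`) to front end is an assumption taken from the two calls shown in the message.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the crash log quoted above; call
# arguments are shortened to "..." because only the call names matter here.
SAMPLE_LOG = """\
14:43:16 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, ...)
14:43:16 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, ...)
"""

# Assumption: the variant prefix after "$" identifies the front end.
PREFIXES = {"NFT_": "nftables", "ARPT_": "arptables"}
HEADER = re.compile(r"^(\d\d:\d\d:\d\d) executing program (\d+):$")
CALL = re.compile(r"^(?:r\d+ = )?\w+\$(\w+)\(")

def front_end(variant):
    for prefix, name in PREFIXES.items():
        if variant.startswith(prefix):
            return name
    return None

def front_ends_by_second(log_text):
    """Map timestamp -> front end -> set of program ids that called it."""
    seen = defaultdict(lambda: defaultdict(set))
    stamp = prog = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            stamp, prog = header.group(1), int(header.group(2))
            continue
        call = CALL.match(line)
        name = front_end(call.group(1)) if call else None
        if name and stamp is not None:
            seen[stamp][name].add(prog)
    return seen

def mixed_windows(log_text):
    """Timestamps (one-second resolution) with more than one front end."""
    return {t: {n: sorted(p) for n, p in ends.items()}
            for t, ends in front_ends_by_second(log_text).items()
            if len(ends) > 1}

if __name__ == "__main__":
    print(mixed_windows(SAMPLE_LOG))
```

A shared timestamp only shows that the programs ran within the same second; it does not establish the ordering of hook registration and removal.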