[syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6)

[syzbot] [netfilter?] WARNING in __nf_unregister_net_hook (6)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    6465e260f487 Linux 6.6-rc3
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1376e3bc680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8d7d7928f78936aa
dashboard link: https://syzkaller.appspot.com/bug?extid=de4025c006ec68ac56fc
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17f218da680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=149ff8c6680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/563852357aa6/disk-6465e260.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/df22793fe953/vmlinux-6465e260.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84c2aad43ae3/bzImage-6465e260.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+de4025c006ec68ac56fc@syzkaller.appspotmail.com

------------[ cut here ]------------
hook not found, pf 2 num 1
WARNING: CPU: 1 PID: 5062 at net/netfilter/core.c:517 __nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Modules linked in:
CPU: 1 PID: 5062 Comm: syz-executor417 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
RIP: 0010:__nf_unregister_net_hook+0x1de/0x670 net/netfilter/core.c:517
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7a 04 00 00 8b 53 1c 48 c7 c7 c0 d4 a8 8b 8b 74 24 04 e8 b2 ce dc f8 <0f> 0b e9 ec 00 00 00 e8 46 a5 16 f9 48 89 e8 48 c1 e0 04 49 8d 7c
RSP: 0018:ffffc9000355f2b8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880218dde00 RCX: 0000000000000000
RDX: ffff888019aee000 RSI: ffffffff814cf016 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff92611690
R13: ffff888016fff020 R14: ffff888016fff000 R15: ffff8880218dde1c
FS:  00007f76ca1526c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f76ca1e86b8 CR3: 0000000020292000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:539
 __nf_tables_unregister_hook net/netfilter/nf_tables_api.c:361 [inline]
 __nf_tables_unregister_hook+0x1a0/0x220 net/netfilter/nf_tables_api.c:340
 nf_tables_unregister_hook net/netfilter/nf_tables_api.c:368 [inline]
 nf_tables_commit+0x410f/0x59f0 net/netfilter/nf_tables_api.c:9992
 nfnetlink_rcv_batch+0xf36/0x2500 net/netfilter/nfnetlink.c:569
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:639 [inline]
 nfnetlink_rcv+0x3bf/0x430 net/netfilter/nfnetlink.c:657
 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
 netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
 sock_sendmsg_nosec net/socket.c:730 [inline]
 sock_sendmsg+0xd9/0x180 net/socket.c:753
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2541
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2595
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2624
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f76ca192059
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f76ca152208 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f76ca21c3e8 RCX: 00007f76ca192059
RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000004
RBP: 00007f76ca21c3e0 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000a00 R11: 0000000000000246 R12: 00007f76ca1e917c
R13: 0000000000000001 R14: 0000000000000008 R15: 0200000000000000
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [PATCH] Test for 6465e260f487

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com

please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..fc1b337aec8f 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -117,7 +117,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
 		orig_ops = nf_hook_entries_get_hook_ops(old);
 
 		for (i = 0; i < old_entries; i++) {
-			if (orig_ops[i] != &dummy_ops)
+			if (!__kernel_text_address(orig_ops[i]) && 
+			    orig_ops[i] != &dummy_ops)
 				alloc_entries++;
 
 			/* Restrict BPF hook type to force a unique priority, not
@@ -146,7 +147,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
 	i = 0;
 	nhooks = 0;
 	while (i < old_entries) {
-		if (orig_ops[i] == &dummy_ops) {
+		if (__kernel_text_address(orig_ops[i]) || 
+		    orig_ops[i] == &dummy_ops) {
 			++i;
 			continue;
 		}
@@ -263,10 +265,12 @@ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old,
 
 	new_ops = nf_hook_entries_get_hook_ops(new);
 	for (i = 0, j = 0; i < old->num_hook_entries; i++) {
-		if (orig_ops[i] == &dummy_ops)
+		if (IS_ERR_OR_NULL(orig_ops[i]) || orig_ops[i] == &dummy_ops)
 			continue;
 		new->hooks[j] = old->hooks[i];
 		new_ops[j] = (void *)orig_ops[i];
+		printk("new ents: %p, new uo h: %p, new ops: %p, %s\n",
+			new, new->hooks[j], new_ops[j], __func__);
 		j++;
 	}
 	hooks_validate(new);
@@ -479,6 +483,7 @@ static bool nf_remove_net_hook(struct nf_hook_entries *old,
 			continue;
 		WRITE_ONCE(old->hooks[i].hook, accept_all);
 		WRITE_ONCE(orig_ops[i], (void *)&dummy_ops);
+		printk("ents: %p, deled ops: %p, i: %d, %s\n", old, orig_ops[i], i, __func__);
 		return true;
 	}
 

Re: [syzbot] [PATCH] Test for 6465e260f487

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com

please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487


diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..58f2a5294453 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -113,6 +113,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
 	alloc_entries = 1;
 	old_entries = old ? old->num_hook_entries : 0;
 
+	mutex_lock(&nf_hook_mutex);
 	if (old) {
 		orig_ops = nf_hook_entries_get_hook_ops(old);
 
@@ -129,17 +130,23 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
 			 * prevent defrag, conntrack, iptables etc from attaching).
 			 */
 			if (reg->priority == orig_ops[i]->priority &&
-			    reg->hook_ops_type == NF_HOOK_OP_BPF)
-				return ERR_PTR(-EBUSY);
+			    reg->hook_ops_type == NF_HOOK_OP_BPF) {
+				new = ERR_PTR(-EBUSY);
+				goto unlock;
+			}
 		}
 	}
 
-	if (alloc_entries > MAX_HOOK_COUNT)
-		return ERR_PTR(-E2BIG);
+	if (alloc_entries > MAX_HOOK_COUNT) {
+		new = ERR_PTR(-E2BIG);
+		goto unlock;
+	}
 
 	new = allocate_hook_entries_size(alloc_entries);
-	if (!new)
-		return ERR_PTR(-ENOMEM);
+	if (!new) {
+		new = ERR_PTR(-ENOMEM);
+		goto unlock;
+	}
 
 	new_ops = nf_hook_entries_get_hook_ops(new);
 
@@ -170,6 +177,8 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
 		new->hooks[nhooks].priv = reg->priv;
 	}
 
+unlock:
+	mutex_unlock(&nf_hook_mutex);
 	return new;
 }
 
@@ -546,11 +555,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
 {
 	struct nf_hook_entries *p;
 
+	mutex_lock(&nf_hook_mutex);
 	p = rcu_dereference_raw(*pp);
 	if (nf_remove_net_hook(p, reg)) {
 		p = __nf_hook_entries_try_shrink(p, pp);
 		nf_hook_entries_free(p);
 	}
+	mutex_unlock(&nf_hook_mutex);
 }
 EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw);
 

Re: [syzbot] [PATCH] Test for 6465e260f487

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com

please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..58f2a5294453 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -546,11 +555,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
 {
 	struct nf_hook_entries *p;
 
+	mutex_lock(&nf_hook_mutex);
 	p = rcu_dereference_raw(*pp);
 	if (nf_remove_net_hook(p, reg)) {
 		p = __nf_hook_entries_try_shrink(p, pp);
 		nf_hook_entries_free(p);
 	}
+	mutex_unlock(&nf_hook_mutex);
 }
 EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw);
 

Re: [syzbot] [PATCH] Test for 6465e260f487

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com

please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..bec4aeef6a82 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -200,8 +200,10 @@ int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp,
 	struct nf_hook_entries *new_hooks;
 	struct nf_hook_entries *p;
 
+	mutex_lock(&nf_hook_mutex);
 	p = rcu_dereference_raw(*pp);
 	new_hooks = nf_hook_entries_grow(p, reg);
+	mutex_unlock(&nf_hook_mutex);
 	if (IS_ERR(new_hooks))
 		return PTR_ERR(new_hooks);
 
@@ -546,11 +548,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
 {
 	struct nf_hook_entries *p;
 
+	mutex_lock(&nf_hook_mutex);
 	p = rcu_dereference_raw(*pp);
 	if (nf_remove_net_hook(p, reg)) {
 		p = __nf_hook_entries_try_shrink(p, pp);
 		nf_hook_entries_free(p);
 	}
+	mutex_unlock(&nf_hook_mutex);
 }
 EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw);
 

Re: [syzbot] [PATCH] Test for 6465e260f487

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test for 6465e260f487
Author: eadavis@sina.com

please test warn in __nf_unregister_net_hook

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 680fe557686e..246f381a8970 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -368,6 +368,9 @@ static int nf_tables_netdev_event(struct notifier_block *this,
 	    event != NETDEV_CHANGENAME)
 		return NOTIFY_DONE;
 
+	if (!check_net(ctx.net))
+		return NOTIFY_DONE;
+
 	nft_net = nft_pernet(ctx.net);
 	mutex_lock(&nft_net->commit_mutex);
 	list_for_each_entry(table, &nft_net->tables, list) {

Re: [syzbot] WARNING in __nf_unregister_net_hook

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: WARNING in __nf_unregister_net_hook
Author: fw@strlen.de

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main

Re: [syzbot] WARNING in __nf_unregister_net_hook

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: WARNING in __nf_unregister_net_hook
Author: fw@strlen.de

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/fwestphal/nf.git dormant-reset