From: Florian Westphal <fw@strlen.de>
To: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>,
"Lai, Yi" <yi1.lai@linux.intel.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
yi1.lai@intel.com
Subject: Re: [Syzkaller & bisect] There is KASAN: slab-use-after-free Read in __nf_unregister_net_hook in v6.12-rc1
Date: Thu, 10 Oct 2024 17:49:37 +0200 [thread overview]
Message-ID: <20241010154937.GA8322@breakpoint.cc> (raw)
In-Reply-To: <CANn89iK0a_h2KdGekLdvYKrxOyzwW=L2u33QscDBKH1zKwTdQg@mail.gmail.com>
Eric Dumazet <edumazet@google.com> wrote:
> On Thu, Oct 10, 2024 at 2:02 PM Florian Westphal <fw@strlen.de> wrote:
> >
> > Eric Dumazet <edumazet@google.com> wrote:
> > > On Thu, Oct 10, 2024 at 10:58 AM Eric Dumazet <edumazet@google.com> wrote:
> > > >
> > > > On Thu, Oct 10, 2024 at 10:19 AM Lai, Yi <yi1.lai@linux.intel.com> wrote:
> > > > >
> > > Florian, Pablo :
> > >
> > > It seems that bpf was able to defer the __nf_unregister_net_hook()
> > > after exit()/close() time.
> >
> > Thanks for the analysis, I will send a patch later today.
>
> Wow, this was fast, thanks Florian !
I spoke too soon, I cannot get the reproducer to work, it fails with:
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_NETFILTER, insn_cnt=4, insns=0x20000200, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_NETFILTER, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144) = -1 EINVAL (Invalid argument)
bpf(BPF_LINK_CREATE, {link_create={prog_fd=-1, target_fd=0, attach_type=BPF_NETFILTER, flags=0}, ...}, 64) = -1 EBADF (Bad file descriptor)
...
Killed
uname -a
Linux virtme-ng 6.12.0-rc1-kvm-virtme #1 SMP PREEMPT_DYNAMIC Thu Oct 10 17:25:40 CEST 2024 x86_64 GNU/Linux
... with vng --build --config kconfig_origin on
9852d85ec9d492ebef56dc5f229416c925758edc (== 6.12.0-rc1).
As Eric's analysis looks correct to me I will send a patch anyway, but I
can't say if it resolves the problem or not.