Hi Pablo,
On Wed, Jun 02, 2021 at 07:03:17PM +0200, Pablo Neira Ayuso wrote:
On Wed, Jun 02, 2021 at 09:37:26AM -0700, syzbot wrote:
Hello,
syzbot found the following issue on:
HEAD commit:    6850ec97 Merge branch 'mptcp-fixes-for-5-13'
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=1355504dd00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
dashboard link: https://syzkaller.appspot.com/bug?extid=ce96ca2b1d0b37c6422d
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1502d517d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12bbbe13d00000
The issue was bisected to:
commit 05abe4456fa376040f6cc3cc6830d2e328723478
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed May 20 13:44:37 2020 +0000
netfilter: nf_tables: allow to register flowtable with no devices
bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10fa1387d00000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=12fa1387d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14fa1387d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com
Fixes: 05abe4456fa3 ("netfilter: nf_tables: allow to register flowtable with no devices")
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 8438 Comm: syz-executor343 Not tainted 5.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nft_set_elem_expr_alloc+0x17e/0x280 net/netfilter/nf_tables_api.c:5321
Code: 48 c1 ea 03 80 3c 02 00 0f 85 09 01 00 00 49 8b 9d c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 70 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d9 00 00 00 48 8b 5b 70 48 85 db 74 21 e8 9a bd
It's a real bug. Bisect is not correct though.
I'll post a patch to fix it. Thanks.
So if I see it correctly the fix landed in ad9f151e560b ("netfilter: nf_tables: initialize set before expression setup") in 5.13-rc7 and landed as well in 5.12.13. The issue is though still present in the 5.10.y series.
Would it be possible to backport the fix as well to 5.10.y? It is needed there as well.
Regards, Salvatore
On Wed, Sep 08, 2021 at 10:58:11PM +0200, Salvatore Bonaccorso wrote:
Hi Pablo,
On Wed, Jun 02, 2021 at 07:03:17PM +0200, Pablo Neira Ayuso wrote:
On Wed, Jun 02, 2021 at 09:37:26AM -0700, syzbot wrote:
Hello,
syzbot found the following issue on:
HEAD commit:    6850ec97 Merge branch 'mptcp-fixes-for-5-13'
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=1355504dd00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
dashboard link: https://syzkaller.appspot.com/bug?extid=ce96ca2b1d0b37c6422d
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1502d517d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12bbbe13d00000
The issue was bisected to:
commit 05abe4456fa376040f6cc3cc6830d2e328723478
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed May 20 13:44:37 2020 +0000
netfilter: nf_tables: allow to register flowtable with no devices
bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10fa1387d00000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=12fa1387d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14fa1387d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com
Fixes: 05abe4456fa3 ("netfilter: nf_tables: allow to register flowtable with no devices")
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 8438 Comm: syz-executor343 Not tainted 5.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nft_set_elem_expr_alloc+0x17e/0x280 net/netfilter/nf_tables_api.c:5321
Code: 48 c1 ea 03 80 3c 02 00 0f 85 09 01 00 00 49 8b 9d c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 70 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d9 00 00 00 48 8b 5b 70 48 85 db 74 21 e8 9a bd
It's a real bug. Bisect is not correct though.
I'll post a patch to fix it. Thanks.
So if I see it correctly the fix landed in ad9f151e560b ("netfilter: nf_tables: initialize set before expression setup") in 5.13-rc7 and landed as well in 5.12.13. The issue is though still present in the 5.10.y series.
Would it be possible to backport the fix as well to 5.10.y? It is needed there as well.
I would need a working backport, as it does not apply cleanly to 5.10.y :(
thanks,
greg k-h
Greg KH gregkh@linuxfoundation.org wrote:
On Wed, Sep 08, 2021 at 10:58:11PM +0200, Salvatore Bonaccorso wrote:
So if I see it correctly the fix landed in ad9f151e560b ("netfilter: nf_tables: initialize set before expression setup") in 5.13-rc7 and landed as well in 5.12.13. The issue is though still present in the 5.10.y series.
Would it be possible to backport the fix as well to 5.10.y? It is needed there as well.
I would need a working backport, as it does not apply cleanly to 5.10.y :(
Done, sent to stable@.