https://github.com/torvalds/linux
Revision d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae authored by Kuniyuki Iwashima on 01 April 2024, 21:10:04 UTC, committed by Jakub Kicinski on 03 April 2024, 02:10:57 UTC
syzkaller reported infinite recursive calls of fib6_dump_done() during
netlink socket destruction. [1]
From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then
the response was generated. The following recvmmsg() resumed the dump
for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due
to the fault injection. [0]
12:01:34 executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, ... snip ...)
recvmmsg(r0, ... snip ...) (fail_nth: 8)
Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call
of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped
receiving the response halfway through, and finally netlink_sock_destruct()
called nlk_sk(sk)->cb.done().
fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it
is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by
nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling
itself recursively and hitting the stack guard page.
To avoid the issue, let's set the destructor after kzalloc().
[0]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:117)
should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
should_failslab (mm/slub.c:3733)
kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)
inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)
rtnl_dump_all (net/core/rtnetlink.c:4029)
netlink_dump (net/netlink/af_netlink.c:2269)
netlink_recvmsg (net/netlink/af_netlink.c:1988)
____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)
___sys_recvmsg (net/socket.c:2846)
do_recvmmsg (net/socket.c:2943)
__x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)
[1]:
BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)
stack guard page: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)
Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d980000 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3
RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358
RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000
R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68
FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<#DF>
</#DF>
<TASK>
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
...
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))
netlink_sock_destruct (net/netlink/af_netlink.c:401)
__sk_destruct (net/core/sock.c:2177 (discriminator 2))
sk_destruct (net/core/sock.c:2224)
__sk_free (net/core/sock.c:2235)
sk_free (net/core/sock.c:2246)
process_one_work (kernel/workqueue.c:3259)
worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
kthread (kernel/kthread.c:388)
ret_from_fork (arch/x86/kernel/process.c:153)
ret_from_fork_asm (arch/x86/entry/entry_64.S:256)
Modules linked in:
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240401211003.25274-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent 5d872c9
Tip revision: d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae authored by Kuniyuki Iwashima on 01 April 2024, 21:10:04 UTC
ipv6: Fix infinite recursion in fib6_dump_done().
ipv6: Fix infinite recursion in fib6_dump_done().
Tip revision: d21d406
| File | Mode | Size |
|---|---|---|
| damon | ||
| kasan | ||
| kfence | ||
| kmsan | ||
| Kconfig | -rw-r--r-- | 38.6 KB |
| Kconfig.debug | -rw-r--r-- | 9.9 KB |
| Makefile | -rw-r--r-- | 5.0 KB |
| backing-dev.c | -rw-r--r-- | 26.6 KB |
| balloon_compaction.c | -rw-r--r-- | 8.2 KB |
| bootmem_info.c | -rw-r--r-- | 3.4 KB |
| cma.c | -rw-r--r-- | 15.6 KB |
| cma.h | -rw-r--r-- | 1.6 KB |
| cma_debug.c | -rw-r--r-- | 4.5 KB |
| cma_sysfs.c | -rw-r--r-- | 2.9 KB |
| compaction.c | -rw-r--r-- | 92.7 KB |
| debug.c | -rw-r--r-- | 7.3 KB |
| debug_page_alloc.c | -rw-r--r-- | 1.6 KB |
| debug_page_ref.c | -rw-r--r-- | 1.4 KB |
| debug_vm_pgtable.c | -rw-r--r-- | 40.4 KB |
| dmapool.c | -rw-r--r-- | 13.1 KB |
| dmapool_test.c | -rw-r--r-- | 2.9 KB |
| early_ioremap.c | -rw-r--r-- | 6.7 KB |
| fadvise.c | -rw-r--r-- | 5.5 KB |
| fail_page_alloc.c | -rw-r--r-- | 1.6 KB |
| failslab.c | -rw-r--r-- | 1.6 KB |
| filemap.c | -rw-r--r-- | 121.7 KB |
| folio-compat.c | -rw-r--r-- | 2.8 KB |
| gup.c | -rw-r--r-- | 96.4 KB |
| gup_test.c | -rw-r--r-- | 9.0 KB |
| gup_test.h | -rw-r--r-- | 1.2 KB |
| highmem.c | -rw-r--r-- | 20.2 KB |
| hmm.c | -rw-r--r-- | 17.1 KB |
| huge_memory.c | -rw-r--r-- | 100.7 KB |
| hugetlb.c | -rw-r--r-- | 218.7 KB |
| hugetlb_cgroup.c | -rw-r--r-- | 24.2 KB |
| hugetlb_vmemmap.c | -rw-r--r-- | 20.7 KB |
| hugetlb_vmemmap.h | -rw-r--r-- | 2.3 KB |
| hwpoison-inject.c | -rw-r--r-- | 2.8 KB |
| init-mm.c | -rw-r--r-- | 1.7 KB |
| internal.h | -rw-r--r-- | 42.0 KB |
| interval_tree.c | -rw-r--r-- | 3.1 KB |
| io-mapping.c | -rw-r--r-- | 993 bytes |
| ioremap.c | -rw-r--r-- | 1.7 KB |
| khugepaged.c | -rw-r--r-- | 71.8 KB |
| kmemleak.c | -rw-r--r-- | 62.8 KB |
| ksm.c | -rw-r--r-- | 107.9 KB |
| list_lru.c | -rw-r--r-- | 13.8 KB |
| maccess.c | -rw-r--r-- | 5.9 KB |
| madvise.c | -rw-r--r-- | 38.7 KB |
| mapping_dirty_helpers.c | -rw-r--r-- | 10.4 KB |
| memblock.c | -rw-r--r-- | 64.9 KB |
| memcontrol.c | -rw-r--r-- | 215.4 KB |
| memfd.c | -rw-r--r-- | 9.3 KB |
| memory-failure.c | -rw-r--r-- | 73.6 KB |
| memory-tiers.c | -rw-r--r-- | 24.2 KB |
| memory.c | -rw-r--r-- | 175.5 KB |
| memory_hotplug.c | -rw-r--r-- | 68.1 KB |
| mempolicy.c | -rw-r--r-- | 89.2 KB |
| mempool.c | -rw-r--r-- | 17.6 KB |
| memremap.c | -rw-r--r-- | 14.4 KB |
| memtest.c | -rw-r--r-- | 3.5 KB |
| migrate.c | -rw-r--r-- | 69.5 KB |
| migrate_device.c | -rw-r--r-- | 27.0 KB |
| mincore.c | -rw-r--r-- | 7.1 KB |
| mlock.c | -rw-r--r-- | 20.7 KB |
| mm_init.c | -rw-r--r-- | 78.4 KB |
| mm_slot.h | -rw-r--r-- | 1.4 KB |
| mmap.c | -rw-r--r-- | 105.3 KB |
| mmap_lock.c | -rw-r--r-- | 6.2 KB |
| mmu_gather.c | -rw-r--r-- | 12.3 KB |
| mmu_notifier.c | -rw-r--r-- | 34.5 KB |
| mmzone.c | -rw-r--r-- | 2.6 KB |
| mprotect.c | -rw-r--r-- | 22.4 KB |
| mremap.c | -rw-r--r-- | 31.1 KB |
| msync.c | -rw-r--r-- | 2.9 KB |
| nommu.c | -rw-r--r-- | 44.3 KB |
| oom_kill.c | -rw-r--r-- | 33.4 KB |
| page-writeback.c | -rw-r--r-- | 94.6 KB |
| page_alloc.c | -rw-r--r-- | 192.2 KB |
| page_counter.c | -rw-r--r-- | 6.8 KB |
| page_ext.c | -rw-r--r-- | 13.6 KB |
| page_idle.c | -rw-r--r-- | 5.3 KB |
| page_io.c | -rw-r--r-- | 13.7 KB |
| page_isolation.c | -rw-r--r-- | 21.5 KB |
| page_owner.c | -rw-r--r-- | 23.7 KB |
| page_poison.c | -rw-r--r-- | 2.5 KB |
| page_reporting.c | -rw-r--r-- | 11.7 KB |
| page_reporting.h | -rw-r--r-- | 1.6 KB |
| page_table_check.c | -rw-r--r-- | 5.8 KB |
| page_vma_mapped.c | -rw-r--r-- | 9.2 KB |
| pagewalk.c | -rw-r--r-- | 18.7 KB |
| percpu-internal.h | -rw-r--r-- | 7.3 KB |
| percpu-km.c | -rw-r--r-- | 3.2 KB |
| percpu-stats.c | -rw-r--r-- | 5.8 KB |
| percpu-vm.c | -rw-r--r-- | 11.7 KB |
| percpu.c | -rw-r--r-- | 102.6 KB |
| pgalloc-track.h | -rw-r--r-- | 1.3 KB |
| pgtable-generic.c | -rw-r--r-- | 11.1 KB |
| process_vm_access.c | -rw-r--r-- | 8.3 KB |
| ptdump.c | -rw-r--r-- | 4.6 KB |
| readahead.c | -rw-r--r-- | 25.4 KB |
| rmap.c | -rw-r--r-- | 78.6 KB |
| rodata_test.c | -rw-r--r-- | 1.2 KB |
| secretmem.c | -rw-r--r-- | 6.4 KB |
| shmem.c | -rw-r--r-- | 130.7 KB |
| shmem_quota.c | -rw-r--r-- | 9.5 KB |
| show_mem.c | -rw-r--r-- | 11.8 KB |
| shrinker.c | -rw-r--r-- | 21.3 KB |
| shrinker_debug.c | -rw-r--r-- | 6.1 KB |
| shuffle.c | -rw-r--r-- | 4.6 KB |
| shuffle.h | -rw-r--r-- | 1.2 KB |
| slab.h | -rw-r--r-- | 18.3 KB |
| slab_common.c | -rw-r--r-- | 33.7 KB |
| slub.c | -rw-r--r-- | 177.2 KB |
| sparse-vmemmap.c | -rw-r--r-- | 11.9 KB |
| sparse.c | -rw-r--r-- | 25.6 KB |
| swap.c | -rw-r--r-- | 31.8 KB |
| swap.h | -rw-r--r-- | 4.1 KB |
| swap_cgroup.c | -rw-r--r-- | 5.2 KB |
| swap_slots.c | -rw-r--r-- | 9.3 KB |
| swap_state.c | -rw-r--r-- | 25.7 KB |
| swapfile.c | -rw-r--r-- | 92.8 KB |
| truncate.c | -rw-r--r-- | 25.6 KB |
| usercopy.c | -rw-r--r-- | 8.1 KB |
| userfaultfd.c | -rw-r--r-- | 45.0 KB |
| util.c | -rw-r--r-- | 29.6 KB |
| vmalloc.c | -rw-r--r-- | 130.6 KB |
| vmpressure.c | -rw-r--r-- | 14.1 KB |
| vmscan.c | -rw-r--r-- | 207.3 KB |
| vmstat.c | -rw-r--r-- | 55.6 KB |
| workingset.c | -rw-r--r-- | 27.1 KB |
| z3fold.c | -rw-r--r-- | 36.8 KB |
| zbud.c | -rw-r--r-- | 12.8 KB |
| zpool.c | -rw-r--r-- | 9.9 KB |
| zsmalloc.c | -rw-r--r-- | 54.1 KB |
| zswap.c | -rw-r--r-- | 50.6 KB |
Computing file changes ...
