Date: Fri, 3 Jan 2025 18:01:50 -0800
From: Andrew Morton <akpm@linux-foundation.org>
To: cheung wall
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: "WARNING in nf_ct_alloc_hashtable" in Linux kernel version 6.13.0-rc2
Message-Id: <20250103180150.4c4d1f30220720ba7f1a133b@linux-foundation.org>

On Fri, 3 Jan 2025 17:12:53 +0800 cheung wall wrote:

> Hello,
>
> I am writing to report a potential vulnerability identified in the
> Linux Kernel version 6.13.0-rc2. This issue was discovered using our
> custom vulnerability discovery tool.
>
> HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
>
> Affected File: mm/util.c
>
> File: mm/util.c
>
> Function: __kvmalloc_node_noprof

(cc netfilter-devel)

This is

	/* Don't even allow crazy sizes */
	if (unlikely(size > INT_MAX)) {
		WARN_ON_ONCE(!(flags & __GFP_NOWARN));
		return NULL;
	}

in __kvmalloc_node_noprof().

> Detailed Call Stack:
>
> ------------[ cut here begin]------------
>
> RIP: 0010:__kvmalloc_node_noprof+0x18d/0x1b0 mm/util.c:662
> Code: a1 48 c7 c7 28 df 86 a8 e8 90 86 14 00 e9 70 ff ff ff e8 b6 d3
> e3 ff 41 81 e4 00 20 00 00 0f 85 16 ff ff ff e8 a4 d3 e3 ff 90 <0f> 0b
> 90 31 db e9 c4 fe ff ff 48 c7 c7 f8 91 e3 a7 e8 5d 86 14 00
> RSP: 0018:ffff88800f397b38 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffa46327ec
> RDX: ffff88800fc4d500 RSI: ffffffffa471a1b1 RDI: 0000000000000000
> RBP: 00000000cbad2000 R08: 0000000000000000 R09: 0a33303939333137
> loop4: detected capacity change from 0 to 32768
> R10: ffff88800f397b38 R11: 0000000000032001 R12: 0000000000000000
> R13: 00000000ffffffff R14: 000000001975a400 R15: ffff88800f397e08
> SELinux: security_context_str_to_sid (root) failed with errno=-22
> FS: 00007fc9b1d23580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055c7e2f2b6b8 CR3: 000000000b970000 CR4: 0000000000350ef0
> Call Trace:
>
> kvmalloc_array_node_noprof include/linux/slab.h:1063 [inline]
> nf_ct_alloc_hashtable+0x83/0x110 net/netfilter/nf_conntrack_core.c:2526
> nf_conntrack_hash_resize+0x91/0x4d0 net/netfilter/nf_conntrack_core.c:2547
> nf_conntrack_hash_sysctl net/netfilter/nf_conntrack_standalone.c:540 [inline]
> nf_conntrack_hash_sysctl+0xa9/0x100 net/netfilter/nf_conntrack_standalone.c:527
> proc_sys_call_handler+0x492/0x5d0 fs/proc/proc_sysctl.c:601
> new_sync_write fs/read_write.c:586 [inline]
> vfs_write+0x51e/0xc80 fs/read_write.c:679
> ksys_write+0x110/0x200 fs/read_write.c:731
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
>
> ------------[ cut here end]------------
>
> Root Cause:
>
> The kernel panic originated within the __kvmalloc_node_noprof function
> in mm/util.c, triggered during the execution of the Netfilter
> connection tracking subsystem. Specifically, the
> nf_conntrack_hash_resize function attempted to allocate memory for
> resizing the connection tracking hash table from a capacity of 0 to
> 32,768 entries using kvmalloc_array_node_noprof. This memory
> allocation likely failed or was mishandled, resulting in an invalid
> memory access or dereference within __kvmalloc_node_noprof.
> Additionally, the log indicates a failure in the SELinux security
> context function security_context_str_to_sid, which returned an EINVAL
> error (errno=-22). The combination of these factors suggests that the
> crash was caused by improper handling of memory allocation during a
> significant capacity change in the connection tracking hash table,
> possibly due to unhandled allocation failures or logic errors in the
> resize process.
>
> Thank you for your time and attention.
>
> Best regards
>
> Wall
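
An added example, not part of this thread and not kernel code: a user-space model of the two checks the trace walks through, the overflow-checked multiply in kvmalloc_array() and the size > INT_MAX guard Andrew quotes, applied to the bucket count that the conntrack hash-size sysctl (nf_conntrack_buckets) hands to nf_conntrack_hash_resize(). Assumptions, all mine: a 64-bit build where struct hlist_nulls_head is one pointer (8 bytes), PAGE_SIZE of 4096, the rounding of the bucket count to whole pages of slots that nf_ct_alloc_hashtable() performs, and stand-in values for the gfp flags (GFP_KERNEL_MODEL, GFP_NOWARN_MODEL). The function names are the model's, not the kernel's. Under those assumptions the report's R14 (0x1975a400) times 8 is its RBP (0xcbad2000), which exceeds INT_MAX, so the last request below reproduces the warned case; that reading of the registers is mine, not the reporter's.

```c
/*
 * User-space model of the checks the trace above passes through; not kernel
 * code. Assumptions: 64-bit build (struct hlist_nulls_head is one pointer,
 * 8 bytes), PAGE_SIZE 4096, bucket count rounded up to whole pages of slots
 * as nf_ct_alloc_hashtable does, and stand-in values for the gfp flags.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HLIST_NULLS_HEAD_SIZE (sizeof(void *))             /* 8 on 64-bit */
#define PAGE_SIZE_MODEL       4096u
#define SLOTS_PER_PAGE        (PAGE_SIZE_MODEL / HLIST_NULLS_HEAD_SIZE)
#define GFP_KERNEL_MODEL      0x0u
#define GFP_NOWARN_MODEL      0x1u   /* stand-in bit for __GFP_NOWARN */

enum alloc_outcome {
	ALLOC_OK,              /* size accepted, allocation proceeds */
	ALLOC_INVALID,         /* hashsize 0: nf_conntrack_hash_resize refuses it */
	ALLOC_MUL_OVERFLOW,    /* nr * size overflowed: kvmalloc_array returns NULL, no splat */
	ALLOC_TOO_LARGE_WARN,  /* size > INT_MAX without __GFP_NOWARN: WARN_ON_ONCE, then NULL */
	ALLOC_TOO_LARGE_QUIET, /* size > INT_MAX with __GFP_NOWARN: NULL, no splat */
};

/* The guard quoted above from __kvmalloc_node_noprof() in mm/util.c. */
static enum alloc_outcome model_kvmalloc(size_t size, unsigned int flags,
					 size_t *bytes_out)
{
	if (size > (size_t)INT_MAX)
		return (flags & GFP_NOWARN_MODEL) ? ALLOC_TOO_LARGE_QUIET
						  : ALLOC_TOO_LARGE_WARN;
	if (bytes_out)
		*bytes_out = size;
	return ALLOC_OK;
}

/* kvmalloc_array(): overflow-checked multiply, then the size guard above. */
static enum alloc_outcome model_kvmalloc_array(size_t nr, size_t elem,
					       unsigned int flags, size_t *bytes_out)
{
	size_t bytes;

	if (__builtin_mul_overflow(nr, elem, &bytes))
		return ALLOC_MUL_OVERFLOW;
	return model_kvmalloc(bytes, flags, bytes_out);
}

/*
 * The sysctl path in the trace: the written integer is the requested bucket
 * count; it is rounded up to whole pages of 8-byte slots and the slot array
 * is requested with kvmalloc_array(nr_slots, 8, GFP_KERNEL), no __GFP_NOWARN.
 */
static enum alloc_outcome conntrack_hash_alloc(unsigned int hashsize,
					       unsigned int flags, size_t *bytes_out)
{
	size_t nr_slots;

	if (hashsize == 0)
		return ALLOC_INVALID;
	nr_slots = ((size_t)hashsize + SLOTS_PER_PAGE - 1) / SLOTS_PER_PAGE * SLOTS_PER_PAGE;
	return model_kvmalloc_array(nr_slots, HLIST_NULLS_HEAD_SIZE, flags, bytes_out);
}

/* Bytes the table would occupy, or 0 when the request is refused. */
static size_t conntrack_hash_bytes(unsigned int hashsize)
{
	size_t bytes = 0;

	return conntrack_hash_alloc(hashsize, GFP_KERNEL_MODEL, &bytes) == ALLOC_OK ? bytes : 0;
}

/* Largest bucket count whose rounded-up table still fits under INT_MAX bytes. */
static size_t max_buckets_without_warning(void)
{
	size_t max_slots = (size_t)INT_MAX / HLIST_NULLS_HEAD_SIZE;

	return max_slots - max_slots % SLOTS_PER_PAGE;
}

int main(void)
{
	/* Constructed requests; 0x1975a400 is the report's R14, read here as nr_slots. */
	const unsigned int requests[] = { 32768u, 268434944u, 268434945u, 0x1975a400u };
	static const char *const names[] = {
		"ok", "invalid", "mul-overflow", "too large (WARN)", "too large (quiet)"
	};

	for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
		size_t bytes = 0;
		enum alloc_outcome r = conntrack_hash_alloc(requests[i], GFP_KERNEL_MODEL, &bytes);

		printf("hashsize %10u -> %-17s bytes=%zu\n", requests[i], names[r], bytes);
	}
	printf("nr=SIZE_MAX -> %s\n",
	       names[model_kvmalloc_array(SIZE_MAX, HLIST_NULLS_HEAD_SIZE, GFP_KERNEL_MODEL, NULL)]);
	printf("largest warning-free hashsize: %zu\n", max_buckets_without_warning());
	return 0;
}
```

What the model makes visible: the quoted guard fires only because the caller asks for more than INT_MAX bytes with GFP_KERNEL and no __GFP_NOWARN, and on these assumptions the boundary sits at a request of 268434944 buckets (one page of slots below 2^28); every larger value rounds up to a table of 2 GiB or more and produces the splat, while an overflowing nr * size is refused silently by the multiply check before the guard is ever reached. The guard itself returns NULL after the WARN_ON_ONCE, which is the behaviour the quoted code states; whether the caller copes with that NULL is a separate question the model does not answer.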