* "WARNING in nf_ct_alloc_hashtable" in Linux kernel version 6.13.0-rc2
@ 2025-01-03 9:12 cheung wall
2025-01-04 2:01 ` Andrew Morton
0 siblings, 1 reply; 4+ messages in thread
From: cheung wall @ 2025-01-03 9:12 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-mm, linux-kernel
Hello,
I am writing to report a potential vulnerability identified in the
Linux Kernel version 6.13.0-rc2. This issue was discovered using our
custom vulnerability discovery tool.
HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
Affected File: mm/util.c
File: mm/util.c
Function: __kvmalloc_node_noprof
Detailed Call Stack:
------------[ cut here begin]------------
RIP: 0010:__kvmalloc_node_noprof+0x18d/0x1b0 mm/util.c:662
Code: a1 48 c7 c7 28 df 86 a8 e8 90 86 14 00 e9 70 ff ff ff e8 b6 d3
e3 ff 41 81 e4 00 20 00 00 0f 85 16 ff ff ff e8 a4 d3 e3 ff 90 <0f> 0b
90 31 db e9 c4 fe ff ff 48 c7 c7 f8 91 e3 a7 e8 5d 86 14 00
RSP: 0018:ffff88800f397b38 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffa46327ec
RDX: ffff88800fc4d500 RSI: ffffffffa471a1b1 RDI: 0000000000000000
RBP: 00000000cbad2000 R08: 0000000000000000 R09: 0a33303939333137
loop4: detected capacity change from 0 to 32768
R10: ffff88800f397b38 R11: 0000000000032001 R12: 0000000000000000
R13: 00000000ffffffff R14: 000000001975a400 R15: ffff88800f397e08
SELinux: security_context_str_to_sid (root) failed with errno=-22
FS: 00007fc9b1d23580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c7e2f2b6b8 CR3: 000000000b970000 CR4: 0000000000350ef0
Call Trace:
<TASK>
kvmalloc_array_node_noprof include/linux/slab.h:1063 [inline]
nf_ct_alloc_hashtable+0x83/0x110 net/netfilter/nf_conntrack_core.c:2526
nf_conntrack_hash_resize+0x91/0x4d0 net/netfilter/nf_conntrack_core.c:2547
nf_conntrack_hash_sysctl net/netfilter/nf_conntrack_standalone.c:540 [inline]
nf_conntrack_hash_sysctl+0xa9/0x100 net/netfilter/nf_conntrack_standalone.c:527
proc_sys_call_handler+0x492/0x5d0 fs/proc/proc_sysctl.c:601
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0x51e/0xc80 fs/read_write.c:679
ksys_write+0x110/0x200 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here end]------------
Root Cause:
The kernel panic originated within the __kvmalloc_node_noprof function
in mm/util.c, triggered during the execution of the Netfilter
connection tracking subsystem. Specifically, the
nf_conntrack_hash_resize function attempted to allocate memory for
resizing the connection tracking hash table from a capacity of 0 to
32,768 entries using kvmalloc_array_node_noprof. This memory
allocation likely failed or was mishandled, resulting in an invalid
memory access or dereference within __kvmalloc_node_noprof.
Additionally, the log indicates a failure in the SELinux security
context function security_context_str_to_sid, which returned an EINVAL
error (errno=-22). The combination of these factors suggests that the
crash was caused by improper handling of memory allocation during a
significant capacity change in the connection tracking hash table,
possibly due to unhandled allocation failures or logic errors in the
resize process.
Thank you for your time and attention.
Best regards
Wall
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: "WARNING in nf_ct_alloc_hashtable" in Linux kernel version 6.13.0-rc2
2025-01-03 9:12 "WARNING in nf_ct_alloc_hashtable" in Linux kernel version 6.13.0-rc2 cheung wall
@ 2025-01-04 2:01 ` Andrew Morton
2025-01-05 21:10 ` Pablo Neira Ayuso
2025-01-08 23:05 ` Pablo Neira Ayuso
0 siblings, 2 replies; 4+ messages in thread
From: Andrew Morton @ 2025-01-04 2:01 UTC (permalink / raw)
To: cheung wall; +Cc: linux-mm, linux-kernel, netfilter-devel
On Fri, 3 Jan 2025 17:12:53 +0800 cheung wall <zzqq0103.hey@gmail.com> wrote:
> Hello,
>
> I am writing to report a potential vulnerability identified in the
> Linux Kernel version 6.13.0-rc2. This issue was discovered using our
> custom vulnerability discovery tool.
>
> HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
>
> Affected File: mm/util.c
>
> File: mm/util.c
>
> Function: __kvmalloc_node_noprof
(cc netfilter-devel)
This is
/* Don't even allow crazy sizes */
if (unlikely(size > INT_MAX)) {
WARN_ON_ONCE(!(flags & __GFP_NOWARN));
return NULL;
}
in __kvmalloc_node_noprof().
> Detailed Call Stack:
>
> ------------[ cut here begin]------------
>
> RIP: 0010:__kvmalloc_node_noprof+0x18d/0x1b0 mm/util.c:662
> Code: a1 48 c7 c7 28 df 86 a8 e8 90 86 14 00 e9 70 ff ff ff e8 b6 d3
> e3 ff 41 81 e4 00 20 00 00 0f 85 16 ff ff ff e8 a4 d3 e3 ff 90 <0f> 0b
> 90 31 db e9 c4 fe ff ff 48 c7 c7 f8 91 e3 a7 e8 5d 86 14 00
> RSP: 0018:ffff88800f397b38 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffa46327ec
> RDX: ffff88800fc4d500 RSI: ffffffffa471a1b1 RDI: 0000000000000000
> RBP: 00000000cbad2000 R08: 0000000000000000 R09: 0a33303939333137
> loop4: detected capacity change from 0 to 32768
> R10: ffff88800f397b38 R11: 0000000000032001 R12: 0000000000000000
> R13: 00000000ffffffff R14: 000000001975a400 R15: ffff88800f397e08
> SELinux: security_context_str_to_sid (root) failed with errno=-22
> FS: 00007fc9b1d23580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055c7e2f2b6b8 CR3: 000000000b970000 CR4: 0000000000350ef0
> Call Trace:
> <TASK>
> kvmalloc_array_node_noprof include/linux/slab.h:1063 [inline]
> nf_ct_alloc_hashtable+0x83/0x110 net/netfilter/nf_conntrack_core.c:2526
> nf_conntrack_hash_resize+0x91/0x4d0 net/netfilter/nf_conntrack_core.c:2547
> nf_conntrack_hash_sysctl net/netfilter/nf_conntrack_standalone.c:540 [inline]
> nf_conntrack_hash_sysctl+0xa9/0x100 net/netfilter/nf_conntrack_standalone.c:527
> proc_sys_call_handler+0x492/0x5d0 fs/proc/proc_sysctl.c:601
> new_sync_write fs/read_write.c:586 [inline]
> vfs_write+0x51e/0xc80 fs/read_write.c:679
> ksys_write+0x110/0x200 fs/read_write.c:731
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
>
> ------------[ cut here end]------------
>
> Root Cause:
>
> The kernel panic originated within the __kvmalloc_node_noprof function
> in mm/util.c, triggered during the execution of the Netfilter
> connection tracking subsystem. Specifically, the
> nf_conntrack_hash_resize function attempted to allocate memory for
> resizing the connection tracking hash table from a capacity of 0 to
> 32,768 entries using kvmalloc_array_node_noprof. This memory
> allocation likely failed or was mishandled, resulting in an invalid
> memory access or dereference within __kvmalloc_node_noprof.
> Additionally, the log indicates a failure in the SELinux security
> context function security_context_str_to_sid, which returned an EINVAL
> error (errno=-22). The combination of these factors suggests that the
> crash was caused by improper handling of memory allocation during a
> significant capacity change in the connection tracking hash table,
> possibly due to unhandled allocation failures or logic errors in the
> resize process.
>
> Thank you for your time and attention.
>
> Best regards
>
> Wall
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: "WARNING in nf_ct_alloc_hashtable" in Linux kernel version 6.13.0-rc2
2025-01-04 2:01 ` Andrew Morton
@ 2025-01-05 21:10 ` Pablo Neira Ayuso
2025-01-08 23:05 ` Pablo Neira Ayuso
1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2025-01-05 21:10 UTC (permalink / raw)
To: Andrew Morton; +Cc: cheung wall, linux-mm, linux-kernel, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 836 bytes --]
Hi,
On Fri, Jan 03, 2025 at 06:01:50PM -0800, Andrew Morton wrote:
> On Fri, 3 Jan 2025 17:12:53 +0800 cheung wall <zzqq0103.hey@gmail.com> wrote:
>
> > Hello,
> >
> > I am writing to report a potential vulnerability identified in the
> > Linux Kernel version 6.13.0-rc2. This issue was discovered using our
> > custom vulnerability discovery tool.
> >
> > HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
> >
> > Affected File: mm/util.c
> >
> > File: mm/util.c
> >
> > Function: __kvmalloc_node_noprof
>
> (cc netfilter-devel)
>
> This is
>
> /* Don't even allow crazy sizes */
> if (unlikely(size > INT_MAX)) {
> WARN_ON_ONCE(!(flags & __GFP_NOWARN));
> return NULL;
> }
>
> in __kvmalloc_node_noprof().
Ok, then I assume this is a WARN_ON_ONCE splat.
I'm attaching a patch to address this.
[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 669 bytes --]
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 8666d733b984..13a2097b56e2 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2516,7 +2516,7 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));
- hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL);
+ hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL | __GFP_NOWARN);
if (hash && nulls)
for (i = 0; i < nr_slots; i++)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: "WARNING in nf_ct_alloc_hashtable" in Linux kernel version 6.13.0-rc2
2025-01-04 2:01 ` Andrew Morton
2025-01-05 21:10 ` Pablo Neira Ayuso
@ 2025-01-08 23:05 ` Pablo Neira Ayuso
1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2025-01-08 23:05 UTC (permalink / raw)
To: Andrew Morton; +Cc: cheung wall, linux-mm, linux-kernel, netfilter-devel
Hi,
On Fri, Jan 03, 2025 at 06:01:50PM -0800, Andrew Morton wrote:
> On Fri, 3 Jan 2025 17:12:53 +0800 cheung wall <zzqq0103.hey@gmail.com> wrote:
>
> > Hello,
> >
> > I am writing to report a potential vulnerability identified in the
> > Linux Kernel version 6.13.0-rc2. This issue was discovered using our
> > custom vulnerability discovery tool.
> >
> > HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
> >
> > Affected File: mm/util.c
> >
> > File: mm/util.c
> >
> > Function: __kvmalloc_node_noprof
>
> (cc netfilter-devel)
>
> This is
>
> /* Don't even allow crazy sizes */
> if (unlikely(size > INT_MAX)) {
> WARN_ON_ONCE(!(flags & __GFP_NOWARN));
> return NULL;
> }
>
> in __kvmalloc_node_noprof().
Proposed fix:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20250108230157.21484-1-pablo@netfilter.org/
Note: hashtable resize is only possible from init_netns.
Thanks.
> > Detailed Call Stack:
> >
> > ------------[ cut here begin]------------
> >
> > RIP: 0010:__kvmalloc_node_noprof+0x18d/0x1b0 mm/util.c:662
> > Code: a1 48 c7 c7 28 df 86 a8 e8 90 86 14 00 e9 70 ff ff ff e8 b6 d3
> > e3 ff 41 81 e4 00 20 00 00 0f 85 16 ff ff ff e8 a4 d3 e3 ff 90 <0f> 0b
> > 90 31 db e9 c4 fe ff ff 48 c7 c7 f8 91 e3 a7 e8 5d 86 14 00
> > RSP: 0018:ffff88800f397b38 EFLAGS: 00010293
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffa46327ec
> > RDX: ffff88800fc4d500 RSI: ffffffffa471a1b1 RDI: 0000000000000000
> > RBP: 00000000cbad2000 R08: 0000000000000000 R09: 0a33303939333137
> > loop4: detected capacity change from 0 to 32768
> > R10: ffff88800f397b38 R11: 0000000000032001 R12: 0000000000000000
> > R13: 00000000ffffffff R14: 000000001975a400 R15: ffff88800f397e08
> > SELinux: security_context_str_to_sid (root) failed with errno=-22
> > FS: 00007fc9b1d23580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000055c7e2f2b6b8 CR3: 000000000b970000 CR4: 0000000000350ef0
> > Call Trace:
> > <TASK>
> > kvmalloc_array_node_noprof include/linux/slab.h:1063 [inline]
> > nf_ct_alloc_hashtable+0x83/0x110 net/netfilter/nf_conntrack_core.c:2526
> > nf_conntrack_hash_resize+0x91/0x4d0 net/netfilter/nf_conntrack_core.c:2547
> > nf_conntrack_hash_sysctl net/netfilter/nf_conntrack_standalone.c:540 [inline]
> > nf_conntrack_hash_sysctl+0xa9/0x100 net/netfilter/nf_conntrack_standalone.c:527
> > proc_sys_call_handler+0x492/0x5d0 fs/proc/proc_sysctl.c:601
> > new_sync_write fs/read_write.c:586 [inline]
> > vfs_write+0x51e/0xc80 fs/read_write.c:679
> > ksys_write+0x110/0x200 fs/read_write.c:731
> > do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> >
> > ------------[ cut here end]------------
> >
> > Root Cause:
> >
> > The kernel panic originated within the __kvmalloc_node_noprof function
> > in mm/util.c, triggered during the execution of the Netfilter
> > connection tracking subsystem. Specifically, the
> > nf_conntrack_hash_resize function attempted to allocate memory for
> > resizing the connection tracking hash table from a capacity of 0 to
> > 32,768 entries using kvmalloc_array_node_noprof. This memory
> > allocation likely failed or was mishandled, resulting in an invalid
> > memory access or dereference within __kvmalloc_node_noprof.
> > Additionally, the log indicates a failure in the SELinux security
> > context function security_context_str_to_sid, which returned an EINVAL
> > error (errno=-22). The combination of these factors suggests that the
> > crash was caused by improper handling of memory allocation during a
> > significant capacity change in the connection tracking hash table,
> > possibly due to unhandled allocation failures or logic errors in the
> > resize process.
> >
> > Thank you for your time and attention.
> >
> > Best regards
> >
> > Wall
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-01-08 23:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-01-03 9:12 "WARNING in nf_ct_alloc_hashtable" in Linux kernel version 6.13.0-rc2 cheung wall
2025-01-04 2:01 ` Andrew Morton
2025-01-05 21:10 ` Pablo Neira Ayuso
2025-01-08 23:05 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox