Date: Thu, 9 Jan 2025 00:05:04 +0100
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Andrew Morton
Cc: cheung wall, linux-mm@kvack.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: "WARNING in nf_ct_alloc_hashtable" in Linux kernel version 6.13.0-rc2
In-Reply-To: <20250103180150.4c4d1f30220720ba7f1a133b@linux-foundation.org>

Hi,

On Fri, Jan 03, 2025 at 06:01:50PM -0800, Andrew Morton wrote:
> On Fri, 3 Jan 2025 17:12:53 +0800 cheung wall wrote:
>
> > Hello,
> >
> > I am writing to report a potential vulnerability identified in the
> > Linux Kernel version 6.13.0-rc2. This issue was discovered using our
> > custom vulnerability discovery tool.
> >
> > HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
> >
> > Affected File: mm/util.c
> >
> > File: mm/util.c
> >
> > Function: __kvmalloc_node_noprof
>
> (cc netfilter-devel)
>
> This is
>
> 	/* Don't even allow crazy sizes */
> 	if (unlikely(size > INT_MAX)) {
> 		WARN_ON_ONCE(!(flags & __GFP_NOWARN));
> 		return NULL;
> 	}
>
> in __kvmalloc_node_noprof().

Proposed fix:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20250108230157.21484-1-pablo@netfilter.org/

Note: hashtable resize is only possible from init_netns.

Thanks.

> > Detailed Call Stack:
> >
> > ------------[ cut here begin]------------
> >
> > RIP: 0010:__kvmalloc_node_noprof+0x18d/0x1b0 mm/util.c:662
> > Code: a1 48 c7 c7 28 df 86 a8 e8 90 86 14 00 e9 70 ff ff ff e8 b6 d3
> > e3 ff 41 81 e4 00 20 00 00 0f 85 16 ff ff ff e8 a4 d3 e3 ff 90 <0f> 0b
> > 90 31 db e9 c4 fe ff ff 48 c7 c7 f8 91 e3 a7 e8 5d 86 14 00
> > RSP: 0018:ffff88800f397b38 EFLAGS: 00010293
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffa46327ec
> > RDX: ffff88800fc4d500 RSI: ffffffffa471a1b1 RDI: 0000000000000000
> > RBP: 00000000cbad2000 R08: 0000000000000000 R09: 0a33303939333137
> > loop4: detected capacity change from 0 to 32768
> > R10: ffff88800f397b38 R11: 0000000000032001 R12: 0000000000000000
> > R13: 00000000ffffffff R14: 000000001975a400 R15: ffff88800f397e08
> > SELinux: security_context_str_to_sid (root) failed with errno=-22
> > FS:  00007fc9b1d23580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000055c7e2f2b6b8 CR3: 000000000b970000 CR4: 0000000000350ef0
> > Call Trace:
> >
> >  kvmalloc_array_node_noprof include/linux/slab.h:1063 [inline]
> >  nf_ct_alloc_hashtable+0x83/0x110 net/netfilter/nf_conntrack_core.c:2526
> >  nf_conntrack_hash_resize+0x91/0x4d0 net/netfilter/nf_conntrack_core.c:2547
> >  nf_conntrack_hash_sysctl net/netfilter/nf_conntrack_standalone.c:540 [inline]
> >  nf_conntrack_hash_sysctl+0xa9/0x100 net/netfilter/nf_conntrack_standalone.c:527
> >  proc_sys_call_handler+0x492/0x5d0 fs/proc/proc_sysctl.c:601
> >  new_sync_write fs/read_write.c:586 [inline]
> >  vfs_write+0x51e/0xc80 fs/read_write.c:679
> >  ksys_write+0x110/0x200 fs/read_write.c:731
> >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >  do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> >
> > ------------[ cut here end]------------
> >
> > Root Cause:
> >
> > The kernel panic originated within the __kvmalloc_node_noprof function
> > in mm/util.c, triggered during the execution of the Netfilter
> > connection tracking subsystem. Specifically, the
> > nf_conntrack_hash_resize function attempted to allocate memory for
> > resizing the connection tracking hash table from a capacity of 0 to
> > 32,768 entries using kvmalloc_array_node_noprof. This memory
> > allocation likely failed or was mishandled, resulting in an invalid
> > memory access or dereference within __kvmalloc_node_noprof.
> > Additionally, the log indicates a failure in the SELinux security
> > context function security_context_str_to_sid, which returned an EINVAL
> > error (errno=-22). The combination of these factors suggests that the
> > crash was caused by improper handling of memory allocation during a
> > significant capacity change in the connection tracking hash table,
> > possibly due to unhandled allocation failures or logic errors in the
> > resize process.
> >
> > Thank you for your time and attention.
> >
> > Best regards
> >
> > Wall
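The check Andrew Morton quotes above refuses any request larger than INT_MAX and warns unless the caller passed __GFP_NOWARN; the trace shows that request coming from a sysctl write that picks a new bucket count for the conntrack hash table. The following user-space model, added as an example and not taken from the kernel, from nf_ct_alloc_hashtable, or from the proposed patch linked above, shows the caller-side validation a defender would want in front of such an allocation: reject a bucket count whose byte size would overflow or exceed INT_MAX before the allocator ever sees it, instead of relying on the allocator's warning. The type `struct bucket_head` and the functions `hash_table_bytes` and `alloc_hash_table` are assumptions made for this example; the kernel's own bucket type and helpers differ.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for one hash bucket head (assumption: the kernel
 * uses struct hlist_nulls_head, which is also one pointer wide). */
struct bucket_head {
	void *first;
};

/* Compute the byte size of a table with nr_buckets buckets.
 * Returns 0 when the request must be rejected: a zero count, a
 * multiplication that would overflow size_t (the same hazard
 * kvmalloc_array guards with check_mul_overflow), or a total above
 * INT_MAX, which is the "crazy size" __kvmalloc_node_noprof() refuses.
 * Otherwise returns the byte size, which is always > 0. */
size_t hash_table_bytes(unsigned long nr_buckets)
{
	size_t elem = sizeof(struct bucket_head);
	size_t bytes;

	if (nr_buckets == 0)
		return 0;
	if (nr_buckets > SIZE_MAX / elem)
		return 0;
	bytes = (size_t)nr_buckets * elem;
	if (bytes > (size_t)INT_MAX)
		return 0;
	return bytes;
}

/* Allocate a zeroed table only after the size has been validated.
 * A rejected count yields NULL without any allocator call, so an
 * out-of-range value supplied through a sysctl-style interface cannot
 * reach the allocator's INT_MAX check (and its warning) at all. */
struct bucket_head *alloc_hash_table(unsigned long nr_buckets)
{
	size_t bytes = hash_table_bytes(nr_buckets);

	if (bytes == 0)
		return NULL;
	return calloc(1, bytes);
}

int main(void)
{
	/* Constructed sample counts: a sane default-sized table, the
	 * smallest count whose byte size exceeds INT_MAX, and a count
	 * that overflows the multiplication itself. */
	unsigned long samples[] = {
		32768UL,
		(unsigned long)INT_MAX / sizeof(struct bucket_head) + 1,
		ULONG_MAX,
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct bucket_head *tbl = alloc_hash_table(samples[i]);

		printf("%lu buckets -> %s\n", samples[i],
		       tbl ? "allocated" : "rejected before allocation");
		free(tbl);
	}
	return 0;
}
```

The two-stage check matters because the overflow test and the INT_MAX ceiling catch different inputs: a count just above INT_MAX / sizeof(bucket) multiplies cleanly on a 64-bit size_t yet still exceeds the allocator's limit, while ULONG_MAX would wrap the product to a small, plausible-looking size if the division-based overflow test were skipped.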