Re: [Syzkaller & bisect] There is KASAN: slab-use-after-free Read in __nf_unregister_net_hook in v6.12-rc1

From: Florian Westphal
Date: Thu Oct 10 2024 - 11:49:56 EST


Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
> On Thu, Oct 10, 2024 at 2:02 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
> > > On Thu, Oct 10, 2024 at 10:58 AM Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
> > > >
> > > > On Thu, Oct 10, 2024 at 10:19 AM Lai, Yi <yi1.lai@xxxxxxxxxxxxxxx> wrote:
> > > > >
> > > Florian, Pablo :
> > >
> > > It seems that bpf was able to defer the __nf_unregister_net_hook()
> > > after exit()/close() time.
> >
> > Thanks for the analysis, I will send a patch later today.
>
> Wow, this was fast, thanks Florian !

I spoke too soon, I cannot get the reproducer to work, it fails with:

bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_NETFILTER, insn_cnt=4, insns=0x20000200, license="syzkaller", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_NETFILTER, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144) = -1 EINVAL (Invalid argument)
bpf(BPF_LINK_CREATE, {link_create={prog_fd=-1, target_fd=0, attach_type=BPF_NETFILTER, flags=0}, ...}, 64) = -1 EBADF (Bad file descriptor)
...
Killed
uname -a
Linux virtme-ng 6.12.0-rc1-kvm-virtme #1 SMP PREEMPT_DYNAMIC Thu Oct 10 17:25:40 CEST 2024 x86_64 GNU/Linux

... with vng --build --config kconfig_origin on
9852d85ec9d492ebef56dc5f229416c925758edc (== 6.12.0-rc1).

As Eric's analysis looks correct to me I will send a patch anyway, but I
can't say if it resolves the problem or not.