On Wed, Nov 23, 2022 at 7:52 AM Jaihind Yadav (QUIC) <quic_jaihindy@xxxxxxxxxxx> wrote:
> Hi Paul Moore Sir,
>
> Thanks for the quick response.
> Please find the additional information below.
> We are using the 5.15 kernel in Android T.
> We have not applied any additional patch to the kernel.
>
> I am replying on the same thread again because in that email I attached call stack frame with locals images to explain the issue better after loading the dump in t32,
> but it converted the images to base32 due to the plain text format and made them unreadable. Sorry for the inconvenience caused.
>
> Please let me know if more information is needed.

Hi Jaihind,

Thanks for the additional information. Unfortunately Android has been known to carry a large number of kernel patches in their kernels so I would suggest contacting the Android team for additional help on resolving this issue. If you can reproduce this problem with a plain upstream kernel we may be able to help, but I don't recall seeing anything similar in any of our upstream kernel use/testing.

Good luck,
-Paul

> -----Original Message-----
> From: Paul Moore <paul@xxxxxxxxxxxxxx>
> Sent: Tuesday, November 22, 2022 11:53 PM
> To: Jaihind Yadav (QUIC) <quic_jaihindy@xxxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxx
> Subject: Re: Kernel Panic while accessing avtab_search_node
>
> On Tue, Nov 22, 2022 at 6:22 AM Jaihind Yadav (QUIC) <quic_jaihindy@xxxxxxxxxxx> wrote:
> > Hi Selinux team,
> >
> > We are getting a kernel panic due to an invalid memory access from avtab_search_node @231.
> >
> > [  165.187593][T21313] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000081000000
> > [  165.265699][T22438] pc : avtab_search_node+0xe4/0x138
> > [  165.265710][T22438] lr : context_struct_compute_av+0x260/0x908
> > [  165.265715][T22438] sp : ffffffc0330a3920
> > [  165.265717][T22438] x29: ffffffc0330a3a20 x28: ffffff804097ea40 x27: 0000000000000360
> > [  165.265725][T22438] x26: ffffff803acab190 x25: ffffff803acab138 x24: ffffffc0330a3b60
> > [  165.265732][T22438] x23: ffffff804097ea40 x22: ffffffc0330a3b48 x21: 0000000000000361
> > [  165.265739][T22438] x20: 0000000000000360 x19: ffffff80409d3608 x18: ffffffc02ba1d070
> > [  165.265746][T22438] x17: 000000008f58b13b x16: 000000005bbbfbe1 x15: 00000000e6546b64
> > [  165.265753][T22438] x14: 000000001b873593 x13: 0000000058a5459e x12: 0000000000000061
> > [  165.265760][T22438] x11: 0000000000000707 x10: 0000000000000361 x9 : 0000000000000361
> > [  165.265767][T22438] x8 : 0000000000000002 x7 : 0000000000000000 x6 : ffffffc0330a39ac
> > [  165.265773][T22438] x5 : ffffffc0330a3b60 x4 : ffffffc0330a3b48 x3 : ffffffc0330a3b60
> > [  165.265780][T22438] x2 : ffffffc0330a3b48 x1 : ffffffc0330a3960 x0 : 0000000081000000
> > [  165.265787][T22438] Call trace:
> > [  165.265789][T22438]  avtab_search_node+0xe4/0x138
> > [  165.265793][T22438]  security_compute_av+0x18c/0x3f4
> > [  165.265798][T22438]  avc_compute_av+0x84/0xe4
> > [  165.265804][T22438]  avc_has_perm+0x188/0x1f4
> > [  165.265808][T22438]  selinux_task_alloc+0x48/0x58
> > [  165.265812][T22438]  security_task_alloc+0x84/0x150
> > [  165.265816][T22438]  copy_process+0x51c/0xe98
> > [  165.265823][T22438]  kernel_clone+0xb8/0x684
> > [  165.265827][T22438]  __arm64_sys_clone+0x5c/0x8c
> > [  165.265831][T22438]  invoke_syscall+0x60/0x150
> > [  165.265836][T22438]  el0_svc_common+0x98/0x114
> > [  165.265840][T22438]  do_el0_svc+0x28/0xa0
> > [  165.265843][T22438]  el0_svc+0x28/0x90
> > [  165.265848][T22438]  el0t_64_sync_handler+0x88/0xec
> > [  165.265852][T22438]  el0t_64_sync+0x1b4/0x1b8
> > [  165.265858][T22438] Code: f86bd980 b4000260 79400c2b 1200396b (7940000c)
> > [  165.265862][T22438] ---[ end trace 78d0a75f861b1c77 ]---
> >
> > The kernel panic occurs while accessing cur at line 231 of the code snippet below.
> >
> > 218 struct avtab_node *avtab_search_node(struct avtab *h,
> > 219                                      const struct avtab_key *key)
> > 220 {
> > 221         int hvalue;
> > 222         struct avtab_node *cur;
> > 223         u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
> > 224
> > 225         if (!h || !h->nslot)
> > 226                 return NULL;
> > 227
> > 228         hvalue = avtab_hash(key, h->mask);
> > 229         for (cur = h->htable[hvalue]; cur;
> > 230              cur = cur->next) {
> > 231                 if (key->source_type == cur->key.source_type &&
> > 232                     key->target_type == cur->key.target_type &&
> > 233                     key->target_class == cur->key.target_class &&
> > 234                     (specified & cur->key.specified))
> > 235                         return cur;
> >
> > In the above code the null checks are handled properly, so I suspect the hashtable is being modified by another thread/process while this code is accessing it.
> >
> > Can you please provide your expert opinion on what could be the issue here and how to fix it.
>
> Hi Jaihind,
>
> We need some additional information to help understand the problem.
> What Linux distribution are you using? What kernel are you using (version number), and do you have any patches applied to that kernel?
> What SELinux policy are you using?

--
paul-moore.com
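To make the lookup the thread is debugging concrete, here is an added userland model of the avtab bucket walk. It is example code written for this page, not the kernel's implementation and not code from either participant: the struct layouts, the flag values, the bucket count NSLOT, the toy avtab_hash() and the constructed pool of three rules are all assumptions that keep only the shape of the real search (bucket by masked hash, walk the chain, match the three type fields, require overlap in the 'specified' bits). It also adds an avtab_check() that re-hashes every linked node to verify it sits in the bucket it belongs to and that the chains account for every node, the kind of consistency check one would run over a table snapshot from a dump when, as the report suspects, concurrent modification of the table is in question. build_demo_table() and demo_lookup() are helpers invented for this example.

```c
/* Userland model of the avtab bucket search quoted in the thread. Added
 * illustration, not kernel code: struct layouts, flag values and the hash are
 * simplified assumptions that keep only the shape of the real lookup (bucket
 * by masked hash, walk the chain, match the three types, overlap 'specified'). */
#include <stddef.h>
#include <stdint.h>

/* Flag values are assumptions for this model, not the kernel's constants. */
#define AVTAB_ALLOWED     0x0001
#define AVTAB_AUDITALLOW  0x0002
#define AVTAB_AUDITDENY   0x0004
#define AVTAB_ENABLED_OLD 0x0080
#define AVTAB_ENABLED     0x8000
#define NSLOT 16                   /* bucket count; power of two so mask works */

struct avtab_key {
	uint16_t source_type, target_type, target_class;
	uint16_t specified;            /* which rule kinds this entry carries */
};
struct avtab_node {
	struct avtab_key key;
	uint32_t allowed;              /* simplified datum: permission bitmap */
	struct avtab_node *next;
};
struct avtab {
	struct avtab_node *htable[NSLOT];
	uint32_t nel, nslot, mask;     /* linked nodes, bucket count, nslot - 1 */
};

static uint32_t avtab_hash(const struct avtab_key *k, uint32_t mask)
{
	uint32_t h = k->source_type;   /* simplified mixing; the kernel's differs */
	h = h * 31u + k->target_type;
	h = h * 31u + k->target_class;
	return h & mask;
}

/* Same control flow as the function quoted in the thread. */
struct avtab_node *avtab_search_node(struct avtab *h, const struct avtab_key *key)
{
	struct avtab_node *cur;
	uint16_t specified = key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
	if (!h || !h->nslot)
		return NULL;
	for (cur = h->htable[avtab_hash(key, h->mask)]; cur; cur = cur->next) {
		if (key->source_type == cur->key.source_type &&
		    key->target_type == cur->key.target_type &&
		    key->target_class == cur->key.target_class &&
		    (specified & cur->key.specified))
			return cur;
	}
	return NULL;
}

/* Snapshot check: every node must hash to its bucket and the chains must hold exactly nel nodes. */
int avtab_check(const struct avtab *h)
{
	uint32_t i, seen = 0;
	for (i = 0; i < h->nslot; i++) {
		const struct avtab_node *cur;
		for (cur = h->htable[i]; cur; cur = cur->next, seen++)
			if (avtab_hash(&cur->key, h->mask) != i)
				return 0;
	}
	return seen == h->nel;
}

/* Constructed sample policy: two rule kinds for one (source, target, class) triple plus one other. */
static struct avtab_node pool[3] = {
	{ {10, 20, 3, AVTAB_ALLOWED},   0x5, NULL },
	{ {10, 20, 3, AVTAB_AUDITDENY}, 0x2, NULL },
	{ {11, 20, 3, AVTAB_ALLOWED},   0x1, NULL },
};
static struct avtab demo_tab;

/* Link the pool nodes into a fresh table (head insertion per bucket); returns 1 if consistent. */
int build_demo_table(void)
{
	struct avtab *h = &demo_tab;
	int i;
	*h = (struct avtab){ .nslot = NSLOT, .mask = NSLOT - 1 };
	for (i = 0; i < 3; i++) {
		uint32_t hv = avtab_hash(&pool[i].key, h->mask);
		pool[i].next = h->htable[hv];
		h->htable[hv] = &pool[i];
		h->nel++;
	}
	return avtab_check(h);
}

/* Look up one key in the demo table; returns the node's 'allowed' bits, or 0 when nothing matches. */
uint32_t demo_lookup(uint16_t src, uint16_t tgt, uint16_t cls, uint16_t specified)
{
	struct avtab_key k = {src, tgt, cls, specified};
	struct avtab_node *n;
	if (!build_demo_table())
		return 0;
	n = avtab_search_node(&demo_tab, &k);
	return n ? n->allowed : 0;
}
```

For the three constructed entries build_demo_table() returns 1. demo_lookup(10, 20, 3, AVTAB_ALLOWED | AVTAB_ENABLED) walks past the AUDITDENY node that shares the same chain (its 'specified' bits do not overlap once AVTAB_ENABLED is masked off) and returns the ALLOWED node's 0x5, while a key whose 'specified' bits overlap nothing in the chain returns 0. The check only validates a consistent snapshot; a node pointer that points outside the table, as the faulting address in the report suggests, cannot be dereferenced safely and must be caught by comparing it against the known node allocations in the dump instead.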