Message-ID: <2628673a6ff1418193bc31c3c1285e0c@huawei.com>
Date:   Thu, 3 Nov 2022 09:53:20 +0000
From:   Caowangbao <caowangbao@...wei.com>
To:     Xin Long <lucien.xin@...il.com>,
        "Chenzhen(EulerOS)" <chenzhen126@...wei.com>
CC:     "vyasevich@...il.com" <vyasevich@...il.com>,
        "nhorman@...driver.com" <nhorman@...driver.com>,
        "marcelo.leitner@...il.com" <marcelo.leitner@...il.com>,
        "linux-sctp@...r.kernel.org" <linux-sctp@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com" <edumazet@...gle.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "pabeni@...hat.com" <pabeni@...hat.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "Yanan (Euler)" <yanan@...wei.com>
Subject: Re: BUG: kernel NULL pointer dereference in sctp_sched_dequeue_common

I have reduced the recurrence conditions and can reproduce the problem by running the following statement:

18:00:56 executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f00000001c0)=[@in={0x2, 0x4e20, @empty}], 0x10) (async)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000580)={<r1=>0x0, 0x10, &(0x7f0000000540)=[@in={0x2, 0x4e20, @local}]}, &(0x7f0000000600)=0x10) (async)
r2 = dup2(r0, r0)
setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r2, 0x84, 0x72, &(0x7f0000000000)={0x0, 0x6, 0x30}, 0xc) (async)
r3 = socket$inet6_sctp(0xa, 0x1, 0x84)
r4 = dup2(r2, r3)
setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r4, 0x84, 0x72, &(0x7f0000000040), 0xc)
sendmsg$alg(r4, &(0x7f0000002700)={0x0, 0x0, &(0x7f0000002500)=[{&(0x7f0000004100)='@', 0x1}], 0x1}, 0x0) (async)
setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r2, 0x84, 0x22, &(0x7f0000002480)={0x5, 0x202, 0x9, 0x10001, r1}, 0x10) (async)
write$tun(r4, &(0x7f0000002640)=ANY=[@ANYBLOB="000000000000000000000000000006000000aaaaaaaaaabb467219e67b1d64441845437b38c12ddeb986e59e82bd4247f1ed8a05309a31b9494bda521ffd4b68bf072b030d7ef04cc219c73572fac79f47369d49ae19df01641921e3af34cb84766ede45e4fa9a14460fae51557f643d108ba54f7cb8440ce5aa0e60d7c2c4da"], 0x1e) (async)
write(r0, &(0x7f0000000080)="e4", 0x1)



-----Original Message-----
From: Caowangbao
Sent: 3 November 2022 10:13
To: 'Xin Long' <lucien.xin@...il.com>; Chenzhen(EulerOS) <chenzhen126@...wei.com>
Cc: 'vyasevich@...il.com' <vyasevich@...il.com>; 'nhorman@...driver.com' <nhorman@...driver.com>; 'marcelo.leitner@...il.com' <marcelo.leitner@...il.com>; 'linux-sctp@...r.kernel.org' <linux-sctp@...r.kernel.org>; 'davem@...emloft.net' <davem@...emloft.net>; 'edumazet@...gle.com' <edumazet@...gle.com>; 'kuba@...nel.org' <kuba@...nel.org>; 'pabeni@...hat.com' <pabeni@...hat.com>; 'netdev@...r.kernel.org' <netdev@...r.kernel.org>; Yanan (Euler) <yanan@...wei.com>
Subject: Re: BUG: kernel NULL pointer dereference in sctp_sched_dequeue_common

It can be reproduced by the command "./syz-execprog -procs=16 -repeat=0 sctp_sched_dequeue_common" with the attachments.

void sctp_sched_dequeue_common(struct sctp_outq *q, struct sctp_chunk *ch)
{
	list_del_init(&ch->list);
	list_del_init(&ch->stream_list);
	q->out_qlen -= ch->skb->len;		// ch->skb is NULL in the VMCore
}

The kernel log records:
	[23411.786575] list_del corruption, ffffa035ddf01c18->next is NULL
	[23411.787780] WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0
	******
	[23411.830256] Call Trace:
	[23411.830863]  sctp_sched_dequeue_common+0x17/0x70 [sctp]
	[23411.831940]  sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]
	[23411.832967]  sctp_outq_flush_data+0x85/0x360 [sctp]
It means "ch->list" has no element.

And in VMCore, there are many calls like:
	#2 [ffffaf7d84f6bbb8] __lock_sock at ffffffff8ac74ef9
	#3 [ffffaf7d84f6bc08] lock_sock_nested at ffffffff8ac74f92
	#4 [ffffaf7d84f6bc20] sctp_wait_for_sndbuf at ffffffffc0c8d9d2 [sctp]
	#5 [ffffaf7d84f6bc98] sctp_sendmsg_to_asoc at ffffffffc0c8dd1e [sctp]
	#6 [ffffaf7d84f6bd08] sctp_sendmsg at ffffffffc0c95f55 [sctp]
	#7 [ffffaf7d84f6bdb8] sock_sendmsg at ffffffff8ac6fd0b
	#8 [ffffaf7d84f6bdd0] sock_write_iter at ffffffff8ac6fdb7
	#9 [ffffaf7d84f6be48] new_sync_write at ffffffff8a784021
	#10 [ffffaf7d84f6bed0] vfs_write at ffffffff8a784d07
	#11 [ffffaf7d84f6bf08] ksys_write at ffffffff8a78719b
	#12 [ffffaf7d84f6bf40] do_syscall_64 at ffffffff8ae9a8b3
It may have something to do with these concurrent invocations.

-----Original Message-----
From: Xin Long [mailto:lucien.xin@...il.com]
Sent: 3 November 2022 9:20
To: Chenzhen(EulerOS) <chenzhen126@...wei.com>
Cc: vyasevich@...il.com; nhorman@...driver.com; marcelo.leitner@...il.com; linux-sctp@...r.kernel.org; davem@...emloft.net; edumazet@...gle.com; kuba@...nel.org; pabeni@...hat.com; netdev@...r.kernel.org; Caowangbao <caowangbao@...wei.com>; Yanan (Euler) <yanan@...wei.com>
Subject: Re: BUG: kernel NULL pointer dereference in sctp_sched_dequeue_common

On Wed, Nov 2, 2022 at 10:29 AM Zhen Chen <chenzhen126@...wei.com> wrote:
>
> Hi, all
>
> We found the following crash when running fuzz tests on stable-5.10.
>
> ------------[ cut here ]------------
> list_del corruption, ffffa035ddf01c18->next is NULL
> WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0
> CPU: 1 PID: 250682 Comm: syz-executor.7 Kdump: loaded Tainted: G           O
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
> RIP: 0010:__list_del_entry_valid+0x59/0xe0
> Code: c0 74 5a 4d 8b 00 49 39 f0 75 6a 48 8b 52 08 4c 39 c2 75 79 b8
> 01 00 00 00 c3 cc cc cc cc 48 c7 c7 68 ae 78 8b e8 d2 3d 4e 00 <0f> 0b
> 31 c0 c3 cc cc cc cc 48 c7 c7 90 ae 78 8b e8 bd 3d 4e 00 0f
> RSP: 0018:ffffaf7d84a57930 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: ffffa035ddf01c18 RCX: 0000000000000000
> RDX: ffffa035facb0820 RSI: ffffa035faca0410 RDI: ffffa035faca0410
> RBP: ffffa035dddff6f8 R08: 0000000000000000 R09: ffffaf7d84a57770
> R10: ffffaf7d84a57768 R11: ffffffff8bddc248 R12: ffffa035ddf01c18
> R13: ffffaf7d84a57af8 R14: ffffaf7d84a57c28 R15: 0000000000000000
> FS:  00007fb7353ae700(0000) GS:ffffa035fac80000(0000)
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f509a3d0ee8 CR3: 000000010f7c2001 CR4: 00000000001706e0
> Call Trace:
>  sctp_sched_dequeue_common+0x17/0x70 [sctp]
>  sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]
>  sctp_outq_flush_data+0x85/0x360 [sctp]
>  sctp_outq_uncork+0x77/0xa0 [sctp]
>  sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]
>  sctp_side_effects+0x37/0xe0 [sctp]
>  sctp_do_sm+0xd0/0x230 [sctp]
>  sctp_primitive_SEND+0x2f/0x40 [sctp]
>  sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]
>  sctp_sendmsg+0x3d5/0x440 [sctp]
>  sock_sendmsg+0x5b/0x70
>  sock_write_iter+0x97/0x100
>  new_sync_write+0x1a1/0x1b0
>  vfs_write+0x1b7/0x250
>  ksys_write+0xab/0xe0
>  do_syscall_64+0x33/0x40
>  entry_SYSCALL_64_after_hwframe+0x61/0xc6
> RIP: 0033:0x461e3d
> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fb7353adc08 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 000000000058c1d0 RCX: 0000000000461e3d
> RDX: 000000000000001e RSI: 0000000020002640 RDI: 0000000000000004
> RBP: 000000000058c1d0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007fb7353ae700 R14: 00007ffc4c20ce00 R15: 0000000000000fff
> ---[ end trace 332cf75246d5ba68 ]---
> BUG: kernel NULL pointer dereference, address: 0000000000000070
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 800000010c0d4067 P4D 800000010c0d4067 PUD 10f275067 PMD 0
> Oops: 0000 [#1] SMP PTI
> CPU: 1 PID: 250682 Comm: syz-executor.7 Kdump: loaded Tainted: G        W  O
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
> RIP: 0010:sctp_sched_dequeue_common+0x5c/0x70 [sctp]
> Code: 5b 08 4c 89 e7 e8 44 c5 cc c9 84 c0 74 0f 48 8b 53 18 48 8b 43
> 20 48 89 42 08 48 89 10 48 8b 43 38 4c 89 63 18 4c 89 63 20 5b <8b> 40
> 70 29 45 20 5d 41 5c c3 cc cc cc cc 66 0f 1f 44 00 00 0f 1f
> RSP: 0018:ffffaf7d84a57940 EFLAGS: 00010202
> RAX: 0000000000000000 RBX: ffffaf7d84a579a0 RCX: 0000000000000000
> RDX: ffffa035ddf01c30 RSI: ffffa035ddf01c30 RDI: ffffa035ddf01c30
> RBP: ffffa035dddff6f8 R08: ffffa035ddf01c30 R09: ffffaf7d84a57770
> R10: ffffaf7d84a57768 R11: ffffffff8bddc248 R12: ffffa035ddf01c30
> R13: ffffaf7d84a57af8 R14: ffffaf7d84a57c28 R15: 0000000000000000
> FS:  00007fb7353ae700(0000) GS:ffffa035fac80000(0000)
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000070 CR3: 000000010f7c2001 CR4: 00000000001706e0
> Call Trace:
>  sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]
>  sctp_outq_flush_data+0x85/0x360 [sctp]
>  sctp_outq_uncork+0x77/0xa0 [sctp]
>  sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]
>  sctp_side_effects+0x37/0xe0 [sctp]
>  sctp_do_sm+0xd0/0x230 [sctp]
>  sctp_primitive_SEND+0x2f/0x40 [sctp]
>  sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]
>  sctp_sendmsg+0x3d5/0x440 [sctp]
>  sock_sendmsg+0x5b/0x70
>  sock_write_iter+0x97/0x100
>  new_sync_write+0x1a1/0x1b0
>  vfs_write+0x1b7/0x250
>  ksys_write+0xab/0xe0
>  do_syscall_64+0x33/0x40
>  entry_SYSCALL_64_after_hwframe+0x61/0xc6
> RIP: 0033:0x461e3d
> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fb7353adc08 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 000000000058c1d0 RCX: 0000000000461e3d
> RDX: 000000000000001e RSI: 0000000020002640 RDI: 0000000000000004
> RBP: 000000000058c1d0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007fb7353ae700 R14: 00007ffc4c20ce00 R15: 0000000000000fff
>
>
> It is quite similar to the issue (see
> https://lore.kernel.org/all/CAO4mrfcB0d+qbwtfndzqcrL+QEQgfOmJYQMAdzwxRePmP8TY1A@...l.gmail.com/ ),
> which was addressed by 181d8d2066c0 (sctp: leave the err path free in
> sctp_stream_init to sctp_stream_free), but unfortunately the patch does not
> work with this bug :(
>
So this issue is reproducible in your env?
Can you show what it does in your test or the reproducer if there is one?

Thanks.
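Added example, not code from the kernel or from anyone in this thread: a userspace C model of the two symptoms in the report, the lib/list_debug.c warning when an entry's ->next is NULL and the fault at a small address when ch->skb is NULL. The struct layouts, the list helpers and dequeue_common() are constructed stand-ins that mirror the quoted function; dequeue_common() returns the would-be fault address instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
/* Constructed stand-ins, not the real kernel layouts; hdr is sized so that len
 * sits at offset 0x70, the faulting address reported in the oops. */
struct sk_buff    { char hdr[0x70]; unsigned int len; };
struct sctp_chunk { struct list_head list, stream_list; struct sk_buff *skb; };
struct sctp_outq  { struct list_head out_chunk_list; unsigned int out_qlen; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->next = head; n->prev = head->prev; head->prev->next = n; head->prev = n;
}
/* The checks lib/list_debug.c makes before an unlink; the first one produces the
 * warning text in the report. A NULL link means the entry is not on any list. */
static int list_del_entry_valid(const struct list_head *e)
{
	if (e->next && e->prev)
		return 1;
	fprintf(stderr, "list_del corruption, %p->%s is NULL\n", (const void *)e, e->next ? "prev" : "next");
	return 0;
}
/* list_del_init() as built with CONFIG_DEBUG_LIST: refuse the unlink when invalid. */
static void list_del_init(struct list_head *e)
{
	if (!list_del_entry_valid(e))
		return;
	e->prev->next = e->next; e->next->prev = e->prev;
	INIT_LIST_HEAD(e);
}
/* The dequeue quoted in the thread. The kernel has no NULL check here; this model
 * returns the address the load of skb->len would touch (NULL + field offset) instead. */
static int dequeue_common(struct sctp_outq *q, struct sctp_chunk *ch, size_t *fault_addr)
{
	list_del_init(&ch->list);
	list_del_init(&ch->stream_list);
	if (ch->skb == NULL) { *fault_addr = offsetof(struct sk_buff, len); return -1; }
	q->out_qlen -= ch->skb->len;
	return 0;
}
/* A properly queued chunk unlinks cleanly; returns out_qlen afterwards. */
static unsigned int scenario_queued(void)
{
	struct sk_buff skb = { .len = 100 };
	struct sctp_chunk ch = { .skb = &skb };
	struct sctp_outq q = { .out_qlen = 250 };
	size_t fault = 0;
	INIT_LIST_HEAD(&q.out_chunk_list); INIT_LIST_HEAD(&ch.stream_list);
	list_add_tail(&ch.list, &q.out_chunk_list);
	dequeue_common(&q, &ch, &fault);
	return q.out_qlen;
}
/* An all-zero chunk (never linked, skb NULL): the list check fires like the warning
 * in the report, then the skb load would fault at a small address, returned here. */
static size_t scenario_zeroed(void)
{
	struct sctp_chunk ch = { 0 };
	struct sctp_outq q = { .out_qlen = 250 };
	size_t fault = 0;
	INIT_LIST_HEAD(&q.out_chunk_list);
	dequeue_common(&q, &ch, &fault);
	return fault;
}
```

The zeroed scenario shows why the two diagnostics appear back to back: both "->next is NULL" and a fault at a tiny address point at a chunk whose memory holds no valid links and no skb, consistent with the author's reading that ch->list had no element.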
