lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y3uULqIZ31at0aIX@hog>
Date:   Mon, 21 Nov 2022 16:07:26 +0100
From:   Sabrina Dubroca <sd@...asysnail.net>
To:     steffen.klassert@...unet.com,
        syzbot <syzbot+bfb2bee01b9c01fff864@...kaller.appspotmail.com>
Cc:     davem@...emloft.net, edumazet@...gle.com,
        herbert@...dor.apana.org.au, kuba@...nel.org,
        linux-kernel@...r.kernel.org, linux-next@...r.kernel.org,
        netdev@...r.kernel.org, pabeni@...hat.com, sfr@...b.auug.org.au,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] linux-next test error: general protection fault in
 xfrm_policy_lookup_bytype

2022-11-21, 05:47:38 -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    e4cd8d3ff7f9 Add linux-next specific files for 20221121
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1472370d880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a0ebedc6917bacc1
> dashboard link: https://syzkaller.appspot.com/bug?extid=bfb2bee01b9c01fff864
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/b59eb967701d/disk-e4cd8d3f.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/37a7b43e6e84/vmlinux-e4cd8d3f.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ebfb0438e6a2/bzImage-e4cd8d3f.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+bfb2bee01b9c01fff864@...kaller.appspotmail.com
> 
> general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
> CPU: 0 PID: 5295 Comm: kworker/0:3 Not tainted 6.1.0-rc5-next-20221121-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
> Workqueue: ipv6_addrconf addrconf_dad_work
> RIP: 0010:xfrm_policy_lookup_bytype.cold+0x1c/0x54 net/xfrm/xfrm_policy.c:2139

That's the printk at the end of the function, when
xfrm_policy_lookup_bytype returns NULL. It seems to have snuck into
commit c39f95aaf6d1 ("xfrm: Fix oops in __xfrm_state_delete()"), we
can just remove it:

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 3a203c59a11b..e392d8d05e0c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2135,9 +2135,6 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
 fail:
 	rcu_read_unlock();
 
-	if (!IS_ERR(ret))
-		printk("xfrm_policy_lookup_bytype: policy if_id %d, wanted if_id  %d\n", ret->if_id, if_id);
-
 	return ret;
 }
 


> Code: 80 44 28 8e e8 9a 88 37 fa e9 28 e7 7b fe e8 c0 25 7a f7 49 8d bf cc 00 00 00 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1c 41
> RSP: 0018:ffffc90003cdf1e0 EFLAGS: 00010203
> RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
> RDX: 0000000000000019 RSI: ffffffff8a068150 RDI: 00000000000000cc
> RBP: 0000000000000000 R08: 0000000000000007 R09: fffffffffffff000
> R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000000
> R13: ffff88802ae78000 R14: ffffed10055cf2ff R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fb5cb893300 CR3: 00000000714fb000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  xfrm_policy_lookup net/xfrm/xfrm_policy.c:2151 [inline]
>  xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2958 [inline]
>  xfrm_lookup_with_ifid+0x39b/0x20f0 net/xfrm/xfrm_policy.c:3099
>  xfrmi_xmit2 net/xfrm/xfrm_interface.c:404 [inline]
>  xfrmi_xmit+0x3c7/0x1b90 net/xfrm/xfrm_interface.c:521
>  __netdev_start_xmit include/linux/netdevice.h:4859 [inline]
>  netdev_start_xmit include/linux/netdevice.h:4873 [inline]
>  xmit_one net/core/dev.c:3583 [inline]
>  dev_hard_start_xmit+0x1c2/0x990 net/core/dev.c:3599
>  __dev_queue_xmit+0x2cdf/0x3ba0 net/core/dev.c:4249
>  dev_queue_xmit include/linux/netdevice.h:3029 [inline]
>  neigh_connected_output+0x3c4/0x520 net/core/neighbour.c:1600
>  neigh_output include/net/neighbour.h:546 [inline]
>  ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
>  __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
>  ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
>  NF_HOOK_COND include/linux/netfilter.h:291 [inline]
>  ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
>  dst_output include/net/dst.h:444 [inline]
>  NF_HOOK include/linux/netfilter.h:302 [inline]
>  ndisc_send_skb+0xa63/0x1740 net/ipv6/ndisc.c:508
>  ndisc_send_rs+0x132/0x6f0 net/ipv6/ndisc.c:718
>  addrconf_dad_completed+0x37a/0xda0 net/ipv6/addrconf.c:4248
>  addrconf_dad_begin net/ipv6/addrconf.c:4014 [inline]
>  addrconf_dad_work+0x820/0x12d0 net/ipv6/addrconf.c:4116
>  process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
>  worker_thread+0x669/0x1090 kernel/workqueue.c:2436
>  kthread+0x2e8/0x3a0 kernel/kthread.c:376
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
>  </TASK>

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ