lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <00000000000011542d0603fca409@google.com>
Date: Mon, 28 Aug 2023 07:37:59 -0700
From: syzbot <syzbot+b197eb04ec8e2c0407bd@...kaller.appspotmail.com>
To: davem@...emloft.net, edumazet@...gle.com, jhs@...atatu.com, 
	jiri@...nulli.us, kuba@...nel.org, linux-kernel@...r.kernel.org, 
	netdev@...r.kernel.org, pabeni@...hat.com, syzkaller-bugs@...glegroups.com, 
	xiyou.wangcong@...il.com
Subject: [syzbot] [net?] KCSAN: data-race in pfifo_fast_dequeue /
 pfifo_fast_enqueue (3)

Hello,

syzbot found the following issue on:

HEAD commit:    25aa0bebba72 Merge tag 'net-6.5-rc6' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=140d163ba80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a1abf5b066126c86
dashboard link: https://syzkaller.appspot.com/bug?extid=b197eb04ec8e2c0407bd
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/37e7726f4b59/disk-25aa0beb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c08aceaec1ed/vmlinux-25aa0beb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/49fb33802692/bzImage-25aa0beb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b197eb04ec8e2c0407bd@...kaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in pfifo_fast_dequeue / pfifo_fast_enqueue

write to 0xffff88810487fe80 of 8 bytes by task 19023 on cpu 1:
 __ptr_ring_discard_one include/linux/ptr_ring.h:280 [inline]
 __ptr_ring_consume include/linux/ptr_ring.h:301 [inline]
 __skb_array_consume include/linux/skb_array.h:98 [inline]
 pfifo_fast_dequeue+0x887/0xee0 net/sched/sch_generic.c:757
 dequeue_skb net/sched/sch_generic.c:292 [inline]
 qdisc_restart net/sched/sch_generic.c:397 [inline]
 __qdisc_run+0x1a2/0x1100 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3766 [inline]
 __dev_queue_xmit+0xe98/0x1d10 net/core/dev.c:4169
 dev_queue_xmit include/linux/netdevice.h:3088 [inline]
 llc_build_and_send_ui_pkt+0x1d4/0x1f0 net/llc/llc_output.c:67
 llc_ui_sendmsg+0x43a/0x5e0 net/llc/af_llc.c:978
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0x79/0xd0 net/socket.c:748
 splice_to_socket+0x653/0x9c0 fs/splice.c:884
 do_splice_from fs/splice.c:936 [inline]
 direct_splice_actor+0x8a/0xb0 fs/splice.c:1145
 splice_direct_to_actor+0x31d/0x690 fs/splice.c:1091
 do_splice_direct+0x10d/0x190 fs/splice.c:1197
 do_sendfile+0x3b6/0x9a0 fs/read_write.c:1254
 __do_sys_sendfile64 fs/read_write.c:1322 [inline]
 __se_sys_sendfile64 fs/read_write.c:1308 [inline]
 __x64_sys_sendfile64+0x110/0x150 fs/read_write.c:1308
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88810487fe80 of 8 bytes by task 19022 on cpu 0:
 __ptr_ring_produce include/linux/ptr_ring.h:106 [inline]
 ptr_ring_produce include/linux/ptr_ring.h:129 [inline]
 skb_array_produce include/linux/skb_array.h:44 [inline]
 pfifo_fast_enqueue+0xcc/0x2a0 net/sched/sch_generic.c:730
 dev_qdisc_enqueue net/core/dev.c:3732 [inline]
 __dev_xmit_skb net/core/dev.c:3772 [inline]
 __dev_queue_xmit+0x7c7/0x1d10 net/core/dev.c:4169
 dev_queue_xmit include/linux/netdevice.h:3088 [inline]
 llc_build_and_send_ui_pkt+0x1d4/0x1f0 net/llc/llc_output.c:67
 llc_ui_sendmsg+0x43a/0x5e0 net/llc/af_llc.c:978
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0x79/0xd0 net/socket.c:748
 splice_to_socket+0x653/0x9c0 fs/splice.c:884
 do_splice_from fs/splice.c:936 [inline]
 direct_splice_actor+0x8a/0xb0 fs/splice.c:1145
 splice_direct_to_actor+0x31d/0x690 fs/splice.c:1091
 do_splice_direct+0x10d/0x190 fs/splice.c:1197
 do_sendfile+0x3b6/0x9a0 fs/read_write.c:1254
 __do_sys_sendfile64 fs/read_write.c:1322 [inline]
 __se_sys_sendfile64 fs/read_write.c:1308 [inline]
 __x64_sys_sendfile64+0x110/0x150 fs/read_write.c:1308
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0xffff888161b34f00 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 19022 Comm: syz-executor.0 Tainted: G        W          6.5.0-rc5-syzkaller-00182-g25aa0bebba72 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ