[Android 5.15] kernel BUG in cdc_ncm_fill_tx_frame (2)


syzbot

May 8, 2023, 10:36:12 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 19c0ed55a470 Merge 5.15.106 into android13-5.15-lts
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=141214dc280000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8bc8779358f24fb
dashboard link: https://syzkaller.appspot.com/bug?extid=9f575a1f15fc0c01ed69
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1424c5f4280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=151d5d7a280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8ade0e897782/disk-19c0ed55.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/203011b1fd4d/vmlinux-19c0ed55.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7f39bb0b7ba9/bzImage-19c0ed55.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9f575a...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): usb0: link becomes ready
skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
Code: c0 c6 b1 85 48 c7 c6 b0 6f fd 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 ad 02 dd 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
RSP: 0018:ffffc900008d6f80 EFLAGS: 00010282
RAX: 0000000000000087 RBX: ffffffff85b1c740 RCX: 3b464bf4c86e1400
RDX: 0000000000000000 RSI: 0000000080000603 RDI: 0000000000000000
RBP: ffffc900008d6fc0 R08: ffffffff815748e5 R09: ffffed103ee065e8
R10: 0000000000000000 R11: dffffc0000000001 R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff88811f1c6c00
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d06720e000 CR3: 0000000115e8d000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
skb_put+0x151/0x210 net/core/skbuff.c:2047
skb_put_zero include/linux/skbuff.h:2422 [inline]
cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
cdc_ncm_tx_fixup+0xa3/0x100
usbnet_start_xmit+0x118/0x1b60 drivers/net/usb/usbnet.c:1368
__netdev_start_xmit include/linux/netdevice.h:5059 [inline]
netdev_start_xmit include/linux/netdevice.h:5073 [inline]
xmit_one net/core/dev.c:3599 [inline]
dev_hard_start_xmit+0x228/0x620 net/core/dev.c:3615
sch_direct_xmit+0x298/0x9b0 net/sched/sch_generic.c:342
__dev_xmit_skb net/core/dev.c:3826 [inline]
__dev_queue_xmit+0x161e/0x2e70 net/core/dev.c:4195
dev_queue_xmit+0x17/0x20 net/core/dev.c:4263
neigh_resolve_output+0x6b8/0x760 net/core/neighbour.c:1524
neigh_output include/net/neighbour.h:524 [inline]
ip6_finish_output2+0xf95/0x16e0 net/ipv6/ip6_output.c:126
__ip6_finish_output+0x678/0x850 net/ipv6/ip6_output.c:191
ip6_finish_output+0x31/0x210 net/ipv6/ip6_output.c:201
NF_HOOK_COND include/linux/netfilter.h:299 [inline]
ip6_output+0x1f7/0x4d0 net/ipv6/ip6_output.c:224
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:310 [inline]
mld_sendpack+0x662/0xbb0 net/ipv6/mcast.c:1820
mld_send_cr net/ipv6/mcast.c:2121 [inline]
mld_ifc_work+0x7dc/0xbb0 net/ipv6/mcast.c:2653
process_one_work+0x6bb/0xc10 kernel/workqueue.c:2313
worker_thread+0xad5/0x12a0 kernel/workqueue.c:2460
kthread+0x421/0x510 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Modules linked in:


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

May 8, 2023, 10:56:59 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3ad342cf5b2c Revert "net: mdio: fix owner field for mdio b..
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16f5ea32280000
kernel config: https://syzkaller.appspot.com/x/.config?x=4c2e555eed123787
dashboard link: https://syzkaller.appspot.com/bug?extid=38fc76976c23d1ad8d44
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13747922280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b4fb90280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/68efc541dcd2/disk-3ad342cf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f1c55bff052a/vmlinux-3ad342cf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/62b39d17209d/bzImage-3ad342cf.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+38fc76...@syzkaller.appspotmail.com

skbuff: skb_over_panic: text:ffffffff8304d6bb len:184 put:172 head:ffff8881073a2400 data:ffff8881073a2400 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:110!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.10.177-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:skb_panic net/core/skbuff.c:110 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:115
Code: 60 5f 8d 85 48 c7 c6 f5 04 d8 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 e7 8b ec 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
RSP: 0018:ffffc9000016fea0 EFLAGS: 00010286
RAX: 0000000000000087 RBX: ffffffff858d5fe0 RCX: d8a862c2af08d000
RDX: 0000000080000704 RSI: 0000000080000704 RDI: 0000000000000000
RBP: ffffc9000016fee0 R08: ffffffff8151f808 R09: ffffed103ee2a600
R10: 0000000000000000 R11: dffffc0000000001 R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff8881073a2400
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005573324327d8 CR3: 0000000115aa2000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
skb_put+0x151/0x210 net/core/skbuff.c:1915
skb_put_zero include/linux/skbuff.h:2328 [inline]
cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1118 [inline]
cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1295
cdc_ncm_tx_fixup+0xa3/0x100
usbnet_start_xmit+0x118/0x1a40 drivers/net/usb/usbnet.c:1336
__netdev_start_xmit include/linux/netdevice.h:4841 [inline]
netdev_start_xmit include/linux/netdevice.h:4855 [inline]
xmit_one net/core/dev.c:3597 [inline]
dev_hard_start_xmit+0x228/0x620 net/core/dev.c:3613
sch_direct_xmit+0x292/0x9b0 net/sched/sch_generic.c:336
qdisc_restart net/sched/sch_generic.c:401 [inline]
__qdisc_run+0xa85/0x1df0 net/sched/sch_generic.c:409
qdisc_run+0x121/0x330 include/net/pkt_sched.h:127
__dev_xmit_skb net/core/dev.c:3789 [inline]
__dev_queue_xmit+0xcf0/0x28e0 net/core/dev.c:4145
dev_queue_xmit+0x17/0x20 net/core/dev.c:4213
neigh_resolve_output+0x6b8/0x760 net/core/neighbour.c:1529
neigh_output include/net/neighbour.h:524 [inline]
ip6_finish_output2+0xf21/0x1850 net/ipv6/ip6_output.c:145
__ip6_finish_output+0x658/0x820 net/ipv6/ip6_output.c:210
ip6_finish_output+0x34/0x1e0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:293 [inline]
ip6_output+0x1f7/0x4d0 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:443 [inline]
NF_HOOK include/linux/netfilter.h:304 [inline]
mld_sendpack+0x5fc/0xb40 net/ipv6/mcast.c:1676
mld_send_cr net/ipv6/mcast.c:1972 [inline]
mld_ifc_timer_expire+0x816/0xbf0 net/ipv6/mcast.c:2471
call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1420
expire_timers kernel/time/timer.c:1465 [inline]
__run_timers+0x72a/0xa10 kernel/time/timer.c:1759
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1772
__do_softirq+0x268/0x5bb kernel/softirq.c:309
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:405 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:435
irq_exit_rcu+0x9/0x10 kernel/softirq.c:447
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:575 [inline]
RIP: 0010:acpi_idle_enter+0x416/0x760 drivers/acpi/processor_idle.c:710
Code: 89 de 48 83 e6 08 31 ff e8 f7 65 bb fc 48 83 e3 08 0f 85 b0 00 00 00 0f 1f 44 00 00 e8 a3 61 bb fc 0f 00 2d ac f0 b6 00 fb f4 <fa> e9 e1 00 00 00 49 83 c7 04 4c 89 f8 48 c1 e8 03 42 0f b6 04 30
RSP: 0018:ffffc90000107c30 EFLAGS: 000002d3
RAX: ffffffff84af0b4d RBX: 0000000000000000 RCX: ffff888100290000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000107c70 R08: ffffffff84af0b39 R09: ffffed1020052001
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: ffff888100076004 R14: dffffc0000000000 R15: ffff888105f81864
cpuidle_enter_state+0x5e1/0x1550 drivers/cpuidle/cpuidle.c:249
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:364
call_cpuidle kernel/sched/idle.c:160 [inline]
cpuidle_idle_call kernel/sched/idle.c:241 [inline]
do_idle+0x364/0x5c0 kernel/sched/idle.c:302
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:398
start_secondary+0x2e9/0x3a0 arch/x86/kernel/smpboot.c:265
secondary_startup_64_no_verify+0xb1/0xbb
Modules linked in:
---[ end trace 64c317807c21ae36 ]---
RIP: 0010:skb_panic net/core/skbuff.c:110 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:115
Code: 60 5f 8d 85 48 c7 c6 f5 04 d8 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 e7 8b ec 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 f7 65 bb fc callq 0xfcbb6604
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 b0 00 00 00 jne 0xc7
17: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1c: e8 a3 61 bb fc callq 0xfcbb61c4
21: 0f 00 2d ac f0 b6 00 verw 0xb6f0ac(%rip) # 0xb6f0d4
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 e1 00 00 00 jmpq 0x111
30: 49 83 c7 04 add $0x4,%r15
34: 4c 89 f8 mov %r15,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax

Tudor Ambarus

May 9, 2023, 3:34:57 AM
to syzbot+9f575a...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, Lee Jones

syzbot

May 9, 2023, 6:56:28 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
syzbot has bisected this issue to:

commit 3c55aa6ffeeff6673ab8077c0b9c0c46a4edd476
Author: Vignesh Saravanaperumal <vigne...@samsung.com>
Date: Thu Jul 8 14:01:33 2021 +0000

ANDROID: GKI: add vendor padding variable in struct skb_shared_info

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1639a250280000
start commit: 19c0ed55a470 Merge 5.15.106 into android13-5.15-lts
git tree: android13-5.15-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=1539a250280000
console output: https://syzkaller.appspot.com/x/log.txt?x=1139a250280000
Reported-by: syzbot+9f575a...@syzkaller.appspotmail.com
Fixes: 3c55aa6ffeef ("ANDROID: GKI: add vendor padding variable in struct skb_shared_info")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

May 9, 2023, 7:17:24 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+9f575a...@syzkaller.appspotmail.com

Tested on:

commit: 8a7f2a5c Linux 5.15.110
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=113b2c98280000
kernel config: https://syzkaller.appspot.com/x/.config?x=4fa6b7df0a6ad796
dashboard link: https://syzkaller.appspot.com/bug?extid=9f575a1f15fc0c01ed69
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

Tudor Ambarus

May 15, 2023, 7:16:17 AM
to syzbot+9f575a...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, Lee Jones
I can't reproduce locally, checking syzbot's reproducibility rate:

#syz test: https://android.googlesource.com/kernel/common
19c0ed55a470d1cd766484abab04871b648560fb

syzbot

May 15, 2023, 7:58:26 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in cdc_ncm_fill_tx_frame

IPv6: ADDRCONF(NETDEV_CHANGE): usb0: link becomes ready
skbuff: skb_over_panic: text:ffffffff831f5f3b len:184 put:172 head:ffff88812371d400 data:ffff88812371d400 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 293 Comm: kworker/1:2 Not tainted 5.15.106-syzkaller-05912-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
Code: 40 c6 b1 85 48 c7 c6 80 67 fd 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 cd 08 dd 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
RSP: 0018:ffffc900009f6f80 EFLAGS: 00010282
RAX: 0000000000000087 RBX: ffffffff85b1c6c0 RCX: 7dbcee8b8cbeea00
RDX: 0000000000000000 RSI: 0000000000000603 RDI: 0000000000000000
RBP: ffffc900009f6fc0 R08: ffffffff815748e5 R09: ffffed103ee265e8
R10: 0000000000000000 R11: dffffc0000000001 R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff88812371d400
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562b10818000 CR3: 000000011ee83000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace f1e38367dfd87335 ]---
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
Code: 40 c6 b1 85 48 c7 c6 80 67 fd 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 cd 08 dd 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
RSP: 0018:ffffc900009f6f80 EFLAGS: 00010282
RAX: 0000000000000087 RBX: ffffffff85b1c6c0 RCX: 7dbcee8b8cbeea00
RDX: 0000000000000000 RSI: 0000000000000603 RDI: 0000000000000000
RBP: ffffc900009f6fc0 R08: ffffffff815748e5 R09: ffffed103ee265e8
R10: 0000000000000000 R11: dffffc0000000001 R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff88812371d400
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562b10818000 CR3: 000000011ee83000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 19c0ed55 Merge 5.15.106 into android13-5.15-lts
git tree: https://android.googlesource.com/kernel/common
console output: https://syzkaller.appspot.com/x/log.txt?x=12b372c6280000
kernel config: https://syzkaller.appspot.com/x/.config?x=229b64f4e32e3998

Tudor Ambarus

May 15, 2023, 10:12:42 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
Let's add some prints:

#syz test: https://android.googlesource.com/kernel/common
19c0ed55a470d1cd766484abab04871b648560fb

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 15f91d691bba3..74198fdd12c5e 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -163,6 +163,8 @@ static u32 cdc_ncm_check_rx_max(struct usbnet *dev,
u32 new_rx)
}

val = clamp_t(u32, new_rx, min, max);
+ dev_err(&dev->intf->dev, "%s: [new_rx, min, max] [%u, %u, %u]
range\n",
+ __func__, new_rx, min, max);
if (val != new_rx)
dev_dbg(&dev->intf->dev, "rx_max must be in the [%u, %u]
range\n", min, max);
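Review bot: the added dev_err() has been line-wrapped by the mail client: the string literal `"%s: [new_rx, min, max] [%u, %u, %u]` continues on a line that begins with `range\n",` and carries no leading `+`, so the hunk no longer has the line counts its `@@ -163,6 +163,8 @@` header promises and `patch` rejects it (syzbot's "unexpected end of file in patch" reply below is exactly this). Resend from a git branch or as an attachment. Also drop the stray word `range` from the format string; it was carried over from the dev_dbg() message two lines down and makes the output read oddly.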

@@ -187,6 +189,8 @@ static u32 cdc_ncm_check_tx_max(struct usbnet *dev,
u32 new_tx)
/* some devices set dwNtbOutMaxSize too low for the above default */
min = min(min, max);

+ dev_err(&dev->intf->dev, "%s: [new_tx, min, max] [%u, %u, %u]\n",
+ __func__, new_tx, min, max);
val = clamp_t(u32, new_tx, min, max);
if (val != new_tx)
dev_dbg(&dev->intf->dev, "tx_max must be in the [%u, %u]
range\n", min, max);
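Review bot: the print goes in before `val = clamp_t(u32, new_tx, min, max);`, which is the right place to observe the bounds, but the interesting value is already gone by then: `min = min(min, max);` on the line above discards the computed lower bound whenever the device-derived `max` is smaller, so for a tiny dwNtbOutMaxSize the clamp cannot keep tx_max large enough to hold even the NTH16 plus NDP16 headers (184 bytes in the report). Print `min` before that line as well, or log dwNtbOutMaxSize here, so the log shows where the bound collapses. This hunk has the same mail-wrapping damage as the first one (the `+` line is split after `[%u, %u, %u]\n",`).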
@@ -707,6 +711,8 @@ static int cdc_ncm_setup(struct usbnet *dev)
def_tx = min_t(u32, CDC_NCM_NTB_DEF_SIZE_TX,
le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize));

+ dev_err(&dev->intf->dev, "%s
le32_to_cpu(ctx->ncm_parm.dwNtbInMaxSize) = %u,
le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize) = %u \n",
+ __func__, le32_to_cpu(ctx->ncm_parm.dwNtbInMaxSize),
le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize));
/* clamp rx_max and tx_max and inform device */
cdc_ncm_update_rxtx_max(dev, def_rx, def_tx);
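Review bot: the format string on the `+ dev_err(&dev->intf->dev, "%s` line is broken over three lines, with a newline inside the literal and no `+` on the continuations, so the hunk is invalid both as a patch and as C; it also has a stray space before `\n`. Resend from a branch. Content-wise this is the print that matters, since dwNtbOutMaxSize feeds `def_tx = min_t(u32, CDC_NCM_NTB_DEF_SIZE_TX, ...)` just above it; printing `def_rx` and `def_tx` next to it would show directly what cdc_ncm_update_rxtx_max() is about to program.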

syzbot

May 15, 2023, 10:31:35 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file drivers/net/usb/cdc_ncm.c
patch: **** unexpected end of file in patch



Tested on:

commit: 19c0ed55 Merge 5.15.106 into android13-5.15-lts
git tree: https://android.googlesource.com/kernel/common
patch: https://syzkaller.appspot.com/x/patch.diff?x=123ab911280000

Tudor Ambarus

May 15, 2023, 10:39:51 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
Add some debug prints.

#syz test: https://github.com/ambarus/linux.git cdc_ncm_fill_tx_frame2-bug

syzbot

May 15, 2023, 11:09:22 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in cdc_ncm_fill_tx_frame

skbuff: skb_over_panic: text:ffffffff831f637b len:184 put:172 head:ffff88810cc6a800 data:ffff88810cc6a800 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 20 Comm: kworker/0:1 Not tainted 5.15.106-syzkaller-05913-g41c2901e24e0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
Code: 40 c7 b1 85 48 c7 c6 b0 68 fd 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 3d 03 dd 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
RSP: 0018:ffffc90000146f80 EFLAGS: 00010282
RAX: 0000000000000087 RBX: ffffffff85b1c7c0 RCX: 01d7663484d4ff00
RDX: 0000000000000000 RSI: 0000000000000603 RDI: 0000000000000000
RBP: ffffc90000146fc0 R08: ffffffff815748e5 R09: ffffed103ee065e8
R10: 0000000000000000 R11: dffffc0000000001 R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff88810cc6a800
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f06af4a4a12 CR3: 000000011eef6000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
skb_put+0x151/0x210 net/core/skbuff.c:2047
skb_put_zero include/linux/skbuff.h:2422 [inline]
cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1138 [inline]
cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1315
---[ end trace 2fab3b4c1ff6a42f ]---
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
Code: 40 c7 b1 85 48 c7 c6 b0 68 fd 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 3d 03 dd 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 10 89
RSP: 0018:ffffc90000146f80 EFLAGS: 00010282
RAX: 0000000000000087 RBX: ffffffff85b1c7c0 RCX: 01d7663484d4ff00
RDX: 0000000000000000 RSI: 0000000000000603 RDI: 0000000000000000
RBP: ffffc90000146fc0 R08: ffffffff815748e5 R09: ffffed103ee065e8
R10: 0000000000000000 R11: dffffc0000000001 R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff88810cc6a800
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f06af4a4a12 CR3: 000000011eef6000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 41c2901e add debug prints
git tree: https://github.com/ambarus/linux.git cdc_ncm_fill_tx_frame2-bug
console output: https://syzkaller.appspot.com/x/log.txt?x=15587906280000

Tudor Ambarus

May 16, 2023, 4:09:31 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
It looks like we should add a min boundary for dwNtbOutMaxSize, checking the code.
le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize) = 2

Tudor Ambarus

May 16, 2023, 5:06:39 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
Let's clamp ctx->ncm_parm.dwNtbOutMaxSize to protect from values smaller than 2048.
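
The size negotiation the two messages above describe, as an added example that is not part of the thread or of the driver: a small C model of the tx-size path, with the `min = min(min, max)` step visible in the debug patch, the `def_tx = min_t(CDC_NCM_NTB_DEF_SIZE_TX, dwNtbOutMaxSize)` step from setup, and the sanitizing clamp of the device-supplied value that the fix proposes. Assumed, because the page does not show them: the kernel constants for the default and maximum NTB sizes and the default datagram size, how `max` is derived from dwNtbOutMaxSize inside the check, and that a zero dwNtbOutMaxSize still means "unset". The 2048 floor, the 172-byte NDP16 (`put:172`) and the 12-byte NTH16 (184 - 172) come from the report; allocator rounding is not modelled, so the report's 128-byte `end` is passed in explicitly rather than derived.

```c
/*
 * Model of the cdc_ncm tx-size negotiation discussed in this thread.
 * Added example, not driver code. Constants marked "assumed" are taken
 * from memory of the kernel headers; only the 2048 floor is on the page.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USB_CDC_NCM_NTB_MIN_OUT_SIZE 2048u   /* floor the proposed fix enforces */
#define CDC_NCM_NTB_DEF_SIZE_TX      16384u  /* assumed default */
#define CDC_NCM_NTB_MAX_SIZE_TX      32768u  /* assumed ceiling */
#define CDC_NCM_MIN_DATAGRAM_SIZE    1514u   /* assumed default max_datagram_size */
#define NTH16_LEN                    12u     /* sizeof(struct usb_cdc_ncm_nth16) */
#define NDP16_LEN                    172u    /* max_ndp_size; matches "put:172" */

struct ncm_parm_model {
	uint32_t dwNtbOutMaxSize;   /* device-supplied, untrusted */
	uint32_t max_datagram_size;
	uint32_t max_ndp_size;
};

static uint32_t clamp_u32(uint32_t v, uint32_t lo, uint32_t hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }

/*
 * Mirrors cdc_ncm_check_tx_max() as far as the thread shows it: compute a
 * lower bound, then `min = min(min, max)`, so a device advertising a tiny
 * dwNtbOutMaxSize drags the lower bound down with it.
 */
static uint32_t check_tx_max(const struct ncm_parm_model *p, uint32_t new_tx)
{
	uint32_t min = p->max_datagram_size + p->max_ndp_size + NTH16_LEN;
	/* assumption: max is dwNtbOutMaxSize when set, else the ceiling */
	uint32_t max = p->dwNtbOutMaxSize ? p->dwNtbOutMaxSize
					  : CDC_NCM_NTB_MAX_SIZE_TX;

	min = min_u32(min, max);   /* "some devices set dwNtbOutMaxSize too low" */
	return clamp_u32(new_tx, min, max);
}

/* Setup path as in the third hunk: def_tx = min(DEF_SIZE_TX, dwNtbOutMaxSize). */
static uint32_t setup_tx_max(const struct ncm_parm_model *p)
{
	return check_tx_max(p, min_u32(CDC_NCM_NTB_DEF_SIZE_TX, p->dwNtbOutMaxSize));
}

/*
 * The fix the thread converges on: sanitize the device value once, before
 * anything derives a buffer size from it. Zero is kept as "unset"
 * (assumption); any other value is clamped into [2048, 32768].
 */
static void sanitize_ncm_parm(struct ncm_parm_model *p)
{
	if (p->dwNtbOutMaxSize)
		p->dwNtbOutMaxSize = clamp_u32(p->dwNtbOutMaxSize,
					       USB_CDC_NCM_NTB_MIN_OUT_SIZE,
					       CDC_NCM_NTB_MAX_SIZE_TX);
}

/* Negotiated tx_max for one device value, with or without the fix. */
static uint32_t negotiated_tx_max(uint32_t dwNtbOutMaxSize, bool sanitize)
{
	struct ncm_parm_model p = { dwNtbOutMaxSize, CDC_NCM_MIN_DATAGRAM_SIZE, NDP16_LEN };

	if (sanitize)
		sanitize_ncm_parm(&p);
	return setup_tx_max(&p);
}

/*
 * What cdc_ncm_fill_tx_frame() does first with a fresh tx buffer of tx_max
 * bytes: skb_put() the NTH16, then skb_put_zero() the NDP16. Returns the
 * resulting tail, or 0 where skb_put() would trip skb_over_panic (tail > end).
 * A 128-byte buffer reproduces the "len:184 put:172 tail:0xb8 end:0x80" line.
 */
static uint32_t fill_tx_frame_header(uint32_t tx_max)
{
	uint32_t tail = 0, end = tx_max;

	if (tail + NTH16_LEN > end)
		return 0;
	tail += NTH16_LEN;
	if (tail + NDP16_LEN > end)   /* the skb_put(172) that panics */
		return 0;
	return tail + NDP16_LEN;
}

int main(void)
{
	uint32_t dev_value = 2;   /* constructed: what the debug print showed */
	uint32_t raw = negotiated_tx_max(dev_value, false);
	uint32_t fixed = negotiated_tx_max(dev_value, true);

	printf("dwNtbOutMaxSize=%u: tx_max %u -> header tail %u (0 = over-panic)\n",
	       dev_value, raw, fill_tx_frame_header(raw));
	printf("after clamp:         tx_max %u -> header tail %u\n",
	       fixed, fill_tx_frame_header(fixed));
	return 0;
}
```

Compile with any C99 compiler; the program prints the negotiated tx_max before and after sanitizing for the dwNtbOutMaxSize = 2 case the debug run exposed. The point of keeping the clamp in sanitize_ncm_parm() rather than in check_tx_max() is that every later consumer of the field, including the def_tx computation in setup, sees the floored value.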

syzbot

May 16, 2023, 5:51:40 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+9f575a...@syzkaller.appspotmail.com

Tested on:

commit: 9e895e27 clamp ctx->ncm_parm.dwNtbOutMaxSize
git tree: https://github.com/ambarus/linux.git cdc_ncm_fill_tx_frame2-bug
console output: https://syzkaller.appspot.com/x/log.txt?x=10609cba280000
kernel config: https://syzkaller.appspot.com/x/.config?x=229b64f4e32e3998
dashboard link: https://syzkaller.appspot.com/bug?extid=9f575a1f15fc0c01ed69
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

May 16, 2023, 5:53:48 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
Okay, so we need to protect from low values of dwNtbOutMaxSize; will send a patch to the netdev ML.

Tudor Ambarus

May 17, 2023, 9:00:09 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
Retest before sending proposal to mainline:

#syz test: https://github.com/ambarus/linux.git cdc_ncm_fill_tx_frame2-bug

syzbot

May 17, 2023, 9:37:20 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+9f575a...@syzkaller.appspotmail.com

Tested on:

commit: 3ee24901 clamp ctx->ncm_parm.dwNtbOutMaxSize
git tree: https://github.com/ambarus/linux.git cdc_ncm_fill_tx_frame2-bug
console output: https://syzkaller.appspot.com/x/log.txt?x=15d7804a280000

Tudor Ambarus

May 17, 2023, 9:40:38 AM
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com