general protection fault in em_cmp_match


syzbot

Dec 10, 2022, 7:09:37 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: f3226d86f8ce Revert "xfrm: fix "disable_policy" on ipv4 ea..
git tree: android12-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15dd760b880000
kernel config: https://syzkaller.appspot.com/x/.config?x=688a14d196e754da
dashboard link: https://syzkaller.appspot.com/bug?extid=d20933a868ac6b7b379b
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12086b6d880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17812ddb880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2257de906339/disk-f3226d86.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6afc82dd0371/vmlinux-f3226d86.xz
kernel image: https://storage.googleapis.com/syzbot-assets/026810a3e231/bzImage-f3226d86.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d20933...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 68 Comm: kworker/0:1 Not tainted 5.10.157-syzkaller-01102-gf3226d86f8ce #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: wg-crypt-wg2 wg_packet_tx_worker
RIP: 0010:em_cmp_match+0x4e/0x580 net/sched/em_cmp.c:25
Code: 89 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 a0 61 c3 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 dd 03 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc9000024f0f8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff8881065fcf00
RDX: 0000000000000000 RSI: ffff88811388d2c0 RDI: ffff8881141c2500
RBP: ffffc9000024f130 R08: ffffffff83e3b005 R09: ffffc9000024f1c0
R10: fffff52000049e48 R11: 1ffff92000049e38 R12: ffffffff868e0510
R13: ffff8881141c2500 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff773eaff8 CR3: 00000001057f0000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_em_match net/sched/ematch.c:492 [inline]
__tcf_em_tree_match+0x194/0x720 net/sched/ematch.c:518
tcf_em_tree_match include/net/pkt_cls.h:467 [inline]
basic_classify+0xd8/0x250 net/sched/cls_basic.c:48
__tcf_classify net/sched/cls_api.c:1550 [inline]
tcf_classify+0x161/0x430 net/sched/cls_api.c:1587
prio_classify net/sched/sch_prio.c:42 [inline]
prio_enqueue+0x1d0/0x6a0 net/sched/sch_prio.c:75
__dev_xmit_skb net/core/dev.c:3827 [inline]
__dev_queue_xmit+0xd71/0x2a20 net/core/dev.c:4141
dev_queue_xmit+0x17/0x20 net/core/dev.c:4209
neigh_hh_output include/net/neighbour.h:508 [inline]
neigh_output include/net/neighbour.h:522 [inline]
ip_finish_output2+0xb25/0xfd0 net/ipv4/ip_output.c:237
__ip_finish_output+0x412/0x750 net/ipv4/ip_output.c:259
ip_finish_output+0x1c9/0x1e0 net/ipv4/ip_output.c:325
NF_HOOK_COND include/linux/netfilter.h:293 [inline]
ip_output+0x1e9/0x410 net/ipv4/ip_output.c:439
dst_output include/net/dst.h:443 [inline]
ip_local_out+0x92/0xb0 net/ipv4/ip_output.c:126
iptunnel_xmit+0x45e/0x830 net/ipv4/ip_tunnel_core.c:82
udp_tunnel_xmit_skb+0x1b6/0x2c0 net/ipv4/udp_tunnel_core.c:190
send4+0x609/0xd30 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xd5/0x1d0 drivers/net/wireguard/socket.c:175
wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
wg_packet_tx_worker+0x1f2/0x510 drivers/net/wireguard/send.c:276
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299
Modules linked in:
---[ end trace a14651166ff1a6b6 ]---
RIP: 0010:em_cmp_match+0x4e/0x580 net/sched/em_cmp.c:25
Code: 89 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 a0 61 c3 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 dd 03 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc9000024f0f8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff8881065fcf00
RDX: 0000000000000000 RSI: ffff88811388d2c0 RDI: ffff8881141c2500
RBP: ffffc9000024f130 R08: ffffffff83e3b005 R09: ffffc9000024f1c0
R10: fffff52000049e48 R11: 1ffff92000049e38 R12: ffffffff868e0510
R13: ffff8881141c2500 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff773eaff8 CR3: 00000001057f0000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 fd mov %edi,%ebp
2: 48 83 c3 08 add $0x8,%rbx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 a0 61 c3 fd callq 0xfdc361bc
1c: 4c 8b 33 mov (%rbx),%r14
1f: 49 8d 5e 0a lea 0xa(%r14),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 8a 04 38 mov (%rax,%r15,1),%al <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 dd 03 00 00 jne 0x413
36: 0f b7 1b movzwl (%rbx),%ebx
39: 48 89 5d d0 mov %rbx,-0x30(%rbp)
3d: c1 eb 08 shr $0x8,%ebx


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Dec 10, 2022, 7:32:41 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7048384c9872 Revert "net: macb: Specify PHY PM management ..
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=162ea0cd880000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2b117a8214c7c29
dashboard link: https://syzkaller.appspot.com/bug?extid=963f7637dae8becc038f
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1565948f880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12412ddb880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7c86dd44b0fe/disk-7048384c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d8642546089a/vmlinux-7048384c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e31d92b43c74/bzImage-7048384c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+963f76...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 6 Comm: kworker/0:0 Not tainted 5.15.77-syzkaller-00764-g7048384c9872 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: wg-crypt-wg2 wg_packet_tx_worker
RIP: 0010:em_cmp_match+0x4e/0x5f0 net/sched/em_cmp.c:25
Code: 66 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 90 ec a8 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 0f 04 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc90000066fd8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff88810034e2c0
RDX: 0000000000000000 RSI: ffff88811490ba00 RDI: ffff88811bd683c0
RBP: ffffc90000067010 R08: ffffffff840b00b5 R09: ffffc900000670a0
R10: fffff5200000ce24 R11: 1ffff9200000ce14 R12: ffffffff86f34d10
R13: ffff88811bd683c0 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 000000011eed7000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcf_em_match net/sched/ematch.c:492 [inline]
__tcf_em_tree_match+0x194/0x720 net/sched/ematch.c:518
tcf_em_tree_match include/net/pkt_cls.h:463 [inline]
basic_classify+0xd8/0x250 net/sched/cls_basic.c:48
__tcf_classify net/sched/cls_api.c:1549 [inline]
tcf_classify+0x161/0x430 net/sched/cls_api.c:1589
prio_classify net/sched/sch_prio.c:42 [inline]
prio_enqueue+0x1d3/0x6a0 net/sched/sch_prio.c:75
dev_qdisc_enqueue net/core/dev.c:3792 [inline]
__dev_xmit_skb+0x35c/0x1650 net/core/dev.c:3876
__dev_queue_xmit+0x8f3/0x1b50 net/core/dev.c:4193
dev_queue_xmit+0x17/0x20 net/core/dev.c:4261
neigh_hh_output include/net/neighbour.h:508 [inline]
neigh_output include/net/neighbour.h:522 [inline]
ip_finish_output2+0xc0f/0xf00 net/ipv4/ip_output.c:228
__ip_finish_output+0x163/0x370
ip_finish_output+0x20b/0x220 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:299 [inline]
ip_output+0x1e9/0x410 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:450 [inline]
ip_local_out+0x92/0xb0 net/ipv4/ip_output.c:126
iptunnel_xmit+0x4a2/0x890 net/ipv4/ip_tunnel_core.c:82
udp_tunnel_xmit_skb+0x1b6/0x2c0 net/ipv4/udp_tunnel_core.c:175
send4+0x78d/0xd20 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xd5/0x1d0 drivers/net/wireguard/socket.c:175
wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
wg_packet_tx_worker+0x202/0x560 drivers/net/wireguard/send.c:276
process_one_work+0x6db/0xc00 kernel/workqueue.c:2313
worker_thread+0xb3e/0x1340 kernel/workqueue.c:2460
kthread+0x41c/0x500 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Modules linked in:
---[ end trace 96ef6555c9d22182 ]---
RIP: 0010:em_cmp_match+0x4e/0x5f0 net/sched/em_cmp.c:25
Code: 66 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 90 ec a8 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 0f 04 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc90000066fd8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff88810034e2c0
RDX: 0000000000000000 RSI: ffff88811490ba00 RDI: ffff88811bd683c0
RBP: ffffc90000067010 R08: ffffffff840b00b5 R09: ffffc900000670a0
R10: fffff5200000ce24 R11: 1ffff9200000ce14 R12: ffffffff86f34d10
R13: ffff88811bd683c0 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 000000011eed7000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 66 fd data16 std
2: 48 83 c3 08 add $0x8,%rbx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 90 ec a8 fd callq 0xfda8ecac
1c: 4c 8b 33 mov (%rbx),%r14
1f: 49 8d 5e 0a lea 0xa(%r14),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 8a 04 38 mov (%rax,%r15,1),%al <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 0f 04 00 00 jne 0x445

Jun Nie

Dec 12, 2022, 12:45:56 AM
to syzkaller-android-bugs

Jun Nie

Dec 12, 2022, 12:47:46 AM
to syzbot+963f76...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com

syzbot

Dec 12, 2022, 1:22:19 AM
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in em_cmp_match

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 425 Comm: kworker/0:3 Not tainted 6.1.0-syzkaller-00167-g830b3c68c1fb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: wg-crypt-wg1 wg_packet_tx_worker
RIP: 0010:em_cmp_match+0x4e/0x5f0 net/sched/em_cmp.c:25
Code: 61 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 90 2e a8 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 0f 04 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc90002b4efd8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff888111354300
RDX: 0000000000000000 RSI: ffff8881179e6180 RDI: ffff88811c1cda00
RBP: ffffc90002b4f010 R08: ffffffff8412cc95 R09: ffffc90002b4f0a0
R10: fffff52000569e24 R11: 1ffff92000569e14 R12: ffffffff86b3c190
R13: ffff88811c1cda00 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc1d558af8 CR3: 0000000122a09000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcf_em_match net/sched/ematch.c:492 [inline]
__tcf_em_tree_match+0x194/0x720 net/sched/ematch.c:518
tcf_em_tree_match include/net/pkt_cls.h:502 [inline]
basic_classify+0xd8/0x250 net/sched/cls_basic.c:48
__tcf_classify net/sched/cls_api.c:1567 [inline]
tcf_classify+0x191/0x480 net/sched/cls_api.c:1607
prio_classify net/sched/sch_prio.c:42 [inline]
prio_enqueue+0x1d3/0x6a0 net/sched/sch_prio.c:75
dev_qdisc_enqueue net/core/dev.c:3785 [inline]
__dev_xmit_skb+0x361/0x1460 net/core/dev.c:3874
__dev_queue_xmit+0x9f1/0x2210 net/core/dev.c:4222
dev_queue_xmit include/linux/netdevice.h:3008 [inline]
neigh_hh_output include/net/neighbour.h:530 [inline]
neigh_output include/net/neighbour.h:544 [inline]
ip_finish_output2+0xbe7/0xf80 net/ipv4/ip_output.c:228
__ip_finish_output+0x163/0x370
ip_finish_output+0x280/0x2a0 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0x1e9/0x410 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:445 [inline]
ip_local_out+0x92/0xb0 net/ipv4/ip_output.c:126
iptunnel_xmit+0x4d2/0x8b0 net/ipv4/ip_tunnel_core.c:82
udp_tunnel_xmit_skb+0x1b6/0x2c0 net/ipv4/udp_tunnel_core.c:172
send4+0x7b3/0xd20 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xd5/0x1d0 drivers/net/wireguard/socket.c:175
wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
wg_packet_tx_worker+0x202/0x560 drivers/net/wireguard/send.c:276
process_one_work+0x6cb/0xc00 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:em_cmp_match+0x4e/0x5f0 net/sched/em_cmp.c:25
Code: 61 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 90 2e a8 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 0f 04 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc90002b4efd8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff888111354300
RDX: 0000000000000000 RSI: ffff8881179e6180 RDI: ffff88811c1cda00
RBP: ffffc90002b4f010 R08: ffffffff8412cc95 R09: ffffc90002b4f0a0
R10: fffff52000569e24 R11: 1ffff92000569e14 R12: ffffffff86b3c190
R13: ffff88811c1cda00 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc1d558af8 CR3: 0000000122a09000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: fd std
1: 48 83 c3 08 add $0x8,%rbx
5: 48 89 d8 mov %rbx,%rax
8: 48 c1 e8 03 shr $0x3,%rax
c: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
11: 74 08 je 0x1b
13: 48 89 df mov %rbx,%rdi
16: e8 90 2e a8 fd callq 0xfda82eab
1b: 4c 8b 33 mov (%rbx),%r14
1e: 49 8d 5e 0a lea 0xa(%r14),%rbx
22: 48 89 d8 mov %rbx,%rax
25: 48 c1 e8 03 shr $0x3,%rax
* 29: 42 8a 04 38 mov (%rax,%r15,1),%al <-- trapping instruction
2d: 84 c0 test %al,%al
2f: 0f 85 0f 04 00 00 jne 0x444
35: 0f b7 1b movzwl (%rbx),%ebx
38: 48 89 5d d0 mov %rbx,-0x30(%rbp)
3c: c1 eb 08 shr $0x8,%ebx


Tested on:

commit: 830b3c68 Linux 6.1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10524613880000
kernel config: https://syzkaller.appspot.com/x/.config?x=b954a3c6aa597886
dashboard link: https://syzkaller.appspot.com/bug?extid=963f7637dae8becc038f
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tudor Ambarus

Dec 12, 2022, 3:34:04 AM
to syzbot+d20933...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

Tudor Ambarus

Dec 12, 2022, 3:36:10 AM
to syzbot+d20933...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

Tudor Ambarus

Dec 12, 2022, 3:36:49 AM
to syzbot+d20933...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
linux-5.15.y

On 12.12.2022 10:36, Tudor Ambarus wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
> linux-5.10.y

syzbot

Dec 12, 2022, 4:38:09 AM
to jun...@linaro.org, jun...@linaro.org, syzkaller-a...@googlegroups.com
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

I see the command, but I cannot identify the bug that was meant.
Several bugs with the exact same title were earlier sent to the mailing list.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the original bug report (also present in the Reported-by tag).

> master

Jun Nie

Dec 12, 2022, 4:46:17 AM
to syzbot+963f76...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
0001-net_sched-ematch-reject-invalid-data.patch

syzbot

Dec 12, 2022, 11:12:21 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in em_cmp_match

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: wg-crypt-wg1 wg_packet_tx_worker
RIP: 0010:em_cmp_match+0x4e/0x5f0 net/sched/em_cmp.c:25
Code: 73 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 20 0e b5 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 0f 04 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc90000896fd8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff88810c600000
RDX: 0000000000000000 RSI: ffff88810c9d4500 RDI: ffff88812697ec80
RBP: ffffc90000897010 R08: ffffffff83ffa385 R09: ffffc900008970a0
R10: fffff52000112e24 R11: 1ffff92000112e14 R12: ffffffff86915f70
R13: ffff88812697ec80 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555563a8728 CR3: 000000011101a000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcf_em_match net/sched/ematch.c:492 [inline]
__tcf_em_tree_match+0x194/0x720 net/sched/ematch.c:518
tcf_em_tree_match include/net/pkt_cls.h:502 [inline]
basic_classify+0xd8/0x250 net/sched/cls_basic.c:48
__tcf_classify net/sched/cls_api.c:1567 [inline]
tcf_classify+0x191/0x480 net/sched/cls_api.c:1607
prio_classify net/sched/sch_prio.c:42 [inline]
prio_enqueue+0x1d3/0x6a0 net/sched/sch_prio.c:75
dev_qdisc_enqueue net/core/dev.c:3785 [inline]
__dev_xmit_skb+0x361/0x1460 net/core/dev.c:3874
__dev_queue_xmit+0x9f1/0x2210 net/core/dev.c:4222
dev_queue_xmit include/linux/netdevice.h:3008 [inline]
neigh_hh_output include/net/neighbour.h:530 [inline]
neigh_output include/net/neighbour.h:544 [inline]
ip_finish_output2+0xb25/0xf70 net/ipv4/ip_output.c:228
__ip_finish_output+0x5b6/0x950
ip_finish_output+0x235/0x250 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0x1e9/0x410 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:445 [inline]
ip_local_out+0x92/0xb0 net/ipv4/ip_output.c:126
iptunnel_xmit+0x4d2/0x8b0 net/ipv4/ip_tunnel_core.c:82
udp_tunnel_xmit_skb+0x1b6/0x2c0 net/ipv4/udp_tunnel_core.c:172
send4+0x7b3/0xd20 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xd5/0x1d0 drivers/net/wireguard/socket.c:175
wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
wg_packet_tx_worker+0x202/0x560 drivers/net/wireguard/send.c:276
process_one_work+0x6cb/0xc00 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:em_cmp_match+0x4e/0x5f0 net/sched/em_cmp.c:25
Code: 73 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 20 0e b5 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 0f 04 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc90000896fd8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff88810c600000
RDX: 0000000000000000 RSI: ffff88810c9d4500 RDI: ffff88812697ec80
RBP: ffffc90000897010 R08: ffffffff83ffa385 R09: ffffc900008970a0
R10: fffff52000112e24 R11: 1ffff92000112e14 R12: ffffffff86915f70
R13: ffff88812697ec80 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555563a8728 CR3: 000000000620f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 73 fd jae 0xffffffff
2: 48 83 c3 08 add $0x8,%rbx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 20 0e b5 fd callq 0xfdb50e3c
1c: 4c 8b 33 mov (%rbx),%r14
1f: 49 8d 5e 0a lea 0xa(%r14),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 8a 04 38 mov (%rax,%r15,1),%al <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 0f 04 00 00 jne 0x445
36: 0f b7 1b movzwl (%rbx),%ebx
39: 48 89 5d d0 mov %rbx,-0x30(%rbp)
3d: c1 eb 08 shr $0x8,%ebx


Tested on:

commit: 830b3c68 Linux 6.1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=11125887880000
kernel config: https://syzkaller.appspot.com/x/.config?x=c03cf35e868d50db
dashboard link: https://syzkaller.appspot.com/bug?extid=d20933a868ac6b7b379b

syzbot

Dec 12, 2022, 11:21:27 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in em_cmp_match

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: wg-crypt-wg1 wg_packet_tx_worker
RIP: 0010:em_cmp_match+0x4e/0x580 net/sched/em_cmp.c:25
Code: b5 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 b0 c3 ec fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 dd 03 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc9000022f488 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff8881024cbd00
RDX: 0000000000000000 RSI: ffff8881178fc300 RDI: ffff88810e790500
RBP: ffffc9000022f4c0 R08: ffffffff83b3a565 R09: ffffc9000022f520
R10: fffff52000045eb4 R11: 1ffff92000045ea4 R12: 0000000000000000
R13: ffff88810e790500 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 000000010a09e000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_em_match net/sched/ematch.c:492 [inline]
__tcf_em_tree_match+0x153/0x6b0 net/sched/ematch.c:518
tcf_em_tree_match include/net/pkt_cls.h:467 [inline]
basic_classify+0xd8/0x250 net/sched/cls_basic.c:48
__tcf_classify net/sched/cls_api.c:1550 [inline]
tcf_classify+0x161/0x430 net/sched/cls_api.c:1587
prio_classify net/sched/sch_prio.c:42 [inline]
prio_enqueue+0x17d/0x620 net/sched/sch_prio.c:75
__dev_xmit_skb net/core/dev.c:3822 [inline]
__dev_queue_xmit+0xc35/0x2a90 net/core/dev.c:4136
dev_queue_xmit+0x17/0x20 net/core/dev.c:4204
neigh_hh_output include/net/neighbour.h:500 [inline]
neigh_output include/net/neighbour.h:514 [inline]
ip_finish_output2+0xa84/0xf10 net/ipv4/ip_output.c:237
__ip_finish_output+0x480/0x7f0 net/ipv4/ip_output.c:259
ip_finish_output+0x20b/0x220 net/ipv4/ip_output.c:325
NF_HOOK_COND include/linux/netfilter.h:290 [inline]
ip_output+0x1a5/0x390 net/ipv4/ip_output.c:439
dst_output include/net/dst.h:443 [inline]
ip_local_out+0x92/0xb0 net/ipv4/ip_output.c:126
iptunnel_xmit+0x45e/0x830 net/ipv4/ip_tunnel_core.c:82
udp_tunnel_xmit_skb+0x1b6/0x2c0 net/ipv4/udp_tunnel_core.c:190
send4+0x5d8/0xc30 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xd5/0x1d0 drivers/net/wireguard/socket.c:175
wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
wg_packet_tx_worker+0x1e1/0x540 drivers/net/wireguard/send.c:276
process_one_work+0x711/0xce0 kernel/workqueue.c:2279
worker_thread+0xb17/0x1540 kernel/workqueue.c:2425
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299
Modules linked in:
---[ end trace bbe3fa954a6c01e6 ]---
RIP: 0010:em_cmp_match+0x4e/0x580 net/sched/em_cmp.c:25
Code: b5 fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 b0 c3 ec fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 dd 03 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc9000022f488 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff8881024cbd00
RDX: 0000000000000000 RSI: ffff8881178fc300 RDI: ffff88810e790500
RBP: ffffc9000022f4c0 R08: ffffffff83b3a565 R09: ffffc9000022f520
R10: fffff52000045eb4 R11: 1ffff92000045ea4 R12: 0000000000000000
R13: ffff88810e790500 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 000000010a09e000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: b5 fd mov $0xfd,%ch
2: 48 83 c3 08 add $0x8,%rbx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 b0 c3 ec fd callq 0xfdecc3cc
1c: 4c 8b 33 mov (%rbx),%r14
1f: 49 8d 5e 0a lea 0xa(%r14),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 8a 04 38 mov (%rax,%r15,1),%al <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 dd 03 00 00 jne 0x413
36: 0f b7 1b movzwl (%rbx),%ebx
39: 48 89 5d d0 mov %rbx,-0x30(%rbp)
3d: c1 eb 08 shr $0x8,%ebx


Tested on:

commit: 592346d5 Linux 5.10.158
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1474bc3b880000
kernel config: https://syzkaller.appspot.com/x/.config?x=88f7ed38c118c4dc

syzbot

Dec 12, 2022, 11:29:27 AM
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in em_cmp_match

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.15.82-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: wg-crypt-wg2 wg_packet_tx_worker
RIP: 0010:em_cmp_match+0x4e/0x5f0 net/sched/em_cmp.c:25
Code: 8a fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 00 45 c7 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 0f 04 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc90000a16fd8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff88810b035000
RDX: 0000000000000000 RSI: ffff888106187bc0 RDI: ffff888118775dc0
RBP: ffffc90000a17010 R08: ffffffff83e522e5 R09: ffffc90000a170a0
R10: fffff52000142e24 R11: 1ffff92000142e14 R12: ffffffff864e5c30
R13: ffff888118775dc0 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6b9884b0c0 CR3: 0000000005e0f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcf_em_match net/sched/ematch.c:492 [inline]
__tcf_em_tree_match+0x194/0x720 net/sched/ematch.c:518
tcf_em_tree_match include/net/pkt_cls.h:463 [inline]
basic_classify+0xd8/0x250 net/sched/cls_basic.c:48
__tcf_classify net/sched/cls_api.c:1549 [inline]
tcf_classify+0x191/0x480 net/sched/cls_api.c:1589
prio_classify net/sched/sch_prio.c:42 [inline]
prio_enqueue+0x1d3/0x6a0 net/sched/sch_prio.c:75
dev_qdisc_enqueue net/core/dev.c:3785 [inline]
__dev_xmit_skb+0x35c/0x1650 net/core/dev.c:3869
__dev_queue_xmit+0x92a/0x1bd0 net/core/dev.c:4186
dev_queue_xmit+0x17/0x20 net/core/dev.c:4254
neigh_hh_output include/net/neighbour.h:500 [inline]
neigh_output include/net/neighbour.h:514 [inline]
ip_finish_output2+0xb54/0xf50 net/ipv4/ip_output.c:228
__ip_finish_output+0x5b6/0x950
ip_finish_output+0x1cb/0x1e0 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:296 [inline]
ip_output+0x1e9/0x410 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:450 [inline]
ip_local_out+0x92/0xb0 net/ipv4/ip_output.c:126
iptunnel_xmit+0x4d2/0x8e0 net/ipv4/ip_tunnel_core.c:82
udp_tunnel_xmit_skb+0x1b6/0x2c0 net/ipv4/udp_tunnel_core.c:175
send4+0x78f/0xd20 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xd5/0x1d0 drivers/net/wireguard/socket.c:175
wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
wg_packet_tx_worker+0x202/0x560 drivers/net/wireguard/send.c:276
process_one_work+0x6db/0xc00 kernel/workqueue.c:2306
worker_thread+0xb3e/0x1340 kernel/workqueue.c:2453
kthread+0x41c/0x500 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Modules linked in:
---[ end trace a6e085f760ed660a ]---
RIP: 0010:em_cmp_match+0x4e/0x5f0 net/sched/em_cmp.c:25
Code: 8a fd 48 83 c3 08 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 00 45 c7 fd 4c 8b 33 49 8d 5e 0a 48 89 d8 48 c1 e8 03 <42> 8a 04 38 84 c0 0f 85 0f 04 00 00 0f b7 1b 48 89 5d d0 c1 eb 08
RSP: 0018:ffffc90000a16fd8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 000000000000000a RCX: ffff88810b035000
RDX: 0000000000000000 RSI: ffff888106187bc0 RDI: ffff888118775dc0
RBP: ffffc90000a17010 R08: ffffffff83e522e5 R09: ffffc90000a170a0
R10: fffff52000142e24 R11: 1ffff92000142e14 R12: ffffffff864e5c30
R13: ffff888118775dc0 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6b9884b0c0 CR3: 0000000005e0f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 8a fd mov %ch,%bh
2: 48 83 c3 08 add $0x8,%rbx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 00 45 c7 fd callq 0xfdc7451c
1c: 4c 8b 33 mov (%rbx),%r14
1f: 49 8d 5e 0a lea 0xa(%r14),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 8a 04 38 mov (%rax,%r15,1),%al <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 0f 04 00 00 jne 0x445
36: 0f b7 1b movzwl (%rbx),%ebx
39: 48 89 5d d0 mov %rbx,-0x30(%rbp)
3d: c1 eb 08 shr $0x8,%ebx


Tested on:

commit: d9790301 Linux 5.15.82
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17011a13880000
kernel config: https://syzkaller.appspot.com/x/.config?x=58010925eb6a52c
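The disassembly above shows the mechanism behind this oops: `mov (%rbx),%r14` loads `em->data` (0 in the register dump), `lea 0xa(%r14),%rbx` forms a field address from it, and the KASAN shadow check on that address faults. In other words, the four bytes that the TCF_EM_SIMPLE path of tcf_em_validate() stores inline in `em->data` are being used by em_cmp_match() as a `struct tcf_em_cmp *`. The following is an added userspace model of that data path, written for this page and not taken from the kernel, from syzbot or from any patch in this thread. The flag values and `struct tcf_em_cmp` mirror the UAPI headers; `em_validate()` and `em_cmp_match_model()` are simplified stand-ins for the kernel functions, and the `hardened` argument stands for the check the thread later settles on (reject TCF_EM_SIMPLE when the ematch module declares a non-zero `datalen`):

```c
/* Added example, not kernel code: userspace model of the net/sched ematch data path behind the oops
 * above. Flags and struct tcf_em_cmp mirror the UAPI headers; the two functions are simplified stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TCF_EM_SIMPLE    (1 << 3)          /* "payload is a 4-byte value, keep it inline" */
#define TCF_EM_ALIGN_U8  1
#define TCF_EM_ALIGN_U32 4
enum { TCF_EM_OPND_EQ, TCF_EM_OPND_GT, TCF_EM_OPND_LT };

struct tcf_em_cmp {                        /* 12 bytes: what em_cmp expects em->data to point at */
    uint32_t val, mask;
    uint16_t off;
    uint8_t  align:4, flags:4;
    uint8_t  layer:4, opnd:4;
};
struct ematch_ops { size_t datalen; };     /* em_cmp declares sizeof(struct tcf_em_cmp) */
struct ematch { const struct ematch_ops *ops; unsigned long data; };
static const struct ematch_ops em_cmp_ops = { .datalen = sizeof(struct tcf_em_cmp) };

/* Stand-in for the data-copy branch of tcf_em_validate(): em->data ends up holding either a u32
 * inline (TCF_EM_SIMPLE) or a heap pointer, the dual use at issue. hardened != 0 adds the check
 * this thread converges on. Returns 0 or -errno. */
static int em_validate(struct ematch *em, const struct ematch_ops *ops, unsigned int flags,
                       const void *data, size_t data_len, int hardened)
{
    em->ops = ops;
    em->data = 0;
    if (ops->datalen && data_len < ops->datalen) return -EINVAL;  /* shorter than the module's struct */
    if (data_len == 0) return 0;
    if (flags & TCF_EM_SIMPLE) {
        uint32_t v;
        if (hardened && ops->datalen > 0) return -EINVAL;  /* the fix: a fixed-datalen module wants a pointer */
        if (data_len < sizeof(v)) return -EINVAL;
        memcpy(&v, data, sizeof(v));
        em->data = v;                                     /* the first four payload bytes become em->data */
    } else {
        void *copy = malloc(data_len);
        if (!copy) return -ENOBUFS;
        memcpy(copy, data, data_len);
        em->data = (unsigned long)copy;
    }
    return 0;
}

/* Stand-in for em_cmp_match(): unconditionally treats em->data as a pointer. Big-endian reads
 * as in the kernel; layer selection, U16 and the TRANS flag are omitted. */
static int em_cmp_match_model(const struct ematch *em, const uint8_t *pkt, size_t len)
{
    const struct tcf_em_cmp *cmp = (const struct tcf_em_cmp *)em->data;
    const uint8_t *p;
    uint32_t val;

    if ((size_t)cmp->off + cmp->align > len) return 0;   /* stands in for tcf_valid_offset() */
    p = pkt + cmp->off;
    switch (cmp->align) {
    case TCF_EM_ALIGN_U8:  val = p[0]; break;
    case TCF_EM_ALIGN_U32: val = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; break;
    default: return 0;
    }
    if (cmp->mask) val &= cmp->mask;
    switch (cmp->opnd) {
    case TCF_EM_OPND_EQ: return val == cmp->val;
    case TCF_EM_OPND_GT: return val > cmp->val;
    case TCF_EM_OPND_LT: return val < cmp->val;
    }
    return 0;
}

/* Scenario 1: a 12-byte all-zero cmp rule (constructed input) sent with TCF_EM_SIMPLE. Unpatched,
 * validation passes and em->data is 0, so em_cmp_match would dereference a NULL struct pointer
 * (the report's null-ptr-deref in 0x8-0xf); patched, the rule is rejected with -EINVAL. */
static int simple_path(int hardened, unsigned long *data_out)
{
    static const uint8_t zero_rule[sizeof(struct tcf_em_cmp)] = { 0 };
    struct ematch em;
    int rc = em_validate(&em, &em_cmp_ops, TCF_EM_SIMPLE, zero_rule, sizeof(zero_rule), hardened);
    if (data_out) *data_out = rc ? ~0UL : em.data;
    return rc;
}
/* em->data as left by the unpatched SIMPLE path: 0, i.e. a NULL struct pointer. */
static unsigned long unpatched_simple_data(void) { unsigned long d = ~0UL; simple_path(0, &d); return d; }

/* Scenario 2: the same module configured without SIMPLE, so em->data is a real pointer and the rule
 * "version nibble of byte 0 == 4" runs on a constructed packet head. Returns 1/0, or -errno. */
static int pointer_path_match(uint8_t first_byte)
{
    const struct tcf_em_cmp ipv4_rule = { .val = 0x40, .mask = 0xf0, .off = 0,
                                          .align = TCF_EM_ALIGN_U8, .opnd = TCF_EM_OPND_EQ };
    uint8_t pkt[20] = { first_byte };
    struct ematch em;
    int rc = em_validate(&em, &em_cmp_ops, 0, &ipv4_rule, sizeof(ipv4_rule), 1);
    if (rc) return rc;
    rc = em_cmp_match_model(&em, pkt, sizeof(pkt));
    free((void *)em.data);
    return rc;
}
```

Compiled with any C99 compiler (assumption: no kernel headers are needed), the unpatched SIMPLE path returns 0 and leaves `em->data` equal to 0, the patched one returns -EINVAL at configuration time, and the ordinary pointer path matches a first byte of 0x45 and rejects 0x60. The point the model makes is that the bug is a type confusion decided at validate time and only detonated at match time, which is why the fix belongs in tcf_em_validate() and not in em_cmp_match().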

syzbot

unread,
Dec 12, 2022, 5:09:19 PM12/12/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+963f76...@syzkaller.appspotmail.com

Tested on:

commit: 691806e9 Merge tag 'thermal-6.2-rc1' of git://git.kern..
console output: https://syzkaller.appspot.com/x/log.txt?x=111e6eb7880000
kernel config: https://syzkaller.appspot.com/x/.config?x=655e3f51c8178926
dashboard link: https://syzkaller.appspot.com/bug?extid=963f7637dae8becc038f
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11ad5db7880000

Note: testing is done by a robot and is best-effort only.

Jun Nie

unread,
Dec 13, 2022, 9:17:48 AM12/13/22
to syzkaller-android-bugs
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  e42617b825f80735
Double-confirmed: the first bad commit is as below; it follows e42617b825f80735 (v5.5-rc1):
 [e7096c131e5161fa3b8e52a650d7719d2857adfd] net: WireGuard secure network tunnel

Jun Nie

unread,
Dec 13, 2022, 9:19:45 AM12/13/22
to syzkaller-android-bugs

Jun Nie

unread,
Dec 13, 2022, 9:21:38 AM12/13/22
to syzbot+963f76...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com

Jun Nie

unread,
Dec 13, 2022, 9:24:35 AM12/13/22
to syzbot+963f76...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com

syzbot

unread,
Dec 13, 2022, 12:40:40 PM12/13/22
to jun...@linaro.org, jun...@linaro.org, syzkaller-a...@googlegroups.com
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

I see the command, but I cannot identify the bug that was meant.
Several bugs with the exact same title were earlier sent to the mailing list.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the original bug report (also present in the Reported-by tag).

> e42617b825f80735
> Double confirm first bad commit is as below, that follows
> e42617b825f80735(v5.5-rc1)
> [e7096c131e5161fa3b8e52a650d7719d2857adfd] net: WireGuard secure network
> tunnel
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-android-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-android...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-android-bugs/fdf36f0e-1c7f-4f1f-a448-eee37e28e1b7n%40googlegroups.com.

syzbot

unread,
Dec 13, 2022, 12:40:40 PM12/13/22
to jun...@linaro.org, jun...@linaro.org, syzkaller-a...@googlegroups.com
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

I see the command, but I cannot identify the bug that was meant.
Several bugs with the exact same title were earlier sent to the mailing list.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the original bug report (also present in the Reported-by tag).

> e42617b825f80735
>

syzbot

unread,
Dec 13, 2022, 3:23:18 PM12/13/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

arch/x86/events/core.c:1651: undefined reference to `stpcpy'
arch/x86/events/core.c:1674: undefined reference to `stpcpy'
arch/x86/events/intel/uncore.c:100: undefined reference to `stpcpy'
drivers/tty/tty_io.c:1139: undefined reference to `stpcpy'
drivers/usb/class/usblp.c:1083: undefined reference to `stpcpy'


Tested on:

commit: e42617b8 Linux 5.5-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=963f7637dae8becc038f
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63

Jun Nie

unread,
Dec 18, 2022, 9:06:54 PM12/18/22
to syzbot+963f76...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com
diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index 4ce681361851..5c1235e6076a 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -255,6 +255,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
* the value carried.
*/
if (em_hdr->flags & TCF_EM_SIMPLE) {
+ if (em->ops->datalen > 0)
+ goto errout;
if (data_len < sizeof(u32))
goto errout;
em->data = *(u32 *) data;
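Review bot: the hunk arrives without a commit message, so the reason for the two new lines has to be reconstructed from the report at the top of the thread: with TCF_EM_SIMPLE set, the visible `em->data = *(u32 *) data;` stores the first four payload bytes as a plain value, while em_cmp_match() (net/sched/em_cmp.c:25 in the trace) casts `em->data` to a `struct tcf_em_cmp *` and reads through it, which is the KASAN null-ptr-deref in range 0x8-0xf with R14 = 0 shown above. Please add a description saying that, a `Reported-by:` tag for the syzbot report, and a `Fixes:` tag that points at the ematch code rather than at the WireGuard commit the bisection landed on (the trace shows WireGuard only as the transmit path into the qdisc classifier). It would also help to extend the comment ending at `* the value carried.` just above to state that an ematch module declaring a non-zero `datalen` expects a pointer and therefore must not be configured with TCF_EM_SIMPLE, since that is exactly what `if (em->ops->datalen > 0) goto errout;` enforces.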

syzbot

unread,
Dec 19, 2022, 5:34:22 AM12/19/22
to jun...@linaro.org, syzkaller-a...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+963f76...@syzkaller.appspotmail.com

Tested on:

commit: f9ff5644 Merge tag 'hsi-for-6.2' of git://git.kernel.o..
console output: https://syzkaller.appspot.com/x/log.txt?x=16cd4c20480000
kernel config: https://syzkaller.appspot.com/x/.config?x=915a662200e09d74
dashboard link: https://syzkaller.appspot.com/bug?extid=963f7637dae8becc038f
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1092cf77880000

Tudor Ambarus

unread,
Jan 18, 2023, 3:25:56 AM1/18/23
to syzbot+d20933...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com
#syz fix: net_sched: reject TCF_EM_SIMPLE case for complex ematch module

Tudor Ambarus

unread,
Jan 18, 2023, 3:27:47 AM1/18/23
to syzbot+963f76...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

Tudor Ambarus

unread,
Jan 18, 2023, 3:47:29 AM1/18/23
to syzbot+0f85f3...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

unread,
Jan 18, 2023, 3:47:29 AM1/18/23
to tudor....@linaro.org, jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org, syzkaller...@googlegroups.com
> #syz fix: net_sched: reject TCF_EM_SIMPLE case for complex ematch module

Your 'fix:' command is accepted, but please keep syzkaller...@googlegroups.com mailing list in CC next time. It serves as a history of what happened with each bug report. Thank you.

Tudor Ambarus

unread,
Jan 18, 2023, 3:48:20 AM1/18/23
to syzbot+0d44fe...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com

syzbot

unread,
Jan 18, 2023, 3:48:21 AM1/18/23
to tudor....@linaro.org, jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org, syzkaller...@googlegroups.com
> #syz fix: net_sched: reject TCF_EM_SIMPLE case for complex ematch module

Tudor Ambarus

unread,
Jan 18, 2023, 6:21:48 AM1/18/23
to syzbot+8234f4...@syzkaller.appspotmail.com, jone...@google.com, syzkaller-a...@googlegroups.com, syzkaller...@googlegroups.com
#syz fix: ext4: fix kernel BUG in 'ext4_write_inline_data_end()'

syzbot

unread,
Apr 18, 2023, 4:26:43 AM4/18/23
to jone...@google.com, syzkaller-a...@googlegroups.com, tudor....@linaro.org
This bug is marked as fixed by commit:
net_sched: reject TCF_EM_SIMPLE case for complex ematch module

But I can't find it in the tested trees[1] for more than 90 days.
Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: Android 5.10
Dashboard link: https://syzkaller.appspot.com/bug?extid=d20933a868ac6b7b379b

---
[1] I expect the commit to be present in:

1. android12-5.10-lts branch of
https://android.googlesource.com/kernel/common

syzbot

unread,
Apr 18, 2023, 4:47:48 AM4/18/23
to jone...@google.com, syzkaller-a...@googlegroups.com, syzkaller...@googlegroups.com, tudor....@linaro.org
This bug is marked as fixed by commit:
net_sched: reject TCF_EM_SIMPLE case for complex ematch module

But I can't find it in the tested trees[1] for more than 90 days.
Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: Linux 4.19
Dashboard link: https://syzkaller.appspot.com/bug?extid=0f85f339d85a5e331ec1

---
[1] I expect the commit to be present in:

1. linux-4.19.y branch of
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git

Tudor Ambarus

unread,
Apr 18, 2023, 6:29:33 AM4/18/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com, syzkaller...@googlegroups.com, Aleksandr Nogikh
+ Aleksandr
But the patch is present in that branch:
stable/linux-4.19.y:
134b529db48a7 net_sched: reject TCF_EM_SIMPLE case for complex ematch module

Aleksandr?

Tudor Ambarus

unread,
Apr 18, 2023, 6:31:25 AM4/18/23
to syzbot, jone...@google.com, syzkaller-a...@googlegroups.com, Aleksandr Nogikh
+ Aleksandr
Here too:

aosp/android12-5.10-lts:
a4d6d4d1e7c83 UPSTREAM: net_sched: reject TCF_EM_SIMPLE case for complex ematch module
5c544c7c6afab net_sched: reject TCF_EM_SIMPLE case for complex ematch module

Aleksandr Nogikh

unread,
Apr 18, 2023, 6:58:46 AM4/18/23
to Tudor Ambarus, syzbot, jone...@google.com, syzkaller-a...@googlegroups.com
Hi Tudor,

syzkaller only grabs new commits if it has managed to switch fuzzing
to the newer kernel revision. Android 5.10 build is broken for 116
days now: https://syzkaller.appspot.com/bug?id=0f1e1644d7ed28d1d925d6c9e2e2c0c1c18cb794

--
Aleksandr

Lee Jones

unread,
Apr 18, 2023, 11:27:23 AM4/18/23
to Aleksandr Nogikh, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
You need to disable CONFIG_WERROR in the kernel config that is fed to Syzbot.

Dmitry Vyukov

unread,
Apr 18, 2023, 11:52:35 AM4/18/23
to Lee Jones, Aleksandr Nogikh, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
On Tue, 18 Apr 2023 at 17:27, 'Lee Jones' via syzkaller-android-bugs
<syzkaller-a...@googlegroups.com> wrote:
>
> You need to disable CONFIG_WERROR in the kernel config that is fed to Syzbot.

We will detect stack overflows at runtime, so I guess we can disable
this or all warnings.

Lee Jones

unread,
Apr 18, 2023, 11:58:53 AM4/18/23
to Dmitry Vyukov, Aleksandr Nogikh, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
Funny thing is, it's Syzbot, or at least the configs that it enables (KASAN), that push the stacks over the limit.

I already fixed all of these issues in Mainline and Stable - not sure why these are now showing up.
--

Google Logo
Lee Jones
Software Engineer
jone...@google.com
+44 (0) 2078814435

Aleksandr Nogikh

unread,
Apr 19, 2023, 9:46:03 AM4/19/23
to Lee Jones, Dmitry Vyukov, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
We don't enable CONFIG_WERROR for Android:
https://github.com/google/syzkaller/blob/master/dashboard/config/linux/android-5.10.config

There's a separate CONFIG_FRAME_WARN that controls this behavior. I've sent a PR to increase it for Androids:
https://github.com/google/syzkaller/pull/3821

Lee Jones

unread,
Apr 19, 2023, 11:27:26 AM4/19/23
to Aleksandr Nogikh, Dmitry Vyukov, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
We don't have to explicitly enable it, WERROR is on by default:

$ git grep -A2 WERROR aosp/android12-5.10 -- init/Kconfig
aosp/android12-5.10:init/Kconfig:config WERROR
aosp/android12-5.10:init/Kconfig-       bool "Compile the kernel with warnings as errors"
aosp/android12-5.10:init/Kconfig-       default y

Bumping CONFIG_FRAME_WARN is a workaround at best. Please let us fix this correctly.

Aleksandr Nogikh

unread,
Apr 19, 2023, 11:29:58 AM4/19/23
to Lee Jones, Dmitry Vyukov, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
On Wed, Apr 19, 2023 at 5:27 PM Lee Jones <jone...@google.com> wrote:
>
> We don't have to explicitly enable it, WERROR is on by default:
>
> $ git grep -A2 WERROR aosp/android12-5.10 -- init/Kconfig
> aosp/android12-5.10:init/Kconfig:config WERROR
> aosp/android12-5.10:init/Kconfig- bool "Compile the kernel with warnings as errors"
> aosp/android12-5.10:init/Kconfig- default y
>
> Bumping CONFIG_FRAME_WARN is a workaround at best. Please let us fix this correctly.

Should I revert that syzkaller commit now?

>
> On Wed, 19 Apr 2023 at 14:46, Aleksandr Nogikh <nog...@google.com> wrote:
>>
>> We don't enable CONFIG_WERROR for Android:
>> https://github.com/google/syzkaller/blob/master/dashboard/config/linux/android-5.10.config
>>
>> There's a separate CONFIG_FRAME_WARN that controls this behavior. I've sent a PR to increase it for Androids:
>> https://github.com/google/syzkaller/pull/3821
>>
>> On Tue, Apr 18, 2023 at 5:58 PM Lee Jones <jone...@google.com> wrote:
>>>
>>> Funny thing is, it's Syzbot, or at least the configs that it enables (KASAN) that pushes the stacks over the limit.
>>>
>>> I already fixed all of these issues in Mainline and Stable - not sure why these are now showing up.
>>>
>>> On Tue, 18 Apr 2023 at 16:52, Dmitry Vyukov <dvy...@google.com> wrote:
>>>>
>>>> On Tue, 18 Apr 2023 at 17:27, 'Lee Jones' via syzkaller-android-bugs
>>>> <syzkaller-a...@googlegroups.com> wrote:
>>>> >
>>>> > You need to disable CONFIG_WERROR in the kernel config that is fed to Syzbot.
>>>>
>>>> We will detect stack overflows at runtime, so I guess we can disable
>>>> this or all warnings.
>>>
>>>
>>>
>>> --
>>>

Lee Jones

unread,
Apr 19, 2023, 11:32:59 AM4/19/23
to Aleksandr Nogikh, Dmitry Vyukov, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
> We don't have to explicitly enable it, WERROR is on by default:
>
> $ git grep -A2 WERROR aosp/android12-5.10 -- init/Kconfig
> aosp/android12-5.10:init/Kconfig:config WERROR
> aosp/android12-5.10:init/Kconfig-       bool "Compile the kernel with warnings as errors"
> aosp/android12-5.10:init/Kconfig-       default y
>
> Bumping CONFIG_FRAME_WARN is a workaround at best.   Please let us fix this correctly.

> Should I revert that syzkaller commit now?

Since it's already merged, let's keep hold of it until we can fix it properly.


Aleksandr Nogikh

unread,
Apr 19, 2023, 2:44:15 PM4/19/23
to Lee Jones, Dmitry Vyukov, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
The new config didn't solve the problem completely:
https://syzkaller.appspot.com/text?tag=CrashLog&x=1380bb3fc80000
Now it's failing because of even bigger stack frames :)

net/bluetooth/rfcomm/core.c:2109:12: error: stack frame size (6584)
exceeds limit (4096) in 'rfcomm_run' [-Werror,-Wframe-larger-than]
static int rfcomm_run(void *unused)

On Wed, Apr 19, 2023 at 5:33 PM Lee Jones <jone...@google.com> wrote:
>>
>> > We don't have to explicitly enable it, WERROR is on by default:
>> >
>> > $ git grep -A2 WERROR aosp/android12-5.10 -- init/Kconfig
>> > aosp/android12-5.10:init/Kconfig:config WERROR
>> > aosp/android12-5.10:init/Kconfig- bool "Compile the kernel with warnings as errors"
>> > aosp/android12-5.10:init/Kconfig- default y
>> >
>> > Bumping CONFIG_FRAME_WARN is a workaround at best. Please let us fix this correctly.
>>
>> Should I revert that syzkaller commit now?
>
>
> Since it's already merged, let's keep hold of it until we can fix it properly.
>
> --
>

Lee Jones

unread,
Apr 20, 2023, 3:12:25 AM4/20/23
to Aleksandr Nogikh, Dmitry Vyukov, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
Right. Papering over the cracks isn't going to cut it. We should fix the warnings properly IMHO.

Either that or raise the warning level to 8192 (caveat: not a real suggestion 🙂).

The correct *temporary* workaround to get us up and running again would be to disable WERROR.

Aleksandr Nogikh

unread,
Apr 20, 2023, 4:31:07 AM4/20/23
to Lee Jones, Dmitry Vyukov, Tudor Ambarus, syzbot, syzkaller-a...@googlegroups.com
On Thu, Apr 20, 2023 at 9:12 AM 'Lee Jones' via syzkaller-android-bugs
<syzkaller-a...@googlegroups.com> wrote:
>
> Right. Papering over the cracks isn't going to cut it. We should fix the warnings properly IMHO.

I fully agree :)

>
> Either that or raise the warning level to 8192 (caveat: not a real suggestion 🙂).
>
> The correct *temporary* workaround to get us up and running again would be to disable WERROR.

The logic was that raising the bar only for a single warning would be
a less harmful workaround than ignoring all of them at once.

Aleksandr Nogikh

unread,
Apr 20, 2023, 7:12:28 AM4/20/23
to Tudor Ambarus, syzbot, jone...@google.com, syzkaller-a...@googlegroups.com, syzkaller...@googlegroups.com
Thanks for reporting!
We stopped fuzzing Android 4.19, but forgot about these notifications.
Now the namespace is properly decommissioned, so there should be no
such messages.

--
Aleksandr

Aleksandr Nogikh

unread,
Apr 20, 2023, 7:12:44 AM4/20/23
to Tudor Ambarus, syzbot, jone...@google.com, syzkaller-a...@googlegroups.com, syzkaller...@googlegroups.com
On Thu, Apr 20, 2023 at 1:12 PM Aleksandr Nogikh <nog...@google.com> wrote:
>
> Thanks for reporting!
> We stopped fuzzing Android 4.19, but forgot about these notifications.
^^ Linux 4.19

Tudor Ambarus

unread,
Apr 20, 2023, 11:39:49 AM4/20/23
to Aleksandr Nogikh, Lee Jones, Dmitry Vyukov, syzbot, syzkaller-a...@googlegroups.com


On 4/20/23 09:30, Aleksandr Nogikh wrote:
> On Thu, Apr 20, 2023 at 9:12 AM 'Lee Jones' via syzkaller-android-bugs
> <syzkaller-a...@googlegroups.com> wrote:
>>
>> Right. Papering over the cracks isn't going to cut it. We should fix the warnings properly IMHO.
>
> I fully agree :)
>

Similar errors are hit in Linux upstream too if one updates
x86_64_defconfig to:
diff --git a/arch/x86/configs/x86_64_defconfig
b/arch/x86/configs/x86_64_defconfig
index 27759236fd60e..ad58e99be22c9 100644
--- a/arch/x86/configs/x86_64_defconfig
+++ b/arch/x86/configs/x86_64_defconfig
@@ -271,6 +271,8 @@ CONFIG_DEBUG_KERNEL=y
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_WX=y
CONFIG_DEBUG_STACK_USAGE=y
+CONFIG_KASAN=y
+CONFIG_KASAN_STACK=y
# CONFIG_SCHED_DEBUG is not set
CONFIG_SCHEDSTATS=y
CONFIG_BLK_DEV_IO_TRACE=y


I looked over all the errors (see [1]) and there are no large structures
declared on stack or large parameters passed by value. The excessive
stack usage is caused by KASAN_STACK when using clang.

Until clang is fixed let's disable the -Wframe-larger-than warning by
default. The downside is that with the default value we may miss some
real -Wframe-larger-than warnings, but users can override it when they
feel adventurous.

diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 39d1d93164bd0..f0d1109dc92de 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -429,6 +429,7 @@ endif # DEBUG_INFO
config FRAME_WARN
int "Warn for stack frames larger than"
range 0 8192
+ default 0 if KASAN_STACK && CC_IS_CLANG
default 0 if KMSAN
default 2048 if GCC_PLUGIN_LATENT_ENTROPY
default 2048 if PARISC
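Review bot: `default 0 if KASAN_STACK && CC_IS_CLANG` does not lower the threshold, it disables -Wframe-larger-than outright for exactly the builds where the measurements in this thread show frames growing by 2k to 5.6k, so a frame that has genuinely run away, as opposed to merely bloated, stops being reported at build time and is left for KASAN to catch at runtime. The thread's own data point is that a 4096 ceiling still tripped on rfcomm_run (6584), so if 0 is kept, please add a line to this entry's help text explaining the clang + KASAN_STACK carve-out: the mail text here explains it, but the Kconfig entry will not.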

Thoughts? Cheers,
ta

[1]
drivers/block/loop.c:1531:12: error: stack frame size (2616) exceeds
limit (2048) in 'lo_ioctl' [-Werror,-Wframe-larger-than]
static int lo_ioctl(struct block_device *bdev, fmode_t mode,

drivers/gpu/drm/i915/gt/intel_workarounds.c:964:6: error: stack frame
size (3032) exceeds limit (2048) in 'intel_engine_init_ctx_wa'
[-Werror,-Wframe-larger-than]
void intel_engine_init_ctx_wa(struct intel_engine_cs *engine)

drivers/gpu/drm/i915/gt/intel_workarounds.c:1818:6: error: stack frame
size (5496) exceeds limit (2048) in 'intel_gt_init_workarounds'
[-Werror,-Wframe-larger-than]
void intel_gt_init_workarounds(struct intel_gt *gt)

drivers/gpu/drm/i915/gt/intel_workarounds.c:3153:6: error: stack frame
size (5848) exceeds limit (2048) in 'intel_engine_init_workarounds'
[-Werror,-Wframe-larger-than]
void intel_engine_init_workarounds(struct intel_engine_cs *engine)

drivers/usb/core/devio.c:2801:13: error: stack frame size (2104) exceeds
limit (2048) in 'usbdev_ioctl' [-Werror,-Wframe-larger-than]
static long usbdev_ioctl(struct file *file, unsigned int cmd,

Lee Jones

unread,
Apr 21, 2023, 2:49:53 AM4/21/23
to Tudor Ambarus, Aleksandr Nogikh, Dmitry Vyukov, syzbot, syzkaller-a...@googlegroups.com
Please attempt to upstream it (ensure to Cc: Arnd and myself).

If it's not the correct solution, someone should be able to help you arrive at it.

Tudor Ambarus

unread,
Apr 21, 2023, 5:15:48 AM4/21/23
to Aleksandr Nogikh, Lee Jones, Dmitry Vyukov, syzbot, syzkaller-a...@googlegroups.com
As per Lee's suggestion I lowered FRAME_WARN limit in order to determine
KASAN's and KASAN_STACK's stack bloat:

On 4/20/23 16:39, Tudor Ambarus wrote:

KASAN=y, KASAN_STACK=y:

> drivers/block/loop.c:1531:12: error: stack frame size (2616) exceeds
> limit (2048) in 'lo_ioctl' [-Werror,-Wframe-larger-than]
> static int lo_ioctl(struct block_device *bdev, fmode_t mode,

KASAN=n (and implicitly KASAN_STACK=n)
drivers/block/loop.c:1531:12: error: stack frame size (528) exceeds
limit (512) in 'lo_ioctl' [-Werror,-Wframe-larger-than]
static int lo_ioctl(struct block_device *bdev, fmode_t mode,


KASAN=y, KASAN_STACK=n:
drivers/block/loop.c:1531:12: error: stack frame size (600) exceeds
limit (512) in 'lo_ioctl' [-Werror,-Wframe-larger-than]
static int lo_ioctl(struct block_device *bdev, fmode_t mode,


Thus KASAN_STACK's bloat in this case is ~2k.

>

KASAN=y, KASAN_STACK=y:
> drivers/gpu/drm/i915/gt/intel_workarounds.c:964:6: error: stack frame
> size (3032) exceeds limit (2048) in 'intel_engine_init_ctx_wa'
> [-Werror,-Wframe-larger-than]
> void intel_engine_init_ctx_wa(struct intel_engine_cs *engine)
>
> drivers/gpu/drm/i915/gt/intel_workarounds.c:1818:6: error: stack frame
> size (5496) exceeds limit (2048) in 'intel_gt_init_workarounds'
> [-Werror,-Wframe-larger-than]
> void intel_gt_init_workarounds(struct intel_gt *gt)
>
> drivers/gpu/drm/i915/gt/intel_workarounds.c:3153:6: error: stack frame
> size (5848) exceeds limit (2048) in 'intel_engine_init_workarounds'
> [-Werror,-Wframe-larger-than]
> void intel_engine_init_workarounds(struct intel_engine_cs *engine)
>

KASAN=n:
drivers/gpu/drm/i915/gt/intel_workarounds.c:3360:5: error: stack frame
size (144) exceeds limit (128) in 'intel_engine_verify_workarounds'
[-Werror,-Wframe-larger-than]
int intel_engine_verify_workarounds(struct intel_engine_cs *engine,
^


KASAN=y, KASAN_STACK=n:
drivers/gpu/drm/i915/gt/intel_workarounds.c:1818:6: error: stack frame
size (136) exceeds limit (128) in 'intel_gt_init_workarounds'
[-Werror,-Wframe-larger-than]
void intel_gt_init_workarounds(struct intel_gt *gt)
^
drivers/gpu/drm/i915/gt/intel_workarounds.c:1942:6: error: stack frame
size (168) exceeds limit (128) in 'intel_gt_verify_workarounds'
[-Werror,-Wframe-larger-than]
bool intel_gt_verify_workarounds(struct intel_gt *gt, const char *from)
^
drivers/gpu/drm/i915/gt/intel_workarounds.c:3360:5: error: stack frame
size (288) exceeds limit (128) in 'intel_engine_verify_workarounds'
[-Werror,-Wframe-larger-than]
int intel_engine_verify_workarounds(struct intel_engine_cs *engine,


When enabling KASAN_STACK there's excessive stack usage, varying from
~2.8k to 5.6k


KASAN=y, KASAN_STACK=y:
> drivers/usb/core/devio.c:2801:13: error: stack frame size (2104) exceeds
> limit (2048) in 'usbdev_ioctl' [-Werror,-Wframe-larger-than]
> static long usbdev_ioctl(struct file *file, unsigned int cmd,

KASAN=n
drivers/usb/core/devio.c:2801:13: error: stack frame size (416) exceeds
limit (256) in 'usbdev_ioctl' [-Werror,-Wframe-larger-than]
static long usbdev_ioctl(struct file *file, unsigned int cmd,

KASAN=y, KASAN_STACK=n:
drivers/usb/core/devio.c:2801:13: error: stack frame size (480) exceeds
limit (256) in 'usbdev_ioctl' [-Werror,-Wframe-larger-than]
static long usbdev_ioctl(struct file *file, unsigned int cmd,


The overall conclusion is that KASAN adds a little bloat to the stack,
but nothing non-manageable, while when enabling KASAN_STACK the stack
goes crazy with excess from ~1.7k to ~5.6k for these particular examples.

Cheers,
ta

Tudor Ambarus

unread,
Apr 21, 2023, 9:04:39 AM4/21/23
to Aleksandr Nogikh, Lee Jones, Dmitry Vyukov, syzbot, syzkaller-a...@googlegroups.com
FYI I sent a patch addressing this at:
LINK:
https://lore.kernel.org/all/20230421130111.4041...@linaro.org/