[syzbot] [net?] [bpf?] general protection fault in __dev_flush

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 68b59730459e Merge tag 'perf-tools-for-v6.11-2024-07-16' o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14cb0ab5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b6230d83d52af231
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8229997a3dbb/disk-68b59730.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fd51823e0836/vmlinux-68b59730.xz
kernel image: https://storage.googleapis.com/syzbot-assets/01811b27f987/bzImage-68b59730.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+446233...@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead4ead00000008-0xdead4ead0000000f]
CPU: 1 PID: 8860 Comm: syz.0.1070 Not tainted 6.10.0-syzkaller-08280-g68b59730459e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:__list_del include/linux/list.h:195 [inline]
RIP: 0010:__list_del_clearprev include/linux/list.h:209 [inline]
RIP: 0010:__dev_flush+0xe4/0x160 kernel/bpf/devmap.c:428
Code: b8 00 00 00 00 00 fc ff df 41 80 7c 05 00 00 49 89 c5 74 08 48 89 df e8 6a c3 3d 00 48 8b 2b 48 8d 5d 08 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 3d c4 3d 00 4c 89 23 4c 89 e0 48
RSP: 0018:ffffc90000a18af0 EFLAGS: 00010212
RAX: 1bd5a9d5a0000001 RBX: dead4ead00000008 RCX: 0000000000000000
RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8880b943e868
RBP: dead4ead00000000 R08: ffff8880b943e867 R09: ffff8880b943e858
R10: dffffc0000000000 R11: ffffed1017287d0d R12: 00000000ffffffff
R13: dffffc0000000000 R14: ffff8880b943e848 R15: 1ffff11017287d09
FS: 00007f33633c96c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffec0000 CR3: 0000000054f40000 CR4: 0000000000350ef0
Call Trace:
<IRQ>
xdp_do_check_flushed+0x129/0x240 net/core/filter.c:4300
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c6/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
common_interrupt+0xaa/0xd0 arch/x86/kernel/irq.c:278
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:finish_task_switch+0x1ea/0x870 kernel/sched/core.c:5062
Code: c9 50 e8 19 b6 0b 00 48 83 c4 08 4c 89 f7 e8 7d 38 00 00 e9 de 04 00 00 4c 89 f7 e8 d0 d9 32 0a e8 4b e8 36 00 fb 48 8b 5d c0 <48> 8d bb f8 15 00 00 48 89 f8 48 c1 e8 03 49 be 00 00 00 00 00 fc
RSP: 0018:ffffc90003a377a8 EFLAGS: 00000286
RAX: 94ed15acce52c200 RBX: ffff88807e01da00 RCX: ffffffff947db703
RDX: dffffc0000000000 RSI: ffffffff8bcac9a0 RDI: ffffffff8c205b20
RBP: ffffc90003a377f0 R08: ffffffff8faec7af R09: 1ffffffff1f5d8f5
R10: dffffc0000000000 R11: fffffbfff1f5d8f6 R12: 1ffff110172a7ebb
R13: dffffc0000000000 R14: ffff8880b943e840 R15: ffff8880b953f5d8
context_switch kernel/sched/core.c:5191 [inline]
__schedule+0x1808/0x4a60 kernel/sched/core.c:6529
__schedule_loop kernel/sched/core.c:6606 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6621
futex_wait_queue+0x14e/0x1d0 kernel/futex/waitwake.c:370
__futex_wait+0x17f/0x320 kernel/futex/waitwake.c:669
futex_wait+0x101/0x360 kernel/futex/waitwake.c:697
do_futex+0x33b/0x560 kernel/futex/syscalls.c:102
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex+0x3f9/0x480 kernel/futex/syscalls.c:160
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3362575b59
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f33633c90f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f3362705f68 RCX: 00007f3362575b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f3362705f68
RBP: 00007f3362705f60 R08: 00007f33633c96c0 R09: 00007f33633c96c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3362705f6c
R13: 000000000000000b R14: 00007ffec9a21080 R15: 00007ffec9a21168
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del include/linux/list.h:195 [inline]
RIP: 0010:__list_del_clearprev include/linux/list.h:209 [inline]
RIP: 0010:__dev_flush+0xe4/0x160 kernel/bpf/devmap.c:428
Code: b8 00 00 00 00 00 fc ff df 41 80 7c 05 00 00 49 89 c5 74 08 48 89 df e8 6a c3 3d 00 48 8b 2b 48 8d 5d 08 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 3d c4 3d 00 4c 89 23 4c 89 e0 48
RSP: 0018:ffffc90000a18af0 EFLAGS: 00010212
RAX: 1bd5a9d5a0000001 RBX: dead4ead00000008 RCX: 0000000000000000
RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8880b943e868
RBP: dead4ead00000000 R08: ffff8880b943e867 R09: ffff8880b943e858
R10: dffffc0000000000 R11: ffffed1017287d0d R12: 00000000ffffffff
R13: dffffc0000000000 R14: ffff8880b943e848 R15: 1ffff11017287d09
FS: 00007f33633c96c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffec0000 CR3: 0000000054f40000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: b8 00 00 00 00 mov $0x0,%eax
5: 00 fc add %bh,%ah
7: ff (bad)
8: df 41 80 filds -0x80(%rcx)
b: 7c 05 jl 0x12
d: 00 00 add %al,(%rax)
f: 49 89 c5 mov %rax,%r13
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 6a c3 3d 00 call 0x3dc386
1c: 48 8b 2b mov (%rbx),%rbp
1f: 48 8d 5d 08 lea 0x8(%rbp),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 3d c4 3d 00 call 0x3dc476
39: 4c 89 23 mov %r12,(%rbx)
3c: 4c 89 e0 mov %r12,%rax
3f: 48 rex.W


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 7846b618e0a4 Merge tag 'rtc-6.11' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142d3eb5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=be4129de17851dbe
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=154c40b1980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14f3e11d980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-7846b618.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3a2831ffe61c/vmlinux-7846b618.xz
kernel image: https://storage.googleapis.com/syzbot-assets/575e23a7c452/bzImage-7846b618.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+446233...@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 5389 Comm: syz-executor357 Not tainted 6.10.0-syzkaller-11323-g7846b618e0a4 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__dev_flush+0x49/0x1e0 kernel/bpf/devmap.c:424
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 98 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 2f 48 8d 5d 80 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 69 01 00 00 48 8b 45 00 49 39 ef 4c 8d 60 80 0f
RSP: 0018:ffffc900008b0c90 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffffffffff80 RCX: ffffffff88d6a5bb
RDX: 0000000000000000 RSI: ffffffff81af9c56 RDI: ffffc9000345fa68
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000345fa58
R13: ffff888022ec0fb0 R14: ffffc9000345fa68 R15: ffffc9000345fa68
FS: 0000555568ea6380(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007ff4743880f0 CR3: 0000000023168000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
xdp_do_check_flushed+0x40a/0x4e0 net/core/filter.c:4300
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
do_softirq kernel/softirq.c:455 [inline]
do_softirq+0xb2/0xf0 kernel/softirq.c:442
</IRQ>
<TASK>
__local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
tun_get_user+0x1d9b/0x3c30 drivers/net/tun.c:1936
tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2052
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x6b6/0x1140 fs/read_write.c:590
ksys_write+0x12f/0x260 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff47430af50
Code: 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 e1 07 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
RSP: 002b:00007ffde0326728 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffde03267c0 RCX: 00007ff47430af50
RDX: 0000000000000e80 RSI: 0000000020000100 RDI: 00000000000000c8
RBP: 00007ffde0326770 R08: 00007ffde0326750 R09: 00007ffde0326750
R10: 00007ffde0326750 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---

RIP: 0010:__dev_flush+0x49/0x1e0 kernel/bpf/devmap.c:424
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 98 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 2f 48 8d 5d 80 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 69 01 00 00 48 8b 45 00 49 39 ef 4c 8d 60 80 0f
RSP: 0018:ffffc900008b0c90 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffffffffff80 RCX: ffffffff88d6a5bb
RDX: 0000000000000000 RSI: ffffffff81af9c56 RDI: ffffc9000345fa68
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000345fa58
R13: ffff888022ec0fb0 R14: ffffc9000345fa68 R15: ffffc9000345fa68
FS: 0000555568ea6380(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007ff4743880f0 CR3: 0000000023168000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 4 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 98 01 00 00 jne 0x1a6
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 49 8b 2f mov (%r15),%rbp
1b: 48 8d 5d 80 lea -0x80(%rbp),%rbx
1f: 48 89 ea mov %rbp,%rdx
22: 48 c1 ea 03 shr $0x3,%rdx
* 26: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2a: 0f 85 69 01 00 00 jne 0x199
30: 48 8b 45 00 mov 0x0(%rbp),%rax
34: 49 39 ef cmp %rbp,%r15
37: 4c 8d 60 80 lea -0x80(%rax),%r12
3b: 0f .byte 0xf


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
include/linux/filter.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index b6672ff61407..22691015d175 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -842,15 +842,15 @@ static inline void bpf_net_ctx_get_all_used_flush_lists(struct list_head **lh_ma
if (!IS_ENABLED(CONFIG_BPF_SYSCALL))
return;

- lh = &bpf_net_ctx->dev_map_flush_list;
+ lh = this_cpu_ptr(&bpf_net_ctx->dev_map_flush_list);
if (kern_flags & BPF_RI_F_DEV_MAP_INIT && !list_empty(lh))
*lh_dev = lh;

- lh = &bpf_net_ctx->cpu_map_flush_list;
+ lh = this_cpu_ptr(&bpf_net_ctx->cpu_map_flush_list);
if (kern_flags & BPF_RI_F_CPU_MAP_INIT && !list_empty(lh))
*lh_map = lh;

- lh = &bpf_net_ctx->xskmap_map_flush_list;
+ lh = this_cpu_ptr(&bpf_net_ctx->xskmap_map_flush_list);
if (IS_ENABLED(CONFIG_XDP_SOCKETS) &&
kern_flags & BPF_RI_F_XSK_MAP_INIT && !list_empty(lh))
*lh_xsk = lh;
--

[Jeongjun Park]

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed

==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298
Read of size 4 at addr ffffc90003387a50 by task syz.0.105/5938

CPU: 0 UID: 0 PID: 5938 Comm: syz.0.105 Not tainted 6.10.0-syzkaller-g933069701c1b-dirty #0

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014

Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298

__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554

__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]

__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__schedule+0xe3f/0x5490 kernel/sched/core.c:6399
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 3f 00 00 48 8b bd 10 ff ff ff 4d 89 77 10 4c 89 f6 e8 c9 a5 0f f6 48 89 c7 e8 61 54 6a f6 <48> 8b 8d a0 fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 01 c1 48 c7
RSP: 0018:ffffc90003387980 EFLAGS: 00000206
RAX: 00000000000001a9 RBX: ffff888043a40000 RCX: 1ffffffff1fce089
RDX: 0000000000000000 RSI: ffffffff8b2cc580 RDI: ffffffff8b90c740
RBP: ffffc90003387b10 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe7489f R11: 0000000000000001 R12: ffff88806b03f908
R13: 0000000000000000 R14: ffff888043a40000 R15: ffff88806b03ee00
preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:6708
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk.S:12
class_preempt_destructor include/linux/preempt.h:480 [inline]
class_preempt_destructor include/linux/preempt.h:480 [inline]
try_to_wake_up+0xc08/0x13e0 kernel/sched/core.c:4022
wake_up_process kernel/sched/core.c:4299 [inline]
wake_up_q+0x91/0x140 kernel/sched/core.c:1029
futex_wake+0x43e/0x4e0 kernel/futex/waitwake.c:199
do_futex+0x1e5/0x350 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex kernel/futex/syscalls.c:160 [inline]
__x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7faaa0975b59
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faaa16670f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007faaa0b05f68 RCX: 00007faaa0975b59
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007faaa0b05f6c
RBP: 00007faaa0b05f60 R08: 00007faaa1668080 R09: 00007faaa16676c0
R10: 0000000000000e80 R11: 0000000000000246 R12: 00007faaa0b05f6c
R13: 000000000000000b R14: 00007fff8e045980 R15: 00007fff8e045a68
</TASK>

The buggy address belongs to stack of task syz.0.105/5938
and is located at offset 40 in frame:
__schedule+0x0/0x5490

This frame has 3 objects:
[48, 52) 'cid'
[64, 80) 'rf'
[96, 120) 'ac'

The buggy address belongs to the virtual mapping at
[ffffc90003380000, ffffc90003389000) created by:
kernel_clone+0xfd/0x980 kernel/fork.c:2781

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801f49d0f0 pfn:0x1f49d
memcg:ffff88802787e902
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88801f49d0f0 0000000000000000 00000001ffffffff ffff88802787e902
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5663, tgid 5663 (syz-executor), ts 127270798487, free_ts 127240380476
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
__vmalloc_area_node mm/vmalloc.c:3660 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
kernel_clone+0xfd/0x980 kernel/fork.c:2781
__do_sys_clone+0xba/0x100 kernel/fork.c:2924

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

page last free pid 5663 tgid 5663 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608
__folio_put+0x31c/0x3e0 mm/swap.c:128
folio_put include/linux/mm.h:1479 [inline]
free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308
__tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2569 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2843
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554

__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]

__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Memory state around the buggy address:
ffffc90003387900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90003387980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90003387a00: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00 f2
^
ffffc90003387a80: f2 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00
ffffc90003387b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

----------------
Code disassembly (best guess):

0: fa cli
1: 48 c1 ea 03 shr $0x3,%rdx
5: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
9: 0f 85 ba 3f 00 00 jne 0x3fc9
f: 48 8b bd 10 ff ff ff mov -0xf0(%rbp),%rdi
16: 4d 89 77 10 mov %r14,0x10(%r15)
1a: 4c 89 f6 mov %r14,%rsi
1d: e8 c9 a5 0f f6 call 0xf60fa5eb
22: 48 89 c7 mov %rax,%rdi
25: e8 61 54 6a f6 call 0xf66a548b
* 2a: 48 8b 8d a0 fe ff ff mov -0x160(%rbp),%rcx <-- trapping instruction
31: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38: fc ff df
3b: 48 01 c1 add %rax,%rcx
3e: 48 rex.W
3f: c7 .byte 0xc7


Tested on:

commit: 93306970 Merge tag '6.11-rc-smb3-server-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1162fe3d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c043ce4607a33671

dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1214995e980000

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed

==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]

BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
Read of size 4 at addr ffffc9000167fa50 by task syz.0.111/5959

CPU: 1 UID: 0 PID: 5959 Comm: syz.0.111 Not tainted 6.10.0-syzkaller-g933069701c1b #0

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]

xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298

__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

RIP: 0010:write_comp_data+0x0/0x90 kernel/kcov.c:230
Code: 48 8b 05 e3 5c 79 7e 48 8b 80 10 16 00 00 c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <49> 89 d2 49 89 f8 49 89 f1 65 48 8b 15 af 5c 79 7e 65 8b 05 b0 5c
RSP: 0018:ffffc9000167f618 EFLAGS: 00000246
RAX: 0000000000000003 RBX: ffffea0000d86e40 RCX: ffffffff81d6e231
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000005
RBP: ffffea0000d86e40 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffffc9000167fab8
__folio_rmap_sanity_checks+0x61/0x550 include/linux/rmap.h:201
__folio_remove_rmap mm/rmap.c:1514 [inline]
folio_remove_rmap_ptes+0x31/0x3d0 mm/rmap.c:1595
zap_present_folio_ptes mm/memory.c:1517 [inline]
zap_present_ptes mm/memory.c:1576 [inline]
zap_pte_range mm/memory.c:1618 [inline]
zap_pmd_range mm/memory.c:1736 [inline]
zap_pud_range mm/memory.c:1765 [inline]
zap_p4d_range mm/memory.c:1786 [inline]
unmap_page_range+0x1997/0x3c10 mm/memory.c:1807
unmap_single_vma+0x194/0x2b0 mm/memory.c:1853
unmap_vmas+0x22f/0x490 mm/memory.c:1897
exit_mmap+0x1b8/0xb20 mm/mmap.c:3382
__mmput+0x12a/0x480 kernel/fork.c:1345
mmput+0x62/0x70 kernel/fork.c:1367
exit_mm kernel/exit.c:571 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:869
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
get_signal+0x25fd/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66e7375b59
Code: Unable to access opcode bytes at 0x7f66e7375b2f.
RSP: 002b:00007f66e809c0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f66e7505f68 RCX: 00007f66e7375b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f66e7505f68
RBP: 00007f66e7505f60 R08: 00007f66e809c6c0 R09: 00007f66e809c6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f66e7505f6c
R13: 000000000000000b R14: 00007ffd814e49e0 R15: 00007ffd814e4ac8
</TASK>

The buggy address belongs to stack of task syz.0.111/5959
and is located at offset 24 in frame:
exit_mmap+0x0/0xb20 mm/mmap.c:3202

This frame has 2 objects:
[32, 96) 'vmi'
[128, 256) 'tlb'

The buggy address belongs to the virtual mapping at

[ffffc90001678000, ffffc90001681000) created by:

kernel_clone+0xfd/0x980 kernel/fork.c:2781

The buggy address belongs to the physical page:

page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801ec13150 pfn:0x1ec13
memcg:ffff8880261f3b82

flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000

raw: ffff88801ec13150 0000000000000000 00000001ffffffff ffff8880261f3b82

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5636, tgid 5636 (syz-executor), ts 121181133330, free_ts 121100052787

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
__vmalloc_area_node mm/vmalloc.c:3660 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
kernel_clone+0xfd/0x980 kernel/fork.c:2781
__do_sys_clone+0xba/0x100 kernel/fork.c:2924
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

page last free pid 0 tgid 0 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608
__folio_put+0x31c/0x3e0 mm/swap.c:128
folio_put include/linux/mm.h:1479 [inline]
free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308
__tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2569 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2843
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Memory state around the buggy address:

ffffc9000167f900: 00 f2 f2 f2 00 f2 f2 f2 00 00 f2 f2 00 00 00 00
ffffc9000167f980: 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
>ffffc9000167fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
^
ffffc9000167fa80: 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
ffffc9000167fb00: 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00

==================================================================
----------------
Code disassembly (best guess):

0: 48 8b 05 e3 5c 79 7e mov 0x7e795ce3(%rip),%rax # 0x7e795cea
7: 48 8b 80 10 16 00 00 mov 0x1610(%rax),%rax
e: c3 ret
f: cc int3
10: cc int3
11: cc int3
12: cc int3
13: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: 90 nop
23: 90 nop
24: 90 nop
25: 90 nop
26: 90 nop
27: 90 nop
28: 90 nop
29: 90 nop
* 2a: 49 89 d2 mov %rdx,%r10 <-- trapping instruction
2d: 49 89 f8 mov %rdi,%r8
30: 49 89 f1 mov %rsi,%r9
33: 65 48 8b 15 af 5c 79 mov %gs:0x7e795caf(%rip),%rdx # 0x7e795cea
3a: 7e
3b: 65 gs
3c: 8b .byte 0x8b
3d: 05 .byte 0x5
3e: b0 5c mov $0x5c,%al

Tested on:

commit: 93306970 Merge tag '6.11-rc-smb3-server-fixes' of git:..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=17687d79980000

kernel config: https://syzkaller.appspot.com/x/.config?x=c043ce4607a33671
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7846b618e0a4c3e08888099d1d4512722b39ca99

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed

==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]

BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298
Read of size 4 at addr ffffc9000336fa50 by task syz.0.70/5863

CPU: 1 PID: 5863 Comm: syz.0.70 Not tainted 6.10.0-syzkaller-11323-g7846b618e0a4-dirty #0

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114

print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]

xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298

__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

RIP: 0010:__schedule+0xe3f/0x5490 kernel/sched/core.c:6399

Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 3f 00 00 48 8b bd 10 ff ff ff 4d 89 77 10 4c 89 f6 e8 b9 6e 0f f6 48 89 c7 e8 71 e8 69 f6 <48> 8b 8d a0 fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 01 c1 48 c7
RSP: 0018:ffffc9000336f980 EFLAGS: 00000206
RAX: 000000000000018b RBX: ffff8880256b0000 RCX: 1ffffffff1fce461
RDX: 0000000000000000 RSI: ffffffff8b2cbac0 RDI: ffffffff8b909e40
RBP: ffffc9000336fb10 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe7675f R11: 0000000000000001 R12: ffff88806b13f788
R13: 0000000000000000 R14: ffff8880256b0000 R15: ffff88806b13ec80

preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:6708
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk.S:12
class_preempt_destructor include/linux/preempt.h:480 [inline]
class_preempt_destructor include/linux/preempt.h:480 [inline]
try_to_wake_up+0xc08/0x13e0 kernel/sched/core.c:4022
wake_up_process kernel/sched/core.c:4299 [inline]
wake_up_q+0x91/0x140 kernel/sched/core.c:1029
futex_wake+0x43e/0x4e0 kernel/futex/waitwake.c:199
do_futex+0x1e5/0x350 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex kernel/futex/syscalls.c:160 [inline]
__x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fc830f75b59

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007fc831d8e0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007fc831105f68 RCX: 00007fc830f75b59
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fc831105f6c
RBP: 00007fc831105f60 R08: 00007fc831d8f080 R09: 00007fc831d8e6c0
R10: 0000000000000e80 R11: 0000000000000246 R12: 00007fc831105f6c
R13: 000000000000000b R14: 00007ffea9d2b330 R15: 00007ffea9d2b418
</TASK>

The buggy address belongs to stack of task syz.0.70/5863

and is located at offset 40 in frame:
__schedule+0x0/0x5490

This frame has 3 objects:
[48, 52) 'cid'
[64, 80) 'rf'
[96, 120) 'ac'

The buggy address belongs to the virtual mapping at

[ffffc90003368000, ffffc90003371000) created by:
kernel_clone+0xfd/0x980 kernel/fork.c:2780

The buggy address belongs to the physical page:

page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802b714360 pfn:0x2b714
memcg:ffff888021296f02

flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000

raw: ffff88802b714360 0000000000000000 00000001ffffffff ffff888021296f02

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5862, tgid 5862 (syz.0.70), ts 130256428069, free_ts 129532353425
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1473
prep_new_page mm/page_alloc.c:1481 [inline]
get_page_from_freelist+0x1353/0x2e50 mm/page_alloc.c:3425
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4683
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2265
vm_area_alloc_pages mm/vmalloc.c:3583 [inline]
__vmalloc_area_node mm/vmalloc.c:3659 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3840
alloc_thread_stack_node kernel/fork.c:311 [inline]
dup_task_struct kernel/fork.c:1111 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2203
kernel_clone+0xfd/0x980 kernel/fork.c:2780
__do_sys_clone3+0x1f5/0x270 kernel/fork.c:3084

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

page last free pid 5829 tgid 5828 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1093 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2588
tlb_batch_list_free mm/mmu_gather.c:159 [inline]
tlb_finish_mmu+0x237/0x7b0 mm/mmu_gather.c:468
exit_mmap+0x3d1/0xb20 mm/mmap.c:3354
__mmput+0x12a/0x480 kernel/fork.c:1343
mmput+0x62/0x70 kernel/fork.c:1365
exit_mm kernel/exit.c:566 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:864
do_group_exit+0xd3/0x2a0 kernel/exit.c:1026
get_signal+0x25fb/0x2770 kernel/signal.c:2917

arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:

ffffc9000336f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000336f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000336fa00: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00 f2
^
ffffc9000336fa80: f2 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00
ffffc9000336fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

==================================================================
----------------
Code disassembly (best guess):

0: fa cli
1: 48 c1 ea 03 shr $0x3,%rdx
5: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
9: 0f 85 ba 3f 00 00 jne 0x3fc9
f: 48 8b bd 10 ff ff ff mov -0xf0(%rbp),%rdi
16: 4d 89 77 10 mov %r14,0x10(%r15)
1a: 4c 89 f6 mov %r14,%rsi

1d: e8 b9 6e 0f f6 call 0xf60f6edb

22: 48 89 c7 mov %rax,%rdi

25: e8 71 e8 69 f6 call 0xf669e89b

* 2a: 48 8b 8d a0 fe ff ff mov -0x160(%rbp),%rcx <-- trapping instruction
31: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38: fc ff df
3b: 48 01 c1 add %rax,%rcx
3e: 48 rex.W
3f: c7 .byte 0xc7


Tested on:

commit: 7846b618 Merge tag 'rtc-6.11' of git://git.kernel.org/..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11d729b5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=be4129de17851dbe

dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=148939c3980000

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
drivers/net/tun.c | 4 ----
1 file changed, 4 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 9b24861464bc..022ffadae2af 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1661,7 +1661,6 @@ static struct sk_buff *tun_build_skb(struct tun_struct *tun,
int len, int *skb_xdp)
{
struct page_frag *alloc_frag = &current->task_frag;
- struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
struct bpf_prog *xdp_prog;
int buflen = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
char *buf;
@@ -1701,7 +1700,6 @@ static struct sk_buff *tun_build_skb(struct tun_struct *tun,

local_bh_disable();
rcu_read_lock();
- bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);
xdp_prog = rcu_dereference(tun->xdp_prog);
if (xdp_prog) {
struct xdp_buff xdp;
@@ -1730,14 +1728,12 @@ static struct sk_buff *tun_build_skb(struct tun_struct *tun,
pad = xdp.data - xdp.data_hard_start;
len = xdp.data_end - xdp.data;
}
- bpf_net_ctx_clear(bpf_net_ctx);
rcu_read_unlock();
local_bh_enable();

return __tun_build_skb(tfile, alloc_frag, buf, buflen, len, pad);

out:
- bpf_net_ctx_clear(bpf_net_ctx);
rcu_read_unlock();
local_bh_enable();
return NULL;
--

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed

==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]

BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
Read of size 4 at addr ffffc9000331fa50 by task syz.0.36/5802

CPU: 0 UID: 0 PID: 5802 Comm: syz.0.36 Not tainted 6.10.0-syzkaller-12246-g786c8248dbd3-dirty #0

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>

__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119

print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]

xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298

__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649

instr_sysvec_call_function arch/x86/kernel/smp.c:257 [inline]
sysvec_call_function+0x95/0xb0 arch/x86/kernel/smp.c:257
</IRQ>
<TASK>
asm_sysvec_call_function+0x1a/0x20 arch/x86/include/asm/idtentry.h:710
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:200
Code: be b0 01 00 00 e8 a0 ff ff ff 31 c0 c3 cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 65 48 8b 15 94 54 79 7e 65 8b 05 95 54 79 7e a9 00 01
RSP: 0018:ffffc9000331f3e8 EFLAGS: 00000283
RAX: dffffc0000000000 RBX: ffffc9000331f470 RCX: ffffffff813cf026
RDX: 1ffff92000663e90 RSI: ffffffff813cf082 RDI: ffffc9000331f480
RBP: ffffc9000331fcd0 R08: 0000000000000004 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003318000
R13: ffffc90003320000 R14: 0000000000000001 R15: 0000000000000001
on_stack arch/x86/include/asm/stacktrace.h:60 [inline]
unwind_next_frame+0x11af/0x23a0 arch/x86/kernel/unwind_orc.c:665
arch_stack_walk+0x100/0x170 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kmem_cache_free+0x12f/0x3a0 mm/slub.c:4548
anon_vma_chain_free mm/rmap.c:147 [inline]
unlink_anon_vmas+0x173/0x820 mm/rmap.c:421
free_pgtables+0x33c/0x950 mm/memory.c:409
exit_mmap+0x3c9/0xb20 mm/mmap.c:3393

__mmput+0x12a/0x480 kernel/fork.c:1345
mmput+0x62/0x70 kernel/fork.c:1367
exit_mm kernel/exit.c:571 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:869
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031

get_signal+0x25fd/0x2770 kernel/signal.c:2917

arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f0dd5175b59
Code: Unable to access opcode bytes at 0x7f0dd5175b2f.
RSP: 002b:00007f0dd5f6a0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f0dd5305f68 RCX: 00007f0dd5175b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0dd5305f68
RBP: 00007f0dd5305f60 R08: 00007f0dd5f6a6c0 R09: 00007f0dd5f6a6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0dd5305f6c
R13: 000000000000000b R14: 00007ffd8748bdc0 R15: 00007ffd8748bea8
</TASK>

The buggy address belongs to stack of task syz.0.36/5802

and is located at offset 24 in frame:
exit_mmap+0x0/0xb20 mm/mmap.c:3202

This frame has 2 objects:
[32, 96) 'vmi'
[128, 256) 'tlb'

The buggy address belongs to the virtual mapping at

[ffffc90003318000, ffffc90003321000) created by:
kernel_clone+0xfd/0x980 kernel/fork.c:2781

The buggy address belongs to the physical page:

page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888029ce3690 pfn:0x29ce3
memcg:ffff88801dd09c02

flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000

raw: ffff888029ce3690 0000000000000000 00000001ffffffff ffff88801dd09c02

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5781, tgid 5781 (syz.0.26), ts 125931643135, free_ts 125907940889
set_page_owner include/linux/page_owner.h:32 [inline]

post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
__vmalloc_area_node mm/vmalloc.c:3660 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
kernel_clone+0xfd/0x980 kernel/fork.c:2781

__do_sys_clone3+0x1f5/0x270 kernel/fork.c:3085

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

page last free pid 5780 tgid 5779 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]

free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608
__folio_put+0x31c/0x3e0 mm/swap.c:128
folio_put include/linux/mm.h:1479 [inline]
free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308
__tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2569 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2843

handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043

asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Memory state around the buggy address:

ffffc9000331f900: 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00
ffffc9000331f980: 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
>ffffc9000331fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
^
ffffc9000331fa80: 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
ffffc9000331fb00: 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00

==================================================================
----------------
Code disassembly (best guess):

0: be b0 01 00 00 mov $0x1b0,%esi
5: e8 a0 ff ff ff call 0xffffffaa
a: 31 c0 xor %eax,%eax
c: c3 ret
d: cc int3
e: cc int3

f: cc int3
10: cc int3

11: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
18: 00 00

1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: 90 nop
23: 90 nop
24: 90 nop
25: 90 nop
26: 90 nop
27: 90 nop
28: 90 nop
29: 90 nop

* 2a: f3 0f 1e fa endbr64 <-- trapping instruction
2e: 65 48 8b 15 94 54 79 mov %gs:0x7e795494(%rip),%rdx # 0x7e7954ca
35: 7e
36: 65 8b 05 95 54 79 7e mov %gs:0x7e795495(%rip),%eax # 0x7e7954d2
3d: a9 .byte 0xa9
3e: 00 01 add %al,(%rcx)


Tested on:

commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e39145980000
kernel config: https://syzkaller.appspot.com/x/.config?x=47beaba1a1054668

dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=138553b5980000

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---

drivers/net/tun.c | 7 -------
1 file changed, 7 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 9b24861464bc..9254bca2813d 100644

@@ -2570,7 +2566,6 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)

if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
ctl && ctl->type == TUN_MSG_PTR) {

- struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;

struct tun_page tpage;
int n = ctl->num;
int flush = 0, queued = 0;
@@ -2579,7 +2574,6 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)

local_bh_disable();
rcu_read_lock();
- bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);

for (i = 0; i < n; i++) {
xdp = &((struct xdp_buff *)ctl->ptr)[i];
@@ -2594,7 +2588,6 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
if (tfile->napi_enabled && queued > 0)
napi_schedule(&tfile->napi);

- bpf_net_ctx_clear(bpf_net_ctx);
rcu_read_unlock();
local_bh_enable();

--

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed

==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298

Read of size 4 at addr ffffc900032bfa50 by task syz.0.42/5811

CPU: 0 UID: 0 PID: 5811 Comm: syz.0.42 Not tainted 6.10.0-syzkaller-12246-g786c8248dbd3-dirty #0

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649

instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043

</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

RIP: 0010:const_folio_flags.constprop.0+0x56/0x150 include/linux/page-flags.h:310
Code: 8b 6b 08 31 ff 83 e5 01 48 89 ee e8 84 cc ab ff 48 85 ed 0f 85 d4 00 00 00 e8 46 d1 ab ff 66 90 e8 3f d1 ab ff e8 3a d1 ab ff <48> 89 d8 5b 5d 41 5c c3 cc cc cc cc e8 29 d1 ab ff 48 89 dd 31 ff
RSP: 0018:ffffc900032bf6d0 EFLAGS: 00000293
RAX: 0000000000000000 RBX: ffffea00010118c0 RCX: ffffffff81deb54c
RDX: ffff8880274e8000 RSI: ffffffff81deb566 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000127
R13: ffff88802305c948 R14: ffffea00010118c0 R15: 0000000000000000
folio_test_swapbacked include/linux/page-flags.h:534 [inline]
folio_test_swapcache include/linux/page-flags.h:576 [inline]
free_swap_cache mm/swap_state.c:291 [inline]
free_pages_and_swap_cache+0x24e/0x510 mm/swap_state.c:325
__tlb_batch_free_encoded_pages+0xf9/0x290 mm/mmu_gather.c:136
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu mm/mmu_gather.c:373 [inline]
tlb_finish_mmu+0x168/0x7b0 mm/mmu_gather.c:465
exit_mmap+0x3d1/0xb20 mm/mmap.c:3395

__mmput+0x12a/0x480 kernel/fork.c:1345
mmput+0x62/0x70 kernel/fork.c:1367
exit_mm kernel/exit.c:571 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:869
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
get_signal+0x25fd/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f6f7c575b59
Code: Unable to access opcode bytes at 0x7f6f7c575b2f.
RSP: 002b:00007f6f7d27b0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6f7c705f68 RCX: 00007f6f7c575b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6f7c705f68
RBP: 00007f6f7c705f60 R08: 00007f6f7d27b6c0 R09: 00007f6f7d27b6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6f7c705f6c
R13: 000000000000000b R14: 00007ffd97f8d280 R15: 00007ffd97f8d368
</TASK>

The buggy address belongs to stack of task syz.0.42/5811

and is located at offset 24 in frame:
exit_mmap+0x0/0xb20 mm/mmap.c:3202

This frame has 2 objects:
[32, 96) 'vmi'
[128, 256) 'tlb'

The buggy address belongs to the virtual mapping at

[ffffc900032b8000, ffffc900032c1000) created by:

kernel_clone+0xfd/0x980 kernel/fork.c:2781

The buggy address belongs to the physical page:

page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802b3e0000 pfn:0x2b3e0
memcg:ffff8880206d0182

flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000

raw: ffff88802b3e0000 0000000000000000 00000001ffffffff ffff8880206d0182

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5653, tgid 5653 (syz-executor), ts 116595661744, free_ts 116458660012

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
__vmalloc_area_node mm/vmalloc.c:3660 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
kernel_clone+0xfd/0x980 kernel/fork.c:2781

__do_sys_clone+0xba/0x100 kernel/fork.c:2924

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

page last free pid 5653 tgid 5653 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608

qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
__kmalloc_cache_node_noprof+0x173/0x350 mm/slub.c:4197
kmalloc_node_noprof include/linux/slab.h:704 [inline]
__get_vm_area_node+0xe1/0x2d0 mm/vmalloc.c:3109
__vmalloc_node_range_noprof+0x276/0x1520 mm/vmalloc.c:3801
__vmalloc_node_noprof mm/vmalloc.c:3906 [inline]
vzalloc_noprof+0x6b/0x90 mm/vmalloc.c:3979
alloc_counters net/ipv4/netfilter/ip_tables.c:799 [inline]
copy_entries_to_user net/ipv4/netfilter/ip_tables.c:821 [inline]
get_entries net/ipv4/netfilter/ip_tables.c:1022 [inline]
do_ipt_get_ctl+0x6b8/0xaa0 net/ipv4/netfilter/ip_tables.c:1668
nf_getsockopt+0x79/0xe0 net/netfilter/nf_sockopt.c:116
ip_getsockopt+0x18e/0x1e0 net/ipv4/ip_sockglue.c:1777
tcp_getsockopt+0x9e/0x100 net/ipv4/tcp.c:4409
do_sock_getsockopt+0x2e5/0x760 net/socket.c:2386
__sys_getsockopt+0x1a1/0x270 net/socket.c:2415
__do_sys_getsockopt net/socket.c:2425 [inline]
__se_sys_getsockopt net/socket.c:2422 [inline]
__x64_sys_getsockopt+0xbd/0x160 net/socket.c:2422

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83

Memory state around the buggy address:

ffffc900032bf900: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900032bf980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900032bfa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
^
ffffc900032bfa80: 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
ffffc900032bfb00: 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00

==================================================================
----------------
Code disassembly (best guess):

0: 8b 6b 08 mov 0x8(%rbx),%ebp
3: 31 ff xor %edi,%edi
5: 83 e5 01 and $0x1,%ebp
8: 48 89 ee mov %rbp,%rsi
b: e8 84 cc ab ff call 0xffabcc94
10: 48 85 ed test %rbp,%rbp
13: 0f 85 d4 00 00 00 jne 0xed
19: e8 46 d1 ab ff call 0xffabd164
1e: 66 90 xchg %ax,%ax
20: e8 3f d1 ab ff call 0xffabd164
25: e8 3a d1 ab ff call 0xffabd164
* 2a: 48 89 d8 mov %rbx,%rax <-- trapping instruction
2d: 5b pop %rbx
2e: 5d pop %rbp
2f: 41 5c pop %r12
31: c3 ret
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: e8 29 d1 ab ff call 0xffabd164
3b: 48 89 dd mov %rbx,%rbp
3e: 31 ff xor %edi,%edi

Tested on:

commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=1293bca1980000

kernel config: https://syzkaller.appspot.com/x/.config?x=47beaba1a1054668
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=11c0adad980000

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---

net/core/dev.c | 5 -----
1 file changed, 5 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 6ea1d20676fb..ca1d470bc48a 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5126,14 +5126,11 @@ static DEFINE_STATIC_KEY_FALSE(generic_xdp_needed_key);

int do_xdp_generic(struct bpf_prog *xdp_prog, struct sk_buff **pskb)
{

- struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;

-

if (xdp_prog) {
struct xdp_buff xdp;

u32 act;
int err;

- bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);
act = netif_receive_generic_xdp(pskb, &xdp, xdp_prog);
if (act != XDP_PASS) {
switch (act) {
@@ -5147,13 +5144,11 @@ int do_xdp_generic(struct bpf_prog *xdp_prog, struct sk_buff **pskb)
generic_xdp_tx(*pskb, xdp_prog);
break;
}
- bpf_net_ctx_clear(bpf_net_ctx);
return XDP_DROP;
}
}
return XDP_PASS;
out_redir:
- bpf_net_ctx_clear(bpf_net_ctx);
kfree_skb_reason(*pskb, SKB_DROP_REASON_XDP);
return XDP_DROP;
}
--

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+446233...@syzkaller.appspotmail.com
Tested-by: syzbot+446233...@syzkaller.appspotmail.com

Tested on:

commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=167af1f1980000

kernel config: https://syzkaller.appspot.com/x/.config?x=47beaba1a1054668
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=174a58e3980000

Note: testing is done by a robot and is best-effort only.

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---

drivers/net/tun.c | 3 +++
net/core/dev.c | 8 +++-----
2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 9b24861464bc..095ada4a525e 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1919,10 +1919,12 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,

if (skb_xdp) {
struct bpf_prog *xdp_prog;
+ struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
int ret;

local_bh_disable();
rcu_read_lock();
+ bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);

xdp_prog = rcu_dereference(tun->xdp_prog);
if (xdp_prog) {

ret = do_xdp_generic(xdp_prog, &skb);
@@ -1932,6 +1934,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
goto unlock_frags;
}
}
+ bpf_net_ctx_clear(bpf_net_ctx);
rcu_read_unlock();
local_bh_enable();
}
diff --git a/net/core/dev.c b/net/core/dev.c
index 6ea1d20676fb..26f9fdd66e64 100644

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5126,14 +5126,11 @@ static DEFINE_STATIC_KEY_FALSE(generic_xdp_needed_key);

int do_xdp_generic(struct bpf_prog *xdp_prog, struct sk_buff **pskb)
{
- struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
-
if (xdp_prog) {
struct xdp_buff xdp;
u32 act;
int err;

- bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);
act = netif_receive_generic_xdp(pskb, &xdp, xdp_prog);
if (act != XDP_PASS) {
switch (act) {
@@ -5147,13 +5144,11 @@ int do_xdp_generic(struct bpf_prog *xdp_prog, struct sk_buff **pskb)
generic_xdp_tx(*pskb, xdp_prog);
break;
}
- bpf_net_ctx_clear(bpf_net_ctx);
return XDP_DROP;
}
}
return XDP_PASS;
out_redir:
- bpf_net_ctx_clear(bpf_net_ctx);
kfree_skb_reason(*pskb, SKB_DROP_REASON_XDP);
return XDP_DROP;
}

@@ -5475,10 +5470,13 @@ static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc,

if (static_branch_unlikely(&generic_xdp_needed_key)) {
int ret2;
+ struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;

migrate_disable();
+ bpf_net_context = bpf_net_ctx_set(&__bpf_net_ctx);
ret2 = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog),
&skb);
+ bpf_net_ctx_clear(bpf_net_ctx);
migrate_enable();

if (ret2 != XDP_PASS) {
--

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/core/dev.c:5476:17: error: 'bpf_net_context' undeclared (first use in this function)

Tested on:

commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=be4129de17851dbe

dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=11ad573d980000

[Jeongjun Park]

+ bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+446233...@syzkaller.appspotmail.com
Tested-by: syzbot+446233...@syzkaller.appspotmail.com

Tested on:

commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=146f5203980000
kernel config: https://syzkaller.appspot.com/x/.config?x=47beaba1a1054668

dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=122626e6980000

[Jeongjun Park]

In the previous commit, bpf_net_context handling was added to
tun_sendmsg() and do_xdp_generic(), but if you write code like this,
bpf_net_context overlaps in the call trace below, causing various
memory corruptions.

<Call trace>
...
tun_sendmsg() // bpf_net_ctx_set()
tun_xdp_one()
do_xdp_generic() // bpf_net_ctx_set() <-- nested
...

This patch removes the bpf_net_context handling that exists in
do_xdp_generic() and modifies it to handle it in the parent function.

Reported-by: syzbot+446233...@syzkaller.appspotmail.com
Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
Signed-off-by: Jeongjun Park <aha3...@gmail.com>

[Willem de Bruijn]

Jeongjun Park wrote:
> In the previous commit, bpf_net_context handling was added to
> tun_sendmsg() and do_xdp_generic(), but if you write code like this,
> bpf_net_context overlaps in the call trace below, causing various
> memory corruptions.

I'm no expert on this code, but commit 401cb7dae813 that introduced
bpf_net_ctx_set explicitly states that nested calls are allowed.

And the function does imply that:

static inline struct bpf_net_context *bpf_net_ctx_set(struct bpf_net_context *bpf_net_ctx)
{
struct task_struct *tsk = current;

if (tsk->bpf_net_context != NULL)
return NULL;
bpf_net_ctx->ri.kern_flags = 0;

tsk->bpf_net_context = bpf_net_ctx;
return bpf_net_ctx;

}



> <Call trace>
> ...
> tun_sendmsg() // bpf_net_ctx_set()
> tun_xdp_one()
> do_xdp_generic() // bpf_net_ctx_set() <-- nested
> ...
>
> This patch removes the bpf_net_context handling that exists in
> do_xdp_generic() and modifies it to handle it in the parent function.

Is tun_xdp_one missing? That also calls do_xdp_generic.

[Jeongjun Park]

Willem de Bruijn wrote:
> I'm no expert on this code, but commit 401cb7dae813 that introduced
> bpf_net_ctx_set explicitly states that nested calls are allowed.
>
> And the function does imply that:
>
> static inline struct bpf_net_context *bpf_net_ctx_set(struct bpf_net_context *bpf_net_ctx)
> {
> struct task_struct *tsk = current;
>
> if (tsk->bpf_net_context != NULL)
> return NULL;
> bpf_net_ctx->ri.kern_flags = 0;
>
> tsk->bpf_net_context = bpf_net_ctx;
> return bpf_net_ctx;
> }

I'm not an expert on this code either. As you said, there is a
possibility that the bug is not caused by overlapping calls, but various
memory corruptions are occurring due to the handling of bpf_net_context
in do_xdp_generic. Therefore, it is appropriate to modify it to handle
it in the parent function rather than in do_xdp_generic.

> Is tun_xdp_one missing? That also calls do_xdp_generic.

This is no problem since tun_xdp_one is only called from tun_sendmsg
and tun_sendmsg already does the bpf_net_context handling.

Regards,
Jeongjun Park.

[Paolo Abeni]

On 7/25/24 04:43, Willem de Bruijn wrote:
> Jeongjun Park wrote:
>> In the previous commit, bpf_net_context handling was added to
>> tun_sendmsg() and do_xdp_generic(), but if you write code like this,
>> bpf_net_context overlaps in the call trace below, causing various
>> memory corruptions.
>
> I'm no expert on this code, but commit 401cb7dae813 that introduced
> bpf_net_ctx_set explicitly states that nested calls are allowed.
>
> And the function does imply that:
>
> static inline struct bpf_net_context *bpf_net_ctx_set(struct bpf_net_context *bpf_net_ctx)
> {
> struct task_struct *tsk = current;
>
> if (tsk->bpf_net_context != NULL)
> return NULL;
> bpf_net_ctx->ri.kern_flags = 0;
>
> tsk->bpf_net_context = bpf_net_ctx;
> return bpf_net_ctx;
> }

I agree with Willem, the ctx nesting looks legit generally speaking.
@Jeongjun: you need to track down more accurately the issue root cause
and include such info into the commit message.

Skimming over the code I *think* do_xdp_generic() is not cleaning the
nested context in all the paths before return and that could cause the
reported issue.

Thanks,

Paolo

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---

net/core/dev.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/core/dev.c b/net/core/dev.c
index 6ea1d20676fb..a741000c81d8 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5150,6 +5150,8 @@ int do_xdp_generic(struct bpf_prog *xdp_prog, struct sk_buff **pskb)
bpf_net_ctx_clear(bpf_net_ctx);
return XDP_DROP;
}
+
+ bpf_net_ctx_clear(bpf_net_ctx);
}
return XDP_PASS;
out_redir:
--

[Jeongjun Park]

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+446233...@syzkaller.appspotmail.com
Tested-by: syzbot+446233...@syzkaller.appspotmail.com

Tested on:

commit: c33ffdb7 Merge tag 'phy-for-6.11' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c4d29d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=582add3de1ac8f6

dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=12337145980000

[Jeongjun Park]

Thanks to your comment, I re-read the code and found the root cause.
I will send a patch for that bug.

Regards,
Jeongjun Park

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+446233...@syzkaller.appspotmail.com
Tested-by: syzbot+446233...@syzkaller.appspotmail.com

Tested on:

commit: c33ffdb7 Merge tag 'phy-for-6.11' of git://git.kernel...
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=108cff95980000

kernel config: https://syzkaller.appspot.com/x/.config?x=582add3de1ac8f6
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1462adad980000

[Jeongjun Park]

There are cases where do_xdp_generic returns bpf_net_context without
clearing it. This causes various memory corruptions, so the missing
bpf_net_ctx_clear must be added.

Reported-by: syzbot+446233...@syzkaller.appspotmail.com
Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
Signed-off-by: Jeongjun Park <aha3...@gmail.com>
---

net/core/dev.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/core/dev.c b/net/core/dev.c
index 6ea1d20676fb..751d9b70e6ad 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5150,6 +5150,7 @@ int do_xdp_generic(struct bpf_prog *xdp_prog, struct sk_buff **pskb)

[Jason Wang]

On Fri, Jul 26, 2024 at 5:41 AM Jeongjun Park <aha3...@gmail.com> wrote:
>
> There are cases where do_xdp_generic returns bpf_net_context without
> clearing it. This causes various memory corruptions, so the missing
> bpf_net_ctx_clear must be added.
>
> Reported-by: syzbot+446233...@syzkaller.appspotmail.com
> Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> Signed-off-by: Jeongjun Park <aha3...@gmail.com>

Acked-by: Jason Wang <jaso...@redhat.com>

(Looks like the do_xdp_generic() needs some tweak for example we can
merge the two paths for XDP_DROP at least).

Thanks

[Willem de Bruijn]

On Thu, Jul 25, 2024 at 10:21 PM Jason Wang <jaso...@redhat.com> wrote:
>
> On Fri, Jul 26, 2024 at 5:41 AM Jeongjun Park <aha3...@gmail.com> wrote:
> >
> > There are cases where do_xdp_generic returns bpf_net_context without
> > clearing it. This causes various memory corruptions, so the missing
> > bpf_net_ctx_clear must be added.
> >
> > Reported-by: syzbot+446233...@syzkaller.appspotmail.com
> > Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> > Signed-off-by: Jeongjun Park <aha3...@gmail.com>
>
> Acked-by: Jason Wang <jaso...@redhat.com>

Reviewed-by: Willem de Bruijn <wil...@google.com>

[Jakub Kicinski]

On Fri, 26 Jul 2024 06:40:49 +0900 Jeongjun Park wrote:
> There are cases where do_xdp_generic returns bpf_net_context without
> clearing it. This causes various memory corruptions, so the missing
> bpf_net_ctx_clear must be added.
>
> Reported-by: syzbot+446233...@syzkaller.appspotmail.com
> Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> Signed-off-by: Jeongjun Park <aha3...@gmail.com>

Also likely:

Reported-by: syzbot+3c2b6d...@syzkaller.appspotmail.com
Reported-by: syzbot+707d98...@syzkaller.appspotmail.com

Right?

[Jeongjun Park]

Yes, both appear to be bugs with the same root cause.

Regards,
Jeongjun Park

[Jeongjun Park]

On Fri, 26 Jul 2024 06:40:49 +0900 Jeongjun Park wrote:

> There are cases where do_xdp_generic returns bpf_net_context without
> clearing it. This causes various memory corruptions, so the missing
> bpf_net_ctx_clear must be added.
>
> Reported-by: syzbot+446233...@syzkaller.appspotmail.com
> Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> Signed-off-by: Jeongjun Park <aha3...@gmail.com>

Reported-by: syzbot+c22675...@syzkaller.appspotmail.com
Reported-by: syzbot+61a1cf...@syzkaller.appspotmail.com
Reported-by: syzbot+709e4c...@syzkaller.appspotmail.com

After searching, I found reports with the same root cause, so I added
them.

[patchwork-b...@kernel.org]

Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <da...@davemloft.net>:

On Fri, 26 Jul 2024 06:40:49 +0900 you wrote:
> There are cases where do_xdp_generic returns bpf_net_context without
> clearing it. This causes various memory corruptions, so the missing
> bpf_net_ctx_clear must be added.
>
> Reported-by: syzbot+446233...@syzkaller.appspotmail.com
> Fixes: fecef4cd42c6 ("tun: Assign missing bpf_net_context.")
> Signed-off-by: Jeongjun Park <aha3...@gmail.com>
>

> [...]

Here is the summary with links:
- [net] tun: Add missing bpf_net_ctx_clear() in do_xdp_generic()
https://git.kernel.org/netdev/net/c/9da49aa80d68

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html