Date: Thu, 25 Jul 2019 14:39:32 -0700
From: Jakub Kicinski
To: syzbot
Cc: ast@kernel.org, aviadye@mellanox.com, borisp@mellanox.com, bpf@vger.kernel.org, daniel@iogearbox.net, davejwatson@fb.com, davem@davemloft.net, john.fastabend@gmail.com, kafai@fb.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, songliubraving@fb.com, syzkaller-bugs@googlegroups.com, yhs@fb.com
Subject: Re: general protection fault in tls_trim_both_msgs
Message-ID: <20190725143932.78705103@cakuba.netronome.com>
In-Reply-To: <0000000000002b4896058e7abf78@google.com>
References: <0000000000002b4896058e7abf78@google.com>
Organization: Netronome Systems, Ltd.
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 24 Jul 2019 22:32:07 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    9e6dfe80 Add linux-next specific files for 20190724
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1046971fa00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=6cbb8fc2cf2842d7
> dashboard link: https://syzkaller.appspot.com/bug?extid=0e0fedcad708d12d3032
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.

Looks very much like the issue we mentioned in the cover letter for the
unhash fixes. TX is waiting for mem, the connection dies, we free ctx,
TX wakes up with a now stale ctx pointer.

I'm testing a fix for this; the Netronome team was actually able to
trigger a NULL-deref on the RX side, because there ctx is reloaded but
not NULL-checked.

> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+0e0fedcad708d12d3032@syzkaller.appspotmail.com
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 15517 Comm: syz-executor.4 Not tainted 5.3.0-rc1-next-20190724 #50
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:tls_trim_both_msgs+0x54/0x130 net/tls/tls_sw.c:268
> Code: 48 c1 ea 03 80 3c 02 00 0f 85 e3 00 00 00 4d 8b b5 b0 06 00 00 48 b8
> 00 00 00 00 00 fc ff df 49 8d 7e 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
> 85 b3 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b
> RSP: 0018:ffff8880612cfac0 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: ffff8880a8794340 RCX: ffffc9000e7b9000
> RDX: 0000000000000005 RSI: ffffffff86298656 RDI: 0000000000000028
> RBP: ffff8880612cfae0 R08: ffff88805ae4c580 R09: fffffbfff14a8155
> R10: fffffbfff14a8154 R11: ffffffff8a540aa7 R12: 0000000000000000
> R13: ffff888061d82e00 R14: 0000000000000000 R15: 00000000ffffffe0
> FS:  00007f7d33516700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2fa2f000 CR3: 000000009fcf1000 CR4: 00000000001406e0
> Call Trace:
>  tls_sw_sendmsg+0xe38/0x17b0 net/tls/tls_sw.c:1057
>  inet6_sendmsg+0x9e/0xe0 net/ipv6/af_inet6.c:576
>  sock_sendmsg_nosec net/socket.c:637 [inline]
>  sock_sendmsg+0xd7/0x130 net/socket.c:657
>  __sys_sendto+0x262/0x380 net/socket.c:1952
>  __do_sys_sendto net/socket.c:1964 [inline]
>  __se_sys_sendto net/socket.c:1960 [inline]
>  __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1960
>  do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f7d33515c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000459829
> RDX: ffffffffffffffc1 RSI: 00000000200005c0 RDI: 0000000000000003
> RBP: 000000000075bf20 R08: 0000000000000000 R09: 1201000000003618
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7d335166d4
> R13: 00000000004c7669 R14: 00000000004dcc70 R15: 00000000ffffffff
> Modules linked in:
> ---[ end trace 2dd728cceb39a185 ]---
> RIP: 0010:tls_trim_both_msgs+0x54/0x130 net/tls/tls_sw.c:268
> Code: 48 c1 ea 03 80 3c 02 00 0f 85 e3 00 00 00 4d 8b b5 b0 06 00 00 48 b8
> 00 00 00 00 00 fc ff df 49 8d 7e 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
> 85 b3 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b
> RSP: 0018:ffff8880612cfac0 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: ffff8880a8794340 RCX: ffffc9000e7b9000
> RDX: 0000000000000005 RSI: ffffffff86298656 RDI: 0000000000000028
> RBP: ffff8880612cfae0 R08: ffff88805ae4c580 R09: fffffbfff14a8155
> R10: fffffbfff14a8154 R11: ffffffff8a540aa7 R12: 0000000000000000
> R13: ffff888061d82e00 R14: 0000000000000000 R15: 00000000ffffffe0
> FS:  00007f7d33516700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000019dbe80 CR3: 000000009fcf1000 CR4: 00000000001406e0
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
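Added illustration, not code from this thread or from net/tls: a hypothetical C model of the sleep/teardown race Jakub describes, showing the stale-pointer pattern beside the reload-and-NULL-check fix. The names sock_teardown, wait_for_memory, meanwhile_fn and the two sendmsg_* functions are assumptions of the model, not kernel symbols.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified model of the race in the reply above, not kernel
 * code: teardown clears the socket's ctx pointer, so a sender that slept
 * waiting for memory must reload and NULL-check it before using it. */
struct tls_ctx { bool freed; int bytes_pending; };
struct sock { struct tls_ctx *ctx; bool mem_ok; };

/* Teardown ("the connection dies"): marks the ctx freed rather than really
 * freeing it, so a stale dereference can be observed without UB. */
static void sock_teardown(struct sock *sk)
{
	sk->ctx->freed = true;
	sk->ctx = NULL;
}

typedef void (*meanwhile_fn)(struct sock *);

/* Simulated sleep: 'meanwhile' stands for what other CPUs do while we wait. */
static void wait_for_memory(struct sock *sk, meanwhile_fn meanwhile)
{
	if (meanwhile)
		meanwhile(sk);
	sk->mem_ok = true;
}

/* Buggy pattern: ctx cached before the sleep and used afterwards. Returns
 * true if the sender touched a freed ctx (the modelled GPF). */
static bool sendmsg_stale_ctx(struct sock *sk, meanwhile_fn meanwhile)
{
	struct tls_ctx *ctx = sk->ctx;
	if (!sk->mem_ok)
		wait_for_memory(sk, meanwhile);
	return ctx->freed;	/* stale pointer: the use-after-free */
}

/* Fixed pattern: reload ctx after waking and bail out if teardown ran.
 * Returns bytes pending, or -EPIPE when the connection died meanwhile. */
static int sendmsg_reload_ctx(struct sock *sk, meanwhile_fn meanwhile)
{
	struct tls_ctx *ctx;
	if (!sk->mem_ok)
		wait_for_memory(sk, meanwhile);
	ctx = sk->ctx;		/* reload after the sleep ... */
	if (!ctx)		/* ... and NULL-check it */
		return -EPIPE;
	return ctx->bytes_pending;
}
```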