Date: Thu, 3 Dec 2020 18:41:16 +0100
From: Marco Elver
To: Eric Dumazet
Cc: netdev, Andrew Morton, David Miller, Dmitry Vyukov, Alexander Potapenko, Jann Horn, Jakub Kicinski, LKML, Stephen Rothwell, syzkaller-bugs, Willem de Bruijn, syzbot
Subject: Re: WARNING in sk_stream_kill_queues (5)
References: <000000000000b4862805b54ef573@google.com>
User-Agent: Mutt/2.0.2 (2020-11-20)
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 03, 2020 at 05:42PM +0100, Eric Dumazet wrote:
> On Thu, Dec 3, 2020 at 5:34 PM Marco Elver wrote:
> >
> > On Thu, 3 Dec 2020 at 17:27, Eric Dumazet wrote:
> > > On Thu, Dec 3, 2020 at 4:58 PM Marco Elver wrote:
> > > >
> > > > On Mon, Nov 30, 2020 at 12:40AM -0800, syzbot wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit:    6147c83f Add linux-next specific files for 20201126
> > > > > git tree:       linux-next
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=117c9679500000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=9b91566da897c24f
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=7b99aafdcc2eedea6178
> > > > > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103bf743500000
> > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=167c60c9500000
> > > > >
> > > > > The issue was bisected to:
> > > > >
> > > > > commit 145cd60fb481328faafba76842aa0fd242e2b163
> > > > > Author: Alexander Potapenko
> > > > > Date:   Tue Nov 24 05:38:44 2020 +0000
> > > > >
> > > > >     mm, kfence: insert KFENCE hooks for SLUB
> > > > >
> > > > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13abe5b3500000
> > > > > final oops:     https://syzkaller.appspot.com/x/report.txt?x=106be5b3500000
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=17abe5b3500000
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+7b99aafdcc2eedea6178@syzkaller.appspotmail.com
> > > > > Fixes: 145cd60fb481 ("mm, kfence: insert KFENCE hooks for SLUB")
> > > > >
> > > > > ------------[ cut here ]------------
> > > > > WARNING: CPU: 0 PID: 11307 at net/core/stream.c:207 sk_stream_kill_queues+0x3c3/0x530 net/core/stream.c:207
> > > > [...]
> > > > > Call Trace:
> > > > >  inet_csk_destroy_sock+0x1a5/0x490 net/ipv4/inet_connection_sock.c:885
> > > > >  __tcp_close+0xd3e/0x1170 net/ipv4/tcp.c:2585
> > > > >  tcp_close+0x29/0xc0 net/ipv4/tcp.c:2597
> > > > >  inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
> > > > >  __sock_release+0xcd/0x280 net/socket.c:596
> > > > >  sock_close+0x18/0x20 net/socket.c:1255
> > > > >  __fput+0x283/0x920 fs/file_table.c:280
> > > > >  task_work_run+0xdd/0x190 kernel/task_work.c:140
> > > > >  exit_task_work include/linux/task_work.h:30 [inline]
> > > > >  do_exit+0xb89/0x29e0 kernel/exit.c:823
> > > > >  do_group_exit+0x125/0x310 kernel/exit.c:920
> > > > >  get_signal+0x3ec/0x2010 kernel/signal.c:2770
> > > > >  arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
> > > > >  handle_signal_work kernel/entry/common.c:144 [inline]
> > > > >  exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
> > > > >  exit_to_user_mode_prepare+0x124/0x200 kernel/entry/common.c:198
> > > > >  syscall_exit_to_user_mode+0x36/0x260 kernel/entry/common.c:275
> > > > >  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > >
> > > > I've been debugging this and I think enabling KFENCE uncovered that some
> > > > code is assuming that the following is always true:
> > > >
> > > >         ksize(kmalloc(S)) == ksize(kmalloc(S))
> > > >
> > >
> > > I do not think we make this assumption.
> > >
> > > Each skb tracks the 'truesize' which is populated from __alloc_skb()
> > > using ksize(allocated head).
> > >
> > > So if ksize() decides to give us random data, it should still be fine,
> > > because we use ksize(buff) only once at alloc skb time, and record the
> > > value in skb->truesize
> > > (only the socket buffer accounting would be off)
> >
> > Good, thanks for clarifying. So something else must be off then.
>
> Actually we might have the following assumption:
>
> buff = kmalloc(size, GFP...)
> if (buff)
>     ASSERT(ksize(buff) >= size)
>
> So obviously ksize() should not be completely random ;)

One more experiment -- simply adding

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -207,7 +207,21 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
 	 */
 	size = SKB_DATA_ALIGN(size);
 	size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+	size = 1 << kmalloc_index(size); /* HACK */
 	data = kmalloc_reserve(size, gfp_mask, node, &pfmemalloc);

also got rid of the warnings. Something must be off with some value that
is computed in terms of ksize(). If not, I don't have any explanation for
why the above hides the problem.

Thanks,
-- Marco
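Review bot: the hunk header `@@ -207,7 +207,21 @@` announces 14 added lines, but the hunk shows a single `+` line between four context lines, so the diff as pasted will not apply with `git apply`; for one inserted line the header should read `@@ -207,7 +207,8 @@`. On the inserted line, `size = 1 << kmalloc_index(size); /* HACK */` rounds correctly only because `size` already includes `SKB_DATA_ALIGN(sizeof(struct skb_shared_info))` and therefore lies above the 96- and 192-byte kmalloc caches (present on x86-64), for which kmalloc_index() returns 1 and 2 and the shift would turn the request into 2 or 4 bytes; `kmalloc_size(kmalloc_index(size))` is the safe spelling of the same experiment. The `HACK` marker should stay, since the message itself says the line only hides the warning rather than fixing anything.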
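A constructed toy model of the two patterns discussed above, added here and not part of the thread: truesize recorded once from ksize() at alloc time (Eric's description) versus a path that assumes ksize(kmalloc(S)) is the same for every allocation of S (Marco's hypothesis). The allocator, its guard-page path and the per-socket counter are simplified stand-ins, not kernel code; the leftover the second pattern produces is the kind of nonzero queued-memory count that a close-time check such as the one in sk_stream_kill_queues is assumed to warn about.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy allocator whose ksize() is not a function of the request size alone:
 * the slab path rounds the request up to a power-of-two cache size, while a
 * guard-page path (assumed here to mimic a KFENCE-style allocator) reports the
 * exact request as usable. Which path is taken is chosen by the caller. */
struct obj { size_t request; size_t usable; };

static size_t slab_round(size_t n) { size_t s = 8; while (s < n) s <<= 1; return s; }

static struct obj toy_kmalloc(size_t n, int guarded) {
    struct obj o = { n, guarded ? n : slab_round(n) };
    return o;
}

static size_t toy_ksize(const struct obj *o) { return o->usable; }

/* Per-socket queued-memory counter: charged when a buffer is queued, uncharged
 * when it is freed; it must read zero once every buffer is gone. */
struct sock_model { long wmem_queued; };

/* Pattern Eric describes: ksize() is read once at alloc time and stored as
 * truesize; the free path uncharges the stored value, so the counter returns
 * to zero no matter which allocator path served the request. */
static long recorded_truesize(size_t n, int guarded) {
    struct sock_model sk = { 0 };
    struct obj head = toy_kmalloc(n, guarded);
    size_t truesize = toy_ksize(&head);          /* the skb->truesize analogue */
    sk.wmem_queued += truesize;
    sk.wmem_queued -= truesize;
    return sk.wmem_queued;                        /* always 0 */
}

/* Pattern Marco's hypothesis describes: the uncharge is derived from ksize() of
 * a different buffer with the same request size, on the assumption that it
 * must equal the stored truesize. It does not when the two buffers came from
 * different allocator paths, and the counter is left nonzero at close. */
static long recomputed_truesize(size_t n, int head_guarded, int other_guarded) {
    struct sock_model sk = { 0 };
    struct obj head = toy_kmalloc(n, head_guarded);
    sk.wmem_queued += toy_ksize(&head);
    struct obj other = toy_kmalloc(n, other_guarded);
    sk.wmem_queued -= toy_ksize(&other);         /* differs when paths differ */
    return sk.wmem_queued;
}

int main(void) {
    printf("recorded truesize, guarded head:   %ld\n", recorded_truesize(100, 1));
    printf("recomputed, both from slab path:   %ld\n", recomputed_truesize(100, 0, 0));
    printf("recomputed, slab head/guarded other: %ld\n", recomputed_truesize(100, 0, 1));
    return 0;
}
```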