From: Vlad Buslov
To: Cong Wang
CC: syzbot, David Miller, Jamal Hadi Salim, Jiri Pirko, Jakub Kicinski, LKML, Linux Kernel Network Developers, syzkaller-bugs
Subject: Re: KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
Date: Tue, 16 Feb 2021 18:12:29 +0200
References: <0000000000005243f805b05abc7c@google.com> <00000000000008f12905bb0923e0@google.com>
List: linux-kernel@vger.kernel.org

On Tue 16 Feb 2021 at 01:22, Cong Wang wrote:
> On Wed, Feb 10, 2021 at 9:53 PM syzbot wrote:
>>
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit:    291009f6 Merge tag 'pm-5.11-rc8' of git://git.kernel.org/p..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14470d18d00000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=a53fd47f16f22f8c
>> dashboard link: https://syzkaller.appspot.com/bug?extid=151e3e714d34ae4ce7e8
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15f45814d00000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15f4aff8d00000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+151e3e714d34ae4ce7e8@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
>> BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
>> BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:178 [inline]
>> BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
>> Read of size 4 at addr 0000000000000010 by task kworker/u4:5/204
>>
>> CPU: 0 PID: 204 Comm: kworker/u4:5 Not tainted 5.11.0-rc7-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Workqueue: netns cleanup_net
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:79 [inline]
>>  dump_stack+0x107/0x163 lib/dump_stack.c:120
>>  __kasan_report mm/kasan/report.c:400 [inline]
>>  kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413
>>  check_memory_region_inline mm/kasan/generic.c:179 [inline]
>>  check_memory_region+0x13d/0x180 mm/kasan/generic.c:185
>>  instrument_atomic_read include/linux/instrumented.h:71 [inline]
>>  atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
>>  __tcf_idr_release net/sched/act_api.c:178 [inline]
>>  tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598
>>  tc_action_net_exit include/net/act_api.h:151 [inline]
>>  police_exit_net+0x168/0x360 net/sched/act_police.c:390
>
> This is really strange. It seems we still left some -EBUSY placeholders
> in the idr; however, we actually call tcf_action_destroy() to clean up
> everything, including the -EBUSY ones, on the error path.
>
> What do you think, Vlad?
>
> Thanks.

Hi Cong,

I couldn't reproduce the issue with the syzbot repro.c, but it looks like
we are missing tcf_idr_insert_many() in the exts->police handling code
inside tcf_exts_validate(), which calls tcf_action_init_1(). After recent
changes the action is no longer inserted in the idr by init_1 and requires
a manual call to tcf_idr_insert_many(). I'll send a fix.

Regards,
Vlad
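A constructed userspace model of the lifecycle the two replies describe, added here and not code from the thread or from the kernel: an index is reserved with an -EBUSY placeholder, tcf_action_init_1() builds the action without publishing it, and tcf_idrinfo_destroy() at netns exit walks every non-NULL entry. The kernel function names are used as labels only; the fixed-size table, the struct layout and the destroy routine that counts leftover placeholders instead of dereferencing them are assumptions of the model.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed userspace model of the act_api idr lifecycle from the thread
 * (not kernel code); names mirror the kernel functions they stand in for. */
#define MAX_ACTIONS 8
#define EBUSY 16
#define ERR_PTR(err) ((void *)(intptr_t)(-(err)))
#define IS_ERR(ptr)  ((uintptr_t)(ptr) >= (uintptr_t)-4095)
struct tc_action { unsigned int tcfa_index; int tcfa_refcnt; };
/* idrinfo->action_idr: NULL = free slot, ERR_PTR(-EBUSY) = reserved slot. */
static struct tc_action *action_idr[MAX_ACTIONS];

/* tcf_idr_check_alloc(): reserve an index with an -EBUSY placeholder. */
static int idr_check_alloc(unsigned int index)
{
	if (index >= MAX_ACTIONS || action_idr[index])
		return -EBUSY;
	action_idr[index] = ERR_PTR(EBUSY);
	return 0;
}

/* Police path of tcf_exts_validate(): tcf_action_init_1() now only builds
 * the action, so the caller must publish it; publish == 0 models the bug. */
static struct tc_action *exts_validate_police(unsigned int index, int publish)
{
	struct tc_action *a;
	if (idr_check_alloc(index) || !(a = calloc(1, sizeof(*a))))
		return NULL;
	a->tcfa_index = index;
	a->tcfa_refcnt = 1;
	if (publish)			/* tcf_idr_insert_many(): the call the */
		action_idr[index] = a;	/* thread says is missing */
	return a;
}

/* tcf_idrinfo_destroy() at netns exit: the kernel read p->tcfa_refcnt of
 * every non-NULL entry, so a leftover placeholder is the bad read in the
 * KASAN report. This model counts leftovers instead of dereferencing them. */
static int idrinfo_destroy(void)
{
	int leftover = 0;
	for (unsigned int i = 0; i < MAX_ACTIONS; i++) {
		struct tc_action *p = action_idr[i];
		if (!p) continue;
		if (IS_ERR(p))
			leftover++;
		else
			free(p);
		action_idr[i] = NULL;
	}
	return leftover;
}
```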