Date: Tue, 16 Feb 2021 18:01:44 +0000
From: Catalin Marinas
To: "Jason A. Donenfeld"
Cc: Netdev, syzbot, Mark Brown, Kees Cook, linux-arm-kernel, LKML, Mark Rutland, mbenes@suse.cz, syzkaller-bugs, Will Deacon, Ard Biesheuvel
Subject: Re: KASAN: invalid-access Write in enqueue_timer
Message-ID: <20210216180143.GB14978@arm.com>
References: <0000000000000be4d705bb68dfa7@google.com> <20210216172817.GA14978@arm.com>
List: linux-kernel@vger.kernel.org

On Tue, Feb 16, 2021 at 06:50:20PM +0100, Jason A. Donenfeld wrote:
> On Tue, Feb 16, 2021 at 6:46 PM Jason A. Donenfeld wrote:
> > On Tue, Feb 16, 2021 at 6:28 PM Catalin Marinas wrote:
> > > > hlist_add_head include/linux/list.h:883 [inline]
> > > > enqueue_timer+0x18/0xc0 kernel/time/timer.c:581
> > > > mod_timer+0x14/0x20 kernel/time/timer.c:1106
> > > > mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
> > > > wg_timers_any_authenticated_packet_traversal+0x68/0x90 drivers/net/wireguard/timers.c:215
> >
> > The line of hlist_add_head that it's hitting is:
> >
> > static inline void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
> > {
> >         struct hlist_node *first = h->first;
> >         WRITE_ONCE(n->next, first);
> >         if (first)
> >
> > So that means it's the dereferencing of h that's a problem. That comes from:
> >
> > static void enqueue_timer(struct timer_base *base, struct timer_list *timer,
> >                           unsigned int idx, unsigned long bucket_expiry)
> > {
> >
> >         hlist_add_head(&timer->entry, base->vectors + idx);
> >
> > That means it concerns base->vectors + idx, not the timer_list object
> > that wireguard manages. That's confusing. Could that imply that the
> > bug is in freeing a previous timer without removing it from the timer
> > lists, so that it winds up being in base->vectors?

Good point, it's indeed likely that the timer list is messed up already,
just an unlucky encounter in the wireguard code.

> Digging around on syzkaller, it looks like there's a similar bug on
> jbd2, concerning iptunnels's allocation:
>
> https://syzkaller.appspot.com/text?tag=CrashReport&x=13afb19cd00000
[...]
> It might not actually be a wireguard bug?

I wonder whether syzbot reported similar issues with CONFIG_KASAN_SW_TAGS.
It shouldn't be that different from the HW_TAGS but at least we can rule
out qemu bugs with the MTE emulation.

-- 
Catalin
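A user-space model of the hazard Jason raises (a timer freed while still linked into a base->vectors bucket, so the next hlist_add_head walks a stale node) together with the pprev back-pointer walk a debug build would use to flag it. This is an added example, not code from the thread or the kernel tree; struct timer, struct timer_base and NBUCKETS are stand-ins for the kernel's timer_list/timer_base, and "freeing" is modelled by poisoning the object in place so the walk stays in mapped memory.

```c
#include <string.h>

/* Minimal copy of the kernel's intrusive hlist: pprev points at the slot
 * (head->first or previous node's next) that holds this node. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first)
        first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

static void hlist_del(struct hlist_node *n)   /* unlink, like hlist_del_init */
{
    struct hlist_node *next = n->next, **pprev = n->pprev;
    *pprev = next;
    if (next)
        next->pprev = pprev;
    n->next = NULL; n->pprev = NULL;
}

/* Stand-ins for timer_list and timer_base (assumed names, not the kernel's). */
#define NBUCKETS 4
struct timer { long expires; struct hlist_node entry; };
struct timer_base { struct hlist_head vectors[NBUCKETS]; };

/* Walk one bucket and return the 0-based position of the first node whose
 * pprev does not point back at the slot we reached it from, or -1 if the
 * bucket is consistent. A suspect node's next is never followed, so a
 * poisoned (freed) node is reported instead of dereferenced. */
static int hlist_check_bucket(struct hlist_head *h)
{
    struct hlist_node **slot = &h->first, *n;
    int i = 0;
    for (n = h->first; n; n = n->next, i++) {
        if (n->pprev != slot)
            return i;
        slot = &n->next;
    }
    return -1;
}

/* Enqueue two timers in bucket 2, then "free" timer a (poison it in place,
 * standing in for kfree plus slab poisoning). Returns the number of
 * inconsistent buckets: 1 when a was freed while still linked, 0 when it
 * was unlinked first. */
static int scenario(int del_before_free)
{
    struct timer_base base; struct timer a, b;
    memset(&base, 0, sizeof base);
    hlist_add_head(&b.entry, &base.vectors[2]);
    hlist_add_head(&a.entry, &base.vectors[2]);   /* bucket 2: a -> b */
    if (del_before_free)
        hlist_del(&a.entry);
    memset(&a, 0xa5, sizeof a);                   /* object gone, bucket may still point at it */
    int idx, bad = 0;
    for (idx = 0; idx < NBUCKETS; idx++)
        if (hlist_check_bucket(&base.vectors[idx]) >= 0)
            bad++;
    return bad;
}
```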