From: Eric Dumazet
Date: Thu, 12 May 2022 14:19:51 -0700
Subject: Re: [syzbot] UBSAN: shift-out-of-bounds in tcf_pedit_init
To: syzbot
Cc: David Miller, Jamal Hadi Salim, Jiri Pirko, Jakub Kicinski, LKML, netdev, Paolo Abeni, syzkaller-bugs, Cong Wang
In-Reply-To: <0000000000005f1a8805ded719cc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 12, 2022 at 2:18 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    810c2f0a3f86 mlxsw: Avoid warning during ip6gre device rem..
> git tree:       net
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1448a599f00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=331feb185f8828e0
> dashboard link: https://syzkaller.appspot.com/bug?extid=8ed8fc4c57e9dcf23ca6
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=104e9749f00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15f913b9f00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com
>
> netlink: 28 bytes leftover after parsing attributes in process `syz-executor151'.
> netlink: 28 bytes leftover after parsing attributes in process `syz-executor151'.
> ================================================================================
> UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43
> shift exponent 1400735974 is too large for 32-bit type 'unsigned int'
> CPU: 0 PID: 3606 Comm: syz-executor151 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
>  ubsan_epilogue+0xb/0x50 lib/ubsan.c:151
>  __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322
>  tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238
>  tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367
>  tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432
>  tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956
>  tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015
>  rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993
>  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
>  netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
>  netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
>  netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921
>  sock_sendmsg_nosec net/socket.c:705 [inline]
>  sock_sendmsg+0xcf/0x120 net/socket.c:725
>  ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413
>  ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
>  __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7fe36e9e1b59
> Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffef796fe88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe36e9e1b59
> RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
> RBP: 00007fe36e9a5d00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe36e9a5d90
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
>
> ================================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches

As mentioned earlier, this came with

commit 8b796475fd7882663a870456466a4fb315cc1bd6
Author: Paolo Abeni
Date:   Tue May 10 16:57:34 2022 +0200

    net/sched: act_pedit: really ensure the skb is writable