References: <000000000000a96c0b05e97f0444@google.com>
From: Eric Dumazet
Date: Sun, 25 Sep 2022 09:28:53 -0700
Subject: Re: [syzbot] WARNING in u32_change
To: Jamal Hadi Salim
Cc: syzbot, David Miller, Jiri Pirko, Jakub Kicinski, LKML, netdev, Paolo Abeni, syzkaller-bugs, Cong Wang, Kees Cook
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Sep 25, 2022 at 9:14 AM Jamal Hadi Salim wrote:
>
> On Sun, Sep 25, 2022 at 11:38 AM Jamal Hadi Salim wrote:
> >
> > Is there a way to tell the boat "looking into it?"
> >
> I guess I have to swim across to it to get the message;->
>
> I couldn't see the warning message but it is obvious by inspection that
> the memcpy is broken. We should add more test coverage.
> This should fix it. Will send a formal patch later:
>
> diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> index 4d27300c2..591cbbf27 100644
> --- a/net/sched/cls_u32.c
> +++ b/net/sched/cls_u32.c
> @@ -1019,7 +1019,7 @@ static int u32_change(struct net *net, struct
> sk_buff *in_skb,
> }
>
> s = nla_data(tb[TCA_U32_SEL]);
> - sel_size = struct_size(s, keys, s->nkeys);
> + sel_size = struct_size(s, keys, s->nkeys) + sizeof(n->sel);
> if (nla_len(tb[TCA_U32_SEL]) < sel_size) {
> err = -EINVAL;
> goto erridr;

This patch is not needed, please look at struct_size() definition.

Here, we might switch to unsafe_memcpy() instead of memcpy()
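Review bot: the `+ sizeof(n->sel)` added to sel_size double-counts the selector header. struct_size(s, keys, s->nkeys) already evaluates to the fixed part of struct tc_u32_sel plus nkeys entries of keys[], so the patched sel_size overstates the required attribute length by sizeof(n->sel), and the unchanged `if (nla_len(tb[TCA_U32_SEL]) < sel_size)` that follows would reject every correctly sized TCA_U32_SEL attribute with -EINVAL. The length validation is not what the warning is about; as the reply says, the memcpy into n->sel is the place to look, for instance by switching it to unsafe_memcpy() (which takes a justification string explaining why the copy intentionally spans past the destination member). Drop this hunk.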
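To make the struct_size() point in the reply concrete, an added example (not code from the thread, from the quoted patch, or from the kernel tree) that reimplements the struct_size() arithmetic over a constructed, simplified stand-in for the selector struct and runs the u32_change() length check with and without the proposed `+ sizeof(n->sel)`:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the kernel's tc_u32_key/tc_u32_sel:
 * fewer fields than the real UAPI structs, same shape (fixed header followed
 * by a flexible array of nkeys keys). */
struct tc_u32_key { uint32_t mask, val; int off, offmask; };

struct tc_u32_sel {
	unsigned char flags, offshift, nkeys;
	uint16_t off;
	struct tc_u32_key keys[];	/* nkeys entries follow the header */
};

/* Same arithmetic as the kernel's struct_size() (include/linux/overflow.h):
 * offset of the flexible array plus count elements, i.e. the header is
 * already included. The real macro's overflow checks are omitted. */
#define struct_size(p, member, count) \
	(offsetof(__typeof__(*(p)), member) + (size_t)(count) * sizeof((p)->member[0]))

/* Attribute length a well-formed sender puts in TCA_U32_SEL for nkeys keys. */
size_t exact_attr_len(unsigned nkeys)
{
	return offsetof(struct tc_u32_sel, keys) + nkeys * sizeof(struct tc_u32_key);
}

/* The u32_change() length check from the thread; with_patch=1 applies the
 * proposed "+ sizeof(n->sel)". Returns 0 if accepted, -22 (-EINVAL) if not. */
int check_sel_len(size_t nla_len, unsigned nkeys, int with_patch)
{
	struct tc_u32_sel *s = NULL;	/* used for its type only, never dereferenced */
	size_t sel_size = struct_size(s, keys, nkeys);

	if (with_patch)
		sel_size += sizeof(struct tc_u32_sel);	/* counts the header a second time */
	return nla_len < sel_size ? -22 : 0;
}

int main(void)
{
	/* Exactly sized selector with two keys: accepted by the current check,
	 * rejected once the header is counted twice. A short one is still caught. */
	printf("exact, current: %d\n", check_sel_len(exact_attr_len(2), 2, 0));
	printf("exact, patched: %d\n", check_sel_len(exact_attr_len(2), 2, 1));
	printf("short, current: %d\n", check_sel_len(exact_attr_len(2) - 1, 2, 0));
	return 0;
}
```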