From: Eric Dumazet
Date: Thu, 22 Feb 2024 09:14:15 +0100
Subject: Re: [syzbot] [net?] WARNING in mpls_gso_segment
To: Florian Westphal
Cc: syzbot, davem@davemloft.net, dsahern@kernel.org, horms@kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, syzkaller-bugs@googlegroups.com

On Wed, Feb 21, 2024 at 2:15 PM Florian Westphal wrote:
>
> syzbot wrote:
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1536462c180000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/adbf5d8e38d7/disk-49344462.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/0f8e3fb78410/vmlinux-49344462.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/682f4814bf23/bzImage-49344462.xz
> >
> > The issue was bisected to:
> >
> > commit 219eee9c0d16f1b754a8b85275854ab17df0850a
> > Author: Florian Westphal
> > Date: Fri Feb 16 11:36:57 2024 +0000
> >
> > net: skbuff: add overflow debug check to pull/push helpers
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13262752180000
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=10a62752180000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17262752180000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+99d15fcdb0132a1e1a82@syzkaller.appspotmail.com
> > Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
> >
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 pskb_may_pull_reason include/linux/skbuff.h:2723 [inline]
> > WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 pskb_may_pull include/linux/skbuff.h:2739 [inline]
> > WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 mpls_gso_segment+0x773/0xaa0 net/mpls/mpls_gso.c:34
>
> Two possible solutions:
>
> 1.)
>
> diff --git a/net/mpls/mpls_gso.c b/net/mpls/mpls_gso.c
> index 533d082f0701..43801b78dd64 100644
> --- a/net/mpls/mpls_gso.c
> +++ b/net/mpls/mpls_gso.c
> @@ -25,12 +25,13 @@ static struct sk_buff *mpls_gso_segment(struct sk_buff *skb,
> netdev_features_t mpls_features;
> u16 mac_len = skb->mac_len;
> __be16 mpls_protocol;
> - unsigned int mpls_hlen;
> + int mpls_hlen;
>
> skb_reset_network_header(skb);
> mpls_hlen = skb_inner_network_header(skb) - skb_network_header(skb);
> - if (unlikely(!mpls_hlen || mpls_hlen % MPLS_HLEN))
> + if (unlikely(mpls_hlen <= 0 || mpls_hlen % MPLS_HLEN))
> goto out;
> +
> if (unlikely(!pskb_may_pull(skb, mpls_hlen)))
> goto out;

I guess we should try this, or perhaps understand why skb->encapsulation
might not be set, or why skb_inner_network_header(skb) is not set at this point.

>
> (or a variation thereof).
>
> 2) revert the pskb_may_pull_reason change added in 219eee9c0d16f1b754a8 to
> make it tolerant to "negative" (huge) may-pull requests again.
>
> With above repro, skb_inner_network_header() yields 0, skb_network_header()
> returns 108, so we "pskb_may_pull(skb, -108)))" which now triggers
> DEBUG_NET_WARN_ON_ONCE() check.
>
> Before blamed commit, this would make pskb_may_pull hit:
>
>     if (unlikely(len > skb->len))
>         return SKB_DROP_REASON_PKT_TOO_SMALL;
>
> and mpls_gso_segment takes the 'goto out' label.
>
> So question is really if we should fix this in mpls_gso (and possible others
> that try to pull negative numbers...) or if we should legalize this, either by
> adding explicit if (unlikely(len > INT_MAX)) test to pskb_may_pull_reason or
> by adding a comment that negative 'len' numbers are expected to be caught by
> the check vs. skb->len.
>
> Opinions?

Let's live without 2) for a while, try to fix callers ?
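
Review bot: in the quoted net/mpls/mpls_gso.c hunk, the new "mpls_hlen <= 0" test is the only hint at why mpls_hlen became signed, and nothing in the code says so; a short comment above it noting that skb_inner_network_header() can be unset (0 in the repro, against a network header at 108), which makes the difference negative, would keep a later cleanup from turning the variable back into unsigned int. mpls_hlen is still passed to pskb_may_pull() right after, so the sign check has to stay ahead of that call. The lone "+" blank line added after the first "goto out;" is an unrelated whitespace change and can be dropped from the fix.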
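
The arithmetic discussed in the thread, as a user-space model added here (not kernel code and not part of the original mail): it shows why the old unsigned check lets the -108 case through to pskb_may_pull() and why the signed check in solution 1 stops it. The function names, the enum and the packet length of 200 are assumptions made for the illustration; MPLS_HLEN is 4 as in the kernel.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define MPLS_HLEN 4 /* bytes per MPLS label stack entry */

enum outcome { SEGMENT, OUT_EARLY, OUT_TOO_SMALL, DEBUG_WARN };

/* Model of pskb_may_pull(skb, len); its len parameter is unsigned.
 * debug_check mimics the DEBUG_NET_WARN_ON_ONCE() added by 219eee9c0d16
 * (the real macro warns and continues; the model reports it and stops). */
static enum outcome model_may_pull(unsigned int skb_len, unsigned int len,
                                   bool debug_check)
{
    if (debug_check && len > (unsigned int)INT_MAX)
        return DEBUG_WARN;
    if (len > skb_len)
        return OUT_TOO_SMALL;   /* SKB_DROP_REASON_PKT_TOO_SMALL, 'goto out' */
    return SEGMENT;
}

/* Caller before the proposed patch: mpls_hlen is unsigned, so -108 wraps to
 * 4294967188, which is non-zero and a multiple of 4: both tests pass. */
static enum outcome old_caller(unsigned int skb_len, long inner_off,
                               long net_off, bool debug_check)
{
    unsigned int mpls_hlen = (unsigned int)(inner_off - net_off);

    if (!mpls_hlen || mpls_hlen % MPLS_HLEN)
        return OUT_EARLY;
    return model_may_pull(skb_len, mpls_hlen, debug_check);
}

/* Caller with solution 1: mpls_hlen is signed and checked with <= 0. */
static enum outcome new_caller(unsigned int skb_len, long inner_off,
                               long net_off, bool debug_check)
{
    int mpls_hlen = (int)(inner_off - net_off);

    if (mpls_hlen <= 0 || mpls_hlen % MPLS_HLEN)
        return OUT_EARLY;
    return model_may_pull(skb_len, (unsigned int)mpls_hlen, debug_check);
}

int main(void)
{
    /* Offsets from the mail: inner header 0, network header 108.
     * skb_len = 200 is a constructed value. */
    printf("old caller, before 219eee9c0d16: %d\n", old_caller(200, 0, 108, false));
    printf("old caller, after 219eee9c0d16:  %d\n", old_caller(200, 0, 108, true));
    printf("solution 1 caller:               %d\n", new_caller(200, 0, 108, true));
    return 0;
}
```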