From: Toke Høiland-Jørgensen
To: John Fastabend, syzbot, andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net, haoluo@google.com, hawk@kernel.org, john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org, kuba@kernel.org, linux-kernel@vger.kernel.org, martin.lau@linux.dev, netdev@vger.kernel.org, sdf@google.com, song@kernel.org, syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in dev_map_hash_update_elem
In-Reply-To: <65dd075bc6cbd_20e0a20892@john.notmuch>
References: <000000000000ed666a0611af6818@google.com> <0000000000001d1939061240cbd7@google.com> <65dd075bc6cbd_20e0a20892@john.notmuch>
Date: Tue, 27 Feb 2024 14:50:10 +0100
Message-ID: <87msrmdnjh.fsf@toke.dk>
X-Mailing-List: linux-kernel@vger.kernel.org

John Fastabend writes:

> syzbot wrote:
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit:    70ff1fe626a1 Merge tag 'docs-6.8-fixes3' of git://git.lwn...
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1762045c180000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=4cf52b43f46d820d
>> dashboard link: https://syzkaller.appspot.com/bug?extid=8cd36f6b65f3cafd400a
>> compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>> userspace arch: arm
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=110cf122180000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=142f6d8c180000
>>
>> Downloadable assets:
>> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-70ff1fe6.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/bc398db9fd8c/vmlinux-70ff1fe6.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/6d3f8b72a671/zImage-70ff1fe6.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+8cd36f6b65f3cafd400a@syzkaller.appspotmail.com
>>
>
> I'll take a look this week if no one beats me to it. Looks like there is
> a reproducer so should be able to sort it out.

Took a look at the reproducer. Looks like it's creating the map with
max_entries=0x80000202, which means the rounding up of the number of hash
buckets overflows, and somehow the overflow check (for 0) is not working
on a 32-bit machine? I guess because the roundup_power_of_two() ends up
doing a (1UL << 32), which is undefined behaviour when an unsigned long is
four bytes.

I'll send a patch to check the value before the rounding up instead of
after.

-Toke
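The overflow described in the message above, as an added example that is not part of the thread and not the kernel's devmap code: a 32-bit model of the kernel's roundup_pow_of_two() (which evaluates to 1UL << fls_long(n - 1)) is fed max_entries = 0x80000202. Because C does not define a shift by 32 or more of a 32-bit unsigned long, the example never executes that shift; it models two plausible target behaviours explicitly (the shift count wrapping modulo 32, and the shift saturating to zero) and shows that a "result == 0" check after rounding only catches the overflow under one of them, while a bound check before rounding catches it under both. The function names, the two shift models and the assumption that a zero max_entries has already been rejected before this point are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit model: 1-based index of the highest set bit, 0 for x == 0
 * (same contract as the kernel's fls()). */
static unsigned fls32(uint32_t x)
{
    unsigned r = 0;
    while (x) {
        r++;
        x >>= 1;
    }
    return r;
}

/* What "1UL << count" does for count >= 32 on a 32-bit target is undefined
 * in C. Two behaviours a real machine might exhibit are modelled explicitly
 * so this example contains no undefined shift itself. */
enum shift_model {
    SHIFT_MASKS_COUNT,        /* shift count taken modulo 32: 1 << 32 == 1 */
    SHIFT_SATURATES_TO_ZERO   /* shifting all bits out yields 0 */
};

static uint32_t shl32(uint32_t v, unsigned count, enum shift_model m)
{
    if (count < 32)
        return v << count;
    return m == SHIFT_MASKS_COUNT ? v << (count & 31) : 0;
}

/* 32-bit model of roundup_pow_of_two(n) == 1UL << fls_long(n - 1). */
static uint32_t roundup_pow_of_two_32(uint32_t n, enum shift_model m)
{
    return shl32(1, fls32(n - 1), m);
}

/* Check after rounding: rely on the rounded value collapsing to 0 when the
 * next power of two does not fit in 32 bits. Only works if the target
 * happens to behave like SHIFT_SATURATES_TO_ZERO. */
static bool n_buckets_ok_check_after(uint32_t max_entries, enum shift_model m,
                                     uint32_t *n_buckets)
{
    *n_buckets = roundup_pow_of_two_32(max_entries, m);
    return *n_buckets != 0; /* overflow check */
}

/* Check before rounding: the largest power of two representable in 32 bits
 * is 1 << 31, so any larger max_entries cannot be rounded up at all.
 * max_entries == 0 is assumed to have been rejected earlier (assumption). */
static bool n_buckets_ok_check_before(uint32_t max_entries, enum shift_model m,
                                      uint32_t *n_buckets)
{
    if (max_entries == 0 || max_entries > (UINT32_C(1) << 31)) {
        *n_buckets = 0;
        return false;
    }
    *n_buckets = roundup_pow_of_two_32(max_entries, m);
    return true;
}

int main(void)
{
    const uint32_t inputs[] = { 1000, UINT32_C(0x80000000), UINT32_C(0x80000202) };
    const enum shift_model models[] = { SHIFT_MASKS_COUNT, SHIFT_SATURATES_TO_ZERO };
    const char *model_names[] = { "count masked", "saturates to 0" };

    for (unsigned mi = 0; mi < 2; mi++) {
        for (unsigned i = 0; i < 3; i++) {
            uint32_t after, before;
            bool ok_after = n_buckets_ok_check_after(inputs[i], models[mi], &after);
            bool ok_before = n_buckets_ok_check_before(inputs[i], models[mi], &before);
            printf("%-15s max_entries=0x%08x  check-after: %s (n_buckets=0x%08x)"
                   "  check-before: %s\n",
                   model_names[mi], inputs[i],
                   ok_after ? "accept" : "reject", after,
                   ok_before ? "accept" : "reject");
        }
    }
    return 0;
}
```

With the count-masking model, 0x80000202 rounds to a single bucket and the check-after test accepts it; only the check-before test rejects it under both models.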