Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F507C64EC4 for ; Sat, 4 Mar 2023 15:12:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229595AbjCDPL2 (ORCPT ); Sat, 4 Mar 2023 10:11:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39712 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229509AbjCDPL2 (ORCPT ); Sat, 4 Mar 2023 10:11:28 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A7E8516321 for ; Sat, 4 Mar 2023 07:10:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1677942639; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type; bh=A1jyIshrRJXdDZu7B4588O6OdU6TI/IkIc6BCPhHzRM=; b=EqPThA/APB+yTpBIjNWtKLSFfozJye5DY9KKbx/x1BSDM0YdYZzJ5UEHOFSefohbSe4Ud6 mM2s1vtjWHhaJ8WX1lShnkdayGvMpCvRHFjAUEa+u2gp2eoDytdpbmfEfxZ8/dCokuaZiV /4UWFpmgQXnYvm++5GaRNbk7TGu4uEQ= Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com [209.85.214.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-81-m0bFtMrlPUC1LpJAeBLXdg-1; Sat, 04 Mar 2023 10:10:38 -0500 X-MC-Unique: m0bFtMrlPUC1LpJAeBLXdg-1 Received: by mail-pl1-f198.google.com with SMTP id ju20-20020a170903429400b0019ea5ea044aso1241028plb.21 for ; Sat, 04 Mar 2023 07:10:38 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677942637; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=A1jyIshrRJXdDZu7B4588O6OdU6TI/IkIc6BCPhHzRM=; b=tEzyv77lOX+8Ma8p8dzVcwKhqZcflcwABPwyCbYszYGLggNeTQwojdCGzjhA6hNIb6 3BhFsAA8ZwJ2/Nu16e2CB89LX0qc1MHlAZvlwlekNhCe4S29+vdjxnRzih2Tw8yONapG cDp3iJqcQIQ4A1TF1BUFuVMUZqiM5QymziSk3Mr0HHHgWJMIU7Hm4jDBdePNSgt3Z236 NTRbS9yhk5wDIAFxdTljwydYkb/Xs0l7hnl2f09zvs+ctOTWyFyRd+zao9FY6eWpFAyd 0EZSPqvC8RMIdugh1gIZGWdYG5aqMR1AJKPfp6VkjDeHoHjZEttf/Q5fS2oN+awN/3ry iprA== X-Gm-Message-State: AO0yUKXekBz5uMC3efabT/E6R55db7p7yC9fsbWGC3++TffUHtyVjpCG tj0EkPLNeLD7eZK442EwoC1Ay7pLxOFZi6+k8mj+U2uOgsY1ffmIp99oULPCVF7CYmGTkatgpmA cJr0plexzM+q7jGIAo/jtivkmi95ILaErNF0RQcXXEAOyZ3ZycyreNvcSUSg7a+fLvsYf54Dboh g5yWfw5bju/Zw= X-Received: by 2002:a17:90b:4f87:b0:239:e70c:b96f with SMTP id qe7-20020a17090b4f8700b00239e70cb96fmr5859441pjb.41.1677942637145; Sat, 04 Mar 2023 07:10:37 -0800 (PST) X-Google-Smtp-Source: AK7set/HFx2x1h2jknDBAjMaV30oUTG13XDTomETv77ey5GKn6JIaoZXseWVL6cjOwhDJ2HtcX1U8Q== X-Received: by 2002:a17:90b:4f87:b0:239:e70c:b96f with SMTP id qe7-20020a17090b4f8700b00239e70cb96fmr5859390pjb.41.1677942636318; Sat, 04 Mar 2023 07:10:36 -0800 (PST) Received: from kernel-devel ([240d:1a:c0d:9f00:ca6:1aff:fead:cef4]) by smtp.gmail.com with ESMTPSA id 19-20020a631253000000b004fb171df68fsm3380650pgs.7.2023.03.04.07.10.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Mar 2023 07:10:35 -0800 (PST) Date: Sun, 5 Mar 2023 00:10:31 +0900 From: Shigeru Yoshida To: linux-wireless@vger.kernel.org Cc: quic_alokad@quicinc.com, quic_msinada@quicinc.com, johannes.berg@intel.com Subject: WARNING in nla_get_range_unsigned Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Hi, Recently, when I ran syzkaller, the following warning was detected: [ 37.446619][ T8620] ------------[ cut here ]------------ [ 37.447395][ T8620] WARNING: CPU: 2 PID: 8620 at lib/nlattr.c:118 nla_get_range_unsigned+0x199/0x460 [ 37.448059][ T8620] Modules linked in: [ 37.448350][ T8620] CPU: 2 PID: 8620 Comm: repro Not tainted 6.2.0 #1 [ 37.448817][ T8620] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 [ 37.449485][ T8620] RIP: 0010:nla_get_range_unsigned+0x199/0x460 [ 37.449927][ T8620] Code: 0f 85 34 02 00 00 a9 08 00 08 00 0f 85 35 02 00 00 e8 9b 55 37 fd 0f 0b 5b 41 5c 41 5d 41 5e 5d e9 8c 55 37 fd e8 87 55 37 fd <0f> 0b e9 50 4 [ 37.451445][ T8620] RSP: 0018:ffffc900132873a0 EFLAGS: 00010293 [ 37.451883][ T8620] RAX: 0000000000000000 RBX: ffffffff8b7cff40 RCX: 0000000000000000 [ 37.452443][ T8620] RDX: ffff88801f018000 RSI: ffffffff844dde29 RDI: 0000000000000003 [ 37.452997][ T8620] RBP: ffffc900132873c0 R08: 0000000000000003 R09: 0000000000000000 [ 37.453555][ T8620] R10: 000000000000ffff R11: ffffffff8f9ebb5f R12: ffffc90013287468 [ 37.454114][ T8620] R13: ffffffff8b7cff41 R14: 000000000000ffff R15: ffff888022c24614 [ 37.454671][ T8620] FS: 00007f32f97ff600(0000) GS:ffff88802cb00000(0000) knlGS:0000000000000000 [ 37.455297][ T8620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.455764][ T8620] CR2: 00007f32f95c1585 CR3: 000000004d37e000 CR4: 0000000000750ee0 [ 37.456320][ T8620] PKRU: 55555554 [ 37.456582][ T8620] Call Trace: [ 37.456828][ T8620] [ 37.457050][ T8620] __nla_validate_parse+0x164e/0x24d0 [ 37.457461][ T8620] ? nla_get_range_signed+0x370/0x370 [ 37.457851][ T8620] ? kasan_unpoison+0x44/0x70 [ 37.458199][ T8620] __nla_parse+0x40/0x50 [ 37.458512][ T8620] genl_family_rcv_msg_attrs_parse.constprop.0+0x19e/0x280 [ 37.459025][ T8620] genl_family_rcv_msg_doit.isra.0+0xa3/0x2e0 [ 37.459461][ T8620] ? genl_start+0x650/0x650 [ 37.459790][ T8620] ? apparmor_capable+0x1da/0x4e0 [ 37.460158][ T8620] ? bpf_lsm_capable+0x9/0x10 [ 37.460500][ T8620] ? security_capable+0x92/0xc0 [ 37.460884][ T8620] ? ns_capable+0xd5/0x110 [ 37.461221][ T8620] genl_rcv_msg+0x4fe/0x7c0 [ 37.461552][ T8620] ? genl_family_rcv_msg_doit.isra.0+0x2e0/0x2e0 [ 37.462002][ T8620] ? nl80211_post_doit+0x2f0/0x2f0 [ 37.462378][ T8620] ? nl80211_assoc_bss+0x260/0x260 [ 37.462749][ T8620] ? nl80211_parse_sta_wme+0x3c0/0x3c0 [ 37.463156][ T8620] netlink_rcv_skb+0x166/0x440 [ 37.463506][ T8620] ? genl_family_rcv_msg_doit.isra.0+0x2e0/0x2e0 [ 37.463955][ T8620] ? netlink_ack+0x1370/0x1370 [ 37.464317][ T8620] genl_rcv+0x28/0x40 [ 37.464610][ T8620] netlink_unicast+0x530/0x800 [ 37.464963][ T8620] ? netlink_attachskb+0x880/0x880 [ 37.465339][ T8620] ? __sanitizer_cov_trace_switch+0x54/0x90 [ 37.465764][ T8620] ? __phys_addr_symbol+0x30/0x70 [ 37.467377][ T8620] ? __check_object_size+0x333/0x6f0 [ 37.468983][ T8620] netlink_sendmsg+0x90b/0xe10 [ 37.470566][ T8620] ? netlink_unicast+0x800/0x800 [ 37.472194][ T8620] ? bpf_lsm_socket_sendmsg+0x9/0x10 [ 37.473787][ T8620] ? netlink_unicast+0x800/0x800 [ 37.475357][ T8620] sock_sendmsg+0xd9/0x180 [ 37.476862][ T8620] ____sys_sendmsg+0x66d/0x910 [ 37.478373][ T8620] ? kernel_sendmsg+0x50/0x50 [ 37.479854][ T8620] ? __copy_msghdr+0x460/0x460 [ 37.481366][ T8620] ? find_held_lock+0x2d/0x110 [ 37.482806][ T8620] ___sys_sendmsg+0x11d/0x1b0 [ 37.484179][ T8620] ? do_recvmmsg+0x700/0x700 [ 37.485476][ T8620] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 37.486756][ T8620] ? file_tty_write.constprop.0+0x619/0x9f0 [ 37.488014][ T8620] ? n_tty_close+0x1f0/0x1f0 [ 37.489163][ T8620] ? find_held_lock+0x2d/0x110 [ 37.490296][ T8620] ? __fget_light+0x205/0x270 [ 37.491424][ T8620] __sys_sendmsg+0xfa/0x1d0 [ 37.492506][ T8620] ? __sys_sendmsg_sock+0x30/0x30 [ 37.493572][ T8620] ? __audit_syscall_entry+0x396/0x500 [ 37.494639][ T8620] do_syscall_64+0x38/0xb0 [ 37.495634][ T8620] entry_SYSCALL_64_after_hwframe+0x63/0xcd I investigated this issue and found that the issue relates to the following commit: d7c1a9a0ed18 wifi: nl80211: validate and configure puncturing bitmap This commit sets the maximum value of nla_policy for NL80211_ATTR_PUNCT_BITMAP to 0xffff as below: diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index c82c66c32faa..683adeb3c9e3 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -805,6 +805,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { [NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN), [NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG }, [NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT }, + [NL80211_ATTR_PUNCT_BITMAP] = NLA_POLICY_RANGE(NLA_U8, 0, 0xffff), }; This triggers the warning in nla_get_range_unsigned() below as 0xffff is interpreted to -1: void nla_get_range_unsigned(const struct nla_policy *pt, struct netlink_range_validation *range) { WARN_ON_ONCE(pt->validation_type != NLA_VALIDATE_RANGE_PTR && (pt->min < 0 || pt->max < 0)); I also noticed that checking the value to 0xffff is a bit different in the following original patch: https://lore.kernel.org/all/20230131001227.25014-3-quic_alokad@quicinc.com/ So, I tried to modify the code like below, then the issue disappeared: diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 112b4bb009c8..066061fbeeb3 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -805,7 +805,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { [NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN), [NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG }, [NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT }, - [NL80211_ATTR_PUNCT_BITMAP] = NLA_POLICY_RANGE(NLA_U8, 0, 0xffff), + [NL80211_ATTR_PUNCT_BITMAP] = { .type = NLA_U32 }, }; /* policy for the key attributes */ @@ -3183,9 +3183,15 @@ static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev, const struct cfg80211_chan_def *chandef, u16 *punct_bitmap) { + u32 bitmap; + if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT)) return -EINVAL; + bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]); + if (bitmap & 0xFFFF0000) + return -EINVAL; + *punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]); if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef)) return -EINVAL; Is there any special reason to move checking the value to 0xffff in nla_policy? Otherwise, is this a bug of the warning in nla_get_range_unsigned()? Thanks, Shigeru