* Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
       [not found] <20210902005238.2413-1-hdanton@sina.com>
@ 2021-09-02  2:32 ` syzbot
       [not found]   ` <20210902041238.2559-1-hdanton@sina.com>
  0 siblings, 1 reply; 10+ messages in thread
From: syzbot @ 2021-09-02  2:32 UTC (permalink / raw)
  To: bjorn.andersson, dan.carpenter, eric.dumazet, hdanton,
	linux-kernel, manivannan.sadhasivam, netdev, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: object-size-mismatch in send4

================================================================================
UBSAN: object-size-mismatch in ./include/net/flow.h:197:33
member access within address 000000001597b753 with insufficient space
for an object of type 'struct flowi'
CPU: 1 PID: 231 Comm: kworker/u4:4 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x15e/0x1d3 lib/dump_stack.c:105
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:229 [inline]
 ubsan_type_mismatch_common+0x1de/0x390 lib/ubsan.c:242
 __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:271
 flowi4_to_flowi_common include/net/flow.h:197 [inline]
 send4+0x39b/0xdd0 drivers/net/wireguard/socket.c:52
 wg_socket_send_skb_to_peer+0xc7/0x200 drivers/net/wireguard/socket.c:174
 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
 wg_packet_handshake_send_worker+0x14a/0x190 drivers/net/wireguard/send.c:51
 process_one_work+0x471/0x840 kernel/workqueue.c:2276
 worker_thread+0x686/0x9e0 kernel/workqueue.c:2422
 kthread+0x3ca/0x3f0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/net/flow.h:197:33
member access within address 000000001597b753 with insufficient space
for an object of type 'union (anonymous union at ./include/net/flow.h:172:2)'
CPU: 1 PID: 231 Comm: kworker/u4:4 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x15e/0x1d3 lib/dump_stack.c:105
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:229 [inline]
 ubsan_type_mismatch_common+0x1de/0x390 lib/ubsan.c:242
 __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:271
 flowi4_to_flowi_common include/net/flow.h:197 [inline]
 send4+0x3aa/0xdd0 drivers/net/wireguard/socket.c:52
 wg_socket_send_skb_to_peer+0xc7/0x200 drivers/net/wireguard/socket.c:174
 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
 wg_packet_handshake_send_worker+0x14a/0x190 drivers/net/wireguard/send.c:51
 process_one_work+0x471/0x840 kernel/workqueue.c:2276
 worker_thread+0x686/0x9e0 kernel/workqueue.c:2422
 kthread+0x3ca/0x3f0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
================================================================================


Tested on:

commit:         b91db6a0 Merge tag 'for-5.15/io_uring-vfs-2021-08-30' ..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11740133300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7d1b73d0f1d597e4
dashboard link: https://syzkaller.appspot.com/bug?extid=c613e88b3093ebf3686e
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13a44435300000



* Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
       [not found]   ` <20210902041238.2559-1-hdanton@sina.com>
@ 2021-09-02 13:58     ` Paul Moore
  2021-09-03  2:40       ` Paul Moore
  0 siblings, 1 reply; 10+ messages in thread
From: Paul Moore @ 2021-09-02 13:58 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, bjorn.andersson, dan.carpenter, eric.dumazet,
	linux-kernel, manivannan.sadhasivam, netdev, syzkaller-bugs

On Thu, Sep 2, 2021 at 12:13 AM Hillf Danton <hdanton@sina.com> wrote:
> On Wed, 01 Sep 2021 19:32:06 -0700
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > UBSAN: object-size-mismatch in send4
> >
> > ================================================================================
> > UBSAN: object-size-mismatch in ./include/net/flow.h:197:33
> > member access within address 000000001597b753 with insufficient space
> > for an object of type 'struct flowi'
> > CPU: 1 PID: 231 Comm: kworker/u4:4 Not tainted 5.14.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:88 [inline]
> >  dump_stack_lvl+0x15e/0x1d3 lib/dump_stack.c:105
> >  ubsan_epilogue lib/ubsan.c:148 [inline]
> >  handle_object_size_mismatch lib/ubsan.c:229 [inline]
> >  ubsan_type_mismatch_common+0x1de/0x390 lib/ubsan.c:242
> >  __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:271
> >  flowi4_to_flowi_common include/net/flow.h:197 [inline]
>
> This was added in 3df98d79215a ("lsm,selinux: pass flowi_common instead of
> flowi to the LSM hooks"), could you take a look at the UBSAN report, Paul?

Sure, although due to some flooding here at home it might take a day
(two?) before I have any real comments on this.

-- 
paul moore
www.paul-moore.com


* Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
  2021-09-02 13:58     ` Paul Moore
@ 2021-09-03  2:40       ` Paul Moore
  0 siblings, 0 replies; 10+ messages in thread
From: Paul Moore @ 2021-09-03  2:40 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, bjorn.andersson, dan.carpenter, eric.dumazet,
	linux-kernel, manivannan.sadhasivam, netdev, syzkaller-bugs

On Thu, Sep 2, 2021 at 9:58 AM Paul Moore <paul@paul-moore.com> wrote:
>
> On Thu, Sep 2, 2021 at 12:13 AM Hillf Danton <hdanton@sina.com> wrote:
> > On Wed, 01 Sep 2021 19:32:06 -0700
> > >
> > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > UBSAN: object-size-mismatch in send4
> > >
> > > ================================================================================
> > > UBSAN: object-size-mismatch in ./include/net/flow.h:197:33
> > > member access within address 000000001597b753 with insufficient space
> > > for an object of type 'struct flowi'
> > > CPU: 1 PID: 231 Comm: kworker/u4:4 Not tainted 5.14.0-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
> > > Call Trace:
> > >  __dump_stack lib/dump_stack.c:88 [inline]
> > >  dump_stack_lvl+0x15e/0x1d3 lib/dump_stack.c:105
> > >  ubsan_epilogue lib/ubsan.c:148 [inline]
> > >  handle_object_size_mismatch lib/ubsan.c:229 [inline]
> > >  ubsan_type_mismatch_common+0x1de/0x390 lib/ubsan.c:242
> > >  __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:271
> > >  flowi4_to_flowi_common include/net/flow.h:197 [inline]
> >
> > This was added in 3df98d79215a ("lsm,selinux: pass flowi_common instead of
> > flowi to the LSM hooks"), could you take a look at the UBSAN report, Paul?
>
> Sure, although due to some flooding here at home it might take a day
> (two?) before I have any real comments on this.

I'm looking quickly at this tonight after a long day so it's possible
I'm missing something, but in the original report if you look one step
before the backtrace above you see the caller is send4 in the
wireguard code, which starts off by creating its own flowi4 variable
on the stack and then eventually passing it down to
flowi4_to_flowi_common() for use as the second parameter to
security_sk_classify_flow().  Because the wireguard code only
allocates a flowi4 and not a full flowi struct it seems like this
would explain the size mismatch warning (flowi is larger than flowi4
due to the union containing flowi6 as well as flowi4).

Off the top of my head it isn't clear to me if it is considered "safe"
to allocate just a flowi4 in this way, you may need to allocate a full
flowi; if none of the netdev folks reply we could always check the
other flowi4 users in the kernel.

Depending on the above, the fix may be either to adjust send4() to use
a full flowi, or to adjust flowi4_to_flowi_common() to use the
flowi_common struct at the top of the flowi4 struct instead of first
looking for the flowi struct and going from there.

-- 
paul moore
www.paul-moore.com
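
The size mismatch described in the message above, as an added example that is not part of the original message and is not kernel code. The structs are simplified stand-ins with made-up fields, and `common_via_flowi`, `common_direct`, `send4_full_flowi` and `send4_bare_flowi4` are hypothetical names; it puts the two fixes the message suggests side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the flow key structs; the field lists are made up. */
struct flowi_common { uint32_t oif, iif, mark; };

struct flowi4 {
    struct flowi_common __fl_common;   /* common part sits at offset 0 */
    uint32_t daddr, saddr;
};

struct flowi6 {
    struct flowi_common __fl_common;
    uint8_t daddr[16], saddr[16];      /* IPv6 addresses make this the larger member */
};

struct flowi {
    union {
        struct flowi_common __fl_common;
        struct flowi4 ip4;
        struct flowi6 ip6;
    } u;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Pattern behind the report: step out to the enclosing struct flowi first,
 * then take the common member. Only valid if fl4 really lives inside a flowi;
 * on a bare flowi4 the sanitizer sees an access to an object that is too small. */
static struct flowi_common *common_via_flowi(struct flowi4 *fl4)
{
    struct flowi *fl = container_of(fl4, struct flowi, u.ip4);
    return &fl->u.__fl_common;
}

/* Alternative from the message: use the flowi_common at the top of flowi4,
 * never forming a pointer to the larger struct flowi. */
static struct flowi_common *common_direct(struct flowi4 *fl4)
{
    return &fl4->__fl_common;
}

/* Bytes by which a bare flowi4 allocation falls short of a struct flowi. */
static size_t flowi4_shortfall(void)
{
    return sizeof(struct flowi) - sizeof(struct flowi4);
}

/* Fix option 1: the caller allocates a full flowi and fills in u.ip4. */
static uint32_t send4_full_flowi(uint32_t mark)
{
    struct flowi fl;
    memset(&fl, 0, sizeof(fl));
    fl.u.ip4.__fl_common.mark = mark;
    return common_via_flowi(&fl.u.ip4)->mark;
}

/* Fix option 2: the caller keeps a bare flowi4 and the accessor stays inside it. */
static uint32_t send4_bare_flowi4(uint32_t mark)
{
    struct flowi4 fl4;
    memset(&fl4, 0, sizeof(fl4));
    fl4.__fl_common.mark = mark;
    return common_direct(&fl4)->mark;
}

int main(void)
{
    printf("flowi4=%zu flowi=%zu shortfall=%zu\n", sizeof(struct flowi4),
           sizeof(struct flowi), flowi4_shortfall());
    printf("full flowi: mark=%u, bare flowi4: mark=%u\n",
           (unsigned)send4_full_flowi(7), (unsigned)send4_bare_flowi4(9));
    return 0;
}
```

Both accessors return the same address because the common part is at offset 0; the difference is only whether a `struct flowi` pointer is formed over an allocation that is `flowi4_shortfall()` bytes too small.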


* Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
       [not found] <20210903042820.2733-1-hdanton@sina.com>
@ 2021-09-03 11:04 ` syzbot
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2021-09-03 11:04 UTC (permalink / raw)
  To: bjorn.andersson, dan.carpenter, eric.dumazet, hdanton,
	linux-kernel, manivannan.sadhasivam, netdev, paul,
	syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: object-size-mismatch in wg_xmit

================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2048:28
member access within address 0000000096a277f4 with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 3568 Comm: kworker/0:5 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x15e/0x1d3 lib/dump_stack.c:105
 ubsan_epilogue lib/ubsan.c:151 [inline]
 handle_object_size_mismatch lib/ubsan.c:232 [inline]
 ubsan_type_mismatch_common+0x1de/0x390 lib/ubsan.c:245
 __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:274
 __skb_queue_before include/linux/skbuff.h:2048 [inline]
 __skb_queue_tail include/linux/skbuff.h:2081 [inline]
 wg_xmit+0x4da/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4970 [inline]
 netdev_start_xmit+0x7b/0x140 include/linux/netdevice.h:4984
 xmit_one net/core/dev.c:3576 [inline]
 dev_hard_start_xmit+0x182/0x2e0 net/core/dev.c:3592
 __dev_queue_xmit+0x13b0/0x21a0 net/core/dev.c:4202
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc51/0x11b0 net/ipv6/ip6_output.c:126
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0x835/0xcf0 net/ipv6/ndisc.c:508
 addrconf_dad_completed+0x6c5/0xa70 net/ipv6/addrconf.c:4203
 addrconf_dad_work+0xba5/0x1510 net/ipv6/addrconf.c:3970
 process_one_work+0x4b5/0x8d0 kernel/workqueue.c:2297
 worker_thread+0x686/0x9e0 kernel/workqueue.c:2444
 kthread+0x3ca/0x3f0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1941:2
member access within address 0000000096a277f4 with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 3568 Comm: kworker/0:5 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x15e/0x1d3 lib/dump_stack.c:105
 ubsan_epilogue lib/ubsan.c:151 [inline]
 handle_object_size_mismatch lib/ubsan.c:232 [inline]
 ubsan_type_mismatch_common+0x1de/0x390 lib/ubsan.c:245
 __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:274
 __skb_insert include/linux/skbuff.h:1941 [inline]
 __skb_queue_before include/linux/skbuff.h:2048 [inline]
 __skb_queue_tail include/linux/skbuff.h:2081 [inline]
 wg_xmit+0x53c/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4970 [inline]
 netdev_start_xmit+0x7b/0x140 include/linux/netdevice.h:4984
 xmit_one net/core/dev.c:3576 [inline]
 dev_hard_start_xmit+0x182/0x2e0 net/core/dev.c:3592
 __dev_queue_xmit+0x13b0/0x21a0 net/core/dev.c:4202
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc51/0x11b0 net/ipv6/ip6_output.c:126
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0x835/0xcf0 net/ipv6/ndisc.c:508
 addrconf_dad_completed+0x6c5/0xa70 net/ipv6/addrconf.c:4203
 addrconf_dad_work+0xba5/0x1510 net/ipv6/addrconf.c:3970
 process_one_work+0x4b5/0x8d0 kernel/workqueue.c:2297
 worker_thread+0x686/0x9e0 kernel/workqueue.c:2444
 kthread+0x3ca/0x3f0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
================================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready


Tested on:

commit:         a9c9a6f7 Merge tag 'scsi-misc' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=134c5b6d300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5f845e3d82a95a0e
dashboard link: https://syzkaller.appspot.com/bug?extid=c613e88b3093ebf3686e
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14673df5300000



* Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
  2021-09-01  3:41 ` syzbot
@ 2021-09-01  4:26   ` Eric Dumazet
  0 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2021-09-01  4:26 UTC (permalink / raw)
  To: syzbot, bjorn.andersson, dan.carpenter, hdanton, linux-kernel,
	manivannan.sadhasivam, netdev, syzkaller-bugs



On 8/31/21 8:41 PM, syzbot wrote:
> Hello,
> 
> syzbot tried to test the proposed patch but the build/boot failed:
> 
> arch/x86/kernel/setup.c:916:6: error: implicit declaration of function 'acpi_mps_check' [-Werror,-Wimplicit-function-declaration]
> arch/x86/kernel/setup.c:1110:2: error: implicit declaration of function 'acpi_table_upgrade' [-Werror,-Wimplicit-function-declaration]
> arch/x86/kernel/setup.c:1112:2: error: implicit declaration of function 'acpi_boot_table_init' [-Werror,-Wimplicit-function-declaration]
> arch/x86/kernel/setup.c:1120:2: error: implicit declaration of function 'early_acpi_boot_init' [-Werror,-Wimplicit-function-declaration]
> arch/x86/kernel/setup.c:1162:2: error: implicit declaration of function 'acpi_boot_init' [-Werror,-Wimplicit-function-declaration]
> 
> 
> Tested on:
> 
> commit:         9e9fb765 Merge tag 'net-next-5.15' of git://git.kernel..
> git tree:       upstream
> dashboard link: https://syzkaller.appspot.com/bug?extid=c613e88b3093ebf3686e
> compiler:       
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1413e2f5300000
> 

Tree seems broken, no idea why the following is needed.

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 63b20536c8d236083336c2b50dc5f54225a80eab..6edec9a28293ea3241bd7842ab5555a1691e6cea 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -22,6 +22,7 @@
 #include <linux/usb/xhci-dbgp.h>
 #include <linux/static_call.h>
 #include <linux/swiotlb.h>
+#include <linux/acpi.h>
 
 #include <uapi/linux/mount.h>
 
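Review bot: the new `#include <linux/acpi.h>` after `<linux/swiotlb.h>` comes with no stated reason, and the message itself says "no idea why the following is needed". The quoted build errors are all implicit declarations of acpi_* functions in arch/x86/kernel/setup.c, so the file was presumably getting those prototypes through some other header before. Including <linux/acpi.h> directly is reasonable for a file that calls them, but the changelog should name which change in the tested tree dropped the indirect include, so that this does not paper over a header regression affecting other files as well.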


* Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
       [not found] <20210901030636.2336-1-hdanton@sina.com>
@ 2021-09-01  3:41 ` syzbot
  2021-09-01  4:26   ` Eric Dumazet
  0 siblings, 1 reply; 10+ messages in thread
From: syzbot @ 2021-09-01  3:41 UTC (permalink / raw)
  To: bjorn.andersson, dan.carpenter, hdanton, linux-kernel,
	manivannan.sadhasivam, netdev, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

arch/x86/kernel/setup.c:916:6: error: implicit declaration of function 'acpi_mps_check' [-Werror,-Wimplicit-function-declaration]
arch/x86/kernel/setup.c:1110:2: error: implicit declaration of function 'acpi_table_upgrade' [-Werror,-Wimplicit-function-declaration]
arch/x86/kernel/setup.c:1112:2: error: implicit declaration of function 'acpi_boot_table_init' [-Werror,-Wimplicit-function-declaration]
arch/x86/kernel/setup.c:1120:2: error: implicit declaration of function 'early_acpi_boot_init' [-Werror,-Wimplicit-function-declaration]
arch/x86/kernel/setup.c:1162:2: error: implicit declaration of function 'acpi_boot_init' [-Werror,-Wimplicit-function-declaration]


Tested on:

commit:         9e9fb765 Merge tag 'net-next-5.15' of git://git.kernel..
git tree:       upstream
dashboard link: https://syzkaller.appspot.com/bug?extid=c613e88b3093ebf3686e
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1413e2f5300000



* Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
  2021-08-28 18:32   ` syzbot
@ 2021-08-30  8:39     ` Dmitry Vyukov via Linux-kernel-mentees
  -1 siblings, 0 replies; 10+ messages in thread
From: Dmitry Vyukov @ 2021-08-30  8:39 UTC (permalink / raw)
  To: syzbot
  Cc: anant.thazhemadam, bjorn.andersson, butterflyhuangxx, davem,
	dragonjetli, hdanton, kuba, linux-arm-msm, linux-kernel-mentees,
	linux-kernel, mani, manivannan.sadhasivam, masahiroy, netdev,
	syzkaller-bugs

On Sat, 28 Aug 2021 at 20:32, syzbot
<syzbot+c613e88b3093ebf3686e@syzkaller.appspotmail.com> wrote:
>
> syzbot suspects this issue was fixed by commit:
>
> commit 7e78c597c3ebfd0cb329aa09a838734147e4f117
> Author: Xiaolong Huang <butterflyhuangxx@gmail.com>
> Date:   Thu Aug 19 19:50:34 2021 +0000
>
>     net: qrtr: fix another OOB Read in qrtr_endpoint_post
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11279a4d300000
> start commit:   ba4f184e126b Linux 5.9-rc6
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=af502ec9a451c9fc
> dashboard link: https://syzkaller.appspot.com/bug?extid=c613e88b3093ebf3686e
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12263dd9900000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d77603900000
>
> If the result looks correct, please mark the issue as fixed by replying with:
>
> #syz fix: net: qrtr: fix another OOB Read in qrtr_endpoint_post
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hi Hillf,

You posted some patch related to refcounts. Do you think "net: qrtr:
fix another OOB Read in qrtr_endpoint_post" is a plausible fix? Or is
there still something wrong with refcounts?


* Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
  2020-09-07 21:18 syzbot
@ 2021-08-28 18:32   ` syzbot
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2021-08-28 18:32 UTC (permalink / raw)
  To: anant.thazhemadam, bjorn.andersson, butterflyhuangxx, davem,
	dragonjetli, hdanton, kuba, linux-arm-msm, linux-kernel-mentees,
	linux-kernel, mani, manivannan.sadhasivam, masahiroy, netdev,
	syzkaller-bugs

syzbot suspects this issue was fixed by commit:

commit 7e78c597c3ebfd0cb329aa09a838734147e4f117
Author: Xiaolong Huang <butterflyhuangxx@gmail.com>
Date:   Thu Aug 19 19:50:34 2021 +0000

    net: qrtr: fix another OOB Read in qrtr_endpoint_post

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11279a4d300000
start commit:   ba4f184e126b Linux 5.9-rc6
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=af502ec9a451c9fc
dashboard link: https://syzkaller.appspot.com/bug?extid=c613e88b3093ebf3686e
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12263dd9900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d77603900000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: net: qrtr: fix another OOB Read in qrtr_endpoint_post

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
