[syzbot] linux-next test error: general protection fault in xfrm_policy_lookup_bytype

[syzbot] linux-next test error: general protection fault in xfrm_policy_lookup_bytype

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    e4cd8d3ff7f9 Add linux-next specific files for 20221121
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1472370d880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a0ebedc6917bacc1
dashboard link: https://syzkaller.appspot.com/bug?extid=bfb2bee01b9c01fff864
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b59eb967701d/disk-e4cd8d3f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/37a7b43e6e84/vmlinux-e4cd8d3f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ebfb0438e6a2/bzImage-e4cd8d3f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bfb2bee01b9c01fff864@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 0 PID: 5295 Comm: kworker/0:3 Not tainted 6.1.0-rc5-next-20221121-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:xfrm_policy_lookup_bytype.cold+0x1c/0x54 net/xfrm/xfrm_policy.c:2139
Code: 80 44 28 8e e8 9a 88 37 fa e9 28 e7 7b fe e8 c0 25 7a f7 49 8d bf cc 00 00 00 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1c 41
RSP: 0018:ffffc90003cdf1e0 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000019 RSI: ffffffff8a068150 RDI: 00000000000000cc
RBP: 0000000000000000 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000000
R13: ffff88802ae78000 R14: ffffed10055cf2ff R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb5cb893300 CR3: 00000000714fb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 xfrm_policy_lookup net/xfrm/xfrm_policy.c:2151 [inline]
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2958 [inline]
 xfrm_lookup_with_ifid+0x39b/0x20f0 net/xfrm/xfrm_policy.c:3099
 xfrmi_xmit2 net/xfrm/xfrm_interface.c:404 [inline]
 xfrmi_xmit+0x3c7/0x1b90 net/xfrm/xfrm_interface.c:521
 __netdev_start_xmit include/linux/netdevice.h:4859 [inline]
 netdev_start_xmit include/linux/netdevice.h:4873 [inline]
 xmit_one net/core/dev.c:3583 [inline]
 dev_hard_start_xmit+0x1c2/0x990 net/core/dev.c:3599
 __dev_queue_xmit+0x2cdf/0x3ba0 net/core/dev.c:4249
 dev_queue_xmit include/linux/netdevice.h:3029 [inline]
 neigh_connected_output+0x3c4/0x520 net/core/neighbour.c:1600
 neigh_output include/net/neighbour.h:546 [inline]
 ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
 __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
 ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ndisc_send_skb+0xa63/0x1740 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x132/0x6f0 net/ipv6/ndisc.c:718
 addrconf_dad_completed+0x37a/0xda0 net/ipv6/addrconf.c:4248
 addrconf_dad_begin net/ipv6/addrconf.c:4014 [inline]
 addrconf_dad_work+0x820/0x12d0 net/ipv6/addrconf.c:4116
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:xfrm_policy_lookup_bytype.cold+0x1c/0x54 net/xfrm/xfrm_policy.c:2139
Code: 80 44 28 8e e8 9a 88 37 fa e9 28 e7 7b fe e8 c0 25 7a f7 49 8d bf cc 00 00 00 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1c 41
RSP: 0018:ffffc90003cdf1e0 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000019 RSI: ffffffff8a068150 RDI: 00000000000000cc
RBP: 0000000000000000 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000000
R13: ffff88802ae78000 R14: ffffed10055cf2ff R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb5cb893300 CR3: 00000000714fb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	44 28 8e e8 9a 88 37 	sub    %r9b,0x37889ae8(%rsi)
   7:	fa                   	cli
   8:	e9 28 e7 7b fe       	jmpq   0xfe7be735
   d:	e8 c0 25 7a f7       	callq  0xf77a25d2
  12:	49 8d bf cc 00 00 00 	lea    0xcc(%r15),%rdi
  19:	b8 ff ff 37 00       	mov    $0x37ffff,%eax
  1e:	48 89 fa             	mov    %rdi,%rdx
  21:	48 c1 e0 2a          	shl    $0x2a,%rax
  25:	48 c1 ea 03          	shr    $0x3,%rdx
* 29:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2d:	48 89 f8             	mov    %rdi,%rax
  30:	83 e0 07             	and    $0x7,%eax
  33:	83 c0 03             	add    $0x3,%eax
  36:	38 d0                	cmp    %dl,%al
  38:	7c 04                	jl     0x3e
  3a:	84 d2                	test   %dl,%dl
  3c:	75 1c                	jne    0x5a
  3e:	41                   	rex.B


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Re: [syzbot] linux-next test error: general protection fault in xfrm_policy_lookup_bytype

[Sabrina Dubroca]

2022-11-21, 05:47:38 -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    e4cd8d3ff7f9 Add linux-next specific files for 20221121
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1472370d880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a0ebedc6917bacc1
> dashboard link: https://syzkaller.appspot.com/bug?extid=bfb2bee01b9c01fff864
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/b59eb967701d/disk-e4cd8d3f.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/37a7b43e6e84/vmlinux-e4cd8d3f.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ebfb0438e6a2/bzImage-e4cd8d3f.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+bfb2bee01b9c01fff864@syzkaller.appspotmail.com
> 
> general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
> CPU: 0 PID: 5295 Comm: kworker/0:3 Not tainted 6.1.0-rc5-next-20221121-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
> Workqueue: ipv6_addrconf addrconf_dad_work
> RIP: 0010:xfrm_policy_lookup_bytype.cold+0x1c/0x54 net/xfrm/xfrm_policy.c:2139

That's the printk at the end of the function, when
xfrm_policy_lookup_bytype returns NULL. It seems to have snuck into
commit c39f95aaf6d1 ("xfrm: Fix oops in __xfrm_state_delete()"), we
can just remove it:

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 3a203c59a11b..e392d8d05e0c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2135,9 +2135,6 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
 fail:
 	rcu_read_unlock();
 
-	if (!IS_ERR(ret))
-		printk("xfrm_policy_lookup_bytype: policy if_id %d, wanted if_id  %d\n", ret->if_id, if_id);
-
 	return ret;
 }
 


> Code: 80 44 28 8e e8 9a 88 37 fa e9 28 e7 7b fe e8 c0 25 7a f7 49 8d bf cc 00 00 00 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1c 41
> RSP: 0018:ffffc90003cdf1e0 EFLAGS: 00010203
> RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
> RDX: 0000000000000019 RSI: ffffffff8a068150 RDI: 00000000000000cc
> RBP: 0000000000000000 R08: 0000000000000007 R09: fffffffffffff000
> R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000000
> R13: ffff88802ae78000 R14: ffffed10055cf2ff R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fb5cb893300 CR3: 00000000714fb000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  xfrm_policy_lookup net/xfrm/xfrm_policy.c:2151 [inline]
>  xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2958 [inline]
>  xfrm_lookup_with_ifid+0x39b/0x20f0 net/xfrm/xfrm_policy.c:3099
>  xfrmi_xmit2 net/xfrm/xfrm_interface.c:404 [inline]
>  xfrmi_xmit+0x3c7/0x1b90 net/xfrm/xfrm_interface.c:521
>  __netdev_start_xmit include/linux/netdevice.h:4859 [inline]
>  netdev_start_xmit include/linux/netdevice.h:4873 [inline]
>  xmit_one net/core/dev.c:3583 [inline]
>  dev_hard_start_xmit+0x1c2/0x990 net/core/dev.c:3599
>  __dev_queue_xmit+0x2cdf/0x3ba0 net/core/dev.c:4249
>  dev_queue_xmit include/linux/netdevice.h:3029 [inline]
>  neigh_connected_output+0x3c4/0x520 net/core/neighbour.c:1600
>  neigh_output include/net/neighbour.h:546 [inline]
>  ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
>  __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
>  ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
>  NF_HOOK_COND include/linux/netfilter.h:291 [inline]
>  ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
>  dst_output include/net/dst.h:444 [inline]
>  NF_HOOK include/linux/netfilter.h:302 [inline]
>  ndisc_send_skb+0xa63/0x1740 net/ipv6/ndisc.c:508
>  ndisc_send_rs+0x132/0x6f0 net/ipv6/ndisc.c:718
>  addrconf_dad_completed+0x37a/0xda0 net/ipv6/addrconf.c:4248
>  addrconf_dad_begin net/ipv6/addrconf.c:4014 [inline]
>  addrconf_dad_work+0x820/0x12d0 net/ipv6/addrconf.c:4116
>  process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
>  worker_thread+0x669/0x1090 kernel/workqueue.c:2436
>  kthread+0x2e8/0x3a0 kernel/kthread.c:376
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
>  </TASK>

-- 
Sabrina

Re: [syzbot] linux-next test error: general protection fault in xfrm_policy_lookup_bytype

[Steffen Klassert]

On Mon, Nov 21, 2022 at 04:07:26PM +0100, Sabrina Dubroca wrote:
> 2022-11-21, 05:47:38 -0800, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    e4cd8d3ff7f9 Add linux-next specific files for 20221121
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1472370d880000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=a0ebedc6917bacc1
> > dashboard link: https://syzkaller.appspot.com/bug?extid=bfb2bee01b9c01fff864
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > 
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/b59eb967701d/disk-e4cd8d3f.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/37a7b43e6e84/vmlinux-e4cd8d3f.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/ebfb0438e6a2/bzImage-e4cd8d3f.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+bfb2bee01b9c01fff864@syzkaller.appspotmail.com
> > 
> > general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
> > CPU: 0 PID: 5295 Comm: kworker/0:3 Not tainted 6.1.0-rc5-next-20221121-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
> > Workqueue: ipv6_addrconf addrconf_dad_work
> > RIP: 0010:xfrm_policy_lookup_bytype.cold+0x1c/0x54 net/xfrm/xfrm_policy.c:2139
> 
> That's the printk at the end of the function, when
> xfrm_policy_lookup_bytype returns NULL. It seems to have snuck into
> commit c39f95aaf6d1 ("xfrm: Fix oops in __xfrm_state_delete()"), we
> can just remove it:
> 
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> index 3a203c59a11b..e392d8d05e0c 100644
> --- a/net/xfrm/xfrm_policy.c
> +++ b/net/xfrm/xfrm_policy.c
> @@ -2135,9 +2135,6 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
>  fail:
>  	rcu_read_unlock();
>  
> -	if (!IS_ERR(ret))
> -		printk("xfrm_policy_lookup_bytype: policy if_id %d, wanted if_id  %d\n", ret->if_id, if_id);
> -
>  	return ret;

Hm, this was not in the original patch. Maybe my tree was not
clean when I applied it. Do you want to send a patch, or should
I just remove it?

Re: [syzbot] linux-next test error: general protection fault in xfrm_policy_lookup_bytype

[Sabrina Dubroca]

2022-11-21, 18:15:13 +0100, Steffen Klassert wrote:
> On Mon, Nov 21, 2022 at 04:07:26PM +0100, Sabrina Dubroca wrote:
> > 2022-11-21, 05:47:38 -0800, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following issue on:
> > > 
> > > HEAD commit:    e4cd8d3ff7f9 Add linux-next specific files for 20221121
> > > git tree:       linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1472370d880000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a0ebedc6917bacc1
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=bfb2bee01b9c01fff864
> > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > 
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/b59eb967701d/disk-e4cd8d3f.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/37a7b43e6e84/vmlinux-e4cd8d3f.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/ebfb0438e6a2/bzImage-e4cd8d3f.xz
> > > 
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+bfb2bee01b9c01fff864@syzkaller.appspotmail.com
> > > 
> > > general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
> > > KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
> > > CPU: 0 PID: 5295 Comm: kworker/0:3 Not tainted 6.1.0-rc5-next-20221121-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
> > > Workqueue: ipv6_addrconf addrconf_dad_work
> > > RIP: 0010:xfrm_policy_lookup_bytype.cold+0x1c/0x54 net/xfrm/xfrm_policy.c:2139
> > 
> > That's the printk at the end of the function, when
> > xfrm_policy_lookup_bytype returns NULL. It seems to have snuck into
> > commit c39f95aaf6d1 ("xfrm: Fix oops in __xfrm_state_delete()"), we
> > can just remove it:
> > 
> > diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> > index 3a203c59a11b..e392d8d05e0c 100644
> > --- a/net/xfrm/xfrm_policy.c
> > +++ b/net/xfrm/xfrm_policy.c
> > @@ -2135,9 +2135,6 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
> >  fail:
> >  	rcu_read_unlock();
> >  
> > -	if (!IS_ERR(ret))
> > -		printk("xfrm_policy_lookup_bytype: policy if_id %d, wanted if_id  %d\n", ret->if_id, if_id);
> > -
> >  	return ret;
> 
> Hm, this was not in the original patch. Maybe my tree was not
> clean when I applied it. Do you want to send a patch, or should
> I just remove it?

Go ahead, I guess it's more convenient for you.

-- 
Sabrina

Re: [syzbot] linux-next test error: general protection fault in xfrm_policy_lookup_bytype

[Steffen Klassert]

On Mon, Nov 21, 2022 at 10:41:57PM +0100, Sabrina Dubroca wrote:
> 2022-11-21, 18:15:13 +0100, Steffen Klassert wrote:
> > On Mon, Nov 21, 2022 at 04:07:26PM +0100, Sabrina Dubroca wrote:
> > > 2022-11-21, 05:47:38 -0800, syzbot wrote:
> > > > Hello,
> > > > 
> > > > syzbot found the following issue on:
> > > > 
> > > > HEAD commit:    e4cd8d3ff7f9 Add linux-next specific files for 20221121
> > > > git tree:       linux-next
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1472370d880000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a0ebedc6917bacc1
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=bfb2bee01b9c01fff864
> > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > > 
> > > > Downloadable assets:
> > > > disk image: https://storage.googleapis.com/syzbot-assets/b59eb967701d/disk-e4cd8d3f.raw.xz
> > > > vmlinux: https://storage.googleapis.com/syzbot-assets/37a7b43e6e84/vmlinux-e4cd8d3f.xz
> > > > kernel image: https://storage.googleapis.com/syzbot-assets/ebfb0438e6a2/bzImage-e4cd8d3f.xz
> > > > 
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+bfb2bee01b9c01fff864@syzkaller.appspotmail.com
> > > > 
> > > > general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
> > > > KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
> > > > CPU: 0 PID: 5295 Comm: kworker/0:3 Not tainted 6.1.0-rc5-next-20221121-syzkaller #0
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
> > > > Workqueue: ipv6_addrconf addrconf_dad_work
> > > > RIP: 0010:xfrm_policy_lookup_bytype.cold+0x1c/0x54 net/xfrm/xfrm_policy.c:2139
> > > 
> > > That's the printk at the end of the function, when
> > > xfrm_policy_lookup_bytype returns NULL. It seems to have snuck into
> > > commit c39f95aaf6d1 ("xfrm: Fix oops in __xfrm_state_delete()"), we
> > > can just remove it:
> > > 
> > > diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> > > index 3a203c59a11b..e392d8d05e0c 100644
> > > --- a/net/xfrm/xfrm_policy.c
> > > +++ b/net/xfrm/xfrm_policy.c
> > > @@ -2135,9 +2135,6 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
> > >  fail:
> > >  	rcu_read_unlock();
> > >  
> > > -	if (!IS_ERR(ret))
> > > -		printk("xfrm_policy_lookup_bytype: policy if_id %d, wanted if_id  %d\n", ret->if_id, if_id);
> > > -
> > >  	return ret;
> > 
> > Hm, this was not in the original patch. Maybe my tree was not
> > clean when I applied it. Do you want to send a patch, or should
> > I just remove it?
> 
> Go ahead, I guess it's more convenient for you.

I just did a forced push to remove that hunk.

Thanks!

Re: [syzbot] linux-next test error: general protection fault in xfrm_policy_lookup_bytype

[Dmitry Vyukov]

On Tue, 22 Nov 2022 at 07:27, Steffen Klassert
<steffen.klassert@secunet.com> wrote:
>
> On Mon, Nov 21, 2022 at 10:41:57PM +0100, Sabrina Dubroca wrote:
> > 2022-11-21, 18:15:13 +0100, Steffen Klassert wrote:
> > > On Mon, Nov 21, 2022 at 04:07:26PM +0100, Sabrina Dubroca wrote:
> > > > 2022-11-21, 05:47:38 -0800, syzbot wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit:    e4cd8d3ff7f9 Add linux-next specific files for 20221121
> > > > > git tree:       linux-next
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1472370d880000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a0ebedc6917bacc1
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=bfb2bee01b9c01fff864
> > > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > > >
> > > > > Downloadable assets:
> > > > > disk image: https://storage.googleapis.com/syzbot-assets/b59eb967701d/disk-e4cd8d3f.raw.xz
> > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/37a7b43e6e84/vmlinux-e4cd8d3f.xz
> > > > > kernel image: https://storage.googleapis.com/syzbot-assets/ebfb0438e6a2/bzImage-e4cd8d3f.xz
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+bfb2bee01b9c01fff864@syzkaller.appspotmail.com
> > > > >
> > > > > general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
> > > > > KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
> > > > > CPU: 0 PID: 5295 Comm: kworker/0:3 Not tainted 6.1.0-rc5-next-20221121-syzkaller #0
> > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
> > > > > Workqueue: ipv6_addrconf addrconf_dad_work
> > > > > RIP: 0010:xfrm_policy_lookup_bytype.cold+0x1c/0x54 net/xfrm/xfrm_policy.c:2139
> > > >
> > > > That's the printk at the end of the function, when
> > > > xfrm_policy_lookup_bytype returns NULL. It seems to have snuck into
> > > > commit c39f95aaf6d1 ("xfrm: Fix oops in __xfrm_state_delete()"), we
> > > > can just remove it:
> > > >
> > > > diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> > > > index 3a203c59a11b..e392d8d05e0c 100644
> > > > --- a/net/xfrm/xfrm_policy.c
> > > > +++ b/net/xfrm/xfrm_policy.c
> > > > @@ -2135,9 +2135,6 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
> > > >  fail:
> > > >   rcu_read_unlock();
> > > >
> > > > - if (!IS_ERR(ret))
> > > > -         printk("xfrm_policy_lookup_bytype: policy if_id %d, wanted if_id  %d\n", ret->if_id, if_id);
> > > > -
> > > >   return ret;
> > >
> > > Hm, this was not in the original patch. Maybe my tree was not
> > > clean when I applied it. Do you want to send a patch, or should
> > > I just remove it?
> >
> > Go ahead, I guess it's more convenient for you.
>
> I just did a forced push to remove that hunk.

Let's tell syzbot about the fix, so that it reports similarly looking
crashes in future:

#syz fix: xfrm: Fix oops in __xfrm_state_delete()