From patchwork Tue Mar 4 07:31:37 2025
X-Patchwork-Submitter: ffhgfv <744439878@qq.com>
X-Patchwork-Id: 14000081
From: ffhgfv <744439878@qq.com>
To: wenjia, jaka, alibuda, tonylu, guwen, davem, edumazet, kuba, pabeni, horms, linux-rdma, linux-s390, netdev, linux-kernel
Subject: kernel bug found and suggestions for fixing it
X-Mailing-List: netdev@vger.kernel.org
Date: Tue, 4 Mar 2025 02:31:37 -0500

Hello,

I found a bug titled "KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock" with a modified syzkaller in the latest upstream, related to the bcachefs file system.
If you fix this issue, please add the following tag to the commit:
Reported-by: Jianzhou Zhao, xingwei lee, Zhizhuo Tang

------------[ cut here ]------------
TITLE: KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: null-ptr-deref in smc_tcp_syn_recv_sock+0xa7/0x4c0 net/smc/af_smc.c:131
Read of size 4 at addr 0000000000000a04 by task syz.7.21/12319

CPU: 1 UID: 0 PID: 12319 Comm: syz.7.21 Not tainted 6.14.0-rc5-dirty #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 kasan_report+0xbd/0xf0 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xf4/0x1a0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 smc_tcp_syn_recv_sock+0xa7/0x4c0 net/smc/af_smc.c:131
 tcp_check_req+0x5e4/0x1a90 net/ipv4/tcp_minisocks.c:861
 tcp_v4_rcv+0x1753/0x44e0 net/ipv4/tcp_ipv4.c:2274
 ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x320/0x570 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_local_deliver+0x19a/0x200 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:469 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_rcv+0x2be/0x5d0 net/ipv4/ip_input.c:567
 __netif_receive_skb_one_core+0x19b/0x1f0 net/core/dev.c:5893
 __netif_receive_skb+0x1d/0x170 net/core/dev.c:6006
 process_backlog+0x319/0x1460 net/core/dev.c:6354
 __napi_poll.constprop.0+0xb6/0x540 net/core/dev.c:7188
 napi_poll net/core/dev.c:7257 [inline]
 net_rx_action+0x9d2/0xe30 net/core/dev.c:7379
 handle_softirqs+0x1d1/0x870 kernel/softirq.c:561
 do_softirq kernel/softirq.c:462 [inline]
 do_softirq+0xac/0xe0 kernel/softirq.c:449
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:389
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x1b7a/0x4120 net/core/dev.c:4676
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xc1c/0x1f10 net/ipv4/ip_output.c:236
 __ip_finish_output net/ipv4/ip_output.c:314 [inline]
 __ip_finish_output+0x442/0x940 net/ipv4/ip_output.c:296
 ip_finish_output+0x35/0x380 net/ipv4/ip_output.c:324
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x146/0x2b0 net/ipv4/ip_output.c:434
 dst_output include/net/dst.h:459 [inline]
 ip_local_out net/ipv4/ip_output.c:130 [inline]
 __ip_queue_xmit+0x19ee/0x21f0 net/ipv4/ip_output.c:528
 __tcp_transmit_skb+0x2a55/0x3e70 net/ipv4/tcp_output.c:1471
 __tcp_send_ack.part.0+0x39c/0x720 net/ipv4/tcp_output.c:4275
 __tcp_send_ack net/ipv4/tcp_output.c:4281 [inline]
 tcp_send_ack+0x81/0xa0 net/ipv4/tcp_output.c:4281
 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6600 [inline]
 tcp_rcv_state_process+0x40e2/0x4c80 net/ipv4/tcp_input.c:6794
 tcp_v4_do_rcv+0x1a8/0xa70 net/ipv4/tcp_ipv4.c:1941
 sk_backlog_rcv include/net/sock.h:1122 [inline]
 __release_sock+0x31d/0x400 net/core/sock.c:3123
 release_sock+0x5a/0x220 net/core/sock.c:3677
 tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1359
 inet_sendmsg+0xb9/0x150 net/ipv4/af_inet.c:851
 smc_sendmsg+0x22a/0x530 net/smc/af_smc.c:2796
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:733 [inline]
 ____sys_sendmsg+0xab8/0xc70 net/socket.c:2573
 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2627
 __sys_sendmsg+0x151/0x200 net/socket.c:2659
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f36ef9a962d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f36f08c5f98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f36efbc5f80 RCX: 00007f36ef9a962d
RDX: 0000000024040049 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 00007f36efa4e373 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f36efbc5f80 R15: 00007f36f08a6000
==================================================================

I use the same kernel as the syzbot instance upstream: 7eb172143d5508b4da468ed59ee857c6e5e01da6
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=da4b04ae798b7ef6
compiler: gcc version 11.4.0
===============================================================================

Unfortunately, the modified syzkaller does not generate an effective repeat program. The following is my analysis of the bug and repair suggestions, hoping to help with the repair of the bug:

## Root cause analysis

1. **Null pointer access**: the `smc_tcp_syn_recv_sock` function does not check whether the `sk` pointer is valid and directly accesses its member `sk_wmem_alloc`.
2. **Missing initialization**: the `sk` pointer may not be initialized correctly, or may be returned early on a wrong path (such as memory allocation failure or SMC negotiation failure), resulting in a null pointer for subsequent operations.

### Repair suggestions

1. **Null pointer check**: add `if (!sk) return NULL;` before accessing members of `sk`.
2. **Error path handling**: ensure that resources are cleaned up in time when `inet_csk_clone` fails, to avoid passing invalid pointers.

Patch example:
=========================================================================
I hope it helps.

Best regards
Jianzhou Zhao
xingwei lee
Zhizhuo Tang

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -128,6 +128,8 @@
 	struct sock *child;
 
 	smc = smc_clcsock_user_data(sk);
+	if (!smc)
+		goto drop; // Ensure that the smc pointer is valid before accessing its members
 
 	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
 				sk->sk_max_ack_backlog)
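Review bot: the trailing `// Ensure that the smc pointer is valid ...` comment on the `goto drop;` line is not kernel coding style; move it above the `if (!smc)` as a `/* ... */` comment that says why `smc_clcsock_user_data(sk)` can return NULL for a listener reaching `syn_recv_sock`, rather than restating the check. The hunk also needs a commit message that matches the report: `Read of size 4 at addr 0000000000000a04` inside `atomic_read` at af_smc.c:131 is the `atomic_read(&smc->queued_smc_hs)` in the context line with `smc == NULL` (the address is a member offset from a NULL base), so the missing pointer is `smc`, not `sk` as the root-cause text above says, and `sk_wmem_alloc` does not appear anywhere in the report. Explain why the listen socket has no SMC user data on this path; a bare NULL check turns that into a silent connection drop instead of fixing the cause. Add a Signed-off-by next to the Reported-by tag.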
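To check a report like the one above mechanically (which function faulted, who called it, and that an address as small as 0xa04 is a NULL struct pointer plus a member offset), here is an added triage helper; it is not part of the mail or of the SMC code, and the `REPORT` string is an abridged excerpt of the report quoted above.

```python
# Added triage helper (not from the mail): parse a KASAN report, find the
# culprit frame and its caller, and read the faulting address as NULL + offset.
import re

# Abridged excerpt of the KASAN report quoted in the mail above.
REPORT = """\
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: null-ptr-deref in smc_tcp_syn_recv_sock+0xa7/0x4c0 net/smc/af_smc.c:131
Read of size 4 at addr 0000000000000a04 by task syz.7.21/12319
Call Trace:
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 kasan_report+0xbd/0xf0 mm/kasan/report.c:634
 kasan_check_range+0xf4/0x1a0 mm/kasan/generic.c:189
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 smc_tcp_syn_recv_sock+0xa7/0x4c0 net/smc/af_smc.c:131
 tcp_check_req+0x5e4/0x1a90 net/ipv4/tcp_minisocks.c:861
"""
SYM = r"(?P<func>\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)(?P<inline> \[inline\])?$"
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in " + SYM)
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
FRAME_RE = re.compile(r"^\s+" + SYM)

def triage(report):
    """Return culprit, caller, access details and the NULL-base offset (or None)."""
    kind = culprit = access = None
    frames, in_trace = [], False
    for line in report.splitlines():
        m = BUG_RE.match(line)
        if m and not m.group("inline"):  # the non-inline BUG line names the real function
            kind, culprit = m.group("kind"), (m.group("func"), m.group("loc"))
        elif (m := ACCESS_RE.match(line)):
            access = m.groupdict()
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            frames.append((m.group("func"), m.group("loc")))
    if culprit is None or access is None:
        raise ValueError("not a KASAN access report")
    # The frame after the culprit's own entry is the caller that handed it the pointer.
    idx = next(i for i, f in enumerate(frames) if f[0] == culprit[0])
    caller = frames[idx + 1] if idx + 1 < len(frames) else None
    addr = int(access["addr"], 16)
    # A fault at a tiny address is a NULL struct pointer plus a member offset;
    # the offset identifies which field was dereferenced (here 0xa04).
    offset = addr if kind == "null-ptr-deref" and addr < 0x1000 else None
    return {"kind": kind, "culprit": culprit, "caller": caller, "op": access["op"],
            "size": int(access["size"]), "task": access["task"], "null_base_offset": offset}

if __name__ == "__main__":
    print(triage(REPORT))
```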