Re: [syzbot] [net?] general protection fault in reuseport_add_sock (3)

[Kuniyuki Iwashima]

From: syzbot <syzbot+e6979a5d2f10ecb700e4@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 29 Jul 2024 09:28:29 -0700
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    301927d2d2eb Merge tag 'for-net-2024-07-26' of git://git.k..
> git tree:       net
> console output: https://syzkaller.appspot.com/x/log.txt?x=17332fad980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=968c4fa762577d3f
> dashboard link: https://syzkaller.appspot.com/bug?extid=e6979a5d2f10ecb700e4
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11d0a623980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1538ac55980000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cb9ce2729d35/disk-301927d2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/644eaaef61a5/vmlinux-301927d2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/2f92322485c3/bzImage-301927d2.xz
> 
> The issue was bisected to:
> 
> commit 6ba84574026792ce33a40c7da721dea36d0f3973
> Author: Xin Long <lucien.xin@xxxxxxxxx>
> Date:   Mon Nov 12 10:27:17 2018 +0000
> 
>     sctp: process sk_reuseport in sctp_get_port_local
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14ad25bd980000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=16ad25bd980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=12ad25bd980000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e6979a5d2f10ecb700e4@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 6ba845740267 ("sctp: process sk_reuseport in sctp_get_port_local")
> 
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
> CPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
> RIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350
> Code: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14
> RSP: 0018:ffffc9000b947c98 EFLAGS: 00010202
> RAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012
> RBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385
> R10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0
> R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  __sctp_hash_endpoint net/sctp/input.c:762 [inline]

Here we need to protect the other sk in the hash table as we do so for
TCP/UDP by taking the hash bucket lock.


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git 1722389b0d863056d78287a120a1d6cadb8d4f7b

diff --git a/net/core/sock_reuseport.c b/net/core/sock_reuseport.c
index 5a165286e4d8..b1614da1e41c 100644
--- a/net/core/sock_reuseport.c
+++ b/net/core/sock_reuseport.c
@@ -347,6 +347,8 @@ int reuseport_add_sock(struct sock *sk, struct sock *sk2, bool bind_inany)
 		return -EBUSY;
 	}
 
+	WARN_ON(!reuse);
+
 	if (reuse->num_socks + reuse->num_closed_socks == reuse->max_socks) {
 		reuse = reuseport_grow(reuse);
 		if (!reuse) {
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 17fcaa9b0df9..a8a254a5008e 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -735,15 +735,19 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
 	struct sock *sk = ep->base.sk;
 	struct net *net = sock_net(sk);
 	struct sctp_hashbucket *head;
+	int err = 0;
 
 	ep->hashent = sctp_ep_hashfn(net, ep->base.bind_addr.port);
 	head = &sctp_ep_hashtable[ep->hashent];
 
+	write_lock(&head->lock);
 	if (sk->sk_reuseport) {
 		bool any = sctp_is_ep_boundall(sk);
 		struct sctp_endpoint *ep2;
 		struct list_head *list;
-		int cnt = 0, err = 1;
+		int cnt = 0;
+
+		err = 1;
 
 		list_for_each(list, &ep->base.bind_addr.address_list)
 			cnt++;
@@ -761,24 +765,24 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
 			if (!err) {
 				err = reuseport_add_sock(sk, sk2, any);
 				if (err)
-					return err;
+					goto out;
 				break;
 			} else if (err < 0) {
-				return err;
+				goto out;
 			}
 		}
 
 		if (err) {
 			err = reuseport_alloc(sk, any);
 			if (err)
-				return err;
+				goto out;
 		}
 	}
 
-	write_lock(&head->lock);
 	hlist_add_head(&ep->node, &head->chain);
+out:
 	write_unlock(&head->lock);
-	return 0;
+	return err;
 }
 
 /* Add an endpoint to the hash. Local BH-safe. */
@@ -803,10 +807,9 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep)
 
 	head = &sctp_ep_hashtable[ep->hashent];
 
+	write_lock(&head->lock);
 	if (rcu_access_pointer(sk->sk_reuseport_cb))
 		reuseport_detach_sock(sk);
-
-	write_lock(&head->lock);
 	hlist_del_init(&ep->node);
 	write_unlock(&head->lock);
 }