Re: [syzbot] [net?] general protection fault in reuseport_add_sock (3)

From: Kuniyuki Iwashima
Date: Mon Jul 29 2024 - 14:02:00 EST


From: syzbot <syzbot+e6979a5d2f10ecb700e4@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 29 Jul 2024 09:28:29 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 301927d2d2eb Merge tag 'for-net-2024-07-26' of git://git.k..
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=17332fad980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=968c4fa762577d3f
> dashboard link: https://syzkaller.appspot.com/bug?extid=e6979a5d2f10ecb700e4
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11d0a623980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1538ac55980000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cb9ce2729d35/disk-301927d2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/644eaaef61a5/vmlinux-301927d2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/2f92322485c3/bzImage-301927d2.xz
>
> The issue was bisected to:
>
> commit 6ba84574026792ce33a40c7da721dea36d0f3973
> Author: Xin Long <lucien.xin@xxxxxxxxx>
> Date: Mon Nov 12 10:27:17 2018 +0000
>
> sctp: process sk_reuseport in sctp_get_port_local
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14ad25bd980000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=16ad25bd980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=12ad25bd980000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e6979a5d2f10ecb700e4@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 6ba845740267 ("sctp: process sk_reuseport in sctp_get_port_local")
>
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
> CPU: 1 UID: 0 PID: 10230 Comm: syz-executor119 Not tainted 6.10.0-syzkaller-12585-g301927d2d2eb #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
> RIP: 0010:reuseport_add_sock+0x27e/0x5e0 net/core/sock_reuseport.c:350
> Code: 00 0f b7 5d 00 bf 01 00 00 00 89 de e8 1b a4 ff f7 83 fb 01 0f 85 a3 01 00 00 e8 6d a0 ff f7 49 8d 7e 12 48 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 4b 02 00 00 41 0f b7 5e 12 49 8d 7e 14
> RSP: 0018:ffffc9000b947c98 EFLAGS: 00010202
> RAX: 0000000000000002 RBX: ffff8880252ddf98 RCX: ffff888079478000
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000012
> RBP: 0000000000000001 R08: ffffffff8993e18d R09: 1ffffffff1fef385
> R10: dffffc0000000000 R11: fffffbfff1fef386 R12: ffff8880252ddac0
> R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
> FS: 00007f24e45b96c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffcced5f7b8 CR3: 00000000241be000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> __sctp_hash_endpoint net/sctp/input.c:762 [inline]

Here we need to protect the other sk in the hash table as we do so for
TCP/UDP by taking the hash bucket lock.


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git 1722389b0d863056d78287a120a1d6cadb8d4f7b

diff --git a/net/core/sock_reuseport.c b/net/core/sock_reuseport.c
index 5a165286e4d8..b1614da1e41c 100644
--- a/net/core/sock_reuseport.c
+++ b/net/core/sock_reuseport.c
@@ -347,6 +347,8 @@ int reuseport_add_sock(struct sock *sk, struct sock *sk2, bool bind_inany)
return -EBUSY;
}

+ WARN_ON(!reuse);
+
if (reuse->num_socks + reuse->num_closed_socks == reuse->max_socks) {
reuse = reuseport_grow(reuse);
if (!reuse) {
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 17fcaa9b0df9..a8a254a5008e 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -735,15 +735,19 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
struct sock *sk = ep->base.sk;
struct net *net = sock_net(sk);
struct sctp_hashbucket *head;
+ int err = 0;

ep->hashent = sctp_ep_hashfn(net, ep->base.bind_addr.port);
head = &sctp_ep_hashtable[ep->hashent];

+ write_lock(&head->lock);
if (sk->sk_reuseport) {
bool any = sctp_is_ep_boundall(sk);
struct sctp_endpoint *ep2;
struct list_head *list;
- int cnt = 0, err = 1;
+ int cnt = 0;
+
+ err = 1;

list_for_each(list, &ep->base.bind_addr.address_list)
cnt++;
@@ -761,24 +765,24 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep)
if (!err) {
err = reuseport_add_sock(sk, sk2, any);
if (err)
- return err;
+ goto out;
break;
} else if (err < 0) {
- return err;
+ goto out;
}
}

if (err) {
err = reuseport_alloc(sk, any);
if (err)
- return err;
+ goto out;
}
}

- write_lock(&head->lock);
hlist_add_head(&ep->node, &head->chain);
+out:
write_unlock(&head->lock);
- return 0;
+ return err;
}

/* Add an endpoint to the hash. Local BH-safe. */
@@ -803,10 +807,9 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep)

head = &sctp_ep_hashtable[ep->hashent];

+ write_lock(&head->lock);
if (rcu_access_pointer(sk->sk_reuseport_cb))
reuseport_detach_sock(sk);
-
- write_lock(&head->lock);
hlist_del_init(&ep->node);
write_unlock(&head->lock);
}