On Tuesday, 7 July 2020 17:30:14 CEST syzbot wrote:
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 9126 Comm: kworker/u4:9 Not tainted 5.8.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet RIP: 0010:batadv_iv_ogm_schedule_buff+0xd1e/0x1410 net/batman-adv/bat_iv_ogm.c:843
Seems to be following lines:
838 /* OGMs from primary interfaces are scheduled on all 839 * interfaces. 840 */ 841 rcu_read_lock(); 842 list_for_each_entry_rcu(tmp_hard_iface, &batadv_hardif_list, list) { 843 if (tmp_hard_iface->soft_iface != hard_iface->soft_iface) 844 continue;
If I understand it correctly, the tmp_hard_iface is NULL and then accessing soft_iface (offset 0x70 on amd64) causes this problem. But neither the batadv_hardif_list should ever point to NULL nor any entry inside the list.
I've just went through all code which accesses the list:
* bat_iv_ogm.c 839,7 @@ static void batadv_iv_ogm_schedule_buff * bat_iv_ogm.c 1606,7 @@ static void batadv_iv_ogm_process * bat_iv_ogm.c 1671,7 @@ static void batadv_iv_ogm_process * bat_iv_ogm.c 2144,7 @@ static void batadv_iv_neigh_print * bat_iv_ogm.c 2313,8 @@ batadv_iv_ogm_neigh_dump * bat_v.c 188,7 @@ static void batadv_v_neigh_print * bat_v.c 315,7 @@ batadv_v_neigh_dump * bat_v_elp.c 425,7 @@ void batadv_v_elp_primary_iface_set * bat_v_ogm.c 298,7 @@ static void batadv_v_ogm_send_softif * bat_v_ogm.c 923,7 @@ static void batadv_v_ogm_process * hard-interface.c 68,7 @@ batadv_hardif_get_by_netdev * hard-interface.c 431,7 @@ batadv_hardif_get_active * hard-interface.c 501,7 @@ static void batadv_check_known_mac_addr * hard-interface.c 533,7 @@ static void batadv_hardif_recalc_extra_skbroom * hard-interface.c 572,7 @@ int batadv_hardif_min_mtu * hard-interface.c 829,7 @@ static size_t batadv_hardif_cnt * main.c 290,7 @@ bool batadv_is_my_mac * netlink.c 991,7 @@ batadv_netlink_dump_hardif * originator.c 1301,7 @@ static bool batadv_purge_orig_node * send.c 882,7 @@ static void batadv_send_outstanding_bcast_packet * soft-interface.c 1141,7 @@ static void batadv_softif_destroy_netlink
and all the code which adds to the list or initializes parts of the list:
* hard-interface.c 927,7 @@ batadv_hardif_add_interface
- should be under rtnl_lock
* hard-interface.c 945,7 @@ batadv_hardif_add_interface
- should be under rtnl_lock
* hard-interface.c 99,7 @@ static int __init batadv_init
- this is done to initialized the list head before the rest of the code is initialized
and all the code which removes entries from the list:
* hard-interface.c 985,8 @@ void batadv_hardif_remove_interfaces
- is under rtnl_lock - there should also be nothing in this list because unregister_netdevice_notifier will trigger a NETDEV_UNREGISTER of these devices
* hard-interface.c 1048,7 @@ static int batadv_hard_if_event
- should be under rtnl_lock
The batadv_hard_iface is only kfree_rcu'ed by batadv_hardif_release when the reference counter is zero. The reference counter is increased in:
* bat_iv_ogm.c 843,20 @@ static void batadv_iv_ogm_schedule_buff * bat_iv_ogm.c 1678,13 @@ static void batadv_iv_ogm_process * bat_v_ogm.c 302,7 @@ static void batadv_v_ogm_send_softif * bat_v_ogm.c 930,7 @@ static void batadv_v_ogm_process * hard-interface.c 70,7 @@ batadv_hardif_get_by_netdev * hard-interface.c 436,7 @@ batadv_hardif_get_active * hard-interface.c 471,7 @@ static void batadv_primary_if_select * hard-interface.c 720,7 @@ int batadv_hardif_enable_interface * hard-interface.c 765,7 @@ int batadv_hardif_enable_interface * hard-interface.c 932,7 @@ batadv_hardif_add_interface * hard-interface.c 944,7 @@ batadv_hardif_add_interface * hard-interface.h 133,7 @@ batadv_primary_if_get_selected * main.c 460,7 @@ int batadv_batman_skb_recv * originator.c 413,7 @@ batadv_orig_ifinfo_new * originator.c 491,7 @@ batadv_neigh_ifinfo_new * originator.c 570,7 @@ batadv_hardif_neigh_create * originator.c 682,7 @@ batadv_neigh_node_create * originator.c 1308,7 @@ static bool batadv_purge_orig_node * send.c 527,10 @@ batadv_forw_packet_alloc * send.c 932,7 @@ static void batadv_send_outstanding_bcast_packet
and decreased:
* bat_iv_ogm.c 518,7 @@ batadv_iv_ogm_can_aggregate * bat_iv_ogm.c 843,20 @@ static void batadv_iv_ogm_schedule_buff * bat_iv_ogm.c 1678,13 @@ static void batadv_iv_ogm_process * bat_v.c 51,7 @@ static void batadv_v_iface_activate * bat_v.c 108,7 @@ static void batadv_v_iface_update_mac * bat_v_elp.c 540,7 @@ int batadv_v_elp_packet_recv * bat_v_ogm.c 326,7 @@ static void batadv_v_ogm_send_softif * bat_v_ogm.c 340,12 @@ static void batadv_v_ogm_send_softif * bat_v_ogm.c 958,7 @@ static void batadv_v_ogm_process * bat_v_ogm.c 966,7 @@ static void batadv_v_ogm_process * bridge_loop_avoidance.c 440,7 @@ static void batadv_bla_send_claim * bridge_loop_avoidance.c 1405,7 @@ void batadv_bla_status_update * bridge_loop_avoidance.c 1499,7 @@ static void batadv_bla_periodic_work * bridge_loop_avoidance.c 1538,7 @@ int batadv_bla_init * bridge_loop_avoidance.c 1746,7 @@ void batadv_bla_free * bridge_loop_avoidance.c 1910,7 @@ bool batadv_bla_rx * bridge_loop_avoidance.c 2017,7 @@ bool batadv_bla_tx * bridge_loop_avoidance.c 2081,7 @@ int batadv_bla_claim_table_seq_print_text * bridge_loop_avoidance.c 2248,7 @@ int batadv_bla_claim_dump * bridge_loop_avoidance.c 2317,7 @@ int batadv_bla_backbone_table_seq_print_text * bridge_loop_avoidance.c 2486,7 @@ int batadv_bla_backbone_dump * bridge_loop_avoidance.c 2538,7 @@ bool batadv_bla_check_claim * distributed-arp-table.c 891,7 @@ int batadv_dat_cache_seq_print_text * distributed-arp-table.c 1037,7 @@ int batadv_dat_cache_dump * fragmentation.c 540,7 @@ int batadv_frag_send_packet * gateway_client.c 535,7 @@ int batadv_gw_client_seq_print_text * gateway_client.c 595,7 @@ int batadv_gw_dump * hard-interface.c 239,7 @@ static struct net_device *batadv_get_real_netdevice * hard-interface.c 460,7 @@ static void batadv_primary_if_update_addr * hard-interface.c 484,7 @@ static void batadv_primary_if_select * hard-interface.c 657,7 @@ batadv_hardif_activate_interface * hard-interface.c 809,7 @@ int batadv_hardif_enable_interface * hard-interface.c 860,7 @@ void batadv_hardif_disable_interface * hard-interface.c 870,7 @@ void batadv_hardif_disable_interface * hard-interface.c 893,11 @@ void batadv_hardif_disable_interface * hard-interface.c 973,7 @@ static void batadv_hardif_remove_interface * hard-interface.c 1086,10 @@ static int batadv_hard_if_event * icmp_socket.c 278,7 @@ static ssize_t batadv_socket_write * main.c 336,7 @@ batadv_seq_print_text_primary_if_get * main.c 504,7 @@ int batadv_batman_skb_recv * main.c 515,7 @@ int batadv_batman_skb_recv * multicast.c 2152,7 @@ int batadv_mcast_flags_seq_print_text * multicast.c 2361,7 @@ batadv_mcast_netlink_get_primary * multicast.c 2389,7 @@ int batadv_mcast_flags_dump * netlink.c 359,14 @@ static int batadv_netlink_mesh_fill * netlink.c 1217,7 @@ batadv_get_hardif_from_info * netlink.c 1336,7 @@ static void batadv_post_doit * network-coding.c 1937,7 @@ int batadv_nc_nodes_seq_print_text * originator.c 239,7 @@ static void batadv_neigh_ifinfo_release * originator.c 270,7 @@ static void batadv_hardif_neigh_release * originator.c 304,7 @@ static void batadv_neigh_node_release * originator.c 756,7 @@ int batadv_hardif_neigh_seq_print_text * originator.c 835,11 @@ int batadv_hardif_neigh_dump * originator.c 859,7 @@ static void batadv_orig_ifinfo_release * originator.c 1319,7 @@ static bool batadv_purge_orig_node * originator.c 1406,7 @@ int batadv_orig_seq_print_text * originator.c 1461,7 @@ int batadv_orig_hardif_seq_print_text * originator.c 1532,11 @@ int batadv_orig_dump * routing.c 280,7 @@ static int batadv_recv_my_icmp_packet * routing.c 335,7 @@ static int batadv_recv_icmp_ttl_exceeded * routing.c 796,7 @@ batadv_reroute_unicast_packet * routing.c 907,7 @@ static bool batadv_check_unicast_ttvn * send.c 310,7 @@ bool batadv_send_skb_prepare_unicast_4addr * send.c 475,9 @@ void batadv_forw_packet_free * send.c 767,14 @@ int batadv_add_bcast_packet_to_list * send.c 932,7 @@ static void batadv_send_outstanding_bcast_packet * soft-interface.c 395,7 @@ static netdev_tx_t batadv_interface_tx * soft-interface.c 893,7 @@ static int batadv_softif_slave_add * soft-interface.c 920,7 @@ static int batadv_softif_slave_del * sysfs.c 282,7 @@ ssize_t batadv_store_##_name * sysfs.c 301,7 @@ ssize_t batadv_show_##_name * sysfs.c 959,7 @@ static ssize_t batadv_show_mesh_iface * sysfs.c 1013,7 @@ static int batadv_store_mesh_iface_finish * sysfs.c 1110,7 @@ static ssize_t batadv_show_iface_status * sysfs.c 1170,7 @@ static ssize_t batadv_store_throughput_override * sysfs.c 1190,7 @@ static ssize_t batadv_show_throughput_override * tp_meter.c 748,7 @@ static void batadv_tp_recv_ack * tp_meter.c 882,7 @@ static int batadv_tp_send * tp_meter.c 1207,7 @@ static int batadv_tp_send_ack * translation-table.c 820,7 @@ bool batadv_tt_local_add * translation-table.c 1135,7 @@ int batadv_tt_local_seq_print_text * translation-table.c 1293,7 @@ int batadv_tt_local_dump * translation-table.c 2007,7 @@ int batadv_tt_global_seq_print_text * translation-table.c 2214,7 @@ int batadv_tt_global_dump * translation-table.c 3198,7 @@ static bool batadv_send_tt_request * translation-table.c 3461,7 @@ static bool batadv_send_my_tt_response * translation-table.c 3785,7 @@ static void batadv_send_roam_adv
Btw. we can most likely ignore everything related to bat_v* because it crashed in bat_iv. So if anybody else spots something which I've missed....
Kind regards, Sven