Re: [syzbot] [net?] BUG: unable to handle kernel paging request in net_generic

[syzbot <syzbot+6acef9e0a4d1f46c83d4@syzkaller.appspotmail.com>]

> On 26/07/2024 16:02, Jakub Kicinski wrote:
>> CC: James [L2TP]
>> 
>> On Thu, 25 Jul 2024 03:37:24 -0700 syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    c912bf709078 Merge remote-tracking branches 'origin/arm64-..
>>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1625a15e980000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=79a49b0b9ffd6585
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=6acef9e0a4d1f46c83d4
>>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>>> userspace arch: arm64
>>>
>>> Unfortunately, I don't have any reproducer for this issue yet.
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/fea69a9d153c/disk-c912bf70.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/be06762a72ef/vmlinux-c912bf70.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/6c8e58b4215d/Image-c912bf70.gz.xz
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+6acef9e0a4d1f46c83d4@syzkaller.appspotmail.com
>>>
>>> Unable to handle kernel paging request at virtual address dfff800000000257
>>> KASAN: probably user-memory-access in range [0x00000000000012b8-0x00000000000012bf]
>  >> ...
>>> Call trace:
>>>  net_generic+0xd0/0x250 include/net/netns/generic.h:46
>>>  l2tp_pernet net/l2tp/l2tp_core.c:125 [inline]
>>>  l2tp_tunnel_get+0x90/0x464 net/l2tp/l2tp_core.c:207
>>>  l2tp_udp_recv_core net/l2tp/l2tp_core.c:852 [inline]
>>>  l2tp_udp_encap_recv+0x314/0xb3c net/l2tp/l2tp_core.c:933
>>>  udpv6_queue_rcv_one_skb+0x1870/0x1ad4 net/ipv6/udp.c:727
>>>  udpv6_queue_rcv_skb+0x3bc/0x574 net/ipv6/udp.c:789
>>>  udp6_unicast_rcv_skb+0x1cc/0x320 net/ipv6/udp.c:929
>>>  __udp6_lib_rcv+0xbcc/0x1330 net/ipv6/udp.c:1018
>>>  udpv6_rcv+0x88/0x9c net/ipv6/udp.c:1133
>>>  ip6_protocol_deliver_rcu+0x988/0x12a4 net/ipv6/ip6_input.c:438
>>>  ip6_input_finish+0x164/0x298 net/ipv6/ip6_input.c:483
>>> ...
>
> This crash is the result of a call to net_generic() being unable to 
> dereference net when handling a received l2tpv2 packet.
>
> The stack frame indicates that l2tp_udp_recv_core finds that the 
> packet's tunnel_id does not match the tunnel pointer derived from 
> sk_user_data of the receiving socket. This can happen when more than one 
> socket shares the same 5-tuple address. When a tunnel ID mismatch is 
> detected, l2tp looks up the tunnel using the ID from the packet. It is 
> this lookup which segfaults in net_generic() when l2tp tries to access 
> its per-net tunnel list.
>
> The code implicated by the crash, which added support for aliased 
> sockets, is no longer in linux-net or net-next. l2tp no longer looks up 
> tunnels in the datapath; instead it looks up sessions without finding 
> the parent tunnel first. The commits are:
>
>   * support for aliased sockets was added in 628bc3e5a1be ("l2tp: 
> Support several sockets with same IP/port quadruple") May 2024.
>
>   * l2tp's receive path was refactored in ff6a2ac23cb0 ("l2tp: refactor 
> udp recv to lookup to not use sk_user_data") June 2024.
>
> Is 628bc3e5a1be in any LTS or stable kernel? I didn't find it in 
> linux-stable.git
>
> A possible fix is attached.
>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 

This crash does not have a reproducer. I cannot test it.

> for-kernelci