From: syzbot <syzbot+b17d3e853d5dce65f981@syzkaller.appspotmail.com>
To: Hillf Danton <hdanton@sina.com>
Cc: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: stack-out-of-bounds Read in __show_regs
Date: Wed, 15 Jun 2022 06:02:21 -0700
Message-ID: <000000000000b9bb9b05e17c21a8@google.com>
In-Reply-To: <20220615130208.2209-1-hdanton@sina.com>
> On Tue, 14 Jun 2022 12:05:35 -0700
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit: 2f3064574275 README.md: ORC is no more a problem
>> git tree: https://github.com/google/kmsan.git master
>> console output: https://syzkaller.appspot.com/x/log.txt?x=169a2310080000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=8e6293529531e9ca
>> dashboard link: https://syzkaller.appspot.com/bug?extid=b17d3e853d5dce65f981
>> compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project.git 9ffb5944a699b6a0d69c169ceff97636395ee30f), GNU ld (GNU Binutils for Debian) 2.35.2
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14917c2ff00000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1303752ff00000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+b17d3e853d5dce65f981@syzkaller.appspotmail.com
>>
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> RIP: 0010:j1939_session_deactivate net/can/j1939/transport.c:1090 [inline]
>> RIP: 0010:j1939_session_deactivate_activate_next+0x271/0x480 net/can/j1939/transport.c:1100
>> Code: f4 e9 ed fd ff ff 8b 7d d4 e8 fb 31 13 f4 e9 24 fe ff ff 44 89 ff e8 ee 31 13 f4 41 83 fc 02 0f 83 68 fe ff ff e8 df 70 82 f3 <0f> 0b e9 61 fe ff ff 8b 7d d4 e8 d0 31 13 f4 e9 68 fe ff ff 44 89
>> RSP: 0018:ffff888102e3f5c8 EFLAGS: 00010246
>> =====================================================
>> BUG: KMSAN: uninit-value in __show_regs+0xe6/0x1040 arch/x86/kernel/process_64.c:76
>> __show_regs+0xe6/0x1040 arch/x86/kernel/process_64.c:76
>> show_regs+0xc0/0x160 arch/x86/kernel/dumpstack.c:463
>> __warn+0x3c2/0x730 kernel/panic.c:596
>> report_bug+0x8eb/0xae0 lib/bug.c:199
>> handle_bug+0x41/0x70 arch/x86/kernel/traps.c:315
>> exc_invalid_op+0x1b/0x50 arch/x86/kernel/traps.c:335
>> asm_exc_invalid_op+0x12/0x20
>> j1939_session_deactivate_activate_next+0x271/0x480 net/can/j1939/transport.c:1100
>> j1939_xtp_rx_abort_one+0x861/0x900 net/can/j1939/transport.c:1340
>> j1939_xtp_rx_abort net/can/j1939/transport.c:1351 [inline]
>> j1939_tp_cmd_recv net/can/j1939/transport.c:2100 [inline]
>> j1939_tp_recv+0x1534/0x1cd0 net/can/j1939/transport.c:2133
>> j1939_can_recv+0xed0/0x1070 net/can/j1939/main.c:108
>> deliver net/can/af_can.c:574 [inline]
>> can_rcv_filter+0x74b/0x1110 net/can/af_can.c:608
>> can_receive+0x4fb/0x6d0 net/can/af_can.c:665
>> can_rcv+0x1f0/0x490 net/can/af_can.c:696
>> __netif_receive_skb_one_core net/core/dev.c:5405 [inline]
>> __netif_receive_skb+0x1f1/0x640 net/core/dev.c:5519
>> process_backlog+0x4e7/0xb50 net/core/dev.c:5847
>> __napi_poll+0x14e/0xb80 net/core/dev.c:6413
>> napi_poll net/core/dev.c:6480 [inline]
>> net_rx_action+0x7e8/0x1830 net/core/dev.c:6567
>> __do_softirq+0x206/0x809 kernel/softirq.c:558
>> run_ksoftirqd+0x37/0x50 kernel/softirq.c:921
>> smpboot_thread_fn+0x626/0xbf0 kernel/smpboot.c:164
>> kthread+0x3c7/0x500 kernel/kthread.c:376
>> ret_from_fork+0x1f/0x30
>>
>> Local variable mic created at:
>> ieee80211_rx_h_michael_mic_verify+0x54/0x10f0 net/mac80211/wpa.c:100
>> ieee80211_rx_handlers+0x2d31/0xf170 net/mac80211/rx.c:3929
>>
>> CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.18.0-syzkaller-16253-g2f3064574275 #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> =====================================================
>
> See if session is already deactivated.
>
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 24625f7d
KMSAN bugs can only be tested on the https://github.com/google/kmsan.git tree
because the KMSAN tool is not upstreamed yet.
See https://goo.gl/tpsmEJ#kmsan-bugs for details.
>
> diff -pur a/net/can/j1939/transport.c b/net/can/j1939/transport.c
> --- a/net/can/j1939/transport.c 2022-06-15 18:48:27.235848700 +0800
> +++ b/net/can/j1939/transport.c 2022-06-15 20:51:11.711001100 +0800
> @@ -1085,9 +1085,9 @@ static bool j1939_session_deactivate(str
>
> j1939_session_list_lock(priv);
> /* This function should be called with a session ref-count of at
> - * least 2.
> + * least 2 if the session is not deactivated yet.
> */
> - WARN_ON_ONCE(kref_read(&session->kref) < 2);
> + WARN_ON_ONCE(session->err != ESHUTDOWN && kref_read(&session->kref) < 2);
> active = j1939_session_deactivate_locked(session);
> j1939_session_list_unlock(priv);
>
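Review bot: the new condition `session->err != ESHUTDOWN && kref_read(&session->kref) < 2` only suppresses the warning for sessions whose `err` was set to `ESHUTDOWN`, while the KMSAN report quoted above is an uninit-value read in `__show_regs` (the local variable `mic` from `ieee80211_rx_h_michael_mic_verify`) that this WARN merely triggered through `report_bug`/`show_regs`; silencing the WARN removes the trigger but not the uninitialized read, so the commit message should say which of the two problems the patch is meant to address. Two smaller points on the same hunk: the updated comment reads `least 2 if the session is not deactivated yet`, but the code tests `err` rather than the session state, so the comment should name the path that sets `err` to `ESHUTDOWN` and why a refcount below 2 is legitimate there; and since that site is not visible in this hunk, please double-check that `err` is stored there as the positive `ESHUTDOWN` rather than `-ESHUTDOWN`, otherwise the new condition never short-circuits and the warning still fires.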
> --