* [linus:master] [bpf, sockmap]  5d609ba262: BUG:KASAN:null-ptr-deref_in_splice_to_socket
@ 2024-12-25 14:23 kernel test robot
From: kernel test robot @ 2024-12-25 14:23 UTC (permalink / raw)
  To: Zijian Zhang
  Cc: oe-lkp, lkp, linux-kernel, Martin KaFai Lau, John Fastabend, bpf,
	netdev, oliver.sang



Hello,

kernel test robot noticed "BUG:KASAN:null-ptr-deref_in_splice_to_socket" on:

commit: 5d609ba262475db450ba69b8e8a557bd768ac07a ("bpf, sockmap: Several fixes to bpf_msg_pop_data")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linus/master      8faabc041a001140564f718dabe37753e88b37fa]
[test failed on linux-next/master 8155b4ef3466f0e289e8fcc9e6e62f3f4dceeac2]

in testcase: kernel-selftests-bpf
version: 
with the following parameters:

	group: bpf



config: x86_64-rhel-9.4-bpf
compiler: gcc-12
test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (Kaby Lake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202412252136.8e8395f3-lkp@intel.com


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241225/202412252136.8e8395f3-lkp@intel.com


[ 1571.082367][T49469] ==================================================================
[ 1571.092110][T49469] BUG: KASAN: null-ptr-deref in splice_to_socket+0x6d3/0x7d0
[ 1571.099401][T49469] Read of size 8 at addr 0000000000000008 by task test_sockmap/49469
[ 1571.107402][T49469] 
[ 1571.109626][T49469] CPU: 4 UID: 0 PID: 49469 Comm: test_sockmap Tainted: G           OE      6.12.0-rc5-01137-g5d609ba26247 #1
[ 1571.121113][T49469] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 1571.127170][T49469] Hardware name: Dell Inc. OptiPlex 7050/062KRH, BIOS 1.2.0 12/22/2016
[ 1571.135326][T49469] Call Trace:
[ 1571.138498][T49469]  <TASK>
[ 1571.141320][T49469]  dump_stack_lvl+0x62/0x90
[ 1571.145719][T49469]  kasan_report+0xb9/0xf0
[ 1571.149950][T49469]  ? splice_to_socket+0x6d3/0x7d0
[ 1571.154888][T49469]  splice_to_socket+0x6d3/0x7d0
[ 1571.159641][T49469]  ? current_time+0x71/0x170
[ 1571.164145][T49469]  ? __pfx_splice_to_socket+0x10/0x10
[ 1571.169443][T49469]  ? lockdep_hardirqs_on_prepare+0x131/0x200
[ 1571.175344][T49469]  ? __pfx_current_time+0x10/0x10
[ 1571.180277][T49469]  ? atime_needs_update+0x18e/0x240
[ 1571.185380][T49469]  ? touch_atime+0x3d/0x2a0
[ 1571.189781][T49469]  ? shmem_file_splice_read+0x5c6/0x630
[ 1571.195236][T49469]  ? __pfx_direct_splice_actor+0x10/0x10
[ 1571.200778][T49469]  direct_splice_actor+0xb1/0x2f0
[ 1571.205706][T49469]  splice_direct_to_actor+0x1c5/0x450
[ 1571.210982][T49469]  ? __pfx_direct_splice_actor+0x10/0x10
[ 1571.216532][T49469]  ? __pfx_splice_direct_to_actor+0x10/0x10
[ 1571.222338][T49469]  do_splice_direct+0xee/0x170
[ 1571.227000][T49469]  ? __pfx_do_splice_direct+0x10/0x10
[ 1571.232275][T49469]  ? __pfx_direct_file_splice_eof+0x10/0x10
[ 1571.238077][T49469]  ? security_file_permission+0x84/0x90
[ 1571.243528][T49469]  ? rw_verify_area+0x1e5/0x2e0
[ 1571.248278][T49469]  do_sendfile+0x601/0x6e0
[ 1571.252593][T49469]  ? __pfx_do_sendfile+0x10/0x10
[ 1571.257443][T49469]  ? mark_held_locks+0x24/0x90
[ 1571.262105][T49469]  ? lockdep_hardirqs_on_prepare+0x131/0x200
[ 1571.267991][T49469]  ? syscall_exit_to_user_mode+0xa2/0x2a0
[ 1571.273619][T49469]  __x64_sys_sendfile64+0x138/0x150
[ 1571.278720][T49469]  ? __pfx___x64_sys_sendfile64+0x10/0x10
[ 1571.284347][T49469]  ? mark_lock+0x8f/0x530
[ 1571.288569][T49469]  ? mark_held_locks+0x24/0x90
[ 1571.293233][T49469]  do_syscall_64+0x8c/0x170
[ 1571.297638][T49469]  ? do_user_addr_fault+0x39d/0x790
[ 1571.302738][T49469]  ? reacquire_held_locks+0x16b/0x270
[ 1571.308012][T49469]  ? do_user_addr_fault+0x39d/0x790
[ 1571.313118][T49469]  ? find_held_lock+0x83/0xa0
[ 1571.317694][T49469]  ? do_user_addr_fault+0x3f6/0x790
[ 1571.322793][T49469]  ? __lock_release+0x130/0x260
[ 1571.328154][T49469]  ? do_user_addr_fault+0x3f6/0x790
[ 1571.333255][T49469]  ? __pfx___lock_release+0x10/0x10
[ 1571.338967][T49469]  ? __up_read+0x161/0x470
[ 1571.343281][T49469]  ? __pfx___up_read+0x10/0x10
[ 1571.347945][T49469]  ? do_user_addr_fault+0x3f6/0x790
[ 1571.353049][T49469]  ? __rcu_read_unlock+0x65/0x90
[ 1571.357888][T49469]  ? do_user_addr_fault+0x400/0x790
[ 1571.362990][T49469]  ? mark_held_locks+0x24/0x90
[ 1571.367656][T49469]  ? lockdep_hardirqs_on_prepare+0x131/0x200
[ 1571.373548][T49469]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 1571.379352][T49469] RIP: 0033:0x7fb9e873c77a
[ 1571.383665][T49469] Code: c3 0f 1f 80 00 00 00 00 4c 89 d2 4c 89 c6 e9 fd fd ff ff 0f 1f 44 00 00 31 c0 c3 0f 1f 44 00 00 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 56 0d 00 f7 d8 64 89 01 48
[ 1571.403312][T49469] RSP: 002b:00007fff4192bac8 EFLAGS: 00000203 ORIG_RAX: 0000000000000028
[ 1571.411663][T49469] RAX: ffffffffffffffda RBX: 00007fff4192bf28 RCX: 00007fb9e873c77a
[ 1571.419574][T49469] RDX: 0000000000000000 RSI: 0000000000000218 RDI: 0000000000000212
[ 1571.427497][T49469] RBP: 00007fff4192bb20 R08: 000da7112e464d67 R09: 00007fb9e8812cd0
[ 1571.435397][T49469] R10: 0000000000002000 R11: 0000000000000203 R12: 0000000000000000
[ 1571.443318][T49469] R13: 00007fff4192bf38 R14: 000055f5228dbf18 R15: 00007fb9e88a3020
[ 1571.451226][T49469]  </TASK>
[ 1571.454133][T49469] ==================================================================
[ 1571.462327][T49469] Disabling lock debugging due to kernel taint
[ 1571.468595][T49469] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 1571.476319][T49469] #PF: supervisor read access in kernel mode
[ 1571.482203][T49469] #PF: error_code(0x0000) - not-present page
[ 1571.488085][T49469] PGD 0 P4D 0 
[ 1571.491350][T49469] Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[ 1571.497321][T49469] CPU: 4 UID: 0 PID: 49469 Comm: test_sockmap Tainted: G    B      OE      6.12.0-rc5-01137-g5d609ba26247 #1
[ 1571.508811][T49469] Tainted: [B]=BAD_PAGE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 1571.516096][T49469] Hardware name: Dell Inc. OptiPlex 7050/062KRH, BIOS 1.2.0 12/22/2016
[ 1571.524256][T49469] RIP: 0010:splice_to_socket+0x6d3/0x7d0
[ 1571.529795][T49469] Code: 85 d2 49 89 4f 08 75 32 49 8d 7f 10 83 c3 01 e8 63 88 ef ff 4d 8b 67 10 49 c7 47 10 00 00 00 00 49 8d 7c 24 08 e8 4d 88 ef ff <49> 8b 44 24 08 4c 89 fe 4c 89 ef ff d0 0f 1f 00 4d 85 f6 0f 8f 5c
[ 1571.549440][T49469] RSP: 0018:ffff888350677650 EFLAGS: 00010286
[ 1571.555434][T49469] RAX: 0000000000000001 RBX: 0000000000000003 RCX: ffffffff81143986
[ 1571.563333][T49469] RDX: fffffbfff0cf2b19 RSI: 0000000000000008 RDI: ffffffff867958c0
[ 1571.571229][T49469] RBP: ffff888350677930 R08: 0000000000000001 R09: fffffbfff0cf2b18
[ 1571.579126][T49469] R10: ffffffff867958c7 R11: 0000000000000001 R12: 0000000000000000
[ 1571.587024][T49469] R13: ffff8883aee95400 R14: 0000000000001001 R15: ffff8887ca88e050
[ 1571.594920][T49469] FS:  00007fb9e863f080(0000) GS:ffff888733200000(0000) knlGS:0000000000000000
[ 1571.603779][T49469] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1571.610275][T49469] CR2: 0000000000000008 CR3: 00000003b05b0003 CR4: 00000000003726f0
[ 1571.618172][T49469] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1571.626068][T49469] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1571.633968][T49469] Call Trace:
[ 1571.637143][T49469]  <TASK>
[ 1571.639967][T49469]  ? __die+0x1f/0x60
[ 1571.643761][T49469]  ? page_fault_oops+0x8d/0xc0
[ 1571.648451][T49469]  ? exc_page_fault+0x57/0xe0
[ 1571.653043][T49469]  ? asm_exc_page_fault+0x22/0x30
[ 1571.657979][T49469]  ? add_taint+0x26/0x90
[ 1571.662118][T49469]  ? splice_to_socket+0x6d3/0x7d0
[ 1571.667043][T49469]  ? current_time+0x71/0x170
[ 1571.671537][T49469]  ? __pfx_splice_to_socket+0x10/0x10
[ 1571.676811][T49469]  ? lockdep_hardirqs_on_prepare+0x131/0x200
[ 1571.682702][T49469]  ? __pfx_current_time+0x10/0x10
[ 1571.687632][T49469]  ? atime_needs_update+0x18e/0x240
[ 1571.692735][T49469]  ? touch_atime+0x3d/0x2a0
[ 1571.697136][T49469]  ? shmem_file_splice_read+0x5c6/0x630
[ 1571.702592][T49469]  ? __pfx_direct_splice_actor+0x10/0x10
[ 1571.708132][T49469]  direct_splice_actor+0xb1/0x2f0
[ 1571.713058][T49469]  splice_direct_to_actor+0x1c5/0x450
[ 1571.718332][T49469]  ? __pfx_direct_splice_actor+0x10/0x10
[ 1571.723873][T49469]  ? __pfx_splice_direct_to_actor+0x10/0x10
[ 1571.729676][T49469]  do_splice_direct+0xee/0x170
[ 1571.734337][T49469]  ? __pfx_do_splice_direct+0x10/0x10
[ 1571.739612][T49469]  ? __pfx_direct_file_splice_eof+0x10/0x10
[ 1571.745435][T49469]  ? security_file_permission+0x84/0x90
[ 1571.750884][T49469]  ? rw_verify_area+0x1e5/0x2e0
[ 1571.755634][T49469]  do_sendfile+0x601/0x6e0
[ 1571.759950][T49469]  ? __pfx_do_sendfile+0x10/0x10
[ 1571.764786][T49469]  ? mark_held_locks+0x24/0x90
[ 1571.769452][T49469]  ? lockdep_hardirqs_on_prepare+0x131/0x200
[ 1571.775351][T49469]  ? syscall_exit_to_user_mode+0xa2/0x2a0
[ 1571.780978][T49469]  __x64_sys_sendfile64+0x138/0x150
[ 1571.786078][T49469]  ? __pfx___x64_sys_sendfile64+0x10/0x10
[ 1571.791702][T49469]  ? mark_lock+0x8f/0x530
[ 1571.795924][T49469]  ? mark_held_locks+0x24/0x90
[ 1571.800587][T49469]  do_syscall_64+0x8c/0x170
[ 1571.804991][T49469]  ? do_user_addr_fault+0x39d/0x790
[ 1571.810089][T49469]  ? reacquire_held_locks+0x16b/0x270
[ 1571.815364][T49469]  ? do_user_addr_fault+0x39d/0x790
[ 1571.820466][T49469]  ? find_held_lock+0x83/0xa0
[ 1571.825053][T49469]  ? do_user_addr_fault+0x3f6/0x790
[ 1571.830154][T49469]  ? __lock_release+0x130/0x260
[ 1571.835513][T49469]  ? do_user_addr_fault+0x3f6/0x790
[ 1571.840613][T49469]  ? __pfx___lock_release+0x10/0x10
[ 1571.846327][T49469]  ? __up_read+0x161/0x470
[ 1571.850637][T49469]  ? __pfx___up_read+0x10/0x10
[ 1571.855299][T49469]  ? do_user_addr_fault+0x3f6/0x790
[ 1571.860398][T49469]  ? __rcu_read_unlock+0x65/0x90
[ 1571.865237][T49469]  ? do_user_addr_fault+0x400/0x790
[ 1571.870337][T49469]  ? mark_held_locks+0x24/0x90
[ 1571.875001][T49469]  ? lockdep_hardirqs_on_prepare+0x131/0x200
[ 1571.880897][T49469]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 1571.886704][T49469] RIP: 0033:0x7fb9e873c77a
[ 1571.891022][T49469] Code: c3 0f 1f 80 00 00 00 00 4c 89 d2 4c 89 c6 e9 fd fd ff ff 0f 1f 44 00 00 31 c0 c3 0f 1f 44 00 00 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 56 0d 00 f7 d8 64 89 01 48
[ 1571.910665][T49469] RSP: 002b:00007fff4192bac8 EFLAGS: 00000203 ORIG_RAX: 0000000000000028
[ 1571.919004][T49469] RAX: ffffffffffffffda RBX: 00007fff4192bf28 RCX: 00007fb9e873c77a
[ 1571.926901][T49469] RDX: 0000000000000000 RSI: 0000000000000218 RDI: 0000000000000212
[ 1571.934798][T49469] RBP: 00007fff4192bb20 R08: 000da7112e464d67 R09: 00007fb9e8812cd0
[ 1571.942694][T49469] R10: 0000000000002000 R11: 0000000000000203 R12: 0000000000000000
[ 1571.950591][T49469] R13: 00007fff4192bf38 R14: 000055f5228dbf18 R15: 00007fb9e88a3020
[ 1571.958508][T49469]  </TASK>
[ 1571.961435][T49469] Modules linked in: tls rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 psample snd_hda_codec_hdmi snd_ctl_led intel_rapl_msr snd_hda_codec_realtek intel_rapl_common snd_hda_codec_generic snd_hda_scodec_component intel_uncore_frequency intel_uncore_frequency_common btrfs blake2b_generic xor zstd_compress snd_soc_avs raid6_pq libcrc32c snd_soc_hda_codec x86_pkg_temp_thermal snd_hda_ext_core intel_powerclamp i915 coretemp sd_mod snd_soc_core sg kvm_intel cec snd_compress drm_buddy kvm snd_hda_intel drm_display_helper snd_intel_dspcfg snd_intel_sdw_acpi crct10dif_pclmul ttm dell_pc snd_hda_codec crc32_pclmul dell_wmi crc32c_intel snd_hda_core drm_kms_helper mei_wdt ghash_clmulni_intel i2c_designware_platform snd_hwdep ahci intel_gtt i2c_designware_core rapl snd_pcm agpgart libahci dell_smbios platform_profile ipmi_devintf dell_wmi_aio intel_cstate ipmi_msghandler dcdbas dell_wmi_descriptor wmi_bmof sparse_keymap snd_timer video mei_me
[ 1571.961682][T49469]  intel_lpss_pci intel_uncore snd i2c_i801 pcspkr intel_pmc_core libata intel_lpss mei soundcore i2c_smbus idma64 intel_vsec pmt_telemetry wmi pinctrl_sunrisepoint pmt_class acpi_pad binfmt_misc drm dm_mod ip_tables x_tables sch_fq_codel [last unloaded: bpf_testmod(OE)]
[ 1572.078794][T49469] CR2: 0000000000000008
[ 1572.082843][T49469] ---[ end trace 0000000000000000 ]---
[ 1572.088202][T49469] RIP: 0010:splice_to_socket+0x6d3/0x7d0
[ 1572.093740][T49469] Code: 85 d2 49 89 4f 08 75 32 49 8d 7f 10 83 c3 01 e8 63 88 ef ff 4d 8b 67 10 49 c7 47 10 00 00 00 00 49 8d 7c 24 08 e8 4d 88 ef ff <49> 8b 44 24 08 4c 89 fe 4c 89 ef ff d0 0f 1f 00 4d 85 f6 0f 8f 5c
[ 1572.113363][T49469] RSP: 0018:ffff888350677650 EFLAGS: 00010286
[ 1572.119346][T49469] RAX: 0000000000000001 RBX: 0000000000000003 RCX: ffffffff81143986
[ 1572.127253][T49469] RDX: fffffbfff0cf2b19 RSI: 0000000000000008 RDI: ffffffff867958c0
[ 1572.135161][T49469] RBP: ffff888350677930 R08: 0000000000000001 R09: fffffbfff0cf2b18
[ 1572.143071][T49469] R10: ffffffff867958c7 R11: 0000000000000001 R12: 0000000000000000
[ 1572.150969][T49469] R13: ffff8883aee95400 R14: 0000000000001001 R15: ffff8887ca88e050
[ 1572.158867][T49469] FS:  00007fb9e863f080(0000) GS:ffff888733200000(0000) knlGS:0000000000000000
[ 1572.167730][T49469] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1572.174226][T49469] CR2: 0000000000000008 CR3: 00000003b05b0003 CR4: 00000000003726f0
[ 1572.182125][T49469] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1572.190023][T49469] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1572.197918][T49469] Kernel panic - not syncing: Fatal exception
[ 1572.203935][T49469] Kernel Offset: disabled



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

