From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 16 Feb 2021 18:01:44 +0000
From: Catalin Marinas
To: "Jason A. Donenfeld"
Cc: Netdev, syzbot, Mark Brown, Kees Cook, linux-arm-kernel, LKML, Mark Rutland, mbenes@suse.cz, syzkaller-bugs, Will Deacon, Ard Biesheuvel
Subject: Re: KASAN: invalid-access Write in enqueue_timer
Message-ID: <20210216180143.GB14978@arm.com>
References: <0000000000000be4d705bb68dfa7@google.com> <20210216172817.GA14978@arm.com>
X-Mailing-List: netdev@vger.kernel.org

On Tue, Feb 16, 2021 at 06:50:20PM +0100, Jason A. Donenfeld wrote:
> On Tue, Feb 16, 2021 at 6:46 PM Jason A. Donenfeld wrote:
> > On Tue, Feb 16, 2021 at 6:28 PM Catalin Marinas wrote:
> > > >  hlist_add_head include/linux/list.h:883 [inline]
> > > >  enqueue_timer+0x18/0xc0 kernel/time/timer.c:581
> > > >  mod_timer+0x14/0x20 kernel/time/timer.c:1106
> > > >  mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
> > > >  wg_timers_any_authenticated_packet_traversal+0x68/0x90 drivers/net/wireguard/timers.c:215
> >
> > The line of hlist_add_head that it's hitting is:
> >
> > static inline void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
> > {
> >         struct hlist_node *first = h->first;
> >         WRITE_ONCE(n->next, first);
> >         if (first)
> >
> > So that means it's the dereferencing of h that's a problem. That comes from:
> >
> > static void enqueue_timer(struct timer_base *base, struct timer_list *timer,
> >                           unsigned int idx, unsigned long bucket_expiry)
> > {
> >
> >         hlist_add_head(&timer->entry, base->vectors + idx);
> >
> > That means it concerns base->vectors + idx, not the timer_list object
> > that wireguard manages. That's confusing. Could that imply that the
> > bug is in freeing a previous timer without removing it from the timer
> > lists, so that it winds up being in base->vectors?

Good point, it's indeed likely that the timer list is messed up already,
just an unlucky encounter in the wireguard code.

> Digging around on syzkaller, it looks like there's a similar bug on
> jbd2, concerning iptunnels's allocation:
>
> https://syzkaller.appspot.com/text?tag=CrashReport&x=13afb19cd00000
[...]
> It might not actually be a wireguard bug?

I wonder whether syzbot reported similar issues with CONFIG_KASAN_SW_TAGS.
It shouldn't be that different from the HW_TAGS but at least we can rule
out qemu bugs with the MTE emulation.

-- 
Catalin
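The hypothesis raised in the thread, that a timer was freed while still linked into base->vectors so that a later hlist_add_head() on the same bucket touches freed memory, can be made concrete in user space. The following is an added example, not code from this thread, from the kernel or from WireGuard: it models the kernel's hlist primitives together with a toy slab and a one-bit-per-object "shadow" table standing in for KASAN, and runs the buggy teardown (free without del_timer) beside the correct one (unlink, then free). The struct and function names mirror include/linux/list.h and kernel/time/timer.c; the pool, the shadow table, the bucket count, the bucket hash and the two scenario functions are constructed for this example and do not exist in the kernel.

```c
/* Added example (not from the thread or the kernel): user-space model of
 * hlist_add_head()/hlist_del() with a toy allocator and a KASAN-like shadow
 * table, showing why freeing a queued timer without unlinking it makes the
 * next enqueue on that bucket write into freed memory. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Stand-in for struct timer_list: only the list linkage matters here. */
struct timer { unsigned long expires; struct hlist_node entry; };

#define NBUCKETS  4                        /* assumption: tiny timer wheel */
#define POOL_SIZE 4                        /* assumption: tiny slab */
static struct hlist_head vectors[NBUCKETS];/* model of timer_base->vectors */
static struct timer pool[POOL_SIZE];       /* toy slab backing the timers */
static int freed[POOL_SIZE];               /* toy shadow: 1 = object is freed */
static int invalid_accesses;               /* count of "KASAN reports" */

/* Shadow check run before every pointer write the list code performs:
 * a write into a freed slot is what KASAN would report as invalid-access. */
static void check_write(const void *p)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        const char *lo = (const char *)&pool[i], *hi = lo + sizeof pool[i];
        if ((const char *)p >= lo && (const char *)p < hi && freed[i])
            invalid_accesses++;
    }
}

/* Same shape as include/linux/list.h, minus WRITE_ONCE(). */
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    check_write(&n->next);
    n->next = first;
    if (first) {
        check_write(&first->pprev);  /* lands in freed memory if the old
                                      * first node was freed while queued */
        first->pprev = &n->next;
    }
    h->first = n;
    n->pprev = &h->first;
}

static void hlist_del(struct hlist_node *n)
{
    struct hlist_node *next = n->next, **pprev = n->pprev;
    check_write(pprev);
    *pprev = next;
    if (next) {
        check_write(&next->pprev);
        next->pprev = pprev;
    }
    n->next = NULL;
    n->pprev = NULL;
}

static struct timer *alloc_timer(int slot, unsigned long expires)
{
    freed[slot] = 0;
    memset(&pool[slot], 0, sizeof pool[slot]);
    pool[slot].expires = expires;
    return &pool[slot];
}

static void free_timer(struct timer *t) { freed[t - pool] = 1; }

/* Toy bucket selection standing in for calc_wheel_index(). */
static void enqueue_timer(struct timer *t)
{
    hlist_add_head(&t->entry, &vectors[t->expires % NBUCKETS]);
}

static void reset(void)
{
    memset(vectors, 0, sizeof vectors);
    memset(freed, 0, sizeof freed);
    invalid_accesses = 0;
}

/* Buggy teardown: the timer is freed while still linked in vectors[0], so
 * the next enqueue on bucket 0 writes first->pprev into freed memory.
 * Returns how many writes the shadow check flagged. */
int scenario_free_while_queued(void)
{
    reset();
    struct timer *a = alloc_timer(0, 4);   /* 4 % 4 -> bucket 0 */
    enqueue_timer(a);
    free_timer(a);                         /* bug: never unlinked */
    struct timer *b = alloc_timer(1, 8);   /* 8 % 4 -> bucket 0 */
    enqueue_timer(b);
    return invalid_accesses;
}

/* Correct teardown: unlink first (what del_timer() does under the base
 * lock), then free. Returns how many writes the shadow check flagged. */
int scenario_del_then_free(void)
{
    reset();
    struct timer *a = alloc_timer(0, 4);
    enqueue_timer(a);
    hlist_del(&a->entry);
    free_timer(a);
    struct timer *b = alloc_timer(1, 8);
    enqueue_timer(b);
    return invalid_accesses;
}

int main(void)
{
    printf("free while queued: %d invalid write(s)\n", scenario_free_while_queued());
    printf("del then free:     %d invalid write(s)\n", scenario_del_then_free());
    return 0;
}
```

The point the model makes is the one Jason's reading of the trace leads to: the faulting write is not into the timer_list the caller owns but into whichever node the bucket head already points at, so the owner of the stale node, not the code on the stack, is where to look. In a real kernel the equivalent check is to ensure every timer is del_timer_sync()'d before its containing object is freed, and CONFIG_DEBUG_LIST-style link validation or KASAN is what turns the silent corruption into a report.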