Re: [syzbot] [net?] general protection fault in tls_merge_open_record

[Jann Horn]

On Mon, Oct 30, 2023 at 6:52 AM syzbot
<syzbot+40d43509a099ea756317@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    66f1e1ea3548 Add linux-next specific files for 20231027
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b621fd680000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2911330219149de4
> dashboard link: https://syzkaller.appspot.com/bug?extid=40d43509a099ea756317
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1552332d680000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/e0bf12f215f2/disk-66f1e1ea.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/5e854ca6e2c3/vmlinux-66f1e1ea.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/25e8c098714e/bzImage-66f1e1ea.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+40d43509a099ea756317@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> CPU: 1 PID: 12569 Comm: syz-executor.0 Not tainted 6.6.0-rc7-next-20231027-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
> RIP: 0010:_compound_head include/linux/page-flags.h:247 [inline]
> RIP: 0010:put_page include/linux/mm.h:1544 [inline]
> RIP: 0010:tls_merge_open_record+0x4b9/0x7f0 net/tls/tls_sw.c:669

I've posted an analysis and suggested fix for the issue at
<https://lore.kernel.org/lkml/20231122214447.675768-1-jannh@xxxxxxxxxx/>.