Re: [PATCH 2/2] skbuff: Extract list pointers to silence compiler warnings

On Wed, Mar 30, 2022 at 07:59:57AM -0700, Tadeusz Struk wrote:
> On 3/30/22 07:46, Greg KH wrote:
> > On Tue, Mar 29, 2022 at 03:02:56PM -0700, Tadeusz Struk wrote:
> > > Please apply this to stable 5.10.y, and 5.15.y
> > > ---8<---
> > > 
> > > From: Kees Cook <keescook@xxxxxxxxxxxx>
> > > 
> > > Upstream commit: 1a2fb220edca ("skbuff: Extract list pointers to silence compiler warnings")
> > > 
> > > Under both -Warray-bounds and the object_size sanitizer, the compiler is
> > > upset about accessing prev/next of sk_buff when the object it thinks it
> > > is coming from is sk_buff_head. The warning is a false positive due to
> > > the compiler taking a conservative approach, opting to warn at casting
> > > time rather than access time.
> > > 
> > > However, in support of enabling -Warray-bounds globally (which has
> > > found many real bugs), arrange things for sk_buff so that the compiler
> > > can unambiguously see that there is no intention to access anything
> > > except prev/next.  Introduce and cast to a separate struct sk_buff_list,
> > > which contains _only_ the first two fields, silencing the warnings:
> > We don't have -Warray-bounds enabled on any stable kernel tree, so why
> > is this needed?
> > 
> > Where is this showing up as a problem?
> 
> The issue shows up and hinders testing stable kernels in test automations
> like syzkaller:
> 
> https://syzkaller.appspot.com/text?tag=Error&x=12b3aac3700000
> 
> Applying it to stable would enable more test coverage.

Hi! I think a better solution may be to backport this change instead:

69d0db01e210 ("ubsan: remove CONFIG_UBSAN_OBJECT_SIZE")

i.e. remove CONFIG_UBSAN_OBJECT_SIZE entirely, which is the cause of
these syzkaller splats.

-Kees

-- 
Kees Cook
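
The layout change described in the quoted commit message, as an added example that is not part of the original thread and is not the kernel's code: a simplified userland model in which neighbours are updated through `struct sk_buff_list`, so the access never claims more than the smaller `sk_buff_head` provides. The function names, `qlen` and `data` are assumptions made for the illustration.

```c
#include <stddef.h>

/* Constructed userland model of the layout in the commit message. Only
 * next/prev and sk_buff_list come from the page; the rest is assumed. */
struct sk_buff;
struct sk_buff_list {           /* only the two list pointers */
    struct sk_buff *next, *prev;
};
struct sk_buff_head {           /* queue head, smaller than sk_buff */
    struct sk_buff_list list;   /* must be first */
    unsigned int qlen;
};
struct sk_buff {
    struct sk_buff_list list;   /* must be first, same layout as the head */
    unsigned char data[128];    /* stand-in for the remaining fields */
};
/* The casts below are sound only if the pointers sit at offset 0 in both. */
_Static_assert(offsetof(struct sk_buff_head, list) == 0, "head layout");
_Static_assert(offsetof(struct sk_buff, list) == 0, "skb layout");

void queue_init(struct sk_buff_head *q)
{
    /* Empty circular list: the head is its own neighbour. */
    q->list.next = q->list.prev = (struct sk_buff *)q;
    q->qlen = 0;
}

/* prev or next may really be the head, so they are written only through
 * sk_buff_list, which fits inside either object. */
void queue_insert(struct sk_buff *newsk, struct sk_buff *prev,
                  struct sk_buff *next, struct sk_buff_head *q)
{
    newsk->list.next = next;
    newsk->list.prev = prev;
    ((struct sk_buff_list *)next)->prev = newsk;
    ((struct sk_buff_list *)prev)->next = newsk;
    q->qlen++;
}
void queue_tail(struct sk_buff_head *q, struct sk_buff *newsk)
{
    queue_insert(newsk, q->list.prev, (struct sk_buff *)q, q);
}
/* Count buffers by walking until the head comes round again. */
unsigned int queue_walk(const struct sk_buff_head *q)
{
    unsigned int n = 0;
    const struct sk_buff *p = q->list.next;
    for (; p != (const struct sk_buff *)q; p = p->list.next)
        n++;
    return n;
}
```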


