Date:	Sat, 11 Jul 2015 06:59:47 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Alex Gartrell <alexgartrell@...il.com>
Cc:	netdev <netdev@...r.kernel.org>, kernel-team <kernel-team@...com>
Subject: Re: Panic with demuxed ipv4 multicast udp sockets on 4.0.4

On Fri, 2015-07-10 at 13:31 -0700, Alex Gartrell wrote:
> Hey everyone,
> 
> There's some kind of nasty condition in which sk_rx_dst points to an
> apparently garbage data structure and it's blowing up in the early
> demux code because dst->ops is NULL.  The packet in question was for
> BitTorrent local peer discovery
> https://en.wikipedia.org/wiki/Local_Peer_Discovery .  We're seeing
> this on about a 1/200 chance of panic per day.
> 
> crash> bt
> PID: 1899532  TASK: ffff88000826cf00  CPU: 9   COMMAND: "hhvm.node.1"
>  #0 [ffff88047fc23990] machine_kexec at ffffffff8103bf05
>  #1 [ffff88047fc239e0] crash_kexec at ffffffff810cb4e8
>  #2 [ffff88047fc23ab0] oops_end at ffffffff81006468
>  #3 [ffff88047fc23ae0] no_context at ffffffff8167aac1
>  #4 [ffff88047fc23b40] __bad_area_nosemaphore at ffffffff8167acb9
>  #5 [ffff88047fc23b90] bad_area_nosemaphore at ffffffff8167aceb
>  #6 [ffff88047fc23ba0] __do_page_fault at ffffffff81044ac5
>  #7 [ffff88047fc23c10] do_page_fault at ffffffff81044eec
>  #8 [ffff88047fc23c20] page_fault at ffffffff81686c02
>     [exception RIP: udp_v4_early_demux+481]
>     RIP: ffffffff816249a1  RSP: ffff88047fc23cd8  RFLAGS: 00010246
>     RAX: ffff880248ee4500  RBX: 000000000000093a  RCX: 0000000000000002
>     RDX: 0000000000000000  RSI: 0000000000000000  RDI: ffff880248ee4500
>     RBP: ffff88047fc23d48   R8: 0000000000000000   R9: 0000000000000000
>     R10: 0000000000000001  R11: ffffc9000199f3a0  R12: ffff88006f8a6300
>     R13: ffffffff81cbb1c0  R14: 0000000000000001  R15: ffff880474798f00
>     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
>  #9 [ffff88047fc23cd0] udp_v4_early_demux at ffffffff81624bb3
> #10 [ffff88047fc23d50] ip_rcv_finish at ffffffff815f3055
> #11 [ffff88047fc23d80] ip_rcv at ffffffff815f3952
> #12 [ffff88047fc23dc0] __netif_receive_skb_core at ffffffff815b96d4
> #13 [ffff88047fc23e30] __netif_receive_skb at ffffffff815b9911
> #14 [ffff88047fc23e50] process_backlog at ffffffff815b99f0
> #15 [ffff88047fc23ea0] net_rx_action at ffffffff815ba1e8
> #16 [ffff88047fc23f30] __do_softirq at ffffffff81054ce6
> #17 [ffff88047fc23f90] irq_exit at ffffffff81055075
> #18 [ffff88047fc23fa0] smp_call_function_single_interrupt at ffffffff810319f5
> #19 [ffff88047fc23fb0] call_function_single_interrupt at ffffffff8168637a
> --- <IRQ stack> ---
> #20 [ffff8800792dff58] call_function_single_interrupt at ffffffff8168637a
>     RIP: 00000000006e7b4c  RSP: 00007f4c8ba38b80  RFLAGS: 00000216
>     RAX: 000000000000006b  RBX: ffffffff816851f2  RCX: 00007f49f4de84d6
>     RDX: 00007f49f4de84d8  RSI: 00007f48dbcce731  RDI: 0000000000000000
>     RBP: 00007f4c8ba38bd0   R8: 000000000000006b   R9: 00000000ffffffff
>     R10: 00007f48dbcce737  R11: 00007f49f4de84e0  R12: 00007f4adab85198
>     R13: 0000000000000014  R14: 00007f4adaaa4c00  R15: 0000000000000000
>     ORIG_RAX: ffffffffffffff04  CS: 0033  SS: 002b
> crash> print *(struct *dst_entry)0xffff880248ee4500
> A syntax error in expression, near `*dst_entry)0xffff880248ee4500'.
> gdb: gdb request failed: print *(struct *dst_entry)0xffff880248ee4500
> crash> print *(struct dst_entry*)0xffff880248ee4500
> $1 = {
>   callback_head = {
>     next = 0xffff880248ee4d00,
>     func = 0x0
>   },
>   child = 0x13eacdfb7df67f6b,
>   dev = 0xffff880113975d00,
>   ops = 0x0,
>   _metrics = 13729079323838086211,
>   expires = 103079215104,
>   path = 0x24c8d3baa,
>   from = 0x0,
>   xfrm = 0x600000000,
>   input = 0x0,
>   output = 0x0,
>   flags = 5536,
>   pending_confirm = 33114,
>   error = -1,
>   obsolete = -1,
>   header_len = 0,
>   trailer_len = 0,
>   tclassid = 0,
>   __pad_to_align_refcnt = {0, 704374636708},
>   __refcnt = {
>     counter = 14
>   },
>   __use = 2097153,
>   lastuse = 536576,
>   {
>     next = 0x0,
>     rt_next = 0x0,
>     rt6_next = 0x0,
>     dn_next = 0x0
>   }
> }

Seems similar to what commit d0c294c53a771 fixed.

Have you tried the following patch?

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 83aa604f9273..35c0a4ac540c 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1995,7 +1995,7 @@ void udp_v4_early_demux(struct sk_buff *skb)
 
 	skb->sk = sk;
 	skb->destructor = sock_efree;
-	dst = sk->sk_rx_dst;
+	dst = READ_ONCE(sk->sk_rx_dst);
 
 	if (dst)
 		dst = dst_check(dst, 0);
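
Review bot: READ_ONCE() on sk->sk_rx_dst makes the load a single access, but the two lines after it still hand that pointer to dst_check(dst, 0) with no reference taken anywhere in this hunk, so an entry that a writer has already replaced and released could still be dereferenced there. The changelog should say which store to sk_rx_dst this load pairs with and what keeps the old entry valid until dst_check() returns; if nothing does, taking a reference before the check and dropping it on failure would be the safer change. A short comment at the READ_ONCE() naming the race it guards against would also help the next reader.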

