Date:   Mon, 13 Nov 2017 21:25:26 +0000
From:   Jon Maloy <jon.maloy@...csson.com>
To:     Tommi Rantala <tommi.t.rantala@...ia.com>,
        Ying Xue <ying.xue@...driver.com>,
        "David S. Miller" <davem@...emloft.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "tipc-discussion@...ts.sourceforge.net" 
        <tipc-discussion@...ts.sourceforge.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: tipc_udp_send_msg oops in 4.4 when setting link tolerance

Hi Tommi,
I am not sure, but it seems like the following patch is what you need:
commit 9b3009604b8e ("tipc: add net device to skb before UDP xmit")
This was applied in tipc 4.5.

Is this a stopping problem for you?

BR
///jon

> -----Original Message-----
> From: netdev-owner@...r.kernel.org [mailto:netdev-
> owner@...r.kernel.org] On Behalf Of Tommi Rantala
> Sent: Monday, November 13, 2017 11:23
> To: Jon Maloy <jon.maloy@...csson.com>; Ying Xue
> <ying.xue@...driver.com>; David S. Miller <davem@...emloft.net>;
> netdev@...r.kernel.org; tipc-discussion@...ts.sourceforge.net; linux-
> kernel@...r.kernel.org
> Subject: tipc_udp_send_msg oops in 4.4 when setting link tolerance
> 
> Hi,
> 
> I always get an instant TIPC oops in 4.4, when I try to set the link tolerance
> (with LINKNAME != "broadcast-link"):
> 
>   $ tipc link set tolerance 1000 link $LINKNAME
> 
> Any idea what's going on? Some tipc patch missing in 4.4?
> 
> In 4.9 the "tipc" command executes just fine, but I've seen a few times that
> later some random process crashes with "BUG: Bad page state". KASAN does
> not report anything before it happens.
> 
> 4.14 is OK, could not reproduce these problems with it.
> 
> 
> 
> 
> tipc_udp_send_msg+0x102/0x4f0
> 
> matches to:
> tipc_udp_send_msg at linux-stable/net/tipc/udp_media.c:172
> 
> static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
>                               struct tipc_bearer *b,
>                               struct tipc_media_addr *dest) {
>          int ttl, err = 0;
>          struct udp_bearer *ub;
>          struct udp_media_addr *dst = (struct udp_media_addr *)&dest->value;
>          struct udp_media_addr *src = (struct udp_media_addr *)&b->addr.value;
>          struct rtable *rt;
> 
>          if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
>                  err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
>                  if (err)
>                          goto tx_error;
>          }
> 
>          skb_set_inner_protocol(skb, htons(ETH_P_TIPC));
>          ub = rcu_dereference_rtnl(b->media_ptr);
>          if (!ub) {
>                  err = -ENODEV;
>                  goto tx_error;
>          }
>          if (dst->proto == htons(ETH_P_IP)) {   <------ HERE
> 
> 
> 
> [  111.423647]
> ==================================================================
> [  111.424826] BUG: KASAN: null-ptr-deref on address           (null)
> [  111.425538] Read of size 2 by task tipc/2643
> [  111.426215] CPU: 3 PID: 2643 Comm: tipc Not tainted 4.4.97-pc64 #1
> [  111.428081]  0000000000000000 ffff880026327478 ffffffff8248005e 0000000000000002
> [  111.429476]  ffff880047ad5ac0 ffff8800263274f8 ffffffff8227f5af 0000000265711040
> [  111.430728]  0000000000000000 0000000000000297 ffffffffa0387fd2 02090220ffffffff
> [  111.432051] Call Trace:
> [  111.432472]  [<ffffffff8248005e>] dump_stack+0x86/0xc8
> [  111.433208]  [<ffffffff8227f5af>] kasan_report.part.2+0x41f/0x520
> [  111.434040]  [<ffffffffa0387fd2>] ? tipc_udp_send_msg+0x102/0x4f0 [tipc]
> [  111.434908]  [<ffffffff8227f965>] kasan_report+0x25/0x30
> [  111.435647]  [<ffffffff8227e3a6>] __asan_load2+0x66/0x70
> [  111.436391]  [<ffffffffa0387fd2>] tipc_udp_send_msg+0x102/0x4f0 [tipc]
> [  111.437334]  [<ffffffff8227eb1e>] ? kasan_kmalloc+0x5e/0x70
> [  111.438301]  [<ffffffff8227edfd>] ? kasan_slab_alloc+0xd/0x10
> [  111.439328]  [<ffffffff8227e04c>] ? __kmalloc_node_track_caller+0xac/0x230
> [  111.440493]  [<ffffffff8227eb1e>] ? kasan_kmalloc+0x5e/0x70
> [  111.441479]  [<ffffffffa0387ed0>] ? tipc_udp_disable+0xe0/0xe0 [tipc]
> [  111.442628]  [<ffffffff8227eb1e>] ? kasan_kmalloc+0x5e/0x70
> [  111.443598]  [<ffffffff8227ef52>] ? kasan_krealloc+0x62/0x80
> [  111.444610]  [<ffffffff8227ebf8>] ? memset+0x28/0x30
> [  111.445539]  [<ffffffff8275fab3>] ? __alloc_skb+0x2b3/0x310
> [  111.446560]  [<ffffffff8275f800>] ? skb_complete_tx_timestamp+0x110/0x110
> [  111.447695]  [<ffffffff82147a16>] ? __module_text_address+0x16/0xa0
> [  111.448735]  [<ffffffff8275e3fb>] ? skb_put+0x8b/0xd0
> [  111.449608]  [<ffffffff8227ec76>] ? memcpy+0x36/0x40
> [  111.450524]  [<ffffffffa03665e8>] ? tipc_link_build_proto_msg+0x398/0x4c0 [tipc]
> [  111.451946]  [<ffffffffa0364920>] tipc_bearer_xmit_skb+0xa0/0xb0 [tipc]
> [  111.453078]  [<ffffffffa036a60b>] tipc_link_proto_xmit+0x11b/0x160 [tipc]
> [  111.454218]  [<ffffffffa036a4f0>] ? tipc_link_build_reset_msg+0x50/0x50 [tipc]
> [  111.455542]  [<ffffffffa036c5be>] tipc_nl_link_set+0x1ee/0x3b0 [tipc]
> [  111.456659]  [<ffffffffa036c3d0>] ? tipc_nl_parse_link_prop+0xd0/0xd0 [tipc]
> [  111.457831]  [<ffffffff82190a29>] ? is_ftrace_trampoline+0x59/0x90
> [  111.458884]  [<ffffffff820b15a5>] ? __kernel_text_address+0x65/0x80
> [  111.459931]  [<ffffffff824ba386>] ? nla_parse+0xb6/0x140
> [  111.460892]  [<ffffffff827d20ee>] genl_family_rcv_msg+0x37e/0x5e0
> [  111.461948]  [<ffffffffa0380005>] ? set_orig_addr.isra.53+0xe5/0x120 [tipc]
> [  111.463107]  [<ffffffff827d1d70>] ? genl_rcv+0x40/0x40
> [  111.463987]  [<ffffffff82278864>] ? alloc_debug_processing+0x154/0x180
> [  111.465048]  [<ffffffff8227a39d>] ? ___slab_alloc+0x43d/0x460
> [  111.465986]  [<ffffffff82278864>] ? alloc_debug_processing+0x154/0x180
> [  111.467045]  [<ffffffff827cde5c>] ? netlink_lookup+0x19c/0x220
> [  111.468067]  [<ffffffff827d2428>] genl_rcv_msg+0xd8/0x110
> [  111.468994]  [<ffffffff827d143b>] netlink_rcv_skb+0x14b/0x180
> [  111.469939]  [<ffffffff827d2350>] ? genl_family_rcv_msg+0x5e0/0x5e0
> [  111.470954]  [<ffffffff827d1d58>] genl_rcv+0x28/0x40
> [  111.471798]  [<ffffffff827d0a27>] netlink_unicast+0x2e7/0x3a0
> [  111.472806]  [<ffffffff827d0740>] ? netlink_attachskb+0x330/0x330
> [  111.473845]  [<ffffffff8249b731>] ? copy_from_iter+0xf1/0x3b0
> [  111.474847]  [<ffffffff827d0f8d>] netlink_sendmsg+0x4ad/0x620
> [  111.475788]  [<ffffffff827d0ae0>] ? netlink_unicast+0x3a0/0x3a0
> [  111.476793]  [<ffffffff822c0683>] ? __fdget+0x13/0x20
> [  111.477723]  [<ffffffff82751575>] ? sockfd_lookup_light+0x95/0xb0
> [  111.478773]  [<ffffffff827538fc>] SYSC_sendto+0x1bc/0x290
> [  111.479659]  [<ffffffff82753740>] ? sock_write_iter+0x200/0x200
> [  111.480692]  [<ffffffff822c0683>] ? __fdget+0x13/0x20
> [  111.481559]  [<ffffffff82751575>] ? sockfd_lookup_light+0x95/0xb0
> [  111.482591]  [<ffffffff827caf71>] ? netlink_getname+0xb1/0x110
> [  111.483570]  [<ffffffff82750b0c>] ? move_addr_to_user+0x5c/0x70
> [  111.484539]  [<ffffffff82751706>] ? SYSC_getsockname+0x176/0x190
> [  111.485540]  [<ffffffff82751590>] ? sockfd_lookup_light+0xb0/0xb0
> [  111.486558]  [<ffffffff82753225>] ? SYSC_bind+0xe5/0x180
> [  111.487548]  [<ffffffff82753140>] ? __sock_recv_ts_and_drops+0x260/0x260
> [  111.488700]  [<ffffffff822c132b>] ? fd_install+0x3b/0x50
> [  111.489596]  [<ffffffff827514b4>] ? sock_map_fd+0x44/0x70
> [  111.490553]  [<ffffffff82753f4c>] ? SyS_socket+0xcc/0x120
> [  111.491437]  [<ffffffff82753e80>] ? move_addr_to_kernel+0x40/0x40
> [  111.492505]  [<ffffffff820022b6>] ? exit_to_usermode_loop+0x86/0x120
> [  111.493557]  [<ffffffff82002017>] ? trace_hardirqs_on_thunk+0x17/0x19
> [  111.494629]  [<ffffffff827544ce>] SyS_sendto+0xe/0x10
> [  111.495588]  [<ffffffff829299ae>] entry_SYSCALL_64_fastpath+0x12/0x6d
> [  111.496697]
> ==================================================================
> [  111.498005] Disabling lock debugging due to kernel taint
> [  111.499059] BUG: unable to handle kernel NULL pointer dereference at           (null)
> [  111.500698] IP: [<ffffffffa0387fd2>] tipc_udp_send_msg+0x102/0x4f0 [tipc]
> [  111.502027] PGD 4b01c067 PUD 1f0a5067 PMD 0
> [  111.503053] Oops: 0000 [#1] SMP KASAN
> [  111.503980] Modules linked in: ip6table_mangle ip6_tables iptable_mangle iptable_filter ip_tables x_tables tipc ip6_udp_tunnel udp_tunnel fuse isofs aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd ata_piix i6300esb sch_fq_codel nf_conntrack_proto_sctp nf_conntrack autofs4
> [  111.509927] CPU: 3 PID: 2643 Comm: tipc Tainted: G    B           4.4.97-pc64 #1
> [  111.511249] Hardware name: Fedora Project OpenStack Nova, BIOS seabios-1.7.5-11.el7.tis.1 04/01/2014
> [  111.512935] task: ffff880047ad5ac0 ti: ffff880026320000 task.ti: ffff880026320000
> [  111.514283] RIP: 0010:[<ffffffffa0387fd2>]  [<ffffffffa0387fd2>] tipc_udp_send_msg+0x102/0x4f0 [tipc]
> [  111.515960] RSP: 0018:ffff880026327528  EFLAGS: 00010292
> [  111.516832] RAX: ffff880047ad5ac0 RBX: ffff880065711040 RCX: 0000000000000000
> [  111.517992] RDX: 1ffffffff06b9196 RSI: 0000000000000297 RDI: 0000000000000297
> [  111.519117] RBP: ffff8800263276f0 R08: 0000000000000000 R09: fffffbfff069f014
> [  111.520228] R10: dffffc0000000001 R11: ffff88006bc02a00 R12: 1ffff10004c64eb1
> [  111.521361] R13: ffff88005ad07750 R14: 0000000000000000 R15: ffff88005154d9e0
> [  111.522538] FS:  00007f467f3ac700(0000) GS:ffff88006c380000(0000) knlGS:0000000000000000
> [  111.523960] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  111.524947] CR2: 0000000000000000 CR3: 000000001f076000 CR4: 00000000001406e0
> [  111.526084] Stack:
> [  111.526551]  1ffff1000a2c11d8 ffff880026327550 ffffffff8227eb1e ffff880051608cc0
> [  111.528272]  ffff88006bc02a00 ffff880026327560 ffffffff8227edfd ffff8800263275b0
> [  111.529886]  ffffffff8227e04c ffff880026327590 ffffffff8227eb1e ffffffff832dfec0
> [  111.531535] Call Trace:
> [  111.532106]  [<ffffffff8227eb1e>] ? kasan_kmalloc+0x5e/0x70
> [  111.533075]  [<ffffffff8227edfd>] ? kasan_slab_alloc+0xd/0x10
> [  111.534041]  [<ffffffff8227e04c>] ? __kmalloc_node_track_caller+0xac/0x230
> [  111.535102]  [<ffffffff8227eb1e>] ? kasan_kmalloc+0x5e/0x70
> [  111.536047]  [<ffffffffa0387ed0>] ? tipc_udp_disable+0xe0/0xe0 [tipc]
> [  111.537186]  [<ffffffff8227eb1e>] ? kasan_kmalloc+0x5e/0x70
> [  111.538139]  [<ffffffff8227ef52>] ? kasan_krealloc+0x62/0x80
> [  111.539106]  [<ffffffff8227ebf8>] ? memset+0x28/0x30
> [  111.539946]  [<ffffffff8275fab3>] ? __alloc_skb+0x2b3/0x310
> [  111.540876]  [<ffffffff8275f800>] ? skb_complete_tx_timestamp+0x110/0x110
> [  111.541954]  [<ffffffff82147a16>] ? __module_text_address+0x16/0xa0
> [  111.542978]  [<ffffffff8275e3fb>] ? skb_put+0x8b/0xd0
> [  111.543914]  [<ffffffff8227ec76>] ? memcpy+0x36/0x40
> [  111.544817]  [<ffffffffa03665e8>] ? tipc_link_build_proto_msg+0x398/0x4c0 [tipc]
> [  111.546199]  [<ffffffffa0364920>] tipc_bearer_xmit_skb+0xa0/0xb0 [tipc]
> [  111.547355]  [<ffffffffa036a60b>] tipc_link_proto_xmit+0x11b/0x160 [tipc]
> [  111.548482]  [<ffffffffa036a4f0>] ? tipc_link_build_reset_msg+0x50/0x50 [tipc]
> [  111.549763]  [<ffffffffa036c5be>] tipc_nl_link_set+0x1ee/0x3b0 [tipc]
> [  111.550822]  [<ffffffffa036c3d0>] ? tipc_nl_parse_link_prop+0xd0/0xd0 [tipc]
> [  111.551921]  [<ffffffff82190a29>] ? is_ftrace_trampoline+0x59/0x90
> [  111.552961]  [<ffffffff820b15a5>] ? __kernel_text_address+0x65/0x80
> [  111.554010]  [<ffffffff824ba386>] ? nla_parse+0xb6/0x140
> [  111.554906]  [<ffffffff827d20ee>] genl_family_rcv_msg+0x37e/0x5e0
> [  111.555954]  [<ffffffffa0380005>] ? set_orig_addr.isra.53+0xe5/0x120 [tipc]
> [  111.557104]  [<ffffffff827d1d70>] ? genl_rcv+0x40/0x40
> [  111.557949]  [<ffffffff82278864>] ? alloc_debug_processing+0x154/0x180
> [  111.559030]  [<ffffffff8227a39d>] ? ___slab_alloc+0x43d/0x460
> [  111.559983]  [<ffffffff82278864>] ? alloc_debug_processing+0x154/0x180
> [  111.561058]  [<ffffffff827cde5c>] ? netlink_lookup+0x19c/0x220
> [  111.562038]  [<ffffffff827d2428>] genl_rcv_msg+0xd8/0x110
> [  111.562966]  [<ffffffff827d143b>] netlink_rcv_skb+0x14b/0x180
> [  111.563930]  [<ffffffff827d2350>] ? genl_family_rcv_msg+0x5e0/0x5e0
> [  111.564949]  [<ffffffff827d1d58>] genl_rcv+0x28/0x40
> [  111.565818]  [<ffffffff827d0a27>] netlink_unicast+0x2e7/0x3a0
> [  111.566759]  [<ffffffff827d0740>] ? netlink_attachskb+0x330/0x330
> [  111.567765]  [<ffffffff8249b731>] ? copy_from_iter+0xf1/0x3b0
> [  111.568707]  [<ffffffff827d0f8d>] netlink_sendmsg+0x4ad/0x620
> [  111.569706]  [<ffffffff827d0ae0>] ? netlink_unicast+0x3a0/0x3a0
> [  111.570658]  [<ffffffff822c0683>] ? __fdget+0x13/0x20
> [  111.571548]  [<ffffffff82751575>] ? sockfd_lookup_light+0x95/0xb0
> [  111.572541]  [<ffffffff827538fc>] SYSC_sendto+0x1bc/0x290
> [  111.573459]  [<ffffffff82753740>] ? sock_write_iter+0x200/0x200
> [  111.574435]  [<ffffffff822c0683>] ? __fdget+0x13/0x20
> [  111.575330]  [<ffffffff82751575>] ? sockfd_lookup_light+0x95/0xb0
> [  111.576354]  [<ffffffff827caf71>] ? netlink_getname+0xb1/0x110
> [  111.577371]  [<ffffffff82750b0c>] ? move_addr_to_user+0x5c/0x70
> [  111.578385]  [<ffffffff82751706>] ? SYSC_getsockname+0x176/0x190
> [  111.579407]  [<ffffffff82751590>] ? sockfd_lookup_light+0xb0/0xb0
> [  111.580431]  [<ffffffff82753225>] ? SYSC_bind+0xe5/0x180
> [  111.581369]  [<ffffffff82753140>] ? __sock_recv_ts_and_drops+0x260/0x260
> [  111.582518]  [<ffffffff822c132b>] ? fd_install+0x3b/0x50
> [  111.583450]  [<ffffffff827514b4>] ? sock_map_fd+0x44/0x70
> [  111.584417]  [<ffffffff82753f4c>] ? SyS_socket+0xcc/0x120
> [  111.585353]  [<ffffffff82753e80>] ? move_addr_to_kernel+0x40/0x40
> [  111.586405]  [<ffffffff820022b6>] ? exit_to_usermode_loop+0x86/0x120
> [  111.587434]  [<ffffffff82002017>] ? trace_hardirqs_on_thunk+0x17/0x19
> [  111.588511]  [<ffffffff827544ce>] SyS_sendto+0xe/0x10
> [  111.589378]  [<ffffffff829299ae>] entry_SYSCALL_64_fastpath+0x12/0x6d
> [  111.590420] Code: 00 00 e8 e2 64 ef e1 4c 89 ef 80 a3 93 00 00 00 f7 e8 43 65 ef e1 4d 8b 7d 00 4d 85 ff 0f 84 db 03 00 00 4c 89 f7 e8 6e 63 ef e1 <66> 41 83 3e 08 0f 84 80 01 00 00 48 8d bc 24 20 01 00 00 31 c0
> [  111.598579] RIP  [<ffffffffa0387fd2>] tipc_udp_send_msg+0x102/0x4f0 [tipc]
> [  111.599831]  RSP <ffff880026327528>
> [  111.600538] CR2: 0000000000000000
> [  111.601202] ---[ end trace 827dd66f798de44a ]---
> [  111.602025] Kernel panic - not syncing: Fatal exception in interrupt
> [  111.614704] Kernel Offset: disabled
> [  111.615249] Rebooting in 60 seconds..
> 
> 
> 
> 
> 
> [   31.985039] BUG: Bad page state in process ___ pfn:400c0
> [   31.985680] page:ffffea0001003000 count:0 mapcount:0 mapping:000000000000003c index:0x0
> [   31.986619] flags: 0x10000(mappedtodisk)
> [   31.987081] page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
> [   31.987701] bad because of flags: 0x10000(mappedtodisk)
> [   31.988268] Modules linked in: iptable_filter ip_tables x_tables tipc ...
> [   31.991804] CPU: 3 PID: 2716 Not tainted 4.9.52 #1
> [   31.993608]  ffffc90003023b28 ffffffff822ee180 ffffea0001003000 ffffffff827b76c8
> [   31.994792]  ffffc90003023b50 ffffffff8215c5e4 0000000000010000 ffffea0001000000
> [   31.995986]  0000000000000009 ffffc90003023b60 ffffffff8215c71f ffffc90003023c28
> [   31.997380] Call Trace:
> [   31.997780]  [<ffffffff822ee180>] dump_stack+0x86/0xc6
> [   31.998460]  [<ffffffff8215c5e4>] bad_page+0xc4/0x130
> [   31.999160]  [<ffffffff8215c71f>] check_new_page_bad+0x5f/0x70
> [   31.999968]  [<ffffffff8215fe5a>] get_page_from_freelist+0x7ca/0xb20
> [   32.000782]  [<ffffffff8216123c>] __alloc_pages_nodemask+0xdc/0x220
> [   32.001621]  [<ffffffff821a4c18>] alloc_fresh_huge_page+0x68/0xc0
> [   32.002407]  [<ffffffff821a590f>] set_max_huge_pages+0x4df/0x530
> [   32.003176]  [<ffffffff8230698c>] ? _kstrtoull+0x2c/0x70
> [   32.003841]  [<ffffffff821a59ec>] nr_hugepages_store_common+0x8c/0xf0
> [   32.004619]  [<ffffffff821c2626>] ? mem_cgroup_commit_charge+0x66/0x430
> [   32.005384]  [<ffffffff821a5a83>] nr_hugepages_store+0x13/0x20
> [   32.006176]  [<ffffffff822f02bf>] kobj_attr_store+0xf/0x20
> [   32.006838]  [<ffffffff82237877>] sysfs_kf_write+0x37/0x40
> [   32.007534]  [<ffffffff82236bcc>] kernfs_fop_write+0x11c/0x1b0
> [   32.008258]  [<ffffffff821c7068>] __vfs_write+0x28/0x120
> [   32.008931]  [<ffffffff820fb23d>] ? __audit_syscall_entry+0xad/0xf0
> [   32.009681]  [<ffffffff821c7735>] vfs_write+0xb5/0x1a0
> [   32.010308]  [<ffffffff821c8a96>] SyS_write+0x46/0xa0
> [   32.010917]  [<ffffffff8204b8fa>] ? trace_do_page_fault+0x5a/0x140
> [   32.011741]  [<ffffffff82002bfe>] do_syscall_64+0x7e/0x1a0
> [   32.012476]  [<ffffffff825dc0c4>] entry_SYSCALL64_slow_path+0x25/0x25
> [   32.013244] Disabling lock debugging due to kernel taint
> [   34.055994] ip6_tables: (C) 2000-2006 Netfilter Core Team
> 
> 
> -Tommi
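The traces above are easier to read once the frames printed with a `?` (addresses that merely happened to be on the stack, not the actual call chain) are separated from the reliable ones. The script below is an added example, not code from this thread or from the kernel tree: it parses a trimmed, constructed copy of the KASAN report and recovers the real call path, from the netlink link-property request down to the UDP bearer transmit, together with the faulting access, a 2-byte read at (null), which is consistent with reading `dst->proto` through a NULL `dest` on the line Tommi marked. The frame regex and the list of sanitizer frames it skips are my own choices, not kernel definitions.

```python
"""Triage helper for a KASAN report / x86-64 oops of the kind quoted above.

Added example (not code from the thread or the kernel tree). It parses
dmesg-style lines, extracts the BUG line, the faulting access, the task and
the call trace, and separates reliable frames from the '?'-marked ones,
which is how the real call path is read out of a noisy trace.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: a trimmed copy of the KASAN report in the thread.
SAMPLE = """\
[  111.424826] BUG: KASAN: null-ptr-deref on address           (null)
[  111.425538] Read of size 2 by task tipc/2643
[  111.426215] CPU: 3 PID: 2643 Comm: tipc Not tainted 4.4.97-pc64 #1
[  111.432051] Call Trace:
[  111.432472]  [<ffffffff8248005e>] dump_stack+0x86/0xc8
[  111.433208]  [<ffffffff8227f5af>] kasan_report.part.2+0x41f/0x520
[  111.434040]  [<ffffffffa0387fd2>] ? tipc_udp_send_msg+0x102/0x4f0 [tipc]
[  111.434908]  [<ffffffff8227f965>] kasan_report+0x25/0x30
[  111.435647]  [<ffffffff8227e3a6>] __asan_load2+0x66/0x70
[  111.436391]  [<ffffffffa0387fd2>] tipc_udp_send_msg+0x102/0x4f0 [tipc]
[  111.437334]  [<ffffffff8227eb1e>] ? kasan_kmalloc+0x5e/0x70
[  111.451946]  [<ffffffffa0364920>] tipc_bearer_xmit_skb+0xa0/0xb0 [tipc]
[  111.453078]  [<ffffffffa036a60b>] tipc_link_proto_xmit+0x11b/0x160 [tipc]
[  111.454218]  [<ffffffffa036a4f0>] ? tipc_link_build_reset_msg+0x50/0x50 [tipc]
[  111.455542]  [<ffffffffa036c5be>] tipc_nl_link_set+0x1ee/0x3b0 [tipc]
[  111.460892]  [<ffffffff827d20ee>] genl_family_rcv_msg+0x37e/0x5e0
[  111.468994]  [<ffffffff827d143b>] netlink_rcv_skb+0x14b/0x180
[  111.495588]  [<ffffffff829299ae>] entry_SYSCALL_64_fastpath+0x12/0x6d
"""

# One call-trace frame: "[<addr>] [? ]symbol+0xoff/0xsize [module]".
FRAME_RE = re.compile(
    r"^\[\s*\d+\.\d+\]\s+\[<(?P<addr>[0-9a-f]+)>\]\s+(?P<unreliable>\?\s+)?"
    r"(?P<sym>[^\s+]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
    r"(?:\s+\[(?P<mod>[^\]]+)\])?\s*$"
)
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) on address\s+(?P<addr>\S+)")
ACCESS_RE = re.compile(
    r"(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<comm>\S+)/(?P<pid>\d+)"
)
CPU_RE = re.compile(r"CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")

# Frames the sanitizer and report printer push above the real fault site (my choice).
INSTRUMENTATION = ("dump_stack", "kasan_report", "__asan_")


@dataclass
class Frame:
    addr: int
    symbol: str
    offset: int
    size: int
    module: Optional[str]
    reliable: bool  # False for '?' frames


@dataclass
class Report:
    bug_kind: Optional[str] = None
    address: Optional[int] = None
    access: Optional[Tuple[str, int]] = None  # ("Read"|"Write", bytes)
    pid: Optional[int] = None
    comm: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Parse dmesg-style lines into a Report; lines it does not know are ignored."""
    rep = Report()
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            rep.frames.append(Frame(int(fm["addr"], 16), fm["sym"], int(fm["off"], 16),
                                    int(fm["size"], 16), fm["mod"], fm["unreliable"] is None))
            continue
        bm = BUG_RE.search(line)
        if bm:
            rep.bug_kind = bm["kind"]
            rep.address = 0 if bm["addr"] == "(null)" else int(bm["addr"], 16)
            continue
        am = ACCESS_RE.search(line)
        if am:
            rep.access = (am["rw"], int(am["size"]))
            rep.comm, rep.pid = am["comm"], int(am["pid"])
            continue
        cm = CPU_RE.search(line)
        if cm:
            rep.pid, rep.comm = int(cm["pid"]), cm["comm"]
    return rep


def reliable_path(rep: Report) -> List[str]:
    """Reliable frames, innermost first, with the sanitizer frames dropped."""
    return [f.symbol for f in rep.frames
            if f.reliable and not f.symbol.startswith(INSTRUMENTATION)]


def faulting_function(rep: Report) -> Optional[str]:
    """Innermost reliable non-instrumentation frame: where the bad access happened."""
    path = reliable_path(rep)
    return path[0] if path else None


def summarize(rep: Report) -> str:
    rw, size = rep.access if rep.access else ("?", 0)
    return (f"{rep.bug_kind}: {rw} of {size} byte(s) at {rep.address:#x} "
            f"by {rep.comm}/{rep.pid}; path: {' <- '.join(reliable_path(rep))}")


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE)))
```

Run on the constructed sample, `reliable_path` yields tipc_udp_send_msg, tipc_bearer_xmit_skb, tipc_link_proto_xmit, tipc_nl_link_set, genl_family_rcv_msg, netlink_rcv_skb and the syscall entry, i.e. the `tipc link set` netlink request driving a protocol message out through the UDP bearer, while the `?` frames (kasan_kmalloc, tipc_link_build_reset_msg and the rest) are left out.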
