Message-ID: <8d401247-9ab7-0bdd-eca7-dfaedd6a9284@gmail.com>
Date: Wed, 14 Mar 2018 08:04:17 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Andrei Vagin <avagin@...tuozzo.com>, netdev@...r.kernel.org
Subject: Re: [v4.15.9] BUG: KASAN: slab-out-of-bounds in
__dev_queue_xmit+0x2e5/0x14c0
On 03/13/2018 11:55 PM, Andrei Vagin wrote:
> Hi,
>
> I got the following warning on the v4.15.9 kernel.
>
> :[ 4483.052174] ==================================================================
> :[ 4483.052659] BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x2e5/0x14c0
> :[ 4483.052937] Read of size 1 at addr ffff880067ef7bc0 by task objtool/26177
> :
> :[ 4483.053361] CPU: 0 PID: 26177 Comm: objtool Not tainted 4.15.9 #1
> :[ 4483.053603] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platform, BIOS 6.12.26068.1232434 02/27/2017
> :[ 4483.054116] Call Trace:
> :[ 4483.054272] <IRQ>
> :[ 4483.054419] dump_stack+0xda/0x16f
> :[ 4483.054589] ? _atomic_dec_and_lock+0x101/0x101
> :[ 4483.054810] ? rcu_lockdep_current_cpu_online+0xba/0x120
> :[ 4483.055077] print_address_description+0x6a/0x270
> :[ 4483.055312] kasan_report+0x277/0x360
> :[ 4483.055491] ? __dev_queue_xmit+0x2e5/0x14c0
> :[ 4483.055688] __dev_queue_xmit+0x2e5/0x14c0
> :[ 4483.055892] ? do_raw_spin_unlock+0x147/0x220
> :[ 4483.056122] ? netdev_pick_tx+0x150/0x150
> :[ 4483.056369] ? mark_held_locks+0x52/0x90
> :[ 4483.056560] ? __lock_acquire+0x61b/0x2060
> :[ 4483.056771] ? match_held_lock+0x8d/0x420
> :[ 4483.056969] ? mark_lock+0x1c9/0xa30
> :[ 4483.057173] ? save_trace+0x1e0/0x1e0
> :[ 4483.057367] ? print_irqtrace_events+0x110/0x110
> :[ 4483.057602] ? nf_conntrack_alter_reply+0x2a0/0x2a0 [nf_conntrack]
> :[ 4483.057867] ? tcp_new+0x510/0x510 [nf_conntrack]
> :[ 4483.058101] ? debug_check_no_locks_freed+0x1b0/0x1b0
> :[ 4483.058360] ? kernel_text_address+0xec/0x100
> :[ 4483.058562] ? find_held_lock+0x6d/0xd0
> :[ 4483.058754] ? lock_downgrade+0x320/0x320
> :[ 4483.058959] ? lock_release+0x4d0/0x4d0
> :[ 4483.059184] ? nf_ct_get_tuple+0x98/0xd0 [nf_conntrack]
> :[ 4483.059422] ? rcu_lockdep_current_cpu_online+0xba/0x120
> :[ 4483.059655] ? mark_held_locks+0x52/0x90
> :[ 4483.059845] ? ip_finish_output2+0x83d/0xb10
> :[ 4483.060068] ip_finish_output2+0x93f/0xb10
> :[ 4483.060292] ? ip_copy_metadata+0x320/0x320
> :[ 4483.060485] ? save_trace+0x1e0/0x1e0
> :[ 4483.060659] ? rcu_is_watching+0x81/0xc0
> :[ 4483.060872] ? ipv4_nlattr_to_tuple+0x80/0x80 [nf_conntrack_ipv4]
> :[ 4483.061166] ? nf_ct_deliver_cached_events+0x1a3/0x450 [nf_conntrack]
> :[ 4483.061461] ? __local_bh_enable_ip+0x9a/0x110
> :[ 4483.061662] ? ipt_do_table+0x65c/0x7e0
> :[ 4483.061845] ? ipv4_mtu+0x1ac/0x220
> :[ 4483.062025] ? find_held_lock+0x6d/0xd0
> :[ 4483.062267] ? ip_finish_output+0x435/0x590
> :[ 4483.062462] ip_finish_output+0x435/0x590
> :[ 4483.062649] ? ip_fragment.constprop.45+0xf0/0xf0
> :[ 4483.062860] ? ipv4_nlattr_to_tuple+0x80/0x80 [nf_conntrack_ipv4]
> :[ 4483.063142] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
> :[ 4483.063393] ? iptable_nat_ipv4_local_fn+0x20/0x20 [iptable_nat]
> :[ 4483.063634] ? rcu_is_watching+0x81/0xc0
> :[ 4483.063829] ? nf_hook_slow+0xa4/0xe0
> :[ 4483.064031] ip_output+0x12a/0x450
> :[ 4483.064237] ? ip_mc_output+0xc30/0xc30
> :[ 4483.064435] ? ip_fragment.constprop.45+0xf0/0xf0
> :[ 4483.064644] ? tcp_make_synack+0x7b9/0x950
> :[ 4483.064849] ip_build_and_send_pkt+0x2f7/0x480
> :[ 4483.065086] ? ip_local_out+0x90/0x90
> :[ 4483.065283] ? __lockdep_init_map+0x98/0x2a0
> :[ 4483.065485] ? inet_bind_hash+0x130/0x130
> :[ 4483.065681] tcp_v4_send_synack+0x1b7/0x280
> :[ 4483.065878] ? tcp_v4_send_check+0x40/0x40
> :[ 4483.066094] ? ip_mc_output+0x4b0/0xc30
> :[ 4483.066344] ? inet_csk_reqsk_queue_hash_add+0x11b/0x170
> :[ 4483.066569] ? inet_csk_route_child_sock+0x430/0x430
> :[ 4483.066798] tcp_conn_request+0x152e/0x1a70
> :[ 4483.067017] ? tcp_event_data_recv+0x6a0/0x6a0
> :[ 4483.067259] ? __lock_acquire+0x61b/0x2060
> :[ 4483.067483] ? debug_check_no_locks_freed+0x1b0/0x1b0
> :[ 4483.067696] ? print_irqtrace_events+0x110/0x110
> :[ 4483.067902] ? __lock_acquire+0x61b/0x2060
> :[ 4483.068126] ? match_held_lock+0x8d/0x420
> :[ 4483.068376] ? match_held_lock+0x8d/0x420
> :[ 4483.068617] ? match_held_lock+0x8d/0x420
> :[ 4483.068868] ? save_trace+0x1e0/0x1e0
> :[ 4483.069132] ? save_trace+0x1e0/0x1e0
> :[ 4483.069383] ? save_trace+0x1e0/0x1e0
> :[ 4483.069615] ? find_held_lock+0x6d/0xd0
> :[ 4483.069888] ? __lock_is_held+0x71/0xc0
> :[ 4483.070181] ? tcp_rcv_state_process+0x507/0x1fb0
> :[ 4483.070557] tcp_rcv_state_process+0x507/0x1fb0
> :[ 4483.070824] ? rcu_is_watching+0x81/0xc0
> :[ 4483.071103] ? tcp_finish_connect+0x180/0x180
> :[ 4483.071394] ? sk_filter_trim_cap+0x30b/0x510
> :[ 4483.071658] ? sk_skb_is_valid_access+0xd0/0xd0
> :[ 4483.071933] ? tcp_parse_md5sig_option+0x6d/0x90
> :[ 4483.072231] ? tcp_v4_inbound_md5_hash+0xca/0x2a0
> :[ 4483.072530] ? tcp_v4_do_rcv+0x266/0x340
> :[ 4483.072763] tcp_v4_do_rcv+0x266/0x340
> :[ 4483.073018] tcp_v4_rcv+0x1255/0x1290
> :[ 4483.073324] ? tcp_v4_early_demux+0x3b0/0x3b0
> :[ 4483.073583] ? find_held_lock+0xb0/0xd0
> :[ 4483.073840] ip_local_deliver_finish+0x1c9/0x5f0
> :[ 4483.074137] ? ipv4_nlattr_to_tuple+0x80/0x80 [nf_conntrack_ipv4]
> :[ 4483.074425] ? inet_del_offload+0x40/0x40
> :[ 4483.074618] ? nf_hook_slow+0xa4/0xe0
> :[ 4483.074799] ip_local_deliver+0x324/0x410
> :[ 4483.075005] ? ip_call_ra_chain+0x390/0x390
> :[ 4483.075239] ? inet_del_offload+0x40/0x40
> :[ 4483.075460] ip_rcv_finish+0x587/0xbb0
> :[ 4483.075646] ? ip_local_deliver_finish+0x5f0/0x5f0
> :[ 4483.075860] ? find_held_lock+0x6d/0xd0
> :[ 4483.076067] ? ip_rcv+0x70b/0x940
> :[ 4483.076252] ? lock_downgrade+0x320/0x320
> :[ 4483.076556] ? tcp_v4_send_synack+0x280/0x280
> :[ 4483.076757] ? do_add_counters+0x2b0/0x2b0
> :[ 4483.076958] ? rcu_is_watching+0x81/0xc0
> :[ 4483.077179] ? iptable_nat_ipv4_out+0x20/0x20 [iptable_nat]
> :[ 4483.077424] ? nf_hook_slow+0xa4/0xe0
> :[ 4483.077606] ip_rcv+0x54d/0x940
> :[ 4483.077776] ? ip_local_deliver+0x410/0x410
> :[ 4483.077985] ? ip_local_deliver_finish+0x5f0/0x5f0
> :[ 4483.078229] ? match_held_lock+0x8d/0x420
> :[ 4483.078455] ? ip_local_deliver+0x410/0x410
> :[ 4483.078653] __netif_receive_skb_core+0x13d7/0x1a20
> :[ 4483.078884] ? enqueue_to_backlog+0x730/0x730
> :[ 4483.079110] ? __is_insn_slot_addr+0x17b/0x240
> :[ 4483.079332] ? lock_downgrade+0x320/0x320
> :[ 4483.079535] ? find_held_lock+0x6d/0xd0
> :[ 4483.079727] ? is_bpf_text_address+0x60/0xe0
> :[ 4483.079931] ? match_held_lock+0x8d/0x420
> :[ 4483.080138] ? lock_downgrade+0x320/0x320
> :[ 4483.080344] ? save_trace+0x1e0/0x1e0
> :[ 4483.080518] ? lock_release+0x4d0/0x4d0
> :[ 4483.080699] ? __free_insn_slot+0x3e0/0x3e0
> :[ 4483.080892] ? rcu_is_watching+0x81/0xc0
> :[ 4483.081104] ? rcutorture_record_progress+0x10/0x10
> :[ 4483.081339] ? page_fault+0x7b/0x80
> :[ 4483.081514] ? match_held_lock+0x8d/0x420
> :[ 4483.081705] ? save_trace+0x1e0/0x1e0
> :[ 4483.081882] ? find_held_lock+0x6d/0xd0
> :[ 4483.082093] ? inet_gro_receive+0x21e/0x7c0
> :[ 4483.082309] ? lock_downgrade+0x320/0x320
> :[ 4483.082504] ? lock_release+0x4d0/0x4d0
> :[ 4483.082695] ? find_held_lock+0x6d/0xd0
> :[ 4483.082887] ? lock_acquire+0x129/0x320
> :[ 4483.083090] ? lock_acquire+0x129/0x320
> :[ 4483.083293] ? netif_receive_skb_internal+0xb2/0x4b0
> :[ 4483.083519] ? lock_release+0x4d0/0x4d0
> :[ 4483.083703] ? rcu_is_watching+0x81/0xc0
> :[ 4483.083889] ? rcu_is_watching+0x81/0xc0
> :[ 4483.084097] ? rcutorture_record_progress+0x10/0x10
> :[ 4483.084335] ? save_trace+0x1e0/0x1e0
> :[ 4483.084518] ? netif_receive_skb_internal+0xfa/0x4b0
> :[ 4483.084729] netif_receive_skb_internal+0xfa/0x4b0
> :[ 4483.084962] ? dev_cpu_dead+0x500/0x500
> :[ 4483.085176] ? net_rx_action+0xbf0/0xbf0
> :[ 4483.085386] ? __lock_is_held+0x51/0xc0
> :[ 4483.085588] napi_gro_receive+0x262/0x2e0
> :[ 4483.085773] ? dev_gro_receive+0xfe0/0xfe0
> :[ 4483.085966] ? eth_type_trans+0x133/0x280
> :[ 4483.086180] ? eth_gro_receive+0x3d0/0x3d0
> :[ 4483.086411] e1000_clean_rx_irq+0x2fa/0x940 [e1000]
> :[ 4483.086654] ? e1000_clean_jumbo_rx_irq+0x1110/0x1110 [e1000]
> :[ 4483.086904] ? update_max_interval+0x40/0x40
> :[ 4483.087145] ? __lock_is_held+0x71/0xc0
> :[ 4483.087348] ? __calc_delta+0xf6/0x140
> :[ 4483.087529] ? update_min_vruntime+0x7d/0xb0
> :[ 4483.087731] ? e1000_clean_jumbo_rx_irq+0x1110/0x1110 [e1000]
> :[ 4483.087989] e1000_clean+0x65e/0x1190 [e1000]
> :[ 4483.088252] ? e1000_unmap_and_free_tx_resource.isra.45+0x120/0x120 [e1000]
> :[ 4483.088545] ? do_raw_spin_trylock+0x100/0x100
> :[ 4483.088744] ? find_held_lock+0xb0/0xd0
> :[ 4483.088940] ? calc_global_load_tick+0x90/0x170
> :[ 4483.089178] ? match_held_lock+0xa5/0x420
> :[ 4483.089446] ? match_held_lock+0x8d/0x420
> :[ 4483.089637] ? save_trace+0x1e0/0x1e0
> :[ 4483.089824] ? enqueue_hrtimer+0xe2/0x290
> :[ 4483.090023] ? mark_held_locks+0x6e/0x90
> :[ 4483.090241] ? net_rx_action+0x2e3/0xbf0
> :[ 4483.090441] net_rx_action+0x477/0xbf0
> :[ 4483.090647] ? napi_complete_done+0x350/0x350
> :[ 4483.090848] ? lock_downgrade+0x320/0x320
> :[ 4483.091078] ? find_held_lock+0x6d/0xd0
> :[ 4483.091293] ? match_held_lock+0xa5/0x420
> :[ 4483.091481] ? ktime_get+0x18f/0x250
> :[ 4483.091655] ? mark_lock+0x1c9/0xa30
> :[ 4483.091828] ? do_raw_spin_unlock+0x147/0x220
> :[ 4483.092053] ? print_irqtrace_events+0x110/0x110
> :[ 4483.092304] ? pvclock_clocksource_read+0x12c/0x230
> :[ 4483.092525] ? pvclock_read_flags+0x50/0x50
> :[ 4483.092725] ? native_apic_msr_write+0x27/0x30
> :[ 4483.092928] ? lapic_next_event+0x36/0x40
> :[ 4483.093139] ? idle_cpu+0x96/0x110
> :[ 4483.093325] ? task_prio+0x20/0x20
> :[ 4483.093495] ? sched_clock_cpu+0x14/0xe0
> :[ 4483.093683] ? irqtime_account_irq+0xa1/0xd0
> :[ 4483.093893] ? rcu_irq_exit+0x62/0xb0
> :[ 4483.094095] ? irq_exit+0x7a/0x150
> :[ 4483.094322] ? smp_apic_timer_interrupt+0x13e/0x490
> :[ 4483.094534] ? smp_call_function_single_interrupt+0x430/0x430
> :[ 4483.094773] ? trace_hardirqs_off_caller+0x70/0x100
> :[ 4483.095001] ? match_held_lock+0xa5/0x420
> :[ 4483.095227] ? save_trace+0x1e0/0x1e0
> :[ 4483.095417] ? mark_held_locks+0x6e/0x90
> :[ 4483.095599] ? retint_kernel+0x10/0x10
> :[ 4483.095779] ? trace_hardirqs_on_caller+0x17f/0x260
> :[ 4483.096018] ? trace_hardirqs_on_thunk+0x1a/0x1c
> :[ 4483.096263] ? irq_exit+0x7a/0x150
> :[ 4483.096448] ? __lock_is_held+0x51/0xc0
> :[ 4483.096646] __do_softirq+0x1de/0x765
> :[ 4483.096840] ? __irqentry_text_end+0x1fa1d7/0x1fa1d7
> :[ 4483.097081] ? handle_irq+0x109/0x1c0
> :[ 4483.097280] ? lock_downgrade+0x320/0x320
> :[ 4483.097473] ? pvclock_clocksource_read+0x12c/0x230
> :[ 4483.097690] ? pvclock_read_flags+0x50/0x50
> :[ 4483.097884] ? __irq_complete_move+0x15/0x50
> :[ 4483.098100] ? kzalloc.constprop.11+0x15/0x15
> :[ 4483.098314] ? ioapic_ack_level+0xbb/0x1e0
> :[ 4483.098526] ? sched_clock+0x5/0x10
> :[ 4483.098693] ? sched_clock_cpu+0x14/0xe0
> :[ 4483.098899] irq_exit+0x146/0x150
> :[ 4483.099093] do_IRQ+0xb0/0x130
> :[ 4483.099290] common_interrupt+0x91/0x91
> :[ 4483.099474] </IRQ>
> :[ 4483.099601] RIP: 0010:lock_release+0x280/0x4d0
> :[ 4483.099794] RSP: 0000:ffff880011667918 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffda
> :[ 4483.100123] RAX: 0000000000000000 RBX: 1ffff100022ccf26 RCX: ffffffff911cc36f
> :[ 4483.100417] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: 0000000000000246
> :[ 4483.100689] RBP: ffff880062aea7c0 R08: 0000000000000000 R09: 0000000000000000
> :[ 4483.100975] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880062aea7c0
> :[ 4483.101289] R13: 0000000000000001 R14: 0000000000000001 R15: e9e54f45c56e85aa
> :[ 4483.101598] ? lock_release+0x26f/0x4d0
> :[ 4483.101798] ? __handle_mm_fault+0xc29/0x2040
> :[ 4483.102046] ? lock_downgrade+0x320/0x320
> :[ 4483.102257] ? lock_release+0x4d0/0x4d0
> :[ 4483.102448] ? do_raw_spin_trylock+0x100/0x100
> :[ 4483.102670] _raw_spin_unlock+0x1c/0x30
> :[ 4483.102850] __handle_mm_fault+0xc29/0x2040
> :[ 4483.103077] ? __pmd_alloc+0x320/0x320
> :[ 4483.103302] ? handle_mm_fault+0x17a/0x4d0
> :[ 4483.103499] ? lock_downgrade+0x320/0x320
> :[ 4483.103706] ? mem_cgroup_from_task+0xb4/0x170
> :[ 4483.103910] ? rcu_is_watching+0x81/0xc0
> :[ 4483.104137] handle_mm_fault+0x204/0x4d0
> :[ 4483.104345] ? __handle_mm_fault+0x2040/0x2040
> :[ 4483.104546] ? vmacache_find+0xe6/0x110
> :[ 4483.104739] __do_page_fault+0x3b1/0x6e0
> :[ 4483.104935] ? spurious_fault+0x320/0x320
> :[ 4483.105151] ? __do_page_fault+0x5dd/0x6e0
> :[ 4483.105369] do_page_fault+0xb6/0x440
> :[ 4483.105545] ? __do_page_fault+0x6e0/0x6e0
> :[ 4483.105736] ? exit_to_usermode_loop+0xb7/0x170
> :[ 4483.105946] ? trace_raw_output_sys_exit+0x80/0x80
> :[ 4483.106183] ? __do_page_fault+0x5dd/0x6e0
> :[ 4483.106388] ? lockdep_sys_exit+0x16/0x8e
> :[ 4483.106572] ? syscall_return_slowpath+0x1bc/0x2c0
> :[ 4483.106783] ? mark_held_locks+0x1c/0x90
> :[ 4483.107093] ? retint_user+0x18/0x18
> :[ 4483.107281] ? page_fault+0x65/0x80
> :[ 4483.107462] ? trace_hardirqs_off_caller+0xbe/0x100
> :[ 4483.107674] ? trace_hardirqs_off_thunk+0x1a/0x1c
> :[ 4483.107890] ? page_fault+0x65/0x80
> :[ 4483.108079] page_fault+0x7b/0x80
> :[ 4483.108267] RIP: 0033:0x408de0
> :[ 4483.108434] RSP: 002b:00007ffc27610e80 EFLAGS: 00010202
> :[ 4483.108656] RAX: 00007fb1b53da000 RBX: 00007fb1b7152068 RCX: 00007fb1b540a880
> :[ 4483.108939] RDX: 00007fb1b538a870 RSI: 0000000000081000 RDI: 0000000000000000
> :[ 4483.109248] RBP: 00007fb1b7152010 R08: 00007fb1b538a010 R09: 0000000000000000
> :[ 4483.109532] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000000029
> :[ 4483.109804] R13: 00007fb1b538a010 R14: 000000000115b3b8 R15: 0000000000000000
> :
> :[ 4483.110264] Allocated by task 0:
> :[ 4483.110429] (stack is not available)
> :
> :[ 4483.110702] Freed by task 0:
> :[ 4483.110853] (stack is not available)
> :
> :[ 4483.111159] The buggy address belongs to the object at ffff880067ef7b00
> : which belongs to the cache request_sock_TCP of size 328
> :[ 4483.111629] The buggy address is located 192 bytes inside of
> : 328-byte region [ffff880067ef7b00, ffff880067ef7c48)
> :[ 4483.112063] The buggy address belongs to the page:
> :[ 4483.112289] page:ffffea00019fbd00 count:1 mapcount:0 mapping:0000000000000000 index:0xffff880067ef7e30 compound_mapcount: 0
> :[ 4483.112699] flags: 0xfffe000008100(slab|head)
> :[ 4483.112900] raw: 000fffe000008100 0000000000000000 ffff880067ef7e30 0000000100280002
> :[ 4483.113232] raw: ffff880069909780 ffff880069909780 ffff88006a186f80 0000000000000000
> :[ 4483.113539] page dumped because: kasan: bad access detected
> :
> :[ 4483.113872] Memory state around the buggy address:
> :[ 4483.114108] ffff880067ef7a80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
> :[ 4483.114415] ffff880067ef7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> :[ 4483.114695] >ffff880067ef7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> :[ 4483.114990] ^
> :[ 4483.115246] ffff880067ef7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> :[ 4483.115537] ffff880067ef7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> :[ 4483.115816] ==================================================================
> :[ 4483.116132] Disabling lock debugging due to kernel taint
>
> /root/linux/./include/linux/cgroup-defs.h:761
> 169c2: 49 8d bc 24 f0 03 00 lea 0x3f0(%r12),%rdi
> 169c9: 00
> 169ca: 41 bd 01 00 00 00 mov $0x1,%r13d
> 169d0: e8 00 00 00 00 callq 169d5 <__dev_queue_xmit+0x2e5>
> 169d5: 41 f6 84 24 f0 03 00 testb $0x1,0x3f0(%r12)
> 169dc: 00 01
> 169de: 74 16 je 169f6 <__dev_queue_xmit+0x306>
> 169e0: 49 8d bc 24 f2 03 00 lea 0x3f2(%r12),%rdi
> 169e7: 00
> 169e8: e8 00 00 00 00 callq 169ed <__dev_queue_xmit+0x2fd>
> 169ed: 45 0f b7 ac 24 f2 03 movzwl 0x3f2(%r12),%r13d
> 169f4: 00 00
>
> static inline u16 sock_cgroup_prioidx(struct sock_cgroup_data *skcd)
> {
> /* fallback to 1 which is always the ID of the root cgroup */
> 761: return (skcd->is_data & 1) ? skcd->prioidx : 1;
> }
Thanks for the report. I have cooked a patch and will send it after testing.