* kasan r8169 use-after-free trace.
From: Dave Jones @ 2015-11-11  3:30 UTC (permalink / raw)
  To: netdev; +Cc: Francois Romieu

This happens during boot, (and then there's a flood of traces that happen so fast
afterwards it completely overwhelms serial console; not sure if they're the
same/related or not).


==================================================================
BUG: KASAN: use-after-free in rtl8169_poll+0x4b6/0xb70 at addr ffff8801d43b3288
Read of size 1 by task kworker/0:3/188
=============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Slab 0xffffea000750ecc0 objects=16 used=16 fp=0x          (null) flags=0x8000000000000080
INFO: Object 0xffff8801d43b3200 @offset=512 fp=0xffff8801d43b3800

CPU: 0 PID: 188 Comm: kworker/0:3 Tainted: G    B           4.3.0-firewall+ #15
Workqueue: events linkwatch_event
 ffff880037bb89d8 ffff8801d7a07bc8 ffffffff93489155 ffff8801d6801900
 ffff8801d7a07bf8 ffffffff932295de ffff8801d6801900 ffffea000750ecc0
 ffff8801d43b3200 ffff8800d442a000 ffff8801d7a07c20 ffffffff9322ce06
Call Trace:
 <IRQ>  [<ffffffff93489155>] dump_stack+0x4e/0x79
 [<ffffffff932295de>] print_trailer+0xfe/0x160
 [<ffffffff9322ce06>] object_err+0x36/0x40
 [<ffffffff93230bb0>] kasan_report_error+0x220/0x550
 [<ffffffff9393224b>] ? dev_gro_receive+0xbb/0x7f0
 [<ffffffff93932449>] ? dev_gro_receive+0x2b9/0x7f0
 [<ffffffff93230f1b>] kasan_report+0x3b/0x40
 [<ffffffff93812146>] ? rtl8169_poll+0x4b6/0xb70
 [<ffffffff93230198>] __asan_load1+0x48/0x50
 [<ffffffff93812146>] rtl8169_poll+0x4b6/0xb70
 [<ffffffff93c0afb3>] ? _raw_spin_unlock_irqrestore+0x43/0x70
 [<ffffffff9393adeb>] net_rx_action+0x41b/0x6a0
 [<ffffffff9393a9d0>] ? napi_complete_done+0x100/0x100
 [<ffffffff93077f32>] __do_softirq+0x1b2/0x5c0
 [<ffffffff9307858c>] irq_exit+0xfc/0x110
 [<ffffffff93c0ddf2>] do_IRQ+0x82/0x160
 [<ffffffff93c0c4c6>] common_interrupt+0x86/0x86
 <EOI>  [<ffffffff930f712d>] ? console_unlock+0x3bd/0x620
 [<ffffffff930f775e>] vprintk_emit+0x3ce/0x6d0


* Re: kasan r8169 use-after-free trace.
From: Francois Romieu @ 2015-11-11  9:19 UTC (permalink / raw)
  To: Dave Jones; +Cc: netdev

Dave Jones <davej@codemonkey.org.uk> :
> This happens during boot, (and then there's a flood of traces that happen so fast
> afterwards it completely overwhelms serial console; not sure if they're the
> same/related or not).
> 
> ==================================================================
> BUG: KASAN: use-after-free in rtl8169_poll+0x4b6/0xb70 at addr ffff8801d43b3288
> Read of size 1 by task kworker/0:3/188
> =============================================================================
> BUG kmalloc-256 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
> 
> Disabling lock debugging due to kernel taint
> INFO: Slab 0xffffea000750ecc0 objects=16 used=16 fp=0x          (null) flags=0x8000000000000080
> INFO: Object 0xffff8801d43b3200 @offset=512 fp=0xffff8801d43b3800
> 
> Bytes b4 ffff8801d43b31f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> Object ffff8801d43b3200: 00 38 3b d4 01 88 ff ff 00 00 00 00 00 00 00 00  .8;.............

Does the patch below cure it ?

diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index b4f2123..79ef799 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -7429,15 +7429,15 @@ process_pkt:
 
 			rtl8169_rx_vlan_tag(desc, skb);
 
+			if (skb->pkt_type == PACKET_MULTICAST)
+				dev->stats.multicast++;
+
 			napi_gro_receive(&tp->napi, skb);
 
 			u64_stats_update_begin(&tp->rx_stats.syncp);
 			tp->rx_stats.packets++;
 			tp->rx_stats.bytes += pkt_size;
 			u64_stats_update_end(&tp->rx_stats.syncp);
-
-			if (skb->pkt_type == PACKET_MULTICAST)
-				dev->stats.multicast++;
 		}
 release_descriptor:
 		desc->opts2 = 0;
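Review bot: the hunk is the right fix but carries no explanation, so the formal submission needs a commit message stating why the reordering matters: napi_gro_receive() consumes the skb (GRO may merge it into another skb or free it), so the `if (skb->pkt_type == PACKET_MULTICAST)` test that previously ran after that call dereferenced memory the driver no longer owned, which is the one-byte read in rtl8169_poll() that KASAN reports (dev_gro_receive shows up in the same call trace). Moving the multicast accounting before the hand-off removes the stale dereference; please also add a Fixes: tag naming the commit that introduced the software multicast counter so the change is picked up by stable.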


* Re: kasan r8169 use-after-free trace.
From: Eric Dumazet @ 2015-11-11 13:16 UTC (permalink / raw)
  To: Francois Romieu; +Cc: Dave Jones, netdev, Corinna Vinschen

On Wed, 2015-11-11 at 10:19 +0100, Francois Romieu wrote:
> Dave Jones <davej@codemonkey.org.uk> :
> > This happens during boot, (and then there's a flood of traces that happen so fast
> > afterwards it completely overwhelms serial console; not sure if they're the
> > same/related or not).
> > 
> > ==================================================================
> > BUG: KASAN: use-after-free in rtl8169_poll+0x4b6/0xb70 at addr ffff8801d43b3288
> > Read of size 1 by task kworker/0:3/188
> > =============================================================================
> > BUG kmalloc-256 (Not tainted): kasan: bad access detected
> > -----------------------------------------------------------------------------
> > 
> > Disabling lock debugging due to kernel taint
> > INFO: Slab 0xffffea000750ecc0 objects=16 used=16 fp=0x          (null) flags=0x8000000000000080
> > INFO: Object 0xffff8801d43b3200 @offset=512 fp=0xffff8801d43b3800
> > 
> > Bytes b4 ffff8801d43b31f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > Object ffff8801d43b3200: 00 38 3b d4 01 88 ff ff 00 00 00 00 00 00 00 00  .8;.............
> 
> Does the patch below cure it ?
> 
> diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
> index b4f2123..79ef799 100644
> --- a/drivers/net/ethernet/realtek/r8169.c
> +++ b/drivers/net/ethernet/realtek/r8169.c
> @@ -7429,15 +7429,15 @@ process_pkt:
>  
>  			rtl8169_rx_vlan_tag(desc, skb);
>  
> +			if (skb->pkt_type == PACKET_MULTICAST)
> +				dev->stats.multicast++;
> +
>  			napi_gro_receive(&tp->napi, skb);
>  
>  			u64_stats_update_begin(&tp->rx_stats.syncp);
>  			tp->rx_stats.packets++;
>  			tp->rx_stats.bytes += pkt_size;
>  			u64_stats_update_end(&tp->rx_stats.syncp);
> -
> -			if (skb->pkt_type == PACKET_MULTICAST)
> -				dev->stats.multicast++;
>  		}
>  release_descriptor:
>  		desc->opts2 = 0;
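Review bot: the tp->rx_stats updates left after napi_gro_receive() are safe because `tp->rx_stats.bytes += pkt_size;` uses the local pkt_size rather than skb->len, so after this hunk no skb field is read once the skb has been handed to the stack; the only remaining line in the visible context, `desc->opts2 = 0;` under release_descriptor:, touches the descriptor, not the skb.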

This looks obvious indeed, please submit this formally Francois ;)

Fixes: d7d2d89d4b0af ("r8169: Add software counter for multicast packages")
Acked-by: Eric Dumazet <edumazet@google.com>
Cc: Corinna Vinschen <vinschen@redhat.com>


* Re: kasan r8169 use-after-free trace.
From: Corinna Vinschen @ 2015-11-11 15:34 UTC (permalink / raw)
  To: netdev; +Cc: Eric Dumazet, Francois Romieu, Dave Jones


On Nov 11 05:16, Eric Dumazet wrote:
> On Wed, 2015-11-11 at 10:19 +0100, Francois Romieu wrote:
> > Dave Jones <davej@codemonkey.org.uk> :
> > > This happens during boot, (and then there's a flood of traces that happen so fast
> > > afterwards it completely overwhelms serial console; not sure if they're the
> > > same/related or not).
> > > 
> > > ==================================================================
> > > BUG: KASAN: use-after-free in rtl8169_poll+0x4b6/0xb70 at addr ffff8801d43b3288
> > > Read of size 1 by task kworker/0:3/188
> > > =============================================================================
> > > BUG kmalloc-256 (Not tainted): kasan: bad access detected
> > > -----------------------------------------------------------------------------
> > > 
> > > Disabling lock debugging due to kernel taint
> > > INFO: Slab 0xffffea000750ecc0 objects=16 used=16 fp=0x          (null) flags=0x8000000000000080
> > > INFO: Object 0xffff8801d43b3200 @offset=512 fp=0xffff8801d43b3800
> > > 
> > > Bytes b4 ffff8801d43b31f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > Object ffff8801d43b3200: 00 38 3b d4 01 88 ff ff 00 00 00 00 00 00 00 00  .8;.............
> > 
> > Does the patch below cure it ?
> > 
> > diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
> > index b4f2123..79ef799 100644
> > --- a/drivers/net/ethernet/realtek/r8169.c
> > +++ b/drivers/net/ethernet/realtek/r8169.c
> > @@ -7429,15 +7429,15 @@ process_pkt:
> >  
> >  			rtl8169_rx_vlan_tag(desc, skb);
> >  
> > +			if (skb->pkt_type == PACKET_MULTICAST)
> > +				dev->stats.multicast++;
> > +
> >  			napi_gro_receive(&tp->napi, skb);
> >  
> >  			u64_stats_update_begin(&tp->rx_stats.syncp);
> >  			tp->rx_stats.packets++;
> >  			tp->rx_stats.bytes += pkt_size;
> >  			u64_stats_update_end(&tp->rx_stats.syncp);
> > -
> > -			if (skb->pkt_type == PACKET_MULTICAST)
> > -				dev->stats.multicast++;
> >  		}
> >  release_descriptor:
> >  		desc->opts2 = 0;
> 
> This looks obvious indeed, please submit this formally Francois ;)

Yes, please.  Thank you Francois.


> Fixes: d7d2d89d4b0af ("r8169: Add software counter for multicast packages")
> Acked-by: Eric Dumazet <edumazet@google.com>

Acked-by: Corinna Vinschen <vinschen@redhat.com>


Corinna



* Re: kasan r8169 use-after-free trace.
From: Dave Jones @ 2015-11-12 16:24 UTC (permalink / raw)
  To: Francois Romieu; +Cc: netdev

On Wed, Nov 11, 2015 at 10:19:28AM +0100, Francois Romieu wrote:
 > Dave Jones <davej@codemonkey.org.uk> :
 > > This happens during boot, (and then there's a flood of traces that happen so fast
 > > afterwards it completely overwhelms serial console; not sure if they're the
 > > same/related or not).
 > > 
 > > ==================================================================
 > > BUG: KASAN: use-after-free in rtl8169_poll+0x4b6/0xb70 at addr ffff8801d43b3288
 > > Read of size 1 by task kworker/0:3/188
 > > =============================================================================
 > > BUG kmalloc-256 (Not tainted): kasan: bad access detected
 > > -----------------------------------------------------------------------------
 > > 
 > > Disabling lock debugging due to kernel taint
 > > INFO: Slab 0xffffea000750ecc0 objects=16 used=16 fp=0x          (null) flags=0x8000000000000080
 > > INFO: Object 0xffff8801d43b3200 @offset=512 fp=0xffff8801d43b3800
 > > 
 > > Bytes b4 ffff8801d43b31f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 > > Object ffff8801d43b3200: 00 38 3b d4 01 88 ff ff 00 00 00 00 00 00 00 00  .8;.............
 > 
 > Does the patch below cure it ?

It did, thanks for the quick turnaround!  It also turns out this was responsible
for the flood of spew afterwards. It's completely silent when I apply your diff.

	Dave
