From: Jakub Kicinski
Subject: Re: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
Date: Thu, 7 Jun 2018 17:07:59 -0700
Message-ID: <20180607170759.176186fd@cakuba.netronome.com>
References: <20180507103345.08e3992d@xeon-e3>
In-Reply-To: <20180507103345.08e3992d@xeon-e3>
To: Stephen Hemminger
Cc: netdev@vger.kernel.org, David Ahern, David Miller
List-ID: netdev@vger.kernel.org

On Mon, 7 May 2018 10:33:45 -0700, Stephen Hemminger wrote:
> Begin forwarded message:
>
> Date: Mon, 07 May 2018 16:07:24 +0000
> From: bugzilla-daemon@bugzilla.kernel.org
> To: stephen@networkplumber.org
> Subject: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=199637
>
> Bug ID: 199637
> Summary: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
> Product: Networking
> Version: 2.5
> Kernel Version: 4.16.7
> Hardware: x86-64
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: IPV4
> Assignee: stephen@networkplumber.org
> Reporter: combuster@archlinux.us
> Regression: No
>
> After recompiling the 4.16.7 kernel with gcc 8.1, UBSAN reports the following:
>
> [ 25.427424] ================================================================================
> [ 25.429680] UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
> [ 25.431920] member access within null pointer of type 'struct tnode'
> [ 25.434153] CPU: 3 PID: 1 Comm: systemd Not tainted 4.16.7-CUSTOM #1
> [ 25.436384] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
> [ 25.438647] Call Trace:
> [ 25.440889]  dump_stack+0x62/0x9f
> [ 25.443104]  ubsan_epilogue+0x9/0x35
> [ 25.445293]  handle_null_ptr_deref+0x80/0x90
> [ 25.447464]  __ubsan_handle_type_mismatch_v1+0x6a/0x80
> [ 25.449628]  tnode_free+0xce/0x120
> [ 25.451749]  ? replace+0xa0/0x1f0
> [ 25.453833]  ? resize+0x4e2/0xb70
> [ 25.455916]  ? __kmalloc+0x1fe/0x2d0
> [ 25.457997]  ? tnode_new+0x66/0x160
> [ 25.460072]  ? fib_insert_alias+0x4a8/0x9e0
> [ 25.462145]  ? fib_table_insert+0x208/0x690
> [ 25.464214]  ? fib_magic+0x20c/0x310
> [ 25.466280]  ? fib_netdev_event+0x81/0x200
> [ 25.468339]  ? notifier_call_chain+0x63/0x110
> [ 25.470407]  ? __dev_notify_flags+0xa8/0x170
> [ 25.472472]  ? dev_change_flags+0x56/0x80
> [ 25.474538]  ? do_setlink+0x3c2/0x1a00
> [ 25.476603]  ? fib_magic+0x20c/0x310
> [ 25.478666]  ? rtnl_setlink+0x129/0x1e0
> [ 25.480728]  ? rtnetlink_rcv_msg+0x2a4/0x7d0
> [ 25.482765]  ? rtnetlink_rcv+0x10/0x10
> [ 25.484757]  ? netlink_rcv_skb+0x6f/0x170
> [ 25.486741]  ? netlink_unicast+0x1c0/0x2d0
> [ 25.488716]  ? netlink_sendmsg+0x2c1/0x630
> [ 25.490661]  ? sock_sendmsg+0x49/0xb0
> [ 25.492564]  ? SyS_sendto+0x12b/0x1d0
> [ 25.494449]  ? do_syscall_64+0xad/0x5cc
> [ 25.496305]  ? page_fault+0x2f/0x50
> [ 25.498140]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> [ 25.499974] ================================================================================
>
> UBSAN reported nothing when the same kernel was compiled with gcc 7.3.1 from
> Arch Linux repositories.
>
> I have three more similar reports to make, if I continue to c/p in each I'm
> gonna feel like a fuzzbot...

And this one I'm seeing too (once at boot):

[ 32.459535] ================================================================================
[ 32.469133] UBSAN: Undefined behaviour in ../net/ipv4/fib_trie.c:504:6
[ 32.476534] member access within null pointer of type 'struct tnode'
[ 32.483733] CPU: 8 PID: 1 Comm: systemd Not tainted 4.17.0-rc7-debug-01088-g47bffcfef048 #9
[ 32.493191] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.3.4 11/08/2016
[ 32.501680] Call Trace:
[ 32.504513]  dump_stack+0xe6/0x1a0
[ 32.508412]  ? dump_stack_print_info.cold.0+0x1b/0x1b
[ 32.514164]  ? do_raw_spin_lock+0xcf/0x220
[ 32.518848]  ubsan_epilogue+0x9/0x7a
[ 32.522940]  handle_null_ptr_deref+0x16b/0x1e0
[ 32.528008]  ? ucs2_as_utf8+0x6b0/0x6b0
[ 32.532397]  ? __x64_sys_sendto+0xe6/0x1d0
[ 32.537079]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.543025]  __ubsan_handle_type_mismatch_v1+0x16b/0x19e
[ 32.549054]  ? ubsan_type_mismatch_common.part.5.cold.9+0x1bb/0x1bb
[ 32.556168]  ? fib_find_node+0x350/0x350
[ 32.560655]  tnode_free+0x115/0x180
[ 32.564655]  replace+0x21d/0x5e0
[ 32.568361]  ? fib_insert_alias+0x1b20/0x1b20
[ 32.573332]  ? put_child+0x546/0x7b0
[ 32.577427]  ? __kmalloc+0x1b1/0x5f0
[ 32.581520]  ? fib_trie_seq_start+0x510/0x510
[ 32.586497]  resize+0x1253/0x2150
[ 32.590299]  ? netlink_sendmsg+0x7b5/0x10c0
[ 32.595074]  ? __sys_sendto+0x340/0x680
[ 32.599460]  ? do_syscall_64+0x14b/0x720
[ 32.603954]  ? __node_free_rcu+0x70/0x70
[ 32.608442]  ? rcu_lockdep_current_cpu_online+0x1e7/0x2c0
[ 32.614578]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 32.620435]  ? lockdep_rtnl_is_held+0x16/0x20
[ 32.625401]  ? put_child+0x546/0x7b0
[ 32.629494]  ? __kmalloc+0x1b1/0x5f0
[ 32.633586]  ? fib_trie_seq_start+0x510/0x510
[ 32.638561]  ? tnode_new+0x6c/0x310
[ 32.642561]  fib_insert_alias+0xe9c/0x1b20
[ 32.647246]  ? resize+0x2150/0x2150
[ 32.651238]  ? __atomic_notifier_call_chain+0xb0/0x150
[ 32.657081]  ? __atomic_notifier_call_chain+0x5/0x150
[ 32.662827]  ? lock_downgrade+0x750/0x750
[ 32.667412]  ? rcu_read_lock_bh_held+0xc0/0xc0
[ 32.672481]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 32.678338]  ? __atomic_notifier_call_chain+0xcd/0x150
[ 32.684187]  ? call_fib_notifiers+0x3d/0x90
[ 32.688955]  ? call_fib_entry_notifiers+0x2a8/0x3f0
[ 32.694508]  ? tnode_free+0x180/0x180
[ 32.698701]  ? kmem_cache_alloc+0x37d/0x530
[ 32.703477]  ? fib_net_init+0x3d0/0x3d0
[ 32.707866]  fib_table_insert+0x8b2/0x18d0
[ 32.712552]  ? fib_new_table+0xd1/0x5c0
[ 32.716929]  ? inet_addr_type_dev_table+0x420/0x420
[ 32.722470]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 32.728314]  ? replace+0x5e0/0x5e0
[ 32.732213]  ? rcu_read_lock_bh_held+0xc0/0xc0
[ 32.737279]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 32.743126]  ? fib_magic+0x5dd/0x980
[ 32.747222]  fib_magic+0x5dd/0x980
[ 32.751124]  ? fib_new_table+0x5c0/0x5c0
[ 32.755620]  ? fib_add_ifaddr+0x38c/0x4a0
[ 32.760205]  fib_netdev_event+0x114/0x390
[ 32.764786]  notifier_call_chain+0x127/0x2c0
[ 32.769664]  ? __se_sys_setns.cold.2+0x15/0x15
[ 32.774730]  ? rtnl_is_locked+0x61/0xc0
[ 32.779115]  ? rtnl_trylock+0x20/0x20
[ 32.783298]  ? netlink_broadcast+0xf/0x20
[ 32.787876]  ? nlmsg_notify+0x84/0x190
[ 32.792173]  __dev_notify_flags+0x13f/0x410
[ 32.796943]  ? dev_change_name+0xd90/0xd90
[ 32.801621]  ? rtnl_bridge_getlink+0xcb0/0xcb0
[ 32.806686]  ? __lock_acquire+0x6ad/0x3b10
[ 32.811369]  ? print_irqtrace_events+0x280/0x280
[ 32.816625]  ? __lock_acquire+0x6ad/0x3b10
[ 32.821310]  dev_change_flags+0xea/0x140
[ 32.825792]  do_setlink+0xb27/0x4300
[ 32.829885]  ? debug_check_no_locks_freed+0x260/0x260
[ 32.835635]  ? rtnl_link_get_net_capable.constprop.10+0x2b0/0x2b0
[ 32.842546]  ? print_irqtrace_events+0x280/0x280
[ 32.847804]  ? debug_check_no_locks_freed+0x260/0x260
[ 32.853551]  ? debug_check_no_locks_freed+0x260/0x260
[ 32.859297]  ? print_irqtrace_events+0x280/0x280
[ 32.864553]  ? __lock_acquire+0x6ad/0x3b10
[ 32.869230]  ? debug_check_no_locks_freed+0x260/0x260
[ 32.874964]  ? debug_check_no_locks_freed+0x260/0x260
[ 32.880712]  ? debug_check_no_locks_freed+0x260/0x260
[ 32.886463]  ? __lock_acquire+0x6ad/0x3b10
[ 32.891135]  ? print_irqtrace_events+0x280/0x280
[ 32.896399]  ? __is_insn_slot_addr+0x238/0x490
[ 32.901474]  ? lock_acquire+0x1a2/0x5a0
[ 32.905859]  ? rtnetlink_rcv_msg+0x359/0xb10
[ 32.910733]  ? lock_release+0x980/0x980
[ 32.915124]  ? finish_task_switch+0xc10/0xc10
[ 32.920096]  ? __bpf_trace_xdp_cpumap_enqueue+0x10/0x10
[ 32.926046]  ? __mutex_lock+0xd17/0x1b50
[ 32.930529]  ? rtnetlink_rcv_msg+0x359/0xb10
[ 32.935398]  ? __lock_acquire+0x6ad/0x3b10
[ 32.940080]  ? __ww_mutex_wakeup_for_backoff+0x330/0x330
[ 32.946120]  ? memset+0x1f/0x40
[ 32.949729]  ? nla_parse+0x7d/0x4e0
[ 32.953726]  ? nla_validate+0x360/0x360
[ 32.958121]  rtnl_setlink+0x256/0x400
[ 32.962313]  ? do_setlink+0x4300/0x4300
[ 32.966732]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 32.972582]  ? security_capable+0x4e/0x90
[ 32.977167]  rtnetlink_rcv_msg+0x3aa/0xb10
[ 32.981848]  ? rtnl_get_link+0x2c0/0x2c0
[ 32.986333]  ? netlink_lookup+0xb9/0x140
[ 32.990813]  ? netlink_seq_show+0x620/0x620
[ 32.995592]  netlink_rcv_skb+0x13a/0x390
[ 33.000071]  ? rtnl_get_link+0x2c0/0x2c0
[ 33.004554]  ? finish_task_switch+0xc10/0xc10
[ 33.009512]  ? netlink_ack+0xa90/0xa90
[ 33.013815]  netlink_unicast+0x45f/0x6e0
[ 33.018302]  ? netlink_sendskb+0x60/0x60
[ 33.022787]  ? aa_af_perm+0x520/0x520
[ 33.026975]  ? lock_downgrade+0x750/0x750
[ 33.031554]  ? lock_release+0x980/0x980
[ 33.035935]  ? security_socket_getpeersec_dgram+0x52/0xa0
[ 33.042074]  netlink_sendmsg+0x7b5/0x10c0
[ 33.046660]  ? nlmsg_notify+0x190/0x190
[ 33.051052]  ? nlmsg_notify+0x190/0x190
[ 33.055435]  sock_sendmsg+0xdf/0x180
[ 33.059528]  __sys_sendto+0x340/0x680
[ 33.063723]  ? __ia32_sys_getpeername+0xc0/0xc0
[ 33.068921]  ? kernel_setsockopt+0x340/0x340
[ 33.073885]  ? __sys_socket+0x148/0x220
[ 33.078275]  ? __bpf_trace_sys_enter+0x10/0x10
[ 33.083344]  __x64_sys_sendto+0xe6/0x1d0
[ 33.087827]  ? trace_hardirqs_on_caller+0x3d0/0x630
[ 33.093378]  do_syscall_64+0x14b/0x720
[ 33.097668]  ? syscall_return_slowpath+0x560/0x560
[ 33.103126]  ? syscall_return_slowpath+0x38d/0x560
[ 33.108582]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 33.114528]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.119890]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.125636] RIP: 0033:0x7fc408e74da7
[ 33.129730] RSP: 002b:00007ffd4f2cf4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 33.138319] RAX: ffffffffffffffda RBX: 000055e490a09390 RCX: 00007fc408e74da7
[ 33.146397] RDX: 0000000000000020 RSI: 000055e490a07890 RDI: 0000000000000004
[ 33.154476] RBP: 000055e490a0dad0 R08: 00007ffd4f2cf4f0 R09: 0000000000000010
[ 33.162544] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 33.170622] R13: 00007ffd4f2cf564 R14: 00007ffd4f2cf5d0 R15: 000055e490a07a60
[ 33.178717] ================================================================================
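Both traces report "member access within null pointer of type 'struct tnode'" from tnode_free, reached from the netlink RTM_SETLINK path (do_setlink -> dev_change_flags -> fib_netdev_event -> fib_table_insert -> fib_insert_alias -> resize -> replace -> tnode_free). The usual way a free loop produces exactly this class of report is that the element for the next iteration is derived from a list link with container_of() before the loop condition has checked that link for NULL: on the final pass the link is NULL, and container_of(NULL, ...)->member is a member access on a null struct pointer even when the result is only an address and nothing is ever loaded. That also fits the reporter's observation that gcc 7.3.1 was silent and gcc 8.1 reports it: the source did not change, only what the newer compiler's sanitizer instruments (an inference from the report, not something the thread states). The program below is an added example, not kernel code and not from anyone on this thread; the struct and function names are hypothetical, and the list input is constructed in the file. It reproduces the pattern in userspace next to the shape of the fix, so the report can be seen outside the kernel:

```c
/* Added example (hypothetical names, constructed input), not kernel code.
 * Build normally and the UB walk "works"; build with the sanitizer to see
 * the same class of report as in the thread:
 *   cc -O2 -fsanitize=undefined -fno-sanitize-recover=undefined ub_walk.c
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Same shape as the kernel's container_of(): recover the enclosing struct
 * from a pointer to one of its members. With ptr == NULL the result, and
 * any member access through it, is undefined behaviour. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct cb_head {
	struct cb_head *next;
};

/* Hypothetical node: the callback head comes first, so container_of(NULL,
 * struct node, rcu) is itself NULL (matching "null pointer of type ..." in
 * the report), and the payload is a trailing array member reached as ->kv. */
struct node {
	struct cb_head rcu;
	unsigned int bits;
	int kv[1];
};

/* Constructed input: a list of n nodes chained through node.rcu.next. */
static struct node *build_list(unsigned int n)
{
	struct node *head = NULL;

	while (n--) {
		struct node *nd = calloc(1, sizeof(*nd));

		if (!nd)
			abort();
		nd->bits = n;
		nd->rcu.next = head ? &head->rcu : NULL;
		head = nd;
	}
	return head;
}

static size_t list_len(const struct node *n)
{
	const struct cb_head *h = n ? &n->rcu : NULL;
	size_t len = 0;

	for (; h; h = h->next)
		len++;
	return len;
}

/* The pattern UBSAN objects to. The loop condition tests `head`, but the
 * element for the NEXT iteration is derived from `head` at the bottom of the
 * current one, before that test. On the last pass head == NULL, so
 * container_of(NULL, struct node, rcu)->kv is a member access on a null
 * struct pointer. Because kv is an array the expression only yields an
 * address and no byte is loaded, which is why the walk runs fine in a plain
 * build; it is still UB, and a -fsanitize=undefined build reports it. */
static size_t free_list_ub(int *kv)
{
	struct cb_head *head = &container_of(kv, struct node, kv)->rcu;
	size_t freed = 0;

	while (head) {
		head = head->next;
		free(container_of(kv, struct node, kv));
		freed++;
		kv = container_of(head, struct node, rcu)->kv;	/* UB when head == NULL */
	}
	return freed;
}

/* Fixed shape: read the link first, free the node the link came from, and
 * only derive a node from a head that the loop condition has already checked. */
static size_t free_list_fixed(int *kv)
{
	struct cb_head *head = &container_of(kv, struct node, kv)->rcu;
	size_t freed = 0;

	while (head) {
		struct cb_head *next = head->next;

		free(container_of(head, struct node, rcu));
		freed++;
		head = next;
	}
	return freed;
}

int main(void)
{
	size_t fixed = free_list_fixed(build_list(4)->kv);
	size_t ub = free_list_ub(build_list(4)->kv);	/* sanitizer fires here */

	printf("fixed walk freed %zu nodes, UB walk freed %zu nodes\n", fixed, ub);
	return fixed == 4 && ub == 4 ? 0 : 1;
}
```

Both walks free the same four nodes and return the same count, which is the point: the bug is invisible to tests that only check behaviour, and only a sanitizer (or a compiler that later decides to exploit the UB, for example by deleting the NULL check that follows a "dereference") makes it visible. When triaging a report like this, the fix is to restructure the loop so no container_of() is applied to a link before it is NULL-checked, not to silence the sanitizer.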