* Fw: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
@ 2018-05-07 17:33 Stephen Hemminger
  2018-06-08  0:07 ` Jakub Kicinski
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Hemminger @ 2018-05-07 17:33 UTC (permalink / raw)
  To: netdev



Begin forwarded message:

Date: Mon, 07 May 2018 16:07:24 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: stephen@networkplumber.org
Subject: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6


https://bugzilla.kernel.org/show_bug.cgi?id=199637

            Bug ID: 199637
           Summary: UBSAN: Undefined behaviour in
                    net/ipv4/fib_trie.c:503:6
           Product: Networking
           Version: 2.5
    Kernel Version: 4.16.7
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: IPV4
          Assignee: stephen@networkplumber.org
          Reporter: combuster@archlinux.us
        Regression: No

After recompiling the 4.16.7 kernel with gcc 8.1, UBSAN reports the following:

[   25.427424]
================================================================================
[   25.429680] UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
[   25.431920] member access within null pointer of type 'struct tnode'
[   25.434153] CPU: 3 PID: 1 Comm: systemd Not tainted 4.16.7-CUSTOM #1
[   25.436384] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
[   25.438647] Call Trace:
[   25.440889]  dump_stack+0x62/0x9f
[   25.443104]  ubsan_epilogue+0x9/0x35
[   25.445293]  handle_null_ptr_deref+0x80/0x90
[   25.447464]  __ubsan_handle_type_mismatch_v1+0x6a/0x80
[   25.449628]  tnode_free+0xce/0x120
[   25.451749]  ? replace+0xa0/0x1f0
[   25.453833]  ? resize+0x4e2/0xb70
[   25.455916]  ? __kmalloc+0x1fe/0x2d0
[   25.457997]  ? tnode_new+0x66/0x160
[   25.460072]  ? fib_insert_alias+0x4a8/0x9e0
[   25.462145]  ? fib_table_insert+0x208/0x690
[   25.464214]  ? fib_magic+0x20c/0x310
[   25.466280]  ? fib_netdev_event+0x81/0x200
[   25.468339]  ? notifier_call_chain+0x63/0x110
[   25.470407]  ? __dev_notify_flags+0xa8/0x170
[   25.472472]  ? dev_change_flags+0x56/0x80
[   25.474538]  ? do_setlink+0x3c2/0x1a00
[   25.476603]  ? fib_magic+0x20c/0x310
[   25.478666]  ? rtnl_setlink+0x129/0x1e0
[   25.480728]  ? rtnetlink_rcv_msg+0x2a4/0x7d0
[   25.482765]  ? rtnetlink_rcv+0x10/0x10
[   25.484757]  ? netlink_rcv_skb+0x6f/0x170
[   25.486741]  ? netlink_unicast+0x1c0/0x2d0
[   25.488716]  ? netlink_sendmsg+0x2c1/0x630
[   25.490661]  ? sock_sendmsg+0x49/0xb0
[   25.492564]  ? SyS_sendto+0x12b/0x1d0
[   25.494449]  ? do_syscall_64+0xad/0x5cc
[   25.496305]  ? page_fault+0x2f/0x50
[   25.498140]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[   25.499974]
================================================================================

UBSAN reported nothing when the same kernel was compiled with gcc 7.3.1 from
Arch Linux repositories.

I have three more similar reports to make; if I continue to c/p in each I'm
gonna feel like a fuzzbot...

-- 
You are receiving this mail because:
You are the assignee for the bug.


* Re: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
  2018-05-07 17:33 Fw: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6 Stephen Hemminger
@ 2018-06-08  0:07 ` Jakub Kicinski
  2018-06-08  1:27   ` David Ahern
  0 siblings, 1 reply; 3+ messages in thread
From: Jakub Kicinski @ 2018-06-08  0:07 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: netdev, David Ahern, David Miller

On Mon, 7 May 2018 10:33:45 -0700, Stephen Hemminger wrote:
> Begin forwarded message:
> 
> Date: Mon, 07 May 2018 16:07:24 +0000
> From: bugzilla-daemon@bugzilla.kernel.org
> To: stephen@networkplumber.org
> Subject: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
> 
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=199637
> 
>             Bug ID: 199637
>            Summary: UBSAN: Undefined behaviour in
>                     net/ipv4/fib_trie.c:503:6
>            Product: Networking
>            Version: 2.5
>     Kernel Version: 4.16.7
>           Hardware: x86-64
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: IPV4
>           Assignee: stephen@networkplumber.org
>           Reporter: combuster@archlinux.us
>         Regression: No
> 
> After recompiling the 4.16.7 kernel with gcc 8.1, UBSAN reports the following:
> 
> [   25.427424]
> ================================================================================
> [   25.429680] UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
> [   25.431920] member access within null pointer of type 'struct tnode'
> [   25.434153] CPU: 3 PID: 1 Comm: systemd Not tainted 4.16.7-CUSTOM #1
> [   25.436384] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
> [   25.438647] Call Trace:
> [   25.440889]  dump_stack+0x62/0x9f
> [   25.443104]  ubsan_epilogue+0x9/0x35
> [   25.445293]  handle_null_ptr_deref+0x80/0x90
> [   25.447464]  __ubsan_handle_type_mismatch_v1+0x6a/0x80
> [   25.449628]  tnode_free+0xce/0x120
> [   25.451749]  ? replace+0xa0/0x1f0
> [   25.453833]  ? resize+0x4e2/0xb70
> [   25.455916]  ? __kmalloc+0x1fe/0x2d0
> [   25.457997]  ? tnode_new+0x66/0x160
> [   25.460072]  ? fib_insert_alias+0x4a8/0x9e0
> [   25.462145]  ? fib_table_insert+0x208/0x690
> [   25.464214]  ? fib_magic+0x20c/0x310
> [   25.466280]  ? fib_netdev_event+0x81/0x200
> [   25.468339]  ? notifier_call_chain+0x63/0x110
> [   25.470407]  ? __dev_notify_flags+0xa8/0x170
> [   25.472472]  ? dev_change_flags+0x56/0x80
> [   25.474538]  ? do_setlink+0x3c2/0x1a00
> [   25.476603]  ? fib_magic+0x20c/0x310
> [   25.478666]  ? rtnl_setlink+0x129/0x1e0
> [   25.480728]  ? rtnetlink_rcv_msg+0x2a4/0x7d0
> [   25.482765]  ? rtnetlink_rcv+0x10/0x10
> [   25.484757]  ? netlink_rcv_skb+0x6f/0x170
> [   25.486741]  ? netlink_unicast+0x1c0/0x2d0
> [   25.488716]  ? netlink_sendmsg+0x2c1/0x630
> [   25.490661]  ? sock_sendmsg+0x49/0xb0
> [   25.492564]  ? SyS_sendto+0x12b/0x1d0
> [   25.494449]  ? do_syscall_64+0xad/0x5cc
> [   25.496305]  ? page_fault+0x2f/0x50
> [   25.498140]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> [   25.499974]
> ================================================================================
> 
> UBSAN reported nothing when the same kernel was compiled with gcc 7.3.1 from
> Arch Linux repositories.
> 
> I have three more similar reports to make; if I continue to c/p in each I'm
> gonna feel like a fuzzbot...
> 

And this one I'm seeing too (once at boot):

[   32.459535] ================================================================================
[   32.469133] UBSAN: Undefined behaviour in ../net/ipv4/fib_trie.c:504:6
[   32.476534] member access within null pointer of type 'struct tnode'
[   32.483733] CPU: 8 PID: 1 Comm: systemd Not tainted 4.17.0-rc7-debug-01088-g47bffcfef048 #9
[   32.493191] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.3.4 11/08/2016
[   32.501680] Call Trace:
[   32.504513]  dump_stack+0xe6/0x1a0
[   32.508412]  ? dump_stack_print_info.cold.0+0x1b/0x1b
[   32.514164]  ? do_raw_spin_lock+0xcf/0x220
[   32.518848]  ubsan_epilogue+0x9/0x7a
[   32.522940]  handle_null_ptr_deref+0x16b/0x1e0
[   32.528008]  ? ucs2_as_utf8+0x6b0/0x6b0
[   32.532397]  ? __x64_sys_sendto+0xe6/0x1d0
[   32.537079]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.543025]  __ubsan_handle_type_mismatch_v1+0x16b/0x19e
[   32.549054]  ? ubsan_type_mismatch_common.part.5.cold.9+0x1bb/0x1bb
[   32.556168]  ? fib_find_node+0x350/0x350
[   32.560655]  tnode_free+0x115/0x180
[   32.564655]  replace+0x21d/0x5e0
[   32.568361]  ? fib_insert_alias+0x1b20/0x1b20
[   32.573332]  ? put_child+0x546/0x7b0
[   32.577427]  ? __kmalloc+0x1b1/0x5f0
[   32.581520]  ? fib_trie_seq_start+0x510/0x510
[   32.586497]  resize+0x1253/0x2150
[   32.590299]  ? netlink_sendmsg+0x7b5/0x10c0
[   32.595074]  ? __sys_sendto+0x340/0x680
[   32.599460]  ? do_syscall_64+0x14b/0x720
[   32.603954]  ? __node_free_rcu+0x70/0x70
[   32.608442]  ? rcu_lockdep_current_cpu_online+0x1e7/0x2c0
[   32.614578]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[   32.620435]  ? lockdep_rtnl_is_held+0x16/0x20
[   32.625401]  ? put_child+0x546/0x7b0
[   32.629494]  ? __kmalloc+0x1b1/0x5f0
[   32.633586]  ? fib_trie_seq_start+0x510/0x510
[   32.638561]  ? tnode_new+0x6c/0x310
[   32.642561]  fib_insert_alias+0xe9c/0x1b20
[   32.647246]  ? resize+0x2150/0x2150
[   32.651238]  ? __atomic_notifier_call_chain+0xb0/0x150
[   32.657081]  ? __atomic_notifier_call_chain+0x5/0x150
[   32.662827]  ? lock_downgrade+0x750/0x750
[   32.667412]  ? rcu_read_lock_bh_held+0xc0/0xc0
[   32.672481]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[   32.678338]  ? __atomic_notifier_call_chain+0xcd/0x150
[   32.684187]  ? call_fib_notifiers+0x3d/0x90
[   32.688955]  ? call_fib_entry_notifiers+0x2a8/0x3f0
[   32.694508]  ? tnode_free+0x180/0x180
[   32.698701]  ? kmem_cache_alloc+0x37d/0x530
[   32.703477]  ? fib_net_init+0x3d0/0x3d0
[   32.707866]  fib_table_insert+0x8b2/0x18d0
[   32.712552]  ? fib_new_table+0xd1/0x5c0
[   32.716929]  ? inet_addr_type_dev_table+0x420/0x420
[   32.722470]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[   32.728314]  ? replace+0x5e0/0x5e0
[   32.732213]  ? rcu_read_lock_bh_held+0xc0/0xc0
[   32.737279]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[   32.743126]  ? fib_magic+0x5dd/0x980
[   32.747222]  fib_magic+0x5dd/0x980
[   32.751124]  ? fib_new_table+0x5c0/0x5c0
[   32.755620]  ? fib_add_ifaddr+0x38c/0x4a0
[   32.760205]  fib_netdev_event+0x114/0x390
[   32.764786]  notifier_call_chain+0x127/0x2c0
[   32.769664]  ? __se_sys_setns.cold.2+0x15/0x15
[   32.774730]  ? rtnl_is_locked+0x61/0xc0
[   32.779115]  ? rtnl_trylock+0x20/0x20
[   32.783298]  ? netlink_broadcast+0xf/0x20
[   32.787876]  ? nlmsg_notify+0x84/0x190
[   32.792173]  __dev_notify_flags+0x13f/0x410
[   32.796943]  ? dev_change_name+0xd90/0xd90
[   32.801621]  ? rtnl_bridge_getlink+0xcb0/0xcb0
[   32.806686]  ? __lock_acquire+0x6ad/0x3b10
[   32.811369]  ? print_irqtrace_events+0x280/0x280
[   32.816625]  ? __lock_acquire+0x6ad/0x3b10
[   32.821310]  dev_change_flags+0xea/0x140
[   32.825792]  do_setlink+0xb27/0x4300
[   32.829885]  ? debug_check_no_locks_freed+0x260/0x260
[   32.835635]  ? rtnl_link_get_net_capable.constprop.10+0x2b0/0x2b0
[   32.842546]  ? print_irqtrace_events+0x280/0x280
[   32.847804]  ? debug_check_no_locks_freed+0x260/0x260
[   32.853551]  ? debug_check_no_locks_freed+0x260/0x260
[   32.859297]  ? print_irqtrace_events+0x280/0x280
[   32.864553]  ? __lock_acquire+0x6ad/0x3b10
[   32.869230]  ? debug_check_no_locks_freed+0x260/0x260
[   32.874964]  ? debug_check_no_locks_freed+0x260/0x260
[   32.880712]  ? debug_check_no_locks_freed+0x260/0x260
[   32.886463]  ? __lock_acquire+0x6ad/0x3b10
[   32.891135]  ? print_irqtrace_events+0x280/0x280
[   32.896399]  ? __is_insn_slot_addr+0x238/0x490
[   32.901474]  ? lock_acquire+0x1a2/0x5a0
[   32.905859]  ? rtnetlink_rcv_msg+0x359/0xb10
[   32.910733]  ? lock_release+0x980/0x980
[   32.915124]  ? finish_task_switch+0xc10/0xc10
[   32.920096]  ? __bpf_trace_xdp_cpumap_enqueue+0x10/0x10
[   32.926046]  ? __mutex_lock+0xd17/0x1b50
[   32.930529]  ? rtnetlink_rcv_msg+0x359/0xb10
[   32.935398]  ? __lock_acquire+0x6ad/0x3b10
[   32.940080]  ? __ww_mutex_wakeup_for_backoff+0x330/0x330
[   32.946120]  ? memset+0x1f/0x40
[   32.949729]  ? nla_parse+0x7d/0x4e0
[   32.953726]  ? nla_validate+0x360/0x360
[   32.958121]  rtnl_setlink+0x256/0x400
[   32.962313]  ? do_setlink+0x4300/0x4300
[   32.966732]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[   32.972582]  ? security_capable+0x4e/0x90
[   32.977167]  rtnetlink_rcv_msg+0x3aa/0xb10
[   32.981848]  ? rtnl_get_link+0x2c0/0x2c0
[   32.986333]  ? netlink_lookup+0xb9/0x140
[   32.990813]  ? netlink_seq_show+0x620/0x620
[   32.995592]  netlink_rcv_skb+0x13a/0x390
[   33.000071]  ? rtnl_get_link+0x2c0/0x2c0
[   33.004554]  ? finish_task_switch+0xc10/0xc10
[   33.009512]  ? netlink_ack+0xa90/0xa90
[   33.013815]  netlink_unicast+0x45f/0x6e0
[   33.018302]  ? netlink_sendskb+0x60/0x60
[   33.022787]  ? aa_af_perm+0x520/0x520
[   33.026975]  ? lock_downgrade+0x750/0x750
[   33.031554]  ? lock_release+0x980/0x980
[   33.035935]  ? security_socket_getpeersec_dgram+0x52/0xa0
[   33.042074]  netlink_sendmsg+0x7b5/0x10c0
[   33.046660]  ? nlmsg_notify+0x190/0x190
[   33.051052]  ? nlmsg_notify+0x190/0x190
[   33.055435]  sock_sendmsg+0xdf/0x180
[   33.059528]  __sys_sendto+0x340/0x680
[   33.063723]  ? __ia32_sys_getpeername+0xc0/0xc0
[   33.068921]  ? kernel_setsockopt+0x340/0x340
[   33.073885]  ? __sys_socket+0x148/0x220
[   33.078275]  ? __bpf_trace_sys_enter+0x10/0x10
[   33.083344]  __x64_sys_sendto+0xe6/0x1d0
[   33.087827]  ? trace_hardirqs_on_caller+0x3d0/0x630
[   33.093378]  do_syscall_64+0x14b/0x720
[   33.097668]  ? syscall_return_slowpath+0x560/0x560
[   33.103126]  ? syscall_return_slowpath+0x38d/0x560
[   33.108582]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   33.114528]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.119890]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.125636] RIP: 0033:0x7fc408e74da7
[   33.129730] RSP: 002b:00007ffd4f2cf4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   33.138319] RAX: ffffffffffffffda RBX: 000055e490a09390 RCX: 00007fc408e74da7
[   33.146397] RDX: 0000000000000020 RSI: 000055e490a07890 RDI: 0000000000000004
[   33.154476] RBP: 000055e490a0dad0 R08: 00007ffd4f2cf4f0 R09: 0000000000000010
[   33.162544] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   33.170622] R13: 00007ffd4f2cf564 R14: 00007ffd4f2cf5d0 R15: 000055e490a07a60
[   33.178717] ================================================================================


* Re: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
  2018-06-08  0:07 ` Jakub Kicinski
@ 2018-06-08  1:27   ` David Ahern
  0 siblings, 0 replies; 3+ messages in thread
From: David Ahern @ 2018-06-08  1:27 UTC (permalink / raw)
  To: Jakub Kicinski, Stephen Hemminger; +Cc: netdev, David Miller

On 6/7/18 5:07 PM, Jakub Kicinski wrote:

>> After recompiling the 4.16.7 kernel with gcc 8.1, UBSAN reports the following:
>>
>> [   25.427424]
>> ================================================================================
>> [   25.429680] UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
>> [   25.431920] member access within null pointer of type 'struct tnode'
>> [   25.434153] CPU: 3 PID: 1 Comm: systemd Not tainted 4.16.7-CUSTOM #1
>> [   25.436384] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
>> [   25.438647] Call Trace:
>> [   25.440889]  dump_stack+0x62/0x9f
>> [   25.443104]  ubsan_epilogue+0x9/0x35
>> [   25.445293]  handle_null_ptr_deref+0x80/0x90
>> [   25.447464]  __ubsan_handle_type_mismatch_v1+0x6a/0x80
>> [   25.449628]  tnode_free+0xce/0x120

Arguably this one should be guarded:

diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 5bc0c89e81e4..32c589059fb3 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -501,7 +501,8 @@ static void tnode_free(struct key_vector *tn)
                tnode_free_size += TNODE_SIZE(1ul << tn->bits);
                node_free(tn);

-               tn = container_of(head, struct tnode, rcu)->kv;
+               if (head)
+                       tn = container_of(head, struct tnode, rcu)->kv;
        }

        if (tnode_free_size >= PAGE_SIZE * sync_pages) {
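Review bot: the added `if (head)` leaves `tn` pointing at the node that `node_free(tn)` just released once the list is exhausted, so correctness still rests on the enclosing loop testing `head` before it touches `tn` again; hoisting the next-node computation to the top of the loop body (compute `container_of(head, struct tnode, rcu)->kv` while `head` is known to be non-NULL, save `head->next`, then free the previous node) removes the null-pointer `container_of(...)->kv` that UBSAN reports at line 503 without the extra branch and without carrying a freed pointer out of the loop. When this goes out as a real patch, the commit message should also spell out that `->kv` on the `container_of` result is only an address computation, which is why nothing ever crashed, but is still undefined behaviour that gcc 8.1 instruments and gcc 7.3.1 did not, so it is not mistaken for a cosmetic UBSAN silencer.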


But if head is NULL, tn is set but not dereferenced, as the loop breaks.

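The loop under discussion, as an added example that is not part of the thread and not the kernel's code: a user-space model that reproduces the reported shape of tnode_free(), the guard proposed above, and a restructured loop that never hands NULL to container_of. Every identifier prefixed model_, the build_list() helper and the TNODE_SIZE formula are assumptions made for the illustration; the one kernel detail kept on purpose is that the RCU head is the first member of struct tnode, which is why the report says "null pointer" rather than some bogus address.

```c
/*
 * Added example, not kernel code and not from anyone in this thread: a
 * user-space model of the tnode_free() loop UBSAN flagged at fib_trie.c:503.
 * "model_" names are invented; the one kernel detail kept on purpose is that
 * the RCU head is the node's first member, so container_of(NULL, .., rcu)
 * is itself NULL. Build: gcc -std=c11 -Wall -fsanitize=undefined model.c
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct model_head { struct model_head *next; };   /* stand-in for callback_head */
struct model_key_vector { unsigned char bits; };  /* stand-in for key_vector */
struct model_tnode {                              /* stand-in for tnode */
	struct model_head rcu;                    /* first member, as in the kernel */
	struct model_key_vector kv[1];
};

/* per-node accounting like the kernel's; the exact formula is not the point */
#define TNODE_SIZE(n) (sizeof(struct model_tnode) + (n) * sizeof(void *))

static struct model_tnode *tn_info(struct model_key_vector *kv)
{
	return container_of(kv, struct model_tnode, kv);
}

/* Constructed input: a chain of n nodes; returns the first node's kv. */
static struct model_key_vector *build_list(const unsigned char *bits, size_t n)
{
	struct model_tnode *first = NULL, *prev = NULL;

	for (size_t i = 0; i < n; i++) {
		struct model_tnode *t = calloc(1, sizeof(*t));

		if (!t)
			abort();
		t->kv[0].bits = bits[i];
		if (prev)
			prev->rcu.next = &t->rcu;
		else
			first = t;
		prev = t;
	}
	return first ? first->kv : NULL;
}

/* Shape of the 4.16 loop. On the final pass head is NULL, so the
 * container_of(...)->kv below is the "member access within null pointer"
 * UBSAN reports; tn is never read again, which is why it never crashed. */
static size_t free_list_unguarded(struct model_key_vector *tn, size_t *freed)
{
	struct model_head *head = &tn_info(tn)->rcu;
	size_t total = 0;

	while (head) {
		head = head->next;
		total += TNODE_SIZE(1ul << tn->bits);
		free(tn_info(tn));
		(*freed)++;
		tn = container_of(head, struct model_tnode, rcu)->kv; /* UB when head == NULL */
	}
	return total;
}

/* The guard proposed in the thread: skip the computation once head is NULL. */
static size_t free_list_guarded(struct model_key_vector *tn, size_t *freed)
{
	struct model_head *head = &tn_info(tn)->rcu;
	size_t total = 0;

	while (head) {
		head = head->next;
		total += TNODE_SIZE(1ul << tn->bits);
		free(tn_info(tn));
		(*freed)++;
		if (head)
			tn = container_of(head, struct model_tnode, rcu)->kv;
	}
	return total;
}

/* Alternative: derive the node from head at the top of the body, so NULL
 * never reaches container_of and no freed pointer survives the loop. */
static size_t free_list_hoisted(struct model_key_vector *tn, size_t *freed)
{
	struct model_head *head = &tn_info(tn)->rcu;
	size_t total = 0;

	while (head) {
		struct model_tnode *node = container_of(head, struct model_tnode, rcu);

		head = head->next;                   /* read the link before freeing */
		total += TNODE_SIZE(1ul << node->kv[0].bits);
		free(node);
		(*freed)++;
	}
	return total;
}

int main(void)
{
	static const unsigned char bits[] = {1, 2, 3, 4};   /* constructed input */
	size_t n = 0, bytes;

	bytes = free_list_unguarded(build_list(bits, 4), &n);
	printf("unguarded: %zu nodes, %zu bytes (UBSAN complains here)\n", n, bytes);
	n = 0;
	bytes = free_list_hoisted(build_list(bits, 4), &n);
	printf("hoisted:   %zu nodes, %zu bytes\n", n, bytes);
	return 0;
}
```

All three loops free the same nodes and account the same byte total; with -fsanitize=undefined only free_list_unguarded() produces a "member access within null pointer" message of the same kind as the kernel report. The hoisted form is what falls out of computing the next node while head is still known to be non-NULL, which is also the variant that never keeps a pointer to freed memory after the loop.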
