BPF Archive on lore.kernel.org
From: Thomas Reim <reimth@gmail.com>
To: bpf@vger.kernel.org
Cc: reimth@gmail.com
Subject: Re: BUG: kernel NULL pointer dereference in __cgroup_bpf_run_filter_skb
Date: Wed, 1 Jul 2020 08:46:11 +0200
Message-ID: <14498254-3673-bda9-a163-4b6db4999cbd@gmail.com> (raw)
In-Reply-To: <CAOLRBTUSkRbku25rbw6Fyb019wFqFvEN=6xGM+RgFJFQ=NH4KQ@mail.gmail.com>

> We have experienced a kernel BPF null pointer dereference issue on all
> our machines since mid-June. It might be related to an upgrade of
> libvirt/kvm/qemu at that point in time. But we're not sure.
>
...
> We experienced the kernel freeze on the following Arch Linux kernels:
> - 5.7.0 (5.7.0-3-MANJARO x64)
> - 5.6.16 (5.6.16-1-MANJARO x64)
> - 5.4.44 (5.4.44-1-MANJARO x64)
> - 4.19.126 (4.19.126-1-MANJARO x64)
> - 4.14.183 (4.14.183-1-MANJARO x64)
> Kernel configs can be taken from https://gitlab.manjaro.org/packages/core.
>
> Subsequent e-mails will contain the relevant extracts from journal or
> netconsole logs.
>
> Help and support on this issue are welcome.
>
Linux Kernel 5.6.16 (5.6.16-1-MANJARO x64)

BUG: kernel NULL pointer dereference, address: 0000000000000010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 988 Comm: nfsd Not tainted 5.6.16-1-MANJARO #1
Hardware name: ASUS All Series/CS-B, BIOS 3602 03/26/2018
RIP: 0010:__cgroup_bpf_run_filter_skb+0x196/0x230
Code: 48 89 73 18 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 31 c0 c3 c3 e8 38 ef ec ff e8 f3 2d f2 ff 48 8b 85 38 06 00 00 31 ed <48> 8b 78 10 4c 8d 70 10 48 85 ff 74 34 49 8b 46 08 65 48 89 05 d1
RSP: 0018:ffffa3e54097f9f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff962908bb82e0 RCX: 0000000000000034
RDX: 0000000000000000 RSI: ffff962907408900 RDI: ffffffffa2df2178
RBP: 0000000000000000 R08: ffff96290981ed20 R09: 000000000000fa4c
R10: 0000000000007d26 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff96290ff00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 00000003e185e005 CR4: 00000000001626e0
Call Trace:
  ? __local_bh_enable_ip+0x33/0x70
  ip_finish_output+0x68/0xa0
  ip_output+0x76/0x130
  ? __ip_local_out+0x4b/0x170
  __ip_queue_xmit+0x186/0x440
  ? __switch_to_asm+0x34/0x70
  ? __switch_to_asm+0x40/0x70
  __tcp_transmit_skb+0x53e/0xbf0
  ? __switch_to_asm+0x34/0x70
  tcp_write_xmit+0x391/0x11b0
  __tcp_push_pending_frames+0x32/0xf0
  do_tcp_sendpages+0x5f8/0x630
  tcp_sendpage+0x48/0x80
  inet_sendpage+0x52/0x90
  kernel_sendpage+0x1a/0x30
  svc_send_common+0x62/0x150 [sunrpc]
  svc_sendto+0xd7/0x240 [sunrpc]
  svc_tcp_sendto+0x36/0x50 [sunrpc]
  svc_send+0x7b/0x190 [sunrpc]
  nfsd+0xed/0x150 [nfsd]
  ? nfsd_destroy+0x60/0x60 [nfsd]
  kthread+0x117/0x130
  ? __kthread_bind_mask+0x60/0x60
  ret_from_fork+0x35/0x40
Modules linked in: rpcsec_gss_krb5 vhost_net vhost tap tun fuse bridge stp llc nct6775 hwmon_vid nls_iso8859_1 nls_cp437 vfat fat joydev mousedev input_leds intel_rapl_msr ofpart cmdlinepart intel_spi_platform intel_spi mei_wdt mei_hdcp spi_nor mtd iTCO_wdt iTCO_vendor_support eeepc_wmi asus_wmi battery sparse_keymap rfkill wmi_bmof intel_rapl_common snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm i915 irqbypass crct10dif_pclmul snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio crc32_pclmul snd_hda_intel i2c_algo_bit ghash_clmulni_intel snd_intel_dspcfg aesni_intel crypto_simd snd_hda_codec drm_kms_helper cryptd glue_helper intel_cstate pcspkr i2c_i801 intel_uncore snd_hda_core intel_rapl_perf snd_hwdep cec snd_pcm r8169 rc_core realtek intel_gtt snd_timer syscopyarea mei_me libphy lpc_ich snd mei e1000e sysfillrect soundcore sysimgblt fb_sys_fops wmi evdev mac_hid nfsd nfsv4 dns_resolver nfs_acl nfs lockd auth_rpcgss grace drm sunrpc
  fscache agpgart ip_tables x_tables ext4 crc16 mbcache jbd2 hid_logitech_hidpp hid_logitech_dj dm_thin_pool dm_persistent_data libcrc32c crc32c_generic dm_bio_prison dm_bufio hid_generic usbhid hid dm_mod crc32c_intel sr_mod xhci_pci cdrom xhci_hcd ehci_pci ehci_hcd
CR2: 0000000000000010
---[ end trace 50bcc1a93a161137 ]---
RIP: 0010:__cgroup_bpf_run_filter_skb+0x196/0x230
Code: 48 89 73 18 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 31 c0 c3 c3 e8 38 ef ec ff e8 f3 2d f2 ff 48 8b 85 38 06 00 00 31 ed <48> 8b 78 10 4c 8d 70 10 48 85 ff 74 34 49 8b 46 08 65 48 89 05 d1
RSP: 0018:ffffa3e54097f9f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff962908bb82e0 RCX: 0000000000000034
RDX: 0000000000000000 RSI: ffff962907408900 RDI: ffffffffa2df2178
RBP: 0000000000000000 R08: ffff96290981ed20 R09: 000000000000fa4c
R10: 0000000000007d26 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff96290ff00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 00000003e185e005 CR4: 00000000001626e0
note: nfsd[988] exited with preempt_count 1
-- Reboot --
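The following is an added example, not part of this message or of the thread: a small Python parser for x86-64 oops output of the kind pasted above, run on a trimmed copy of the report's own lines (one register dump, a shortened call trace, and the line-wrapped module list). It pulls out the fault address, the RIP symbol and offset, the bytes from the `<xx>` marker that the kernel places at the faulting instruction, the register values, the call-trace frames with their "?" uncertainty flag, and the module list, then applies the two checks a triager makes first: CR2 must agree with the address on the BUG line, and an address inside the first page means a NULL base plus a struct field offset rather than a wild pointer. For this report the marked bytes `48 8b 78 10` encode `mov 0x10(%rax),%rdi` with RAX = 0, which is exactly the 0x10 fault address shown. Nothing beyond the Python standard library is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: a trimmed copy of the oops in the report above (one register dump, shortened call trace and module list).
OOPS_TEXT = """\
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 2 PID: 988 Comm: nfsd Not tainted 5.6.16-1-MANJARO #1
RIP: 0010:__cgroup_bpf_run_filter_skb+0x196/0x230
Code: 48 89 73 18 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 31 c0 c3 c3 e8 38 ef ec ff e8 f3 2d f2 ff 48 8b 85 38 06 00 00 31 ed <48> 8b 78 10 4c 8d 70 10 48 85 ff 74 34 49 8b 46 08 65 48 89 05 d1
RAX: 0000000000000000 RBX: ffff962908bb82e0 RCX: 0000000000000034
CR2: 0000000000000010 CR3: 00000003e185e005 CR4: 00000000001626e0
Call Trace:
  ? __local_bh_enable_ip+0x33/0x70
  ip_finish_output+0x68/0xa0
  svc_send_common+0x62/0x150 [sunrpc]
  nfsd+0xed/0x150 [nfsd]
Modules linked in: rpcsec_gss_krb5 vhost_net vhost tap tun fuse nfsd nfsv4 sunrpc
  fscache agpgart ip_tables x_tables ext4
CR2: 0000000000000010
---[ end trace 50bcc1a93a161137 ]---
"""

@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    module: Optional[str] = None
    uncertain: bool = False  # '? ' prefix: stale stack slot, not a confirmed call

@dataclass
class Oops:
    fault_addr: Optional[int] = None
    pid: Optional[int] = None
    comm: str = ""
    kernel: str = ""
    tainted: bool = False
    rip: Optional[Frame] = None
    insn_at_rip: List[int] = field(default_factory=list)  # Code: bytes from the <xx> marker on
    regs: Dict[str, int] = field(default_factory=dict)
    call_trace: List[Frame] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)

BUG_RE = re.compile(r'BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)')
CPU_RE = re.compile(r'CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+) '
                    r'(?P<taint>Not tainted|Tainted:.*?)\s+(?P<kver>\S+)\s+#\d+$')
RIP_RE = re.compile(r'RIP: [0-9a-f]{4}:(?P<rest>.+)')
FRAME_RE = re.compile(r'^(?P<q>\?\s+)?(?P<sym>[A-Za-z_.][\w.]*)\+0x(?P<off>[0-9a-f]+)'
                      r'/0x(?P<size>[0-9a-f]+)(?:\s+\[(?P<mod>[^\]]+)\])?$')
REG_RE = re.compile(r'(?<![A-Za-z])([A-Z]{2,3}\d{0,2}):\s*([0-9a-f]{16})\b')

def parse_frame(s: str) -> Optional[Frame]:
    m = FRAME_RE.match(s.strip())
    return m and Frame(m['sym'], int(m['off'], 16), int(m['size'], 16), m['mod'], bool(m['q']))

def parse_oops(text: str) -> Oops:
    oops, section = Oops(), None
    for line in text.splitlines():
        s = line.strip()
        if section == 'modules' and line[:1].isspace():
            oops.modules += s.split()  # wrapped continuation of the module list
            continue
        if section == 'trace' and (frame := parse_frame(s)):
            oops.call_trace.append(frame)
            continue
        section = None
        if m := BUG_RE.match(s):
            oops.fault_addr = int(m.group(1), 16)
        elif m := CPU_RE.match(s):
            oops.pid, oops.comm, oops.kernel = int(m['pid']), m['comm'], m['kver']
            oops.tainted = m['taint'] != 'Not tainted'
        elif m := RIP_RE.match(s):
            oops.rip = parse_frame(m['rest'])
        elif s.startswith('Code:'):
            toks = s.split()[1:]
            marker = next((i for i, t in enumerate(toks) if t.startswith('<')), len(toks))
            oops.insn_at_rip = [int(t.strip('<>'), 16) for t in toks[marker:]]
        elif s == 'Call Trace:':
            section = 'trace'
        elif s.startswith('Modules linked in:'):
            oops.modules, section = s.split(':', 1)[1].split(), 'modules'
        else:
            for name, val in REG_RE.findall(s):  # RAX..R15, CR0..CR4 lines
                oops.regs[name] = int(val, 16)
    return oops

def is_null_plus_offset(oops: Oops) -> bool:
    # A fault inside the first page is a NULL base plus a struct field offset.
    return oops.fault_addr is not None and oops.fault_addr < 4096

def fault_address_consistent(oops: Oops) -> bool:
    # CR2 holds the faulting linear address; it must agree with the BUG line.
    return oops.regs.get('CR2') == oops.fault_addr

def confirmed_frames(oops: Oops) -> List[Frame]:
    # Frames the unwinder vouched for; '?' entries are leftovers on the stack.
    return [f for f in oops.call_trace if not f.uncertain]
```

`parse_oops(OOPS_TEXT)` yields a record whose confirmed path reads ip_finish_output, svc_send_common [sunrpc], nfsd [nfsd], with `__local_bh_enable_ip` flagged as an uncertain frame; feeding it a full journal excerpt works the same way, since lines the parser does not recognise are ignored and the `Modules linked in:` continuation line is folded into the module list.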



Thread overview: 14+ messages
2020-06-30 14:28 Rudi Ratloser
2020-06-30 14:56 ` Daniel Borkmann
2020-07-01  7:08   ` Thomas Reim
2020-07-01  6:46 ` Thomas Reim [this message]
2020-07-01  6:51 ` Thomas Reim
2020-07-01  6:58 ` Thomas Reim
  -- strict thread matches above, loose matches on Subject: below --
2020-06-30 15:11 Rudi Ratloser
     [not found] <20200530074608.GA60664@fnst.localdomain>
2020-06-02 21:46 ` Brenden Blanco
2020-06-02 22:17   ` Alexei Starovoitov
2020-06-03  6:20     ` Lu Fengqi
2020-06-03  8:22       ` Lu Fengqi
2020-06-09 20:50     ` Daniel Borkmann
2020-06-10  1:37       ` Zefan Li
2020-06-03  6:16   ` Lu Fengqi
