* [PATCH v2 0/3] Fix three issues found by syzbot
From: Ying Xue @ 2019-08-12 7:32 UTC
To: davem, netdev
Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski
In this series, try to fix two memory leak issues and another issue of
calling smp_processor_id() in preemptible context.
Changes since v1:
- Fix "Reported-by:" missing in patch #3, which was reported by Jakub
Kicinski
Ying Xue (3):
tipc: fix memory leak issue
tipc: fix memory leak issue
tipc: fix issue of calling smp_processor_id() in preemptible
net/tipc/group.c | 22 +++++++++++++---------
net/tipc/node.c | 7 +++++--
net/tipc/udp_media.c | 12 +++++++++---
3 files changed, 27 insertions(+), 14 deletions(-)
--
2.7.4
* [PATCH v2 1/3] tipc: fix memory leak issue
From: Ying Xue @ 2019-08-12 7:32 UTC
To: davem, netdev
Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski
syzbot found the following memory leak:
[ 68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff88810df83c00 (size 512):
comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
hex dump (first 32 bytes):
38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff 8.......8.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0
[<000000004c563922>] __alloc_skb+0x6e/0x210
[<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80
[<00000000d151ef84>] tipc_msg_create+0x37/0xe0
[<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
[<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
[<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
[<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0
[<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0
[<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
[<00000000b6375182>] tipc_group_delete+0xe6/0x130
[<000000000361ba2b>] tipc_sk_leave+0x57/0xb0
[<000000009df90505>] tipc_release+0x7b/0x5e0
[<000000009f3189da>] __sock_release+0x4b/0xe0
[<00000000d3568ee0>] sock_close+0x1b/0x30
[<00000000266a6215>] __fput+0xed/0x300
Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
---
net/tipc/node.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/tipc/node.c b/net/tipc/node.c
index 7ca0190..d1852fc 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1469,10 +1469,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
spin_unlock_bh(&le->lock);
tipc_node_read_unlock(n);
- if (unlikely(rc == -ENOBUFS))
+ if (unlikely(rc == -ENOBUFS)) {
tipc_node_link_down(n, bearer_id, false);
- else
+ skb_queue_purge(list);
+ skb_queue_purge(&xmitq);
+ } else {
tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr);
+ }
tipc_node_put(n);
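Review bot: the commit message reproduces the kmemleak report but never states what leaks or why this hunk fixes it; in the -ENOBUFS branch the skbs still queued in `list` and `xmitq` were previously left unfreed once the link was taken down, and that should be written down. Also, skb_queue_purge() takes the queue's spinlock via skb_dequeue(), so if either `list` or `xmitq` was set up with __skb_queue_head_init() (which leaves the lock uninitialised) lockdep will complain; the lockless __skb_queue_purge() is the right call for queues that are private to this path. Finally, purging the caller-supplied `list` on failure changes who owns its remaining skbs, which deserves a comment at this site or a sentence in the commit message.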
--
2.7.4
* [PATCH v2 2/3] tipc: fix memory leak issue
From: Ying Xue @ 2019-08-12 7:32 UTC
To: davem, netdev
Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski
syzbot found the following memory leak issue:
[ 72.286706][ T7064] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff888122bca200 (size 128):
comm "syz-executor232", pid 7065, jiffies 4294943817 (age 8.880s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 a2 bc 22 81 88 ff ff ..........."....
backtrace:
[<000000005bada299>] kmem_cache_alloc_trace+0x145/0x2c0
[<00000000e7bcdc9f>] tipc_group_create_member+0x3c/0x190
[<0000000005f56f40>] tipc_group_add_member+0x34/0x40
[<0000000044406683>] tipc_nametbl_build_group+0x9b/0xf0
[<000000009f71e803>] tipc_setsockopt+0x170/0x490
[<000000007f61cbc2>] __sys_setsockopt+0x10f/0x220
[<00000000cc630372>] __x64_sys_setsockopt+0x26/0x30
[<00000000ec30be33>] do_syscall_64+0x76/0x1a0
[<00000000271be3e6>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reported-by: syzbot+f95d90c454864b3b5bc9@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
---
net/tipc/group.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/net/tipc/group.c b/net/tipc/group.c
index 5f98d38..cbc540a 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_find_node(struct tipc_group *grp,
return NULL;
}
-static void tipc_group_add_to_tree(struct tipc_group *grp,
- struct tipc_member *m)
+struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp,
+ struct tipc_member *m)
{
u64 nkey, key = (u64)m->node << 32 | m->port;
struct rb_node **n, *parent = NULL;
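Review bot: dropping `static` from tipc_group_add_to_tree() turns it into a global symbol although it is still only called from group.c and has no prototype in any header; keep it as `static struct tipc_member *tipc_group_add_to_tree(...)`, which is all the return-value change needs, otherwise sparse and -Wmissing-prototypes will warn. The new contract (return the inserted member, or the already present member when the (node, port) key is a duplicate) also deserves a short comment above the function.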
@@ -282,7 +282,6 @@ static void tipc_group_add_to_tree(struct tipc_group *grp,
n = &grp->members.rb_node;
while (*n) {
- tmp = container_of(*n, struct tipc_member, tree_node);
parent = *n;
tmp = container_of(parent, struct tipc_member, tree_node);
nkey = (u64)tmp->node << 32 | tmp->port;
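Review bot: the removed line `tmp = container_of(*n, struct tipc_member, tree_node);` is a redundant assignment that the following line repeats through `parent`, so this is a cleanup unrelated to the leak; either mention it in the commit message or split it into its own patch so the fix stays minimal and easy to backport.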
@@ -291,17 +290,18 @@ static void tipc_group_add_to_tree(struct tipc_group *grp,
else if (key > nkey)
n = &(*n)->rb_right;
else
- return;
+ return tmp;
}
rb_link_node(&m->tree_node, parent, n);
rb_insert_color(&m->tree_node, &grp->members);
+ return m;
}
static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
u32 node, u32 port,
u32 instance, int state)
{
- struct tipc_member *m;
+ struct tipc_member *m, *n;
m = kzalloc(sizeof(*m), GFP_ATOMIC);
if (!m)
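Review bot: returning `tmp` on a duplicate key is the right signal, but the caller then discards the `instance` and `state` requested for the existing member, so a second registration of the same (node, port) silently loses those fields; a comment stating that the first registration wins would make that intentional rather than accidental. In tipc_group_create_member(), `n` as the name for a `struct tipc_member *` sits uncomfortably next to the `node` parameter and the `n` used for rb_node pointers in the function above; a name like `existing` reads better.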
@@ -315,10 +315,14 @@ static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
m->instance = instance;
m->bc_acked = grp->bc_snd_nxt - 1;
grp->member_cnt++;
- tipc_group_add_to_tree(grp, m);
- tipc_nlist_add(&grp->dests, m->node);
- m->state = state;
- return m;
+ n = tipc_group_add_to_tree(grp, m);
+ if (n == m) {
+ tipc_nlist_add(&grp->dests, m->node);
+ m->state = state;
+ } else {
+ kfree(m);
+ }
+ return n;
}
void tipc_group_add_member(struct tipc_group *grp, u32 node,
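Review bot: `grp->member_cnt++` (the context line just above the change) runs before tipc_group_add_to_tree(), so on the duplicate path the member is freed but the count stays incremented and drifts by one per duplicate; move the increment into the `n == m` branch or decrement it next to `kfree(m)`. Returning `n` rather than `m` also means callers that rely on the return value can no longer tell a fresh allocation from an existing member, so that semantics should be documented on the function.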
--
2.7.4
* [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible
From: Ying Xue @ 2019-08-12 7:32 UTC
To: davem, netdev
Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski
syzbot found the following issue:
[ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
[ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
[ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
[ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.159480][ T8612] Call Trace:
[ 81.162789][ T8612] dump_stack+0x172/0x1f0
[ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280
[ 81.172479][ T8612] dst_cache_get+0x3d/0xb0
[ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80
[ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10
[ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170
[ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560
[ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0
[ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0
[ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0
[ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90
[ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0
[ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360
[ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20
[ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0
[ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360
[ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0
[ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0
[ 81.252020][ T8612] ? __nla_parse+0x43/0x60
[ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0
[ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0
[ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40
[ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0
[ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0
[ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40
[ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90
[ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790
[ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490
[ 81.303852][ T8612] ? __netlink_lookup+0x3fa/0x7b0
[ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c
[ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450
[ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90
[ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50
[ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0
[ 81.332589][ T8612] ? kasan_check_write+0x14/0x20
[ 81.337511][ T8612] genl_rcv+0x29/0x40
[ 81.341485][ T8612] netlink_unicast+0x531/0x710
[ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770
[ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0
[ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f
[ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70
[ 81.372415][ T8612] ? netlink_unicast+0x710/0x710
[ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30
[ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0
[ 81.400240][ T8612] ? netlink_unicast+0x710/0x710
[ 81.405161][ T8612] sock_sendmsg+0xd7/0x130
[ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920
[ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430
[ 81.419667][ T8612] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380
[ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490
[ 81.436174][ T8612] ? kasan_check_read+0x11/0x20
[ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0
[ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720
[ 81.457298][ T8612] ? call_rcu+0xb/0x10
[ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 81.467589][ T8612] ? __fget_light+0x1a9/0x230
[ 81.472249][ T8612] ? __fdget+0x1b/0x20
[ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0
[ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80
[ 81.492208][ T8612] ? blkcg_maybe_throttle_current+0x5e2/0xfb0
[ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 81.503726][ T8612] ? do_syscall_64+0x26/0x680
[ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.514444][ T8612] ? do_syscall_64+0x26/0x680
[ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0
[ 81.523862][ T8612] do_syscall_64+0xfd/0x680
[ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.534234][ T8612] RIP: 0033:0x444679
[ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
[ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
[ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
[ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
[ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000
In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
smp_processor_id(), called by dst_cache_get(), cannot be invoked in
preemptible context; as a result, the complaint above was reported.
Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
Reported-by: syzbot+1a68504d96cd17b33a05@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
---
net/tipc/udp_media.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 287df687..ca3ae2e 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
struct udp_bearer *ub;
int err = 0;
+ local_bh_disable();
+
if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
if (err)
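Review bot: local_bh_disable() at function entry now covers all of tipc_udp_send_msg(), including pskb_expand_head() and the whole replicast loop, which is a much wider non-preemptible window than the dst_cache accesses inside tipc_udp_xmit() that actually need it; consider narrowing the disable/enable pair to those accesses instead. Whatever scope is chosen, every exit between the two calls must stay balanced, and the `if (err)` branch here jumps to a target outside the hunk, so the commit message should confirm it lands on the `out:` label that re-enables BH.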
@@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
goto out;
}
- if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
- return tipc_udp_xmit(net, skb, ub, src, dst,
- &ub->rcast.dst_cache);
+ if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
+ err = tipc_udp_xmit(net, skb, ub, src, dst,
+ &ub->rcast.dst_cache);
+ local_bh_enable();
+ return err;
+ }
/* Replicast, send an skb to each configured IP address */
list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
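Review bot: pairing the early `return err;` in the unicast branch with local_bh_enable() is correct, but the function now has two enable sites that every future early return must remember; since an `out:` label already exists, a `goto out`-style single exit (with the kfree_skb() skipped for the consumed skb, or the skb ownership documented) would avoid the duplicated enable and make the next change harder to get wrong.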
@@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
err = 0;
out:
kfree_skb(skb);
+ local_bh_enable();
return err;
}
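Review bot: re-enabling BH after kfree_skb() at `out:` keeps every `goto out` balanced with the disable at entry, but that balance is now a load-bearing invariant that is not written down anywhere; add a comment next to local_bh_disable() saying that `out:` (and the unicast early return) are the only permitted exits. The trace in the commit message shows this path entered from tipc_enable_bearer() in process context, so with BH disabled across the whole function nothing inside may sleep; the GFP_ATOMIC allocations already satisfy that, and a comment tying them to the BH-disabled region would keep it that way.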
--
2.7.4
* Re: [PATCH v2 1/3] tipc: fix memory leak issue
From: Eric Dumazet @ 2019-08-12 7:54 UTC
To: Ying Xue, davem, netdev
Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski
On 8/12/19 9:32 AM, Ying Xue wrote:
> syzbot found the following memory leak:
>
> [ 68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
> BUG: memory leak
> unreferenced object 0xffff88810df83c00 (size 512):
> comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
> hex dump (first 32 bytes):
> 38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff 8.......8.......
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0
> [<000000004c563922>] __alloc_skb+0x6e/0x210
> [<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80
> [<00000000d151ef84>] tipc_msg_create+0x37/0xe0
> [<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
> [<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
> [<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
> [<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0
> [<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0
> [<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
> [<00000000b6375182>] tipc_group_delete+0xe6/0x130
> [<000000000361ba2b>] tipc_sk_leave+0x57/0xb0
> [<000000009df90505>] tipc_release+0x7b/0x5e0
> [<000000009f3189da>] __sock_release+0x4b/0xe0
> [<00000000d3568ee0>] sock_close+0x1b/0x30
> [<00000000266a6215>] __fput+0xed/0x300
>
> Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com
> Signed-off-by: Hillf Danton <hdanton@sina.com>
> Signed-off-by: Ying Xue <ying.xue@windriver.com>
> ---
> net/tipc/node.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/net/tipc/node.c b/net/tipc/node.c
> index 7ca0190..d1852fc 100644
> --- a/net/tipc/node.c
> +++ b/net/tipc/node.c
> @@ -1469,10 +1469,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
> spin_unlock_bh(&le->lock);
> tipc_node_read_unlock(n);
>
> - if (unlikely(rc == -ENOBUFS))
> + if (unlikely(rc == -ENOBUFS)) {
> tipc_node_link_down(n, bearer_id, false);
> - else
> + skb_queue_purge(list);
> + skb_queue_purge(&xmitq);
This will crash if you enable LOCKDEP
> + } else {
> tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr);
> + }
>
> tipc_node_put(n);
>
>
* Re: [PATCH v2 0/3] Fix three issues found by syzbot
From: David Miller @ 2019-08-12 15:25 UTC
To: ying.xue
Cc: netdev, jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski
From: Ying Xue <ying.xue@windriver.com>
Date: Mon, 12 Aug 2019 15:32:39 +0800
> Ying Xue (3):
> tipc: fix memory leak issue
> tipc: fix memory leak issue
Please make the subject lines for these two patches unique. Perhaps
mention what part of the tipc code has the memory leak you are fixing.
Thanks.
* Re: [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible
From: Dmitry Vyukov @ 2020-02-19 8:29 UTC
To: Ying Xue
Cc: David Miller, netdev, Jon Maloy, Hillf Danton, tipc-discussion, syzkaller-bugs, Jakub Kicinski
On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <ying.xue@windriver.com> wrote:
>
> syzbot found the following issue:
>
> [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
> [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
> [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
> [ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> [ 81.159480][ T8612] Call Trace:
> [ 81.162789][ T8612] dump_stack+0x172/0x1f0
> [ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280
> [ 81.172479][ T8612] dst_cache_get+0x3d/0xb0
> [ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80
> [ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10
> [ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170
> [ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560
> [ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0
> [ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0
> [ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0
> [ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90
> [ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0
> [ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360
> [ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20
> [ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0
> [ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360
> [ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0
> [ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0
> [ 81.252020][ T8612] ? __nla_parse+0x43/0x60
> [ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0
> [ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0
> [ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40
> [ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0
> [ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0
> [ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40
> [ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90
> [ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790
> [ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490
> [ 81.303852][ T8612] ? __netlink_lookup+0x3fa/0x7b0
> [ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c
> [ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450
> [ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90
> [ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50
> [ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0
> [ 81.332589][ T8612] ? kasan_check_write+0x14/0x20
> [ 81.337511][ T8612] genl_rcv+0x29/0x40
> [ 81.341485][ T8612] netlink_unicast+0x531/0x710
> [ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770
> [ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0
> [ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20
> [ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f
> [ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70
> [ 81.372415][ T8612] ? netlink_unicast+0x710/0x710
> [ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170
> [ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30
> [ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0
> [ 81.400240][ T8612] ? netlink_unicast+0x710/0x710
> [ 81.405161][ T8612] sock_sendmsg+0xd7/0x130
> [ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920
> [ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430
> [ 81.419667][ T8612] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
> [ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380
> [ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490
> [ 81.436174][ T8612] ? kasan_check_read+0x11/0x20
> [ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
> [ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0
> [ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720
> [ 81.457298][ T8612] ? call_rcu+0xb/0x10
> [ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [ 81.467589][ T8612] ? __fget_light+0x1a9/0x230
> [ 81.472249][ T8612] ? __fdget+0x1b/0x20
> [ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0
> [ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80
> [ 81.492208][ T8612] ? blkcg_maybe_throttle_current+0x5e2/0xfb0
> [ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c
> [ 81.503726][ T8612] ? do_syscall_64+0x26/0x680
> [ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [ 81.514444][ T8612] ? do_syscall_64+0x26/0x680
> [ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0
> [ 81.523862][ T8612] do_syscall_64+0xfd/0x680
> [ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [ 81.534234][ T8612] RIP: 0033:0x444679
> [ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> [ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> [ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
> [ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
> [ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
> [ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
> [ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000
>
> In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
> dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
> smp_processor_id(), called by dst_cache_get(), cannot be invoked in
> preemptible context; as a result, the complaint above was reported.
>
> Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
> Reported-by: syzbot+1a68504d96cd17b33a05@syzkaller.appspotmail.com
> Signed-off-by: Hillf Danton <hdanton@sina.com>
> Signed-off-by: Ying Xue <ying.xue@windriver.com>
Hi,
Was this ever merged?
The bug is still open, alive and kicking:
https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05
and one of the top crashers currently.
Along with a few other top crashers, these bugs prevent most of the
other kernel testing from happening.
> ---
> net/tipc/udp_media.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
> index 287df687..ca3ae2e 100644
> --- a/net/tipc/udp_media.c
> +++ b/net/tipc/udp_media.c
> @@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> struct udp_bearer *ub;
> int err = 0;
>
> + local_bh_disable();
> +
> if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
> err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
> if (err)
> @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> goto out;
> }
>
> - if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
> - return tipc_udp_xmit(net, skb, ub, src, dst,
> - &ub->rcast.dst_cache);
> + if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
> + err = tipc_udp_xmit(net, skb, ub, src, dst,
> + &ub->rcast.dst_cache);
> + local_bh_enable();
> + return err;
> + }
>
> /* Replicast, send an skb to each configured IP address */
> list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
> @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> err = 0;
> out:
> kfree_skb(skb);
> + local_bh_enable();
> return err;
> }
>
> --
> 2.7.4
>
* Re: [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible
From: Dmitry Vyukov @ 2020-02-19 8:33 UTC
To: Ying Xue
Cc: David Miller, netdev, Hillf Danton, tipc-discussion, syzkaller-bugs, Jakub Kicinski, jmaloy
On Wed, Feb 19, 2020 at 9:29 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <ying.xue@windriver.com> wrote:
> >
> > syzbot found the following issue:
> >
> > [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
> > [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
> > [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
> > [ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > [ 81.159480][ T8612] Call Trace:
> > [ 81.162789][ T8612] dump_stack+0x172/0x1f0
> > [ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280
> > [ 81.172479][ T8612] dst_cache_get+0x3d/0xb0
> > [ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80
> > [ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10
> > [ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170
> > [ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560
> > [ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0
> > [ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0
> > [ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0
> > [ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90
> > [ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0
> > [ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360
> > [ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20
> > [ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0
> > [ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360
> > [ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0
> > [ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0
> > [ 81.252020][ T8612] ? __nla_parse+0x43/0x60
> > [ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0
> > [ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0
> > [ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40
> > [ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0
> > [ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0
> > [ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40
> > [ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90
> > [ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790
> > [ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490
> > [ 81.303852][ T8612] ? __netlink_lookup+0x3fa/0x7b0
> > [ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c
> > [ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450
> > [ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90
> > [ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50
> > [ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0
> > [ 81.332589][ T8612] ? kasan_check_write+0x14/0x20
> > [ 81.337511][ T8612] genl_rcv+0x29/0x40
> > [ 81.341485][ T8612] netlink_unicast+0x531/0x710
> > [ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770
> > [ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0
> > [ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20
> > [ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f
> > [ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70
> > [ 81.372415][ T8612] ? netlink_unicast+0x710/0x710
> > [ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170
> > [ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30
> > [ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> > [ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0
> > [ 81.400240][ T8612] ? netlink_unicast+0x710/0x710
> > [ 81.405161][ T8612] sock_sendmsg+0xd7/0x130
> > [ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920
> > [ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430
> > [ 81.419667][ T8612] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
> > [ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380
> > [ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490
> > [ 81.436174][ T8612] ? kasan_check_read+0x11/0x20
> > [ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
> > [ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0
> > [ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720
> > [ 81.457298][ T8612] ? call_rcu+0xb/0x10
> > [ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> > [ 81.467589][ T8612] ? __fget_light+0x1a9/0x230
> > [ 81.472249][ T8612] ? __fdget+0x1b/0x20
> > [ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> > [ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0
> > [ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80
> > [ 81.492208][ T8612] ? blkcg_maybe_throttle_current+0x5e2/0xfb0
> > [ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c
> > [ 81.503726][ T8612] ? do_syscall_64+0x26/0x680
> > [ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > [ 81.514444][ T8612] ? do_syscall_64+0x26/0x680
> > [ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0
> > [ 81.523862][ T8612] do_syscall_64+0xfd/0x680
> > [ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > [ 81.534234][ T8612] RIP: 0033:0x444679
> > [ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > [ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > [ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
> > [ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
> > [ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
> > [ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
> > [ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000
> >
> > In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
> > dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
> > smp_processor_id(), called by dst_cache_get(), cannot be invoked in
> > preemptible context; as a result, the complaint above was reported.
> >
> > Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
> > Reported-by: syzbot+1a68504d96cd17b33a05@syzkaller.appspotmail.com
> > Signed-off-by: Hillf Danton <hdanton@sina.com>
> > Signed-off-by: Ying Xue <ying.xue@windriver.com>
>
> Hi,
>
> Was this ever merged?
> The bug is still open, alive and kicking:
> https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05
>
> and one of the top crashers currently.
> > Along with a few other top crashers, these bugs prevent most of the
> other kernel testing from happening.
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
+jmaloy new email address
> > ---
> > net/tipc/udp_media.c | 12 +++++++++---
> > 1 file changed, 9 insertions(+), 3 deletions(-)
> >
> > diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
> > index 287df687..ca3ae2e 100644
> > --- a/net/tipc/udp_media.c
> > +++ b/net/tipc/udp_media.c
> > @@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > struct udp_bearer *ub;
> > int err = 0;
> >
> > + local_bh_disable();
> > +
> > if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
> > err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
> > if (err)
> > @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > goto out;
> > }
> >
> > - if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
> > - return tipc_udp_xmit(net, skb, ub, src, dst,
> > - &ub->rcast.dst_cache);
> > + if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
> > + err = tipc_udp_xmit(net, skb, ub, src, dst,
> > + &ub->rcast.dst_cache);
> > + local_bh_enable();
> > + return err;
> > + }
> >
> > /* Replicast, send an skb to each configured IP address */
> > list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
> > @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > err = 0;
> > out:
> > kfree_skb(skb);
> > + local_bh_enable();
> > return err;
> > }
> >
> > --
> > 2.7.4
> >
> > --
> > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/1565595162-1383-4-git-send-email-ying.xue%40windriver.com.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible
2020-02-19 8:33 ` Dmitry Vyukov
@ 2020-02-20 15:44 ` Xin Long
0 siblings, 0 replies; 9+ messages in thread
From: Xin Long @ 2020-02-20 15:44 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: Ying Xue, David Miller, netdev, Hillf Danton, tipc-discussion,
syzkaller-bugs, Jakub Kicinski, jmaloy
On Wed, Feb 19, 2020 at 4:34 PM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Wed, Feb 19, 2020 at 9:29 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <ying.xue@windriver.com> wrote:
> > >
> > > syzbot found the following issue:
> > >
> > > [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
> > > [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
> > > [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
> > > [ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > [ 81.159480][ T8612] Call Trace:
> > > [ 81.162789][ T8612] dump_stack+0x172/0x1f0
> > > [ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280
> > > [ 81.172479][ T8612] dst_cache_get+0x3d/0xb0
> > > [ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80
> > > [ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10
> > > [ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170
> > > [ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560
> > > [ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0
> > > [ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0
> > > [ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0
> > > [ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90
> > > [ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0
In tipc_bearer_xmit_skb(), b->media->send_msg()/tipc_udp_send_msg()
is called under rcu_read_lock(), which already ensures it's a
non-preemptible context.
What I saw here is an imbalanced rcu_read_(un)lock() call somewhere.
> > > [ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360
> > > [ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20
> > > [ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0
> > > [ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360
> > > [ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0
> > > [ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0
> > > [ 81.252020][ T8612] ? __nla_parse+0x43/0x60
> > > [ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0
> > > [ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0
> > > [ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40
> > > [ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0
> > > [ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0
> > > [ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40
> > > [ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90
> > > [ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790
> > > [ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490
> > > [ 81.303852][ T8612] ? __netlink_lookup+0x3fa/0x7b0
> > > [ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c
> > > [ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450
> > > [ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90
> > > [ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50
> > > [ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0
> > > [ 81.332589][ T8612] ? kasan_check_write+0x14/0x20
> > > [ 81.337511][ T8612] genl_rcv+0x29/0x40
> > > [ 81.341485][ T8612] netlink_unicast+0x531/0x710
> > > [ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770
> > > [ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0
> > > [ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20
> > > [ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f
> > > [ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70
> > > [ 81.372415][ T8612] ? netlink_unicast+0x710/0x710
> > > [ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170
> > > [ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30
> > > [ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> > > [ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0
> > > [ 81.400240][ T8612] ? netlink_unicast+0x710/0x710
> > > [ 81.405161][ T8612] sock_sendmsg+0xd7/0x130
> > > [ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920
> > > [ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430
> > > [ 81.419667][ T8612] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
> > > [ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380
> > > [ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490
> > > [ 81.436174][ T8612] ? kasan_check_read+0x11/0x20
> > > [ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
> > > [ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0
> > > [ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720
> > > [ 81.457298][ T8612] ? call_rcu+0xb/0x10
> > > [ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> > > [ 81.467589][ T8612] ? __fget_light+0x1a9/0x230
> > > [ 81.472249][ T8612] ? __fdget+0x1b/0x20
> > > [ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> > > [ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0
> > > [ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80
> > > [ 81.492208][ T8612] ? blkcg_maybe_throttle_current+0x5e2/0xfb0
> > > [ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c
> > > [ 81.503726][ T8612] ? do_syscall_64+0x26/0x680
> > > [ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > [ 81.514444][ T8612] ? do_syscall_64+0x26/0x680
> > > [ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0
> > > [ 81.523862][ T8612] do_syscall_64+0xfd/0x680
> > > [ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > [ 81.534234][ T8612] RIP: 0033:0x444679
> > > [ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > [ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > > [ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
> > > [ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
> > > [ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
> > > [ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
> > > [ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000
> > >
> > > In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
> > > dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
> > > smp_processor_id(), called by dst_cache_get(), cannot be invoked in
> > > preemptible context; as a result, the complaint above was reported.
> > >
> > > Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
> > > Reported-by: syzbot+1a68504d96cd17b33a05@syzkaller.appspotmail.com
> > > Signed-off-by: Hillf Danton <hdanton@sina.com>
> > > Signed-off-by: Ying Xue <ying.xue@windriver.com>
> >
> > Hi,
> >
> > Was this ever merged?
> > The bug is still open, alive and kicking:
> > https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05
> >
> > and one of the top crashers currently.
> > Along with a few other top crashers, these bugs prevent most of the
> > other kernel testing from happening.
>
> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
>
> +jmaloy new email address
>
> > > ---
> > > net/tipc/udp_media.c | 12 +++++++++---
> > > 1 file changed, 9 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
> > > index 287df687..ca3ae2e 100644
> > > --- a/net/tipc/udp_media.c
> > > +++ b/net/tipc/udp_media.c
> > > @@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > > struct udp_bearer *ub;
> > > int err = 0;
> > >
> > > + local_bh_disable();
> > > +
> > > if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
> > > err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
> > > if (err)
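Review bot: the new local_bh_disable() at the top of tipc_udp_send_msg() carries no comment, and the only justification lives in the commit message (dst_cache_get() reaches smp_processor_id(), which must not run in preemptible context). Add a one-line comment above it, e.g. `/* dst_cache_get() uses per-CPU data; keep this path non-preemptible */`, so a later reader does not drop it as redundant with the caller's rcu_read_lock(), which is exactly the reading Xin Long's reply gives it. Putting it before the pskb_expand_head() call is fine since that allocation already uses GFP_ATOMIC, and it means the `if (err) goto out` path directly below is balanced by the enable added at `out:`.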
> > > @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > > goto out;
> > > }
> > >
> > > - if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
> > > - return tipc_udp_xmit(net, skb, ub, src, dst,
> > > - &ub->rcast.dst_cache);
> > > + if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
> > > + err = tipc_udp_xmit(net, skb, ub, src, dst,
> > > + &ub->rcast.dst_cache);
> > > + local_bh_enable();
> > > + return err;
> > > + }
> > >
> > > /* Replicast, send an skb to each configured IP address */
> > > list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
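Review bot: the unicast branch gets its own local_bh_enable() instead of sharing the common exit, and the reason is not visible in the hunk: skb ownership passes to tipc_udp_xmit() here, while the `out:` label calls kfree_skb(skb), so this branch must not fall through to it. A short comment on the `err = tipc_udp_xmit(...)` / `local_bh_enable()` / `return err` sequence would stop it from looking like a missed `goto out` refactor, and would make it clear that every future early return in this function needs the same enable.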
> > > @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > > err = 0;
> > > out:
> > > kfree_skb(skb);
> > > + local_bh_enable();
> > > return err;
> > > }
> > >
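Review bot: with local_bh_enable() placed only after kfree_skb() at `out:`, every `goto out` in the function must now be reached with BHs already disabled; that holds because the disable was added at function entry, above the first `goto out`, but the commit message should say that this is why the disable sits at the top of tipc_udp_send_msg() rather than immediately around the dst_cache_get() call in tipc_udp_xmit(). Consider also moving the enable above kfree_skb(): freeing the skb does not need BHs off, and keeping the disabled region as short as possible is the usual convention.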
> > > --
> > > 2.7.4
> > >
end of thread, other threads:[~2020-02-20 15:43 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-12 7:32 [PATCH v2 0/3] Fix three issues found by syzbot Ying Xue
2019-08-12 7:32 ` [PATCH v2 1/3] tipc: fix memory leak issue Ying Xue
2019-08-12 7:54 ` Eric Dumazet
2019-08-12 7:32 ` [PATCH v2 2/3] " Ying Xue
2019-08-12 7:32 ` [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible Ying Xue
2020-02-19 8:29 ` Dmitry Vyukov
2020-02-19 8:33 ` Dmitry Vyukov
2020-02-20 15:44 ` Xin Long
2019-08-12 15:25 ` [PATCH v2 0/3] Fix three issues found by syzbot David Miller