* Re: tc qdisc kernel crash
[not found] <154947154317.4485.11268926035712969198.reportbug@Telenet-PC>
@ 2019-02-10 15:51 ` Ben Hutchings
2019-02-10 18:30 ` Cong Wang
0 siblings, 1 reply; 2+ messages in thread
From: Ben Hutchings @ 2019-02-10 15:51 UTC (permalink / raw)
To: netdev; +Cc: 921542, Adrian
[-- Attachment #1: Type: text/plain, Size: 4491 bytes --]
Control: tag -1 confirmed upstream
Control: found -1 4.20-1~exp1
Adrian (cc'd) reported (https://bugs.debian.org/921542) that a script
using tc could trigger a kernel crash. I've simplified the script he
provided down to:
--- BEGIN ---
#!/bin/sh -ex
modprobe ifb
while true; do
tc qdisc add dev ifb0 root handle 2:0 prio bands 5
tc qdisc add dev ifb0 parent 2:5 sfq
tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
tc qdisc del dev ifb0 root || true
done
--- END ---
The crash is still reproducible in 4.20 and 5.0-rc5. KASan shows a
use-after-free:
+ modprobe ifb
+ true
+ tc qdisc add dev ifb0 root handle 2:0 prio bands 5
+ tc qdisc add dev ifb0 parent 2:5 sfq
+ tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
+ tc qdisc del dev ifb0 root
+ true
+ tc qdisc add dev ifb0 root handle 2:0 prio bands 5
[ 63.926983] ==================================================================
[ 63.929429] BUG: KASAN: use-after-free in worker_thread+0x327/0x5b0
[ 63.931489] Read of size 8 at addr ffff88804fd22130 by task kworker/u8:1/32
[ 63.933766]
[ 63.934397] CPU: 0 PID: 32 Comm: kworker/u8:1 Not tainted 5.0.0-rc5 #3
[ 63.936629] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 63.939537] Workqueue: (null) (events_unbound)
[ 63.942039] Call Trace:
[ 63.943187] dump_stack+0x71/0xa0
[ 63.944386] ? worker_thread+0x327/0x5b0
[ 63.945881] print_address_description+0x65/0x22e
[ 63.947980] ? worker_thread+0x327/0x5b0
[ 63.949588] ? worker_thread+0x327/0x5b0
[ 63.951254] kasan_report.cold.3+0x1a/0x40
[ 63.953036] ? worker_thread+0x327/0x5b0
[ 63.954692] worker_thread+0x327/0x5b0
[ 63.956236] ? flush_rcu_work+0x40/0x40
[ 63.957722] kthread+0x1ae/0x1d0
[ 63.959067] ? __kthread_parkme+0x90/0x90
[ 63.960451] ret_from_fork+0x35/0x40
[ 63.962020]
[ 63.962817] Allocated by task 757:
[ 63.964465] __kasan_kmalloc.constprop.13+0xc1/0xd0
[ 63.966670] tcindex_alloc_perfect_hash+0x37/0x150 [cls_tcindex]
[ 63.969287] tcindex_set_parms+0xb38/0xd30 [cls_tcindex]
[ 63.972539] tcindex_change+0x13d/0x1c2 [cls_tcindex]
[ 63.974796] tc_new_tfilter+0x7ec/0xaf0
[ 63.976546] rtnetlink_rcv_msg+0x35c/0x490
[ 63.978302] netlink_rcv_skb+0xc6/0x1f0
[ 63.980050] netlink_unicast+0x309/0x3d0
[ 63.981990] netlink_sendmsg+0x37d/0x5e0
[ 63.983849] sock_sendmsg+0x6d/0x80
[ 63.985538] ___sys_sendmsg+0x46a/0x4e0
[ 63.987328] __sys_sendmsg+0xd3/0x160
[ 63.988974] do_syscall_64+0x73/0x140
[ 63.990616] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.992538]
[ 63.993430] Freed by task 9:
[ 63.994660] __kasan_slab_free+0x125/0x170
[ 63.996239] kfree+0x90/0x1d0
[ 63.997496] __tcindex_destroy+0x1f/0x40 [cls_tcindex]
[ 63.999316] rcu_process_callbacks+0x3cb/0x650
[ 64.000889] __do_softirq+0x115/0x3b4
[ 64.003254]
[ 64.004138] The buggy address belongs to the object at ffff88804fd22100
[ 64.004138] which belongs to the cache kmalloc-8k of size 8192
[ 64.009001] The buggy address is located 48 bytes inside of
[ 64.009001] 8192-byte region [ffff88804fd22100, ffff88804fd24100)
[ 64.013752] The buggy address belongs to the page:
[ 64.015906] page:ffffea00013f4800 count:1 mapcount:0 mapping:ffff888051002700 index:0x0 compound_mapcount: 0
[ 64.020237] flags: 0xffffc000010200(slab|head)
[ 64.022176] raw: 00ffffc000010200 dead000000000100 dead000000000200 ffff888051002700
[ 64.025247] raw: 0000000000000000 0000000080030003 00000001ffffffff 0000000000000000
[ 64.028847] page dumped because: kasan: bad access detected
[ 64.031367]
[ 64.033285] Memory state around the buggy address:
[ 64.035276] ffff88804fd22000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.037741] ffff88804fd22080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.040138] >ffff88804fd22100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.042717] ^
[ 64.044794] ffff88804fd22180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.047431] ffff88804fd22200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.049993] ==================================================================
Ben.
--
Ben Hutchings
The world is coming to an end. Please log off.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: tc qdisc kernel crash
2019-02-10 15:51 ` tc qdisc kernel crash Ben Hutchings
@ 2019-02-10 18:30 ` Cong Wang
0 siblings, 0 replies; 2+ messages in thread
From: Cong Wang @ 2019-02-10 18:30 UTC (permalink / raw)
To: Ben Hutchings; +Cc: netdev, 921542, Adrian
On Sun, Feb 10, 2019 at 7:54 AM Ben Hutchings <ben@decadent.org.uk> wrote:
>
> Control: tag -1 confirmed upstream
> Control: found -1 4.20-1~exp1
>
> Adrian (cc'd) reported (https://bugs.debian.org/921542) that a script
> using tc could trigger a kernel crash. I've simplified the script he
> provided down to:
>
> --- BEGIN ---
> #!/bin/sh -ex
>
> modprobe ifb
>
> while true; do
> tc qdisc add dev ifb0 root handle 2:0 prio bands 5
> tc qdisc add dev ifb0 parent 2:5 sfq
> tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
> tc qdisc del dev ifb0 root || true
> done
> --- END ---
>
> The crash is still reproducible in 4.20 and 5.0-rc5. KASan shows a
> use-after-free:
Thanks for the reproducer and report! I will send a fix.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-02-10 18:31 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <154947154317.4485.11268926035712969198.reportbug@Telenet-PC>
2019-02-10 15:51 ` tc qdisc kernel crash Ben Hutchings
2019-02-10 18:30 ` Cong Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).