Re: tc qdisc kernel crash

Re: tc qdisc kernel crash

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 4491 bytes --]

Control: tag -1 confirmed upstream
Control: found -1 4.20-1~exp1

Adrian (cc'd) reported (https://bugs.debian.org/921542) that a script
using tc could trigger a kernel crash.  I've simplified the script he
provided down to:

--- BEGIN ---
#!/bin/sh -ex

modprobe ifb

while true; do
    tc qdisc add dev ifb0 root handle 2:0 prio bands 5
    tc qdisc add dev ifb0 parent 2:5 sfq
    tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
    tc qdisc del dev ifb0 root || true
done
--- END ---

The crash is still reproducible in 4.20 and 5.0-rc5.  KASan shows a
use-after-free:

+ modprobe ifb
+ true
+ tc qdisc add dev ifb0 root handle 2:0 prio bands 5
+ tc qdisc add dev ifb0 parent 2:5 sfq
+ tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
+ tc qdisc del dev ifb0 root
+ true
+ tc qdisc add dev ifb0 root handle 2:0 prio bands 5
[   63.926983] ==================================================================
[   63.929429] BUG: KASAN: use-after-free in worker_thread+0x327/0x5b0
[   63.931489] Read of size 8 at addr ffff88804fd22130 by task kworker/u8:1/32
[   63.933766]
[   63.934397] CPU: 0 PID: 32 Comm: kworker/u8:1 Not tainted 5.0.0-rc5 #3
[   63.936629] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   63.939537] Workqueue:            (null) (events_unbound)
[   63.942039] Call Trace:
[   63.943187]  dump_stack+0x71/0xa0
[   63.944386]  ? worker_thread+0x327/0x5b0
[   63.945881]  print_address_description+0x65/0x22e
[   63.947980]  ? worker_thread+0x327/0x5b0
[   63.949588]  ? worker_thread+0x327/0x5b0
[   63.951254]  kasan_report.cold.3+0x1a/0x40
[   63.953036]  ? worker_thread+0x327/0x5b0
[   63.954692]  worker_thread+0x327/0x5b0
[   63.956236]  ? flush_rcu_work+0x40/0x40
[   63.957722]  kthread+0x1ae/0x1d0
[   63.959067]  ? __kthread_parkme+0x90/0x90
[   63.960451]  ret_from_fork+0x35/0x40
[   63.962020]
[   63.962817] Allocated by task 757:
[   63.964465]  __kasan_kmalloc.constprop.13+0xc1/0xd0
[   63.966670]  tcindex_alloc_perfect_hash+0x37/0x150 [cls_tcindex]
[   63.969287]  tcindex_set_parms+0xb38/0xd30 [cls_tcindex]
[   63.972539]  tcindex_change+0x13d/0x1c2 [cls_tcindex]
[   63.974796]  tc_new_tfilter+0x7ec/0xaf0
[   63.976546]  rtnetlink_rcv_msg+0x35c/0x490
[   63.978302]  netlink_rcv_skb+0xc6/0x1f0
[   63.980050]  netlink_unicast+0x309/0x3d0
[   63.981990]  netlink_sendmsg+0x37d/0x5e0
[   63.983849]  sock_sendmsg+0x6d/0x80
[   63.985538]  ___sys_sendmsg+0x46a/0x4e0
[   63.987328]  __sys_sendmsg+0xd3/0x160
[   63.988974]  do_syscall_64+0x73/0x140
[   63.990616]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.992538]
[   63.993430] Freed by task 9:
[   63.994660]  __kasan_slab_free+0x125/0x170
[   63.996239]  kfree+0x90/0x1d0
[   63.997496]  __tcindex_destroy+0x1f/0x40 [cls_tcindex]
[   63.999316]  rcu_process_callbacks+0x3cb/0x650
[   64.000889]  __do_softirq+0x115/0x3b4
[   64.003254]
[   64.004138] The buggy address belongs to the object at ffff88804fd22100
[   64.004138]  which belongs to the cache kmalloc-8k of size 8192
[   64.009001] The buggy address is located 48 bytes inside of
[   64.009001]  8192-byte region [ffff88804fd22100, ffff88804fd24100)
[   64.013752] The buggy address belongs to the page:
[   64.015906] page:ffffea00013f4800 count:1 mapcount:0 mapping:ffff888051002700 index:0x0 compound_mapcount: 0
[   64.020237] flags: 0xffffc000010200(slab|head)
[   64.022176] raw: 00ffffc000010200 dead000000000100 dead000000000200 ffff888051002700
[   64.025247] raw: 0000000000000000 0000000080030003 00000001ffffffff 0000000000000000
[   64.028847] page dumped because: kasan: bad access detected
[   64.031367]
[   64.033285] Memory state around the buggy address:
[   64.035276]  ffff88804fd22000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.037741]  ffff88804fd22080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.040138] >ffff88804fd22100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.042717]                                      ^
[   64.044794]  ffff88804fd22180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.047431]  ffff88804fd22200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.049993] ==================================================================

Ben.

-- 
Ben Hutchings
The world is coming to an end.	Please log off.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: tc qdisc kernel crash

[Cong Wang]

On Sun, Feb 10, 2019 at 7:54 AM Ben Hutchings <ben@decadent.org.uk> wrote:
>
> Control: tag -1 confirmed upstream
> Control: found -1 4.20-1~exp1
>
> Adrian (cc'd) reported (https://bugs.debian.org/921542) that a script
> using tc could trigger a kernel crash.  I've simplified the script he
> provided down to:
>
> --- BEGIN ---
> #!/bin/sh -ex
>
> modprobe ifb
>
> while true; do
>     tc qdisc add dev ifb0 root handle 2:0 prio bands 5
>     tc qdisc add dev ifb0 parent 2:5 sfq
>     tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
>     tc qdisc del dev ifb0 root || true
> done
> --- END ---
>
> The crash is still reproducible in 4.20 and 5.0-rc5.  KASan shows a
> use-after-free:

Thanks for the reproducer and report! I will send a fix.