leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6547e387d7
linux/drivers
History
Toshiaki Makita 6547e387d7 tun: Fix NULL pointer dereference in XDP redirect 
Calling XDP redirection requires bh disabled. Softirq can call another
XDP function and redirection functions, then the percpu static variable
ri->map can be overwritten to NULL.

This is a generic XDP case called from tun.

[ 3535.736058] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[ 3535.743974] PGD 0 P4D 0
[ 3535.746530] Oops: 0000 [#1] SMP PTI
[ 3535.750049] Modules linked in: vhost_net vhost tap tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat ext4 mbcache jbd2 intel_rapl skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc ses aesni_intel crypto_simd cryptd enclosure hpwdt hpilo glue_helper ipmi_si pcspkr wmi mei_me ioatdma mei ipmi_devintf shpchp dca ipmi_msghandler lpc_ich acpi_power_meter sch_fq_codel ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm smartpqi i40e crc32c_intel scsi_transport_sas tg3 i2c_core ptp pps_core
[ 3535.813456] CPU: 5 PID: 1630 Comm: vhost-1614 Not tainted 4.17.0-rc4 #2
[ 3535.820127] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 11/14/2017
[ 3535.828732] RIP: 0010:__xdp_map_lookup_elem+0x5/0x30
[ 3535.833740] RSP: 0018:ffffb4bc47bf7c58 EFLAGS: 00010246
[ 3535.839009] RAX: ffff9fdfcfea1c40 RBX: 0000000000000000 RCX: ffff9fdf27fe3100
[ 3535.846205] RDX: ffff9fdfca769200 RSI: 0000000000000000 RDI: 0000000000000000
[ 3535.853402] RBP: ffffb4bc491d9000 R08: 00000000000045ad R09: 0000000000000ec0
[ 3535.860597] R10: 0000000000000001 R11: ffff9fdf26c3ce4e R12: ffff9fdf9e72c000
[ 3535.867794] R13: 0000000000000000 R14: fffffffffffffff2 R15: ffff9fdfc82cdd00
[ 3535.874990] FS:  0000000000000000(0000) GS:ffff9fdfcfe80000(0000) knlGS:0000000000000000
[ 3535.883152] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3535.888948] CR2: 0000000000000018 CR3: 0000000bde724004 CR4: 00000000007626e0
[ 3535.896145] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3535.903342] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3535.910538] PKRU: 55555554
[ 3535.913267] Call Trace:
[ 3535.915736]  xdp_do_generic_redirect+0x7a/0x310
[ 3535.920310]  do_xdp_generic.part.117+0x285/0x370
[ 3535.924970]  tun_get_user+0x5b9/0x1260 [tun]
[ 3535.929279]  tun_sendmsg+0x52/0x70 [tun]
[ 3535.933237]  handle_tx+0x2ad/0x5f0 [vhost_net]
[ 3535.937721]  vhost_worker+0xa5/0x100 [vhost]
[ 3535.942030]  kthread+0xf5/0x130
[ 3535.945198]  ? vhost_dev_ioctl+0x3b0/0x3b0 [vhost]
[ 3535.950031]  ? kthread_bind+0x10/0x10
[ 3535.953727]  ret_from_fork+0x35/0x40
[ 3535.957334] Code: 0e 74 15 83 f8 10 75 05 e9 49 aa b3 ff f3 c3 0f 1f 80 00 00 00 00 f3 c3 e9 29 9d b3 ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <8b> 47 18 83 f8 0e 74 0d 83 f8 10 75 05 e9 49 a9 b3 ff 31 c0 c3
[ 3535.976387] RIP: __xdp_map_lookup_elem+0x5/0x30 RSP: ffffb4bc47bf7c58
[ 3535.982883] CR2: 0000000000000018
[ 3535.987096] ---[ end trace 383b299dd1430240 ]---
[ 3536.131325] Kernel panic - not syncing: Fatal exception
[ 3536.137484] Kernel Offset: 0x26a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 3536.281406] ---[ end Kernel panic - not syncing: Fatal exception ]---

And a kernel with generic case fixed still panics in tun driver XDP
redirect, because it disabled only preemption, but not bh.

[ 2055.128746] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[ 2055.136662] PGD 0 P4D 0
[ 2055.139219] Oops: 0000 [#1] SMP PTI
[ 2055.142736] Modules linked in: vhost_net vhost tap tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat ext4 mbcache jbd2 intel_rapl skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc ses aesni_intel ipmi_ssif crypto_simd enclosure cryptd hpwdt glue_helper ioatdma hpilo wmi dca pcspkr ipmi_si acpi_power_meter ipmi_devintf shpchp mei_me ipmi_msghandler mei lpc_ich sch_fq_codel ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm i40e smartpqi tg3 scsi_transport_sas crc32c_intel i2c_core ptp pps_core
[ 2055.206142] CPU: 6 PID: 1693 Comm: vhost-1683 Tainted: G        W         4.17.0-rc5-fix-tun+ #1
[ 2055.215011] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 11/14/2017
[ 2055.223617] RIP: 0010:__xdp_map_lookup_elem+0x5/0x30
[ 2055.228624] RSP: 0018:ffff998b07607cc0 EFLAGS: 00010246
[ 2055.233892] RAX: ffff8dbd8e235700 RBX: ffff8dbd8ff21c40 RCX: 0000000000000004
[ 2055.241089] RDX: ffff998b097a9000 RSI: 0000000000000000 RDI: 0000000000000000
[ 2055.248286] RBP: 0000000000000000 R08: 00000000000065a8 R09: 0000000000005d80
[ 2055.255483] R10: 0000000000000040 R11: ffff8dbcf0100000 R12: ffff998b097a9000
[ 2055.262681] R13: ffff8dbd8c98c000 R14: 0000000000000000 R15: ffff998b07607d78
[ 2055.269879] FS:  0000000000000000(0000) GS:ffff8dbd8ff00000(0000) knlGS:0000000000000000
[ 2055.278039] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2055.283834] CR2: 0000000000000018 CR3: 0000000c0c8cc005 CR4: 00000000007626e0
[ 2055.291030] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2055.298227] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2055.305424] PKRU: 55555554
[ 2055.308153] Call Trace:
[ 2055.310624]  xdp_do_redirect+0x7b/0x380
[ 2055.314499]  tun_get_user+0x10fe/0x12a0 [tun]
[ 2055.318895]  tun_sendmsg+0x52/0x70 [tun]
[ 2055.322852]  handle_tx+0x2ad/0x5f0 [vhost_net]
[ 2055.327337]  vhost_worker+0xa5/0x100 [vhost]
[ 2055.331646]  kthread+0xf5/0x130
[ 2055.334813]  ? vhost_dev_ioctl+0x3b0/0x3b0 [vhost]
[ 2055.339646]  ? kthread_bind+0x10/0x10
[ 2055.343343]  ret_from_fork+0x35/0x40
[ 2055.346950] Code: 0e 74 15 83 f8 10 75 05 e9 e9 aa b3 ff f3 c3 0f 1f 80 00 00 00 00 f3 c3 e9 c9 9d b3 ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <8b> 47 18 83 f8 0e 74 0d 83 f8 10 75 05 e9 e9 a9 b3 ff 31 c0 c3
[ 2055.366004] RIP: __xdp_map_lookup_elem+0x5/0x30 RSP: ffff998b07607cc0
[ 2055.372500] CR2: 0000000000000018
[ 2055.375856] ---[ end trace 2a2dcc5e9e174268 ]---
[ 2055.523626] Kernel panic - not syncing: Fatal exception
[ 2055.529796] Kernel Offset: 0x2e000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 2055.677539] ---[ end Kernel panic - not syncing: Fatal exception ]---

v2:
 - Removed preempt_disable/enable since local_bh_disable will prevent
   preemption as well, feedback from Jason Wang.

Fixes: 761876c857 ("tap: XDP support")
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-29 11:00:14 -04:00
..
accessibility
acpi ACPICA: Add deferred package support for the Load and loadTable operators 2018-05-14 22:25:45 +02:00
amba ARM: amba: Fix race condition with driver_override 2018-04-26 10:35:04 +02:00
android ANDROID: binder: prevent transactions into own process. 2018-04-23 12:12:41 +02:00
ata ahci: Add PCI ID for Cannon Lake PCH-LP AHCI 2018-05-24 07:03:32 -07:00
atm atm: zatm: fix memcmp casting 2018-05-29 09:59:53 -04:00
auxdisplay
base mm/memory_hotplug: fix leftover use of struct page during hotplug 2018-05-25 18:12:11 -07:00
bcma bcma: fix buffer size caused crash in bcma_core_mips_print_irq() 2018-05-12 11:36:59 +03:00
block for-linus-20180524 2018-05-24 08:53:20 -07:00
bluetooth Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table 2018-04-30 10:56:04 +02:00
bus HISI LPC: Add Kconfig MFD_CORE dependency 2018-04-26 16:53:23 +02:00
cdrom cdrom: information leak in cdrom_ioctl_media_changed() 2018-04-18 08:21:32 -06:00
char agp: uninorth: make two functions static 2018-05-10 11:26:08 +10:00
clk clk: stm32: fix: stm32 clock drivers are not compiled by default 2018-05-15 15:47:03 -07:00
clocksource clocksource/imx-tpm: Correct -ETIME return condition check 2018-04-19 13:21:35 +02:00
connector
cpufreq cpufreq: armada-37xx: driver relies on cpufreq-dt 2018-05-14 22:25:56 +02:00
cpuidle cpuidle: menu: Avoid selecting shallow states with stopped tick 2018-04-09 11:54:57 +02:00
crypto .gitignore: move *-asn1.[ch] patterns to the top-level .gitignore 2018-04-07 19:04:02 +09:00
dax device-dax: allow MAP_SYNC to succeed 2018-04-19 15:11:50 -07:00
dca
devfreq
dio
dma dmaengine: qcom: bam_dma: check if the runtime pm enabled 2018-05-17 16:16:49 +05:30
dma-buf
edac * Add NVDIMM support to EDAC (Tony Luck) 2018-04-05 14:21:13 -07:00
eisa
extcon Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
firewire
firmware Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-05-20 10:36:52 -07:00
fmc treewide: Fix typos in printk 2018-03-27 09:51:22 +02:00
fpga fpga-manager: altera-ps-spi: preserve nCONFIG state 2018-04-23 13:27:05 +02:00
fsi
gpio gpio: pcie-idio-24: Fix off-by-one error in get_multiple loop 2018-04-30 10:48:08 +02:00
gpu Merge branch 'vmwgfx-fixes-4.17' of git://people.freedesktop.org/~thomash/linux into drm-fixes 2018-05-25 09:47:56 +10:00
hid HID: i2c-hid: Add RESEND_REPORT_DESCR quirk for Toshiba Click Mini L9W-B 2018-05-09 13:58:01 +02:00
hsi
hv ARM: 2018-04-09 11:42:31 -07:00
hwmon hwmon: (k10temp) Use API function to access System Management Network 2018-05-13 09:00:49 -07:00
hwspinlock
hwtracing Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
i2c i2c: viperboard: return message count on master_xfer success 2018-05-15 09:31:26 +02:00
ide for-4.17/block-20180402 2018-04-05 14:27:02 -07:00
idle
iio This is the bulk of GPIO changes for the v4.17 kernel cycle: 2018-04-05 09:51:41 -07:00
infiniband Merge candidates for 4.17-rc 2018-05-24 14:12:05 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2018-05-02 17:34:42 -10:00
iommu iommu: rockchip: fix building without CONFIG_OF 2018-05-03 16:36:07 +02:00
ipack
irqchip irqchip/qcom: Fix check for spurious interrupts 2018-05-02 15:56:10 +02:00
isdn isdn: eicon: fix a missing-check bug 2018-05-22 13:48:34 -04:00
leds
lightnvm lightnvm: pblk: remove some unnecessary NULL checks 2018-03-29 17:29:09 -06:00
macintosh powerpc updates for 4.17 2018-04-07 12:08:19 -07:00
mailbox
mcb
md for-linus-20180518 2018-05-18 10:10:43 -07:00
media MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
memory ARM: OMAP2+: Fix build when using split object directories 2018-04-18 10:07:13 -07:00
memstick
message scsi: mptsas: Disable WRITE SAME 2018-04-18 23:37:25 -04:00
mfd mfd: cros_ec: Retry commands when EC is known to be busy 2018-05-23 06:59:00 +01:00
misc Merge branch 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2018-05-18 18:02:01 -07:00
mmc mmc: sdhci-iproc: add SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus 2018-05-21 13:27:22 +02:00
mtd mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2 2018-05-14 14:46:20 +02:00
mux
net tun: Fix NULL pointer dereference in XDP redirect 2018-05-29 11:00:14 -04:00
nfc
ntb
nubus
nvdimm Revert "libnvdimm, of_pmem: workaround OF_NUMA=n build error" 2018-04-19 15:10:56 -07:00
nvme Merge candidates for 4.17-rc 2018-05-24 14:12:05 -07:00
nvmem Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
of DeviceTree fixes for 4.17: 2018-05-07 05:33:29 -10:00
opp
oprofile oprofilefs: don't oops on allocation failure 2018-03-29 15:07:48 -04:00
parisc parisc: Move ccio_cujo20_fixup() into init section 2018-05-18 16:21:49 +02:00
parport Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
pci PCI / PM: Check device_may_wakeup() in pci_enable_wake() 2018-05-10 16:50:26 +02:00
pcmcia Merge branch 'for-linus-sa1100' of git://git.armlinux.org.uk/~rmk/linux-arm 2018-04-09 09:26:36 -07:00
perf ARM: SoC driver updates for 4.17 2018-04-05 21:29:35 -07:00
phy ARM: SoC platform updates for 4.17 2018-04-05 21:21:08 -07:00
pinctrl pinctrl: sunrisepoint: Align GPIO number space with Windows 2018-05-02 14:36:00 +02:00
platform mfd: cros_ec: Retry commands when EC is known to be busy 2018-05-23 06:59:00 +01:00
pnp
power ARM: SoC platform updates for 4.17 2018-04-05 21:21:08 -07:00
powercap
pps
ps3
ptp
pwm pwm: Changes for v4.17-rc1 2018-04-13 15:46:21 -07:00
rapidio rapidio: fix rio_dma_transfer error handling 2018-04-20 17:18:35 -07:00
ras
regulator Merge remote-tracking branches 'regulator/topic/88pg86x', 'regulator/topic/dt', 'regulator/topic/formatting' and 'regulator/topic/gpio' into regulator-next 2018-03-28 10:33:53 +08:00
remoteproc remoteproc: qcom: Fix potential device node leaks 2018-04-25 16:46:55 -07:00
reset reset: uniphier: fix USB clock line for LD20 2018-04-27 11:51:12 +02:00
rpmsg rpmsg: added MODULE_ALIAS for rpmsg_char 2018-04-25 16:46:55 -07:00
rtc rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops 2018-04-25 13:24:13 +10:00
s390 SCSI fixes on 20180521 2018-05-21 17:39:32 -07:00
sbus sparc64: Fix mistake in oradax license text 2018-04-30 16:06:01 -04:00
scsi for-linus-20180524 2018-05-24 08:53:20 -07:00
sfi
sh
siox
slimbus slimbus: Fix out-of-bounds access in slim_slicesize() 2018-04-23 13:40:15 +02:00
sn
soc soc: bcm: raspberrypi-power: Fix use of __packed 2018-04-16 15:15:23 -07:00
soundwire
spi spi: bcm2835aux: ensure interrupts are enabled for shared handler 2018-05-04 08:09:02 +09:00
spmi
ssb ssb: make SSB_PCICORE_HOSTMODE depend on SSB = y 2018-05-12 11:38:13 +03:00
staging Merge candidates for 4.17-rc 2018-05-24 14:12:05 -07:00
target scsi: target: tcmu: fix error resetting qfull_time_out to default 2018-05-14 22:44:50 -04:00
tc
tee tee: check shm references are consistent in offset/size 2018-05-07 11:51:03 +02:00
thermal Merge branch 'thermal-soc' into next 2018-05-11 09:37:21 +08:00
thunderbolt
tty tty: Use __GFP_NOFAIL for tty_ldisc_get() 2018-04-25 15:03:44 +02:00
uio uio_hv_generic: fix subchannel ring mmap 2018-04-23 12:43:48 +02:00
usb usbip: usbip_host: fix bad unlock balance during stub_probe() 2018-05-16 18:52:13 +02:00
uwb
vfio VFIO updates for v4.17-rc1 2018-04-06 19:44:27 -07:00
vhost vhost: synchronize IOTLB message with dev cleanup 2018-05-24 22:09:51 -04:00
video fbdev changes for v4.17: 2018-04-10 10:20:00 -07:00
virt virt: vbox: Log an error when we fail to get the host version 2018-04-23 13:41:55 +02:00
virtio virtio: feature 2018-04-11 18:58:27 -07:00
visorbus
vlynq
vme
w1
watchdog aspeed: watchdog: Set bootstatus during probe 2018-04-16 10:22:40 +02:00
xen xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent 2018-05-18 14:37:16 -04:00
zorro
Kconfig hwtracing: Add HW tracing support menu 2018-03-29 13:38:10 +03:00
Makefile