
cgroup_pidlist_start: Unable to handle kernel paging request at virtual address 1200544e #103

Open
amboar opened this issue Aug 26, 2016 · 3 comments

Comments

amboar commented Aug 26, 2016

Same kernel/qemu configuration as #101, but different backtrace:

Unable to handle kernel paging request at virtual address 1200544e
pgd = c8c3c000
[1200544e] *pgd=00000000
Internal error: Oops: 5 [#1] ARM
Modules linked in:
CPU: 0 PID: 1 Comm: systemd Not tainted 4.7.1-00053-g6d93f625315a #581
Hardware name: ASpeed SoC
task: df443460 ti: df444000 task.ti: df444000
PC is at cgroup_pidlist_start+0xc0/0x44c
LR is at cgroup_pidlist_start+0xa4/0x44c
pc : [<c0166868>]    lr : [<c016684c>]    psr: 00000093
sp : df445e18  ip : 00000000  fp : 00000000
r10: 00000002  r9 : df445f78  r8 : 00000000
r7 : c8f5d1a0  r6 : c8ddc0e0  r5 : c0702028  r4 : c8d6ee00
r3 : 1200544a  r2 : c8d6eea0  r1 : 12005452  r0 : c070d058
Flags: nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 00093177  Table: 48c3c000  DAC: 00000051
Process systemd (pid: 1, stack limit = 0xdf444190)
Stack: (0xdf445e18 to 0xdf446000)
5e00:                                                       00000001 ffffe000
5e20: 00000000 60000013 df445ea8 c0702028 df445f78 c8cacea0 df445ea8 c013628c
5e40: 00000001 00000000 00000000 c020abc0 00000000 00000000 ffffe000 1aadfd66
5e60: 60000013 df445ea8 c8ddc0e0 c8f5d1a0 00000000 810fa130 df445f78 c8cacea0
5e80: df445ea8 c020abe8 c8ddc0e0 00001000 00000000 c01d38dc 00000001 c8ddc110
5ea0: c0702028 c0702028 00000000 00000000 df444000 00000000 bec887ec 1aadfd66
5ec0: c8cacea0 c020a9b4 c8cacea0 c0702028 df445f78 810fa130 00001000 00000000
5ee0: bec887ec c01b1fd0 00000000 00000000 00000000 00000000 00001000 00000000
5f00: 00000000 00000000 57bfbcd2 1443fd00 57bfbcd2 1443fd00 57bfbcd2 1443fd00
5f20: 0000005f 00000000 00000000 c8cacea0 df445f78 1aadfd66 00001000 c8cacea0
5f40: 810fa130 df445f78 810fa130 c01b2c1c c8cacea0 810fa130 00001000 c8cacea0
5f60: c0702028 c0702028 c8cacea0 810fa130 00001000 c01b38d0 00000000 00000000
5f80: 00001000 1aadfd66 00000000 8109ac70 8109ac70 00000000 00000003 c01025a4
5fa0: df444000 c0102400 8109ac70 8109ac70 00000010 810fa130 00001000 00000040
5fc0: 8109ac70 8109ac70 00000000 00000003 7f74c8a7 00000000 b6dec020 bec887ec
5fe0: 00000000 bec881c0 b6d8e0b4 b6d700b4 80000010 00000010 00000000 00000000
[<c0166868>] (cgroup_pidlist_start) from [<c020abe8>] (kernfs_seq_start+0x4c/0x8c)
[<c020abe8>] (kernfs_seq_start) from [<c01d38dc>] (seq_read+0x194/0x428)
[<c01d38dc>] (seq_read) from [<c01b1fd0>] (__vfs_read+0x28/0x128)
[<c01b1fd0>] (__vfs_read) from [<c01b2c1c>] (vfs_read+0x90/0xfc)
[<c01b2c1c>] (vfs_read) from [<c01b38d0>] (SyS_read+0x50/0xa0)
[<c01b38d0>] (SyS_read) from [<c0102400>] (ret_fast_syscall+0x0/0x38)
Code: e2433008 e2831008 e1510002 0a000005 (e5931004) 
---[ end trace 05cbde247dfcab60 ]---
amboar commented Aug 26, 2016

Immediately followed by:

BUG: spinlock lockup suspected on CPU#0, systemd-cgroups/703
 lock: css_set_lock+0x0/0x20, .magic: dead4ead, .owner: systemd/1, .owner_cpu: 0
CPU: 0 PID: 703 Comm: systemd-cgroups Tainted: G      D         4.7.1-00053-g6d93f625315a #581
Hardware name: ASpeed SoC
[<c01077e8>] (unwind_backtrace) from [<c01053d0>] (show_stack+0x10/0x14)
[<c01053d0>] (show_stack) from [<c0138650>] (do_raw_spin_lock+0xd8/0x118)
[<c0138650>] (do_raw_spin_lock) from [<c01671ec>] (cgroup_exit+0x28/0x6c)
[<c01671ec>] (cgroup_exit) from [<c0110458>] (do_exit+0x3b8/0x848)
[<c0110458>] (do_exit) from [<c01118f8>] (do_group_exit+0x48/0xbc)
[<c01118f8>] (do_group_exit) from [<c011197c>] (SyS_exit_group+0x10/0x14)
[<c011197c>] (SyS_exit_group) from [<c0102400>] (ret_fast_syscall+0x0/0x38)
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

amboar commented Mar 14, 2017

Just saw this on Witherspoon:

ucd9000: probe of 11-0064 failed with error -74
Alignment trap: not handling instruction e1902f9f at [<8043baf4>]
Unhandled fault: alignment exception (0x001) at 0x9e7c349f
pgd = 9d000000
[9e7c349f] *pgd=9e60041e(bad)
Internal error: : 1 [#1] ARM
CPU: 0 PID: 1 Comm: systemd Not tainted 4.7.10-00295-g1f70c8c051a8-dirty #548
Hardware name: ASpeed SoC
task: 9e4388a0 ti: 9e43a000 task.ti: 9e43a000
PC is at mutex_lock+0x8/0x24
LR is at cgroup_pidlist_start+0x4c/0x39c
pc : [<8043baf8>]    lr : [<801548a4>]    psr: 60000013
sp : 9e43be18  ip : 00000001  fp : 00000000
r10: 9d76c320  r9 : 00000000  r8 : 9d9914c0
r7 : 00000000  r6 : 9d9cca40  r5 : 9e7c33ff  r4 : 8070200c
r3 : 9e43bea8  r2 : 9e7a6d70  r1 : 9e43bea8  r0 : 9e7c349f
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 00c5387d  Table: 9d000008  DAC: 00000051
Process systemd (pid: 1, stack limit = 0x9e43a188)
Stack: (0x9e43be18 to 0x9e43c000)
be00:                                                       00000018 9d76c320
be20: 9d0ae000 9e43bea8 9e43bec0 801ac004 9e43bec0 00000000 00000000 801ad250
be40: 9d553000 9d494d20 8070bf30 00000000 9e43bf70 00000000 00020000 61fea8ae
be60: 00000000 9e43bea8 9d9cca40 9d9914c0 00000000 5543d828 9e43bf78 9d76c320
be80: 9e43bea8 801f6ea4 9d9cca40 00001000 00000000 801bfaf0 9e4046a0 9d9cca70
bea0: 8070200c 7eec3f78 00000000 00000000 9e43a000 00000000 7eec462c 61fea8ae
bec0: 9d76c320 801f6c84 00001000 8070200c 5543d828 9e43bf78 00001000 00000000
bee0: 7eec462c 801a2884 00000000 00000000 00000000 00000000 00001000 00000000
bf00: 00000000 00000000 58ad2cfa 160dc104 58ad2cfa 160dc104 58ad2cfa 160dc104
bf20: 00000117 00000000 00000000 9d76c320 9e43bf78 61fea8ae 9d76c320 00001000
bf40: 00000000 5543d828 9e43bf78 801a2a14 9d76c320 5543d828 00001000 9d76c320
bf60: 54c0f912 8070200c 9d76c320 5543d828 00001000 801a2df8 00000000 00000000
bf80: 00001000 61fea8ae 00000000 553bffb0 54c0f912 00000075 00000003 80102384
bfa0: 9e43a000 801021c0 553bffb0 54c0f912 00000048 5543d828 00001000 00000040
bfc0: 553bffb0 54c0f912 00000075 00000003 54c0f913 00000000 76e6c020 7eec462c
bfe0: 00000000 7eec3ffc 76d9a398 76df104c 60000010 00000048 e22ef1db 6b45edfe
[<8043baf8>] (mutex_lock) from [<801548a4>] (cgroup_pidlist_start+0x4c/0x39c)
[<801548a4>] (cgroup_pidlist_start) from [<801f6ea4>] (kernfs_seq_start+0x4c/0x80)
[<801f6ea4>] (kernfs_seq_start) from [<801bfaf0>] (seq_read+0x104/0x424)
[<801bfaf0>] (seq_read) from [<801a2884>] (__vfs_read+0x28/0x128)
[<801a2884>] (__vfs_read) from [<801a2a14>] (vfs_read+0x90/0xfc)
[<801a2a14>] (vfs_read) from [<801a2df8>] (SyS_read+0x4c/0x9c)
[<801a2df8>] (SyS_read) from [<801021c0>] (ret_fast_syscall+0x0/0x3c)
Code: e8bd83f0 8070200c f5d0f000 e1902f9f (e2422001) 
---[ end trace f354de3abd1d87d0 ]---
-sh: echo: write error: No such device
-sh: echo: write error: No such device
ucd9000 11-0064: Device ID UCD90160|2.3.4.0000|110603
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

Rebooting in 1 seconds..

U-Boot 2016.07 (Feb 22 2017 - 17:20:20 +0000)

legoater commented Jul 7, 2017

As this issue occurred on a Witherspoon system just after the ucd9000 was probed, can we consider it fixed in the recent kernel changes?

shenki pushed a commit that referenced this issue Jun 19, 2018
[ Upstream commit 5b5e7a0 ]

Before using nla_get_u32(), better make sure the attribute
is of the proper size.

Code recently was changed, but bug has been there from beginning
of git.

BUG: KMSAN: uninit-value in rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
CPU: 1 PID: 14139 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
 rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
 fib_dump_info+0xc42/0x2190 net/ipv4/fib_semantics.c:1361
 rtmsg_fib+0x65f/0x8c0 net/ipv4/fib_semantics.c:419
 fib_table_insert+0x2314/0x2b50 net/ipv4/fib_trie.c:1287
 inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x455a09
RSP: 002b:00007faae5fd8c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007faae5fd96d4 RCX: 0000000000455a09
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:529
 fib_convert_metrics net/ipv4/fib_semantics.c:1056 [inline]
 fib_create_info+0x2d46/0x9dc0 net/ipv4/fib_semantics.c:1150
 fib_table_insert+0x3e4/0x2b50 net/ipv4/fib_trie.c:1146
 inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: a919525 ("net: Move fib_convert_metrics to metrics file")
Fixes: 1da177e ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
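As an added illustration of the length check this commit describes (example code, not the kernel's or this project's): a userspace model of netlink attribute parsing that shows the pre-fix unchecked nla_get_u32() read beside the checked form. struct nlattr, NLA_ALIGN, the helpers and the sample attribute stream are reimplemented or constructed here, and the sample assumes a little-endian host.

```c
/* Added example, not from the page or the kernel tree: a userspace model of the
 * nla_get_u32() length check that upstream commit 5b5e7a0 adds. The nlattr
 * layout and helpers mirror the kernel's netlink.h but are reimplemented here so
 * the file builds stand-alone; the attribute stream is constructed (little-endian). */
#include <stdint.h>
#include <string.h>

#define NLA_ALIGN(len) (((len) + 3) & ~3)
struct nlattr { uint16_t nla_len; uint16_t nla_type; }; /* nla_len = header + payload */
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))

static int nla_len(const struct nlattr *nla) { return nla->nla_len - NLA_HDRLEN; }
static const void *nla_data(const struct nlattr *nla) { return (const char *)nla + NLA_HDRLEN; }

/* Pre-fix pattern: reads 4 bytes whatever length the sender declared, so a
 * 1-byte attribute makes it consume whatever follows the payload. */
static uint32_t nla_get_u32_unchecked(const struct nlattr *nla)
{
    uint32_t v;
    memcpy(&v, nla_data(nla), sizeof v);
    return v;
}

/* Fixed pattern: refuse any attribute whose payload is not exactly 4 bytes. */
static int nla_get_u32_checked(const struct nlattr *nla, uint32_t *out)
{
    if (nla_len(nla) != (int)sizeof(uint32_t))
        return -1;                               /* the kernel returns -EINVAL */
    memcpy(out, nla_data(nla), sizeof *out);
    return 0;
}

/* Walk an attribute stream summing u32 values; -1 on any malformed attribute. */
static long sum_u32_attrs(const unsigned char *buf, size_t len)
{
    long total = 0; uint32_t v;
    for (size_t off = 0; off + NLA_HDRLEN <= len;) {
        const struct nlattr *nla = (const struct nlattr *)(buf + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > len)
            return -1;                           /* header or payload runs past the buffer */
        if (nla_get_u32_checked(nla, &v) < 0)
            return -1;                           /* declared size is not a u32 */
        total += v;
        off += NLA_ALIGN(nla->nla_len);
    }
    return total;
}

/* Constructed stream: attribute 1 is a proper u32 (nla_len 8, value 100);
 * attribute 2 declares a 1-byte payload (nla_len 5, value 7). The 0xAA filler
 * after it stands in for the uninitialised skb bytes KMSAN flagged. */
static const union { unsigned char b[16]; uint32_t align; } sample = { {
    8, 0, 1, 0, 100, 0, 0, 0,
    5, 0, 2, 0, 7, 0xAA, 0xAA, 0xAA,
} };

/* Checked parse of the first `limit` bytes: 8 -> 100, 16 -> -1 (attr 2 rejected). */
static long sample_sum(size_t limit) { return sum_u32_attrs(sample.b, limit); }

/* Unchecked read of attribute 2: the 7 comes back with the three filler bytes,
 * i.e. 0xAAAAAA07, and nothing tells the caller the sender supplied only one. */
static uint32_t sample_second_unchecked(void)
{
    return nla_get_u32_unchecked((const struct nlattr *)(sample.b + 8));
}
```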
shenki pushed a commit that referenced this issue Jun 19, 2018
[ Upstream commit 644c7ee ]

It seems that rtnl_group_changelink() can call do_setlink
while a prior call to validate_linkmsg(dev = NULL, ...) could
not validate IFLA_ADDRESS / IFLA_BROADCAST

Make sure do_setlink() calls validate_linkmsg() instead
of letting its callers having this responsibility.

With help from Dmitry Vyukov, thanks a lot!

BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
 is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
 eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
 eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
 dev_set_mac_address+0x261/0x530 net/core/dev.c:7157
 do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317
 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
 rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x455a09
RSP: 002b:00007fc07480ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc07480f6d4 RCX: 0000000000455a09
RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478
 do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315
 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
 rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: e7ed828 ("netlink: support setting devgroup parameters")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
amboar pushed a commit to amboar/linux that referenced this issue Nov 26, 2020
commit 0fada27 upstream.

If ACPI is disabled then loading the acpi_dbg module will result in the
following splat when lock debugging is enabled.

  DEBUG_LOCKS_WARN_ON(lock->magic != lock)
  WARNING: CPU: 0 PID: 1 at kernel/locking/mutex.c:938 __mutex_lock+0xa10/0x1290
  Kernel panic - not syncing: panic_on_warn set ...
  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.9.0-rc8+ openbmc#103
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0x0/0x4d8
   show_stack+0x34/0x48
   dump_stack+0x174/0x1f8
   panic+0x360/0x7a0
   __warn+0x244/0x2ec
   report_bug+0x240/0x398
   bug_handler+0x50/0xc0
   call_break_hook+0x160/0x1d8
   brk_handler+0x30/0xc0
   do_debug_exception+0x184/0x340
   el1_dbg+0x48/0xb0
   el1_sync_handler+0x170/0x1c8
   el1_sync+0x80/0x100
   __mutex_lock+0xa10/0x1290
   mutex_lock_nested+0x6c/0xc0
   acpi_register_debugger+0x40/0x88
   acpi_aml_init+0xc4/0x114
   do_one_initcall+0x24c/0xb10
   kernel_init_freeable+0x690/0x728
   kernel_init+0x20/0x1e8
   ret_from_fork+0x10/0x18

This is because acpi_debugger.lock has not been initialized as
acpi_debugger_init() is not called when ACPI is disabled.  Fail module
loading to avoid this and any subsequent problems that might arise by
trying to debug AML when ACPI is disabled.

Fixes: 8cfb0cd ("ACPI / debugger: Add IO interface to access debugger functionalities")
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Jamie Iles <jamie@nuviainc.com>
Cc: 4.10+ <stable@vger.kernel.org> # 4.10+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
shenki pushed a commit that referenced this issue May 19, 2022
… lwt hook

[ Upstream commit b02d196 ]

xmit_check_hhlen() observes the dst for getting the device hard header
length to make sure a modified packet can fit. When a helper which changes
the dst - such as bpf_skb_set_tunnel_key() - is called as part of the
xmit program the accessed dst is no longer valid.

This leads to the following splat:

 BUG: kernel NULL pointer dereference, address: 00000000000000de
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 0 PID: 798 Comm: ping Not tainted 5.18.0-rc2+ #103
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
 RIP: 0010:bpf_xmit+0xfb/0x17f
 Code: c6 c0 4d cd 8e 48 c7 c7 7d 33 f0 8e e8 42 09 fb ff 48 8b 45 58 48 8b 95 c8 00 00 00 48 2b 95 c0 00 00 00 48 83 e0 fe 48 8b 00 <0f> b7 80 de 00 00 00 39 c2 73 22 29 d0 b9 20 0a 00 00 31 d2 48 89
 RSP: 0018:ffffb148c0bc7b98 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: 0000000000240008 RCX: 0000000000000000
 RDX: 0000000000000010 RSI: 00000000ffffffea RDI: 00000000ffffffff
 RBP: ffff922a828a4e00 R08: ffffffff8f1350e8 R09: 00000000ffffdfff
 R10: ffffffff8f055100 R11: ffffffff8f105100 R12: 0000000000000000
 R13: ffff922a828a4e00 R14: 0000000000000040 R15: 0000000000000000
 FS:  00007f414e8f0080(0000) GS:ffff922afdc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00000000000000de CR3: 0000000002d80006 CR4: 0000000000370ef0
 Call Trace:
  <TASK>
  lwtunnel_xmit.cold+0x71/0xc8
  ip_finish_output2+0x279/0x520
  ? __ip_finish_output.part.0+0x21/0x130

Fix by fetching the device hard header length before running the BPF code.

Fixes: 3a0af8f ("bpf: BPF for lightweight tunnel infrastructure")
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220420165219.1755407-1-eyal.birger@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>