From: "Michael S. Tsirkin" <mst@redhat.com>
To: Jean-Philippe Menil <jpmenil@gmail.com>
Cc: netdev@vger.kernel.org, jasowang@redhat.com,
John Fastabend <john.fastabend@gmail.com>
Subject: Re: BUG: KASAN: use-after-free in free_old_xmit_skbs
Date: Mon, 5 Jun 2017 05:08:25 +0300 [thread overview]
Message-ID: <20170605050423-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <d2e8cf65-ea3d-7db2-9382-a063daf1168a@gmail.com>
On Mon, Jun 05, 2017 at 12:48:53AM +0200, Jean-Philippe Menil wrote:
> Hi,
>
> while playing with xdp and ebpf, i'm hitting the following:
>
> [ 309.993136]
> ==================================================================
> [ 309.994735] BUG: KASAN: use-after-free in
> free_old_xmit_skbs.isra.29+0x2b7/0x2e0 [virtio_net]
> [ 309.998396] Read of size 8 at addr ffff88006aa64220 by task sshd/323
> [ 310.000650]
> [ 310.002305] CPU: 1 PID: 323 Comm: sshd Not tainted 4.12.0-rc3+ #2
> [ 310.004018] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.10.2-20170228_101828-anatol 04/01/2014
> [ 310.006495] Call Trace:
> [ 310.007610] dump_stack+0xb8/0x14c
> [ 310.008748] ? _atomic_dec_and_lock+0x174/0x174
> [ 310.009998] ? pm_qos_get_value.part.7+0x6/0x6
> [ 310.011203] print_address_description+0x6f/0x280
> [ 310.012416] kasan_report+0x27a/0x370
> [ 310.013573] ? free_old_xmit_skbs.isra.29+0x2b7/0x2e0 [virtio_net]
> [ 310.014900] __asan_report_load8_noabort+0x19/0x20
> [ 310.016136] free_old_xmit_skbs.isra.29+0x2b7/0x2e0 [virtio_net]
> [ 310.017467] ? virtnet_del_vqs+0xe0/0xe0 [virtio_net]
> [ 310.018759] ? packet_rcv+0x20d0/0x20d0
> [ 310.019950] ? dev_queue_xmit_nit+0x5cd/0xaf0
> [ 310.021168] start_xmit+0x1b4/0x1b10 [virtio_net]
> [ 310.022413] ? default_device_exit+0x2d0/0x2d0
> [ 310.023634] ? virtnet_remove+0xf0/0xf0 [virtio_net]
> [ 310.024874] ? update_load_avg+0x1281/0x29f0
> [ 310.026059] dev_hard_start_xmit+0x1ea/0x7f0
> [ 310.027247] ? validate_xmit_skb_list+0x100/0x100
> [ 310.028470] ? validate_xmit_skb+0x7f/0xc10
> [ 310.029731] ? netif_skb_features+0x920/0x920
> [ 310.033469] ? __skb_tx_hash+0x2f0/0x2f0
> [ 310.035615] ? validate_xmit_skb_list+0xa3/0x100
> [ 310.037782] sch_direct_xmit+0x2eb/0x7a0
> [ 310.039842] ? dev_deactivate_queue.constprop.29+0x230/0x230
> [ 310.041980] ? netdev_pick_tx+0x212/0x2b0
> [ 310.043868] __dev_queue_xmit+0x12fa/0x20b0
> [ 310.045564] ? netdev_pick_tx+0x2b0/0x2b0
> [ 310.047210] ? __account_cfs_rq_runtime+0x630/0x630
> [ 310.048301] ? update_stack_state+0x402/0x780
> [ 310.049307] ? account_entity_enqueue+0x730/0x730
> [ 310.050322] ? __rb_erase_color+0x27d0/0x27d0
> [ 310.051286] ? update_curr_fair+0x70/0x70
> [ 310.052206] ? enqueue_entity+0x2450/0x2450
> [ 310.053124] ? entry_SYSCALL64_slow_path+0x25/0x25
> [ 310.054082] ? dequeue_entity+0x27a/0x1520
> [ 310.054967] ? bpf_prog_alloc+0x320/0x320
> [ 310.055822] ? yield_to_task_fair+0x110/0x110
> [ 310.056708] ? set_next_entity+0x2f2/0xa90
> [ 310.057574] ? dequeue_task_fair+0xc09/0x2ec0
> [ 310.058457] dev_queue_xmit+0x10/0x20
> [ 310.059298] ip_finish_output2+0xacf/0x12a0
> [ 310.060160] ? dequeue_entity+0x1520/0x1520
> [ 310.063410] ? ip_fragment.constprop.47+0x220/0x220
> [ 310.065078] ? ring_buffer_set_clock+0x50/0x50
> [ 310.066677] ? __switch_to+0x685/0xda0
> [ 310.068166] ? load_balance+0x38f0/0x38f0
> [ 310.069544] ? compat_start_thread+0x80/0x80
> [ 310.070989] ? trace_find_cmdline+0x60/0x60
> [ 310.072402] ? rt_cpu_seq_show+0x2d0/0x2d0
> [ 310.073579] ip_finish_output+0x407/0x880
> [ 310.074441] ? ip_finish_output+0x407/0x880
> [ 310.075255] ? update_stack_state+0x402/0x780
> [ 310.076076] ip_output+0x1c0/0x640
> [ 310.076843] ? ip_mc_output+0x1350/0x1350
> [ 310.077642] ? __sk_dst_check+0x164/0x370
> [ 310.078441] ? complete_formation.isra.53+0xa30/0xa30
> [ 310.079313] ? __read_once_size_nocheck.constprop.7+0x20/0x20
> [ 310.080265] ? sock_prot_inuse_add+0xa0/0xa0
> [ 310.081097] ? memcpy+0x45/0x50
> [ 310.081850] ? __copy_skb_header+0x1fa/0x280
> [ 310.082676] ip_local_out+0x70/0x90
> [ 310.083448] ip_queue_xmit+0x8a1/0x22a0
> [ 310.084236] ? ip_build_and_send_pkt+0xe80/0xe80
> [ 310.085079] ? tcp_v4_md5_lookup+0x13/0x20
> [ 310.085884] tcp_transmit_skb+0x187a/0x3e00
> [ 310.086696] ? __tcp_select_window+0xaf0/0xaf0
> [ 310.087524] ? sock_sendmsg+0xba/0xf0
> [ 310.088298] ? __vfs_write+0x4e0/0x960
> [ 310.089074] ? vfs_write+0x155/0x4b0
> [ 310.089838] ? SyS_write+0xf7/0x240
> [ 310.090593] ? do_syscall_64+0x235/0x5b0
> [ 310.091372] ? entry_SYSCALL64_slow_path+0x25/0x25
> [ 310.094690] ? sock_sendmsg+0xba/0xf0
> [ 310.096133] ? do_syscall_64+0x235/0x5b0
> [ 310.097593] ? entry_SYSCALL64_slow_path+0x25/0x25
> [ 310.099157] ? tcp_init_tso_segs+0x1e0/0x1e0
> [ 310.100539] ? radix_tree_lookup+0xd/0x10
> [ 310.101894] ? get_work_pool+0xcd/0x150
> [ 310.103216] ? check_flush_dependency+0x330/0x330
> [ 310.104113] tcp_write_xmit+0x498/0x52a0
> [ 310.104905] ? kasan_unpoison_shadow+0x35/0x50
> [ 310.105729] ? kasan_kmalloc+0xad/0xe0
> [ 310.106505] ? tcp_transmit_skb+0x3e00/0x3e00
> [ 310.107331] ? memset+0x31/0x40
> [ 310.108070] ? __check_object_size+0x22e/0x55c
> [ 310.108895] ? skb_pull_rcsum+0x2b0/0x2b0
> [ 310.109690] ? check_stack_object+0x120/0x120
> [ 310.110512] ? tcp_v4_md5_lookup+0x13/0x20
> [ 310.111315] __tcp_push_pending_frames+0x8d/0x2a0
> [ 310.112159] tcp_push+0x47c/0xbd0
> [ 310.112912] ? copy_from_iter_full+0x21e/0xc70
> [ 310.113747] ? sock_warn_obsolete_bsdism+0x70/0x70
> [ 310.114604] ? tcp_splice_data_recv+0x1c0/0x1c0
> [ 310.115436] ? iov_iter_copy_from_user_atomic+0xeb0/0xeb0
> [ 310.116324] tcp_sendmsg+0xd6d/0x43f0
> [ 310.117106] ? tcp_sendpage+0x2170/0x2170
> [ 310.117911] ? set_fd_set.part.1+0x50/0x50
> [ 310.118718] ? remove_wait_queue+0x196/0x3b0
> [ 310.119535] ? set_fd_set.part.1+0x50/0x50
> [ 310.120365] ? add_wait_queue_exclusive+0x290/0x290
> [ 310.121224] ? __wake_up+0x44/0x50
> [ 310.121985] ? n_tty_read+0x9f9/0x19d0
> [ 310.122898] ? __check_object_size+0x22e/0x55c
> [ 310.125380] inet_sendmsg+0x111/0x590
> [ 310.126863] ? inet_recvmsg+0x5e0/0x5e0
> [ 310.128348] ? inet_recvmsg+0x5e0/0x5e0
> [ 310.129817] sock_sendmsg+0xba/0xf0
> [ 310.131110] sock_write_iter+0x2e4/0x6a0
> [ 310.132433] ? core_sys_select+0x47d/0x780
> [ 310.133779] ? sock_sendmsg+0xf0/0xf0
> [ 310.134591] __vfs_write+0x4e0/0x960
> [ 310.135351] ? kvm_clock_get_cycles+0x1e/0x20
> [ 310.136160] ? __vfs_read+0x950/0x950
> [ 310.136931] ? rw_verify_area+0xbd/0x2b0
> [ 310.137711] vfs_write+0x155/0x4b0
> [ 310.138454] SyS_write+0xf7/0x240
> [ 310.139183] ? SyS_read+0x240/0x240
> [ 310.139922] ? SyS_read+0x240/0x240
> [ 310.140649] do_syscall_64+0x235/0x5b0
> [ 310.141390] ? trace_raw_output_sys_exit+0xf0/0xf0
> [ 310.142204] ? syscall_return_slowpath+0x240/0x240
> [ 310.143018] ? trace_do_page_fault+0xc4/0x3a0
> [ 310.143810] ? prepare_exit_to_usermode+0x124/0x160
> [ 310.144634] ? perf_trace_sys_enter+0x1080/0x1080
> [ 310.145447] entry_SYSCALL64_slow_path+0x25/0x25
> [ 310.146257] RIP: 0033:0x7f6f868fb070
> [ 310.146999] RSP: 002b:00007fffed379578 EFLAGS: 00000246 ORIG_RAX:
> 0000000000000001
> [ 310.148507] RAX: ffffffffffffffda RBX: 00000000000002e4 RCX:
> 00007f6f868fb070
> [ 310.149521] RDX: 00000000000002e4 RSI: 000055603b5cfc10 RDI:
> 0000000000000003
> [ 310.150532] RBP: 000055603b5aca60 R08: 0000000000000000 R09:
> 0000000000003000
> [ 310.151530] R10: 0000000000000008 R11: 0000000000000246 R12:
> 0000000000000000
> [ 310.152537] R13: 00007fffed37960f R14: 000055603a832e31 R15:
> 0000000000000003
> [ 310.153578]
> [ 310.156362] Allocated by task 483:
> [ 310.157812] save_stack_trace+0x1b/0x20
> [ 310.159274] save_stack+0x43/0xd0
> [ 310.160663] kasan_kmalloc+0xad/0xe0
> [ 310.161943] __kmalloc+0x105/0x230
> [ 310.163233] __vring_new_virtqueue+0xd1/0xee0
> [ 310.164623] vring_create_virtqueue+0x2e3/0x5e0
> [ 310.165536] setup_vq+0x136/0x620
> [ 310.166286] vp_setup_vq+0x13d/0x6d0
> [ 310.167059] vp_find_vqs_msix+0x46c/0xb50
> [ 310.167855] vp_find_vqs+0x71/0x410
> [ 310.168641] vp_modern_find_vqs+0x21/0x140
> [ 310.169453] init_vqs+0x957/0x1390 [virtio_net]
> [ 310.170306] virtnet_restore_up+0x4a/0x590 [virtio_net]
> [ 310.171214] virtnet_xdp+0x89f/0xdf0 [virtio_net]
> [ 310.172077] dev_change_xdp_fd+0x1ca/0x420
> [ 310.172918] do_setlink+0x2c33/0x3bc0
> [ 310.173703] rtnl_setlink+0x245/0x380
> [ 310.174511] rtnetlink_rcv_msg+0x530/0x9b0
> [ 310.175344] netlink_rcv_skb+0x213/0x450
> [ 310.176166] rtnetlink_rcv+0x28/0x30
> [ 310.176990] netlink_unicast+0x4a0/0x6c0
> [ 310.177807] netlink_sendmsg+0x9ec/0xe50
> [ 310.178646] sock_sendmsg+0xba/0xf0
> [ 310.179435] SYSC_sendto+0x31d/0x620
> [ 310.180229] SyS_sendto+0xe/0x10
> [ 310.181004] do_syscall_64+0x235/0x5b0
> [ 310.181783] return_from_SYSCALL_64+0x0/0x6a
> [ 310.182595]
> [ 310.183217] Freed by task 483:
> [ 310.183934] save_stack_trace+0x1b/0x20
> [ 310.184801] save_stack+0x43/0xd0
> [ 310.187187] kasan_slab_free+0x72/0xc0
> [ 310.188530] kfree+0x94/0x1a0
> [ 310.189797] vring_del_virtqueue+0x19a/0x430
> [ 310.191221] del_vq+0x11c/0x250
> [ 310.192474] vp_del_vqs+0x379/0xc30
> [ 310.193772] virtnet_del_vqs+0xad/0xe0 [virtio_net]
> [ 310.195064] virtnet_xdp+0x836/0xdf0 [virtio_net]
> [ 310.196231] dev_change_xdp_fd+0x37c/0x420
> [ 310.197072] do_setlink+0x2c33/0x3bc0
> [ 310.197804] rtnl_setlink+0x245/0x380
> [ 310.198530] rtnetlink_rcv_msg+0x530/0x9b0
> [ 310.199283] netlink_rcv_skb+0x213/0x450
> [ 310.200036] rtnetlink_rcv+0x28/0x30
> [ 310.200754] netlink_unicast+0x4a0/0x6c0
> [ 310.201496] netlink_sendmsg+0x9ec/0xe50
> [ 310.202236] sock_sendmsg+0xba/0xf0
> [ 310.202947] SYSC_sendto+0x31d/0x620
> [ 310.203660] SyS_sendto+0xe/0x10
> [ 310.204340] do_syscall_64+0x235/0x5b0
> [ 310.205050] return_from_SYSCALL_64+0x0/0x6a
> [ 310.205792]
> [ 310.206350] The buggy address belongs to the object at ffff88006aa64200
> [ 310.206350] which belongs to the cache kmalloc-8192 of size 8192
> [ 310.208149] The buggy address is located 32 bytes inside of
> [ 310.208149] 8192-byte region [ffff88006aa64200, ffff88006aa66200)
> [ 310.209929] The buggy address belongs to the page:
> [ 310.210763] page:ffffea0001aa9800 count:1 mapcount:0 mapping: (null)
> index:0x0 compound_mapcount: 0
> [ 310.212499] flags: 0x1ffff8000008100(slab|head)
> [ 310.213373] raw: 01ffff8000008100 0000000000000000 0000000000000000
> 0000000100030003
> [ 310.214481] raw: dead000000000100 dead000000000200 ffff88006cc02700
> 0000000000000000
> [ 310.215635] page dumped because: kasan: bad access detected
> [ 310.218989]
> [ 310.220398] Memory state around the buggy address:
> [ 310.222141] ffff88006aa64100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc
> [ 310.223996] ffff88006aa64180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc
> [ 310.225469] >ffff88006aa64200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb
> [ 310.227400] ^
> [ 310.228367] ffff88006aa64280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb
> [ 310.229510] ffff88006aa64300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb
> [ 310.230639]
> ==================================================================
> [ 310.231788] Disabling lock debugging due to kernel taint
> [ 310.233499] kasan: CONFIG_KASAN_INLINE enabled
> [ 310.236846] kasan: GPF could be caused by NULL-ptr deref or user memory
> access
> [ 310.239138] general protection fault: 0000 [#1] SMP KASAN
> [ 310.240926] Modules linked in: joydev kvm_intel kvm psmouse irqbypass
> i2c_piix4 qemu_fw_cfg ip_tables x_tables autofs4 serio_raw virtio_balloon
> pata_acpi virtio_net virtio_blk
> [ 310.243618] CPU: 0 PID: 352 Comm: sshd Tainted: G B 4.12.0-rc3+ #2
> [ 310.245780] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.10.2-20170228_101828-anatol 04/01/2014
> [ 310.249799] task: ffff880066ca8d80 task.stack: ffff880069e40000
> [ 310.251090] RIP: 0010:free_old_xmit_skbs.isra.29+0x9d/0x2e0 [virtio_net]
> [ 310.252403] RSP: 0018:ffff880069e46540 EFLAGS: 00010202
> [ 310.253631] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
> 0000000000000004
> [ 310.255916] RDX: dffffc0000000000 RSI: 0000000000000008 RDI:
> 0000000000000020
> [ 310.258017] RBP: ffff880069e465e8 R08: ffff880069e45f10 R09:
> ffff880066b3c400
> [ 310.259430] R10: ffff880069e45e98 R11: 1ffff1000cd952f3 R12:
> ffff880066b3c400
> [ 310.260797] R13: ffff880066b3c400 R14: ffff88006afc9156 R15:
> ffff88006afc9001
> [ 310.262139] FS: 00007f3020f26680(0000) GS:ffff88006d000000(0000)
> knlGS:0000000000000000
> [ 310.263564] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 310.264825] CR2: 00007efed4534010 CR3: 000000006986d000 CR4:
> 00000000000006f0
> [ 310.266178] Call Trace:
> [ 310.267231] ? virtnet_del_vqs+0xe0/0xe0 [virtio_net]
> [ 310.268453] ? packet_rcv+0x20d0/0x20d0
> [ 310.269559] start_xmit+0x1b4/0x1b10 [virtio_net]
> [ 310.270762] ? default_device_exit+0x2d0/0x2d0
> [ 310.271910] ? virtnet_remove+0xf0/0xf0 [virtio_net]
> [ 310.273076] ? update_load_avg+0x1281/0x29f0
> [ 310.274189] dev_hard_start_xmit+0x1ea/0x7f0
> [ 310.275295] ? validate_xmit_skb_list+0x100/0x100
> [ 310.276425] ? validate_xmit_skb+0x7f/0xc10
> [ 310.277548] ? rb_insert_color+0x1590/0x1590
> [ 310.280172] ? netif_skb_features+0x920/0x920
> [ 310.281275] ? __skb_tx_hash+0x2f0/0x2f0
> [ 310.282362] ? validate_xmit_skb_list+0xa3/0x100
> [ 310.283494] sch_direct_xmit+0x2eb/0x7a0
> [ 310.284559] ? dev_deactivate_queue.constprop.29+0x230/0x230
> [ 310.286448] ? netdev_pick_tx+0x212/0x2b0
> [ 310.288251] ? __account_cfs_rq_runtime+0x630/0x630
> [ 310.289707] __dev_queue_xmit+0x12fa/0x20b0
> [ 310.290788] ? netdev_pick_tx+0x2b0/0x2b0
> [ 310.291837] ? update_curr+0x1ef/0x750
> [ 310.292826] ? update_stack_state+0x402/0x780
> [ 310.293827] ? account_entity_enqueue+0x730/0x730
> [ 310.294831] ? update_stack_state+0x402/0x780
> [ 310.295818] ? update_curr_fair+0x70/0x70
> [ 310.296737] ? entry_SYSCALL64_slow_path+0x25/0x25
> [ 310.297693] ? dequeue_entity+0x27a/0x1520
> [ 310.298591] ? bpf_prog_alloc+0x320/0x320
> [ 310.299484] ? yield_to_task_fair+0x110/0x110
> [ 310.300385] ? unwind_dump+0x4e0/0x4e0
> [ 310.301246] ? __free_insn_slot+0x600/0x600
> [ 310.302125] ? unwind_dump+0x4e0/0x4e0
> [ 310.302975] ? dequeue_task_fair+0xc09/0x2ec0
> [ 310.303883] dev_queue_xmit+0x10/0x20
> [ 310.304711] ip_finish_output2+0xacf/0x12a0
> [ 310.305558] ? dequeue_entity+0x1520/0x1520
> [ 310.306393] ? ip_fragment.constprop.47+0x220/0x220
> [ 310.307320] ? save_stack_trace+0x1b/0x20
> [ 310.308133] ? save_stack+0x43/0xd0
> [ 310.309081] ? kasan_slab_free+0x72/0xc0
> [ 310.310614] ? kfree_skbmem+0xb6/0x1d0
> [ 310.311406] ? tcp_ack+0x2730/0x7450
> [ 310.312167] ? tcp_rcv_established+0xdbb/0x2db0
> [ 310.312987] ? tcp_v4_do_rcv+0x2bb/0x7a0
> [ 310.313769] ? __release_sock+0x14a/0x2b0
> [ 310.314550] ? release_sock+0xa8/0x270
> [ 310.315330] ? inet_sendmsg+0x111/0x590
> [ 310.316100] ? sock_sendmsg+0xba/0xf0
> [ 310.317403] ? sock_write_iter+0x2e4/0x6a0
> [ 310.318759] ? __rb_erase_color+0x27d0/0x27d0
> [ 310.319949] ? rt_cpu_seq_show+0x2d0/0x2d0
> [ 310.320800] ? update_stack_state+0x402/0x780
> [ 310.321590] ip_finish_output+0x407/0x880
> [ 310.322347] ? ip_finish_output+0x407/0x880
> [ 310.323138] ? update_stack_state+0x402/0x780
> [ 310.323948] ip_output+0x1c0/0x640
> [ 310.324661] ? ip_mc_output+0x1350/0x1350
> [ 310.325415] ? __sk_dst_check+0x164/0x370
> [ 310.326169] ? complete_formation.isra.53+0xa30/0xa30
> [ 310.327013] ? __read_once_size_nocheck.constprop.7+0x20/0x20
> [ 310.327896] ? sock_prot_inuse_add+0xa0/0xa0
> [ 310.328684] ? memcpy+0x45/0x50
> [ 310.329393] ? __copy_skb_header+0x1fa/0x280
> [ 310.330180] ip_local_out+0x70/0x90
> [ 310.330914] ip_queue_xmit+0x8a1/0x22a0
> [ 310.331676] ? ip_build_and_send_pkt+0xe80/0xe80
> [ 310.332517] ? tcp_v4_md5_lookup+0x13/0x20
> [ 310.333298] tcp_transmit_skb+0x187a/0x3e00
> [ 310.334085] ? __tcp_select_window+0xaf0/0xaf0
> [ 310.334887] ? sock_sendmsg+0xba/0xf0
> [ 310.335637] ? __vfs_write+0x4e0/0x960
> [ 310.336391] ? vfs_write+0x155/0x4b0
> [ 310.337135] ? SyS_write+0xf7/0x240
> [ 310.337861] ? do_syscall_64+0x235/0x5b0
> [ 310.338612] ? entry_SYSCALL64_slow_path+0x25/0x25
> [ 310.339443] ? sock_sendmsg+0xba/0xf0
> [ 310.341675] ? do_syscall_64+0x235/0x5b0
> [ 310.342441] ? entry_SYSCALL64_slow_path+0x25/0x25
> [ 310.343298] ? tcp_init_tso_segs+0x1e0/0x1e0
> [ 310.344095] ? radix_tree_lookup+0xd/0x10
> [ 310.344871] ? get_work_pool+0xcd/0x150
> [ 310.345635] ? check_flush_dependency+0x330/0x330
> [ 310.346466] tcp_write_xmit+0x498/0x52a0
> [ 310.347826] ? kasan_unpoison_shadow+0x35/0x50
> [ 310.349243] ? kasan_kmalloc+0xad/0xe0
> [ 310.350156] ? tcp_transmit_skb+0x3e00/0x3e00
> [ 310.351261] ? memset+0x31/0x40
> [ 310.352054] ? __check_object_size+0x22e/0x55c
> [ 310.352881] ? skb_pull_rcsum+0x2b0/0x2b0
> [ 310.353686] ? check_stack_object+0x120/0x120
> [ 310.354506] ? tcp_v4_md5_lookup+0x13/0x20
> [ 310.355327] __tcp_push_pending_frames+0x8d/0x2a0
> [ 310.356174] ? tcp_cwnd_restart+0x169/0x440
> [ 310.357016] tcp_push+0x47c/0xbd0
> [ 310.357777] ? copy_from_iter_full+0x21e/0xc70
> [ 310.358618] ? tcp_splice_data_recv+0x1c0/0x1c0
> [ 310.359463] ? iov_iter_copy_from_user_atomic+0xeb0/0xeb0
> [ 310.360355] ? tcp_send_mss+0x24/0x2b0
> [ 310.361135] tcp_sendmsg+0xd6d/0x43f0
> [ 310.361908] ? select_estimate_accuracy+0x440/0x440
> [ 310.362765] ? tcp_sendpage+0x2170/0x2170
> [ 310.363583] ? set_fd_set.part.1+0x50/0x50
> [ 310.364392] ? remove_wait_queue+0x196/0x3b0
> [ 310.365205] ? set_fd_set.part.1+0x50/0x50
> [ 310.366005] ? add_wait_queue_exclusive+0x290/0x290
> [ 310.366865] ? __wake_up+0x44/0x50
> [ 310.367637] ? n_tty_read+0x9f9/0x19d0
> [ 310.368424] ? update_blocked_averages+0x9a0/0x9a0
> [ 310.369283] ? __check_object_size+0x22e/0x55c
> [ 310.370129] inet_sendmsg+0x111/0x590
> [ 310.371104] ? inet_recvmsg+0x5e0/0x5e0
> [ 310.372571] ? inet_recvmsg+0x5e0/0x5e0
> [ 310.373449] sock_sendmsg+0xba/0xf0
> [ 310.374217] sock_write_iter+0x2e4/0x6a0
> [ 310.375005] ? core_sys_select+0x47d/0x780
> [ 310.375822] ? sock_sendmsg+0xf0/0xf0
> [ 310.376607] __vfs_write+0x4e0/0x960
> [ 310.377463] ? kvm_clock_get_cycles+0x1e/0x20
> [ 310.378864] ? __vfs_read+0x950/0x950
> [ 310.380178] ? rw_verify_area+0xbd/0x2b0
> [ 310.381092] vfs_write+0x155/0x4b0
> [ 310.381877] SyS_write+0xf7/0x240
> [ 310.382616] ? SyS_read+0x240/0x240
> [ 310.383404] ? SyS_read+0x240/0x240
> [ 310.384159] do_syscall_64+0x235/0x5b0
> [ 310.384930] ? trace_raw_output_sys_exit+0xf0/0xf0
> [ 310.385747] ? syscall_return_slowpath+0x240/0x240
> [ 310.386564] ? trace_do_page_fault+0xc4/0x3a0
> [ 310.387424] ? prepare_exit_to_usermode+0x124/0x160
> [ 310.388524] ? perf_trace_sys_enter+0x1080/0x1080
> [ 310.389347] entry_SYSCALL64_slow_path+0x25/0x25
> [ 310.390164] RIP: 0033:0x7f301f83c070
> [ 310.390906] RSP: 002b:00007ffff738fc78 EFLAGS: 00000246 ORIG_RAX:
> 0000000000000001
> [ 310.391943] RAX: ffffffffffffffda RBX: 0000000000000564 RCX:
> 00007f301f83c070
> [ 310.392938] RDX: 0000000000000564 RSI: 000055cf87fb0748 RDI:
> 0000000000000003
> [ 310.393947] RBP: 000055cf87f8f090 R08: 0000000000000000 R09:
> 0000000000003000
> [ 310.394948] R10: 0000000000000008 R11: 0000000000000246 R12:
> 0000000000000000
> [ 310.395967] R13: 00007ffff738fd0f R14: 000055cf873dde31 R15:
> 0000000000000003
> [ 310.396969] Code: 00 00 48 89 5d d0 31 db 80 3c 02 00 0f 85 05 02 00 00
> 49 8b 45 00 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03
> <80> 3c 11 00 0f 85 04 02 00 00 48 8b 58 20 48 ba 00 00 00 00 00
> [ 310.399937] RIP: free_old_xmit_skbs.isra.29+0x9d/0x2e0 [virtio_net] RSP:
> ffff880069e46540
> [ 310.401120] ---[ end trace 89c5b0ea3f07debe ]---
> [ 310.403923] Kernel panic - not syncing: Fatal exception in interrupt
> [ 310.405942] Kernel Offset: 0x33200000 from 0xffffffff81000000 (relocation
> range: 0xffffffff80000000-0xffffffffbfffffff)
> [ 310.408133] ---[ end Kernel panic - not syncing: Fatal exception in
> interrupt
>
>
> (gdb) l *(free_old_xmit_skbs+0x2b7)
> 0x22f7 is in free_old_xmit_skbs (drivers/net/virtio_net.c:1051).
> 1046
> 1047 static void free_old_xmit_skbs(struct send_queue *sq)
> 1048 {
> 1049 struct sk_buff *skb;
> 1050 unsigned int len;
> 1051 struct virtnet_info *vi = sq->vq->vdev->priv;
> 1052 struct virtnet_stats *stats = this_cpu_ptr(vi->stats);
> 1053 unsigned int packets = 0;
> 1054 unsigned int bytes = 0;
> 1055
>
> Let me know if i need to provide more informations.
>
> Best regards.
>
> Jean-Philippe
So del_vq done during xdp setup seems to race with regular xmit.
Since commit 680557cf79f82623e2c4fd42733077d60a843513
virtio_net: rework mergeable buffer handling
we no longer must do the resets, we now have enough space
to store a bit saying whether a buffer is xdp one or not.
And that's probably a cleaner way to fix these issues than
try to find and fix the race condition.
John?
--
MST
next prev parent reply other threads:[~2017-06-05 2:08 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-04 22:48 BUG: KASAN: use-after-free in free_old_xmit_skbs Jean-Philippe Menil
2017-06-05 2:08 ` Michael S. Tsirkin [this message]
2017-06-05 23:52 ` Michael S. Tsirkin
2017-06-05 23:52 ` [Qemu-devel] " Michael S. Tsirkin
2017-06-22 6:15 ` jean-philippe menil
2017-06-22 6:15 ` [Qemu-devel] " jean-philippe menil
2017-06-22 18:53 ` Michael S. Tsirkin
2017-06-22 18:53 ` [Qemu-devel] " Michael S. Tsirkin
2017-06-23 8:43 ` Jason Wang
2017-06-23 8:43 ` [Qemu-devel] " Jason Wang
2017-06-23 9:33 ` Jean-Philippe Menil
2017-06-23 9:33 ` [Qemu-devel] " Jean-Philippe Menil
2017-06-23 9:33 ` Jean-Philippe Menil
2017-06-23 22:32 ` Cong Wang
2017-06-23 22:32 ` [Qemu-devel] " Cong Wang
2017-06-26 2:50 ` Jason Wang
2017-06-26 2:50 ` [Qemu-devel] " Jason Wang
2017-06-26 7:35 ` Jean-Philippe Menil
2017-06-26 7:35 ` [Qemu-devel] " Jean-Philippe Menil
2017-06-27 2:13 ` Jason Wang
2017-06-27 2:13 ` Jason Wang
2017-06-27 12:35 ` Jean-Philippe Menil
2017-06-27 12:35 ` Jean-Philippe Menil
2017-06-26 7:35 ` Jean-Philippe Menil
2017-06-23 22:32 ` Cong Wang
2017-06-22 18:53 ` Michael S. Tsirkin
2017-06-05 23:52 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170605050423-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=jasowang@redhat.com \
--cc=john.fastabend@gmail.com \
--cc=jpmenil@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.