From: "Linus Lüssing" <linus.luessing@c0d3.blue>
To: The list for a Better Approach To Mobile Ad-hoc Networking
<b.a.t.m.a.n@lists.open-mesh.org>
Subject: Re: [B.A.T.M.A.N.] [RFC v3 02/19] batman-adv: Prepare framework for mesh genl config
Date: Mon, 7 Jan 2019 19:49:06 +0100
Message-ID: <20190107184906.GC5399@otheros>
In-Reply-To: <20181207135846.6152-3-sven@narfation.org>
On Fri, Dec 07, 2018 at 02:58:29PM +0100, Sven Eckelmann wrote:
> diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
> index b20801a3..d89761f8 100644
> --- a/net/batman-adv/netlink.c
> +++ b/net/batman-adv/netlink.c
[...]
> -static int
> -batadv_netlink_mesh_info_put(struct sk_buff *msg, struct net_device *soft_iface)
> +static int batadv_netlink_mesh_put(struct sk_buff *msg,
> + struct batadv_priv *bat_priv,
> + enum batadv_nl_commands cmd,
> + u32 portid, u32 seq, int flags)
> {
> - struct batadv_priv *bat_priv = netdev_priv(soft_iface);
> + struct net_device *soft_iface = bat_priv->soft_iface;
> struct batadv_hard_iface *primary_if = NULL;
> struct net_device *hard_iface;
> - int ret = -ENOBUFS;
> + void *hdr;
> +
> + hdr = genlmsg_put(msg, portid, seq, &batadv_netlink_family, flags, cmd);
> + if (!hdr)
> + return -ENOBUFS;
>
> if (nla_put_string(msg, BATADV_ATTR_VERSION, BATADV_SOURCE_VERSION) ||
> nla_put_string(msg, BATADV_ATTR_ALGO_NAME,
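Review bot: the early `return -ENOBUFS;` after genlmsg_put() uses a different error code than the nla_put_failure path at the end of this function, which returns -EMSGSIZE, while the replaced code returned `ret = -ENOBUFS` for every failure. Either pick one code for "message did not fit" in both places (the genl code and batctl callers then only have to handle one value) or state in the commit message why genlmsg_put() failure and nla_put() failure are reported differently.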
> @@ -162,16 +173,16 @@ batadv_netlink_mesh_info_put(struct sk_buff *msg, struct net_device *soft_iface)
> soft_iface->dev_addr) ||
> nla_put_u8(msg, BATADV_ATTR_TT_TTVN,
> (u8)atomic_read(&bat_priv->tt.vn)))
> - goto out;
> + goto nla_put_failure;
>
> #ifdef CONFIG_BATMAN_ADV_BLA
> if (nla_put_u16(msg, BATADV_ATTR_BLA_CRC,
> ntohs(bat_priv->bla.claim_dest.group)))
> - goto out;
> + goto nla_put_failure;
> #endif
>
> if (batadv_mcast_mesh_info_put(msg, bat_priv))
> - goto out;
> + goto nla_put_failure;
>
> primary_if = batadv_primary_if_get_selected(bat_priv);
> if (primary_if && primary_if->if_status == BATADV_IF_ACTIVE) {
> @@ -183,77 +194,94 @@ batadv_netlink_mesh_info_put(struct sk_buff *msg, struct net_device *soft_iface)
> hard_iface->name) ||
> nla_put(msg, BATADV_ATTR_HARD_ADDRESS, ETH_ALEN,
> hard_iface->dev_addr))
> - goto out;
> + goto nla_put_failure;
> }
>
> - ret = 0;
> + batadv_hardif_put(primary_if);
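Review bot: the new unconditional `batadv_hardif_put(primary_if);` on the success path dereferences a NULL pointer whenever no primary interface is selected. batadv_primary_if_get_selected() can return NULL, the condition `if (primary_if && primary_if->if_status == BATADV_IF_ACTIVE)` a few lines above already allows for that, and the nla_put_failure path below keeps its `if (primary_if)` guard. Guard the put here the same way, or route both the success and the failure path through one label that does the guarded release before genlmsg_end()/genlmsg_cancel().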
I seem to be able to trigger a null pointer dereference for this
batadv_hardif_put() call here. With the following steps I end up
with a primary_if == NULL:
$ batctl if add 1
root@Linus-Debian:~# batctl o
Error - interface bat0 is not present or not a batman-adv interface
root@Linus-Debian:~# batctl if add 1
Error - interface does not exist: 1
root@Linus-Debian:~# batctl o
Killed
root@Linus-Debian:~#
root@Linus-Debian:~#
root@Linus-Debian:~# batctl o
>
> - out:
> + genlmsg_end(msg, hdr);
> + return 0;
> +
> +nla_put_failure:
> if (primary_if)
> batadv_hardif_put(primary_if);
>
> - return ret;
> + genlmsg_cancel(msg, hdr);
> + return -EMSGSIZE;
> }
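Review bot: the two exits now handle primary_if differently (released unconditionally before genlmsg_end(), released under `if (primary_if)` before genlmsg_cancel()), which is easy to get wrong again on the next edit of this function; a single `out:` label with the guarded put, followed by `ret ? genlmsg_cancel(msg, hdr) : genlmsg_end(msg, hdr)`, keeps the reference handling in one place. Note also that `genlmsg_cancel(msg, hdr)` is only safe here because the `!hdr` case returned early right after genlmsg_put(); keep that early return if the header setup is ever moved.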
The panic looks like this then:
[ 2309.363754] batman_adv: bat0: Interface deactivated: ens3
[ 2309.364709] batman_adv: bat0: Removing interface: ens3
[ 2309.365662] batman_adv: bat0: Interface deactivated: ens5
[ 2309.366624] batman_adv: bat0: Removing interface: ens5
[ 2310.402540] batman_adv: B.A.T.M.A.N. advanced 2018.4-38-g25676ce7-dirty (compatibility version 15) loaded
[ 2321.727530] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[ 2321.728869] IP: [<ffffffffc091df19>] batadv_netlink_mesh_put.constprop.13+0x459/0x630 [batman_adv]
[ 2321.730060] PGD 0 [ 2321.730311]
[ 2321.730533] Oops: 0002 [#1] SMP
[ 2321.730952] Modules linked in: batman_adv(O) cfg80211 rfkill evdev joydev serio_raw pcspkr button nfsd bridge auth_rpcgss oid_registry stp nfs_acl lockd llc grace sunrpc crc16 ip_tables x_tables autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod 9pnet_rdma rdma_cm configfs iw_cm ib_cm ib_core 9p fscache 8139too ata_generic 9pnet_virtio 9pnet psmouse floppy virtio_pci virtio_ring virtio 8139cp mii ata_piix e1000 i2c_piix4 libata scsi_mod [last unloaded: batman_adv]
[ 2321.731472] CPU: 0 PID: 2948 Comm: batctl Tainted: G O 4.9.0-7-amd64 #1 Debian 4.9.110-3+deb9u2
[ 2321.731472] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 2321.731472] task: ffff9fa5d9cde100 task.stack: ffffc0d7805e8000
[ 2321.731472] RIP: 0010:[<ffffffffc091df19>] [<ffffffffc091df19>] batadv_netlink_mesh_put.constprop.13+0x459/0x630 [batman_adv]
[ 2321.731472] RSP: 0018:ffffc0d7805ebae0 EFLAGS: 00010282
[ 2321.731472] RAX: 0000000000000000 RBX: ffff9fa5dcf4c800 RCX: 00000000000003e8
[ 2321.731472] RDX: ffffffffc091a010 RSI: ffffc0d7805ebaec RDI: ffff9fa5db9c80f8
[ 2321.731472] RBP: ffff9fa5d9d538c0 R08: 00000000000003e8 R09: 0000000000000004
[ 2321.731472] R10: ffff9fa5db9c80fc R11: 0079747269642d37 R12: ffff9fa5db9c8014
[ 2321.731472] R13: 0000000000000028 R14: 0000000000000000 R15: ffffffff8bedbe00
[ 2321.731472] FS: 00007fa18cf5a740(0000) GS:ffff9fa5de800000(0000) knlGS:0000000000000000
[ 2321.731472] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2321.731472] CR2: 0000000000000028 CR3: 0000000018d9f000 CR4: 00000000000006f0
[ 2321.731472] Stack:
[ 2321.731472] ffffffff8b6f6cb6 000003e88b6f5d3e 7c37bd74f749c6fc ffffc0d7805ebb90
[ 2321.731472] ffff9fa5dcf4c800 ffff9fa5d9d538c0 ffff9fa5dfa6e500 ffff9fa5db925c00
[ 2321.731472] ffffffff8bedbe00 ffffffffc091e138 ffffffffc092d180 ffffffffc092d180
[ 2321.731472] Call Trace:
[ 2321.731472] [<ffffffff8b6f6cb6>] ? __alloc_skb+0x96/0x1e0
[ 2321.731472] [<ffffffffc091e138>] ? batadv_netlink_get_mesh+0x48/0xa0 [batman_adv]
[ 2321.731472] [<ffffffff8b7445f5>] ? genl_family_rcv_msg+0x1c5/0x360
[ 2321.731472] [<ffffffff8b6f5d3e>] ? __kmalloc_reserve.isra.35+0x2e/0x80
[ 2321.731472] [<ffffffff8b3e4906>] ? kmem_cache_alloc_node_trace+0x156/0x5a0
[ 2321.731472] [<ffffffff8b744790>] ? genl_family_rcv_msg+0x360/0x360
[ 2321.731472] [<ffffffff8b744812>] ? genl_rcv_msg+0x82/0xc0
[ 2321.731472] [<ffffffff8b743d94>] ? netlink_rcv_skb+0xa4/0xc0
[ 2321.731472] [<ffffffff8b744414>] ? genl_rcv+0x24/0x40
[ 2321.731472] [<ffffffff8b74376a>] ? netlink_unicast+0x18a/0x230
[ 2321.731472] [<ffffffff8b743b67>] ? netlink_sendmsg+0x357/0x3b0
[ 2321.731472] [<ffffffff8b6ee946>] ? sock_sendmsg+0x36/0x40
[ 2321.731472] [<ffffffff8b6ef3d8>] ? ___sys_sendmsg+0x2c8/0x2e0
[ 2321.731472] [<ffffffff8b3fe078>] ? mem_cgroup_commit_charge+0x78/0x4b0
[ 2321.731472] [<ffffffff8b3b8a6e>] ? handle_mm_fault+0xe7e/0x1280
[ 2321.731472] [<ffffffff8b6ed905>] ? move_addr_to_user+0xb5/0xd0
[ 2321.731472] [<ffffffff8b6efce1>] ? __sys_sendmsg+0x51/0x90
[ 2321.731472] [<ffffffff8b203b7d>] ? do_syscall_64+0x8d/0xf0
[ 2321.731472] [<ffffffff8b814c4e>] ? entry_SYSCALL_64_after_swapgs+0x58/0xc6
[ 2321.731472] Code: 00 00 be 39 00 00 00 48 89 df 89 44 24 0c e8 3f 03 c4 ca 85 c0 75 48 48 c7 c2 10 a0 91 c0 49 83 c5 28 48 85 d2 0f 84 ae 01 00 00 <f0> 41 83 6d 00 01 75 10 4c 89 ef 89 44 24 04 e8 e3 c0 ff ff 8b
[ 2321.731472] RIP [<ffffffffc091df19>] batadv_netlink_mesh_put.constprop.13+0x459/0x630 [batman_adv]
[ 2321.731472] RSP <ffffc0d7805ebae0>
[ 2321.731472] CR2: 0000000000000028
[ 2321.770447] ---[ end trace cdc14a8e37e47f7e ]---
Next to a missing bailout for a primary_if == NULL, it's also odd
that this "batctl if add" does seem to change something in the
kernel even though it returns an error. I haven't looked into why
that happens yet, though.
PS: In these tests I had also commented out all items in the *_attrs[] arrays
in sysfs.c to make sure that I'm using netlink for everything.
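The failure reported above comes from one exit path releasing a reference unconditionally while the other guards it. The following is an added userspace model of those two exit paths, not batman-adv code: `hardif_put()`, `primary_if_get_selected()`, `msg_put()` and the struct layouts are assumptions standing in for batadv_hardif_put(), batadv_primary_if_get_selected(), nla_put() and the kernel structs, and a NULL put is recorded in a counter instead of faulting so the behaviour can be observed. `mesh_put_buggy()` mirrors the posted hunk, `mesh_put_fixed()` routes both paths through one guarded release.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not batman-adv code: a userspace model of the exit paths of
 * batadv_netlink_mesh_put(). Every name and helper here is an assumption. */

struct hard_iface {
	int refcount;
	int active;                  /* stands in for if_status == BATADV_IF_ACTIVE */
	const char *name;
};

struct priv {
	struct hard_iface *primary;  /* NULL while no primary interface is selected */
};

/* Counts calls of hardif_put(NULL). The real batadv_hardif_put() touches the
 * refcount inside the struct, so in the kernel this is the oops; the model
 * records the event instead so a test can check for it. */
static int null_puts;

/* stands in for batadv_primary_if_get_selected(): a reference or NULL */
static struct hard_iface *primary_if_get_selected(struct priv *p)
{
	if (!p->primary)
		return NULL;
	p->primary->refcount++;
	return p->primary;
}

static void hardif_put(struct hard_iface *h)
{
	if (!h) {
		null_puts++;
		return;
	}
	h->refcount--;
}

/* stands in for nla_put(): fails when the message buffer is full */
static int msg_put(char *buf, size_t len, const char *attr)
{
	if (strlen(buf) + strlen(attr) + 1 > len)
		return -1;
	strcat(buf, attr);
	return 0;
}

/* Mirrors the posted hunk: the success path releases primary unconditionally,
 * only the nla_put_failure path checks for NULL. */
static int mesh_put_buggy(struct priv *p, char *buf, size_t len)
{
	struct hard_iface *primary = NULL;

	buf[0] = '\0';
	if (msg_put(buf, len, "version;"))
		goto nla_put_failure;

	primary = primary_if_get_selected(p);
	if (primary && primary->active && msg_put(buf, len, primary->name))
		goto nla_put_failure;

	hardif_put(primary);         /* NULL when nothing is selected */
	return 0;

nla_put_failure:
	if (primary)
		hardif_put(primary);
	buf[0] = '\0';
	return -EMSGSIZE;
}

/* Fixed variant: both paths release the reference through one guarded put. */
static int mesh_put_fixed(struct priv *p, char *buf, size_t len)
{
	struct hard_iface *primary = NULL;
	int ret = -EMSGSIZE;

	buf[0] = '\0';
	if (msg_put(buf, len, "version;"))
		goto out;

	primary = primary_if_get_selected(p);
	if (primary && primary->active && msg_put(buf, len, primary->name))
		goto out;
	ret = 0;

out:
	if (primary)
		hardif_put(primary);
	if (ret)
		buf[0] = '\0';
	return ret;
}

int main(void)
{
	struct priv none = { NULL };
	char buf[64];

	mesh_put_buggy(&none, buf, sizeof buf);
	printf("buggy variant, no primary interface: %d NULL put(s)\n", null_puts);
	return 0;
}
```

Running the model with no primary interface makes the buggy variant hand NULL to the put helper exactly once, which is the `batctl o` after the failed `batctl if add` in the report; the fixed variant never does, and with a primary interface the refcount returns to its initial value on both the success and the too-small-buffer path.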
Thread overview: 43+ messages
2018-12-07 13:58 [B.A.T.M.A.N.] [RFC v3 00/19] batman-adv: netlink restructuring, part 2 Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 01/19] batman-adv: Move common genl doit code pre/post hooks Sven Eckelmann
2018-12-30 16:57 ` Linus Lüssing
2018-12-31 19:08 ` Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 02/19] batman-adv: Prepare framework for mesh genl config Sven Eckelmann
2018-12-31 11:09 ` Linus Lüssing
2018-12-31 19:11 ` Sven Eckelmann
2019-01-07 18:49 ` Linus Lüssing [this message]
2019-01-08 7:54 ` Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 03/19] batman-adv: Prepare framework for hardif " Sven Eckelmann
2018-12-31 11:59 ` Linus Lüssing
2018-12-31 19:17 ` Sven Eckelmann
2019-01-04 0:39 ` Linus Lüssing
2019-01-04 7:52 ` Sven Eckelmann
2019-01-05 15:12 ` Linus Lüssing
2019-01-05 17:22 ` Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 04/19] batman-adv: Prepare framework for vlan " Sven Eckelmann
2019-01-04 1:53 ` Linus Lüssing
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 05/19] batman-adv: Add aggregated_ogms mesh genl configuration Sven Eckelmann
2019-01-04 1:40 ` Linus Lüssing
2019-01-04 7:59 ` Sven Eckelmann
2019-01-04 2:06 ` Linus Lüssing
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 06/19] batman-adv: Add ap_isolation mesh/vlan " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 07/19] batman-adv: Add bonding mesh " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 08/19] batman-adv: Add bridge_loop_avoidance " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 09/19] batman-adv: Add distributed_arp_table " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 10/19] batman-adv: Add fragmentation " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 11/19] batman-adv: Add gateway " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 12/19] batman-adv: Add hop_penalty " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 13/19] batman-adv: Add log_level " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 14/19] batman-adv: Add multicast_mode " Sven Eckelmann
2019-01-04 1:57 ` Linus Lüssing
2019-01-04 7:44 ` Sven Eckelmann
2019-01-04 8:51 ` Jiri Pirko
2019-01-05 15:02 ` Linus Lüssing
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 15/19] batman-adv: Add network_coding " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 16/19] batman-adv: Add orig_interval " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 17/19] batman-adv: Add elp_interval hardif " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 18/19] batman-adv: Add throughput_override " Sven Eckelmann
2018-12-07 13:58 ` [B.A.T.M.A.N.] [RFC v3 19/19] batman-adv: Trigger genl notification on sysfs config change Sven Eckelmann
2019-01-04 2:29 ` Linus Lüssing
2019-01-04 7:58 ` Sven Eckelmann
2019-01-05 15:03 ` Linus Lüssing