From: Yunseong Kim <yskelg@gmail.com>
To: "Pedro Tammela" <pctammela@mojatatu.com>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Masami Hiramatsu" <mhiramat@kernel.org>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"Takashi Iwai" <tiwai@suse.de>,
"David S. Miller" <davem@davemloft.net>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Jamal Hadi Salim" <jhs@mojatatu.com>,
"Cong Wang" <xiyou.wangcong@gmail.com>,
"Jiri Pirko" <jiri@resnulli.us>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>
Cc: Taehee Yoo <ap420073@gmail.com>,
Austin Kim <austindh.kim@gmail.com>,
shjy180909@gmail.com, linux-kernel@vger.kernel.org,
linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org,
pbuk5246@gmail.com
Subject: Re: [PATCH] qdisc: fix NULL pointer dereference in perf_trace_qdisc_reset()
Date: Sat, 22 Jun 2024 00:06:56 +0900 [thread overview]
Message-ID: <23f571cd-aaf6-46d9-a2b1-38e7b6a1f908@gmail.com> (raw)
In-Reply-To: <f2ff57c9-1c10-429f-8739-39743bf58daf@mojatatu.com>
[-- Attachment #1: Type: text/plain, Size: 2582 bytes --]
Hi Pedro,
On 6/21/24 11:24 PM, Pedro Tammela wrote:
> On 21/06/2024 08:45, yskelg@gmail.com wrote:
>> From: Yunseong Kim <yskelg@gmail.com>
>>
>> In TRACE_EVENT(qdisc_reset), a NULL dereference occurred from
>>
>> qdisc->dev_queue->dev <NULL> ->name
>>
>> This situation was simulated from a bunch of veths and Bluetooth
>> dis/reconnection.
>>
>> During qdisc initialization, qdisc was being set to noop_queue.
>> In veth_init_queue, the initial tx_num was reduced back to one,
>> causing the qdisc reset to be called with noop, which led to the
>> kernel panic.
>>
>> I think this will happen on the following kernel versions:
>> Linux kernel version ≥ v6.7.10, ≥ v6.8, ≥ v6.9 and 6.10
>
> You should tag your patch for the net tree
Thank you for the code review, I will tag the next patch for the net tree.
>> This occurred from 51270d573a8d. I think this patch is absolutely
>> necessary. Previously, it was showing an unintended string value of name.
> Add a 'Fixes:' tag with this commit
I will add a 'Fixes: 51270d573a8d' tag to the patch v2 message.
>> I can attach a syz-execprog's executing program, kernel dump and dmesg
>> if someone needs it, but I'm not sure how to safely attach a large vmcore
>> with vmlinux.
>
> The syzkaller program + C reproducer is usually enough, please make it
> visible somewhere
I got it. I have a converted C syz program, so I've attached the GitHub
gist link and the C source code to this mail.
https://gist.github.com/yskelg/cc64562873ce249cdd0d5a358b77d740
>> Signed-off-by: Yunseong Kim <yskelg@gmail.com>, Yeoreum Yun
>> <yeoreum.yun@arm.com>
>
> Should be two SoB tags
Oh, it's the first time we've sent a patch together; I made a mistake. Sorry.
Thank you Pedro for the advice!
>> ---
>> include/trace/events/qdisc.h | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h
>> index f1b5e816e7e5..170b51fbe47a 100644
>> --- a/include/trace/events/qdisc.h
>> +++ b/include/trace/events/qdisc.h
>> @@ -81,7 +81,7 @@ TRACE_EVENT(qdisc_reset,
>> TP_ARGS(q),
>> TP_STRUCT__entry(
>> - __string( dev, qdisc_dev(q)->name )
>> + __string(dev, qdisc_dev(q) ? qdisc_dev(q)->name : "noop_queue")
>> __string( kind, q->ops->id )
>> __field( u32, parent )
>> __field( u32, handle )
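Review bot: the guard is added only to the `__string()` declaration of `dev`; the copy of the name into the ring buffer happens in `__assign_str()` under `TP_fast_assign`, which this diff does not touch. On kernels where `__assign_str()` reuses the `__string()` expression the one-line change is sufficient, but the stable lines the commit message lists as affected (v6.7.10, v6.8, v6.9) still pass their own source expression to `__assign_str(dev, ...)`, so a backport that carries only this hunk would still dereference `qdisc_dev(q)->name` on the noop qdisc before the new conditional is reached; the same `qdisc_dev(q) ? ... : ...` guard has to go there as well. Two smaller points: the new line calls `qdisc_dev(q)` twice where one evaluation would do, and it drops the `__string( dev, ... )` spacing that the neighbouring `__string( kind, q->ops->id )` line keeps, so the entry now mixes two styles. Also consider whether "noop_queue" is the right placeholder: it fits in IFNAMSIZ and could collide with a real interface of that name, so a consumer of the trace cannot tell the fallback from a device; a marker that cannot be a valid netdev name (for example "(null)") avoids the ambiguity.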
>
Warm Regards,
Yunseong Kim
[-- Attachment #2: qdisc-null-ptr-deref.c --]
[-- Type: text/plain, Size: 9962 bytes --]
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef __NR_add_key
#define __NR_add_key 217
#endif
#ifndef __NR_bpf
#define __NR_bpf 280
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_keyctl
#define __NR_keyctl 219
#endif
#ifndef __NR_mlockall
#define __NR_mlockall 230
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_mremap
#define __NR_mremap 216
#endif
#ifndef __NR_munmap
#define __NR_munmap 215
#endif
#ifndef __NR_openat
#define __NR_openat 56
#endif
#ifndef __NR_read
#define __NR_read 63
#endif
#ifndef __NR_shmctl
#define __NR_shmctl 195
#endif
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
uint64_t r[7] = {0xffffffffffffffff,
0xffffffffffffffff,
0xffffffffffffffff,
0x0,
0xffffffffffffffff,
0xffffffffffffffff,
0x0};
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
const char* reason;
(void)reason;
intptr_t res = 0;
if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
}
*(uint32_t*)0x20000004 = 0;
*(uint32_t*)0x20000008 = 0;
*(uint32_t*)0x2000000c = 0;
*(uint32_t*)0x20000010 = 0;
*(uint32_t*)0x20000018 = -1;
memset((void*)0x2000001c, 0, 12);
res =
syscall(__NR_io_uring_setup, /*entries=*/0xe68, /*params=*/0x20000000ul);
if (res != -1)
r[0] = res;
memset((void*)0x20000080, 111, 1);
syscall(__NR_io_uring_register, /*fd=*/r[0], /*opcode=*/0xaul,
/*arg=*/0x20000080ul, /*size=*/1ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xa000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0ul,
/*size=*/0xfffffffffffffc91ul);
if (res != -1)
r[1] = res;
*(uint32_t*)0x200000c0 = -1;
*(uint32_t*)0x200000c4 = 0;
res = syscall(__NR_bpf, /*cmd=*/0x21ul, /*arg=*/0x200000c0ul, /*size=*/8ul);
if (res != -1)
r[2] = res;
*(uint32_t*)0x20000c80 = -1;
*(uint32_t*)0x20000c84 = 0x20;
*(uint64_t*)0x20000c88 = 0x20000280;
*(uint64_t*)0x20000280 = 0x20000180;
*(uint32_t*)0x20000288 = 0x95;
*(uint64_t*)0x20000290 = 0x20000b80;
res = syscall(__NR_bpf, /*cmd=*/0xful, /*arg=*/0x20000c80ul, /*size=*/0x10ul);
if (res != -1)
r[3] = *(uint32_t*)0x2000028c;
memcpy((void*)0x20000040, "./file1\000", 8);
res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000040ul,
/*flags=*/0ul, /*mode=*/0ul);
if (res != -1)
r[4] = res;
syscall(__NR_read, /*fd=*/r[4], /*buf=*/0ul, /*count=*/0ul);
*(uint32_t*)0x20000cc0 = 0x1b;
*(uint32_t*)0x20000cc4 = 0;
*(uint32_t*)0x20000cc8 = 0;
*(uint32_t*)0x20000ccc = 0x9ff;
*(uint32_t*)0x20000cd0 = 0;
*(uint32_t*)0x20000cd4 = r[1];
*(uint32_t*)0x20000cd8 = 0;
memset((void*)0x20000cdc, 0, 16);
*(uint32_t*)0x20000cec = 0;
*(uint32_t*)0x20000cf0 = -1;
*(uint32_t*)0x20000cf4 = 4;
*(uint32_t*)0x20000cf8 = 4;
*(uint32_t*)0x20000cfc = 4;
*(uint64_t*)0x20000d00 = 0;
res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000cc0ul, /*size=*/0x48ul);
if (res != -1)
r[5] = res;
*(uint32_t*)0x20000e00 = 0;
*(uint32_t*)0x20000e04 = 6;
*(uint64_t*)0x20000e08 = 0x20000040;
*(uint8_t*)0x20000040 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x20000041, 7, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x20000041, 4, 4, 4);
*(uint16_t*)0x20000042 = 0;
*(uint32_t*)0x20000044 = 4;
*(uint8_t*)0x20000048 = 0;
*(uint8_t*)0x20000049 = 0;
*(uint16_t*)0x2000004a = 0;
*(uint32_t*)0x2000004c = 0;
STORE_BY_BITMASK(uint8_t, , 0x20000050, 4, 0, 3);
STORE_BY_BITMASK(uint8_t, , 0x20000050, 1, 3, 1);
STORE_BY_BITMASK(uint8_t, , 0x20000050, 0, 4, 4);
STORE_BY_BITMASK(uint8_t, , 0x20000051, 0xa, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x20000051, 0, 4, 4);
*(uint16_t*)0x20000052 = 0xc;
*(uint32_t*)0x20000054 = 0;
*(uint8_t*)0x20000058 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x20000059, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x20000059, 4, 4, 4);
*(uint16_t*)0x2000005a = 0;
*(uint32_t*)0x2000005c = 5;
*(uint8_t*)0x20000060 = 0;
*(uint8_t*)0x20000061 = 0;
*(uint16_t*)0x20000062 = 0;
*(uint32_t*)0x20000064 = 0;
*(uint8_t*)0x20000068 = 0x85;
STORE_BY_BITMASK(uint8_t, , 0x20000069, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x20000069, 1, 4, 4);
*(uint16_t*)0x2000006a = 0;
*(uint32_t*)0x2000006c = 0xfffffff9;
*(uint64_t*)0x20000e10 = 0x20000080;
memcpy((void*)0x20000080, "GPL\000", 4);
*(uint32_t*)0x20000e18 = 3;
*(uint32_t*)0x20000e1c = 0;
*(uint64_t*)0x20000e20 = 0;
*(uint32_t*)0x20000e28 = 0x41100;
*(uint32_t*)0x20000e2c = 0x50;
memset((void*)0x20000e30, 0, 16);
*(uint32_t*)0x20000e40 = 0;
*(uint32_t*)0x20000e44 = 0x21;
*(uint32_t*)0x20000e48 = r[2];
*(uint32_t*)0x20000e4c = 8;
*(uint64_t*)0x20000e50 = 0x20000100;
*(uint32_t*)0x20000100 = 3;
*(uint32_t*)0x20000104 = 5;
*(uint32_t*)0x20000e58 = 8;
*(uint32_t*)0x20000e5c = 0x10;
*(uint64_t*)0x20000e60 = 0x20000140;
*(uint32_t*)0x20000140 = 3;
*(uint32_t*)0x20000144 = 9;
*(uint32_t*)0x20000148 = 0x62;
*(uint32_t*)0x2000014c = 0x5038;
*(uint32_t*)0x20000e68 = 0x10;
*(uint32_t*)0x20000e6c = r[3];
*(uint32_t*)0x20000e70 = r[4];
*(uint32_t*)0x20000e74 = 5;
*(uint64_t*)0x20000e78 = 0x20000d40;
*(uint32_t*)0x20000d40 = r[1];
*(uint32_t*)0x20000d44 = r[1];
*(uint32_t*)0x20000d48 = r[5];
*(uint64_t*)0x20000e80 = 0x20000d80;
*(uint32_t*)0x20000d80 = 2;
*(uint32_t*)0x20000d84 = 3;
*(uint32_t*)0x20000d88 = 2;
*(uint32_t*)0x20000d8c = 7;
*(uint32_t*)0x20000d90 = 0;
*(uint32_t*)0x20000d94 = 5;
*(uint32_t*)0x20000d98 = 7;
*(uint32_t*)0x20000d9c = 7;
*(uint32_t*)0x20000da0 = 4;
*(uint32_t*)0x20000da4 = 4;
*(uint32_t*)0x20000da8 = 6;
*(uint32_t*)0x20000dac = 0xa;
*(uint32_t*)0x20000db0 = 2;
*(uint32_t*)0x20000db4 = 5;
*(uint32_t*)0x20000db8 = 7;
*(uint32_t*)0x20000dbc = 7;
*(uint32_t*)0x20000dc0 = 4;
*(uint32_t*)0x20000dc4 = 1;
*(uint32_t*)0x20000dc8 = 0xf;
*(uint32_t*)0x20000dcc = 8;
*(uint32_t*)0x20000e88 = 0x10;
*(uint32_t*)0x20000e8c = 0x46f;
syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000e00ul, /*size=*/0x90ul);
memcpy((void*)0x20000000, "asymmetric\000", 11);
memcpy((void*)0x20000240, "syz", 3);
*(uint8_t*)0x20000243 = 0x21;
*(uint8_t*)0x20000244 = 0;
res = syscall(__NR_add_key, /*type=*/0x20000000ul, /*desc=*/0x20000240ul,
/*payload=*/0ul, /*paylen=*/0ul, /*keyring=*/0xfffffff9);
if (res != -1)
r[6] = res;
syscall(__NR_keyctl, /*code=*/0xbul, /*key=*/r[6], /*payload=*/0x20000300ul,
/*len=*/0x44ul, 0);
*(uint32_t*)0x200000c0 = 5;
*(uint32_t*)0x200000c4 = 0xb;
*(uint64_t*)0x200000c8 = 0x20000180;
*(uint8_t*)0x20000180 = r[2];
*(uint64_t*)0x200000d0 = 0x20000200;
memcpy((void*)0x20000200, "GPL\000", 4);
*(uint32_t*)0x200000d8 = 0x4000004;
*(uint32_t*)0x200000dc = 0;
*(uint64_t*)0x200000e0 = 0;
*(uint32_t*)0x200000e8 = 0x40f00;
*(uint32_t*)0x200000ec = 0;
memset((void*)0x200000f0, 0, 16);
*(uint32_t*)0x20000100 = 0;
*(uint32_t*)0x20000104 = 0x17;
*(uint32_t*)0x20000108 = 0;
*(uint32_t*)0x2000010c = 0;
*(uint64_t*)0x20000110 = 0;
*(uint32_t*)0x20000118 = 0;
*(uint32_t*)0x2000011c = 0;
*(uint64_t*)0x20000120 = 0;
*(uint32_t*)0x20000128 = 0;
*(uint32_t*)0x2000012c = r[3];
*(uint32_t*)0x20000130 = 0;
*(uint32_t*)0x20000134 = 0;
*(uint64_t*)0x20000138 = 0;
*(uint64_t*)0x20000140 = 0;
*(uint32_t*)0x20000148 = 0;
*(uint32_t*)0x2000014c = 0;
syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000c0ul, /*size=*/0x90ul);
syscall(__NR_mlockall, /*flags=MCL_FUTURE|MCL_CURRENT*/ 3ul);
*(uint32_t*)0x20000280 = 0x798e2636;
*(uint32_t*)0x20000284 = 0;
*(uint32_t*)0x20000288 = 0;
*(uint32_t*)0x2000028c = 0;
*(uint32_t*)0x20000290 = 0xee00;
*(uint32_t*)0x20000294 = 0;
*(uint16_t*)0x20000298 = 0;
*(uint32_t*)0x2000029c = 0x80;
*(uint64_t*)0x200002a0 = 0;
*(uint64_t*)0x200002a8 = 0;
*(uint64_t*)0x200002b0 = 0;
*(uint32_t*)0x200002b8 = 0;
*(uint32_t*)0x200002bc = 0;
*(uint16_t*)0x200002c0 = 0;
*(uint16_t*)0x200002c2 = 0;
*(uint64_t*)0x200002c8 = 0;
*(uint64_t*)0x200002d0 = 0;
syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/1ul, /*buf=*/0x20000280ul);
syscall(__NR_munmap, /*addr=*/0x20000000ul, /*len=*/0x400000ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xa000ul,
/*prot=PROT_GROWSDOWN|PROT_SEM|PROT_READ|PROT_EXEC*/ 0x100000dul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mremap, /*addr=*/0x20000000ul, /*len=*/0xc00000ul,
/*newlen=*/0x3000ul, /*flags=MREMAP_FIXED|MREMAP_MAYMOVE*/ 3ul,
/*newaddr=*/0x20ffa000ul);
return 0;
}
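The failure the patch describes, modelled in user space as an added example (this is not kernel code and not from the thread): the kernel's static noop_netdev_queue has no net_device behind it, so qdisc_dev(q) is NULL for noop_qdisc and the old `__string(dev, qdisc_dev(q)->name)` reads through NULL, while `q->ops->id` stays valid because noop_qdisc_ops names itself "noop". The struct layouts, the noop_* objects, the veth0 sample and fill_qdisc_reset_entry() below are simplified stand-ins for the TP_STRUCT__entry/__assign_str pair, assumed for this example rather than copied from the kernel.

```c
/* User-space model of the qdisc_reset trace-event NULL dereference.
 * Added example; the types are simplified stand-ins for the kernel's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16

struct net_device {
	char name[IFNAMSIZ];
};

struct netdev_queue {
	struct net_device *dev;		/* NULL for the static noop queue */
};

struct Qdisc_ops {
	const char *id;
};

struct Qdisc {
	const struct Qdisc_ops *ops;
	struct netdev_queue *dev_queue;
	unsigned int parent;
	unsigned int handle;
};

/* Model of the kernel's noop objects: the queue never names a device,
 * so qdisc_dev() is NULL, but ops->id is a valid string ("noop"). */
static const struct Qdisc_ops noop_qdisc_ops = { .id = "noop" };
static struct netdev_queue noop_netdev_queue = { .dev = NULL };
static struct Qdisc noop_qdisc = {
	.ops = &noop_qdisc_ops,
	.dev_queue = &noop_netdev_queue,
};

/* Constructed sample: a qdisc still attached to a real device (veth0). */
static struct net_device sample_veth = { .name = "veth0" };
static struct netdev_queue sample_txq = { .dev = &sample_veth };
static const struct Qdisc_ops sample_ops = { .id = "pfifo_fast" };
static struct Qdisc sample_qdisc = {
	.ops = &sample_ops,
	.dev_queue = &sample_txq,
	.parent = 0xffffffffu,		/* TC_H_ROOT */
};

/* Same shape as the kernel helper: no NULL check of its own. */
static struct net_device *qdisc_dev(const struct Qdisc *q)
{
	return q->dev_queue->dev;
}

/* Stand-in for the TP_STRUCT__entry record: strings are copied at trace
 * time, which is where the old __string(dev, qdisc_dev(q)->name) faulted. */
struct qdisc_reset_entry {
	char dev[IFNAMSIZ];
	char kind[IFNAMSIZ];
	unsigned int parent;
	unsigned int handle;
};

/* Guarded assignment, the behaviour the patch introduces. qdisc_dev() is
 * evaluated once; returns 1 when the fallback label was used so a caller
 * (or a test) can tell a placeholder from a real interface name. */
static int fill_qdisc_reset_entry(struct qdisc_reset_entry *e,
				  const struct Qdisc *q)
{
	const struct net_device *dev = qdisc_dev(q);
	const char *name = dev ? dev->name : "noop_queue";

	snprintf(e->dev, sizeof(e->dev), "%s", name);
	snprintf(e->kind, sizeof(e->kind), "%s", q->ops->id);
	e->parent = q->parent;
	e->handle = q->handle;
	return dev == NULL;
}

int main(void)
{
	const struct Qdisc *cases[] = { &sample_qdisc, &noop_qdisc };
	struct qdisc_reset_entry e;
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int fallback = fill_qdisc_reset_entry(&e, cases[i]);

		printf("qdisc_reset: dev=%s kind=%s parent=%x handle=%x%s\n",
		       e.dev, e.kind, e.parent, e.handle,
		       fallback ? " (qdisc_dev() was NULL)" : "");
	}
	return 0;
}
```

The check worth carrying over to real kernel review is the first assertion below: any trace field built from `qdisc_dev(q)->...` is only safe if the event can never fire for a qdisc whose dev_queue points at the noop queue, and qdisc_reset() is called for exactly such qdiscs when a device's tx queues shrink.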
Thread overview: 4+ messages
2024-06-21 11:45 [PATCH] qdisc: fix NULL pointer dereference in perf_trace_qdisc_reset() yskelg
2024-06-21 14:24 ` Pedro Tammela
2024-06-21 15:06 ` Yunseong Kim [this message]
2024-06-25 22:41 ` Steven Rostedt