From: Eric Dumazet
Subject: [BUG] net/sched: use after free
Date: Wed, 29 Nov 2017 09:32:02 -0800
Message-ID: <1511976722.16595.22.camel@gmail.com>
To: Cong Wang
Cc: netdev

Hi,

Running the following script twice gave me a KASAN splat on the net tree
(this is on commit f6454f80e8a965fca203dab28723f68ec78db608):

ETH=eth0
# start from a clean ingress qdisc; on the second run this del also
# destroys the filter and act_sample action installed by the first run
tc qdisc del dev $ETH ingress 2>/dev/null
tc qdisc add dev $ETH ingress
# matchall filter carrying an act_sample action
tc filter add dev $ETH parent ffff: \
               matchall action sample rate 12 group 4

[  118.517005] ==================================================================
[  118.524253] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0xb8/0xe0
[  118.530779] Read of size 8 at addr ffff881056a38f60 by task swapper/29/0
[  118.538996] CPU: 29 PID: 0 Comm: swapper/29 Not tainted 4.14.0-smp-DEV #2
[  118.538997] Hardware name: Intel RML,PCH/Ibis_QC_18, BIOS 2.40.0 06/22/2016
[  118.538998] Call Trace:
[  118.539000]  <IRQ>
[  118.539006]  dump_stack+0x46/0x67
[  118.539010]  print_address_description+0x6a/0x260
[  118.539012]  ? rcu_cblist_dequeue+0xb8/0xe0
[  118.539014]  kasan_report+0x228/0x340
[  118.539016]  rcu_cblist_dequeue+0xb8/0xe0
[  118.539018]  rcu_process_callbacks+0x2d8/0x1430
[  118.539020]  ? __hrtimer_run_queues+0x2c3/0x620
[  118.539022]  ? note_gp_changes+0x190/0x190
[  118.539025]  __do_softirq+0x1d7/0x5c8
[  118.539028]  irq_exit+0x14e/0x180
[  118.539030]  smp_apic_timer_interrupt+0xbc/0x310
[  118.539032]  apic_timer_interrupt+0x89/0x90
[  118.539041]  </IRQ>
[  118.539044] RIP: 0010:cpuidle_enter_state+0xfa/0x740
[  118.539045] RSP: 0018:ffff88105aa07eb0 EFLAGS: 00000212 ORIG_RAX: ffffffffffffff11
[  118.539048] RAX: dffffc0000000000 RBX: ffffe8ffffd553d0 RCX: 000000000000001f
[  118.539049] RDX: 1ffff1020ffac84d RSI: fff3b038d885714d RDI: ffff88107fd64268
[  118.539050] RBP: 00000000000f27d5 R08: ffff88107fd60704 R09: ffff88107fd606a0
[  118.539051] R10: 071c71c71c71c71c R11: ffff88107fd606e4 R12: 0000000000000005
[  118.539052] R13: 0000000000000005 R14: 0000000000000005 R15: 0000001b981aba1d
[  118.539055]  ? rcu_eqs_exit_common.isra.51+0x26/0x140
[  118.539058]  do_idle+0x226/0x2a0
[  118.539059]  cpu_startup_entry+0x19/0x20
[  118.539061]  secondary_startup_64+0xa5/0xb0
[  118.540556] Allocated by task 10820:
[  118.544135]  kasan_kmalloc+0xa0/0xd0
[  118.544137]  __kmalloc+0xd4/0x570
[  118.544139]  tcf_idr_create+0xa2/0x6e0
[  118.544142]  tcf_sample_init+0x4bc/0x830 [act_sample]
[  118.544144]  tcf_action_init_1+0x5c6/0x8f0
[  118.544145]  tcf_action_init+0x1ff/0x3e0
[  118.544147]  tcf_exts_validate+0x27c/0x500
[  118.544149]  mall_change+0x3c5/0xcbf [cls_matchall]
[  118.544150]  tc_ctl_tfilter+0x1104/0x1c70
[  118.544152]  rtnetlink_rcv_msg+0x35a/0x680
[  118.544153]  netlink_rcv_skb+0x2a5/0x3d0
[  118.544155]  netlink_unicast+0x3f4/0x580
[  118.544156]  netlink_sendmsg+0x738/0xae0
[  118.544159]  sock_sendmsg+0xb1/0xe0
[  118.544160]  ___sys_sendmsg+0x658/0x870
[  118.544162]  __sys_sendmsg+0xb0/0x130
[  118.544163]  entry_SYSCALL_64_fastpath+0x13/0x6c
[  118.545658] Freed by task 5:
[  118.548537]  kasan_slab_free+0x71/0xc0
[  118.548538]  kfree+0x75/0xe0
[  118.548540]  __tcf_idr_release+0x16e/0x220
[  118.548541]  tcf_action_destroy+0xcb/0x160
[  118.548543]  tcf_exts_destroy+0x177/0x350
[  118.548544]  __mall_destroy+0xe/0x60 [cls_matchall]
[  118.548546]  mall_destroy_work+0x17/0x20 [cls_matchall]
[  118.548548]  process_one_work+0x785/0x11c0
[  118.548549]  worker_thread+0xdf/0x12f0
[  118.548551]  kthread+0x29e/0x390
[  118.548552]  ret_from_fork+0x1f/0x30
[  118.550044] The buggy address belongs to the object at ffff881056a38e80
                which belongs to the cache kmalloc-256 of size 256
[  118.562564] The buggy address is located 224 bytes inside of
                256-byte region [ffff881056a38e80, ffff881056a38f80)
[  118.574281] The buggy address belongs to the page:
[  118.579074] page:ffffea00415a8e00 count:1 mapcount:0 mapping:ffff881056a380c0 index:0x0
[  118.587075] flags: 0x2800000000000100(slab)
[  118.591262] raw: 2800000000000100 ffff881056a380c0 0000000000000000 000000010000000c
[  118.599000] raw: ffffea00414151e0 ffffea004126a520 ffff88081f400680 0000000000000000
[  118.606737] page dumped because: kasan: bad access detected
[  118.613793] Memory state around the buggy address:
[  118.618575]  ffff881056a38e00: 00 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc
[  118.625793]  ffff881056a38e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  118.633006] >ffff881056a38f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  118.640225]                                                        ^
[  118.646578]  ffff881056a38f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  118.653808]  ffff881056a39000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  118.661035] ==================================================================
[  118.668254] Disabling lock debugging due to kernel taint
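What the splat records is a read in rcu_cblist_dequeue() of memory that kfree() in __tcf_idr_release() had already released: a callback node living 224 bytes into the action object was still on a callback list when the object was freed, and the later softirq read its next pointer from the freed slab. The following user-space model of that ordering is an added illustration, not part of this report and not kernel code. The struct layout, the toy slab with a KASAN-style shadow array, the callback list, and the "free inside the callback" variant are all assumptions made for the demo; they show the bad and the safe ordering, not the actual upstream fix.

```c
/* Added example: model of "object freed while its deferred callback is still
 * queued". Not the kernel's code; names and layout are assumed for the demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOBJS 4
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Stands in for struct rcu_head: a node queued for a later callback. */
struct cb_node {
	struct cb_node *next;
	void (*func)(struct cb_node *);
};

/* Stands in for the action object; payload size puts the node at offset
 * 224, the offset of the bad read in the report (assumed layout). */
struct action {
	int id;
	char payload[220];
	struct cb_node rcu;
};

enum slot_state { SLOT_UNUSED, SLOT_ALLOCATED, SLOT_FREED };

static struct action slab[NOBJS];        /* toy slab, memory stays mapped */
static enum slot_state shadow[NOBJS];    /* KASAN-like per-object state */
static int uaf_reports, cleanups;
static struct cb_node *cb_head, **cb_tail = &cb_head;

static void reset_model(void)
{
	memset(slab, 0, sizeof slab);
	memset(shadow, 0, sizeof shadow);
	uaf_reports = cleanups = 0;
	cb_head = NULL;
	cb_tail = &cb_head;
}

static struct action *slab_alloc(int id)
{
	for (int i = 0; i < NOBJS; i++)
		if (shadow[i] != SLOT_ALLOCATED) {
			shadow[i] = SLOT_ALLOCATED;
			slab[i].id = id;
			return &slab[i];
		}
	return NULL;
}

/* Like kfree() under KASAN: poison the slot instead of reusing it. */
static void slab_free(struct action *a) { shadow[a - slab] = SLOT_FREED; }

/* 0 if an access at p lands in a freed object (the shadow check). */
static int access_ok(const void *p)
{
	const char *c = p;
	for (int i = 0; i < NOBJS; i++) {
		const char *base = (const char *)&slab[i];
		if (c >= base && c < base + sizeof slab[i])
			return shadow[i] == SLOT_ALLOCATED;
	}
	return 1;
}

/* Like call_rcu(): queue the node, its func runs on a later pass. */
static void call_later(struct cb_node *n, void (*func)(struct cb_node *))
{
	n->func = func;
	n->next = NULL;
	*cb_tail = n;
	cb_tail = &n->next;
}

/* Like rcu_process_callbacks() -> rcu_cblist_dequeue(). The load of
 * n->next is the 8-byte read the report flagged. */
static int run_callbacks(void)
{
	int ran = 0;
	while (cb_head) {
		struct cb_node *n = cb_head;
		if (!access_ok(&n->next)) {
			uaf_reports++;
			printf("BUG: use-after-free: read of size %zu at %p\n",
			       sizeof n->next, (void *)&n->next);
		}
		cb_head = n->next;
		n->func(n);
		ran++;
	}
	cb_tail = &cb_head;
	return ran;
}

/* Callback that only cleans up; someone else frees the object. */
static void cleanup_cb(struct cb_node *n) { (void)n; cleanups++; }

/* Callback that owns the free: the node is off the list before it dies. */
static void cleanup_and_free_cb(struct cb_node *n)
{
	cleanups++;
	slab_free(container_of(n, struct action, rcu));
}

/* Ordering from the trace: queue callback, kfree() at once, dequeue later
 * from freed memory. Returns the number of use-after-free reports (1). */
int scenario_free_before_callback(void)
{
	reset_model();
	struct action *a = slab_alloc(1);
	call_later(&a->rcu, cleanup_cb);
	slab_free(a);        /* the kfree() from __tcf_idr_release() */
	run_callbacks();     /* the later rcu_process_callbacks() */
	return uaf_reports;
}

/* Safe ordering: the free is deferred into the callback. Returns 0. */
int scenario_free_in_callback(void)
{
	reset_model();
	struct action *a = slab_alloc(2);
	call_later(&a->rcu, cleanup_and_free_cb);
	run_callbacks();
	return uaf_reports;
}
```

The point the model makes is about ownership of the embedded node: once a node has been handed to a callback list, the containing object may not be freed by anyone but the list's own callback. Real KASAN makes the same decision with its shadow bytes (fb for freed, fc for redzone, as in the memory dump above); the toy shadow array here just reproduces that check for a single slab.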