* [PATCH] net/ncsi: Fix NULL pointer dereference if CIS arrives before SP
@ 2025-01-10 19:41 Eddie James
From: Eddie James @ 2025-01-10 19:41 UTC (permalink / raw)
To: netdev; +Cc: linux-kernel, horms, pabeni, kuba, edumazet, davem, sam,
Eddie James
If a Clear Initial State response packet is received before the
Select Package response, then the channel set up will dereference
the NULL package pointer. Fix this by setting up the package
in the CIS handler if it's not found.
[ 9.289221] 8<--- cut here ---
[ 9.289244] Unable to handle kernel NULL pointer dereference at virtual address 00000018 when read
[ 9.289306] [00000018] *pgd=00000000
[ 9.289333] Internal error: Oops: 5 [#1] SMP ARM
[ 9.289367] CPU: 0 PID: 35 Comm: kworker/0:2 Not tainted 6.6.69-f1d562d-gf1d562dd8fa4 #1
[ 9.289423] Hardware name: Generic DT based system
[ 9.289457] Workqueue: 0x0 (events)
[ 9.289486] PC is at _raw_spin_lock_irqsave+0x10/0x4c
[ 9.289525] LR is at ncsi_add_channel+0xd0/0x174
[ 9.289561] pc : [<808d1018>] lr : [<808907bc>] psr: 40000193
[ 9.289605] sp : b4801e20 ip : 8695e000 fp : 80d6c2a8
[ 9.289642] r10: 80d6c2a8 r9 : 8136a4dc r8 : 00000018
[ 9.289680] r7 : 00000000 r6 : 00000000 r5 : 8695dc00 r4 : 00000000
[ 9.289725] r3 : 00000005 r2 : 00000018 r1 : 8089202c r0 : 40000113
[ 9.289770] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
[ 9.289821] Control: 10c5387d Table: 81adc06a DAC: 00000051
[ 9.289861] Register r0 information: non-paged memory
[ 9.289898] Register r1 information: non-slab/vmalloc memory
[ 9.289939] Register r2 information: non-paged memory
[ 9.289976] Register r3 information: non-paged memory
[ 9.290012] Register r4 information: NULL pointer
[ 9.290046] Register r5 information: slab kmalloc-1k start 8695dc00 pointer offset 0 size 1024
[ 9.290111] Register r6 information: NULL pointer
[ 9.290145] Register r7 information: NULL pointer
[ 9.290180] Register r8 information: non-paged memory
[ 9.290216] Register r9 information: non-slab/vmalloc memory
[ 9.290257] Register r10 information: non-slab/vmalloc memory
[ 9.290298] Register r11 information: non-slab/vmalloc memory
[ 9.290339] Register r12 information: slab kmalloc-1k start 8695e000 pointer offset 0 size 1024
[ 9.290404] Process kworker/0:2 (pid: 35, stack limit = 0x401e97d3)
[ 9.290448] Stack: (0xb4801e20 to 0xb4802000)
[ 9.291351] _raw_spin_lock_irqsave from ncsi_add_channel+0xd0/0x174
[ 9.291402] ncsi_add_channel from ncsi_rsp_handler_cis+0x98/0xb4
[ 9.291451] ncsi_rsp_handler_cis from ncsi_rcv_rsp+0x118/0x2c4
[ 9.291498] ncsi_rcv_rsp from __netif_receive_skb_one_core+0x58/0x7c
[ 9.291547] __netif_receive_skb_one_core from netif_receive_skb+0x2c/0xc4
[ 9.291597] netif_receive_skb from ftgmac100_poll+0x350/0x43c
[ 9.291642] ftgmac100_poll from __napi_poll.constprop.0+0x2c/0x180
[ 9.291690] __napi_poll.constprop.0 from net_rx_action+0x340/0x3c0
[ 9.291736] net_rx_action from handle_softirqs+0xf4/0x25c
[ 9.291777] handle_softirqs from irq_exit+0x80/0xb0
[ 9.291816] irq_exit from call_with_stack+0x18/0x20
[ 9.291857] call_with_stack from __irq_svc+0x98/0xb0
[ 9.291898] Exception stack(0xb4935f10 to 0xb4935f58)
[ 9.291935] 5f00: 00000007 00000006 80d03d00 00000769
[ 9.291993] 5f20: 85963e80 b3d953c0 80d03d00 b3d953e0 61c88647 85963eac 81081980 b3d953c0
[ 9.292050] 5f40: 00000004 b4935f60 80134f28 80134f4c 80000013 ffffffff
[ 9.292096] __irq_svc from worker_thread+0x1fc/0x4e8
[ 9.292137] worker_thread from kthread+0xe0/0xfc
[ 9.292176] kthread from ret_from_fork+0x14/0x28
[ 9.292213] Exception stack(0xb4935fb0 to 0xb4935ff8)
[ 9.292250] 5fa0: 00000000 00000000 00000000 00000000
[ 9.292308] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 9.292365] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 9.292413] Code: e1a02000 e10f0000 f10c0080 f592f000 (e1923f9f)
[ 9.292455] ---[ end trace 0000000000000000 ]---
[ 9.295147] Kernel panic - not syncing: Fatal exception in interrupt
Signed-off-by: Eddie James <eajames@linux.ibm.com>
---
net/ncsi/ncsi-rsp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index e28be33bdf2c4..59d0af7183acc 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -100,6 +100,13 @@ static int ncsi_rsp_handler_cis(struct ncsi_request *nr)
if (ndp->flags & NCSI_DEV_PROBED)
return -ENXIO;
+ if (!np) {
+ id = NCSI_PACKAGE_INDEX(rsp->rsp.common.channel);
+ np = ncsi_add_package(ndp, id);
+ if (!np)
+ return -ENODEV;
+ }
+
id = NCSI_CHANNEL_INDEX(rsp->rsp.common.channel);
nc = ncsi_add_channel(np, id);
}
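Review bot: Creating the package inside the CIS response handler (`np = ncsi_add_package(ndp, id);` under `if (!np)`) turns an out-of-sequence response into new device state instead of treating it as the protocol desync it indicates; the safer minimal fix is to keep the check but fail the request, e.g. `if (!np) return -ENODEV;`, and the commit message should say how a CIS response can arrive with no package selected (the thread later points at userspace netlink traffic racing the in-kernel state machine).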
--
2.43.5
* Re: [PATCH] net/ncsi: Fix NULL pointer dereference if CIS arrives before SP
@ 2025-01-14 22:49 ` Jakub Kicinski
From: Jakub Kicinski @ 2025-01-14 22:49 UTC (permalink / raw)
To: Paul Fertser
Cc: Eddie James, netdev, linux-kernel, horms, pabeni, edumazet, davem,
sam
Hi Paul!
Any thoughts on this fix?
On Fri, 10 Jan 2025 13:41:33 -0600 Eddie James wrote:
> If a Clear Initial State response packet is received before the
> Select Package response, then the channel set up will dereference
> the NULL package pointer. Fix this by setting up the package
> in the CIS handler if it's not found.
>
> [ 9.289221] 8<--- cut here ---
> [ 9.289244] Unable to handle kernel NULL pointer dereference at virtual address 00000018 when read
> [ 9.289306] [00000018] *pgd=00000000
> [ 9.289333] Internal error: Oops: 5 [#1] SMP ARM
> [ 9.289367] CPU: 0 PID: 35 Comm: kworker/0:2 Not tainted 6.6.69-f1d562d-gf1d562dd8fa4 #1
> [ 9.289423] Hardware name: Generic DT based system
> [ 9.289457] Workqueue: 0x0 (events)
> [ 9.289486] PC is at _raw_spin_lock_irqsave+0x10/0x4c
> [ 9.289525] LR is at ncsi_add_channel+0xd0/0x174
> [ 9.289561] pc : [<808d1018>] lr : [<808907bc>] psr: 40000193
> [ 9.289605] sp : b4801e20 ip : 8695e000 fp : 80d6c2a8
> [ 9.289642] r10: 80d6c2a8 r9 : 8136a4dc r8 : 00000018
> [ 9.289680] r7 : 00000000 r6 : 00000000 r5 : 8695dc00 r4 : 00000000
> [ 9.289725] r3 : 00000005 r2 : 00000018 r1 : 8089202c r0 : 40000113
> [ 9.289770] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
> [ 9.289821] Control: 10c5387d Table: 81adc06a DAC: 00000051
> [ 9.289861] Register r0 information: non-paged memory
> [ 9.289898] Register r1 information: non-slab/vmalloc memory
> [ 9.289939] Register r2 information: non-paged memory
> [ 9.289976] Register r3 information: non-paged memory
> [ 9.290012] Register r4 information: NULL pointer
> [ 9.290046] Register r5 information: slab kmalloc-1k start 8695dc00 pointer offset 0 size 1024
> [ 9.290111] Register r6 information: NULL pointer
> [ 9.290145] Register r7 information: NULL pointer
> [ 9.290180] Register r8 information: non-paged memory
> [ 9.290216] Register r9 information: non-slab/vmalloc memory
> [ 9.290257] Register r10 information: non-slab/vmalloc memory
> [ 9.290298] Register r11 information: non-slab/vmalloc memory
> [ 9.290339] Register r12 information: slab kmalloc-1k start 8695e000 pointer offset 0 size 1024
> [ 9.290404] Process kworker/0:2 (pid: 35, stack limit = 0x401e97d3)
> [ 9.290448] Stack: (0xb4801e20 to 0xb4802000)
> [ 9.291351] _raw_spin_lock_irqsave from ncsi_add_channel+0xd0/0x174
> [ 9.291402] ncsi_add_channel from ncsi_rsp_handler_cis+0x98/0xb4
> [ 9.291451] ncsi_rsp_handler_cis from ncsi_rcv_rsp+0x118/0x2c4
> [ 9.291498] ncsi_rcv_rsp from __netif_receive_skb_one_core+0x58/0x7c
> [ 9.291547] __netif_receive_skb_one_core from netif_receive_skb+0x2c/0xc4
> [ 9.291597] netif_receive_skb from ftgmac100_poll+0x350/0x43c
> [ 9.291642] ftgmac100_poll from __napi_poll.constprop.0+0x2c/0x180
> [ 9.291690] __napi_poll.constprop.0 from net_rx_action+0x340/0x3c0
> [ 9.291736] net_rx_action from handle_softirqs+0xf4/0x25c
> [ 9.291777] handle_softirqs from irq_exit+0x80/0xb0
> [ 9.291816] irq_exit from call_with_stack+0x18/0x20
> [ 9.291857] call_with_stack from __irq_svc+0x98/0xb0
> [ 9.291898] Exception stack(0xb4935f10 to 0xb4935f58)
> [ 9.291935] 5f00: 00000007 00000006 80d03d00 00000769
> [ 9.291993] 5f20: 85963e80 b3d953c0 80d03d00 b3d953e0 61c88647 85963eac 81081980 b3d953c0
> [ 9.292050] 5f40: 00000004 b4935f60 80134f28 80134f4c 80000013 ffffffff
> [ 9.292096] __irq_svc from worker_thread+0x1fc/0x4e8
> [ 9.292137] worker_thread from kthread+0xe0/0xfc
> [ 9.292176] kthread from ret_from_fork+0x14/0x28
> [ 9.292213] Exception stack(0xb4935fb0 to 0xb4935ff8)
> [ 9.292250] 5fa0: 00000000 00000000 00000000 00000000
> [ 9.292308] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [ 9.292365] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> [ 9.292413] Code: e1a02000 e10f0000 f10c0080 f592f000 (e1923f9f)
> [ 9.292455] ---[ end trace 0000000000000000 ]---
> [ 9.295147] Kernel panic - not syncing: Fatal exception in interrupt
>
> Signed-off-by: Eddie James <eajames@linux.ibm.com>
> ---
> net/ncsi/ncsi-rsp.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
> index e28be33bdf2c4..59d0af7183acc 100644
> --- a/net/ncsi/ncsi-rsp.c
> +++ b/net/ncsi/ncsi-rsp.c
> @@ -100,6 +100,13 @@ static int ncsi_rsp_handler_cis(struct ncsi_request *nr)
> if (ndp->flags & NCSI_DEV_PROBED)
> return -ENXIO;
>
> + if (!np) {
> + id = NCSI_PACKAGE_INDEX(rsp->rsp.common.channel);
> + np = ncsi_add_package(ndp, id);
> + if (!np)
> + return -ENODEV;
> + }
> +
> id = NCSI_CHANNEL_INDEX(rsp->rsp.common.channel);
> nc = ncsi_add_channel(np, id);
> }
* Re: [PATCH] net/ncsi: Fix NULL pointer dereference if CIS arrives before SP
@ 2025-01-15 23:01 ` Paul Fertser
From: Paul Fertser @ 2025-01-15 23:01 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Eddie James, netdev, linux-kernel, horms, pabeni, edumazet, davem,
sam, Ivan Mikhaylov
Hi Jakub,
On Tue, Jan 14, 2025 at 02:49:32PM -0800, Jakub Kicinski wrote:
> Any thoughts on this fix?
This indeed looks related to what we discussed!
> On Fri, 10 Jan 2025 13:41:33 -0600 Eddie James wrote:
> > If a Clear Initial State response packet is received before the
> > Select Package response, then the channel set up will dereference
> > the NULL package pointer. Fix this by setting up the package
> > in the CIS handler if it's not found.
My current notion is that the responses can't normally be re-ordered
(as we are supposed to send the next command only after receiving
response for the previous one) and so any surprising event like that
signifies that the FSM got out of sync (unfortunately it's written in
such a way that it switches to the "next state" based on the quantity
of responses the current state expected, not on the actual content of
them; that's rather fragile).
Sending the "Select Package" command is the first thing that is
performed after package discovery is complete so problems in that area
suggest that the reason might be lack of processing for the response
to the last "Package Deselect" command: receiving it would advance the
state machine prematurely. It's not quite clear to me how the SP
response can be lost altogether or what else happens there in the
failure case, unfortunately it's not reproducible on my system so I
can't just add more debugging to see all responses and state
transitions as they happen.
Eddie, how easy is it to reproduce the issue in your setup? Can you
please try if the change in [0] makes a difference?
[0] https://lore.kernel.org/all/Z4ZewoBHkHyNuXT5@home.paul.comp/
--
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com
* Re: [PATCH] net/ncsi: Fix NULL pointer dereference if CIS arrives before SP
@ 2025-01-17 21:05 ` Eddie James
From: Eddie James @ 2025-01-17 21:05 UTC (permalink / raw)
To: Paul Fertser, Jakub Kicinski
Cc: netdev, linux-kernel, horms, pabeni, edumazet, davem, sam,
Ivan Mikhaylov
On 1/15/25 17:01, Paul Fertser wrote:
> Hi Jakub,
>
> On Tue, Jan 14, 2025 at 02:49:32PM -0800, Jakub Kicinski wrote:
>> Any thoughts on this fix?
> This indeed looks related to what we discussed!
>
>> On Fri, 10 Jan 2025 13:41:33 -0600 Eddie James wrote:
>>> If a Clear Initial State response packet is received before the
>>> Select Package response, then the channel set up will dereference
>>> the NULL package pointer. Fix this by setting up the package
>>> in the CIS handler if it's not found.
> My current notion is that the responses can't normally be re-ordered
> (as we are supposed to send the next command only after receiving
> response for the previous one) and so any surprising event like that
> signifies that the FSM got out of sync (unfortunately it's written in
> such a way that it switches to the "next state" based on the quantity
> of responses the current state expected, not on the actual content of
> them; that's rather fragile).
>
> Sending the "Select Package" command is the first thing that is
> performed after package discovery is complete so problems in that area
> suggest that the reason might be lack of processing for the response
> to the last "Package Deselect" command: receiving it would advance the
> state machine prematurely. It's not quite clear to me how the SP
> response can be lost altogether or what else happens there in the
> failure case, unfortunately it's not reproducible on my system so I
> can't just add more debugging to see all responses and state
> transitions as they happen.
>
> Eddie, how easy is it to reproduce the issue in your setup? Can you
> please try if the change in [0] makes a difference?
I am able to reproduce the panic at will, and unfortunately your patch
does not prevent the issue.
However I suspect this issue may be unique to my set up, so my patch may
not be necessary. I found that I had some user space issues. Fixing
userspace prevented this issue.
Thanks,
Eddie
>
> [0] https://lore.kernel.org/all/Z4ZewoBHkHyNuXT5@home.paul.comp/
>
* Re: [PATCH] net/ncsi: Fix NULL pointer dereference if CIS arrives before SP
@ 2025-01-17 22:43 ` Jakub Kicinski
From: Jakub Kicinski @ 2025-01-17 22:43 UTC (permalink / raw)
To: Eddie James
Cc: Paul Fertser, netdev, linux-kernel, horms, pabeni, edumazet,
davem, sam, Ivan Mikhaylov
On Fri, 17 Jan 2025 15:05:24 -0600 Eddie James wrote:
> I am able to reproduce the panic at will, and unfortunately your patch
> does not prevent the issue.
>
> However I suspect this issue may be unique to my set up, so my patch may
> not be necessary. I found that I had some user space issues. Fixing
> userspace prevented this issue.
The kernel shouldn't crash even if user space is buggy..
Maybe we can apply a simplified patch to return an error if !np?
* Re: [PATCH] net/ncsi: Fix NULL pointer dereference if CIS arrives before SP
@ 2025-01-20 14:00 ` Paul Fertser
From: Paul Fertser @ 2025-01-20 14:00 UTC (permalink / raw)
To: Eddie James
Cc: Jakub Kicinski, netdev, linux-kernel, horms, pabeni, edumazet,
davem, sam, Ivan Mikhaylov
Hi Eddie,
Thank you for testing the patch! More inline.
On Fri, Jan 17, 2025 at 03:05:24PM -0600, Eddie James wrote:
> > > On Fri, 10 Jan 2025 13:41:33 -0600 Eddie James wrote:
> > > > If a Clear Initial State response packet is received before the
> > > > Select Package response, then the channel set up will dereference
> > > > the NULL package pointer. Fix this by setting up the package
> > > > in the CIS handler if it's not found.
> >
> > My current notion is that the responses can't normally be re-ordered
> > (as we are supposed to send the next command only after receiving
> > response for the previous one) and so any surprising event like that
> > signifies that the FSM got out of sync (unfortunately it's written in
> > such a way that it switches to the "next state" based on the quantity
> > of responses the current state expected, not on the actual content of
> > them; that's rather fragile).
> >
> > Sending the "Select Package" command is the first thing that is
> > performed after package discovery is complete so problems in that area
> > suggest that the reason might be lack of processing for the response
> > to the last "Package Deselect" command: receiving it would advance the
> > state machine prematurely. It's not quite clear to me how the SP
> > response can be lost altogether or what else happens there in the
> > failure case, unfortunately it's not reproducible on my system so I
> > can't just add more debugging to see all responses and state
> > transitions as they happen.
> >
> > Eddie, how easy is it to reproduce the issue in your setup? Can you
> > please try if the change in [0] makes a difference?
>
> I am able to reproduce the panic at will, and unfortunately your patch does
> not prevent the issue.
>
> However I suspect this issue may be unique to my set up, so my patch may not
> be necessary. I found that I had some user space issues. Fixing userspace
> prevented this issue.
That's an interesting observation. Sounds like you're probably sending
some NCSI commands via netlink in parallel with the in-kernel
configuration process (this detail wasn't at all obvious from the
commit message) and that races somehow.
But in any case userspace shouldn't be able to crash the kernel, and
responses to netlink-initiated communication should be going back to
netlink rather than getting handled by the ncsi_rsp_handler_* code.
So there must be some insufficient locking or a logic error somewhere
worth fixing, especially since you're able to reproduce.
--
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com
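Paul's point that the probe state machine advances on the count of responses rather than their content, and Jakub's suggested "return an error if !np" guard, as an added, constructed C model that is not net/ncsi code (the names `ncsi_model`, `handle_rsp_count_based`, `handle_rsp_validated`, `replay_late_dp` and the three-packet sequence are assumptions of this example):

```c
/* Constructed model of the NC-SI probe/response path discussed in this thread.
 * Not kernel code: the names are simplified stand-ins for net/ncsi. */
#include <errno.h>

enum ncsi_pkt { NCSI_PKT_DP, NCSI_PKT_SP, NCSI_PKT_CIS };
enum ncsi_state { ST_PROBE_DP, ST_PROBE_SP, ST_PROBE_CIS, ST_DONE };

struct ncsi_model {
    enum ncsi_state state;
    int pending;       /* responses the current state still expects */
    int have_package;  /* stand-in for np != NULL in ncsi_rsp_handler_cis() */
};

/* The response type each probe state actually asked for. */
static const enum ncsi_pkt expected[] = {
    [ST_PROBE_DP] = NCSI_PKT_DP, [ST_PROBE_SP] = NCSI_PKT_SP, [ST_PROBE_CIS] = NCSI_PKT_CIS,
};

static void advance(struct ncsi_model *m)
{
    if (--m->pending == 0 && m->state < ST_DONE) {
        m->state++;
        m->pending = 1;
    }
}

/* Fragile variant (as Paul describes): the state machine moves on as soon as
 * the expected number of responses has been counted, whatever they were. */
static int handle_rsp_count_based(struct ncsi_model *m, enum ncsi_pkt type)
{
    if (type == NCSI_PKT_SP)
        m->have_package = 1;
    if (type == NCSI_PKT_CIS && !m->have_package)
        return -EFAULT;  /* where the real handler dereferences the NULL np */
    advance(m);
    return 0;
}

/* Hardened variant: a response must match the command this state sent, and a
 * channel is never set up under an unselected package (Jakub's "return an
 * error if !np"). Unexpected responses are dropped without touching state. */
static int handle_rsp_validated(struct ncsi_model *m, enum ncsi_pkt type)
{
    if (m->state == ST_DONE || type != expected[m->state])
        return -EPROTO;
    if (type == NCSI_PKT_SP)
        m->have_package = 1;
    if (type == NCSI_PKT_CIS && !m->have_package)
        return -ENODEV;
    advance(m);
    return 0;
}

/* Replays the sequence the thread suspects: the expected DP response, a late
 * duplicate DP response, then CIS with no SP in between. Returns the last
 * handler result and leaves the final state in *out. */
static int replay_late_dp(int validated, struct ncsi_model *out)
{
    static const enum ncsi_pkt seq[] = { NCSI_PKT_DP, NCSI_PKT_DP, NCSI_PKT_CIS };
    struct ncsi_model m = { .state = ST_PROBE_DP, .pending = 1 };
    int rc = 0;
    for (unsigned i = 0; i < sizeof seq / sizeof seq[0]; i++)
        rc = (validated ? handle_rsp_validated : handle_rsp_count_based)(&m, seq[i]);
    *out = m;
    return rc;
}
```

The validated handler stalls rather than advances when an SP response is genuinely lost, so a real driver would still need a timeout on the outstanding request to recover.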