netdev.vger.kernel.org archive mirror
From: Xin Long <lucien.xin@gmail.com>
To: network dev <netdev@vger.kernel.org>
Cc: davem@davemloft.net, Jon Maloy <jon.maloy@ericsson.com>,
	Ying Xue <ying.xue@windriver.com>,
	tipc-discussion@lists.sourceforge.net,
	Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	Su Yanjun <suyj.fnst@cn.fujitsu.com>,
	David Ahern <dsahern@gmail.com>,
	syzkaller-bugs@googlegroups.com,
	Dmitry Vyukov <dvyukov@google.com>,
	Pravin B Shelar <pshelar@nicira.com>
Subject: [PATCH net 0/3] net: fix quite a few dst_cache crashes reported by syzbot
Date: Mon, 17 Jun 2019 21:34:12 +0800
Message-ID: <cover.1560778340.git.lucien.xin@gmail.com>

There are two kinds of crashes reported many times by syzbot with no
reproducer. Call Traces are like:

     BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190
     net/ipv4/route.c:1556
       rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556
       __mkroute_output net/ipv4/route.c:2332 [inline]
       ip_route_output_key_hash_rcu+0x819/0x2d50 net/ipv4/route.c:2564
       ip_route_output_key_hash+0x1ef/0x360 net/ipv4/route.c:2393
       __ip_route_output_key include/net/route.h:125 [inline]
       ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2651
       ip_route_output_key include/net/route.h:135 [inline]
     ...

   or:

     kasan: GPF could be caused by NULL-ptr deref or user memory access
     RIP: 0010:dst_dev_put+0x24/0x290 net/core/dst.c:168
       <IRQ>
       rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline]
       free_fib_info_rcu+0x2e1/0x490 net/ipv4/fib_semantics.c:217
       __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
       rcu_do_batch kernel/rcu/tree.c:2437 [inline]
       invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline]
       rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697
     ...

They were caused by the fib_nh_common percpu member 'nhc_pcpu_rth_output'
being overwritten by an access overflow on another percpu variable,
'dev->tstats', in the tipc udp media xmit path when counting packets on a
non-tunnel device.

The fix is to make udp tunnel work with no tunnel device by allowing packets
not to be counted on the tstats when the tunnel dev is NULL in Patches 1/3
and 2/3, and then to pass a NULL tunnel dev in tipc_udp_tunnel() in Patch 3/3.

Xin Long (3):
  ip_tunnel: allow not to count pkts on tstats by setting skb's dev to
    NULL
  ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
  tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb

 include/net/ip6_tunnel.h  | 9 ++++++---
 net/ipv4/ip_tunnel_core.c | 9 ++++++---
 net/tipc/udp_media.c      | 8 +++-----
 3 files changed, 15 insertions(+), 11 deletions(-)

-- 
2.1.0
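
A user-space model of the failure described in the cover letter above, added here as an illustration; it is not code from the patch series or from the kernel. The struct layouts and the names model_dev, model_dev_alloc, tstats_access_in_bounds and xmit_count are hypothetical simplifications: a device whose stats buffer was sized for a smaller type is counted through the tunnel-stats view of the same pointer, and a NULL dev skips counting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stats layouts; not the kernel's definitions. */
struct small_stats  { uint64_t packets, bytes; };           /* non-tunnel dev */
struct tunnel_stats { uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes; };

struct model_dev {
    size_t stats_size;                 /* bytes really allocated for stats */
    union {                            /* one pointer slot, two readings   */
        struct small_stats  *lstats;
        struct tunnel_stats *tstats;
    } u;
};

/* Allocate a device whose zeroed stats buffer is stats_size bytes long. */
struct model_dev *model_dev_alloc(size_t stats_size)
{
    struct model_dev *dev = calloc(1, sizeof(*dev));
    if (!dev) return NULL;
    dev->stats_size = stats_size;
    dev->u.tstats = calloc(1, stats_size);
    if (!dev->u.tstats) { free(dev); return NULL; }
    return dev;
}

/* Does a tx counter update through u.tstats stay inside the allocation? */
int tstats_access_in_bounds(const struct model_dev *dev)
{
    return dev->stats_size >= offsetof(struct tunnel_stats, tx_bytes) + sizeof(uint64_t);
}

/* 1 = counted, 0 = skipped because dev is NULL, -1 = would overflow. */
int xmit_count(struct model_dev *dev, uint64_t len)
{
    if (!dev) return 0;                /* no tunnel dev: do not count */
    if (!tstats_access_in_bounds(dev)) return -1; /* model-only bounds check */
    dev->u.tstats->tx_packets++;
    dev->u.tstats->tx_bytes += len;
    return 1;
}

int main(void)
{
    struct model_dev *plain = model_dev_alloc(sizeof(struct small_stats));
    if (!plain) return 1;
    printf("non-tunnel dev: %d, NULL dev: %d\n", xmit_count(plain, 100), xmit_count(NULL, 100));
    free(plain->u.lstats); free(plain);
    return 0;
}
```

Without the model-only bounds check, the write to tx_packets on the smaller buffer would land in whatever allocation follows it, which is the kind of neighbour corruption the KASAN traces above report.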


Thread overview: 5+ messages
2019-06-17 13:34 Xin Long [this message]
2019-06-17 13:34 ` [PATCH net 1/3] ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL Xin Long
2019-06-17 13:34   ` [PATCH net 2/3] ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL Xin Long
2019-06-17 13:34     ` [PATCH net 3/3] tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb Xin Long
2019-06-19  0:49 ` [PATCH net 0/3] net: fix quite a few dst_cache crashes reported by syzbot David Miller
