* Re: [PATCH v2 4/4 net-next] net: mdio device: use flexible sleeping in reset function
From: Florian Fainelli @ 2020-08-02 20:19 UTC (permalink / raw)
  To: Bruno Thomsen, netdev
  Cc: Andrew Lunn, Fabio Estevam, Russell King - ARM Linux,
	Heiner Kallweit, Lars Alex Pedersen, Bruno Thomsen
In-Reply-To: <20200730195749.4922-5-bruno.thomsen@gmail.com>



On 7/30/2020 12:57 PM, Bruno Thomsen wrote:
> MDIO device reset assert and deassert length was created by
> usleep_range() but that does not ensure optimal handling of
> all the different values from device tree properties.
> By switching to the new flexible sleeping helper function,
> fsleep(), the correct delay function is called depending on
> delay length, e.g. udelay(), usleep_range() or msleep().
> 
> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian


* Re: [PATCH v3 1/9] ptp: Add generic ptp v2 header parsing function
From: Florian Fainelli @ 2020-08-02 20:20 UTC (permalink / raw)
  To: Kurt Kanzenbach, Richard Cochran
  Cc: Andrew Lunn, Vivien Didelot, David S. Miller, Jakub Kicinski,
	Jiri Pirko, Ido Schimmel, Heiner Kallweit, Russell King,
	Grygorii Strashko, Ivan Khoronzhuk, Samuel Zou, netdev,
	Petr Machata, Russell King
In-Reply-To: <20200730080048.32553-2-kurt@linutronix.de>



On 7/30/2020 1:00 AM, Kurt Kanzenbach wrote:
> Reason: A lot of the ptp drivers - which implement hardware time stamping - need
> specific fields such as the sequence id from the ptp v2 header. Currently all
> drivers implement that themselves.
> 
> Introduce a generic function to retrieve a pointer to the start of the ptp v2
> header.
> 
> Suggested-by: Russell King <rmk+kernel@armlinux.org.uk>
> Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian


* Re: [PATCH v3 2/9] ptp: Add generic ptp message type function
From: Florian Fainelli @ 2020-08-02 20:20 UTC (permalink / raw)
  To: Kurt Kanzenbach, Richard Cochran
  Cc: Andrew Lunn, Vivien Didelot, David S. Miller, Jakub Kicinski,
	Jiri Pirko, Ido Schimmel, Heiner Kallweit, Russell King,
	Grygorii Strashko, Ivan Khoronzhuk, Samuel Zou, netdev,
	Petr Machata
In-Reply-To: <20200730080048.32553-3-kurt@linutronix.de>



On 7/30/2020 1:00 AM, Kurt Kanzenbach wrote:
> The message type is located at different offsets within the ptp header depending
> on the ptp version (v1 or v2). Therefore, drivers which also deal with ptp v1
> have some code for it.
> 
> Extract this into a helper function for drivers to be used.
> 
> Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian

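Kurt's two commit messages above (the header-pointer helper and the message-type helper) say where the fields live and why the message-type offset depends on the PTP version. As an added example that is neither the kernel's code nor part of the patch series, here is a bounds-checked C parser covering both layouts. The offsets are IEEE 1588's (sequenceId at bytes 30-31 in both versions, the v1 control byte at offset 32, the v2 message type in the low nibble of byte 0); the function names, the ptp_fields struct and the two sample buffers are this example's own, constructed here rather than captured from a network.

```c
/* Added example, not kernel code: bounds-checked extraction of the PTP
 * header fields that hardware-timestamping drivers need.  Offsets follow
 * IEEE 1588: both versions carry sequenceId at bytes 30-31 (network
 * order); v2 keeps messageType in the low nibble of byte 0, v1 keeps the
 * message kind in the control byte at offset 32. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PTP_HDR_LEN     34   /* common header length, both versions */
#define PTP_OFF_SEQID   30
#define PTP_OFF_CONTROL 32   /* v1 control field */

enum ptp_version { PTP_V1 = 1, PTP_V2 = 2 };

struct ptp_fields {
    enum ptp_version version;
    uint8_t msgtype;
    uint16_t seqid;
};

/* v2 stores versionPTP in the low nibble of byte 1; v1 stores a 16-bit
 * versionPTP == 1 in bytes 0-1.  Returns 0 for anything else. */
static int ptp_version_of(const uint8_t *buf)
{
    if ((buf[1] & 0x0f) == 2)
        return PTP_V2;
    if (buf[0] == 0 && buf[1] == 1)
        return PTP_V1;
    return 0;
}

/* Fills *out from a PTP payload starting at buf.  Returns -1 without
 * touching any byte beyond len when the buffer is shorter than the common
 * header or the version is unknown. */
int ptp_parse_header(const uint8_t *buf, size_t len, struct ptp_fields *out)
{
    int ver;

    if (buf == NULL || out == NULL || len < PTP_HDR_LEN)
        return -1;
    ver = ptp_version_of(buf);
    if (ver == 0)
        return -1;
    out->version = (enum ptp_version)ver;
    /* The mask drops v2's transportSpecific nibble in the high half of byte 0. */
    out->msgtype = (ver == PTP_V1) ? buf[PTP_OFF_CONTROL] : (uint8_t)(buf[0] & 0x0f);
    out->seqid = (uint16_t)((buf[PTP_OFF_SEQID] << 8) | buf[PTP_OFF_SEQID + 1]);
    return 0;
}

/* Accessors returning -1 on any parse failure. */
int ptp_msgtype_of(const uint8_t *buf, size_t len)
{
    struct ptp_fields f;
    return ptp_parse_header(buf, len, &f) == 0 ? f.msgtype : -1;
}

int ptp_seqid_of(const uint8_t *buf, size_t len)
{
    struct ptp_fields f;
    return ptp_parse_header(buf, len, &f) == 0 ? f.seqid : -1;
}

/* Constructed samples, not captured traffic: a v2 Sync (messageType 0) with
 * transportSpecific = 1 in the high nibble and sequenceId 0x1234, and a v1
 * Delay_Req (control = 1) with sequenceId 0x00ff. */
const uint8_t ptp_sample_v2_sync[PTP_HDR_LEN] = {
    [0] = 0x10, [1] = 0x02, [2] = 0x00, [3] = 0x2c,
    [PTP_OFF_SEQID] = 0x12, [PTP_OFF_SEQID + 1] = 0x34,
};
const uint8_t ptp_sample_v1_delay_req[PTP_HDR_LEN] = {
    [0] = 0x00, [1] = 0x01,
    [PTP_OFF_SEQID] = 0x00, [PTP_OFF_SEQID + 1] = 0xff, [PTP_OFF_CONTROL] = 0x01,
};

int main(void)
{
    struct ptp_fields f;
    const uint8_t *samples[] = { ptp_sample_v2_sync, ptp_sample_v1_delay_req };
    size_t i;

    for (i = 0; i < 2; i++)
        if (ptp_parse_header(samples[i], PTP_HDR_LEN, &f) == 0)
            printf("v%d msgtype=%u seqid=0x%04x\n", f.version, f.msgtype, f.seqid);
    /* A truncated buffer is rejected instead of being read past its end. */
    printf("short buffer -> %d\n", ptp_msgtype_of(ptp_sample_v2_sync, PTP_HDR_LEN - 1));
    return 0;
}
```

The part worth carrying into a driver is the length check up front: a shared helper is the one place where a truncated packet can be refused before any caller indexes into the header.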

* Re: [PATCH v3 3/9] net: dsa: mv88e6xxx: Use generic helper function
From: Florian Fainelli @ 2020-08-02 20:21 UTC (permalink / raw)
  To: Kurt Kanzenbach, Richard Cochran
  Cc: Andrew Lunn, Vivien Didelot, David S. Miller, Jakub Kicinski,
	Jiri Pirko, Ido Schimmel, Heiner Kallweit, Russell King,
	Grygorii Strashko, Ivan Khoronzhuk, Samuel Zou, netdev,
	Petr Machata
In-Reply-To: <20200730080048.32553-4-kurt@linutronix.de>



On 7/30/2020 1:00 AM, Kurt Kanzenbach wrote:
> In order to reduce code duplication between ptp drivers, generic helper
> functions were introduced. Use them.
> 
> Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian


* Re: [PATCH v3 4/9] mlxsw: spectrum_ptp: Use generic helper function
From: Florian Fainelli @ 2020-08-02 20:21 UTC (permalink / raw)
  To: Kurt Kanzenbach, Richard Cochran
  Cc: Andrew Lunn, Vivien Didelot, David S. Miller, Jakub Kicinski,
	Jiri Pirko, Ido Schimmel, Heiner Kallweit, Russell King,
	Grygorii Strashko, Ivan Khoronzhuk, Samuel Zou, netdev,
	Petr Machata
In-Reply-To: <20200730080048.32553-5-kurt@linutronix.de>



On 7/30/2020 1:00 AM, Kurt Kanzenbach wrote:
> In order to reduce code duplication between ptp drivers, generic helper
> functions were introduced. Use them.
> 
> Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian


* Re: [PATCH v3 6/9] ethernet: ti: cpts: Use generic helper function
From: Florian Fainelli @ 2020-08-02 20:22 UTC (permalink / raw)
  To: Kurt Kanzenbach, Richard Cochran
  Cc: Andrew Lunn, Vivien Didelot, David S. Miller, Jakub Kicinski,
	Jiri Pirko, Ido Schimmel, Heiner Kallweit, Russell King,
	Grygorii Strashko, Ivan Khoronzhuk, Samuel Zou, netdev,
	Petr Machata
In-Reply-To: <20200730080048.32553-7-kurt@linutronix.de>



On 7/30/2020 1:00 AM, Kurt Kanzenbach wrote:
> In order to reduce code duplication between ptp drivers, generic helper
> functions were introduced. Use them.
> 
> Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
> ---
[snip]
> -	if (unlikely(ptp_class & PTP_CLASS_V1))
> -		msgtype = data + offset + OFF_PTP_CONTROL;
> -	else
> -		msgtype = data + offset;
> +	msgtype = ptp_get_msgtype(hdr, ptp_class);
> +	seqid	= be16_to_cpu(hdr->sequence_id);
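Review bot: `seqid = be16_to_cpu(hdr->sequence_id)` converts a field that arrives in network byte order, so `ntohs()` states the intent more plainly than `be16_to_cpu()` and would keep this driver in line with the ntohs() remark made on patch 5; the two produce the same value, so this is a readability point only. Separately, the snipped context hides where `hdr` comes from: confirm the generic header lookup's failure path is handled before `ptp_get_msgtype(hdr, ptp_class)` dereferences it, since the removed lines only ever indexed `data + offset` and had no pointer to check.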

Same comment as patch 5 would probably apply here as well, with using
ntohs():

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
--
Florian


* Re: [PATCH v3 7/9] net: phy: dp83640: Use generic helper function
From: Florian Fainelli @ 2020-08-02 20:23 UTC (permalink / raw)
  To: Kurt Kanzenbach, Richard Cochran
  Cc: Andrew Lunn, Vivien Didelot, David S. Miller, Jakub Kicinski,
	Jiri Pirko, Ido Schimmel, Heiner Kallweit, Russell King,
	Grygorii Strashko, Ivan Khoronzhuk, Samuel Zou, netdev,
	Petr Machata
In-Reply-To: <20200730080048.32553-8-kurt@linutronix.de>



On 7/30/2020 1:00 AM, Kurt Kanzenbach wrote:
> In order to reduce code duplication between ptp drivers, generic helper
> functions were introduced. Use them.
> 
> Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian


* Re: [PATCH v3 8/9] ptp: ptp_ines: Use generic helper function
From: Florian Fainelli @ 2020-08-02 20:23 UTC (permalink / raw)
  To: Kurt Kanzenbach, Richard Cochran
  Cc: Andrew Lunn, Vivien Didelot, David S. Miller, Jakub Kicinski,
	Jiri Pirko, Ido Schimmel, Heiner Kallweit, Russell King,
	Grygorii Strashko, Ivan Khoronzhuk, Samuel Zou, netdev,
	Petr Machata
In-Reply-To: <20200730080048.32553-9-kurt@linutronix.de>



On 7/30/2020 1:00 AM, Kurt Kanzenbach wrote:
> In order to reduce code duplication between ptp drivers, generic helper
> functions were introduced. Use them.
> 
> Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian


* Re: [PATCH v3 9/9] ptp: Remove unused macro
From: Florian Fainelli @ 2020-08-02 20:24 UTC (permalink / raw)
  To: Kurt Kanzenbach, Richard Cochran
  Cc: Andrew Lunn, Vivien Didelot, David S. Miller, Jakub Kicinski,
	Jiri Pirko, Ido Schimmel, Heiner Kallweit, Russell King,
	Grygorii Strashko, Ivan Khoronzhuk, Samuel Zou, netdev,
	Petr Machata
In-Reply-To: <20200730080048.32553-10-kurt@linutronix.de>



On 7/30/2020 1:00 AM, Kurt Kanzenbach wrote:
> The offset for the control field is not needed anymore. Remove it.
> 
> Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian


* Re: Bug#966459: linux: traffic class socket options (both IPv4/IPv6) inconsistent with docs/standards
From: Ben Hutchings @ 2020-08-02 20:29 UTC (permalink / raw)
  To: Thorsten Glaser; +Cc: 966459, netdev
In-Reply-To: <Pine.BSM.4.64L.2008021919500.2148@herc.mirbsd.org>


On Sun, 2020-08-02 at 19:29 +0000, Thorsten Glaser wrote:
> Ben Hutchings dixit:
> 
> >ip(7) also doesn't document IP_PKTOPTIONS.
> 
> Hmm, I don’t use IP_PKTOPTIONS though. I’m not exactly sure I found
> the correct place in the kernel for what I do.

The first instance of put_cmsg(...IP_TOS...) you found in
net/ipv4/ip_sockglue.c implements that socket option.

[...]
> >I see no point in changing the IPv6 behaviour: it seems to be
> >consistent with itself and with the standard
> 
> Not really: if the kernel writes an int and userspace reads
> its first byte, it only works by accident on little endian,
> but not elsewhere.

The RFC says that the IPV6_TCLASS option's value is an int, and that
"the first byte of cmsg_data[] will be the *first byte of the integer*
traffic class" (my emphasis).  We can infer from "the first byte of"
that cmsg_data[] will hold more than one byte.  And "the integer"
suggests that it's a C int, like the socket option.

> >so only risks breaking user-space that works today.
> 
> Hrm. It risks breaking userspace that reads an int. But the
> RFC clearly says it should read the first byte, not an int.
[...]

No, the wording is *not* clear.

Ben.

-- 
Ben Hutchings
It is easier to write an incorrect program
than to understand a correct one.


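The exchange above turns on whether the IPV6_TCLASS ancillary object holds a C int or a single byte. As an added example that is not part of the thread and not kernel code, the C below consumes the option the way the kernel writes it: check that cmsg_len covers a whole int, memcpy the int out (no aligned-pointer assumption), and range-check it. Beside it is the first-byte read from the discussion, which agrees with the portable reader only on little-endian hosts. The control buffer is constructed in-process with the POSIX CMSG_* macros to stand in for what put_cmsg() fills in; the function and struct names are this example's own.

```c
/* Added example, not code from the thread or the kernel: reading the
 * IPV6_TCLASS ancillary object portably.  The kernel writes a C int into
 * cmsg_data[]; a consumer that reads only the first byte gets the right
 * value on little-endian hosts and 0 on big-endian ones. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* First IPV6_TCLASS object in msg_control, or NULL if there is none. */
static struct cmsghdr *find_tclass_cmsg(struct msghdr *msg)
{
    struct cmsghdr *cmsg;

    for (cmsg = CMSG_FIRSTHDR(msg); cmsg != NULL; cmsg = CMSG_NXTHDR(msg, cmsg))
        if (cmsg->cmsg_level == IPPROTO_IPV6 && cmsg->cmsg_type == IPV6_TCLASS)
            return cmsg;
    return NULL;
}

/* Portable reader: traffic class 0..255, or -1 if absent or malformed. */
int ipv6_tclass_from_msg(struct msghdr *msg)
{
    struct cmsghdr *cmsg = find_tclass_cmsg(msg);
    int tclass;

    /* Length check first: the payload must hold a whole int, or the copy
     * below would read past the end of the ancillary object. */
    if (cmsg == NULL || cmsg->cmsg_len < CMSG_LEN(sizeof(int)))
        return -1;
    /* memcpy, not *(int *)CMSG_DATA(cmsg): no alignment assumption, and the
     * whole int is read in host byte order on any architecture. */
    memcpy(&tclass, CMSG_DATA(cmsg), sizeof tclass);
    return (tclass < 0 || tclass > 255) ? -1 : tclass;
}

/* The fragile reading argued over in the thread: cmsg_data[0] only. */
int ipv6_tclass_first_byte(struct msghdr *msg)
{
    struct cmsghdr *cmsg = find_tclass_cmsg(msg);

    if (cmsg == NULL || cmsg->cmsg_len < CMSG_LEN(1))
        return -1;
    return CMSG_DATA(cmsg)[0];
}

/* Constructed sample: a control buffer shaped like the one put_cmsg()
 * fills in, so both readers can be exercised without a socket. */
struct tclass_sample {
    struct msghdr msg;
    union {
        struct cmsghdr align;                   /* forces cmsghdr alignment */
        unsigned char buf[CMSG_SPACE(sizeof(int))];
    } ctrl;
};

/* payload_len selects the two readings from the thread: sizeof(int) for a
 * whole int, 1 for a single-byte object. */
static int build_sample(struct tclass_sample *s, int tclass, size_t payload_len)
{
    struct cmsghdr *cmsg;

    if (payload_len == 0 || payload_len > sizeof(int))
        return -1;
    memset(s, 0, sizeof *s);
    s->msg.msg_control = s->ctrl.buf;
    s->msg.msg_controllen = CMSG_SPACE(payload_len);
    cmsg = CMSG_FIRSTHDR(&s->msg);
    cmsg->cmsg_level = IPPROTO_IPV6;
    cmsg->cmsg_type = IPV6_TCLASS;
    cmsg->cmsg_len = CMSG_LEN(payload_len);
    memcpy(CMSG_DATA(cmsg), &tclass, payload_len);  /* host-order bytes */
    return 0;
}

int demo_portable_read(int tclass, size_t payload_len)
{
    struct tclass_sample s;
    return build_sample(&s, tclass, payload_len) == 0 ? ipv6_tclass_from_msg(&s.msg) : -1;
}

int demo_first_byte_read(int tclass)
{
    struct tclass_sample s;
    return build_sample(&s, tclass, sizeof(int)) == 0 ? ipv6_tclass_first_byte(&s.msg) : -1;
}

int host_is_little_endian(void)
{
    int one = 1;
    unsigned char first;

    memcpy(&first, &one, 1);
    return first == 1;
}

int main(void)
{
    printf("portable read of 0x28: %d\n", demo_portable_read(0x28, sizeof(int)));
    printf("portable read of a 1-byte object: %d (rejected)\n", demo_portable_read(0x28, 1));
    printf("first-byte read of 0x28: %d on a %s-endian host\n", demo_first_byte_read(0x28),
           host_is_little_endian() ? "little" : "big");
    return 0;
}
```

Run on x86 the two readers agree, which is exactly why the first-byte version survives in the field; the cmsg_len check is what keeps the portable reader from over-reading if a peer or a future kernel ever hands back a shorter object.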

* KASAN: use-after-free Read in hci_chan_del
From: syzbot @ 2020-08-02 20:45 UTC (permalink / raw)
  To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel, marcel,
	netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b8d570900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
dashboard link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11f7ceea900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e5de04900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
Read of size 8 at addr ffff8880a9591f18 by task syz-executor081/6793

CPU: 0 PID: 6793 Comm: syz-executor081 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x5a0 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
 l2cap_conn_del+0x4c2/0x650 net/bluetooth/l2cap_core.c:1900
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1355 [inline]
 hci_conn_hash_flush+0x127/0x200 net/bluetooth/hci_conn.c:1536
 hci_dev_do_close+0xb7b/0x1040 net/bluetooth/hci_core.c:1761
 hci_unregister_dev+0x16d/0x1590 net/bluetooth/hci_core.c:3606
 vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x2f0/0x750 fs/file_table.c:281
 task_work_run+0x137/0x1c0 kernel/task_work.c:135
 exit_task_work include/linux/task_work.h:25 [inline]
 do_exit+0x601/0x1f80 kernel/exit.c:805
 do_group_exit+0x161/0x2d0 kernel/exit.c:903
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:914
 __se_sys_exit_group+0x10/0x10 kernel/exit.c:912
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:912
 do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x444fe8
Code: Bad RIP value.
RSP: 002b:00007ffe96e46e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 00007f5ee25cd700 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6821:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hci_chan_create+0x9a/0x270 net/bluetooth/hci_conn.c:1692
 l2cap_conn_add+0x66/0xb00 net/bluetooth/l2cap_core.c:7699
 l2cap_connect_cfm+0xdb/0x12b0 net/bluetooth/l2cap_core.c:8097
 hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline]
 hci_remote_features_evt net/bluetooth/hci_event.c:3210 [inline]
 hci_event_packet+0x1164c/0x18260 net/bluetooth/hci_event.c:6061
 hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Freed by task 1530:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4999 [inline]
 hci_event_packet+0x304e/0x18260 net/bluetooth/hci_event.c:6188
 hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff8880a9591f00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff8880a9591f00, ffff8880a9591f80)
The buggy address belongs to the page:
page:ffffea0002a56440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a9591800
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002a5a648 ffffea00028a4a08 ffff8880aa400700
raw: ffff8880a9591800 ffff8880a9591000 000000010000000a 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a9591e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a9591e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a9591f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880a9591f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a9592000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* general protection fault in hci_event_packet
From: syzbot @ 2020-08-02 20:45 UTC (permalink / raw)
  To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel, linux,
	marcel, netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11af8670900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
dashboard link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=146f0832900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=101f8e04900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 6835 Comm: kworker/u5:1 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
RIP: 0010:hci_phy_link_complete_evt net/bluetooth/hci_event.c:4926 [inline]
RIP: 0010:hci_event_packet+0x8386/0x18260 net/bluetooth/hci_event.c:6180
Code: c1 e8 03 49 be 00 00 00 00 00 fc ff df 42 80 3c 30 00 74 08 48 89 df e8 58 9a 5e fa 48 8b 1b 48 83 c3 10 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 3b 9a 5e fa 48 8b 1b 48 89 d8 48
RSP: 0018:ffffc900015b7ac8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: ffff8880920805c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888092ef2000 R08: ffffffff875506b4 R09: fffffbfff131a9a6
R10: fffffbfff131a9a6 R11: 0000000000000000 R12: ffff8880a6e4c010
R13: ffff8880a6e4d110 R14: dffffc0000000000 R15: ffff8880a6e4c000
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000000a85d0000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Modules linked in:
---[ end trace c208f496eb8e7691 ]---
RIP: 0010:hci_phy_link_complete_evt net/bluetooth/hci_event.c:4926 [inline]
RIP: 0010:hci_event_packet+0x8386/0x18260 net/bluetooth/hci_event.c:6180
Code: c1 e8 03 49 be 00 00 00 00 00 fc ff df 42 80 3c 30 00 74 08 48 89 df e8 58 9a 5e fa 48 8b 1b 48 83 c3 10 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 3b 9a 5e fa 48 8b 1b 48 89 d8 48
RSP: 0018:ffffc900015b7ac8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: ffff8880920805c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888092ef2000 R08: ffffffff875506b4 R09: fffffbfff131a9a6
R10: fffffbfff131a9a6 R11: 0000000000000000 R12: ffff8880a6e4c010
R13: ffff8880a6e4d110 R14: dffffc0000000000 R15: ffff8880a6e4c000
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f095f0866c0 CR3: 0000000009479000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400




* KASAN: use-after-free Write in __sco_sock_close
From: syzbot @ 2020-08-02 20:45 UTC (permalink / raw)
  To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel, marcel,
	netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17082904900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
dashboard link: https://syzkaller.appspot.com/bug?extid=077eca30d3cb7c02b273
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12cf1904900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10d52e14900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+077eca30d3cb7c02b273@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_dec_and_test include/asm-generic/atomic-instrumented.h:748 [inline]
BUG: KASAN: use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1049 [inline]
BUG: KASAN: use-after-free in sco_chan_del net/bluetooth/sco.c:148 [inline]
BUG: KASAN: use-after-free in __sco_sock_close+0x47c/0xed0 net/bluetooth/sco.c:433
Write of size 4 at addr ffff88809191e010 by task syz-executor393/6961

CPU: 0 PID: 6961 Comm: syz-executor393 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x5a0 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:183 [inline]
 check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:192
 instrument_atomic_write include/linux/instrumented.h:71 [inline]
 atomic_dec_and_test include/asm-generic/atomic-instrumented.h:748 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:1049 [inline]
 sco_chan_del net/bluetooth/sco.c:148 [inline]
 __sco_sock_close+0x47c/0xed0 net/bluetooth/sco.c:433
 sco_sock_close net/bluetooth/sco.c:447 [inline]
 sco_sock_release+0x63/0x4f0 net/bluetooth/sco.c:1021
 __sock_release net/socket.c:605 [inline]
 sock_close+0xd8/0x260 net/socket.c:1278
 __fput+0x2f0/0x750 fs/file_table.c:281
 task_work_run+0x137/0x1c0 kernel/task_work.c:135
 exit_task_work include/linux/task_work.h:25 [inline]
 do_exit+0x601/0x1f80 kernel/exit.c:805
 do_group_exit+0x161/0x2d0 kernel/exit.c:903
 get_signal+0x139b/0x1d30 kernel/signal.c:2743
 do_signal+0x33/0x610 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop arch/x86/entry/common.c:235 [inline]
 __prepare_exit_to_usermode+0xd7/0x1e0 arch/x86/entry/common.c:269
 do_syscall_64+0x7f/0xe0 arch/x86/entry/common.c:393
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x446e69
Code: Bad RIP value.
RSP: 002b:00007ffde45fd7f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 0000000000000000 RCX: 0000000000446e69
RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000002 R09: 00000003000000ff
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000407ac0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6961:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hci_conn_add+0x5d/0x1040 net/bluetooth/hci_conn.c:525
 hci_connect_sco+0x29a/0xa10 net/bluetooth/hci_conn.c:1279
 sco_connect net/bluetooth/sco.c:240 [inline]
 sco_sock_connect+0x2de/0xaa0 net/bluetooth/sco.c:576
 __sys_connect_file net/socket.c:1854 [inline]
 __sys_connect+0x2da/0x360 net/socket.c:1871
 __do_sys_connect net/socket.c:1882 [inline]
 __se_sys_connect net/socket.c:1879 [inline]
 __x64_sys_connect+0x76/0x80 net/socket.c:1879
 do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6957:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 device_release+0x70/0x1a0 drivers/base/core.c:1575
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x15b/0x220 lib/kobject.c:739
 hci_conn_del+0x2c2/0x550 net/bluetooth/hci_conn.c:645
 hci_phy_link_complete_evt net/bluetooth/hci_event.c:4921 [inline]
 hci_event_packet+0x8335/0x18260 net/bluetooth/hci_event.c:6180
 hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff88809191e000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 16 bytes inside of
 4096-byte region [ffff88809191e000, ffff88809191f000)
The buggy address belongs to the page:
page:ffffea0002464780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0002464780 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0002489f88 ffffea000249dd08 ffff8880aa402000
raw: 0000000000000000 ffff88809191e000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809191df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809191df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809191e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88809191e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809191e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================




* general protection fault in hci_phy_link_complete_evt
From: syzbot @ 2020-08-02 20:45 UTC (permalink / raw)
  To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel, linux,
	marcel, netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15ab47ca900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c0cfcf935bcc94d2
dashboard link: https://syzkaller.appspot.com/bug?extid=18e38290a2a263b31aa0
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17f3dd0c900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1032a642900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+18e38290a2a263b31aa0@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 6861 Comm: kworker/u5:1 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
RIP: 0010:hci_phy_link_complete_evt.isra.0+0x23e/0x790 net/bluetooth/hci_event.c:4926
Code: 48 c1 ea 03 80 3c 02 00 0f 85 3e 05 00 00 48 8b 9d 30 09 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 da 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffffc90001897a38 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff871af0e3
RDX: 0000000000000002 RSI: ffffffff871af0f0 RDI: 0000000000000010
RBP: ffff88808f25e000 R08: 0000000000000001 R09: ffff8880a1cf6a88
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880877f1110 R14: ffff8880926b480b R15: 00000000000000c8
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000000a7ccc000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hci_event_packet+0x481a/0x86f5 net/bluetooth/hci_event.c:6180
 hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Modules linked in:
---[ end trace 905ef6786a414f06 ]---
RIP: 0010:hci_phy_link_complete_evt.isra.0+0x23e/0x790 net/bluetooth/hci_event.c:4926
Code: 48 c1 ea 03 80 3c 02 00 0f 85 3e 05 00 00 48 8b 9d 30 09 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 da 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffffc90001897a38 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff871af0e3
RDX: 0000000000000002 RSI: ffffffff871af0f0 RDI: 0000000000000010
RBP: ffff88808f25e000 R08: 0000000000000001 R09: ffff8880a1cf6a88
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880877f1110 R14: ffff8880926b480b R15: 00000000000000c8
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff77d3f7a7 CR3: 000000009291e000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400




* KASAN: use-after-free Read in hci_send_acl
From: syzbot @ 2020-08-02 20:46 UTC (permalink / raw)
  To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel, marcel,
	netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13482904900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c0cfcf935bcc94d2
dashboard link: https://syzkaller.appspot.com/bug?extid=98228e7407314d2d4ba2
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=152f1904900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1482dfca900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in hci_send_acl+0xabe/0xc60 net/bluetooth/hci_core.c:3991
Read of size 8 at addr ffff8880a6ff8818 by task kworker/u5:2/6855

CPU: 1 PID: 6855 Comm: kworker/u5:2 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 hci_send_acl+0xabe/0xc60 net/bluetooth/hci_core.c:3991
 l2cap_send_cmd+0x6d5/0x8a0 net/bluetooth/l2cap_core.c:949
 l2cap_send_move_chan_cfm_icid net/bluetooth/l2cap_core.c:4917 [inline]
 l2cap_move_fail net/bluetooth/l2cap_core.c:5401 [inline]
 l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5440 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5719 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:6418 [inline]
 l2cap_recv_frame+0x6936/0xae10 net/bluetooth/l2cap_core.c:7660
 l2cap_recv_acldata+0x7f6/0x8e0 net/bluetooth/l2cap_core.c:8313
 hci_acldata_packet net/bluetooth/hci_core.c:4520 [inline]
 hci_rx_work+0x4c7/0xb10 net/bluetooth/hci_core.c:4710
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 6855:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x14f/0x2d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hci_chan_create+0x9b/0x330 net/bluetooth/hci_conn.c:1692
 l2cap_conn_add.part.0+0x1e/0xe10 net/bluetooth/l2cap_core.c:7699
 l2cap_conn_add net/bluetooth/l2cap_core.c:8139 [inline]
 l2cap_connect_cfm+0x23b/0x1090 net/bluetooth/l2cap_core.c:8097
 hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline]
 hci_remote_features_evt net/bluetooth/hci_event.c:3210 [inline]
 hci_event_packet+0x3e01/0x86f5 net/bluetooth/hci_event.c:6061
 hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Freed by task 6855:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4999 [inline]
 hci_event_packet+0x319a/0x86f5 net/bluetooth/hci_event.c:6188
 hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff8880a6ff8800
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff8880a6ff8800, ffff8880a6ff8880)
The buggy address belongs to the page:
page:ffffea00029bfe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a6ff8c00
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002934388 ffff8880aa001540 ffff8880aa000700
raw: ffff8880a6ff8c00 ffff8880a6ff8000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a6ff8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a6ff8780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a6ff8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880a6ff8880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a6ff8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================



* KMSAN: uninit-value in process_adv_report
From: syzbot @ 2020-08-02 20:46 UTC (permalink / raw)
  To: davem, glider, johan.hedberg, kuba, linux-bluetooth, linux-kernel,
	linux, marcel, netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    93f54a72 instrumented.h: fix KMSAN support
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13238a42900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fa4f3b91169c2501
dashboard link: https://syzkaller.appspot.com/bug?extid=e4244d85e5b777ac4d3d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
userspace arch: i386
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=108830ec900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f9336c900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e4244d85e5b777ac4d3d@syzkaller.appspotmail.com

Bluetooth: hci0: unknown advertising packet type: 0x2b
=====================================================
BUG: KMSAN: uninit-value in hci_bdaddr_is_rpa include/net/bluetooth/hci_core.h:1486 [inline]
BUG: KMSAN: uninit-value in process_adv_report+0x781/0x2000 net/bluetooth/hci_event.c:5409
CPU: 0 PID: 2202 Comm: kworker/u5:0 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1df/0x240 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 hci_bdaddr_is_rpa include/net/bluetooth/hci_core.h:1486 [inline]
 process_adv_report+0x781/0x2000 net/bluetooth/hci_event.c:5409
 hci_le_direct_adv_report_evt net/bluetooth/hci_event.c:5837 [inline]
 hci_le_meta_evt net/bluetooth/hci_event.c:5902 [inline]
 hci_event_packet+0x1d08/0x33ee0 net/bluetooth/hci_event.c:6155
 hci_rx_work+0x95f/0xce0 net/bluetooth/hci_core.c:4705
 process_one_work+0x1540/0x1f30 kernel/workqueue.c:2269
 worker_thread+0xed2/0x23f0 kernel/workqueue.c:2415
 kthread+0x515/0x550 kernel/kthread.c:292
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
 slab_alloc_node mm/slub.c:2839 [inline]
 __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4478
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1083 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:377 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:165 [inline]
 vhci_write+0x15b/0x800 drivers/bluetooth/hci_vhci.c:285
 call_write_iter include/linux/fs.h:1908 [inline]
 new_sync_write fs/read_write.c:503 [inline]
 vfs_write+0xd98/0x1480 fs/read_write.c:578
 ksys_write+0x267/0x450 fs/read_write.c:631
 __do_sys_write fs/read_write.c:643 [inline]
 __se_sys_write+0x92/0xb0 fs/read_write.c:640
 __ia32_sys_write+0x4a/0x70 fs/read_write.c:640
 do_syscall_32_irqs_on arch/x86/entry/common.c:430 [inline]
 __do_fast_syscall_32+0x2aa/0x400 arch/x86/entry/common.c:477
 do_fast_syscall_32+0x6b/0xd0 arch/x86/entry/common.c:505
 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:554
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
=====================================================



* Re: Bug#966459: linux: traffic class socket options (both IPv4/IPv6) inconsistent with docs/standards
From: Thorsten Glaser @ 2020-08-02 20:44 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: 966459, netdev
In-Reply-To: <e1beb0b98109d90738e054683f5eb1dd483011dd.camel@decadent.org.uk>

On Sun, 2 Aug 2020, Ben Hutchings wrote:

> The RFC says that the IPV6_TCLASS option's value is an int, and that

for setsockopt (“option's”), not cmsg

> No, the wording is *not* clear.

Agreed.

So perhaps let’s try to find out what’s actually right…

Thanks for helping,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg


* [PATCH bpf-next v4 0/2] bpf: cgroup skb improvements for bpf_prog_test_run
From: Dmitry Yakunin @ 2020-08-02 21:30 UTC (permalink / raw)
  To: alexei.starovoitov, daniel, netdev, bpf; +Cc: sdf

This patchset contains some improvements for testing cgroup/skb programs
through BPF_PROG_TEST_RUN command.

v2:
  - fix build without CONFIG_CGROUP_BPF (kernel test robot <lkp@intel.com>)

v3:
  - fix build without CONFIG_IPV6 (kernel test robot <lkp@intel.com>)

v4:
  - remove cgroup storage related commits for future rework (Daniel Borkmann)

v5:
  - check skb length before access to inet headers (Eric Dumazet)

Dmitry Yakunin (2):
  bpf: setup socket family and addresses in bpf_prog_test_run_skb
  bpf: allow to specify ifindex for skb in bpf_prog_test_run_skb

 net/bpf/test_run.c                               | 39 ++++++++++++++++++++++--
 tools/testing/selftests/bpf/prog_tests/skb_ctx.c |  5 +++
 2 files changed, 42 insertions(+), 2 deletions(-)

-- 
2.7.4



* [PATCH bpf-next v5 1/2] bpf: setup socket family and addresses in bpf_prog_test_run_skb
From: Dmitry Yakunin @ 2020-08-02 21:30 UTC (permalink / raw)
  To: alexei.starovoitov, daniel, netdev, bpf; +Cc: sdf
In-Reply-To: <20200802213026.78731-1-zeil@yandex-team.ru>

Now it's impossible to test all branches of cgroup_skb bpf program which
accesses skb->family and skb->{local,remote}_ip{4,6} fields because they
are zeroed during socket allocation. This commit fills socket family and
addresses from related fields in constructed skb.

v2:
  - fix build without CONFIG_IPV6 (kernel test robot <lkp@intel.com>)

v3:
  - check skb length before access to inet headers (Eric Dumazet)

Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
---
 net/bpf/test_run.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index b03c469..8d69295 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -449,6 +449,27 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 	skb->protocol = eth_type_trans(skb, current->nsproxy->net_ns->loopback_dev);
 	skb_reset_network_header(skb);
 
+	switch (skb->protocol) {
+	case htons(ETH_P_IP):
+		sk->sk_family = AF_INET;
+		if (pskb_may_pull(skb, sizeof(struct iphdr))) {
+			sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
+			sk->sk_daddr = ip_hdr(skb)->daddr;
+		}
+		break;
+#if IS_ENABLED(CONFIG_IPV6)
+	case htons(ETH_P_IPV6):
+		sk->sk_family = AF_INET6;
+		if (pskb_may_pull(skb, sizeof(struct ipv6hdr))) {
+			sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
+			sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
+		}
+		break;
+#endif
+	default:
+		break;
+	}
+
 	if (is_l2)
 		__skb_push(skb, hh_len);
 	if (is_direct_pkt_access)
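Review bot: in both cases sk->sk_family is set before the pskb_may_pull() check, so when the pull fails (a frame shorter than the IP header) the socket ends up with AF_INET or AF_INET6 but all-zero addresses; either move the sk_family assignment inside the pull-succeeded branch or state in the commit message that a truncated header leaves the addresses unset. A second point worth a sentence in the commit message: the hunk maps the packet's saddr to sk_rcv_saddr and daddr to sk_daddr, which is the egress view (local = source); for an ingress-oriented cgroup_skb program the receiving socket's local address would be the packet's destination, so test authors need to know which convention the test run uses.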
-- 
2.7.4



* [PATCH bpf-next v5 2/2] bpf: allow to specify ifindex for skb in bpf_prog_test_run_skb
From: Dmitry Yakunin @ 2020-08-02 21:30 UTC (permalink / raw)
  To: alexei.starovoitov, daniel, netdev, bpf; +Cc: sdf
In-Reply-To: <20200802213026.78731-1-zeil@yandex-team.ru>

Now skb->dev is unconditionally set to the loopback device in current net
namespace. But if we want to test bpf program which contains code branch
based on ifindex condition (eg filters out localhost packets) it is useful
to allow specifying of ifindex from userspace. This patch adds such option
through ctx_in (__sk_buff) parameter.

Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
---
 net/bpf/test_run.c                               | 22 ++++++++++++++++++++--
 tools/testing/selftests/bpf/prog_tests/skb_ctx.c |  5 +++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 8d69295..369ce90 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -327,6 +327,12 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
 	/* priority is allowed */
 
 	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, priority),
+			   offsetof(struct __sk_buff, ifindex)))
+		return -EINVAL;
+
+	/* ifindex is allowed */
+
+	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, ifindex),
 			   offsetof(struct __sk_buff, cb)))
 		return -EINVAL;
 
@@ -381,6 +387,7 @@ static void convert_skb_to___skb(struct sk_buff *skb, struct __sk_buff *__skb)
 
 	__skb->mark = skb->mark;
 	__skb->priority = skb->priority;
+	__skb->ifindex = skb->dev->ifindex;
 	__skb->tstamp = skb->tstamp;
 	memcpy(__skb->cb, &cb->data, QDISC_CB_PRIV_LEN);
 	__skb->wire_len = cb->pkt_len;
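Review bot: `__skb->ifindex = skb->dev->ifindex;` dereferences skb->dev unconditionally, and it is the only line in this function that can fault if dev is NULL (the other fields are copied straight from skb and cb). If skb->dev is guaranteed non-NULL here because eth_type_trans() always sets it before the program runs, say so in a short comment; otherwise write it as `skb->dev ? skb->dev->ifindex : 0`.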
@@ -391,6 +398,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 			  union bpf_attr __user *uattr)
 {
 	bool is_l2 = false, is_direct_pkt_access = false;
+	struct net *net = current->nsproxy->net_ns;
+	struct net_device *dev = net->loopback_dev;
 	u32 size = kattr->test.data_size_in;
 	u32 repeat = kattr->test.repeat;
 	struct __sk_buff *ctx = NULL;
@@ -432,7 +441,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 		kfree(ctx);
 		return -ENOMEM;
 	}
-	sock_net_set(sk, current->nsproxy->net_ns);
+	sock_net_set(sk, net);
 	sock_init_data(NULL, sk);
 
 	skb = build_skb(data, 0);
@@ -446,7 +455,14 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 
 	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
 	__skb_put(skb, size);
-	skb->protocol = eth_type_trans(skb, current->nsproxy->net_ns->loopback_dev);
+	if (ctx && ctx->ifindex > 1) {
+		dev = dev_get_by_index(net, ctx->ifindex);
+		if (!dev) {
+			ret = -ENODEV;
+			goto out;
+		}
+	}
+	skb->protocol = eth_type_trans(skb, dev);
 	skb_reset_network_header(skb);
 
 	switch (skb->protocol) {
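Review bot: `ctx->ifindex > 1` hard-codes the assumption that the loopback device has ifindex 1, so a caller passing ifindex 1 silently gets the default dev regardless of what loopback's index actually is, and ifindex 0 and 1 become indistinguishable. Comparing against `net->loopback_dev->ifindex` (or only treating 0 as "use the default") makes the intent explicit. The reference handling itself looks right: dev_get_by_index() takes a reference, the -ENODEV path leaves dev NULL so the guarded dev_put() at out: is skipped, and the loopback default is never put.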
@@ -502,6 +518,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 		ret = bpf_ctx_finish(kattr, uattr, ctx,
 				     sizeof(struct __sk_buff));
 out:
+	if (dev && dev != net->loopback_dev)
+		dev_put(dev);
 	kfree_skb(skb);
 	bpf_sk_storage_free(sk);
 	kfree(sk);
diff --git a/tools/testing/selftests/bpf/prog_tests/skb_ctx.c b/tools/testing/selftests/bpf/prog_tests/skb_ctx.c
index 7021b92..25de86a 100644
--- a/tools/testing/selftests/bpf/prog_tests/skb_ctx.c
+++ b/tools/testing/selftests/bpf/prog_tests/skb_ctx.c
@@ -11,6 +11,7 @@ void test_skb_ctx(void)
 		.cb[3] = 4,
 		.cb[4] = 5,
 		.priority = 6,
+		.ifindex = 1,
 		.tstamp = 7,
 		.wire_len = 100,
 		.gso_segs = 8,
@@ -92,6 +93,10 @@ void test_skb_ctx(void)
 		   "ctx_out_priority",
 		   "skb->priority == %d, expected %d\n",
 		   skb.priority, 7);
+	CHECK_ATTR(skb.ifindex != 1,
+		   "ctx_out_ifindex",
+		   "skb->ifindex == %d, expected %d\n",
+		   skb.ifindex, 1);
 	CHECK_ATTR(skb.tstamp != 8,
 		   "ctx_out_tstamp",
 		   "skb->tstamp == %lld, expected %d\n",
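Review bot: the test only passes `.ifindex = 1`, which the kernel side treats as the default device (the dev_get_by_index() path is taken only for ifindex > 1), so the new lookup and its -ENODEV error path are never exercised and the round-trip check `skb.ifindex != 1` would also pass on a kernel without this patch. Add a case passing a non-existent ifindex and asserting that the test run fails with ENODEV, and ideally one with a non-loopback device created in the test netns whose index is checked on output.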
-- 
2.7.4



* [PATCH v3 bpf-next] bpf/selftests: fold test_current_pid_tgid_new_ns into test_progs.
From: Carlos Neira @ 2020-08-02 21:33 UTC (permalink / raw)
  To: netdev; +Cc: yhs, ebiederm, brouer, bpf, cneirabustos

Currently tests for bpf_get_ns_current_pid_tgid() are outside test_progs. 
This change folds a test case into test_progs. 

Changes from V2:
 - Tests are now using skeleton.
 - Test not creating a new namespace has been included in test_progs.
 - Test creating a new pid namespace has been added as a standalone test.

Signed-off-by: Carlos Neira <cneirabustos@gmail.com>
---
 tools/testing/selftests/bpf/.gitignore        |  2 +-
 tools/testing/selftests/bpf/Makefile          |  3 +-
 .../bpf/prog_tests/ns_current_pid_tgid.c      | 85 -----------------
 .../bpf/prog_tests/ns_current_pidtgid.c       | 59 ++++++++++++
 .../bpf/progs/test_ns_current_pid_tgid.c      | 37 --------
 .../bpf/progs/test_ns_current_pidtgid.c       | 25 +++++
 ...new_ns.c => test_current_pidtgid_new_ns.c} |  0
 .../bpf/test_ns_current_pidtgid_newns.c       | 91 +++++++++++++++++++
 8 files changed, 178 insertions(+), 124 deletions(-)
 delete mode 100644 tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
 create mode 100644 tools/testing/selftests/bpf/prog_tests/ns_current_pidtgid.c
 delete mode 100644 tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_ns_current_pidtgid.c
 rename tools/testing/selftests/bpf/{test_current_pid_tgid_new_ns.c => test_current_pidtgid_new_ns.c} (100%)
 create mode 100644 tools/testing/selftests/bpf/test_ns_current_pidtgid_newns.c

diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
index 1bb204cee853..022055f23592 100644
--- a/tools/testing/selftests/bpf/.gitignore
+++ b/tools/testing/selftests/bpf/.gitignore
@@ -30,8 +30,8 @@ test_tcpnotify_user
 test_libbpf
 test_tcp_check_syncookie_user
 test_sysctl
-test_current_pid_tgid_new_ns
 xdping
+test_ns_current_pidtgid_newns
 test_cpp
 *.skel.h
 /no_alu32
diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index e7a8cf83ba48..c1ba9c947196 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -37,7 +37,7 @@ TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test
 	test_cgroup_storage \
 	test_netcnt test_tcpnotify_user test_sock_fields test_sysctl \
 	test_progs-no_alu32 \
-	test_current_pid_tgid_new_ns
+	test_ns_current_pidtgid_newns
 
 # Also test bpf-gcc, if present
 ifneq ($(BPF_GCC),)
@@ -163,6 +163,7 @@ $(OUTPUT)/test_cgroup_storage: cgroup_helpers.c
 $(OUTPUT)/test_netcnt: cgroup_helpers.c
 $(OUTPUT)/test_sock_fields: cgroup_helpers.c
 $(OUTPUT)/test_sysctl: cgroup_helpers.c
+$(OUTPUT)/test_ns_current_pidtgid_newns: test_ns_current_pidtgid_newns.c
 
 DEFAULT_BPFTOOL := $(SCRATCH_DIR)/sbin/bpftool
 BPFTOOL ?= $(DEFAULT_BPFTOOL)
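Review bot: the added rule lists the program's own source as the prerequisite, which make already has from the generic `%: %.c` rule; the neighbouring lines use this form to name extra objects such as cgroup_helpers.c. What this binary actually depends on is the generated skeleton it includes ("test_ns_current_pidtgid.skel.h", see the new test_ns_current_pidtgid_newns.c), so the rule should read `$(OUTPUT)/test_ns_current_pidtgid_newns: $(OUTPUT)/test_ns_current_pidtgid.skel.h` to guarantee the skeleton exists before the standalone test is compiled.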
diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
deleted file mode 100644
index e74dc501b27f..000000000000
--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
+++ /dev/null
@@ -1,85 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/* Copyright (c) 2020 Carlos Neira cneirabustos@gmail.com */
-#include <test_progs.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <sys/syscall.h>
-
-struct bss {
-	__u64 dev;
-	__u64 ino;
-	__u64 pid_tgid;
-	__u64 user_pid_tgid;
-};
-
-void test_ns_current_pid_tgid(void)
-{
-	const char *probe_name = "raw_tracepoint/sys_enter";
-	const char *file = "test_ns_current_pid_tgid.o";
-	int err, key = 0, duration = 0;
-	struct bpf_link *link = NULL;
-	struct bpf_program *prog;
-	struct bpf_map *bss_map;
-	struct bpf_object *obj;
-	struct bss bss;
-	struct stat st;
-	__u64 id;
-
-	obj = bpf_object__open_file(file, NULL);
-	if (CHECK(IS_ERR(obj), "obj_open", "err %ld\n", PTR_ERR(obj)))
-		return;
-
-	err = bpf_object__load(obj);
-	if (CHECK(err, "obj_load", "err %d errno %d\n", err, errno))
-		goto cleanup;
-
-	bss_map = bpf_object__find_map_by_name(obj, "test_ns_.bss");
-	if (CHECK(!bss_map, "find_bss_map", "failed\n"))
-		goto cleanup;
-
-	prog = bpf_object__find_program_by_title(obj, probe_name);
-	if (CHECK(!prog, "find_prog", "prog '%s' not found\n",
-		  probe_name))
-		goto cleanup;
-
-	memset(&bss, 0, sizeof(bss));
-	pid_t tid = syscall(SYS_gettid);
-	pid_t pid = getpid();
-
-	id = (__u64) tid << 32 | pid;
-	bss.user_pid_tgid = id;
-
-	if (CHECK_FAIL(stat("/proc/self/ns/pid", &st))) {
-		perror("Failed to stat /proc/self/ns/pid");
-		goto cleanup;
-	}
-
-	bss.dev = st.st_dev;
-	bss.ino = st.st_ino;
-
-	err = bpf_map_update_elem(bpf_map__fd(bss_map), &key, &bss, 0);
-	if (CHECK(err, "setting_bss", "failed to set bss : %d\n", err))
-		goto cleanup;
-
-	link = bpf_program__attach_raw_tracepoint(prog, "sys_enter");
-	if (CHECK(IS_ERR(link), "attach_raw_tp", "err %ld\n",
-		  PTR_ERR(link))) {
-		link = NULL;
-		goto cleanup;
-	}
-
-	/* trigger some syscalls */
-	usleep(1);
-
-	err = bpf_map_lookup_elem(bpf_map__fd(bss_map), &key, &bss);
-	if (CHECK(err, "set_bss", "failed to get bss : %d\n", err))
-		goto cleanup;
-
-	if (CHECK(id != bss.pid_tgid, "Compare user pid/tgid vs. bpf pid/tgid",
-		  "User pid/tgid %llu BPF pid/tgid %llu\n", id, bss.pid_tgid))
-		goto cleanup;
-cleanup:
-	bpf_link__destroy(link);
-	bpf_object__close(obj);
-}
diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pidtgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pidtgid.c
new file mode 100644
index 000000000000..49578c0afbe0
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pidtgid.c
@@ -0,0 +1,59 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2020 Carlos Neira cneirabustos@gmail.com */
+
+#define _GNU_SOURCE
+#include <test_progs.h>
+#include "test_ns_current_pidtgid.skel.h"
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sched.h>
+#include <sys/wait.h>
+#include <sys/mount.h>
+#include <sys/fcntl.h>
+
+void test_ns_current_pidtgid(void)
+{
+	int err, duration = 0;
+	struct test_ns_current_pidtgid *skel;
+	struct test_ns_current_pidtgid__bss  *bss;
+	struct stat st;
+	__u64 id;
+
+	skel = test_ns_current_pidtgid__open();
+	if (CHECK(!skel, "skel_open", "failed to open skeleton\n"))
+		return;
+
+	err = test_ns_current_pidtgid__load(skel);
+	if (CHECK(err, "skel_load", "failed to load skeleton: %d\n", err))
+		goto cleanup;
+
+	pid_t tid = syscall(SYS_gettid);
+	pid_t pid = getpid();
+
+	id = (__u64) tid << 32 | pid;
+
+	if (CHECK_FAIL(stat("/proc/self/ns/pid", &st))) {
+		perror("Failed to stat /proc/self/ns/pid");
+		goto cleanup;
+	}
+
+	bss = skel->bss;
+	bss->dev = st.st_dev;
+	bss->ino = st.st_ino;
+	bss->user_pid_tgid = 0;
+
+	err = test_ns_current_pidtgid__attach(skel);
+	if (CHECK(err, "skel_attach", "skeleton attach failed: %d\n", err))
+		goto cleanup;
+
+	/* trigger tracepoint */
+	usleep(1);
+
+	CHECK(bss->user_pid_tgid != id, "pid/tgid", "got %llu != exp %llu\n",
+		bss->user_pid_tgid, id);
+cleanup:
+	test_ns_current_pidtgid__destroy(skel);
+
+}
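Review bot: the expected value is built as `(__u64) tid << 32 | pid` (thread id in the high word), but the BPF program added in this series packs `nsdata.tgid << 32 | nsdata.pid` (process id in the high word, see progs/test_ns_current_pidtgid.c below); the two only agree because test_progs runs this from the main thread where tid == pid, and the comparison would break as soon as the test is run from a worker thread. Build the expected value as `(__u64) pid << 32 | tid` to match the helper's layout. Also <sched.h>, <sys/wait.h>, <sys/mount.h> and <sys/fcntl.h> are unused in this file and look copied from the standalone test; drop them.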
diff --git a/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c b/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c
deleted file mode 100644
index 1dca70a6de2f..000000000000
--- a/tools/testing/selftests/bpf/progs/test_ns_current_pid_tgid.c
+++ /dev/null
@@ -1,37 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/* Copyright (c) 2019 Carlos Neira cneirabustos@gmail.com */
-
-#include <linux/bpf.h>
-#include <stdint.h>
-#include <bpf/bpf_helpers.h>
-
-static volatile struct {
-	__u64 dev;
-	__u64 ino;
-	__u64 pid_tgid;
-	__u64 user_pid_tgid;
-} res;
-
-SEC("raw_tracepoint/sys_enter")
-int trace(void *ctx)
-{
-	__u64  ns_pid_tgid, expected_pid;
-	struct bpf_pidns_info nsdata;
-	__u32 key = 0;
-
-	if (bpf_get_ns_current_pid_tgid(res.dev, res.ino, &nsdata,
-		   sizeof(struct bpf_pidns_info)))
-		return 0;
-
-	ns_pid_tgid = (__u64)nsdata.tgid << 32 | nsdata.pid;
-	expected_pid = res.user_pid_tgid;
-
-	if (expected_pid != ns_pid_tgid)
-		return 0;
-
-	res.pid_tgid = ns_pid_tgid;
-
-	return 0;
-}
-
-char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/progs/test_ns_current_pidtgid.c b/tools/testing/selftests/bpf/progs/test_ns_current_pidtgid.c
new file mode 100644
index 000000000000..9818a56510d9
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/test_ns_current_pidtgid.c
@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2019 Carlos Neira cneirabustos@gmail.com */
+
+#include <linux/bpf.h>
+#include <stdint.h>
+#include <bpf/bpf_helpers.h>
+
+__u64 user_pid_tgid = 0;
+__u64 dev = 0;
+__u64 ino = 0;
+
+SEC("raw_tracepoint/sys_enter")
+int handler(const void *ctx)
+{
+	struct bpf_pidns_info nsdata;
+
+	if (bpf_get_ns_current_pid_tgid(dev, ino, &nsdata,
+		   sizeof(struct bpf_pidns_info)))
+		return 0;
+	user_pid_tgid = (__u64)nsdata.tgid << 32 | nsdata.pid;
+
+	return 0;
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/test_current_pid_tgid_new_ns.c b/tools/testing/selftests/bpf/test_current_pidtgid_new_ns.c
similarity index 100%
rename from tools/testing/selftests/bpf/test_current_pid_tgid_new_ns.c
rename to tools/testing/selftests/bpf/test_current_pidtgid_new_ns.c
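Review bot: the rename keeps test_current_pidtgid_new_ns.c in the tree, but nothing in this patch builds it: the Makefile and .gitignore hunks replace test_current_pid_tgid_new_ns with test_ns_current_pidtgid_newns, and a new test_ns_current_pidtgid_newns.c with the same purpose is added below. Either delete the old file instead of renaming it, or explain in the commit message why two standalone new-namespace tests are kept.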
diff --git a/tools/testing/selftests/bpf/test_ns_current_pidtgid_newns.c b/tools/testing/selftests/bpf/test_ns_current_pidtgid_newns.c
new file mode 100644
index 000000000000..3bca38941c99
--- /dev/null
+++ b/tools/testing/selftests/bpf/test_ns_current_pidtgid_newns.c
@@ -0,0 +1,91 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2020 Carlos Neira cneirabustos@gmail.com */
+
+#define _GNU_SOURCE
+#include <test_progs.h>
+#include "test_ns_current_pidtgid.skel.h"
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sched.h>
+#include <sys/wait.h>
+#include <sys/mount.h>
+#include <sys/fcntl.h>
+
+#define STACK_SIZE (1024 * 1024)
+static char child_stack[STACK_SIZE];
+
+static int newns_pidtgid(void *arg)
+{
+	struct test_ns_current_pidtgid__bss  *bss;
+	struct test_ns_current_pidtgid *skel;
+	int pidns_fd = 0, err = 0;
+	pid_t pid, tid;
+	struct stat st;
+	__u64 id;
+
+	skel = test_ns_current_pidtgid__open();
+	err = test_ns_current_pidtgid__load(skel);
+	if (err) {
+		perror("Failed to load skeleton");
+		goto cleanup;
+	}
+
+	tid = syscall(SYS_gettid);
+	pid = getpid();
+	id = (__u64) tid << 32 | pid;
+
+	if (stat("/proc/self/ns/pid", &st)) {
+		printf("Failed to stat /proc/self/ns/pid: %s\n",
+			strerror(errno));
+		goto cleanup;
+	}
+
+	bss = skel->bss;
+	bss->dev = st.st_dev;
+	bss->ino = st.st_ino;
+	bss->user_pid_tgid = 0;
+
+	err = test_ns_current_pidtgid__attach(skel);
+	if (err) {
+		printf("Failed to attach: %s err: %d\n", strerror(errno), err);
+		goto cleanup;
+	}
+	/* trigger tracepoint */
+	usleep(1);
+
+	if (bss->user_pid_tgid != id) {
+		printf("test_ns_current_pidtgid_newns:FAIL\n");
+		err = EXIT_FAILURE;
+	} else {
+		printf("test_ns_current_pidtgid_newns:PASS\n");
+		err = EXIT_SUCCESS;
+	}
+
+cleanup:
+		setns(pidns_fd, CLONE_NEWPID);
+		test_ns_current_pidtgid__destroy(skel);
+
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	pid_t cpid;
+	int wstatus;
+
+	cpid = clone(newns_pidtgid,
+			child_stack + STACK_SIZE,
+			CLONE_NEWPID | SIGCHLD, NULL);
+	if (cpid == -1) {
+		printf("test_ns_current_pidtgid_newns:Failed on CLONE: %s\n",
+			 strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+	if (waitpid(cpid, &wstatus, 0) == -1) {
+		printf("test_ns_current_pidtgid_newns:Failed on waitpid: %s\n",
+			strerror(errno));
+	}
+	return (WEXITSTATUS(wstatus));
+}
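Review bot: newns_pidtgid() ends with `return 0;` regardless of the outcome, so the `err = EXIT_FAILURE` / `EXIT_SUCCESS` assignments are dead and main()'s `return (WEXITSTATUS(wstatus))` is always 0: a FAIL is printed but never fails the test. Return err from the child and make the goto paths (load, stat, attach failures) set a non-zero err as well. In the same function, `pidns_fd` is initialised to 0 and never opened, so `setns(pidns_fd, CLONE_NEWPID)` at cleanup is called on stdin and just fails; drop it, since the child already lives in the new namespace from CLONE_NEWPID and exits right after. test_ns_current_pidtgid__open() can return NULL and the result is passed to __load() unchecked. Finally, the cleanup: block is indented two tabs where one is expected.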
-- 
2.20.1



* Re: [PATCH bpf-next v4 0/2] bpf: cgroup skb improvements for bpf_prog_test_run
From: Dmitry Yakunin @ 2020-08-02 21:35 UTC (permalink / raw)
  To: alexei.starovoitov@gmail.com, daniel@iogearbox.net,
	netdev@vger.kernel.org, bpf@vger.kernel.org
  Cc: sdf@google.com
In-Reply-To: <20200802213026.78731-1-zeil@yandex-team.ru>

Sorry, forgot to bump version in cover letter subject. I will resend it.

03.08.2020, 00:30, "Dmitry Yakunin" <zeil@yandex-team.ru>:
> This patchset contains some improvements for testing cgroup/skb programs
> through BPF_PROG_TEST_RUN command.
>
> v2:
>   - fix build without CONFIG_CGROUP_BPF (kernel test robot <lkp@intel.com>)
>
> v3:
>   - fix build without CONFIG_IPV6 (kernel test robot <lkp@intel.com>)
>
> v4:
>   - remove cgroup storage related commits for future rework (Daniel Borkmann)
>
> v5:
>   - check skb length before access to inet headers (Eric Dumazet)
>
> Dmitry Yakunin (2):
>   bpf: setup socket family and addresses in bpf_prog_test_run_skb
>   bpf: allow to specify ifindex for skb in bpf_prog_test_run_skb
>
>  net/bpf/test_run.c | 39 ++++++++++++++++++++++--
>  tools/testing/selftests/bpf/prog_tests/skb_ctx.c | 5 +++
>  2 files changed, 42 insertions(+), 2 deletions(-)
>
> --
> 2.7.4


* WARNING: ODEBUG bug in bt_host_release
From: syzbot @ 2020-08-02 21:36 UTC (permalink / raw)
  To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel, marcel,
	netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11e1da92900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
dashboard link: https://syzkaller.appspot.com/bug?extid=0ce8a29c6c6469b16632
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14f653ca900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0ce8a29c6c6469b16632@syzkaller.appspotmail.com

------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x80 arch/x86/include/asm/paravirt.h:770
WARNING: CPU: 1 PID: 20314 at lib/debugobjects.c:488 debug_print_object lib/debugobjects.c:485 [inline]
WARNING: CPU: 1 PID: 20314 at lib/debugobjects.c:488 __debug_check_no_obj_freed lib/debugobjects.c:967 [inline]
WARNING: CPU: 1 PID: 20314 at lib/debugobjects.c:488 debug_check_no_obj_freed+0x45c/0x640 lib/debugobjects.c:998
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 20314 Comm: syz-executor.5 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 panic+0x264/0x7a0 kernel/panic.c:231
 __warn+0x227/0x250 kernel/panic.c:600
 report_bug+0x1b1/0x2e0 lib/bug.c:198
 handle_bug+0x42/0x80 arch/x86/kernel/traps.c:235
 exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:255
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:540
RIP: 0010:debug_print_object lib/debugobjects.c:485 [inline]
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:967 [inline]
RIP: 0010:debug_check_no_obj_freed+0x45c/0x640 lib/debugobjects.c:998
Code: 74 08 4c 89 f7 e8 04 e4 11 fe 4d 8b 06 48 c7 c7 ef b7 14 89 48 c7 c6 fd 95 12 89 48 89 da 89 e9 4d 89 f9 31 c0 e8 64 95 a4 fd <0f> 0b 48 ba 00 00 00 00 00 fc ff df ff 05 86 c1 eb 05 48 8b 5c 24
RSP: 0018:ffffc90003777b90 EFLAGS: 00010046
RAX: ffd2d42dae8b6000 RBX: ffffffff8918b660 RCX: ffff888087ef6000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff815dd389 R09: ffffed1015d241c3
R10: ffffed1015d241c3 R11: 0000000000000000 R12: ffff8880a131c9ec
R13: ffffffff8ba5dfb8 R14: ffffffff894edb20 R15: ffffffff814c4b60
 kfree+0xfc/0x220 mm/slab.c:3756
 bt_host_release+0x18/0x20 net/bluetooth/hci_sysfs.c:86
 device_release+0x70/0x1a0 drivers/base/core.c:1575
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x15b/0x220 lib/kobject.c:739
 vhci_release+0x7b/0xc0 drivers/bluetooth/hci_vhci.c:341
 __fput+0x2f0/0x750 fs/file_table.c:281
 task_work_run+0x137/0x1c0 kernel/task_work.c:135
 exit_task_work include/linux/task_work.h:25 [inline]
 do_exit+0x601/0x1f80 kernel/exit.c:805
 do_group_exit+0x161/0x2d0 kernel/exit.c:903
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:914
 __se_sys_exit_group+0x10/0x10 kernel/exit.c:912
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:912
 do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45cc79
Code: Bad RIP value.
RSP: 002b:00007ffe023458d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045cc79
RDX: 00000000004166d1 RSI: 0000000000ca85f0 RDI: 0000000000000043
RBP: 00000000004c2903 R08: 000000000000000b R09: 0000000000000000
R10: 000000000246f940 R11: 0000000000000246 R12: 0000000000000004
R13: 00007ffe02345a20 R14: 00000000000b206f R15: 00007ffe02345a30
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* [PATCH bpf-next v5 0/2] bpf: cgroup skb improvements for bpf_prog_test_run
From: Dmitry Yakunin @ 2020-08-02 21:36 UTC (permalink / raw)
  To: alexei.starovoitov, daniel, netdev, bpf; +Cc: sdf

This patchset contains some improvements for testing cgroup/skb programs
through the BPF_PROG_TEST_RUN command.

v2:
  - fix build without CONFIG_CGROUP_BPF (kernel test robot <lkp@intel.com>)

v3:
  - fix build without CONFIG_IPV6 (kernel test robot <lkp@intel.com>)

v4:
  - remove cgroup storage related commits for future rework (Daniel Borkmann)

v5:
  - check skb length before access to inet headers (Eric Dumazet)

Dmitry Yakunin (2):
  bpf: setup socket family and addresses in bpf_prog_test_run_skb
  bpf: allow to specify ifindex for skb in bpf_prog_test_run_skb

 net/bpf/test_run.c                               | 39 ++++++++++++++++++++++--
 tools/testing/selftests/bpf/prog_tests/skb_ctx.c |  5 +++
 2 files changed, 42 insertions(+), 2 deletions(-)

-- 
2.7.4



* [PATCH bpf-next v5 1/2] bpf: setup socket family and addresses in bpf_prog_test_run_skb
From: Dmitry Yakunin @ 2020-08-02 21:36 UTC (permalink / raw)
  To: alexei.starovoitov, daniel, netdev, bpf; +Cc: sdf
In-Reply-To: <20200802213631.78937-1-zeil@yandex-team.ru>

Now it's impossible to test all branches of a cgroup_skb bpf program which
accesses the skb->family and skb->{local,remote}_ip{4,6} fields because they
are zeroed during socket allocation. This commit fills the socket family and
addresses from the related fields in the constructed skb.

v2:
  - fix build without CONFIG_IPV6 (kernel test robot <lkp@intel.com>)

v3:
  - check skb length before access to inet headers (Eric Dumazet)

Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
---
 net/bpf/test_run.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index b03c469..8d69295 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -449,6 +449,27 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 	skb->protocol = eth_type_trans(skb, current->nsproxy->net_ns->loopback_dev);
 	skb_reset_network_header(skb);
 
+	switch (skb->protocol) {
+	case htons(ETH_P_IP):
+		sk->sk_family = AF_INET;
+		if (pskb_may_pull(skb, sizeof(struct iphdr))) {
+			sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
+			sk->sk_daddr = ip_hdr(skb)->daddr;
+		}
+		break;
+#if IS_ENABLED(CONFIG_IPV6)
+	case htons(ETH_P_IPV6):
+		sk->sk_family = AF_INET6;
+		if (pskb_may_pull(skb, sizeof(struct ipv6hdr))) {
+			sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
+			sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
+		}
+		break;
+#endif
+	default:
+		break;
+	}
+
 	if (is_l2)
 		__skb_push(skb, hh_len);
 	if (is_direct_pkt_access)
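Review bot: in both the `ETH_P_IP` and `ETH_P_IPV6` cases `sk->sk_family` is assigned before the `pskb_may_pull()` check, so a test packet shorter than the IP header is handed to the program with the family set but every address left at zero, which is indistinguishable from a packet whose addresses genuinely are 0.0.0.0 or ::. If that is the intended contract, a one-line comment above the switch would save the next reader the question; otherwise consider moving the `sk_family` assignment inside the `if`, or rejecting such packets outright, since the changelog describes the length check as a guard against reading inet headers that are not there. The ordering of `ip_hdr(skb)` / `ipv6_hdr(skb)` after `pskb_may_pull()` is right and should stay that way, as the pull may relocate the header bytes.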
-- 
2.7.4


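As an added illustration that is not part of the patch or the kernel tree, the following user-space C mirrors the hunk's decision structure over constructed frames so the length check the changelog mentions can be exercised on a truncated packet; `struct test_sk`, `fill_sock_from_frame()`, the `L3_FIELD` macro and the sample frames are all invented here, with the explicit length test standing in for `pskb_may_pull()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>      /* AF_INET, AF_INET6, struct in6_addr */
#include <linux/if_ether.h> /* ETH_HLEN, ETH_P_IP, ETH_P_IPV6 */
#include <linux/ip.h>       /* struct iphdr   (saddr, daddr) */
#include <linux/ipv6.h>     /* struct ipv6hdr (saddr, daddr) */

struct test_sk {                /* stand-in for the struct sock fields filled */
	int family;             /* 0 (AF_UNSPEC), AF_INET or AF_INET6 */
	uint32_t saddr4, daddr4;
	struct in6_addr saddr6, daddr6;
};

/* Constructed sample frames (not captured traffic): v4 10.0.0.1 -> 10.0.0.2, v6 ::1 -> ::2 */
const uint8_t sample_v4[ETH_HLEN + 20] = { [12] = 0x08, 0x00, 0x45,
	[26] = 10, 0, 0, 1, 10, 0, 0, 2 };
const uint8_t sample_v6[ETH_HLEN + 40] = { [12] = 0x86, 0xdd, 0x60,
	[37] = 1, [53] = 2 };

/* memcpy one L3 header field out of frame 'f' (no unaligned access). */
#define L3_FIELD(dst, f, hdr, fld) \
	memcpy((dst), (f) + ETH_HLEN + offsetof(hdr, fld), sizeof(((hdr *)0)->fld))

/* Same decision structure as the new switch in bpf_prog_test_run_skb(): the
 * EtherType selects the family; addresses are copied only if the whole L3
 * header is inside the buffer (what pskb_may_pull() checks in the kernel).
 * Returns 1 if addresses were filled, 0 if the family was set but the header
 * is truncated (or the frame is not IP), -1 if shorter than ETH_HLEN. */
int fill_sock_from_frame(struct test_sk *sk, const uint8_t *f, size_t len)
{
	memset(sk, 0, sizeof(*sk));
	if (len < ETH_HLEN)
		return -1;
	switch ((f[12] << 8) | f[13]) {    /* EtherType, big-endian on the wire */
	case ETH_P_IP:
		sk->family = AF_INET;
		if (len - ETH_HLEN < sizeof(struct iphdr))
			return 0;          /* short packet: addresses stay zero */
		L3_FIELD(&sk->saddr4, f, struct iphdr, saddr);
		L3_FIELD(&sk->daddr4, f, struct iphdr, daddr);
		return 1;
	case ETH_P_IPV6:
		sk->family = AF_INET6;
		if (len - ETH_HLEN < sizeof(struct ipv6hdr))
			return 0;
		L3_FIELD(&sk->saddr6, f, struct ipv6hdr, saddr);
		L3_FIELD(&sk->daddr6, f, struct ipv6hdr, daddr);
		return 1;
	default:
		return 0;                  /* non-IP frame: family stays 0 */
	}
}
```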

