AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-27 20:05:14 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
f7369179ad
linux_dsm_epyc7002/include/net
History
Eric Dumazet 3c8fc87820 inet: frags: rework rhashtable dismantle 
syszbot found an interesting use-after-free [1] happening
while IPv4 fragment rhashtable was destroyed at netns dismantle.

While no insertions can possibly happen at the time a dismantling
netns is destroying this rhashtable, timers can still fire and
attempt to remove elements from this rhashtable.

This is forbidden, since rhashtable_free_and_destroy() has
no synchronization against concurrent inserts and deletes.

Add a new fqdir->dead flag so that timers do not attempt
a rhashtable_remove_fast() operation.

We also have to respect an RCU grace period before starting
the rhashtable_free_and_destroy() from process context,
thus we use rcu_work infrastructure.

This is a refinement of a prior rough attempt to fix this bug :
https://marc.info/?l=linux-netdev&m=153845936820900&w=2

Since the rhashtable cleanup is now deferred to a work queue,
netns dismantles should be slightly faster.

[1]
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:194 [inline]
BUG: KASAN: use-after-free in rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212
Read of size 8 at addr ffff8880a6497b70 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc1+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rht_deferred_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __read_once_size include/linux/compiler.h:194 [inline]
 rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212
 rht_deferred_worker+0x111/0x2030 lib/rhashtable.c:411
 process_one_work+0x989/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x354/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 32687:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 __do_kmalloc_node mm/slab.c:3620 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3627
 kmalloc_node include/linux/slab.h:590 [inline]
 kvmalloc_node+0x68/0x100 mm/util.c:431
 kvmalloc include/linux/mm.h:637 [inline]
 kvzalloc include/linux/mm.h:645 [inline]
 bucket_table_alloc+0x90/0x480 lib/rhashtable.c:178
 rhashtable_init+0x3f4/0x7b0 lib/rhashtable.c:1057
 inet_frags_init_net include/net/inet_frag.h:109 [inline]
 ipv4_frags_init_net+0x182/0x410 net/ipv4/ip_fragment.c:683
 ops_init+0xb3/0x410 net/core/net_namespace.c:130
 setup_net+0x2d3/0x740 net/core/net_namespace.c:316
 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x440/0x980 kernel/fork.c:2692
 __do_sys_unshare kernel/fork.c:2760 [inline]
 __se_sys_unshare kernel/fork.c:2758 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2758
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 kvfree+0x61/0x70 mm/util.c:460
 bucket_table_free+0x69/0x150 lib/rhashtable.c:108
 rhashtable_free_and_destroy+0x165/0x8b0 lib/rhashtable.c:1155
 inet_frags_exit_net+0x3d/0x50 net/ipv4/inet_fragment.c:152
 ipv4_frags_exit_net+0x73/0x90 net/ipv4/ip_fragment.c:695
 ops_exit_list.isra.0+0xaa/0x150 net/core/net_namespace.c:154
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:553
 process_one_work+0x989/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x354/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a6497b40
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 48 bytes inside of
 1024-byte region [ffff8880a6497b40, ffff8880a6497f40)
The buggy address belongs to the page:
page:ffffea0002992580 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0xffff8880a64964c0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002916e88 ffffea000218fe08 ffff8880aa400ac0
raw: ffff8880a64964c0 ffff8880a6496040 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a6497a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a6497a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880a6497b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                             ^
 ffff8880a6497b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a6497c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 648700f76b ("inet: frags: use rhashtables for reassembly units")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-05-26 14:08:05 -07:00
..
9p
bluetooth Bluetooth: Ignore CC events not matching the last HCI command 2019-05-05 19:29:04 +02:00
caif
iucv
netfilter netfilter: add API to manage NAT helpers. 2019-04-30 14:19:55 +02:00
netns net: dynamically allocate fqdir structures 2019-05-26 14:08:05 -07:00
nfc treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
phonet
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-05-02 22:14:21 -04:00
tc_act net/sched: move police action structures to header 2019-05-05 21:49:24 -07:00
6lowpan.h
act_api.h
addrconf.h
af_ieee802154.h
af_rxrpc.h rxrpc: Allow the kernel to mark a call as being non-interruptible 2019-05-16 16:25:20 +01:00
af_unix.h
af_vsock.h
ah.h
arp.h ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled 2019-05-05 11:25:49 -07:00
atmclip.h
ax25.h
ax88796.h
bond_3ad.h
bond_alb.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 5 2019-05-21 11:28:40 +02:00
bond_options.h
bonding.h
bpf_sk_storage.h bpf: Introduce bpf sk local storage 2019-04-27 09:07:04 -07:00
busy_poll.h
calipso.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
cfg80211-wext.h
cfg80211.h Various updates, notably: 2019-04-26 16:05:52 -04:00
cfg802154.h
checksum.h
cipso_ipv4.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h devlink: add warning in case driver does not set port type 2019-05-23 09:18:43 -07:00
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 24 2019-05-21 11:52:39 +02:00
dn_route.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 24 2019-05-21 11:52:39 +02:00
dn.h
dsa.h net: dsa: Remove the now unused DSA_SKB_CB_COPY() macro 2019-05-12 13:19:46 -07:00
dsfield.h
dst_cache.h
dst_metadata.h
dst_ops.h
dst.h
erspan.h
esp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h net: Set strict_start_type for routes and rules 2019-05-22 17:50:24 -07:00
firewire.h
flow_dissector.h
flow_offload.h flow_offload: support CVLAN match 2019-05-16 12:02:42 -07:00
flow.h
fou.h
fq_impl.h mac80211: calculate hash for fq without holding fq->lock in itxq enqueue 2019-04-26 13:02:11 +02:00
fq.h
garp.h
gen_stats.h
genetlink.h genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
geneve.h
gre.h
gro_cells.h
gtp.h
gue.h
hwbm.h
icmp.h
ieee80211_radiotap.h
ieee802154_netdev.h
if_inet6.h
ife.h
ila.h
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h
inet_connection_sock.h
inet_ecn.h
inet_frag.h inet: frags: rework rhashtable dismantle 2019-05-26 14:08:05 -07:00
inet_hashtables.h
inet_sock.h
inet_timewait_sock.h
inetpeer.h
ip6_checksum.h
ip6_fib.h ipv6: Make fib6_nh optional at the end of fib6_info 2019-05-24 13:26:44 -07:00
ip6_route.h ipv6: Make fib6_nh optional at the end of fib6_info 2019-05-24 13:26:44 -07:00
ip6_tunnel.h
ip_fib.h ipv4: Rename and export nh_update_mtu 2019-05-22 17:48:44 -07:00
ip_tunnels.h
ip_vs.h
ip.h
ipcomp.h
ipconfig.h
ipv6_frag.h ip6: fix skb leak in ip6frag_expire_frag_queue() 2019-05-05 10:40:24 -07:00
ipv6_stubs.h ipv6: export function to send route updates 2019-05-22 17:48:43 -07:00
ipv6.h
ipx.h
iw_handler.h
kcm.h
l3mdev.h
lag.h
lapb.h
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
lwtunnel.h
mac80211.h Various updates, notably: 2019-04-26 16:05:52 -04:00
mac802154.h
mip6.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
mld.h
mpls_iptunnel.h
mpls.h
mrp.h
ncsi.h
ndisc.h
neighbour.h
net_failover.h
net_namespace.h
net_ratelimit.h
netevent.h
netlabel.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
netlink.h netlink: add validation of NLA_F_NESTED flag 2019-05-04 01:27:11 -04:00
netprio_cgroup.h
netrom.h
nl802154.h
nsh.h
p8022.h
page_pool.h
ping.h
pkt_cls.h net/sched: remove block pointer from common offload structure 2019-05-07 12:23:40 -07:00
pkt_sched.h
pptp.h
protocol.h
psample.h
psnap.h
raw.h
rawv6.h
red.h
regulatory.h
request_sock.h
rose.h
route.h
rsi_91x.h
rtnetlink.h
rtnh.h
sch_generic.h
scm.h
secure_seq.h
seg6_hmac.h
seg6_local.h
seg6.h
slhc_vj.h
smc.h
snmp.h
sock_reuseport.h
sock.h tcp: do not recycle cloned skbs 2019-05-15 09:22:41 -07:00
Space.h
stp.h
strparser.h
switchdev.h
tcp_states.h
tcp.h net/tcp: use deferred jump label for TCP acked data hook 2019-05-09 11:13:57 -07:00
timewait_sock.h
tipc.h
tls.h net/tls: byte swap device req TCP seq no upon setting 2019-04-27 16:52:21 -04:00
transp_v6.h
tso.h
tun_proto.h
udp_tunnel.h
udp.h
udplite.h
vsock_addr.h
vxlan.h
wext.h
wimax.h
x25.h
x25device.h
xdp_sock.h
xdp.h
xfrm.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-05-07 22:03:58 -07:00