AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
fe2ac04712
kernel_optimize_test/net/tipc
History
Xin Long c3bcde0266 tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb 
udp_tunnel(6)_xmit_skb() called by tipc_udp_xmit() expects a tunnel device
to count packets on dev->tstats, a perpcu variable. However, TIPC is using
udp tunnel with no tunnel device, and pass the lower dev, like veth device
that only initializes dev->lstats(a perpcu variable) when creating it.

Later iptunnel_xmit_stats() called by ip(6)tunnel_xmit() thinks the dev as
a tunnel device, and uses dev->tstats instead of dev->lstats. tstats' each
pointer points to a bigger struct than lstats, so when tstats->tx_bytes is
increased, other percpu variable's members could be overwritten.

syzbot has reported quite a few crashes due to fib_nh_common percpu member
'nhc_pcpu_rth_output' overwritten, call traces are like:

  BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190
  net/ipv4/route.c:1556
    rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556
    __mkroute_output net/ipv4/route.c:2332 [inline]
    ip_route_output_key_hash_rcu+0x819/0x2d50 net/ipv4/route.c:2564
    ip_route_output_key_hash+0x1ef/0x360 net/ipv4/route.c:2393
    __ip_route_output_key include/net/route.h:125 [inline]
    ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2651
    ip_route_output_key include/net/route.h:135 [inline]
  ...

or:

  kasan: GPF could be caused by NULL-ptr deref or user memory access
  RIP: 0010:dst_dev_put+0x24/0x290 net/core/dst.c:168
    <IRQ>
    rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline]
    free_fib_info_rcu+0x2e1/0x490 net/ipv4/fib_semantics.c:217
    __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
    rcu_do_batch kernel/rcu/tree.c:2437 [inline]
    invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline]
    rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697
  ...

The issue exists since tunnel stats update is moved to iptunnel_xmit by
Commit 039f50629b ("ip_tunnel: Move stats update to iptunnel_xmit()"),
and here to fix it by passing a NULL tunnel dev to udp_tunnel(6)_xmit_skb
so that the packets counting won't happen on dev->tstats.

Reported-by: syzbot+9d4c12bfd45a58738d0a@syzkaller.appspotmail.com
Reported-by: syzbot+a9e23ea2aa21044c2798@syzkaller.appspotmail.com
Reported-by: syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com
Reported-by: syzbot+0290d2290a607e035ba1@syzkaller.appspotmail.com
Reported-by: syzbot+a43d8d4e7e8a7a9e149e@syzkaller.appspotmail.com
Reported-by: syzbot+a47c5f4c6c00fc1ed16e@syzkaller.appspotmail.com
Fixes: 039f50629b ("ip_tunnel: Move stats update to iptunnel_xmit()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-18 20:48:45 -04:00
..
addr.c
addr.h
bcast.c tipc: add NULL pointer check 2019-04-04 17:34:11 -07:00
bcast.h tipc: fix a null pointer deref 2019-03-21 09:56:55 -07:00
bearer.c netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
bearer.h tipc: enable tracepoints in tipc 2018-12-19 11:49:24 -08:00
core.c tipc: fix modprobe tipc failed after switch order of device registration 2019-05-20 10:45:43 -07:00
core.h tipc: introduce new capability flag for cluster 2019-03-19 13:56:17 -07:00
diag.c tipc: switch to rhashtable iterator 2018-08-29 18:04:54 -07:00
discover.c tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
discover.h
eth_media.c
group.c tipc: purge deferredq list for each grp member in tipc_group_delete 2019-06-16 20:42:05 -07:00
group.h
ib_media.c
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
link.c tipc: fix issues with early FAILOVER_MSG from peer 2019-06-18 10:03:37 -07:00
link.h tipc: fix missing Name entries due to half-failover 2019-05-04 00:59:51 -04:00
Makefile tipc: enable tracepoints in tipc 2018-12-19 11:49:24 -08:00
monitor.c netlink: make nla_nest_start() add NLA_F_NESTED flag 2019-04-27 17:03:44 -04:00
monitor.h
msg.c tipc: buffer overflow handling in listener socket 2018-09-29 11:24:22 -07:00
msg.h tipc: reduce duplicate packets for unicast traffic 2019-04-04 18:29:25 -07:00
name_distr.c tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
name_distr.h
name_table.c netlink: make nla_nest_start() add NLA_F_NESTED flag 2019-04-27 17:03:44 -04:00
name_table.h tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
net.c netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
net.h tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
netlink_compat.c genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
netlink.c genetlink: optionally validate strictly/dumps 2019-04-27 17:07:22 -04:00
netlink.h
node.c tipc: fix issues with early FAILOVER_MSG from peer 2019-06-18 10:03:37 -07:00
node.h tipc: improve TIPC throughput by Gap ACK blocks 2019-04-04 18:29:25 -07:00
socket.c tipc: fix hanging clients using poll with EPOLLOUT flag 2019-05-09 09:26:09 -07:00
socket.h tipc: add trace_events for tipc socket 2018-12-19 11:49:24 -08:00
subscr.c
subscr.h tipc: fix modprobe tipc failed after switch order of device registration 2019-05-20 10:45:43 -07:00
sysctl.c tipc: set sysctl_tipc_rmem and named_timeout right range 2019-04-16 21:32:02 -07:00
topsrv.c tipc: fix modprobe tipc failed after switch order of device registration 2019-05-20 10:45:43 -07:00
topsrv.h
trace.c tipc: remove unneeded semicolon in trace.c 2019-01-17 22:04:43 -08:00
trace.h tipc: add trace_events for tipc bearer 2018-12-19 11:49:25 -08:00
udp_media.c tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb 2019-06-18 20:48:45 -04:00
udp_media.h