Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kernel 3.12.0 panic on boot #421

Closed
srcshelton opened this issue Nov 7, 2013 · 3 comments
Closed

kernel 3.12.0 panic on boot #421

srcshelton opened this issue Nov 7, 2013 · 3 comments

Comments

@srcshelton
Copy link 

[   50.894023] Internal error: Oops: 17 [#2] ARM
[   50.900441] Modules linked in: vchiq spi_bcm2708 i2c_bcm2708 i2c_core cachefiles fscache bcm2708_wdog bcm2835_thermal thermal_sys bcm2708_rng rng_core dmaer_master smsc95xx usbnet mii unix
[   50.919617] CPU: 0 PID: 3400 Comm: shell_var Tainted: G      D      3.12.0-srcs #3
[   50.929310] task: dbbdcf80 ti: dc122000 task.ti: dc122000
[   50.936925] PC is at kmem_cache_free+0x8/0xe0
[   50.943471] LR is at remove_vma+0x50/0x5c
[   50.949658] pc : [<c00a3038>]    lr : [<c0091324>]    psr: 60000013
[   50.949658] sp : dc123ee0  ip : 00000000  fp : 00000000
[   50.965433] r10: 00000000  r9 : dc122000  r8 : 00000001
[   50.972854] r7 : dbb53db0  r6 : 00000008  r5 : de8d4580  r4 : de8d4ec8
[   50.981575] r3 : 00000000  r2 : 00000004  r1 : 00000004  r0 : 00000000
[   50.990298] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   50.999643] Control: 00c5387d  Table: 1c3a0008  DAC: 00000015
[   51.007601] Process shell_var (pid: 3400, stack limit = 0xdc1221b8)
[   51.016110] Stack: (0xdc123ee0 to 0xdc124000)
[   51.022707] 3ee0: de8d4ec8 de8d4580 00000008 c0091324 00001000 de8d4ec8 dbb53d80 c0092bd4
[   51.033220] 3f00: dbb53d80 00000001 00000000 00000000 ffffffff dbbdcf80 dc123f9c 00000000
[   51.043738] 3f20: 00000400 dbb50000 dbbdcf80 00000000 00000002 c0068f98 dbbdcf80 00000001
[   51.054315] 3f40: dbbdcf80 00000000 dbb53d80 dbb53d80 00000000 c001d26c dbbdcf80 c0020cdc
[   51.064926] 3f60: 00000007 00000000 00000000 de9fcb40 00000000 00000000 00000000 b6edb74c
[   51.075535] 3f80: 000000f8 c000db64 dc122000 00000000 00000000 c00212d8 00000001 c0021324
[   51.086144] 3fa0: 00000000 c000d9e0 00000001 00000000 00000000 b6f4a4c0 00000008 00000000
[   51.096689] 3fc0: 00000001 00000000 b6edb74c 000000f8 0001bdac 00000000 00000058 00000000
[   51.107290] 3fe0: 00094020 bece2760 0009403c b6e49060 60000010 00000000 00000000 00000000
[   51.117958] [<c00a3038>] (kmem_cache_free+0x8/0xe0) from [<c0091324>] (remove_vma+0x50/0x5c)
[   51.128832] [<c0091324>] (remove_vma+0x50/0x5c) from [<c0092bd4>] (exit_mmap+0x1ac/0x1f8)
[   51.139546] [<c0092bd4>] (exit_mmap+0x1ac/0x1f8) from [<c001d26c>] (mmput+0x50/0xd4)
[   51.149862] [<c001d26c>] (mmput+0x50/0xd4) from [<c0020cdc>] (do_exit+0x314/0x810)
[   51.159995] [<c0020cdc>] (do_exit+0x314/0x810) from [<c00212d8>] (do_group_exit+0x70/0xac)
[   51.170858] [<c00212d8>] (do_group_exit+0x70/0xac) from [<c0021324>] (__wake_up_parent+0x0/0x18)
[   51.182250] Code: ea089f9e c04779d8 e92d4070 e1a02001 (e5903004) 
[   51.191182] ---[ end trace 6ef13f8960c4e009 ]---
[   51.198506] Fixing recursive fault but reboot is needed!
[   54.555076] Bad mode in prefetch abort handler detected
[   54.562932] Internal error: Oops - bad mode: 0 [#3] ARM
[   54.570585] Modules linked in: vchiq spi_bcm2708 i2c_bcm2708 i2c_core cachefiles fscache bcm2708_wdog bcm2835_thermal thermal_sys bcm2708_rng rng_core dmaer_master smsc95xx usbnet mii unix
[   54.590127] CPU: 0 PID: 0 Comm: swapper Tainted: G      D      3.12.0-srcs #3
[   54.599809] task: c04206f0 ti: c0416000 task.ti: c0416000
[   54.607748] PC is at 0x8
[   54.612756] LR is at arch_cpu_idle+0x2c/0x38
[   54.619552] pc : [<00000008>]    lr : [<c000e3d8>]    psr: 600001d1
[   54.619552] sp : c0417f78  ip : c0432f40  fp : 00000000
[   54.636100] r10: 0040e5e0  r9 : 410fb767  r8 : 00004008
[   54.643827] r7 : 00000008  r6 : 00000008  r5 : 00000008  r4 : 00000008
[   54.652899] r3 : 00000008  r2 : 00000000  r1 : aa995566  r0 : c045006c
[   54.661867] Flags: nZCv  IRQs off  FIQs off  Mode FIQ_32  ISA ARM  Segment kernel
[   54.671877] Control: 00c5387d  Table: 1c300008  DAC: 00000017
[   54.680092] Process swapper (pid: 0, stack limit = 0xc04161b8)
[   54.688436] Stack: (0xc0417f78 to 0xc0418000)
[   54.695196] 7f60:                                                       c045006c aa995566
[   54.705871] 7f80: 00000000 00000008 00000008 00000008 00000008 00000008 00004008 410fb767
[   54.716578] 7fa0: 0040e5e0 00000000 c0432f40 c0417f78 c000e3d8 00000008 600001d1 ffffffff
[   54.727255] 7fc0: c0432f40 c004812c 00000000 c03f99e4 ffffffff ffffffff c03f94e8 00000000
[   54.737980] 7fe0: 00000000 c040f0c8 00c5387d c041e020 c040f0c4 00008068 00000000 00000000
[   54.748743] [<c000e3d8>] (arch_cpu_idle+0x2c/0x38) from [<aa995566>] (0xaa995566)
[   54.758819] Code: bad PC value
[   54.764437] ---[ end trace 6ef13f8960c4e00a ]---
[   54.771629] Kernel panic - not syncing: Attempted to kill the idle task!
[   63.778696] Internal error: Oops - undefined instruction: 0 [#4] ARM
[   63.787774] Modules linked in: vchiq spi_bcm2708 i2c_bcm2708 i2c_core cachefiles fscache bcm2708_wdog bcm2835_thermal thermal_sys bcm2708_rng rng_core dmaer_master smsc95xx usbnet mii unix
[   63.807553] CPU: 0 PID: 0 Comm: swapper Tainted: G      D      3.12.0-srcs #3
[   63.817472] task: c04206f0 ti: c0416000 task.ti: c0416000
[   63.825623] PC is at 0xc08d114c
[   63.831470] LR is at internal_add_timer+0x10/0x40
[   63.838853] pc : [<c08d114c>]    lr : [<c002735c>]    psr: 20000153
[   63.838853] sp : c0417d58  ip : fffeeaee  fp : 00000100
[   63.855660] r10: c0450780  r9 : 00200000  r8 : 00200200
[   63.863490] r7 : 00000000  r6 : c04508e0  r5 : fffeeb29  r4 : de8df6bc
[   63.872699] r3 : a0000153  r2 : 00000b09  r1 : de8df6bc  r0 : c0450a38
[   63.881788] Flags: nzCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment kernel
[   63.891652] Control: 00c5387d  Table: 1c300008  DAC: 00000017
[   63.899862] Process swapper (pid: 0, stack limit = 0xc04161b8)
[   63.908161] Stack: (0xc0417d58 to 0xc0418000)
[   63.914998] 7d40:                                                       de8df6bc a0000153
[   63.925692] 7d60: de8e5194 c0416000 00000100 c0426408 c01973b4 c00277ec c01973b4 de8e5000
[   63.936407] 7d80: c0417d98 c04508e0 c0417d98 c0426408 00000000 c0027994 c0417d98 c0417d98
[   63.947102] 7da0: 00000001 00000004 c0416000 0000000a c0450760 c002280c 00000001 00015220
[   63.957863] 7dc0: 00000001 00000004 00000001 fffeeaee c042838c 600001d3 00000000 f200b200
[   63.968640] 7de0: c0417e4c c0450308 00000000 c04417a8 c0371fc3 c0022970 00000003 c0022bc8
[   63.979334] 7e00: 00000003 c000e2bc c017a134 c001b70c a0000153 c0010d34 04027c03 000003e7
[   63.990102] 7e20: f97dc550 00000000 c0417e6c 000003e7 00002328 00000003 c0450308 00000000
[   64.000886] 7e40: c04417a8 c0371fc3 000008d8 c0417e60 c017a134 c001b70c a0000153 ffffffff
[   64.011632] 7e60: 04027a81 c017a174 000003e7 04027c03 f97dc550 00000001 000022c4 c02ca330
[   64.022451] 7e80: c0375838 c0417eac 00000000 c04206f0 0000000b 00000000 c0417f0f 00000017
[   64.033252] 7ea0: 00000008 c0020a48 c0375838 c0417eb8 00000000 c0416000 c0371fc3 c02ca6d8
[   64.044038] 7ec0: c03757a5 c0417edc 60c4e00a c0417f78 0000000b 00000000 c0417f0f 00000017
[   64.054831] 7ee0: 00000000 00000008 c0371fc3 c00105b0 c04161b8 0000000b 00000000 c00470e8
[   64.065636] 7f00: 00000008 600001d3 00000000 62000000 50206461 61762043 0065756c 00000000
[   64.076433] 7f20: a6f3560e c0417f78 00000008 600001d1 ffffffff 00004008 410fb767 0040e5e0
[   64.087225] 7f40: 00000000 271ae11c c03720f7 c0417f78 00000008 600001d1 ffffffff 00004008
[   64.098029] 7f60: 410fb767 0040e5e0 00000000 c00108a0 c045006c c000e3d8 c045006c aa995566
[   64.108864] 7f80: 00000000 00000008 00000008 00000008 00000008 00000008 00004008 410fb767
[   64.119700] 7fa0: 0040e5e0 00000000 c0432f40 c0417f78 c000e3d8 00000008 600001d1 ffffffff
[   64.130383] 7fc0: c0432f40 c004812c 00000000 c03f99e4 ffffffff ffffffff c03f94e8 00000000
[   64.141013] 7fe0: 00000000 c040f0c8 00c5387d c041e020 c040f0c4 00008068 00000000 00000000
[   64.151679] [<c002735c>] (internal_add_timer+0x10/0x40) from [<c0416000>] (0xc0416000)
[   64.162029] Code: 00000000 0000002c dbb514ec 00000002 (ffffffff) 
[   64.170631] ---[ end trace 6ef13f8960c4e00b ]---
[   64.177690] Kernel panic - not syncing: Fatal exception in interrupt
[  538.354318] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[  538.365025] pgd = c0004000
[  538.370321] [00000000] *pgd=00000000
[  538.376533] Internal error: Oops: 80000007 [#5] ARM
[  538.383963] Modules linked in: vchiq spi_bcm2708 i2c_bcm2708 i2c_core cachefiles fscache bcm2708_wdog bcm2835_thermal thermal_sys bcm2708_rng rng_core dmaer_master smsc95xx usbnet mii unix
[  538.403696] CPU: 0 PID: 0 Comm: swapper Tainted: G      D      3.12.0-srcs #3
[  538.413506] task: c04206f0 ti: c0416000 task.ti: c0416000
[  538.421655] PC is at 0x0
[  538.426921] LR is at read_current_timer+0x20/0x38
[  538.434317] pc : [<00000000>]    lr : [<c017a134>]    psr: a0000153
[  538.434317] sp : c0417ba0  ip : 000008d8  fp : c0371fc3
[  538.451100] r10: c04417a8  r9 : 00000000  r8 : c0450308
[  538.458985] r7 : 00000042  r6 : 00073eb0  r5 : 000003e7  r4 : c0417bac
[  538.468168] r3 : 00000000  r2 : f97dc550  r1 : 000003e7  r0 : 204bf2c9
[  538.477311] Flags: NzCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment kernel
[  538.487342] Control: 00c5387d  Table: 1c300008  DAC: 00000017
[  538.495641] Process swapper (pid: 0, stack limit = 0xc04161b8)
[  538.504068] Stack: (0xc0417ba0 to 0xc0418000)
[  538.510998] 7ba0: 204bf064 c017a174 000003e7 204bf2bf f97dc550 00000000 00073de8 c02ca330
[  538.521801] 7bc0: c037203f c0417bec c0417bf8 c0417d10 0000000b c08d114e c0417c46 00000017
[  538.532615] 7be0: c08d114c c00105a0 c037203f 00000001 c0417bf8 00000100 c04161b8 0000000b
[  538.543438] 7c00: 00000005 c0371fbb 00000008 600001d3 00000000 300000ff 30303030 20303030
[  538.554270] 7c20: 30303030 63323030 62626420 65343135 30302063 30303030 28203230 66666666
[  538.565059] 7c40: 66666666 c0002029 c0426d40 271ae11c 00000000 ffffffff c0417d10 c08d114c
[  538.575897] 7c60: 00000001 00000f00 c0010e0c c0416000 00000100 c0008228 00000006 00077359
[  538.586721] 7c80: 00000004 00000000 00030001 c08d114c 00077359 c0473780 c0473780 c0417cd0
[  538.597462] 7ca0: 00000000 c004e9cc 00000000 c004e9cc 00000b93 00000000 00000d05 00000000
[  538.608280] 7cc0: fffff2fb ffffffff 800001d3 00000001 800001d3 00000001 c0427520 c0427520
[  538.619093] 7ce0: c0426408 0032dcd5 00000000 00000001 00000000 c0038c84 0032dcd5 00000000
[  538.629837] 7d00: c08d1150 20000153 c0416050 c0010e0c c0450a38 de8df6bc 00000b09 a0000153
[  538.640636] 7d20: de8df6bc fffeeb29 c04508e0 00000000 00200200 00200000 c0450780 00000100
[  538.651441] 7d40: fffeeaee c0417d58 c002735c c08d114c 20000153 ffffffff de8df6bc a0000153
[  538.662218] 7d60: de8e5194 c0416000 00000100 c0426408 c01973b4 c00277ec c01973b4 de8e5000
[  538.673041] 7d80: c0417d98 c04508e0 c0417d98 c0426408 00000000 c0027994 c0417d98 c0417d98
[  538.683835] 7da0: 00000001 00000004 c0416000 0000000a c0450760 c002280c 00000001 00015220
[  538.694614] 7dc0: 00000001 00000004 00000001 fffeeaee c042838c 600001d3 00000000 f200b200
[  538.705423] 7de0: c0417e4c c0450308 00000000 c04417a8 c0371fc3 c0022970 00000003 c0022bc8
[  538.716240] 7e00: 00000003 c000e2bc c017a134 c001b70c a0000153 c0010d34 04027c03 000003e7
[  538.726974] 7e20: f97dc550 00000000 c0417e6c 000003e7 00002328 00000003 c0450308 00000000
[  538.737599] 7e40: c04417a8 c0371fc3 000008d8 c0417e60 c017a134 c001b70c a0000153 ffffffff
[  538.748205] 7e60: 04027a81 c017a174 000003e7 04027c03 f97dc550 00000001 000022c4 c02ca330
[  538.758872] 7e80: c0375838 c0417eac 00000000 c04206f0 0000000b 00000000 c0417f0f 00000017
[  538.769563] 7ea0: 00000008 c0020a48 c0375838 c0417eb8 00000000 c0416000 c0371fc3 c02ca6d8
[  538.780190] 7ec0: c03757a5 c0417edc 60c4e00a c0417f78 0000000b 00000000 c0417f0f 00000017
[  538.790895] 7ee0: 00000000 00000008 c0371fc3 c00105b0 c04161b8 0000000b 00000000 c00470e8
[  538.801624] 7f00: 00000008 600001d3 00000000 62000000 50206461 61762043 0065756c 00000000
[  538.812340] 7f20: a6f3560e c0417f78 00000008 600001d1 ffffffff 00004008 410fb767 0040e5e0
[  538.823121] 7f40: 00000000 271ae11c c03720f7 c0417f78 00000008 600001d1 ffffffff 00004008
[  538.833909] 7f60: 410fb767 0040e5e0 00000000 c00108a0 c045006c c000e3d8 c045006c aa995566
[  538.844686] 7f80: 00000000 00000008 00000008 00000008 00000008 00000008 00004008 410fb767
[  538.855485] 7fa0: 0040e5e0 00000000 c0432f40 c0417f78 c000e3d8 00000008 600001d1 ffffffff
[  538.866277] 7fc0: c0432f40 c004812c 00000000 c03f99e4 ffffffff ffffffff c03f94e8 00000000
[  538.877065] 7fe0: 00000000 c040f0c8 00c5387d c041e020 c040f0c4 00008068 00000000 00000000
[  538.887871] [<c017a134>] (read_current_timer+0x20/0x38) from [<c017a174>] (__timer_delay+0x28/0x44)
[  538.899592] [<c017a174>] (__timer_delay+0x28/0x44) from [<c02ca330>] (panic+0x198/0x1c8)
[  538.910358] [<c02ca330>] (panic+0x198/0x1c8) from [<c00105a0>] (die+0x330/0x3c4)
[  538.920423] [<c00105a0>] (die+0x330/0x3c4) from [<c0008228>] (do_undefinstr+0x84/0x144)
[  538.931042] [<c0008228>] (do_undefinstr+0x84/0x144) from [<c0010e0c>] (__und_svc_finish+0x0/0x34)
[  538.942568] Exception stack(0xc0417d10 to 0xc0417d58)
[  538.950251] 7d00:                                     c0450a38 de8df6bc 00000b09 a0000153
[  538.961110] 7d20: de8df6bc fffeeb29 c04508e0 00000000 00200200 00200000 c0450780 00000100
[  538.971979] 7d40: fffeeaee c0417d58 c002735c c08d114c 20000153 ffffffff
[  538.981266] [<c0010e0c>] (__und_svc_finish+0x0/0x34) from [<c08d114c>] (0xc08d114c)
[  538.991641] Code: bad PC value
[  538.997354] ---[ end trace 6ef13f8960c4e00c ]---
[  539.004674] Kernel panic - not syncing: Fatal exception in interrupt
@srcshelton
Copy link
Author

Only occurs if 'CONFIG_BCM2708_VCHIQ' is set to "" - with VideoCore support built-in, the kernel boots correctly.

Note, however, that even in the crash above the vchiq module is loaded...

@popcornmix
Copy link
Collaborator

I just tried removing CONFIG_BCM2708_VCHIQ from 3.12 kernel and it booted okay.

$ uname -a
Linux raspberrypi 3.12.0+ #842 PREEMPT Mon Nov 18 19:34:56 GMT 2013 armv6l GNU/Linux
$ zcat /proc/config.gz |grep VCHIQ
# CONFIG_BCM2708_VCHIQ is not set

@srcshelton
Copy link
Author

Hmm - I had CONFIG_BCM2708_VCHIQ=M (seems to have been missed off my previous comment, sorry!), so perhaps it works built-in or excluded entirely, but fails when built as a module?

@notro notro mentioned this issue Dec 29, 2014
Closed
popcornmix pushed a commit that referenced this issue Apr 25, 2016
@ctmarinas
drivers/perf: arm-pmu: fix RCU usage on pmu resume from low-power
cbcc72e 
Commit da4e4f1 ("drivers/perf: arm_pmu: implement CPU_PM notifier")
added code in the arm perf infrastructure that allows the kernel to
save/restore perf counters whenever the CPU enters a low-power
state. The kernel saves/restores the counters for each active event
through the armpmu_{stop/start} ARM pmu API, so that the low-power state
enter/exit cycle is emulated through pmu start/stop operations for each
event in use.

However, calling armpmu_start() for each active event on power up
executes code that requires RCU locking (perf_event_update_userpage())
to be functional, so, given that the core may call the CPU_PM notifiers
while running the idle thread in an quiescent RCU state this is not
allowed as detected through the following splat when kernel is run with
CONFIG_PROVE_LOCKING enabled:

[   49.293286]
[   49.294761] ===============================
[   49.298895] [ INFO: suspicious RCU usage. ]
[   49.303031] 4.6.0-rc3+ #421 Not tainted
[   49.306821] -------------------------------
[   49.310956] include/linux/rcupdate.h:872 rcu_read_lock() used
illegally while idle!
[   49.318530]
[   49.318530] other info that might help us debug this:
[   49.318530]
[   49.326451]
[   49.326451] RCU used illegally from idle CPU!
[   49.326451] rcu_scheduler_active = 1, debug_locks = 0
[   49.337209] RCU used illegally from extended quiescent state!
[   49.342892] 2 locks held by swapper/2/0:
[   49.346768]  #0:  (cpu_pm_notifier_lock){......}, at:
[<ffffff8008163c28>] cpu_pm_exit+0x18/0x80
[   49.355492]  #1:  (rcu_read_lock){......}, at: [<ffffff800816dc38>]
perf_event_update_userpage+0x0/0x260

This patch wraps the armpmu_start() call (that indirectly calls
perf_event_update_userpage()) on CPU_PM notifier power state exit (or
failed entry) within the RCU_NONIDLE() macro so that the RCU subsystem
is made aware the calling cpu is not idle from an RCU perspective for
the armpmu_start() call duration, therefore fixing the issue.

Fixes: da4e4f1 ("drivers/perf: arm_pmu: implement CPU_PM notifier")
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reported-by: James Morse <james.morse@arm.com>
Suggested-by: Kevin Hilman <khilman@baylibre.com>
Cc: Ashwin Chaugule <ashwin.chaugule@linaro.org>
Cc: Kevin Hilman <khilman@baylibre.com>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
popcornmix pushed a commit that referenced this issue Jul 30, 2018
@dcaratti @davem330
net/sched: act_csum: fix NULL dereference when 'goto chain' is used
11a245e 
the control action in the common member of struct tcf_csum must be a valid
value, as it can contain the chain index when 'goto chain' is used. Ensure
that the control action can be read as x->tcfa_action, when x is a pointer
to struct tc_action and x->ops->type is TCA_ACT_CSUM, to prevent the
following command:

  # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
  > $tcflags dst_mac $h2mac action csum ip or tcp or udp or sctp goto chain 1

from triggering a NULL pointer dereference when a matching packet is
received.

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 PGD 800000010416b067 P4D 800000010416b067 PUD 1041be067 PMD 0
 Oops: 0000 [#1] SMP PTI
 CPU: 0 PID: 3072 Comm: mausezahn Tainted: G            E     4.18.0-rc2.auguri+ #421
 Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffffa020dea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffffa020d7ccef00 RCX: 0000000000000054
 RDX: 0000000000000000 RSI: ffffa020ca5ae000 RDI: ffffa020d7ccef00
 RBP: ffffa020dea03e60 R08: 0000000000000000 R09: ffffa020dea03c9c
 R10: ffffa020dea03c78 R11: 0000000000000008 R12: ffffa020d3fe4f00
 R13: ffffa020d3fe4f08 R14: 0000000000000001 R15: ffffa020d53ca300
 FS:  00007f5a46942740(0000) GS:ffffa020dea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 0000000104218002 CR4: 00000000001606f0
 Call Trace:
  <IRQ>
  fl_classify+0x1ad/0x1c0 [cls_flower]
  ? arp_rcv+0x121/0x1b0
  ? __x2apic_send_IPI_dest+0x40/0x40
  ? smp_reschedule_interrupt+0x1c/0xd0
  ? reschedule_interrupt+0xf/0x20
  ? reschedule_interrupt+0xa/0x20
  ? device_is_rmrr_locked+0xe/0x50
  ? iommu_should_identity_map+0x49/0xd0
  ? __intel_map_single+0x30/0x140
  ? e1000e_update_rdt_wa.isra.52+0x22/0xb0 [e1000e]
  ? e1000_alloc_rx_buffers+0x233/0x250 [e1000e]
  ? kmem_cache_alloc+0x38/0x1c0
  tcf_classify+0x89/0x140
  __netif_receive_skb_core+0x5ea/0xb70
  ? enqueue_task_fair+0xb6/0x7d0
  ? process_backlog+0x97/0x150
  process_backlog+0x97/0x150
  net_rx_action+0x14b/0x3e0
  __do_softirq+0xde/0x2b4
  do_softirq_own_stack+0x2a/0x40
  </IRQ>
  do_softirq.part.18+0x49/0x50
  __local_bh_enable_ip+0x49/0x50
  __dev_queue_xmit+0x4ab/0x8a0
  ? wait_woken+0x80/0x80
  ? packet_sendmsg+0x38f/0x810
  ? __dev_queue_xmit+0x8a0/0x8a0
  packet_sendmsg+0x38f/0x810
  sock_sendmsg+0x36/0x40
  __sys_sendto+0x10e/0x140
  ? do_vfs_ioctl+0xa4/0x630
  ? syscall_trace_enter+0x1df/0x2e0
  ? __audit_syscall_exit+0x22a/0x290
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x5b/0x180
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7f5a45cbec93
 Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24
 RSP: 002b:00007ffd0ee6d748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 0000000001161010 RCX: 00007f5a45cbec93
 RDX: 0000000000000062 RSI: 0000000001161322 RDI: 0000000000000003
 RBP: 00007ffd0ee6d780 R08: 00007ffd0ee6d760 R09: 0000000000000014
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062
 R13: 0000000001161322 R14: 00007ffd0ee6d760 R15: 0000000000000003
 Modules linked in: act_csum act_gact cls_flower sch_ingress vrf veth act_tunnel_key(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel snd_hda_codec_hdmi snd_hda_codec_realtek kvm snd_hda_codec_generic hp_wmi iTCO_wdt sparse_keymap rfkill mei_wdt iTCO_vendor_support wmi_bmof gpio_ich irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel snd_hda_intel crypto_simd cryptd snd_hda_codec glue_helper snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm pcspkr i2c_i801 snd_timer snd sg lpc_ich soundcore wmi mei_me
  mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sr_mod cdrom sd_mod ahci libahci crc32c_intel i915 ixgbe serio_raw libata video dca i2c_algo_bit sfc drm_kms_helper syscopyarea mtd sysfillrect mdio sysimgblt fb_sys_fops drm e1000e i2c_core
 CR2: 0000000000000000
 ---[ end trace 3c9e9d1a77df4026 ]---
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffffa020dea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffffa020d7ccef00 RCX: 0000000000000054
 RDX: 0000000000000000 RSI: ffffa020ca5ae000 RDI: ffffa020d7ccef00
 RBP: ffffa020dea03e60 R08: 0000000000000000 R09: ffffa020dea03c9c
 R10: ffffa020dea03c78 R11: 0000000000000008 R12: ffffa020d3fe4f00
 R13: ffffa020d3fe4f08 R14: 0000000000000001 R15: ffffa020d53ca300
 FS:  00007f5a46942740(0000) GS:ffffa020dea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 0000000104218002 CR4: 00000000001606f0
 Kernel panic - not syncing: Fatal exception in interrupt
 Kernel Offset: 0x26400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
 ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: 9c5f69b ("net/sched: act_csum: don't use spinlock in the fast path")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
popcornmix pushed a commit that referenced this issue Jul 30, 2018
@dcaratti @davem330
net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is …
38230a3 
…used

the control action in the common member of struct tcf_tunnel_key must be a
valid value, as it can contain the chain index when 'goto chain' is used.
Ensure that the control action can be read as x->tcfa_action, when x is a
pointer to struct tc_action and x->ops->type is TCA_ACT_TUNNEL_KEY, to
prevent the following command:

 # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
 > $tcflags dst_mac $h2mac action tunnel_key unset goto chain 1

from causing a NULL dereference when a matching packet is received:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 PGD 80000001097ac067 P4D 80000001097ac067 PUD 103b0a067 PMD 0
 Oops: 0000 [#1] SMP PTI
 CPU: 0 PID: 3491 Comm: mausezahn Tainted: G            E     4.18.0-rc2.auguri+ #421
 Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
 R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
 R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
 FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
 Call Trace:
  <IRQ>
  fl_classify+0x1ad/0x1c0 [cls_flower]
  ? __update_load_avg_se.isra.47+0x1ca/0x1d0
  ? __update_load_avg_se.isra.47+0x1ca/0x1d0
  ? update_load_avg+0x665/0x690
  ? update_load_avg+0x665/0x690
  ? kmem_cache_alloc+0x38/0x1c0
  tcf_classify+0x89/0x140
  __netif_receive_skb_core+0x5ea/0xb70
  ? enqueue_entity+0xd0/0x270
  ? process_backlog+0x97/0x150
  process_backlog+0x97/0x150
  net_rx_action+0x14b/0x3e0
  __do_softirq+0xde/0x2b4
  do_softirq_own_stack+0x2a/0x40
  </IRQ>
  do_softirq.part.18+0x49/0x50
  __local_bh_enable_ip+0x49/0x50
  __dev_queue_xmit+0x4ab/0x8a0
  ? wait_woken+0x80/0x80
  ? packet_sendmsg+0x38f/0x810
  ? __dev_queue_xmit+0x8a0/0x8a0
  packet_sendmsg+0x38f/0x810
  sock_sendmsg+0x36/0x40
  __sys_sendto+0x10e/0x140
  ? do_vfs_ioctl+0xa4/0x630
  ? syscall_trace_enter+0x1df/0x2e0
  ? __audit_syscall_exit+0x22a/0x290
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x5b/0x180
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fd67e18dc93
 Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24
 RSP: 002b:00007ffe0189b748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 00000000020ca010 RCX: 00007fd67e18dc93
 RDX: 0000000000000062 RSI: 00000000020ca322 RDI: 0000000000000003
 RBP: 00007ffe0189b780 R08: 00007ffe0189b760 R09: 0000000000000014
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062
 R13: 00000000020ca322 R14: 00007ffe0189b760 R15: 0000000000000003
 Modules linked in: act_tunnel_key act_gact cls_flower sch_ingress vrf veth act_csum(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek coretemp snd_hda_codec_generic kvm_intel kvm irqbypass snd_hda_intel crct10dif_pclmul crc32_pclmul hp_wmi ghash_clmulni_intel pcbc snd_hda_codec aesni_intel sparse_keymap rfkill snd_hda_core snd_hwdep snd_seq crypto_simd iTCO_wdt gpio_ich iTCO_vendor_support wmi_bmof cryptd mei_wdt glue_helper snd_seq_device snd_pcm pcspkr snd_timer snd i2c_i801 lpc_ich sg soundcore wmi mei_me
  mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom i915 video i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ahci crc32c_intel libahci serio_raw sfc libata mtd drm ixgbe mdio i2c_core e1000e dca
 CR2: 0000000000000000
 ---[ end trace 1ab8b5b5d4639dfc ]---
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
 R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
 R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
 FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
 Kernel panic - not syncing: Fatal exception in interrupt
 Kernel Offset: 0x11400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
 ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: d0f6dd8 ("net/sched: Introduce act_tunnel_key")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
popcornmix pushed a commit that referenced this issue Aug 29, 2018
@dcaratti @gregkh
net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is …
de9f245 
…used

[ Upstream commit 38230a3 ]

the control action in the common member of struct tcf_tunnel_key must be a
valid value, as it can contain the chain index when 'goto chain' is used.
Ensure that the control action can be read as x->tcfa_action, when x is a
pointer to struct tc_action and x->ops->type is TCA_ACT_TUNNEL_KEY, to
prevent the following command:

 # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
 > $tcflags dst_mac $h2mac action tunnel_key unset goto chain 1

from causing a NULL dereference when a matching packet is received:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 PGD 80000001097ac067 P4D 80000001097ac067 PUD 103b0a067 PMD 0
 Oops: 0000 [#1] SMP PTI
 CPU: 0 PID: 3491 Comm: mausezahn Tainted: G            E     4.18.0-rc2.auguri+ #421
 Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
 R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
 R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
 FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
 Call Trace:
  <IRQ>
  fl_classify+0x1ad/0x1c0 [cls_flower]
  ? __update_load_avg_se.isra.47+0x1ca/0x1d0
  ? __update_load_avg_se.isra.47+0x1ca/0x1d0
  ? update_load_avg+0x665/0x690
  ? update_load_avg+0x665/0x690
  ? kmem_cache_alloc+0x38/0x1c0
  tcf_classify+0x89/0x140
  __netif_receive_skb_core+0x5ea/0xb70
  ? enqueue_entity+0xd0/0x270
  ? process_backlog+0x97/0x150
  process_backlog+0x97/0x150
  net_rx_action+0x14b/0x3e0
  __do_softirq+0xde/0x2b4
  do_softirq_own_stack+0x2a/0x40
  </IRQ>
  do_softirq.part.18+0x49/0x50
  __local_bh_enable_ip+0x49/0x50
  __dev_queue_xmit+0x4ab/0x8a0
  ? wait_woken+0x80/0x80
  ? packet_sendmsg+0x38f/0x810
  ? __dev_queue_xmit+0x8a0/0x8a0
  packet_sendmsg+0x38f/0x810
  sock_sendmsg+0x36/0x40
  __sys_sendto+0x10e/0x140
  ? do_vfs_ioctl+0xa4/0x630
  ? syscall_trace_enter+0x1df/0x2e0
  ? __audit_syscall_exit+0x22a/0x290
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x5b/0x180
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fd67e18dc93
 Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24
 RSP: 002b:00007ffe0189b748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 00000000020ca010 RCX: 00007fd67e18dc93
 RDX: 0000000000000062 RSI: 00000000020ca322 RDI: 0000000000000003
 RBP: 00007ffe0189b780 R08: 00007ffe0189b760 R09: 0000000000000014
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062
 R13: 00000000020ca322 R14: 00007ffe0189b760 R15: 0000000000000003
 Modules linked in: act_tunnel_key act_gact cls_flower sch_ingress vrf veth act_csum(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek coretemp snd_hda_codec_generic kvm_intel kvm irqbypass snd_hda_intel crct10dif_pclmul crc32_pclmul hp_wmi ghash_clmulni_intel pcbc snd_hda_codec aesni_intel sparse_keymap rfkill snd_hda_core snd_hwdep snd_seq crypto_simd iTCO_wdt gpio_ich iTCO_vendor_support wmi_bmof cryptd mei_wdt glue_helper snd_seq_device snd_pcm pcspkr snd_timer snd i2c_i801 lpc_ich sg soundcore wmi mei_me
  mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom i915 video i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ahci crc32c_intel libahci serio_raw sfc libata mtd drm ixgbe mdio i2c_core e1000e dca
 CR2: 0000000000000000
 ---[ end trace 1ab8b5b5d4639dfc ]---
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
 R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
 R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
 FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
 Kernel panic - not syncing: Fatal exception in interrupt
 Kernel Offset: 0x11400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
 ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: d0f6dd8 ("net/sched: Introduce act_tunnel_key")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue Aug 29, 2018
@dcaratti @gregkh
net/sched: act_csum: fix NULL dereference when 'goto chain' is used
28694ed 
[ Upstream commit 11a245e ]

the control action in the common member of struct tcf_csum must be a valid
value, as it can contain the chain index when 'goto chain' is used. Ensure
that the control action can be read as x->tcfa_action, when x is a pointer
to struct tc_action and x->ops->type is TCA_ACT_CSUM, to prevent the
following command:

  # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
  > $tcflags dst_mac $h2mac action csum ip or tcp or udp or sctp goto chain 1

from triggering a NULL pointer dereference when a matching packet is
received.

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 PGD 800000010416b067 P4D 800000010416b067 PUD 1041be067 PMD 0
 Oops: 0000 [#1] SMP PTI
 CPU: 0 PID: 3072 Comm: mausezahn Tainted: G            E     4.18.0-rc2.auguri+ #421
 Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffffa020dea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffffa020d7ccef00 RCX: 0000000000000054
 RDX: 0000000000000000 RSI: ffffa020ca5ae000 RDI: ffffa020d7ccef00
 RBP: ffffa020dea03e60 R08: 0000000000000000 R09: ffffa020dea03c9c
 R10: ffffa020dea03c78 R11: 0000000000000008 R12: ffffa020d3fe4f00
 R13: ffffa020d3fe4f08 R14: 0000000000000001 R15: ffffa020d53ca300
 FS:  00007f5a46942740(0000) GS:ffffa020dea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 0000000104218002 CR4: 00000000001606f0
 Call Trace:
  <IRQ>
  fl_classify+0x1ad/0x1c0 [cls_flower]
  ? arp_rcv+0x121/0x1b0
  ? __x2apic_send_IPI_dest+0x40/0x40
  ? smp_reschedule_interrupt+0x1c/0xd0
  ? reschedule_interrupt+0xf/0x20
  ? reschedule_interrupt+0xa/0x20
  ? device_is_rmrr_locked+0xe/0x50
  ? iommu_should_identity_map+0x49/0xd0
  ? __intel_map_single+0x30/0x140
  ? e1000e_update_rdt_wa.isra.52+0x22/0xb0 [e1000e]
  ? e1000_alloc_rx_buffers+0x233/0x250 [e1000e]
  ? kmem_cache_alloc+0x38/0x1c0
  tcf_classify+0x89/0x140
  __netif_receive_skb_core+0x5ea/0xb70
  ? enqueue_task_fair+0xb6/0x7d0
  ? process_backlog+0x97/0x150
  process_backlog+0x97/0x150
  net_rx_action+0x14b/0x3e0
  __do_softirq+0xde/0x2b4
  do_softirq_own_stack+0x2a/0x40
  </IRQ>
  do_softirq.part.18+0x49/0x50
  __local_bh_enable_ip+0x49/0x50
  __dev_queue_xmit+0x4ab/0x8a0
  ? wait_woken+0x80/0x80
  ? packet_sendmsg+0x38f/0x810
  ? __dev_queue_xmit+0x8a0/0x8a0
  packet_sendmsg+0x38f/0x810
  sock_sendmsg+0x36/0x40
  __sys_sendto+0x10e/0x140
  ? do_vfs_ioctl+0xa4/0x630
  ? syscall_trace_enter+0x1df/0x2e0
  ? __audit_syscall_exit+0x22a/0x290
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x5b/0x180
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7f5a45cbec93
 Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24
 RSP: 002b:00007ffd0ee6d748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 0000000001161010 RCX: 00007f5a45cbec93
 RDX: 0000000000000062 RSI: 0000000001161322 RDI: 0000000000000003
 RBP: 00007ffd0ee6d780 R08: 00007ffd0ee6d760 R09: 0000000000000014
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062
 R13: 0000000001161322 R14: 00007ffd0ee6d760 R15: 0000000000000003
 Modules linked in: act_csum act_gact cls_flower sch_ingress vrf veth act_tunnel_key(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel snd_hda_codec_hdmi snd_hda_codec_realtek kvm snd_hda_codec_generic hp_wmi iTCO_wdt sparse_keymap rfkill mei_wdt iTCO_vendor_support wmi_bmof gpio_ich irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel snd_hda_intel crypto_simd cryptd snd_hda_codec glue_helper snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm pcspkr i2c_i801 snd_timer snd sg lpc_ich soundcore wmi mei_me
  mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sr_mod cdrom sd_mod ahci libahci crc32c_intel i915 ixgbe serio_raw libata video dca i2c_algo_bit sfc drm_kms_helper syscopyarea mtd sysfillrect mdio sysimgblt fb_sys_fops drm e1000e i2c_core
 CR2: 0000000000000000
 ---[ end trace 3c9e9d1a77df4026 ]---
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffffa020dea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffffa020d7ccef00 RCX: 0000000000000054
 RDX: 0000000000000000 RSI: ffffa020ca5ae000 RDI: ffffa020d7ccef00
 RBP: ffffa020dea03e60 R08: 0000000000000000 R09: ffffa020dea03c9c
 R10: ffffa020dea03c78 R11: 0000000000000008 R12: ffffa020d3fe4f00
 R13: ffffa020d3fe4f08 R14: 0000000000000001 R15: ffffa020d53ca300
 FS:  00007f5a46942740(0000) GS:ffffa020dea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 0000000104218002 CR4: 00000000001606f0
 Kernel panic - not syncing: Fatal exception in interrupt
 Kernel Offset: 0x26400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
 ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: 9c5f69b ("net/sched: act_csum: don't use spinlock in the fast path")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue Aug 29, 2018
@dcaratti @gregkh
net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is …
01e1bef 
…used

[ Upstream commit 38230a3 ]

the control action in the common member of struct tcf_tunnel_key must be a
valid value, as it can contain the chain index when 'goto chain' is used.
Ensure that the control action can be read as x->tcfa_action, when x is a
pointer to struct tc_action and x->ops->type is TCA_ACT_TUNNEL_KEY, to
prevent the following command:

 # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
 > $tcflags dst_mac $h2mac action tunnel_key unset goto chain 1

from causing a NULL dereference when a matching packet is received:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 PGD 80000001097ac067 P4D 80000001097ac067 PUD 103b0a067 PMD 0
 Oops: 0000 [#1] SMP PTI
 CPU: 0 PID: 3491 Comm: mausezahn Tainted: G            E     4.18.0-rc2.auguri+ #421
 Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
 R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
 R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
 FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
 Call Trace:
  <IRQ>
  fl_classify+0x1ad/0x1c0 [cls_flower]
  ? __update_load_avg_se.isra.47+0x1ca/0x1d0
  ? __update_load_avg_se.isra.47+0x1ca/0x1d0
  ? update_load_avg+0x665/0x690
  ? update_load_avg+0x665/0x690
  ? kmem_cache_alloc+0x38/0x1c0
  tcf_classify+0x89/0x140
  __netif_receive_skb_core+0x5ea/0xb70
  ? enqueue_entity+0xd0/0x270
  ? process_backlog+0x97/0x150
  process_backlog+0x97/0x150
  net_rx_action+0x14b/0x3e0
  __do_softirq+0xde/0x2b4
  do_softirq_own_stack+0x2a/0x40
  </IRQ>
  do_softirq.part.18+0x49/0x50
  __local_bh_enable_ip+0x49/0x50
  __dev_queue_xmit+0x4ab/0x8a0
  ? wait_woken+0x80/0x80
  ? packet_sendmsg+0x38f/0x810
  ? __dev_queue_xmit+0x8a0/0x8a0
  packet_sendmsg+0x38f/0x810
  sock_sendmsg+0x36/0x40
  __sys_sendto+0x10e/0x140
  ? do_vfs_ioctl+0xa4/0x630
  ? syscall_trace_enter+0x1df/0x2e0
  ? __audit_syscall_exit+0x22a/0x290
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x5b/0x180
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fd67e18dc93
 Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24
 RSP: 002b:00007ffe0189b748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 00000000020ca010 RCX: 00007fd67e18dc93
 RDX: 0000000000000062 RSI: 00000000020ca322 RDI: 0000000000000003
 RBP: 00007ffe0189b780 R08: 00007ffe0189b760 R09: 0000000000000014
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062
 R13: 00000000020ca322 R14: 00007ffe0189b760 R15: 0000000000000003
 Modules linked in: act_tunnel_key act_gact cls_flower sch_ingress vrf veth act_csum(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek coretemp snd_hda_codec_generic kvm_intel kvm irqbypass snd_hda_intel crct10dif_pclmul crc32_pclmul hp_wmi ghash_clmulni_intel pcbc snd_hda_codec aesni_intel sparse_keymap rfkill snd_hda_core snd_hwdep snd_seq crypto_simd iTCO_wdt gpio_ich iTCO_vendor_support wmi_bmof cryptd mei_wdt glue_helper snd_seq_device snd_pcm pcspkr snd_timer snd i2c_i801 lpc_ich sg soundcore wmi mei_me
  mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom i915 video i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ahci crc32c_intel libahci serio_raw sfc libata mtd drm ixgbe mdio i2c_core e1000e dca
 CR2: 0000000000000000
 ---[ end trace 1ab8b5b5d4639dfc ]---
 RIP: 0010:tcf_action_exec+0xb8/0x100
 Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
 RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246
 RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001
 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c
 R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800
 R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40
 FS:  00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0
 Kernel panic - not syncing: Fatal exception in interrupt
 Kernel Offset: 0x11400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
 ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: d0f6dd8 ("net/sched: Introduce act_tunnel_key")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@srcshelton @popcornmix