hello Eric,
On Tue, Apr 30, 2024 at 12:31 PM Eric Dumazet edumazet@google.com wrote:
I just had 5 or 6 syzbot reports about this issue.
I tested the following fix.
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 31dfd6c7405b01e22fe1b8c80944e2bed7d30ddc..d3f6006b563ccd8827b7af362ce9dceaa78f8841 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -982,6 +982,7 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
return sch;
errout1:
lockdep_unregister_key(&sch->root_lock_key); kfree(sch);
errout: return ERR_PTR(err);
hello Eric,
On Tue, Apr 30, 2024 at 12:31 PM Eric Dumazet edumazet@google.com wrote:
[...]
I just had 5 or 6 syzbot reports about this issue.
I tested the following fix.
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 31dfd6c7405b01e22fe1b8c80944e2bed7d30ddc..d3f6006b563ccd8827b7af362ce9dceaa78f8841 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -982,6 +982,7 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
return sch;
errout1:
lockdep_unregister_key(&sch->root_lock_key); kfree(sch);
errout: return ERR_PTR(err);
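Review bot: The new `lockdep_unregister_key(&sch->root_lock_key)` at errout1 is only correct if every `goto errout1` in qdisc_alloc() is taken after `lockdep_register_key()` has run; the hunk does not show the jump sites, and a jump from before registration would unregister a key that was never registered. A one-line comment above the label would pin that invariant for anyone adding a new error path, e.g. `/* errout1: only reachable after root_lock_key has been registered */`. Unregistering before kfree() is the right order here: the report below shows lockdep_register_key() reading inside a freed qdisc, i.e. the key is looked up by address and must leave lockdep's tables before the memory holding it is released. qdisc_alloc() begins outside the hunk, so the earlier `goto errout1` sites cannot be checked from this view.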
this is ok, but it's not sufficient: qdisc_free() is also called in the error path of qdisc_create(), after a successful qdisc_alloc(), and I was not unregistering the key in that case either.
[ 247.171430] ==================================================================
[ 247.178663] BUG: KASAN: slab-use-after-free in lockdep_register_key+0x5f2/0x700
[ 247.185976] Read of size 8 at addr ffff88811236f2a8 by task ip/7925
[ 247.192244]
[ 247.193754] CPU: 26 PID: 7925 Comm: ip Kdump: loaded Not tainted 6.9.0-rc2+ #648
[ 247.201164] Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013
[ 247.209775] Call Trace:
[ 247.212227]  <TASK>
[ 247.214332]  dump_stack_lvl+0x7c/0xc0
[ 247.218008]  print_report+0xc9/0x610
[ 247.221587]  ? __virt_addr_valid+0x21a/0x3e0
[ 247.225859]  ? lockdep_register_key+0x5f2/0x700
[ 247.230392]  ? lockdep_register_key+0x5f2/0x700
[ 247.234925]  kasan_report+0x89/0xc0
[ 247.238419]  ? lockdep_register_key+0x5f2/0x700
[ 247.242952]  lockdep_register_key+0x5f2/0x700
[ 247.247310]  ? __pfx_lockdep_register_key+0x10/0x10
[ 247.252188]  ? trace_kmalloc+0x2b/0xc0
[ 247.255941]  ? qdisc_alloc+0xae/0xb60
[ 247.259611]  qdisc_alloc+0x21d/0xb60
[ 247.263198]  qdisc_create_dflt+0x63/0x3c0
[ 247.267217]  attach_one_default_qdisc.constprop.37+0x8e/0x170
[ 247.272964]  dev_activate+0x4bd/0xc30
[ 247.276629]  ? mark_held_locks+0xb7/0x120
[ 247.280640]  ? __pfx_dev_activate+0x10/0x10
[ 247.284839]  ? __local_bh_enable_ip+0xa8/0x120
[ 247.289289]  ? __local_bh_enable_ip+0xa8/0x120
[ 247.293739]  __dev_open+0x275/0x380
[ 247.297238]  ? __pfx___dev_open+0x10/0x10
[ 247.301251]  ? __local_bh_enable_ip+0xa8/0x120
[ 247.305698]  __dev_change_flags+0x3f1/0x570
[ 247.309892]  ? __pfx___dev_change_flags+0x10/0x10
[ 247.314601]  dev_change_flags+0x7c/0x160
[ 247.318532]  ? find_held_lock+0x3a/0x1d0
[ 247.322458]  do_setlink+0x1ea1/0x34b0
[ 247.326125]  ? __pfx_lock_release+0x10/0x10
[ 247.330310]  ? __pfx_lock_acquire+0x10/0x10
[ 247.334504]  ? __pfx_do_setlink+0x10/0x10
[ 247.338529]  ? __pfx_unwind_next_frame+0x10/0x10
[ 247.343157]  ? is_bpf_text_address+0x6a/0xf0
[ 247.347436]  ? kernel_text_address+0xcb/0xd0
[ 247.351709]  ? __kernel_text_address+0xe/0x40
[ 247.356067]  ? unwind_get_return_address+0x63/0xb0
[ 247.360867]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 247.366180]  ? arch_stack_walk+0xa1/0xf0
[ 247.370113]  ? stack_depot_save_flags+0x28/0x8b0
[ 247.374738]  ? kasan_save_stack+0x2a/0x40
[ 247.378757]  ? kasan_save_stack+0x1c/0x40
[ 247.382768]  ? kasan_save_track+0x10/0x30
[ 247.386782]  ? __kasan_kmalloc+0x7b/0x90
[ 247.390708]  ? __nla_validate_parse+0x48/0x3f0
[ 247.395153]  ? __rtnl_newlink+0x14f0/0x1510
[ 247.399339]  ? rtnetlink_rcv_msg+0x2f0/0xbc0
[ 247.403613]  ? netlink_rcv_skb+0x120/0x380
[ 247.407710]  ? netlink_unicast+0x420/0x630
[ 247.411830]  __rtnl_newlink+0x8c9/0x1510
[ 247.415758]  ? find_held_lock+0x3a/0x1d0
[ 247.419689]  ? __pfx___rtnl_newlink+0x10/0x10
[ 247.424049]  ? __mutex_lock+0x348/0x2100
[ 247.427978]  ? kasan_save_track+0x10/0x30
[ 247.431996]  ? __kasan_kmalloc+0x20/0x90
[ 247.435923]  ? kmalloc_trace+0x1c8/0x350
[ 247.439863]  rtnl_newlink+0x61/0x90
[ 247.443368]  rtnetlink_rcv_msg+0x2f0/0xbc0
[ 247.447468]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 247.452112]  ? __pfx_lock_release+0x10/0x10
[ 247.456298]  ? find_held_lock+0x3a/0x1d0
[ 247.460226]  netlink_rcv_skb+0x120/0x380
[ 247.464159]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 247.468778]  ? __pfx_netlink_rcv_skb+0x10/0x10
[ 247.473226]  ? netlink_deliver_tap+0x141/0xb60
[ 247.477681]  netlink_unicast+0x420/0x630
[ 247.481614]  ? __pfx_netlink_unicast+0x10/0x10
[ 247.486061]  netlink_sendmsg+0x732/0xbc0
[ 247.489986]  ? __pfx_netlink_sendmsg+0x10/0x10
[ 247.494433]  ? __pfx_netlink_sendmsg+0x10/0x10
[ 247.498883]  __sock_sendmsg+0x1ea/0x280
[ 247.502725]  ____sys_sendmsg+0x5a9/0x990
[ 247.506653]  ? __pfx_____sys_sendmsg+0x10/0x10
[ 247.511105]  ? __pfx_copy_msghdr_from_user+0x10/0x10
[ 247.516072]  ? __lock_acquire+0x19ae/0x3150
[ 247.520259]  ___sys_sendmsg+0xf1/0x180
[ 247.524011]  ? __pfx____sys_sendmsg+0x10/0x10
[ 247.528368]  ? find_held_lock+0x3a/0x1d0
[ 247.532298]  ? __pfx_lock_release+0x10/0x10
[ 247.536489]  ? debug_check_no_obj_freed+0x154/0x5a0
[ 247.541377]  ? __pfx_lock_acquired+0x10/0x10
[ 247.545652]  ? hlock_class+0x4e/0x120
[ 247.549316]  ? __lock_acquire+0x19ae/0x3150
[ 247.553508]  ? __fget_light+0x52/0x1f0
[ 247.557266]  __sys_sendmsg+0xd3/0x180
[ 247.560939]  ? __pfx___sys_sendmsg+0x10/0x10
[ 247.565209]  ? __pfx_lock_release+0x10/0x10
[ 247.569397]  ? __pfx_lock_acquire+0x10/0x10
[ 247.573591]  do_syscall_64+0x96/0x180
[ 247.577259]  ? asm_exc_page_fault+0x22/0x30
[ 247.581453]  entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 247.586505] RIP: 0033:0x7f9503f4fa07
[ 247.590092] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[ 247.608844] RSP: 002b:00007fff6c729068 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 247.616421] RAX: ffffffffffffffda RBX: 000000006630c681 RCX: 00007f9503f4fa07
[ 247.623553] RDX: 0000000000000000 RSI: 00007fff6c7290d0 RDI: 0000000000000003
[ 247.630686] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000078
[ 247.637828] R10: 000000000000009b R11: 0000000000000246 R12: 0000000000000001
[ 247.644960] R13: 00007fff6c729180 R14: 0000000000000000 R15: 000055bf67dd9040
[ 247.652099]  </TASK>
[ 247.654285]
[ 247.655785] Allocated by task 7745:
[ 247.659286]  kasan_save_stack+0x1c/0x40
[ 247.663125]  kasan_save_track+0x10/0x30
[ 247.666964]  __kasan_kmalloc+0x7b/0x90
[ 247.670717]  __kmalloc_node+0x1ff/0x460
[ 247.674558]  qdisc_alloc+0xae/0xb60
[ 247.678050]  qdisc_create+0xdd/0xfb0
[ 247.681628]  tc_modify_qdisc+0x37e/0x1960
[ 247.685641]  rtnetlink_rcv_msg+0x2f0/0xbc0
[ 247.689741]  netlink_rcv_skb+0x120/0x380
[ 247.693666]  netlink_unicast+0x420/0x630
[ 247.697593]  netlink_sendmsg+0x732/0xbc0
[ 247.701519]  __sock_sendmsg+0x1ea/0x280
[ 247.705358]  ____sys_sendmsg+0x5a9/0x990
[ 247.709283]  ___sys_sendmsg+0xf1/0x180
[ 247.713036]  __sys_sendmsg+0xd3/0x180
[ 247.716702]  do_syscall_64+0x96/0x180
[ 247.720367]  entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 247.725422]
[ 247.726919] Freed by task 7745:
[ 247.730066]  kasan_save_stack+0x1c/0x40
[ 247.733906]  kasan_save_track+0x10/0x30
[ 247.737745]  kasan_save_free_info+0x36/0x60
[ 247.741932]  __kasan_slab_free+0xfe/0x180
[ 247.745944]  kfree+0x113/0x380
[ 247.749004]  qdisc_create+0xafb/0xfb0
[ 247.752669]  tc_modify_qdisc+0x37e/0x1960
[ 247.756683]  rtnetlink_rcv_msg+0x2f0/0xbc0
[ 247.760781]  netlink_rcv_skb+0x120/0x380
[ 247.764724]  netlink_unicast+0x420/0x630
[ 247.768651]  netlink_sendmsg+0x732/0xbc0
[ 247.772578]  __sock_sendmsg+0x1ea/0x280
[ 247.776417]  ____sys_sendmsg+0x5a9/0x990
[ 247.780341]  ___sys_sendmsg+0xf1/0x180
[ 247.784093]  __sys_sendmsg+0xd3/0x180
[ 247.787760]  do_syscall_64+0x96/0x180
[ 247.791425]  entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 247.796482]
[ 247.797978] The buggy address belongs to the object at ffff88811236f000
[ 247.797978]  which belongs to the cache kmalloc-2k of size 2048
[ 247.810497] The buggy address is located 680 bytes inside of
[ 247.810497]  freed 2048-byte region [ffff88811236f000, ffff88811236f800)
[ 247.822838]
[ 247.824333] The buggy address belongs to the physical page:
[ 247.829906] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112368
[ 247.837906] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 247.844606] flags: 0x17ffffe0000840(slab|head|node=0|zone=2|lastcpupid=0x3fffff)
[ 247.851998] page_type: 0xffffffff()
[ 247.855495] raw: 0017ffffe0000840 ffff88810004cf00 ffffea000db5a400 dead000000000002
[ 247.863239] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 247.870978] head: 0017ffffe0000840 ffff88810004cf00 ffffea000db5a400 dead000000000002
[ 247.878815] head: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 247.886639] head: 0017ffffe0000003 ffffea000448da01 ffffea000448da48 00000000ffffffff
[ 247.894465] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 247.902307] page dumped because: kasan: bad access detected
[ 247.907881]
[ 247.909380] Memory state around the buggy address:
[ 247.914174]  ffff88811236f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 247.921393]  ffff88811236f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 247.928613] >ffff88811236f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 247.935831]                                   ^
[ 247.940363]  ffff88811236f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 247.947584]  ffff88811236f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 247.954802] ==================================================================
[ 247.962030] Disabling lock debugging due to kernel taint
I'm trying to see if there are other points missing. thanks,