Re: tipc: NULL deref in tipc_net_finalize
From: Dmitry Vyukov
Date: Wed Dec 12 2018 - 05:45:13 EST
On Mon, Dec 10, 2018 at 4:33 PM Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
>
> Hello,
>
> The following program crashes upstream kernel on
> 40e020c129cfc991e8ab4736d2665351ffd1468d (Dec 9) with:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
> PGD 0 P4D 0
> Oops: 0000 [#1] SMP PTI
> CPU: 1 PID: 45 Comm: kworker/1:1 Not tainted 4.20.0-rc6 #3
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> Workqueue: events tipc_net_finalize_work
> RIP: 0010:rht_bucket_nested+0x31/0x90 lib/rhashtable.c:1190
> Code: 89 f3 e8 32 84 ca ff 8b 4d 04 b8 01 00 00 00 48 8b 95 80 00 00
> 00 44 8b 65 00 d3 e0 83 e8 01 41 d3 ec 21 d8 d3 eb 48 8d 04 c2 <48> 8b
> 28 48 85 ed 75 22 eb 29 e8 00 84 ca ff 89 d8 41 c1 ec 09 c1
> RSP: 0018:ffffb1bd8045fd68 EFLAGS: 00010246
> RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffff9f0e
> RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9f0efa5433e0
> RBP: ffff9f0efa5433e0 R08: 00000006c423ea71 R09: 0000000000000027
> R10: ffffb1bd80377df8 R11: fefefefefefefeff R12: 000000000003e951
> R13: ffffb1bd8045fdf0 R14: 0000000000000000 R15: ffff9f0efa5433e0
> FS: 0000000000000000(0000) GS:ffff9f0efda80000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000001 CR3: 0000000015e0a002 CR4: 0000000000160ee0
> Call Trace:
> rht_bucket include/linux/rhashtable.h:280 [inline]
> __rhashtable_walk_find_next+0x1af/0x1e0 lib/rhashtable.c:801
> rhashtable_walk_next+0x56/0xf0 lib/rhashtable.c:885
> tipc_sk_reinit+0xaa/0x120 net/tipc/socket.c:2726
> tipc_net_finalize.part.4+0x26/0x50 net/tipc/net.c:138
> tipc_net_finalize net/tipc/net.c:134 [inline]
> tipc_net_finalize_work+0x3f/0x50 net/tipc/net.c:148
> process_one_work+0x290/0x540 kernel/workqueue.c:2153
> worker_thread+0x39/0x500 kernel/workqueue.c:2296
> kthread+0x12c/0x150 kernel/kthread.c:246
> ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:352
> Modules linked in:
> CR2: 0000000000000001
> ---[ end trace 49f6dae32389e817 ]---
> RIP: 0010:rht_bucket_nested+0x31/0x90 lib/rhashtable.c:1190
> Code: 89 f3 e8 32 84 ca ff 8b 4d 04 b8 01 00 00 00 48 8b 95 80 00 00
> 00 44 8b 65 00 d3 e0 83 e8 01 41 d3 ec 21 d8 d3 eb 48 8d 04 c2 <48> 8b
> 28 48 85 ed 75 22 eb 29 e8 00 84 ca ff 89 d8 41 c1 ec 09 c1
> RSP: 0018:ffffb1bd8045fd68 EFLAGS: 00010246
> RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffff9f0e
> RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9f0efa5433e0
> RBP: ffff9f0efa5433e0 R08: 00000006c423ea71 R09: 0000000000000027
> R10: ffffb1bd80377df8 R11: fefefefefefefeff R12: 000000000003e951
> R13: ffffb1bd8045fdf0 R14: 0000000000000000 R15: ffff9f0efa5433e0
> FS: 0000000000000000(0000) GS:ffff9f0efda80000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000001 CR3: 0000000015e0a002 CR4: 0000000000160ee0
>
> Kernel config (nothing special: mostly defconfig+enabled tipc):
> https://gist.githubusercontent.com/dvyukov/b67e6428ecc170b090b9f65eec784e5a/raw/b77b0f3e86d702f868ab7511d04ca307180f3abc/gistfile1.txt
>
> Reproducer program:
> https://gist.github.com/dvyukov/9d9d9f2f87b05766323e3a97e07b5af8
>
> There is a bunch of boilerplate to enable namespaces and net devices,
> etc, but in a nutshell it basically does only TIPC_NL_BEARER_ENABLE:
>
> r0 = socket$nl_generic(0x10, 0x3, 0x10)
> r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000000)='TIPCv2\x00')
> sendmsg$TIPC_NL_BEARER_ENABLE(r0, &(0x7f0000000080)={0x0, 0x0,
> &(0x7f00000000c0)={&(0x7f0000000100)={0x54, r1, 0x1, 0x123, 0x234, {},
> [@TIPC_NLA_BEARER={0x40, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1,
> @udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14,
> 0x1, @in={0x2, 0x4e20, @loopback}}, {0x14, 0x2, @in={0x2, 0x4e20,
> @loopback}}}}]}]}, 0x54}}, 0x0)
>
> This makes overall tipc testing a bit problematic as the kernel always
> crashes whenever syzkaller tries to do just anything with the udp bearer,
> so I would appreciate a timely fix.
>
> Thanks

FTR, this is fixed by Cong with "tipc: use lock_sock() in tipc_sk_reinit()"
https://www.spinics.net/lists/netdev/msg538775.html