Re: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
CC: Andrey

On Thu, 7 Jun 2018 17:53:35 -0700, David Ahern wrote:
> On 6/7/18 5:49 PM, Jakub Kicinski wrote:
> > On Thu, 7 Jun 2018 17:28:59 -0700, Eric Dumazet wrote:
> >> On 06/07/2018 05:11 PM, David Miller wrote:
> >>> From: Jakub Kicinski
> >>> Date: Thu, 7 Jun 2018 17:06:23 -0700
> >>>
> >>> > [ 293.213661] ip_send_unicast_reply+0x1b67/0x1d0e
> >>>
> >>> This calls ip_setup_cork() which can NULL out the 'rt' route
> >>> pointer. Hmmm... :-/
> >>
> >> UBSAN seems unhappy with dst being NULL in :
> >>
> >> dst_release(&rt->dst);
> >>
> >> But the code obviously is ready for dst being NULL, it is even documented
> >> :)
> >
> > Oh, so the code depends on dst being the first member? Would it make
> > sense to just cast the pointer instead?
> >
>
> I've been going the other way with 'rt to dst' and 'dst to rt'
> transformations.
>
> Perhaps UBSAN should be updated to understand that NULL + 0 is ok.
Re: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
On 6/7/18 5:49 PM, Jakub Kicinski wrote:
> On Thu, 7 Jun 2018 17:28:59 -0700, Eric Dumazet wrote:
>> On 06/07/2018 05:11 PM, David Miller wrote:
>>> From: Jakub Kicinski
>>> Date: Thu, 7 Jun 2018 17:06:23 -0700
>>> [ 293.213661] ip_send_unicast_reply+0x1b67/0x1d0e
>>>
>>> This calls ip_setup_cork() which can NULL out the 'rt' route
>>> pointer. Hmmm... :-/
>>>
>>
>>
>> UBSAN seems unhappy with dst being NULL in :
>>
>> dst_release(&rt->dst);
>>
>> But the code obviously is ready for dst being NULL, it is even documented :)
>
> Oh, so the code depends on dst being the first member? Would it make
> sense to just cast the pointer instead?
>

I've been going the other way with 'rt to dst' and 'dst to rt'
transformations.

Perhaps UBSAN should be updated to understand that NULL + 0 is ok.
Re: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
On Thu, 7 Jun 2018 17:28:59 -0700, Eric Dumazet wrote:
> On 06/07/2018 05:11 PM, David Miller wrote:
> > From: Jakub Kicinski
> > Date: Thu, 7 Jun 2018 17:06:23 -0700
> >
> >> [ 293.213661] ip_send_unicast_reply+0x1b67/0x1d0e
> >
> > This calls ip_setup_cork() which can NULL out the 'rt' route
> > pointer. Hmmm... :-/
> >
>
>
> UBSAN seems unhappy with dst being NULL in :
>
> dst_release(&rt->dst);
>
> But the code obviously is ready for dst being NULL, it is even documented :)

Oh, so the code depends on dst being the first member? Would it make
sense to just cast the pointer instead?
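The two forms discussed in this exchange, side by side, as an added example that is not part of the thread or of the kernel source. The struct definitions and `dst_release()` below are constructed userspace stand-ins (assumptions); only the member layout and the NULL handling mirror the `ip_rt_put()` helper quoted in the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types; only the layout matters. */
struct dst_entry { int refcnt; };
struct rtable {
    struct dst_entry dst;   /* must remain the first member */
    int rt_flags;
};

/* Userspace equivalent of the BUILD_BUG_ON() in ip_rt_put(). */
_Static_assert(offsetof(struct rtable, dst) == 0, "dst must be first");

/* Accepts NULL like the kernel's dst_release(); returns 1 if a
 * reference was dropped, 0 if the pointer was NULL. */
static int dst_release(struct dst_entry *dst)
{
    if (!dst)
        return 0;
    dst->refcnt--;
    return 1;
}

/* Member-access form: &rt->dst goes through rt, so -fsanitize=null
 * reports it when rt is NULL even though the member offset is 0. */
static int ip_rt_put_member(struct rtable *rt)
{
    return dst_release(&rt->dst);
}

/* Cast form: a pointer conversion only, so a NULL rt arrives in
 * dst_release() as NULL with nothing for the sanitizer to flag. */
static int ip_rt_put_cast(struct rtable *rt)
{
    return dst_release((struct dst_entry *)rt);
}

int main(void)
{
    struct rtable rt = { .dst = { .refcnt = 2 }, .rt_flags = 0 };
    int a = ip_rt_put_member(&rt);   /* valid pointer: both forms agree */
    int b = ip_rt_put_cast(&rt);
    int c = ip_rt_put_cast(NULL);    /* NULL: only the cast form is called */

    printf("member=%d cast=%d cast(NULL)=%d refcnt=%d\n", a, b, c, rt.dst.refcnt);
    return 0;
}
```

Building with `-fsanitize=null` and adding a call to `ip_rt_put_member(NULL)` produces the same class of "member access within null pointer" report as the kernel log in this thread.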
Re: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
On 06/07/2018 05:11 PM, David Miller wrote:
> From: Jakub Kicinski
> Date: Thu, 7 Jun 2018 17:06:23 -0700
>
>> [ 293.213661] ip_send_unicast_reply+0x1b67/0x1d0e
>
> This calls ip_setup_cork() which can NULL out the 'rt' route
> pointer. Hmmm... :-/
>

UBSAN seems unhappy with dst being NULL in :

dst_release(&rt->dst);

But the code obviously is ready for dst being NULL, it is even documented :)
Re: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
From: Jakub Kicinski
Date: Thu, 7 Jun 2018 17:06:23 -0700

> [ 293.213661] ip_send_unicast_reply+0x1b67/0x1d0e

This calls ip_setup_cork() which can NULL out the 'rt' route
pointer. Hmmm... :-/
Re: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
On Tue, 8 May 2018 08:52:35 -0600, David Ahern wrote:
> On 5/7/18 10:12 PM, David Miller wrote:
> > From: Stephen Hemminger
> > Date: Mon, 7 May 2018 10:34:00 -0700
> >
> >> Subject: [Bug 199643] New: UBSAN: Undefined behaviour in
> >> ./include/net/route.h:240:2
> >
> > That's an empty line in both of my trees.
> >
>
> In 4.16.7 it is the dst_release in:
>
> static inline void ip_rt_put(struct rtable *rt)
> {
>         /* dst_release() accepts a NULL parameter.
>          * We rely on dst being first structure in struct rtable
>          */
>         BUILD_BUG_ON(offsetof(struct rtable, dst) != 0);
> --->dst_release(&rt->dst);

I'm seeing these on net-next as of yesterday, but admittedly I haven't
run with UBSAN enabled for a while :( Was it resolved?

[ 293.130007] UBSAN: Undefined behaviour in ../include/net/route.h:239:2
[ 293.137408] member access within null pointer of type 'struct rtable'
[ 293.144716] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.17.0-rc7-debug-01088-g47bffcfef048 #9
[ 293.154374] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.3.4 11/08/2016
[ 293.162866] Call Trace:
[ 293.165696]
[ 293.168045] dump_stack+0xe6/0x1a0
[ 293.171943] ? dump_stack_print_info.cold.0+0x1b/0x1b
[ 293.177699] ? do_raw_spin_lock+0xcf/0x220
[ 293.182379] ubsan_epilogue+0x9/0x7a
[ 293.186471] handle_null_ptr_deref+0x16b/0x1e0
[ 293.191535] ? ucs2_as_utf8+0x6b0/0x6b0
[ 293.195919] ? ip_mc_output+0x1610/0x1610
[ 293.200505] __ubsan_handle_type_mismatch_v1+0x16b/0x19e
[ 293.206543] ? ubsan_type_mismatch_common.part.5.cold.9+0x1bb/0x1bb
[ 293.213661] ip_send_unicast_reply+0x1b67/0x1d0e
[ 293.218935] ? ip_make_skb+0x410/0x410
[ 293.223232] ? lock_acquire+0x1a2/0x5a0
[ 293.227622] ? lock_release+0x980/0x980
[ 293.232011] ? free_user_ns+0x300/0x300
[ 293.236396] ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 293.242239] ? rcu_bh_qs+0x500/0x500
[ 293.246342] tcp_v4_send_reset+0x13c6/0x29f0
[ 293.251224] ? tcp_v4_inbound_md5_hash+0x650/0x650
[ 293.256698] ? debug_check_no_locks_freed+0x260/0x260
[ 293.262453] ? rcu_lockdep_current_cpu_online+0x1e7/0x2c0
[ 293.268586] ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 293.274430] ? rcu_start_gp_advanced+0x740/0x740
[ 293.279688] ? rcu_bh_qs+0x500/0x500
[ 293.283790] ? tcp_v4_rcv+0xf9f/0x3ec0
[ 293.288075] tcp_v4_rcv+0xf9f/0x3ec0
[ 293.292189] ? tcp_v4_early_demux+0xa70/0xa70
[ 293.297179] ? __isolate_free_page+0x890/0x890
[ 293.302258] ? __accumulate_pelt_segments+0x29/0x40
[ 293.307819] ? lock_acquire+0x1a2/0x5a0
[ 293.312204] ? ip_local_deliver_finish+0x189/0xcd0
[ 293.317661] ? raw_rcv+0x510/0x510
[ 293.321564] ? rcu_lockdep_current_cpu_online+0x1e7/0x2c0
[ 293.327700] ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 293.333546] ? rcu_start_gp_advanced+0x740/0x740
[ 293.338808] ? rcu_bh_qs+0x500/0x500
[ 293.342913] ip_local_deliver_finish+0x475/0xcd0
[ 293.348180] ? inet_add_protocol.cold.0+0x28/0x28
[ 293.353538] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 293.358607] ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 293.364455] ip_local_deliver+0x1a1/0x680
[ 293.369039] ? ip_call_ra_chain+0x700/0x700
[ 293.373816] ? rcu_lockdep_current_cpu_online+0x1e7/0x2c0
[ 293.379950] ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 293.385792] ? rcu_start_gp_advanced+0x740/0x740
[ 293.391050] ? rcu_bh_qs+0x500/0x500
[ 293.395143] ? rb_erase+0x3460/0x3460
[ 293.399342] ip_rcv_finish+0x727/0x25c0
[ 293.403733] ? ip_local_deliver_finish+0xcd0/0xcd0
[ 293.409218] ? print_irqtrace_events+0x280/0x280
[ 293.414478] ? print_irqtrace_events+0x280/0x280
[ 293.419746] ? tcp_v4_send_synack+0x450/0x450
[ 293.424721] ? print_irqtrace_events+0x280/0x280
[ 293.429982] ? enqueue_entity+0x3760/0x3760
[ 293.434760] ? print_irqtrace_events+0x280/0x280
[ 293.440028] ip_rcv+0x973/0x1758
[ 293.443738] ? ip_local_deliver+0x680/0x680
[ 293.448513] ? print_irqtrace_events+0x280/0x280
[ 293.453771] ? print_irqtrace_events+0x280/0x280
[ 293.459021] ? print_irqtrace_events+0x280/0x280
[ 293.464283] ? print_irqtrace_events+0x280/0x280
[ 293.469549] ? rcu_lockdep_current_cpu_online+0x1e7/0x2c0
[ 293.475681] ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[ 293.481526] ? rcu_start_gp_advanced+0x740/0x740
[ 293.486785] ? rcu_bh_qs+0x500/0x500
[ 293.490883] ? ip_local_deliver+0x680/0x680
[ 293.495659] __netif_receive_skb_core+0x23e7/0x5a80
[ 293.501244] ? debug_check_no_locks_freed+0x1e0/0x260
[ 293.506996] ? netif_schedule_queue+0x2c0/0x2c0
[ 293.512159] ? __lock_acquire+0x6ad/0x3b10
[ 293.516860] ? rcu_start_gp_advanced+0x740/0x740
[ 293.522122] ? debug_check_no_locks_freed+0x260/0x260
[ 293.527872] ? rcu_read_lock_sched_held+0x107/0x120
[ 293.533437] ? nfp_net_poll+0x87/0x1a0 [nfp]
[ 293.538306] ? module_assert_mutex_or_preempt+0x41/0x70
[ 293.544244]
Re: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
On 5/7/18 10:12 PM, David Miller wrote:
> From: Stephen Hemminger <step...@networkplumber.org>
> Date: Mon, 7 May 2018 10:34:00 -0700
>
>> Subject: [Bug 199643] New: UBSAN: Undefined behaviour in
>> ./include/net/route.h:240:2
>
> That's an empty line in both of my trees.
>

In 4.16.7 it is the dst_release in:

static inline void ip_rt_put(struct rtable *rt)
{
        /* dst_release() accepts a NULL parameter.
         * We rely on dst being first structure in struct rtable
         */
        BUILD_BUG_ON(offsetof(struct rtable, dst) != 0);
--->dst_release(&rt->dst);
}
Re: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
From: Stephen Hemminger <step...@networkplumber.org>
Date: Mon, 7 May 2018 10:34:00 -0700

> Subject: [Bug 199643] New: UBSAN: Undefined behaviour in
> ./include/net/route.h:240:2

That's an empty line in both of my trees.
Fw: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
Begin forwarded message:

Date: Mon, 07 May 2018 16:36:49 +
From: bugzilla-dae...@bugzilla.kernel.org
To: step...@networkplumber.org
Subject: [Bug 199643] New: UBSAN: Undefined behaviour in ./include/net/route.h:240:2

https://bugzilla.kernel.org/show_bug.cgi?id=199643

Bug ID: 199643
Summary: UBSAN: Undefined behaviour in ./include/net/route.h:240:2
Product: Networking
Version: 2.5
Kernel Version: 4.16.7-CUSTOM
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Other
Assignee: step...@networkplumber.org
Reporter: combus...@archlinux.us
Regression: No

After recompiling the 4.16.7 kernel with gcc 8.1, UBSAN reports the following:

[ 26.312176]
[ 26.312179] UBSAN: Undefined behaviour in ./include/net/route.h:240:2
[ 26.312180] member access within null pointer of type 'struct rtable'
[ 26.312183] CPU: 2 PID: 311 Comm: sd-resolve Not tainted 4.16.7-CUSTOM #1
[ 26.312185] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
[ 26.312186] Call Trace:
[ 26.312188]
[ 26.312194] dump_stack+0x62/0x9f
[ 26.312199] ubsan_epilogue+0x9/0x35
[ 26.312201] handle_null_ptr_deref+0x80/0x90
[ 26.312204] __ubsan_handle_type_mismatch_v1+0x6a/0x80
[ 26.312208] icmp_send+0xbb0/0xd90
[ 26.312218] __udp4_lib_rcv+0x760/0x1440
[ 26.312223] ? lock_acquire+0x69/0x100
[ 26.312226] ? ip_local_deliver_finish+0x62/0x4a0
[ 26.312229] ip_local_deliver_finish+0xf3/0x4a0
[ 26.312233] ip_local_deliver+0xa6/0x240
[ 26.312237] ip_rcv+0x33e/0x660
[ 26.312241] ? ip_local_deliver+0x240/0x240
[ 26.312246] __netif_receive_skb_core+0xaef/0x1bb0
[ 26.312254] ? process_backlog+0xcd/0x370
[ 26.312256] ? process_backlog+0xfd/0x370
[ 26.312258] process_backlog+0xfd/0x370
[ 26.312260] ? process_backlog+0xcd/0x370
[ 26.312264] net_rx_action+0x3cb/0xe40
[ 26.312270] ? __do_softirq+0x119/0x376
[ 26.312275] ? do_softirq_own_stack+0x2a/0x40
[ 26.312276]
[ 26.312280] ? do_softirq.part.1+0x21/0x30
[ 26.312282] ? __local_bh_enable_ip+0x4f/0x60
[ 26.312284] ? ip_finish_output2+0x3af/0x720
[ 26.312288] ? ip_output+0xdc/0x270
[ 26.312290] ? ip_output+0xdc/0x270
[ 26.312295] ? ip_send_skb+0x1c/0x80
[ 26.312297] ? udp_send_skb+0x1bf/0x480
[ 26.312301] ? udp_sendmsg+0xbb7/0x1020
[ 26.312304] ? ip_reply_glue_bits+0x60/0x60
[ 26.312308] ? rw_copy_check_uvector+0x5d/0x210
[ 26.312316] ? sock_sendmsg+0x49/0xb0
[ 26.312319] ? ___sys_sendmsg+0x194/0x3b0
[ 26.312323] ? __fget+0x125/0x290
[ 26.312330] ? __sys_sendmmsg+0xdd/0x180
[ 26.312337] ? SyS_sendmmsg+0x5/0x10
[ 26.312340] ? do_syscall_64+0xad/0x5cc
[ 26.312345] ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 26.312349]
[ 26.312358]
[ 26.312359] UBSAN: Undefined behaviour in ./include/net/route.h:240:2
[ 26.312360] member access within null pointer of type 'struct rtable'
[ 26.312362] CPU: 2 PID: 311 Comm: sd-resolve Not tainted 4.16.7-CUSTOM #1
[ 26.312363] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
[ 26.312364] Call Trace:
[ 26.312367] dump_stack+0x62/0x9f
[ 26.312370] ubsan_epilogue+0x9/0x35
[ 26.312372] handle_null_ptr_deref+0x80/0x90
[ 26.312375] __ubsan_handle_type_mismatch_v1+0x6a/0x80
[ 26.312378] udp_sendmsg+0xc37/0x1020
[ 26.312382] ? ip_reply_glue_bits+0x60/0x60
[ 26.312384] ? rw_copy_check_uvector+0x5d/0x210
[ 26.312391] sock_sendmsg+0x49/0xb0
[ 26.312394] ___sys_sendmsg+0x194/0x3b0
[ 26.312398] ? __fget+0x125/0x290
[ 26.312405] __sys_sendmmsg+0xdd/0x180
[ 26.312413] SyS_sendmmsg+0x5/0x10
[ 26.312415] do_syscall_64+0xad/0x5cc
[ 26.312420] ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 26.312424]
[ 206.391361]
[ 206.391370] UBSAN: Undefined behaviour in ./include/net/route.h:240:2
[ 206.391372] member access within null pointer of type 'struct rtable'
[ 206.391376] CPU: 0 PID: 624 Comm: CompositorTileW Not tainted 4.16.7-CUSTOM #1
[ 206.391378] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
[ 206.391381] Call Trace:
[ 206.391386]
[ 206.391398] dump_stack+0x62/0x9f
[ 206.391405] ubsan_epilogue+0x9/0x35
[ 206.391409] handle_null_ptr_deref+0x80/0x90
[ 206.391412] __ubsan_handle_type_mismatch_v1+0x6a/0x80
[ 206.391419] ip_send_unicast_reply+0x626/0x691