Hi,
Recently I tried tools/testing/selftests/net/rtnetlink.sh with KASAN
enabled and encountered following BUG.
kernel: ==================================================================
kernel: BUG: KASAN: null-ptr-deref in tcf_block_put+0x8c/0xc0
kernel: Read of size 8 at addr 0000000000000018 by task tc/2966
kernel:
kernel: CPU: 0 PID: 2966 Comm: tc Not tainted 4.15.0-rc3+ #24
kernel: Hardware name: Hewlett-Packard HP Z440 Workstation/212B, BIOS
M60 v02.34 05/18/2017
kernel: Call Trace:
kernel: dump_stack+0xaf/0x127
kernel: ? _atomic_dec_and_lock+0x159/0x159
kernel: ? tcf_block_put_ext+0x215/0x270
kernel: kasan_report+0x15f/0x360
kernel: ? tcf_block_put+0x8c/0xc0
kernel: tcf_block_put+0x8c/0xc0
kernel: ? tcf_block_put_ext+0x270/0x270
kernel: ? kfree+0x9c/0x1b0
kernel: htb_destroy_class.isra.17+0x54/0x70 [sch_htb]
kernel: htb_destroy+0x122/0x200 [sch_htb]
kernel: qdisc_destroy+0xa4/0x2a0
kernel: ? rtnetlink_send+0x94/0xa0
kernel: qdisc_graft+0x530/0x650
kernel: tc_get_qdisc+0x235/0x370
kernel: ? tc_ctl_tclass+0x5f0/0x5f0
kernel: ? security_capable+0x2d/0x70
kernel: rtnetlink_rcv_msg+0x69c/0x790
kernel: ? rtnl_calcit.isra.26+0x250/0x250
kernel: ? depot_save_stack+0x12d/0x470
kernel: ? save_stack+0x89/0xb0
kernel: ? kasan_kmalloc+0xa0/0xd0
kernel: ? __kmalloc_node_track_caller+0x192/0x2d0
kernel: ? __kmalloc_reserve.isra.39+0x2e/0x80
kernel: ? __alloc_skb+0xf9/0x3a0
kernel: ? netlink_sendmsg+0x558/0x680
kernel: ? sock_sendmsg+0x6b/0x80
kernel: ? ___sys_sendmsg+0x49a/0x500
kernel: ? __sys_sendmsg+0xb5/0x150
kernel: ? entry_SYSCALL_64_fastpath+0x1a/0x7d
kernel: ? __alloc_skb+0xc9/0x3a0
kernel: ? netlink_sendmsg+0x558/0x680
kernel: ? sock_sendmsg+0x6b/0x80
kernel: ? ___sys_sendmsg+0x49a/0x500
kernel: ? __sys_sendmsg+0xb5/0x150
kernel: ? entry_SYSCALL_64_fastpath+0x1a/0x7d
kernel: ? lru_cache_add+0x145/0x210
kernel: ? lru_cache_add_file+0x10/0x10
kernel: ? mem_cgroup_low+0x140/0x140
kernel: ? netlink_compare+0x53/0x70
kernel: ? __netlink_lookup+0x2d3/0x3e0
kernel: ? netlink_broadcast+0x20/0x20
kernel: ? memcg_kmem_get_cache+0x4e0/0x4e0
kernel: ? netlink_deliver_tap+0x10b/0x530
kernel: ? kasan_kmalloc+0xa0/0xd0
kernel: ? netlink_has_listeners+0x170/0x170
kernel: ? __kmalloc_node_track_caller+0x231/0x2d0
kernel: ? iov_iter_advance+0x176/0x7a0
kernel: netlink_rcv_skb+0x122/0x230
kernel: ? rtnl_calcit.isra.26+0x250/0x250
kernel: ? netlink_ack+0x4b0/0x4b0
kernel: ? netlink_trim+0x123/0x1c0
kernel: ? alloc_pages_vma+0x93/0x260
kernel: netlink_unicast+0x2c2/0x360
kernel: ? netlink_attachskb+0x3f0/0x3f0
kernel: ? import_iovec+0x128/0x1d0
kernel: netlink_sendmsg+0x528/0x680
kernel: ? netlink_unicast+0x360/0x360
kernel: ? netlink_unicast+0x360/0x360
kernel: sock_sendmsg+0x6b/0x80
kernel: ___sys_sendmsg+0x49a/0x500
kernel: ? copy_msghdr_from_user+0x260/0x260
kernel: ? netlink_sendmsg+0x2b2/0x680
kernel: ? netlink_unicast+0x360/0x360
kernel: ? mem_cgroup_from_task+0x9c/0xe0
kernel: ? mem_cgroup_reset+0x190/0x190
kernel: ? __fget_light+0x17e/0x200
kernel: ? expand_files+0x570/0x570
kernel: ? handle_mm_fault+0x1ca/0x380
kernel: ? __handle_mm_fault+0x1f10/0x1f10
kernel: ? vmacache_find+0xe6/0x110
kernel: ? __do_page_fault+0x5c5/0x6d0
kernel: ? __sys_sendmsg+0xb5/0x150
kernel: __sys_sendmsg+0xb5/0x150
kernel: ? SyS_shutdown+0x160/0x160
kernel: ? kmem_cache_free+0x7c/0x1f0
kernel: ? __do_page_fault+0x6d0/0x6d0
kernel: ? do_sys_open+0x1f0/0x380
kernel: entry_SYSCALL_64_fastpath+0x1a/0x7d
After some investigation I found this commit:
[1] https://patchwork.ozlabs.org/patch/833596 which fixed this bug.
But recently accepted commit:
[2] https://patchwork.ozlabs.org/patch/849101/ reverted it.
So I tried same fix in [1] on top of latest net-next. The bug did not
reproduce.
-Prashant
