From patchwork Mon Aug 20 16:29:33 2012
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 178874
X-Patchwork-Delegate: davem@davemloft.net
Subject: Re: Fw: [Bug 46131] New: 32-bit read from uninitialized memory in __ip_select_ident since 3.6-rc2
From: Eric Dumazet
To: Stephen Hemminger
Cc: netdev@vger.kernel.org, casteyde.christian@free.fr
In-Reply-To: <1345479866.5158.324.camel@edumazet-glaptop>
References: <20120820090313.4856779b@nehalam.linuxnetplumber.net> <1345479866.5158.324.camel@edumazet-glaptop>
Date: Mon, 20 Aug 2012 18:29:33 +0200
Message-ID: <1345480173.5158.326.camel@edumazet-glaptop>
List-ID: <netdev.vger.kernel.org>

On Mon, 2012-08-20 at 18:24 +0200, Eric Dumazet wrote:
> On Mon, 2012-08-20 at 09:03 -0700, Stephen Hemminger wrote:
> >
> > Begin forwarded message:
> >
> > Date: Sat, 18 Aug 2012 09:49:45 +0000 (UTC)
> > From: bugzilla-daemon@bugzilla.kernel.org
> > To: shemminger@linux-foundation.org
> > Subject: [Bug 46131] New: 32-bit read from uninitialized memory in __ip_select_ident since 3.6-rc2
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=46131
> >
> >            Summary: 32-bit read from uninitialized memory in __ip_select_ident since 3.6-rc2
> >            Product: Networking
> >            Version: 2.5
> >     Kernel Version: 3.6-rc2
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: IPV4
> >         AssignedTo: shemminger@linux-foundation.org
> >         ReportedBy: casteyde.christian@free.fr
> >         Regression: Yes
> >
> >
> > Slackware64 current
> > Intel Core i7
> > 6GB RAM
> >
> > Since 3.6-rc2 (this is a regression from 3.6-rc1), I get the following warning
> > when I ping a host:
> >
> > WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8801c3f79460)
> > 00000000030380ab00000000450000482881000080118ebbc0a8010bc0a8010d
> >  u u u u i i i i i i i i i i i i i i i i i i i i i i i i i i i i
> >  ^
> >
> > Pid: 5836, comm: udev-acl.ck Not tainted 3.6.0-rc2 #3 Acer Aspire 7750G/JE70_HR
> > RIP: 0010:[] [] __ip_select_ident+0x22/0x120
> > RSP: 0000:ffff8801c7e035e0 EFLAGS: 00010282
> > RAX: ffff88018194ab00 RBX: ffff88018b454700 RCX: 0000000000000040
> > RDX: 0000000000000001 RSI: ffff8801c7e035ec RDI: ffff8801c3f79450
> > RBP: ffff8801c7e03620 R08: ffff8801c54a8238 R09: 0000000000000000
> > R10: ffff8801c7e03770 R11: 0000000000000050 R12: ffff8801c3f79450
> > R13: 0000000000000000 R14: ffff88018db74a80 R15: ffff8801c3f79450
> > FS: 00007f0692dfb740(0000) GS:ffff8801c7e00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: ffff8801c6b06a88 CR3: 00000001a9ae5000 CR4: 00000000000407f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
> > [] __ip_make_skb+0x2f8/0x3c0
> > [] ip_push_pending_frames+0x17/0x30
> > [] icmp_push_reply+0xee/0x120
> > [] icmp_send+0x4a5/0xb10
> > [] __udp4_lib_rcv+0x568/0x920
> > [] udp_rcv+0x15/0x20
> > [] ip_local_deliver_finish+0x107/0x460
> > [] ip_local_deliver+0x88/0x90
> > [] ip_rcv_finish+0x120/0x5e0
> > [] ip_rcv+0x219/0x2b0
> > [] __netif_receive_skb+0x742/0x9b0
> > [] netif_receive_skb+0x28/0x1e0
> > [] ieee80211_deliver_skb.isra.28+0xa5/0x220
> > [] ieee80211_rx_handlers+0xf27/0x2380
> > [] ieee80211_prepare_and_rx_handle+0x307/0x8b0
> > [] ieee80211_rx+0x67e/0xce0
> > [] ath_rx_tasklet+0xc9c/0x1350
> > [] ath9k_tasklet+0xe4/0x140
> > [] tasklet_action+0x6c/0xe0
> > [] __do_softirq+0xba/0x180
> > [] call_softirq+0x1c/0x30
> > [] do_softirq+0x7d/0xb0
> > [] irq_exit+0x96/0xc0
> > [] do_IRQ+0x5e/0xd0
> > [] ret_from_intr+0x0/0x13
> > [] 0xffffffffffffffff
>
> Thanks for the report, I am testing a patch.
>

Christian, are you sure it's a 3.6-rc2 regression, because I believe it's an old bug...

Could you test the following fix? (ip_select_ident() must be called _after_ iph->daddr is set)

---
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 147ccc3..c196d74 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -1338,10 +1338,10 @@ struct sk_buff *__ip_make_skb(struct sock *sk, iph->ihl = 5; iph->tos = inet->tos; iph->frag_off = df; - ip_select_ident(iph, &rt->dst, sk); iph->ttl = ttl; iph->protocol = sk->sk_protocol; ip_copy_addrs(iph, fl4); + ip_select_ident(iph, &rt->dst, sk); if (opt) { iph->ihl += opt->optlen>>2;
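Review bot: the reordering in the __ip_make_skb() hunk leaves the dependency implicit; please add a one-line comment above the moved call, e.g. "/* ip_select_ident() reads iph->frag_off and iph->daddr, keep it after ip_copy_addrs() */", so a later cleanup cannot hoist it back above ip_copy_addrs() and reintroduce the uninitialised read. The kmemcheck report corroborates the diagnosis: RDI (the iph pointer) is ffff8801c3f79450 and the faulting read is at ffff8801c3f79460, offset 0x10 into struct iphdr, which is the daddr field that ip_copy_addrs(iph, fl4) fills. Since the call also depends on iph->frag_off = df, which the hunk still sets before it, the new position is the only correct one of the three shown; the changelog should cite the bugzilla report and the __ip_make_skb -> __ip_select_ident trace, and should state whether this predates 3.6-rc2 once Christian confirms, so stable backport targets can be chosen.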