NULL pointer deref in dccp (inet_csk_listen_start/inet_csk_get_port)

Hi all,

I've been running into the following oops:

[ 1128.895622] BUG: unable to handle kernel NULL pointer dereference at 
           (null)
[ 1128.896010] IP: [<          (null)>]           (null)
[ 1128.896010] PGD 179ee067 PUD 189b1067 PMD 0
[ 1128.896010] Oops: 0010 [#1] PREEMPT SMP
[ 1128.896010] CPU: 1 PID: 1023 Comm: a.out Not tainted 4.4.0-rc5+ #64
[ 1128.896010] task: ffff88001a7e72c0 ti: ffff880017534000 task.ti: 
ffff880017534000
[ 1128.896010] RIP: 0010:[<0000000000000000>]  [<          (null)>] 
       (null)
[ 1128.896010] RSP: 0018:ffff880017537e60  EFLAGS: 00010246
[ 1128.896010] RAX: ffffffff820deec0 RBX: ffff880019e12e00 RCX: 
000000000000a90c
[ 1128.896010] RDX: 0000000000000001 RSI: ffff880019e12e00 RDI: 
ffff880018f23f00
[ 1128.896010] RBP: ffff880017537ed0 R08: 00007f0788df40f4 R09: 
00000000fe0ab1db
[ 1128.896010] R10: 0000000000000000 R11: 0000000000000206 R12: 
000000000000a90c
[ 1128.896010] R13: ffffffff828233c0 R14: ffff880018f23f00 R15: 
ffff8800196b1db0
[ 1128.896010] FS:  00007f078872f700(0000) GS:ffff88001a900000(0000) 
knlGS:0000000000000000
[ 1128.896010] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1128.896010] CR2: 0000000000000000 CR3: 0000000018832000 CR4: 
00000000001406a0
[ 1128.896010] Stack:
[ 1128.896010]  ffffffff81ae7190 0000000000000005 ffff880018f23f00 
0000000600000000
[ 1128.896010]  ffffffff810dc981 ffffffff8311b380 0000000000000000 
0000a90cffffffff
[ 1128.896010]  0000400000000001 ffff880018f23f00 000000000000007d 
000000000000007d
[ 1128.896010] Call Trace:
[ 1128.896010]  [<ffffffff81ae7190>] ? inet_csk_get_port+0x4c0/0x820
[ 1128.896010]  [<ffffffff810dc981>] ? 
__raw_callee_save___pv_queued_spin_unlock+0x11/0x20
[ 1128.896010]  [<ffffffff81ae9158>] inet_csk_listen_start+0x78/0xf0
[ 1128.896010]  [<ffffffff81c9d2fe>] inet_dccp_listen+0xbe/0x120
[ 1128.896010]  [<ffffffff81a2459c>] SyS_listen+0xcc/0xe0
[ 1128.896010]  [<ffffffff81e8532e>] entry_SYSCALL_64_fastpath+0x12/0x71
[ 1128.896010] Code:  Bad RIP value.
[ 1128.896010] RIP  [<          (null)>]           (null)
[ 1128.896010]  RSP <ffff880017537e60>
[ 1128.896010] CR2: 0000000000000000
[ 1128.896010] ---[ end trace 583887ed13928755 ]---

It looks like the same thing that Dave Jones ran into a couple of times
before:

https://www.mail-archive.com/netdev@vger.kernel.org/msg73745.html
https://www.mail-archive.com/netdev@vger.kernel.org/msg87675.html

I am able to reproduce this reliably within ~30 seconds or so (as non-root).

Jamie Iles and I been able to narrow it down to a race between connect()
and listen() on AF_INET6/IPPROTO_DCCP sockets:

- Thread A does connect() which calls dccp_v6_connect() which sets
icsk->icsk_af_ops = &dccp_ipv6_mapped. However, dccp_ipv6_mapped has
->bind_conflict == NULL.

- Thread B does listen() which calls into inet_csk_get_port() and tries
to call inet_csk(sk)->icsk_af_ops->bind_conflict.

Using the following patch we can no longer reproduce this specific issue:

         .compat_getsockopt = compat_ipv6_getsockopt,

If you think this is the right fix, we can submit a proper patch.

Thanks,

Vegard
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Message ID	5676D341.5080407@oracle.com
State	RFC, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 0536714032B for <patchwork-incoming@ozlabs.org>; Mon, 21 Dec 2015 03:12:30 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754348AbbLTQMF (ORCPT <rfc822;patchwork-incoming@ozlabs.org>); Sun, 20 Dec 2015 11:12:05 -0500 Received: from userp1040.oracle.com ([156.151.31.81]:32882 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751709AbbLTQMD (ORCPT <rfc822;netdev@vger.kernel.org>); Sun, 20 Dec 2015 11:12:03 -0500 Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id tBKGBnMO020136 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 20 Dec 2015 16:11:50 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.13.8/8.13.8) with ESMTP id tBKGBmEA016460 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sun, 20 Dec 2015 16:11:49 GMT Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id tBKGBm2Q018194; Sun, 20 Dec 2015 16:11:48 GMT Received: from [10.175.218.244] (/10.175.218.244) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 20 Dec 2015 08:11:48 -0800 To: Dave Jones <davej@codemonkey.org.uk> Cc: Jamie Iles <jamie.iles@oracle.com>, Eric Dumazet <edumazet@google.com>, linux-kernel@vger.kernel.org, netdev@vger.kernel.org From: Vegard Nossum <vegard.nossum@oracle.com> Subject: NULL pointer deref in dccp (inet_csk_listen_start/inet_csk_get_port) Message-ID: <5676D341.5080407@oracle.com> Date: Sun, 20 Dec 2015 17:11:45 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Source-IP: userv0022.oracle.com [156.151.31.74] Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: <netdev.vger.kernel.org> X-Mailing-List: netdev@vger.kernel.org

NULL pointer deref in dccp (inet_csk_listen_start/inet_csk_get_port)

Commit Message

Patch