Bug 98081 - net/bridge/br_private.h:626 suspicious rcu_dereference_check() usage!
Summary: net/bridge/br_private.h:626 suspicious rcu_dereference_check() usage!
Status: RESOLVED WILL_NOT_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: Other (show other bugs)
Hardware: x86-64 Linux
: P1 normal
Assignee: Stephen Hemminger
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-11 17:53 UTC by poma
Modified: 2015-05-12 01:34 UTC (History)
0 users

See Also:
Kernel Version: 4.1.0-0.rc3.git0.1.fc23.x86_64+debug
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description poma 2015-05-11 17:53:16 UTC 
...
[   44.182420] device enp3s0 entered promiscuous mode
[   44.183508] bridge0: port 1(enp3s0) entered forwarding state
[   44.184216] bridge0: port 1(enp3s0) entered forwarding state
[   59.232867] bridge0: port 1(enp3s0) entered forwarding state

[   59.232878] ===============================
[   59.232879] [ INFO: suspicious RCU usage. ]
[   59.232881] 4.1.0-0.rc3.git0.1.fc23.x86_64+debug #1 Tainted: G        WC     
[   59.232883] -------------------------------
[   59.232884] net/bridge/br_private.h:626 suspicious rcu_dereference_check() usage!
[   59.232885] 
other info that might help us debug this:

[   59.232887] 
rcu_scheduler_active = 1, debug_locks = 0
[   59.232889] 2 locks held by locate/3730:
[   59.232890]  #0:  (((&p->forward_delay_timer))){+.-...}, at: [<ffffffff8113bf25>] call_timer_fn+0x5/0x4f0
[   59.232899]  #1:  (&(&br->lock)->rlock){+.-...}, at: [<ffffffffa0968dc1>] br_forward_delay_timer_expired+0x31/0x140 [bridge]
[   59.232908] 
stack backtrace:
[   59.232911] CPU: 3 PID: 3730 Comm: locate Tainted: G        WC      4.1.0-0.rc3.git0.1.fc23.x86_64+debug #1
...
[   59.232922] Call Trace:
[   59.232923]  <IRQ>  [<ffffffff81895355>] dump_stack+0x4c/0x65
[   59.232930]  [<ffffffff8110dd17>] lockdep_rcu_suspicious+0xe7/0x120
[   59.232935]  [<ffffffffa096a0f9>] br_fill_ifinfo+0x4a9/0x6a0 [bridge]
[   59.232940]  [<ffffffffa096a66b>] br_ifinfo_notify+0x11b/0x4b0 [bridge]
[   59.232944]  [<ffffffffa0968d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
[   59.232948]  [<ffffffffa0968de8>] br_forward_delay_timer_expired+0x58/0x140 [bridge]
[   59.232952]  [<ffffffffa0968d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
[   59.232954]  [<ffffffff8113bfe3>] call_timer_fn+0xc3/0x4f0
[   59.232956]  [<ffffffff8113bf25>] ? call_timer_fn+0x5/0x4f0
[   59.232958]  [<ffffffff8110c94f>] ? lock_release_holdtime.part.29+0xf/0x200
[   59.232962]  [<ffffffffa0968d90>] ? br_hold_timer_expired+0x70/0x70 [bridge]
[   59.232964]  [<ffffffff8113c654>] run_timer_softirq+0x244/0x490
[   59.232967]  [<ffffffff810b687c>] __do_softirq+0xec/0x670
[   59.232970]  [<ffffffff810b7085>] irq_exit+0x145/0x150
[   59.232972]  [<ffffffff818a20c6>] smp_apic_timer_interrupt+0x46/0x60
[   59.232974]  [<ffffffff818a00e3>] apic_timer_interrupt+0x73/0x80
[   59.232975]  <EOI> 
...


$ NetworkManager --version
1.0.2-2.fc21
Comment 2 poma 2015-05-12 00:10:40 UTC 
Original:

$ modinfo /lib/modules/4.1.0-0.rc3.git0.1.fc23.x86_64+debug/kernel/net/bridge/bridge.ko.xz
filename:       /lib/modules/4.1.0-0.rc3.git0.1.fc23.x86_64+debug/kernel/net/bridge/bridge.ko.xz
alias:          rtnl-link-bridge
version:        2.3
license:        GPL
srcversion:     60F51A73446797150AAC94B
depends:        stp,llc
intree:         Y
vermagic:       4.1.0-0.rc3.git0.1.fc23.x86_64+debug SMP mod_unload 
signer:         Fedora kernel signing key
sig_key:        56:8D:5E:49:46:EB:2F:4D:1F:24:93:1D:25:92:B3:FE:A3:EF:65:0A
sig_hashalgo:   sha256

~~~~~~~~~~~~~~~~

Patched:

http://www.spinics.net/lists/netdev/msg328395.html

$ modinfo bridge
filename:       /lib/modules/4.1.0-0.rc3.git0.1.fc23.x86_64+debug/updates/bridge.ko
alias:          rtnl-link-bridge
version:        2.3
license:        GPL
srcversion:     48C656B7572137343AD5CB9
depends:        
intree:         Y
vermagic:       4.1.0-0.rc3.git0.1.fc23.x86_64+debug SMP mod_unload 


$ dmesg:
...
[   32.443261] bridge: module verification failed: signature and/or required key missing - tainting kernel
[   32.447985] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[   33.876858] ------------[ cut here ]------------
[   33.877407] WARNING: CPU: 0 PID: 2414 at lib/list_debug.c:29 __list_add+0x70/0xd0()
[   33.877924] list_add corruption. next->prev should be prev (ffffffff81ecf690), but was ffffffffa0978020. (next=ffffffffa0966990).
[   33.878957] Modules linked in: xt_conntrack ebtable_nat ebtable_broute bridge(E) stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw it87 hwmon_vid arc4 rt2800usb rt2x00usb rt2800lib rt2x00lib mac80211 cfg80211 r8712u(C) crc_ccitt rfkill mxl5007t af9013 dvb_usb_af9015 dvb_usb_v2 dvb_core uas rc_core usb_storage tuner_simple tuner_types wm8775 tda9887 tda8290 tuner cx25840 nouveau ivtv ppdev snd_hda_codec_realtek mxm_wmi snd_hda_codec_generic kvm_amd video kvm tveeprom ttm edac_core cx2341x drm_kms_helper serio_raw v4l2_common snd_hda_intel edac_mce_amd drm videodev skge
[   33.882720]  snd_hda_controller media r8169 i2c_algo_bit parport_serial snd_hda_codec parport_pc parport mii ata_generic pata_acpi snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm wmi snd_timer snd i2c_nforce2 soundcore pata_amd shpchp acpi_cpufreq nfsd ecryptfs auth_rpcgss nfs_acl lockd encrypted_keys grace trusted tpm sunrpc binfmt_misc i2c_dev raid1
[   33.885318] CPU: 0 PID: 2414 Comm: automount Tainted: G        WC  E   4.1.0-0.rc3.git0.1.fc23.x86_64+debug #1
...
[   33.888603] Call Trace:
[   33.889241]  [<ffffffff81895355>] dump_stack+0x4c/0x65
[   33.889880]  [<ffffffff810b043a>] warn_slowpath_common+0x8a/0xc0
[   33.890525]  [<ffffffff810b04c5>] warn_slowpath_fmt+0x55/0x70
[   33.891174]  [<ffffffffa0978020>] ? check+0x20/0x20 [ebtable_broute]
[   33.891817]  [<ffffffff81455bb0>] __list_add+0x70/0xd0
[   33.892462]  [<ffffffff814639fd>] __percpu_counter_init+0xad/0xe0
[   33.893092]  [<ffffffff81284c4d>] sget+0x11d/0x460
[   33.893707]  [<ffffffff81283e80>] ? get_anon_bdev+0x120/0x120
[   33.894301]  [<ffffffff8138b950>] ? autofs4_get_inode+0xe0/0xe0
[   33.894897]  [<ffffffff81285080>] mount_nodev+0x30/0xa0
[   33.895489]  [<ffffffff8138b518>] autofs_mount+0x18/0x20
[   33.896080]  [<ffffffff81285c68>] mount_fs+0x38/0x190
[   33.896679]  [<ffffffff812a8f0b>] vfs_kern_mount+0x6b/0x160
[   33.897272]  [<ffffffff812ac01d>] do_mount+0x21d/0xbe0
[   33.897864]  [<ffffffff818a33a4>] ? bad_gs+0xd7f/0x1bfb
[   33.898453]  [<ffffffff812acd43>] SyS_mount+0xa3/0x110
[   33.899047]  [<ffffffff8189f16e>] system_call_fastpath+0x12/0x76
[   33.899640] ---[ end trace 1ed269835126938d ]---
[   36.184429] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   36.184682] IP: [<ffffffff8156c274>] extract_entropy+0x1f4/0x6a0
[   36.184896] PGD 0 
[   36.185091] Oops: 0002 [#1] SMP 
[   36.185299] Modules linked in: ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_nat ebtable_broute bridge(E) stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw it87 hwmon_vid arc4 rt2800usb rt2x00usb rt2800lib rt2x00lib mac80211 cfg80211 r8712u(C) crc_ccitt rfkill mxl5007t af9013 dvb_usb_af9015 dvb_usb_v2 dvb_core uas rc_core usb_storage tuner_simple tuner_types wm8775 tda9887 tda8290 tuner cx25840 nouveau ivtv ppdev snd_hda_codec_realtek mxm_wmi snd_hda_codec_generic kvm_amd video kvm tveeprom ttm edac_core cx2341x drm_kms_helper serio_raw v4l2_common snd_hda_intel edac_mce_amd
[   36.187279]  drm videodev skge snd_hda_controller media r8169 i2c_algo_bit parport_serial snd_hda_codec parport_pc parport mii ata_generic pata_acpi snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm wmi snd_timer snd i2c_nforce2 soundcore pata_amd shpchp acpi_cpufreq nfsd ecryptfs auth_rpcgss nfs_acl lockd encrypted_keys grace trusted tpm sunrpc binfmt_misc i2c_dev raid1
[   36.188726] CPU: 1 PID: 2254 Comm: NetworkManager Tainted: G        WC  E   4.1.0-0.rc3.git0.1.fc23.x86_64+debug #1
...
[   36.189477] task: ffff8801291da680 ti: ffff8800bceb4000 task.ti: ffff8800bceb4000
[   36.189849] RIP: 0010:[<ffffffff8156c274>]  [<ffffffff8156c274>] extract_entropy+0x1f4/0x6a0
[   36.190235] RSP: 0018:ffff8800bceb76b8  EFLAGS: 00010202
[   36.190618] RAX: 0000000000000006 RBX: 0000000000000006 RCX: 0000000000000000
[   36.191010] RDX: 00000000d4df6adf RSI: 0000000000000000 RDI: ffff8800bceb7630
[   36.191401] RBP: ffff8800bceb7738 R08: 0000000000000001 R09: ffff8800bceb7618
[   36.191800] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800bceb76f6
[   36.192188] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff81eeab00
[   36.192578] FS:  00007f9d779f28c0(0000) GS:ffff88012a800000(0000) knlGS:0000000000000000
[   36.192967] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.193360] CR2: 0000000000000000 CR3: 00000000bce2e000 CR4: 00000000000007e0
...
[   36.195391] Call Trace:
[   36.195806]  [<ffffffffa0951cb7>] ? br_dev_setup+0x37/0x1b0 [bridge]
[   36.196207]  [<ffffffffa0951cb7>] ? br_dev_setup+0x37/0x1b0 [bridge]
[   36.196617]  [<ffffffff8156d6ed>] get_random_bytes+0x5d/0x1f0
[   36.197031]  [<ffffffffa0951cb7>] br_dev_setup+0x37/0x1b0 [bridge]
[   36.197441]  [<ffffffff8174688a>] alloc_netdev_mqs+0x1ca/0x3e0
[   36.197854]  [<ffffffffa0951c80>] ? br_netpoll_disable+0x30/0x30 [bridge]
[   36.198271]  [<ffffffff8175dfbf>] rtnl_create_link+0x5f/0x1e0
[   36.198693]  [<ffffffff81760aa5>] rtnl_newlink+0x6f5/0x910
[   36.199110]  [<ffffffff81467f99>] ? nla_parse+0xb9/0x120
[   36.199531]  [<ffffffff8189e726>] ? _raw_spin_unlock_irqrestore+0x36/0x70
[   36.199948]  [<ffffffff81468052>] ? nla_strlcpy+0x52/0x60
[   36.200373]  [<ffffffff8175d920>] ? rtnl_link_ops_get+0x40/0x60
[   36.200798]  [<ffffffff81760530>] ? rtnl_newlink+0x180/0x910
[   36.201224]  [<ffffffff8175f045>] rtnetlink_rcv_msg+0xf5/0x270
[   36.201643]  [<ffffffff8175ef2f>] ? rtnetlink_rcv+0x1f/0x40
[   36.202063]  [<ffffffff8175ef2f>] ? rtnetlink_rcv+0x1f/0x40
[   36.202475]  [<ffffffff8175ef50>] ? rtnetlink_rcv+0x40/0x40
[   36.202880]  [<ffffffff81788489>] netlink_rcv_skb+0xb9/0xe0
[   36.203283]  [<ffffffff8175ef3e>] rtnetlink_rcv+0x2e/0x40
[   36.203687]  [<ffffffff81787b5d>] netlink_unicast+0x19d/0x2a0
[   36.204077]  [<ffffffff81787ad7>] ? netlink_unicast+0x117/0x2a0
[   36.204462]  [<ffffffff81788150>] netlink_sendmsg+0x4f0/0x650
[   36.204837]  [<ffffffff8172931d>] sock_sendmsg+0x3d/0x50
[   36.205198]  [<ffffffff81729d93>] ___sys_sendmsg+0x2e3/0x2f0
[   36.205548]  [<ffffffff81111447>] ? __lock_acquire+0xce7/0x1e40
[   36.205888]  [<ffffffff81027e7d>] ? native_sched_clock+0x2d/0xa0
[   36.206212]  [<ffffffff81027ef9>] ? sched_clock+0x9/0x10
[   36.206528]  [<ffffffff810ee045>] ? local_clock+0x25/0x30
[   36.206835]  [<ffffffff8110c94f>] ? lock_release_holdtime.part.29+0xf/0x200
[   36.207125]  [<ffffffff812a6077>] ? __fget+0x117/0x210
[   36.207407]  [<ffffffff812a5f65>] ? __fget+0x5/0x210
[   36.207683]  [<ffffffff8110c94f>] ? lock_release_holdtime.part.29+0xf/0x200
[   36.207950]  [<ffffffff812a61da>] ? __fget_light+0x2a/0xa0
[   36.208217]  [<ffffffff8172af47>] __sys_sendmsg+0x57/0xa0
[   36.208473]  [<ffffffff8172afa2>] SyS_sendmsg+0x12/0x20
[   36.208729]  [<ffffffff8189f16e>] system_call_fastpath+0x12/0x76
[   36.208978] Code: 83 e2 f8 48 83 fa 08 72 8d 48 83 e2 f8 31 c9 4c 8b 04 0f 4c 89 04 0e 48 83 c1 08 48 39 d1 72 ef e9 71 ff ff ff 66 90 41 8b 14 24 <41> 89 16 41 8b 54 04 fc 41 89 54 06 fc e9 59 ff ff ff 66 2e 0f 
[   36.209677] RIP  [<ffffffff8156c274>] extract_entropy+0x1f4/0x6a0
[   36.209999]  RSP <ffff8800bceb76b8>
[   36.210284] CR2: 0000000000000000
[   36.210637] ---[ end trace 1ed269835126938e ]---
Note You need to log in before you can comment on or make changes to this bug.