* [PATCH] ipv6: delay procfs initialization after the ipv6 structs are ready
@ 2024-03-20 17:17 Nicolas Cavallari
2024-03-20 22:18 ` Kuniyuki Iwashima
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Nicolas Cavallari @ 2024-03-20 17:17 UTC (permalink / raw
To: David S. Miller, David Ahern, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: netdev, linux-kernel
procfs files are created before the structure they reference are
initialized. For example, if6_proc_init() creates procfs files that
access structures initialized by addrconf_init().
If ipv6 is compiled as a module and a program manages to open an ipv6
procfs file during the loading of the module, it can oops the kernel.
It appears that we were unlucky enough to reproduce this problem
multiple times already, out of maybe 100 boots:
NET: Registered PF_INET6 protocol family
8<--- cut here ---
pwm-backlight backlight: supply power not found, using dummy regulator
Segment Routing with IPv6
In-situ OAM (IOAM) with IPv6
Unable to handle kernel NULL pointer dereference at virtual address
00000000
mt7915e 0000:03:00.0 wlp3s0: renamed from wlan0
[00000000] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: ipv6 mt7915e mt76_connac_lib mt76 dw_hdmi_imx
mac80211 dw_hdmi drm_display_helper imxdrm drm_dma_helper
drm_kms_helper snd_soc_imx_sgtl5000 syscopyarea sysfillrect sysimgblt
fb_sys_fops imx_ipu_v3 snd_soc_fsl_asoc_card cfg80211 snd_soc_sgtl5000
drm libarc4 snd_soc_fsl_ssi snd_soc_simple_card_utils imx_pcm_dma
snd_soc_core rfkill snd_pcm_dmaengine snd_pcm
drm_panel_orientation_quirks cfbfillrect cfbimgblt cfbcopyarea
snd_timer snd egalax_ts snd_soc_imx_audmux soundcore flexcan mux_mmio
imx2_wdt mux_core can_dev pwm_bl
CPU: 2 PID: 850 Comm: snmpd Not tainted 6.1.14 #1
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
PC is at if6_seq_start+0x2c/0x98 [ipv6]
LR is at init_net+0x0/0xc00
[...]
if6_seq_start [ipv6] from seq_read_iter+0xb4/0x510
seq_read_iter from seq_read+0x80/0xac
seq_read from proc_reg_read+0xac/0x100
proc_reg_read from vfs_read+0xb0/0x284
vfs_read from ksys_read+0x64/0xec
ksys_read from ret_fast_syscall+0x0/0x54
Exception stack(0xf0e31fa8 to 0xf0e31ff0)
1fa0: b67fd0b0 be8a666b 0000000a b67fd148 00000400
00000000
1fc0: b67fd0b0 be8a666b 00000001 00000003 be8a67ec 00000000 b6d7e000
b6c9954a
1fe0: b6d7eb30 be8a6638 b6ef11b4 b6ef0ddc
Code: e5931004 e35100ff ca000014 e59e25dc (e7920101)
---[ end trace 0000000000000000 ]---
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
---
net/ipv6/af_inet6.c | 45 +++++++++++++++++++++++----------------------
1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 8041dc181bd4..d12d690a4867 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -1148,18 +1148,6 @@ static int __init inet6_init(void)
err = ipv6_netfilter_init();
if (err)
goto netfilter_fail;
- /* Create /proc/foo6 entries. */
-#ifdef CONFIG_PROC_FS
- err = -ENOMEM;
- if (raw6_proc_init())
- goto proc_raw6_fail;
- if (udplite6_proc_init())
- goto proc_udplite6_fail;
- if (ipv6_misc_proc_init())
- goto proc_misc6_fail;
- if (if6_proc_init())
- goto proc_if6_fail;
-#endif
err = ip6_route_init();
if (err)
goto ip6_route_fail;
@@ -1226,6 +1214,19 @@ static int __init inet6_init(void)
if (err)
goto ioam6_fail;
+ /* Create /proc/foo6 entries only after ipv6 structs are ready. */
+#ifdef CONFIG_PROC_FS
+ err = -ENOMEM;
+ if (raw6_proc_init())
+ goto proc_raw6_fail;
+ if (udplite6_proc_init())
+ goto proc_udplite6_fail;
+ if (ipv6_misc_proc_init())
+ goto proc_misc6_fail;
+ if (if6_proc_init())
+ goto proc_if6_fail;
+#endif
+
err = igmp6_late_init();
if (err)
goto igmp6_late_err;
@@ -1248,6 +1249,16 @@ static int __init inet6_init(void)
igmp6_late_cleanup();
#endif
igmp6_late_err:
+#ifdef CONFIG_PROC_FS
+ if6_proc_exit();
+proc_if6_fail:
+ ipv6_misc_proc_exit();
+proc_misc6_fail:
+ udplite6_proc_exit();
+proc_udplite6_fail:
+ raw6_proc_exit();
+proc_raw6_fail:
+#endif
ioam6_exit();
ioam6_fail:
rpl_exit();
@@ -1282,16 +1293,6 @@ static int __init inet6_init(void)
ndisc_late_fail:
ip6_route_cleanup();
ip6_route_fail:
-#ifdef CONFIG_PROC_FS
- if6_proc_exit();
-proc_if6_fail:
- ipv6_misc_proc_exit();
-proc_misc6_fail:
- udplite6_proc_exit();
-proc_udplite6_fail:
- raw6_proc_exit();
-proc_raw6_fail:
-#endif
ipv6_netfilter_fini();
netfilter_fail:
igmp6_cleanup();
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] ipv6: delay procfs initialization after the ipv6 structs are ready
2024-03-20 17:17 [PATCH] ipv6: delay procfs initialization after the ipv6 structs are ready Nicolas Cavallari
@ 2024-03-20 22:18 ` Kuniyuki Iwashima
2024-03-21 1:36 ` Shigeru Yoshida
2024-03-21 3:39 ` Jakub Kicinski
2 siblings, 0 replies; 4+ messages in thread
From: Kuniyuki Iwashima @ 2024-03-20 22:18 UTC (permalink / raw
To: nicolas.cavallari
Cc: davem, dsahern, edumazet, kuba, linux-kernel, netdev, pabeni,
Kuniyuki Iwashima
From: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Date: Wed, 20 Mar 2024 18:17:36 +0100
> procfs files are created before the structure they reference are
> initialized. For example, if6_proc_init() creates procfs files that
> access structures initialized by addrconf_init().
>
> If ipv6 is compiled as a module and a program manages to open an ipv6
> procfs file during the loading of the module, it can oops the kernel.
>
> It appears that we were unlucky enough to reproduce this problem
> multiple times already, out of maybe 100 boots:
>
> NET: Registered PF_INET6 protocol family
> 8<--- cut here ---
> pwm-backlight backlight: supply power not found, using dummy regulator
> Segment Routing with IPv6
> In-situ OAM (IOAM) with IPv6
> Unable to handle kernel NULL pointer dereference at virtual address
> 00000000
> mt7915e 0000:03:00.0 wlp3s0: renamed from wlan0
> [00000000] *pgd=00000000
> Internal error: Oops: 5 [#1] SMP ARM
> Modules linked in: ipv6 mt7915e mt76_connac_lib mt76 dw_hdmi_imx
> mac80211 dw_hdmi drm_display_helper imxdrm drm_dma_helper
> drm_kms_helper snd_soc_imx_sgtl5000 syscopyarea sysfillrect sysimgblt
> fb_sys_fops imx_ipu_v3 snd_soc_fsl_asoc_card cfg80211 snd_soc_sgtl5000
> drm libarc4 snd_soc_fsl_ssi snd_soc_simple_card_utils imx_pcm_dma
> snd_soc_core rfkill snd_pcm_dmaengine snd_pcm
> drm_panel_orientation_quirks cfbfillrect cfbimgblt cfbcopyarea
> snd_timer snd egalax_ts snd_soc_imx_audmux soundcore flexcan mux_mmio
> imx2_wdt mux_core can_dev pwm_bl
> CPU: 2 PID: 850 Comm: snmpd Not tainted 6.1.14 #1
> Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
> PC is at if6_seq_start+0x2c/0x98 [ipv6]
> LR is at init_net+0x0/0xc00
> [...]
> if6_seq_start [ipv6] from seq_read_iter+0xb4/0x510
> seq_read_iter from seq_read+0x80/0xac
> seq_read from proc_reg_read+0xac/0x100
> proc_reg_read from vfs_read+0xb0/0x284
> vfs_read from ksys_read+0x64/0xec
> ksys_read from ret_fast_syscall+0x0/0x54
> Exception stack(0xf0e31fa8 to 0xf0e31ff0)
> 1fa0: b67fd0b0 be8a666b 0000000a b67fd148 00000400
> 00000000
> 1fc0: b67fd0b0 be8a666b 00000001 00000003 be8a67ec 00000000 b6d7e000
> b6c9954a
> 1fe0: b6d7eb30 be8a6638 b6ef11b4 b6ef0ddc
> Code: e5931004 e35100ff ca000014 e59e25dc (e7920101)
> ---[ end trace 0000000000000000 ]---
>
> Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ipv6: delay procfs initialization after the ipv6 structs are ready
2024-03-20 17:17 [PATCH] ipv6: delay procfs initialization after the ipv6 structs are ready Nicolas Cavallari
2024-03-20 22:18 ` Kuniyuki Iwashima
@ 2024-03-21 1:36 ` Shigeru Yoshida
2024-03-21 3:39 ` Jakub Kicinski
2 siblings, 0 replies; 4+ messages in thread
From: Shigeru Yoshida @ 2024-03-21 1:36 UTC (permalink / raw
To: nicolas.cavallari
Cc: davem, dsahern, edumazet, kuba, pabeni, netdev, linux-kernel
On Wed, 20 Mar 2024 18:17:36 +0100, Nicolas Cavallari wrote:
> procfs files are created before the structure they reference are
> initialized. For example, if6_proc_init() creates procfs files that
> access structures initialized by addrconf_init().
>
> If ipv6 is compiled as a module and a program manages to open an ipv6
> procfs file during the loading of the module, it can oops the kernel.
>
> It appears that we were unlucky enough to reproduce this problem
> multiple times already, out of maybe 100 boots:
>
> NET: Registered PF_INET6 protocol family
> 8<--- cut here ---
> pwm-backlight backlight: supply power not found, using dummy regulator
> Segment Routing with IPv6
> In-situ OAM (IOAM) with IPv6
> Unable to handle kernel NULL pointer dereference at virtual address
> 00000000
> mt7915e 0000:03:00.0 wlp3s0: renamed from wlan0
> [00000000] *pgd=00000000
> Internal error: Oops: 5 [#1] SMP ARM
> Modules linked in: ipv6 mt7915e mt76_connac_lib mt76 dw_hdmi_imx
> mac80211 dw_hdmi drm_display_helper imxdrm drm_dma_helper
> drm_kms_helper snd_soc_imx_sgtl5000 syscopyarea sysfillrect sysimgblt
> fb_sys_fops imx_ipu_v3 snd_soc_fsl_asoc_card cfg80211 snd_soc_sgtl5000
> drm libarc4 snd_soc_fsl_ssi snd_soc_simple_card_utils imx_pcm_dma
> snd_soc_core rfkill snd_pcm_dmaengine snd_pcm
> drm_panel_orientation_quirks cfbfillrect cfbimgblt cfbcopyarea
> snd_timer snd egalax_ts snd_soc_imx_audmux soundcore flexcan mux_mmio
> imx2_wdt mux_core can_dev pwm_bl
> CPU: 2 PID: 850 Comm: snmpd Not tainted 6.1.14 #1
> Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
> PC is at if6_seq_start+0x2c/0x98 [ipv6]
> LR is at init_net+0x0/0xc00
> [...]
> if6_seq_start [ipv6] from seq_read_iter+0xb4/0x510
> seq_read_iter from seq_read+0x80/0xac
> seq_read from proc_reg_read+0xac/0x100
> proc_reg_read from vfs_read+0xb0/0x284
> vfs_read from ksys_read+0x64/0xec
> ksys_read from ret_fast_syscall+0x0/0x54
> Exception stack(0xf0e31fa8 to 0xf0e31ff0)
> 1fa0: b67fd0b0 be8a666b 0000000a b67fd148 00000400
> 00000000
> 1fc0: b67fd0b0 be8a666b 00000001 00000003 be8a67ec 00000000 b6d7e000
> b6c9954a
> 1fe0: b6d7eb30 be8a6638 b6ef11b4 b6ef0ddc
> Code: e5931004 e35100ff ca000014 e59e25dc (e7920101)
> ---[ end trace 0000000000000000 ]---
>
> Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
The following tag is needed?
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Also, we should put appropriate prefix in the subject for netdev
patches, i.e. "net" or "net-next". As for this patch, I think
appropriate prefix is "[PATCH net]".
Anyway,
Reviewed-by: Shigeru Yoshida <syoshida@redhat.com>
Thanks,
Shigeru
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ipv6: delay procfs initialization after the ipv6 structs are ready
2024-03-20 17:17 [PATCH] ipv6: delay procfs initialization after the ipv6 structs are ready Nicolas Cavallari
2024-03-20 22:18 ` Kuniyuki Iwashima
2024-03-21 1:36 ` Shigeru Yoshida
@ 2024-03-21 3:39 ` Jakub Kicinski
2 siblings, 0 replies; 4+ messages in thread
From: Jakub Kicinski @ 2024-03-21 3:39 UTC (permalink / raw
To: Nicolas Cavallari
Cc: David S. Miller, David Ahern, Eric Dumazet, Paolo Abeni, netdev,
linux-kernel
On Wed, 20 Mar 2024 18:17:36 +0100 Nicolas Cavallari wrote:
> procfs files are created before the structure they reference are
> initialized. For example, if6_proc_init() creates procfs files that
> access structures initialized by addrconf_init().
>
> If ipv6 is compiled as a module and a program manages to open an ipv6
> procfs file during the loading of the module, it can oops the kernel.
>
> It appears that we were unlucky enough to reproduce this problem
> multiple times already, out of maybe 100 boots:
I haven't investigated too closely but looks like this breaks
all selftests. Please run all net/forwarding selftests before
posting v2?
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-03-21 3:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-20 17:17 [PATCH] ipv6: delay procfs initialization after the ipv6 structs are ready Nicolas Cavallari
2024-03-20 22:18 ` Kuniyuki Iwashima
2024-03-21 1:36 ` Shigeru Yoshida
2024-03-21 3:39 ` Jakub Kicinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).