From bde6f9ded1bd37ff27a042dcb968e104d92b02c1 Mon Sep 17 00:00:00 2001 
From: David Ahern
Date: Wed, 16 Sep 2015 10:16:39 -0600
Subject: [PATCH] net: Initialize table in fib result

Sergey, Richard and Fabio reported an oops in ip_route_input_noref. e.g., from Richard:

[ 0.877040] BUG: unable to handle kernel NULL pointer dereference at 0000000000000056
[ 0.877597] IP: [] ip_route_input_noref+0x1a2/0xb00
[ 0.877597] PGD 3fa14067 PUD 3fa6e067 PMD 0
[ 0.877597] Oops: 0000 [#1] SMP
[ 0.877597] Modules linked in: virtio_net virtio_pci virtio_ring virtio
[ 0.877597] CPU: 1 PID: 119 Comm: ifconfig Not tainted 4.2.0+ #1
[ 0.877597] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 0.877597] task: ffff88003fab0bc0 ti: ffff88003faa8000 task.ti: ffff88003faa8000
[ 0.877597] RIP: 0010:[] [] ip_route_input_noref+0x1a2/0xb00
[ 0.877597] RSP: 0018:ffff88003ed03ba0 EFLAGS: 00010202
[ 0.877597] RAX: 0000000000000046 RBX: 00000000ffffff8f RCX: 0000000000000020
[ 0.877597] RDX: ffff88003fab50b8 RSI: 0000000000000200 RDI: ffffffff8152b4b8
[ 0.877597] RBP: ffff88003ed03c50 R08: 0000000000000000 R09: 0000000000000000
[ 0.877597] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88003fab6f00
[ 0.877597] R13: ffff88003fab5000 R14: 0000000000000000 R15: ffffffff81cb5600
[ 0.877597] FS: 00007f6de5751700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
[ 0.877597] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.877597] CR2: 0000000000000056 CR3: 000000003fa6d000 CR4: 00000000000006e0
[ 0.877597] Stack:
[ 0.877597] 0000000000000000 0000000000000046 ffff88003fffa600 ffff88003ed03be0
[ 0.877597] ffff88003f9e2c00 697da8c0017da8c0 ffff880000000000 000000000007fd00
[ 0.877597] 0000000000000000 0000000000000046 0000000000000000 0000000400000000
[ 0.877597] Call Trace:
[ 0.877597]
[ 0.877597] [] ? cpumask_next_and+0x2f/0x40
[ 0.877597] [] arp_process+0x39c/0x690
[ 0.877597] [] arp_rcv+0x13e/0x170
[ 0.877597] [] __netif_receive_skb_core+0x60c/0xa00
[ 0.877597] [] ? __build_skb+0x25/0x100
[ 0.877597] [] ?
__build_skb+0x25/0x100 [ 0.877597] [] __netif_receive_skb+0x16/0x70 [ 0.877597] [] netif_receive_skb_internal+0x28/0x90 [ 0.877597] [] napi_gro_receive+0x7f/0xd0 [ 0.877597] [] virtnet_receive+0x256/0x910 [virtio_net] [ 0.877597] [] virtnet_poll+0x18/0x80 [virtio_net] [ 0.877597] [] net_rx_action+0x1dd/0x2f0 [ 0.877597] [] __do_softirq+0x98/0x260 [ 0.877597] [] do_softirq_own_stack+0x1c/0x30 The root cause is use of res.table uninitialized. Thanks to Nikolay for noticing the uninitialized use amongst the maze of gotos. As Nikolay pointed out the second initialization is not required to fix the oops, but rather to fix a related problem where a valid lookup should be invalidated before creating the rth entry. Fixes: b7503e0cdb5d ("net: Add FIB table id to rtable") Reported-by: Sergey Senozhatsky Reported-by: Richard Alpe Reported-by: Fabio Estevam Tested-by: Fabio Estevam Signed-off-by: David Ahern Signed-off-by: Nikolay Aleksandrov Tested-by: Sergey Senozhatsky Signed-off-by: David S. Miller --- net/ipv4/route.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index da427a4a33fe..80f7c5b7b832 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1712,6 +1712,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, goto martian_source; res.fi = NULL; + res.table = NULL; if (ipv4_is_lbcast(daddr) || (saddr == 0 && daddr == 0)) goto brd_input; @@ -1834,6 +1835,7 @@ no_route: RT_CACHE_STAT_INC(in_no_route); res.type = RTN_UNREACHABLE; res.fi = NULL; + res.table = NULL; goto local_input; /* -- 2.39.5
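Review bot: In the first hunk (ip_route_input_slow, just before the ipv4_is_lbcast() check), res is cleared one field at a time, which is the pattern that let res.table slip through when it was added to the struct. Any later field added to the fib result and read after goto brd_input would reintroduce the same uninitialized read. Consider zeroing the whole result in one place, either where res is declared (not visible in this hunk) or at this point, instead of listing res.fi and res.table individually; failing that, a short comment here saying that the brd_input path consumes res without a lookup having filled it would help the next person adding a field.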
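Review bot: In the second hunk (the no_route label), the added res.table = NULL is described in the commit message as not needed for the oops but as fixing a related problem, so it is a separate behavioural change that the code itself does not explain. A one-line comment above the res.type = RTN_UNREACHABLE assignment stating that a previously successful lookup is deliberately invalidated before goto local_input would make the intent clear; splitting this line into its own patch with its own Fixes: reasoning would also make the oops fix easier to backport and bisect.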