PPTP VPN crashes kernel in pppopns_recv_core()
Issue description

Seen on eve 65.0.3325.184:

[ 1429.855781] ------------[ cut here ]------------
[ 1429.855787] kernel BUG at ../../../../../tmp/portage/sys-kernel/chromeos-kernel-4_4-4.4.111-r1357/work/chromeos-kernel-4_4-4.4.111/include/linux/skbuff.h:1824!
[ 1429.855790] invalid opcode: 0000 [#1] PREEMPT SMP
[ 1429.857685] gsmi: Log Shutdown Reason 0x03
[ 1429.857687] Modules linked in: ip6t_REJECT nf_reject_ipv6 algif_hash algif_skcipher af_alg ccm veth cmac rfcomm uinput ip6table_filter snd_soc_kbl_rt5663_rt5514_max98927 snd_soc_hdac_hdmi snd_soc_dmic snd_soc_skl_ssp_clk snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp uvcvideo videobuf2_vmalloc snd_soc_sst_match snd_hda_ext_core videobuf2_memops videobuf2_v4l2 videobuf2_core snd_hda_core zram snd_soc_rt5514 snd_soc_rt5663 snd_soc_rt5514_spi snd_soc_max98927 bridge snd_soc_rl6231 stp llc ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_mark fuse snd_seq_dummy snd_seq snd_seq_device iio_trig_sysfs cros_ec_light_prox cros_ec_sensors cros_ec_sensors_ring cros_ec_sensors_core industrialio_triggered_buffer kfifo_buf industrialio iwlmvm iwl7000_mac80211 iwlwifi cfg80211 btusb btrtl btbcm btintel bluetooth usb_serial_simple joydev
[ 1429.857761] CPU: 3 PID: 465 Comm: irq/275-iwlwifi Not tainted 4.4.111-12565-g3574f116f40f-dirty #1
[ 1429.857763] Hardware name: Google Eve/Eve, BIOS Google_Eve.9584.107.0 11/07/2017
[ 1429.857766] task: ffff880271073800 ti: ffff88026b7d8000 task.ti: ffff88026b7d8000
[ 1429.857769] RIP: 0010:[<ffffffff849a8f31>] [<ffffffff849a8f31>] __skb_pull+0x11/0x28
[ 1429.857776] RSP: 0018:ffff88027ed83bb0 EFLAGS: 00010293
[ 1429.857779] RAX: 0000000000000154 RBX: ffff8800566deb00 RCX: 0000000000000004
[ 1429.857781] RDX: 0000000000000120 RSI: 0000000000000010 RDI: ffff8800566deb00
[ 1429.857784] RBP: ffff88027ed83bb0 R08: ffff880271073800 R09: 0000000041010002
[ 1429.857786] R10: ffff8801a28a1000 R11: ffffffff8471493f R12: ffff8801a28a0400
[ 1429.857789] R13: ffff8800565a7440 R14: ffff8801a28a10d0 R15: 0000000100113d4c
[ 1429.857792] FS: 0000000000000000(0000) GS:ffff88027ed80000(0000) knlGS:0000000000000000
[ 1429.857795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1429.857797] CR2: 000002bebe906ae8 CR3: 0000000004e10000 CR4: 0000000000360670
[ 1429.857800] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1429.857802] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1429.857804] Stack:
[ 1429.857807] ffff88027ed83bc0 ffffffff849a8f5d ffff88027ed83c00 ffffffff84714744
[ 1429.857813] 0000000000000001 ffff8801a28a1000 ffff8800566deb00 ffff8801a28a1088
[ 1429.857820] ffff8801a28a10d0 ffff8801a28a10e8 ffff88027ed83c10 ffffffff848ab68a
[ 1429.857825] Call Trace:
[ 1429.857828] <IRQ>
[ 1429.857832] [<ffffffff849a8f5d>] skb_pull+0x15/0x17
[ 1429.857838] [<ffffffff84714744>] pppopns_recv_core+0xa9/0x2a4
[ 1429.857843] [<ffffffff848ab68a>] sk_backlog_rcv+0x26/0x3b
[ 1429.857846] [<ffffffff848ac6f6>] sk_receive_skb+0x6a/0x163
[ 1429.857850] [<ffffffff84714976>] pppopns_recv+0x37/0x3e
[ 1429.857854] [<ffffffff849a8869>] sock_queue_rcv_skb+0x1ff/0x21a
[ 1429.857858] [<ffffffff8492eb27>] raw_rcv_skb+0x22/0x3c
[ 1429.857862] [<ffffffff84930043>] raw_rcv+0xc0/0xc7
[ 1429.857865] [<ffffffff849301b5>] raw_local_deliver+0x16b/0x1f4
[ 1429.857869] [<ffffffff849b6482>] ip_local_deliver+0x10f/0x1f6
[ 1429.857875] [<ffffffff8490bb15>] ? xfrm_policy_check.constprop.8+0x54/0x54
[ 1429.857878] [<ffffffff849b698b>] ip_rcv+0x422/0x487
[ 1429.857884] [<ffffffff84266702>] ? native_sched_clock+0xb/0x3a
[ 1429.857888] [<ffffffff8490b967>] ? ip_rcv_options+0x133/0x133
[ 1429.857892] [<ffffffff849ad9d6>] __netif_receive_skb_core+0x59d/0x724
[ 1429.857896] [<ffffffff849adb78>] __netif_receive_skb+0x1b/0x69
[ 1429.857900] [<ffffffff848bbaf6>] process_backlog+0x9f/0x12a
[ 1429.857904] [<ffffffff848babd3>] net_rx_action+0xf1/0x2b8
[ 1429.857912] [<ffffffff849d0ef4>] __do_softirq+0x154/0x2c7
[ 1429.857918] [<ffffffff849d00fc>] do_softirq_own_stack+0x1c/0x30
[ 1429.857920] <EOI>
[ 1429.857924] [<ffffffff8426f031>] do_softirq+0x2b/0x30
[ 1429.857928] [<ffffffff84314c1a>] __local_bh_enable_ip+0x6b/0x85
[ 1429.857936] [<ffffffffc04b0b2f>] iwl_pcie_irq_handler+0x609/0x85f [iwlwifi]
[ 1429.857940] [<ffffffff842a741b>] ? irq_finalize_oneshot+0xa9/0xa9
[ 1429.857944] [<ffffffff8432b248>] irq_thread+0x1dd/0x3c7
[ 1429.857948] [<ffffffff842a74b7>] ? irq_forced_thread_fn+0x5c/0x5c
[ 1429.857951] [<ffffffff8432b06b>] ? kref_put+0x41/0x41
[ 1429.857954] [<ffffffff84285603>] kthread+0x12f/0x137
[ 1429.857958] [<ffffffff842854d4>] ? kthread_stop+0x13a/0x13a
[ 1429.857962] [<ffffffff849ce72f>] ret_from_fork+0x3f/0x70
[ 1429.857965] [<ffffffff842854d4>] ? kthread_stop+0x13a/0x13a
[ 1429.857967] Code: e2 02 44 0f 45 eb e9 7e fe ff ff 5a 48 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 8b 47 78 55 48 89 e5 29 f0 89 47 78 3b 47 7c 73 02 <0f> 0b 89 f6 48 89 f0 48 03 87 d0 00 00 00 5d 48 89 87 d0 00 00
[ 1429.858032] RIP [<ffffffff849a8f31>] __skb_pull+0x11/0x28
[ 1429.858037] RSP <ffff88027ed83bb0>
[ 1429.858054] ---[ end trace a4a494fecb1d7cd7 ]---
[ 1429.863450] Kernel panic - not syncing: Fatal exception in interrupt

If a paged skb is passed into pppopns_recv_core(), the second skb_pull() operation may hit a BUG() when it tries to skip the Enhanced GRE Header (RFC2637 section 4.1), resulting in a kernel crash + system reboot.

This is reproducible using superfreevpn on wifi. You may need to use a tethered connection since many networks will drop (or neglect to perform NAT for) GRE traffic. This was not reproducible using a local Linux pptpd server and a wired ethernet connection.

Upstream Android bug: http://b/77140922
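Added illustration, not code from this report or from the pppopns.c fix: a userspace model of the crash path described above. The skb model, function names and packet bytes are all constructed for this example; the pull check mirrors the 4.4 __skb_pull() BUG_ON (skb->len < skb->data_len) that the trace hits, and the "fix" path mirrors the described remedy of linearizing the skb before the second pull.

```c
#include <string.h>

/* Model of the sk_buff fields involved: len counts every byte, data_len the
 * bytes held in page fragments, so only len - data_len are behind skb->data. */
struct model_skb {
    unsigned char linear[64];   /* bytes reachable through skb->data */
    unsigned char frags[64];    /* bytes the driver placed in page frags */
    unsigned int len, data_len, off;
};

/* Mirror of the 4.4 __skb_pull(): the real kernel hits
 * BUG_ON(skb->len < skb->data_len); this model returns -1 instead. */
static int model_skb_pull(struct model_skb *s, unsigned int n) {
    if (s->len < n || s->len - n < s->data_len) return -1;
    s->len -= n; s->off += n;
    return 0;
}

/* Simplified stand-in for skb_linearize(): copy the paged bytes after the
 * linear bytes so the whole packet is contiguous. */
static void model_skb_linearize(struct model_skb *s) {
    memcpy(s->linear + s->off + (s->len - s->data_len), s->frags, s->data_len);
    s->data_len = 0;
}

/* Walks the packet the way the report describes: pull the IPv4 header, then
 * the Enhanced GRE header (RFC 2637 section 4.1: flags, version, protocol
 * 0x880B, payload length, call ID, 4-byte sequence number when S is set).
 * Returns the call ID, or -1 where the unfixed code would have crashed. */
int pppopns_recv_model(struct model_skb *s, int linearize_if_needed) {
    if (model_skb_pull(s, 20) < 0) return -1;           /* IPv4 header */
    const unsigned char *h = s->linear + s->off;
    unsigned int grelen = 8 + ((h[0] & 0x10) ? 4 : 0);  /* S flag adds seq */
    if (linearize_if_needed && s->len - s->data_len < grelen)
        model_skb_linearize(s);                         /* the fix */
    if (model_skb_pull(s, grelen) < 0) return -1;       /* second pull: BUG site */
    if (((h[2] << 8) | h[3]) != 0x880B) return -1;      /* not PPP over GRE */
    return (h[6] << 8) | h[7];
}

/* Constructed packet: 20-byte IP header + 12-byte GRE (S set) + 8 payload
 * bytes; the driver left only 4 GRE bytes in the linear area. */
void make_paged_pptp_skb(struct model_skb *s) {
    static const unsigned char gre[12] = {0x30,0x81,0x88,0x0B,0,8,0x12,0x34,0,0,0,1};
    memset(s, 0, sizeof *s);
    s->linear[0] = 0x45; s->linear[9] = 47;             /* IPv4, protocol GRE */
    memcpy(s->linear + 20, gre, 4); memcpy(s->frags, gre + 4, 8);
    s->len = 40; s->data_len = 16; s->off = 0;
}
```

With the same constructed packet the unfixed path fails at the second pull (len 8 < data_len 16, the kernel's BUG_ON), while the linearizing path parses call ID 0x1234.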
Apr 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e7f21383b904ed360d4d895c992f97ecf14e099c

commit e7f21383b904ed360d4d895c992f97ecf14e099c
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Mon Apr 02 08:15:16 2018

CHROMIUM: net: pppopns: Fix crash on paged skbs

If a paged skb is passed into pppopns_recv_core(), the second skb_pull() operation may hit a BUG() when it tries to skip the Enhanced GRE Header (RFC2637 section 4.1), resulting in a kernel crash + system reboot.

Fix this by linearizing the skb, if necessary.

BUG=chromium:827901
TEST=connect to superfreevpn service using a tethered wifi uplink

Change-Id: Id127cb3ceaed5c6cf06500e470ab294780b35080
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/989405
Reviewed-by: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>

[modify] https://crrev.com/e7f21383b904ed360d4d895c992f97ecf14e099c/drivers/net/ppp/pppopns.c
Apr 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5bb6591ea5296feef2beef8f5f5e4997500f9ad5

commit 5bb6591ea5296feef2beef8f5f5e4997500f9ad5
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Mon Apr 02 08:15:18 2018

CHROMIUM: net: pppopns: Fix crash on paged skbs

If a paged skb is passed into pppopns_recv_core(), the second skb_pull() operation may hit a BUG() when it tries to skip the Enhanced GRE Header (RFC2637 section 4.1), resulting in a kernel crash + system reboot.

Fix this by linearizing the skb, if necessary.

BUG=chromium:827901
TEST=connect to superfreevpn service using a tethered wifi uplink

Change-Id: Id127cb3ceaed5c6cf06500e470ab294780b35080
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/989338
Reviewed-by: Hugo Benichi <hugobenichi@google.com>

[modify] https://crrev.com/5bb6591ea5296feef2beef8f5f5e4997500f9ad5/drivers/net/ppp/pppopns.c
Apr 2 2018
Verified on canary 10539.0.0
Apr 2 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 3 2018
Apr 3 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/934b478cc9cf8131df263af619e9961122e3b2bc

commit 934b478cc9cf8131df263af619e9961122e3b2bc
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Tue Apr 03 18:39:02 2018

CHROMIUM: net: pppopns: Fix crash on paged skbs

If a paged skb is passed into pppopns_recv_core(), the second skb_pull() operation may hit a BUG() when it tries to skip the Enhanced GRE Header (RFC2637 section 4.1), resulting in a kernel crash + system reboot.

Fix this by linearizing the skb, if necessary.

BUG=chromium:827901
TEST=connect to superfreevpn service using a tethered wifi uplink

Change-Id: Id127cb3ceaed5c6cf06500e470ab294780b35080
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/989338
Reviewed-by: Hugo Benichi <hugobenichi@google.com>
(cherry picked from commit 5bb6591ea5296feef2beef8f5f5e4997500f9ad5)
Reviewed-on: https://chromium-review.googlesource.com/992776

[modify] https://crrev.com/934b478cc9cf8131df263af619e9961122e3b2bc/drivers/net/ppp/pppopns.c
Apr 3 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6848d8b97aedd1bdb638ef5a049764b3c4d537a9

commit 6848d8b97aedd1bdb638ef5a049764b3c4d537a9
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Tue Apr 03 18:39:05 2018

CHROMIUM: net: pppopns: Fix crash on paged skbs

If a paged skb is passed into pppopns_recv_core(), the second skb_pull() operation may hit a BUG() when it tries to skip the Enhanced GRE Header (RFC2637 section 4.1), resulting in a kernel crash + system reboot.

Fix this by linearizing the skb, if necessary.

BUG=chromium:827901
TEST=connect to superfreevpn service using a tethered wifi uplink

Change-Id: Id127cb3ceaed5c6cf06500e470ab294780b35080
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/989339
Reviewed-by: Hugo Benichi <hugobenichi@google.com>
(cherry picked from commit 21d7a6f4950836bac1db9e5abffe9fd37f12920c)
Reviewed-on: https://chromium-review.googlesource.com/992777

[modify] https://crrev.com/6848d8b97aedd1bdb638ef5a049764b3c4d537a9/drivers/net/ppp/pppopns.c
Apr 3 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/55eada3e8492595c39f6778efdd1f703c8a5c9a3

commit 55eada3e8492595c39f6778efdd1f703c8a5c9a3
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Tue Apr 03 18:39:09 2018

CHROMIUM: net: pppopns: Fix crash on paged skbs

If a paged skb is passed into pppopns_recv_core(), the second skb_pull() operation may hit a BUG() when it tries to skip the Enhanced GRE Header (RFC2637 section 4.1), resulting in a kernel crash + system reboot.

Fix this by linearizing the skb, if necessary.

BUG=chromium:827901
TEST=connect to superfreevpn service using a tethered wifi uplink

Change-Id: Id127cb3ceaed5c6cf06500e470ab294780b35080
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/989405
Reviewed-by: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
(cherry picked from commit e7f21383b904ed360d4d895c992f97ecf14e099c)
Reviewed-on: https://chromium-review.googlesource.com/992778

[modify] https://crrev.com/55eada3e8492595c39f6778efdd1f703c8a5c9a3/drivers/net/ppp/pppopns.c
Apr 3 2018
Apr 5 2018
We are not planning on any additional 65 pushes so I don't think we need to bother merging.
Comment 1 by bugdroid1@chromium.org, Apr 2 2018