Message-ID: <5080BBF9.1080208@oracle.com>
Date:	Thu, 18 Oct 2012 22:33:29 -0400
From:	Sasha Levin <sasha.levin@...cle.com>
To:	vyasevich@...il.com, sri@...ibm.com, davem@...emloft.net
CC:	linux-sctp@...r.kernel.org, netdev@...r.kernel.org,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Dave Jones <davej@...hat.com>
Subject: net,sctp: oops in sctp_do_sm

Hi all,

While fuzzing with trinity inside a KVM tools (lkvm) guest running today's linux-next, I've
stumbled on the following:

[  439.574039] BUG: unable to handle kernel paging request at ffff88001b9f40c8
[  439.576486] IP: [<ffffffff83746fc3>] sctp_do_sm+0x293/0x310
[  439.578128] PGD 4e27063 PUD 4e2b063 PMD 1fa57067 PTE 1b9f4160
[  439.580796] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[  439.581635] Dumping ftrace buffer:
[  439.582171]    (ftrace buffer empty)
[  439.582673] CPU 3
[  439.582957] Pid: 7101, comm: trinity-child16 Tainted: G        W    3.7.0-rc1-next-20121018-sasha-00002-g60a870d-dirty #62
[  439.582986] RIP: 0010:[<ffffffff83746fc3>]  [<ffffffff83746fc3>] sctp_do_sm+0x293/0x310
[  439.582986] RSP: 0018:ffff880010c57988  EFLAGS: 00010286
[  439.582986] RAX: 0000000000000003 RBX: 0000000000000001 RCX: 0000000000000006
[  439.582986] RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff880010c579d0
[  439.582986] RBP: ffff880010c57ae8 R08: 0000000000000000 R09: 0000000000000000
[  439.582986] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000004
[  439.582986] R13: ffff88001b9f4000 R14: ffff880065d22600 R15: 0000000000000003
[  439.582986] FS:  00007f9a949c3700(0000) GS:ffff880067600000(0000) knlGS:0000000000000000
[  439.582986] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  439.582986] CR2: ffff88001b9f40c8 CR3: 0000000015850000 CR4: 00000000000406e0
[  439.582986] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  439.582986] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  439.582986] Process trinity-child16 (pid: 7101, threadinfo ffff880010c56000, task ffff880010a98000)
[  439.582986] Stack:
[  439.582986]  ffffffff000000d0 0000000000000000 ffffffff84c92d36 ffffffff84cc4b50
[  439.582986]  ffffffff83763b30 0000000000000004 ffffffff842c0370 0000000181152f15
[  439.582986]  ffff880010c579f8 0000000000000002 0000000000000015 0000000000000000
[  439.582986] Call Trace:
[  439.582986]  [<ffffffff83763b30>] ? sctp_cname+0x70/0x70
[  439.582986]  [<ffffffff83761403>] sctp_primitive_SHUTDOWN+0x43/0x50
[  439.582986]  [<ffffffff8375bd70>] sctp_close+0x150/0x310
[  439.606533]  [<ffffffff8351bf22>] inet_release+0x1b2/0x1c0
[  439.606533]  [<ffffffff8351bd8d>] ? inet_release+0x1d/0x1c0
[  439.606533]  [<ffffffff83578b04>] inet6_release+0x34/0x60
[  439.606533]  [<ffffffff833c17b8>] sock_release+0x18/0x80
[  439.610261]  [<ffffffff833c1849>] sock_close+0x29/0x30
[  439.610261]  [<ffffffff812773f2>] __fput+0x122/0x2d0
[  439.610261]  [<ffffffff812775a9>] ____fput+0x9/0x10
[  439.610261]  [<ffffffff81131afe>] task_work_run+0xbe/0x100
[  439.610261]  [<ffffffff811107e2>] do_exit+0x432/0xbd0
[  439.610261]  [<ffffffff811243d9>] ? get_signal_to_deliver+0x899/0x910
[  439.610261]  [<ffffffff8117b2e2>] ? get_lock_stats+0x22/0x70
[  439.610261]  [<ffffffff8117b36e>] ? put_lock_stats.isra.16+0xe/0x40
[  439.610261]  [<ffffffff83a6802b>] ? _raw_spin_unlock_irq+0x2b/0x80
[  439.610261]  [<ffffffff81111044>] do_group_exit+0x84/0xd0
[  439.610261]  [<ffffffff8112433d>] get_signal_to_deliver+0x7fd/0x910
[  439.610261]  [<ffffffff8117dffd>] ? trace_hardirqs_off+0xd/0x10
[  439.620391]  [<ffffffff819fe7db>] ? debug_object_assert_init+0xbb/0x110
[  439.620391]  [<ffffffff8106d59a>] do_signal+0x3a/0x950
[  439.620391]  [<ffffffff811c62c3>] ? rcu_cleanup_after_idle+0x23/0x170
[  439.620391]  [<ffffffff811ca824>] ? rcu_eqs_exit_common+0x64/0x270
[  439.620391]  [<ffffffff811c90bd>] ? rcu_user_enter+0x10d/0x140
[  439.620391]  [<ffffffff811cae05>] ? rcu_user_exit+0xc5/0xf0
[  439.620391]  [<ffffffff8106df1f>] do_notify_resume+0x4f/0xa0
[  439.620391]  [<ffffffff83a69bea>] int_signal+0x12/0x17
[  439.620391] Code: e8 eb 48 2c 00 0f 0b 90 41 b8 f4 ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 8b 35 5a 0a 06 02 85 f6 74 66 4d 85 ed 75 04 31 c0 eb 2a <41> 8b b5 c8 00 00 00 44 89 85 b8 fe ff ff 49 8b 7e 20 e8 f6 51
[  439.630251] RIP  [<ffffffff83746fc3>] sctp_do_sm+0x293/0x310
[  439.630251]  RSP <ffff880010c57988>
[  439.630251] CR2: ffff88001b9f40c8
[  439.630251] ---[ end trace aa5ad9f036ee09dd ]---

This points to the DEBUG_POST_SFX macro in sctp_do_sm().


Thanks,
Sasha
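
An added triage sketch, not part of the original message and not kernel code: it reads the fault address, registers and page-fault error code from the oops above and decodes the instruction at the `<41>` marker to see which register the faulting load went through. The excerpt and instruction bytes are copied from the report; the function names are this example's own.

```python
import re
import struct

# Lines copied from the oops quoted above (not new data).
OOPS = """\
[  439.574039] BUG: unable to handle kernel paging request at ffff88001b9f40c8
[  439.580796] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[  439.582986] RAX: 0000000000000003 RBX: 0000000000000001 RCX: 0000000000000006
[  439.582986] RDX: 0000000000000003 RSI: 0000000000000001 RDI: ffff880010c579d0
[  439.582986] RBP: ffff880010c57ae8 R08: 0000000000000000 R09: 0000000000000000
[  439.582986] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000004
[  439.582986] R13: ffff88001b9f4000 R14: ffff880065d22600 R15: 0000000000000003
[  439.582986] CR2: ffff88001b9f40c8 CR3: 0000000015850000 CR4: 00000000000406e0
"""
# Bytes from the "Code:" line, starting at the <41> fault marker.
FAULT_INSN = bytes.fromhex("418bb5c8000000")

REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR2):\s*([0-9a-f]{16})\b")
NAMES64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{i}" for i in range(8, 16)]

def parse_registers(text):
    """Map register name -> value for the 64-bit values in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def decode_error_code(text):
    """Split the x86 page-fault error code printed after 'Oops:' into flag bits."""
    code = int(re.search(r"Oops: ([0-9a-f]{4})", text).group(1), 16)
    return {"page_present": bool(code & 1), "write": bool(code & 2),
            "user_mode": bool(code & 4), "instruction_fetch": bool(code & 16)}

def base_candidates(regs, window=0x1000):
    """Registers that CR2 lies fewer than `window` bytes above: likely base pointers."""
    cr2 = regs["CR2"]
    return {n: cr2 - v for n, v in regs.items() if n != "CR2" and 0 <= cr2 - v < window}

def decode_mov_load(insn):
    """Decode only 'REX 8b /r' with mod=10 (base + disp32, no SIB)."""
    rex, opcode, modrm = insn[0], insn[1], insn[2]
    if (rex & 0xF0) != 0x40 or opcode != 0x8B:
        raise ValueError("not a REX-prefixed 8b load")
    mod, rm = modrm >> 6, modrm & 7
    if mod != 2 or rm == 4:
        raise ValueError("addressing form not handled by this sketch")
    return NAMES64[rm | ((rex & 1) << 3)], struct.unpack_from("<i", insn, 3)[0]

if __name__ == "__main__":
    print(base_candidates(parse_registers(OOPS)), decode_error_code(OOPS), decode_mov_load(FAULT_INSN))
```

On this report the only candidate base is R13 at offset 0xc8, the instruction decodes to a load through r13 with that same displacement, and the error code describes a kernel-mode read of a not-present page.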