Message-ID: <5ad95805.EXDIDfbk83xLufcv%lkp@intel.com>
Date: Fri, 20 Apr 2018 11:01:25 +0800
From: kernel test robot <lkp@...el.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: LKP <lkp@...org>, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, wfg@...ux.intel.com
Subject: f7e4367268 ("llc: hold llc_sap before release_sock()"): BUG: unable to handle kernel NULL pointer dereference at 0000000000000004

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
commit f7e43672683b097bb074a8fe7af9bc600a23f231
Author: Cong Wang <xiyou.wangcong@...il.com>
AuthorDate: Wed Apr 18 11:51:56 2018 -0700
Commit: David S. Miller <davem@...emloft.net>
CommitDate: Thu Apr 19 13:54:53 2018 -0400

llc: hold llc_sap before release_sock()

syzbot reported we still access llc->sap in llc_backlog_rcv()
after it is freed in llc_sap_remove_socket():

Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
llc_conn_service net/llc/llc_conn.c:400 [inline]
llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
sk_backlog_rcv include/net/sock.h:909 [inline]
__release_sock+0x12f/0x3a0 net/core/sock.c:2335
release_sock+0xa4/0x2b0 net/core/sock.c:2850
llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204

llc->sap is refcount'ed and llc_sap_remove_socket() is paired
with llc_sap_add_socket(). This can be amended by holding its refcount
before llc_sap_remove_socket() and releasing it after release_sock().

Reported-by: <syzbot+6e181fc95081c2cf9051@...kaller.appspotmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
Signed-off-by: David S. Miller <davem@...emloft.net>

02b94fc70f MAINTAINERS: Direct networking documentation changes to netdev
f7e4367268 llc: hold llc_sap before release_sock()
1255fcb2a6 net/smc: fix shutdown in state SMC_LISTEN
+------------------------------------------+------------+------------+------------+
| | 02b94fc70f | f7e4367268 | 1255fcb2a6 |
+------------------------------------------+------------+------------+------------+
| boot_successes | 35 | 2 | 8 |
| boot_failures | 0 | 11 | 11 |
| BUG:unable_to_handle_kernel | 0 | 5 | 5 |
| Oops:#[##] | 0 | 11 | 11 |
| RIP:llc_ui_release | 0 | 11 | 11 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 11 | 11 |
+------------------------------------------+------------+------------+------------+
[main] Setsockopt(1 2 693000 4) on fd 380 [17:10:768]
[main] 375 sockets created based on info from socket cachefile.
[main] Generating file descriptors
[main] Added 323 filenames from /dev
[ 27.243291] mmap: trinity-c0 (518) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
[ 27.313502] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[ 27.316567] PGD 8000000015ff3067 P4D 8000000015ff3067 PUD 15f28067 PMD 0
[ 27.319763] Oops: 0002 [#1] PREEMPT PTI
[ 27.320587] CPU: 0 PID: 510 Comm: trinity-main Not tainted 4.16.0-11886-gf7e4367 #1
[ 27.324367] RIP: 0010:llc_ui_release+0x53/0xda
[ 27.328594] RSP: 0018:ffffc9000131bde0 EFLAGS: 00010202
[ 27.329674] RAX: 0000000000000001 RBX: ffff880015174800 RCX: 0000000000000000
[ 27.331192] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880015174800
[ 27.335588] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 27.337158] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880015a50b70
[ 27.342054] R13: ffff88000037b020 R14: ffff880015a4c000 R15: ffff880015c4d880
[ 27.343540] FS: 00007fddacaae700(0000) GS:ffffffff83674000(0000) knlGS:0000000000000000
[ 27.345294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.348873] CR2: 0000000000000004 CR3: 0000000015ec0000 CR4: 00000000000006b0
[ 27.350369] DR0: 000000000068b000 DR1: 0000000000000000 DR2: 0000000000000000
[ 27.352726] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 27.356603] Call Trace:
[ 27.357141] sock_release+0x15/0x5d
[ 27.357872] sock_close+0xe/0x11
[ 27.366177] __fput+0x114/0x27d
[ 27.366854] task_work_run+0x8b/0xb3
[ 27.367587] do_exit+0x411/0xec5
[ 27.368265] ? syscall_trace_enter+0x208/0x3ff
[ 27.369167] do_group_exit+0x5d/0xd2
[ 27.369899] SyS_exit_group+0x10/0x10
[ 27.370669] do_syscall_64+0xef/0x4f0
[ 27.371417] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 27.372422] RIP: 0033:0x7fddac593408
[ 27.373161] RSP: 002b:00007ffdfc124d28 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 27.374711] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fddac593408
[ 27.387300] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 27.388714] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffffa0
[ 27.390145] R10: 00007ffdfc124ac0 R11: 0000000000000206 R12: 0000000000000004
[ 27.391560] R13: 00007ffdfc124f10 R14: 0000000000000000 R15: 0000000000000000
[ 27.393052] Code: 84 83 00 00 00 ff 43 78 0f 88 8f 70 23 00 31 f6 48 89 df e8 f0 7b f9 ff 48 89 df e8 20 7d ff ff 85 c0 74 7a 48 8b ab 48 04 00 00 <ff> 45 04 0f 88 6f 70 23 00 48 8b 43 58 f6 c4 01 74 50 48 89 df
[ 27.396817] RIP: llc_ui_release+0x53/0xda RSP: ffffc9000131bde0
[ 27.398012] CR2: 0000000000000004
[ 27.398716] ---[ end trace 0bbdb5cd4042e3c4 ]---
[ 27.409714] Kernel panic - not syncing: Fatal exception
# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start f0250ccd19ffe9683493c9b965a17b52feb71cfb 60cc43fc888428bb2f18f08997432d426a243338 --
git bisect bad aee4c52a8e10296fdb3a90614bf725e1cd756203 # 06:33 B 0 6 19 0 Merge 'rdma/wip/dl-for-rc' into devel-catchup-201804200527
git bisect bad 6cc36eca7b959d69049e04482e3ca01fb4cebec4 # 06:48 B 0 1 14 0 Merge 'net-next/master' into devel-catchup-201804200527
git bisect good 3343c5945e8a864b2c5d96443c485ec251dcfdc7 # 07:04 G 11 0 0 0 Merge 'jpirko-mlxsw/petrm_erspan' into devel-catchup-201804200527
git bisect good fc1c8776fc11649e79e545847c2fd66267fe3bc4 # 07:22 G 11 0 0 0 Merge 'linux-review/Roland-Dreier/RDMA-ucma-Allow-resolving-address-without-specifying-source-address/20180420-044005' into devel-catchup-201804200527
git bisect good 565be37aec5425628471094c8329a86992f3433f # 07:39 G 11 0 0 0 Merge 'block/for-linus' into devel-catchup-201804200527
git bisect bad 4712d54c5f6d807be2c78ac45841eb918b7ee4f4 # 07:52 B 0 11 25 0 Merge 'net/master' into devel-catchup-201804200527
git bisect good 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 # 08:08 G 11 0 0 0 team: avoid adding twice the same option to the event list
git bisect good 64e86fec54069266ba32be551d7b7f75e88ab60c # 08:30 G 11 0 0 0 net: qualcomm: rmnet: Fix warning seen with fill_info
git bisect bad 65ec0bd1c7c14522670a5294de35710fb577a7fd # 08:41 B 0 1 14 0 vmxnet3: fix incorrect dereference when rxvlan is disabled
git bisect good 5e84b38b07e676fcd3ab6e296780b4f77a29d09f # 09:04 G 11 0 0 0 net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN"
git bisect good f3335545b34315fc42cc03a83165bdd26d956584 # 09:19 G 11 0 0 0 atm: iphase: fix spelling mistake: "Tansmit" -> "Transmit"
git bisect bad f7e43672683b097bb074a8fe7af9bc600a23f231 # 09:33 B 0 2 16 0 llc: hold llc_sap before release_sock()
git bisect good 02b94fc70ffe320a7799c35e09372809e40b7131 # 10:02 G 11 0 0 0 MAINTAINERS: Direct networking documentation changes to netdev
# first bad commit: [f7e43672683b097bb074a8fe7af9bc600a23f231] llc: hold llc_sap before release_sock()
git bisect good 02b94fc70ffe320a7799c35e09372809e40b7131 # 10:10 G 31 0 0 0 MAINTAINERS: Direct networking documentation changes to netdev
# extra tests with debug options
git bisect bad f7e43672683b097bb074a8fe7af9bc600a23f231 # 10:21 B 0 6 19 0 llc: hold llc_sap before release_sock()
# extra tests on HEAD of linux-devel/devel-catchup-201804200527
git bisect bad f0250ccd19ffe9683493c9b965a17b52feb71cfb # 10:21 B 0 13 32 2 0day head guard for 'devel-catchup-201804200527'
# extra tests on tree/branch net/master
git bisect bad 1255fcb2a655f05e02f3a74675a6d6525f187afd # 10:36 B 0 1 15 0 net/smc: fix shutdown in state SMC_LISTEN
# extra tests with first bad commit reverted
git bisect good 4418dff382eb778442f4b92b0276308ba32d4c43 # 11:01 G 11 0 0 0 Revert "llc: hold llc_sap before release_sock()"
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/lkp Intel Corporation
Download attachment "dmesg-quantal-intel12-12:20180420093339:x86_64-randconfig-s0-04200522:4.16.0-11886-gf7e4367:1.gz" of type "application/gzip" (21063 bytes)
View attachment "reproduce-quantal-intel12-12:20180420093339:x86_64-randconfig-s0-04200522:4.16.0-11886-gf7e4367:1" of type "text/plain" (909 bytes)
View attachment "config-4.16.0-11886-gf7e4367" of type "text/plain" (114338 bytes)