Message-ID: <5ad95805.EXDIDfbk83xLufcv%lkp@intel.com>
Date:   Fri, 20 Apr 2018 11:01:25 +0800
From:   kernel test robot <lkp@...el.com>
To:     Cong Wang <xiyou.wangcong@...il.com>
Cc:     LKP <lkp@...org>, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, wfg@...ux.intel.com
Subject: f7e4367268 ("llc: hold llc_sap before release_sock()"):  BUG:
 unable to handle kernel NULL pointer dereference at 0000000000000004

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master

commit f7e43672683b097bb074a8fe7af9bc600a23f231
Author:     Cong Wang <xiyou.wangcong@...il.com>
AuthorDate: Wed Apr 18 11:51:56 2018 -0700
Commit:     David S. Miller <davem@...emloft.net>
CommitDate: Thu Apr 19 13:54:53 2018 -0400

    llc: hold llc_sap before release_sock()
    
    syzbot reported we still access llc->sap in llc_backlog_rcv()
    after it is freed in llc_sap_remove_socket():
    
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1b9/0x294 lib/dump_stack.c:113
     print_address_description+0x6c/0x20b mm/kasan/report.c:256
     kasan_report_error mm/kasan/report.c:354 [inline]
     kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
     __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
     llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
     llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
     llc_conn_service net/llc/llc_conn.c:400 [inline]
     llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
     llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
     sk_backlog_rcv include/net/sock.h:909 [inline]
     __release_sock+0x12f/0x3a0 net/core/sock.c:2335
     release_sock+0xa4/0x2b0 net/core/sock.c:2850
     llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
    
    llc->sap is refcount'ed and llc_sap_remove_socket() is paired
    with llc_sap_add_socket(). This can be amended by holding its refcount
    before llc_sap_remove_socket() and releasing it after release_sock().
    
    Reported-by: <syzbot+6e181fc95081c2cf9051@...kaller.appspotmail.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
    Signed-off-by: David S. Miller <davem@...emloft.net>

02b94fc70f  MAINTAINERS: Direct networking documentation changes to netdev
f7e4367268  llc: hold llc_sap before release_sock()
1255fcb2a6  net/smc: fix shutdown in state SMC_LISTEN
+------------------------------------------+------------+------------+------------+
|                                          | 02b94fc70f | f7e4367268 | 1255fcb2a6 |
+------------------------------------------+------------+------------+------------+
| boot_successes                           | 35         | 2          | 8          |
| boot_failures                            | 0          | 11         | 11         |
| BUG:unable_to_handle_kernel              | 0          | 5          | 5          |
| Oops:#[##]                               | 0          | 11         | 11         |
| RIP:llc_ui_release                       | 0          | 11         | 11         |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 11         | 11         |
+------------------------------------------+------------+------------+------------+

[main] Setsockopt(1 2 693000 4) on fd 380 [17:10:768]
[main] 375 sockets created based on info from socket cachefile.
[main] Generating file descriptors
[main] Added 323 filenames from /dev
[   27.243291] mmap: trinity-c0 (518) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
[   27.313502] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[   27.316567] PGD 8000000015ff3067 P4D 8000000015ff3067 PUD 15f28067 PMD 0 
[   27.319763] Oops: 0002 [#1] PREEMPT PTI
[   27.320587] CPU: 0 PID: 510 Comm: trinity-main Not tainted 4.16.0-11886-gf7e4367 #1
[   27.324367] RIP: 0010:llc_ui_release+0x53/0xda
[   27.328594] RSP: 0018:ffffc9000131bde0 EFLAGS: 00010202
[   27.329674] RAX: 0000000000000001 RBX: ffff880015174800 RCX: 0000000000000000
[   27.331192] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880015174800
[   27.335588] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   27.337158] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880015a50b70
[   27.342054] R13: ffff88000037b020 R14: ffff880015a4c000 R15: ffff880015c4d880
[   27.343540] FS:  00007fddacaae700(0000) GS:ffffffff83674000(0000) knlGS:0000000000000000
[   27.345294] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   27.348873] CR2: 0000000000000004 CR3: 0000000015ec0000 CR4: 00000000000006b0
[   27.350369] DR0: 000000000068b000 DR1: 0000000000000000 DR2: 0000000000000000
[   27.352726] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[   27.356603] Call Trace:
[   27.357141]  sock_release+0x15/0x5d
[   27.357872]  sock_close+0xe/0x11
[   27.366177]  __fput+0x114/0x27d
[   27.366854]  task_work_run+0x8b/0xb3
[   27.367587]  do_exit+0x411/0xec5
[   27.368265]  ? syscall_trace_enter+0x208/0x3ff
[   27.369167]  do_group_exit+0x5d/0xd2
[   27.369899]  SyS_exit_group+0x10/0x10
[   27.370669]  do_syscall_64+0xef/0x4f0
[   27.371417]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   27.372422] RIP: 0033:0x7fddac593408
[   27.373161] RSP: 002b:00007ffdfc124d28 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   27.374711] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fddac593408
[   27.387300] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   27.388714] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffffa0
[   27.390145] R10: 00007ffdfc124ac0 R11: 0000000000000206 R12: 0000000000000004
[   27.391560] R13: 00007ffdfc124f10 R14: 0000000000000000 R15: 0000000000000000
[   27.393052] Code: 84 83 00 00 00 ff 43 78 0f 88 8f 70 23 00 31 f6 48 89 df e8 f0 7b f9 ff 48 89 df e8 20 7d ff ff 85 c0 74 7a 48 8b ab 48 04 00 00 <ff> 45 04 0f 88 6f 70 23 00 48 8b 43 58 f6 c4 01 74 50 48 89 df 
[   27.396817] RIP: llc_ui_release+0x53/0xda RSP: ffffc9000131bde0
[   27.398012] CR2: 0000000000000004
[   27.398716] ---[ end trace 0bbdb5cd4042e3c4 ]---
[   27.409714] Kernel panic - not syncing: Fatal exception

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start f0250ccd19ffe9683493c9b965a17b52feb71cfb 60cc43fc888428bb2f18f08997432d426a243338 --
git bisect  bad aee4c52a8e10296fdb3a90614bf725e1cd756203  # 06:33  B      0     6   19   0  Merge 'rdma/wip/dl-for-rc' into devel-catchup-201804200527
git bisect  bad 6cc36eca7b959d69049e04482e3ca01fb4cebec4  # 06:48  B      0     1   14   0  Merge 'net-next/master' into devel-catchup-201804200527
git bisect good 3343c5945e8a864b2c5d96443c485ec251dcfdc7  # 07:04  G     11     0    0   0  Merge 'jpirko-mlxsw/petrm_erspan' into devel-catchup-201804200527
git bisect good fc1c8776fc11649e79e545847c2fd66267fe3bc4  # 07:22  G     11     0    0   0  Merge 'linux-review/Roland-Dreier/RDMA-ucma-Allow-resolving-address-without-specifying-source-address/20180420-044005' into devel-catchup-201804200527
git bisect good 565be37aec5425628471094c8329a86992f3433f  # 07:39  G     11     0    0   0  Merge 'block/for-linus' into devel-catchup-201804200527
git bisect  bad 4712d54c5f6d807be2c78ac45841eb918b7ee4f4  # 07:52  B      0    11   25   0  Merge 'net/master' into devel-catchup-201804200527
git bisect good 4fb0534fb7bbc2346ba7d3a072b538007f4135a5  # 08:08  G     11     0    0   0  team: avoid adding twice the same option to the event list
git bisect good 64e86fec54069266ba32be551d7b7f75e88ab60c  # 08:30  G     11     0    0   0  net: qualcomm: rmnet: Fix warning seen with fill_info
git bisect  bad 65ec0bd1c7c14522670a5294de35710fb577a7fd  # 08:41  B      0     1   14   0  vmxnet3: fix incorrect dereference when rxvlan is disabled
git bisect good 5e84b38b07e676fcd3ab6e296780b4f77a29d09f  # 09:04  G     11     0    0   0  net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN"
git bisect good f3335545b34315fc42cc03a83165bdd26d956584  # 09:19  G     11     0    0   0  atm: iphase: fix spelling mistake: "Tansmit" -> "Transmit"
git bisect  bad f7e43672683b097bb074a8fe7af9bc600a23f231  # 09:33  B      0     2   16   0  llc: hold llc_sap before release_sock()
git bisect good 02b94fc70ffe320a7799c35e09372809e40b7131  # 10:02  G     11     0    0   0  MAINTAINERS: Direct networking documentation changes to netdev
# first bad commit: [f7e43672683b097bb074a8fe7af9bc600a23f231] llc: hold llc_sap before release_sock()
git bisect good 02b94fc70ffe320a7799c35e09372809e40b7131  # 10:10  G     31     0    0   0  MAINTAINERS: Direct networking documentation changes to netdev
# extra tests with debug options
git bisect  bad f7e43672683b097bb074a8fe7af9bc600a23f231  # 10:21  B      0     6   19   0  llc: hold llc_sap before release_sock()
# extra tests on HEAD of linux-devel/devel-catchup-201804200527
git bisect  bad f0250ccd19ffe9683493c9b965a17b52feb71cfb  # 10:21  B      0    13   32   2  0day head guard for 'devel-catchup-201804200527'
# extra tests on tree/branch net/master
git bisect  bad 1255fcb2a655f05e02f3a74675a6d6525f187afd  # 10:36  B      0     1   15   0  net/smc: fix shutdown in state SMC_LISTEN
# extra tests with first bad commit reverted
git bisect good 4418dff382eb778442f4b92b0276308ba32d4c43  # 11:01  G     11     0    0   0  Revert "llc: hold llc_sap before release_sock()"

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-quantal-intel12-12:20180420093339:x86_64-randconfig-s0-04200522:4.16.0-11886-gf7e4367:1.gz" of type "application/gzip" (21063 bytes)

View attachment "reproduce-quantal-intel12-12:20180420093339:x86_64-randconfig-s0-04200522:4.16.0-11886-gf7e4367:1" of type "text/plain" (909 bytes)

View attachment "config-4.16.0-11886-gf7e4367" of type "text/plain" (114338 bytes)
