Date: Fri, 20 Apr 2018 11:04:59 +0800
From: kernel test robot <shun.hao@...el.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, LKP <lkp@...org>
Subject: [lkp-robot] f7e4367268 [ 27.313502] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master

commit f7e43672683b097bb074a8fe7af9bc600a23f231
Author: Cong Wang <xiyou.wangcong@...il.com>
AuthorDate: Wed Apr 18 11:51:56 2018 -0700
Commit: David S. Miller <davem@...emloft.net>
CommitDate: Thu Apr 19 13:54:53 2018 -0400

    llc: hold llc_sap before release_sock()

    syzbot reported we still access llc->sap in llc_backlog_rcv()
    after it is freed in llc_sap_remove_socket():

    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1b9/0x294 lib/dump_stack.c:113
     print_address_description+0x6c/0x20b mm/kasan/report.c:256
     kasan_report_error mm/kasan/report.c:354 [inline]
     kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
     __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
     llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
     llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
     llc_conn_service net/llc/llc_conn.c:400 [inline]
     llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
     llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
     sk_backlog_rcv include/net/sock.h:909 [inline]
     __release_sock+0x12f/0x3a0 net/core/sock.c:2335
     release_sock+0xa4/0x2b0 net/core/sock.c:2850
     llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204

    llc->sap is refcount'ed and llc_sap_remove_socket() is paired
    with llc_sap_add_socket(). This can be amended by holding its
    refcount before llc_sap_remove_socket() and releasing it after
    release_sock().

    Reported-by: <syzbot+6e181fc95081c2cf9051@...kaller.appspotmail.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
    Signed-off-by: David S. Miller <davem@...emloft.net>

02b94fc70f  MAINTAINERS: Direct networking documentation changes to netdev
f7e4367268  llc: hold llc_sap before release_sock()
1255fcb2a6  net/smc: fix shutdown in state SMC_LISTEN

+------------------------------------------+------------+------------+------------+
|                                          | 02b94fc70f | f7e4367268 | 1255fcb2a6 |
+------------------------------------------+------------+------------+------------+
| boot_successes                           | 35         | 2          | 8          |
| boot_failures                            | 0          | 11         | 11         |
| BUG:unable_to_handle_kernel              | 0          | 5          | 5          |
| Oops:#[##]                               | 0          | 11         | 11         |
| RIP:llc_ui_release                       | 0          | 11         | 11         |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 11         | 11         |
+------------------------------------------+------------+------------+------------+

[main] Setsockopt(1 2 693000 4) on fd 380 [17:10:768]
[main] 375 sockets created based on info from socket cachefile.
[main] Generating file descriptors
[main] Added 323 filenames from /dev
[ 27.243291] mmap: trinity-c0 (518) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
[ 27.313502] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[ 27.316567] PGD 8000000015ff3067 P4D 8000000015ff3067 PUD 15f28067 PMD 0
[ 27.319763] Oops: 0002 [#1] PREEMPT PTI
[ 27.320587] CPU: 0 PID: 510 Comm: trinity-main Not tainted 4.16.0-11886-gf7e4367 #1
[ 27.324367] RIP: 0010:llc_ui_release+0x53/0xda
[ 27.328594] RSP: 0018:ffffc9000131bde0 EFLAGS: 00010202
[ 27.329674] RAX: 0000000000000001 RBX: ffff880015174800 RCX: 0000000000000000
[ 27.331192] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880015174800
[ 27.335588] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 27.337158] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880015a50b70
[ 27.342054] R13: ffff88000037b020 R14: ffff880015a4c000 R15: ffff880015c4d880
[ 27.343540] FS: 00007fddacaae700(0000) GS:ffffffff83674000(0000) knlGS:0000000000000000
[ 27.345294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.348873] CR2: 0000000000000004 CR3: 0000000015ec0000 CR4: 00000000000006b0
[ 27.350369] DR0: 000000000068b000 DR1: 0000000000000000 DR2: 0000000000000000
[ 27.352726] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 27.356603] Call Trace:
[ 27.357141] sock_release+0x15/0x5d
[ 27.357872] sock_close+0xe/0x11
[ 27.366177] __fput+0x114/0x27d
[ 27.366854] task_work_run+0x8b/0xb3
[ 27.367587] do_exit+0x411/0xec5
[ 27.368265] ? syscall_trace_enter+0x208/0x3ff
[ 27.369167] do_group_exit+0x5d/0xd2
[ 27.369899] SyS_exit_group+0x10/0x10
[ 27.370669] do_syscall_64+0xef/0x4f0
[ 27.371417] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 27.372422] RIP: 0033:0x7fddac593408
[ 27.373161] RSP: 002b:00007ffdfc124d28 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 27.374711] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fddac593408
[ 27.387300] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 27.388714] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffffa0
[ 27.390145] R10: 00007ffdfc124ac0 R11: 0000000000000206 R12: 0000000000000004
[ 27.391560] R13: 00007ffdfc124f10 R14: 0000000000000000 R15: 0000000000000000
[ 27.393052] Code: 84 83 00 00 00 ff 43 78 0f 88 8f 70 23 00 31 f6 48 89 df e8 f0 7b f9 ff 48 89 df e8 20 7d ff ff 85 c0 74 7a 48 8b ab 48 04 00 00 <ff> 45 04 0f 88 6f 70 23 00 48 8b 43 58 f6 c4 01 74 50 48 89 df
[ 27.396817] RIP: llc_ui_release+0x53/0xda RSP: ffffc9000131bde0
[ 27.398012] CR2: 0000000000000004
[ 27.398716] ---[ end trace 0bbdb5cd4042e3c4 ]---
[ 27.409714] Kernel panic - not syncing: Fatal exception

# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start f0250ccd19ffe9683493c9b965a17b52feb71cfb 60cc43fc888428bb2f18f08997432d426a243338 --
git bisect bad aee4c52a8e10296fdb3a90614bf725e1cd756203 # 06:33 B 0 6 19 0 Merge 'rdma/wip/dl-for-rc' into devel-catchup-201804200527
git bisect bad 6cc36eca7b959d69049e04482e3ca01fb4cebec4 # 06:48 B 0 1 14 0 Merge 'net-next/master' into devel-catchup-201804200527
git bisect good 3343c5945e8a864b2c5d96443c485ec251dcfdc7 # 07:04 G 11 0 0 0 Merge 'jpirko-mlxsw/petrm_erspan' into devel-catchup-201804200527
git bisect good fc1c8776fc11649e79e545847c2fd66267fe3bc4 # 07:22 G 11 0 0 0 Merge 'linux-review/Roland-Dreier/RDMA-ucma-Allow-resolving-address-without-specifying-source-address/20180420-044005' into devel-catchup-201804200527
git bisect good 565be37aec5425628471094c8329a86992f3433f # 07:39 G 11 0 0 0 Merge 'block/for-linus' into devel-catchup-201804200527
git bisect bad 4712d54c5f6d807be2c78ac45841eb918b7ee4f4 # 07:52 B 0 11 25 0 Merge 'net/master' into devel-catchup-201804200527
git bisect good 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 # 08:08 G 11 0 0 0 team: avoid adding twice the same option to the event list
git bisect good 64e86fec54069266ba32be551d7b7f75e88ab60c # 08:30 G 11 0 0 0 net: qualcomm: rmnet: Fix warning seen with fill_info
git bisect bad 65ec0bd1c7c14522670a5294de35710fb577a7fd # 08:41 B 0 1 14 0 vmxnet3: fix incorrect dereference when rxvlan is disabled
git bisect good 5e84b38b07e676fcd3ab6e296780b4f77a29d09f # 09:04 G 11 0 0 0 net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN"
git bisect good f3335545b34315fc42cc03a83165bdd26d956584 # 09:19 G 11 0 0 0 atm: iphase: fix spelling mistake: "Tansmit" -> "Transmit"
git bisect bad f7e43672683b097bb074a8fe7af9bc600a23f231 # 09:33 B 0 2 16 0 llc: hold llc_sap before release_sock()
git bisect good 02b94fc70ffe320a7799c35e09372809e40b7131 # 10:02 G 11 0 0 0 MAINTAINERS: Direct networking documentation changes to netdev
# first bad commit: [f7e43672683b097bb074a8fe7af9bc600a23f231] llc: hold llc_sap before release_sock()
git bisect good 02b94fc70ffe320a7799c35e09372809e40b7131 # 10:10 G 31 0 0 0 MAINTAINERS: Direct networking documentation changes to netdev
# extra tests with debug options
git bisect bad f7e43672683b097bb074a8fe7af9bc600a23f231 # 10:21 B 0 6 19 0 llc: hold llc_sap before release_sock()
# extra tests on HEAD of linux-devel/devel-catchup-201804200527
git bisect bad f0250ccd19ffe9683493c9b965a17b52feb71cfb # 10:21 B 0 13 32 2 0day head guard for 'devel-catchup-201804200527'
# extra tests on tree/branch net/master
git bisect bad 1255fcb2a655f05e02f3a74675a6d6525f187afd # 10:36 B 0 1 15 0 net/smc: fix shutdown in state SMC_LISTEN
# extra tests with first bad commit reverted
git bisect good 4418dff382eb778442f4b92b0276308ba32d4c43 # 11:01 G 11 0 0 0 Revert "llc: hold llc_sap before release_sock()"

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-quantal-intel12-12:20180420093339:x86_64-randconfig-s0-04200522:4.16.0-11886-gf7e4367:1.gz" of type "application/gzip" (21063 bytes)
View attachment "reproduce-quantal-intel12-12:20180420093339:x86_64-randconfig-s0-04200522:4.16.0-11886-gf7e4367:1" of type "text/plain" (909 bytes)
View attachment "config-4.16.0-11886-gf7e4367" of type "text/plain" (114338 bytes)