Received: by 10.223.176.5 with SMTP id f5csp464798wra; Tue, 30 Jan 2018 14:29:03 -0800 (PST) X-Google-Smtp-Source: AH8x224oYRjjdc5WS6ZJyvrCjr/yIU7GQnbVS2cRPSsIbVlOMm3A9ISarkbMbnING+wweeI/ixtZ X-Received: by 2002:a17:902:42a5:: with SMTP id h34-v6mr25751906pld.265.1517351342952; Tue, 30 Jan 2018 14:29:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517351342; cv=none; d=google.com; s=arc-20160816; b=Rzx47gUvVMTVCBZxLwau1DIGZtTf36GJBf/uWb/dSxtGi7sJaXp9XfLbVtL830gLC+ IfNR+voC3vmcHSqD4GCFyz6JhBAUk3iG9q/ftm1lnlIJDbCYm+bpbkTg72pOwjYGwDmf hxAVTQMn8VwrS/k6Oih0pUB5bfABRx2w/kXDz9V3II6XhMxAPOVLyqixcaraClRXmNV6 WQINPNmZREttFH0JdjrHntPGKA4TRwFeNDZrd+a3tS/0xWOtnMbs6NVgnWCSSRgceb9j yKCozHpIu1p63vgST5uO+j3fVH8wb90ABtUAQcqigozqw0Y136ng26sUKleEa4W4ui5L lUww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=UHhTwLveZrwBgaQPKDQWESfDmbje33nUQXExGuhanv8=; b=PE9TvTwV15DLx03LYjV4oX4ye27meel5AZVlR0sVASlR/RdFIDduQ6ULTfip7dyOZQ 3C8NVgNgrysjSJZ8nQ4ICM68hnYNEJitTAlO9z5qcEAkkbD2dLE7B/QCPa7HMAM0YeF9 05Ujwe8Cf9OggkfA3o9LJjuHU843quL/W+T9XbL8E0PFOWtZTplFx2tS15N7V8kDodY8 jcIMnHcABCK/szulq2BpUwiEGXZLO+AoF5UxvE5wFh4gl5TAViS8L4Ced0vH9WG0vYtK /2ETe19BHRDeOCnz0cITMaNpe2n1x8rGZxKCWUL6Ju2CnpYfeAp/Qjokbtx6jW6O+E7T 3k8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=VsXXNyGl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y128si2316626pfy.110.2018.01.30.14.28.47; Tue, 30 Jan 2018 14:29:02 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=VsXXNyGl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752772AbeA3WWf (ORCPT + 99 others); Tue, 30 Jan 2018 17:22:35 -0500 Received: from mail-io0-f175.google.com ([209.85.223.175]:43208 "EHLO mail-io0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752535AbeA3WWc (ORCPT ); Tue, 30 Jan 2018 17:22:32 -0500 Received: by mail-io0-f175.google.com with SMTP id 72so13172711iom.10; Tue, 30 Jan 2018 14:22:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=UHhTwLveZrwBgaQPKDQWESfDmbje33nUQXExGuhanv8=; b=VsXXNyGlPdQvwBt5M2NocgReCMdpmMawehYU4/G/fBQgeFHShif2USGmKLcXH4RDjw Go4M+/P2dFCia/7+44SmwraCIYMEDgrzOTTqZo6Yw5kzqyXr5GG+Q2PdqCWsSilVTtuV gH5duenuhMKdcjRJN+b77EIIRJwimTtsm2BkwUWKsqwXITm9jBw4xJzKZtZJLKL9sO9Y D9hQ/3613qxHyQM2fGvmuNZCzQutWZzdXFS2xuJyFsZOcOGAHnaWQdsJRQVpjXOxA3TN cTZbjgAYJT9z5eCUZzRYGjh9FFHxUzWuA5Z/DNktvkfgFmUxd5iHN1KPE76DqYM8uaus fWWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=UHhTwLveZrwBgaQPKDQWESfDmbje33nUQXExGuhanv8=; b=UTyCmowdO/NuVyLZoOndmVsZgFc9J1O8odJeG1clL9mI1p3mmPXyM9xzQKPN6cxNvU vYthHtD3X5TZRxjB2iv2Ox+w9mkP6amzb/QH1gtxbZ3Y5fv0ydtCCEOaeYlJ8LhFdKQg Jw18kj0mW7bfidjcsB+qN74YUARPoMJNo+6pKtWcJxcagxySJeFDRoJVHALunQ/ric9J vai4NCQibl8fVdVtC+LXDe4JJlvH0bGTogyA8rzkxYmnHfu3psc261iBJE2AwEBVdh/s R6YlJfVzQk4QE2+f2cA7S/cVBRxf0WG+RhSlq+uUjUuz9Xpg9ybJ/Zqk5F49Wos2yCmz rRlA== X-Gm-Message-State: AKwxytckRraZ8c5WHmGKTqi5mmuDSB9pO/yE9KOV0LYWwM3TgHL4ZOUQ bbKarDVP06DPUEXZkNEzB17O8qQJ3hM= X-Received: by 10.107.137.104 with SMTP id l101mr5714023iod.179.1517350951222; Tue, 30 Jan 2018 14:22:31 -0800 (PST) Received: from gmail.com ([2620:15c:17:3:dc28:5c82:b905:e8a8]) by smtp.gmail.com with ESMTPSA id n4sm1898032itg.2.2018.01.30.14.22.30 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 30 Jan 2018 14:22:30 -0800 (PST) Date: Tue, 30 Jan 2018 14:22:28 -0800 From: Eric Biggers To: Sowmini Varadhan Cc: David Miller , santosh.shilimkar@oracle.com, rds-devel@oss.oracle.com, bot+aaf54a8c644d559d34dedcf3126aac68a20c9e63@syzkaller.appspotmail.com, linux-rdma@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org Subject: Re: [rds-devel] BUG: unable to handle kernel NULL pointer dereference in rds_send_xmit Message-ID: <20180130222228.q23csjr5l666v3o5@gmail.com> References: <001a1145ac5480242305609956b3@google.com> <5ba83a68-0103-d514-1b22-900f755f5aa4@oracle.com> <20171218.121213.289437104214632276.davem@davemloft.net> <20171218172251.GD26203@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171218172251.GD26203@oracle.com> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Dec 18, 2017 at 12:22:51PM -0500, Sowmini Varadhan wrote: > > From: Santosh Shilimkar > > Date: Mon, 18 Dec 2017 08:28:05 -0800 > : > > > Looks like another one tripping on empty transport. Mostly below > > > should > > > address it but we will test it if it does. > > that was my first thought, but it cannot be the case here: rds_sendmsg > etc itself would have bombed if that were the case, and the packet > would never have gotten queued. > > This is unlike f3069c6d33, where an applications skips the transport > binding (either misses the explicit bind, or gets the wrong transport > due to an implicit bind) before it triggers the setsockopt. > > I suspect that the problems is that the conn (and thus c_trans) > have gotten destroyed, but the cp_send_w work got incorrectly > re-queued. For example, rds_cong_queue_updates() (because the > peer sent a congestion update) can happen in softirq context, > and would end up requeing work in the middle of rds_conn_destroy, > after we have assumed that everything is quisced. > > On (12/18/17 12:12), David Miller wrote: > > > > We're seeming to accumulate a lot of checks like this, maybe there > > is a more general way to deal with this problem? > > Yeah, I was thinking about this.. let me try to reprodcue this in-house > and get back with a patchset. > I assume you weren't able to reproduce this? This crash hasn't been seen again, and it was reported while KASAN was accidentally disabled in the syzbot kconfig due to a change to the kconfig menus in linux-next. So this crash was possibly caused by slab corruption elsewhere. I am invalidating the bug for syzbot so it will report the same crash signature again if it occurs, but if you think there is a real bug feel free to keep looking into it. #syz invalid Thanks, Eric