From: Dmitry Vyukov
Date: Sun, 1 Apr 2018 12:29:03 +0200
Subject: Re: BUG: corrupted list in sctp_association_free
To: Neil Horman
Cc: Xin Long, syzbot, davem, LKML, linux-sctp@vger.kernel.org, network dev, syzkaller-bugs@googlegroups.com, Vlad Yasevich
In-Reply-To: <20180313111245.GB18164@hmswarspite.think-freely.org>
References: <001a113ec036450c260567464832@google.com> <20180313111245.GB18164@hmswarspite.think-freely.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 13, 2018 at 12:12 PM, Neil Horman wrote:
> On Tue, Mar 13, 2018 at 02:09:09PM +0300, Dmitry Vyukov wrote:
>> On Tue, Mar 13, 2018 at 1:44 PM, Xin Long wrote:
>> > On Tue, Mar 13, 2018 at 3:34 PM, syzbot wrote:
>> >> Hello,
>> >>
>> >> syzbot hit the following crash on net-next commit
>> >> fd372a7a9e5e9d8011a0222d10edd3523abcd3b1 (Thu Mar 8 19:43:48 2018 +0000)
>> >> Merge tag 'mlx5-updates-2018-02-28-2' of
>> >> git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux
>> >>
>> >> Unfortunately, I don't have any reproducer for this crash yet.
>> >> Raw console output is attached.
>> >> compiler: gcc (GCC) 7.1.1 20170620
>> >> .config is attached.
>> >>
>> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> >> Reported-by: syzbot+e56a5d45f832ef33ad2f@syzkaller.appspotmail.com
>> >> It will help syzbot understand when the bug is fixed. See footer for
>> >> details.
>> >> If you forward the report, please keep this part and the footer.
>> >>
>> >> selinux_nlmsg_perm: 1 callbacks suppressed
>> >> SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
>> >> sclass=netlink_route_socket pig=12502 comm=syz-executor3
>> >> SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
>> >> sclass=netlink_route_socket pig=12528 comm=syz-executor3
>> >> list_del corruption, 00000000fcc5fb27->next is LIST_POISON1
>> >> (00000000cb16e51d)
>> >> ------------[ cut here ]------------
>> >> kernel BUG at lib/list_debug.c:47!
>> >> invalid opcode: 0000 [#1] SMP KASAN
>> >> Dumping ftrace buffer:
>> >> (ftrace buffer empty)
>> >> Modules linked in:
>> >> CPU: 0 PID: 12537 Comm: syz-executor2 Not tainted 4.16.0-rc4+ #258
>> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> >> Google 01/01/2011
>> >> RIP: 0010:__list_del_entry_valid+0xd3/0x150 lib/list_debug.c:45
>> >> RSP: 0018:ffff8801b6387778 EFLAGS: 00010286
>> >> RAX: 000000000000004e RBX: dead000000000200 RCX: 0000000000000000
>> >> RDX: 000000000000004e RSI: ffffc90002ed6000 RDI: ffffed0036c70ee3
>> >> RBP: ffff8801b6387790 R08: 1ffff10036c70e3b R09: 0000000000000000
>> >> R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000100
>> >> R13: ffff8801d3164000 R14: ffff8801d8502220 R15: ffff8801b6387c58
>> >> FS:  00007ff42042f700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
>> >> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> >> CR2: 00007ff42040ddb8 CR3: 00000001bd840003 CR4: 00000000001606f0
>> >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> >> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> >> Call Trace:
>> >>  __list_del_entry include/linux/list.h:117 [inline]
>> >>  list_del include/linux/list.h:125 [inline]
>> >>  sctp_association_free+0x133/0x930 net/sctp/associola.c:341
>> >>  sctp_sendmsg+0xc67/0x1a80 net/sctp/socket.c:2075
>> >>  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
>> >>  sock_sendmsg_nosec net/socket.c:629 [inline]
>> >>  sock_sendmsg+0xca/0x110 net/socket.c:639
>> >>  SYSC_sendto+0x361/0x5c0 net/socket.c:1748
>> >>  SyS_sendto+0x40/0x50 net/socket.c:1716
>> >>  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
>> >>  entry_SYSCALL_64_after_hwframe+0x42/0xb7
>> >> RIP: 0033:0x453e69
>> >> RSP: 002b:00007ff42042ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
>> >> RAX: ffffffffffffffda RBX: 00007ff42042f6d4 RCX: 0000000000453e69
>> >> RDX: 0000000000000001 RSI: 0000000020000340 RDI: 0000000000000015
>> >> RBP: 000000000072c0c8 R08: 00000000204d9000 R09: 000000000000001c
>> >> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
>> >> R13: 00000000000004cd R14: 00000000006f73d8 R15: 0000000000000003
>> >> Code: 8f 00 00 00 49 8b 54 24 08 48 39 f2 75 3b 48 83 c4 08 b8 01 00 00 00
>> >> 5b 41 5c 5d c3 4c 89 e2 48 c7 c7 c0 7c 40 86 e8 75 f6 fb fe <0f> 0b 48 c7 c7
>> >> 20 7d 40 86 e8 67 f6 fb fe 0f 0b 48 c7 c7 80 7d
>> >> RIP: __list_del_entry_valid+0xd3/0x150 lib/list_debug.c:45 RSP:
>> >> ffff8801b6387778
>> >> ---[ end trace a6b157f61f9bd43a ]---
>> >> Kernel panic - not syncing: Fatal exception
>> >> Dumping ftrace buffer:
>> >> (ftrace buffer empty)
>> >> Kernel Offset: disabled
>> >> Rebooting in 86400 seconds..
>> >>
>> >>
>> >> ---
>> >> This bug is generated by a dumb bot. It may contain errors.
>> >> See https://goo.gl/tpsmEJ for details.
>> >> Direct all questions to syzkaller@googlegroups.com.
>> >>
>> >> syzbot will keep track of this bug report.
>> >> If you forgot to add the Reported-by tag, once the fix for this bug is
>> >> merged
>> >> into any tree, please reply to this email with:
>> >> #syz fix: exact-commit-title
>> >> To mark this as a duplicate of another syzbot report, please reply with:
>> >> #syz dup: exact-subject-of-another-report
>> >> If it's a one-off invalid bug report, please reply with:
>> >> #syz invalid
>> >> Note: if the crash happens again, it will cause creation of a new bug
>> >> report.
>> >> Note: all commands must start from beginning of the line in the email body.
>> > I'd think the patch Neil just posted would fix it.
>>
>> Hi Xin,
>>
>> Could you point me to that commit? We need to tell syzbot about it.
>> Thanks
> It's not been pulled in yet, but this is the email thread:
> https://marc.info/?l=linux-netdev&m=152093814606747&w=2
>
> I agree this patch should fix the crash syzbot noted

#syz fix: sctp: fix error return code in sctp_sendmsg_new_asoc()