Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp1136091imm;
        Wed, 4 Jul 2018 12:20:49 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpfPG9xx4mzM5iD9BZBxx0DpK/MxVMFWWJM5F2/Jtt7Yq257kgiTV+mb79KP++jMgRIEnDIu
X-Received: by 2002:a62:4255:: with SMTP id p82-v6mr3397397pfa.227.1530732049022;
        Wed, 04 Jul 2018 12:20:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1530732048; cv=none;
        d=google.com; s=arc-20160816;
        b=0beREUmz/kJDrI4YGLctko1mHIHuFOCHX32T2PcU+Iy6DoJx8D8auCe9ZHOINFMU5P
         eq32uZCKnOBkIpCbix+ZkV8D0EPxdM+ucVZsnzJOI7bPhxS/+px0PT5gDSue3Rqgqgz1
         bfCu+oYdaf8BTg8AOFtjaG5i15ceLK0Q+IX9j7jvrJU9RvSIoT4SittJr9doBbYvzVJL
         KLF95p+p2TWmCVAuiogcJildVrMmrl5m2wFSjjWQbiW0+pjHFD5Y6++XKXeDDMY9/WMU
         HpQbO4YP6sMru3Pplar2pYVXLlzBXLnfCuLFjkxOlXzcjdLQo0/A61vGfFl+PvARMx1b
         s90w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=DhIwi68ugcDLxcHeMnMYX1VUBitc32G/Beu9H7QtQlI=;
        b=O9gMk86E+FCF4gKrff0fXnPx+d8tBimubpCF+VTpxDdL/2MTKm8DzlZ/kscSBzsHge
         xk0QEHj6gjGZECtCrUZ4IRveKWfpnmjLLE2GSPNL7/lAgpke/MFSMbilP/iIntLKuzE6
         BnsPaGHw2tICVBWBNjTwASrQZlc7NPu9aN8s3GSR8vVswJRfklgBlNJbRRW7T4ABCrrz
         sxIqwYFf/TGenJChhZCVcemIHbZDeeM/779ofspqxL9wIepls3+Vf0pnZ2lFiSBBx13s
         RSZhQ0H0UgdoztBrwgw1JwCpOZqWexaXMkiA9T50kt2LSU4LrFvDXxnyMav6gxNRxFaJ
         RwQQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=S8gUpoAq;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n9-v6si3966478plp.166.2018.07.04.12.20.34;
        Wed, 04 Jul 2018 12:20:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=S8gUpoAq;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752667AbeGDTT5 (ORCPT <rfc822;ntypanski@gmail.com> + 99 others);
        Wed, 4 Jul 2018 15:19:57 -0400
Received: from mail-pl0-f65.google.com ([209.85.160.65]:42671 "EHLO
        mail-pl0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752533AbeGDTTz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Jul 2018 15:19:55 -0400
Received: by mail-pl0-f65.google.com with SMTP id y8-v6so156395plr.9;
        Wed, 04 Jul 2018 12:19:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=DhIwi68ugcDLxcHeMnMYX1VUBitc32G/Beu9H7QtQlI=;
        b=S8gUpoAqxIOoQNGItSBsBG/gQUILp2wfSr8D4FLP1AI9JN+kams2BntlXNKFHtjEah
         ydTkO6yiDQd713RW6uSyHyiYKXdlyV3mtUwXXOhEHs8vqeICMKyBpRtahCTAFJHztqcB
         q81AJADrdRD7i2w4BdGcavmLawKlrZa1ercUXLRQRLMx1j6ZqwPweMPGmrpyPd483zxn
         zJV8HnpEmN+xbDfdtcguv7QYdcgIx/UVlkgeQ7005VAvJ6COQcFKxiVn787zMkDSxW89
         8ZWDD3OJF1VoaGNBc8I71MBc+qznrDAHrc+kMWD5mxrG+zFN1GrmHcwyXBeRDCTyDq0o
         5T9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=DhIwi68ugcDLxcHeMnMYX1VUBitc32G/Beu9H7QtQlI=;
        b=rMef4slw4xSXIUIGIG9exUmZWG+cJpmGmWPucLBt4esxOURfdmucH/BylmELwa4zYv
         JSooMyqr6rEeYFBecwlIbUc+XSXIhx0SsQo/x30J4TC5/eDJiCrK5oImJuReGMrvLa6x
         2xkdqsEcqPbPmP8ZBBJSXoLKUonp1INHlk6D4VzarNoGmfha4txz/4VepJ0vENN1F21Z
         kEn5rdYIjOuZSh8tofTpv4pUon2sJT5ym6wgeJtCEIehnge1VcElJ0/pGi9G2pZShvje
         lstfEyL4aOiTElmw/WyYsW4vO2ktQNg2qrMIJXx2fkUg0EkvgP0jqjXJXBT7ve8370yC
         b8Jg==
X-Gm-Message-State: APt69E18m6KB61V3Uz0YmB90aTbW4CQU2kZE7AYKeG/+EzYQY17OzJUH
        VJuJZcOWGeyfaAnCgodCPkU=
X-Received: by 2002:a17:902:2927:: with SMTP id g36-v6mr3190271plb.303.1530731994685;
        Wed, 04 Jul 2018 12:19:54 -0700 (PDT)
Received: from sol.localdomain (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198])
        by smtp.gmail.com with ESMTPSA id k13-v6sm14191152pfg.130.2018.07.04.12.19.53
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Wed, 04 Jul 2018 12:19:53 -0700 (PDT)
Date:   Wed, 4 Jul 2018 12:19:51 -0700
From:   Eric Biggers <ebiggers3@gmail.com>
To:     syzbot <syzbot+6111d5bfd5605f7520cb@syzkaller.appspotmail.com>
Cc:     davem@davemloft.net, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: general protection fault in kernel_sock_shutdown
Message-ID: <20180704191951.GA725@sol.localdomain>
References: <001a11458fb4c130d50565e41374@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <001a11458fb4c130d50565e41374@google.com>
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 23, 2018 at 08:59:01AM -0800, syzbot wrote:
> Hello,
> 
> syzbot hit the following crash on upstream commit
> af3e79d29555b97dd096e2f8e36a0f50213808a8 (Tue Feb 20 18:05:02 2018 +0000)
> Merge tag 'leds_for-4.16-rc3' of
> git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
> 
> So far this crash happened 15 times on
> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/master,
> net-next.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6111d5bfd5605f7520cb@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
> 
> audit: type=1400 audit(1519334784.255:7): avc:  denied  { map } for
> pid=4107 comm="syzkaller141165" path="/root/syzkaller141165324" dev="sda1"
> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 4107 Comm: syzkaller141165 Not tainted 4.16.0-rc2+ #324
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:kernel_sock_shutdown+0x29/0x70 net/socket.c:3250
> RSP: 0018:ffff8801c905fcc8 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff846006f4
> RDX: 0000000000000005 RSI: 0000000000000002 RDI: 0000000000000028
> RBP: ffff8801c905fce0 R08: 0000000000000000 R09: 1ffff1003920bf15
> R10: ffff8801c905f870 R11: 0000000000000001 R12: ffff8801c90267d2
> R13: 0000000000000002 R14: 0000000000000000 R15: ffff8801c905fd58
> FS:  00000000006e6880(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fc70e02f000 CR3: 00000001ca694005 CR4: 00000000001606f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  smc_shutdown+0x3ed/0x540 net/smc/af_smc.c:1268
>  SYSC_shutdown net/socket.c:1901 [inline]
>  SyS_shutdown+0x137/0x290 net/socket.c:1892
>  do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x42/0xb7
> RIP: 0033:0x43fcb9
> RSP: 002b:00007ffde8479798 EFLAGS: 00000217 ORIG_RAX: 0000000000000030
> RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcb9
> RDX: 000000000043fcb9 RSI: 0000000000000002 RDI: 0000000000000003
> RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
> R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004015e0
> R13: 0000000000401670 R14: 0000000000000000 R15: 0000000000000000
> Code: 66 90 55 48 89 e5 41 55 41 54 53 48 89 fb 41 89 f5 e8 dc 04 11 fd 48
> 8d 7b 28 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75
> 32 4c 8b 63 28 48 b8 00 00 00 00 00 fc ff df 49
> RIP: kernel_sock_shutdown+0x29/0x70 net/socket.c:3250 RSP: ffff8801c905fcc8
> ---[ end trace 187d9b346b4a5aff ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 
> 
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is
> merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title

This was fixed by commit 1255fcb2a655f0:

#syz fix: net/smc: fix shutdown in state SMC_LISTEN

This also had been reported here: https://bugzilla.kernel.org/show_bug.cgi?id=199429

- Eric