general protection fault in rdma_resolve_route
13 views
Skip to first unread message
syzbot
Apr 19, 2018, 12:04:03 PM4/19/18
to dan...@mellanox.com, dasaratharama...@intel.com, dled...@redhat.com, j...@ziepe.ca, le...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, mo...@mellanox.com, pa...@mellanox.com, sw...@opengridcomputing.com, syzkall...@googlegroups.com
Hello,
syzbot hit the following crash on upstream commit
a27fc14219f2e3c4a46ba9177b04d9b52c875532 (Mon Apr 16 21:07:39 2018 +0000)
Merge branch 'parisc-4.17-3' of
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=17c13600b3977aa8ef7f
So far this crash happened 2 times on upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6198183931674624
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-5914490758943236750
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+17c136...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 750 Comm: syz-executor4 Not tainted 4.17.0-rc1+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:rdma_cap_ib_sa include/rdma/ib_verbs.h:2840 [inline]
RIP: 0010:rdma_resolve_route+0x134/0x2160 drivers/infiniband/core/cma.c:2668
RSP: 0018:ffff8801b3e87850 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8801abf92c00 RCX: 0000000000000029
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000148
RBP: ffff8801b3e87a00 R08: ffffed00357f25e5 R09: ffffed00357f25e4
R10: ffffed00357f25e4 R11: ffff8801abf92f23 R12: 1ffff100367d0f12
R13: dffffc0000000000 R14: ffff8801abf92db8 R15: 0000000000000000
FS: 00007f673e752700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000a3eab8 CR3: 00000001b10e7000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ucma_resolve_route+0x179/0x1c0 drivers/infiniband/core/ucma.c:741
ucma_write+0x328/0x410 drivers/infiniband/core/ucma.c:1664
__vfs_write+0x10b/0x880 fs/read_write.c:485
vfs_write+0x1f8/0x560 fs/read_write.c:549
ksys_write+0xf9/0x250 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455329
RSP: 002b:00007f673e751c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f673e7526d4 RCX: 0000000000455329
RDX: 0000000000000010 RSI: 0000000020000100 RDI: 0000000000000014
RBP: 000000000072c010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000006c3 R14: 00000000006fd2e8 R15: 0000000000000002
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 14 1c 00 00 48 ba 00 00 00 00 00
fc ff df 48 8b 03 48 8d b8 48 01 00 00 48 89 f9 48 c1 e9 03 <80> 3c 11 00
0f 85 d7 1b 00 00 45 0f b6 ef 49 c1 e5 04 4c 03 a8
RIP: rdma_cap_ib_sa include/rdma/ib_verbs.h:2840 [inline] RSP:
ffff8801b3e87850
RIP: rdma_resolve_route+0x134/0x2160 drivers/infiniband/core/cma.c:2668
RSP: ffff8801b3e87850
---[ end trace c34c2fb6aeff4a19 ]---
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzbot hit the following crash on upstream commit
a27fc14219f2e3c4a46ba9177b04d9b52c875532 (Mon Apr 16 21:07:39 2018 +0000)
Merge branch 'parisc-4.17-3' of
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=17c13600b3977aa8ef7f
So far this crash happened 2 times on upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6198183931674624
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-5914490758943236750
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+17c136...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 750 Comm: syz-executor4 Not tainted 4.17.0-rc1+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:rdma_cap_ib_sa include/rdma/ib_verbs.h:2840 [inline]
RIP: 0010:rdma_resolve_route+0x134/0x2160 drivers/infiniband/core/cma.c:2668
RSP: 0018:ffff8801b3e87850 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8801abf92c00 RCX: 0000000000000029
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000148
RBP: ffff8801b3e87a00 R08: ffffed00357f25e5 R09: ffffed00357f25e4
R10: ffffed00357f25e4 R11: ffff8801abf92f23 R12: 1ffff100367d0f12
R13: dffffc0000000000 R14: ffff8801abf92db8 R15: 0000000000000000
FS: 00007f673e752700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000a3eab8 CR3: 00000001b10e7000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ucma_resolve_route+0x179/0x1c0 drivers/infiniband/core/ucma.c:741
ucma_write+0x328/0x410 drivers/infiniband/core/ucma.c:1664
__vfs_write+0x10b/0x880 fs/read_write.c:485
vfs_write+0x1f8/0x560 fs/read_write.c:549
ksys_write+0xf9/0x250 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455329
RSP: 002b:00007f673e751c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f673e7526d4 RCX: 0000000000455329
RDX: 0000000000000010 RSI: 0000000020000100 RDI: 0000000000000014
RBP: 000000000072c010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000006c3 R14: 00000000006fd2e8 R15: 0000000000000002
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 14 1c 00 00 48 ba 00 00 00 00 00
fc ff df 48 8b 03 48 8d b8 48 01 00 00 48 89 f9 48 c1 e9 03 <80> 3c 11 00
0f 85 d7 1b 00 00 45 0f b6 ef 49 c1 e5 04 4c 03 a8
RIP: rdma_cap_ib_sa include/rdma/ib_verbs.h:2840 [inline] RSP:
ffff8801b3e87850
RIP: rdma_resolve_route+0x134/0x2160 drivers/infiniband/core/cma.c:2668
RSP: ffff8801b3e87850
---[ end trace c34c2fb6aeff4a19 ]---
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
Parav Pandit
Apr 19, 2018, 12:12:25 PM4/19/18
to syzbot, Daniel Jurgens, dasaratharama...@intel.com, dled...@redhat.com, j...@ziepe.ca, le...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, Moni Shoua, sw...@opengridcomputing.com, syzkall...@googlegroups.com
> -----Original Message-----
> From: syzbot
> [mailto:syzbot+17c136...@syzkaller.appspotmail.com]
> Sent: Thursday, April 19, 2018 11:04 AM
> To: Daniel Jurgens <dan...@mellanox.com>;
> dasaratharama...@intel.com; dled...@redhat.com;
> j...@ziepe.ca; le...@kernel.org; linux-...@vger.kernel.org; linux-
> rd...@vger.kernel.org; Moni Shoua <mo...@mellanox.com>; Parav Pandit
> <pa...@mellanox.com>; sw...@opengridcomputing.com; syzkaller-
> bu...@googlegroups.com
> Subject: general protection fault in rdma_resolve_route
Currently its done at several places in ucma commands such as ucma_set_ib_path, ucma_notify etc.
Jason Gunthorpe
Apr 19, 2018, 12:23:12 PM4/19/18
to Parav Pandit, syzbot, Daniel Jurgens, dasaratharama...@intel.com, dled...@redhat.com, le...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, Moni Shoua, sw...@opengridcomputing.com, syzkall...@googlegroups.com
> > This bug is generated by a dumb bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for details.
> > Direct all questions to syzk...@googlegroups.com.
> >
> > syzbot will keep track of this bug report.
> > If you forgot to add the Reported-by tag, once the fix for this bug is merged into
> > any tree, please reply to this email with:
> > #syz fix: exact-commit-title
> > To mark this as a duplicate of another syzbot report, please reply with:
> > #syz dup: exact-subject-of-another-report If it's a one-off invalid bug report,
> > please reply with:
> > #syz invalid
> > Note: if the crash happens again, it will cause creation of a new bug report.
> > Note: all commands must start from beginning of the line in the email body.
>
> For short term, we need helper similar to ucma_get_ctx() as ucma_get_ctx_with_device() which performs NULL check for cm_id->device.
> Currently its done at several places in ucma commands such as ucma_set_ib_path, ucma_notify etc.
Like this?
> > See https://goo.gl/tpsmEJ for details.
> > Direct all questions to syzk...@googlegroups.com.
> >
> > syzbot will keep track of this bug report.
> > If you forgot to add the Reported-by tag, once the fix for this bug is merged into
> > any tree, please reply to this email with:
> > #syz fix: exact-commit-title
> > To mark this as a duplicate of another syzbot report, please reply with:
> > #syz dup: exact-subject-of-another-report If it's a one-off invalid bug report,
> > please reply with:
> > #syz invalid
> > Note: if the crash happens again, it will cause creation of a new bug report.
> > Note: all commands must start from beginning of the line in the email body.
>
> For short term, we need helper similar to ucma_get_ctx() as ucma_get_ctx_with_device() which performs NULL check for cm_id->device.
> Currently its done at several places in ucma commands such as ucma_set_ib_path, ucma_notify etc.
https://patchwork.kernel.org/patch/10323727/
But I thought when I wrote this I couldn't find a case where the NULL
check was possible due to how the FSM was supposed to work :(
Ie how does this in rdma_resolve_route succeed without a cm_id->device?
if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_RESOLVED, RDMA_CM_ROUTE_QUERY))
return -EINVAL;
Why hasn't state RDMA_CM_ADDR_RESOLVED set the device?
Is that the real bug here?
Jason
syzbot
Feb 22, 2019, 5:34:26 AM2/22/19
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages