general protection fault in skb_unlink


syzbot

May 31, 2018, 4:16:03 AM
to da...@davemloft.net, ebig...@google.com, edum...@google.com, ktk...@virtuozzo.com, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, tkla...@distanz.ch, t...@quantonium.net, vi...@zeniv.linux.org.uk
Hello,

syzbot found the following crash on:

HEAD commit: 0044cdeb7313 Merge branch 'for-linus' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=157e3d2f800000
kernel config: https://syzkaller.appspot.com/x/.config?x=968b0b23c7854c0b
dashboard link: https://syzkaller.appspot.com/bug?extid=278279efdd2730dd14bf
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=16939b2f800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1046c54f800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+278279...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 8484 Comm: syz-executor919 Not tainted 4.17.0-rc7+ #74
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__skb_unlink include/linux/skbuff.h:1844 [inline]
RIP: 0010:skb_unlink+0xc1/0x160 net/core/skbuff.c:2921
RSP: 0018:ffff8801d012f6f0 EFLAGS: 00010002
RAX: 0000000000000286 RBX: ffff8801d6e073c0 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000008
RBP: ffff8801d012f718 R08: ffffed0038bb3b6d R09: ffffed0038bb3b6c
R10: ffffed0038bb3b6c R11: ffff8801c5d9db63 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8801c5d9db60 R15: ffff8801d012fce0
FS: 0000000000ab7880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e5b000 CR3: 00000001c31fb000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kcm_recvmsg+0x48d/0x590 net/kcm/kcmsock.c:1160
sock_recvmsg_nosec+0x8c/0xb0 net/socket.c:802
___sys_recvmsg+0x2b6/0x680 net/socket.c:2279
__sys_recvmmsg+0x2f9/0xb80 net/socket.c:2391
do_sys_recvmmsg+0xe4/0x190 net/socket.c:2472
__do_sys_recvmmsg net/socket.c:2485 [inline]
__se_sys_recvmmsg net/socket.c:2481 [inline]
__x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2481
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4417a9
RSP: 002b:00007ffe27282838 EFLAGS: 00000206 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004417a9
RDX: 00000000040000f7 RSI: 00000000200002c0 RDI: 0000000000000006
RBP: 0000000000000000 R08: 0000000020000200 R09: 00007ffe272829f8
R10: 0000000000000060 R11: 0000000000000206 R12: 00000000000001f3
R13: 000000000001f871 R14: 0000000000000000 R15: 0000000000000000
Code: 00 00 00 49 8d 7d 08 4c 8b 63 08 48 ba 00 00 00 00 00 fc ff df 48 c7
43 08 00 00 00 00 48 89 f9 48 c7 03 00 00 00 00 48 c1 e9 03 <80> 3c 11 00
75 5b 4c 89 e1 4d 89 65 08 48 ba 00 00 00 00 00 fc
RIP: __skb_unlink include/linux/skbuff.h:1844 [inline] RSP: ffff8801d012f6f0
RIP: skb_unlink+0xc1/0x160 net/core/skbuff.c:2921 RSP: ffff8801d012f6f0
---[ end trace 7338a6b7e627a89e ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Paolo Abeni

Jun 5, 2018, 5:24:20 AM
to syzbot, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
--
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index d3601d421571..95e1d95ab24a 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -188,6 +188,7 @@ static void kcm_rfree(struct sk_buff *skb)
}
}

+/* RX mux lock held */
static int kcm_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct sk_buff_head *list = &sk->sk_receive_queue;
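
Review bot: The new comment above kcm_queue_rcv_skb() states a locking precondition that nothing checks. Consider backing it with lockdep_assert_held() on the mux rx_lock at the top of the function, so a caller that enters without the lock is reported under lockdep instead of relying on the comment alone.
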
@@ -1157,7 +1158,9 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
/* Finished with message */
msg->msg_flags |= MSG_EOR;
KCM_STATS_INCR(kcm->stats.rx_msgs);
+ spin_lock_bh(&kcm->mux->rx_lock);
skb_unlink(skb, &sk->sk_receive_queue);
+ spin_unlock_bh(&kcm->mux->rx_lock);
kfree_skb(skb);
}
}
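
Review bot: In kcm_recvmsg(), rx_lock is taken only around skb_unlink(); nothing in this hunk re-checks, under that lock, that skb is still on sk->sk_receive_queue. If another path can remove it between the earlier lookup and this point, the unlink still runs on a buffer that is already off the list. Suggest doing the lookup and the unlink under one lock hold, or stating why the skb cannot leave the queue in between. skb_unlink() also takes the queue's own lock internally, so this nests the queue lock inside rx_lock; that ordering should be documented.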

syzbot

Jun 5, 2018, 6:05:03 AM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+278279...@syzkaller.appspotmail.com

Tested on:

commit: 885892fb378d mlx4_core: restore optimal ICM memory allocat..
git tree: net
kernel config: https://syzkaller.appspot.com/x/.config?x=968b0b23c7854c0b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=13c24f2f800000

Note: testing is done by a robot and is best-effort only.

Paolo Abeni

Jun 5, 2018, 12:32:38 PM
to syzbot, syzkall...@googlegroups.com
Better fix, suggested by Tom H.
---
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index d3601d421571..c6e3e67e6b7c 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -223,7 +223,7 @@ static void requeue_rx_msgs(struct kcm_mux *mux, struct sk_buff_head *head)
struct sk_buff *skb;
struct kcm_sock *kcm;

- while ((skb = __skb_dequeue(head))) {
+ while ((skb = skb_dequeue(head))) {
/* Reset destructor to avoid calling kcm_rcv_ready */
skb->destructor = sock_rfree;
skb_orphan(skb);
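
Review bot: Switching requeue_rx_msgs() to skb_dequeue() serialises only this removal on the queue lock. A reader that obtained the head with skb_peek() and unlinks it later is still not atomic with respect to this loop, so the peek/unlink side needs a matching change before the race is closed. A changelog line saying which lock is meant to protect head would help as well.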

syzbot

Jun 5, 2018, 12:51:03 PM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
general protection fault in skb_unlink

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 8915 Comm: syz-executor4 Not tainted 4.17.0-rc7+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__skb_unlink include/linux/skbuff.h:1844 [inline]
RIP: 0010:skb_unlink+0xc1/0x160 net/core/skbuff.c:2921
RSP: 0018:ffff8801af47f6f0 EFLAGS: 00010002
RAX: 0000000000000286 RBX: ffff8801abbb6280 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000008
RBP: ffff8801af47f718 R08: ffffed0038eebd2d R09: ffffed0038eebd2c
R10: ffffed0038eebd2c R11: ffff8801c775e963 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8801c775e960 R15: ffff8801af47fce0
FS: 00007fd114c88700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3c33535010 CR3: 00000001ad6a0000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kcm_recvmsg+0x48d/0x590 net/kcm/kcmsock.c:1160
sock_recvmsg_nosec+0x8c/0xb0 net/socket.c:802
___sys_recvmsg+0x2b6/0x680 net/socket.c:2279
__sys_recvmmsg+0x2f9/0xb80 net/socket.c:2391
do_sys_recvmmsg+0xe4/0x190 net/socket.c:2472
__do_sys_recvmmsg net/socket.c:2485 [inline]
__se_sys_recvmmsg net/socket.c:2481 [inline]
__x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2481
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:00007fd114c87c68 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fd114c886d4 RCX: 0000000000455a09
RDX: 00000000040000f7 RSI: 00000000200002c0 RDI: 0000000000000006
RBP: 000000000072bea0 R08: 0000000020000200 R09: 0000000000000000
R10: 0000000000000060 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000574 R14: 00000000006fd380 R15: 0000000000000000
Code: 00 00 00 49 8d 7d 08 4c 8b 63 08 48 ba 00 00 00 00 00 fc ff df 48 c7
43 08 00 00 00 00 48 89 f9 48 c7 03 00 00 00 00 48 c1 e9 03 <80> 3c 11 00
75 5b 4c 89 e1 4d 89 65 08 48 ba 00 00 00 00 00 fc
RIP: __skb_unlink include/linux/skbuff.h:1844 [inline] RSP: ffff8801af47f6f0
RIP: skb_unlink+0xc1/0x160 net/core/skbuff.c:2921 RSP: ffff8801af47f6f0
---[ end trace 846e7a94a663704f ]---


Tested on:

commit: 885892fb378d mlx4_core: restore optimal ICM memory allocat..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=1152a6f7800000
kernel config: https://syzkaller.appspot.com/x/.config?x=968b0b23c7854c0b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1444d3b7800000

Paolo Abeni

Jun 6, 2018, 7:02:44 AM
to syzbot, syzkall...@googlegroups.com
Hopefully the last attempt at this. We also need to avoid the races between
skb_peek and skb_dequeue.
---
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index d3601d421571..8f43ec3df0f4 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -223,7 +223,7 @@ static void requeue_rx_msgs(struct kcm_mux *mux, struct sk_buff_head *head)
struct sk_buff *skb;
struct kcm_sock *kcm;

- while ((skb = __skb_dequeue(head))) {
+ while ((skb = skb_dequeue(head))) {
/* Reset destructor to avoid calling kcm_rcv_ready */
skb->destructor = sock_rfree;
skb_orphan(skb);
@@ -1080,12 +1080,17 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
return err;
}

-static struct sk_buff *kcm_wait_data(struct sock *sk, int flags,
+static struct sk_buff *kcm_wait_data(struct sock *sk, int flags, bool peek,
long timeo, int *err)
{
struct sk_buff *skb;

- while (!(skb = skb_peek(&sk->sk_receive_queue))) {
+ for (;; ) {
+ skb = peek ? skb_peek(&sk->sk_receive_queue):
+ skb_dequeue(&sk->sk_receive_queue);
+ if (skb)
+ break;
+
if (sk->sk_err) {
*err = sock_error(sk);
return NULL;
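
Review bot: In kcm_wait_data(), the peek == true branch still returns the result of skb_peek() with no queue lock held and no reference taken, so MSG_PEEK callers keep a bare pointer to a buffer that the skb_dequeue() in requeue_rx_msgs() can remove. Suggest taking the queue lock around the peek and holding a reference with skb_get() for the caller. Style: "for (;; )" should be "for (;;)" and the ternary needs a space before the colon.
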
@@ -1116,6 +1121,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
{
struct sock *sk = sock->sk;
struct kcm_sock *kcm = kcm_sk(sk);
+ bool peek = flags & MSG_PEEK;
int err = 0;
long timeo;
struct strp_msg *stm;
@@ -1126,7 +1132,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,

lock_sock(sk);

- skb = kcm_wait_data(sk, flags, timeo, &err);
+ skb = kcm_wait_data(sk, flags, peek, timeo, &err);
if (!skb)
goto out;

@@ -1142,7 +1148,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
goto out;

copied = len;
- if (likely(!(flags & MSG_PEEK))) {
+ if (likely(!peek)) {
KCM_STATS_ADD(kcm->stats.rx_bytes, copied);
if (copied < stm->full_len) {
if (sock->type == SOCK_DGRAM) {
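
Review bot: With the skb now dequeued in kcm_wait_data() for the non-peek case, the "goto out" at the top of this hunk leaves kcm_recvmsg() without freeing the buffer or putting it back, which leaks it. The copied < stm->full_len branch raises the same question: if it expects the message to stay on the receive queue for a later read, that no longer holds once the skb has been dequeued. Both paths need an explicit free or requeue.
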
@@ -1157,7 +1163,6 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
/* Finished with message */
msg->msg_flags |= MSG_EOR;
KCM_STATS_INCR(kcm->stats.rx_msgs);
- skb_unlink(skb, &sk->sk_receive_queue);
kfree_skb(skb);
}
}
@@ -1186,7 +1191,7 @@ static ssize_t kcm_splice_read(struct socket *sock, loff_t *ppos,

lock_sock(sk);

- skb = kcm_wait_data(sk, flags, timeo, &err);
+ skb = kcm_wait_data(sk, flags, true, timeo, &err);
if (!skb)
goto err_out;
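
The interleaving this message refers to, a reader that peeks at the queue head and unlinks it later while another path dequeues the same buffer, can be modelled in userspace. This is an added example, not code from the thread or from the kernel; struct node, push_tail(), unlink_node() and the two *_interleaving() functions are hypothetical names, and locking is left out because the steps are run one after another.

```c
#include <stdio.h>

/* Userspace model constructed for illustration: circular list with a sentinel
 * head. Calls run sequentially; each stands for one concurrent path's step. */
struct node { struct node *next, *prev; };

static void push_tail(struct node *head, struct node *n)
{
    n->next = head;
    n->prev = head->prev;
    head->prev->next = n;
    head->prev = n;
}

static struct node *peek(struct node *head)
{
    return head->next == head ? NULL : head->next;
}

/* Returns -1 where an unchecked unlink would write through a NULL pointer. */
static int unlink_node(struct node *n)
{
    struct node *next = n->next, *prev = n->prev;
    if (!next || !prev)
        return -1;
    n->next = n->prev = NULL;   /* removed nodes carry no list links */
    next->prev = prev;
    prev->next = next;
    return 0;
}

static struct node *dequeue(struct node *head)
{
    struct node *n = peek(head);
    if (n)
        unlink_node(n);
    return n;
}

/* Reader peeks, another path dequeues the same node, reader then unlinks. */
static int racy_interleaving(void)
{
    struct node head = { &head, &head }, a, *seen;
    push_tail(&head, &a);
    seen = peek(&head);          /* reader keeps a bare pointer */
    dequeue(&head);              /* other path removes the node */
    return unlink_node(seen);    /* reader unlinks a stale node */
}

/* Reader takes ownership with one dequeue; the other path gets NULL. */
static int owned_interleaving(void)
{
    struct node head = { &head, &head }, a, *mine, *other;
    push_tail(&head, &a);
    mine = dequeue(&head);
    other = dequeue(&head);
    return mine == &a && other == NULL && peek(&head) == NULL;
}

int main(void)
{
    printf("racy: %d, owned: %d\n", racy_interleaving(), owned_interleaving());
    return 0;
}
```

In the model the stale unlink is reported as -1; the unchecked list code faults at that point instead.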

syzbot

Jun 6, 2018, 7:25:04 AM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+278279...@syzkaller.appspotmail.com

Tested on:

commit: 885892fb378d mlx4_core: restore optimal ICM memory allocat..
git tree: net
kernel config: https://syzkaller.appspot.com/x/.config?x=968b0b23c7854c0b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=15d0d1d7800000

Paolo Abeni

Jun 12, 2018, 9:13:06 AM
to syzbot, syzkall...@googlegroups.com
Another attempt, with a more comprehensive solution.
--
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index 84b7d5c6fec8..3b78abfb300c 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -223,7 +223,7 @@ static void requeue_rx_msgs(struct kcm_mux *mux, struct sk_buff_head *head)
struct sk_buff *skb;
struct kcm_sock *kcm;

- while ((skb = __skb_dequeue(head))) {
+ while ((skb = skb_dequeue(head))) {
/* Reset destructor to avoid calling kcm_rcv_ready */
skb->destructor = sock_rfree;
skb_orphan(skb);
@@ -1080,12 +1080,28 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
return err;
}

-static struct sk_buff *kcm_wait_data(struct sock *sk, int flags,
+static struct sk_buff *kcm_dequeue_or_peek(struct sock *sk, bool peek)
+{
+ struct sk_buff *skb;
+ unsigned long flags;
+
+ if (!peek)
+ return skb_dequeue(&sk->sk_receive_queue);
+
+ spin_lock_irqsave(&sk->sk_receive_queue.lock, flags);
+ skb = skb_peek(&sk->sk_receive_queue);
+ if (skb)
+ skb_get(skb);
+ spin_unlock_irqrestore(&sk->sk_receive_queue.lock, flags);
+ return skb;
+}
+
+static struct sk_buff *kcm_wait_data(struct sock *sk, int flags, bool peek,
long timeo, int *err)
{
struct sk_buff *skb;

- while (!(skb = skb_peek(&sk->sk_receive_queue))) {
+ while (!(skb = kcm_dequeue_or_peek(sk, peek))) {
if (sk->sk_err) {
*err = sock_error(sk);
return NULL;
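
Review bot: kcm_dequeue_or_peek() returns an skb that the caller must release in both modes (ownership after skb_dequeue(), an extra reference after skb_get()), but nothing in the helper says so. Please add a comment stating that every return path of the callers has to drop it. The local "unsigned long flags" in the helper also sits next to the "int flags" parameter of kcm_wait_data(); naming it irqflags would avoid mixing the two up.
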
@@ -1116,6 +1132,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
{
struct sock *sk = sock->sk;
struct kcm_sock *kcm = kcm_sk(sk);
+ bool peek = flags & MSG_PEEK;
int err = 0;
long timeo;
struct strp_msg *stm;
@@ -1126,7 +1143,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,

lock_sock(sk);

- skb = kcm_wait_data(sk, flags, timeo, &err);
+ skb = kcm_wait_data(sk, flags, peek, timeo, &err);
if (!skb)
goto out;

@@ -1138,11 +1155,13 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
len = stm->full_len;

err = skb_copy_datagram_msg(skb, stm->offset, msg, len);
- if (err < 0)
+ if (err < 0) {
+ kfree_skb(skb);
goto out;
+ }

copied = len;
- if (likely(!(flags & MSG_PEEK))) {
+ if (likely(!peek)) {
KCM_STATS_ADD(kcm->stats.rx_bytes, copied);
if (copied < stm->full_len) {
if (sock->type == SOCK_DGRAM) {
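
Review bot: The new kfree_skb() on the skb_copy_datagram_msg() error path is needed to drop the reference in peek mode, but in the non-peek case the skb has already been dequeued, so a failed copy now discards the message instead of leaving it queued for a retry. If that behaviour change is intended it belongs in the changelog; otherwise the skb should go back to the head of the queue on error.
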
@@ -1157,10 +1176,9 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
/* Finished with message */
msg->msg_flags |= MSG_EOR;
KCM_STATS_INCR(kcm->stats.rx_msgs);
- skb_unlink(skb, &sk->sk_receive_queue);
- kfree_skb(skb);
}
}
+ consume_skb(skb);

out:
release_sock(sk);
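
Review bot: consume_skb(skb) now sits after the whole if block, so it also runs for the copied < stm->full_len case shown in the previous hunk. For a non-peek read that has already dequeued the skb, any unread remainder of the message would be freed with it; please confirm that the partial-read path either requeues the skb or is meant to drop the rest.
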
@@ -1186,7 +1204,7 @@ static ssize_t kcm_splice_read(struct socket *sock, loff_t *ppos,

lock_sock(sk);

- skb = kcm_wait_data(sk, flags, timeo, &err);
+ skb = kcm_wait_data(sk, flags, true, timeo, &err);
if (!skb)
goto err_out;

@@ -1200,6 +1218,7 @@ static ssize_t kcm_splice_read(struct socket *sock, loff_t *ppos,
copied = skb_splice_bits(skb, sk, stm->offset, pipe, len, flags);
if (copied < 0) {
err = copied;
+ kfree_skb(skb);
goto err_out;
}

@@ -1214,6 +1233,7 @@ static ssize_t kcm_splice_read(struct socket *sock, loff_t *ppos,
* finish reading the message.
*/

+ consume_skb(skb);
release_sock(sk);

return copied;

syzbot

Jun 12, 2018, 9:19:02 AM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

failed to checkout kernel repo
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/master: failed
to run /usr/bin/git [git checkout FETCH_HEAD]: exit status 128
Warning: you are leaving 4 commits behind, not connected to
any of your branches:

277aee3 bpf: selftest fix for sockmap
6b3ccdf bpf: sockhash fix omitted bucket lock in sock_close
945ae43 bpf: sockmap only allow ESTABLISHED sock state
6536b7d bpf: sockmap, fix crash when ipv6 sock is added

If you want to keep them by creating a new branch, this may be a good time
to do so with:

git branch <new-branch-name> 277aee3

fatal: update_ref failed for ref 'HEAD': Cannot update the ref 'HEAD':
unable to append to .git/logs/HEAD: Permission denied



Tested on:

commit: [unknown]
git tree: net
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=13a9b21f800000

Dmitry Vyukov

Jun 12, 2018, 9:20:39 AM
to syzbot, Paolo Abeni, syzkaller-bugs
On Tue, Jun 12, 2018 at 3:19 PM, syzbot
<syzbot+278279...@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot tried to test the proposed patch but build/boot failed:
>
> failed to checkout kernel repo
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/master: failed
> to run /usr/bin/git [git checkout FETCH_HEAD]: exit status 128
> Warning: you are leaving 4 commits behind, not connected to
> any of your branches:
>
> 277aee3 bpf: selftest fix for sockmap
> 6b3ccdf bpf: sockhash fix omitted bucket lock in sock_close
> 945ae43 bpf: sockmap only allow ESTABLISHED sock state
> 6536b7d bpf: sockmap, fix crash when ipv6 sock is added
>
> If you want to keep them by creating a new branch, this may be a good time
> to do so with:
>
> git branch <new-branch-name> 277aee3
>
> fatal: update_ref failed for ref 'HEAD': Cannot update the ref 'HEAD':
> unable to append to .git/logs/HEAD: Permission denied


Sorry, I broke everything. I am on it.


> Tested on:
>
> commit: [unknown]
> git tree: net
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> patch: https://syzkaller.appspot.com/x/patch.diff?x=13a9b21f800000

Dmitry Vyukov

Jun 12, 2018, 9:24:06 AM
to syzbot, Paolo Abeni, syzkaller-bugs
On Tue, Jun 12, 2018 at 3:20 PM, Dmitry Vyukov <dvy...@google.com> wrote:
> On Tue, Jun 12, 2018 at 3:19 PM, syzbot
> <syzbot+278279...@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot tried to test the proposed patch but build/boot failed:
>>
>> failed to checkout kernel repo
>> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/master: failed
>> to run /usr/bin/git [git checkout FETCH_HEAD]: exit status 128
>> Warning: you are leaving 4 commits behind, not connected to
>> any of your branches:
>>
>> 277aee3 bpf: selftest fix for sockmap
>> 6b3ccdf bpf: sockhash fix omitted bucket lock in sock_close
>> 945ae43 bpf: sockmap only allow ESTABLISHED sock state
>> 6536b7d bpf: sockmap, fix crash when ipv6 sock is added
>>
>> If you want to keep them by creating a new branch, this may be a good time
>> to do so with:
>>
>> git branch <new-branch-name> 277aee3
>>
>> fatal: update_ref failed for ref 'HEAD': Cannot update the ref 'HEAD':
>> unable to append to .git/logs/HEAD: Permission denied
>
>
> Sorry, I broke everything. I am on it.

Let's try again:
patch.txt

syzbot

Jun 12, 2018, 9:53:02 AM
to dvy...@google.com, pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+278279...@syzkaller.appspotmail.com

Tested on:

commit: 6892286e9c09 tcp: Do not reload skb pointer after skb_gro_..
git tree: net
kernel config: https://syzkaller.appspot.com/x/.config?x=398cd408de1fc39
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10eb698f800000

Shao Zhengchao

Oct 13, 2022, 3:24:05 AM
to syzkaller-bugs
Hello:
Please ask: Is there any problem with this patch? Why is this patch not merged into the mainline?

Dmitry Vyukov

Oct 13, 2022, 4:01:57 AM
to Shao Zhengchao, syzkaller-bugs
Hi Shao,

There are no kernel developers on this mailing list (it's just an archive).
You need to ask kernel developers on kernel mailing lists.

shaozhengchao

Oct 13, 2022, 4:38:47 AM
to Dmitry Vyukov, syzkaller-bugs
OK, Thank you.