general protection fault in __rds_rdma_map
17 views
Skip to first unread message
syzbot
Nov 27, 2017, 1:30:02āÆPM11/27/17
to da...@davemloft.net, linux-...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, rds-...@oss.oracle.com, santosh....@oracle.com, syzkall...@googlegroups.com
Hello,
syzkaller hit the following crash on
e1d1ea549b57790a3d8cf6300e6ef86118d692a3
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
RDS: rds_bind could not find a transport for 224.0.0.2, load rds_tcp or
rds_rdma?
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3078 Comm: syzkaller719569 Not tainted 4.14.0+ #189
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801cbbda580 task.stack: ffff8801cb8d0000
RIP: 0010:__rds_rdma_map+0x133/0x1050 net/rds/rdma.c:191
RSP: 0018:ffff8801cb8d7a28 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8801cb8d7bd0 RCX: ffffffff84c0b20d
RDX: 0000000000000018 RSI: ffff8801cb8d7bd0 RDI: 00000000000000c0
RBP: ffff8801cb8d7b90 R08: ffffed003971af96 R09: ffffed003971af96
R10: 0000000000000000 R11: ffffed003971af95 R12: 0000000000000000
R13: ffff8801cb407480 R14: 0000000000000000 R15: ffff8801cb407480
FS: 00007fb0be5a3700(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb0be5a2e78 CR3: 00000001cfc07000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rds_get_mr_for_dest+0x1bb/0x290 net/rds/rdma.c:357
rds_setsockopt+0x6b9/0x970 net/rds/af_rds.c:347
SYSC_setsockopt net/socket.c:1851 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1830
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x44a789
RSP: 002b:00007fb0be5a2dc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044a789
RDX: 0000000000000007 RSI: 0000400000000114 RDI: 0000000000000004
RBP: 0000000000000086 R08: 00000000000000a0 R09: 00007fb0be5a3700
R10: 0000000020000ffc R11: 0000000000000202 R12: 0000000000000000
R13: 00000000007efe3f R14: 00007fb0be5a39c0 R15: 0000000000000000
Code: 57 0d 00 00 48 8b 85 f0 fe ff ff 4c 8b a0 c0 04 00 00 48 b8 00 00 00
00 00 fc ff df 49 8d bc 24 c0 00 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00
0f 85 6a 0e 00 00 49 83 bc 24 c0 00 00 00 00 0f 84
RIP: __rds_rdma_map+0x133/0x1050 net/rds/rdma.c:191 RSP: ffff8801cb8d7a28
---[ end trace 5e0e31770c7b70a7 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzkaller hit the following crash on
e1d1ea549b57790a3d8cf6300e6ef86118d692a3
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
RDS: rds_bind could not find a transport for 224.0.0.2, load rds_tcp or
rds_rdma?
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3078 Comm: syzkaller719569 Not tainted 4.14.0+ #189
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801cbbda580 task.stack: ffff8801cb8d0000
RIP: 0010:__rds_rdma_map+0x133/0x1050 net/rds/rdma.c:191
RSP: 0018:ffff8801cb8d7a28 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8801cb8d7bd0 RCX: ffffffff84c0b20d
RDX: 0000000000000018 RSI: ffff8801cb8d7bd0 RDI: 00000000000000c0
RBP: ffff8801cb8d7b90 R08: ffffed003971af96 R09: ffffed003971af96
R10: 0000000000000000 R11: ffffed003971af95 R12: 0000000000000000
R13: ffff8801cb407480 R14: 0000000000000000 R15: ffff8801cb407480
FS: 00007fb0be5a3700(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb0be5a2e78 CR3: 00000001cfc07000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rds_get_mr_for_dest+0x1bb/0x290 net/rds/rdma.c:357
rds_setsockopt+0x6b9/0x970 net/rds/af_rds.c:347
SYSC_setsockopt net/socket.c:1851 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1830
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x44a789
RSP: 002b:00007fb0be5a2dc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044a789
RDX: 0000000000000007 RSI: 0000400000000114 RDI: 0000000000000004
RBP: 0000000000000086 R08: 00000000000000a0 R09: 00007fb0be5a3700
R10: 0000000020000ffc R11: 0000000000000202 R12: 0000000000000000
R13: 00000000007efe3f R14: 00007fb0be5a39c0 R15: 0000000000000000
Code: 57 0d 00 00 48 8b 85 f0 fe ff ff 4c 8b a0 c0 04 00 00 48 b8 00 00 00
00 00 fc ff df 49 8d bc 24 c0 00 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00
0f 85 6a 0e 00 00 49 83 bc 24 c0 00 00 00 00 0f 84
RIP: __rds_rdma_map+0x133/0x1050 net/rds/rdma.c:191 RSP: ffff8801cb8d7a28
---[ end trace 5e0e31770c7b70a7 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
Santosh Shilimkar
Nov 27, 2017, 3:39:07āÆPM11/27/17
to linux...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, da...@davemloft.net, linux-...@vger.kernel.org, rds-...@oss.oracle.com
On 11/27/2017 10:30 AM, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> e1d1ea549b57790a3d8cf6300e6ef86118d692a3
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See
> https://urldefense.proofpoint.com/v2/url?u=https-3A__goo.gl_kgGztJ&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=hWpFvp_cTkkwMMULcvbV65orOO9Gv3OUaY0ATWhQwak&m=0pw38xYdDB2QuLTkc6b0N3240iyzMU13jwFZvLaxDSo&s=0kx55ufXFnBORomS71r4MtXomSqMRKhkHI1tGM3oPic&e=
> Hello,
>
> syzkaller hit the following crash on
> e1d1ea549b57790a3d8cf6300e6ef86118d692a3
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See
>
> for information about syzkaller reproducers
>
>
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> RDS: rds_bind could not find a transport for 224.0.0.2, load rds_tcp or
> rds_rdma?
Seems like the RDMA operation got triggered on the non RDMA transport
> for information about syzkaller reproducers
>
>
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> RDS: rds_bind could not find a transport for 224.0.0.2, load rds_tcp or
> rds_rdma?
lead to non populated rs->rs_transport->get_mr(). Also seems like the
tests was running in the namespace and the RDMA transport doesn't
yet support it. Thanks for reporting. Will look into fix internally.
Regards,
Santosh
Eric Biggers
Jan 30, 2018, 4:14:37āÆPM1/30/18
to syzbot, da...@davemloft.net, linux-...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, rds-...@oss.oracle.com, santosh....@oracle.com, syzkall...@googlegroups.com
#syz fix: rds: Fix NULL pointer dereference in __rds_rdma_map
Or Gerlitz
Jan 30, 2018, 4:35:10āÆPM1/30/18
to Eric Biggers, santosh shilimkar, rds-...@oss.oracle.com, syzkall...@googlegroups.com
some rdma device on the VM
where the syz bot runs? is it backed up by real HW card probed to the
VM or it's software based (e.g
some sort of emulator or software-RoCE (RXE driver))
Eric Biggers
Jan 30, 2018, 4:52:32āÆPM1/30/18
to Or Gerlitz, santosh shilimkar, rds-...@oss.oracle.com, syzkall...@googlegroups.com
Hi Or,
I don't think there is any rdma device at all; it's just testing a kernel with
tons of config options enabled, including CONFIG_RDS and CONFIG_RDS_TCP. And it
has definitions for AF_RDS:
https://github.com/google/syzkaller/blob/master/sys/linux/socket_rds.txt
tons of config options enabled, including CONFIG_RDS and CONFIG_RDS_TCP. And it
has definitions for AF_RDS:
https://github.com/google/syzkaller/blob/master/sys/linux/socket_rds.txt
Dmitry Vyukov
Jan 31, 2018, 8:12:15āÆAM1/31/18
to Eric Biggers, Or Gerlitz, santosh shilimkar, rds-...@oss.oracle.com, syzkall...@googlegroups.com
If there something reasonably simple that we can do to improve RDS
coverage, then we can look into it. E.g. we use tun to emulate remote
network activity, and vcan devices to test AF_CAN.
You can see current code coverage that we get on RDS here (use drop
down menu on top to select files):
https://drive.google.com/file/d/1X2Yzd7NKMcxH1gyYoFFnlwTEoXjQ3SAU/view?usp=sharing
Santosh Shilimkar
Jan 31, 2018, 11:32:47āÆAM1/31/18
to Dmitry Vyukov, Eric Biggers, Or Gerlitz, rds-...@oss.oracle.com, syzkall...@googlegroups.com
On 1/31/2018 5:11 AM, Dmitry Vyukov wrote:
> On Tue, Jan 30, 2018 at 10:52 PM, Eric Biggers <ebig...@gmail.com> wrote:
>> Hi Or,
[...]
> On Tue, Jan 30, 2018 at 10:52 PM, Eric Biggers <ebig...@gmail.com> wrote:
>> Hi Or,
>>> I wondered how rds-rdma comes into play on these tests? do you have
>>> some rdma device on the VM
>>> where the syz bot runs? is it backed up by real HW card probed to the
>>> VM or it's software based (e.g
>>> some sort of emulator or software-RoCE (RXE driver))
>>
>> I don't think there is any rdma device at all; it's just testing a kernel with
>> tons of config options enabled, including CONFIG_RDS and CONFIG_RDS_TCP. And it
>> has definitions for AF_RDS:
>> https://github.com/google/syzkaller/blob/master/sys/linux/socket_rds.txt
>
>
>
> What Eric said. This is a VM with no special setup for RDS.
> If there something reasonably simple that we can do to improve RDS
> coverage, then we can look into it. E.g. we use tun to emulate remote
> network activity, and vcan devices to test AF_CAN.
hardware. With SOFT ROCE driver getting mature, one can use that
device as RDMA device and run RDS RDMA over it.
Regards,
Santosh
Reply all
Reply to author
Forward
0 new messages