[PATCH 0/3] Fix three issues found by syzbot


Ying Xue

Aug 9, 2019, 3:29:39 AM
to da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com
In this series, we try to fix two memory leak issues and another issue of
calling smp_processor_id() in preemptible context.

Ying Xue (3):
tipc: fix memory leak issue
tipc: fix memory leak issue
tipc: fix issue of calling smp_processor_id() in preemptible

net/tipc/group.c | 22 +++++++++++++---------
net/tipc/node.c | 7 +++++--
net/tipc/udp_media.c | 12 +++++++++---
3 files changed, 27 insertions(+), 14 deletions(-)

--
2.7.4

Ying Xue

Aug 9, 2019, 4:21:56 AM
to da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com
syzbot found the following issue:

[ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
[ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
[ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
[ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.159480][ T8612] Call Trace:
[ 81.162789][ T8612] dump_stack+0x172/0x1f0
[ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280
[ 81.172479][ T8612] dst_cache_get+0x3d/0xb0
[ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80
[ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10
[ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170
[ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560
[ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0
[ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0
[ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0
[ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90
[ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0
[ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360
[ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20
[ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0
[ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360
[ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0
[ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0
[ 81.252020][ T8612] ? __nla_parse+0x43/0x60
[ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0
[ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0
[ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40
[ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0
[ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0
[ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40
[ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90
[ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790
[ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490
[ 81.303852][ T8612] ? __netlink_lookup+0x3fa/0x7b0
[ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c
[ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450
[ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90
[ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50
[ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0
[ 81.332589][ T8612] ? kasan_check_write+0x14/0x20
[ 81.337511][ T8612] genl_rcv+0x29/0x40
[ 81.341485][ T8612] netlink_unicast+0x531/0x710
[ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770
[ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0
[ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f
[ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70
[ 81.372415][ T8612] ? netlink_unicast+0x710/0x710
[ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30
[ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0
[ 81.400240][ T8612] ? netlink_unicast+0x710/0x710
[ 81.405161][ T8612] sock_sendmsg+0xd7/0x130
[ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920
[ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430
[ 81.419667][ T8612] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380
[ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490
[ 81.436174][ T8612] ? kasan_check_read+0x11/0x20
[ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0
[ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720
[ 81.457298][ T8612] ? call_rcu+0xb/0x10
[ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 81.467589][ T8612] ? __fget_light+0x1a9/0x230
[ 81.472249][ T8612] ? __fdget+0x1b/0x20
[ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0
[ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80
[ 81.492208][ T8612] ? blkcg_maybe_throttle_current+0x5e2/0xfb0
[ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 81.503726][ T8612] ? do_syscall_64+0x26/0x680
[ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.514444][ T8612] ? do_syscall_64+0x26/0x680
[ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0
[ 81.523862][ T8612] do_syscall_64+0xfd/0x680
[ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.534234][ T8612] RIP: 0033:0x444679
[ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
[ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
[ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
[ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
[ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000

In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
smp_processor_id(), called by dst_cache_get(), cannot be invoked in
preemptible context; as a result, the complaint above was reported.

Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
syzbot+1a6850...@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hda...@sina.com>
Signed-off-by: Ying Xue <ying...@windriver.com>
---
net/tipc/udp_media.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 287df687..ca3ae2e 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
struct udp_bearer *ub;
int err = 0;

+ local_bh_disable();
+
if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
if (err)
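Review bot: local_bh_disable() is placed at the very top of tipc_udp_send_msg(), ahead of the pskb_expand_head() call, which makes the non-preemptible region wider than the dst_cache_get() access the commit message identifies as the problem; scoping the disable/enable pair around the two tipc_udp_xmit() calls would be tighter and easier to audit. Whichever scope is chosen, a one-line comment stating why bottom halves are disabled here (the per-CPU dst_cache access inside tipc_udp_xmit()) would help, since nothing else in the function hints at it.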
@@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
goto out;
}

- if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
- return tipc_udp_xmit(net, skb, ub, src, dst,
- &ub->rcast.dst_cache);
+ if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
+ err = tipc_udp_xmit(net, skb, ub, src, dst,
+ &ub->rcast.dst_cache);
+ local_bh_enable();
+ return err;
+ }

/* Replicast, send an skb to each configured IP address */
list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
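Review bot: the unicast path has to call local_bh_enable() and return directly, as done here, rather than `goto out`, because `out:` also calls kfree_skb(skb) on an skb that tipc_udp_xmit() has already consumed; a short comment saying so would stop a later cleanup from folding this into a goto and introducing a double free. The `err = tipc_udp_xmit(...); return err;` rewrite itself preserves the original return value.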
@@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
err = 0;
out:
kfree_skb(skb);
+ local_bh_enable();
return err;
}

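Review bot: with local_bh_enable() at `out:`, every exit that reaches the label (the headroom failure in the first hunk, the `goto out` shown in the second, and the replicast loop errors) is now balanced against the disable at function entry, and since local_bh_disable() nests, callers that already run in softirq context are unaffected. Consider calling local_bh_enable() before kfree_skb(skb) rather than after it, so the BH-disabled window ends as soon as the transmit is done.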
--
2.7.4

Ying Xue

Aug 9, 2019, 4:21:57 AM
to da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com
syzbot found the following memory leak issue:

[ 72.286706][ T7064] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff888122bca200 (size 128):
comm "syz-executor232", pid 7065, jiffies 4294943817 (age 8.880s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 a2 bc 22 81 88 ff ff ..........."....
backtrace:
[<000000005bada299>] kmem_cache_alloc_trace+0x145/0x2c0
[<00000000e7bcdc9f>] tipc_group_create_member+0x3c/0x190
[<0000000005f56f40>] tipc_group_add_member+0x34/0x40
[<0000000044406683>] tipc_nametbl_build_group+0x9b/0xf0
[<000000009f71e803>] tipc_setsockopt+0x170/0x490
[<000000007f61cbc2>] __sys_setsockopt+0x10f/0x220
[<00000000cc630372>] __x64_sys_setsockopt+0x26/0x30
[<00000000ec30be33>] do_syscall_64+0x76/0x1a0
[<00000000271be3e6>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported-by: syzbot+f95d90...@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hda...@sina.com>
Signed-off-by: Ying Xue <ying...@windriver.com>
---
net/tipc/group.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/net/tipc/group.c b/net/tipc/group.c
index 5f98d38..cbc540a 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_find_node(struct tipc_group *grp,
return NULL;
}

-static void tipc_group_add_to_tree(struct tipc_group *grp,
- struct tipc_member *m)
+struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp,
+ struct tipc_member *m)
{
u64 nkey, key = (u64)m->node << 32 | m->port;
struct rb_node **n, *parent = NULL;
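Review bot: dropping `static` from tipc_group_add_to_tree() while changing its return type exports a symbol that is still only used inside group.c and has no prototype in a header, which sparse will flag; keep it `static struct tipc_member *`. The new contract (return the existing member on a key collision, the inserted one otherwise) should be documented in a comment above the function, since callers now depend on comparing the returned pointer against the argument.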
@@ -282,7 +282,6 @@ static void tipc_group_add_to_tree(struct tipc_group *grp,

n = &grp->members.rb_node;
while (*n) {
- tmp = container_of(*n, struct tipc_member, tree_node);
parent = *n;
tmp = container_of(parent, struct tipc_member, tree_node);
nkey = (u64)tmp->node << 32 | tmp->port;
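Review bot: removing the duplicate `tmp = container_of(*n, ...)` assignment is a correct cleanup (the value is recomputed from `parent` on the next line), but it is unrelated to the leak; mention it in the commit message or split it into its own patch so the fix stays minimal and bisectable.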
@@ -291,17 +290,18 @@ static void tipc_group_add_to_tree(struct tipc_group *grp,
else if (key > nkey)
n = &(*n)->rb_right;
else
- return;
+ return tmp;
}
rb_link_node(&m->tree_node, parent, n);
rb_insert_color(&m->tree_node, &grp->members);
+ return m;
}

static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
u32 node, u32 port,
u32 instance, int state)
{
- struct tipc_member *m;
+ struct tipc_member *m, *n;

m = kzalloc(sizeof(*m), GFP_ATOMIC);
if (!m)
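Review bot: returning `tmp` on a duplicate key is what lets the caller detect the collision, but the local added in tipc_group_create_member() (`struct tipc_member *m, *n;`) reads as a tree-node pointer next to the `rb_node **n` in the function above; a name such as `existing` would make the `n == m` test in the caller self-explanatory.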
@@ -315,10 +315,14 @@ static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
m->instance = instance;
m->bc_acked = grp->bc_snd_nxt - 1;
grp->member_cnt++;
- tipc_group_add_to_tree(grp, m);
- tipc_nlist_add(&grp->dests, m->node);
- m->state = state;
- return m;
+ n = tipc_group_add_to_tree(grp, m);
+ if (n == m) {
+ tipc_nlist_add(&grp->dests, m->node);
+ m->state = state;
+ } else {
+ kfree(m);
+ }
+ return n;
}

void tipc_group_add_member(struct tipc_group *grp, u32 node,
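Review bot: `grp->member_cnt++;` (context line just above the change) runs before tipc_group_add_to_tree(), so the new `else` branch that kfree()s the duplicate leaves member_cnt one too high on every collision; move the increment into the `n == m` branch or decrement it next to the kfree(). Also, on a duplicate the existing member is returned without its `state` being set to the requested value, which should at least be stated in the commit message as intended.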
--
2.7.4

Ying Xue

Aug 9, 2019, 4:21:57 AM
to da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com
syzbot found the following memory leak:

[ 68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff88810df83c00 (size 512):
comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
hex dump (first 32 bytes):
38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff 8.......8.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0
[<000000004c563922>] __alloc_skb+0x6e/0x210
[<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80
[<00000000d151ef84>] tipc_msg_create+0x37/0xe0
[<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
[<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
[<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
[<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0
[<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0
[<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
[<00000000b6375182>] tipc_group_delete+0xe6/0x130
[<000000000361ba2b>] tipc_sk_leave+0x57/0xb0
[<000000009df90505>] tipc_release+0x7b/0x5e0
[<000000009f3189da>] __sock_release+0x4b/0xe0
[<00000000d3568ee0>] sock_close+0x1b/0x30
[<00000000266a6215>] __fput+0xed/0x300

Reported-by: syzbot+78fbe6...@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hda...@sina.com>
Signed-off-by: Ying Xue <ying...@windriver.com>
---
net/tipc/node.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/tipc/node.c b/net/tipc/node.c
index 7ca0190..d1852fc 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1469,10 +1469,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
spin_unlock_bh(&le->lock);
tipc_node_read_unlock(n);

- if (unlikely(rc == -ENOBUFS))
+ if (unlikely(rc == -ENOBUFS)) {
tipc_node_link_down(n, bearer_id, false);
- else
+ skb_queue_purge(list);
+ skb_queue_purge(&xmitq);
+ } else {
tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr);
+ }

tipc_node_put(n);

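Review bot: purging `list` on -ENOBUFS changes the contract of tipc_node_xmit() for every caller, so the commit message should say why the skbs left in `list` can never be consumed once tipc_node_link_down() has been called; the leak backtrace shows the path tipc_node_distr_xmit() -> tipc_node_xmit(), where the return value is not checked, which is the case this purge addresses. The added skb_queue_purge(&xmitq) is harmless, but a comment on whether anything can be in xmitq when the link layer returns -ENOBUFS would make the intent clear.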
--
2.7.4

Jakub Kicinski

Aug 9, 2019, 2:49:54 PM
to Ying Xue, da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com
On Fri, 9 Aug 2019 15:16:57 +0800, Ying Xue wrote:
> Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
> syzbot+1a6850...@syzkaller.appspotmail.com
^
Reported-by: missing here?

Ying Xue

Aug 12, 2019, 3:44:52 AM
to da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com, jakub.k...@netronome.com
syzbot found the following memory leak issue:

[ 72.286706][ T7064] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff888122bca200 (size 128):
comm "syz-executor232", pid 7065, jiffies 4294943817 (age 8.880s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 a2 bc 22 81 88 ff ff ..........."....
backtrace:
[<000000005bada299>] kmem_cache_alloc_trace+0x145/0x2c0
[<00000000e7bcdc9f>] tipc_group_create_member+0x3c/0x190
[<0000000005f56f40>] tipc_group_add_member+0x34/0x40
[<0000000044406683>] tipc_nametbl_build_group+0x9b/0xf0
[<000000009f71e803>] tipc_setsockopt+0x170/0x490
[<000000007f61cbc2>] __sys_setsockopt+0x10f/0x220
[<00000000cc630372>] __x64_sys_setsockopt+0x26/0x30
[<00000000ec30be33>] do_syscall_64+0x76/0x1a0
[<00000000271be3e6>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported-by: syzbot+f95d90...@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hda...@sina.com>
Signed-off-by: Ying Xue <ying...@windriver.com>

Ying Xue

Aug 12, 2019, 3:44:58 AM
to da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com, jakub.k...@netronome.com
Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
Reported-by: syzbot+1a6850...@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hda...@sina.com>
Signed-off-by: Ying Xue <ying...@windriver.com>
---

Ying Xue

Aug 12, 2019, 3:45:29 AM
to da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com, jakub.k...@netronome.com
syzbot found the following memory leak:

[ 68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff88810df83c00 (size 512):
comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
hex dump (first 32 bytes):
38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff 8.......8.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0
[<000000004c563922>] __alloc_skb+0x6e/0x210
[<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80
[<00000000d151ef84>] tipc_msg_create+0x37/0xe0
[<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
[<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
[<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
[<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0
[<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0
[<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
[<00000000b6375182>] tipc_group_delete+0xe6/0x130
[<000000000361ba2b>] tipc_sk_leave+0x57/0xb0
[<000000009df90505>] tipc_release+0x7b/0x5e0
[<000000009f3189da>] __sock_release+0x4b/0xe0
[<00000000d3568ee0>] sock_close+0x1b/0x30
[<00000000266a6215>] __fput+0xed/0x300

Reported-by: syzbot+78fbe6...@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hda...@sina.com>
Signed-off-by: Ying Xue <ying...@windriver.com>
---

Ying Xue

Aug 12, 2019, 3:45:30 AM
to da...@davemloft.net, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com, jakub.k...@netronome.com
In this series, we try to fix two memory leak issues and another issue of
calling smp_processor_id() in preemptible context.

Changes since v1:
- Fix "Reported-by:" missing in patch #3, which was reported by Jakub
Kicinski

David Miller

Aug 12, 2019, 11:25:41 AM
to ying...@windriver.com, net...@vger.kernel.org, jon....@ericsson.com, hda...@sina.com, tipc-di...@lists.sourceforge.net, syzkall...@googlegroups.com, jakub.k...@netronome.com
From: Ying Xue <ying...@windriver.com>
Date: Mon, 12 Aug 2019 15:32:39 +0800

> Ying Xue (3):
> tipc: fix memory leak issue
> tipc: fix memory leak issue

Please make the subject lines for these two patches unique. Perhaps
mention what part of the tipc code has the memory leak you are fixing.

Thanks.

Dmitry Vyukov

Feb 19, 2020, 3:29:51 AM
to Ying Xue, David Miller, netdev, Jon Maloy, Hillf Danton, tipc-di...@lists.sourceforge.net, syzkaller-bugs, Jakub Kicinski
Hi,

Was this ever merged?
The bug is still open, alive and kicking:
https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05

and one of the top crashers currently.
Along with a few other top crashers, these bugs prevent most of the
other kernel testing from happening.

Dmitry Vyukov

Feb 19, 2020, 3:33:34 AM
to Ying Xue, David Miller, netdev, Hillf Danton, tipc-di...@lists.sourceforge.net, syzkaller-bugs, Jakub Kicinski, jma...@redhat.com
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

+jmaloy new email address

Xin Long

Feb 20, 2020, 10:43:50 AM
to Dmitry Vyukov, Ying Xue, David Miller, netdev, Hillf Danton, tipc-di...@lists.sourceforge.net, syzkaller-bugs, Jakub Kicinski, jma...@redhat.com
On Wed, Feb 19, 2020 at 4:34 PM Dmitry Vyukov <dvy...@google.com> wrote:
>
> On Wed, Feb 19, 2020 at 9:29 AM Dmitry Vyukov <dvy...@google.com> wrote:
> >
> > On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <ying...@windriver.com> wrote:
> > >
> > > syzbot found the following issue:
> > >
> > > [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
> > > [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
> > > [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
> > > [ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > [ 81.159480][ T8612] Call Trace:
> > > [ 81.162789][ T8612] dump_stack+0x172/0x1f0
> > > [ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280
> > > [ 81.172479][ T8612] dst_cache_get+0x3d/0xb0
> > > [ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80
> > > [ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10
> > > [ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170
> > > [ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560
> > > [ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0
> > > [ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0
> > > [ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0
> > > [ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90
> > > [ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0
In tipc_bearer_xmit_skb(), b->media->send_msg()/tipc_udp_send_msg()
is called under rcu_read_lock(), which already ensures it's a
non-preemptible context.

What I saw here is an imbalanced rcu_read_(un)lock() call somewhere.

Jon Maloy

Mar 18, 2020, 10:28:04 AM
to Xin Long, Dmitry Vyukov, Ying Xue, David Miller, netdev, Hillf Danton, tipc-di...@lists.sourceforge.net, syzkaller-bugs, Jakub Kicinski


On 2/20/20 10:44 AM, Xin Long wrote:
> On Wed, Feb 19, 2020 at 4:34 PM Dmitry Vyukov <dvy...@google.com> wrote:
> > On Wed, Feb 19, 2020 at 9:29 AM Dmitry Vyukov <dvy...@google.com> wrote:
> > > On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <ying...@windriver.com> wrote:
> > > > syzbot found the following issue:
> > > >
> > > > [   81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
> > > > [   81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
> > > > [   81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
> > > > [...]
> > > >
> > > > Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
> > > > Reported-by: syzbot+1a6850...@syzkaller.appspotmail.com
> > > > Signed-off-by: Hillf Danton <hda...@sina.com>
> > > > Signed-off-by: Ying Xue <ying...@windriver.com>
> > > Hi,
> > >
> > > Was this ever merged?
> > > The bug is still open, alive and kicking:
> > > https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05
> > >
> > > and one of the top crashers currently.
> > > Along with a few other top crashers, these bugs prevent most of the
> > > other kernel testing from happening.
> > /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
> >
> > +jmaloy new email address

Acked-by: Jon Maloy <jma...@redhat.com>