Re: general protection fault in rds_ib_get_mr

2018-05-13 Thread santosh.shilim...@oracle.com

On 5/13/18 2:10 PM, Eric Biggers wrote:
> On Wed, Mar 21, 2018 at 09:00:01AM -0700, syzbot wrote:
> 
> [...]
> 
> Still reproducible on Linus' tree (commit 66e1c94db3cd4) and linux-next
> (next-20180511).  Here's a simplified reproducer:

Thanks for the test case!!

Regards,
Santosh


Re: general protection fault in rds_ib_get_mr

2018-05-13 Thread Eric Biggers

On Wed, Mar 21, 2018 at 09:00:01AM -0700, syzbot wrote:
> Hello,
> 
> syzbot hit the following crash on upstream commit
> 3215b9d57a2c75c4305a3956ca303d7004485200 (Wed Mar 21 00:44:27 2018 +)
> Merge tag 'clk-fixes-for-linus' of
> git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
> syzbot dashboard link:
> https://syzkaller.appspot.com/bug?extid=b51c77ef956678a65834
> 
> So far this crash happened 4 times on net-next, upstream.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+b51c77ef956678a65...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
> 
> audit: type=1400 audit(1521615317.627:7): avc:  denied  { map } for
> pid=4240 comm="syzkaller468044" path="/root/syzkaller468044973" dev="sda1"
> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] SMP KASAN
> Dumping ftrace buffer:
>  (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 4244 Comm: syzkaller468044 Not tainted 4.16.0-rc6+ #361
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:rds_ib_get_mr+0x5c/0x230 net/rds/ib_rdma.c:544
> Call Trace:
>  __rds_rdma_map+0x710/0x1050 net/rds/rdma.c:271
>  rds_get_mr_for_dest+0x1d4/0x2c0 net/rds/rdma.c:357
>  rds_setsockopt+0x6cc/0x980 net/rds/af_rds.c:347
>  SYSC_setsockopt net/socket.c:1849 [inline]
>  SyS_setsockopt+0x189/0x360 net/socket.c:1828
>  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x42/0xb7
> RIP: rds_ib_get_mr+0x5c/0x230 net/rds/ib_rdma.c:544 RSP: 8801b059f890
> ---[ end trace 7e1cea13b85473b0 ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
>  (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 
> 
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkal...@googlegroups.com.
> 
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is
> merged into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug report.
> Note: all commands must start from beginning of the line in the email body.

Still reproducible on Linus' tree (commit 66e1c94db3cd4) and linux-next
(next-20180511).  Here's a simplified reproducer:

#include <linux/rds.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

int main()
{
	int transport = RDS_TRANS_IB;
	int fd;

	/* Select the InfiniBand transport on an RDS socket before it is bound. */
	fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
	setsockopt(fd, SOL_RDS, SO_RDS_TRANSPORT, &transport,
		   sizeof(transport));

	if (fork()) {
		for (;;) {
			struct sockaddr_in addr = {