From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sowmini Varadhan
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in rds_send_xmit
Date: Mon, 18 Dec 2017 08:55:24 -0500
Message-ID: <20171218135524.GA26203@oracle.com>
References: <001a1145ac5480242305609956b3@google.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: netdev@vger.kernel.org, rds-devel@oss.oracle.com, syzkaller-bugs@googlegroups.com
To: syzbot
Return-path:
Received: from aserp2120.oracle.com ([141.146.126.78]:51562 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758247AbdLRNzg (ORCPT ); Mon, 18 Dec 2017 08:55:36 -0500
Content-Disposition: inline
In-Reply-To: <001a1145ac5480242305609956b3@google.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

On (12/18/17 00:43), syzbot wrote:
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
> program syz-executor6 is using a deprecated SCSI ioctl, please convert it to
> SG_IO
> IP: rds_send_xmit+0x80/0x930 net/rds/send.c:186

conn->c_trans is at offset 0x28.

Both this and https://marc.info/?l=linux-netdev&m=151360062922798&w=2
are manifestations of the same bug: somehow the cp_send_w is still getting
queued incorrectly after the conn destroy is initiated (commit 681648e67d
fixes one such window, maybe there are others). Let me look at how this
slipped through the cracks.

--Sowmini
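The failure mode described in the reply (send work queued against a connection whose teardown has already begun, so the worker later dereferences a NULL transport pointer) can be modelled in user space. The program below is an added illustration, not RDS code and not the fix in commit 681648e67d; the struct names, the toy work queue and the "destroying" flag are all hypothetical. It contrasts an unguarded queueing path with one that refuses work once teardown has started, and shows why the teardown order (flag, cancel pending work, then drop the transport) matters. In the kernel the worker's NULL check would not exist and the dereference would be the reported crash; here the worker returns an error so the scenario can count how often the window was hit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model (constructed for this example, not the RDS structures):
 * a connection path with a transport pointer, a teardown flag, and a tiny
 * work queue standing in for the workqueue that cp_send_w is queued on. */
struct xmit_trans {
    int (*xmit)(const char *msg);
};

struct conn_path {
    struct xmit_trans *c_trans;  /* becomes NULL during destroy */
    bool destroying;             /* set as soon as teardown begins */
    int sends_done;
};

#define QUEUE_CAP 8
static struct conn_path *work_queue[QUEUE_CAP];
static int queue_len;

static int model_xmit(const char *msg) { (void)msg; return 0; }
static struct xmit_trans model_trans = { model_xmit };

/* Unguarded path: queues send work without looking at teardown state.
 * Returns 1 if queued, -1 if the queue is full. */
int queue_send_work_unguarded(struct conn_path *cp)
{
    if (queue_len >= QUEUE_CAP)
        return -1;
    work_queue[queue_len++] = cp;
    return 1;
}

/* Guarded path: refuses new work once teardown has started (returns 0). */
int queue_send_work_guarded(struct conn_path *cp)
{
    if (cp->destroying)
        return 0;
    return queue_send_work_unguarded(cp);
}

/* Worker body. The kernel would dereference c_trans unconditionally; the
 * model returns -1 instead so callers can count the near-miss. */
int send_xmit(struct conn_path *cp)
{
    struct xmit_trans *trans = cp->c_trans;
    if (trans == NULL)
        return -1;
    trans->xmit("payload");
    cp->sends_done++;
    return 0;
}

/* Drop every queued item belonging to cp; returns how many were cancelled. */
int cancel_pending_work(struct conn_path *cp)
{
    int kept = 0, cancelled = 0;
    for (int i = 0; i < queue_len; i++) {
        if (work_queue[i] == cp)
            cancelled++;
        else
            work_queue[kept++] = work_queue[i];
    }
    queue_len = kept;
    return cancelled;
}

/* Teardown in the safe order: flag first so new work is refused, then
 * cancel what is already queued, and only then drop the transport. */
void conn_path_destroy(struct conn_path *cp)
{
    cp->destroying = true;
    cancel_pending_work(cp);
    cp->c_trans = NULL;
}

/* Drain the queue; returns the number of items that met a NULL transport. */
int run_queue(void)
{
    int null_trans = 0;
    for (int i = 0; i < queue_len; i++)
        if (send_xmit(work_queue[i]) < 0)
            null_trans++;
    queue_len = 0;
    return null_trans;
}

/* A late caller tries to queue send work after destroy has completed.
 * Returns the number of worker runs that saw a NULL transport:
 * 1 with the unguarded path, 0 with the guarded one. */
int scenario_late_queue(bool guarded)
{
    struct conn_path cp = { &model_trans, false, 0 };
    queue_len = 0;
    queue_send_work_guarded(&cp);   /* ordinary traffic before teardown */
    run_queue();                    /* completes normally */
    conn_path_destroy(&cp);
    if (guarded)
        queue_send_work_guarded(&cp);
    else
        queue_send_work_unguarded(&cp);
    return run_queue();
}

/* Work already pending when destroy runs must be cancelled, not left for
 * the worker to find a NULL transport. Returns the cancelled count. */
int scenario_pending_at_destroy(void)
{
    struct conn_path cp = { &model_trans, false, 0 };
    queue_len = 0;
    queue_send_work_guarded(&cp);
    cp.destroying = true;
    return cancel_pending_work(&cp);
}

int main(void)
{
    printf("unguarded late queue: %d NULL-transport run(s)\n", scenario_late_queue(false));
    printf("guarded late queue:   %d NULL-transport run(s)\n", scenario_late_queue(true));
    printf("pending at destroy:   %d cancelled\n", scenario_pending_at_destroy());
    return 0;
}
```

The check in queue_send_work_guarded closes only the window where the caller arrives after the flag is set; a caller that has already passed the check when destroy begins is the reason the cancel step in conn_path_destroy is still needed, which is the sort of second window the reply says may remain.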