* Re: [net 1/1] tipc: don't assume linear buffer when reading ancillary data
From: David Miller @ 2018-11-18 6:08 UTC (permalink / raw)
To: donmalo99
Cc: netdev, gordan.mihaljevic, tung.q.nguyen, hoang.h.le, jon.maloy,
maloy, xinl, ying.xue, tipc-discussion
In-Reply-To: <1542475026-20413-1-git-send-email-jon.maloy@ericsson.com>
From: Jon Maloy <donmalo99@gmail.com>
Date: Sat, 17 Nov 2018 12:17:06 -0500
> The code for reading ancillary data from a received buffer is assuming
> the buffer is linear. To make this assumption true we have to linearize
> the buffer before message data is read.
>
> Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Applied and queued up for -stable, thanks Jon.
^ permalink raw reply
* Re: [PATCH 0/3] Fix unsafe BPF_PROG_TEST_RUN interface
From: Y Song @ 2018-11-18 6:13 UTC (permalink / raw)
To: lmb; +Cc: Alexei Starovoitov, Daniel Borkmann, netdev, linux-api
In-Reply-To: <20181116125329.3974-1-lmb@cloudflare.com>
On Fri, Nov 16, 2018 at 12:54 PM Lorenz Bauer <lmb@cloudflare.com> wrote:
>
> Right now, there is no safe way to use BPF_PROG_TEST_RUN with data_out.
> This is because bpf_test_finish copies the output buffer to user space
> without checking its size. This can lead to the kernel overwriting
> data in user space after the buffer if xdp_adjust_head and friends are
> in play.
>
> Fix this by using bpf_attr.test.data_size_out as a size hint. The old
> behaviour is retained if size_hint is zero.
There is a slight change of user space behavior for this patch.
Without this patch, the value bpf_attr.test.data_size_out is output only.
For example,
output buffer : out_buf (user allocated size 10)
data_size_out is a random value (e.g., 1),
The actual data to copy is 5.
In today's implementation, the kernel will copy 5 and set data_size_out is 5.
With this patch, the kernel will copy 1 and set data_size_out is 5.
I am not 100% sure at this time whether we CAN overload data_size_out
since it MAY break existing applications.
Alternativley, we can append another field to bpf_attr.test
__u32 data_out_size;
this will provide the data_out buffer size.
Inside kernel, if the user input attr is smaller than kernel and does not
have data_out_size, the current behavior should be used. Otherwise,
data_out_size is data_out buffer size.
Daniel and Alexei, which option do you think is reasonable?
>
> Interestingly, do_test_single() in test_verifier.c already assumes
> that this is the intended use of data_size_out, and sets it to the
> output buffer size.
>
> Lorenz Bauer (3):
> bpf: respect size hint to BPF_PROG_TEST_RUN if present
> libbpf: require size hint in bpf_prog_test_run
> selftests: add a test for bpf_prog_test_run output size
>
> net/bpf/test_run.c | 9 ++++-
> tools/lib/bpf/bpf.c | 4 ++-
> tools/testing/selftests/bpf/test_progs.c | 44 ++++++++++++++++++++++++
> 3 files changed, 55 insertions(+), 2 deletions(-)
>
> --
> 2.17.1
>
^ permalink raw reply
* Re: [PATCH v3] net: Add trace events for all receive exit points
From: David Miller @ 2018-11-18 6:19 UTC (permalink / raw)
To: mathieu.desnoyers; +Cc: gbastien, netdev, rostedt, mingo
In-Reply-To: <1286988499.7245.1542479249307.JavaMail.zimbra@efficios.com>
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Sat, 17 Nov 2018 13:27:29 -0500 (EST)
> I see two possible solutions:
>
> 1) Remove the "skb" argument from the sbk_exit tracepoints completely.
> Anyway, I think it's not really needed for analysis purposes because
> we can link the "entry" with the associated "exit" using the thread ID
> executing those tracepoints. (Geneviève, would that work for your
> analyses ?)
>
> 2) Move the skb_exit tracepoints before freeing the skb pointer. My
> concern here is that the instrumentation may become much uglier than
> the currently proposed patch. (I have not looked at the specifics
> though, so I may be wrong.)
>
> Do you have a preference between those two approaches, or perhaps you
> have an alternative solution in mind ?
I wonder how other situations handle this.
About #2, if you put the tracepoint beforehand you can't log the
'ret' value. So at least in that regard I prefer #1.
If tracepoints generally handle this by matching up the thread
ID, then definitely that's how we should do it here too instead
of trying to use the SKB pointer for this purpose.
^ permalink raw reply
* Re: [PATCH 2/7] dt-bindings: net: phy: add bindings for the IC Plus Corp. IP101A/G PHYs
From: Andrew Lunn @ 2018-11-18 17:03 UTC (permalink / raw)
To: Martin Blumenstingl
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <20181117182007.14791-3-martin.blumenstingl@googlemail.com>
On Sat, Nov 17, 2018 at 07:20:02PM +0100, Martin Blumenstingl wrote:
> The IP101A and IP101G series both have various models. Depending on the
> board implementation we need a special property for the IP101GR (32-pin
> LQFP package) PHY:
> pin 21 ("RXER/INTR_32") outputs the "receive error" signal by default
> (LOW means "normal operation", HIGH means that there's either a decoding
> error of the received signal or that the PHY is receiving LPI). This pin
> can also be switched to INTR32 mode, where the interrupt signal is
> routed to this pin. The other PHYs don't need this special handling
> because they have more pins available so the interrupt function gets a
> dedicated pin.
>
> This adds two properties to either select the "receive error" or
> "interrupt" function of pin 21. Not specifying any function means that
> the default set by the bootloader is used. This is required because the
> IP101GR cannot be differentiated between other IP101 PHYs as the PHY
> identification registers on all of these is 0x02430c54.
Hi Martin
Not being able to identify the device is a real problem here.
I did wonder about adding a property which tells you if this is the R
variant, but the binding you suggests seems equally good.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Andrew
^ permalink raw reply
* Re: [PATCH 3/7] net: phy: icplus: keep all ip101a_g functions together
From: Andrew Lunn @ 2018-11-18 17:04 UTC (permalink / raw)
To: Martin Blumenstingl
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <20181117182007.14791-4-martin.blumenstingl@googlemail.com>
On Sat, Nov 17, 2018 at 07:20:03PM +0100, Martin Blumenstingl wrote:
> This simply moves ip101a_g_config_init right above
> ip101a_g_config_intr so all functions for the ICPlus IP101A/G PHYs are
> grouped together.
> No functional changes.
>
> Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Andrew
^ permalink raw reply
* Re: [PATCH 4/7] net: phy: icplus: use the BIT macro where possible
From: Andrew Lunn @ 2018-11-18 17:04 UTC (permalink / raw)
To: Martin Blumenstingl
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <20181117182007.14791-5-martin.blumenstingl@googlemail.com>
On Sat, Nov 17, 2018 at 07:20:04PM +0100, Martin Blumenstingl wrote:
> This makes the code consistent by using the BIT() macro instead of
> manual bit-shifting for some of the fields. No functional changes.
>
> Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Andrew
^ permalink raw reply
* Re: [PATCH 5/7] net: phy: icplus: rename IP101A_G_NO_IRQ to IP101A_G_IRQ_ALL_MASK
From: Andrew Lunn @ 2018-11-18 17:06 UTC (permalink / raw)
To: Martin Blumenstingl
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <20181117182007.14791-6-martin.blumenstingl@googlemail.com>
On Sat, Nov 17, 2018 at 07:20:05PM +0100, Martin Blumenstingl wrote:
> The datasheet uses the name "All Mask" for this bit. Change the name of
> our #define to be consistent with the datasheet. While here also replace
> the tab between the #define and IP101A_G_IRQ_ALL_MASK with a space.
> No functional changes.
>
> Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
I think this is the bit which confused Florian. Nice change, it makes
it a lot clearer what is going on.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Andrew
^ permalink raw reply
* Re: [PATCH 6/7] net: phy: icplus: implement .did_interrupt for IP101A/G
From: Andrew Lunn @ 2018-11-18 17:09 UTC (permalink / raw)
To: Martin Blumenstingl
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <20181117182007.14791-7-martin.blumenstingl@googlemail.com>
On Sat, Nov 17, 2018 at 07:20:06PM +0100, Martin Blumenstingl wrote:
> The IP101A_G_IRQ_CONF_STATUS register has bits to detect which
> interrupts have fired. Implement the .did_interrupt callback to let the
> PHY core know whether the interrupt was for this specific PHY.
>
> This is useful for debugging interrupt problems with 32-pin IP101GR PHYs
> where the interrupt line is shared with the RX_ERR (receive error
> status) signal. The default values are:
> - RX_ERR is enabled by default (LOW means that there is no receive
> error)
> - the PHY's interrupt line is configured "active low" by default
>
> Without any additional changes there is a flood of interrupts if the
> RX_ERR/INTR32 signal is configured in RX_ERR mode (which is the
> default). Having a did_interrupt ensures that the PHY core returns
> IRQ_NONE instead of endlessly triggering the PHY state machine.
> Additionally the kernel will report this after a while:
> irq 28: nobody cared (try booting with the "irqpoll" option)
That is a useful hint.
>
> Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Andrew
^ permalink raw reply
* Re: [PATCH 7/7] net: phy: icplus: allow configuring the interrupt function on IP101GR
From: Andrew Lunn @ 2018-11-18 17:13 UTC (permalink / raw)
To: Martin Blumenstingl
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <20181117182007.14791-8-martin.blumenstingl@googlemail.com>
Hi Martin
> +static int ip101a_g_probe(struct phy_device *phydev)
> +{
> + struct device *dev = &phydev->mdio.dev;
> + struct ip101a_g_phy_priv *priv;
> +
> + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
> + if (!priv)
> + return -ENOMEM;
> +
> + if (device_property_read_bool(dev, "icplus,select-rx-error"))
> + priv->sel_intr32 = IP101GR_SEL_INTR32_RXER;
> + else if (device_property_read_bool(dev, "icplus,select-interrupt"))
> + priv->sel_intr32 = IP101GR_SEL_INTR32_INTR;
> + else
> + priv->sel_intr32 = IP101GR_SEL_INTR32_KEEP;
It would be good to return -EINVAL if both properties are found.
This looks good otherwise.
Andrew
^ permalink raw reply
* Re: [PATCH net] sctp: not allow to set asoc prsctp_enable by sockopt
From: Xin Long @ 2018-11-18 7:02 UTC (permalink / raw)
To: Neil Horman; +Cc: Marcelo Ricardo Leitner, network dev, linux-sctp, davem
In-Reply-To: <20181116151216.GA12928@neilslaptop.think-freely.org>
On Sat, Nov 17, 2018 at 12:12 AM Neil Horman <nhorman@tuxdriver.com> wrote:
>
> On Thu, Nov 15, 2018 at 09:41:01PM -0200, Marcelo Ricardo Leitner wrote:
> > [ re-sending, without html this time ]
> >
> > On Thu, Nov 15, 2018, 15:26 Neil Horman <nhorman@tuxdriver.com wrote:
> >
> > > On Thu, Nov 15, 2018 at 08:25:36PM -0200, Marcelo Ricardo Leitner wrote:
> > > > On Thu, Nov 15, 2018 at 04:43:10PM -0500, Neil Horman wrote:
> > > > > On Thu, Nov 15, 2018 at 03:22:21PM -0200, Marcelo Ricardo Leitner
> > > wrote:
> > > > > > On Thu, Nov 15, 2018 at 07:14:28PM +0800, Xin Long wrote:
> > > > > > > As rfc7496#section4.5 says about SCTP_PR_SUPPORTED:
> > > > > > >
> > > > > > > This socket option allows the enabling or disabling of the
> > > > > > > negotiation of PR-SCTP support for future associations. For
> > > existing
> > > > > > > associations, it allows one to query whether or not PR-SCTP
> > > support
> > > > > > > was negotiated on a particular association.
> > > > > > >
> > > > > > > It means only sctp sock's prsctp_enable can be set.
> > > > > > >
> > > > > > > Note that for the limitation of SCTP_{CURRENT|ALL}_ASSOC, we will
> > > > > > > add it when introducing SCTP_{FUTURE|CURRENT|ALL}_ASSOC for linux
> > > > > > > sctp in another patchset.
> > > > > > >
> > > > > > > Fixes: 28aa4c26fce2 ("sctp: add SCTP_PR_SUPPORTED on sctp sockopt")
> > > > > > > Reported-by: Ying Xu <yinxu@redhat.com>
> > > > > > > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > > > > > > ---
> > > > > > > net/sctp/socket.c | 13 +++----------
> > > > > > > 1 file changed, 3 insertions(+), 10 deletions(-)
> > > > > > >
> > > > > > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> > > > > > > index 739f3e5..e9b8232 100644
> > > > > > > --- a/net/sctp/socket.c
> > > > > > > +++ b/net/sctp/socket.c
> > > > > > > @@ -3940,7 +3940,6 @@ static int
> > > sctp_setsockopt_pr_supported(struct sock *sk,
> > > > > > > unsigned int optlen)
> > > > > > > {
> > > > > > > struct sctp_assoc_value params;
> > > > > > > - struct sctp_association *asoc;
> > > > > > > int retval = -EINVAL;
> > > > > > >
> > > > > > > if (optlen != sizeof(params))
> > > > > > > @@ -3951,16 +3950,10 @@ static int
> > > sctp_setsockopt_pr_supported(struct sock *sk,
> > > > > > > goto out;
> > > > > > > }
> > > > > > >
> > > > > > > - asoc = sctp_id2assoc(sk, params.assoc_id);
> > > > > > > - if (asoc) {
> > > > > > > - asoc->prsctp_enable = !!params.assoc_value;
> > > > > > > - } else if (!params.assoc_id) {
> > > > > > > - struct sctp_sock *sp = sctp_sk(sk);
> > > > > > > -
> > > > > > > - sp->ep->prsctp_enable = !!params.assoc_value;
> > > > > > > - } else {
> > > > > > > + if (sctp_style(sk, UDP) && sctp_id2assoc(sk,
> > > params.assoc_id))
> > > > > >
> > > > > > This would allow using a non-existent assoc id on UDP-style sockets
> > > to
> > > > > > set it at the socket, which is not expected. It should be more like:
> > > > > >
> > > > > > + if (sctp_style(sk, UDP) && params.assoc_id)
> > > > > How do you see that to be the case? sctp_id2assoc will return NULL if
> > > an
> > > > > association isn't found, so the use of sctp_id2assoc should work just
> > > fine.
> > > >
> > > > Right, it will return NULL, and because of that it won't bail out as
> > > > it should and will adjust the socket config instead.
> > > >
> > >
> > > Oh, duh, you're absolutely right, NULL will evalutate to false there, and
> > > skip
> > > the conditional goto out;
> > >
> > > that said, It would make more sense to me to just change the sense of the
> > > second
> > > condition to !sctp_id2assoc(sk, params.assoc_id), so that we goto out if no
> > > association is found. it still seems a
> >
> >
> > That would break setting it on the socket without an assoc so far.
> >
> ok, yes, I see what xin is getting at now. The RFC indicates that the
> setsockopt method for this socket option is meant to set the prsctp enabled
> value on _future_ associations, implying that we should not operate at all on
> already existing associations (i.e. we should ignore the assoc_id in the passed
> in structure and only operate on the socket). That said, heres the entire text
> of the RFC section:
>
> 4.5. Socket Option for Getting and Setting the PR-SCTP Support
> (SCTP_PR_SUPPORTED)
>
> This socket option allows the enabling or disabling of the
> negotiation of PR-SCTP support for future associations. For existing
> associations, it allows one to query whether or not PR-SCTP support
> was negotiated on a particular association.
>
> Whether or not PR-SCTP is enabled by default is implementation
> specific.
>
> This socket option uses IPPROTO_SCTP as its level and
> SCTP_PR_SUPPORTED as its name. It can be used with getsockopt() and
> setsockopt(). The socket option value uses the following structure
> defined in [RFC6458]:
>
> struct sctp_assoc_value {
> sctp_assoc_t assoc_id;
> uint32_t assoc_value;
> };
>
> assoc_id: This parameter is ignored for one-to-one style sockets.
> For one-to-many style sockets, this parameter indicates upon which
> association the user is performing an action. The special
> sctp_assoc_t SCTP_FUTURE_ASSOC can also be used; it is an error to
> use SCTP_{CURRENT|ALL}_ASSOC in assoc_id.
>
> assoc_value: A non-zero value encodes the enabling of PR-SCTP,
> whereas a value of 0 encodes the disabling of PR-SCTP.
>
> sctp_opt_info() needs to be extended to support SCTP_PR_SUPPORTED
>
> My read of this suggests that for setting the prsctp_enabled flag, we only need
> a valid socket (the presence or lack of associations is irrelevant), its only
> for the getsockopt method that we need to specify an assoc_id, as the getsockopt
> method operates on associations, while the setsockopt method operates at the
> socket level (to be inherited as association init).
>
> Given that, I'd argue that we can skip the check entirely, and just assign
> sctp_sock(sk)->prsctp_enabled = !!param.assoc_value
>
> directly.
RFC seems to have no clear demands for this, I will just drop the check
in this patch, thanks.
^ permalink raw reply
* [PATCH net] sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit
From: Xin Long @ 2018-11-18 7:07 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman
Now sctp increases sk_wmem_alloc by 1 when doing set_owner_w for the
skb allocked in sctp_packet_transmit and decreases by 1 when freeing
this skb.
But when this skb goes through networking stack, some subcomponents
might change skb->truesize and add the same amount on sk_wmem_alloc.
However sctp doesn't know the amount to decrease by, it would cause
a leak on sk->sk_wmem_alloc and the sock can never be freed.
Xiumei found this issue when it hit esp_output_head() by using sctp
over ipsec, where skb->truesize is added and so is sk->sk_wmem_alloc.
Since sctp has used sk_wmem_queued to count for writable space since
Commit cd305c74b0f8 ("sctp: use sk_wmem_queued to check for writable
space"), it's ok to fix it by counting sk_wmem_alloc by skb truesize
in sctp_packet_transmit.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/sctp/output.c | 21 +--------------------
1 file changed, 1 insertion(+), 20 deletions(-)
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 67939ad..88dfa6a 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -396,25 +396,6 @@ enum sctp_xmit sctp_packet_append_chunk(struct sctp_packet *packet,
return retval;
}
-static void sctp_packet_release_owner(struct sk_buff *skb)
-{
- sk_free(skb->sk);
-}
-
-static void sctp_packet_set_owner_w(struct sk_buff *skb, struct sock *sk)
-{
- skb_orphan(skb);
- skb->sk = sk;
- skb->destructor = sctp_packet_release_owner;
-
- /*
- * The data chunks have already been accounted for in sctp_sendmsg(),
- * therefore only reserve a single byte to keep socket around until
- * the packet has been transmitted.
- */
- refcount_inc(&sk->sk_wmem_alloc);
-}
-
static void sctp_packet_gso_append(struct sk_buff *head, struct sk_buff *skb)
{
if (SCTP_OUTPUT_CB(head)->last == head)
@@ -601,7 +582,7 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp)
if (!head)
goto out;
skb_reserve(head, packet->overhead + MAX_HEADER);
- sctp_packet_set_owner_w(head, sk);
+ skb_set_owner_w(head, sk);
/* set sctp header */
sh = skb_push(head, sizeof(struct sctphdr));
--
2.1.0
^ permalink raw reply related
* Re: KASAN: use-after-free Read in bpf_prog_kallsyms_add
From: syzbot @ 2018-11-18 17:28 UTC (permalink / raw)
To: ast, daniel, linux-kernel, netdev, syzkaller-bugs
In-Reply-To: <000000000000ebd44005758029c2@google.com>
syzbot has found a reproducer for the following crash on:
HEAD commit: 1ce80e0fe98e Merge tag 'fsnotify_for_v4.20-rc3' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11752783400000
kernel config: https://syzkaller.appspot.com/x/.config?x=d86f24333880b605
dashboard link: https://syzkaller.appspot.com/bug?extid=ac0311cfc9e80cd2e0e8
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16abd093400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ac0311cfc9e80cd2e0e8@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac lib/list_debug.c:26
Read of size 8 at addr ffff8881b97b8560 by task syz-executor3/12896
CPU: 1 PID: 12896 Comm: syz-executor3 Not tainted 4.20.0-rc2+ #117
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
__list_add_valid+0x8f/0xac lib/list_debug.c:26
__list_add_rcu include/linux/rculist.h:52 [inline]
list_add_tail_rcu include/linux/rculist.h:101 [inline]
bpf_prog_ksym_node_add kernel/bpf/core.c:460 [inline]
bpf_prog_kallsyms_add+0x200/0x9b0 kernel/bpf/core.c:491
jit_subprogs kernel/bpf/verifier.c:5973 [inline]
fixup_call_args kernel/bpf/verifier.c:6023 [inline]
bpf_check+0x4fcb/0x6310 kernel/bpf/verifier.c:6404
bpf_prog_load+0x113d/0x1cc0 kernel/bpf/syscall.c:1528
__do_sys_bpf kernel/bpf/syscall.c:2504 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2466 [inline]
__x64_sys_bpf+0x36c/0x520 kernel/bpf/syscall.c:2466
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6de3718c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
RDX: 0000000000000048 RSI: 0000000020000000 RDI: 0000000000000005
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6de37196d4
R13: 00000000004bd97c R14: 00000000004cc688 R15: 00000000ffffffff
Allocated by task 12883:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
kmalloc include/linux/slab.h:546 [inline]
kzalloc include/linux/slab.h:741 [inline]
bpf_prog_alloc+0x16b/0x3e0 kernel/bpf/core.c:89
bpf_prog_load+0x435/0x1cc0 kernel/bpf/syscall.c:1482
__do_sys_bpf kernel/bpf/syscall.c:2504 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2466 [inline]
__x64_sys_bpf+0x36c/0x520 kernel/bpf/syscall.c:2466
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 17:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3817
__bpf_prog_free kernel/bpf/core.c:146 [inline]
bpf_prog_unlock_free include/linux/filter.h:743 [inline]
bpf_prog_free_deferred+0x2a4/0x420 kernel/bpf/core.c:1781
process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
kthread+0x35a/0x440 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881b97b8500
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 96 bytes inside of
512-byte region [ffff8881b97b8500, ffff8881b97b8700)
The buggy address belongs to the page:
page:ffffea0006e5ee00 count:1 mapcount:0 mapping:ffff8881da800940
index:0xffff8881b97b8a00
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea0006ede848 ffffea0006e6b508 ffff8881da800940
raw: ffff8881b97b8a00 ffff8881b97b8000 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881b97b8400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881b97b8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881b97b8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881b97b8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881b97b8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
^ permalink raw reply
* Re: [PATCH 2/7] dt-bindings: net: phy: add bindings for the IC Plus Corp. IP101A/G PHYs
From: Martin Blumenstingl @ 2018-11-18 17:29 UTC (permalink / raw)
To: andrew
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <20181118170331.GB5591@lunn.ch>
Hi Andrew,
On Sun, Nov 18, 2018 at 6:03 PM Andrew Lunn <andrew@lunn.ch> wrote:
>
> On Sat, Nov 17, 2018 at 07:20:02PM +0100, Martin Blumenstingl wrote:
> > The IP101A and IP101G series both have various models. Depending on the
> > board implementation we need a special property for the IP101GR (32-pin
> > LQFP package) PHY:
> > pin 21 ("RXER/INTR_32") outputs the "receive error" signal by default
> > (LOW means "normal operation", HIGH means that there's either a decoding
> > error of the received signal or that the PHY is receiving LPI). This pin
> > can also be switched to INTR32 mode, where the interrupt signal is
> > routed to this pin. The other PHYs don't need this special handling
> > because they have more pins available so the interrupt function gets a
> > dedicated pin.
> >
> > This adds two properties to either select the "receive error" or
> > "interrupt" function of pin 21. Not specifying any function means that
> > the default set by the bootloader is used. This is required because the
> > IP101GR cannot be differentiated between other IP101 PHYs as the PHY
> > identification registers on all of these is 0x02430c54.
>
> Hi Martin
>
> Not being able to identify the device is a real problem here.
indeed, even some extra "custom version" register would have helped
> I did wonder about adding a property which tells you if this is the R
> variant, but the binding you suggests seems equally good.
I decided against that because I *believe* (I have no evidence though)
that the IP101G could have the same problem in theory.
according to the datasheet I have the IP101G is a "Dice" (which I'm
interpreting as "raw die, no package")
<some company> could make a multi-chip package with the IP101G and
only route the RXER/INTR_32 to the outside
due to lack of evidence I decided not to document this in the
dt-bindings themselves, but if you want I can add this theory to the
patch description
apart from that: thank you for reviewing this series!
Regards
Martin
^ permalink raw reply
* Re: [PATCH 7/7] net: phy: icplus: allow configuring the interrupt function on IP101GR
From: Martin Blumenstingl @ 2018-11-18 17:30 UTC (permalink / raw)
To: andrew
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <20181118171340.GG5591@lunn.ch>
Hi Andrew,
On Sun, Nov 18, 2018 at 6:13 PM Andrew Lunn <andrew@lunn.ch> wrote:
>
> Hi Martin
>
> > +static int ip101a_g_probe(struct phy_device *phydev)
> > +{
> > + struct device *dev = &phydev->mdio.dev;
> > + struct ip101a_g_phy_priv *priv;
> > +
> > + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
> > + if (!priv)
> > + return -ENOMEM;
> > +
> > + if (device_property_read_bool(dev, "icplus,select-rx-error"))
> > + priv->sel_intr32 = IP101GR_SEL_INTR32_RXER;
> > + else if (device_property_read_bool(dev, "icplus,select-interrupt"))
> > + priv->sel_intr32 = IP101GR_SEL_INTR32_INTR;
> > + else
> > + priv->sel_intr32 = IP101GR_SEL_INTR32_KEEP;
>
> It would be good to return -EINVAL if both properties are found.
that makes sense
I'll wait a few days for more feedback and re-send this series with
that issue fixed
> This looks good otherwise.
great, thanks for looking into it!
Regards
Martin
^ permalink raw reply
* [PATCHv2 net] sctp: not allow to set asoc prsctp_enable by sockopt
From: Xin Long @ 2018-11-18 7:21 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman
As rfc7496#section4.5 says about SCTP_PR_SUPPORTED:
This socket option allows the enabling or disabling of the
negotiation of PR-SCTP support for future associations. For existing
associations, it allows one to query whether or not PR-SCTP support
was negotiated on a particular association.
It means only sctp sock's prsctp_enable can be set.
Note that for the limitation of SCTP_{CURRENT|ALL}_ASSOC, we will
add it when introducing SCTP_{FUTURE|CURRENT|ALL}_ASSOC for linux
sctp in another patchset.
v1->v2:
- drop the params.assoc_id check as Neil suggested.
Fixes: 28aa4c26fce2 ("sctp: add SCTP_PR_SUPPORTED on sctp sockopt")
Reported-by: Ying Xu <yinxu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/sctp/socket.c | 26 +++++---------------------
1 file changed, 5 insertions(+), 21 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 739f3e5..bf618d1 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3940,32 +3940,16 @@ static int sctp_setsockopt_pr_supported(struct sock *sk,
unsigned int optlen)
{
struct sctp_assoc_value params;
- struct sctp_association *asoc;
- int retval = -EINVAL;
if (optlen != sizeof(params))
- goto out;
-
- if (copy_from_user(¶ms, optval, optlen)) {
- retval = -EFAULT;
- goto out;
- }
-
- asoc = sctp_id2assoc(sk, params.assoc_id);
- if (asoc) {
- asoc->prsctp_enable = !!params.assoc_value;
- } else if (!params.assoc_id) {
- struct sctp_sock *sp = sctp_sk(sk);
+ return -EINVAL;
- sp->ep->prsctp_enable = !!params.assoc_value;
- } else {
- goto out;
- }
+ if (copy_from_user(¶ms, optval, optlen))
+ return -EFAULT;
- retval = 0;
+ sctp_sk(sk)->ep->prsctp_enable = !!params.assoc_value;
-out:
- return retval;
+ return 0;
}
static int sctp_setsockopt_default_prinfo(struct sock *sk,
--
2.1.0
^ permalink raw reply related
* Re: [PATCH 7/7] net: phy: icplus: allow configuring the interrupt function on IP101GR
From: Andrew Lunn @ 2018-11-18 17:45 UTC (permalink / raw)
To: Martin Blumenstingl
Cc: netdev, devicetree, f.fainelli, mark.rutland, robh+dt, davem,
linux-kernel
In-Reply-To: <CAFBinCBkH3OrtxROpcbqF-1BtRY=6QqS2zkhZTo=W==1FKqZsw@mail.gmail.com>
> I'll wait a few days for more feedback and re-send this series with
> that issue fixed
Hi Martin
In networking world, you should expect feedback within 3 days. So i
was actually a bit slow. If i'd of waited much longer, David would of
merged the patches very soon.
So feel free to respin the patchset now if you want.
Andrew
^ permalink raw reply
* [PATCH net] tuntap: fix multiqueue rx
From: Matthew Cover @ 2018-11-18 7:46 UTC (permalink / raw)
To: davem, jasowang, brouer, mst, edumazet, sd, netdev, matthew.cover
In-Reply-To: <20181117.211126.1736118365709071572.davem@davemloft.net>
When writing packets to a descriptor associated with a combined queue, the
packets should end up on that queue.
Before this change all packets written to any descriptor associated with a
tap interface end up on rx-0, even when the descriptor is associated with a
different queue.
The rx traffic can be generated by either of the following.
1. a simple tap program which spins up multiple queues and writes packets
to each of the file descriptors
2. tx from a qemu vm with a tap multiqueue netdev
The queue for rx traffic can be observed by either of the following (done
on the hypervisor in the qemu case).
1. a simple netmap program which opens and reads from per-queue
descriptors
2. configuring RPS and doing per-cpu captures with rxtxcpu
Alternatively, if you printk() the return value of skb_get_rx_queue() just
before each instance of netif_receive_skb() in tun.c, you will get 65535
for every skb.
Calling skb_record_rx_queue() to set the rx queue to the queue_index fixes
the association between descriptor and rx queue.
Signed-off-by: Matthew Cover <matthew.cover@stackpath.com>
---
drivers/net/tun.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 060135ceaf0e..e244f5d7512a 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1536,6 +1536,7 @@ static void tun_rx_batched(struct tun_struct *tun, struct tun_file *tfile,
if (!rx_batched || (!more && skb_queue_empty(queue))) {
local_bh_disable();
+ skb_record_rx_queue(skb, tfile->queue_index);
netif_receive_skb(skb);
local_bh_enable();
return;
@@ -1555,8 +1556,11 @@ static void tun_rx_batched(struct tun_struct *tun, struct tun_file *tfile,
struct sk_buff *nskb;
local_bh_disable();
- while ((nskb = __skb_dequeue(&process_queue)))
+ while ((nskb = __skb_dequeue(&process_queue))) {
+ skb_record_rx_queue(nskb, tfile->queue_index);
netif_receive_skb(nskb);
+ }
+ skb_record_rx_queue(skb, tfile->queue_index);
netif_receive_skb(skb);
local_bh_enable();
}
@@ -2451,6 +2455,7 @@ static int tun_xdp_one(struct tun_struct *tun,
if (!rcu_dereference(tun->steering_prog))
rxhash = __skb_get_hash_symmetric(skb);
+ skb_record_rx_queue(skb, tfile->queue_index);
netif_receive_skb(skb);
stats = get_cpu_ptr(tun->pcpu_stats);
--
2.15.2 (Apple Git-101.1)
^ permalink raw reply related
* Re: KASAN: use-after-free Read in bpf_prog_kallsyms_del
From: syzbot @ 2018-11-18 18:14 UTC (permalink / raw)
To: ast, daniel, linux-kernel, netdev, syzkaller-bugs
In-Reply-To: <0000000000001d985405783e8aee@google.com>
syzbot has found a reproducer for the following crash on:
HEAD commit: 1ce80e0fe98e Merge tag 'fsnotify_for_v4.20-rc3' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16d4e26d400000
kernel config: https://syzkaller.appspot.com/x/.config?x=d86f24333880b605
dashboard link: https://syzkaller.appspot.com/bug?extid=10cffda23c81a3ff1088
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17e0be2b400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+10cffda23c81a3ff1088@syzkaller.appspotmail.com
audit: type=1400 audit(1542564624.749:40): avc: denied { prog_run } for
pid=7713 comm="syz-executor0"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xf1/0x100
lib/list_debug.c:51
Read of size 8 at addr ffff8881bdb8daa0 by task syz-executor5/7868
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
__list_del_entry_valid+0xf1/0x100 lib/list_debug.c:51
__list_del_entry include/linux/list.h:117 [inline]
list_del_rcu include/linux/rculist.h:130 [inline]
bpf_prog_ksym_node_del kernel/bpf/core.c:470 [inline]
bpf_prog_kallsyms_del+0x1e7/0x410 kernel/bpf/core.c:501
bpf_prog_kallsyms_del_subprogs+0xde/0x180 kernel/bpf/core.c:358
bpf_prog_kallsyms_del_all+0x15/0x20 kernel/bpf/core.c:363
__bpf_prog_put+0xd7/0x150 kernel/bpf/syscall.c:1215
bpf_prog_put kernel/bpf/syscall.c:1223 [inline]
bpf_prog_release+0x3c/0x50 kernel/bpf/syscall.c:1231
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x1ad6/0x26d0 kernel/exit.c:867
do_group_exit+0x177/0x440 kernel/exit.c:970
get_signal+0x8b0/0x1980 kernel/signal.c:2517
do_signal+0x9c/0x21c0 arch/x86/kernel/signal.c:816
WARNING: CPU: 1 PID: 7868 at kernel/bpf/core.c:384 bpf_get_prog_addr_region
kernel/bpf/core.c:384 [inline]
WARNING: CPU: 1 PID: 7868 at kernel/bpf/core.c:384 bpf_tree_comp
kernel/bpf/core.c:438 [inline]
WARNING: CPU: 1 PID: 7868 at kernel/bpf/core.c:384 __lt_find
include/linux/rbtree_latch.h:115 [inline]
WARNING: CPU: 1 PID: 7868 at kernel/bpf/core.c:384 latch_tree_find
include/linux/rbtree_latch.h:208 [inline]
WARNING: CPU: 1 PID: 7868 at kernel/bpf/core.c:384
bpf_prog_kallsyms_find+0x2d0/0x4a0 kernel/bpf/core.c:512
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
panic+0x2ad/0x55c kernel/panic.c:188
__warn.cold.8+0x20/0x45 kernel/panic.c:540
report_bug+0x254/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:384 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2d0/0x4a0 kernel/bpf/core.c:512
Code: 38 ca 7f 08 84 d2 0f 85 74 01 00 00 41 0f b6 45 02 31 ff 83 e0 01 41
89 c5 89 c6 e8 fa 82 f3 ff 45 84 ed 75 07 e8 20 82 f3 ff <0f> 0b e8 19 82
f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7
RSP: 0018:ffff8881bfd3ec28 EFLAGS: 00010093
RAX: ffff8881b8bce2c0 RBX: ffff8881bdb8da70 RCX: ffffffff818c05b6
RDX: 0000000000000000 RSI: ffffffff818c05c0 RDI: 0000000000000001
RBP: ffff8881bfd3eda0 R08: ffff8881b8bce2c0 R09: ffffed103b5e5b67
R10: ffffed103b5e5b67 R11: ffff8881daf2db3b R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8881bdb8da70
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3e638 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3e7b0 R08: ffff8881b8bce2c0 R09: ffffed103b5e5b67
R10: ffffed103b5e5b67 R11: ffff8881daf2db3b R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#2] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3e228 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3e3a0 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#3] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3de18 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3df90 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#4] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3da08 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3db80 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#5] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3d5f8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3d770 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#6] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3d1e8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3d360 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#7] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3cdd8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3cf50 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#8] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3c9c8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3cb40 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#9] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3c5b8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3c730 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#10] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3c1a8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3c320 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#11] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3bd98 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3bf10 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#12] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3b988 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3bb00 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#13] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3b578 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3b6f0 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#14] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3b168 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3b2e0 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#15] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3ad58 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3aed0 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#16] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3a948 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3aac0 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#17] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3a538 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3a6b0 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#18] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3a128 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3a2a0 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#19] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd39d18 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd39e90 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#20] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd39908 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd39a80 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#21] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd394f8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd39670 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#22] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd390e8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd39260 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#23] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd38cd8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd38e50 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#24] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd388c8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd38a40 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#25] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd384b8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd38630 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
------------[ cut here ]------------
kernel BUG at mm/slab.c:4425!
invalid opcode: 0000 [#26] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__check_heap_object+0xa7/0xb5 mm/slab.c:4450
Code: 48 c7 c7 15 b1 14 89 e8 97 e3 0a 00 5d c3 41 8b 91 04 01 00 00 48 29
c7 48 39 d7 77 be 48 01 d0 48 29 c8 48 39 f0 72 b3 5d c3 <0f> 0b 48 c7 c7
15 b1 14 89 e8 fd eb 0a 00 44 89 e9 48 c7 c7 d0 b1
RSP: 0018:ffff8881bfd372e0 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 1ffff11037fa6e63 RCX: 000000000000000c
RDX: ffff8881bfd36300 RSI: 0000000000000002 RDI: ffff8881bfd37488
RBP: ffff8881bfd372e0 R08: ffff8881b8bce2c0 R09: ffff8881da986e40
R10: 0000000000000f78 R11: 0000000000000000 R12: ffff8881bfd37488
R13: 0000000000000002 R14: ffffea0006ff4d80 R15: 0000000000000001
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#27] PREEMPT SMP KASAN
CPU: 1 PID: 7868 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd36e30 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd36fa8 R08: ffff8881b8bce2c0 R09: 0000000000000001
R10: ffffed103b5e5b67 R11: ffff8881b8bce2c0 R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace 2e83966fafd9dc18 ]---
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:387 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:438 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x2fe/0x4a0 kernel/bpf/core.c:512
Code: 82 f3 ff 4c 8b ad b0 fe ff ff 4c 89 e6 4c 89 ef e8 b7 82 f3 ff 4d 39
e5 0f 82 a7 00 00 00 e8 f9 81 f3 ff 4c 89 e0 48 c1 e8 03 <42> 0f b6 04 30
84 c0 74 08 3c 03 0f 8e 35 01 00 00 41 8b 04 24 4c
RSP: 0018:ffff8881bfd3e638 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881bdb8da70 RCX: ffffffff818c05d9
RDX: 0000000000000000 RSI: ffffffff818c05e7 RDI: 0000000000000006
RBP: ffff8881bfd3e7b0 R08: ffff8881b8bce2c0 R09: ffffed103b5e5b67
R10: ffffed103b5e5b67 R11: ffff8881daf2db3b R12: 0000000000000000
R13: ffffffffffffffff R14: dffffc0000000000 R15: ffff8881bdb8da70
FS: 00007fce36f50700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c000 CR3: 00000001ce339000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
^ permalink raw reply
* [PATCHv3 net-next 0/4] sctp: add subscribe per asoc and sockopt SCTP_EVENT
From: Xin Long @ 2018-11-18 8:08 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: Marcelo Ricardo Leitner, Neil Horman, davem
This patchset mainly adds the Event Subscription sockopt described in
rfc6525#section-6.2:
"Subscribing to events as described in [RFC6458] uses a setsockopt()
call with the SCTP_EVENT socket option. This option takes the
following structure, which specifies the association, the event type
(using the same value found in the event type field), and an on/off
boolean.
struct sctp_event {
sctp_assoc_t se_assoc_id;
uint16_t se_type;
uint8_t se_on;
};
The user fills in the se_type field with the same value found in the
strreset_type field, i.e., SCTP_STREAM_RESET_EVENT. The user will
also fill in the se_assoc_id field with either the association to set
this event on (this field is ignored for one-to-one style sockets) or
one of the reserved constant values defined in [RFC6458]. Finally,
the se_on field is set with a 1 to enable the event or a 0 to disable
the event."
As for the old SCTP_EVENTS Option with struct sctp_event_subscribe,
it's being DEPRECATED.
v1->v2:
- fix some key word in changelog that triggerred the filters at
vger.kernel.org.
v2->v3:
- fix an array out of bounds noticed by Neil in patch 1/4.
Xin Long (4):
sctp: define subscribe in sctp_sock as __u16
sctp: add subscribe per asoc
sctp: rename enum sctp_event to sctp_event_type
sctp: add sockopt SCTP_EVENT
include/net/sctp/constants.h | 2 +-
include/net/sctp/sm.h | 4 +-
include/net/sctp/structs.h | 4 +-
include/net/sctp/ulpevent.h | 39 ++++++++------
include/uapi/linux/sctp.h | 13 ++++-
net/sctp/associola.c | 2 +
net/sctp/chunk.c | 8 ++-
net/sctp/primitive.c | 2 +-
net/sctp/sm_sideeffect.c | 12 ++---
net/sctp/sm_statetable.c | 2 +-
net/sctp/socket.c | 125 ++++++++++++++++++++++++++++++++++++++++---
net/sctp/stream_interleave.c | 12 +++--
net/sctp/ulpqueue.c | 8 +--
13 files changed, 183 insertions(+), 50 deletions(-)
--
2.1.0
^ permalink raw reply
* [PATCHv3 net-next 1/4] sctp: define subscribe in sctp_sock as __u16
From: Xin Long @ 2018-11-18 8:08 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: Marcelo Ricardo Leitner, Neil Horman, davem
In-Reply-To: <cover.1542528309.git.lucien.xin@gmail.com>
The member subscribe in sctp_sock is used to indicate to which of
the events it is subscribed, more like a group of flags. So it's
better to be defined as __u16 (2 bytpes), instead of struct
sctp_event_subscribe (13 bytes).
Note that sctp_event_subscribe is an UAPI struct, used on sockopt
calls, and thus it will not be removed. This patch only changes
the internal storage of the flags.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
include/net/sctp/structs.h | 2 +-
include/net/sctp/ulpevent.h | 39 ++++++++++++++++++++++++---------------
include/uapi/linux/sctp.h | 6 +++++-
net/sctp/chunk.c | 4 ++--
net/sctp/socket.c | 35 ++++++++++++++++++++++++++---------
net/sctp/stream_interleave.c | 11 ++++++-----
net/sctp/ulpqueue.c | 8 ++++----
7 files changed, 68 insertions(+), 37 deletions(-)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index af9d494..bc7808a 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -217,7 +217,7 @@ struct sctp_sock {
* These two structures must be grouped together for the usercopy
* whitelist region.
*/
- struct sctp_event_subscribe subscribe;
+ __u16 subscribe;
struct sctp_initmsg initmsg;
int user_frag;
diff --git a/include/net/sctp/ulpevent.h b/include/net/sctp/ulpevent.h
index 51b4e06..bd922a0 100644
--- a/include/net/sctp/ulpevent.h
+++ b/include/net/sctp/ulpevent.h
@@ -164,30 +164,39 @@ void sctp_ulpevent_read_nxtinfo(const struct sctp_ulpevent *event,
__u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event);
+static inline void sctp_ulpevent_type_set(__u16 *subscribe,
+ __u16 sn_type, __u8 on)
+{
+ if (sn_type > SCTP_SN_TYPE_MAX)
+ return;
+
+ if (on)
+ *subscribe |= (1 << (sn_type - SCTP_SN_TYPE_BASE));
+ else
+ *subscribe &= ~(1 << (sn_type - SCTP_SN_TYPE_BASE));
+}
+
/* Is this event type enabled? */
-static inline int sctp_ulpevent_type_enabled(__u16 sn_type,
- struct sctp_event_subscribe *mask)
+static inline bool sctp_ulpevent_type_enabled(__u16 subscribe, __u16 sn_type)
{
- int offset = sn_type - SCTP_SN_TYPE_BASE;
- char *amask = (char *) mask;
+ if (sn_type > SCTP_SN_TYPE_MAX)
+ return false;
- if (offset >= sizeof(struct sctp_event_subscribe))
- return 0;
- return amask[offset];
+ return subscribe & (1 << (sn_type - SCTP_SN_TYPE_BASE));
}
/* Given an event subscription, is this event enabled? */
-static inline int sctp_ulpevent_is_enabled(const struct sctp_ulpevent *event,
- struct sctp_event_subscribe *mask)
+static inline bool sctp_ulpevent_is_enabled(const struct sctp_ulpevent *event,
+ __u16 subscribe)
{
__u16 sn_type;
- int enabled = 1;
- if (sctp_ulpevent_is_notification(event)) {
- sn_type = sctp_ulpevent_get_notification_type(event);
- enabled = sctp_ulpevent_type_enabled(sn_type, mask);
- }
- return enabled;
+ if (!sctp_ulpevent_is_notification(event))
+ return true;
+
+ sn_type = sctp_ulpevent_get_notification_type(event);
+
+ return sctp_ulpevent_type_enabled(subscribe, sn_type);
}
#endif /* __sctp_ulpevent_h__ */
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index c81feb3..66afa5b 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -632,7 +632,9 @@ union sctp_notification {
*/
enum sctp_sn_type {
- SCTP_SN_TYPE_BASE = (1<<15),
+ SCTP_SN_TYPE_BASE = (1<<15),
+ SCTP_DATA_IO_EVENT = SCTP_SN_TYPE_BASE,
+#define SCTP_DATA_IO_EVENT SCTP_DATA_IO_EVENT
SCTP_ASSOC_CHANGE,
#define SCTP_ASSOC_CHANGE SCTP_ASSOC_CHANGE
SCTP_PEER_ADDR_CHANGE,
@@ -657,6 +659,8 @@ enum sctp_sn_type {
#define SCTP_ASSOC_RESET_EVENT SCTP_ASSOC_RESET_EVENT
SCTP_STREAM_CHANGE_EVENT,
#define SCTP_STREAM_CHANGE_EVENT SCTP_STREAM_CHANGE_EVENT
+ SCTP_SN_TYPE_MAX = SCTP_STREAM_CHANGE_EVENT,
+#define SCTP_SN_TYPE_MAX SCTP_SN_TYPE_MAX
};
/* Notification error codes used to fill up the error fields in some
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index ce80878..6c761af 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -109,8 +109,8 @@ static void sctp_datamsg_destroy(struct sctp_datamsg *msg)
error = asoc->outqueue.error;
sp = sctp_sk(asoc->base.sk);
- notify = sctp_ulpevent_type_enabled(SCTP_SEND_FAILED,
- &sp->subscribe);
+ notify = sctp_ulpevent_type_enabled(sp->subscribe,
+ SCTP_SEND_FAILED);
}
/* Generate a SEND FAILED event only if enabled. */
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 5299add..9d75129 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2230,7 +2230,7 @@ static int sctp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
if (sp->recvrcvinfo)
sctp_ulpevent_read_rcvinfo(event, msg);
/* Check if we allow SCTP_SNDRCVINFO. */
- if (sp->subscribe.sctp_data_io_event)
+ if (sctp_ulpevent_type_enabled(sp->subscribe, SCTP_DATA_IO_EVENT))
sctp_ulpevent_read_sndrcvinfo(event, msg);
err = copied;
@@ -2304,21 +2304,28 @@ static int sctp_setsockopt_disable_fragments(struct sock *sk,
static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
unsigned int optlen)
{
- struct sctp_association *asoc;
- struct sctp_ulpevent *event;
+ struct sctp_event_subscribe subscribe;
+ __u8 *sn_type = (__u8 *)&subscribe;
+ struct sctp_sock *sp = sctp_sk(sk);
+ int i;
if (optlen > sizeof(struct sctp_event_subscribe))
return -EINVAL;
- if (copy_from_user(&sctp_sk(sk)->subscribe, optval, optlen))
+
+ if (copy_from_user(&subscribe, optval, optlen))
return -EFAULT;
+ for (i = 0; i < optlen; i++)
+ sctp_ulpevent_type_set(&sp->subscribe, SCTP_SN_TYPE_BASE + i,
+ sn_type[i]);
+
/* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
* if there is no data to be sent or retransmit, the stack will
* immediately send up this notification.
*/
- if (sctp_ulpevent_type_enabled(SCTP_SENDER_DRY_EVENT,
- &sctp_sk(sk)->subscribe)) {
- asoc = sctp_id2assoc(sk, 0);
+ if (sctp_ulpevent_type_enabled(sp->subscribe, SCTP_SENDER_DRY_EVENT)) {
+ struct sctp_association *asoc = sctp_id2assoc(sk, 0);
+ struct sctp_ulpevent *event;
if (asoc && sctp_outq_is_empty(&asoc->outqueue)) {
event = sctp_ulpevent_make_sender_dry_event(asoc,
@@ -4722,7 +4729,7 @@ static int sctp_init_sock(struct sock *sk)
/* Initialize default event subscriptions. By default, all the
* options are off.
*/
- memset(&sp->subscribe, 0, sizeof(struct sctp_event_subscribe));
+ sp->subscribe = 0;
/* Default Peer Address Parameters. These defaults can
* be modified via SCTP_PEER_ADDR_PARAMS
@@ -5267,14 +5274,24 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
+ struct sctp_event_subscribe subscribe;
+ __u8 *sn_type = (__u8 *)&subscribe;
+ int i;
+
if (len == 0)
return -EINVAL;
if (len > sizeof(struct sctp_event_subscribe))
len = sizeof(struct sctp_event_subscribe);
if (put_user(len, optlen))
return -EFAULT;
- if (copy_to_user(optval, &sctp_sk(sk)->subscribe, len))
+
+ for (i = 0; i < len; i++)
+ sn_type[i] = sctp_ulpevent_type_enabled(sctp_sk(sk)->subscribe,
+ SCTP_SN_TYPE_BASE + i);
+
+ if (copy_to_user(optval, &subscribe, len))
return -EFAULT;
+
return 0;
}
diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c
index 2b499a8..ceef5a3 100644
--- a/net/sctp/stream_interleave.c
+++ b/net/sctp/stream_interleave.c
@@ -503,7 +503,7 @@ static int sctp_enqueue_event(struct sctp_ulpq *ulpq,
sk_incoming_cpu_update(sk);
}
- if (!sctp_ulpevent_is_enabled(event, &sp->subscribe))
+ if (!sctp_ulpevent_is_enabled(event, sp->subscribe))
goto out_free;
if (skb_list)
@@ -992,10 +992,11 @@ static void sctp_intl_stream_abort_pd(struct sctp_ulpq *ulpq, __u16 sid,
__u32 mid, __u16 flags, gfp_t gfp)
{
struct sock *sk = ulpq->asoc->base.sk;
+ struct sctp_sock *sp = sctp_sk(sk);
struct sctp_ulpevent *ev = NULL;
- if (!sctp_ulpevent_type_enabled(SCTP_PARTIAL_DELIVERY_EVENT,
- &sctp_sk(sk)->subscribe))
+ if (!sctp_ulpevent_type_enabled(sp->subscribe,
+ SCTP_PARTIAL_DELIVERY_EVENT))
return;
ev = sctp_ulpevent_make_pdapi(ulpq->asoc, SCTP_PARTIAL_DELIVERY_ABORTED,
@@ -1003,8 +1004,8 @@ static void sctp_intl_stream_abort_pd(struct sctp_ulpq *ulpq, __u16 sid,
if (ev) {
__skb_queue_tail(&sk->sk_receive_queue, sctp_event2skb(ev));
- if (!sctp_sk(sk)->data_ready_signalled) {
- sctp_sk(sk)->data_ready_signalled = 1;
+ if (!sp->data_ready_signalled) {
+ sp->data_ready_signalled = 1;
sk->sk_data_ready(sk);
}
}
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index 331cc73..b36dd90 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -219,7 +219,7 @@ int sctp_ulpq_tail_event(struct sctp_ulpq *ulpq, struct sctp_ulpevent *event)
sk_incoming_cpu_update(sk);
}
/* Check if the user wishes to receive this event. */
- if (!sctp_ulpevent_is_enabled(event, &sp->subscribe))
+ if (!sctp_ulpevent_is_enabled(event, sp->subscribe))
goto out_free;
/* If we are in partial delivery mode, post to the lobby until
@@ -1129,16 +1129,16 @@ void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
void sctp_ulpq_abort_pd(struct sctp_ulpq *ulpq, gfp_t gfp)
{
struct sctp_ulpevent *ev = NULL;
- struct sock *sk;
struct sctp_sock *sp;
+ struct sock *sk;
if (!ulpq->pd_mode)
return;
sk = ulpq->asoc->base.sk;
sp = sctp_sk(sk);
- if (sctp_ulpevent_type_enabled(SCTP_PARTIAL_DELIVERY_EVENT,
- &sctp_sk(sk)->subscribe))
+ if (sctp_ulpevent_type_enabled(sp->subscribe,
+ SCTP_PARTIAL_DELIVERY_EVENT))
ev = sctp_ulpevent_make_pdapi(ulpq->asoc,
SCTP_PARTIAL_DELIVERY_ABORTED,
0, 0, 0, gfp);
--
2.1.0
^ permalink raw reply related
* [PATCHv3 net-next 2/4] sctp: add subscribe per asoc
From: Xin Long @ 2018-11-18 8:08 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: Marcelo Ricardo Leitner, Neil Horman, davem
In-Reply-To: <cover.1542528309.git.lucien.xin@gmail.com>
The member subscribe should be per asoc, so that sockopt SCTP_EVENT
in the next patch can subscribe a event from one asoc only.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
include/net/sctp/structs.h | 2 ++
net/sctp/associola.c | 2 ++
net/sctp/chunk.c | 6 ++----
net/sctp/socket.c | 6 +++++-
net/sctp/stream_interleave.c | 7 ++++---
net/sctp/ulpqueue.c | 4 ++--
6 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index bc7808a..7eaa294 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -2077,6 +2077,8 @@ struct sctp_association {
int sent_cnt_removable;
+ __u16 subscribe;
+
__u64 abandoned_unsent[SCTP_PR_INDEX(MAX) + 1];
__u64 abandoned_sent[SCTP_PR_INDEX(MAX) + 1];
};
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 6a28b96..685c7ef 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -135,6 +135,8 @@ static struct sctp_association *sctp_association_init(
*/
asoc->max_burst = sp->max_burst;
+ asoc->subscribe = sp->subscribe;
+
/* initialize association timers */
asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_COOKIE] = asoc->rto_initial;
asoc->timeouts[SCTP_EVENT_TIMEOUT_T1_INIT] = asoc->rto_initial;
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 6c761af..0b203b8 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -86,11 +86,10 @@ void sctp_datamsg_free(struct sctp_datamsg *msg)
/* Final destructruction of datamsg memory. */
static void sctp_datamsg_destroy(struct sctp_datamsg *msg)
{
+ struct sctp_association *asoc = NULL;
struct list_head *pos, *temp;
struct sctp_chunk *chunk;
- struct sctp_sock *sp;
struct sctp_ulpevent *ev;
- struct sctp_association *asoc = NULL;
int error = 0, notify;
/* If we failed, we may need to notify. */
@@ -108,8 +107,7 @@ static void sctp_datamsg_destroy(struct sctp_datamsg *msg)
else
error = asoc->outqueue.error;
- sp = sctp_sk(asoc->base.sk);
- notify = sctp_ulpevent_type_enabled(sp->subscribe,
+ notify = sctp_ulpevent_type_enabled(asoc->subscribe,
SCTP_SEND_FAILED);
}
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 9d75129..c771827 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2307,6 +2307,7 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
struct sctp_event_subscribe subscribe;
__u8 *sn_type = (__u8 *)&subscribe;
struct sctp_sock *sp = sctp_sk(sk);
+ struct sctp_association *asoc;
int i;
if (optlen > sizeof(struct sctp_event_subscribe))
@@ -2319,14 +2320,17 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
sctp_ulpevent_type_set(&sp->subscribe, SCTP_SN_TYPE_BASE + i,
sn_type[i]);
+ list_for_each_entry(asoc, &sp->ep->asocs, asocs)
+ asoc->subscribe = sctp_sk(sk)->subscribe;
+
/* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
* if there is no data to be sent or retransmit, the stack will
* immediately send up this notification.
*/
if (sctp_ulpevent_type_enabled(sp->subscribe, SCTP_SENDER_DRY_EVENT)) {
- struct sctp_association *asoc = sctp_id2assoc(sk, 0);
struct sctp_ulpevent *event;
+ asoc = sctp_id2assoc(sk, 0);
if (asoc && sctp_outq_is_empty(&asoc->outqueue)) {
event = sctp_ulpevent_make_sender_dry_event(asoc,
GFP_USER | __GFP_NOWARN);
diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c
index ceef5a3..a6bf215 100644
--- a/net/sctp/stream_interleave.c
+++ b/net/sctp/stream_interleave.c
@@ -503,7 +503,7 @@ static int sctp_enqueue_event(struct sctp_ulpq *ulpq,
sk_incoming_cpu_update(sk);
}
- if (!sctp_ulpevent_is_enabled(event, sp->subscribe))
+ if (!sctp_ulpevent_is_enabled(event, ulpq->asoc->subscribe))
goto out_free;
if (skb_list)
@@ -992,16 +992,17 @@ static void sctp_intl_stream_abort_pd(struct sctp_ulpq *ulpq, __u16 sid,
__u32 mid, __u16 flags, gfp_t gfp)
{
struct sock *sk = ulpq->asoc->base.sk;
- struct sctp_sock *sp = sctp_sk(sk);
struct sctp_ulpevent *ev = NULL;
- if (!sctp_ulpevent_type_enabled(sp->subscribe,
+ if (!sctp_ulpevent_type_enabled(ulpq->asoc->subscribe,
SCTP_PARTIAL_DELIVERY_EVENT))
return;
ev = sctp_ulpevent_make_pdapi(ulpq->asoc, SCTP_PARTIAL_DELIVERY_ABORTED,
sid, mid, flags, gfp);
if (ev) {
+ struct sctp_sock *sp = sctp_sk(sk);
+
__skb_queue_tail(&sk->sk_receive_queue, sctp_event2skb(ev));
if (!sp->data_ready_signalled) {
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index b36dd90..5dde921 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -219,7 +219,7 @@ int sctp_ulpq_tail_event(struct sctp_ulpq *ulpq, struct sctp_ulpevent *event)
sk_incoming_cpu_update(sk);
}
/* Check if the user wishes to receive this event. */
- if (!sctp_ulpevent_is_enabled(event, sp->subscribe))
+ if (!sctp_ulpevent_is_enabled(event, ulpq->asoc->subscribe))
goto out_free;
/* If we are in partial delivery mode, post to the lobby until
@@ -1137,7 +1137,7 @@ void sctp_ulpq_abort_pd(struct sctp_ulpq *ulpq, gfp_t gfp)
sk = ulpq->asoc->base.sk;
sp = sctp_sk(sk);
- if (sctp_ulpevent_type_enabled(sp->subscribe,
+ if (sctp_ulpevent_type_enabled(ulpq->asoc->subscribe,
SCTP_PARTIAL_DELIVERY_EVENT))
ev = sctp_ulpevent_make_pdapi(ulpq->asoc,
SCTP_PARTIAL_DELIVERY_ABORTED,
--
2.1.0
^ permalink raw reply related
* [PATCHv3 net-next 3/4] sctp: rename enum sctp_event to sctp_event_type
From: Xin Long @ 2018-11-18 8:08 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: Marcelo Ricardo Leitner, Neil Horman, davem
In-Reply-To: <cover.1542528309.git.lucien.xin@gmail.com>
sctp_event is a structure name defined in RFC for sockopt
SCTP_EVENT. To avoid the conflict, rename it.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
include/net/sctp/constants.h | 2 +-
include/net/sctp/sm.h | 4 ++--
net/sctp/primitive.c | 2 +-
net/sctp/sm_sideeffect.c | 12 ++++++------
net/sctp/sm_statetable.c | 2 +-
5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/include/net/sctp/constants.h b/include/net/sctp/constants.h
index 8dadc74..4588bdc 100644
--- a/include/net/sctp/constants.h
+++ b/include/net/sctp/constants.h
@@ -71,7 +71,7 @@ enum { SCTP_DEFAULT_INSTREAMS = SCTP_MAX_STREAM };
SCTP_NUM_AUTH_CHUNK_TYPES)
/* These are the different flavours of event. */
-enum sctp_event {
+enum sctp_event_type {
SCTP_EVENT_T_CHUNK = 1,
SCTP_EVENT_T_TIMEOUT,
SCTP_EVENT_T_OTHER,
diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
index 9e3d327..24825a8 100644
--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h
@@ -173,7 +173,7 @@ sctp_state_fn_t sctp_sf_autoclose_timer_expire;
__u8 sctp_get_chunk_type(struct sctp_chunk *chunk);
const struct sctp_sm_table_entry *sctp_sm_lookup_event(
struct net *net,
- enum sctp_event event_type,
+ enum sctp_event_type event_type,
enum sctp_state state,
union sctp_subtype event_subtype);
int sctp_chunk_iif(const struct sctp_chunk *);
@@ -313,7 +313,7 @@ struct sctp_chunk *sctp_process_strreset_resp(
/* Prototypes for statetable processing. */
-int sctp_do_sm(struct net *net, enum sctp_event event_type,
+int sctp_do_sm(struct net *net, enum sctp_event_type event_type,
union sctp_subtype subtype, enum sctp_state state,
struct sctp_endpoint *ep, struct sctp_association *asoc,
void *event_arg, gfp_t gfp);
diff --git a/net/sctp/primitive.c b/net/sctp/primitive.c
index c0817f7a..a8c4c33 100644
--- a/net/sctp/primitive.c
+++ b/net/sctp/primitive.c
@@ -53,7 +53,7 @@
int sctp_primitive_ ## name(struct net *net, struct sctp_association *asoc, \
void *arg) { \
int error = 0; \
- enum sctp_event event_type; union sctp_subtype subtype; \
+ enum sctp_event_type event_type; union sctp_subtype subtype; \
enum sctp_state state; \
struct sctp_endpoint *ep; \
\
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 85d3930..1d143bc 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -52,7 +52,7 @@
#include <net/sctp/sm.h>
#include <net/sctp/stream_sched.h>
-static int sctp_cmd_interpreter(enum sctp_event event_type,
+static int sctp_cmd_interpreter(enum sctp_event_type event_type,
union sctp_subtype subtype,
enum sctp_state state,
struct sctp_endpoint *ep,
@@ -61,7 +61,7 @@ static int sctp_cmd_interpreter(enum sctp_event event_type,
enum sctp_disposition status,
struct sctp_cmd_seq *commands,
gfp_t gfp);
-static int sctp_side_effects(enum sctp_event event_type,
+static int sctp_side_effects(enum sctp_event_type event_type,
union sctp_subtype subtype,
enum sctp_state state,
struct sctp_endpoint *ep,
@@ -623,7 +623,7 @@ static void sctp_cmd_init_failed(struct sctp_cmd_seq *commands,
/* Worker routine to handle SCTP_CMD_ASSOC_FAILED. */
static void sctp_cmd_assoc_failed(struct sctp_cmd_seq *commands,
struct sctp_association *asoc,
- enum sctp_event event_type,
+ enum sctp_event_type event_type,
union sctp_subtype subtype,
struct sctp_chunk *chunk,
unsigned int error)
@@ -1162,7 +1162,7 @@ static void sctp_cmd_send_asconf(struct sctp_association *asoc)
* If you want to understand all of lksctp, this is a
* good place to start.
*/
-int sctp_do_sm(struct net *net, enum sctp_event event_type,
+int sctp_do_sm(struct net *net, enum sctp_event_type event_type,
union sctp_subtype subtype, enum sctp_state state,
struct sctp_endpoint *ep, struct sctp_association *asoc,
void *event_arg, gfp_t gfp)
@@ -1199,7 +1199,7 @@ int sctp_do_sm(struct net *net, enum sctp_event event_type,
/*****************************************************************
* This the master state function side effect processing function.
*****************************************************************/
-static int sctp_side_effects(enum sctp_event event_type,
+static int sctp_side_effects(enum sctp_event_type event_type,
union sctp_subtype subtype,
enum sctp_state state,
struct sctp_endpoint *ep,
@@ -1285,7 +1285,7 @@ static int sctp_side_effects(enum sctp_event event_type,
********************************************************************/
/* This is the side-effect interpreter. */
-static int sctp_cmd_interpreter(enum sctp_event event_type,
+static int sctp_cmd_interpreter(enum sctp_event_type event_type,
union sctp_subtype subtype,
enum sctp_state state,
struct sctp_endpoint *ep,
diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c
index 691d9dc..d239b94 100644
--- a/net/sctp/sm_statetable.c
+++ b/net/sctp/sm_statetable.c
@@ -79,7 +79,7 @@ static const struct sctp_sm_table_entry bug = {
const struct sctp_sm_table_entry *sctp_sm_lookup_event(
struct net *net,
- enum sctp_event event_type,
+ enum sctp_event_type event_type,
enum sctp_state state,
union sctp_subtype event_subtype)
{
--
2.1.0
^ permalink raw reply related
* [PATCHv3 net-next 4/4] sctp: add sockopt SCTP_EVENT
From: Xin Long @ 2018-11-18 8:08 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: Marcelo Ricardo Leitner, Neil Horman, davem
In-Reply-To: <cover.1542528309.git.lucien.xin@gmail.com>
This patch adds sockopt SCTP_EVENT described in rfc6525#section-6.2.
With this sockopt users can subscribe to an event from a specified
asoc.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
include/uapi/linux/sctp.h | 7 ++++
net/sctp/socket.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 95 insertions(+)
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index 66afa5b..d584073 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -129,6 +129,7 @@ typedef __s32 sctp_assoc_t;
#define SCTP_STREAM_SCHEDULER_VALUE 124
#define SCTP_INTERLEAVING_SUPPORTED 125
#define SCTP_SENDMSG_CONNECT 126
+#define SCTP_EVENT 127
/* PR-SCTP policies */
#define SCTP_PR_SCTP_NONE 0x0000
@@ -1154,6 +1155,12 @@ struct sctp_add_streams {
uint16_t sas_outstrms;
};
+struct sctp_event {
+ sctp_assoc_t se_assoc_id;
+ uint16_t se_type;
+ uint8_t se_on;
+};
+
/* SCTP Stream schedulers */
enum sctp_sched_type {
SCTP_SS_FCFS,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index c771827..e16c090 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4288,6 +4288,57 @@ static int sctp_setsockopt_reuse_port(struct sock *sk, char __user *optval,
return 0;
}
+static int sctp_setsockopt_event(struct sock *sk, char __user *optval,
+ unsigned int optlen)
+{
+ struct sctp_association *asoc;
+ struct sctp_ulpevent *event;
+ struct sctp_event param;
+ int retval = 0;
+
+ if (optlen < sizeof(param)) {
+ retval = -EINVAL;
+ goto out;
+ }
+
+ optlen = sizeof(param);
+ if (copy_from_user(¶m, optval, optlen)) {
+ retval = -EFAULT;
+ goto out;
+ }
+
+ if (param.se_type < SCTP_SN_TYPE_BASE ||
+ param.se_type > SCTP_SN_TYPE_MAX) {
+ retval = -EINVAL;
+ goto out;
+ }
+
+ asoc = sctp_id2assoc(sk, param.se_assoc_id);
+ if (!asoc) {
+ sctp_ulpevent_type_set(&sctp_sk(sk)->subscribe,
+ param.se_type, param.se_on);
+ goto out;
+ }
+
+ sctp_ulpevent_type_set(&asoc->subscribe, param.se_type, param.se_on);
+
+ if (param.se_type == SCTP_SENDER_DRY_EVENT && param.se_on) {
+ if (sctp_outq_is_empty(&asoc->outqueue)) {
+ event = sctp_ulpevent_make_sender_dry_event(asoc,
+ GFP_USER | __GFP_NOWARN);
+ if (!event) {
+ retval = -ENOMEM;
+ goto out;
+ }
+
+ asoc->stream.si->enqueue_event(&asoc->ulpq, event);
+ }
+ }
+
+out:
+ return retval;
+}
+
/* API 6.2 setsockopt(), getsockopt()
*
* Applications use setsockopt() and getsockopt() to set or retrieve
@@ -4485,6 +4536,9 @@ static int sctp_setsockopt(struct sock *sk, int level, int optname,
case SCTP_REUSE_PORT:
retval = sctp_setsockopt_reuse_port(sk, optval, optlen);
break;
+ case SCTP_EVENT:
+ retval = sctp_setsockopt_event(sk, optval, optlen);
+ break;
default:
retval = -ENOPROTOOPT;
break;
@@ -7430,6 +7484,37 @@ static int sctp_getsockopt_reuse_port(struct sock *sk, int len,
return 0;
}
+static int sctp_getsockopt_event(struct sock *sk, int len, char __user *optval,
+ int __user *optlen)
+{
+ struct sctp_association *asoc;
+ struct sctp_event param;
+ __u16 subscribe;
+
+ if (len < sizeof(param))
+ return -EINVAL;
+
+ len = sizeof(param);
+ if (copy_from_user(¶m, optval, len))
+ return -EFAULT;
+
+ if (param.se_type < SCTP_SN_TYPE_BASE ||
+ param.se_type > SCTP_SN_TYPE_MAX)
+ return -EINVAL;
+
+ asoc = sctp_id2assoc(sk, param.se_assoc_id);
+ subscribe = asoc ? asoc->subscribe : sctp_sk(sk)->subscribe;
+ param.se_on = sctp_ulpevent_type_enabled(subscribe, param.se_type);
+
+ if (put_user(len, optlen))
+ return -EFAULT;
+
+ if (copy_to_user(optval, ¶m, len))
+ return -EFAULT;
+
+ return 0;
+}
+
static int sctp_getsockopt(struct sock *sk, int level, int optname,
char __user *optval, int __user *optlen)
{
@@ -7628,6 +7713,9 @@ static int sctp_getsockopt(struct sock *sk, int level, int optname,
case SCTP_REUSE_PORT:
retval = sctp_getsockopt_reuse_port(sk, len, optval, optlen);
break;
+ case SCTP_EVENT:
+ retval = sctp_getsockopt_event(sk, len, optval, optlen);
+ break;
default:
retval = -ENOPROTOOPT;
break;
--
2.1.0
^ permalink raw reply related
* [PATCH net] Revert "sctp: remove sctp_transport_pmtu_check"
From: Xin Long @ 2018-11-18 8:14 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman
This reverts commit 22d7be267eaa8114dcc28d66c1c347f667d7878a.
The dst's mtu in transport can be updated by a non sctp place like
in xfrm where the MTU information didn't get synced between asoc,
transport and dst, so it is still needed to do the pmtu check
in sctp_packet_config.
---
include/net/sctp/sctp.h | 12 ++++++++++++
net/sctp/output.c | 3 +++
2 files changed, 15 insertions(+)
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index 8c2caa3..ab9242e 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -608,4 +608,16 @@ static inline __u32 sctp_dst_mtu(const struct dst_entry *dst)
SCTP_DEFAULT_MINSEGMENT));
}
+static inline bool sctp_transport_pmtu_check(struct sctp_transport *t)
+{
+ __u32 pmtu = sctp_dst_mtu(t->dst);
+
+ if (t->pathmtu == pmtu)
+ return true;
+
+ t->pathmtu = pmtu;
+
+ return false;
+}
+
#endif /* __net_sctp_h__ */
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 67939ad..0860122 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -118,6 +118,9 @@ void sctp_packet_config(struct sctp_packet *packet, __u32 vtag,
sctp_transport_route(tp, NULL, sp);
if (asoc->param_flags & SPP_PMTUD_ENABLE)
sctp_assoc_sync_pmtu(asoc);
+ } else if (!sctp_transport_pmtu_check(tp)) {
+ if (asoc->param_flags & SPP_PMTUD_ENABLE)
+ sctp_assoc_sync_pmtu(asoc);
}
if (asoc->pmtu_pending) {
--
2.1.0
^ permalink raw reply related
* KASAN: use-after-free Read in sctp_hash_transport
From: syzbot @ 2018-11-18 19:23 UTC (permalink / raw)
To: davem, linux-kernel, linux-sctp, marcelo.leitner, netdev, nhorman,
syzkaller-bugs, vyasevich
Hello,
syzbot found the following crash on:
HEAD commit: e119a369b0f1 Merge branch 'SMSC95xx-driver-updates'
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=124f5f7b400000
kernel config: https://syzkaller.appspot.com/x/.config?x=d86f24333880b605
dashboard link: https://syzkaller.appspot.com/bug?extid=0b05d8aa7cb185107483
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0b05d8aa7cb185107483@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in sctp_hash_transport+0x803/0x810
net/sctp/input.c:958
Read of size 8 at addr ffff8881c6b98cb0 by task syz-executor5/3552
CPU: 0 PID: 3552 Comm: syz-executor5 Not tainted 4.20.0-rc2+ #299
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
sctp_hash_transport+0x803/0x810 net/sctp/input.c:958
sctp_assoc_add_peer+0xa21/0x10d0 net/sctp/associola.c:724
sctp_sendmsg_new_asoc+0x5da/0x11f0 net/sctp/socket.c:1757
sctp_sendmsg+0x18a5/0x1da0 net/sctp/socket.c:2086
inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:631
___sys_sendmsg+0x7fd/0x930 net/socket.c:2116
__sys_sendmsg+0x11d/0x280 net/socket.c:2154
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg net/socket.c:2161 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2161
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f45462c7c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
RDX: 0000000000000000 RSI: 000000002001afc8 RDI: 0000000000000005
RBP: 000000000072c0e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f45462c86d4
R13: 00000000004c381e R14: 00000000004d59e8 R15: 00000000ffffffff
Allocated by task 3509:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
kmalloc include/linux/slab.h:546 [inline]
kzalloc include/linux/slab.h:741 [inline]
sctp_association_new+0x14e/0x2290 net/sctp/associola.c:311
sctp_sendmsg_new_asoc+0x39c/0x11f0 net/sctp/socket.c:1723
sctp_sendmsg+0x18a5/0x1da0 net/sctp/socket.c:2086
inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:631
___sys_sendmsg+0x7fd/0x930 net/socket.c:2116
__sys_sendmsg+0x11d/0x280 net/socket.c:2154
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg net/socket.c:2161 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2161
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 3552:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3817
sctp_association_destroy net/sctp/associola.c:437 [inline]
sctp_association_put+0x264/0x350 net/sctp/associola.c:889
sctp_transport_destroy net/sctp/transport.c:180 [inline]
sctp_transport_put+0x186/0x1f0 net/sctp/transport.c:340
sctp_hash_cmp+0x1ef/0x260 net/sctp/input.c:901
__rhashtable_lookup.isra.24.constprop.29+0x3b6/0x7d0
include/linux/rhashtable.h:483
rhltable_lookup include/linux/rhashtable.h:566 [inline]
sctp_hash_transport+0x2f6/0x810 net/sctp/input.c:954
sctp_assoc_add_peer+0xa21/0x10d0 net/sctp/associola.c:724
sctp_sendmsg_new_asoc+0x5da/0x11f0 net/sctp/socket.c:1757
sctp_sendmsg+0x18a5/0x1da0 net/sctp/socket.c:2086
inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:631
___sys_sendmsg+0x7fd/0x930 net/socket.c:2116
__sys_sendmsg+0x11d/0x280 net/socket.c:2154
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg net/socket.c:2161 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2161
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8881c6b98c00
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 176 bytes inside of
4096-byte region [ffff8881c6b98c00, ffff8881c6b99c00)
The buggy address belongs to the page:
page:ffffea00071ae600 count:1 mapcount:0 mapping:ffff8881da800dc0 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 ffffea0007175888 ffffea0006421308 ffff8881da800dc0
raw: 0000000000000000 ffff8881c6b98c00 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881c6b98b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881c6b98c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881c6b98c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c6b98d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c6b98d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox