Re: net/kcm: GPF in kcm_sendmsg

From: Cong Wang
Date: Mon Feb 13 2017 - 12:15:34 EST


On Mon, Feb 13, 2017 at 7:14 AM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> Hello,
>
> The following program triggers GPF in kcm_sendmsg:
>
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #define _GNU_SOURCE
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <stddef.h>
> #include <string.h>
> #include <unistd.h>
>
> int main()
> {
>     int sock = socket(41 /*AF_KCM*/, SOCK_SEQPACKET, 0);
>     struct mmsghdr msg;
>     memset(&msg, 0, sizeof(msg));
>     sendmmsg(sock, &msg, 1, 0);
>     return 0;
> }
>
>
> general protection fault: 0000 [#1] SMP KASAN
> Modules linked in:
> CPU: 2 PID: 2935 Comm: a.out Not tainted 4.10.0-rc8+ #218
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff88006b506440 task.stack: ffff8800662b8000
> RIP: 0010:kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048

Hmm, head is NULL in kcm_tx_msg(head)->last_skb = skb;,
I missed the !eor case in the previous fix.


> RSP: 0018:ffff8800662bf720 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000008 RSI: ffff88006b506c38 RDI: 0000000000000040
> RBP: ffff8800662bfa00 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000006 R11: 0000000000000000 R12: 7fffffffffffffff
> R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88006af12040
> FS: 0000000001077880(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000004b2140 CR3: 00000000651b7000 CR4: 00000000001406e0
> Call Trace:
> sock_sendmsg_nosec net/socket.c:635 [inline]
> sock_sendmsg+0xca/0x110 net/socket.c:645
> ___sys_sendmsg+0x4a3/0x9f0 net/socket.c:1985
> __sys_sendmmsg+0x25c/0x750 net/socket.c:2075
> SYSC_sendmmsg net/socket.c:2106 [inline]
> SyS_sendmmsg+0x35/0x60 net/socket.c:2101
> entry_SYSCALL_64_fastpath+0x1f/0xc2
> RIP: 0033:0x436dc9
> RSP: 002b:00007ffe84e1a938 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
> RAX: ffffffffffffffda RBX: 0000000000401730 RCX: 0000000000436dc9
> RDX: 0000000000000001 RSI: 00007ffe84e1a950 RDI: 0000000000000003
> RBP: 0000000000000000 R08: 000000000000000b R09: 0000000000000004
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004002b0
> R13: 00007ffe84e1aa88 R14: 0000000000000002 R15: 0000000000000000
> Code: 02 00 0f 85 d4 14 00 00 48 8b 85 c0 fd ff ff 48 8d 78 40 49 89
> 87 30 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
> 3c 02 00 0f 85 9d 14 00 00 48 8b 85 c0 fd ff ff 4c 89 70 40
> RIP: kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048 RSP: ffff8800662bf720
> ---[ end trace 62093774c8609871 ]---
>
>
> On commit 7089db84e356562f8ba737c29e472cc42d530dbc (4.10-rc8).
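The guard the reply is talking about, as an added example that is not part of this thread, the kernel source or the eventual patch: a stand-alone C model of the accept-and-queue step in a KCM-style sendmsg. The kernel's own names (kcm_tx_msg, seq_skb, last_skb, eor) are echoed by assumed toy names (struct skb, struct kcm_sock, tx_msg, model_sendmsg, run_scenario); none of them is the real layout. The point it shows is that a zero-length send allocates no skb, so with no partial message in flight head stays NULL, and both the EOR branch and the !EOR branch must check head before touching the control block that hangs off it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel types; every name here is an
 * assumption for the model, not the real kcm/sk_buff layout. */
struct skb {
    size_t len;
    struct skb *next;
    struct { struct skb *last_skb; } cb;   /* per-message control block */
};

/* Mirrors the shape of kcm_tx_msg(head): the control block lives inside the
 * head skb, so evaluating it with head == NULL is a NULL dereference. */
#define tx_msg(head) (&(head)->cb)

struct kcm_sock {
    struct skb *seq_skb;   /* head of a partial (not yet EOR'd) message, or NULL */
    int tx_msgs;           /* completed messages handed to the send queue */
};

static void free_chain(struct skb *head)
{
    while (head) {
        struct skb *next = head->next;
        free(head);
        head = next;
    }
}

/* Bytes currently held in the partial message, 0 if there is none. */
size_t partial_len(const struct kcm_sock *kcm)
{
    size_t total = 0;
    for (const struct skb *s = kcm->seq_skb; s; s = s->next)
        total += s->len;
    return total;
}

/* Model of the accept-and-queue step. len is the payload size of this call,
 * eor says whether the record is complete after it. Returns bytes accepted,
 * or -1 if allocation fails. A zero-length call allocates no skb, so with no
 * partial message in flight head stays NULL in both branches below; that is
 * the situation the report describes. */
int model_sendmsg(struct kcm_sock *kcm, size_t len, bool eor)
{
    struct skb *head = kcm->seq_skb;   /* resume a partial message if there is one */
    struct skb *skb = NULL;

    if (len) {
        skb = calloc(1, sizeof *skb);
        if (!skb)
            return -1;
        skb->len = len;
        if (head)
            tx_msg(head)->last_skb->next = skb;   /* append to the partial message */
        else
            head = skb;                           /* a new message starts here */
    }

    if (eor) {
        /* Message complete: queue it, but only if something was ever built. */
        if (head) {
            kcm->tx_msgs++;
            kcm->seq_skb = NULL;
            free_chain(head);   /* the model "transmits" by discarding */
        }
    } else {
        /* Message not complete: remember where it ends. This branch needs
         * the same head != NULL guard as the EOR branch above. */
        if (head) {
            kcm->seq_skb = head;
            if (skb)
                tx_msg(head)->last_skb = skb;
        }
    }
    return (int)len;
}

/* Scenario in the shape of the report (a zero-length, non-EOR send on a
 * fresh socket), then a normal two-part message. Returns the number of
 * completed messages on success and a negative code naming the failed step. */
int run_scenario(void)
{
    struct kcm_sock kcm = {0};

    if (model_sendmsg(&kcm, 0, false) != 0 || kcm.seq_skb != NULL)
        return -1;   /* nothing to remember for an empty partial send */
    if (model_sendmsg(&kcm, 0, true) != 0 || kcm.tx_msgs != 0)
        return -2;   /* nothing to queue for an empty EOR send */
    if (model_sendmsg(&kcm, 10, false) != 10 || partial_len(&kcm) != 10)
        return -3;
    if (model_sendmsg(&kcm, 0, false) != 0 || partial_len(&kcm) != 10)
        return -4;   /* empty send with a partial message in flight */
    if (model_sendmsg(&kcm, 5, true) != 5 || kcm.seq_skb != NULL)
        return -5;
    return kcm.tx_msgs;
}

int main(void)
{
    return run_scenario() == 1 ? 0 : 1;
}
```

Removing the `if (head)` in the !eor branch reproduces the shape of the crash in the report on the very first call of run_scenario: tx_msg(NULL)->last_skb is a write through a NULL-based pointer, which is what KASAN flagged as a general protection fault at that line.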