* [PATCH v2 0/3] Fix three issues found by syzbot
From: Ying Xue @ 2019-08-12  7:32 UTC (permalink / raw)
  To: davem, netdev
  Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski

In this series, we try to fix two memory leak issues and another issue of
calling smp_processor_id() in preemptible context.

Changes since v1:
 - Fix "Reported-by:" missing in patch #3, which was reported by Jakub
   Kicinski

Ying Xue (3):
  tipc: fix memory leak issue
  tipc: fix memory leak issue
  tipc: fix issue of calling smp_processor_id() in preemptible

 net/tipc/group.c     | 22 +++++++++++++---------
 net/tipc/node.c      |  7 +++++--
 net/tipc/udp_media.c | 12 +++++++++---
 3 files changed, 27 insertions(+), 14 deletions(-)

-- 
2.7.4



* [PATCH v2 1/3] tipc: fix memory leak issue
From: Ying Xue @ 2019-08-12  7:32 UTC (permalink / raw)
  To: davem, netdev
  Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski

syzbot found the following memory leak:

[   68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff88810df83c00 (size 512):
  comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
  hex dump (first 32 bytes):
    38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff  8.......8.......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0
    [<000000004c563922>] __alloc_skb+0x6e/0x210
    [<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80
    [<00000000d151ef84>] tipc_msg_create+0x37/0xe0
    [<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
    [<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
    [<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
    [<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0
    [<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0
    [<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
    [<00000000b6375182>] tipc_group_delete+0xe6/0x130
    [<000000000361ba2b>] tipc_sk_leave+0x57/0xb0
    [<000000009df90505>] tipc_release+0x7b/0x5e0
    [<000000009f3189da>] __sock_release+0x4b/0xe0
    [<00000000d3568ee0>] sock_close+0x1b/0x30
    [<00000000266a6215>] __fput+0xed/0x300

Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
---
 net/tipc/node.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/tipc/node.c b/net/tipc/node.c
index 7ca0190..d1852fc 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1469,10 +1469,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
 	spin_unlock_bh(&le->lock);
 	tipc_node_read_unlock(n);
 
-	if (unlikely(rc == -ENOBUFS))
+	if (unlikely(rc == -ENOBUFS)) {
 		tipc_node_link_down(n, bearer_id, false);
-	else
+		skb_queue_purge(list);
+		skb_queue_purge(&xmitq);
+	} else {
 		tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr);
+	}
 
 	tipc_node_put(n);
 
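Review bot: `skb_queue_purge(&xmitq)` takes the queue spinlock, and `xmitq` is a stack-local queue inside tipc_node_xmit(); if it is set up with `__skb_queue_head_init()`, which does not initialise that lock, this is the LOCKDEP crash Eric Dumazet points to in his reply. Use the lock-free `__skb_queue_purge(&xmitq)` for the local queue, and check how `list` is initialised by its callers before choosing the locked or unlocked variant for it. Also confirm that no caller of tipc_node_xmit() frees `list` itself on a -ENOBUFS return, otherwise the purge here turns the leak into a double free.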
-- 
2.7.4



* [PATCH v2 2/3] tipc: fix memory leak issue
From: Ying Xue @ 2019-08-12  7:32 UTC (permalink / raw)
  To: davem, netdev
  Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski

syzbot found the following memory leak issue:

[   72.286706][ T7064] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff888122bca200 (size 128):
  comm "syz-executor232", pid 7065, jiffies 4294943817 (age 8.880s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 18 a2 bc 22 81 88 ff ff  ..........."....
  backtrace:
    [<000000005bada299>] kmem_cache_alloc_trace+0x145/0x2c0
    [<00000000e7bcdc9f>] tipc_group_create_member+0x3c/0x190
    [<0000000005f56f40>] tipc_group_add_member+0x34/0x40
    [<0000000044406683>] tipc_nametbl_build_group+0x9b/0xf0
    [<000000009f71e803>] tipc_setsockopt+0x170/0x490
    [<000000007f61cbc2>] __sys_setsockopt+0x10f/0x220
    [<00000000cc630372>] __x64_sys_setsockopt+0x26/0x30
    [<00000000ec30be33>] do_syscall_64+0x76/0x1a0
    [<00000000271be3e6>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported-by: syzbot+f95d90c454864b3b5bc9@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
---
 net/tipc/group.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/net/tipc/group.c b/net/tipc/group.c
index 5f98d38..cbc540a 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_find_node(struct tipc_group *grp,
 	return NULL;
 }
 
-static void tipc_group_add_to_tree(struct tipc_group *grp,
-				   struct tipc_member *m)
+struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp,
+					   struct tipc_member *m)
 {
 	u64 nkey, key = (u64)m->node << 32 | m->port;
 	struct rb_node **n, *parent = NULL;
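Review bot: the `static` qualifier is dropped from tipc_group_add_to_tree() together with the return-type change, but nothing in this patch adds an external caller or a prototype, so the function should stay `static` (a non-static function without a prototype also draws a sparse / -Wmissing-prototypes warning). Suggested: `static struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp,`.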
@@ -282,7 +282,6 @@ static void tipc_group_add_to_tree(struct tipc_group *grp,
 
 	n = &grp->members.rb_node;
 	while (*n) {
-		tmp = container_of(*n, struct tipc_member, tree_node);
 		parent = *n;
 		tmp = container_of(parent, struct tipc_member, tree_node);
 		nkey = (u64)tmp->node << 32 | tmp->port;
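Review bot: dropping the redundant first `tmp = container_of(*n, ...)` is harmless (the same value is recomputed from `parent` on the following line), but it is unrelated to the leak and is not mentioned in the changelog; either split it into its own patch or note it in the commit message so reviewers do not look for a behavioural change in this hunk.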
@@ -291,17 +290,18 @@ static void tipc_group_add_to_tree(struct tipc_group *grp,
 		else if (key > nkey)
 			n = &(*n)->rb_right;
 		else
-			return;
+			return tmp;
 	}
 	rb_link_node(&m->tree_node, parent, n);
 	rb_insert_color(&m->tree_node, &grp->members);
+	return m;
 }
 
 static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
 						    u32 node, u32 port,
 						    u32 instance, int state)
 {
-	struct tipc_member *m;
+	struct tipc_member *m, *n;
 
 	m = kzalloc(sizeof(*m), GFP_ATOMIC);
 	if (!m)
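Review bot: returning `tmp` on a key match and `m` after a successful insert lets the caller detect the duplicate, but the changelog never states that this is the root cause: a second tipc_group_create_member() call for a node/port key that is already in the tree used to leave the freshly kzalloc'd member unlinked and never freed. Please say so in the commit message, and add a short comment above the function documenting the "returns the existing member on collision" contract, since the return value now carries meaning.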
@@ -315,10 +315,14 @@ static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
 	m->instance = instance;
 	m->bc_acked = grp->bc_snd_nxt - 1;
 	grp->member_cnt++;
-	tipc_group_add_to_tree(grp, m);
-	tipc_nlist_add(&grp->dests, m->node);
-	m->state = state;
-	return m;
+	n = tipc_group_add_to_tree(grp, m);
+	if (n == m) {
+		tipc_nlist_add(&grp->dests, m->node);
+		m->state = state;
+	} else {
+		kfree(m);
+	}
+	return n;
 }
 
 void tipc_group_add_member(struct tipc_group *grp, u32 node,
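Review bot: `grp->member_cnt++` still runs before `tipc_group_add_to_tree()`, so on the duplicate path the new member is freed but the counter is not rolled back and `member_cnt` drifts up by one per collision. Either move the increment into the `n == m` branch or add `grp->member_cnt--;` next to `kfree(m);`. Also check the callers: tipc_group_create_member() now returns the existing member on a collision, and tipc_group_add_member() (whose signature is the last context line) returns void, so verify that no caller goes on to set `state` or `instance` on the returned pointer assuming it is the newly created member.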
-- 
2.7.4



* [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible
From: Ying Xue @ 2019-08-12  7:32 UTC (permalink / raw)
  To: davem, netdev
  Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski

syzbot found the following issue:

[   81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
[   81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
[   81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
[   81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   81.159480][ T8612] Call Trace:
[   81.162789][ T8612]  dump_stack+0x172/0x1f0
[   81.167123][ T8612]  debug_smp_processor_id+0x251/0x280
[   81.172479][ T8612]  dst_cache_get+0x3d/0xb0
[   81.176928][ T8612]  tipc_udp_xmit.isra.0+0xc4/0xb80
[   81.182046][ T8612]  ? kasan_kmalloc+0x9/0x10
[   81.186531][ T8612]  ? tipc_udp_addr2str+0x170/0x170
[   81.191641][ T8612]  ? __copy_skb_header+0x2e8/0x560
[   81.196750][ T8612]  ? __skb_checksum_complete+0x3f0/0x3f0
[   81.202364][ T8612]  ? netdev_alloc_frag+0x1b0/0x1b0
[   81.207452][ T8612]  ? skb_copy_header+0x21/0x2b0
[   81.212282][ T8612]  ? __pskb_copy_fclone+0x516/0xc90
[   81.217470][ T8612]  tipc_udp_send_msg+0x29a/0x4b0
[   81.222400][ T8612]  tipc_bearer_xmit_skb+0x16c/0x360
[   81.227585][ T8612]  tipc_enable_bearer+0xabe/0xd20
[   81.232606][ T8612]  ? __nla_validate_parse+0x2d0/0x1ee0
[   81.238048][ T8612]  ? tipc_bearer_xmit_skb+0x360/0x360
[   81.243401][ T8612]  ? nla_memcpy+0xb0/0xb0
[   81.247710][ T8612]  ? nla_memcpy+0xb0/0xb0
[   81.252020][ T8612]  ? __nla_parse+0x43/0x60
[   81.256417][ T8612]  __tipc_nl_bearer_enable+0x2de/0x3a0
[   81.261856][ T8612]  ? __tipc_nl_bearer_enable+0x2de/0x3a0
[   81.267467][ T8612]  ? tipc_nl_bearer_disable+0x40/0x40
[   81.272848][ T8612]  ? unwind_get_return_address+0x58/0xa0
[   81.278501][ T8612]  ? lock_acquire+0x16f/0x3f0
[   81.283190][ T8612]  tipc_nl_bearer_enable+0x23/0x40
[   81.288300][ T8612]  genl_family_rcv_msg+0x74b/0xf90
[   81.293404][ T8612]  ? genl_unregister_family+0x790/0x790
[   81.298935][ T8612]  ? __lock_acquire+0x54f/0x5490
[   81.303852][ T8612]  ? __netlink_lookup+0x3fa/0x7b0
[   81.308865][ T8612]  genl_rcv_msg+0xca/0x16c
[   81.313266][ T8612]  netlink_rcv_skb+0x177/0x450
[   81.318043][ T8612]  ? genl_family_rcv_msg+0xf90/0xf90
[   81.323311][ T8612]  ? netlink_ack+0xb50/0xb50
[   81.327906][ T8612]  ? lock_acquire+0x16f/0x3f0
[   81.332589][ T8612]  ? kasan_check_write+0x14/0x20
[   81.337511][ T8612]  genl_rcv+0x29/0x40
[   81.341485][ T8612]  netlink_unicast+0x531/0x710
[   81.346268][ T8612]  ? netlink_attachskb+0x770/0x770
[   81.351374][ T8612]  ? _copy_from_iter_full+0x25d/0x8c0
[   81.356765][ T8612]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   81.362479][ T8612]  ? __check_object_size+0x3d/0x42f
[   81.367667][ T8612]  netlink_sendmsg+0x8ae/0xd70
[   81.372415][ T8612]  ? netlink_unicast+0x710/0x710
[   81.377520][ T8612]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[   81.383051][ T8612]  ? apparmor_socket_sendmsg+0x2a/0x30
[   81.388530][ T8612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   81.394775][ T8612]  ? security_socket_sendmsg+0x8d/0xc0
[   81.400240][ T8612]  ? netlink_unicast+0x710/0x710
[   81.405161][ T8612]  sock_sendmsg+0xd7/0x130
[   81.409561][ T8612]  ___sys_sendmsg+0x803/0x920
[   81.414220][ T8612]  ? copy_msghdr_from_user+0x430/0x430
[   81.419667][ T8612]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[   81.425461][ T8612]  ? debug_object_active_state+0x25d/0x380
[   81.431255][ T8612]  ? __lock_acquire+0x54f/0x5490
[   81.436174][ T8612]  ? kasan_check_read+0x11/0x20
[   81.441208][ T8612]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   81.447008][ T8612]  ? mark_held_locks+0xf0/0xf0
[   81.451768][ T8612]  ? __call_rcu.constprop.0+0x28b/0x720
[   81.457298][ T8612]  ? call_rcu+0xb/0x10
[   81.461353][ T8612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   81.467589][ T8612]  ? __fget_light+0x1a9/0x230
[   81.472249][ T8612]  ? __fdget+0x1b/0x20
[   81.476301][ T8612]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   81.482545][ T8612]  __sys_sendmsg+0x105/0x1d0
[   81.487115][ T8612]  ? __ia32_sys_shutdown+0x80/0x80
[   81.492208][ T8612]  ? blkcg_maybe_throttle_current+0x5e2/0xfb0
[   81.498272][ T8612]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   81.503726][ T8612]  ? do_syscall_64+0x26/0x680
[   81.508385][ T8612]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   81.514444][ T8612]  ? do_syscall_64+0x26/0x680
[   81.519110][ T8612]  __x64_sys_sendmsg+0x78/0xb0
[   81.523862][ T8612]  do_syscall_64+0xfd/0x680
[   81.528352][ T8612]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   81.534234][ T8612] RIP: 0033:0x444679
[   81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
[   81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
[   81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
[   81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
[   81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000

In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
smp_processor_id() called by dst_cache_get() cannot be invoked in
preemptible context; as a result, the complaint above was reported.

Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
Reported-by: syzbot+1a68504d96cd17b33a05@syzkaller.appspotmail.com
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
---
 net/tipc/udp_media.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 287df687..ca3ae2e 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
 	struct udp_bearer *ub;
 	int err = 0;
 
+	local_bh_disable();
+
 	if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
 		err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
 		if (err)
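Review bot: the `local_bh_disable()` now covers all of tipc_udp_send_msg(), so every exit between here and the `out:` label must pair with a `local_bh_enable()`; the headroom failure path (`if (err)` at the end of this hunk) is only balanced if it jumps to `out:` rather than returning directly, which the hunk does not show. Please confirm that, and add a one-line comment above the call saying it exists to keep the per-CPU dst_cache_get() in tipc_udp_xmit() from running preemptible, since the reason is not obvious from the code.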
@@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
 		goto out;
 	}
 
-	if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
-		return tipc_udp_xmit(net, skb, ub, src, dst,
-				     &ub->rcast.dst_cache);
+	if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
+		err = tipc_udp_xmit(net, skb, ub, src, dst,
+				    &ub->rcast.dst_cache);
+		local_bh_enable();
+		return err;
+	}
 
 	/* Replicast, send an skb to each configured IP address */
 	list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
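Review bot: saving `err` and re-enabling BH before the unicast return is correct, but a smaller critical section would wrap only the dst_cache_get()/dst_cache_set() calls inside tipc_udp_xmit() instead of the whole send routine; if the wider section is deliberate, say why in the changelog. Separately, the replicast loop that follows uses `list_for_each_entry_rcu()`: make sure it is covered by an explicit rcu_read_lock() (its own or the caller's) rather than relying on BH being disabled.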
@@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
 	err = 0;
 out:
 	kfree_skb(skb);
+	local_bh_enable();
 	return err;
 }
 
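Review bot: with `local_bh_enable()` at `out:` the balance holds for the `goto out` exits and the replicast fall-through, but the early `return err` in the unicast branch and this label are now two exit points that must be kept in sync; a short comment at `out:` noting that BH is disabled for the whole function would stop a later edit from adding a bare `return` between the label and the enable. The `Fixes:` tag and the `Reported-by:` added in v2 look correct.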
-- 
2.7.4



* Re: [PATCH v2 1/3] tipc: fix memory leak issue
From: Eric Dumazet @ 2019-08-12  7:54 UTC (permalink / raw)
  To: Ying Xue, davem, netdev
  Cc: jon.maloy, hdanton, tipc-discussion, syzkaller-bugs, jakub.kicinski



On 8/12/19 9:32 AM, Ying Xue wrote:
> syzbot found the following memory leak:
> 
> [   68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
> BUG: memory leak
> unreferenced object 0xffff88810df83c00 (size 512):
>   comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
>   hex dump (first 32 bytes):
>     38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff  8.......8.......
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0
>     [<000000004c563922>] __alloc_skb+0x6e/0x210
>     [<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80
>     [<00000000d151ef84>] tipc_msg_create+0x37/0xe0
>     [<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
>     [<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
>     [<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
>     [<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0
>     [<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0
>     [<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
>     [<00000000b6375182>] tipc_group_delete+0xe6/0x130
>     [<000000000361ba2b>] tipc_sk_leave+0x57/0xb0
>     [<000000009df90505>] tipc_release+0x7b/0x5e0
>     [<000000009f3189da>] __sock_release+0x4b/0xe0
>     [<00000000d3568ee0>] sock_close+0x1b/0x30
>     [<00000000266a6215>] __fput+0xed/0x300
> 
> Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com
> Signed-off-by: Hillf Danton <hdanton@sina.com>
> Signed-off-by: Ying Xue <ying.xue@windriver.com>
> ---
>  net/tipc/node.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/net/tipc/node.c b/net/tipc/node.c
> index 7ca0190..d1852fc 100644
> --- a/net/tipc/node.c
> +++ b/net/tipc/node.c
> @@ -1469,10 +1469,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
>  	spin_unlock_bh(&le->lock);
>  	tipc_node_read_unlock(n);
>  
> -	if (unlikely(rc == -ENOBUFS))
> +	if (unlikely(rc == -ENOBUFS)) {
>  		tipc_node_link_down(n, bearer_id, false);
> -	else
> +		skb_queue_purge(list);
> +		skb_queue_purge(&xmitq);

This will crash if you enable LOCKDEP

> +	} else {
>  		tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr);
> +	}
>  
>  	tipc_node_put(n);
>  
> 


* Re: [PATCH v2 0/3] Fix three issues found by syzbot
From: David Miller @ 2019-08-12 15:25 UTC (permalink / raw)
  To: ying.xue
  Cc: netdev, jon.maloy, hdanton, tipc-discussion, syzkaller-bugs,
	jakub.kicinski

From: Ying Xue <ying.xue@windriver.com>
Date: Mon, 12 Aug 2019 15:32:39 +0800

> Ying Xue (3):
>   tipc: fix memory leak issue
>   tipc: fix memory leak issue

Please make the subject lines for these two patches unique.  Perhaps
mention what part of the tipc code has the memory leak you are fixing.

Thanks.


* Re: [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible
From: Dmitry Vyukov @ 2020-02-19  8:29 UTC (permalink / raw)
  To: Ying Xue
  Cc: David Miller, netdev, Jon Maloy, Hillf Danton, tipc-discussion,
	syzkaller-bugs, Jakub Kicinski

On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <ying.xue@windriver.com> wrote:
>
> syzbot found the following issue:
>
> [   81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
> [   81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
> [   81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
> [   81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> [   81.159480][ T8612] Call Trace:
> [   81.162789][ T8612]  dump_stack+0x172/0x1f0
> [   81.167123][ T8612]  debug_smp_processor_id+0x251/0x280
> [   81.172479][ T8612]  dst_cache_get+0x3d/0xb0
> [   81.176928][ T8612]  tipc_udp_xmit.isra.0+0xc4/0xb80
> [   81.182046][ T8612]  ? kasan_kmalloc+0x9/0x10
> [   81.186531][ T8612]  ? tipc_udp_addr2str+0x170/0x170
> [   81.191641][ T8612]  ? __copy_skb_header+0x2e8/0x560
> [   81.196750][ T8612]  ? __skb_checksum_complete+0x3f0/0x3f0
> [   81.202364][ T8612]  ? netdev_alloc_frag+0x1b0/0x1b0
> [   81.207452][ T8612]  ? skb_copy_header+0x21/0x2b0
> [   81.212282][ T8612]  ? __pskb_copy_fclone+0x516/0xc90
> [   81.217470][ T8612]  tipc_udp_send_msg+0x29a/0x4b0
> [   81.222400][ T8612]  tipc_bearer_xmit_skb+0x16c/0x360
> [   81.227585][ T8612]  tipc_enable_bearer+0xabe/0xd20
> [   81.232606][ T8612]  ? __nla_validate_parse+0x2d0/0x1ee0
> [   81.238048][ T8612]  ? tipc_bearer_xmit_skb+0x360/0x360
> [   81.243401][ T8612]  ? nla_memcpy+0xb0/0xb0
> [   81.247710][ T8612]  ? nla_memcpy+0xb0/0xb0
> [   81.252020][ T8612]  ? __nla_parse+0x43/0x60
> [   81.256417][ T8612]  __tipc_nl_bearer_enable+0x2de/0x3a0
> [   81.261856][ T8612]  ? __tipc_nl_bearer_enable+0x2de/0x3a0
> [   81.267467][ T8612]  ? tipc_nl_bearer_disable+0x40/0x40
> [   81.272848][ T8612]  ? unwind_get_return_address+0x58/0xa0
> [   81.278501][ T8612]  ? lock_acquire+0x16f/0x3f0
> [   81.283190][ T8612]  tipc_nl_bearer_enable+0x23/0x40
> [   81.288300][ T8612]  genl_family_rcv_msg+0x74b/0xf90
> [   81.293404][ T8612]  ? genl_unregister_family+0x790/0x790
> [   81.298935][ T8612]  ? __lock_acquire+0x54f/0x5490
> [   81.303852][ T8612]  ? __netlink_lookup+0x3fa/0x7b0
> [   81.308865][ T8612]  genl_rcv_msg+0xca/0x16c
> [   81.313266][ T8612]  netlink_rcv_skb+0x177/0x450
> [   81.318043][ T8612]  ? genl_family_rcv_msg+0xf90/0xf90
> [   81.323311][ T8612]  ? netlink_ack+0xb50/0xb50
> [   81.327906][ T8612]  ? lock_acquire+0x16f/0x3f0
> [   81.332589][ T8612]  ? kasan_check_write+0x14/0x20
> [   81.337511][ T8612]  genl_rcv+0x29/0x40
> [   81.341485][ T8612]  netlink_unicast+0x531/0x710
> [   81.346268][ T8612]  ? netlink_attachskb+0x770/0x770
> [   81.351374][ T8612]  ? _copy_from_iter_full+0x25d/0x8c0
> [   81.356765][ T8612]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
> [   81.362479][ T8612]  ? __check_object_size+0x3d/0x42f
> [   81.367667][ T8612]  netlink_sendmsg+0x8ae/0xd70
> [   81.372415][ T8612]  ? netlink_unicast+0x710/0x710
> [   81.377520][ T8612]  ? aa_sock_msg_perm.isra.0+0xba/0x170
> [   81.383051][ T8612]  ? apparmor_socket_sendmsg+0x2a/0x30
> [   81.388530][ T8612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [   81.394775][ T8612]  ? security_socket_sendmsg+0x8d/0xc0
> [   81.400240][ T8612]  ? netlink_unicast+0x710/0x710
> [   81.405161][ T8612]  sock_sendmsg+0xd7/0x130
> [   81.409561][ T8612]  ___sys_sendmsg+0x803/0x920
> [   81.414220][ T8612]  ? copy_msghdr_from_user+0x430/0x430
> [   81.419667][ T8612]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
> [   81.425461][ T8612]  ? debug_object_active_state+0x25d/0x380
> [   81.431255][ T8612]  ? __lock_acquire+0x54f/0x5490
> [   81.436174][ T8612]  ? kasan_check_read+0x11/0x20
> [   81.441208][ T8612]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
> [   81.447008][ T8612]  ? mark_held_locks+0xf0/0xf0
> [   81.451768][ T8612]  ? __call_rcu.constprop.0+0x28b/0x720
> [   81.457298][ T8612]  ? call_rcu+0xb/0x10
> [   81.461353][ T8612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [   81.467589][ T8612]  ? __fget_light+0x1a9/0x230
> [   81.472249][ T8612]  ? __fdget+0x1b/0x20
> [   81.476301][ T8612]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [   81.482545][ T8612]  __sys_sendmsg+0x105/0x1d0
> [   81.487115][ T8612]  ? __ia32_sys_shutdown+0x80/0x80
> [   81.492208][ T8612]  ? blkcg_maybe_throttle_current+0x5e2/0xfb0
> [   81.498272][ T8612]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [   81.503726][ T8612]  ? do_syscall_64+0x26/0x680
> [   81.508385][ T8612]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [   81.514444][ T8612]  ? do_syscall_64+0x26/0x680
> [   81.519110][ T8612]  __x64_sys_sendmsg+0x78/0xb0
> [   81.523862][ T8612]  do_syscall_64+0xfd/0x680
> [   81.528352][ T8612]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [   81.534234][ T8612] RIP: 0033:0x444679
> [   81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> [   81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> [   81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
> [   81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
> [   81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
> [   81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
> [   81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000
>
> In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
> dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
> smp_processor_id() called by dst_cache_get() cannot be invoked in
> preemptible context; as a result, the complaint above was reported.
>
> Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
> Reported-by: syzbot+1a68504d96cd17b33a05@syzkaller.appspotmail.com
> Signed-off-by: Hillf Danton <hdanton@sina.com>
> Signed-off-by: Ying Xue <ying.xue@windriver.com>

Hi,

Was this ever merged?
The bug is still open, alive and kicking:
https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05

and one of the top crashers currently.
Along with few other top crashers, these bugs prevent most of the
other kernel testing from happening.


> ---
>  net/tipc/udp_media.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
> index 287df687..ca3ae2e 100644
> --- a/net/tipc/udp_media.c
> +++ b/net/tipc/udp_media.c
> @@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
>         struct udp_bearer *ub;
>         int err = 0;
>
> +       local_bh_disable();
> +
>         if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
>                 err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
>                 if (err)
> @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
>                 goto out;
>         }
>
> -       if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
> -               return tipc_udp_xmit(net, skb, ub, src, dst,
> -                                    &ub->rcast.dst_cache);
> +       if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
> +               err = tipc_udp_xmit(net, skb, ub, src, dst,
> +                                   &ub->rcast.dst_cache);
> +               local_bh_enable();
> +               return err;
> +       }
>
>         /* Replicast, send an skb to each configured IP address */
>         list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
> @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
>         err = 0;
>  out:
>         kfree_skb(skb);
> +       local_bh_enable();
>         return err;
>  }
>
> --
> 2.7.4
>


* Re: [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible
From: Dmitry Vyukov @ 2020-02-19  8:33 UTC (permalink / raw)
  To: Ying Xue
  Cc: David Miller, netdev, Hillf Danton, tipc-discussion,
	syzkaller-bugs, Jakub Kicinski, jmaloy

On Wed, Feb 19, 2020 at 9:29 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <ying.xue@windriver.com> wrote:
> >
> > syzbot found the following issue:
> >
> > [   81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
> > [   81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
> > [   81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
> > [   81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > [   81.159480][ T8612] Call Trace:
> > [   81.162789][ T8612]  dump_stack+0x172/0x1f0
> > [   81.167123][ T8612]  debug_smp_processor_id+0x251/0x280
> > [   81.172479][ T8612]  dst_cache_get+0x3d/0xb0
> > [   81.176928][ T8612]  tipc_udp_xmit.isra.0+0xc4/0xb80
> > [   81.182046][ T8612]  ? kasan_kmalloc+0x9/0x10
> > [   81.186531][ T8612]  ? tipc_udp_addr2str+0x170/0x170
> > [   81.191641][ T8612]  ? __copy_skb_header+0x2e8/0x560
> > [   81.196750][ T8612]  ? __skb_checksum_complete+0x3f0/0x3f0
> > [   81.202364][ T8612]  ? netdev_alloc_frag+0x1b0/0x1b0
> > [   81.207452][ T8612]  ? skb_copy_header+0x21/0x2b0
> > [   81.212282][ T8612]  ? __pskb_copy_fclone+0x516/0xc90
> > [   81.217470][ T8612]  tipc_udp_send_msg+0x29a/0x4b0
> > [   81.222400][ T8612]  tipc_bearer_xmit_skb+0x16c/0x360
> > [   81.227585][ T8612]  tipc_enable_bearer+0xabe/0xd20
> > [   81.232606][ T8612]  ? __nla_validate_parse+0x2d0/0x1ee0
> > [   81.238048][ T8612]  ? tipc_bearer_xmit_skb+0x360/0x360
> > [   81.243401][ T8612]  ? nla_memcpy+0xb0/0xb0
> > [   81.247710][ T8612]  ? nla_memcpy+0xb0/0xb0
> > [   81.252020][ T8612]  ? __nla_parse+0x43/0x60
> > [   81.256417][ T8612]  __tipc_nl_bearer_enable+0x2de/0x3a0
> > [   81.261856][ T8612]  ? __tipc_nl_bearer_enable+0x2de/0x3a0
> > [   81.267467][ T8612]  ? tipc_nl_bearer_disable+0x40/0x40
> > [   81.272848][ T8612]  ? unwind_get_return_address+0x58/0xa0
> > [   81.278501][ T8612]  ? lock_acquire+0x16f/0x3f0
> > [   81.283190][ T8612]  tipc_nl_bearer_enable+0x23/0x40
> > [   81.288300][ T8612]  genl_family_rcv_msg+0x74b/0xf90
> > [   81.293404][ T8612]  ? genl_unregister_family+0x790/0x790
> > [   81.298935][ T8612]  ? __lock_acquire+0x54f/0x5490
> > [   81.303852][ T8612]  ? __netlink_lookup+0x3fa/0x7b0
> > [   81.308865][ T8612]  genl_rcv_msg+0xca/0x16c
> > [   81.313266][ T8612]  netlink_rcv_skb+0x177/0x450
> > [   81.318043][ T8612]  ? genl_family_rcv_msg+0xf90/0xf90
> > [   81.323311][ T8612]  ? netlink_ack+0xb50/0xb50
> > [   81.327906][ T8612]  ? lock_acquire+0x16f/0x3f0
> > [   81.332589][ T8612]  ? kasan_check_write+0x14/0x20
> > [   81.337511][ T8612]  genl_rcv+0x29/0x40
> > [   81.341485][ T8612]  netlink_unicast+0x531/0x710
> > [   81.346268][ T8612]  ? netlink_attachskb+0x770/0x770
> > [   81.351374][ T8612]  ? _copy_from_iter_full+0x25d/0x8c0
> > [   81.356765][ T8612]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
> > [   81.362479][ T8612]  ? __check_object_size+0x3d/0x42f
> > [   81.367667][ T8612]  netlink_sendmsg+0x8ae/0xd70
> > [   81.372415][ T8612]  ? netlink_unicast+0x710/0x710
> > [   81.377520][ T8612]  ? aa_sock_msg_perm.isra.0+0xba/0x170
> > [   81.383051][ T8612]  ? apparmor_socket_sendmsg+0x2a/0x30
> > [   81.388530][ T8612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> > [   81.394775][ T8612]  ? security_socket_sendmsg+0x8d/0xc0
> > [   81.400240][ T8612]  ? netlink_unicast+0x710/0x710
> > [   81.405161][ T8612]  sock_sendmsg+0xd7/0x130
> > [   81.409561][ T8612]  ___sys_sendmsg+0x803/0x920
> > [   81.414220][ T8612]  ? copy_msghdr_from_user+0x430/0x430
> > [   81.419667][ T8612]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
> > [   81.425461][ T8612]  ? debug_object_active_state+0x25d/0x380
> > [   81.431255][ T8612]  ? __lock_acquire+0x54f/0x5490
> > [   81.436174][ T8612]  ? kasan_check_read+0x11/0x20
> > [   81.441208][ T8612]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
> > [   81.447008][ T8612]  ? mark_held_locks+0xf0/0xf0
> > [   81.451768][ T8612]  ? __call_rcu.constprop.0+0x28b/0x720
> > [   81.457298][ T8612]  ? call_rcu+0xb/0x10
> > [   81.461353][ T8612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> > [   81.467589][ T8612]  ? __fget_light+0x1a9/0x230
> > [   81.472249][ T8612]  ? __fdget+0x1b/0x20
> > [   81.476301][ T8612]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> > [   81.482545][ T8612]  __sys_sendmsg+0x105/0x1d0
> > [   81.487115][ T8612]  ? __ia32_sys_shutdown+0x80/0x80
> > [   81.492208][ T8612]  ? blkcg_maybe_throttle_current+0x5e2/0xfb0
> > [   81.498272][ T8612]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> > [   81.503726][ T8612]  ? do_syscall_64+0x26/0x680
> > [   81.508385][ T8612]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > [   81.514444][ T8612]  ? do_syscall_64+0x26/0x680
> > [   81.519110][ T8612]  __x64_sys_sendmsg+0x78/0xb0
> > [   81.523862][ T8612]  do_syscall_64+0xfd/0x680
> > [   81.528352][ T8612]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > [   81.534234][ T8612] RIP: 0033:0x444679
> > [   81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > [   81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > [   81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
> > [   81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
> > [   81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
> > [   81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
> > [   81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000
> >
> > In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
> > dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
> > smp_processor_id() called by dst_cache_get() cannot be invoked in
> > preemptible context; as a result, the complaint above was reported.
> >
> > Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
> > Reported-by: syzbot+1a68504d96cd17b33a05@syzkaller.appspotmail.com
> > Signed-off-by: Hillf Danton <hdanton@sina.com>
> > Signed-off-by: Ying Xue <ying.xue@windriver.com>
>
> Hi,
>
> Was this ever merged?
> The bug is still open, alive and kicking:
> https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05
>
> and one of the top crashers currently.
> > Along with a few other top crashers, these bugs prevent most of the
> other kernel testing from happening.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

+jmaloy new email address

> > ---
> >  net/tipc/udp_media.c | 12 +++++++++---
> >  1 file changed, 9 insertions(+), 3 deletions(-)
> >
> > diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
> > index 287df687..ca3ae2e 100644
> > --- a/net/tipc/udp_media.c
> > +++ b/net/tipc/udp_media.c
> > @@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> >         struct udp_bearer *ub;
> >         int err = 0;
> >
> > +       local_bh_disable();
> > +
> >         if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
> >                 err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
> >                 if (err)
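Review bot: local_bh_disable() at the top of tipc_udp_send_msg() now has to be undone on every exit path, and this hunk only shows the `goto out` path through the headroom check; the commit message should also say why bottom halves are disabled here rather than preemption (preempt_disable()/get_cpu()) or a fix in the caller, since the splat shows preempt count 00000000 at dst_cache_get() even though the call arrives through tipc_bearer_xmit_skb(). A sentence such as "dst_cache_get() needs a non-preemptible caller and tipc_udp_send_msg() is reached from netlink process context (tipc_nl_bearer_enable via sendmsg), so disable BH around the whole send" would let a reader check the Fixes: line without the trace.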
> > @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> >                 goto out;
> >         }
> >
> > -       if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
> > -               return tipc_udp_xmit(net, skb, ub, src, dst,
> > -                                    &ub->rcast.dst_cache);
> > +       if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
> > +               err = tipc_udp_xmit(net, skb, ub, src, dst,
> > +                                   &ub->rcast.dst_cache);
> > +               local_bh_enable();
> > +               return err;
> > +       }
> >
> >         /* Replicast, send an skb to each configured IP address */
> >         list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
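Review bot: the new unicast branch repeats the `local_bh_enable(); return err;` epilogue instead of jumping to `out:` because tipc_udp_xmit() consumes the skb that `out:` would kfree_skb(); a one-line comment on the branch would stop a later cleanup from folding it into `goto out`. The bh-disabled window now also spans the replicast loop that starts in this hunk's trailing context, and the loop body is not in the diff, so please confirm nothing in it can sleep (atomic copies, no blocking calls), otherwise the fix trades the syzbot splat for a sleeping-in-atomic one.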
> > @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> >         err = 0;
> >  out:
> >         kfree_skb(skb);
> > +       local_bh_enable();
> >         return err;
> >  }
> >
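Review bot: with local_bh_enable() placed after kfree_skb() at `out:`, every `goto out` must arrive with bottom halves still disabled, which holds for the two gotos visible in the posted hunks; the function lines between the first two hunks (after the headroom check and before the `goto out` at line 239) are not in the diff, so please confirm there is no bare `return` there, as it would now leave the task with bottom halves disabled on return to userspace.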
> > --
> > 2.7.4
> >
> > --
> > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/1565595162-1383-4-git-send-email-ying.xue%40windriver.com.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible
  2020-02-19  8:33     ` Dmitry Vyukov
@ 2020-02-20 15:44       ` Xin Long
  0 siblings, 0 replies; 9+ messages in thread
From: Xin Long @ 2020-02-20 15:44 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Ying Xue, David Miller, netdev, Hillf Danton, tipc-discussion,
	syzkaller-bugs, Jakub Kicinski, jmaloy

On Wed, Feb 19, 2020 at 4:34 PM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Wed, Feb 19, 2020 at 9:29 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <ying.xue@windriver.com> wrote:
> > >
> > > syzbot found the following issue:
> > >
> > > [   81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612
> > > [   81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0
> > > [   81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48
> > > [   81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > [   81.159480][ T8612] Call Trace:
> > > [   81.162789][ T8612]  dump_stack+0x172/0x1f0
> > > [   81.167123][ T8612]  debug_smp_processor_id+0x251/0x280
> > > [   81.172479][ T8612]  dst_cache_get+0x3d/0xb0
> > > [   81.176928][ T8612]  tipc_udp_xmit.isra.0+0xc4/0xb80
> > > [   81.182046][ T8612]  ? kasan_kmalloc+0x9/0x10
> > > [   81.186531][ T8612]  ? tipc_udp_addr2str+0x170/0x170
> > > [   81.191641][ T8612]  ? __copy_skb_header+0x2e8/0x560
> > > [   81.196750][ T8612]  ? __skb_checksum_complete+0x3f0/0x3f0
> > > [   81.202364][ T8612]  ? netdev_alloc_frag+0x1b0/0x1b0
> > > [   81.207452][ T8612]  ? skb_copy_header+0x21/0x2b0
> > > [   81.212282][ T8612]  ? __pskb_copy_fclone+0x516/0xc90
> > > [   81.217470][ T8612]  tipc_udp_send_msg+0x29a/0x4b0
In tipc_bearer_xmit_skb(), b->media->send_msg()/tipc_udp_send_msg()
is called under rcu_read_lock(), which already ensures it's a
non-preemptible context.

What I saw here is an imbalanced rcu_read_(un)lock() call somewhere.

> > > [   81.222400][ T8612]  tipc_bearer_xmit_skb+0x16c/0x360
> > > [   81.227585][ T8612]  tipc_enable_bearer+0xabe/0xd20
> > > [   81.232606][ T8612]  ? __nla_validate_parse+0x2d0/0x1ee0
> > > [   81.238048][ T8612]  ? tipc_bearer_xmit_skb+0x360/0x360
> > > [   81.243401][ T8612]  ? nla_memcpy+0xb0/0xb0
> > > [   81.247710][ T8612]  ? nla_memcpy+0xb0/0xb0
> > > [   81.252020][ T8612]  ? __nla_parse+0x43/0x60
> > > [   81.256417][ T8612]  __tipc_nl_bearer_enable+0x2de/0x3a0
> > > [   81.261856][ T8612]  ? __tipc_nl_bearer_enable+0x2de/0x3a0
> > > [   81.267467][ T8612]  ? tipc_nl_bearer_disable+0x40/0x40
> > > [   81.272848][ T8612]  ? unwind_get_return_address+0x58/0xa0
> > > [   81.278501][ T8612]  ? lock_acquire+0x16f/0x3f0
> > > [   81.283190][ T8612]  tipc_nl_bearer_enable+0x23/0x40
> > > [   81.288300][ T8612]  genl_family_rcv_msg+0x74b/0xf90
> > > [   81.293404][ T8612]  ? genl_unregister_family+0x790/0x790
> > > [   81.298935][ T8612]  ? __lock_acquire+0x54f/0x5490
> > > [   81.303852][ T8612]  ? __netlink_lookup+0x3fa/0x7b0
> > > [   81.308865][ T8612]  genl_rcv_msg+0xca/0x16c
> > > [   81.313266][ T8612]  netlink_rcv_skb+0x177/0x450
> > > [   81.318043][ T8612]  ? genl_family_rcv_msg+0xf90/0xf90
> > > [   81.323311][ T8612]  ? netlink_ack+0xb50/0xb50
> > > [   81.327906][ T8612]  ? lock_acquire+0x16f/0x3f0
> > > [   81.332589][ T8612]  ? kasan_check_write+0x14/0x20
> > > [   81.337511][ T8612]  genl_rcv+0x29/0x40
> > > [   81.341485][ T8612]  netlink_unicast+0x531/0x710
> > > [   81.346268][ T8612]  ? netlink_attachskb+0x770/0x770
> > > [   81.351374][ T8612]  ? _copy_from_iter_full+0x25d/0x8c0
> > > [   81.356765][ T8612]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
> > > [   81.362479][ T8612]  ? __check_object_size+0x3d/0x42f
> > > [   81.367667][ T8612]  netlink_sendmsg+0x8ae/0xd70
> > > [   81.372415][ T8612]  ? netlink_unicast+0x710/0x710
> > > [   81.377520][ T8612]  ? aa_sock_msg_perm.isra.0+0xba/0x170
> > > [   81.383051][ T8612]  ? apparmor_socket_sendmsg+0x2a/0x30
> > > [   81.388530][ T8612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> > > [   81.394775][ T8612]  ? security_socket_sendmsg+0x8d/0xc0
> > > [   81.400240][ T8612]  ? netlink_unicast+0x710/0x710
> > > [   81.405161][ T8612]  sock_sendmsg+0xd7/0x130
> > > [   81.409561][ T8612]  ___sys_sendmsg+0x803/0x920
> > > [   81.414220][ T8612]  ? copy_msghdr_from_user+0x430/0x430
> > > [   81.419667][ T8612]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
> > > [   81.425461][ T8612]  ? debug_object_active_state+0x25d/0x380
> > > [   81.431255][ T8612]  ? __lock_acquire+0x54f/0x5490
> > > [   81.436174][ T8612]  ? kasan_check_read+0x11/0x20
> > > [   81.441208][ T8612]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
> > > [   81.447008][ T8612]  ? mark_held_locks+0xf0/0xf0
> > > [   81.451768][ T8612]  ? __call_rcu.constprop.0+0x28b/0x720
> > > [   81.457298][ T8612]  ? call_rcu+0xb/0x10
> > > [   81.461353][ T8612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> > > [   81.467589][ T8612]  ? __fget_light+0x1a9/0x230
> > > [   81.472249][ T8612]  ? __fdget+0x1b/0x20
> > > [   81.476301][ T8612]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> > > [   81.482545][ T8612]  __sys_sendmsg+0x105/0x1d0
> > > [   81.487115][ T8612]  ? __ia32_sys_shutdown+0x80/0x80
> > > [   81.492208][ T8612]  ? blkcg_maybe_throttle_current+0x5e2/0xfb0
> > > [   81.498272][ T8612]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> > > [   81.503726][ T8612]  ? do_syscall_64+0x26/0x680
> > > [   81.508385][ T8612]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > [   81.514444][ T8612]  ? do_syscall_64+0x26/0x680
> > > [   81.519110][ T8612]  __x64_sys_sendmsg+0x78/0xb0
> > > [   81.523862][ T8612]  do_syscall_64+0xfd/0x680
> > > [   81.528352][ T8612]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > [   81.534234][ T8612] RIP: 0033:0x444679
> > > [   81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > [   81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > > [   81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679
> > > [   81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
> > > [   81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0
> > > [   81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320
> > > [   81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000
> > >
> > > In commit e9c1a793210f ("tipc: add dst_cache support for udp media")
> > > dst_cache_get() was introduced to be called in tipc_udp_xmit(). But
> > > smp_processor_id() called by dst_cache_get() cannot be invoked in
> > > preemptible context; as a result, the complaint above was reported.
> > >
> > > Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
> > > Reported-by: syzbot+1a68504d96cd17b33a05@syzkaller.appspotmail.com
> > > Signed-off-by: Hillf Danton <hdanton@sina.com>
> > > Signed-off-by: Ying Xue <ying.xue@windriver.com>
> >
> > Hi,
> >
> > Was this ever merged?
> > The bug is still open, alive and kicking:
> > https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05
> >
> > and one of the top crashers currently.
> > > Along with a few other top crashers, these bugs prevent most of the
> > other kernel testing from happening.
>
> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
>
> +jmaloy new email address
>
> > > ---
> > >  net/tipc/udp_media.c | 12 +++++++++---
> > >  1 file changed, 9 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
> > > index 287df687..ca3ae2e 100644
> > > --- a/net/tipc/udp_media.c
> > > +++ b/net/tipc/udp_media.c
> > > @@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > >         struct udp_bearer *ub;
> > >         int err = 0;
> > >
> > > +       local_bh_disable();
> > > +
> > >         if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
> > >                 err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
> > >                 if (err)
> > > @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > >                 goto out;
> > >         }
> > >
> > > -       if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
> > > -               return tipc_udp_xmit(net, skb, ub, src, dst,
> > > -                                    &ub->rcast.dst_cache);
> > > +       if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
> > > +               err = tipc_udp_xmit(net, skb, ub, src, dst,
> > > +                                   &ub->rcast.dst_cache);
> > > +               local_bh_enable();
> > > +               return err;
> > > +       }
> > >
> > >         /* Replicast, send an skb to each configured IP address */
> > >         list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
> > > @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
> > >         err = 0;
> > >  out:
> > >         kfree_skb(skb);
> > > +       local_bh_enable();
> > >         return err;
> > >  }
> > >
> > > --
> > > 2.7.4
> > >

^ permalink raw reply	[flat|nested] 9+ messages in thread
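The commit message above and the patch it belongs to turn on one point: dst_cache_get() reads smp_processor_id(), so the code calling it must not be preemptible, and the patch gets that by bracketing tipc_udp_send_msg() with local_bh_disable()/local_bh_enable(). What a reviewer then has to verify by eye is that every exit path of the function re-enables bottom halves. The program below is an added example, not code from the patch author, the TIPC maintainers or the kernel tree: a small heuristic checker that walks a C function body line by line and counts the `return` statements reachable with bottom halves still disabled. Its sample inputs are constructed from the hunks quoted in this thread; the bearer lookup and the replicast loop body, which the posted diff does not show, are replaced by comments, the prototype is abbreviated with `...`, and the third sample (local_bh_disable() added but the old bare `return tipc_udp_xmit(...)` left in place) is the slip that the patch's second hunk avoids. The names bh_balance.c, bh_unpatched_body and friends are mine.

```c
/* bh_balance.c: added reviewer aid, not kernel code. Heuristic check that every
 * `return` in a C function body is reached with local_bh_disable() undone by
 * local_bh_enable(). One "BH off" bit per brace depth: `{` copies it inward, `}`
 * merges it back unless the block ended in return/goto, every forward `goto`
 * records the bit and a label ORs it in (all gotos are assumed to aim at one exit
 * label), and a brace-less body line after if/else/for/while is a one-line block.
 * Not modelled: macros, backward gotos, string literals, two `}` opening a line. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define DEPTH 32
#define SP(c) isspace((unsigned char)(c))
#define KW(s, w) (!strncmp(s, w, sizeof w - 1) && !isalnum((unsigned char)s[sizeof w - 1]) && s[sizeof w - 1] != '_')
struct scan {
    int off[DEPTH], done[DEPTH], depth;  /* per depth: BH off? block already exited? */
    int goto_off, bad;                   /* BH off at some goto; unbalanced returns */
};
static void enter(struct scan *sc)
{
    if (sc->depth + 1 >= DEPTH) return;
    sc->off[sc->depth + 1] = sc->off[sc->depth]; sc->done[++sc->depth] = 0;
}
static void leave(struct scan *sc)       /* fallthrough carries the inner state out */
{
    if (sc->depth && !sc->done[sc->depth]) sc->off[sc->depth - 1] |= sc->off[sc->depth];
    if (sc->depth) sc->depth--;
}
static void stmt(struct scan *sc, const char *s, size_t len)
{
    int d = sc->depth;
    if (len > 1 && s[len - 1] == ':' && !strchr(s, ' ') && !KW(s, "default")) {
        sc->off[d] |= sc->goto_off;      /* label: merge the state of gotos to it */
        return;
    }
    if (strstr(s, "local_bh_disable()")) sc->off[d] = 1;
    if (strstr(s, "local_bh_enable()")) sc->off[d] = 0;
    if (KW(s, "return")) sc->bad += sc->off[d];      /* exit with BH still disabled */
    if (KW(s, "goto")) sc->goto_off |= sc->off[d];
    if (KW(s, "return") || KW(s, "goto")) sc->done[d] = 1;
}
/* Number of `return` statements reachable with BH still disabled (0 = balanced). */
int bh_unbalanced_returns(const char *body)
{
    struct scan sc = {0};
    char line[256], *s; size_t n, len; int pending = 0, one;
    while (*body) {
        n = strcspn(body, "\n");
        len = n < sizeof line ? n : sizeof line - 1;
        memcpy(line, body, len); line[len] = '\0';
        body += n + (body[n] == '\n');
        for (s = line; SP(*s); s++) ;
        for (len = strlen(s); len && SP(s[len - 1]); len--) s[len - 1] = '\0';
        if (!len || !strncmp(s, "/*", 2) || !strncmp(s, "//", 2) || !strncmp(s, "* ", 2)) continue;
        if (*s == '}') {                         /* block closed at line start */
            leave(&sc);
            for (s++; SP(*s); s++) ;
            if (!(len = strlen(s))) continue;
        }
        one = pending && *s != '{';              /* brace-less if/else/loop body */
        if (one) enter(&sc);
        stmt(&sc, s, len);
        if (one) leave(&sc);
        else if (s[len - 1] == '{') enter(&sc);
        pending = (KW(s, "if") || KW(s, "else") || KW(s, "for") || KW(s, "while") ||
                   !strncmp(s, "list_for_each", 13)) && s[len - 1] != '{' && s[len - 1] != ';';
    }
    return sc.bad;
}
/* Sample input, constructed from the hunks quoted in this thread; parts the posted
 * diff does not show are replaced by comments and the prototype is abbreviated. */
#define HEAD "static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, ...)\n" \
    "{\n        struct udp_bearer *ub;\n        int err = 0;\n"
#define MID "        if (skb_headroom(skb) < UDP_MIN_HEADROOM) {\n" \
    "                err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);\n" \
    "                if (err)\n                        goto out;\n        }\n" \
    "        /* bearer lookup, ending in goto out: not shown in the posted hunks */\n"
#define UNICAST_OLD "        if (addr->broadcast != TIPC_REPLICAST_SUPPORT)\n" \
    "                return tipc_udp_xmit(net, skb, ub, src, dst,\n" \
    "                                     &ub->rcast.dst_cache);\n"
#define UNICAST_NEW "        if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {\n" \
    "                err = tipc_udp_xmit(net, skb, ub, src, dst,\n" \
    "                                    &ub->rcast.dst_cache);\n" \
    "                local_bh_enable();\n                return err;\n        }\n"
#define TAIL "        /* Replicast, send an skb to each configured IP address */\n" \
    "        list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {\n" \
    "        }\n        err = 0;\nout:\n        kfree_skb(skb);\n"
#define BH_OFF "        local_bh_disable();\n"
#define END_NEW "        local_bh_enable();\n        return err;\n}\n"
const char *const unpatched_body = HEAD MID UNICAST_OLD TAIL "        return err;\n}\n";
const char *const patched_body = HEAD BH_OFF MID UNICAST_NEW TAIL END_NEW;
/* The slip the second hunk avoids: disable added, old early return kept. */
const char *const half_patched_body = HEAD BH_OFF MID UNICAST_OLD TAIL END_NEW;
int main(void)
{
    return printf("unpatched=%d patched=%d half_patched=%d\n", bh_unbalanced_returns(unpatched_body),
                  bh_unbalanced_returns(patched_body), bh_unbalanced_returns(half_patched_body)) < 0;
}
```

Build with cc -Wall bh_balance.c and run it: the unpatched and patched bodies report 0, the half-patched one reports 1, the bare `return tipc_udp_xmit(...)` under an open local_bh_disable(). This is a may-analysis over text, not a parser; it understands the brace and keyword layout of kernel-style C and nothing more, so treat a non-zero count as "look here" rather than proof, and a zero as covering only the exits it could see. The same check applies to any preempt_disable()/rcu_read_lock() pairing by changing the two strstr() needles.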

end of thread, other threads:[~2020-02-20 15:43 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-12  7:32 [PATCH v2 0/3] Fix three issues found by syzbot Ying Xue
2019-08-12  7:32 ` [PATCH v2 1/3] tipc: fix memory leak issue Ying Xue
2019-08-12  7:54   ` Eric Dumazet
2019-08-12  7:32 ` [PATCH v2 2/3] " Ying Xue
2019-08-12  7:32 ` [PATCH v2 3/3] tipc: fix issue of calling smp_processor_id() in preemptible Ying Xue
2020-02-19  8:29   ` Dmitry Vyukov
2020-02-19  8:33     ` Dmitry Vyukov
2020-02-20 15:44       ` Xin Long
2019-08-12 15:25 ` [PATCH v2 0/3] Fix three issues found by syzbot David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.