Bug 199429 - smc_shutdown(net/smc/af_smc.c) has a use-after-free causing null pointer vulnerability.
Summary: smc_shutdown(net/smc/af_smc.c) has a use-after-free causing null pointer vuln...
Status: NEW
Alias: None
Product: Networking
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: Stephen Hemminger
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-18 01:52 UTC by reactor(topsec)
Modified: 2018-04-27 09:10 UTC

See Also:
Kernel Version: 4.16.0-rc7
Subsystem:
Regression: No
Bisected commit-id:


Attachments
POC (626 bytes, text/x-csrc)
2018-04-18 01:52 UTC, reactor(topsec)

Description reactor(topsec) 2018-04-18 01:52:59 UTC
Created attachment 275431: POC

Syzkaller hit a 'general protection fault in kernel_sock_shutdown' bug.

NET: Registered protocol family 43
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in: smc ib_core binfmt_misc joydev hid_generic snd_pcm snd_timer snd usbmouse usbhid soundcore psmouse e1000 hid pcspkr parport_pc input_leds i2c_piix4 parport serio_raw floppy qemu_fw_cfg evbug mac_hid
CPU: 1 PID: 1751 Comm: syzkaller252340 Not tainted 4.16.0-rc7+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:kernel_sock_shutdown+0x29/0x70 net/socket.c:3255
RSP: 0018:ffff88000666fcf8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff829206e4
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000028
RBP: ffff88003b43a0d2 R08: 0000000000000003 R09: 000000000002b3c0
R10: 0000000000000ae7 R11: 00000000000000eb R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  000000000225b880(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5b85800000 CR3: 000000003bcde004 CR4: 00000000001606e0
Call Trace:
 smc_shutdown+0x431/0x4a0 [smc]
 SYSC_shutdown net/socket.c:1901 [inline]
 SyS_shutdown+0x140/0x250 net/socket.c:1892
 do_syscall_64+0x2ee/0x580 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4431a9
RSP: 002b:00007ffcccb77758 EFLAGS: 00000217 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00000000004003d0 RCX: 00000000004431a9
RDX: 00000000004431a9 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000401800 R08: 00000000004003d0 R09: 00000000004003d0
R10: 00000000004003d0 R11: 0000000000000217 R12: 0000000000401890
R13: 0000000000000000 R14: 00000000006b1018 R15: 0000000000000000
Code: 00 00 0f 1f 44 00 00 41 54 55 41 89 f4 53 48 89 fb e8 4c bd ad fe 48 8d 7b 28 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 74 05 e8 7c 62 e0 fe 48 8b 6b 28 48 b8 00 00 00 00 
RIP: kernel_sock_shutdown+0x29/0x70 net/socket.c:3255 RSP: ffff88000666fcf8
---[ end trace ac1ba3c5e5bfa977 ]---

0xffffffffa02d1a82	1258				rc = smc_close_active(smc);
Dump of assembler code from 0xffffffffa02d1a82 to 0xffffffffa02d1a8c:
=> 0xffffffffa02d1a82 <smc_shutdown+1010>:	call   0xffffffffa02f3c50 <smc_close_active>
   0xffffffffa02d1a87 <smc_shutdown+1015>:	mov    r13d,eax
   0xffffffffa02d1a8a <smc_shutdown+1018>:	call   0xffffffff813fc430
End of assembler dump.
rax            0xffff88005a6217c0	-131939878955072
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a7f	-1607656833
rdx            0x0	0
rsi            0xfffffe01	4294966785
rdi            0xffff88005be55b40	-131939853575360
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0xffff88005f9d0258	-131939791207848
r9             0xffff880060e2bc00	-131939769861120
r10            0xffff88005f9e7340	-131939791113408
r11            0xb9ed	47597
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1a82	0xffffffffa02d1a82 <smc_shutdown+1010>
eflags         0x293	[ CF AF SF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) b *0xffffffffa02d1a87
Breakpoint 36 at 0xffffffffa02d1a87: file ../net/smc/af_smc.c, line 1258.
(gdb) c
Continuing.
[Switching to Thread 4]

Thread 4 hit Hardware watchpoint 34: ((struct smc_sock*) 0xffff88005be55b40)->clcsock

Old value = (struct socket *) 0xffff880058fa5100
New value = (struct socket *) 0x0
smc_tcp_listen_work (work=0xffff88005be55f90) at ../net/smc/af_smc.c:980
980		release_sock(lsk);
(gdb) bt
#0  smc_tcp_listen_work (work=0xffff88005be55f90) at ../net/smc/af_smc.c:980
#1  0xffffffff811dd957 in ?? ()
#2  0xffff880060faf300 in ?? ()
#3  0x000000000be15ecf in ?? ()
#4  0xffff88005f7f5990 in ?? ()
#5  0x1ffff1000be15ed7 in ?? ()
#6  0xffff88005f7f5998 in ?? ()
#7  0xffff88005f7f59a8 in ?? ()
#8  0xffffffff00000000 in ?? ()
#9  0xffff88005f7f59d0 in ?? ()
#10 0xffffffff83000194 in ?? ()
#11 0xffffffff830001a0 in ?? ()
#12 0xffffffff83000194 in ?? ()
#13 0x0000000041b58ab3 in ?? ()
#14 0xffffffff83a0dee0 in ?? ()
#15 0xffffffff811dce50 in ?? ()
#16 0xffffffff83000194 in ?? ()
#17 0xffffffff00000000 in ?? ()
#18 0xffffffff83000194 in ?? ()
#19 0xffffffff830001a0 in ?? ()
#20 0xffffffff83000194 in ?? ()
#21 0xffffffff830001a0 in ?? ()
#22 0xffffffff83000194 in ?? ()
#23 0xffffffff830001a0 in ?? ()
#24 0xcc8f7df19c7e2900 in ?? ()
#25 0xffff880060faf305 in ?? ()
#26 0xffff88005fb88040 in ?? ()
#27 0xffff880057c60040 in ?? ()
#28 0x0000000000000000 in ?? ()
(gdb) file vmlinux
A program is being debugged already.
Are you sure you want to change the file? (y or n) y
Load new symbol table from "vmlinux"? (y or n) y
Reading symbols from vmlinux...done.
warning: File "/home/sdk/linux/scripts/gdb/vmlinux-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
(gdb) bt
#0  smc_tcp_listen_work (work=0xffff88005be55f90) at ../net/smc/af_smc.c:980
#1  0xffffffff811dd957 in process_one_work (worker=0xffff88005f7f5988, work=0xffff88005be55f90) at ../kernel/workqueue.c:2113
#2  0xffffffff811def0d in worker_thread (__worker=0xffff88005f7f5988) at ../kernel/workqueue.c:2247
#3  0xffffffff811f4f5f in kthread (_create=<optimized out>) at ../kernel/kthread.c:238
#4  0xffffffff83000205 in ret_from_fork () at ../arch/x86/entry/entry_64.S:406
#5  0x0000000000000000 in ?? ()
(gdb) bt
#0  smc_tcp_listen_work (work=0xffff88005be55f90) at ../net/smc/af_smc.c:980
#1  0xffffffff811dd957 in process_one_work (worker=0xffff88005f7f5988, work=0xffff88005be55f90) at ../kernel/workqueue.c:2113
#2  0xffffffff811def0d in worker_thread (__worker=0xffff88005f7f5988) at ../kernel/workqueue.c:2247
#3  0xffffffff811f4f5f in kthread (_create=<optimized out>) at ../kernel/kthread.c:238
#4  0xffffffff83000205 in ret_from_fork () at ../arch/x86/entry/entry_64.S:406
#5  0x0000000000000000 in ?? ()
(gdb) disas $rip,+0x10
Dump of assembler code from 0xffffffffa02d4304 to 0xffffffffa02d4314:
=> 0xffffffffa02d4304 <smc_tcp_listen_work+2724>:	call   0xffffffff813fc430 <__sanitizer_cov_trace_pc>
   0xffffffffa02d4309 <smc_tcp_listen_work+2729>:	mov    rdi,r12
   0xffffffffa02d430c <smc_tcp_listen_work+2732>:	call   0xffffffff82937820 <release_sock>
   0xffffffffa02d4311 <smc_tcp_listen_work+2737>:	lock dec DWORD PTR [rbp-0x3d0]
End of assembler dump.
(gdb) c
Continuing.
[Switching to Thread 3]

Thread 3 hit Breakpoint 36, 0xffffffffa02d1a87 in smc_shutdown (sock=<optimized out>, how=0) at ../net/smc/af_smc.c:1258
1258				rc = smc_close_active(smc);
(gdb) disas $rip,+0x10
Dump of assembler code from 0xffffffffa02d1a87 to 0xffffffffa02d1a97:
=> 0xffffffffa02d1a87 <smc_shutdown+1015>:	mov    r13d,eax
   0xffffffffa02d1a8a <smc_shutdown+1018>:	call   0xffffffff813fc430 <__sanitizer_cov_trace_pc>
   0xffffffffa02d1a8f <smc_shutdown+1023>:	lea    rdi,[rbx+0x2c8]
   0xffffffffa02d1a96 <smc_shutdown+1030>:	movabs rax,0xdffffc0000000000
End of assembler dump.
(gdb) so ni
1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1a8a to 0xffffffffa02d1a94:
=> 0xffffffffa02d1a8a <smc_shutdown+1018>:	call   0xffffffff813fc430 <__sanitizer_cov_trace_pc>
   0xffffffffa02d1a8f <smc_shutdown+1023>:	lea    rdi,[rbx+0x2c8]
End of assembler dump.
rax            0x0	0
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02f482b	-1607514069
rdx            0x0	0
rsi            0x0	0
rdi            0xffff88005be55c50	-131939853575088
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1a8a	0xffffffffa02d1a8a <smc_shutdown+1018>
eflags         0x282	[ SF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) 
0xffffffffa02d1a8f	1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1a8f to 0xffffffffa02d1a99:
=> 0xffffffffa02d1a8f <smc_shutdown+1023>:	lea    rdi,[rbx+0x2c8]
   0xffffffffa02d1a96 <smc_shutdown+1030>:	movabs rax,0xdffffc0000000000
End of assembler dump.
rax            0xffff88005a6217c0	-131939878955072
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a8f	-1607656817
rdx            0x0	0
rsi            0x0	0
rdi            0xffff88005be55c50	-131939853575088
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1a8f	0xffffffffa02d1a8f <smc_shutdown+1023>
eflags         0x293	[ CF AF SF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) 
0xffffffffa02d1a96	1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1a96 to 0xffffffffa02d1aa0:
=> 0xffffffffa02d1a96 <smc_shutdown+1030>:	movabs rax,0xdffffc0000000000
End of assembler dump.
rax            0xffff88005a6217c0	-131939878955072
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a8f	-1607656817
rdx            0x0	0
rsi            0x0	0
rdi            0xffff88005be55e08	-131939853574648
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1a96	0xffffffffa02d1a96 <smc_shutdown+1030>
eflags         0x293	[ CF AF SF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) 
0xffffffffa02d1aa0	1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1aa0 to 0xffffffffa02d1aaa:
=> 0xffffffffa02d1aa0 <smc_shutdown+1040>:	mov    rdx,rdi
   0xffffffffa02d1aa3 <smc_shutdown+1043>:	shr    rdx,0x3
   0xffffffffa02d1aa7 <smc_shutdown+1047>:	cmp    BYTE PTR [rdx+rax*1],0x0
End of assembler dump.
rax            0xdffffc0000000000	-2305847407260205056
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a8f	-1607656817
rdx            0x0	0
rsi            0x0	0
rdi            0xffff88005be55e08	-131939853574648
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1aa0	0xffffffffa02d1aa0 <smc_shutdown+1040>
eflags         0x293	[ CF AF SF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) 
0xffffffffa02d1aa3	1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1aa3 to 0xffffffffa02d1aad:
=> 0xffffffffa02d1aa3 <smc_shutdown+1043>:	shr    rdx,0x3
   0xffffffffa02d1aa7 <smc_shutdown+1047>:	cmp    BYTE PTR [rdx+rax*1],0x0
   0xffffffffa02d1aab <smc_shutdown+1051>:	je     0xffffffffa02d1ab2 <smc_shutdown+1058>
End of assembler dump.
rax            0xdffffc0000000000	-2305847407260205056
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a8f	-1607656817
rdx            0xffff88005be55e08	-131939853574648
rsi            0x0	0
rdi            0xffff88005be55e08	-131939853574648
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1aa3	0xffffffffa02d1aa3 <smc_shutdown+1043>
eflags         0x293	[ CF AF SF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) 
0xffffffffa02d1aa7	1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1aa7 to 0xffffffffa02d1ab1:
=> 0xffffffffa02d1aa7 <smc_shutdown+1047>:	cmp    BYTE PTR [rdx+rax*1],0x0
   0xffffffffa02d1aab <smc_shutdown+1051>:	je     0xffffffffa02d1ab2 <smc_shutdown+1058>
   0xffffffffa02d1aad <smc_shutdown+1053>:	call   0xffffffff81726980 <__asan_report_load8_noabort>
End of assembler dump.
rax            0xdffffc0000000000	-2305847407260205056
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a8f	-1607656817
rdx            0x1ffff1000b7cabc1	2305826516731997121
rsi            0x0	0
rdi            0xffff88005be55e08	-131939853574648
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1aa7	0xffffffffa02d1aa7 <smc_shutdown+1047>
eflags         0x202	[ IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) 
0xffffffffa02d1aab	1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1aab to 0xffffffffa02d1ab5:
=> 0xffffffffa02d1aab <smc_shutdown+1051>:	je     0xffffffffa02d1ab2 <smc_shutdown+1058>
   0xffffffffa02d1aad <smc_shutdown+1053>:	call   0xffffffff81726980 <__asan_report_load8_noabort>
   0xffffffffa02d1ab2 <smc_shutdown+1058>:	mov    rdi,QWORD PTR [rbx+0x2c8]
End of assembler dump.
rax            0xdffffc0000000000	-2305847407260205056
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a8f	-1607656817
rdx            0x1ffff1000b7cabc1	2305826516731997121
rsi            0x0	0
rdi            0xffff88005be55e08	-131939853574648
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1aab	0xffffffffa02d1aab <smc_shutdown+1051>
eflags         0x246	[ PF ZF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) 

Thread 3 hit Breakpoint 32, 0xffffffffa02d1ab2 in smc_shutdown (sock=<optimized out>, how=0) at ../net/smc/af_smc.c:1264
1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1ab2 to 0xffffffffa02d1abc:
=> 0xffffffffa02d1ab2 <smc_shutdown+1058>:	mov    rdi,QWORD PTR [rbx+0x2c8]
   0xffffffffa02d1ab9 <smc_shutdown+1065>:	mov    esi,r12d
End of assembler dump.
rax            0xdffffc0000000000	-2305847407260205056
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a8f	-1607656817
rdx            0x1ffff1000b7cabc1	2305826516731997121
rsi            0x0	0
rdi            0xffff88005be55e08	-131939853574648
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1ab2	0xffffffffa02d1ab2 <smc_shutdown+1058>
eflags         0x246	[ PF ZF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) 
0xffffffffa02d1ab9	1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1ab9 to 0xffffffffa02d1ac3:
=> 0xffffffffa02d1ab9 <smc_shutdown+1065>:	mov    esi,r12d
   0xffffffffa02d1abc <smc_shutdown+1068>:	call   0xffffffff829206d0 <kernel_sock_shutdown>
   0xffffffffa02d1ac1 <smc_shutdown+1073>:	lea    rdi,[rbx+0x24a]
End of assembler dump.
rax            0xdffffc0000000000	-2305847407260205056
rbx            0xffff88005be55b40	-131939853575360
rcx            0xffffffffa02d1a8f	-1607656817
rdx            0x1ffff1000b7cabc1	2305826516731997121
rsi            0x0	0
rdi            0x0	0
rbp            0xffff88005be55b52	0xffff88005be55b52
rsp            0xffff88005e887d18	0xffff88005e887d18
r8             0x88	136
r9             0xffff880060f2bc00	-131939768812544
r10            0xffff88005e17f2f8	-131939816705288
r11            0xb839	47161
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa02d1ab9	0xffffffffa02d1ab9 <smc_shutdown+1065>
eflags         0x246	[ PF ZF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb)
Comment 1 reactor(topsec) 2018-04-18 06:37:08 UTC
The debugging here is clear:
(gdb) b sock_register 
Breakpoint 2 at 0xffffffff82923e70: file ../net/socket.c, line 2540.

(gdb) c
Continuing.
[Switching to Thread 3]

Thread 3 hit Breakpoint 2, sock_register (ops=0xffffffffa032e2c0) at ../net/socket.c:2540
2540	{

(gdb) p ops.create 
$1 = (int (*)(struct net *, struct socket *, int, int)) 0xffffffffa030b5b0
(gdb) add-symbol-file net/smc/smc.ko 0xffffffffa030b5b0-0x35b0
add symbol table from file "net/smc/smc.ko" at
	.text_addr = 0xffffffffa0308000
(y or n) y
Reading symbols from net/smc/smc.ko...done.

(gdb) b smc_create
Breakpoint 3 at 0xffffffffa030b5b0: file ../net/smc/af_smc.c, line 1381.

(gdb) b smc_listen
Breakpoint 4 at 0xffffffffa030d240: file ../net/smc/af_smc.c, line 985.

(gdb) b smc_shutdown
Breakpoint 5 at 0xffffffffa0309690: file ../net/smc/af_smc.c, line 1220.

(gdb) c
Continuing.
[Switching to Thread 2]

Thread 2 hit Breakpoint 3, smc_create (net=0xffffffff84222480 <init_net>, sock=0xffff880058431140, protocol=0, kern=0) at ../net/smc/af_smc.c:1381
1381	{

(gdb) c
Continuing.

Thread 2 hit Breakpoint 4, smc_listen (sock=0xffff880058431140, backlog=0) at ../net/smc/af_smc.c:985
985	{

(gdb) c
Continuing.
[Switching to Thread 1]

Thread 1 hit Breakpoint 5, smc_shutdown (sock=0xffff880058431140, how=0) at ../net/smc/af_smc.c:1220
1220	{

(gdb) p (struct smc_sock*)(sock->sk)->clcsock
There is no member named clcsock.

(gdb) p sock
$2 = (struct socket *) 0xffff880058431140

(gdb) p sock->sk
$3 = (struct sock *) 0xffff880056dac7c0

(gdb) p ((struct smc_sock*)0xffff880056dac7c0)->clcsock 
$4 = (struct socket *) 0xffff880058436640

(gdb) b *0xffffffffa0309690+0x3ef
Breakpoint 6 at 0xffffffffa0309a7f: file ../net/smc/af_smc.c, line 1258.

(gdb) c
Continuing.
Thread 1 hit Breakpoint 6, 0xffffffffa0309a7f in smc_shutdown (sock=<optimized out>, how=0) at ../net/smc/af_smc.c:1258
1258				rc = smc_close_active(smc);

(gdb) disas $rip,+0x30
Dump of assembler code from 0xffffffffa0309a7f to 0xffffffffa0309aaf:
=> 0xffffffffa0309a7f <smc_shutdown+1007>:	mov    %rbx,%rdi
   0xffffffffa0309a82 <smc_shutdown+1010>:	callq  0xffffffffa032bc50 <smc_close_active>
   0xffffffffa0309a87 <smc_shutdown+1015>:	mov    %eax,%r13d
   0xffffffffa0309a8a <smc_shutdown+1018>:	callq  0xffffffff813fc430 <__sanitizer_cov_trace_pc>
   0xffffffffa0309a8f <smc_shutdown+1023>:	lea    0x2c8(%rbx),%rdi
   0xffffffffa0309a96 <smc_shutdown+1030>:	movabs $0xdffffc0000000000,%rax
   0xffffffffa0309aa0 <smc_shutdown+1040>:	mov    %rdi,%rdx
   0xffffffffa0309aa3 <smc_shutdown+1043>:	shr    $0x3,%rdx
   0xffffffffa0309aa7 <smc_shutdown+1047>:	cmpb   $0x0,(%rdx,%rax,1)
   0xffffffffa0309aab <smc_shutdown+1051>:	je     0xffffffffa0309ab2 <smc_shutdown+1058>
   0xffffffffa0309aad <smc_shutdown+1053>:	callq  0xffffffff81726980 <__asan_report_load8_noabort>
End of assembler dump.

(gdb) b *0xffffffffa0309a87
Breakpoint 7 at 0xffffffffa0309a87: file ../net/smc/af_smc.c, line 1258.

(gdb) watch ((struct smc_sock*)0xffff880056dac7c0)->clcsock
Hardware watchpoint 8: ((struct smc_sock*)0xffff880056dac7c0)->clcsock

(gdb) c
Continuing.
[Switching to Thread 2]
Thread 2 hit Hardware watchpoint 8: ((struct smc_sock*)0xffff880056dac7c0)->clcsock
Old value = (struct socket *) 0xffff880058436640
New value = (struct socket *) 0x0 <irq_stack_union>
smc_tcp_listen_work (work=0xffff880056dacc10) at ../net/smc/af_smc.c:980
980		release_sock(lsk);

(gdb) bt
#0  smc_tcp_listen_work (work=0xffff880056dacc10) at ../net/smc/af_smc.c:980
#1  0xffffffff811dd957 in process_one_work (worker=0xffff88005f486868, work=0xffff880056dacc10) at ../kernel/workqueue.c:2113
#2  0xffffffff811def0d in worker_thread (__worker=0xffff88005f486868) at ../kernel/workqueue.c:2247
#3  0xffffffff811f4f5f in kthread (_create=<optimized out>) at ../kernel/kthread.c:238
#4  0xffffffff83000205 in ret_from_fork () at ../arch/x86/entry/entry_64.S:406
#5  0x0000000000000000 in ?? ()

(gdb) c
Continuing.
[Switching to Thread 1]

Thread 1 hit Breakpoint 7, 0xffffffffa0309a87 in smc_shutdown (sock=<optimized out>, how=0) at ../net/smc/af_smc.c:1258
1258				rc = smc_close_active(smc);

(gdb) so ni
1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa0309a8a to 0xffffffffa0309a94:
=> 0xffffffffa0309a8a <smc_shutdown+1018>:	callq  0xffffffff813fc430 <__sanitizer_cov_trace_pc>
   0xffffffffa0309a8f <smc_shutdown+1023>:	lea    0x2c8(%rbx),%rdi
End of assembler dump.
rax            0x0	0
rbx            0xffff880056dac7c0	-131939938154560
rcx            0xffffffffa032c82b	-1607284693
rdx            0x0	0
rsi            0x0	0
rdi            0xffff880056dac8d0	-131939938154288
rbp            0xffff880056dac7d2	0xffff880056dac7d2
rsp            0xffff880056e8fd18	0xffff880056e8fd18
r8             0x2	2
r9             0x1ffffffff0780f60	2305843008953126752
r10            0xffffffff83c07b90	-2084537456
r11            0x0	0
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa0309a8a	0xffffffffa0309a8a <smc_shutdown+1018>
eflags         0x282	[ SF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'


(gdb) 
0xffffffffa0309abc	1264		rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa0309abc to 0xffffffffa0309ac6:
=> 0xffffffffa0309abc <smc_shutdown+1068>:	callq  0xffffffff829206d0 <kernel_sock_shutdown>
   0xffffffffa0309ac1 <smc_shutdown+1073>:	lea    0x24a(%rbx),%rdi
End of assembler dump.
rax            0xdffffc0000000000	-2305847407260205056
rbx            0xffff880056dac7c0	-131939938154560
rcx            0xffffffffa0309a8f	-1607427441
rdx            0x1ffff1000adb5951	2305826516721424721
rsi            0x0	0
rdi            0x0	0
rbp            0xffff880056dac7d2	0xffff880056dac7d2
rsp            0xffff880056e8fd18	0xffff880056e8fd18
r8             0x2	2
r9             0x1ffffffff0780f60	2305843008953126752
r10            0xffffffff83c07b90	-2084537456
r11            0x0	0
r12            0x0	0
r13            0x0	0
r14            0x0	0
r15            0x0	0
rip            0xffffffffa0309abc	0xffffffffa0309abc <smc_shutdown+1068>
eflags         0x246	[ PF ZF IF ]
cs             0x10	16
ss             0x18	24
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb)
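The interleaving the watchpoint and breakpoint hits above show, as an added user-space model (not kernel code and not the attached POC): the listen worker clears clcsock under the socket lock while smc_shutdown has dropped that lock inside smc_close_active, beside a shape of smc_shutdown that snapshots the pointer and holds its own reference. The struct layouts, the lock counters, the synchronous call of the worker and the -EFAULT stand-in for the fault are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>

/* Assumed, simplified stand-ins for the kernel objects in the trace. */
struct clcsock { int refcnt; int shut_how; };   /* the TCP socket under the SMC socket */
struct smc_sock {
    int locked;                                  /* models lock_sock()/release_sock() */
    struct clcsock *clcsock;
};

static void lock_sock(struct smc_sock *smc)    { smc->locked++; }
static void release_sock(struct smc_sock *smc) { smc->locked--; }

/* Stands in for kernel_sock_shutdown() in net/socket.c: the real one dereferences sock->ops
 * at once, so a NULL argument is the GPF in the trace; reported as -EFAULT here instead. */
static int kernel_sock_shutdown(struct clcsock *s, int how)
{
    if (!s) return -EFAULT;
    s->shut_how = how;
    return 0;
}

/* Drop one reference; "freed" is a marker, not free(), to keep the model memory-safe. */
static void clcsock_put(struct clcsock *c)
{
    if (c && --c->refcnt == 0)
        c->shut_how = -1;
}

/* Exit path of the listen worker (the watchpoint hit at af_smc.c:980): under the socket lock
 * it releases the TCP socket and clears the pointer. Called synchronously here (assumption)
 * so the interleaving is deterministic; in the kernel it is a workqueue item. */
static void smc_tcp_listen_work(struct smc_sock *lsmc)
{
    lock_sock(lsmc);
    clcsock_put(lsmc->clcsock);
    lsmc->clcsock = NULL;
    release_sock(lsmc);
}

/* The SMC_LISTEN branch of smc_close_active() drops the socket lock so the listen
 * worker can finish. That unlocked window is where the pointer goes away. */
static void smc_close_active(struct smc_sock *smc)
{
    release_sock(smc);
    smc_tcp_listen_work(smc);
    lock_sock(smc);
}

/* Shape of the defect: smc->clcsock is re-read after the lock was dropped (line 1264). */
int smc_shutdown_racy(struct smc_sock *smc, int how)
{
    lock_sock(smc);
    smc_close_active(smc);
    int rc = kernel_sock_shutdown(smc->clcsock, how);   /* NULL here: the crash */
    release_sock(smc);
    return rc;
}

/* Hardened shape: snapshot the pointer and take our own reference while the lock is
 * held, then use the snapshot (NULL-checked) once the lock is reacquired. */
int smc_shutdown_safe(struct smc_sock *smc, int how)
{
    lock_sock(smc);
    struct clcsock *c = smc->clcsock;
    if (c) c->refcnt++;
    smc_close_active(smc);
    int rc = c ? kernel_sock_shutdown(c, how) : -ENOTCONN;
    clcsock_put(c);                                      /* our reference, after use */
    release_sock(smc);
    return rc;
}

/* Constructed fixture: a listening SMC socket that still owns one reference to its TCP socket. */
void setup_listening(struct smc_sock *smc, struct clcsock *c)
{
    c->refcnt = 1; c->shut_how = 0;
    smc->locked = 0; smc->clcsock = c;
}
```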
Comment 2 reactor(topsec) 2018-04-27 09:10:04 UTC
Is this a security problem?
