syzbot

 sign-in | mailing list | source | docs
🐞 Open [977] Subsystems 🐞 Fixed [5216] 🐞 Invalid [12473] Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

BUG: unable to handle kernel paging request in hrtimer_interrupt

Status: fixed on 2019/08/27 17:15
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+037e18398ba8c655a652@syzkaller.appspotmail.com
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1765d, last: 1728d
Cause bisection: introduced by (bisect log) :
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config
  
Discussions (3)
Title Replies (including bot) Last reply
Reminder: 36 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/07/03 06:01
BUG: unable to handle kernel paging request in hrtimer_interrupt 1 (3) 2019/06/28 19:39
Reminder: 30 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/06/24 05:01

Sample crash report:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle page fault for address: ffff88807a92fb10
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0011) - permissions violation
PGD b401067 P4D b401067 PUD 80000000400001e3 
Thread overran stack, or stack corrupted
Oops: 0011 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 9205 Comm: syz-executor.0 Not tainted 5.2.0-rc5+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0xffff88807a92fb10
Code: ff ff 15 b8 0d 86 ff ff ff ff 00 b5 0d 86 ff ff ff ff 40 8c f0 89 80 88 ff ff 00 00 00 00 00 00 00 00 a0 a9 1d 8b ff ff ff ff <40> fb 92 7a 80 88 ff ff 15 b8 0d 86 ff ff ff ff 00 b5 0d 86 ff ff
RSP: 0018:ffff8880ae909e10 EFLAGS: 00010006
RAX: ffff88807a92fb10 RBX: 0000000000000000 RCX: ffffffff816162e2
RDX: 0000000000010000 RSI: ffffffff81615cdf RDI: ffff88807a92fab8
RBP: ffff8880ae909f08 R08: ffff888092914180 R09: ffffed1015d26c70
R10: ffffed1015d26c6f R11: ffff8880ae93637b R12: ffff8880ae926d80
R13: ffffffff8b1da9a0 R14: ffff88807a92fab8 R15: dffffc0000000000
FS:  0000555557401940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88807a92fb10 CR3: 000000009016a000 CR4: 00000000001406e0
Call Trace:
 <IRQ>
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1041 [inline]
 smp_apic_timer_interrupt+0x111/0x550 arch/x86/kernel/apic/apic.c:1066
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
 </IRQ>
Modules linked in:
CR2: ffff88807a92fb10
---[ end trace f7934f1b1fe3f476 ]---
RIP: 0010:0xffff88807a92fb10
Code: ff ff 15 b8 0d 86 ff ff ff ff 00 b5 0d 86 ff ff ff ff 40 8c f0 89 80 88 ff ff 00 00 00 00 00 00 00 00 a0 a9 1d 8b ff ff ff ff <40> fb 92 7a 80 88 ff ff 15 b8 0d 86 ff ff ff ff 00 b5 0d 86 ff ff
RSP: 0018:ffff8880ae909e10 EFLAGS: 00010006
RAX: ffff88807a92fb10 RBX: 0000000000000000 RCX: ffffffff816162e2
RDX: 0000000000010000 RSI: ffffffff81615cdf RDI: ffff88807a92fab8
RBP: ffff8880ae909f08 R08: ffff888092914180 R09: ffffed1015d26c70
R10: ffffed1015d26c6f R11: ffff8880ae93637b R12: ffff8880ae926d80
R13: ffffffff8b1da9a0 R14: ffff88807a92fab8 R15: dffffc0000000000
FS:  0000555557401940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88807a92fb10 CR3: 000000009016a000 CR4: 00000000001406e0

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/06/19 01:52 upstream 29f785ff76b6 e3f76baa .config console log report syz ci-upstream-kasan-gce-smack-root
2019/07/26 03:12 net-next-old 31cc088a4f5d 732bc5a0 .config console log report syz ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.