syzbot


general protection fault in qrtr_endpoint_post

Status: fixed on 2020/08/12 02:00
Subsystems: arm-msm net
Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com
Fix commit: 8ff41cc21714 net: qrtr: Fix an out of bounds read qrtr_endpoint_post()
First crash: 1396d, last: 1378d
Cause bisection: introduced by (bisect log):
commit e42671084361302141a09284fde9bbc14fdd16bf
Author: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Date: Thu May 7 12:53:06 2020 +0000

  net: qrtr: Do not depend on ARCH_QCOM

Crash: general protection fault in qrtr_endpoint_post (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log):
commit 8ff41cc21714704ef0158a546c3c4d07fae2c952
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Jun 30 11:46:15 2020 +0000

  net: qrtr: Fix an out of bounds read qrtr_endpoint_post()

  
Discussions (2)
Title | Replies (including bot) | Last reply
general protection fault in qrtr_endpoint_post | 0 (3) | 2020/08/11 07:02
[Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter() | 3 (3) | 2020/07/13 09:13
Last patch testing requests (1)
Created | Duration | User | Patch | Repo | Result
2020/07/22 17:15 | 4m | bkkarthik@pesu.pes.edu | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | error OK

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 6810 Comm: syz-executor018 Not tainted 5.8.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:qrtr_endpoint_post+0x8f/0x1110 net/qrtr/qrtr.c:440
Code: 44 89 ee ba 20 0a 00 00 e8 0e d9 4f fe 48 85 c0 0f 84 5c 02 00 00 49 89 c7 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <8a> 04 08 84 c0 0f 85 7d 09 00 00 4d 8d 77 28 41 0f b6 1c 24 48 89
RSP: 0018:ffffc900023efd20 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff8880a73efd08 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a1cdac38
RBP: ffff8880a2805800 R08: ffffffff866434bc R09: ffffed1010b32c1d
R10: ffffed1010b32c1d R11: 0000000000000000 R12: 0000000000000010
R13: 0000000000000000 R14: ffffc900023efdd8 R15: ffff8880a1cdab80
FS:  00000000008a2880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004551b0 CR3: 0000000093caa000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 qrtr_tun_write_iter+0xc6/0x120 net/qrtr/tun.c:92
 call_write_iter include/linux/fs.h:1907 [inline]
 new_sync_write fs/read_write.c:484 [inline]
 __vfs_write+0x52f/0x6e0 fs/read_write.c:497
 vfs_write+0x274/0x580 fs/read_write.c:559
 ksys_write+0x11b/0x220 fs/read_write.c:612
 do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440249
Code: Bad RIP value.
RSP: 002b:00007ffde0e93aa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffde0e93ab0 RCX: 0000000000440249
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 000000000000000f R09: 65732f636f72702f
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b30
R13: 0000000000401bc0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace fb0bc1429785a12d ]---
RIP: 0010:qrtr_endpoint_post+0x8f/0x1110 net/qrtr/qrtr.c:440
Code: 44 89 ee ba 20 0a 00 00 e8 0e d9 4f fe 48 85 c0 0f 84 5c 02 00 00 49 89 c7 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <8a> 04 08 84 c0 0f 85 7d 09 00 00 4d 8d 77 28 41 0f b6 1c 24 48 89
RSP: 0018:ffffc900023efd20 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff8880a73efd08 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a1cdac38
RBP: ffff8880a2805800 R08: ffffffff866434bc R09: ffffed1010b32c1d
R10: ffffed1010b32c1d R11: 0000000000000000 R12: 0000000000000010
R13: 0000000000000000 R14: ffffc900023efdd8 R15: ffff8880a1cdab80
FS:  00000000008a2880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004551b0 CR3: 0000000093caa000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (54):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/06/27 09:03 upstream 1590a2e1c681 ffec44b5 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/06/27 09:01 upstream 1590a2e1c681 ffec44b5 .config console log report syz C ci-upstream-kasan-gce
2020/06/27 08:58 upstream 1590a2e1c681 ffec44b5 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/06/27 08:41 upstream 1590a2e1c681 ffec44b5 .config console log report syz C ci-upstream-kasan-gce-root
2020/06/24 04:39 upstream 7ae77150d94d 54566aff .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/06/24 04:36 upstream 7ae77150d94d 54566aff .config console log report syz C ci-upstream-kasan-gce-root
2020/06/24 04:27 upstream 7ae77150d94d 54566aff .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/06/24 03:59 upstream 7ae77150d94d 54566aff .config console log report syz C ci-upstream-kasan-gce
2020/06/27 09:06 upstream 1590a2e1c681 ffec44b5 .config console log report syz C ci-upstream-kasan-gce-386
2020/06/24 08:11 upstream 7ae77150d94d 54566aff .config console log report syz C ci-upstream-kasan-gce-386
2020/06/27 21:14 linux-next 36e3135df4d4 ffec44b5 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/06/24 16:34 linux-next e7b08814b16b 54566aff .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/12 02:31 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/11 15:46 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce
2020/07/11 00:11 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-root
2020/07/10 13:50 upstream 42f82040ee66 edf162e8 .config console log report ci-upstream-kasan-gce-root
2020/07/10 04:30 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce
2020/07/09 04:41 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce
2020/07/08 17:27 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce
2020/07/07 23:23 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce
2020/07/06 20:18 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce
2020/07/05 21:16 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-root
2020/07/05 20:10 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce
2020/07/05 19:54 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/05 04:56 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/05 04:56 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/05 04:53 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce
2020/07/03 23:56 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce
2020/07/03 15:46 upstream cd77006e01b3 bed10395 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/02 16:28 upstream cd77006e01b3 bed10395 .config console log report ci-upstream-kasan-gce-root
2020/07/02 15:20 upstream cd77006e01b3 bed10395 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/01 09:03 upstream 9ebcfadb0610 917afeaa .config console log report ci-upstream-kasan-gce-selinux-root
2020/06/30 07:24 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-root
2020/06/30 04:45 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-smack-root
2020/06/28 12:43 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce
2020/06/28 08:06 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce
2020/06/27 12:04 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce-selinux-root
2020/06/27 11:51 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce-smack-root
2020/06/26 19:24 upstream 4a21185cda0f aea82c00 .config console log report ci-upstream-kasan-gce-smack-root
2020/06/26 15:08 upstream 4a21185cda0f aea82c00 .config console log report ci-upstream-kasan-gce-root
2020/06/25 11:21 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce-smack-root
2020/06/24 14:57 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce-smack-root
2020/06/24 05:36 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce-root
2020/06/24 03:47 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce
2020/07/05 04:58 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-386
2020/07/05 04:54 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-386
2020/07/03 11:58 upstream cd77006e01b3 bed10395 .config console log report ci-upstream-kasan-gce-386
2020/06/28 02:36 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce-386
2020/06/26 11:26 upstream 4a21185cda0f aea82c00 .config console log report ci-upstream-kasan-gce-386
2020/06/24 10:42 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce-386
2020/06/28 09:06 linux-next 36e3135df4d4 ffec44b5 .config console log report ci-upstream-linux-next-kasan-gce-root