syzbot

 sign-in | mailing list | source | docs
🐞 Open [873] Subsystems 🐞 Fixed [4875] 🐞 Invalid [11647] Missing Backports [68] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in dev_map_hash_update_elem

Status: fixed on 2019/10/15 23:39
Subsystems: net bpf
[Documentation on labels]
Reported-by: syzbot+4e7a85b1432052e8d6f8@syzkaller.appspotmail.com
Fix commit: af58e7ee6a8d xdp: Fix race in dev_map_hash_update_elem() when replacing element
First crash: 1549d, last: 1543d
Cause bisection: the cause commit could be any of (bisect log):
  116e7dbe34b4 Merge branch 'gen-syn-cookie'
  91bc35789db4 selftests/bpf: add test for bpf_tcp_gen_syncookie
  637f71c09ba2 selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers
  bf8ff0f8cfd7 selftests/bpf: fix clearing buffered output between tests/subtests
  3745ee18017e bpf: sync bpf.h to tools/
  a98bf57391a2 tools: bpftool: add support for reporting the effective cgroup progs
  70d66244317e bpf: add bpf_tcp_gen_syncookie helper
  9babe825da76 bpf: always allocate at least 16 bytes for setsockopt hook
  9349d600fb6a tcp: add skb-less helpers to retrieve SYN cookie
  fd5ef31f370a selftests/bpf: extend sockopt_sk selftest with TCP_CONGESTION use case
  02bc2b64940e Merge branch 'setsockopt-extra-mem'
  965112785e4b tcp: tcp_syn_flood_action read port from socket
  a78d0dbec712 selftests/bpf: add loop test 4
  d3406913561c Merge branch 'devmap_hash'
  1375dc4a4579 tools: Add definitions for devmap_hash map type
  8c30396074c1 selftests/bpf: add loop test 5
  946152b3c5d6 selftests/bpf: test_progs: switch to open_memstream
  e42346192c9f tools/libbpf_probes: Add new devmap_hash type
  10fbe21163fc tools/include/uapi: Add devmap_hash BPF map type
  66bd2ec1e0d9 selftests/bpf: test_progs: test__printf -> printf
  16e910d4467c selftests/bpf: test_progs: drop extra trailing tab
  6f9d451ab1a3 xdp: Add devmap_hash map type for looking up devices by hashed index
  682cdbdc2160 Merge branch 'test_progs-stdio'
  fca16e51078e xdp: Refactor devmap allocation code for reuse
  6dbff13ca8a2 include/bpf.h: Remove map_insert_ctx() stubs
  ef20a9b27c66 libbpf: add helpers for working with BTF types
  475e31f8da1b Merge branch 'revamp-test_progs'
  b03bc6853c0e libbpf: convert libbpf code to use new btf helpers
  4cedc0dad9b5 libbpf: add .BTF.ext offset relocation section loading
  b207edfe4e02 selftests/bpf: convert send_signal.c to use subtests
  51436ed78d59 selftests/bpf: convert bpf_verif_scale.c to sub-tests API
  ddc7c3042614 libbpf: implement BPF CO-RE offset relocation algorithm
  2dc26d5a4f2e selftests/bpf: add BPF_CORE_READ relocatable read macro
  3a516a0a3a7b selftests/bpf: add sub-tests support for test_progs
  0ff97e56c098 selftests/bpf: abstract away test log output
  df36e621418b selftests/bpf: add CO-RE relocs testing setup
  002d3afce655 selftests/bpf: add CO-RE relocs struct flavors tests
  329e38f76cc2 selftest/bpf: centralize libbpf logging management for test_progs
  e87fd8bae44c libbpf: return previous print callback from libbpf_set_print
  ec6438a988a4 selftests/bpf: add CO-RE relocs nesting tests
  20a9ad2e7136 selftests/bpf: add CO-RE relocs array tests
  8160bae21fc2 selftests/bpf: add test selectors by number and name to test_progs
  766f2a59323a selftests/bpf: revamp test_progs to allow more control
  d9db3550300f selftests/bpf: add CO-RE relocs enum/ptr/func_proto tests
  61098e89e6c8 selftests/bpf: prevent headers to be compiled as C code
  9654e2ae908e selftests/bpf: add CO-RE relocs modifiers/typedef tests
  943e398dd36c Merge branch 'flow_dissector-input-flags'
  d698f9dbdbed selftests/bpf: add CO-RE relocs ptr-as-array tests
  c1f5e7dd19e7 selftests/bpf: add CO-RE relocs ints tests
  e853ae776a58 selftests/bpf: support BPF_FLOW_DISSECTOR_F_STOP_AT_ENCAP
  29e1c6687245 selftests/bpf: add CO-RE relocs misc tests
  71c99e32b926 bpf/flow_dissector: support ipv6 flow_label and BPF_FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL
  726e333fd2e9 Merge branch 'compile-once-run-everywhere'
  ae173a915785 selftests/bpf: support BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG
  57debff23c4c tools/bpf: sync bpf_flow_keys flags
  b707659213d3 tools/bpf: fix core_reloc.c compilation error
  b2ca4e1cfa7d bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN
  d9973cec9d57 xdp: xdp_umem: fix umem pages mapping for 32bits systems
  1ac6b126dbe8 bpf/flow_dissector: document flags
  3783d43752ea samples/bpf: xdp_fwd rename devmap name to be xdp_tx_ports
  086f95682114 bpf/flow_dissector: pass input flags to BPF flow dissector program
  a32a32cb26eb samples/bpf: make xdp_fwd more practically usable via devmap lookup
  03cd1d1a493e selftests/bpf: Add selftests for bpf_perf_event_output
  abcce733adb7 samples/bpf: xdp_fwd explain bpf_fib_lookup return codes
  7c4b90d79d0f bpf: Allow bpf_skb_event_output for a few prog types
  9f30cd568b39 Merge branch 'bpf-xdp-fwd-sample-improvements'
  5e31d507da6c Merge branch 'convert-tests-to-libbpf'
  a664a834579a tools: bpftool: fix reading from /proc/config.gz
  341dfcf8d78e btf: expose BTF info through sysfs
  47da6e4dc3d3 selftests/bpf: remove perf buffer helpers
  c17bec549c9d samples/bpf: switch trace_output sample to perf_buffer API
  d66fa3c70e59 tools: bpftool: add feature check for zlib
  9840a4ffcf0b selftests/bpf: fix race in flow dissector tests
  f58a4d51d8da samples/bpf: convert xdp_sample_pkts_user to perf_buffer API
  7fd785685e22 btf: rename /sys/kernel/btf/kernel into /sys/kernel/btf/vmlinux
  898ca681cd78 selftests/bpf: switch test_tcpnotify to perf_buffer API
  58b80815362e selftests/bpf: convert test_get_stack_raw_tp to perf_buffer API
  a1916a153c25 libbpf: attempt to load kernel BTF from sysfs first
  72ef80b5ee13 Merge branch 'bpf-libbpf-read-sysfs-btf'
  f2a3e4e95f40 libbpf: provide more helpful message on uninitialized global var
  708852dcac84 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
   
Discussions (3)
Title Replies (including bot) Last reply
[PATCH bpf-next] xdp: Fix race in dev_map_hash_update_elem() when replacing element 3 (3) 2019/09/08 11:28
Re: general protection fault in dev_map_hash_update_elem 1 (1) 2019/09/08 08:09
general protection fault in dev_map_hash_update_elem 3 (5) 2019/09/08 01:59
Last patch testing requests (6)
Created Duration User Patch Repo Result
2019/09/07 14:38 16m toke@redhat.com patch net-next-old OK
2019/09/07 10:54 10m toke@redhat.com patch net-next-old report log
2019/09/07 10:53 16m toke@redhat.com patch net-next-old OK
2019/09/06 23:08 3m toke@redhat.com patch linux-next error OK
2019/09/06 23:07 4m toke@redhat.com patch linux-next error OK
2019/09/06 23:06 3m toke@redhat.com patch linux-next error OK

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12664 Comm: syz-executor689 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__write_once_size include/linux/compiler.h:226 [inline]
RIP: 0010:__hlist_del include/linux/list.h:762 [inline]
RIP: 0010:hlist_del_rcu include/linux/rculist.h:455 [inline]
RIP: 0010:__dev_map_hash_update_elem kernel/bpf/devmap.c:668 [inline]
RIP: 0010:dev_map_hash_update_elem+0x3c8/0x6e0 kernel/bpf/devmap.c:691
Code: 48 89 f1 48 89 75 c8 48 c1 e9 03 80 3c 11 00 0f 85 d3 02 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 53 10 48 89 d6 48 c1 ee 03 <80> 3c 0e 00 0f 85 97 02 00 00 48 85 c0 48 89 02 74 38 48 89 55 b8
RSP: 0018:ffff8880845c7c30 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8880a02acd80 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a02acd88
RBP: ffff8880845c7c78 R08: 1ffff1101229ed15 R09: ffffed101229ed16
R10: ffffed101229ed15 R11: ffff8880914f68ab R12: ffff8880914f6780
R13: ffff888090a52000 R14: 0000000000000000 R15: ffff8880914f68a8
FS:  00007fc29cf45700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd1d820cb0 CR3: 000000008e1e0000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 map_update_elem+0xc82/0x10b0 kernel/bpf/syscall.c:966
 __do_sys_bpf+0x8b5/0x3350 kernel/bpf/syscall.c:2854
 __se_sys_bpf kernel/bpf/syscall.c:2825 [inline]
 __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:2825
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446a29
Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc29cf44db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446a29
RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 00007ffd1d820c2f R14: 00007fc29cf459c0 R15: 0000000000000000
Modules linked in:
---[ end trace ec12a653c0093bf8 ]---
RIP: 0010:__write_once_size include/linux/compiler.h:226 [inline]
RIP: 0010:__hlist_del include/linux/list.h:762 [inline]
RIP: 0010:hlist_del_rcu include/linux/rculist.h:455 [inline]
RIP: 0010:__dev_map_hash_update_elem kernel/bpf/devmap.c:668 [inline]
RIP: 0010:dev_map_hash_update_elem+0x3c8/0x6e0 kernel/bpf/devmap.c:691
Code: 48 89 f1 48 89 75 c8 48 c1 e9 03 80 3c 11 00 0f 85 d3 02 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 53 10 48 89 d6 48 c1 ee 03 <80> 3c 0e 00 0f 85 97 02 00 00 48 85 c0 48 89 02 74 38 48 89 55 b8
RSP: 0018:ffff8880845c7c30 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8880a02acd80 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880a02acd88
RBP: ffff8880845c7c78 R08: 1ffff1101229ed15 R09: ffffed101229ed16
R10: ffffed101229ed15 R11: ffff8880914f68ab R12: ffff8880914f6780
R13: ffff888090a52000 R14: 0000000000000000 R15: ffff8880914f68a8
FS:  00007fc29cf45700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd1d820cb0 CR3: 000000008e1e0000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/09/12 09:11 net-next-old c1609946b8b6 f4e53c10 .config console log report syz C ci-upstream-net-kasan-gce
2019/09/08 01:58 bpf-next a2c11b034142 a60cb4cd .config console log report syz C ci-upstream-bpf-next-kasan-gce
2019/09/12 06:45 linux-next 6d028043b55e f4e53c10 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/09/05 13:48 linux-next 6d028043b55e 040fda58 .config console log report syz ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.