syzbot


general protection fault in rcu_core

Status: fixed on 2019/08/27 17:15
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+73ac69a8f7a5e5c126f1@syzkaller.appspotmail.com
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1923d, last: 1923d
Cause bisection: introduced by (bisect log) :
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
general protection fault in rcu_core 0 (1) 2019/07/10 07:57
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in rcu_core (2) reiserfs C done done 4 279d 494d 0/28 auto-obsoleted due to no activity on 2024/04/17 10:35

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9817 Comm: blkid Not tainted 5.2.0-next-20190709 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:lookup_object lib/debugobjects.c:193 [inline]
RIP: 0010:debug_object_active_state lib/debugobjects.c:900 [inline]
RIP: 0010:debug_object_active_state+0x16e/0x350 lib/debugobjects.c:885
Code: 1a 4c 89 e0 48 c1 e8 03 80 3c 08 00 0f 85 6c 01 00 00 4d 8b 24 24 4d 85 e4 74 6a 4d 8d 44 24 18 83 c3 01 4c 89 c7 48 c1 ef 03 <80> 3c 0f 00 0f 85 17 01 00 00 4d 3b 7c 24 18 75 c6 49 8d 7c 24 10
RSP: 0018:ffff8880ae809d00 EFLAGS: 00010802
RAX: 1ffffffff0c4eadc RBX: 0000000000000005 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000000286 RDI: 1dc43d1fffffc920
RBP: ffff8880ae809de8 R08: ee21e8fffffe4901 R09: ffffed1015d0138d
R10: ffffffff8a9b1768 R11: 0000000000000003 R12: ee21e8fffffe48e9
R13: 1ffff11015d013a4 R14: ffffffff88dab220 R15: ffff8880a21f7f58
FS:  00007f3fd76fc740(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3fd72daa20 CR3: 000000008fe3c000 CR4: 00000000001406f0
Call Trace:
 <IRQ>
 debug_rcu_head_unqueue kernel/rcu/rcu.h:185 [inline]
 rcu_do_batch kernel/rcu/tree.c:2113 [inline]
 rcu_core+0x745/0x1580 kernel/rcu/tree.c:2314
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x19b/0x1e0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:537 [inline]
 smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1095
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:828
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:767 [inline]
RIP: 0010:console_unlock+0xdab/0xf10 kernel/printk/printk.c:2467
Code: 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 30 48 83 3d 42 4a 77 07 00 74 1f e8 7b ab 16 00 48 8b 7d 98 57 9d <0f> 1f 44 00 00 e9 64 fa ff ff e8 c6 ea 50 00 e9 0e f5 ff ff e8 5c
RSP: 0018:ffff8880991bf2b8 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: ffff8880a7e1e000 RBX: 0000000000000200 RCX: 1ffffffff134a59e
RDX: 0000000000000000 RSI: ffffffff815b9995 RDI: 0000000000000293
RBP: ffff8880991bf340 R08: ffff8880a7e1e000 R09: fffffbfff1349f60
R10: fffffbfff1349f5f R11: ffffffff89a4faff R12: 0000000000000001
R13: ffffffff843434b0 R14: dffffc0000000000 R15: ffffffff893cb710
 vprintk_emit+0x2a0/0x700 kernel/printk/printk.c:1986
 vprintk_default+0x28/0x30 kernel/printk/printk.c:2013
 vprintk_func+0x7e/0x189 kernel/printk/printk_safe.c:386
 printk+0xba/0xed kernel/printk/printk.c:2046
 __warn_printk+0x9b/0xf3 kernel/panic.c:630
 debug_mutex_wake_waiter+0x1d7/0x330 kernel/locking/mutex-debug.c:41
 __mutex_unlock_slowpath+0x3d5/0x6b0 kernel/locking/mutex.c:1241
 mutex_unlock+0xd/0x10 kernel/locking/mutex.c:714
 kobj_lookup+0x250/0x460 drivers/base/map.c:123
 get_gendisk+0x4d/0x390 block/genhd.c:869
 bdev_get_gendisk fs/block_dev.c:1100 [inline]
 __blkdev_get+0x457/0x1660 fs/block_dev.c:1493
 blkdev_get+0xc4/0x990 fs/block_dev.c:1652
 blkdev_open+0x205/0x290 fs/block_dev.c:1810
 do_dentry_open+0x4df/0x1250 fs/open.c:778
 vfs_open+0xa0/0xd0 fs/open.c:887
 do_last fs/namei.c:3416 [inline]
 path_openat+0x10e9/0x4630 fs/namei.c:3533
 do_filp_open+0x1a1/0x280 fs/namei.c:3563
 do_sys_open+0x3fe/0x5d0 fs/open.c:1070
 __do_sys_open fs/open.c:1088 [inline]
 __se_sys_open fs/open.c:1083 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1083
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f3fd7004120
Code: 48 8b 15 1b 4d 2b 00 f7 d8 64 89 02 83 c8 ff c3 90 90 90 90 90 90 90 90 90 90 83 3d d5 a4 2b 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 5e 8c 01 00 48 89 04 24
RSP: 002b:00007ffc2fe70dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3fd7004120
RDX: 00007ffc2fe72f33 RSI: 0000000000000000 RDI: 00007ffc2fe72f33
RBP: 0000000000000000 R08: 0000000000000078 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000001882030
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000005
Modules linked in:
---[ end trace d75a73838ffe8a54 ]---
RIP: 0010:lookup_object lib/debugobjects.c:193 [inline]
RIP: 0010:debug_object_active_state lib/debugobjects.c:900 [inline]
RIP: 0010:debug_object_active_state+0x16e/0x350 lib/debugobjects.c:885
Code: 1a 4c 89 e0 48 c1 e8 03 80 3c 08 00 0f 85 6c 01 00 00 4d 8b 24 24 4d 85 e4 74 6a 4d 8d 44 24 18 83 c3 01 4c 89 c7 48 c1 ef 03 <80> 3c 0f 00 0f 85 17 01 00 00 4d 3b 7c 24 18 75 c6 49 8d 7c 24 10
RSP: 0018:ffff8880ae809d00 EFLAGS: 00010802
RAX: 1ffffffff0c4eadc RBX: 0000000000000005 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000000286 RDI: 1dc43d1fffffc920
RBP: ffff8880ae809de8 R08: ee21e8fffffe4901 R09: ffffed1015d0138d
R10: ffffffff8a9b1768 R11: 0000000000000003 R12: ee21e8fffffe48e9
R13: 1ffff11015d013a4 R14: ffffffff88dab220 R15: ffff8880a21f7f58
FS:  00007f3fd76fc740(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3fd72daa20 CR3: 000000008fe3c000 CR4: 00000000001406f0

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/07/09 18:47 linux-next 4608a726c668 f62e1e85 .config console log report syz ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.