syzbot

general protection fault in get_work_pool

Status: fixed on 2019/11/03 21:23
Subsystems: net
Reported-by: syzbot+880087058dbc131a2703@syzkaller.appspotmail.com
Fix commit: 07bf7908950a xfrm: Validate address prefix lengths in the xfrm selector.
First crash: 2270d, last: 1867d
Fix bisection: fixed by (bisect log):
commit 07bf7908950a8b14e81aa1807e3c667eab39287a
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed Aug 1 11:45:11 2018 +0000

  xfrm: Validate address prefix lengths in the xfrm selector.

Discussions (3)
Title Replies (including bot) Last reply
Reminder: 26 open syzbot bugs in "net/xfrm" subsystem 1 (1) 2019/07/24 01:42
Reminder: 27 open syzbot bugs in "net/xfrm" subsystem 1 (1) 2019/06/25 05:51
general protection fault in get_work_pool 0 (1) 2018/03/03 03:59
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in get_work_pool 1 1290d 1290d 0/1 auto-closed as invalid on 2021/03/07 04:54
android-44 general protection fault in get_work_pool C 5 2095d 1866d 0/2 public: reported C repro on 2019/04/11 08:44
android-414 general protection fault in get_work_pool 4 1915d 1863d 0/1 auto-closed as invalid on 2019/08/20 09:55
linux-4.14 general protection fault in get_work_pool C done 1 1256d 1286d 1/1 fixed on 2021/01/09 22:02
android-49 general protection fault in get_work_pool C 24 1955d 1864d 0/3 public: reported C repro on 2019/04/13 00:00

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 5458 Comm: syz-executor877 Not tainted 4.18.0+ #203
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:get_work_pool+0x19f/0x260 kernel/workqueue.c:716
Code: 48 83 c4 60 5b 41 5c 41 5d 41 5e 5d c3 e8 a9 7a 2d 00 48 81 e3 00 fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 9e 00 00 00 48 8b 1b eb 99 e8 7d 7a 2d 00 e8 08
RSP: 0018:ffff8801ae266f40 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 00000000fffffe00 RCX: ffffffff814f49aa
RDX: 000000001fffffc0 RSI: ffffffff814f4a27 RDI: 0000000000000007
RBP: ffff8801ae266fc0 R08: ffff8801d7bfe080 R09: ffffed003b6046d6
R10: ffffed003b6046d6 R11: ffff8801db0236b3 R12: 0000000000000004
R13: 1ffff10035c4cde8 R14: ffff8801ae266fa0 R15: 0000000000000000
FS:  00000000019e7880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000300 CR3: 00000001add0a000 CR4: 00000000001406f0
Call Trace:
 __queue_work+0x319/0x12f0 kernel/workqueue.c:1401
 queue_work_on+0x19a/0x1e0 kernel/workqueue.c:1486
 queue_work include/linux/workqueue.h:512 [inline]
 schedule_work include/linux/workqueue.h:570 [inline]
 xfrm_policy_insert+0xe66/0x16d0 net/xfrm/xfrm_policy.c:803
 xfrm_add_policy+0x2c8/0x750 net/xfrm/xfrm_user.c:1642
 xfrm_user_rcv_msg+0x455/0x8b0 net/xfrm/xfrm_user.c:2650
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454
 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2658
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2114
 __sys_sendmsg+0x11d/0x290 net/socket.c:2152
 __do_sys_sendmsg net/socket.c:2161 [inline]
 __se_sys_sendmsg net/socket.c:2159 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2159
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441409
Code: e8 6c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdb319a658 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441409
RDX: 000000000000c800 RSI: 0000000020000500 RDI: 0000000000000003
RBP: 0000000000008bbe R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000000000
R13: 00000000004022f0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 7d56894d5132b2c0 ]---
RIP: 0010:get_work_pool+0x19f/0x260 kernel/workqueue.c:716
Code: 48 83 c4 60 5b 41 5c 41 5d 41 5e 5d c3 e8 a9 7a 2d 00 48 81 e3 00 fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 9e 00 00 00 48 8b 1b eb 99 e8 7d 7a 2d 00 e8 08
RSP: 0018:ffff8801ae266f40 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 00000000fffffe00 RCX: ffffffff814f49aa
RDX: 000000001fffffc0 RSI: ffffffff814f4a27 RDI: 0000000000000007
RBP: ffff8801ae266fc0 R08: ffff8801d7bfe080 R09: ffffed003b6046d6
R10: ffffed003b6046d6 R11: ffff8801db0236b3 R12: 0000000000000004
R13: 1ffff10035c4cde8 R14: ffff8801ae266fa0 R15: 0000000000000000
FS:  00000000019e7880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000300 CR3: 00000001add0a000 CR4: 00000000001406f0

Crashes (24):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/08/23 02:42 upstream 899fbc33fd77 95b5c82b .config console log report syz C ci-upstream-kasan-gce-root
2018/08/21 02:31 upstream cc26ebbebde8 95b5c82b .config console log report syz C ci-upstream-kasan-gce
2018/03/03 03:11 upstream 0573fed92b67 2c6f473e .config console log report syz C ci-upstream-kasan-gce
2018/08/20 21:12 net-old 176eb614b118 95b5c82b .config console log report syz C ci-upstream-net-this-kasan-gce
2018/08/20 20:39 net-next-old 2ad0d5269970 95b5c82b .config console log report syz C ci-upstream-net-kasan-gce
2018/08/24 03:37 linux-next 455fb5ec1df1 95b5c82b .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/02/14 14:25 upstream 1f947a7a011f 6a46f448 .config console log report ci-upstream-kasan-gce-selinux-root
2019/01/14 16:20 upstream 1c7fc5cbc339 95485883 .config console log report ci-upstream-kasan-gce
2018/11/05 20:42 upstream 651022382c7f 8bd6bd63 .config console log report ci-upstream-kasan-gce-selinux-root
2018/11/05 20:41 upstream 651022382c7f 8bd6bd63 .config console log report ci-upstream-kasan-gce-root
2018/06/19 07:00 upstream ba4dbdedd3ed 45c54f75 .config console log report ci-upstream-kasan-gce-root
2018/03/19 16:39 upstream c698ca527893 7e7d7ed2 .config console log report ci-upstream-kasan-gce
2018/03/05 13:17 upstream 661e50bc8532 bbd5104f .config console log report ci-upstream-kasan-gce
2019/04/10 04:12 net-old c03fd0171ba6 65b612b7 .config console log report ci-upstream-net-this-kasan-gce
2019/02/17 13:04 net-old 46f376663810 f42dee6d .config console log report ci-upstream-net-this-kasan-gce
2019/01/07 09:10 net-old d4a7e9bb74b5 ee332608 .config console log report ci-upstream-net-this-kasan-gce
2019/02/04 06:12 net-next-old 9fb20801dab4 c198d5dd .config console log report ci-upstream-net-kasan-gce
2018/08/08 13:31 net-next-old e93dd8a1ac31 ddeb9f8d .config console log report ci-upstream-net-kasan-gce
2018/08/08 03:27 net-next-old c5d99d2b35da 1beb8136 .config console log report ci-upstream-net-kasan-gce
2018/08/02 22:23 net-next-old 89b1698c93a9 5b7e23bb .config console log report ci-upstream-net-kasan-gce
2018/07/29 13:44 net-next-old 19725496da56 0824d7a1 .config console log report ci-upstream-net-kasan-gce
2018/07/13 00:02 net-next-old e0479b670d39 06c33b3a .config console log report ci-upstream-net-kasan-gce
2018/03/15 02:42 net-next-old c292566a7779 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/09/30 07:46 linux-next 4794a36bf08d 41e4b329 .config console log report ci-upstream-linux-next-kasan-gce-root