syzbot


general protection fault in tls_push_sg (2)

Status: upstream: reported C repro on 2022/03/21 10:19
Reported-by: syzbot+8c45039423baa04a1c51@syzkaller.appspotmail.com
First crash: 814d, last: 703d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in tls_push_sg net 12 2075d 2184d 11/28 fixed on 2019/02/26 22:09
linux-4.19 general protection fault in tls_push_sg 3 1687d 1787d 0/1 auto-closed as invalid on 2020/02/27 15:41

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8067 Comm: syz-executor191 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
RIP: 0010:__read_once_size include/linux/compiler.h:263 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:142 [inline]
RIP: 0010:put_page include/linux/mm.h:951 [inline]
RIP: 0010:tls_push_sg+0x219/0x7c0 net/tls/tls_main.c:134
Code: 89 04 24 4c 89 e7 e8 86 be 69 fa 49 39 ec 75 ab e8 6c bd 69 fa 49 8d 7e 08 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 b3 04 00 00 49 8b 5e 08 31 ff 48 89 dd 83 e5 01
RSP: 0018:ffff888095f7fa70 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffffff86f8c804 RDI: 0000000000000008
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88809ea9c040
FS:  00005555571ee300(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a9163000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tls_push_record+0xb4e/0x1370 net/tls/tls_sw.c:245
 tls_handle_open_record net/tls/tls_main.c:156 [inline]
 tls_sk_proto_close+0x8cf/0xc20 net/tls/tls_main.c:271
 inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:472
 __sock_release+0xcd/0x2a0 net/socket.c:599
 sock_close+0x15/0x20 net/socket.c:1214
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xbf3/0x2be0 kernel/exit.c:870
 do_group_exit+0x125/0x310 kernel/exit.c:967
 __do_sys_exit_group kernel/exit.c:978 [inline]
 __se_sys_exit_group kernel/exit.c:976 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f67b6eeae29
Code: Bad RIP value.
RSP: 002b:00007ffc50c0dd98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f67b6f5e270 RCX: 00007f67b6eeae29
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000028 R11: 0000000000000246 R12: 00007f67b6f5e270
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Modules linked in:
---[ end trace 3573dbef9a90c10f ]---
RIP: 0010:__read_once_size include/linux/compiler.h:263 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:142 [inline]
RIP: 0010:put_page include/linux/mm.h:951 [inline]
RIP: 0010:tls_push_sg+0x219/0x7c0 net/tls/tls_main.c:134
Code: 89 04 24 4c 89 e7 e8 86 be 69 fa 49 39 ec 75 ab e8 6c bd 69 fa 49 8d 7e 08 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 b3 04 00 00 49 8b 5e 08 31 ff 48 89 dd 83 e5 01
RSP: 0018:ffff888095f7fa70 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffffff86f8c804 RDI: 0000000000000008
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88809ea9c040
FS:  00005555571ee300(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffdd762fff8 CR3: 0000000009e6d000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	89 04 24             	mov    %eax,(%rsp)
   3:	4c 89 e7             	mov    %r12,%rdi
   6:	e8 86 be 69 fa       	callq  0xfa69be91
   b:	49 39 ec             	cmp    %rbp,%r12
   e:	75 ab                	jne    0xffffffbb
  10:	e8 6c bd 69 fa       	callq  0xfa69bd81
  15:	49 8d 7e 08          	lea    0x8(%r14),%rdi
  19:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  20:	fc ff df
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1) <-- trapping instruction
  2e:	0f 85 b3 04 00 00    	jne    0x4e7
  34:	49 8b 5e 08          	mov    0x8(%r14),%rbx
  38:	31 ff                	xor    %edi,%edi
  3a:	48 89 dd             	mov    %rbx,%rbp
  3d:	83 e5 01             	and    $0x1,%ebp

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/07/10 17:04 linux-4.19.y 3f8a27f9e27b b5765a15 .config console log report syz C ci2-linux-4-19 general protection fault in tls_push_sg
2022/03/25 15:42 linux-4.19.y 3f8a27f9e27b 89bc8608 .config console log report syz C ci2-linux-4-19 general protection fault in tls_push_sg
2022/07/10 16:48 linux-4.19.y 3f8a27f9e27b b5765a15 .config console log report info ci2-linux-4-19 general protection fault in tls_push_sg
2022/05/30 17:39 linux-4.19.y 3f8a27f9e27b af70c3a9 .config console log report info ci2-linux-4-19 general protection fault in tls_push_sg
2022/03/25 15:25 linux-4.19.y 3f8a27f9e27b 89bc8608 .config console log report info ci2-linux-4-19 general protection fault in tls_push_sg
2022/03/21 10:19 linux-4.19.y 3f8a27f9e27b e2d91b1d .config console log report info ci2-linux-4-19 general protection fault in tls_push_sg
* Struck through repros no longer work on HEAD.