syzbot


general protection fault in tcf_action_destroy (2)

Status: fixed on 2020/11/16 12:12
Subsystems: net
Reported-by: syzbot+92a80fff3b3af6c4464e@syzkaller.appspotmail.com
Fix commit: 0d1c3530e1bd net_sched: keep alloc_hash updated after hash allocation
First crash: 1500d, last: 1287d
Cause bisection: introduced by (bisect log):
commit 599be01ee567b61f4471ee8078870847d0a11e8e
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Mon Feb 3 05:14:35 2020 +0000

  net_sched: fix an OOB access in cls_tcindex

Crash: KASAN: slab-out-of-bounds Read in tcindex_set_parms (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log):
commit 0d1c3530e1bd38382edef72591b78e877e0edcd3
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu Mar 12 05:42:28 2020 +0000

  net_sched: keep alloc_hash updated after hash allocation

Discussions (1)
Title Replies (including bot) Last reply
general protection fault in tcf_action_destroy (2) 1 (4) 2020/11/11 13:13
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in tcf_action_destroy C done 15 1659d 1681d 1/1 fixed on 2019/12/11 14:03
upstream general protection fault in tcf_action_destroy net 128 1664d 1682d 13/26 fixed on 2019/10/15 23:40
linux-4.19 general protection fault in tcf_action_destroy (2) 1 1502d 1502d 0/1 auto-closed as invalid on 2020/07/06 08:55
upstream general protection fault in tcf_action_destroy (3) net C error error 4 1243d 1243d 0/26 closed as invalid on 2021/12/14 20:22

Sample crash report:
general protection fault, probably for non-canonical address 0xe00d898eadcf2e8e: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x006c6c756e797470-0x006c6c756e797477]
CPU: 0 PID: 10491 Comm: syz-executor103 Not tainted 5.6.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcf_action_destroy+0x94/0x150 net/sched/act_api.c:723
Code: 42 80 3c 28 00 0f 85 ae 00 00 00 4c 8b 3b 4d 85 ff 0f 84 8b 00 00 00 e8 7a d3 46 fb 4c 89 f8 48 c7 03 00 00 00 00 48 c1 e8 03 <42> 80 3c 28 00 0f 85 91 00 00 00 49 8b 07 31 ff 44 89 f6 48 89 04
RSP: 0018:ffffc900029c7028 EFLAGS: 00010207
RAX: 000d8d8eadcf2e8e RBX: ffffffff885ee6c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff862b51a6 RDI: ffffffff885ee6c0
RBP: 0000000000000000 R08: ffff88808f07c340 R09: ffffed1015cc7074
R10: ffffed1015cc7073 R11: ffff8880ae63839b R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000001 R15: 006c6c756e797474
FS:  0000000000fe2940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000280 CR3: 0000000097d6f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tcf_exts_destroy+0x42/0xc0 net/sched/cls_api.c:3001
 tcf_exts_change+0xf4/0x150 net/sched/cls_api.c:3059
 tcindex_set_parms+0xed8/0x1a00 net/sched/cls_tcindex.c:456
 tcindex_change+0x203/0x2e0 net/sched/cls_tcindex.c:518
 tc_new_tfilter+0xa59/0x20b0 net/sched/cls_api.c:2103
 rtnetlink_rcv_msg+0x810/0xad0 net/core/rtnetlink.c:5427
 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2478
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6b9/0x7d0 net/socket.c:2345
 ___sys_sendmsg+0x100/0x170 net/socket.c:2399
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2432
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x442d99
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffae866b38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fffae866b70 RCX: 0000000000442d99
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000001000002 R09: 0000000001000002
R10: 0000000001000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000003 R14: 0000000000000004 R15: 00007fffae866c40
Modules linked in:
---[ end trace c1be637078322dcb ]---
RIP: 0010:tcf_action_destroy+0x94/0x150 net/sched/act_api.c:723
Code: 42 80 3c 28 00 0f 85 ae 00 00 00 4c 8b 3b 4d 85 ff 0f 84 8b 00 00 00 e8 7a d3 46 fb 4c 89 f8 48 c7 03 00 00 00 00 48 c1 e8 03 <42> 80 3c 28 00 0f 85 91 00 00 00 49 8b 07 31 ff 44 89 f6 48 89 04
RSP: 0018:ffffc900029c7028 EFLAGS: 00010207
RAX: 000d8d8eadcf2e8e RBX: ffffffff885ee6c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff862b51a6 RDI: ffffffff885ee6c0
RBP: 0000000000000000 R08: ffff88808f07c340 R09: ffffed1015cc7074
R10: ffffed1015cc7073 R11: ffff8880ae63839b R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000001 R15: 006c6c756e797474
FS:  0000000000fe2940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000280 CR3: 0000000097d6f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
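Reading the register dump above: RIP sits on the cmpb $0x0,(%rax,%r13,1) encoded by the "<42> 80 3c 28 00" bytes of the Code line, which is KASAN's inline shadow-memory check. R13 holds the x86_64 KASAN shadow offset 0xdffffc0000000000, RAX equals R15 >> 3, and RAX + R13 is exactly the faulting non-canonical address 0xe00d898eadcf2e8e. R15 was loaded from (%rbx) by the preceding "4c 8b 3b" (mov (%rbx),%r15), i.e. it is the element of the actions[] array that tcf_action_destroy() is about to release, and its little-endian bytes spell the ASCII string "ttynull" followed by a NUL rather than a kernel pointer: the tcf_exts being torn down from tcindex_set_parms() holds text where an action pointer should be. The Python helper below is an added triage example written for this page, not syzbot's or the kernel's code; it re-checks that arithmetic from the report lines embedded in it (copied from the sample report above) and decodes the bad pointer, so it can be pointed at other KASAN wild-memory-access reports. The shadow offset and scale are the upstream x86_64 values, and the register regex assumes the standard x86_64 oops layout.

```python
import re

# Upstream x86_64 values: CONFIG_KASAN_SHADOW_OFFSET and the generic
# KASAN_SHADOW_SCALE_SHIFT of 3 (one shadow byte per 8 bytes of memory).
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3

# Constructed input: the relevant lines copied from the sample crash report above.
REPORT = """\
general protection fault, probably for non-canonical address 0xe00d898eadcf2e8e: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x006c6c756e797470-0x006c6c756e797477]
RIP: 0010:tcf_action_destroy+0x94/0x150 net/sched/act_api.c:723
RAX: 000d8d8eadcf2e8e RBX: ffffffff885ee6c0 RCX: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000001 R15: 006c6c756e797474
"""

REG_RE = re.compile(r"\b(R[A-Z0-9]{2,3}): ([0-9a-f]{16})\b")
FAULT_RE = re.compile(r"non-canonical address 0x([0-9a-f]+)")
RANGE_RE = re.compile(r"wild-memory-access in range \[0x([0-9a-f]+)-0x([0-9a-f]+)\]")


def parse_regs(report):
    """Map register name -> value for every 'NAME: <16 hex digits>' pair in the dump."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(report)}


def parse_fault_address(report):
    return int(FAULT_RE.search(report).group(1), 16)


def parse_kasan_range(report):
    lo, hi = RANGE_RE.search(report).groups()
    return int(lo, 16), int(hi, 16)


def shadow_address(addr):
    """Address of the KASAN shadow byte covering addr (what the inline check loads)."""
    return KASAN_SHADOW_OFFSET + (addr >> KASAN_SHADOW_SCALE_SHIFT)


def covered_range(shadow_addr):
    """Inverse of shadow_address: the 8-byte granule one shadow byte describes."""
    base = (shadow_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    return base, base + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1


def is_canonical(addr):
    """x86_64 with 48-bit virtual addresses: bits 63..47 must all be equal."""
    top = addr >> 47
    return top == 0 or top == (1 << 17) - 1


def as_text(value):
    """Little-endian bytes of value if they are printable ASCII (a sign the 'pointer' is string data), else None."""
    raw = value.to_bytes(8, "little").rstrip(b"\0")
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw
    return None


def triage(report, ptr_reg="R15"):
    """Check the shadow arithmetic and classify the pointer that was being dereferenced."""
    regs = parse_regs(report)
    fault = parse_fault_address(report)
    ptr = regs[ptr_reg]
    return {
        "pointer": ptr,
        "pointer_canonical": is_canonical(ptr),
        "fault_is_shadow_of_pointer": shadow_address(ptr) == fault,
        "rax_is_pointer_shifted": regs["RAX"] == ptr >> KASAN_SHADOW_SCALE_SHIFT,
        "r13_is_shadow_offset": regs["R13"] == KASAN_SHADOW_OFFSET,
        "kasan_range_consistent": covered_range(fault) == parse_kasan_range(report),
        "pointer_as_text": as_text(ptr),
    }


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        if isinstance(val, int) and not isinstance(val, bool):
            print(f"{key}: {val:#x}")
        else:
            print(f"{key}: {val!r}")
```

The check that matters for triage is pointer_as_text: when the faulting "pointer" decodes to readable text, the object being freed was never a valid tc_action pointer, which points the investigation at how the tcf_exts was initialised or overwritten rather than at a use-after-free of a real action.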

Crashes (29):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Manager
2020/03/23 09:25 upstream 67d584e33e54 78267cec .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/03/20 05:28 upstream cd607737f3b8 2c31c529 .config console log report syz C ci-upstream-kasan-gce-root
2020/03/19 14:08 upstream 5076190daded 2c31c529 .config console log report syz C ci-upstream-kasan-gce-root
2020/03/10 17:45 upstream 30bb5572ce7a 35f53e45 .config console log report syz C ci-upstream-kasan-gce-386
2020/03/11 05:36 net-old ece0d7bd7461 35f53e45 .config console log report syz C ci-upstream-net-this-kasan-gce
2020/03/29 22:54 linux-next 770fbb32d34e 05736b29 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/03/17 20:30 upstream fb33c6510d55 749688d2 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/10/02 14:29 upstream 472e5b056f00 9602ddf4 .config console log report info ci-upstream-kasan-gce-root
2020/09/16 16:16 upstream fc4f28bb3daf 18d7d030 .config console log report info ci-upstream-kasan-gce
2020/08/27 22:19 upstream 15bc20c6af4c 816e0689 .config console log report ci-upstream-kasan-gce-smack-root
2020/09/29 04:01 upstream fb0155a09b02 1b88c6d5 .config console log report info ci-upstream-kasan-gce-386
2020/09/03 01:12 upstream 9c7d619be5a0 abf9ba4f .config console log report ci-upstream-kasan-gce-386
2020/10/06 18:12 net-old 7575fdda569b 1880b4a9 .config console log report info ci-upstream-net-this-kasan-gce
2020/09/07 17:05 net-old 4ddcaf1ebb5e abf9ba4f .config console log report ci-upstream-net-this-kasan-gce
2020/08/28 01:47 net-old af8ea1111346 816e0689 .config console log report ci-upstream-net-this-kasan-gce
2020/08/22 13:34 net-old 4af7b32f84aa 6436ce4b .config console log report ci-upstream-net-this-kasan-gce
2020/08/17 21:55 net-old b3b2854dcf70 424dd8e7 .config console log report ci-upstream-net-this-kasan-gce
2020/10/10 00:43 net-next-old 036dfd8322be d81b165e .config console log report info ci-upstream-net-kasan-gce
2020/09/25 01:21 net-next-old 3fc826f121d8 54289b08 .config console log report info ci-upstream-net-kasan-gce
2020/09/24 21:54 net-next-old 1a26e88d534b 54289b08 .config console log report info ci-upstream-net-kasan-gce
2020/09/24 20:37 net-next-old 1a26e88d534b 54289b08 .config console log report info ci-upstream-net-kasan-gce
2020/09/24 18:00 net-next-old 1a26e88d534b 54289b08 .config console log report info ci-upstream-net-kasan-gce
2020/09/24 15:02 net-next-old 1a26e88d534b 54289b08 .config console log report info ci-upstream-net-kasan-gce
2020/09/24 10:59 net-next-old 1a26e88d534b 54289b08 .config console log report info ci-upstream-net-kasan-gce
2020/09/05 08:23 net-next-old 44a8c4f33c00 abf9ba4f .config console log report ci-upstream-net-kasan-gce
2020/09/03 05:28 net-next-old d3dfc362e073 abf9ba4f .config console log report ci-upstream-net-kasan-gce
2020/08/28 02:00 net-next-old 50aba46c234e 816e0689 .config console log report ci-upstream-net-kasan-gce
2020/08/17 21:13 net-next-old 7fca4dee610d 424dd8e7 .config console log report ci-upstream-net-kasan-gce
2020/08/01 16:39 linux-next 01830e6c042e d895b3be .config console log report ci-upstream-linux-next-kasan-gce-root