syzbot


general protection fault in smap_list_hash_remove

Status: fixed on 2019/10/04 12:05
Subsystems: bpf
Reported-by: syzbot+b912ba691bb508925d72@syzkaller.appspotmail.com
Fix commit: 99ba2b5aba24 bpf: sockhash, disallow bpf_tcp_close and update in parallel
First crash: 2116d, last: 2097d
Fix bisection: fixed by:
commit 99ba2b5aba24e022683a7db63204f9e306fe7ab9
Author: John Fastabend <john.fastabend@gmail.com>
Date: Thu Jul 5 15:50:04 2018 +0000

  bpf: sockhash, disallow bpf_tcp_close and update in parallel

  
Discussions (3)
Title Replies (including bot) Last reply
Reminder: 36 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/07/03 06:01
Reminder: 30 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/06/24 05:01
general protection fault in smap_list_hash_remove 0 (1) 2018/07/04 15:09

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 4548 Comm: syz-executor136 Not tainted 4.18.0-rc5+ #151
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0x245/0x5020 kernel/locking/lockdep.c:3314
Code: 28 00 00 00 0f 85 03 34 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 c6 35 00 00 49 81 7d 00 60 86 e7 89 0f 84 42 ff 
RSP: 0018:ffff8801b42cf340 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000049 RSI: 0000000000000000 RDI: ffffffff88f1b060
RBP: ffff8801b42cf6d0 R08: 0000000000000001 R09: 0000000000000000
R10: ffffed003b5c46d6 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000248 R14: ffff8801ac826740 R15: 0000000000000000
FS:  00007f315bcaa700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd2f774949 CR3: 00000001d9439000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:315 [inline]
 smap_list_hash_remove+0xa3/0x470 kernel/bpf/sockmap.c:1683
 sock_hash_ctx_update_elem.isra.27+0x1140/0x1690 kernel/bpf/sockmap.c:2384
 sock_hash_update_elem+0x157/0x2f0 kernel/bpf/sockmap.c:2418
 map_update_elem+0x5c4/0xc90 kernel/bpf/syscall.c:765
 __do_sys_bpf kernel/bpf/syscall.c:2296 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2267 [inline]
 __x64_sys_bpf+0x32d/0x510 kernel/bpf/syscall.c:2267
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445c39
Code: e8 bc e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007f315bca9db8 EFLAGS: 00000297 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00000000006dac44 RCX: 0000000000445c39
RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
RBP: 00000000006dac40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000000
R13: 00007ffef4070e6f R14: 00007f315bcaa9c0 R15: 0000000000000007
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace fde189bc816ebac5 ]---
RIP: 0010:__lock_acquire+0x245/0x5020 kernel/locking/lockdep.c:3314
Code: 28 00 00 00 0f 85 03 34 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 c6 35 00 00 49 81 7d 00 60 86 e7 89 0f 84 42 ff 
RSP: 0018:ffff8801b42cf340 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000049 RSI: 0000000000000000 RDI: ffffffff88f1b060
RBP: ffff8801b42cf6d0 R08: 0000000000000001 R09: 0000000000000000
R10: ffffed003b5c46d6 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000248 R14: ffff8801ac826740 R15: 0000000000000000
FS:  00007f315bcaa700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd2f774949 CR3: 00000001d9439000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (52):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/07/17 08:17 upstream 30b06abfb92b 13761366 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/13 23:27 upstream 9d2e34897d8d 92a49505 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/13 03:05 upstream 63f047771621 06c33b3a .config console log report syz C ci-upstream-kasan-gce-root
2018/07/12 06:24 upstream c25c74b7476e 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/12 00:23 upstream c25c74b7476e 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/10 18:46 upstream 092150a25cb7 9fa03fa5 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/09 02:38 upstream ca04b3cca11a f25e5770 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/08 08:23 upstream b2d44d145d2a c9a7a4dc .config console log report syz C ci-upstream-kasan-gce-root
2018/07/08 02:24 upstream 624434af256a ab89aea9 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/07 10:55 upstream 29119529d8de 6c0c0099 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/06 22:22 upstream b4d0562137c9 9636bc93 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/05 18:21 upstream fc36def997cf d3b2a0e2 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/04 20:36 upstream fc36def997cf e1b966c6 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/04 20:02 upstream fc36def997cf e1b966c6 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/04 13:41 upstream fc36def997cf 317fc8ea .config console log report syz C ci-upstream-kasan-gce-root
2018/07/07 11:31 bpf c48424d993fa 6c0c0099 .config console log report syz C ci-upstream-bpf-kasan-gce
2018/07/07 07:51 bpf c48424d993fa 6c0c0099 .config console log report syz C ci-upstream-bpf-kasan-gce
2018/07/07 05:18 bpf c48424d993fa 6c0c0099 .config console log report syz C ci-upstream-bpf-kasan-gce
2018/07/23 06:44 bpf-next 8ae71e76cf1f 8cc079c3 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/22 03:49 bpf-next 8ae71e76cf1f 8cc079c3 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/20 23:11 bpf-next 8ae71e76cf1f af255b09 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/18 03:58 bpf-next dc989d2ce2c2 6d5bd5b5 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/17 01:57 bpf-next 301f935be9e0 40cb0c9a .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/16 03:59 bpf-next 13f7432bdd8e 92a49505 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/16 00:44 bpf-next 13f7432bdd8e 92a49505 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/15 20:28 bpf-next 13f7432bdd8e 92a49505 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/13 23:08 bpf-next 9c48b1d116cd 92a49505 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/13 09:17 bpf-next 6fd066604123 06c33b3a .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/13 05:36 bpf-next 6fd066604123 06c33b3a .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/11 06:23 bpf-next d90c936fb318 2e0e3130 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/10 07:05 bpf-next d90c936fb318 f25e5770 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/09 06:51 bpf-next d90c936fb318 f25e5770 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/08 12:41 bpf-next d90c936fb318 c9a7a4dc .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/08 06:30 bpf-next d90c936fb318 c9a7a4dc .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/08 04:09 bpf-next d90c936fb318 c9a7a4dc .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/07 19:05 bpf-next d90c936fb318 ab89aea9 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/07 10:13 bpf-next d90c936fb318 6c0c0099 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/05 14:08 bpf-next 6fcf9b1d4d6c f525fd72 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/05 08:23 bpf-next 2bdea157b999 f525fd72 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/05 05:12 bpf-next 2bdea157b999 e1b966c6 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/05 02:23 bpf-next 2bdea157b999 e1b966c6 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/05 00:13 bpf-next 2bdea157b999 e1b966c6 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/04 20:11 bpf-next 2bdea157b999 e1b966c6 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/04 16:08 bpf-next 2bdea157b999 317fc8ea .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/04 14:25 bpf-next 2bdea157b999 317fc8ea .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/04 10:30 bpf-next 2bdea157b999 317fc8ea .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/04 10:28 bpf-next 2bdea157b999 317fc8ea .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/09 04:28 linux-next 526674536360 f25e5770 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/08 17:21 linux-next 526674536360 c9a7a4dc .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/08 08:06 linux-next 526674536360 c9a7a4dc .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/07 19:43 linux-next 526674536360 ab89aea9 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/07 10:51 linux-next 526674536360 6c0c0099 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.