syzbot


general protection fault in dev_map_enqueue (2)

Status: upstream: reported C repro on 2024/05/27 00:44
Subsystems: bpf net
Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com
Fix commit: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
Patched on: [ci-upstream-bpf-kasan-gce ci-upstream-linux-next-kasan-gce-root], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 142d, last: 72d
Cause bisection: failed (error log, bisect log)
Fix bisection: fixed by (bisect log):
commit 401cb7dae8130fd34eb84648e02ab4c506df7d5e
Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date: Thu Jun 20 13:22:04 2024 +0000

  net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.

Discussions (5)
Title Replies (including bot) Last reply
[PATCH bpf-next] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap 4 (4) 2024/10/02 08:35
[syzbot] [bpf?] [net?] general protection fault in dev_map_enqueue (2) 2 (6) 2024/09/20 11:18
[syzbot] Monthly bpf report (Aug 2024) 0 (1) 2024/08/14 12:43
[PATCH] bpf: Ensure BPF programs testing skb context initialization 6 (6) 2024/07/17 19:16
[syzbot] Monthly bpf report (Jun 2024) 0 (1) 2024/06/12 22:41
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-6-1 general protection fault in dev_map_enqueue missing-backport C 915 9h54m 199d 0/2 upstream: reported C repro on 2024/03/26 23:53
upstream general protection fault in dev_map_enqueue bpf net C 676 142d 199d 25/28 fixed on 2024/05/22 23:26
linux-6.1 general protection fault in dev_map_enqueue origin:upstream missing-backport C unreliable 101 8d17h 199d 0/3 upstream: reported C repro on 2024/03/26 19:03
Last patch testing requests (3)
Created Duration User Patch Repo Result
2024/07/31 07:12 23m retest repro bpf OK log
2024/07/31 05:16 23m retest repro net OK log
2024/07/08 16:03 23m michal.switala@infogain.com patch bpf OK log

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5089 Comm: syz-executor284 Not tainted 6.10.0-rc2-syzkaller-00242-g36534d3c5453 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:dev_map_enqueue+0x31/0x3e0 kernel/bpf/devmap.c:539
Code: 41 56 41 55 41 54 53 48 83 ec 18 49 89 d4 49 89 f5 48 89 fd 49 be 00 00 00 00 00 fc ff df e8 46 9c d7 ff 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 a0 5e 3d 00 4c 8b 7d 00 48 83 c5
RSP: 0018:ffffc9000334f678 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888015f40000
RDX: 0000000000000000 RSI: ffff888076066070 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff89625806 R09: ffffffff896257c3
R10: 0000000000000004 R11: ffff888015f40000 R12: ffff8880151e8000
R13: ffff888076066070 R14: dffffc0000000000 R15: 0000000000000000
FS:  00005555831b5380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002c80 CR3: 000000001f842000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __xdp_do_redirect_frame net/core/filter.c:4397 [inline]
 xdp_do_redirect_frame+0x2a6/0x660 net/core/filter.c:4451
 xdp_test_run_batch net/bpf/test_run.c:336 [inline]
 bpf_test_run_xdp_live+0xe60/0x1e60 net/bpf/test_run.c:384
 bpf_prog_test_run_xdp+0x80e/0x11b0 net/bpf/test_run.c:1281
 bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4292
 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5706
 __do_sys_bpf kernel/bpf/syscall.c:5795 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5793 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5793
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f453fc37239
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcaa6f1598 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f453fc37239
RDX: 0000000000000050 RSI: 0000000020000240 RDI: 000000000000000a
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dev_map_enqueue+0x31/0x3e0 kernel/bpf/devmap.c:539
Code: 41 56 41 55 41 54 53 48 83 ec 18 49 89 d4 49 89 f5 48 89 fd 49 be 00 00 00 00 00 fc ff df e8 46 9c d7 ff 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 a0 5e 3d 00 4c 8b 7d 00 48 83 c5
RSP: 0018:ffffc9000334f678 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888015f40000
RDX: 0000000000000000 RSI: ffff888076066070 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff89625806 R09: ffffffff896257c3
R10: 0000000000000004 R11: ffff888015f40000 R12: ffff8880151e8000
R13: ffff888076066070 R14: dffffc0000000000 R15: 0000000000000000
FS:  00005555831b5380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002c80 CR3: 000000001f842000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	41 56                	push   %r14
   2:	41 55                	push   %r13
   4:	41 54                	push   %r12
   6:	53                   	push   %rbx
   7:	48 83 ec 18          	sub    $0x18,%rsp
   b:	49 89 d4             	mov    %rdx,%r12
   e:	49 89 f5             	mov    %rsi,%r13
  11:	48 89 fd             	mov    %rdi,%rbp
  14:	49 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%r14
  1b:	fc ff df
  1e:	e8 46 9c d7 ff       	call   0xffd79c69
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 ef             	mov    %rbp,%rdi
  34:	e8 a0 5e 3d 00       	call   0x3d5ed9
  39:	4c 8b 7d 00          	mov    0x0(%rbp),%r15
  3d:	48                   	rex.W
  3e:	83                   	.byte 0x83
  3f:	c5                   	.byte 0xc5

Crashes (336):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/06/24 12:34 bpf 36534d3c5453 edc5149a .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/06/09 11:34 net c44711b78608 82c05ab8 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/16 21:27 upstream 408323581b72 215bec2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in dev_map_enqueue
2024/07/14 01:24 upstream d0d0cd380055 eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in dev_map_enqueue
2024/07/09 00:28 upstream 4376e966ecb7 cde64f7d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in dev_map_enqueue
2024/07/07 16:15 upstream c6653f49e4fd bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in dev_map_enqueue
2024/07/07 01:55 upstream 22f902dfc51e bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in dev_map_enqueue
2024/07/05 09:51 upstream 661e504db04c 2a40360c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in dev_map_enqueue
2024/07/03 22:32 upstream 8a9c6c40432e 409d975c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in dev_map_enqueue
2024/07/03 12:57 upstream e9d22f7a6655 409d975c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in dev_map_enqueue
2024/07/03 11:54 upstream e9d22f7a6655 409d975c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root general protection fault in dev_map_enqueue
2024/07/02 00:45 upstream 73e931504f8e b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in dev_map_enqueue
2024/05/24 20:52 upstream 8f6a15f095a6 8f98448e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in dev_map_enqueue
2024/07/16 17:11 upstream d67978318827 74c18f46 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_enqueue
2024/07/12 00:57 upstream 9d9a2f29aefd 3cf1187a .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_enqueue
2024/07/10 21:38 upstream a19ea421490d c699c2eb .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_enqueue
2024/07/17 04:49 net 0a1868b93fad 215bec2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/17 03:34 net 0a1868b93fad 215bec2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/16 15:00 net 0a1868b93fad b66b37bd .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/15 21:07 net 0a1868b93fad efee4ed2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/14 11:13 bpf 528dd46d0fc3 eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/07/14 07:49 bpf 528dd46d0fc3 eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/07/13 04:46 net 425652d45c31 eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/12 11:12 net 503757c80928 eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/12 04:22 bpf d7c199e77ef2 eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/07/10 16:04 net e1533b6319ab e7213be3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/10 10:36 net e1533b6319ab e7213be3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/09 21:52 bpf f0c180256937 79d68ada .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/07/07 09:09 bpf 0005b2dc43f9 bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/07/07 05:04 bpf 0005b2dc43f9 bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/07/04 18:02 net e367197166a0 dc6bbff0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/04 01:08 net 8eb301bd7b0f 409d975c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/03 06:14 net 8905a2c7d39b 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in dev_map_enqueue
2024/07/02 23:44 bpf 42391445a863 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/07/02 22:04 bpf 42391445a863 8373af66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/05/23 00:37 bpf 4b377b4868ef 4d098039 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in dev_map_enqueue
2024/07/09 07:23 bpf-next 90dc946059b7 bc23a442 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/07/09 05:56 bpf-next 90dc946059b7 bc23a442 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/07/07 23:04 bpf-next fd8db07705c5 bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/07/07 13:23 bpf-next fd8db07705c5 bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/07/05 14:55 bpf-next fd8db07705c5 2a40360c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/07/05 04:05 bpf-next fd8db07705c5 dc6bbff0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/07/05 01:08 bpf-next fd8db07705c5 dc6bbff0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/07/04 04:02 bpf-next fd8db07705c5 409d975c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/07/03 02:19 bpf-next fd8db07705c5 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in dev_map_enqueue
2024/06/24 11:51 net-next 568ebdaba637 edc5149a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in dev_map_enqueue
2024/06/14 22:22 linux-next a957267fa7e9 8d849073 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in dev_map_enqueue
2024/07/03 10:41 upstream e9d22f7a6655 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/12 21:42 upstream 43db1e03c086 eaeb5c15 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm64-mte KASAN: invalid-access Read in dev_map_enqueue
2024/07/14 20:08 net 70c676cb3dfc eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/13 19:05 net 528dd46d0fc3 eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/08 03:10 net 0ec986ed7bab bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/07 11:03 bpf 0005b2dc43f9 bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/06 02:41 net 0c754d9d86ff 2a40360c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/05 06:20 net 0005b2dc43f9 dc6bbff0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/04 23:17 net e367197166a0 dc6bbff0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/03 03:22 bpf 42391445a863 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/09 09:40 bpf-next 90dc946059b7 bc23a442 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/08 16:23 bpf-next a5912c37faf7 cde64f7d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/07 07:22 bpf-next fd8db07705c5 bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/07/06 15:54 bpf-next fd8db07705c5 bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: slab-use-after-free Read in dev_map_enqueue
2024/08/01 00:52 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c912bf709078 1e9c4cf3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in dev_map_enqueue
2024/07/01 09:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8fcad59bb267 b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in dev_map_enqueue
* Struck through repros no longer work on HEAD.