syzbot


BUG: corrupted list in rdma_listen (2)

Status: upstream: reported C repro on 2020/07/30 18:22
Reported-by: syzbot+dbe5efc341bec3342aba@syzkaller.appspotmail.com
First crash: 1364d, last: 604d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (11)
Kernel | Title | Subsystem | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.14 | BUG: corrupted list in rdma_listen | - | - | - | - | 4 | 1496d | 1535d | 0/1 | auto-closed as invalid on 2020/07/18 15:58
upstream | BUG: corrupted list in rdma_listen | rdma | C | - | - | 202 | 1618d | 2197d | 15/26 | fixed on 2020/05/10 10:41
upstream | BUG: corrupted list in rdma_listen (2) | rdma | C | inconclusive | - | 5 | 806d | 872d | 22/26 | fixed on 2023/02/24 13:50
linux-4.19 | BUG: corrupted list in rdma_listen | - | - | - | - | 3 | 1477d | 1511d | 0/1 | auto-closed as invalid on 2020/08/06 14:55
upstream | KASAN: use-after-free Read in rdma_listen (3) | rdma | - | - | - | 1 | 1098d | 1090d | 0/26 | auto-closed as invalid on 2021/08/21 07:04
linux-4.14 | KASAN: use-after-free Read in rdma_listen | - | C | - | - | 1358 | 415d | 1781d | 0/1 | upstream: reported C repro on 2019/06/10 00:44
linux-4.19 | general protection fault in rdma_listen (2) | - | - | - | - | 7 | 1473d | 1493d | 0/1 | auto-closed as invalid on 2020/08/11 01:18
upstream | general protection fault in rdma_listen (2) | rdma | syz | done | - | 104 | 1484d | 1995d | 15/26 | fixed on 2020/05/10 10:41
linux-4.19 | general protection fault in rdma_listen | - | - | - | - | 1 | 1774d | 1774d | 0/1 | auto-closed as invalid on 2019/10/25 08:41
upstream | general protection fault in rdma_listen | rdma | C | - | - | 36 | 2227d | 2239d | 0/26 | closed as dup on 2018/03/22 15:25
linux-4.14 | general protection fault in rdma_listen | - | - | - | - | 7 | 1426d | 1513d | 0/1 | auto-closed as invalid on 2020/09/26 15:09
Last patch testing requests (3)
Created | Duration | User | Patch | Repo | Result
2023/03/06 14:32 | 0m | retest repro | - | linux-4.14.y | error OK
2023/03/06 13:32 | 0m | retest repro | - | linux-4.14.y | error OK
2023/03/06 12:32 | 0m | retest repro | - | linux-4.14.y | error OK
Fix bisection attempts (15)
Created | Duration | User | Patch | Repo | Result
2022/10/13 02:13 | 0m | bisect fix | - | linux-4.14.y | error job log (0)
2022/08/30 08:54 | 25m | bisect fix | - | linux-4.14.y | job log (0) log
2022/07/26 06:06 | 22m | bisect fix | - | linux-4.14.y | job log (0) log
2022/06/26 05:47 | 18m | bisect fix | - | linux-4.14.y | job log (0) log
2022/05/14 02:28 | 23m | bisect fix | - | linux-4.14.y | job log (0) log
2022/04/14 02:00 | 28m | bisect fix | - | linux-4.14.y | job log (0) log
2022/03/04 00:41 | 21m | bisect fix | - | linux-4.14.y | job log (0) log
2022/01/03 11:15 | 25m | bisect fix | - | linux-4.14.y | job log (0) log
2021/11/30 18:28 | 24m | bisect fix | - | linux-4.14.y | job log (0) log
2021/10/31 17:35 | 21m | bisect fix | - | linux-4.14.y | job log (0) log
2021/09/11 22:28 | 20m | bisect fix | - | linux-4.14.y | job log (0) log
2021/08/12 22:02 | 26m | bisect fix | - | linux-4.14.y | job log (0) log
2021/07/13 21:23 | 21m | bisect fix | - | linux-4.14.y | job log (0) log
2021/06/13 16:31 | 23m | bisect fix | - | linux-4.14.y | job log (0) log
2021/05/14 16:02 | 26m | bisect fix | - | linux-4.14.y | job log (0) log

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 8006 Comm: syz-executor332 Not tainted 4.14.281-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b3b36500 task.stack: ffff88808d378000
RIP: 0010:cma_bind_listen drivers/infiniband/core/cma.c:3206 [inline]
RIP: 0010:rdma_listen+0x32b/0x9b0 drivers/infiniband/core/cma.c:3319
RSP: 0018:ffff88808d37fbe8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880b3f9bb40 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000002 RDI: 0000000000000008
RBP: ffff8880b3f9bd54 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880b3b36500 R12: 0000000000000000
R13: 0000000000000400 R14: ffff8880b3f9bd58 R15: 0000000000000008
FS:  00007fc39b19d700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1f3c574000 CR3: 00000000a9240000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ucma_listen+0x10b/0x170 drivers/infiniband/core/ucma.c:1078
 ucma_write+0x206/0x2c0 drivers/infiniband/core/ucma.c:1672
 __vfs_write+0xe4/0x630 fs/read_write.c:480
 vfs_write+0x17f/0x4d0 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xf2/0x210 fs/read_write.c:582
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fc39b20cfb9
RSP: 002b:00007fc39b19d2e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fc39b2964f0 RCX: 00007fc39b20cfb9
RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007fc39b263194 R08: 00007fc39b19d700 R09: 0000000000000000
R10: 00007fc39b19d700 R11: 0000000000000246 R12: 00007fc39b19d2f0
R13: 006d635f616d6472 R14: 00007fc39b2964f8 R15: 0000000000022000
Code: 4c 8b a3 c0 01 00 00 31 f6 48 c7 c7 c0 cb b4 89 e8 5b 93 d5 01 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 92 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 
RIP: cma_bind_listen drivers/infiniband/core/cma.c:3206 [inline] RSP: ffff88808d37fbe8
RIP: rdma_listen+0x32b/0x9b0 drivers/infiniband/core/cma.c:3319 RSP: ffff88808d37fbe8
---[ end trace 85ab7b5b612abf1a ]---

(The console log interleaved the report above with the tail of a second trace, from another thread blocked in futex(); its header is not on the page. Those lines, in their own order:)
 futex_wait_setup+0xb3/0x260 kernel/futex.c:2787
 futex_wait+0x199/0x5a0 kernel/futex.c:2850
 do_futex+0x1d8/0x1570 kernel/futex.c:3906
 SYSC_futex kernel/futex.c:3966 [inline]
 SyS_futex+0x1da/0x290 kernel/futex.c:3934
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fc39b20cfb9
RSP: 002b:00007fc39b13a2e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007fc39b296520 RCX: 00007fc39b20cfb9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fc39b296528
RBP: 00007fc39b263194 R08: 0000000000000032 R09: 0000000000000032
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc39b13a2f0
R13: 006d635f616d6472 R14: 00007fc39b296528 R15: 0000000000000001
----------------
Code disassembly (best guess):
   0:	4c 8b a3 c0 01 00 00 	mov    0x1c0(%rbx),%r12
   7:	31 f6                	xor    %esi,%esi
   9:	48 c7 c7 c0 cb b4 89 	mov    $0xffffffff89b4cbc0,%rdi
  10:	e8 5b 93 d5 01       	callq  0x1d59370
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  24:	48 89 fa             	mov    %rdi,%rdx
  27:	48 c1 ea 03          	shr    $0x3,%rdx
* 2b:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2f:	0f 85 92 05 00 00    	jne    0x5c7
  35:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  3c:	fc ff df
  3f:	4d                   	rex.WRB
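The register dump and the disassembly above are enough to classify this crash without the source: the trapping instruction is the inlined KASAN shadow lookup for %rdi, where %rdi = %r12 + 8 and %r12 (loaded by `mov 0x1c0(%rbx),%r12`) is 0 in the dump, so the kernel is dereferencing offset 8 of a NULL pointer. The shadow address for such a low pointer (0xdffffc0000000001) is non-canonical, which is why the CPU raises #GP rather than a page fault and why KASAN prints the "NULL-ptr deref or user memory access" hint. The C program below is an added triage helper, not code from syzbot or the kernel: it reimplements that shadow computation and canonical-address check (shadow offset and scale taken from the `movabs`/`shr` in the disassembly, matching RAX in the dump), inverts the shadow address to recover the checked pointer, and decodes the two syscall numbers and the ASCII string left in R13. The register lines it parses are copied from the report; which struct sits at 0x1c0(%rbx) is not determined here, since that needs the cma.c source at this exact commit.

```c
/*
 * Added triage helper for the syzbot report above. Not syzbot's or the
 * kernel's code: a simplified re-implementation of the x86-64 KASAN shadow
 * mapping and the canonical-address rule, applied to the register dump.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL /* movabs in the Code: line */
#define KASAN_SHADOW_SCALE_SHIFT 3                     /* shr $0x3,%rdx */
#define USER_VA_LIMIT            0x0000800000000000ULL /* end of the 47-bit user half */

/* Shadow byte the inlined check reads for ADDR (cmpb $0,(%rdx,%rax,1)). */
uint64_t kasan_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: the pointer whose shadow lives at SHADOW. */
uint64_t kasan_unshadow(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* 48-bit VA: bits 63..47 must all be 0 or all be 1, else the access is #GP. */
int is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* 1 if a #GP on SHADOW is explained by a NULL/user pointer being checked,
 * i.e. the same condition behind KASAN's "GPF could be caused by" hint. */
int gpf_is_null_or_user_ptr(uint64_t shadow)
{
    if (shadow < KASAN_SHADOW_OFFSET)
        return 0;
    return kasan_unshadow(shadow) < USER_VA_LIMIT;
}

/* Parse "NAME: <hex>" from a register-dump line (NAME must start a token,
 * so "RAX" does not match inside "ORIG_RAX"). Returns 1 on success. */
int parse_reg(const char *line, const char *name, uint64_t *out)
{
    char key[16];
    const char *p;
    unsigned long long v;

    snprintf(key, sizeof key, "%s: ", name);
    for (p = strstr(line, key); p; p = strstr(p + 1, key))
        if (p == line || p[-1] == ' ')
            break;
    if (!p || sscanf(p + strlen(key), "%llx", &v) != 1)
        return 0;
    *out = v;
    return 1;
}

/* Little-endian bytes of V as text; non-printable bytes become '.'. */
void reg_as_ascii(uint64_t v, char out[9])
{
    for (int i = 0; i < 8; i++) {
        unsigned char c = (v >> (8 * i)) & 0xff;
        out[i] = c == 0 ? '\0' : (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[8] = '\0';
}

/* Only the two x86-64 syscall numbers that appear in the report. */
const char *syscall_name(uint64_t nr)
{
    switch (nr) {
    case 1:   return "write";
    case 202: return "futex";
    default:  return "?";
    }
}

int main(void)
{
    /* Lines copied from the register dump in the report above. */
    const char *k1 = "RAX: dffffc0000000000 RBX: ffff8880b3f9bb40 RCX: 0000000000000000";
    const char *k2 = "RDX: 0000000000000001 RSI: 0000000000000002 RDI: 0000000000000008";
    const char *u1 = "RSP: 002b:00007fc39b19d2e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001";
    const char *u2 = "R13: 006d635f616d6472 R14: 00007fc39b2964f8 R15: 0000000000022000";
    uint64_t rax, rdi, nr, r13, shadow;
    char text[9];

    if (!parse_reg(k1, "RAX", &rax) || !parse_reg(k2, "RDI", &rdi) ||
        !parse_reg(u1, "ORIG_RAX", &nr) || !parse_reg(u2, "R13", &r13))
        return 1;

    shadow = kasan_shadow(rdi);
    printf("checked pointer    : %#llx (%%r12 + 8 with %%r12 == 0)\n", (unsigned long long)rdi);
    printf("shadow address     : %#llx, %s\n", (unsigned long long)shadow,
           is_canonical(shadow) ? "canonical" : "non-canonical -> #GP instead of #PF");
    printf("recovered pointer  : %#llx\n", (unsigned long long)kasan_unshadow(shadow));
    printf("NULL/user pointer? : %s\n", gpf_is_null_or_user_ptr(shadow) ? "yes" : "no");
    printf("RAX == shadow base : %s\n", rax == KASAN_SHADOW_OFFSET ? "yes" : "no");
    printf("entered via syscall: %llu (%s)\n", (unsigned long long)nr, syscall_name(nr));
    reg_as_ascii(r13, text);
    printf("R13 as text        : \"%s\"\n", text);
    return 0;
}
```

The same helper explains the interleaved second trace: its ORIG_RAX of 0xca is futex(2), and R13 holds the same "rdma_cm" string, consistent with a sibling thread of the reproducer working on the rdma_cm device. The canonical check is the reason the report says "general protection fault" while the bug class is a NULL dereference: a real NULL access would page-fault, but the inlined shadow probe for it hits a non-canonical address first.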

Crashes (21):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2022/05/27 05:47 | linux-4.14.y | 501eec4f9e13 | 3037caa9 | .config | console log | report | syz | C | - | - | ci2-linux-4-14 | general protection fault in rdma_listen
2021/04/10 17:10 | linux-4.14.y | 958e517f4e16 | 6a81331a | .config | console log | report | syz | - | - | - | ci2-linux-4-14 | general protection fault in rdma_listen
2021/03/08 04:34 | linux-4.14.y | 1d177c0872ab | 09fbf400 | .config | console log | report | syz | - | - | - | ci2-linux-4-14 | general protection fault in rdma_listen
2021/04/10 01:25 | linux-4.14.y | 0cc244011f40 | 6a81331a | .config | console log | report | - | - | info | - | ci2-linux-4-14 | BUG: corrupted list in rdma_listen
2021/03/21 08:55 | linux-4.14.y | cb83ddcd5332 | 17810eae | .config | console log | report | - | - | info | - | ci2-linux-4-14 | BUG: corrupted list in rdma_listen
2021/02/11 06:25 | linux-4.14.y | 2c8a3fceddf0 | a52ee10a | .config | console log | report | - | - | info | - | ci2-linux-4-14 | BUG: corrupted list in rdma_listen
2021/01/28 05:47 | linux-4.14.y | 2d2791fce891 | a57db36f | .config | console log | report | - | - | info | - | ci2-linux-4-14 | BUG: corrupted list in rdma_listen
2022/07/30 02:48 | linux-4.14.y | b641242202ed | fef302b1 | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2022/05/27 05:15 | linux-4.14.y | 501eec4f9e13 | 3037caa9 | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2022/03/15 01:35 | linux-4.14.y | af48f51cb593 | 9e8eaa75 | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2022/02/02 00:25 | linux-4.14.y | b86ee2b7ae42 | 4ebb2798 | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2022/01/30 18:57 | linux-4.14.y | b86ee2b7ae42 | 495e00c5 | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2021/12/04 11:15 | linux-4.14.y | 66722c42ec91 | a617004c | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2021/09/25 13:24 | linux-4.14.y | 8ea4f73cfa7e | 8cac236e | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2021/04/14 09:48 | linux-4.14.y | 958e517f4e16 | 3134b37f | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2021/03/08 02:53 | linux-4.14.y | 1d177c0872ab | 09fbf400 | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2021/03/05 12:50 | linux-4.14.y | 397a88b2cc86 | 9d751681 | .config | console log | report | - | - | info | - | ci2-linux-4-14 | general protection fault in rdma_listen
2020/11/24 15:57 | linux-4.14.y | 87335852c5d9 | e34b696c | .config | console log | report | - | - | info | - | ci2-linux-4-14 | -
2020/10/08 07:55 | linux-4.14.y | cbfa1702aaf6 | 1880b4a9 | .config | console log | report | - | - | info | - | ci2-linux-4-14 | -
2020/09/10 02:35 | linux-4.14.y | 458a534cac0c | ac7ca78e | .config | console log | report | - | - | - | - | ci2-linux-4-14 | -
2020/07/30 18:21 | linux-4.14.y | e5a54aa2d312 | b0947553 | .config | console log | report | - | - | - | - | ci2-linux-4-14 | -
* Struck through repros no longer work on HEAD.