syzbot


general protection fault in xfrm_user_rcv_msg_compat
Status: fixed on 2022/05/13 11:13
Reported-by: syzbot+5078fc2d7cf37d71de1c@syzkaller.appspotmail.com
Fix commit: 4e9505064f58 net/xfrm/compat: Copy xfrm_spdattr_type_t atributes
First crash: 513d, last: 295d

Cause bisection: introduced by (bisect log) [merge commit]:
commit 0cd7d9795fa82226e7516d38b474bddae8b1ff26
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu Oct 15 22:07:57 2020 +0000

  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/livepatching/livepatching

Crash: SYZFAIL: wrong response packet (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) :
commit 4e9505064f58d1252805952f8547a5b7dbc5c111
Author: Dmitry Safonov <dima@arista.com>
Date: Sat Jul 17 15:02:21 2021 +0000

  net/xfrm/compat: Copy xfrm_spdattr_type_t atributes

similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in xfrm_user_rcv_msg_compat 5346 245d 510d 0/22 auto-closed as invalid on 2021/12/23 18:56

Sample crash report:
general protection fault, probably for non-canonical address 0xe51af2c1f2c7bd20: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x28d7b60f963de900-0x28d7b60f963de907]
CPU: 1 PID: 8357 Comm: syz-executor113 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nla_type include/net/netlink.h:1130 [inline]
RIP: 0010:xfrm_xlate32_attr net/xfrm/xfrm_compat.c:404 [inline]
RIP: 0010:xfrm_xlate32 net/xfrm/xfrm_compat.c:526 [inline]
RIP: 0010:xfrm_user_rcv_msg_compat+0x5e5/0x1070 net/xfrm/xfrm_compat.c:571
Code: 3c 38 00 0f 85 50 08 00 00 48 8b 04 24 4c 8b 20 4d 85 e4 0f 84 0b 02 00 00 e8 b7 7f c9 f9 49 8d 7c 24 02 48 89 f8 48 c1 e8 03 <42> 0f b6 14 38 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc900017ff3d8 EFLAGS: 00010202
RAX: 051af6c1f2c7bd20 RBX: 0000000000000006 RCX: 0000000000000000
RDX: ffff88801ac60000 RSI: ffffffff87a9f019 RDI: 28d7b60f963de902
RBP: ffff888020c9af50 R08: 000000000000001b R09: ffff888020c9af53
R10: ffffffff87a9f259 R11: 0000000000000024 R12: 28d7b60f963de900
R13: 0000000000000007 R14: ffff888020c9af40 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0063) knlGS:0000000009c092c0
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020002752 CR3: 000000002d87a000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 xfrm_user_rcv_msg+0x556/0x8b0 net/xfrm/xfrm_user.c:2774
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2824
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2348
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2402
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2435
 do_syscall_32_irqs_on arch/x86/entry/common.c:77 [inline]
 __do_fast_syscall_32+0x56/0x80 arch/x86/entry/common.c:139
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:164
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f48549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ffca8dbc EFLAGS: 00000282 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020003c80
RDX: 0000000000000000 RSI: 00000000ffca8e10 RDI: 00000000080e3000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 1494ca3373de8f76 ]---
RIP: 0010:nla_type include/net/netlink.h:1130 [inline]
RIP: 0010:xfrm_xlate32_attr net/xfrm/xfrm_compat.c:404 [inline]
RIP: 0010:xfrm_xlate32 net/xfrm/xfrm_compat.c:526 [inline]
RIP: 0010:xfrm_user_rcv_msg_compat+0x5e5/0x1070 net/xfrm/xfrm_compat.c:571
Code: 3c 38 00 0f 85 50 08 00 00 48 8b 04 24 4c 8b 20 4d 85 e4 0f 84 0b 02 00 00 e8 b7 7f c9 f9 49 8d 7c 24 02 48 89 f8 48 c1 e8 03 <42> 0f b6 14 38 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc900017ff3d8 EFLAGS: 00010202
RAX: 051af6c1f2c7bd20 RBX: 0000000000000006 RCX: 0000000000000000
RDX: ffff88801ac60000 RSI: ffffffff87a9f019 RDI: 28d7b60f963de902
RBP: ffff888020c9af50 R08: 000000000000001b R09: ffff888020c9af53
R10: ffffffff87a9f259 R11: 0000000000000024 R12: 28d7b60f963de900
R13: 0000000000000007 R14: ffff888020c9af40 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0063) knlGS:0000000009c092c0
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007efcea642000 CR3: 000000002d87a000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (1543):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-386 2021/02/23 14:46 upstream a99163e9e708 c26fb06b .config log report syz C general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/05 15:22 upstream 251a1524293d 7f7bb950 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/05 14:47 upstream 251a1524293d 7f7bb950 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/05 13:45 upstream 251a1524293d 7f7bb950 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/05 11:51 upstream 251a1524293d 7f7bb950 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/05 10:32 upstream 251a1524293d 7f7bb950 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/05 09:09 upstream 251a1524293d 7f7bb950 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/05 02:18 upstream 251a1524293d b97d64c9 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/04 15:47 upstream d5ad8ec3cfb5 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/04 06:17 upstream d5ad8ec3cfb5 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/04 06:13 upstream d5ad8ec3cfb5 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/08/04 04:16 upstream d5ad8ec3cfb5 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/04 02:15 upstream d5ad8ec3cfb5 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/03 20:55 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/03 19:53 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/03 15:05 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/03 11:48 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/03 10:36 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/03 06:28 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/08/03 03:30 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/02 22:14 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/08/02 16:48 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/02 15:34 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/02 13:54 upstream c500bee1c5b2 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/02 04:21 upstream d4affd6b6e81 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/02 03:09 upstream d4affd6b6e81 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/02 00:05 upstream d4affd6b6e81 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/01 18:25 upstream f3438b4c4e69 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/01 17:02 upstream f3438b4c4e69 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/08/01 15:53 upstream f3438b4c4e69 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/08/01 10:17 upstream f3438b4c4e69 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/08/01 05:58 upstream f3438b4c4e69 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/08/01 05:18 upstream f3438b4c4e69 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/08/01 03:13 upstream f3438b4c4e69 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/31 22:07 upstream c7d102232649 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/07/31 18:52 upstream c7d102232649 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/31 13:45 upstream c7d102232649 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/31 07:02 upstream 764a5bc89b12 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/31 05:06 upstream 764a5bc89b12 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/31 02:22 upstream 764a5bc89b12 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/30 22:42 upstream 764a5bc89b12 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/30 20:53 upstream 764a5bc89b12 6c236867 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/30 11:57 upstream 7e96bf476270 c585c7b0 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-upstream-kasan-gce-386 2021/07/30 04:44 upstream 7e96bf476270 c585c7b0 .config log report info general protection fault in xfrm_user_rcv_msg_compat
ci-qemu-upstream-386 2021/01/17 04:50 upstream 0da0a8a0a0e1 65a7a854 .config log report info
ci-qemu-upstream-386 2021/01/05 02:03 upstream 36bbbd0e234d 2a28ff1f .config log report info
ci-qemu-upstream-386 2021/01/02 00:42 upstream eda809aef534 79264ae3 .config log report info
ci-qemu-upstream-386 2020/12/30 23:28 upstream f6e1ea196492 ecb8c012 .config log report info