syzbot


general protection fault in skb_dequeue (3)

Status: fixed on 2023/06/08 14:41
Subsystems: wireless
[Documentation on labels]
Reported-by: syzbot+a440341a59e3b7142895@syzkaller.appspotmail.com
Fix commit: 33b3b041543e splice: Add a func to do a splice from an O_DIRECT file without ITER_PIPE
First crash: 507d, last: 497d
Cause bisection: introduced by (bisect log) :
commit 920756a3306a35f1c08f25207d375885bef98975
Author: David Howells <dhowells@redhat.com>
Date: Sat Jan 21 12:51:18 2023 +0000

  block: Convert bio_iov_iter_get_pages to use iov_iter_extract_pages

Crash: BUG: Bad rss-counter state (log)
Repro: C syz .config
  
Duplicate bugs (1)
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
kernel BUG in process_one_work net C done 3 498d 501d 0/27 closed as dup on 2023/02/07 15:09
Discussions (6)
Title Replies (including bot) Last reply
[PATCH v14 00/17] iov_iter: Improve page extraction (pin or just list) 48 (48) 2023/02/18 09:25
[PATCH 00/17] smb3: Use iov_iters down to the network transport and fix DIO page pinning 25 (25) 2023/02/17 17:48
[PATCH v13 00/12] iov_iter: Improve page extraction (pin or just list) 35 (35) 2023/02/15 15:56
[PATCH v12 00/10] iov_iter: Improve page extraction (pin or just list) 19 (19) 2023/02/09 10:50
[PATCH 0/2] iomap, splice: Fix DIO/splice_read race memory corruptor and kill off ITER_PIPE 5 (5) 2023/02/07 15:22
[syzbot] general protection fault in skb_dequeue (3) 12 (14) 2023/02/07 12:29
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in skb_dequeue (2) bluetooth C inconclusive done 9 985d 1070d 0/27 auto-closed as invalid on 2022/10/03 17:36
upstream general protection fault in skb_dequeue net 1 1432d 1432d 0/27 auto-closed as invalid on 2020/09/18 07:31
android-54 KASAN: use-after-free Read in skb_dequeue syz 1 1040d 1040d 0/2 auto-obsoleted due to no activity on 2023/04/23 02:47
linux-4.19 KASAN: use-after-free Read in skb_dequeue (2) C done 2 1010d 1040d 1/1 fixed on 2021/10/15 14:38
Last patch testing requests (4)
Created Duration User Patch Repo Result
2023/02/07 11:22 22m dhowells@redhat.com https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/ iov-fixes OK log
2023/02/07 09:58 21m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 4fafd96910ad OK log
2023/02/01 23:39 23m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK log
2023/02/01 11:53 14m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 80bd9028feca report log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 2838 Comm: kworker/u4:6 Not tainted 6.2.0-rc6-next-20230131-syzkaller-09515-g80bd9028feca #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: phy4 ieee80211_iface_work
RIP: 0010:__skb_unlink include/linux/skbuff.h:2321 [inline]
RIP: 0010:__skb_dequeue include/linux/skbuff.h:2337 [inline]
RIP: 0010:skb_dequeue+0xf5/0x180 net/core/skbuff.c:3511
Code: 8d 7e 08 49 8b 5c 24 08 48 b8 00 00 00 00 00 fc ff df 49 c7 44 24 08 00 00 00 00 48 89 fa 49 c7 04 24 00 00 00 00 48 c1 ea 03 <80> 3c 02 00 75 6d 48 89 da 49 89 5e 08 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000ca2fc80 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff8808951d RDI: 0000000000000008
RBP: 0000000000000293 R08: 0000000000000001 R09: 0000000000000003
R10: fffff52001945f7e R11: 0000000000000000 R12: ffff88801d8f63c0
R13: ffff888075675880 R14: 0000000000000000 R15: ffff888075675868
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4a51f6d150 CR3: 0000000072a78000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ieee80211_iface_work+0x369/0xd70 net/mac80211/iface.c:1631
 process_one_work+0x9bf/0x1820 kernel/workqueue.c:2390
 worker_thread+0x669/0x1090 kernel/workqueue.c:2537
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__skb_unlink include/linux/skbuff.h:2321 [inline]
RIP: 0010:__skb_dequeue include/linux/skbuff.h:2337 [inline]
RIP: 0010:skb_dequeue+0xf5/0x180 net/core/skbuff.c:3511
Code: 8d 7e 08 49 8b 5c 24 08 48 b8 00 00 00 00 00 fc ff df 49 c7 44 24 08 00 00 00 00 48 89 fa 49 c7 04 24 00 00 00 00 48 c1 ea 03 <80> 3c 02 00 75 6d 48 89 da 49 89 5e 08 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000ca2fc80 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff8808951d RDI: 0000000000000008
RBP: 0000000000000293 R08: 0000000000000001 R09: 0000000000000003
R10: fffff52001945f7e R11: 0000000000000000 R12: ffff88801d8f63c0
R13: ffff888075675880 R14: 0000000000000000 R15: ffff888075675868
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4a51f6d150 CR3: 0000000072a78000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	8d 7e 08             	lea    0x8(%rsi),%edi
   3:	49 8b 5c 24 08       	mov    0x8(%r12),%rbx
   8:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
   f:	fc ff df
  12:	49 c7 44 24 08 00 00 	movq   $0x0,0x8(%r12)
  19:	00 00
  1b:	48 89 fa             	mov    %rdi,%rdx
  1e:	49 c7 04 24 00 00 00 	movq   $0x0,(%r12)
  25:	00
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	75 6d                	jne    0x9d
  30:	48 89 da             	mov    %rbx,%rdx
  33:	49 89 5e 08          	mov    %rbx,0x8(%r14)
  37:	48                   	rex.W
  38:	b8 00 00 00 00       	mov    $0x0,%eax
  3d:	00 fc                	add    %bh,%ah
  3f:	ff                   	.byte 0xff

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/01/31 18:30 linux-next 80bd9028feca 9dfcf09c .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in skb_dequeue
2023/02/10 21:06 linux-next 38d2b86a665b 95871dcc .config console log report info ci-upstream-linux-next-kasan-gce-root general protection fault in skb_dequeue
2023/02/09 10:30 linux-next 38d2b86a665b 14a312c8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in skb_dequeue
2023/02/08 18:38 linux-next 38d2b86a665b fc9c934e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in skb_dequeue
2023/02/06 09:57 linux-next 129af7708234 be607b78 .config console log report info ci-upstream-linux-next-kasan-gce-root general protection fault in skb_dequeue
2023/02/03 10:12 linux-next 4fafd96910ad 16d19e30 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in skb_dequeue
* Struck through repros no longer work on HEAD.