syzbot


general protection fault in ieee80211_assign_vif_chanctx

Status: fixed on 2022/03/08 16:11
Subsystems: wireless
[Documentation on labels]
Reported-by: syzbot+bbf402b783eeb6d908db@syzkaller.appspotmail.com
Fix commit: 563fbefed46a cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
First crash: 1150d, last: 889d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: general protection fault in ieee80211_chanctx_num_assigned (log)
Repro: C syz .config
  
Discussions (10)
Title Replies (including bot) Last reply
[PATCH 4.19 000/323] 4.19.218-rc1 review 339 (339) 2021/12/04 10:30
[PATCH 4.4 000/162] 4.4.293-rc1 review 168 (168) 2021/11/25 13:11
[PATCH 4.14 000/251] 4.14.256-rc1 review 262 (262) 2021/11/25 13:07
[PATCH 4.9 000/207] 4.9.291-rc1 review 216 (216) 2021/11/25 12:58
[PATCH 5.10 000/154] 5.10.82-rc1 review 167 (167) 2021/11/25 11:43
[PATCH 5.15 000/279] 5.15.5-rc1 review 285 (285) 2021/11/25 11:19
[PATCH 5.4 000/100] 5.4.162-rc1 review 108 (108) 2021/11/25 08:50
[PATCH v2] net:wireless: call cfg80211_stop_ap when switch from P2P_GO type 1 (1) 2021/10/27 17:37
[PATCH] net:wireless: call cfg80211_stop_ap when switch from P2P_GO type 1 (1) 2021/10/27 17:29
general protection fault in ieee80211_assign_vif_chanctx 0 (1) 2021/02/05 23:40
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 general protection fault in ieee80211_assign_vif_chanctx C 3 1263d 1269d 0/2 auto-obsoleted due to no activity on 2023/04/17 01:56
Last patch testing requests (4)
Created Duration User Patch Repo Result
2021/10/27 08:26 19m phind.uet@gmail.com patch upstream OK
2021/10/27 08:19 0m phind.uet@gmail.com patch upstream error OK
2021/10/27 01:03 11m phind.uet@gmail.com upstream report log
2021/10/26 14:57 10m phind.uet@gmail.com linux-next report log
Fix bisection attempts (8)
Created Duration User Patch Repo Result
2021/10/21 14:38 20m bisect fix upstream job log (0) log
2021/09/21 14:11 21m bisect fix upstream job log (0) log
2021/08/22 08:44 21m bisect fix upstream job log (0) log
2021/07/22 21:50 20m bisect fix upstream job log (0) log
2021/06/22 14:47 21m bisect fix upstream job log (0) log
2021/05/23 11:16 21m bisect fix upstream job log (0) log
2021/04/23 09:36 1h39m bisect fix upstream job log (0) log
2021/03/15 20:26 20m bisect fix upstream job log (0) log
Cause bisection attempts (2)
Created Duration User Patch Repo Result
2021/02/23 01:34 3h25m bisect upstream job log (0) log
2021/02/01 23:31 0m bisect upstream error job log (0)

Sample crash report:
general protection fault, probably for non-canonical address 0xfbd59c0000000020: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
CPU: 1 PID: 8395 Comm: syz-executor137 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ieee80211_chanctx_num_assigned net/mac80211/chan.c:22 [inline]
RIP: 0010:ieee80211_assign_vif_chanctx+0x6a7/0xa80 net/mac80211/chan.c:746
Code: f8 48 83 7c 24 08 00 0f 85 91 00 00 00 e9 f2 00 00 00 e8 6c 74 7e f8 49 83 c6 20 31 db 4c 89 f5 0f 1f 00 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 ea 4a c2 f8 48 8b 6d 00 4c 39 f5
RSP: 0018:ffffc9000167f670 EFLAGS: 00010a02
RAX: 1bd5a00000000020 RBX: 0000000000000002 RCX: ffff888020cc1c40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dead000000000100 R08: ffffffff88fa99ba R09: fffffbfff1b6b276
R10: fffffbfff1b6b276 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888013f5e220 R15: ffff88801b86cc00
FS:  0000000001cd3300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6c9d6cc710 CR3: 000000001c8af000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __ieee80211_vif_release_channel+0x279/0x540 net/mac80211/chan.c:1619
 ieee80211_vif_release_channel+0x13e/0x1a0 net/mac80211/chan.c:1833
 ieee80211_ibss_disconnect+0x6ef/0x870 net/mac80211/ibss.c:735
 ieee80211_ibss_leave+0x26/0xf0 net/mac80211/ibss.c:1871
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x11c/0x200 net/wireless/ibss.c:213
 cfg80211_leave_ibss+0x5c/0x70 net/wireless/ibss.c:231
 cfg80211_change_iface+0x46c/0xb40 net/wireless/util.c:1047
 nl80211_set_interface+0x497/0x7f0 net/wireless/nl80211.c:3912
 genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0xe4e/0x1280 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x786/0x940 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x9ae/0xd50 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg net/socket.c:674 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2350
 ___sys_sendmsg net/socket.c:2404 [inline]
 __sys_sendmsg+0x2bf/0x370 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x448179
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd32c7b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000000b608 RCX: 0000000000448179
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007fffd32c7ca8 R09: 00007fffd32c7ca8
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffd32c7b1c
R13: 431bde82d7b634db R14: 00000000004b5018 R15: 00000000004004b8
Modules linked in:
---[ end trace 9283e7dc6160772c ]---
RIP: 0010:ieee80211_chanctx_num_assigned net/mac80211/chan.c:22 [inline]
RIP: 0010:ieee80211_assign_vif_chanctx+0x6a7/0xa80 net/mac80211/chan.c:746
Code: f8 48 83 7c 24 08 00 0f 85 91 00 00 00 e9 f2 00 00 00 e8 6c 74 7e f8 49 83 c6 20 31 db 4c 89 f5 0f 1f 00 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 ea 4a c2 f8 48 8b 6d 00 4c 39 f5
RSP: 0018:ffffc9000167f670 EFLAGS: 00010a02
RAX: 1bd5a00000000020 RBX: 0000000000000002 RCX: ffff888020cc1c40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dead000000000100 R08: ffffffff88fa99ba R09: fffffbfff1b6b276
R10: fffffbfff1b6b276 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888013f5e220 R15: ffff88801b86cc00
FS:  0000000001cd3300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f852003d078 CR3: 000000001c8af000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/03/24 09:35 upstream 7acac4b3196c e613994b .config console log report syz C ci-upstream-kasan-gce-smack-root general protection fault in ieee80211_assign_vif_chanctx
2021/02/13 20:26 upstream c6d8570e4d64 98682e5e .config console log report syz C ci-upstream-kasan-gce-smack-root general protection fault in ieee80211_assign_vif_chanctx
2021/02/03 18:50 upstream 3aaf0a27ffc2 624dad51 .config console log report syz C ci-upstream-kasan-gce-smack-root general protection fault in ieee80211_assign_vif_chanctx
2021/02/01 23:31 upstream 1048ba83fb1c e6b95f32 .config console log report syz C ci-upstream-kasan-gce-smack-root general protection fault in ieee80211_assign_vif_chanctx
* Struck through repros no longer work on HEAD.