syzbot

general protection fault in rdma_listen (2)

Status: fixed on 2020/05/10 10:41
Reported-by: syzbot+6b46b135602a3f3ac99e@syzkaller.appspotmail.com
Fix commit: 7c11910783a1 RDMA/ucma: Put a lock around every call to the rdma_cm layer
First crash: 1482d, last: 970d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: BUG: unable to handle kernel NULL pointer dereference in rdma_listen (log)
Repro: syz .config
similar bugs (5):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | general protection fault in rdma_listen (2) | | | | 7 | 959d | 980d | 0/1 | auto-closed as invalid on 2020/08/11 01:18
linux-4.19 | general protection fault in rdma_listen | | | | 1 | 1261d | 1261d | 0/1 | auto-closed as invalid on 2019/10/25 08:41
upstream | general protection fault in rdma_listen | C | | | 36 | 1714d | 1726d | 0/24 | closed as dup on 2018/03/22 15:25
linux-4.14 | BUG: corrupted list in rdma_listen (2) | C | error | | 21 | 90d | 850d | 0/1 | upstream: reported C repro on 2020/07/30 18:22
linux-4.14 | general protection fault in rdma_listen | | | | 7 | 913d | 999d | 0/1 | auto-closed as invalid on 2020/09/26 15:09

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6506 Comm: syz-executor0 Not tainted 4.20.0-rc2+ #117
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:cma_bind_listen drivers/infiniband/core/cma.c:3355 [inline]
RIP: 0010:rdma_listen+0x357/0x990 drivers/infiniband/core/cma.c:3469
Code: 4c 8b ab c8 01 00 00 31 f6 48 c7 c7 e0 3b db 89 e8 4e e9 25 02 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 64 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
RSP: 0018:ffff8881b79bf970 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8881ae7b35c0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000008
RBP: ffff8881b79bfa10 R08: fffffbfff13b6785 R09: fffffbfff13b6784
R10: ffff8881b79bf960 R11: ffffffff89db3c23 R12: 1ffff11036f37f31
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8881c5ec6800
FS:  00007f93cda84700(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000126cfd0 CR3: 00000001ccd24000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ucma_listen+0x1a4/0x260 drivers/infiniband/core/ucma.c:1100
 ucma_write+0x365/0x460 drivers/infiniband/core/ucma.c:1689
 __vfs_write+0x119/0x9f0 fs/read_write.c:485
 vfs_write+0x1fc/0x560 fs/read_write.c:549
 ksys_write+0x101/0x260 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f93cda83c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000005
RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f93cda846d4
R13: 00000000004c571f R14: 00000000004d9360 R15: 00000000ffffffff
Modules linked in:
---[ end trace e9a895fef682ba60 ]---
RIP: 0010:cma_bind_listen drivers/infiniband/core/cma.c:3355 [inline]
RIP: 0010:rdma_listen+0x357/0x990 drivers/infiniband/core/cma.c:3469
Code: 4c 8b ab c8 01 00 00 31 f6 48 c7 c7 e0 3b db 89 e8 4e e9 25 02 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 64 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
RSP: 0018:ffff8881b79bf970 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8881ae7b35c0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000008
RBP: ffff8881b79bfa10 R08: fffffbfff13b6785 R09: fffffbfff13b6784
R10: ffff8881b79bf960 R11: ffffffff89db3c23 R12: 1ffff11036f37f31
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8881c5ec6800
FS:  00007f93cda84700(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000126cfd0 CR3: 00000001ccd24000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fix bisection attempts:
Manager | Time | Kernel | Commit | Syzkaller | Syz repro
ci-upstream-kasan-gce-smack-root | 2020/01/27 22:04 | upstream | 6a1000bd2703 | b08ee62a | syz
ci-upstream-kasan-gce-selinux-root | 2019/12/18 16:41 | upstream | 2187f215ebaa | f5e275d1 | syz
ci-upstream-kasan-gce | 2019/11/04 20:00 | upstream | da5322e65940 | f5e275d1 | syz
ci-upstream-kasan-gce | 2019/10/05 19:39 | upstream | da5322e65940 | f5e275d1 | syz
ci-upstream-kasan-gce | 2019/08/19 06:55 | upstream | da5322e65940 | f5e275d1 | syz
* Struck through repros no longer work on HEAD.
Crashes (104):
Manager | Time | Kernel | Commit | Syzkaller | Syz repro
ci-upstream-kasan-gce-smack-root | 2018/11/17 12:22 | upstream | 1ce80e0fe98e | b08ee62a | syz
ci-upstream-kasan-gce-selinux-root | 2018/11/16 18:12 | upstream | da5322e65940 | f5e275d1 | syz
ci-upstream-kasan-gce-root | 2018/11/16 18:08 | upstream | da5322e65940 | f5e275d1 | syz
ci-upstream-kasan-gce | 2018/11/16 17:43 | upstream | da5322e65940 | f5e275d1 | syz
ci-upstream-kasan-gce-386 | 2018/11/16 18:15 | upstream | da5322e65940 | f5e275d1 | syz
ci-upstream-linux-next-kasan-gce-root | 2020/03/11 05:32 | linux-next | 770fbb32d34e | 35f53e45 | syz
ci-upstream-linux-next-kasan-gce-root | 2018/11/16 18:10 | linux-next | 442b8cea2477 | f5e275d1 | syz
ci-upstream-kasan-gce-root | 2020/04/02 02:15 | upstream | 1a323ea5356e | a34e2c33 |
ci-upstream-kasan-gce-selinux-root | 2020/03/05 06:46 | upstream | 63623fd44972 | c88c7b75 |
ci-upstream-kasan-gce-selinux-root | 2020/03/01 03:06 | upstream | 63623fd44972 | c88c7b75 |
ci-upstream-kasan-gce-smack-root | 2020/02/29 14:18 | upstream | f8788d86ab28 | 59b57593 |
ci-upstream-kasan-gce-selinux-root | 2020/02/25 06:24 | upstream | f8788d86ab28 | 59b57593 |
ci-upstream-kasan-gce-selinux-root | 2020/02/14 20:11 | upstream | b19e8c684703 | 5d7b90f1 |
ci-upstream-kasan-gce | 2019/08/26 05:13 | upstream | a55aa89aab90 | d21c5d9d |
ci-upstream-kasan-gce-root | 2019/04/04 18:38 | upstream | 145f47c7381d | 6a475fff |
ci-upstream-kasan-gce | 2019/03/27 19:59 | upstream | 14c741de9386 | 4e668495 |
ci-upstream-kasan-gce | 2019/03/15 11:43 | upstream | f261c4e529da | bab43553 |
ci-upstream-kasan-gce-smack-root | 2019/03/12 20:55 | upstream | ea295481b6e3 | a71bfb62 |
ci-upstream-kasan-gce-smack-root | 2019/02/28 23:15 | upstream | 7d762d69145a | 09aeeba4 |
ci-upstream-kasan-gce-selinux-root | 2019/02/20 16:12 | upstream | 40e196a906d9 | c95f0707 |
ci-upstream-kasan-gce | 2019/02/17 10:54 | upstream | 64c0133eb88a | f42dee6d |
ci-upstream-kasan-gce-root | 2019/02/16 18:57 | upstream | 5ded5871030e | f42dee6d |
ci-upstream-kasan-gce | 2019/02/16 07:43 | upstream | 5ded5871030e | f42dee6d |
ci-upstream-kasan-gce | 2019/02/14 01:44 | upstream | 1f947a7a011f | 0a49c954 |
ci-upstream-kasan-gce | 2019/02/13 10:09 | upstream | 57902dc0670c | 1eedba36 |
ci-upstream-kasan-gce | 2019/02/13 08:41 | upstream | 57902dc0670c | 1eedba36 |
ci-upstream-kasan-gce | 2019/02/11 17:21 | upstream | d13937116f1e | 73f5f452 |
ci-upstream-kasan-gce-smack-root | 2019/02/10 10:41 | upstream | e8b50608f666 | b4f792e4 |
ci-upstream-kasan-gce | 2019/02/06 05:39 | upstream | 8834f5600cf3 | d672172c |
ci-upstream-kasan-gce | 2019/02/03 17:57 | upstream | 12491ed354d2 | c198d5dd |
ci-upstream-kasan-gce-root | 2019/02/02 17:37 | upstream | cd984a5be215 | c198d5dd |
ci-upstream-kasan-gce-smack-root | 2019/02/01 03:19 | upstream | 9f789567142c | 0e8ea0a3 |
ci-upstream-kasan-gce-root | 2019/01/31 17:24 | upstream | af0c9af1b3f6 | 0e8ea0a3 |
ci-upstream-kasan-gce-root | 2019/01/29 18:26 | upstream | 4aa9fc2a435a | aa432daf |
ci-upstream-kasan-gce-smack-root | 2018/11/07 04:21 | upstream | 8053e5b93eca | 8bd6bd63 |
ci-upstream-kasan-gce-386 | 2020/03/04 19:52 | upstream | 63623fd44972 | c88c7b75 |
ci-upstream-kasan-gce-386 | 2020/02/27 00:06 | upstream | f8788d86ab28 | 59b57593 |
ci-upstream-kasan-gce-386 | 2019/09/05 19:18 | upstream | 3b47fd5ca9ea | 040fda58 |
ci-upstream-kasan-gce-386 | 2019/04/04 08:56 | upstream | 8ed86627f715 | d6fc4177 |
ci-upstream-kasan-gce-386 | 2019/04/01 15:20 | upstream | 79a3aaa7b82e | ccf2355a |
ci-upstream-kasan-gce-386 | 2019/03/29 03:40 | upstream | 8c7ae38d1ce1 | 14c58f8d |
ci-upstream-kasan-gce-386 | 2019/03/26 06:31 | upstream | 8c2ffd917477 | 55684ce1 |
ci-upstream-kasan-gce-386 | 2019/02/25 17:56 | upstream | 5908e6b738e3 | a70141bf |
ci-upstream-kasan-gce-386 | 2019/02/25 05:10 | upstream | c3619a482e15 | 7a06e792 |
ci-upstream-kasan-gce-386 | 2019/02/21 18:49 | upstream | f6163d67cc31 | 3133098b |
ci-upstream-kasan-gce-386 | 2019/02/16 17:49 | upstream | 5ded5871030e | f42dee6d |
ci-upstream-kasan-gce-386 | 2019/02/11 05:12 | upstream | df3865f8f568 | b4f792e4 |
ci-upstream-kasan-gce-386 | 2019/02/10 05:06 | upstream | e8b50608f666 | b4f792e4 |
ci-upstream-kasan-gce-386 | 2019/02/07 22:35 | upstream | b0314565da2b | aa4feb03 |
ci-upstream-kasan-gce-386 | 2019/02/05 13:00 | upstream | 8834f5600cf3 | d672172c |
ci-upstream-kasan-gce-386 | 2019/02/05 06:15 | upstream | 8834f5600cf3 | d672172c |
ci-upstream-kasan-gce-386 | 2019/02/03 07:18 | upstream | 12491ed354d2 | c198d5dd |
ci-upstream-kasan-gce-386 | 2019/01/29 23:42 | upstream | 4aa9fc2a435a | aa432daf |
ci-upstream-linux-next-kasan-gce-root | 2020/03/16 14:57 | linux-next | 770fbb32d34e | 749688d2 |
ci-upstream-linux-next-kasan-gce-root | 2019/02/06 02:03 | linux-next | 1ff540338564 | d672172c |
ci-upstream-linux-next-kasan-gce-root | 2019/02/02 22:23 | linux-next | dc4c89997735 | c198d5dd |