syzbot


general protection fault in tcp_splice_read

Status: fixed on 2019/11/09 22:22
Subsystems: net
[Documentation on labels]
Fix commit: 07603b230895 net/smc: propagate file from SMC to TCP socket
First crash: 1987d, last: 1877d
Cause bisection: introduced by (bisect log) :
commit 5692dbb56e6012c0755614ee64fe4c221f357e7a
Author: Simon Horman <simon.horman@netronome.com>
Date: Wed Mar 8 16:57:08 2017 +0000

  nfp: prevent theoretical buffer overrun in nfp_eth_read_ports

Crash: KASAN: use-after-free Write in ida_get_new_above (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) :
commit 07603b230895a74ebb1e2a1231ac45c29c2a8cd3
Author: Ursula Braun <ubraun@linux.ibm.com>
Date: Thu Apr 11 09:17:32 2019 +0000

  net/smc: propagate file from SMC to TCP socket

  
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in tcp_splice_read C error 11 864d 1652d 0/1 upstream: reported C repro on 2019/11/20 18:48
linux-4.14 general protection fault in tcp_splice_read C 167 455d 1402d 0/1 upstream: reported C repro on 2020/07/26 21:05

Sample crash report:
audit: type=1400 audit(1545405296.644:35): avc:  denied  { map } for  pid=6180 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1545405303.574:36): avc:  denied  { map } for  pid=6194 comm="syz-executor089" path="/root/syz-executor089589930" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6194 Comm: syz-executor089 Not tainted 4.20.0-rc7+ #161
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_splice_read+0x1fd/0xf90 net/ipv4/tcp.c:799
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 52 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 6d 18 49 8d 7d 78 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e e5 0a 00 00 45 8b 6d 78 31 ff
RSP: 0018:ffff8881ce667a58 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8881ce667bb0 RCX: 1ffff11035bc9176
RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078
RBP: ffff8881ce667bd8 R08: ffff8881ade48bb0 R09: 0000000000000006
R10: 0000000000000000 R11: ffff8881ade482c0 R12: ffff8881ce63cc00
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8881ce667d58
FS:  0000000001fd5880(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 00000001d15ff000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 smc_splice_read+0x265/0x380 net/smc/af_smc.c:1852
 sock_splice_read+0xba/0x110 net/socket.c:858
 do_splice_to+0x12e/0x190 fs/splice.c:880
 do_splice+0x1014/0x1430 fs/splice.c:1178
 __do_sys_splice fs/splice.c:1419 [inline]
 __se_sys_splice fs/splice.c:1399 [inline]
 __x64_sys_splice+0x2c1/0x330 fs/splice.c:1399
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcdb8f1bd8 EFLAGS: 00000216 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00000000006ca018 R08: 0000000000010009 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace ac2a2bcf0280e1df ]---
RIP: 0010:tcp_splice_read+0x1fd/0xf90 net/ipv4/tcp.c:799
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 52 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 6d 18 49 8d 7d 78 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e e5 0a 00 00 45 8b 6d 78 31 ff
RSP: 0018:ffff8881ce667a58 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8881ce667bb0 RCX: 1ffff11035bc9176
RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078
RBP: ffff8881ce667bd8 R08: ffff8881ade48bb0 R09: 0000000000000006
R10: 0000000000000000 R11: ffff8881ade482c0 R12: ffff8881ce63cc00
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8881ce667d58
FS:  0000000001fd5880(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 00000001d15ff000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (23):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/12/21 15:17 upstream 9097a058d49e 588075e6 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2018/12/20 20:35 upstream 1d51b4b1d3f2 aaf59e84 .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/12/20 19:58 upstream 1d51b4b1d3f2 aaf59e84 .config console log report syz C ci-upstream-kasan-gce-root
2018/12/20 19:28 upstream 1d51b4b1d3f2 aaf59e84 .config console log report syz C ci-upstream-kasan-gce
2018/12/20 20:20 upstream 1d51b4b1d3f2 aaf59e84 .config console log report syz C ci-upstream-kasan-gce-386
2018/12/20 17:21 net-old d84e7bc0595a aaf59e84 .config console log report syz C ci-upstream-net-this-kasan-gce
2018/12/21 03:46 net-next-old 962ad710f7d6 2b497001 .config console log report syz C ci-upstream-net-kasan-gce
2018/12/26 13:56 linux-next 6a1d293238c1 8a41a0ad .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/04/08 05:19 upstream 3b0468914708 c34fde03 .config console log report ci-upstream-kasan-gce
2019/04/02 16:50 upstream 5e7a8ca31926 dfd3394d .config console log report ci-upstream-kasan-gce-smack-root
2019/03/21 01:57 upstream babf09c3837f a664c187 .config console log report ci-upstream-kasan-gce
2019/01/23 06:58 upstream 787a3b432276 b1ff06b2 .config console log report ci-upstream-kasan-gce-selinux-root
2019/04/06 11:57 net-old 7f46774c6480 c34fde03 .config console log report ci-upstream-net-this-kasan-gce
2019/03/10 20:17 net-old 69b51bbb03f7 12365b99 .config console log report ci-upstream-net-this-kasan-gce
2019/01/31 15:39 net-old 3aa9179b2dfe 0e8ea0a3 .config console log report ci-upstream-net-this-kasan-gce
2019/01/19 10:06 net-old 8a7fa0c35027 2103a236 .config console log report ci-upstream-net-this-kasan-gce
2019/01/06 05:57 net-old d4a7e9bb74b5 53be0a37 .config console log report ci-upstream-net-this-kasan-gce
2018/12/20 16:05 net-old d84e7bc0595a aaf59e84 .config console log report ci-upstream-net-this-kasan-gce
2019/03/23 02:32 net-next-old 1d965c4def07 3361bde5 .config console log report ci-upstream-net-kasan-gce
2019/03/15 02:42 net-next-old 3b319ee220a8 d72db19b .config console log report ci-upstream-net-kasan-gce
2019/02/04 03:33 net-next-old 9fb20801dab4 c198d5dd .config console log report ci-upstream-net-kasan-gce
2019/01/17 22:57 net-next-old 44543f1dd2a3 769e75ed .config console log report ci-upstream-net-kasan-gce
2019/04/09 01:34 linux-next ac5b84a1ffe9 0dfb0452 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.