syzbot


general protection fault in rb_erase (2)

Status: fixed on 2019/08/27 17:15
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+e8c40862180d8949d624@syzkaller.appspotmail.com
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1911d, last: 1704d
Cause bisection: introduced by (bisect log) :
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config
  
Discussions (3)
Title Replies (including bot) Last reply
Reminder: 36 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/07/03 06:01
Reminder: 30 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/06/24 05:01
general protection fault in rb_erase (2) 0 (3) 2019/06/06 09:21
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 general protection fault in rb_erase C error 34042 1292d 1813d 0/1 upstream: reported C repro on 2019/04/11 11:41
upstream general protection fault in rb_erase (3) kernfs 1 1360d 1356d 0/26 auto-closed as invalid on 2020/09/05 07:17
upstream general protection fault in rb_erase integrity lsm C 79836 1970d 2010d 11/26 fixed on 2018/11/12 21:25

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12754 Comm: syz-executor.2 Not tainted 5.3.0-rc2 #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:____rb_erase_color lib/rbtree.c:262 [inline]
RIP: 0010:rb_erase+0x2ec/0x1c10 lib/rbtree.c:445
Code: 84 f3 01 00 00 49 8d 7d 08 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 01 0f 00 00 4d 8b 75 08 4d 85 f6 74 1b 4c 89 f0 48 c1 e8 03 <80> 3c 18 00 0f 85 d6 0c 00 00 41 f6 06 01 0f 84 41 09 00 00 4d 85
RSP: 0018:ffff8880ae809d50 EFLAGS: 00010003
RAX: 063f66976b9d1f68 RBX: dffffc0000000000 RCX: 1ffff11015d04dc9
RDX: ffffed1015d04dc8 RSI: ffff8880ae826e40 RDI: ffffffff862ba6fd
RBP: ffff8880ae809d98 R08: ffff8880ae8276c8 R09: ffff88807a73fac8
R10: fffffbfff134adef R11: ffffffff89a56f7f R12: ffff8880ae8276c0
R13: ffffffff862ba6f5 R14: 31fb34bb5ce8fb46 R15: f981e8c689c389ff
FS:  000055555711f940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe788eeebc CR3: 000000009b351000 CR4: 00000000001406f0
Call Trace:
 <IRQ>
 timerqueue_del+0x86/0x150 lib/timerqueue.c:74
 __remove_hrtimer+0xa8/0x1c0 kernel/time/hrtimer.c:974
 __run_hrtimer kernel/time/hrtimer.c:1371 [inline]
 __hrtimer_run_queues+0x2b8/0xe40 kernel/time/hrtimer.c:1451
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1068 [inline]
 smp_apic_timer_interrupt+0x160/0x610 arch/x86/kernel/apic/apic.c:1093
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:828
 </IRQ>
Modules linked in:
---[ end trace 24350ae9a4f9ba9e ]---
RIP: 0010:____rb_erase_color lib/rbtree.c:262 [inline]
RIP: 0010:rb_erase+0x2ec/0x1c10 lib/rbtree.c:445
Code: 84 f3 01 00 00 49 8d 7d 08 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 01 0f 00 00 4d 8b 75 08 4d 85 f6 74 1b 4c 89 f0 48 c1 e8 03 <80> 3c 18 00 0f 85 d6 0c 00 00 41 f6 06 01 0f 84 41 09 00 00 4d 85
RSP: 0018:ffff8880ae809d50 EFLAGS: 00010003
RAX: 063f66976b9d1f68 RBX: dffffc0000000000 RCX: 1ffff11015d04dc9
RDX: ffffed1015d04dc8 RSI: ffff8880ae826e40 RDI: ffffffff862ba6fd
RBP: ffff8880ae809d98 R08: ffff8880ae8276c8 R09: ffff88807a73fac8
R10: fffffbfff134adef R11: ffffffff89a56f7f R12: ffff8880ae8276c0
R13: ffffffff862ba6f5 R14: 31fb34bb5ce8fb46 R15: f981e8c689c389ff
FS:  000055555711f940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe788eeebc CR3: 000000009b351000 CR4: 00000000001406f0

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/07/29 14:52 upstream 609488bc979f c85e1c5b .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/06/06 03:58 upstream 156c05917e09 a547defc .config console log report syz ci-upstream-kasan-gce-root
2019/01/03 02:19 upstream 85f78456f286 06a2b89f .config console log report ci-upstream-kasan-gce-root
2019/01/03 00:25 upstream 85f78456f286 06a2b89f .config console log report ci-upstream-kasan-gce-selinux-root
* Struck through repros no longer work on HEAD.