syzbot

 sign-in | mailing list | source | docs
🐞 Open [979] Subsystems 🐞 Fixed [5216] 🐞 Invalid [12474] Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in kcm_sendmsg

Status: fixed on 2021/11/10 00:50
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+65badd5e74ec62cb67dc@syzkaller.appspotmail.com
Fix commit: a47c397bb29f revert "net: kcm: fix memory leak in kcm_sendmsg"
First crash: 1050d, last: 1025d
Cause bisection: introduced by (bisect log) :
commit f9006acc8dfe59e25aa75729728ac57a8d84fc32
Author: Florian Westphal <fw@strlen.de>
Date: Wed Apr 21 07:51:08 2021 +0000

  netfilter: arp_tables: pass table pointer via nf_hook_ops

Crash: WARNING in __nf_unregister_net_hook (log)
Repro: C syz .config
  
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] general protection fault in kcm_sendmsg 2 (3) 2021/06/08 10:16
[PATCH] revert "net: kcm: fix memory leak in kcm_sendmsg" 3 (3) 2021/06/07 20:40

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 1 PID: 8417 Comm: syz-executor813 Not tainted 5.13.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_end_pointer include/linux/skbuff.h:1419 [inline]
RIP: 0010:skb_has_frag_list include/linux/skbuff.h:3566 [inline]
RIP: 0010:kcm_sendmsg+0xdd7/0x2240 net/kcm/kcmsock.c:1069
Code: fb 05 0f 84 25 0b 00 00 e8 56 52 48 f9 48 8b 44 24 18 4c 8d a8 c8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 5d 11 00 00 48 8b 44 24 18 48 8d a8 c4 00 00 00
RSP: 0018:ffffc90000fbfa70 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000019 RSI: ffffffff882bbf0a RDI: 0000000000000003
RBP: ffff888035a8596a R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff882bc26b R11: 0000000000000000 R12: 00000000fffffe00
R13: 00000000000000c8 R14: ffff88803abaaa80 R15: ffff888035a853c0
FS:  00000000013f0300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6150acfab4 CR3: 00000000233cc000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sock_write_iter+0x289/0x3c0 net/socket.c:1001
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x796/0xa30 fs/read_write.c:605
 ksys_write+0x1ee/0x250 fs/read_write.c:658
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43fc29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe42684be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043fc29
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000000 R08: 00007ffe42684d88 R09: 00007ffe42684d88
R10: 00007ffe42684d88 R11: 0000000000000246 R12: 00000000004034b0
R13: 431bde82d7b634db R14: 00000000004ad018 R15: 0000000000400488
Modules linked in:
---[ end trace 89bff05d4272a26f ]---
RIP: 0010:skb_end_pointer include/linux/skbuff.h:1419 [inline]
RIP: 0010:skb_has_frag_list include/linux/skbuff.h:3566 [inline]
RIP: 0010:kcm_sendmsg+0xdd7/0x2240 net/kcm/kcmsock.c:1069
Code: fb 05 0f 84 25 0b 00 00 e8 56 52 48 f9 48 8b 44 24 18 4c 8d a8 c8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 5d 11 00 00 48 8b 44 24 18 48 8d a8 c4 00 00 00
RSP: 0018:ffffc90000fbfa70 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000019 RSI: ffffffff882bbf0a RDI: 0000000000000003
RBP: ffff888035a8596a R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff882bc26b R11: 0000000000000000 R12: 00000000fffffe00
R13: 00000000000000c8 R14: ffff88803abaaa80 R15: ffff888035a853c0
FS:  00000000013f0300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000013f02c0 CR3: 00000000233cc000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (7957):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/06/06 02:10 upstream 9d32fa5d74b1 500c2339 .config console log report syz C ci-upstream-kasan-gce-selinux-root general protection fault in kcm_sendmsg
2021/06/04 08:56 bpf 1a8024239dac 0740de69 .config console log report syz C ci-upstream-bpf-kasan-gce general protection fault in kcm_sendmsg
2021/06/19 17:00 upstream b1edae0d5f2e aba2b2fb .config console log report info ci-upstream-kasan-gce-smack-root general protection fault in kcm_sendmsg
2021/06/19 16:51 upstream b1edae0d5f2e aba2b2fb .config console log report info ci-upstream-kasan-gce-root general protection fault in kcm_sendmsg
2021/06/18 01:04 upstream 70585216fe77 aba2b2fb .config console log report info ci-upstream-kasan-gce-selinux-root general protection fault in kcm_sendmsg
2021/06/15 09:28 upstream 009c9aa5be65 1ba81399 .config console log report info ci-upstream-kasan-gce general protection fault in kcm_sendmsg
2021/06/15 05:49 upstream 009c9aa5be65 1ba81399 .config console log report info ci-qemu-upstream general protection fault in kcm_sendmsg
2021/06/18 10:41 upstream fd0aa1a4567d aba2b2fb .config console log report info ci-upstream-kasan-gce-386 general protection fault in kcm_sendmsg
2021/06/15 06:36 upstream 009c9aa5be65 1ba81399 .config console log report info ci-qemu-upstream-386 general protection fault in kcm_sendmsg
2021/06/15 09:26 bpf 973377ffe814 1ba81399 .config console log report info ci-upstream-bpf-kasan-gce general protection fault in kcm_sendmsg
2021/06/06 18:45 net-old 3822d0670c9d 500c2339 .config console log report info ci-upstream-net-this-kasan-gce general protection fault in kcm_sendmsg
2021/06/04 07:41 bpf 1a8024239dac 0740de69 .config console log report info ci-upstream-bpf-kasan-gce general protection fault in kcm_sendmsg
2021/06/29 00:53 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 23:50 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 23:16 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 22:11 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 21:05 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 20:19 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 18:52 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 18:32 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 17:32 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 16:24 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 15:24 bpf-next 328aac5ecd11 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 13:20 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 12:48 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 11:44 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 10:39 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 09:20 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 09:08 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 07:56 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 06:51 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 05:34 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 05:32 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 04:24 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 03:09 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 01:39 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/28 00:55 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 23:46 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 22:39 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 21:49 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 20:41 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 19:28 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 18:47 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 17:41 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 16:38 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 15:46 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 14:46 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 13:43 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 13:03 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 11:53 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 10:35 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 09:17 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 08:10 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 07:06 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/27 06:42 bpf-next a196fa78a265 9d2ab5df .config console log report info ci-upstream-bpf-next-kasan-gce general protection fault in kcm_sendmsg
2021/06/17 19:34 net-next-old 0c33795231bf aba2b2fb .config console log report info ci-upstream-net-kasan-gce general protection fault in kcm_sendmsg
2021/06/19 08:25 upstream b1edae0d5f2e aba2b2fb .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in kcm_sendmsg
2021/06/19 08:00 upstream b1edae0d5f2e aba2b2fb .config console log report info ci-qemu2-arm64 BUG: unable to handle kernel paging request in kcm_sendmsg
2021/06/14 22:53 bpf 11fc79fc9f2e 1ba81399 .config console log report info ci-upstream-bpf-kasan-gce KASAN: use-after-free Read in kcm_sendmsg
* Struck through repros no longer work on HEAD.