syzbot

 sign-in | mailing list | source | docs
🐞 Open [1164] 🐞 Fixed [4299] 🐞 Invalid [9645] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

general protection fault in sock_close

Status: fixed on 2022/05/26 00:19
Reported-by: syzbot+e24baf53dc389927a7c3@syzkaller.appspotmail.com
Fix commit: 77f4689de17c fix regression in "epoll: Keep a reference on files added to the check list"
First crash: 883d, last: 883d

Cause bisection: introduced by (bisect log) :
commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
Author: Marc Zyngier <maz@kernel.org>
Date: Wed Aug 19 16:12:17 2020 +0000

  epoll: Keep a reference on files added to the check list

Crash: BUG: unable to handle kernel NULL pointer dereference in __sock_release (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) [no-op commit]:
commit 4b04e0decd2518e54e3f371abf3d883b3198663d
Author: Sumanth Korikkar <sumanthk@linux.ibm.com>
Date: Mon Aug 17 07:27:54 2020 +0000

  perf test: Fix basic bpf filtering test

similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 general protection fault in sock_close syz 13 871d 883d 0/2 upstream: reported syz repro on 2020/08/27 19:06

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 10799 Comm: syz-executor.0 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__sock_release net/socket.c:596 [inline]
RIP: 0010:sock_close+0xc5/0x260 net/socket.c:1277
Code: fc ff df 41 80 3c 04 00 74 08 4c 89 ff e8 e3 cf 49 fb 49 8b 1f 48 83 c3 10 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 bd cf 49 fb 4c 89 f7 ff 13 49 8d 5e
RSP: 0018:ffffc90008c0fe10 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001
RBP: ffffffff88b9ad58 R08: dffffc0000000000 R09: ffffed10102ae0df
R10: ffffed10102ae0df R11: 0000000000000000 R12: 1ffff110102ae0ac
R13: ffff8880815706e0 R14: ffff888081570540 R15: ffff888081570560
FS:  00007fca8527d700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000009e6da000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __fput+0x34f/0x7b0 fs/file_table.c:281
 task_work_run+0x137/0x1c0 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:140 [inline]
 exit_to_user_mode_prepare+0xfa/0x1b0 kernel/entry/common.c:167
 syscall_exit_to_user_mode+0x5e/0x1a0 kernel/entry/common.c:242
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fca8527cc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000005
RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffc398ecebf R14: 00007fca8527d9c0 R15: 000000000118cf4c
Modules linked in:
---[ end trace ab5a9dad69a71650 ]---
RIP: 0010:__sock_release net/socket.c:596 [inline]
RIP: 0010:sock_close+0xc5/0x260 net/socket.c:1277
Code: fc ff df 41 80 3c 04 00 74 08 4c 89 ff e8 e3 cf 49 fb 49 8b 1f 48 83 c3 10 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 bd cf 49 fb 4c 89 f7 ff 13 49 8d 5e
RSP: 0018:ffffc90008c0fe10 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001
RBP: ffffffff88b9ad58 R08: dffffc0000000000 R09: ffffed10102ae0df
R10: ffffed10102ae0df R11: 0000000000000000 R12: 1ffff110102ae0ac
R13: ffff8880815706e0 R14: ffff888081570540 R15: ffff888081570560
FS:  00007fca8527d700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f62fc03b028 CR3: 000000009e6da000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-smack-root 2020/08/28 06:37 upstream 15bc20c6af4c 816e0689 .config console log report syz
ci-upstream-kasan-gce-smack-root 2020/08/27 19:38 upstream 15bc20c6af4c 816e0689 .config console log report syz
* Struck through repros no longer work on HEAD.