syzbot


general protection fault in drop_sysctl_table (2)

Status: auto-closed as invalid on 2022/02/04 05:07
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 395d, last: 395d
Similar bugs (3):

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | general protection fault in drop_sysctl_table | | | | 1 | 516d | 516d | 0/1 | auto-closed as invalid on 2021/11/05 12:30 |
| linux-4.14 | general protection fault in drop_sysctl_table | | | | 1 | 591d | 591d | 0/1 | auto-closed as invalid on 2021/08/22 12:55 |
| upstream | general protection fault in drop_sysctl_table | | | | 1 | 806d | 806d | 0/24 | auto-closed as invalid on 2020/12/19 16:03 |

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 14975 Comm: kworker/u4:58 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline]
RIP: 0010:____rb_erase_color lib/rbtree.c:255 [inline]
RIP: 0010:rb_erase+0x494/0x1210 lib/rbtree.c:445
Code: ef 48 89 14 24 e8 ec 51 c9 fd 48 8b 14 24 e9 f2 fe ff ff 4c 89 e8 49 89 ee 4c 89 6d 08 48 c1 e8 03 49 89 6c 24 10 49 83 ce 01 <80> 3c 18 00 0f 85 b9 09 00 00 48 89 e8 4d 89 75 00 48 c1 e8 03 80
RSP: 0018:ffffc9001fa87770 EFLAGS: 00010286
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffffed100e24a78a RSI: ffff8880001021b0 RDI: ffff8880001020e0
RBP: ffff888000102170 R08: 0000000000000001 R09: 0000000000000003
R10: fffff52003f50eea R11: 0000000000000000 R12: ffff8880001020d0
R13: 0000000000000000 R14: ffff888000102171 R15: ffff888071253c50
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020007038 CR3: 00000000351b5000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 erase_entry fs/proc/proc_sysctl.c:180 [inline]
 erase_header fs/proc/proc_sysctl.c:209 [inline]
 start_unregistering fs/proc/proc_sysctl.c:300 [inline]
 drop_sysctl_table+0x233/0x4e0 fs/proc/proc_sysctl.c:1643
 unregister_sysctl_table fs/proc/proc_sysctl.c:1685 [inline]
 unregister_sysctl_table+0xc0/0x190 fs/proc/proc_sysctl.c:1660
 neigh_sysctl_unregister+0x5b/0x80 net/core/neighbour.c:3810
 devinet_sysctl_unregister net/ipv4/devinet.c:2633 [inline]
 inetdev_destroy net/ipv4/devinet.c:326 [inline]
 inetdev_event+0xd01/0x15d0 net/ipv4/devinet.c:1600
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2002
 call_netdevice_notifiers_extack net/core/dev.c:2014 [inline]
 call_netdevice_notifiers net/core/dev.c:2028 [inline]
 unregister_netdevice_many+0x94f/0x1790 net/core/dev.c:11074
 ip6gre_exit_batch_net+0x4a7/0x760 net/ipv6/ip6_gre.c:1629
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:593
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
Modules linked in:
---[ end trace 18698554b7ccaf00 ]---
RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline]
RIP: 0010:____rb_erase_color lib/rbtree.c:255 [inline]
RIP: 0010:rb_erase+0x494/0x1210 lib/rbtree.c:445
Code: ef 48 89 14 24 e8 ec 51 c9 fd 48 8b 14 24 e9 f2 fe ff ff 4c 89 e8 49 89 ee 4c 89 6d 08 48 c1 e8 03 49 89 6c 24 10 49 83 ce 01 <80> 3c 18 00 0f 85 b9 09 00 00 48 89 e8 4d 89 75 00 48 c1 e8 03 80
RSP: 0018:ffffc9001fa87770 EFLAGS: 00010286
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffffed100e24a78a RSI: ffff8880001021b0 RDI: ffff8880001020e0
RBP: ffff888000102170 R08: 0000000000000001 R09: 0000000000000003
R10: fffff52003f50eea R11: 0000000000000000 R12: ffff8880001020d0
R13: 0000000000000000 R14: ffff888000102171 R15: ffff888071253c50
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020007038 CR3: 00000000351b5000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:	ef                   	out    %eax,(%dx)
   1:	48 89 14 24          	mov    %rdx,(%rsp)
   5:	e8 ec 51 c9 fd       	callq  0xfdc951f6
   a:	48 8b 14 24          	mov    (%rsp),%rdx
   e:	e9 f2 fe ff ff       	jmpq   0xffffff05
  13:	4c 89 e8             	mov    %r13,%rax
  16:	49 89 ee             	mov    %rbp,%r14
  19:	4c 89 6d 08          	mov    %r13,0x8(%rbp)
  1d:	48 c1 e8 03          	shr    $0x3,%rax
  21:	49 89 6c 24 10       	mov    %rbp,0x10(%r12)
  26:	49 83 ce 01          	or     $0x1,%r14
* 2a:	80 3c 18 00          	cmpb   $0x0,(%rax,%rbx,1) <-- trapping instruction
  2e:	0f 85 b9 09 00 00    	jne    0x9ed
  34:	48 89 e8             	mov    %rbp,%rax
  37:	4d 89 75 00          	mov    %r14,0x0(%r13)
  3b:	48 c1 e8 03          	shr    $0x3,%rax
  3f:	80                   	.byte 0x80

Crashes (1):

| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-kasan-gce-root | 2021/11/06 05:05 | upstream | d4439a1189f9 | 4c1be0be | .config | log | report | | | info | general protection fault in drop_sysctl_table |