syzbot


general protection fault in bpf_skb_ancestor_cgroup_id
Status: fixed on 2022/03/08 16:11
Reported-by: syzbot+664b58e9a40fbb2cec71@syzkaller.appspotmail.com
Fix commit: 435b08ec0094 bpf, test, cgroup: Use sk_{alloc,free} for test cases
First crash: 255d, last: 235d

Cause bisection: introduced by (bisect log) [no-op commit]:
commit 39257da0e04e5cdb1e4a3ca715dc3d949fe8b059
Author: Quentin Perret <qperret@google.com>
Date: Mon Aug 9 15:24:40 2021 +0000

  KVM: arm64: Expose host stage-2 manipulation helpers

Crash: BUG: sleeping function called from invalid context in lock_sock_nested (log)
Repro: C syz .config
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 general protection fault in bpf_skb_ancestor_cgroup_id C 5845 1d02h 867d 0/2 upstream: reported C repro on 2020/01/11 04:44
Patch testing requests:
Created Duration User Patch Repo Result
2021/09/23 10:13 11m daniel@iogearbox.net git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git pr/bpf-cgroup-test4 OK
2021/09/21 14:48 10m daniel@iogearbox.net git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git pr/bpf-cgroup-test3 OK
2021/09/21 06:28 10m daniel@iogearbox.net git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git pr/bpf-cgroup-test3 OK
2021/09/20 22:20 10m daniel@iogearbox.net git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git pr/bpf-cgroup-test2 report log
2021/09/17 22:28 10m daniel@iogearbox.net git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git pr/bpf-cgroup-test OK

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000024: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127]
CPU: 0 PID: 8406 Comm: syz-executor074 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:cgroup_ancestor include/linux/cgroup.h:593 [inline]
RIP: 0010:__bpf_sk_ancestor_cgroup_id net/core/filter.c:4494 [inline]
RIP: 0010:____bpf_skb_ancestor_cgroup_id net/core/filter.c:4504 [inline]
RIP: 0010:bpf_skb_ancestor_cgroup_id+0x152/0x300 net/core/filter.c:4501
Code: 03 80 3c 02 00 0f 85 9f 01 00 00 48 8b 9b 58 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 20 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 48 01 00 00 8b ab 20 01 00 00
RSP: 0018:ffffc9000101f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000024 RSI: ffffffff87291cee RDI: 0000000000000120
RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000007
R10: ffffffff87291cd1 R11: 000000000000001f R12: fffffffffffffe00
R13: 00000000fffffe00 R14: ffffc9000101fc30 R15: ffffc90000e48048
FS:  0000000001234300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000200 CR3: 000000007193e000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bpf_prog_dcdd7aeecda69f3f+0x54/0x690
 bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline]
 __bpf_prog_run include/linux/filter.h:624 [inline]
 bpf_prog_run include/linux/filter.h:631 [inline]
 bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119
 bpf_prog_test_run_skb+0xac5/0x1d20 net/bpf/test_run.c:657
 bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]
 __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605
 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f059
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc82a88608 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f059
RDX: 0000000000000040 RSI: 0000000020000280 RDI: 000000000000000a
RBP: 0000000000403040 R08: 0000000000000000 R09: 0000000000400488
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030d0
R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
Modules linked in:
---[ end trace 55d65f18b4ef47bb ]---
RIP: 0010:cgroup_ancestor include/linux/cgroup.h:593 [inline]
RIP: 0010:__bpf_sk_ancestor_cgroup_id net/core/filter.c:4494 [inline]
RIP: 0010:____bpf_skb_ancestor_cgroup_id net/core/filter.c:4504 [inline]
RIP: 0010:bpf_skb_ancestor_cgroup_id+0x152/0x300 net/core/filter.c:4501
Code: 03 80 3c 02 00 0f 85 9f 01 00 00 48 8b 9b 58 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 20 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 48 01 00 00 8b ab 20 01 00 00
RSP: 0018:ffffc9000101f828 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000024 RSI: ffffffff87291cee RDI: 0000000000000120
RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000007
R10: ffffffff87291cd1 R11: 000000000000001f R12: fffffffffffffe00
R13: 00000000fffffe00 R14: ffffc9000101fc30 R15: ffffc90000e48048
FS:  0000000001234300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb37a158740 CR3: 000000007193e000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	03 80 3c 02 00 0f    	add    0xf00023c(%rax),%eax
   6:	85 9f 01 00 00 48    	test   %ebx,0x48000001(%rdi)
   c:	8b 9b 58 04 00 00    	mov    0x458(%rbx),%ebx
  12:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  19:	fc ff df
  1c:	48 8d bb 20 01 00 00 	lea    0x120(%rbx),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e 48 01 00 00    	jle    0x182
  3a:	8b ab 20 01 00 00    	mov    0x120(%rbx),%ebp

Crashes (232):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-bpf-kasan-gce 2021/09/14 17:12 bpf 2865ba82476a 07e953c1 .config log report syz C general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-smack-root 2021/09/29 22:59 upstream 02d5e016800d be530f6c .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-smack-root 2021/09/28 21:17 upstream d33bec7b3dfa d82cb927 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-root 2021/09/28 11:29 upstream 0513e464f900 78494d16 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-root 2021/09/28 05:24 upstream 0513e464f900 78494d16 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-smack-root 2021/09/23 14:48 upstream 58e2cf5d7946 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-root 2021/09/23 07:53 upstream cf1d2c3e7e2f 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-root 2021/09/22 22:04 upstream cf1d2c3e7e2f 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-root 2021/09/22 21:44 upstream cf1d2c3e7e2f 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-root 2021/09/22 11:22 upstream 92477dd1faa6 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-root 2021/09/22 03:30 upstream 92477dd1faa6 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-selinux-root 2021/09/21 16:33 upstream d9fb678414c0 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-smack-root 2021/09/21 16:25 upstream d9fb678414c0 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-kasan-gce-root 2021/09/21 12:23 upstream d9fb678414c0 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-kasan-gce 2021/09/26 01:32 bpf a3debf177f21 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-kasan-gce 2021/09/22 13:13 bpf bc23f7244817 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-this-kasan-gce 2021/09/17 03:12 net fc0c0548c1a2 5b989942 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-kasan-gce 2021/09/14 13:55 bpf 2865ba82476a 58d09404 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-next-kasan-gce 2021/10/04 00:23 bpf-next d636c8da2d60 db0f5787 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-next-kasan-gce 2021/10/03 20:30 bpf-next d636c8da2d60 db0f5787 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-next-kasan-gce 2021/10/01 15:34 bpf-next 6bbc7103738f cc80db95 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/30 22:34 net-next 69508d43334e 1d849ab4 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-next-kasan-gce 2021/09/30 18:06 bpf-next 161ecd537948 be530f6c .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/30 06:50 net-next ef91abfb20c7 be530f6c .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/29 09:59 net-next b69c99463d41 d82cb927 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/29 05:21 net-next b69c99463d41 d82cb927 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-next-kasan-gce 2021/09/28 21:13 bpf-next 29eef85be2f6 d82cb927 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/28 00:14 net-next b69c99463d41 78494d16 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/27 21:58 net-next b69c99463d41 78494d16 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/27 06:19 net-next d59bdda85eb7 78494d16 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/26 23:16 net-next d59bdda85eb7 78494d16 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/26 15:41 net-next d59bdda85eb7 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/26 08:57 net-next 24aa160d5375 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/26 05:36 net-next 24aa160d5375 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/26 02:41 net-next 24aa160d5375 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/25 22:42 net-next 24aa160d5375 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/25 18:11 net-next 24aa160d5375 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/25 11:29 net-next acde891c243c 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/25 06:39 net-next acde891c243c 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/25 05:35 net-next acde891c243c 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/24 00:12 net-next 68a81bb2eebd 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/23 21:09 net-next 68a81bb2eebd 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/23 07:47 net-next 428168f99517 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/23 06:35 net-next 428168f99517 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/23 05:25 net-next 428168f99517 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/22 18:13 net-next 428168f99517 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/22 16:52 net-next 428168f99517 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/22 09:13 net-next 07b855628c22 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/21 19:32 net-next bea714581a31 169724fe .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-net-kasan-gce 2021/09/21 09:47 net-next 85c698863c15 af796c18 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-bpf-next-kasan-gce 2021/09/21 07:17 bpf-next 97c140d94e2e af796c18 .config log report info general protection fault in bpf_skb_ancestor_cgroup_id
ci-upstream-linux-next-kasan-gce-root 2021/09/23 08:55 linux-next bc5aa70f2699 8cac236e .config log report info general protection fault in bpf_skb_ancestor_cgroup_id