syzbot


general protection fault in xsk_recvmsg

Status: fixed on 2021/03/10 01:48
Subsystems: bpf net
Reported-by: syzbot+b974d32294d1dffbea36@syzkaller.appspotmail.com
Fix commit: 3546b9b8eced xsk: Validate socket state in xsk_recvmsg, prior touching socket members
First crash: 1203 days before this page was generated (2020/12/01 in the crash table below), last: 1190 days (2020/12/15)
Cause bisection: introduced by (bisect log):
commit dcd479e10a0510522a5d88b29b8f79ea3467d501
Author: Johannes Berg <johannes.berg@intel.com>
Date: Fri Oct 9 12:17:11 2020 +0000

  mac80211: always wind down STA state

Crash seen during bisection: BUG: sleeping function called from invalid context in sta_info_move_state (log)
Note: that crash has a different signature from this report, and the fix commit is in net/xdp rather than mac80211, so this cause-bisection result is spurious and should not be used to date the bug.
Repro: C repro, syz repro, .config
Fix bisection: fixed by (bisect log) [no-op commit]:
commit fcb48454c23c5679d1a2e252f127642e91b05cbe
Author: Russell Currey <ruscur@russell.cc>
Date: Tue Nov 17 05:59:11 2020 +0000

  selftests/powerpc: rfi_flush: disable entry flush if present

Note: a no-op result means the bisection landed on an unrelated commit (a powerpc selftest change cannot fix an AF_XDP crash); the actual fix is the xsk commit listed above.
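The fix commit's title, "Validate socket state in xsk_recvmsg, prior touching socket members", describes an ordering bug: recvmsg() read a member that only exists once the socket is bound before it checked whether the socket was bound, and on a freshly created, never-bound AF_XDP socket that member is NULL. The crash report below shows exactly that shape (RBX = 0 as the base pointer, a load at RBX + 0x228). The following is an added userspace model of the broken and fixed orderings, written for this page; it is not kernel code, the model_* names are mine, and the field offsets and the exact member the crashed tree touched first are not reproduced (a pool pointer with a 32-bit flags word is used as a stand-in). In the real kernel the state read is a READ_ONCE() paired with smp_rmb(), and bind() publishes the members before setting the state behind an smp_wmb(), which is why checking the state first is sufficient.

```c
/*
 * Added example, not kernel code and not from the syzbot page: a userspace
 * model of the check-ordering bug described by the fix commit's title.
 * All model_* names are mine; kernel layouts are not reproduced.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_WAKEUP_RX 1u

/* Bound-only state: allocated and published by a successful bind(). */
struct model_pool {
    unsigned int need_wakeup;       /* bit set when the driver wants a wakeup call */
};

struct model_netdev_ops {
    int (*ndo_xsk_wakeup)(void);    /* NULL if the driver has no AF_XDP wakeup */
};

struct model_net_device {
    const struct model_netdev_ops *netdev_ops;
};

enum model_xsk_state { MODEL_XSK_READY = 0, MODEL_XSK_BOUND, MODEL_XSK_UNBOUND };

struct model_xdp_sock {
    enum model_xsk_state state;
    struct model_net_device *dev;   /* NULL unless state == BOUND */
    struct model_pool *pool;        /* NULL unless state == BOUND */
};

/* bind() publishes dev and pool, then the state; readers must check state first. */
static void model_bind(struct model_xdp_sock *xs, struct model_net_device *dev,
                       struct model_pool *pool)
{
    xs->dev = dev;
    xs->pool = pool;
    /* The kernel has an smp_wmb() here so a reader that sees BOUND also sees dev/pool. */
    xs->state = MODEL_XSK_BOUND;
}

static bool model_xsk_is_bound(const struct model_xdp_sock *xs)
{
    return xs->state == MODEL_XSK_BOUND;    /* kernel: READ_ONCE() then smp_rmb() */
}

/*
 * Broken order: touches a bound-only member, then checks the state. On a
 * socket that was never bound the pointer is NULL, so this faults exactly
 * like the report (NULL base, load at a small offset). Never call it on an
 * unbound socket; in userspace it segfaults just as the kernel oopsed.
 */
static int model_recvmsg_before(struct model_xdp_sock *xs)
{
    bool wake = xs->pool->need_wakeup & MODEL_WAKEUP_RX;    /* NULL deref if unbound */

    if (!model_xsk_is_bound(xs))
        return -ENXIO;
    if (!xs->dev->netdev_ops->ndo_xsk_wakeup)
        return -ENXIO;
    return wake ? xs->dev->netdev_ops->ndo_xsk_wakeup() : 0;
}

/* Fixed order: validate the socket state first, touch bound-only members after. */
static int model_recvmsg_after(struct model_xdp_sock *xs)
{
    if (!model_xsk_is_bound(xs))
        return -ENXIO;
    if (!xs->dev->netdev_ops->ndo_xsk_wakeup)
        return -ENXIO;
    if (xs->pool->need_wakeup & MODEL_WAKEUP_RX)
        return xs->dev->netdev_ops->ndo_xsk_wakeup();
    return 0;
}

/* Constructed driver callback: counts deliveries so the wakeup path is observable. */
static int wakeups;
static int model_ndo_xsk_wakeup(void) { wakeups++; return 0; }
static int model_wakeup_count(void) { return wakeups; }

/* socket() without bind(): dev and pool are NULL. Only the fixed order is safe here. */
static int model_run_unbound_fixed(void)
{
    struct model_xdp_sock fresh = { .state = MODEL_XSK_READY };
    return model_recvmsg_after(&fresh);
}

/* Bound socket: both orders agree, which is why the bug only shows on unbound sockets. */
static int model_run_bound(bool fixed_order, bool driver_has_wakeup, bool pool_wants_wakeup)
{
    const struct model_netdev_ops ops = {
        .ndo_xsk_wakeup = driver_has_wakeup ? model_ndo_xsk_wakeup : NULL,
    };
    struct model_net_device dev = { .netdev_ops = &ops };
    struct model_pool pool = { .need_wakeup = pool_wants_wakeup ? MODEL_WAKEUP_RX : 0 };
    struct model_xdp_sock xs = { .state = MODEL_XSK_READY };

    model_bind(&xs, &dev, &pool);
    return fixed_order ? model_recvmsg_after(&xs) : model_recvmsg_before(&xs);
}

int main(void)
{
    printf("unbound socket, fixed order: %d (-ENXIO is %d)\n",
           model_run_unbound_fixed(), -ENXIO);
    printf("bound socket, fixed/broken order: %d %d, wakeups delivered: %d\n",
           model_run_bound(true, true, true), model_run_bound(false, true, true),
           model_wakeup_count());
    return 0;
}
```

The broken order is only ever exercised on a bound socket in this program; the reproducer syzbot found is the other path, a recvmsg() on a socket that was never bound, which the fixed order turns into -ENXIO instead of a NULL dereference.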
Discussions (1)
Title | Replies (including bot) | Last reply
general protection fault in xsk_recvmsg | 2 (3) | 2021/01/15 13:50

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000045: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000228-0x000000000000022f]
CPU: 1 PID: 8481 Comm: syz-executor119 Not tainted 5.10.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:xsk_recvmsg+0x79/0x5e0 net/xdp/xsk.c:563
Code: 03 80 3c 02 00 0f 85 00 05 00 00 48 8b 9d c8 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 28 02 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 9c 04 00 00 8b 9b 28 02 00 00
RSP: 0018:ffffc9000165fae0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000040000000
RDX: 0000000000000045 RSI: ffffffff88a6a995 RDI: 0000000000000228
RBP: ffff88801a140000 R08: 0000000040000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000040000000
R13: 0000000040000000 R14: ffffc9000165fe98 R15: 0000000000000000
FS:  00000000007fd880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020004880 CR3: 000000001f1bd000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sock_recvmsg_nosec net/socket.c:885 [inline]
 sock_recvmsg net/socket.c:903 [inline]
 sock_recvmsg net/socket.c:899 [inline]
 ____sys_recvmsg+0x2c4/0x600 net/socket.c:2576
 ___sys_recvmsg+0x127/0x200 net/socket.c:2618
 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2654
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440269
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdbb92b6c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
RDX: 0000000040000000 RSI: 0000000020004880 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a70
R13: 0000000000401b00 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 184efc29c05fd9c5 ]---
RIP: 0010:xsk_recvmsg+0x79/0x5e0 net/xdp/xsk.c:563
Code: 03 80 3c 02 00 0f 85 00 05 00 00 48 8b 9d c8 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 28 02 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 9c 04 00 00 8b 9b 28 02 00 00
RSP: 0018:ffffc9000165fae0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000040000000
RDX: 0000000000000045 RSI: ffffffff88a6a995 RDI: 0000000000000228
RBP: ffff88801a140000 R08: 0000000040000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000040000000
R13: 0000000040000000 R14: ffffc9000165fe98 R15: 0000000000000000
FS:  00000000007fd880(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f66a803d058 CR3: 000000001f1bd000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
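The first two lines of the report are the key to reading it. The "non-canonical address" 0xdffffc0000000045 is not the address the code wanted; it is the KASAN shadow byte for that address. The registers show the instrumented access directly: RAX holds the x86_64 shadow offset 0xdffffc0000000000, RDI the intended address 0x228, RDX its shadow index 0x228 >> 3 = 0x45, and RBX, the base pointer the offset was added to, is 0; the bytes after RIP, `0f b6 04 02`, are `movzbl (%rdx,%rax,1),%eax`, the shadow-byte load. The kernel's GPF handler inverts that arithmetic to print the second line. The block below is an added example written for this page, not kernel code and not part of the syzbot report: it re-creates that inversion and the three classification buckets so the same decoding can be applied to other shadow-address GPFs. Constants are the x86_64 KASAN defaults; function names are mine, and the oops header line used as input is the one quoted above.

```c
/*
 * Added example, not from the syzbot page or the kernel: recovers the real
 * access address from a KASAN shadow-address #GP, mirroring the arithmetic
 * behind "KASAN: null-ptr-deref in range [0x...228-0x...22f]".
 * Constants are x86_64 KASAN defaults; function names are mine.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL  /* x86_64 KASAN_SHADOW_OFFSET */
#define KASAN_SHADOW_SCALE_SHIFT 3                       /* one shadow byte per 8 bytes */
#define KASAN_SHADOW_SCALE_SIZE  (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define X86_PAGE_SIZE            4096ULL
#define X86_TASK_SIZE_MAX        ((1ULL << 47) - X86_PAGE_SIZE)
#define NOT_A_SHADOW_ADDR        UINT64_MAX

/* Forward map emitted by the compiler: RAX = offset, RDX = addr >> 3 in the Code bytes. */
static uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* x86_64 addresses are canonical when bits 63..47 all match; others raise #GP, not #PF. */
static int x86_is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/*
 * Inverse map: first byte of the 8-byte granule whose shadow byte was read.
 * Returns NOT_A_SHADOW_ADDR when the fault cannot be a shadow lookup
 * (canonical address, or below the shadow offset).
 */
static uint64_t shadow_to_orig(uint64_t fault_addr)
{
    if (x86_is_canonical(fault_addr) || fault_addr < KASAN_SHADOW_OFFSET)
        return NOT_A_SHADOW_ADDR;
    return (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Last byte of that granule, the upper bound KASAN prints in "in range [a-b]". */
static uint64_t granule_end(uint64_t orig)
{
    return orig + KASAN_SHADOW_SCALE_SIZE - 1;
}

/* The three buckets KASAN uses to label a non-canonical fault. */
static const char *classify_orig(uint64_t orig)
{
    if (orig < X86_PAGE_SIZE)
        return "null-ptr-deref";
    if (orig < X86_TASK_SIZE_MAX)
        return "probably user-memory-access";
    return "maybe wild-memory-access";
}

/* Pull the address out of the oops header; returns 0 if the line is not that header. */
static uint64_t parse_gpf_addr(const char *line)
{
    static const char prefix[] =
        "general protection fault, probably for non-canonical address 0x";
    unsigned long long v;

    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return 0;
    if (sscanf(line + sizeof(prefix) - 1, "%llx", &v) != 1)
        return 0;
    return (uint64_t)v;
}

int main(void)
{
    /* Constructed input: the first line of the sample crash report above. */
    const char *line = "general protection fault, probably for non-canonical "
                       "address 0xdffffc0000000045: 0000 [#1] PREEMPT SMP KASAN";
    uint64_t fault = parse_gpf_addr(line);
    uint64_t orig = shadow_to_orig(fault);

    if (orig == NOT_A_SHADOW_ADDR) {
        printf("0x%016llx is not a KASAN shadow address\n", (unsigned long long)fault);
        return 1;
    }
    printf("KASAN: %s in range [0x%016llx-0x%016llx]\n", classify_orig(orig),
           (unsigned long long)orig, (unsigned long long)granule_end(orig));
    return 0;
}
```

Two practical notes. First, the decoded address is the offset of the member being read, here 0x228, so a triager can match it against `pahole` output for the candidate struct in that exact .config rather than guessing. Second, CR2 in the report (0x20004880) is a canonical user address left over from an earlier fault and is unrelated to this #GP; the decoder deliberately refuses to treat it as a shadow address.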

Crashes (1800 total; the 49 rows below are the ones listed on this page; only the first two have reproducers):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2020/12/01 17:24 bpf-next df5422851559 07bfe8a5 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2020/12/01 19:20 linux-next 0eedceafd3a6 07bfe8a5 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/12/15 04:17 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/15 03:13 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/15 01:07 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/15 00:03 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 23:00 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 21:51 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 20:38 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 19:32 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 18:20 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 17:13 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 16:09 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 15:37 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 12:51 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 10:40 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 09:38 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 09:06 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 08:03 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 06:41 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 05:12 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 05:11 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 03:31 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 02:18 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/14 01:06 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 23:53 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 23:24 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 22:04 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 20:55 net-next-old 13458ffe0a95 b22a7ec3 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 19:39 net-next-old 13458ffe0a95 bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 18:38 net-next-old 13458ffe0a95 bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 17:30 net-next-old 13458ffe0a95 bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 16:18 net-next-old 13458ffe0a95 bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 16:08 net-next-old 13458ffe0a95 bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 14:15 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 12:55 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 11:54 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 10:50 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 10:16 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 09:03 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 07:38 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 06:20 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 05:44 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 04:36 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 03:36 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/13 02:01 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/09 04:07 bpf-next 2f4b03195fe8 a7f7f4a4 .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/10 12:26 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/01 13:17 linux-next 0eedceafd3a6 b3a34598 .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.