syzbot


general protection fault in tcp_create_openreq_child

Status: internal: reported C repro on 2022/04/23 04:10
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: ba5a4fdd63ae tcp: make sure treq->af_specific is initialized
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 67d, last: 64d

Cause bisection: introduced by (bisect log) [merge commit]:
commit 182966e1cd74ec0e326cd376de241803ee79741b
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed Mar 23 21:51:35 2022 +0000

  Merge tag 'media/v5.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Crash: SYZFAIL: wrong response packet (log)
Repro: C syz .config

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 3609 Comm: syz-executor999 Not tainted 5.18.0-rc3-syzkaller-00225-g165e3e17fe8f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_create_openreq_child+0xe16/0x16b0 net/ipv4/tcp_minisocks.c:534
Code: 48 c1 ea 03 80 3c 02 00 0f 85 e5 07 00 00 4c 8b b3 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7e 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c9 07 00 00 48 8b 3c 24 48 89 de 41 ff 56 08 48
RSP: 0018:ffffc90000de05a8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880246f6000 RCX: 0000000000000100
RDX: 0000000000000001 RSI: ffffffff87d67ff0 RDI: 0000000000000008
RBP: ffff888071902e78 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff87d67f00 R11: 0000000000000000 R12: ffff888071902640
R13: ffff888023621268 R14: 0000000000000000 R15: 0000000000000000
FS:  0000555556ff2300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd996797b8 CR3: 000000007f551000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 tcp_v6_syn_recv_sock+0x199/0x23b0 net/ipv6/tcp_ipv6.c:1267
 tcp_get_cookie_sock+0xc9/0x850 net/ipv4/syncookies.c:207
 cookie_v6_check+0x15c3/0x2340 net/ipv6/syncookies.c:258
 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1131 [inline]
 tcp_v6_do_rcv+0x1148/0x13b0 net/ipv6/tcp_ipv6.c:1486
 tcp_v6_rcv+0x3305/0x3840 net/ipv6/tcp_ipv6.c:1725
 ip6_protocol_deliver_rcu+0x2e9/0x1900 net/ipv6/ip6_input.c:422
 ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:464
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:473
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ipv6_rcv+0x27f/0x3b0 net/ipv6/ip6_input.c:297
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5405
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5519
 process_backlog+0x3a0/0x7c0 net/core/dev.c:5847
 __napi_poll+0xb3/0x6e0 net/core/dev.c:6413
 napi_poll net/core/dev.c:6480 [inline]
 net_rx_action+0x8ec/0xc60 net/core/dev.c:6567
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 do_softirq.part.0+0xde/0x130 kernel/softirq.c:459
 </IRQ>
 <TASK>
 do_softirq kernel/softirq.c:451 [inline]
 __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:383
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:764 [inline]
 ip6_finish_output2+0x5bc/0x1500 net/ipv6/ip6_output.c:127
 __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
 __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170
 ip6_finish_output+0x32/0x280 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:451 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip6_xmit+0x11d4/0x1a50 net/ipv6/ip6_output.c:324
 inet6_csk_xmit+0x3b1/0x6c0 net/ipv6/inet6_connection_sock.c:135
 __tcp_transmit_skb+0x190e/0x38b0 net/ipv4/tcp_output.c:1402
 tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
 tcp_write_xmit+0xd93/0x5fe0 net/ipv4/tcp_output.c:2690
 __tcp_push_pending_frames+0xaa/0x390 net/ipv4/tcp_output.c:2874
 tcp_send_fin+0x117/0xb70 net/ipv4/tcp_output.c:3419
 __tcp_close+0xae7/0x12b0 net/ipv4/tcp.c:2839
 tcp_close+0x29/0xc0 net/ipv4/tcp.c:2929
 inet_release+0x12e/0x280 net/ipv4/af_inet.c:428
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:481
 __sock_release+0xcd/0x280 net/socket.c:650
 sock_close+0x18/0x20 net/socket.c:1318
 __fput+0x277/0x9d0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc2e4d1e5e3
Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
RSP: 002b:00007ffd996797d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007fc2e4d1e5e3
RDX: 000000000000001c RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000020b63fe4 R09: 000000000000001c
R10: 0000000022004001 R11: 0000000000000246 R12: 00007ffd996797f0
R13: 00000000000f4240 R14: 00000000000101d1 R15: 00007ffd996797e4
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:tcp_create_openreq_child+0xe16/0x16b0 net/ipv4/tcp_minisocks.c:534
Code: 48 c1 ea 03 80 3c 02 00 0f 85 e5 07 00 00 4c 8b b3 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7e 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c9 07 00 00 48 8b 3c 24 48 89 de 41 ff 56 08 48
RSP: 0018:ffffc90000de05a8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880246f6000 RCX: 0000000000000100
RDX: 0000000000000001 RSI: ffffffff87d67ff0 RDI: 0000000000000008
RBP: ffff888071902e78 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff87d67f00 R11: 0000000000000000 R12: ffff888071902640
R13: ffff888023621268 R14: 0000000000000000 R15: 0000000000000000
FS:  0000555556ff2300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd996797b8 CR3: 000000007f551000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 e5 07 00 00    	jne    0x7f3
   e:	4c 8b b3 28 01 00 00 	mov    0x128(%rbx),%r14
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	49 8d 7e 08          	lea    0x8(%r14),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 c9 07 00 00    	jne    0x7fd
  34:	48 8b 3c 24          	mov    (%rsp),%rdi
  38:	48 89 de             	mov    %rbx,%rsi
  3b:	41 ff 56 08          	callq  *0x8(%r14)
  3f:	48                   	rex.W
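Decoding the fault address. The GPF address 0xdffffc0000000001 is not the pointer the kernel tried to read; it is the KASAN shadow byte for that pointer. The disassembly above shows the sequence: a pointer is loaded from 0x128(%rbx) into %r14, %rdi = %r14 + 8 is formed, shifted right by 3 and added to the shadow offset 0xdffffc0000000000 that the movabs loads, and the shadow byte at that address is compared before the indirect call through 0x8(%r14). With R14 = 0 in the register dump the address being validated is 8, whose shadow byte lives at 0xdffffc0000000001, which is exactly why the report says null-ptr-deref in range [0x8-0xf]: a NULL ops pointer was about to be called through, consistent with the fix commit's subject. The following C program is an added example, not code from the kernel or from syzbot; it reproduces this arithmetic in both directions so a reader can turn a "non-canonical address" GPF into the real access range. The PAGE_SIZE/TASK_SIZE thresholds used for the bug-type label and all function names are assumptions, not taken from this page.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants read off the disassembly above: the movabs immediate is the x86-64
 * KASAN shadow offset and "shr $0x3" is the shadow scale (8 bytes per shadow byte). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)

/* Assumed thresholds for labelling the access (not taken from this page). */
#define ASSUMED_PAGE_SIZE 0x1000ULL
#define ASSUMED_TASK_SIZE 0x00007ffffffff000ULL

/* Values from the crash report: R14 (the loaded ops pointer), the displacement
 * of the member that is checked and then called through, and the GPF address. */
#define CRASH_R14           0x0ULL
#define CRASH_MEMBER_DISP   0x8ULL
#define CRASH_FAULT_ADDRESS 0xdffffc0000000001ULL

/* Forward map: the shadow byte covering `addr`, i.e. what the cmpb reads. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse map: lowest original address covered by a shadow byte, or
 * UINT64_MAX if the value is not a shadow address at all. */
uint64_t kasan_shadow_range_lo(uint64_t shadow)
{
    if (shadow < KASAN_SHADOW_OFFSET)
        return UINT64_MAX;
    uint64_t granule = shadow - KASAN_SHADOW_OFFSET;
    if (granule >> (64 - KASAN_SHADOW_SCALE_SHIFT))
        return UINT64_MAX;          /* past the 2^61-byte shadow region */
    return granule << KASAN_SHADOW_SCALE_SHIFT;
}

/* Highest original address covered by the same shadow byte. */
uint64_t kasan_shadow_range_hi(uint64_t shadow)
{
    uint64_t lo = kasan_shadow_range_lo(shadow);
    return lo == UINT64_MAX ? UINT64_MAX : lo + KASAN_GRANULE_SIZE - 1;
}

/* Label an access that has no allocation metadata, the way the KASAN
 * "null-ptr-deref" line in the report above classifies it (thresholds assumed). */
const char *kasan_wild_bug_type(uint64_t addr)
{
    if (addr < ASSUMED_PAGE_SIZE) return "null-ptr-deref";
    if (addr < ASSUMED_TASK_SIZE) return "user-memory-access";
    return "wild-memory-access";
}

/* The address the trapping instruction was validating: base register + displacement. */
uint64_t checked_address(uint64_t base_reg, uint64_t disp)
{
    return base_reg + disp;
}

int main(void)
{
    uint64_t target = checked_address(CRASH_R14, CRASH_MEMBER_DISP);
    uint64_t shadow = kasan_shadow_addr(target);
    uint64_t lo = kasan_shadow_range_lo(CRASH_FAULT_ADDRESS);
    uint64_t hi = kasan_shadow_range_hi(CRASH_FAULT_ADDRESS);

    printf("ops pointer %#" PRIx64 " + %#" PRIx64 " -> access at %#" PRIx64 "\n",
           (uint64_t)CRASH_R14, (uint64_t)CRASH_MEMBER_DISP, target);
    printf("shadow byte at %#" PRIx64 " (%s the reported fault address)\n",
           shadow, shadow == CRASH_FAULT_ADDRESS ? "matches" : "differs from");
    printf("%s in range [%#" PRIx64 "-%#" PRIx64 "]\n",
           kasan_wild_bug_type(lo), lo, hi);
    return shadow == CRASH_FAULT_ADDRESS ? 0 : 1;
}
```

The same inverse map works for any KASAN "probably for non-canonical address 0xdffffc..." fault on x86-64: subtract the shadow offset, shift left by 3, and the result is the start of the 8-byte granule the kernel was about to touch. A low result means a NULL (or near-NULL) base pointer plus a struct member offset, which is what a missing ops-pointer initialization on one allocation path looks like at the instruction level.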

Crashes (83):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-net-this-kasan-gce 2022/04/25 05:24 net 165e3e17fe8f 131df97d .config log report syz C general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 03:10 net 165e3e17fe8f 131df97d .config log report syz C general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 02:48 net 165e3e17fe8f 131df97d .config log report syz C general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 11:51 net 165e3e17fe8f 131df97d .config log report syz C general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 06:35 net 165e3e17fe8f 131df97d .config log report syz C general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 03:08 net 165e3e17fe8f 131df97d .config log report syz C general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 02:48 net 165e3e17fe8f 131df97d .config log report syz C general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 08:53 net 5fd1fe4807f9 131df97d .config log report syz C general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 00:53 net 165e3e17fe8f 131df97d .config log report syz general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 22:14 net 165e3e17fe8f 131df97d .config log report syz general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 20:19 net 165e3e17fe8f 131df97d .config log report syz general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 16:00 net 165e3e17fe8f 131df97d .config log report syz general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 10:41 net 165e3e17fe8f 131df97d .config log report syz general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 17:57 net c4c89a6ad8e1 c889aef9 .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 16:16 net c4c89a6ad8e1 c889aef9 .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 15:30 net c4c89a6ad8e1 c889aef9 .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 12:57 net c4c89a6ad8e1 c889aef9 .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 11:27 net c4c89a6ad8e1 c889aef9 .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 09:51 net 165e3e17fe8f c889aef9 .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 08:02 net 165e3e17fe8f c889aef9 .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/25 06:54 net 165e3e17fe8f c889aef9 .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 17:30 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 13:43 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 10:38 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 08:30 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 08:16 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 08:01 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 06:06 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 05:35 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 05:35 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 02:41 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 01:59 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 01:16 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/24 01:07 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 23:24 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 23:24 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 23:04 net 165e3e17fe8f 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 21:37 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 20:49 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 18:42 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 17:24 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 17:04 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 16:51 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 15:41 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 15:23 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 15:13 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 14:09 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 12:55 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 12:52 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 12:49 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 12:23 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 10:56 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 10:31 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 09:22 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 08:03 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 06:54 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child
ci-upstream-net-this-kasan-gce 2022/04/23 04:09 net 5fd1fe4807f9 131df97d .config log report info general protection fault in tcp_create_openreq_child