syzbot


general protection fault in hidraw_release

Status: upstream: reported C repro on 2022/01/04 07:49
Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com
First crash: 341d, last: 24d

Cause bisection: introduced by (bisect log):
commit e4b8954074f6d0db01c8c97d338a67f9389c042f
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Dec 7 01:30:37 2021 +0000

  netlink: add net device refcount tracker to struct ethnl_req_info

Crash: WARNING in free_netdev (log)
Repro: C syz .config
Patch testing requests:
Created Duration User Patch Repo Result
2022/02/04 05:47 11m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 9f7fb8de5d9b OK
2022/02/03 10:22 11m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 9f7fb8de5d9b report log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 0 PID: 15736 Comm: syz-executor272 Not tainted 5.19.0-rc3-syzkaller-00038-gca1fdab7fd27 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0x6a/0x1f80 kernel/locking/lockdep.c:4923
Code: ff df 8a 04 10 84 c0 0f 85 60 16 00 00 83 3d 30 ee 9b 0c 00 0f 84 10 15 00 00 83 3d 7f f4 36 0b 00 74 2c 4c 89 e8 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 ef e8 28 bc 72 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90006dd79c8 EFLAGS: 00010006
RAX: 0000000000000011 RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000088
RBP: ffff88807e813b00 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff1c071de R11: 1ffffffff1c071dd R12: 0000000000000000
R13: 0000000000000088 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f65cc6e6130 CR3: 000000007ec59000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 lock_acquire+0x1a7/0x400 kernel/locking/lockdep.c:5665
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
 hidraw_release+0xb9/0x4a0 drivers/hid/hidraw.c:352
 __fput+0x3b9/0x820 fs/file_table.c:317
 task_work_run+0x146/0x1c0 kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x547/0x1ed0 kernel/exit.c:795
 do_group_exit+0x23b/0x2f0 kernel/exit.c:925
 __do_sys_exit_group kernel/exit.c:936 [inline]
 __se_sys_exit_group kernel/exit.c:934 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:934
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f65cc67bda9
Code: Unable to access opcode bytes at RIP 0x7f65cc67bd7f.
RSP: 002b:00007ffc25d1b0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f65cc6e8310 RCX: 00007f65cc67bda9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000140
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f65cc6e8310
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x6a/0x1f80 kernel/locking/lockdep.c:4923
Code: ff df 8a 04 10 84 c0 0f 85 60 16 00 00 83 3d 30 ee 9b 0c 00 0f 84 10 15 00 00 83 3d 7f f4 36 0b 00 74 2c 4c 89 e8 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 ef e8 28 bc 72 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90006dd79c8 EFLAGS: 00010006
RAX: 0000000000000011 RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000088
RBP: ffff88807e813b00 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff1c071de R11: 1ffffffff1c071dd R12: 0000000000000000
R13: 0000000000000088 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f65cc6e6130 CR3: 000000007ec59000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	df 8a 04 10 84 c0    	fisttps -0x3f7beffc(%rdx)
   6:	0f 85 60 16 00 00    	jne    0x166c
   c:	83 3d 30 ee 9b 0c 00 	cmpl   $0x0,0xc9bee30(%rip)        # 0xc9bee43
  13:	0f 84 10 15 00 00    	je     0x1529
  19:	83 3d 7f f4 36 0b 00 	cmpl   $0x0,0xb36f47f(%rip)        # 0xb36f49f
  20:	74 2c                	je     0x4e
  22:	4c 89 e8             	mov    %r13,%rax
  25:	48 c1 e8 03          	shr    $0x3,%rax
* 29:	80 3c 10 00          	cmpb   $0x0,(%rax,%rdx,1) <-- trapping instruction
  2d:	74 12                	je     0x41
  2f:	4c 89 ef             	mov    %r13,%rdi
  32:	e8 28 bc 72 00       	callq  0x72bc5f
  37:	48                   	rex.W
  38:	ba 00 00 00 00       	mov    $0x0,%edx
  3d:	00 fc                	add    %bh,%ah

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-386 2022/06/13 15:56 upstream b13baccc3850 4ebb2798 .config log report syz C
* Struck through repros no longer work on HEAD.
Crashes (45):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-smack-root 2022/06/22 08:10 upstream ca1fdab7fd27 0fc5c330 .config log report syz C general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/10/11 10:38 upstream 55be6084c8e0 2b253ced .config log report syz C general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/02/02 11:36 upstream 9f7fb8de5d9b 4ebb2798 .config log report syz C general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/02/02 13:33 upstream 9f7fb8de5d9b 4ebb2798 .config log report syz C KASAN: use-after-free Read in hidraw_release
ci-upstream-kasan-gce-selinux-root 2022/02/02 07:18 upstream 9f7fb8de5d9b 4ebb2798 .config log report syz C KASAN: use-after-free Read in hidraw_release
ci-upstream-kasan-gce-root 2022/05/12 01:03 upstream feb9c5e19e91 beb0b407 .config log report syz general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root 2022/10/11 09:24 linux-next aaa11ce2ffc8 2b253ced .config log report syz general protection fault in hidraw_release
ci-upstream-kasan-gce-selinux-root 2022/11/12 13:29 upstream f5020a08b2b3 3ead01ad .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/11/03 09:54 upstream b229b6ca5abb 7a2ebf95 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/10/25 04:57 upstream 247f34f7b803 ff2fe65d .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-smack-root 2022/10/19 02:03 upstream 55be6084c8e0 b31320fc .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-selinux-root 2022/10/16 16:45 upstream 55be6084c8e0 67cb024c .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-selinux-root 2022/09/04 20:04 upstream 7726d4c3e60b 28811d0a .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-root 2022/08/15 13:16 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/08/12 03:23 upstream 7ebfc85e2cd7 787ed7e0 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/07/25 21:59 upstream e0dccc3b76fb 664c519c .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/05/09 07:34 upstream c5eb0a61238d e60b1103 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/05/08 21:52 upstream 379c72654524 e60b1103 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/05/07 19:53 upstream 30c8e80f7932 e60b1103 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/05/04 06:25 upstream 107c948d1d3e dc9e5259 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-selinux-root 2022/05/02 21:48 upstream 9050ba3a61a4 2df221f6 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-smack-root 2022/04/16 02:00 upstream 59250f8a7f3a 8bcc32a6 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-smack-root 2022/04/10 16:13 upstream 1862a69c9174 e22c3da3 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/03/01 02:40 upstream 7e57714cd0ad 45a13a73 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-selinux-root 2022/02/02 02:14 upstream 9f7fb8de5d9b 4ebb2798 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce 2022/01/29 04:07 upstream df0001545b27 495e00c5 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-smack-root 2022/01/23 05:38 upstream 1c52283265a4 214351e1 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/10/11 03:36 upstream 55be6084c8e0 2b253ced .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/09/15 22:01 upstream 3245cb65fd91 dd9a85ff .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/05/14 09:14 upstream ec7f49619d8e 744a39e2 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/05/08 05:40 upstream 30c8e80f7932 e60b1103 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/05/04 23:28 upstream a7391ad35724 dc9e5259 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/05/04 21:02 upstream a7391ad35724 dc9e5259 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/05/02 12:11 upstream 672c0c517342 2df221f6 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-386 2022/03/09 22:45 upstream e7e19defa575 9e8eaa75 .config log report info general protection fault in hidraw_release
ci2-upstream-usb 2022/10/23 12:50 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing a6afa4199d3d 23bf86af .config log report info general protection fault in hidraw_release
ci2-upstream-usb 2022/10/20 18:11 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing a6afa4199d3d b31320fc .config log report info general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root 2022/10/12 20:13 linux-next aaa11ce2ffc8 89b5a509 .config log report info general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root 2022/10/11 08:59 linux-next aaa11ce2ffc8 2b253ced .config log report info general protection fault in hidraw_release
ci2-upstream-usb 2022/08/30 06:20 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing ffcf9c5700e4 4a380809 .config log report info general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root 2022/07/06 07:44 linux-next cb71b93c2dc3 bff65f44 .config log report info general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root 2022/01/15 06:05 linux-next bd8d9cef2a79 723cfaf0 .config log report info general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root 2022/01/13 15:38 linux-next 27c9d5b3c24a 44d1319a .config log report info general protection fault in hidraw_release
ci-upstream-linux-next-kasan-gce-root 2021/12/31 03:40 linux-next ea586a076e8a 36bd2e48 .config log report info general protection fault in hidraw_release
ci-upstream-kasan-gce-selinux-root 2022/04/05 06:02 upstream 312310928417 5915c2cb .config log report info KASAN: use-after-free Read in hidraw_release
* Struck through repros no longer work on HEAD.