syzbot


general protection fault in tcp_sendmsg

Status: auto-closed as invalid on 2020/01/11 06:41
Reported-by: syzbot+12e2d60f55aebe109672@syzkaller.appspotmail.com
First crash: 1746d, last: 1746d
Similar bugs (1)
Kernel     | Title                                      | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
android-44 | general protection fault in tcp_sendmsg    | syz   |              |            | 5     | 2016d | 1898d    | 0/2     | public: reported syz repro on 2019/04/14 00:02

Sample crash report:
 __vfs_write+0xf9/0x5a0 fs/read_write.c:482
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
 vfs_write+0x17f/0x4d0 fs/read_write.c:546
 SYSC_write fs/read_write.c:594 [inline]
 SyS_write+0x102/0x250 fs/read_write.c:586
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
CPU: 1 PID: 3815 Comm: syz-executor.2 Not tainted 4.14.143+ #0
RIP: 0033:0x4598e9
task: 00000000e018343c task.stack: 00000000807ae78f
RSP: 002b:00007f9e339fdc78 EFLAGS: 00000246
RIP: 0010:tcp_sendmsg_locked+0x509/0x2f50 net/ipv4/tcp.c:1281
 ORIG_RAX: 0000000000000001
RSP: 0018:ffff8881cb02f998 EFLAGS: 00010206
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RAX: 0000000000000011 RBX: ffff8881cccd1b80 RCX: 000000000000010c
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
RDX: ffffffff8252e3a0 RSI: ffffc90003348000 RDI: 0000000000000088
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9e339fe6d4
RBP: ffff8881c8334d12 R08: 0000000000000001 R09: 0000000000000001
R13: 00000000004c9b57 R14: 00000000004e12c8 R15: 00000000ffffffff
R10: fffffbfff5605ba5 R11: 0000000000000000 R12: ffff8881cb02fc00
audit: type=1400 audit(1568356799.473:16): avc:  denied  { create } for  pid=3809 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
R13: 0000000000000000 R14: ffff8881c8334d00 R15: dffffc0000000000
FS:  00007f8a49dbc700(0000) GS:ffff8881dbb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001cce36002 CR4: 00000000001606a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
audit: type=1400 audit(1568356799.473:17): avc:  denied  { write } for  pid=3809 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1568356799.473:18): avc:  denied  { read } for  pid=3809 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
Mem-Info:
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
active_anon:83069 inactive_anon:2033 isolated_anon:0
 active_file:4353 inactive_file:11112 isolated_file:0
 unevictable:0 dirty:115 writeback:0 unstable:0
 slab_reclaimable:5555 slab_unreclaimable:57897
 mapped:58846 shmem:4144 pagetables:937 bounce:0
 free:1417512 free_pcp:154 free_cma:0
 sock_write_iter+0x20f/0x360 net/socket.c:925
 call_write_iter include/linux/fs.h:1788 [inline]
 new_sync_write fs/read_write.c:471 [inline]
 __vfs_write+0x401/0x5a0 fs/read_write.c:484
Node 0 active_anon:332276kB inactive_anon:8132kB active_file:17412kB inactive_file:44448kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:235384kB dirty:460kB writeback:0kB shmem:16576kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
 vfs_write+0x17f/0x4d0 fs/read_write.c:546
DMA32 free:3079672kB min:4792kB low:7868kB high:10944kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3145324kB managed:3079672kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
 SYSC_write fs/read_write.c:594 [inline]
 SyS_write+0x102/0x250 fs/read_write.c:586
lowmem_reserve[]:
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0
RIP: 0033:0x4598e9
RSP: 002b:00007f8a49dbbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9
RDX: 000000000000004c RSI: 0000000020000140 RDI: 0000000000000007
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8a49dbc6d4
R13: 00000000004c5e50 R14: 00000000004e0380 R15: 00000000ffffffff
Code: 4e 32 de fe 48 
 3437
85 db 0f 84 12 
 3437
08 00 00 e8 40 32 de fe 8b 84 24 08 01 00 00 49 8d bd 88 00 00 00 
89 44 24 08 48 89 f8 48 c1 e8 
Normal free:2589556kB min:5480kB low:9000kB high:12520kB active_anon:332276kB inactive_anon:8132kB active_file:17412kB inactive_file:44448kB unevictable:0kB writepending:460kB present:4718592kB managed:3521564kB mlocked:0kB kernel_stack:3232kB pagetables:3896kB bounce:0kB free_pcp:620kB local_pcp:228kB free_cma:0kB
03 <42> 0f b6 04 38 84 c0 74 06 0f 8e 
lowmem_reserve[]:
07 24 00 00 41 f6 85 88 00 00 
 0
RIP: tcp_sendmsg_locked+0x509/0x2f50 net/ipv4/tcp.c:1281 RSP: ffff8881cb02f998
---[ end trace 33f184410e14726f ]---
 0

Crashes (1):
Time             | Kernel       | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets | Manager                        | Title
2019/09/13 06:40 | android-4.14 | f02af7b02c26 | 40fa42bc  | .config | console log | report |           |         |         |        | ci-android-414-kasan-gce-root  |
* Struck through repros no longer work on HEAD.