syzbot


BUG: corrupted list in rdma_listen (2)

Status: upstream: reported C repro on 2020/07/30 18:22
Reported-by: syzbot+dbe5efc341bec3342aba@syzkaller.appspotmail.com
First crash: 791d, last: 30d
similar bugs (11):
| Kernel | Title | Repro | Cause / fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|
| linux-4.14 | BUG: corrupted list in rdma_listen | | | 4 | 923d | 961d | 0/1 | auto-closed as invalid on 2020/07/18 15:58 |
| upstream | BUG: corrupted list in rdma_listen | C | | 202 | 1044d | 1624d | 17/24 | fixed on 2020/05/10 10:41 |
| upstream | BUG: corrupted list in rdma_listen (2) | C | inconclusive | 5 | 233d | 299d | 23/24 | upstream: reported C repro on 2021/12/04 09:54 |
| linux-4.19 | BUG: corrupted list in rdma_listen | | | 3 | 904d | 938d | 0/1 | auto-closed as invalid on 2020/08/06 14:55 |
| upstream | KASAN: use-after-free Read in rdma_listen (3) | | | 1 | 524d | 516d | 0/24 | auto-closed as invalid on 2021/08/21 07:04 |
| linux-4.14 | KASAN: use-after-free Read in rdma_listen | C | | 1266 | 7h16m | 1207d | 0/1 | upstream: reported C repro on 2019/06/10 00:44 |
| linux-4.19 | general protection fault in rdma_listen (2) | | | 7 | 899d | 920d | 0/1 | auto-closed as invalid on 2020/08/11 01:18 |
| upstream | general protection fault in rdma_listen (2) | syz | done | 104 | 910d | 1421d | 17/24 | fixed on 2020/05/10 10:41 |
| linux-4.19 | general protection fault in rdma_listen | | | 1 | 1201d | 1201d | 0/1 | auto-closed as invalid on 2019/10/25 08:41 |
| upstream | general protection fault in rdma_listen | C | | 36 | 1654d | 1666d | 0/24 | closed as dup on 2018/03/22 15:25 |
| linux-4.14 | general protection fault in rdma_listen | | | 7 | 853d | 939d | 0/1 | auto-closed as invalid on 2020/09/26 15:09 |

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
 futex_wait_setup+0xb3/0x260 kernel/futex.c:2787
 futex_wait+0x199/0x5a0 kernel/futex.c:2850
kasan: GPF could be caused by NULL-ptr deref or user memory access
 do_futex+0x1d8/0x1570 kernel/futex.c:3906
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 8006 Comm: syz-executor332 Not tainted 4.14.281-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b3b36500 task.stack: ffff88808d378000
RIP: 0010:cma_bind_listen drivers/infiniband/core/cma.c:3206 [inline]
RIP: 0010:rdma_listen+0x32b/0x9b0 drivers/infiniband/core/cma.c:3319
RSP: 0018:ffff88808d37fbe8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880b3f9bb40 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000002 RDI: 0000000000000008
RBP: ffff8880b3f9bd54 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880b3b36500 R12: 0000000000000000
 SYSC_futex kernel/futex.c:3966 [inline]
 SyS_futex+0x1da/0x290 kernel/futex.c:3934
R13: 0000000000000400 R14: ffff8880b3f9bd58 R15: 0000000000000008
FS:  00007fc39b19d700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1f3c574000 CR3: 00000000a9240000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
Call Trace:
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
 ucma_listen+0x10b/0x170 drivers/infiniband/core/ucma.c:1078
RIP: 0033:0x7fc39b20cfb9
RSP: 002b:00007fc39b13a2e8 EFLAGS: 00000246
 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007fc39b296520 RCX: 00007fc39b20cfb9
 ucma_write+0x206/0x2c0 drivers/infiniband/core/ucma.c:1672
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fc39b296528
RBP: 00007fc39b263194 R08: 0000000000000032 R09: 0000000000000032
 __vfs_write+0xe4/0x630 fs/read_write.c:480
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc39b13a2f0
R13: 006d635f616d6472 R14: 00007fc39b296528 R15: 0000000000000001
 vfs_write+0x17f/0x4d0 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xf2/0x210 fs/read_write.c:582
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fc39b20cfb9
RSP: 002b:00007fc39b19d2e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fc39b2964f0 RCX: 00007fc39b20cfb9
RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007fc39b263194 R08: 00007fc39b19d700 R09: 0000000000000000
R10: 00007fc39b19d700 R11: 0000000000000246 R12: 00007fc39b19d2f0
R13: 006d635f616d6472 R14: 00007fc39b2964f8 R15: 0000000000022000
Code: 4c 8b a3 c0 01 00 00 31 f6 48 c7 c7 c0 cb b4 89 e8 5b 93 d5 01 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 92 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 
RIP: cma_bind_listen drivers/infiniband/core/cma.c:3206 [inline] RSP: ffff88808d37fbe8
RIP: rdma_listen+0x32b/0x9b0 drivers/infiniband/core/cma.c:3319 RSP: ffff88808d37fbe8
---[ end trace 85ab7b5b612abf1a ]---
----------------
Code disassembly (best guess):
   0:	4c 8b a3 c0 01 00 00 	mov    0x1c0(%rbx),%r12
   7:	31 f6                	xor    %esi,%esi
   9:	48 c7 c7 c0 cb b4 89 	mov    $0xffffffff89b4cbc0,%rdi
  10:	e8 5b 93 d5 01       	callq  0x1d59370
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  24:	48 89 fa             	mov    %rdi,%rdx
  27:	48 c1 ea 03          	shr    $0x3,%rdx
* 2b:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2f:	0f 85 92 05 00 00    	jne    0x5c7
  35:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  3c:	fc ff df
  3f:	4d                   	rex.WRB

Fix bisection attempts:
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci2-linux-4-14 | 2022/08/30 09:20 | linux-4.14.y | e548869f356f | 3037caa9 | .config | log | report | syz | C | | |
| ci2-linux-4-14 | 2022/07/26 06:29 | linux-4.14.y | 9c3bf9cf362f | 3037caa9 | .config | log | report | syz | C | | |
| ci2-linux-4-14 | 2022/06/26 06:05 | linux-4.14.y | f051383ef03b | 3037caa9 | .config | log | report | syz | C | | |
| ci2-linux-4-14 | 2022/05/14 02:51 | linux-4.14.y | 569d1abf9402 | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2022/04/14 02:28 | linux-4.14.y | 74766a973637 | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2022/03/04 01:03 | linux-4.14.y | e853993d29aa | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2022/01/03 11:40 | linux-4.14.y | a6ca7c65b137 | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2021/11/30 18:53 | linux-4.14.y | 66722c42ec91 | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2021/10/31 17:57 | linux-4.14.y | cd5296934610 | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2021/09/11 22:48 | linux-4.14.y | f96eb53cbd76 | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2021/08/12 22:28 | linux-4.14.y | 46914f96189b | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2021/07/13 21:45 | linux-4.14.y | 4e68c9b0763f | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2021/06/13 16:55 | linux-4.14.y | 3d3abdc8ebd3 | 6a81331a | .config | log | report | syz | | | |
| ci2-linux-4-14 | 2021/05/14 16:29 | linux-4.14.y | 7d7d1c0ab3eb | 6a81331a | .config | log | report | syz | | | |
* Struck through repros no longer work on HEAD.
Crashes (21):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci2-linux-4-14 | 2022/05/27 05:47 | linux-4.14.y | 501eec4f9e13 | 3037caa9 | .config | log | report | syz | C | | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2021/04/10 17:10 | linux-4.14.y | 958e517f4e16 | 6a81331a | .config | log | report | syz | | | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2021/03/08 04:34 | linux-4.14.y | 1d177c0872ab | 09fbf400 | .config | log | report | syz | | | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2021/04/10 01:25 | linux-4.14.y | 0cc244011f40 | 6a81331a | .config | log | report | | | info | BUG: corrupted list in rdma_listen |
| ci2-linux-4-14 | 2021/03/21 08:55 | linux-4.14.y | cb83ddcd5332 | 17810eae | .config | log | report | | | info | BUG: corrupted list in rdma_listen |
| ci2-linux-4-14 | 2021/02/11 06:25 | linux-4.14.y | 2c8a3fceddf0 | a52ee10a | .config | log | report | | | info | BUG: corrupted list in rdma_listen |
| ci2-linux-4-14 | 2021/01/28 05:47 | linux-4.14.y | 2d2791fce891 | a57db36f | .config | log | report | | | info | BUG: corrupted list in rdma_listen |
| ci2-linux-4-14 | 2022/07/30 02:48 | linux-4.14.y | b641242202ed | fef302b1 | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2022/05/27 05:15 | linux-4.14.y | 501eec4f9e13 | 3037caa9 | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2022/03/15 01:35 | linux-4.14.y | af48f51cb593 | 9e8eaa75 | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2022/02/02 00:25 | linux-4.14.y | b86ee2b7ae42 | 4ebb2798 | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2022/01/30 18:57 | linux-4.14.y | b86ee2b7ae42 | 495e00c5 | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2021/12/04 11:15 | linux-4.14.y | 66722c42ec91 | a617004c | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2021/09/25 13:24 | linux-4.14.y | 8ea4f73cfa7e | 8cac236e | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2021/04/14 09:48 | linux-4.14.y | 958e517f4e16 | 3134b37f | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2021/03/08 02:53 | linux-4.14.y | 1d177c0872ab | 09fbf400 | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2021/03/05 12:50 | linux-4.14.y | 397a88b2cc86 | 9d751681 | .config | log | report | | | info | general protection fault in rdma_listen |
| ci2-linux-4-14 | 2020/11/24 15:57 | linux-4.14.y | 87335852c5d9 | e34b696c | .config | log | report | | | info | |
| ci2-linux-4-14 | 2020/10/08 07:55 | linux-4.14.y | cbfa1702aaf6 | 1880b4a9 | .config | log | report | | | info | |
| ci2-linux-4-14 | 2020/09/10 02:35 | linux-4.14.y | 458a534cac0c | ac7ca78e | .config | log | report | | | | |
| ci2-linux-4-14 | 2020/07/30 18:21 | linux-4.14.y | e5a54aa2d312 | b0947553 | .config | log | report | | | | |
* Struck through repros no longer work on HEAD.