syzbot


general protection fault in __sock_release (3)
Status: upstream: reported syz repro on 2020/08/31 19:38
Reported-by: syzbot+0cd67947050ba830202c@syzkaller.appspotmail.com
First crash: 639d, last: 631d

Cause bisection: introduced by (bisect log) :
commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
Author: Marc Zyngier <maz@kernel.org>
Date: Wed Aug 19 16:12:17 2020 +0000

  epoll: Keep a reference on files added to the check list

Crash: BUG: unable to handle kernel NULL pointer dereference in __sock_release (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) [no-op commit]:
commit 4b04e0decd2518e54e3f371abf3d883b3198663d
Author: Sumanth Korikkar <sumanthk@linux.ibm.com>
Date: Mon Aug 17 07:27:54 2020 +0000

  perf test: Fix basic bpf filtering test

similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in __sock_release syz done 8 626d 639d 1/1 fixed on 2020/10/09 08:27
linux-4.14 general protection fault in __sock_release syz done 12 626d 639d 1/1 fixed on 2020/10/09 20:44
upstream general protection fault in __sock_release 1 1409d 1409d 9/22 fixed on 2018/08/07 13:43
upstream general protection fault in __sock_release (2) 20 1076d 1214d 0/22 auto-closed as invalid on 2019/10/25 08:42

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 21996 Comm: syz-executor.0 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__sock_release+0xbb/0x280 net/socket.c:596
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 a5 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 01 00 00 48 89 df 41 ff 54 24 10 48 8d 7b 18
RSP: 0018:ffffc90009807e28 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880858b1540 RCX: 1ffff92001300f67
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: ffff8880858b16e0 R08: ffff8880858b16e0 R09: ffff8880858b16f3
R10: ffffed1010b162de R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880858b1560 R14: 0000000000000000 R15: ffff88808a866100
FS:  0000000002ba9940(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffccdd85e4c CR3: 00000000a8c7a000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sock_close+0x18/0x20 net/socket.c:1277
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:140 [inline]
 exit_to_user_mode_prepare+0x195/0x1c0 kernel/entry/common.c:167
 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:242
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffce4822f40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190430 R09: 0000000000000000
R10: 00007ffce4823020 R11: 0000000000000293 R12: 0000000001190438
R13: 0000000000000001 R14: ffffffffffffffff R15: 000000000118cfec
Modules linked in:
---[ end trace 5633c6f97290c124 ]---
RIP: 0010:__sock_release+0xbb/0x280 net/socket.c:596
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 a5 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 01 00 00 48 89 df 41 ff 54 24 10 48 8d 7b 18
RSP: 0018:ffffc90009807e28 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880858b1540 RCX: 1ffff92001300f67
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: ffff8880858b16e0 R08: ffff8880858b16e0 R09: ffff8880858b16f3
R10: ffffed1010b162de R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880858b1560 R14: 0000000000000000 R15: ffff88808a866100
FS:  0000000002ba9940(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffccdd85e4c CR3: 00000000a8c7a000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (21):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2020/08/30 20:03 upstream 1127b219ce94 d5a3ae1f .config log report syz
ci-upstream-kasan-gce-selinux-root 2020/08/28 21:51 upstream 15bc20c6af4c d5a3ae1f .config log report syz
ci-upstream-kasan-gce-root 2020/08/28 08:11 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce 2020/08/28 06:57 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce 2020/08/27 19:39 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce-root 2020/08/27 19:31 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce-386 2020/08/28 06:41 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce-386 2020/08/27 19:41 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-net-this-kasan-gce 2020/09/04 04:05 net 8b4a11c67da5 abf9ba4f .config log report syz
ci-upstream-net-this-kasan-gce 2020/09/03 22:05 net 8b4a11c67da5 abf9ba4f .config log report syz
ci-upstream-net-this-kasan-gce 2020/09/03 18:52 net 8b4a11c67da5 abf9ba4f .config log report syz
ci-upstream-net-this-kasan-gce 2020/08/29 14:38 net c8146fe292a7 d5a3ae1f .config log report syz
ci-upstream-net-this-kasan-gce 2020/08/28 06:37 net af8ea1111346 816e0689 .config log report syz
ci-upstream-net-kasan-gce 2020/09/04 04:18 net-next 22b330b622e3 abf9ba4f .config log report syz
ci-upstream-net-kasan-gce 2020/08/28 19:42 net-next 0baf01942d3d d5a3ae1f .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/29 06:36 linux-next b36c969764ab d5a3ae1f .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/27 21:05 linux-next 88abac0b753d 816e0689 .config log report syz
ci-upstream-kasan-gce-386 2020/08/30 05:30 upstream 1127b219ce94 d5a3ae1f .config log report
ci-upstream-net-this-kasan-gce 2020/09/04 00:15 net 8b4a11c67da5 abf9ba4f .config log report
ci-upstream-linux-next-kasan-gce-root 2020/09/03 00:03 linux-next 4442749a2031 abf9ba4f .config log report
ci-upstream-linux-next-kasan-gce-root 2020/09/01 23:45 linux-next b36c969764ab abf9ba4f .config log report