general protection fault in __sock

general protection fault in __sock_release (3)
Status: upstream: reported syz repro on 2020/08/31 19:38
Reported-by: syzbot+0cd67947050ba830202c@syzkaller.appspotmail.com
First crash: 426d, last: 419d

Cause bisection: introduced by (bisect log) :
commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
Author: Marc Zyngier <maz@kernel.org>
Date: Wed Aug 19 16:12:17 2020 +0000

epoll: Keep a reference on files added to the check list

Crash: BUG: unable to handle kernel NULL pointer dereference in __sock_release (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) [no-op commit]:
commit 4b04e0decd2518e54e3f371abf3d883b3198663d
Author: Sumanth Korikkar <sumanthk@linux.ibm.com>
Date: Mon Aug 17 07:27:54 2020 +0000

perf test: Fix basic bpf filtering test

similar bugs (4):
Kernel	Title	Repro	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	general protection fault in __sock_release	syz	done	8	414d	426d	1/1	fixed on 2020/10/09 08:27
linux-4.14	general protection fault in __sock_release	syz	done	12	414d	426d	1/1	fixed on 2020/10/09 20:44
upstream	general protection fault in __sock_release			1	1196d	1196d	9/22	fixed on 2018/08/07 13:43
upstream	general protection fault in __sock_release (2)			20	863d	1002d	0/22	auto-closed as invalid on 2019/10/25 08:42

Sample crash report:

general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 21996 Comm: syz-executor.0 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__sock_release+0xbb/0x280 net/socket.c:596
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 a5 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 01 00 00 48 89 df 41 ff 54 24 10 48 8d 7b 18
RSP: 0018:ffffc90009807e28 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880858b1540 RCX: 1ffff92001300f67
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: ffff8880858b16e0 R08: ffff8880858b16e0 R09: ffff8880858b16f3
R10: ffffed1010b162de R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880858b1560 R14: 0000000000000000 R15: ffff88808a866100
FS:  0000000002ba9940(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffccdd85e4c CR3: 00000000a8c7a000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sock_close+0x18/0x20 net/socket.c:1277
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:140 [inline]
 exit_to_user_mode_prepare+0x195/0x1c0 kernel/entry/common.c:167
 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:242
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffce4822f40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190430 R09: 0000000000000000
R10: 00007ffce4823020 R11: 0000000000000293 R12: 0000000001190438
R13: 0000000000000001 R14: ffffffffffffffff R15: 000000000118cfec
Modules linked in:
---[ end trace 5633c6f97290c124 ]---
RIP: 0010:__sock_release+0xbb/0x280 net/socket.c:596
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 a5 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 01 00 00 48 89 df 41 ff 54 24 10 48 8d 7b 18
RSP: 0018:ffffc90009807e28 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880858b1540 RCX: 1ffff92001300f67
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: ffff8880858b16e0 R08: ffff8880858b16e0 R09: ffff8880858b16f3
R10: ffffed1010b162de R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880858b1560 R14: 0000000000000000 R15: ffff88808a866100
FS:  0000000002ba9940(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffccdd85e4c CR3: 00000000a8c7a000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (21):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro
ci-upstream-kasan-gce	2020/08/30 20:03	upstream	1127b219ce94	d5a3ae1f	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2020/08/28 21:51	upstream	15bc20c6af4c	d5a3ae1f	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/08/28 08:11	upstream	15bc20c6af4c	816e0689	.config	log	report	syz
ci-upstream-kasan-gce	2020/08/28 06:57	upstream	15bc20c6af4c	816e0689	.config	log	report	syz
ci-upstream-kasan-gce	2020/08/27 19:39	upstream	15bc20c6af4c	816e0689	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/08/27 19:31	upstream	15bc20c6af4c	816e0689	.config	log	report	syz
ci-upstream-kasan-gce-386	2020/08/28 06:41	upstream	15bc20c6af4c	816e0689	.config	log	report	syz
ci-upstream-kasan-gce-386	2020/08/27 19:41	upstream	15bc20c6af4c	816e0689	.config	log	report	syz
ci-upstream-net-this-kasan-gce	2020/09/04 04:05	net	8b4a11c67da5	abf9ba4f	.config	log	report	syz
ci-upstream-net-this-kasan-gce	2020/09/03 22:05	net	8b4a11c67da5	abf9ba4f	.config	log	report	syz
ci-upstream-net-this-kasan-gce	2020/09/03 18:52	net	8b4a11c67da5	abf9ba4f	.config	log	report	syz
ci-upstream-net-this-kasan-gce	2020/08/29 14:38	net	c8146fe292a7	d5a3ae1f	.config	log	report	syz
ci-upstream-net-this-kasan-gce	2020/08/28 06:37	net	af8ea1111346	816e0689	.config	log	report	syz
ci-upstream-net-kasan-gce	2020/09/04 04:18	net-next	22b330b622e3	abf9ba4f	.config	log	report	syz
ci-upstream-net-kasan-gce	2020/08/28 19:42	net-next	0baf01942d3d	d5a3ae1f	.config	log	report	syz
ci-upstream-linux-next-kasan-gce-root	2020/08/29 06:36	linux-next	b36c969764ab	d5a3ae1f	.config	log	report	syz
ci-upstream-linux-next-kasan-gce-root	2020/08/27 21:05	linux-next	88abac0b753d	816e0689	.config	log	report	syz
ci-upstream-kasan-gce-386	2020/08/30 05:30	upstream	1127b219ce94	d5a3ae1f	.config	log	report
ci-upstream-net-this-kasan-gce	2020/09/04 00:15	net	8b4a11c67da5	abf9ba4f	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/09/03 00:03	linux-next	4442749a2031	abf9ba4f	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/09/01 23:45	linux-next	b36c969764ab	abf9ba4f	.config	log	report