syzbot


general protection fault in __sock_release (3)

Status: upstream: reported syz repro on 2020/08/31 19:38
Reported-by: syzbot+0cd67947050ba830202c@syzkaller.appspotmail.com
First crash: 761d, last: 754d

Cause bisection: introduced by (bisect log) :
commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
Author: Marc Zyngier <maz@kernel.org>
Date: Wed Aug 19 16:12:17 2020 +0000

  epoll: Keep a reference on files added to the check list

Crash: BUG: unable to handle kernel NULL pointer dereference in __sock_release (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) [no-op commit]:
commit 4b04e0decd2518e54e3f371abf3d883b3198663d
Author: Sumanth Korikkar <sumanthk@linux.ibm.com>
Date: Mon Aug 17 07:27:54 2020 +0000

  perf test: Fix basic bpf filtering test

similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in __sock_release syz done 8 749d 761d 1/1 fixed on 2020/10/09 08:27
linux-4.14 general protection fault in __sock_release syz done 12 749d 761d 1/1 fixed on 2020/10/09 20:44
upstream general protection fault in __sock_release 1 1531d 1531d 9/24 fixed on 2018/08/07 13:43
upstream general protection fault in __sock_release (2) 20 1199d 1337d 0/24 auto-closed as invalid on 2019/10/25 08:42
Patch testing requests:
Created Duration User Patch Repo Result
2022/09/23 07:30 16m upstream OK log
2022/09/23 03:30 16m upstream OK log
2022/09/21 15:29 15m linux-next OK log
2022/09/21 13:29 16m linux-next OK log
2022/09/20 09:29 16m upstream OK log
2022/09/12 08:27 16m upstream OK log
2022/09/12 05:27 16m upstream OK log
2022/09/12 01:27 16m upstream OK log
2022/09/10 06:27 15m net-next OK log
2022/09/10 02:27 15m net-next OK log
2022/09/09 18:27 16m net OK log
2022/09/09 12:27 16m net OK log
2022/09/09 09:27 16m net OK log
2022/09/09 05:27 15m net OK log
2022/09/09 01:27 15m net OK log
2022/09/07 22:27 7m upstream error
2022/09/07 19:27 16m upstream OK log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 7662 Comm: syz-executor.0 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__sock_release+0xbb/0x280 net/socket.c:596
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 a5 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 01 00 00 48 89 df 41 ff 54 24 10 48 8d 7b 18
RSP: 0018:ffffc9000a91fe00 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888084e4b540 RCX: 1ffff92001523f62
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: ffff888084e4b6e0 R08: ffff888084e4b6e0 R09: ffff888084e4b6f3
R10: ffffed10109c96de R11: 0000000000000000 R12: 0000000000000000
R13: ffff888084e4b560 R14: 0000000000000000 R15: ffff888086b4dd38
FS:  0000000000000000(0000) GS:ffff8880ae700000(0063) knlGS:000000000a4e8900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f7792db0 CR3: 00000000a26cc000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sock_close+0x18/0x20 net/socket.c:1277
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:140 [inline]
 exit_to_user_mode_prepare+0x195/0x1c0 kernel/entry/common.c:167
 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:242
 __do_fast_syscall_32+0x63/0x80 arch/x86/entry/common.c:127
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7fb9549
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ffe101ec EFLAGS: 00000292 ORIG_RAX: 0000000000000006
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 4b0eaddb14ff000c ]---
RIP: 0010:__sock_release+0xbb/0x280 net/socket.c:596
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 a5 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 01 00 00 48 89 df 41 ff 54 24 10 48 8d 7b 18
RSP: 0018:ffffc9000a91fe00 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888084e4b540 RCX: 1ffff92001523f62
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: ffff888084e4b6e0 R08: ffff888084e4b6e0 R09: ffff888084e4b6f3
R10: ffffed10109c96de R11: 0000000000000000 R12: 0000000000000000
R13: ffff888084e4b560 R14: 0000000000000000 R15: ffff888086b4dd38
FS:  0000000000000000(0000) GS:ffff8880ae700000(0063) knlGS:000000000a4e8900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f7792db0 CR3: 00000000a26cc000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (21):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-386 2020/08/27 19:41 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce 2020/08/30 20:03 upstream 1127b219ce94 d5a3ae1f .config log report syz
ci-upstream-kasan-gce-selinux-root 2020/08/28 21:51 upstream 15bc20c6af4c d5a3ae1f .config log report syz
ci-upstream-kasan-gce-root 2020/08/28 08:11 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce 2020/08/28 06:57 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce 2020/08/27 19:39 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce-root 2020/08/27 19:31 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-kasan-gce-386 2020/08/28 06:41 upstream 15bc20c6af4c 816e0689 .config log report syz
ci-upstream-net-this-kasan-gce 2020/09/04 04:05 net 8b4a11c67da5 abf9ba4f .config log report syz
ci-upstream-net-this-kasan-gce 2020/09/03 22:05 net 8b4a11c67da5 abf9ba4f .config log report syz
ci-upstream-net-this-kasan-gce 2020/09/03 18:52 net 8b4a11c67da5 abf9ba4f .config log report syz
ci-upstream-net-this-kasan-gce 2020/08/29 14:38 net c8146fe292a7 d5a3ae1f .config log report syz
ci-upstream-net-this-kasan-gce 2020/08/28 06:37 net af8ea1111346 816e0689 .config log report syz
ci-upstream-net-kasan-gce 2020/09/04 04:18 net-next 22b330b622e3 abf9ba4f .config log report syz
ci-upstream-net-kasan-gce 2020/08/28 19:42 net-next 0baf01942d3d d5a3ae1f .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/29 06:36 linux-next b36c969764ab d5a3ae1f .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/08/27 21:05 linux-next 88abac0b753d 816e0689 .config log report syz
ci-upstream-kasan-gce-386 2020/08/30 05:30 upstream 1127b219ce94 d5a3ae1f .config log report
ci-upstream-net-this-kasan-gce 2020/09/04 00:15 net 8b4a11c67da5 abf9ba4f .config log report
ci-upstream-linux-next-kasan-gce-root 2020/09/03 00:03 linux-next 4442749a2031 abf9ba4f .config log report
ci-upstream-linux-next-kasan-gce-root 2020/09/01 23:45 linux-next b36c969764ab abf9ba4f .config log report
* Struck through repros no longer work on HEAD.