general protection fault in tcp_sendmsg

syzbot
Sep 13, 2019, 3:41:08 AM9/13/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: f02af7b0 Merge 4.14.143 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=10cc4349600000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d9cf2fd50fd7015
dashboard link: https://syzkaller.appspot.com/bug?extid=12e2d60f55aebe109672
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+12e2d6...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 1 PID: 3815 Comm: syz-executor.2 Not tainted 4.14.143+ #0
task: 00000000e018343c task.stack: 00000000807ae78f
RIP: 0010:tcp_sendmsg_locked+0x509/0x2f50 net/ipv4/tcp.c:1281
RSP: 0018:ffff8881cb02f998 EFLAGS: 00010206
RAX: 0000000000000011 RBX: ffff8881cccd1b80 RCX: 000000000000010c
RDX: ffffffff8252e3a0 RSI: ffffc90003348000 RDI: 0000000000000088
RBP: ffff8881c8334d12 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff5605ba5 R11: 0000000000000000 R12: ffff8881cb02fc00
R13: 0000000000000000 R14: ffff8881c8334d00 R15: dffffc0000000000
FS: 00007f8a49dbc700(0000) GS:ffff8881dbb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001cce36002 CR4: 00000000001606a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb7/0x100 net/socket.c:656
sock_write_iter+0x20f/0x360 net/socket.c:925
call_write_iter include/linux/fs.h:1788 [inline]
new_sync_write fs/read_write.c:471 [inline]
__vfs_write+0x401/0x5a0 fs/read_write.c:484
vfs_write+0x17f/0x4d0 fs/read_write.c:546
SYSC_write fs/read_write.c:594 [inline]
SyS_write+0x102/0x250 fs/read_write.c:586
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4598e9
RSP: 002b:00007f8a49dbbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9
RDX: 000000000000004c RSI: 0000000020000140 RDI: 0000000000000007
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8a49dbc6d4
R13: 00000000004c5e50 R14: 00000000004e0380 R15: 00000000ffffffff
Code: 4e 32 de fe 48 85 db 0f 84 12 08 00 00 e8 40 32 de fe 8b 84 24 08 01 00 00 49 8d bd 88 00 00 00 89 44 24 08 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 74 06 0f 8e 07 24 00 00 41 f6 85 88 00 00
RIP: tcp_sendmsg_locked+0x509/0x2f50 net/ipv4/tcp.c:1281 RSP: ffff8881cb02f998
---[ end trace 33f184410e14726f ]---

__vfs_write+0xf9/0x5a0 fs/read_write.c:482
vfs_write+0x17f/0x4d0 fs/read_write.c:546
SYSC_write fs/read_write.c:594 [inline]
SyS_write+0x102/0x250 fs/read_write.c:586
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4598e9
RSP: 002b:00007f9e339fdc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9e339fe6d4
R13: 00000000004c9b57 R14: 00000000004e12c8 R15: 00000000ffffffff
Mem-Info:
active_anon:83069 inactive_anon:2033 isolated_anon:0
active_file:4353 inactive_file:11112 isolated_file:0
unevictable:0 dirty:115 writeback:0 unstable:0
slab_reclaimable:5555 slab_unreclaimable:57897
mapped:58846 shmem:4144 pagetables:937 bounce:0
free:1417512 free_pcp:154 free_cma:0
Node 0 active_anon:332276kB inactive_anon:8132kB active_file:17412kB
inactive_file:44448kB unevictable:0kB isolated(anon):0kB isolated(file):0kB
mapped:235384kB dirty:460kB writeback:0kB shmem:16576kB writeback_tmp:0kB
unstable:0kB all_unreclaimable? no
DMA32 free:3079672kB min:4792kB low:7868kB high:10944kB active_anon:0kB
inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB
writepending:0kB present:3145324kB managed:3079672kB mlocked:0kB
kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB
free_cma:0kB
lowmem_reserve[]: 0 3437 3437
Normal free:2589556kB min:5480kB low:9000kB high:12520kB
active_anon:332276kB inactive_anon:8132kB active_file:17412kB
inactive_file:44448kB unevictable:0kB writepending:460kB present:4718592kB
managed:3521564kB mlocked:0kB kernel_stack:3232kB pagetables:3896kB
bounce:0kB free_pcp:620kB local_pcp:228kB free_cma:0kB
lowmem_reserve[]: 0 0

audit: type=1400 audit(1568356799.473:16): avc: denied { create } for pid=3809 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1568356799.473:17): avc: denied { write } for pid=3809 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1568356799.473:18): avc: denied { read } for pid=3809 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot
Jan 11, 2020, 1:41:06 AM1/11/20
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.