general protection fault in __list_del_entry

syzbot

Apr 11, 2019, 8:00:53 PM4/11/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 610c8356
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11cfb901800000
kernel config: https://syzkaller.appspot.com/x/.config?x=44509e3077d6939
dashboard link: https://syzkaller.appspot.com/bug?extid=0c478104eb1792f665e8
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13892491800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11dd2621800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0c4781...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read, 115 bits of
entropy available)
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3341 Comm: syzkaller877370 Not tainted 4.4.107-g610c835 #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801cfc52f80 task.stack: ffff8801d1140000
RIP: 0010:[<ffffffff81d641d6>] [<ffffffff81d641d6>]
__list_del_entry+0x86/0x1d0 lib/list_debug.c:57
RSP: 0018:ffff8801d1147628 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8800b74f5a10
RDX: 0000000000000000 RSI: ffffffff851b2510 RDI: ffff8800b74f5a18
RBP: ffff8801d1147640 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 1ffff1003a228e94 R12: 0000000000000000
R13: ffff8800b74f59b9 R14: ffff8800b74f5a38 R15: 00000000ffffffde
FS: 00000000022e7880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020239000 CR3: 00000001d05c4000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8800b74f5a38 ffff8800b74f5a10 ffffffff846eb040 ffff8801d1147658
ffffffff81d6432d ffff8800b74f5a10 ffff8801d1147678 ffffffff832b081e
ffff8800b7032a80 ffff8800b74f5a10 ffff8801d1147698 ffffffff832cfd73
Call Trace:
[<ffffffff81d6432d>] list_del+0xd/0x70 lib/list_debug.c:77
[<ffffffff832b081e>] xfrm_state_walk_done+0x6e/0xa0
net/xfrm/xfrm_state.c:1675
[<ffffffff832cfd73>] xfrm_dump_sa_done+0x73/0xa0 net/xfrm/xfrm_user.c:913
[<ffffffff82f80f21>] netlink_dump+0x871/0xb40 net/netlink/af_netlink.c:2158
[<ffffffff82f8570e>] __netlink_dump_start+0x52e/0x7c0
net/netlink/af_netlink.c:2223
[<ffffffff832d035d>] netlink_dump_start include/linux/netlink.h:175
[inline]
[<ffffffff832d035d>] xfrm_user_rcv_msg+0x5bd/0x6b0
net/xfrm/xfrm_user.c:2512
[<ffffffff82f8adee>] netlink_rcv_skb+0x13e/0x370
net/netlink/af_netlink.c:2305
[<ffffffff832cc6ef>] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2533
[<ffffffff82f89972>] netlink_unicast_kernel net/netlink/af_netlink.c:1223
[inline]
[<ffffffff82f89972>] netlink_unicast+0x522/0x760
net/netlink/af_netlink.c:1249
[<ffffffff82f8a498>] netlink_sendmsg+0x8e8/0xc50
net/netlink/af_netlink.c:1803
[<ffffffff82dec59a>] sock_sendmsg_nosec net/socket.c:625 [inline]
[<ffffffff82dec59a>] sock_sendmsg+0xca/0x110 net/socket.c:635
[<ffffffff82dec806>] sock_write_iter+0x226/0x3b0 net/socket.c:834
[<ffffffff8151b0ec>] new_sync_write fs/read_write.c:478 [inline]
[<ffffffff8151b0ec>] __vfs_write+0x33c/0x450 fs/read_write.c:491
[<ffffffff8151cd1a>] vfs_write+0x18a/0x530 fs/read_write.c:538
[<ffffffff8151f409>] SYSC_write fs/read_write.c:585 [inline]
[<ffffffff8151f409>] SyS_write+0xd9/0x1b0 fs/read_write.c:577
[<ffffffff83773d36>] entry_SYSCALL_64_fastpath+0x16/0x76
Code: c4 0f 84 94 00 00 00 48 b8 00 02 00 00 00 00 ad de 48 39 c3 0f 84 a5
00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00
0f 85 e8 00 00 00 4c 8b 03 49 39 c8 0f 85 9b 00 00
RIP [<ffffffff81d641d6>] __list_del_entry+0x86/0x1d0 lib/list_debug.c:57
RSP <ffff8801d1147628>
---[ end trace 1a116fbea6ba355f ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches