general protection fault in vsock_poll


syzbot

Jul 21, 2020, 6:43:21 PM
to da...@davemloft.net, de...@microsoft.com, jha...@vmware.com, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, sgar...@redhat.com, stef...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6a70f89c Merge tag 'nfs-for-5.8-3' of git://git.linux-nfs...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=172ed85f100000
kernel config: https://syzkaller.appspot.com/x/.config?x=a160d1053fc89af5
dashboard link: https://syzkaller.appspot.com/bug?extid=a61bac2fcc1a7c6623fe
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1539bcf0900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a61bac...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
CPU: 1 PID: 9090 Comm: syz-executor.3 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:vsock_poll+0x75a/0x8e0 net/vmw_vsock/af_vsock.c:1038
Code: 84 ed 0f 85 c4 00 00 00 e8 b3 33 99 f9 48 8d bb 90 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa c6 44 24 30 00 48 c1 ea 03 <80> 3c 02 00 0f 85 3f 01 00 00 48 8d 54 24 30 be 01 00 00 00 48 89
RSP: 0018:ffffc90007bcf650 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87da863f
RDX: 0000000000000012 RSI: ffffffff87da864d RDI: 0000000000000090
RBP: ffff8880a4fbc800 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8880a4fbcc2a R15: 0000000000000001
FS: 00007f97883c0700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555e4c1776b0 CR3: 00000000a8182000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sock_poll+0x159/0x460 net/socket.c:1266
vfs_poll include/linux/poll.h:90 [inline]
do_select+0x8dc/0x1630 fs/select.c:534
core_sys_select+0x3ba/0x8e0 fs/select.c:677
do_pselect.constprop.0+0x17b/0x1c0 fs/select.c:759
__do_sys_pselect6 fs/select.c:800 [inline]
__se_sys_pselect6 fs/select.c:791 [inline]
__x64_sys_pselect6+0x1ea/0x2e0 fs/select.c:791
do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c1d9
Code: Bad RIP value.
RSP: 002b:00007f97883bfc78 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 0000000000023b80 RCX: 000000000045c1d9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 000000000078c098 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000078c04c
R13: 00007ffed20a578f R14: 00007f97883c09c0 R15: 000000000078c04c
Modules linked in:
---[ end trace 086e7155f301615d ]---
RIP: 0010:vsock_poll+0x75a/0x8e0 net/vmw_vsock/af_vsock.c:1038
Code: 84 ed 0f 85 c4 00 00 00 e8 b3 33 99 f9 48 8d bb 90 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa c6 44 24 30 00 48 c1 ea 03 <80> 3c 02 00 0f 85 3f 01 00 00 48 8d 54 24 30 be 01 00 00 00 48 89
RSP: 0018:ffffc90007bcf650 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87da863f
RDX: 0000000000000012 RSI: ffffffff87da864d RDI: 0000000000000090
RBP: ffff8880a4fbc800 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8880a4fbcc2a R15: 0000000000000001
FS: 00007f97883c0700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004d9ad0 CR3: 00000000a8182000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Jul 29, 2020, 4:59:06 AM
to da...@davemloft.net, de...@microsoft.com, jha...@vmware.com, ku...@kernel.org, k...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, sgar...@redhat.com, stef...@redhat.com, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org
syzbot has bisected this issue to:

commit 408624af4c89989117bb2c6517bd50b7708a2fcd
Author: Stefano Garzarella <sgar...@redhat.com>
Date: Tue Dec 10 10:43:06 2019 +0000

vsock: use local transport when it is loaded

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17e6489b100000
start commit: 92ed3019 Linux 5.8-rc7
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1416489b100000
console output: https://syzkaller.appspot.com/x/log.txt?x=1016489b100000
kernel config: https://syzkaller.appspot.com/x/.config?x=84f076779e989e69
dashboard link: https://syzkaller.appspot.com/bug?extid=a61bac2fcc1a7c6623fe
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15930b64900000

Reported-by: syzbot+a61bac...@syzkaller.appspotmail.com
Fixes: 408624af4c89 ("vsock: use local transport when it is loaded")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Stefano Garzarella

Jul 29, 2020, 5:40:30 AM
to net...@vger.kernel.org, da...@davemloft.net, de...@microsoft.com, jha...@vmware.com, ku...@kernel.org, k...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+a61bac...@syzkaller.appspotmail.com, stef...@redhat.com, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org
I'll take a look.

At first glance it seems strange, because if sk_state is TCP_ESTABLISHED,
the transport shouldn't be NULL, that's why we didn't put the check.

Stefano

syzbot

Aug 7, 2020, 1:11:06 PM
to sgar...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+a61bac...@syzkaller.appspotmail.com

Tested on:

commit: 0bbb9656 vsock: call vsock_transport_cancel_pkt() with soc..
git tree: https://github.com/stefano-garzarella/linux.git vsock-fix-poll-null-transport
kernel config: https://syzkaller.appspot.com/x/.config?x=5b9f823fa4d95d89
dashboard link: https://syzkaller.appspot.com/bug?extid=a61bac2fcc1a7c6623fe
compiler: gcc (GCC) 10.1.0-syz 20200507

Note: testing is done by a robot and is best-effort only.

syzbot

Aug 7, 2020, 11:15:07 PM
to sgar...@redhat.com, syzkall...@googlegroups.com

syzbot

Aug 11, 2020, 4:39:07 AM
to sgar...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+a61bac...@syzkaller.appspotmail.com

Tested on:

commit: dfa4b719 vsock: clean vsock_poll()
git tree: https://github.com/stefano-garzarella/linux.git vsock-fix-poll-null-transport
kernel config: https://syzkaller.appspot.com/x/.config?x=c5fed59685df626b

syzbot

Aug 12, 2020, 8:11:08 AM
to sgar...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+a61bac...@syzkaller.appspotmail.com

Tested on:

commit: 55124db5 vsock: fix potential null pointer dereference in ..
git tree: https://github.com/stefano-garzarella/linux.git vsock-fix-poll-null-transport
kernel config: https://syzkaller.appspot.com/x/.config?x=a1b5c8a2bd4a69c
