[syzbot] memory leak in __vsock_create


syzbot

Apr 10, 2022, 1:46:19 AM
to da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, sgar...@redhat.com, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org
Hello,

syzbot found the following issue on:

HEAD commit: ce4c854ee868 Merge tag 'for-5.18-rc1-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1099787f700000
kernel config: https://syzkaller.appspot.com/x/.config?x=983cf973af0d1b0f
dashboard link: https://syzkaller.appspot.com/bug?extid=b03f55bf128f9a38f064
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bf17f7700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12810bbf700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b03f55...@syzkaller.appspotmail.com

Warning: Permanently added '10.128.1.36' (ECDSA) to the list of known hosts.
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88810ea56a40 (size 1232):
comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............
backtrace:
[<ffffffff837c830e>] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930
[<ffffffff837cbe22>] sk_alloc+0x32/0x2e0 net/core/sock.c:1989
[<ffffffff842ccf68>] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734
[<ffffffff842ce8f1>] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203
[<ffffffff837c0cbb>] __sock_create+0x1ab/0x2b0 net/socket.c:1468
[<ffffffff837c3acf>] sock_create net/socket.c:1519 [inline]
[<ffffffff837c3acf>] __sys_socket+0x6f/0x140 net/socket.c:1561
[<ffffffff837c3bba>] __do_sys_socket net/socket.c:1570 [inline]
[<ffffffff837c3bba>] __se_sys_socket net/socket.c:1568 [inline]
[<ffffffff837c3bba>] __x64_sys_socket+0x1a/0x20 net/socket.c:1568
[<ffffffff84512815>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84512815>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff88810fb89080 (size 96):
comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s)
hex dump (first 32 bytes):
40 6a a5 0e 81 88 ff ff 00 00 00 00 00 00 00 00 @j..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff842d3767>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff842d3767>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff842d3767>] virtio_transport_do_socket_init+0x27/0xe0 net/vmw_vsock/virtio_transport_common.c:593
[<ffffffff842cbaf0>] vsock_assign_transport+0x200/0x320 net/vmw_vsock/af_vsock.c:502
[<ffffffff842cf8a8>] vsock_connect+0x128/0x5d0 net/vmw_vsock/af_vsock.c:1345
[<ffffffff837c4722>] __sys_connect_file+0x92/0xa0 net/socket.c:1900
[<ffffffff81667a4a>] io_connect+0x8a/0x370 fs/io_uring.c:5711
[<ffffffff8166ea49>] io_issue_sqe+0xb29/0x2cb0 fs/io_uring.c:7294
[<ffffffff81671c09>] __io_queue_sqe fs/io_uring.c:7605 [inline]
[<ffffffff81671c09>] io_queue_sqe fs/io_uring.c:7647 [inline]
[<ffffffff81671c09>] io_submit_sqe fs/io_uring.c:7855 [inline]
[<ffffffff81671c09>] io_submit_sqes+0xa99/0x2ed0 fs/io_uring.c:7961
[<ffffffff81674581>] __do_sys_io_uring_enter+0x541/0xa20 fs/io_uring.c:11011
[<ffffffff84512815>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84512815>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 19, 2022, 9:11:08 AM
to syzkall...@googlegroups.com, zhaojun...@126.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in virtio_transport_stream_has_data

kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:714 [inline]
virtio_transport_do_socket_init+0x27/0xe0 net/vmw_vsock/virtio_transport_common.c:593
vsock_assign_transport+0x200/0x320 net/vmw_vsock/af_vsock.c:502
vsock_connect+0x128/0x5e0 net/vmw_vsock/af_vsock.c:1345
__sys_connect_file+0x92/0xa0 net/socket.c:1900
io_connect+0x8a/0x370 fs/io_uring.c:5679
io_issue_sqe+0x119d/0x3210 fs/io_uring.c:7171
__io_queue_sqe fs/io_uring.c:7499 [inline]
io_queue_sqe fs/io_uring.c:7541 [inline]
io_submit_sqe fs/io_uring.c:7746 [inline]
io_submit_sqes+0x553/0x3020 fs/io_uring.c:7852
__do_sys_io_uring_enter+0x6dd/0x10e0 fs/io_uring.c:10797
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
general protection fault, probably for non-canonical address 0xfd887c08fd8b4219: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 4176 Comm: syz-executor.2 Not tainted 5.18.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__pv_queued_spin_lock_slowpath+0x1ad/0x2d0 kernel/locking/qspinlock.c:471
Code: eb 96 83 e0 03 c1 ea 12 41 be 01 00 00 00 4c 8d 6b 14 48 c1 e0 05 4c 8d a0 00 c7 02 00 8d 42 ff 48 98 4c 03 24 c5 a0 58 7c 85 <49> 89 1c 24 b8 00 80 00 00 eb 15 84 c0 75 0a 41 0f b6 54 24 14 84
RSP: 0018:ffffc90003bbbb70 EFLAGS: 00010282
RAX: 0000000000003ffe RBX: ffff88813bc2c700 RCX: 0000000000000001
RDX: 0000000000003fff RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88811825920c R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff842cd014 R11: 0000000000000000 R12: fd887c08fd8b4219
R13: ffff88813bc2c714 R14: 0000000000000001 R15: 0000000000040000
FS: 00007f638a3de700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f638a3bd718 CR3: 000000011877e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
do_raw_spin_lock include/linux/spinlock.h:185 [inline]
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:354 [inline]
virtio_transport_stream_has_data+0x1f/0x40 net/vmw_vsock/virtio_transport_common.c:542
virtio_transport_notify_poll_in+0x17/0x40 net/vmw_vsock/virtio_transport_common.c:637
vsock_poll+0x24a/0x4f0 net/vmw_vsock/af_vsock.c:1069
sock_poll+0x7b/0x1d0 net/socket.c:1306
vfs_poll include/linux/poll.h:88 [inline]
__io_arm_poll_handler+0xb3/0x350 fs/io_uring.c:6106
io_arm_poll_handler+0x203/0x4f0 fs/io_uring.c:6200
io_queue_sqe_arm_apoll+0x31/0x120 fs/io_uring.c:7474
__io_queue_sqe fs/io_uring.c:7514 [inline]
io_queue_sqe fs/io_uring.c:7541 [inline]
io_submit_sqe fs/io_uring.c:7746 [inline]
io_submit_sqes+0x2f3a/0x3020 fs/io_uring.c:7852
__do_sys_io_uring_enter+0x6dd/0x10e0 fs/io_uring.c:10797
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f6389289049
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f638a3de168 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007f638939bf60 RCX: 00007f6389289049
RDX: 0000000000000000 RSI: 00000000000067b5 RDI: 0000000000000003
RBP: 00007f63892e308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd20eb8b9f R14: 00007f638a3de300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__pv_queued_spin_lock_slowpath+0x1ad/0x2d0 kernel/locking/qspinlock.c:471
Code: eb 96 83 e0 03 c1 ea 12 41 be 01 00 00 00 4c 8d 6b 14 48 c1 e0 05 4c 8d a0 00 c7 02 00 8d 42 ff 48 98 4c 03 24 c5 a0 58 7c 85 <49> 89 1c 24 b8 00 80 00 00 eb 15 84 c0 75 0a 41 0f b6 54 24 14 84
RSP: 0018:ffffc90003bbbb70 EFLAGS: 00010282
RAX: 0000000000003ffe RBX: ffff88813bc2c700 RCX: 0000000000000001
RDX: 0000000000003fff RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88811825920c R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff842cd014 R11: 0000000000000000 R12: fd887c08fd8b4219
R13: ffff88813bc2c714 R14: 0000000000000001 R15: 0000000000040000
FS: 00007f638a3de700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f638a3bd718 CR3: 000000011877e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: eb 96 jmp 0xffffff98
2: 83 e0 03 and $0x3,%eax
5: c1 ea 12 shr $0x12,%edx
8: 41 be 01 00 00 00 mov $0x1,%r14d
e: 4c 8d 6b 14 lea 0x14(%rbx),%r13
12: 48 c1 e0 05 shl $0x5,%rax
16: 4c 8d a0 00 c7 02 00 lea 0x2c700(%rax),%r12
1d: 8d 42 ff lea -0x1(%rdx),%eax
20: 48 98 cltq
22: 4c 03 24 c5 a0 58 7c add -0x7a83a760(,%rax,8),%r12
29: 85
* 2a: 49 89 1c 24 mov %rbx,(%r12) <-- trapping instruction
2e: b8 00 80 00 00 mov $0x8000,%eax
33: eb 15 jmp 0x4a
35: 84 c0 test %al,%al
37: 75 0a jne 0x43
39: 41 0f b6 54 24 14 movzbl 0x14(%r12),%edx
3f: 84 .byte 0x84


Tested on:

commit: b2d229d4 Linux 5.18-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13439c44f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=e6156282f3a672da
dashboard link: https://syzkaller.appspot.com/bug?extid=b03f55bf128f9a38f064
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11bc3394f00000

syzbot

Apr 19, 2022, 9:45:10 PM
to syzkall...@googlegroups.com, zhaojun...@126.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in virtio_transport_remove_sock

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 117d1d067 P4D 117d1d067
PUD 117d14067 PMD 0

Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 4144 Comm: syz-executor.3 Not tainted 5.18.0-rc3-syzkaller-00007-g559089e0a93d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:virtio_transport_remove_sock+0x3a/0xd0 net/vmw_vsock/virtio_transport_common.c:869
Code: 49 bd 22 01 00 00 00 00 ad de 41 54 55 53 48 89 fb 48 83 ec 08 48 89 3c 24 e8 22 b9 08 fd 4c 8b a3 c8 04 00 00 49 8b 44 24 30 <48> 8b 18 48 8d 68 d0 48 83 eb 30 49 39 ec 75 05 eb 64 48 89 c3 e8
RSP: 0018:ffffc900029cbc20 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888117db3a80 RCX: 0000000000000000
RDX: ffff888115c607c0 RSI: ffffffff842d4dae RDI: ffff888117db3a80
RBP: ffff888117db3a80 R08: 0000000000000000 R09: 0000000000000007
R10: ffffffff842d60c3 R11: 000000000000000b R12: ffff888117c60780
R13: dead000000000122 R14: dead000000000100 R15: ffff888113a04600
FS: 00007f9e311dd700(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000117d8d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
virtio_transport_release+0x51/0x430 net/vmw_vsock/virtio_transport_common.c:980
__vsock_release+0x4d/0x310 net/vmw_vsock/af_vsock.c:810
vsock_release+0x14/0x30 net/vmw_vsock/af_vsock.c:887
__sock_release+0x47/0xd0 net/socket.c:650
sock_close+0x15/0x20 net/socket.c:1318
__fput+0x105/0x430 fs/file_table.c:317
task_work_run+0x73/0xb0 kernel/task_work.c:164
get_signal+0xb9/0xf90 kernel/signal.c:2641
arch_do_signal_or_restart+0x31/0x720 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0xa7/0x160 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:294
do_syscall_64+0x42/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9e31a89049
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9e311dd168 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 00007f9e31b9c030 RCX: 00007f9e31a89049
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f9e31ae308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd5225875f R14: 00007f9e311dd300 R15: 0000000000022000
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:virtio_transport_remove_sock+0x3a/0xd0 net/vmw_vsock/virtio_transport_common.c:869
Code: 49 bd 22 01 00 00 00 00 ad de 41 54 55 53 48 89 fb 48 83 ec 08 48 89 3c 24 e8 22 b9 08 fd 4c 8b a3 c8 04 00 00 49 8b 44 24 30 <48> 8b 18 48 8d 68 d0 48 83 eb 30 49 39 ec 75 05 eb 64 48 89 c3 e8
RSP: 0018:ffffc900029cbc20 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888117db3a80 RCX: 0000000000000000
RDX: ffff888115c607c0 RSI: ffffffff842d4dae RDI: ffff888117db3a80
RBP: ffff888117db3a80 R08: 0000000000000000 R09: 0000000000000007
R10: ffffffff842d60c3 R11: 000000000000000b R12: ffff888117c60780
R13: dead000000000122 R14: dead000000000100 R15: ffff888113a04600
FS: 00007f9e311dd700(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000117d8d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 49 bd 22 01 00 00 00 movabs $0xdead000000000122,%r13
7: 00 ad de
a: 41 54 push %r12
c: 55 push %rbp
d: 53 push %rbx
e: 48 89 fb mov %rdi,%rbx
11: 48 83 ec 08 sub $0x8,%rsp
15: 48 89 3c 24 mov %rdi,(%rsp)
19: e8 22 b9 08 fd callq 0xfd08b940
1e: 4c 8b a3 c8 04 00 00 mov 0x4c8(%rbx),%r12
25: 49 8b 44 24 30 mov 0x30(%r12),%rax
* 2a: 48 8b 18 mov (%rax),%rbx <-- trapping instruction
2d: 48 8d 68 d0 lea -0x30(%rax),%rbp
31: 48 83 eb 30 sub $0x30,%rbx
35: 49 39 ec cmp %rbp,%r12
38: 75 05 jne 0x3f
3a: eb 64 jmp 0xa0
3c: 48 89 c3 mov %rax,%rbx
3f: e8 .byte 0xe8


Tested on:

commit: 559089e0 vmalloc: replace VM_NO_HUGE_VMAP with VM_ALLO..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d8673f700000
kernel config: https://syzkaller.appspot.com/x/.config?x=e6156282f3a672da
dashboard link: https://syzkaller.appspot.com/bug?extid=b03f55bf128f9a38f064
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16b36fccf00000

syzbot

Apr 19, 2022, 10:19:08 PM
to syzkall...@googlegroups.com, zhaojun...@126.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in virtio_transport_remove_sock

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 118310067 P4D 118310067 PUD 118313067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 4200 Comm: syz-executor.0 Tainted: G W 5.18.0-rc3-syzkaller-00007-g559089e0a93d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:virtio_transport_remove_sock+0x3a/0xd0 net/vmw_vsock/virtio_transport_common.c:869
Code: 49 bd 22 01 00 00 00 00 ad de 41 54 55 53 48 89 fb 48 83 ec 08 48 89 3c 24 e8 12 b9 08 fd 4c 8b a3 c8 04 00 00 49 8b 44 24 30 <48> 8b 18 48 8d 68 d0 48 83 eb 30 49 39 ec 75 05 eb 64 48 89 c3 e8
RSP: 0018:ffffc90002b0bc20 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888118321a80 RCX: 0000000000000000
RDX: ffff888113462340 RSI: ffffffff842d4dbe RDI: ffff888118321a80
RBP: ffff888118321a80 R08: 0000000000000000 R09: 0000000000000007
R10: ffffffff842d60d3 R11: 000000000000000b R12: ffff888117bbe100
R13: dead000000000122 R14: dead000000000100 R15: ffff888113a08d80
FS: 00007f9f7fbfe700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000118342000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
virtio_transport_release+0x51/0x430 net/vmw_vsock/virtio_transport_common.c:980
__vsock_release+0x4d/0x320 net/vmw_vsock/af_vsock.c:810
vsock_release+0x14/0x30 net/vmw_vsock/af_vsock.c:889
__sock_release+0x47/0xd0 net/socket.c:650
sock_close+0x15/0x20 net/socket.c:1318
__fput+0x105/0x430 fs/file_table.c:317
task_work_run+0x73/0xb0 kernel/task_work.c:164
get_signal+0xb9/0xf90 kernel/signal.c:2641
arch_do_signal_or_restart+0x31/0x720 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0xa7/0x160 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:294
do_syscall_64+0x42/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9f80489049
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9f7fbfe168 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 00007f9f8059c030 RCX: 00007f9f80489049
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f9f804e308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc3ac67c1f R14: 00007f9f7fbfe300 R15: 0000000000022000
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:virtio_transport_remove_sock+0x3a/0xd0 net/vmw_vsock/virtio_transport_common.c:869
Code: 49 bd 22 01 00 00 00 00 ad de 41 54 55 53 48 89 fb 48 83 ec 08 48 89 3c 24 e8 12 b9 08 fd 4c 8b a3 c8 04 00 00 49 8b 44 24 30 <48> 8b 18 48 8d 68 d0 48 83 eb 30 49 39 ec 75 05 eb 64 48 89 c3 e8
RSP: 0018:ffffc90002b0bc20 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888118321a80 RCX: 0000000000000000
RDX: ffff888113462340 RSI: ffffffff842d4dbe RDI: ffff888118321a80
RBP: ffff888118321a80 R08: 0000000000000000 R09: 0000000000000007
R10: ffffffff842d60d3 R11: 000000000000000b R12: ffff888117bbe100
R13: dead000000000122 R14: dead000000000100 R15: ffff888113a08d80
FS: 00007f9f7fbfe700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000118342000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 49 bd 22 01 00 00 00 movabs $0xdead000000000122,%r13
7: 00 ad de
a: 41 54 push %r12
c: 55 push %rbp
d: 53 push %rbx
e: 48 89 fb mov %rdi,%rbx
11: 48 83 ec 08 sub $0x8,%rsp
15: 48 89 3c 24 mov %rdi,(%rsp)
19: e8 12 b9 08 fd callq 0xfd08b930
1e: 4c 8b a3 c8 04 00 00 mov 0x4c8(%rbx),%r12
25: 49 8b 44 24 30 mov 0x30(%r12),%rax
* 2a: 48 8b 18 mov (%rax),%rbx <-- trapping instruction
2d: 48 8d 68 d0 lea -0x30(%rax),%rbp
31: 48 83 eb 30 sub $0x30,%rbx
35: 49 39 ec cmp %rbp,%r12
38: 75 05 jne 0x3f
3a: eb 64 jmp 0xa0
3c: 48 89 c3 mov %rax,%rbx
3f: e8 .byte 0xe8


Tested on:

commit: 559089e0 vmalloc: replace VM_NO_HUGE_VMAP with VM_ALLO..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13248becf00000
kernel config: https://syzkaller.appspot.com/x/.config?x=e6156282f3a672da
dashboard link: https://syzkaller.appspot.com/bug?extid=b03f55bf128f9a38f064
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16c9d398f00000

syzbot

Apr 19, 2022, 10:42:17 PM
to syzkall...@googlegroups.com, zhaojun...@126.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in virtio_transport_remove_sock

general protection fault, probably for non-canonical address 0x432000002060101: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 4194 Comm: syz-executor.5 Not tainted 5.18.0-rc3-syzkaller-00007-g559089e0a93d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:virtio_transport_remove_sock+0x3a/0xd0 net/vmw_vsock/virtio_transport_common.c:869
Code: 49 bd 22 01 00 00 00 00 ad de 41 54 55 53 48 89 fb 48 83 ec 08 48 89 3c 24 e8 12 b9 08 fd 4c 8b a3 c8 04 00 00 49 8b 44 24 30 <48> 8b 18 48 8d 68 d0 48 83 eb 30 49 39 ec 75 05 eb 64 48 89 c3 e8
RSP: 0018:ffffc90002ab3b80 EFLAGS: 00010293
RAX: 0432000002060101 RBX: ffff8881196a5a80 RCX: 0000000000000000
RDX: ffff888116bb4d00 RSI: ffffffff842d4dbe RDI: ffff8881196a5a80
RBP: ffff8881196a5a80 R08: 0000000000000000 R09: 0000000000000002
R10: ffffffff842d60d3 R11: 000000000000000b R12: ffff888118eda200
R13: dead000000000122 R14: dead000000000100 R15: ffff8881121a5900
FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1e52b82718 CR3: 000000011963a000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
virtio_transport_release+0x51/0x430 net/vmw_vsock/virtio_transport_common.c:980
__vsock_release+0x4d/0x320 net/vmw_vsock/af_vsock.c:810
vsock_release+0x14/0x30 net/vmw_vsock/af_vsock.c:888
__sock_release+0x47/0xd0 net/socket.c:650
sock_close+0x15/0x20 net/socket.c:1318
__fput+0x105/0x430 fs/file_table.c:317
task_work_run+0x73/0xb0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:37 [inline]
do_exit+0x47e/0x1110 kernel/exit.c:795
do_group_exit+0x4b/0xf0 kernel/exit.c:925
get_signal+0xf8f/0xf90 kernel/signal.c:2864
arch_do_signal_or_restart+0x31/0x720 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0xa7/0x160 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:294
do_syscall_64+0x42/0x80 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f1e51a89049
Code: Unable to access opcode bytes at RIP 0x7f1e51a8901f.
RSP: 002b:00007f1e52ba3218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f1e51b9bf68 RCX: 00007f1e51a89049
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f1e51b9bf68
RBP: 00007f1e51b9bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1e51b9bf6c
R13: 00007ffc02f0353f R14: 00007f1e52ba3300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:virtio_transport_remove_sock+0x3a/0xd0 net/vmw_vsock/virtio_transport_common.c:869
Code: 49 bd 22 01 00 00 00 00 ad de 41 54 55 53 48 89 fb 48 83 ec 08 48 89 3c 24 e8 12 b9 08 fd 4c 8b a3 c8 04 00 00 49 8b 44 24 30 <48> 8b 18 48 8d 68 d0 48 83 eb 30 49 39 ec 75 05 eb 64 48 89 c3 e8
RSP: 0018:ffffc90002ab3b80 EFLAGS: 00010293
RAX: 0432000002060101 RBX: ffff8881196a5a80 RCX: 0000000000000000
RDX: ffff888116bb4d00 RSI: ffffffff842d4dbe RDI: ffff8881196a5a80
RBP: ffff8881196a5a80 R08: 0000000000000000 R09: 0000000000000002
R10: ffffffff842d60d3 R11: 000000000000000b R12: ffff888118eda200
R13: dead000000000122 R14: dead000000000100 R15: ffff8881121a5900
FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1e52b82718 CR3: 0000000113850000 CR4: 00000000003506e0
console output: https://syzkaller.appspot.com/x/log.txt?x=158ad610f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=e6156282f3a672da
dashboard link: https://syzkaller.appspot.com/bug?extid=b03f55bf128f9a38f064
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14ecf02cf00000

syzbot

Apr 19, 2022, 11:24:13 PM
to syzkall...@googlegroups.com, zhaojun...@126.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in prepare_creds

BUG: memory leak
unreferenced object 0xffff8881045f5480 (size 176):
comm "syz-executor.4", pid 3885, jiffies 4294942965 (age 11.500s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8127a927>] prepare_creds+0x27/0x470 kernel/cred.c:260
[<ffffffff8127b750>] copy_creds+0x40/0x2c0 kernel/cred.c:365
[<ffffffff8123779e>] copy_process+0x5ce/0x23d0 kernel/fork.c:2094
[<ffffffff812397d3>] kernel_clone+0xf3/0x660 kernel/fork.c:2639
[<ffffffff81239db6>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2756
[<ffffffff84514625>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84514625>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888103970700 (size 32):
comm "syz-executor.4", pid 3885, jiffies 4294942965 (age 11.500s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 b0 2e 04 40 81 88 ff ff ...........@....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff821c317f>] lsm_cred_alloc security/security.c:537 [inline]
[<ffffffff821c317f>] security_prepare_creds+0x9f/0xc0 security/security.c:1708
[<ffffffff8127abe6>] prepare_creds+0x2e6/0x470 kernel/cred.c:291
[<ffffffff8127b750>] copy_creds+0x40/0x2c0 kernel/cred.c:365
[<ffffffff8123779e>] copy_process+0x5ce/0x23d0 kernel/fork.c:2094
[<ffffffff812397d3>] kernel_clone+0xf3/0x660 kernel/fork.c:2639
[<ffffffff81239db6>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2756
[<ffffffff84514625>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84514625>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff88811898ba80 (size 1232):
comm "syz-executor.4", pid 4190, jiffies 4294942965 (age 11.500s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
28 00 02 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............
backtrace:
[<ffffffff837c8eee>] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930
[<ffffffff837cca02>] sk_alloc+0x32/0x2e0 net/core/sock.c:1989
[<ffffffff842ce1b8>] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734
[<ffffffff842cfb41>] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2204
[<ffffffff837c189b>] __sock_create+0x1ab/0x2b0 net/socket.c:1468
[<ffffffff837c46af>] sock_create net/socket.c:1519 [inline]
[<ffffffff837c46af>] __sys_socket+0x6f/0x140 net/socket.c:1561
[<ffffffff837c479a>] __do_sys_socket net/socket.c:1570 [inline]
[<ffffffff837c479a>] __se_sys_socket net/socket.c:1568 [inline]
[<ffffffff837c479a>] __x64_sys_socket+0x1a/0x20 net/socket.c:1568
[<ffffffff84514625>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84514625>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888118817360 (size 32):
comm "syz-executor.4", pid 4190, jiffies 4294942965 (age 11.500s)
hex dump (first 32 bytes):
b0 2e 04 40 81 88 ff ff 00 00 00 00 00 00 00 00 ...@............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff821fefe3>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff821fefe3>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff821fefe3>] apparmor_sk_alloc_security+0x53/0xd0 security/apparmor/lsm.c:792
[<ffffffff821c4ba1>] security_sk_alloc+0x31/0x70 security/security.c:2279
[<ffffffff837c8f45>] sk_prot_alloc+0x95/0x1b0 net/core/sock.c:1939
[<ffffffff837cca02>] sk_alloc+0x32/0x2e0 net/core/sock.c:1989
[<ffffffff842ce1b8>] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734
[<ffffffff842cfb41>] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2204
[<ffffffff837c189b>] __sock_create+0x1ab/0x2b0 net/socket.c:1468
[<ffffffff837c46af>] sock_create net/socket.c:1519 [inline]
[<ffffffff837c46af>] __sys_socket+0x6f/0x140 net/socket.c:1561
[<ffffffff837c479a>] __do_sys_socket net/socket.c:1570 [inline]
[<ffffffff837c479a>] __se_sys_socket net/socket.c:1568 [inline]
[<ffffffff837c479a>] __x64_sys_socket+0x1a/0x20 net/socket.c:1568
[<ffffffff84514625>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84514625>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff8881040c03c0 (size 176):
comm "syz-executor.4", pid 3885, jiffies 4294942971 (age 11.440s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8127a927>] prepare_creds+0x27/0x470 kernel/cred.c:260
[<ffffffff8127b750>] copy_creds+0x40/0x2c0 kernel/cred.c:365
[<ffffffff8123779e>] copy_process+0x5ce/0x23d0 kernel/fork.c:2094
[<ffffffff812397d3>] kernel_clone+0xf3/0x660 kernel/fork.c:2639
[<ffffffff81239db6>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2756
[<ffffffff84514625>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84514625>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae



Tested on:

commit: 559089e0 vmalloc: replace VM_NO_HUGE_VMAP with VM_ALLO..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c6fc10f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=e6156282f3a672da
dashboard link: https://syzkaller.appspot.com/bug?extid=b03f55bf128f9a38f064
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13336f5cf00000
