general protection fault in nfc_genl_dump_ses_done
5 views
Skip to first unread message
syzbot
Nov 18, 2022, 8:41:35 PM11/18/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=110d3a4e880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=301e2e1577f5b394737e
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+301e2e...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
CPU: 1 PID: 4695 Comm: kworker/1:2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events netlink_sock_destruct_work
RIP: 0010:klist_iter_exit+0x21/0x80 lib/klist.c:314
Code: 66 0f 1f 84 00 00 00 00 00 41 54 55 53 48 89 fb e8 34 69 74 f9 48 8d 6b 08 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 75 40 4c 8b 63 08 4d 85 e4 74 2e e8 0b 69 74 f9 31 f6
(unnamed net_device) (uninitialized): invalid ARP target 0.0.0.0 specified for addition
RSP: 0018:ffff88809c65fc48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff87ee1c3c RDI: 0000000000000000
RBP: 0000000000000008 R08: 0000000000000000 R09: fffffbfff15cf8ac
R10: ffffffff8ae7c567 R11: 0000000000074071 R12: 0000000000000000
R13: ffffffff896f1440 R14: ffff8880ba12a8c0 R15: ffff8880ba12f000
FS: 0000000000000000(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3f32645de0 CR3: 0000000098daf000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
(unnamed net_device) (uninitialized): option arp_ip_target: invalid value (0)
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
nfc_genl_dump_ses_done+0x31/0x50 net/nfc/netlink.c:177
genl_lock_done+0x82/0xc0 net/netlink/genetlink.c:495
netlink_sock_destruct+0x96/0x280 net/netlink/af_netlink.c:398
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1576
sk_destruct net/core/sock.c:1617 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1628
sk_free+0x3b/0x50 net/core/sock.c:1639
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
(unnamed net_device) (uninitialized): invalid ARP target 0.0.0.0 specified for addition
(unnamed net_device) (uninitialized): option arp_ip_target: invalid value (0)
---[ end trace 51842fb328da6f08 ]---
RIP: 0010:klist_iter_exit+0x21/0x80 lib/klist.c:314
Code: 66 0f 1f 84 00 00 00 00 00 41 54 55 53 48 89 fb e8 34 69 74 f9 48 8d 6b 08 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 75 40 4c 8b 63 08 4d 85 e4 74 2e e8 0b 69 74 f9 31 f6
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
(unnamed net_device) (uninitialized): invalid ARP target 0.0.0.0 specified for addition
RSP: 0018:ffff88809c65fc48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
(unnamed net_device) (uninitialized): option arp_ip_target: invalid value (0)
RDX: 0000000000000001 RSI: ffffffff87ee1c3c RDI: 0000000000000000
RBP: 0000000000000008 R08: 0000000000000000 R09: fffffbfff15cf8ac
R10: ffffffff8ae7c567 R11: 0000000000074071 R12: 0000000000000000
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
R13: ffffffff896f1440 R14: ffff8880ba12a8c0 R15: ffff8880ba12f000
(unnamed net_device) (uninitialized): invalid ARP target 0.0.0.0 specified for addition
FS: 0000000000000000(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
(unnamed net_device) (uninitialized): option arp_ip_target: invalid value (0)
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555fd9708 CR3: 00000000a1073000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
7: 00 00
9: 41 54 push %r12
b: 55 push %rbp
c: 53 push %rbx
d: 48 89 fb mov %rdi,%rbx
10: e8 34 69 74 f9 callq 0xf9746949
15: 48 8d 6b 08 lea 0x8(%rbx),%rbp
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 ea mov %rbp,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 75 40 jne 0x70
30: 4c 8b 63 08 mov 0x8(%rbx),%r12
34: 4d 85 e4 test %r12,%r12
37: 74 2e je 0x67
39: e8 0b 69 74 f9 callq 0xf9746949
3e: 31 f6 xor %esi,%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=110d3a4e880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=301e2e1577f5b394737e
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+301e2e...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
CPU: 1 PID: 4695 Comm: kworker/1:2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events netlink_sock_destruct_work
RIP: 0010:klist_iter_exit+0x21/0x80 lib/klist.c:314
Code: 66 0f 1f 84 00 00 00 00 00 41 54 55 53 48 89 fb e8 34 69 74 f9 48 8d 6b 08 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 75 40 4c 8b 63 08 4d 85 e4 74 2e e8 0b 69 74 f9 31 f6
(unnamed net_device) (uninitialized): invalid ARP target 0.0.0.0 specified for addition
RSP: 0018:ffff88809c65fc48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff87ee1c3c RDI: 0000000000000000
RBP: 0000000000000008 R08: 0000000000000000 R09: fffffbfff15cf8ac
R10: ffffffff8ae7c567 R11: 0000000000074071 R12: 0000000000000000
R13: ffffffff896f1440 R14: ffff8880ba12a8c0 R15: ffff8880ba12f000
FS: 0000000000000000(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3f32645de0 CR3: 0000000098daf000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
(unnamed net_device) (uninitialized): option arp_ip_target: invalid value (0)
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
nfc_genl_dump_ses_done+0x31/0x50 net/nfc/netlink.c:177
genl_lock_done+0x82/0xc0 net/netlink/genetlink.c:495
netlink_sock_destruct+0x96/0x280 net/netlink/af_netlink.c:398
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1576
sk_destruct net/core/sock.c:1617 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1628
sk_free+0x3b/0x50 net/core/sock.c:1639
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
(unnamed net_device) (uninitialized): invalid ARP target 0.0.0.0 specified for addition
(unnamed net_device) (uninitialized): option arp_ip_target: invalid value (0)
---[ end trace 51842fb328da6f08 ]---
RIP: 0010:klist_iter_exit+0x21/0x80 lib/klist.c:314
Code: 66 0f 1f 84 00 00 00 00 00 41 54 55 53 48 89 fb e8 34 69 74 f9 48 8d 6b 08 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 75 40 4c 8b 63 08 4d 85 e4 74 2e e8 0b 69 74 f9 31 f6
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
(unnamed net_device) (uninitialized): invalid ARP target 0.0.0.0 specified for addition
RSP: 0018:ffff88809c65fc48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
(unnamed net_device) (uninitialized): option arp_ip_target: invalid value (0)
RDX: 0000000000000001 RSI: ffffffff87ee1c3c RDI: 0000000000000000
RBP: 0000000000000008 R08: 0000000000000000 R09: fffffbfff15cf8ac
R10: ffffffff8ae7c567 R11: 0000000000074071 R12: 0000000000000000
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
R13: ffffffff896f1440 R14: ffff8880ba12a8c0 R15: ffff8880ba12f000
(unnamed net_device) (uninitialized): invalid ARP target 0.0.0.0 specified for addition
FS: 0000000000000000(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
(unnamed net_device) (uninitialized): option arp_ip_target: invalid value (0)
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555fd9708 CR3: 00000000a1073000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
7: 00 00
9: 41 54 push %r12
b: 55 push %rbp
c: 53 push %rbx
d: 48 89 fb mov %rdi,%rbx
10: e8 34 69 74 f9 callq 0xf9746949
15: 48 8d 6b 08 lea 0x8(%rbx),%rbp
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 ea mov %rbp,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 75 40 jne 0x70
30: 4c 8b 63 08 mov 0x8(%rbx),%r12
34: 4d 85 e4 test %r12,%r12
37: 74 2e je 0x67
39: e8 0b 69 74 f9 callq 0xf9746949
3e: 31 f6 xor %esi,%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Nov 18, 2022, 8:56:41 PM11/18/22
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16fb682d880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121fe09880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+301e2e...@syzkaller.appspotmail.com
RBP: 00007ffd69cd8590 R08: 0000000000000001 R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 000000000000000d R14: 00007fd73a9704a0 R15: 00007ffd69cd8602
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=301e2e1577f5b394737e
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1586499e880000
dashboard link: https://syzkaller.appspot.com/bug?extid=301e2e1577f5b394737e
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121fe09880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+301e2e...@syzkaller.appspotmail.com
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 000000000000000d R14: 00007fd73a9704a0 R15: 00007ffd69cd8602
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 3689 Comm: kworker/0:2 Not tainted 4.19.211-syzkaller #0
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events netlink_sock_destruct_work
RIP: 0010:klist_iter_exit+0x21/0x80 lib/klist.c:314
Code: 66 0f 1f 84 00 00 00 00 00 41 54 55 53 48 89 fb e8 34 69 74 f9 48 8d 6b 08 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 75 40 4c 8b 63 08 4d 85 e4 74 2e e8 0b 69 74 f9 31 f6
RSP: 0018:ffff8880a840fc48 EFLAGS: 00010202
Workqueue: events netlink_sock_destruct_work
RIP: 0010:klist_iter_exit+0x21/0x80 lib/klist.c:314
Code: 66 0f 1f 84 00 00 00 00 00 41 54 55 53 48 89 fb e8 34 69 74 f9 48 8d 6b 08 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 75 40 4c 8b 63 08 4d 85 e4 74 2e e8 0b 69 74 f9 31 f6
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff87ee1c3c RDI: 0000000000000000
RBP: 0000000000000008 R08: 0000000000000000 R09: fffffbfff15cf8ac
R10: ffffffff8ae7c567 R11: 0000000000074071 R12: 0000000000000000
R13: ffffffff896f1440 R14: ffff8880ba02a8c0 R15: ffff8880ba02f000
RDX: 0000000000000001 RSI: ffffffff87ee1c3c RDI: 0000000000000000
RBP: 0000000000000008 R08: 0000000000000000 R09: fffffbfff15cf8ac
R10: ffffffff8ae7c567 R11: 0000000000074071 R12: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5c7430a000 CR3: 00000000a1372000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
nfc_genl_dump_ses_done+0x31/0x50 net/nfc/netlink.c:177
genl_lock_done+0x82/0xc0 net/netlink/genetlink.c:495
netlink_sock_destruct+0x96/0x280 net/netlink/af_netlink.c:398
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1576
sk_destruct net/core/sock.c:1617 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1628
sk_free+0x3b/0x50 net/core/sock.c:1639
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0
nfc_genl_dump_ses_done+0x31/0x50 net/nfc/netlink.c:177
genl_lock_done+0x82/0xc0 net/netlink/genetlink.c:495
netlink_sock_destruct+0x96/0x280 net/netlink/af_netlink.c:398
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1576
sk_destruct net/core/sock.c:1617 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1628
sk_free+0x3b/0x50 net/core/sock.c:1639
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0
Reply all
Reply to author
Forward
0 new messages