general protection fault in genl_rcv


syzbot

Sep 7, 2022, 5:34:35 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 65640c873dcf Linux 4.14.292
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=136a3155080000
kernel config: https://syzkaller.appspot.com/x/.config?x=e88a9c332b8ce547
dashboard link: https://syzkaller.appspot.com/bug?extid=bfffc0cf4311e49c741b
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/6f9421328839/disk-65640c87.raw.xz
vmlinux: https://storage.googleapis.com/dce3ee6401bc/vmlinux-65640c87.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bfffc0...@syzkaller.appspotmail.com

fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10a/0x149 lib/fault-inject.c:149
should_failslab+0xd6/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node+0x263/0x410 mm/slab.c:3640
__alloc_skb+0x5c/0x510 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:980 [inline]
kobject_uevent_env+0x882/0xf30 lib/kobject_uevent.c:480
nbd_size_clear drivers/block/nbd.c:267 [inline]
nbd_config_put+0x50a/0x6c0 drivers/block/nbd.c:1147
nbd_genl_connect+0xcb9/0x13e0 drivers/block/nbd.c:1901
genl_family_rcv_msg+0x572/0xb20 net/netlink/genetlink.c:600
genl_rcv_msg+0xaf/0x140 net/netlink/genetlink.c:625
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
genl_rcv+0x24/0x40 net/netlink/genetlink.c:636
netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f1f57bd7279
RSP: 002b:00007f1f5654c168 EFLAGS: 00000246
ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f1f57ce9f80 RCX: 00007f1f57bd7279
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000005
RBP: 00007f1f5654c1d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffe1cc9b59f R14: 00007f1f5654c300 R15: 0000000000022000

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7192 Comm: systemd-udevd Not tainted 4.14.292-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
task: ffff8880aac1c540 task.stack: ffff88809a2a0000
RIP: 0010:__lock_acquire+0x1cc/0x3f20 kernel/locking/lockdep.c:3369
RSP: 0018:ffff88809a2a7938 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000022 RSI: 0000000000000000 RDI: 0000000000000110
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8880aac1c540 R12: 0000000000000110
R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff8becddc0
FS: 00007f10edfdc8c0(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f002a129000 CR3: 0000000092125000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625
nbd_disconnect_and_put+0xc3/0x140 drivers/block/nbd.c:1917
nbd_release+0x123/0x150 drivers/block/nbd.c:1448
__blkdev_put+0x5aa/0x800 fs/block_dev.c:1803
blkdev_close+0x86/0xb0 fs/block_dev.c:1875
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f10ed122270
RSP: 002b:00007ffe1c88b128 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007f10ed122270
RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 00007f10edfdc710 R08: 000000000000004a R09: 0000000000000008
R10: 0000562cd64a58f8 R11: 0000000000000246 R12: 0000000000000000
R13: 0000562cd64a8070 R14: 0000000000000003 R15: 000000000000000e
Code: 18 00 00 00 00 48 81 c4 80 01 00 00 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 67 2a 00 00 49 81 3c 24 e0 97 2f 8b 0f 84 5f
RIP: __lock_acquire+0x1cc/0x3f20 kernel/locking/lockdep.c:3369 RSP: ffff88809a2a7938
nbd: must specify at least one socket
---[ end trace 9418e77600ab763a ]---
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 5, 2023, 4:34:30 AM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.