general protection fault in __tcf_idr_release
6 views
Skip to first unread message
syzbot
Sep 25, 2020, 3:51:17 PM9/25/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: cbfa1702 Linux 4.14.198
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1410e89d900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3990958d85b55e59
dashboard link: https://syzkaller.appspot.com/bug?extid=9848e7488c582717ef7a
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9848e7...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 9759 Comm: syz-executor.4 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a57f4180 task.stack: ffff888055708000
RIP: 0010:__tcf_idr_release+0x15e/0x260 net/sched/act_api.c:99
RSP: 0018:ffff88805570f4f0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000811d000
RDX: 0000000000000009 RSI: ffffffff85234889 RDI: 0000000000000048
RBP: ffff8880484377a0 R08: ffffffff8a096f08 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880a57f4180 R12: 0000000000000000
R13: 0000000081413c7c R14: 0000000000000000 R15: 0000000000000000
FS: 00007fc07e5d1700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000052e378 CR3: 0000000094ea2000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_action_destroy+0xed/0x170 net/sched/act_api.c:527
tcf_action_init+0x294/0x400 net/sched/act_api.c:769
tcf_action_add net/sched/act_api.c:1079 [inline]
tc_ctl_action+0x2e3/0x50f net/sched/act_api.c:1131
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4316
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45e179
RSP: 002b:00007fc07e5d0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002d400 RCX: 000000000045e179
RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffda8f87adf R14: 00007fc07e5d19c0 R15: 000000000118cf4c
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 fc 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 65 00 49 8d 7c 24 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c7 00 00 00 4d 8b 64 24 48 4d 85 e4 74 0e e8
RIP: __tcf_idr_release+0x15e/0x260 net/sched/act_api.c:99 RSP: ffff88805570f4f0
kauditd_printk_skb: 1 callbacks suppressed
audit: type=1804 audit(1601063438.207:49): pid=9814 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir305906542/syzkaller.GT6e6W/69/bus" dev="sda1" ino=16092 res=1
FAT-fs (loop2): Directory bread(block 6) failed
---[ end trace 78376cc37c797e8a ]---
FAT-fs (loop2): Directory bread(block 6) failed
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: cbfa1702 Linux 4.14.198
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1410e89d900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3990958d85b55e59
dashboard link: https://syzkaller.appspot.com/bug?extid=9848e7488c582717ef7a
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9848e7...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 9759 Comm: syz-executor.4 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a57f4180 task.stack: ffff888055708000
RIP: 0010:__tcf_idr_release+0x15e/0x260 net/sched/act_api.c:99
RSP: 0018:ffff88805570f4f0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000811d000
RDX: 0000000000000009 RSI: ffffffff85234889 RDI: 0000000000000048
RBP: ffff8880484377a0 R08: ffffffff8a096f08 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880a57f4180 R12: 0000000000000000
R13: 0000000081413c7c R14: 0000000000000000 R15: 0000000000000000
FS: 00007fc07e5d1700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000052e378 CR3: 0000000094ea2000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_action_destroy+0xed/0x170 net/sched/act_api.c:527
tcf_action_init+0x294/0x400 net/sched/act_api.c:769
tcf_action_add net/sched/act_api.c:1079 [inline]
tc_ctl_action+0x2e3/0x50f net/sched/act_api.c:1131
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4316
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45e179
RSP: 002b:00007fc07e5d0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002d400 RCX: 000000000045e179
RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffda8f87adf R14: 00007fc07e5d19c0 R15: 000000000118cf4c
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 fc 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 65 00 49 8d 7c 24 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c7 00 00 00 4d 8b 64 24 48 4d 85 e4 74 0e e8
RIP: __tcf_idr_release+0x15e/0x260 net/sched/act_api.c:99 RSP: ffff88805570f4f0
kauditd_printk_skb: 1 callbacks suppressed
audit: type=1804 audit(1601063438.207:49): pid=9814 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir305906542/syzkaller.GT6e6W/69/bus" dev="sda1" ino=16092 res=1
FAT-fs (loop2): Directory bread(block 6) failed
---[ end trace 78376cc37c797e8a ]---
FAT-fs (loop2): Directory bread(block 6) failed
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 25, 2020, 4:34:17 PM9/25/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: cbfa1702 Linux 4.14.198
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1211b307900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161679c3900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9848e7...@syzkaller.appspotmail.com
netlink: 32 bytes leftover after parsing attributes in process `syz-executor809'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor809'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor809'.
RIP: 0010:__tcf_idr_release+0x17d/0x260 net/sched/act_api.c:100
RSP: 0018:ffff888097a1f4f0 EFLAGS: 00010297
RAX: ffff8880972e0480 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88808f8bf7a0
RBP: ffff88808f8bf7a0 R08: ffffffff8a096f08 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880972e0480 R12: e801000000beffff
R13: 00000000850ca675 R14: ffffffff81856373 R15: 0000000000000000
FS: 00007f7675640700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
RSP: 002b:00007f767563fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c19
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0001008400000000 R14: 0000000000e60000 R15: 053b003000000098
Code: 49 8d 7c 24 48 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c7 00 00 00 4d 8b 64 24 48 4d 85 e4 74 0e e8 39 4e 38 fc 0f b6 f3 48 89 ef <41> ff d4 e8 2b 4e 38 fc 48 8d 7d 20 48 b8 00 00 00 00 00 fc ff
RIP: __tcf_idr_release+0x17d/0x260 net/sched/act_api.c:100 RSP: ffff888097a1f4f0
---[ end trace 4816c45cc30af74c ]---
HEAD commit: cbfa1702 Linux 4.14.198
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=3990958d85b55e59
dashboard link: https://syzkaller.appspot.com/bug?extid=9848e7488c582717ef7a
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174f7ed3900000
dashboard link: https://syzkaller.appspot.com/bug?extid=9848e7488c582717ef7a
compiler: gcc (GCC) 10.1.0-syz 20200507
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161679c3900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9848e7...@syzkaller.appspotmail.com
netlink: 32 bytes leftover after parsing attributes in process `syz-executor809'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor809'.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6370 Comm: syz-executor809 Not tainted 4.14.198-syzkaller #0
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880972e0480 task.stack: ffff888097a18000
RIP: 0010:__tcf_idr_release+0x17d/0x260 net/sched/act_api.c:100
RSP: 0018:ffff888097a1f4f0 EFLAGS: 00010297
RAX: ffff8880972e0480 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88808f8bf7a0
RBP: ffff88808f8bf7a0 R08: ffffffff8a096f08 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880972e0480 R12: e801000000beffff
R13: 00000000850ca675 R14: ffffffff81856373 R15: 0000000000000000
FS: 00007f7675640700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc21661dac CR3: 000000009b735000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_action_destroy+0xed/0x170 net/sched/act_api.c:527
tcf_action_init+0x294/0x400 net/sched/act_api.c:769
tcf_action_add net/sched/act_api.c:1079 [inline]
tc_ctl_action+0x2e3/0x50f net/sched/act_api.c:1131
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4316
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x446c19
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_action_destroy+0xed/0x170 net/sched/act_api.c:527
tcf_action_init+0x294/0x400 net/sched/act_api.c:769
tcf_action_add net/sched/act_api.c:1079 [inline]
tc_ctl_action+0x2e3/0x50f net/sched/act_api.c:1131
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4316
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RSP: 002b:00007f767563fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c19
RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0001008400000000 R14: 0000000000e60000 R15: 053b003000000098
Code: 49 8d 7c 24 48 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c7 00 00 00 4d 8b 64 24 48 4d 85 e4 74 0e e8 39 4e 38 fc 0f b6 f3 48 89 ef <41> ff d4 e8 2b 4e 38 fc 48 8d 7d 20 48 b8 00 00 00 00 00 fc ff
RIP: __tcf_idr_release+0x17d/0x260 net/sched/act_api.c:100 RSP: ffff888097a1f4f0
---[ end trace 4816c45cc30af74c ]---
Reply all
Reply to author
Forward
0 new messages