general protection fault in sendmsg
5 views
Skip to first unread message
syzbot
Nov 6, 2020, 7:35:18 AM11/6/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 6b6446ef Linux 4.14.204
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11f6bb46500000
kernel config: https://syzkaller.appspot.com/x/.config?x=3b2e3745f25cbc4e
dashboard link: https://syzkaller.appspot.com/bug?extid=30635fc2fc1cb398ae78
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+30635f...@syzkaller.appspotmail.com
kasan: GPF could be caused by NULL-ptr deref or user memory access
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
genl_rcv+0x24/0x40 net/netlink/genetlink.c:636
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 13306 Comm: syz-executor.3 Not tainted 4.14.204-syzkaller #0
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
task: ffff888056ef0600 task.stack: ffff88808c878000
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:167 [inline]
RIP: 0010:rb_erase+0x29/0x1290 lib/rbtree.c:459
RSP: 0018:ffff88808c87fa68 EFLAGS: 00010292
RAX: dffffc0000000000 RBX: ffff88805caf08b0 RCX: ffffc90009d08000
RDX: 0000000000000001 RSI: ffffffff8bf92da0 RDI: 0000000000000008
RBP: 0000000000000000 R08: ffffffff8b9bf960 R09: 0000000000040410
R10: ffff888056ef0eb0 R11: ffff888056ef0600 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88805cb397b8 R15: ffffffff8bf92da0
FS: 00007f9dc485d700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000118c000 CR3: 000000009a298000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
integrity_inode_free+0x119/0x300 security/integrity/iint.c:146
security_inode_free+0x14/0x80 security/security.c:443
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
__destroy_inode+0x1e8/0x4d0 fs/inode.c:238
entry_SYSCALL_64_after_hwframe+0x46/0xbb
destroy_inode+0x49/0x110 fs/inode.c:265
RIP: 0033:0x45deb9
iput_final fs/inode.c:1524 [inline]
iput+0x458/0x7e0 fs/inode.c:1551
RSP: 002b:00007f02c76b0c78 EFLAGS: 00000246
ORIG_RAX: 000000000000002e
swap_inode_boot_loader fs/ext4/ioctl.c:197 [inline]
ext4_ioctl+0x16c5/0x3870 fs/ext4/ioctl.c:924
RAX: ffffffffffffffda RBX: 000000000002e480 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f02c76b0ca0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001c
R13: 00007ffc8242b31f R14: 00007f02c76b19c0 R15: 000000000118bf2c
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45deb9
RSP: 002b:00007f9dc485cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000000dbc0 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000000006611 RDI: 0000000000000003
RBP: 000000000118c000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bfd4
R13: 00007ffe71825ecf R14: 00007f9dc485d9c0 R15: 000000000118bfd4
Code: ff ff 48 b8 00 00 00 00 00 fc ff df 41 57 49 89 f7 41 56 41 55 41 54 49 89 fc 48 83 c7 08 48 89 fa 55 48 c1 ea 03 53 48 83 ec 18 <80> 3c 02 00 0f 85 f2 0c 00 00 49 8d 7c 24 10 4d 8b 74 24 08 48
RIP: __rb_erase_augmented include/linux/rbtree_augmented.h:167 [inline] RSP: ffff88808c87fa68
RIP: rb_erase+0x29/0x1290 lib/rbtree.c:459 RSP: ffff88808c87fa68
---[ end trace 78bebb95871a179b ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 6b6446ef Linux 4.14.204
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11f6bb46500000
kernel config: https://syzkaller.appspot.com/x/.config?x=3b2e3745f25cbc4e
dashboard link: https://syzkaller.appspot.com/bug?extid=30635fc2fc1cb398ae78
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+30635f...@syzkaller.appspotmail.com
kasan: GPF could be caused by NULL-ptr deref or user memory access
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
genl_rcv+0x24/0x40 net/netlink/genetlink.c:636
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 13306 Comm: syz-executor.3 Not tainted 4.14.204-syzkaller #0
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
task: ffff888056ef0600 task.stack: ffff88808c878000
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:167 [inline]
RIP: 0010:rb_erase+0x29/0x1290 lib/rbtree.c:459
RSP: 0018:ffff88808c87fa68 EFLAGS: 00010292
RAX: dffffc0000000000 RBX: ffff88805caf08b0 RCX: ffffc90009d08000
RDX: 0000000000000001 RSI: ffffffff8bf92da0 RDI: 0000000000000008
RBP: 0000000000000000 R08: ffffffff8b9bf960 R09: 0000000000040410
R10: ffff888056ef0eb0 R11: ffff888056ef0600 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88805cb397b8 R15: ffffffff8bf92da0
FS: 00007f9dc485d700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000118c000 CR3: 000000009a298000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
integrity_inode_free+0x119/0x300 security/integrity/iint.c:146
security_inode_free+0x14/0x80 security/security.c:443
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
__destroy_inode+0x1e8/0x4d0 fs/inode.c:238
entry_SYSCALL_64_after_hwframe+0x46/0xbb
destroy_inode+0x49/0x110 fs/inode.c:265
RIP: 0033:0x45deb9
iput_final fs/inode.c:1524 [inline]
iput+0x458/0x7e0 fs/inode.c:1551
RSP: 002b:00007f02c76b0c78 EFLAGS: 00000246
ORIG_RAX: 000000000000002e
swap_inode_boot_loader fs/ext4/ioctl.c:197 [inline]
ext4_ioctl+0x16c5/0x3870 fs/ext4/ioctl.c:924
RAX: ffffffffffffffda RBX: 000000000002e480 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f02c76b0ca0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001c
R13: 00007ffc8242b31f R14: 00007f02c76b19c0 R15: 000000000118bf2c
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45deb9
RSP: 002b:00007f9dc485cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000000dbc0 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000000006611 RDI: 0000000000000003
RBP: 000000000118c000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bfd4
R13: 00007ffe71825ecf R14: 00007f9dc485d9c0 R15: 000000000118bfd4
Code: ff ff 48 b8 00 00 00 00 00 fc ff df 41 57 49 89 f7 41 56 41 55 41 54 49 89 fc 48 83 c7 08 48 89 fa 55 48 c1 ea 03 53 48 83 ec 18 <80> 3c 02 00 0f 85 f2 0c 00 00 49 8d 7c 24 10 4d 8b 74 24 08 48
RIP: __rb_erase_augmented include/linux/rbtree_augmented.h:167 [inline] RSP: ffff88808c87fa68
RIP: rb_erase+0x29/0x1290 lib/rbtree.c:459 RSP: ffff88808c87fa68
---[ end trace 78bebb95871a179b ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 6, 2021, 7:35:09 AM3/6/21
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages