general protection fault in load_new_mm_cr3
18 views
Skip to first unread message
syzbot
Jul 15, 2018, 9:39:04 AM7/15/18
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: d23b27c02f03 samples/bpf: xdp_redirect_cpu handle parsing ..
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=135bb32c400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a501a01deaf0fe9
dashboard link: https://syzkaller.appspot.com/bug?extid=05b4a0460cbecb63861a
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [dave....@linux.intel.com h...@zytor.com
kirill....@linux.intel.com linux-...@vger.kernel.org
lu...@kernel.org mathieu....@efficios.com mi...@redhat.com
pet...@infradead.org tg...@linutronix.de tim.c...@linux.intel.com
x...@kernel.org]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+05b4a0...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 4480 Comm: syz-executor1 Not tainted 4.18.0-rc3+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:write_cr3 arch/x86/include/asm/paravirt.h:72 [inline]
RIP: 0010:load_new_mm_cr3+0x7b/0x240 arch/x86/mm/tlb.c:120
Code: 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 0c 01
00 00 48 83 3d 46 b4 99 07 00 0f 84 e2 00 00 00 48 89 d7 <0f> 22 df 0f 1f
40 00 48 83 c4 08 5b 41 5c 5d c3 66 81 fe fe 0f 0f
RSP: 0018:ffff88019f5e7670 EFLAGS: 00010082
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff11a26eb
RDX: 20006900393a8200 RSI: 0000000000000000 RDI: 20006900393a8200
RBP: ffff88019f5e7688 R08: 0000000000000000 R09: ffffed00393a8267
R10: ffffed00393a8267 R11: ffff8801c9d4133f R12: 1ffff100393a8200
kasan: CONFIG_KASAN_INLINE enabled
R13: 0000000000000000 R14: ffff8801c9d41330 R15: 0000000000000001
FS: 0000000000fc5940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kasan: GPF could be caused by NULL-ptr deref or user memory access
CR2: 00007fe8ad280ea0 CR3: 000000019f521000 CR4: 00000000001406e0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
switch_mm_irqs_off+0x41a/0x16c0 arch/x86/mm/tlb.c:304
context_switch kernel/sched/core.c:2850 [inline]
__schedule+0x79c/0x1ed0 kernel/sched/core.c:3504
schedule+0xfb/0x450 kernel/sched/core.c:3548
freezable_schedule include/linux/freezer.h:172 [inline]
do_nanosleep+0x20e/0x750 kernel/time/hrtimer.c:1689
hrtimer_nanosleep+0x2d4/0x620 kernel/time/hrtimer.c:1743
__do_sys_nanosleep kernel/time/hrtimer.c:1777 [inline]
__se_sys_nanosleep kernel/time/hrtimer.c:1764 [inline]
__x64_sys_nanosleep+0x1e7/0x280 kernel/time/hrtimer.c:1764
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4811c0
Code: 05 48 3d 01 f0 ff ff 0f 83 0d 03 f9 ff c3 66 2e 0f 1f 84 00 00 00 00
00 66 90 83 3d 91 52 5c 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 0f 83 e4 02 f9 ff c3 48 83 ec 08 e8 6a 74 fd ff
RSP: 002b:00007ffde6a61988 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 0000000000018233 RCX: 00000000004811c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffde6a61990
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000fc5940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 00000000000002e0 R14: 00007ffde6a62050 R15: 000000000001822a
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 29faf8d5ffa63c30 ]---
general protection fault: 0000 [#2] SMP KASAN
CPU: 0 PID: 12372 Comm: syz-executor0 Tainted: G D
4.18.0-rc3+ #53
RIP: 0010:write_cr3 arch/x86/include/asm/paravirt.h:72 [inline]
RIP: 0010:load_new_mm_cr3+0x7b/0x240 arch/x86/mm/tlb.c:120
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Code:
RIP: 0010:free_start_sg kernel/bpf/sockmap.c:586 [inline]
RIP: 0010:bpf_tcp_close+0x2bf/0x1050 kernel/bpf/sockmap.c:330
00
Code:
00
------------[ cut here ]------------
00
Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected
to SLAB object 'TCPv6(129:syz0)' (offset 352, size 64)!
00
WARNING: CPU: 0 PID: 12372 at mm/usercopy.c:81 usercopy_warn+0xf5/0x120
mm/usercopy.c:76
00 fc
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot found the following crash on:
HEAD commit: d23b27c02f03 samples/bpf: xdp_redirect_cpu handle parsing ..
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=135bb32c400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a501a01deaf0fe9
dashboard link: https://syzkaller.appspot.com/bug?extid=05b4a0460cbecb63861a
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [dave....@linux.intel.com h...@zytor.com
kirill....@linux.intel.com linux-...@vger.kernel.org
lu...@kernel.org mathieu....@efficios.com mi...@redhat.com
pet...@infradead.org tg...@linutronix.de tim.c...@linux.intel.com
x...@kernel.org]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+05b4a0...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 4480 Comm: syz-executor1 Not tainted 4.18.0-rc3+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:write_cr3 arch/x86/include/asm/paravirt.h:72 [inline]
RIP: 0010:load_new_mm_cr3+0x7b/0x240 arch/x86/mm/tlb.c:120
Code: 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 0c 01
00 00 48 83 3d 46 b4 99 07 00 0f 84 e2 00 00 00 48 89 d7 <0f> 22 df 0f 1f
40 00 48 83 c4 08 5b 41 5c 5d c3 66 81 fe fe 0f 0f
RSP: 0018:ffff88019f5e7670 EFLAGS: 00010082
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff11a26eb
RDX: 20006900393a8200 RSI: 0000000000000000 RDI: 20006900393a8200
RBP: ffff88019f5e7688 R08: 0000000000000000 R09: ffffed00393a8267
R10: ffffed00393a8267 R11: ffff8801c9d4133f R12: 1ffff100393a8200
kasan: CONFIG_KASAN_INLINE enabled
R13: 0000000000000000 R14: ffff8801c9d41330 R15: 0000000000000001
FS: 0000000000fc5940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kasan: GPF could be caused by NULL-ptr deref or user memory access
CR2: 00007fe8ad280ea0 CR3: 000000019f521000 CR4: 00000000001406e0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
switch_mm_irqs_off+0x41a/0x16c0 arch/x86/mm/tlb.c:304
context_switch kernel/sched/core.c:2850 [inline]
__schedule+0x79c/0x1ed0 kernel/sched/core.c:3504
schedule+0xfb/0x450 kernel/sched/core.c:3548
freezable_schedule include/linux/freezer.h:172 [inline]
do_nanosleep+0x20e/0x750 kernel/time/hrtimer.c:1689
hrtimer_nanosleep+0x2d4/0x620 kernel/time/hrtimer.c:1743
__do_sys_nanosleep kernel/time/hrtimer.c:1777 [inline]
__se_sys_nanosleep kernel/time/hrtimer.c:1764 [inline]
__x64_sys_nanosleep+0x1e7/0x280 kernel/time/hrtimer.c:1764
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4811c0
Code: 05 48 3d 01 f0 ff ff 0f 83 0d 03 f9 ff c3 66 2e 0f 1f 84 00 00 00 00
00 66 90 83 3d 91 52 5c 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 0f 83 e4 02 f9 ff c3 48 83 ec 08 e8 6a 74 fd ff
RSP: 002b:00007ffde6a61988 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 0000000000018233 RCX: 00000000004811c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffde6a61990
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000fc5940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 00000000000002e0 R14: 00007ffde6a62050 R15: 000000000001822a
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 29faf8d5ffa63c30 ]---
general protection fault: 0000 [#2] SMP KASAN
CPU: 0 PID: 12372 Comm: syz-executor0 Tainted: G D
4.18.0-rc3+ #53
RIP: 0010:write_cr3 arch/x86/include/asm/paravirt.h:72 [inline]
RIP: 0010:load_new_mm_cr3+0x7b/0x240 arch/x86/mm/tlb.c:120
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Code:
RIP: 0010:free_start_sg kernel/bpf/sockmap.c:586 [inline]
RIP: 0010:bpf_tcp_close+0x2bf/0x1050 kernel/bpf/sockmap.c:330
00
Code:
00
------------[ cut here ]------------
00
Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected
to SLAB object 'TCPv6(129:syz0)' (offset 352, size 64)!
00
WARNING: CPU: 0 PID: 12372 at mm/usercopy.c:81 usercopy_warn+0xf5/0x120
mm/usercopy.c:76
00 fc
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot
Feb 22, 2019, 5:09:05 AM2/22/19
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages