From: syzbot <syzbot+f9704d1878e290eddf73@syzkaller.appspotmail.com>
To: andrii@kernel.org, asml.silence@gmail.com, ast@kernel.org,
axboe@kernel.dk, bpf@vger.kernel.org, daniel@iogearbox.net,
davem@davemloft.net, dvyukov@google.com,
io-uring@vger.kernel.org, john.fastabend@gmail.com, kafai@fb.com,
kpsingh@kernel.org, kuba@kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
songliubraving@fb.com, syzkaller-bugs@googlegroups.com,
yhs@fb.com
Subject: Re: [syzbot] general protection fault in sock_from_file
Date: Mon, 30 Aug 2021 13:45:20 -0700 [thread overview]
Message-ID: <00000000000059117905cacce99e@google.com> (raw)
In-Reply-To: <00000000000011360d05cacbb622@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 93717cde744f Add linux-next specific files for 20210830
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15200fad300000
kernel config: https://syzkaller.appspot.com/x/.config?x=c643ef5289990dd1
dashboard link: https://syzkaller.appspot.com/bug?extid=f9704d1878e290eddf73
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=111f5f9d300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1651a415300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f9704d1878e290eddf73@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 6548 Comm: syz-executor433 Not tainted 5.14.0-next-20210830-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sock_from_file+0x20/0x90 net/socket.c:505
Code: f5 ff ff ff c3 0f 1f 44 00 00 41 54 53 48 89 fb e8 85 e9 62 fa 48 8d 7b 28 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 4f 45 31 e4 48 81 7b 28 80 f1 8a 8a 74 0c e8 58 e9
RSP: 0018:ffffc90002caf8e8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff8713203b RDI: 0000000000000028
RBP: ffff888019fc0780 R08: ffffffff899aee40 R09: ffffffff81e21978
R10: 0000000000000027 R11: 0000000000000009 R12: dffffc0000000000
R13: 1ffff110033f80f9 R14: 0000000000000003 R15: ffff888019fc0780
FS: 00000000013b5300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004ae0f0 CR3: 000000001d355000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
io_sendmsg+0x98/0x640 fs/io_uring.c:4681
io_issue_sqe+0x14de/0x6ba0 fs/io_uring.c:6578
__io_queue_sqe+0x90/0xb50 fs/io_uring.c:6864
io_req_task_submit+0xbf/0x1b0 fs/io_uring.c:2218
tctx_task_work+0x166/0x610 fs/io_uring.c:2143
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_signal include/linux/tracehook.h:212 [inline]
handle_signal_work kernel/entry/common.c:146 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43fd49
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd6347b9d8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: 0000000000001000 RBX: 0000000000000003 RCX: 000000000043fd49
RDX: 0000000000000000 RSI: 000000000000688c RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004035d0
R13: 431bde82d7b634db R14: 00000000004ae018 R15: 0000000000400488
Modules linked in:
---[ end trace aa9bf60339277d03 ]---
RIP: 0010:sock_from_file+0x20/0x90 net/socket.c:505
Code: f5 ff ff ff c3 0f 1f 44 00 00 41 54 53 48 89 fb e8 85 e9 62 fa 48 8d 7b 28 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 4f 45 31 e4 48 81 7b 28 80 f1 8a 8a 74 0c e8 58 e9
RSP: 0018:ffffc90002caf8e8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffffffff8713203b RDI: 0000000000000028
RBP: ffff888019fc0780 R08: ffffffff899aee40 R09: ffffffff81e21978
R10: 0000000000000027 R11: 0000000000000009 R12: dffffc0000000000
R13: 1ffff110033f80f9 R14: 0000000000000003 R15: ffff888019fc0780
FS: 00000000013b5300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2cc6f84000 CR3: 000000001d355000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 3 bytes skipped:
0: ff c3 inc %ebx
2: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
7: 41 54 push %r12
9: 53 push %rbx
a: 48 89 fb mov %rdi,%rbx
d: e8 85 e9 62 fa callq 0xfa62e997
12: 48 8d 7b 28 lea 0x28(%rbx),%rdi
16: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1d: fc ff df
20: 48 89 fa mov %rdi,%rdx
23: 48 c1 ea 03 shr $0x3,%rdx
* 27: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2b: 75 4f jne 0x7c
2d: 45 31 e4 xor %r12d,%r12d
30: 48 81 7b 28 80 f1 8a cmpq $0xffffffff8a8af180,0x28(%rbx)
37: 8a
38: 74 0c je 0x46
3a: e8 .byte 0xe8
3b: 58 pop %rax
3c: e9 .byte 0xe9
next prev parent reply other threads:[~2021-08-30 20:45 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-30 19:19 [syzbot] general protection fault in sock_from_file syzbot
2021-08-30 19:22 ` Dmitry Vyukov
2021-08-30 20:45 ` syzbot [this message]
2021-08-31 2:14 ` Jens Axboe
2021-08-31 9:19 ` Hao Xu
2021-08-31 9:42 ` Pavel Begunkov
2021-08-31 11:05 ` Hao Xu
2021-08-31 11:26 ` Pavel Begunkov
2021-08-31 11:48 ` Hao Xu
2021-08-31 11:50 ` Pavel Begunkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000059117905cacce99e@google.com \
--to=syzbot+f9704d1878e290eddf73@syzkaller.appspotmail.com \
--cc=andrii@kernel.org \
--cc=asml.silence@gmail.com \
--cc=ast@kernel.org \
--cc=axboe@kernel.dk \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=io-uring@vger.kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.