Re: general protection fault in send_sigurg_to_task

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+1f371ca19b341a276761@syzkaller.appspotmail.com>
To: bfields@fieldses.org, jlayton@kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: general protection fault in send_sigurg_to_task
Date: Mon, 13 Aug 2018 06:33:02 -0700	[thread overview]
Message-ID: <000000000000f4136d0573512103@google.com> (raw)
In-Reply-To: <0000000000007f59610573509684@google.com>

syzbot has found a reproducer for the following crash on:

HEAD commit:    5ed5da74de9e Add linux-next specific files for 20180813
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10787028400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=18edf0289d1b5ab
dashboard link: https://syzkaller.appspot.com/bug?extid=1f371ca19b341a276761
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1487e828400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15084b72400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1f371ca19b341a276761@syzkaller.appspotmail.com

nf_conntrack: default automatic helper assignment has been turned off for  
security reasons and CT-based  firewall rule not found. Use the iptables CT  
target to attach helpers instead.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 4474 Comm: syz-executor782 Not tainted 4.18.0-next-20180813+ #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:sigio_perm fs/fcntl.c:715 [inline]
RIP: 0010:send_sigurg_to_task+0xf5/0x4d0 fs/fcntl.c:810
Code: 61 af b1 ff 45 84 f6 0f 84 52 03 00 00 e8 83 ae b1 ff 49 8d bf 58 06  
00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f  
85 91 03 00 00 48 8d 43 c0 4d 8b b7 58 06 00 00 48
RSP: 0000:ffff8801db106c18 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801db106c88 RCX: ffffffff81cae2d0
RDX: 00000000000000cb RSI: ffffffff81cadf6d RDI: 0000000000000658
RBP: ffff8801db106cb0 R08: ffff8801b4ad4640 R09: ffffed003b6246d6
R10: ffffed003b6246d6 R11: ffff8801db1236b3 R12: 1ffff1003b620d85
R13: ffff8801b4cb9388 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000949880(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000400bc3 CR3: 00000001bb122000 CR4: 00000000001406e0
Call Trace:
  <IRQ>
  send_sigurg+0x342/0x480 fs/fcntl.c:833
  sk_send_sigurg+0xd2/0x3d0 net/core/sock.c:2731
  tcp_check_urg net/ipv4/tcp_input.c:5266 [inline]
  tcp_urg+0x3c3/0xba0 net/ipv4/tcp_input.c:5307
  tcp_rcv_established+0xd45/0x2130 net/ipv4/tcp_input.c:5637
  tcp_v4_do_rcv+0x635/0x8f0 net/ipv4/tcp_ipv4.c:1532
  tcp_v4_rcv+0x2ff9/0x3a90 net/ipv4/tcp_ipv4.c:1824
  ip_local_deliver_finish+0x2eb/0xda0 net/ipv4/ip_input.c:215
  NF_HOOK include/linux/netfilter.h:287 [inline]
  ip_local_deliver+0x1e9/0x750 net/ipv4/ip_input.c:256
  dst_input include/net/dst.h:450 [inline]
  ip_rcv_finish+0x1f9/0x300 net/ipv4/ip_input.c:415
  NF_HOOK include/linux/netfilter.h:287 [inline]
  ip_rcv+0xed/0x610 net/ipv4/ip_input.c:524
  __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4892
  __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5002
  process_backlog+0x219/0x760 net/core/dev.c:5808
  napi_poll net/core/dev.c:6228 [inline]
  net_rx_action+0x799/0x1900 net/core/dev.c:6294
  __do_softirq+0x2e8/0xa6d kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:372 [inline]
  irq_exit+0x1d4/0x210 kernel/softirq.c:412
  exiting_irq arch/x86/include/asm/apic.h:527 [inline]
  smp_apic_timer_interrupt+0x186/0x690 arch/x86/kernel/apic/apic.c:1055
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:867
  </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783  
[inline]
RIP: 0010:lock_is_held_type+0x18b/0x210 kernel/locking/lockdep.c:3941
Code: ff df 41 c7 84 24 3c 08 00 00 00 00 00 00 48 89 fa 48 c1 ea 03 80 3c  
02 00 75 63 48 83 3d f4 33 93 06 00 74 30 48 89 df 57 9d <0f> 1f 44 00 00  
48 83 c4 08 44 89 e8 5b 41 5c 41 5d 5d c3 48 83 c4
RSP: 0000:ffff8801c6de7578 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: 0000000000000286 RCX: 0000000000000000
RDX: 1ffffffff0fe3665 RSI: 0000000000000000 RDI: 0000000000000286
RBP: ffff8801c6de7598 R08: ffffed003b6246d7 R09: ffffed003b6246d6
R10: ffffed003b6246d6 R11: ffff8801db1236b3 R12: ffff8801b4ad4640
R13: 0000000000000001 R14: dffffc0000000000 R15: 0000000000000000
  lock_is_held include/linux/lockdep.h:344 [inline]
  rcu_read_lock_held+0xa9/0xc0 kernel/rcu/update.c:285
  xa_entry include/linux/xarray.h:486 [inline]
  xas_next_entry include/linux/xarray.h:905 [inline]
  filemap_map_pages+0xdab/0x1990 mm/filemap.c:2536
  do_fault_around mm/memory.c:3603 [inline]
  do_read_fault mm/memory.c:3637 [inline]
  do_fault mm/memory.c:3742 [inline]
  handle_pte_fault mm/memory.c:3973 [inline]
  __handle_mm_fault+0x339c/0x4470 mm/memory.c:4097
  handle_mm_fault+0x53e/0xc80 mm/memory.c:4134
  __do_page_fault+0x620/0xe50 arch/x86/mm/fault.c:1395
  do_page_fault+0xf6/0x7a4 arch/x86/mm/fault.c:1470
  page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1164
RIP: 0033:0x400bc3
Code: 09 00 00 00 e8 0e 09 04 00 48 c7 05 2b 2b 2d 00 00 00 00 00 48 83 c4  
10 e8 fa f1 03 00 85 c0 0f 85 d2 07 00 00 e8 ed f1 03 00 <89> c3 89 c5 85  
c0 79 0a bf 01 00 00 00 e8 6b ed 00 00 85 c0 0f 85
RSP: 002b:00007ffd6e71ae70 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000000116b RCX: 000000000043fe8a
RDX: 0000001899a3a3ae RSI: 0000000000000000 RDI: 0000000001200011
RBP: 000000000000116b R08: 0000000000001149 R09: 0000000000949880
R10: 0000000000949b50 R11: 0000000000000246 R12: 000000000000a5e7
R13: 00000000004023f0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
Dumping ftrace buffer:
    (ftrace buffer empty)
---[ end trace b74ebc04d71b9f0f ]---
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:sigio_perm fs/fcntl.c:715 [inline]
RIP: 0010:send_sigurg_to_task+0xf5/0x4d0 fs/fcntl.c:810
Code: 61 af b1 ff 45 84 f6 0f 84 52 03 00 00 e8 83 ae b1 ff 49 8d bf 58 06  
00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f  
85 91 03 00 00 48 8d 43 c0 4d 8b b7 58 06 00 00 48
RSP: 0000:ffff8801db106c18 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801db106c88 RCX: ffffffff81cae2d0
RDX: 00000000000000cb RSI: ffffffff81cadf6d RDI: 0000000000000658
RBP: ffff8801db106cb0 R08: ffff8801b4ad4640 R09: ffffed003b6246d6
R10: ffffed003b6246d6 R11: ffff8801db1236b3 R12: 1ffff1003b620d85
R13: ffff8801b4cb9388 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000949880(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000400bc3 CR3: 00000001bb122000 CR4: 00000000001406e0

next prev parent reply	other threads:[~2018-08-13 13:33 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-13 12:54 general protection fault in send_sigurg_to_task syzbot
2018-08-13 13:33 ` syzbot [this message]
2018-08-14 19:11   ` J. Bruce Fields
2018-08-14 20:50     ` Dmitry Vyukov
2018-08-15  0:11       ` Stephen Rothwell
2018-08-15 18:53         ` J. Bruce Fields
2018-08-15 20:35       ` J. Bruce Fields
2018-08-16  4:01       ` Eric W. Biederman
2018-08-17 17:26         ` Dmitry Vyukov
2018-08-17 18:22           ` Eric W. Biederman
2018-08-17 18:38             ` J. Bruce Fields
2018-08-17 18:42             ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000f4136d0573512103@google.com \
    --to=syzbot+1f371ca19b341a276761@syzkaller.appspotmail.com \
    --cc=bfields@fieldses.org \
    --cc=jlayton@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.