From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <syzbot+444ca0907e96f7c5e48b@syzkaller.appspotmail.com>
Cc: <bpf@vger.kernel.org>, <davem@davemloft.net>,
<dsahern@kernel.org>, <edumazet@google.com>, <kuba@kernel.org>,
<linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org>,
<pabeni@redhat.com>, <syzkaller-bugs@googlegroups.com>,
<willemdebruijn.kernel@gmail.com>, <kuniyu@amazon.com>
Subject: Re: [syzbot] [net?] general protection fault in __sk_mem_raise_allocated
Date: Mon, 22 May 2023 10:32:00 -0700 [thread overview]
Message-ID: <20230522173200.59608-1-kuniyu@amazon.com> (raw)
In-Reply-To: <000000000000182b5f05fc41db4a@google.com>
From: syzbot <syzbot+444ca0907e96f7c5e48b@syzkaller.appspotmail.com>
Date: Sun, 21 May 2023 22:51:02 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: f1fcbaa18b28 Linux 6.4-rc2
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1216efba280000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ac0db1213414a978
> dashboard link: https://syzkaller.appspot.com/bug?extid=444ca0907e96f7c5e48b
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: i386
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/ea7e2a44b1f9/disk-f1fcbaa1.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/f4e3201419a9/vmlinux-f1fcbaa1.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/c2cd3eb9954b/bzImage-f1fcbaa1.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+444ca0907e96f7c5e48b@syzkaller.appspotmail.com
>
> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0
The last syz-executor.1 seems to create UDP_LITE (0x88) sk.
https://syzkaller.appspot.com/text?tag=CrashLog&x=1216efba280000
---8<---
14:25:52 executing program 1:
r0 = socket$inet6(0xa, 0x80002, 0x88)
bind$inet6(r0, &(0x7f00000001c0)={0xa, 0x10010000004e20}, 0x1c)
syz_emit_ethernet(0x83, &(0x7f0000000040)=ANY=[@ANYBLOB="aaaaaaaaaaaaaaaaaaab90aa86dd601bfc97004d8880fe800001000000000000000000000600ff02000000000000000000000000000101004e20004590"], 0x0)
ppoll(&(0x7f0000000240)=[{r0}], 0x1, &(0x7f0000000140), 0x0, 0x0)
---8<---
udplitev6_rcv() calls __udp6_lib_rcv(), which expects .sysctl_rmem_offset
or sysctl_rmem is configured in sk_prot, but udplitev6_prot has neither.
I'll post a fix after testing.
Thanks,
Kuniyuki
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
> RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline]
> RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006
> Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b
> RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000
> RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8
> RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000
> R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001
> FS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40
> CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
> CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0
> Call Trace:
> <TASK>
> __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077
> udp_rmem_schedule net/ipv4/udp.c:1539 [inline]
> __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581
> __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline]
> udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775
> udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793
> __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline]
> __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013
> ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437
> ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482
> NF_HOOK include/linux/netfilter.h:303 [inline]
> NF_HOOK include/linux/netfilter.h:297 [inline]
> ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491
> ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585
> dst_input include/net/dst.h:468 [inline]
> ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
> NF_HOOK include/linux/netfilter.h:303 [inline]
> NF_HOOK include/linux/netfilter.h:297 [inline]
> ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309
> __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491
> __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605
> netif_receive_skb_internal net/core/dev.c:5691 [inline]
> netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750
> tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553
> tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989
> tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035
> call_write_iter include/linux/fs.h:1868 [inline]
> new_sync_write fs/read_write.c:491 [inline]
> vfs_write+0x945/0xd50 fs/read_write.c:584
> ksys_write+0x12b/0x250 fs/read_write.c:637
> do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
> __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
> do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
> entry_SYSENTER_compat_after_hwframe+0x70/0x82
> RIP: 0023:0xf7f21579
> Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
> RSP: 002b:00000000f7f1c590 EFLAGS: 00000282 ORIG_RAX: 0000000000000004
> RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000020000040
> RDX: 0000000000000083 RSI: 00000000f734e000 RDI: 0000000000000000
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline]
> RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006
> Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b
> RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000
> RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8
> RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000
> R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001
> FS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40
> CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
> CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0
> ----------------
> Code disassembly (best guess):
> 0: c1 ea 03 shr $0x3,%edx
> 3: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
> 7: 0f 85 23 0f 00 00 jne 0xf30
> d: 48 8b 44 24 08 mov 0x8(%rsp),%rax
> 12: 48 8b 98 38 01 00 00 mov 0x138(%rax),%rbx
> 19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
> 20: fc ff df
> 23: 48 89 da mov %rbx,%rdx
> 26: 48 c1 ea 03 shr $0x3,%rdx
> * 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
> 2e: 48 89 d8 mov %rbx,%rax
> 31: 83 e0 07 and $0x7,%eax
> 34: 83 c0 03 add $0x3,%eax
> 37: 38 d0 cmp %dl,%al
> 39: 0f 8d 6f 0a 00 00 jge 0xaae
> 3f: 8b .byte 0x8b
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the bug is already fixed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to change bug's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the bug is a duplicate of another bug, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
prev parent reply other threads:[~2023-05-22 17:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-22 5:51 [syzbot] [net?] general protection fault in __sk_mem_raise_allocated syzbot
2023-05-22 17:32 ` Kuniyuki Iwashima [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230522173200.59608-1-kuniyu@amazon.com \
--to=kuniyu@amazon.com \
--cc=bpf@vger.kernel.org \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+444ca0907e96f7c5e48b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.