* general protection fault in sctp_assoc_rwnd_increase @ 2019-03-12 13:52 syzbot 2019-03-12 16:29 ` Xin Long 2019-03-16 14:09 ` syzbot 0 siblings, 2 replies; 6+ messages in thread From: syzbot @ 2019-03-12 13:52 UTC (permalink / raw) To: davem, linux-kernel, linux-sctp, marcelo.leitner, netdev, nhorman, syzkaller-bugs, vyasevich Hello, syzbot found the following crash on: HEAD commit: a089e4fe Merge tag 'linux-watchdog-5.1-rc1' of git://www.l.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=144e9ee7200000 kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a compiler: gcc (GCC) 9.0.0 20181231 (experimental) userspace arch: amd64 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679 RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003 RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038 R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 7680 Comm: syz-executor161 Not tainted 5.0.0+ #18 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498 Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06 RSP: 0018:ffff88808da476f8 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000 FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0 Call Trace: sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline] sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129 sctp_queue_purge_ulpevents+0xc4/0x110 net/sctp/ulpevent.c:1146 sctp_close+0x148/0x860 net/sctp/socket.c:1515 inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428 inet6_release+0x53/0x80 net/ipv6/af_inet6.c:473 __sock_release+0x1fe/0x2b0 net/socket.c:579 sock_release+0x18/0x20 net/socket.c:599 sctp_do_peeloff+0x38a/0x470 net/sctp/socket.c:5649 sctp_getsockopt_peeloff_common.isra.0+0x8e/0x270 net/sctp/socket.c:5665 sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline] sctp_getsockopt net/sctp/socket.c:7802 [inline] sctp_getsockopt+0x1ec1/0x6741 net/sctp/socket.c:7758 sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079 __sys_getsockopt+0x168/0x250 net/socket.c:1960 __do_sys_getsockopt net/socket.c:1971 [inline] __se_sys_getsockopt net/socket.c:1968 [inline] __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x446679 Code: e8 6c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f47f49ded88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679 RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003 RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038 R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf Modules linked in: ---[ end trace dfa9a15945f164b7 ]--- RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498 Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06 RSP: 0018:ffff88808da476f8 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000 FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0 --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot. syzbot can test patches for this bug, for details see: https://goo.gl/tpsmEJ#testing-patches ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase 2019-03-12 13:52 general protection fault in sctp_assoc_rwnd_increase syzbot @ 2019-03-12 16:29 ` Xin Long 2019-03-12 17:26 ` Dmitry Vyukov 2019-03-16 14:09 ` syzbot 1 sibling, 1 reply; 6+ messages in thread From: Xin Long @ 2019-03-12 16:29 UTC (permalink / raw) To: syzbot Cc: davem, LKML, linux-sctp, Marcelo Ricardo Leitner, network dev, Neil Horman, syzkaller-bugs, Vlad Yasevich On Tue, Mar 12, 2019 at 9:52 PM syzbot <syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following crash on: > > HEAD commit: a089e4fe Merge tag 'linux-watchdog-5.1-rc1' of git://www.l.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=144e9ee7200000 > kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b > dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > userspace arch: amd64 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000 Not sure why I got this Call Trace with the reproducer, and it's different, is that expected? [256577.101170] FAULT_INJECTION: forcing a failure. [256577.101170] name failslab, interval 1, probability 0, space 0, times 0 [256577.103628] CPU: 0 PID: 2453 Comm: syz-executor Not tainted 5.0.0.test.syz #235 [256577.105201] Hardware name: Red Hat KVM, BIOS seabios-1.7.5-8.el7 04/01/2014 [256577.106680] Call Trace: [256577.107248] dump_stack+0x7c/0xc0 [256577.107981] should_fail.cold.4+0x5/0x13 [256577.108853] ? fault_create_debugfs_attr+0x190/0x190 [256577.109926] ? lock_downgrade+0x5d0/0x5d0 [256577.110816] ? selinux_sk_alloc_security+0x72/0x190 [256577.111878] ? selinux_sk_alloc_security+0x72/0x190 [256577.112931] should_failslab+0xa/0x20 [256577.113738] kmem_cache_alloc_trace+0x27a/0x350 [256577.114733] selinux_sk_alloc_security+0x72/0x190 [256577.115757] ? kmem_cache_alloc+0x2dc/0x310 [256577.116674] security_sk_alloc+0x4f/0x90 [256577.117543] sk_prot_alloc+0x82/0x250 [256577.118362] sk_alloc+0x35/0xc80 [256577.119100] inet6_create+0x26e/0xec0 [256577.119924] __sock_create+0x277/0x550 [256577.120804] sctp_do_peeloff+0x162/0x3b0 [sctp] [256577.121795] ? sched_clock+0x5/0x10 [256577.122596] ? sctp_copy_sock+0xfa0/0xfa0 [sctp] [256577.123646] sctp_getsockopt_peeloff_common.isra.31+0x78/0x2c0 [sctp] [256577.125064] ? sctp_do_peeloff+0x3b0/0x3b0 [sctp] [256577.126129] sctp_getsockopt.part.32+0x2d76/0x4a90 [sctp] > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com > > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679 > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003 > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038 > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: 0000 [#1] PREEMPT SMP KASAN > CPU: 0 PID: 7680 Comm: syz-executor161 Not tainted 5.0.0+ #18 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498 > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06 > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06 > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203 > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88 > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000 > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0 > Call Trace: > sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline] > sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129 > sctp_queue_purge_ulpevents+0xc4/0x110 net/sctp/ulpevent.c:1146 > sctp_close+0x148/0x860 net/sctp/socket.c:1515 > inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428 > inet6_release+0x53/0x80 net/ipv6/af_inet6.c:473 > __sock_release+0x1fe/0x2b0 net/socket.c:579 > sock_release+0x18/0x20 net/socket.c:599 > sctp_do_peeloff+0x38a/0x470 net/sctp/socket.c:5649 > sctp_getsockopt_peeloff_common.isra.0+0x8e/0x270 net/sctp/socket.c:5665 > sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline] > sctp_getsockopt net/sctp/socket.c:7802 [inline] > sctp_getsockopt+0x1ec1/0x6741 net/sctp/socket.c:7758 > sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079 > __sys_getsockopt+0x168/0x250 net/socket.c:1960 > __do_sys_getsockopt net/socket.c:1971 [inline] > __se_sys_getsockopt net/socket.c:1968 [inline] > __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968 > do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > RIP: 0033:0x446679 > Code: e8 6c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 > RSP: 002b:00007f47f49ded88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679 > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003 > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038 > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf > Modules linked in: > ---[ end trace dfa9a15945f164b7 ]--- > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498 > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06 > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06 > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203 > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88 > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000 > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0 > > > --- > This bug is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with > syzbot. > syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase 2019-03-12 16:29 ` Xin Long @ 2019-03-12 17:26 ` Dmitry Vyukov 2019-03-18 6:25 ` Xin Long 0 siblings, 1 reply; 6+ messages in thread From: Dmitry Vyukov @ 2019-03-12 17:26 UTC (permalink / raw) To: Xin Long Cc: syzbot, davem, LKML, linux-sctp, Marcelo Ricardo Leitner, network dev, Neil Horman, syzkaller-bugs, Vlad Yasevich On Tue, Mar 12, 2019 at 5:30 PM Xin Long <lucien.xin@gmail.com> wrote: > > On Tue, Mar 12, 2019 at 9:52 PM syzbot > <syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com> wrote: > > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: a089e4fe Merge tag 'linux-watchdog-5.1-rc1' of git://www.l.. > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=144e9ee7200000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b > > dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > userspace arch: amd64 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000 > Not sure why I got this Call Trace with the reproducer, and it's > different, is that expected? Hi Xin, This is no a crash. This is fault injection stack trace. Fault injection subsystem prints stack whenever it injects a fault so that it's possible o figure out what happened and where. You can see a fault injection stack trace in the "console output' for the crash too. But if seems that your stack trace is slightly different, and that most likely explains why you can't reproduce the bug. This seems to be a bug that it triggered by a very particular failing kmalloc. If on your kernel fault is injected into a different kmalloc, you won't reproduce the bug. For fault injection-triggered bugs you need precisely the same kernel. You can actually see this in action: for smack and apparmor-based kernels fault needs to be injected into 7-th and 8-th kmalloc in the syscall respectively: https://syzkaller.appspot.com/text?tag=ReproSyz&x=12613b13200000 https://syzkaller.appspot.com/text?tag=ReproSyz&x=14425577200000 Or you can play with the fault_nth parameter to target fault injection into the right place... Or of course just change the kernel code to fail that kmalloc explicitly. > [256577.101170] FAULT_INJECTION: forcing a failure. > [256577.101170] name failslab, interval 1, probability 0, space 0, times 0 > [256577.103628] CPU: 0 PID: 2453 Comm: syz-executor Not tainted > 5.0.0.test.syz #235 > [256577.105201] Hardware name: Red Hat KVM, BIOS seabios-1.7.5-8.el7 04/01/2014 > [256577.106680] Call Trace: > [256577.107248] dump_stack+0x7c/0xc0 > [256577.107981] should_fail.cold.4+0x5/0x13 > [256577.108853] ? fault_create_debugfs_attr+0x190/0x190 > [256577.109926] ? lock_downgrade+0x5d0/0x5d0 > [256577.110816] ? selinux_sk_alloc_security+0x72/0x190 > [256577.111878] ? selinux_sk_alloc_security+0x72/0x190 > [256577.112931] should_failslab+0xa/0x20 > [256577.113738] kmem_cache_alloc_trace+0x27a/0x350 > [256577.114733] selinux_sk_alloc_security+0x72/0x190 > [256577.115757] ? kmem_cache_alloc+0x2dc/0x310 > [256577.116674] security_sk_alloc+0x4f/0x90 > [256577.117543] sk_prot_alloc+0x82/0x250 > [256577.118362] sk_alloc+0x35/0xc80 > [256577.119100] inet6_create+0x26e/0xec0 > [256577.119924] __sock_create+0x277/0x550 > [256577.120804] sctp_do_peeloff+0x162/0x3b0 [sctp] > [256577.121795] ? sched_clock+0x5/0x10 > [256577.122596] ? sctp_copy_sock+0xfa0/0xfa0 [sctp] > [256577.123646] sctp_getsockopt_peeloff_common.isra.31+0x78/0x2c0 [sctp] > [256577.125064] ? sctp_do_peeloff+0x3b0/0x3b0 [sctp] > [256577.126129] sctp_getsockopt.part.32+0x2d76/0x4a90 [sctp] > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com > > > > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679 > > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003 > > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038 > > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c > > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf > > kasan: CONFIG_KASAN_INLINE enabled > > kasan: GPF could be caused by NULL-ptr deref or user memory access > > general protection fault: 0000 [#1] PREEMPT SMP KASAN > > CPU: 0 PID: 7680 Comm: syz-executor161 Not tainted 5.0.0+ #18 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498 > > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06 > > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 > > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06 > > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203 > > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 > > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f > > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88 > > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff > > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000 > > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0 > > Call Trace: > > sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline] > > sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129 > > sctp_queue_purge_ulpevents+0xc4/0x110 net/sctp/ulpevent.c:1146 > > sctp_close+0x148/0x860 net/sctp/socket.c:1515 > > inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428 > > inet6_release+0x53/0x80 net/ipv6/af_inet6.c:473 > > __sock_release+0x1fe/0x2b0 net/socket.c:579 > > sock_release+0x18/0x20 net/socket.c:599 > > sctp_do_peeloff+0x38a/0x470 net/sctp/socket.c:5649 > > sctp_getsockopt_peeloff_common.isra.0+0x8e/0x270 net/sctp/socket.c:5665 > > sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline] > > sctp_getsockopt net/sctp/socket.c:7802 [inline] > > sctp_getsockopt+0x1ec1/0x6741 net/sctp/socket.c:7758 > > sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079 > > __sys_getsockopt+0x168/0x250 net/socket.c:1960 > > __do_sys_getsockopt net/socket.c:1971 [inline] > > __se_sys_getsockopt net/socket.c:1968 [inline] > > __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968 > > do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 > > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > RIP: 0033:0x446679 > > Code: e8 6c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > > ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 > > RSP: 002b:00007f47f49ded88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 > > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679 > > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003 > > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038 > > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c > > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf > > Modules linked in: > > ---[ end trace dfa9a15945f164b7 ]--- > > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498 > > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06 > > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 > > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06 > > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203 > > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 > > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f > > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88 > > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff > > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000 > > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0 > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase 2019-03-12 17:26 ` Dmitry Vyukov @ 2019-03-18 6:25 ` Xin Long 0 siblings, 0 replies; 6+ messages in thread From: Xin Long @ 2019-03-18 6:25 UTC (permalink / raw) To: Dmitry Vyukov Cc: syzbot, davem, LKML, linux-sctp, Marcelo Ricardo Leitner, network dev, Neil Horman, syzkaller-bugs, Vlad Yasevich On Wed, Mar 13, 2019 at 1:27 AM Dmitry Vyukov <dvyukov@google.com> wrote: > > On Tue, Mar 12, 2019 at 5:30 PM Xin Long <lucien.xin@gmail.com> wrote: > > > > On Tue, Mar 12, 2019 at 9:52 PM syzbot > > <syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com> wrote: > > > > > > Hello, > > > > > > syzbot found the following crash on: > > > > > > HEAD commit: a089e4fe Merge tag 'linux-watchdog-5.1-rc1' of git://www.l.. > > > git tree: upstream > > > console output: https://syzkaller.appspot.com/x/log.txt?x=144e9ee7200000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b > > > dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > > userspace arch: amd64 > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000 > > Not sure why I got this Call Trace with the reproducer, and it's > > different, is that expected? > > Hi Xin, > > This is no a crash. This is fault injection stack trace. > Fault injection subsystem prints stack whenever it injects a fault so > that it's possible o figure out what happened and where. > > You can see a fault injection stack trace in the "console output' for > the crash too. > But if seems that your stack trace is slightly different, and that > most likely explains why you can't reproduce the bug. > This seems to be a bug that it triggered by a very particular failing > kmalloc. If on your kernel fault is injected into a different kmalloc, > you won't reproduce the bug. > For fault injection-triggered bugs you need precisely the same kernel. > You can actually see this in action: for smack and apparmor-based > kernels fault needs to be injected into 7-th and 8-th kmalloc in the > syscall respectively: > > https://syzkaller.appspot.com/text?tag=ReproSyz&x=12613b13200000 > https://syzkaller.appspot.com/text?tag=ReproSyz&x=14425577200000 > > Or you can play with the fault_nth parameter to target fault injection > into the right place... Or of course just change the kernel code to > fail that kmalloc explicitly. I could be able to reproduce it with "-fault_nth=16" in my env. Thanks Dmitry. > > > > [256577.101170] FAULT_INJECTION: forcing a failure. > > [256577.101170] name failslab, interval 1, probability 0, space 0, times 0 > > [256577.103628] CPU: 0 PID: 2453 Comm: syz-executor Not tainted > > 5.0.0.test.syz #235 > > [256577.105201] Hardware name: Red Hat KVM, BIOS seabios-1.7.5-8.el7 04/01/2014 > > [256577.106680] Call Trace: > > [256577.107248] dump_stack+0x7c/0xc0 > > [256577.107981] should_fail.cold.4+0x5/0x13 > > [256577.108853] ? fault_create_debugfs_attr+0x190/0x190 > > [256577.109926] ? lock_downgrade+0x5d0/0x5d0 > > [256577.110816] ? selinux_sk_alloc_security+0x72/0x190 > > [256577.111878] ? selinux_sk_alloc_security+0x72/0x190 > > [256577.112931] should_failslab+0xa/0x20 > > [256577.113738] kmem_cache_alloc_trace+0x27a/0x350 > > [256577.114733] selinux_sk_alloc_security+0x72/0x190 > > [256577.115757] ? kmem_cache_alloc+0x2dc/0x310 > > [256577.116674] security_sk_alloc+0x4f/0x90 > > [256577.117543] sk_prot_alloc+0x82/0x250 > > [256577.118362] sk_alloc+0x35/0xc80 > > [256577.119100] inet6_create+0x26e/0xec0 > > [256577.119924] __sock_create+0x277/0x550 > > [256577.120804] sctp_do_peeloff+0x162/0x3b0 [sctp] > > [256577.121795] ? sched_clock+0x5/0x10 > > [256577.122596] ? sctp_copy_sock+0xfa0/0xfa0 [sctp] > > [256577.123646] sctp_getsockopt_peeloff_common.isra.31+0x78/0x2c0 [sctp] > > [256577.125064] ? sctp_do_peeloff+0x3b0/0x3b0 [sctp] > > [256577.126129] sctp_getsockopt.part.32+0x2d76/0x4a90 [sctp] > > > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > > Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com > > > > > > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679 > > > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003 > > > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038 > > > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c > > > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf > > > kasan: CONFIG_KASAN_INLINE enabled > > > kasan: GPF could be caused by NULL-ptr deref or user memory access > > > general protection fault: 0000 [#1] PREEMPT SMP KASAN > > > CPU: 0 PID: 7680 Comm: syz-executor161 Not tainted 5.0.0+ #18 > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > > Google 01/01/2011 > > > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498 > > > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06 > > > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 > > > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06 > > > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203 > > > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 > > > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f > > > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88 > > > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff > > > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000 > > > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 > > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0 > > > Call Trace: > > > sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline] > > > sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129 > > > sctp_queue_purge_ulpevents+0xc4/0x110 net/sctp/ulpevent.c:1146 > > > sctp_close+0x148/0x860 net/sctp/socket.c:1515 > > > inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428 > > > inet6_release+0x53/0x80 net/ipv6/af_inet6.c:473 > > > __sock_release+0x1fe/0x2b0 net/socket.c:579 > > > sock_release+0x18/0x20 net/socket.c:599 > > > sctp_do_peeloff+0x38a/0x470 net/sctp/socket.c:5649 > > > sctp_getsockopt_peeloff_common.isra.0+0x8e/0x270 net/sctp/socket.c:5665 > > > sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline] > > > sctp_getsockopt net/sctp/socket.c:7802 [inline] > > > sctp_getsockopt+0x1ec1/0x6741 net/sctp/socket.c:7758 > > > sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079 > > > __sys_getsockopt+0x168/0x250 net/socket.c:1960 > > > __do_sys_getsockopt net/socket.c:1971 [inline] > > > __se_sys_getsockopt net/socket.c:1968 [inline] > > > __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968 > > > do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 > > > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > > RIP: 0033:0x446679 > > > Code: e8 6c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > > > ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 > > > RSP: 002b:00007f47f49ded88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 > > > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679 > > > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003 > > > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038 > > > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c > > > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf > > > Modules linked in: > > > ---[ end trace dfa9a15945f164b7 ]--- > > > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498 > > > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06 > > > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 > > > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06 > > > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203 > > > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 > > > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f > > > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88 > > > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff > > > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000 > > > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 > > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0 > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase 2019-03-12 13:52 general protection fault in sctp_assoc_rwnd_increase syzbot 2019-03-12 16:29 ` Xin Long @ 2019-03-16 14:09 ` syzbot 2019-03-17 13:17 ` Xin Long 1 sibling, 1 reply; 6+ messages in thread From: syzbot @ 2019-03-16 14:09 UTC (permalink / raw) To: davem, dvyukov, linux-kernel, linux-sctp, lucien.xin, marcelo.leitner, netdev, nhorman, syzkaller-bugs, vyasevich syzbot has bisected this bug to: commit 89664c623617b1d34447a927ac7871ddf3db29d3 Author: Xin Long <lucien.xin@gmail.com> Date: Sun Mar 3 09:54:53 2019 +0000 sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b17777200000 start commit: 89664c62 sctp: sctp_sock_migrate() returns error if sctp_b.. git tree: upstream final crash: https://syzkaller.appspot.com/x/report.txt?x=14717777200000 console output: https://syzkaller.appspot.com/x/log.txt?x=10717777200000 kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000 Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com Fixes: 89664c62 ("sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails") ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase 2019-03-16 14:09 ` syzbot @ 2019-03-17 13:17 ` Xin Long 0 siblings, 0 replies; 6+ messages in thread From: Xin Long @ 2019-03-17 13:17 UTC (permalink / raw) To: syzbot Cc: davem, Dmitry Vyukov, LKML, linux-sctp, Marcelo Ricardo Leitner, network dev, Neil Horman, syzkaller-bugs, Vlad Yasevich On Sat, Mar 16, 2019 at 10:09 PM syzbot <syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com> wrote: > > syzbot has bisected this bug to: > > commit 89664c623617b1d34447a927ac7871ddf3db29d3 > Author: Xin Long <lucien.xin@gmail.com> > Date: Sun Mar 3 09:54:53 2019 +0000 > > sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b17777200000 > start commit: 89664c62 sctp: sctp_sock_migrate() returns error if sctp_b.. > git tree: upstream > final crash: https://syzkaller.appspot.com/x/report.txt?x=14717777200000 > console output: https://syzkaller.appspot.com/x/log.txt?x=10717777200000 > kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b > dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000 > > Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com > Fixes: 89664c62 ("sctp: sctp_sock_migrate() returns error if > sctp_bind_addr_dup() fails") sctp_copy_descendant() coplied sctp_sock->pd_lobby. we should fix it with: diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 06c6f4a..e0857dd 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -9175,7 +9175,7 @@ static inline void sctp_copy_descendant(struct sock *sk_to, { int ancestor_size = sizeof(struct inet_sock) + sizeof(struct sctp_sock) - - offsetof(struct sctp_sock, auto_asconf_list); + offsetof(struct sctp_sock, pd_lobby); if (sk_from->sk_family == PF_INET6) ancestor_size += sizeof(struct ipv6_pinfo); ^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-03-18 6:25 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-03-12 13:52 general protection fault in sctp_assoc_rwnd_increase syzbot 2019-03-12 16:29 ` Xin Long 2019-03-12 17:26 ` Dmitry Vyukov 2019-03-18 6:25 ` Xin Long 2019-03-16 14:09 ` syzbot 2019-03-17 13:17 ` Xin Long
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).