* general protection fault in sock_def_error_report
@ 2022-07-23 22:07 Dipanjan Das
  2022-07-24  7:21 ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Dipanjan Das @ 2022-07-23 22:07 UTC (permalink / raw)
  To: davem, ast, daniel, kafai, songliubraving, yhs, andriin, sashal,
	edumazet, gregkh, steffen.klassert, netdev, linux-kernel, bpf
  Cc: syzkaller, fleischermarius, its.priyanka.bose


Hi,

We would like to report the following bug which has been found by our
modified version of syzkaller.

======================================================
description: general protection fault in sock_def_error_report
affected file: net/core/sock.c
kernel version: 5.4.206
kernel commit: 6584107915561f860b7b05dcca5c903dd62a308d
git tree: upstream
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1aab6d4187ddf667
crash reproducer: We could only generate the syz-repro for this bug.
The corresponding C-repro does not trigger the bug. The syz-repro can
be run as: `syz-execprog -executor=./syz-executor -repeat=0 -procs=16
-cover=0 repro.syz`
======================================================
Crash log:
======================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5480 Comm: syz-executor.2 Tainted: G           OE     5.4.206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__wake_up_common+0x198/0x650 kernel/sched/wait.c:86
Code: 18 48 39 1c 24 0f 85 eb 01 00 00 8b 44 24 10 48 83 c4 28 5b 5d
41 5c 41 5d 41 5e 41 5f c3 49 8d 54 24 18 48 89 d0 48 c1 e8 03 <80> 3c
28 00 0f 85 c1 02 00 00 49 8b 44 24 18 4d 89 e0 48 83 e8 18
RSP: 0018:ffff8880b25ff4b0 EFLAGS: 00010802
RAX: 1bd5a00000000020 RBX: 0000000000000002 RCX: ffffc900080f5000
RDX: dead000000000100 RSI: ffffffff81c30ef8 RDI: 0000000000000001
RBP: dffffc0000000000 R08: ffff88809f932380 R09: ffffed101637d55d
R10: 00000000000000a0 R11: ffff88809f932380 R12: dead0000000000e8
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000008
FS:  00007f53462e4700(0000) GS:ffff88811a000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f75554d1098 CR3: 00000000b1a27004 CR4: 0000000000160ef0
Call Trace:
 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:123
 sock_def_error_report+0x16a/0x590 net/core/sock.c:2817
 tcp_disconnect+0x14b9/0x1dc0 net/ipv4/tcp.c:2701
 __inet_stream_connect+0xb44/0xe60 net/ipv4/af_inet.c:707
 tcp_sendmsg_fastopen net/ipv4/tcp.c:1176 [inline]
 tcp_sendmsg_locked+0x22b9/0x3220 net/ipv4/tcp.c:1218
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1445
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:807
 smc_sendmsg+0x31f/0x3f0 net/smc/af_smc.c:1566
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd3/0x130 net/socket.c:657
 ____sys_sendmsg+0x304/0x7e0 net/socket.c:2286
 ___sys_sendmsg+0x11d/0x1b0 net/socket.c:2340
 __sys_sendmmsg+0x195/0x480 net/socket.c:2443
 __do_sys_sendmmsg net/socket.c:2472 [inline]
 __se_sys_sendmmsg net/socket.c:2469 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2469
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f53483544ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f53462e3be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f5348473040 RCX: 00007f53483544ed
RDX: 0000000000000001 RSI: 0000000020001a80 RDI: 0000000000000003
RBP: 00007f53483c02e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000084 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcd7ac395f R14: 00007f5348473040 R15: 00007f53462e3d80
Modules linked in: uio_ivshmem(OE) uio(E)
---[ end trace d3594c146e1822a7 ]---
RIP: 0010:__wake_up_common+0x198/0x650 kernel/sched/wait.c:86
Code: 18 48 39 1c 24 0f 85 eb 01 00 00 8b 44 24 10 48 83 c4 28 5b 5d
41 5c 41 5d 41 5e 41 5f c3 49 8d 54 24 18 48 89 d0 48 c1 e8 03 <80> 3c
28 00 0f 85 c1 02 00 00 49 8b 44 24 18 4d 89 e0 48 83 e8 18
RSP: 0018:ffff8880b25ff4b0 EFLAGS: 00010802
RAX: 1bd5a00000000020 RBX: 0000000000000002 RCX: ffffc900080f5000
RDX: dead000000000100 RSI: ffffffff81c30ef8 RDI: 0000000000000001
RBP: dffffc0000000000 R08: ffff88809f932380 R09: ffffed101637d55d
R10: 00000000000000a0 R11: ffff88809f932380 R12: dead0000000000e8
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000008
FS:  00007f53462e4700(0000) GS:ffff88811a000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f75554d1098 CR3: 00000000b1a27004 CR4: 0000000000160ef0
----------------
Code disassembly (best guess):
   0: 18 48 39              sbb    %cl,0x39(%rax)
   3: 1c 24                sbb    $0x24,%al
   5: 0f 85 eb 01 00 00    jne    0x1f6
   b: 8b 44 24 10          mov    0x10(%rsp),%eax
   f: 48 83 c4 28          add    $0x28,%rsp
  13: 5b                    pop    %rbx
  14: 5d                    pop    %rbp
  15: 41 5c                pop    %r12
  17: 41 5d                pop    %r13
  19: 41 5e                pop    %r14
  1b: 41 5f                pop    %r15
  1d: c3                    retq
  1e: 49 8d 54 24 18        lea    0x18(%r12),%rdx
  23: 48 89 d0              mov    %rdx,%rax
  26: 48 c1 e8 03          shr    $0x3,%rax
* 2a: 80 3c 28 00          cmpb   $0x0,(%rax,%rbp,1) <-- trapping instruction
  2e: 0f 85 c1 02 00 00    jne    0x2f5
  34: 49 8b 44 24 18        mov    0x18(%r12),%rax
  39: 4d 89 e0              mov    %r12,%r8
  3c: 48 83 e8 18          sub    $0x18,%rax

-- 
Thanks and Regards,

Dipanjan

[-- Attachment #2: repro.syz --]
[-- Type: application/octet-stream, Size: 349 bytes --]

r0 = socket$inet_smc(0x2b, 0x1, 0x0)
poll(&(0x7f0000000140)=[{r0, 0x1008}, {r0, 0x20}, {r0, 0x2000}, {0xffffffffffffffff, 0x1000}, {r0, 0x220}, {0xffffffffffffffff, 0x10001}, {0xffffffffffffffff, 0x2141}, {r0, 0x2000}, {}], 0x9, 0x7fffffff)
sendmmsg$inet(r0, &(0x7f0000001a80)=[{{&(0x7f0000000380)={0x2, 0x0, @local}, 0x10, 0x0}}], 0x1, 0x20000084)
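As an added illustration for readers triaging this kind of oops (not part of the report, the reproducer, or any kernel tooling), the helper below reads the register dump quoted above and explains the fault: RDX holds LIST_POISON1 and R12 holds LIST_POISON1 minus 0x18 (the wait_queue_entry container_of adjustment done by the `lea 0x18(%r12),%rdx` before the trap), so `__wake_up_common` is walking a wait-queue node that was already unlinked, and the inline KASAN shadow lookup `(ptr >> 3) + 0xdffffc0000000000` of that poisoned pointer lands on a non-canonical address, which is why the access is a general protection fault rather than a page fault. It assumes the x86_64 values of LIST_POISON1/2 and the default KASAN shadow offset; the sample log is a constructed excerpt of the dump above.

```python
import re

# Constructed excerpt of the oops quoted in the report above (the first
# register dump only); a real run would feed it the full dmesg output.
SAMPLE_OOPS = """\
RIP: 0010:__wake_up_common+0x198/0x650 kernel/sched/wait.c:86
RAX: 1bd5a00000000020 RBX: 0000000000000002 RCX: ffffc900080f5000
RDX: dead000000000100 RSI: ffffffff81c30ef8 RDI: 0000000000000001
RBP: dffffc0000000000 R08: ffff88809f932380 R09: ffffed101637d55d
R10: 00000000000000a0 R11: ffff88809f932380 R12: dead0000000000e8
"""

# x86_64 constants from include/linux/poison.h and the default KASAN layout.
# list_del() writes LIST_POISON1/2 into next/prev, so a register holding one
# (or one minus a container_of offset) means an unlinked node is walked again.
POISON_DELTA = 0xDEAD000000000000
LIST_POISON = {POISON_DELTA + 0x100: "LIST_POISON1",
               POISON_DELTA + 0x122: "LIST_POISON2"}
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
REG_RE = re.compile(r"\b(R[A-Z]{2}|R\d{2}):\s([0-9a-f]{16})\b")

def parse_registers(oops: str) -> dict:
    """Map each 64-bit GPR in the dump to its integer value."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}

def poison_findings(regs: dict) -> list:
    """Flag registers holding a list poison value, allowing for container_of offsets."""
    out = []
    for name, val in regs.items():
        nearest = min(LIST_POISON, key=lambda p: abs(val - p))
        if abs(val - nearest) <= 0x200:
            out.append(f"{name}={val:#x} is {LIST_POISON[nearest]}{val - nearest:+#x}")
    return out

def kasan_shadow(addr: int) -> int:
    """Inline-KASAN shadow byte address, (addr >> 3) + offset: what the trapping cmpb reads."""
    return (addr >> 3) + KASAN_SHADOW_OFFSET

def is_canonical(addr: int) -> bool:
    """48-bit x86_64: bits 63..47 all zero or all one; anything else faults with #GP."""
    return (addr >> 47) in (0, (1 << 17) - 1)

def triage(oops: str) -> dict:
    """Explain the GPF: poisoned registers, and whether the shadow address the
    inline check built from the poisoned pointer (RAX = RDX >> 3 here) is canonical."""
    regs = parse_registers(oops)
    shadow = kasan_shadow(regs["RDX"])
    return {"poison": poison_findings(regs),
            "inline_kasan": regs.get("RBP") == KASAN_SHADOW_OFFSET and regs["RAX"] == regs["RDX"] >> 3,
            "shadow_canonical": is_canonical(shadow)}
```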


* Re: general protection fault in sock_def_error_report
  2022-07-23 22:07 general protection fault in sock_def_error_report Dipanjan Das
@ 2022-07-24  7:21 ` Greg KH
  2022-07-24  7:40   ` Dipanjan Das
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2022-07-24  7:21 UTC (permalink / raw)
  To: Dipanjan Das
  Cc: davem, ast, daniel, kafai, songliubraving, yhs, andriin, sashal,
	edumazet, steffen.klassert, netdev, linux-kernel, bpf, syzkaller,
	fleischermarius, its.priyanka.bose

On Sat, Jul 23, 2022 at 03:07:09PM -0700, Dipanjan Das wrote:
> Hi,
> 
> We would like to report the following bug which has been found by our
> modified version of syzkaller.

Do you have a fix for this issue?  Without that, it's a bit harder as:

> ======================================================
> description: general protection fault in sock_def_error_report
> affected file: net/core/sock.c
> kernel version: 5.4.206

You are using a very old kernel version, and we have loads of other
syzbot-reported issues to resolve that trigger on newer kernels.

thanks,

greg k-h


* Re: general protection fault in sock_def_error_report
  2022-07-24  7:21 ` Greg KH
@ 2022-07-24  7:40   ` Dipanjan Das
  2022-07-24 13:42     ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Dipanjan Das @ 2022-07-24  7:40 UTC (permalink / raw)
  To: Greg KH
  Cc: davem, ast, daniel, kafai, songliubraving, yhs, andriin, sashal,
	edumazet, steffen.klassert, netdev, linux-kernel, bpf, syzkaller,
	fleischermarius, its.priyanka.bose

On Sun, Jul 24, 2022 at 12:26 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Sat, Jul 23, 2022 at 03:07:09PM -0700, Dipanjan Das wrote:
> > Hi,
> >
> > We would like to report the following bug which has been found by our
> > modified version of syzkaller.
>
> Do you have a fix for this issue?  Without that, it's a bit harder as:

We will try to root cause the issue and provide a fix, if possible.

>
> > ======================================================
> > description: general protection fault in sock_def_error_report
> > affected file: net/core/sock.c
> > kernel version: 5.4.206
>
> You are using a very old kernel version, and we have loads of other
> syzbot-reported issues to resolve that trigger on newer kernels.

Since 5.4.206 is a longterm release kernel, we were under the
impression that the community is still accepting fixes and patches for
the same. I understand that adding another bug to the already pending
queue of syzbot reported issues is not going to help the developers
much. Therefore, we will definitely try our best to analyze the issue
and provide a fix in the coming days. Can you please confirm that it
is worth the effort for the longterm release kernels?

>
> thanks,
>
> greg k-h



-- 
Thanks and Regards,

Dipanjan


* Re: general protection fault in sock_def_error_report
  2022-07-24  7:40   ` Dipanjan Das
@ 2022-07-24 13:42     ` Greg KH
  2022-07-28 19:24       ` Dipanjan Das
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2022-07-24 13:42 UTC (permalink / raw)
  To: Dipanjan Das
  Cc: davem, ast, daniel, kafai, songliubraving, yhs, andriin, sashal,
	edumazet, steffen.klassert, netdev, linux-kernel, bpf, syzkaller,
	fleischermarius, its.priyanka.bose

On Sun, Jul 24, 2022 at 12:40:09AM -0700, Dipanjan Das wrote:
> On Sun, Jul 24, 2022 at 12:26 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Sat, Jul 23, 2022 at 03:07:09PM -0700, Dipanjan Das wrote:
> > > Hi,
> > >
> > > We would like to report the following bug which has been found by our
> > > modified version of syzkaller.
> >
> > Do you have a fix for this issue?  Without that, it's a bit harder as:
> 
> We will try to root cause the issue and provide a fix, if possible.
> 
> >
> > > ======================================================
> > > description: general protection fault in sock_def_error_report
> > > affected file: net/core/sock.c
> > > kernel version: 5.4.206
> >
> > You are using a very old kernel version, and we have loads of other
> > syzbot-reported issues to resolve that trigger on newer kernels.
> 
> Since 5.4.206 is a longterm release kernel, we were under the
> impression that the community is still accepting fixes and patches for
> the same. I understand that adding another bug to the already pending
> queue of syzbot reported issues is not going to help the developers
> much. Therefore, we will definitely try our best to analyze the issue
> and provide a fix in the coming days. Can you please confirm that it
> is worth the effort for the longterm release kernels?

It is worth the effort if the problem is still in the latest kernel
release as that is the only place that new development happens.  If the
issue is not reproducible on Linus's current releases, then finding the
change that solved the problem is also good so that we can then backport
it to the stable/long term kernel release for everyone to benefit from.

So does your reproducer still work on the latest 5.19-rc7 release?

thanks,

greg k-h


* Re: general protection fault in sock_def_error_report
  2022-07-24 13:42     ` Greg KH
@ 2022-07-28 19:24       ` Dipanjan Das
  2022-07-29  7:44         ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Dipanjan Das @ 2022-07-28 19:24 UTC (permalink / raw)
  To: Greg KH
  Cc: davem, ast, daniel, kafai, songliubraving, yhs, andriin, sashal,
	edumazet, steffen.klassert, netdev, linux-kernel, bpf, syzkaller,
	fleischermarius, its.priyanka.bose

On Sun, Jul 24, 2022 at 6:43 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> It is worth the effort if the problem is still in the latest kernel
> release as that is the only place that new development happens.

The problem does not exist in the latest release.

> If the issue is not reproducible on Linus's current releases, then finding the
> change that solved the problem is also good so that we can then backport
> it to the stable/long term kernel release for everyone to benefit from.

The change that solved the issue in the mainline is this:
341adeec9adad0874f29a0a1af35638207352a39

Here is one additional piece of information that you may find useful.
Though we originally reported the bug for the longterm release
v5.4.206, we noticed that the same issue exists in another longterm
release v5.10.131, too. We manually bisected the commits in those two
longterm branches to find the bug-introducing commits. We observe that
the commits d6e981ec9491be5ec46d838b1151e7edefe607f5 and
ff6eeb627898c179aac421af5d6515d3f50b84df introduced the bug in 5.4.y
and 5.10.y branches, respectively.

-- 
Thanks and Regards,

Dipanjan


* Re: general protection fault in sock_def_error_report
  2022-07-28 19:24       ` Dipanjan Das
@ 2022-07-29  7:44         ` Greg KH
  2022-07-29  7:47           ` Dipanjan Das
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2022-07-29  7:44 UTC (permalink / raw)
  To: Dipanjan Das
  Cc: davem, ast, daniel, kafai, songliubraving, yhs, andriin, sashal,
	edumazet, steffen.klassert, netdev, linux-kernel, bpf, syzkaller,
	fleischermarius, its.priyanka.bose

On Thu, Jul 28, 2022 at 12:24:59PM -0700, Dipanjan Das wrote:
> On Sun, Jul 24, 2022 at 6:43 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > It is worth the effort if the problem is still in the latest kernel
> > release as that is the only place that new development happens.
> 
> The problem does not exist in the latest release.
> 
> > If the issue is not reproducible on Linus's current releases, then finding the
> > change that solved the problem is also good so that we can then backport
> > it to the stable/long term kernel release for everyone to benefit from.
> 
> The change that solved the issue in the mainline is this:
> 341adeec9adad0874f29a0a1af35638207352a39

As you must have tested this, can you provide a properly backported
version of this commit for the 5.4.y and 5.10.y trees, as it does not
apply cleanly as-is.

Please submit it to stable@vger.kernel.org and we will be glad to apply
it.

thanks,

greg k-h


* Re: general protection fault in sock_def_error_report
  2022-07-29  7:44         ` Greg KH
@ 2022-07-29  7:47           ` Dipanjan Das
  0 siblings, 0 replies; 7+ messages in thread
From: Dipanjan Das @ 2022-07-29  7:47 UTC (permalink / raw)
  To: Greg KH
  Cc: davem, ast, daniel, kafai, songliubraving, yhs, andriin, sashal,
	edumazet, steffen.klassert, netdev, linux-kernel, bpf, syzkaller,
	fleischermarius, its.priyanka.bose

On Fri, Jul 29, 2022 at 12:44 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> As you must have tested this, can you provide a properly backported
> version of this commit for the 5.4.y and 5.10.y trees, as it does not
> apply cleanly as-is.
>
> Please submit it to stable@vger.kernel.org and we will be glad to apply
> it.

Of course. Please allow us to take a couple of days. We will get back
with a backported patch.

-- 
Thanks and Regards,

Dipanjan
