* general protection fault in sctp_assoc_rwnd_increase
@ 2019-03-12 13:52 syzbot
2019-03-12 16:29 ` Xin Long
2019-03-16 14:09 ` syzbot
0 siblings, 2 replies; 6+ messages in thread
From: syzbot @ 2019-03-12 13:52 UTC (permalink / raw)
To: davem, linux-kernel, linux-sctp, marcelo.leitner, netdev,
nhorman, syzkaller-bugs, vyasevich
Hello,
syzbot found the following crash on:
HEAD commit: a089e4fe Merge tag 'linux-watchdog-5.1-rc1' of git://www.l..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=144e9ee7200000
kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b
dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: amd64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679
RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038
R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7680 Comm: syz-executor161 Not tainted 5.0.0+ #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498
Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06
00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06
RSP: 0018:ffff88808da476f8 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f
RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff
R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000
FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0
Call Trace:
sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline]
sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129
sctp_queue_purge_ulpevents+0xc4/0x110 net/sctp/ulpevent.c:1146
sctp_close+0x148/0x860 net/sctp/socket.c:1515
inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428
inet6_release+0x53/0x80 net/ipv6/af_inet6.c:473
__sock_release+0x1fe/0x2b0 net/socket.c:579
sock_release+0x18/0x20 net/socket.c:599
sctp_do_peeloff+0x38a/0x470 net/sctp/socket.c:5649
sctp_getsockopt_peeloff_common.isra.0+0x8e/0x270 net/sctp/socket.c:5665
sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline]
sctp_getsockopt net/sctp/socket.c:7802 [inline]
sctp_getsockopt+0x1ec1/0x6741 net/sctp/socket.c:7758
sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079
__sys_getsockopt+0x168/0x250 net/socket.c:1960
__do_sys_getsockopt net/socket.c:1971 [inline]
__se_sys_getsockopt net/socket.c:1968 [inline]
__x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446679
Code: e8 6c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f47f49ded88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679
RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038
R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf
Modules linked in:
---[ end trace dfa9a15945f164b7 ]---
RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498
Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06
00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06
RSP: 0018:ffff88808da476f8 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f
RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff
R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000
FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase
2019-03-12 13:52 general protection fault in sctp_assoc_rwnd_increase syzbot
@ 2019-03-12 16:29 ` Xin Long
2019-03-12 17:26 ` Dmitry Vyukov
2019-03-16 14:09 ` syzbot
1 sibling, 1 reply; 6+ messages in thread
From: Xin Long @ 2019-03-12 16:29 UTC (permalink / raw)
To: syzbot
Cc: davem, LKML, linux-sctp, Marcelo Ricardo Leitner, network dev,
Neil Horman, syzkaller-bugs, Vlad Yasevich
On Tue, Mar 12, 2019 at 9:52 PM syzbot
<syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: a089e4fe Merge tag 'linux-watchdog-5.1-rc1' of git://www.l..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=144e9ee7200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b
> dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> userspace arch: amd64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000
Not sure why I got this Call Trace with the reproducer, and it's
different, is that expected?
[256577.101170] FAULT_INJECTION: forcing a failure.
[256577.101170] name failslab, interval 1, probability 0, space 0, times 0
[256577.103628] CPU: 0 PID: 2453 Comm: syz-executor Not tainted
5.0.0.test.syz #235
[256577.105201] Hardware name: Red Hat KVM, BIOS seabios-1.7.5-8.el7 04/01/2014
[256577.106680] Call Trace:
[256577.107248] dump_stack+0x7c/0xc0
[256577.107981] should_fail.cold.4+0x5/0x13
[256577.108853] ? fault_create_debugfs_attr+0x190/0x190
[256577.109926] ? lock_downgrade+0x5d0/0x5d0
[256577.110816] ? selinux_sk_alloc_security+0x72/0x190
[256577.111878] ? selinux_sk_alloc_security+0x72/0x190
[256577.112931] should_failslab+0xa/0x20
[256577.113738] kmem_cache_alloc_trace+0x27a/0x350
[256577.114733] selinux_sk_alloc_security+0x72/0x190
[256577.115757] ? kmem_cache_alloc+0x2dc/0x310
[256577.116674] security_sk_alloc+0x4f/0x90
[256577.117543] sk_prot_alloc+0x82/0x250
[256577.118362] sk_alloc+0x35/0xc80
[256577.119100] inet6_create+0x26e/0xec0
[256577.119924] __sock_create+0x277/0x550
[256577.120804] sctp_do_peeloff+0x162/0x3b0 [sctp]
[256577.121795] ? sched_clock+0x5/0x10
[256577.122596] ? sctp_copy_sock+0xfa0/0xfa0 [sctp]
[256577.123646] sctp_getsockopt_peeloff_common.isra.31+0x78/0x2c0 [sctp]
[256577.125064] ? sctp_do_peeloff+0x3b0/0x3b0 [sctp]
[256577.126129] sctp_getsockopt.part.32+0x2d76/0x4a90 [sctp]
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
>
> RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679
> RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
> RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038
> R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c
> R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 7680 Comm: syz-executor161 Not tainted 5.0.0+ #18
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498
> Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06
> 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
> c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06
> RSP: 0018:ffff88808da476f8 EFLAGS: 00010203
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
> RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f
> RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff
> R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000
> FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0
> Call Trace:
> sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline]
> sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129
> sctp_queue_purge_ulpevents+0xc4/0x110 net/sctp/ulpevent.c:1146
> sctp_close+0x148/0x860 net/sctp/socket.c:1515
> inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428
> inet6_release+0x53/0x80 net/ipv6/af_inet6.c:473
> __sock_release+0x1fe/0x2b0 net/socket.c:579
> sock_release+0x18/0x20 net/socket.c:599
> sctp_do_peeloff+0x38a/0x470 net/sctp/socket.c:5649
> sctp_getsockopt_peeloff_common.isra.0+0x8e/0x270 net/sctp/socket.c:5665
> sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline]
> sctp_getsockopt net/sctp/socket.c:7802 [inline]
> sctp_getsockopt+0x1ec1/0x6741 net/sctp/socket.c:7758
> sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079
> __sys_getsockopt+0x168/0x250 net/socket.c:1960
> __do_sys_getsockopt net/socket.c:1971 [inline]
> __se_sys_getsockopt net/socket.c:1968 [inline]
> __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968
> do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x446679
> Code: e8 6c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f47f49ded88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679
> RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
> RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038
> R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c
> R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf
> Modules linked in:
> ---[ end trace dfa9a15945f164b7 ]---
> RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498
> Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06
> 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
> c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06
> RSP: 0018:ffff88808da476f8 EFLAGS: 00010203
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
> RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f
> RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff
> R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000
> FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase
2019-03-12 16:29 ` Xin Long
@ 2019-03-12 17:26 ` Dmitry Vyukov
2019-03-18 6:25 ` Xin Long
0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Vyukov @ 2019-03-12 17:26 UTC (permalink / raw)
To: Xin Long
Cc: syzbot, davem, LKML, linux-sctp, Marcelo Ricardo Leitner,
network dev, Neil Horman, syzkaller-bugs, Vlad Yasevich
On Tue, Mar 12, 2019 at 5:30 PM Xin Long <lucien.xin@gmail.com> wrote:
>
> On Tue, Mar 12, 2019 at 9:52 PM syzbot
> <syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: a089e4fe Merge tag 'linux-watchdog-5.1-rc1' of git://www.l..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=144e9ee7200000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b
> > dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > userspace arch: amd64
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000
> Not sure why I got this Call Trace with the reproducer, and it's
> different, is that expected?
Hi Xin,
This is no a crash. This is fault injection stack trace.
Fault injection subsystem prints stack whenever it injects a fault so
that it's possible o figure out what happened and where.
You can see a fault injection stack trace in the "console output' for
the crash too.
But if seems that your stack trace is slightly different, and that
most likely explains why you can't reproduce the bug.
This seems to be a bug that it triggered by a very particular failing
kmalloc. If on your kernel fault is injected into a different kmalloc,
you won't reproduce the bug.
For fault injection-triggered bugs you need precisely the same kernel.
You can actually see this in action: for smack and apparmor-based
kernels fault needs to be injected into 7-th and 8-th kmalloc in the
syscall respectively:
https://syzkaller.appspot.com/text?tag=ReproSyz&x=12613b13200000
https://syzkaller.appspot.com/text?tag=ReproSyz&x=14425577200000
Or you can play with the fault_nth parameter to target fault injection
into the right place... Or of course just change the kernel code to
fail that kmalloc explicitly.
> [256577.101170] FAULT_INJECTION: forcing a failure.
> [256577.101170] name failslab, interval 1, probability 0, space 0, times 0
> [256577.103628] CPU: 0 PID: 2453 Comm: syz-executor Not tainted
> 5.0.0.test.syz #235
> [256577.105201] Hardware name: Red Hat KVM, BIOS seabios-1.7.5-8.el7 04/01/2014
> [256577.106680] Call Trace:
> [256577.107248] dump_stack+0x7c/0xc0
> [256577.107981] should_fail.cold.4+0x5/0x13
> [256577.108853] ? fault_create_debugfs_attr+0x190/0x190
> [256577.109926] ? lock_downgrade+0x5d0/0x5d0
> [256577.110816] ? selinux_sk_alloc_security+0x72/0x190
> [256577.111878] ? selinux_sk_alloc_security+0x72/0x190
> [256577.112931] should_failslab+0xa/0x20
> [256577.113738] kmem_cache_alloc_trace+0x27a/0x350
> [256577.114733] selinux_sk_alloc_security+0x72/0x190
> [256577.115757] ? kmem_cache_alloc+0x2dc/0x310
> [256577.116674] security_sk_alloc+0x4f/0x90
> [256577.117543] sk_prot_alloc+0x82/0x250
> [256577.118362] sk_alloc+0x35/0xc80
> [256577.119100] inet6_create+0x26e/0xec0
> [256577.119924] __sock_create+0x277/0x550
> [256577.120804] sctp_do_peeloff+0x162/0x3b0 [sctp]
> [256577.121795] ? sched_clock+0x5/0x10
> [256577.122596] ? sctp_copy_sock+0xfa0/0xfa0 [sctp]
> [256577.123646] sctp_getsockopt_peeloff_common.isra.31+0x78/0x2c0 [sctp]
> [256577.125064] ? sctp_do_peeloff+0x3b0/0x3b0 [sctp]
> [256577.126129] sctp_getsockopt.part.32+0x2d76/0x4a90 [sctp]
>
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
> >
> > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679
> > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
> > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038
> > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c
> > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf
> > kasan: CONFIG_KASAN_INLINE enabled
> > kasan: GPF could be caused by NULL-ptr deref or user memory access
> > general protection fault: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 0 PID: 7680 Comm: syz-executor161 Not tainted 5.0.0+ #18
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498
> > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06
> > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
> > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06
> > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203
> > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
> > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f
> > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88
> > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff
> > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000
> > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0
> > Call Trace:
> > sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline]
> > sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129
> > sctp_queue_purge_ulpevents+0xc4/0x110 net/sctp/ulpevent.c:1146
> > sctp_close+0x148/0x860 net/sctp/socket.c:1515
> > inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428
> > inet6_release+0x53/0x80 net/ipv6/af_inet6.c:473
> > __sock_release+0x1fe/0x2b0 net/socket.c:579
> > sock_release+0x18/0x20 net/socket.c:599
> > sctp_do_peeloff+0x38a/0x470 net/sctp/socket.c:5649
> > sctp_getsockopt_peeloff_common.isra.0+0x8e/0x270 net/sctp/socket.c:5665
> > sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline]
> > sctp_getsockopt net/sctp/socket.c:7802 [inline]
> > sctp_getsockopt+0x1ec1/0x6741 net/sctp/socket.c:7758
> > sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079
> > __sys_getsockopt+0x168/0x250 net/socket.c:1960
> > __do_sys_getsockopt net/socket.c:1971 [inline]
> > __se_sys_getsockopt net/socket.c:1968 [inline]
> > __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968
> > do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
> > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x446679
> > Code: e8 6c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:00007f47f49ded88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679
> > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
> > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038
> > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c
> > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf
> > Modules linked in:
> > ---[ end trace dfa9a15945f164b7 ]---
> > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498
> > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06
> > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
> > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06
> > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203
> > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
> > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f
> > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88
> > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff
> > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000
> > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0
> >
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase
2019-03-12 13:52 general protection fault in sctp_assoc_rwnd_increase syzbot
2019-03-12 16:29 ` Xin Long
@ 2019-03-16 14:09 ` syzbot
2019-03-17 13:17 ` Xin Long
1 sibling, 1 reply; 6+ messages in thread
From: syzbot @ 2019-03-16 14:09 UTC (permalink / raw)
To: davem, dvyukov, linux-kernel, linux-sctp, lucien.xin,
marcelo.leitner, netdev, nhorman, syzkaller-bugs, vyasevich
syzbot has bisected this bug to:
commit 89664c623617b1d34447a927ac7871ddf3db29d3
Author: Xin Long <lucien.xin@gmail.com>
Date: Sun Mar 3 09:54:53 2019 +0000
sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b17777200000
start commit: 89664c62 sctp: sctp_sock_migrate() returns error if sctp_b..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=14717777200000
console output: https://syzkaller.appspot.com/x/log.txt?x=10717777200000
kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b
dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000
Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
Fixes: 89664c62 ("sctp: sctp_sock_migrate() returns error if
sctp_bind_addr_dup() fails")
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase
2019-03-16 14:09 ` syzbot
@ 2019-03-17 13:17 ` Xin Long
0 siblings, 0 replies; 6+ messages in thread
From: Xin Long @ 2019-03-17 13:17 UTC (permalink / raw)
To: syzbot
Cc: davem, Dmitry Vyukov, LKML, linux-sctp, Marcelo Ricardo Leitner,
network dev, Neil Horman, syzkaller-bugs, Vlad Yasevich
On Sat, Mar 16, 2019 at 10:09 PM syzbot
<syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com> wrote:
>
> syzbot has bisected this bug to:
>
> commit 89664c623617b1d34447a927ac7871ddf3db29d3
> Author: Xin Long <lucien.xin@gmail.com>
> Date: Sun Mar 3 09:54:53 2019 +0000
>
> sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b17777200000
> start commit: 89664c62 sctp: sctp_sock_migrate() returns error if sctp_b..
> git tree: upstream
> final crash: https://syzkaller.appspot.com/x/report.txt?x=14717777200000
> console output: https://syzkaller.appspot.com/x/log.txt?x=10717777200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b
> dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000
>
> Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
> Fixes: 89664c62 ("sctp: sctp_sock_migrate() returns error if
> sctp_bind_addr_dup() fails")
sctp_copy_descendant() coplied sctp_sock->pd_lobby. we should fix it with:
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 06c6f4a..e0857dd 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9175,7 +9175,7 @@ static inline void sctp_copy_descendant(struct
sock *sk_to,
{
int ancestor_size = sizeof(struct inet_sock) +
sizeof(struct sctp_sock) -
- offsetof(struct sctp_sock, auto_asconf_list);
+ offsetof(struct sctp_sock, pd_lobby);
if (sk_from->sk_family == PF_INET6)
ancestor_size += sizeof(struct ipv6_pinfo);
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: general protection fault in sctp_assoc_rwnd_increase
2019-03-12 17:26 ` Dmitry Vyukov
@ 2019-03-18 6:25 ` Xin Long
0 siblings, 0 replies; 6+ messages in thread
From: Xin Long @ 2019-03-18 6:25 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: syzbot, davem, LKML, linux-sctp, Marcelo Ricardo Leitner,
network dev, Neil Horman, syzkaller-bugs, Vlad Yasevich
On Wed, Mar 13, 2019 at 1:27 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Tue, Mar 12, 2019 at 5:30 PM Xin Long <lucien.xin@gmail.com> wrote:
> >
> > On Tue, Mar 12, 2019 at 9:52 PM syzbot
> > <syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: a089e4fe Merge tag 'linux-watchdog-5.1-rc1' of git://www.l..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=144e9ee7200000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > userspace arch: amd64
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000
> > Not sure why I got this Call Trace with the reproducer, and it's
> > different, is that expected?
>
> Hi Xin,
>
> This is no a crash. This is fault injection stack trace.
> Fault injection subsystem prints stack whenever it injects a fault so
> that it's possible o figure out what happened and where.
>
> You can see a fault injection stack trace in the "console output' for
> the crash too.
> But if seems that your stack trace is slightly different, and that
> most likely explains why you can't reproduce the bug.
> This seems to be a bug that it triggered by a very particular failing
> kmalloc. If on your kernel fault is injected into a different kmalloc,
> you won't reproduce the bug.
> For fault injection-triggered bugs you need precisely the same kernel.
> You can actually see this in action: for smack and apparmor-based
> kernels fault needs to be injected into 7-th and 8-th kmalloc in the
> syscall respectively:
>
> https://syzkaller.appspot.com/text?tag=ReproSyz&x=12613b13200000
> https://syzkaller.appspot.com/text?tag=ReproSyz&x=14425577200000
>
> Or you can play with the fault_nth parameter to target fault injection
> into the right place... Or of course just change the kernel code to
> fail that kmalloc explicitly.
I could be able to reproduce it with "-fault_nth=16" in my env.
Thanks Dmitry.
>
>
> > [256577.101170] FAULT_INJECTION: forcing a failure.
> > [256577.101170] name failslab, interval 1, probability 0, space 0, times 0
> > [256577.103628] CPU: 0 PID: 2453 Comm: syz-executor Not tainted
> > 5.0.0.test.syz #235
> > [256577.105201] Hardware name: Red Hat KVM, BIOS seabios-1.7.5-8.el7 04/01/2014
> > [256577.106680] Call Trace:
> > [256577.107248] dump_stack+0x7c/0xc0
> > [256577.107981] should_fail.cold.4+0x5/0x13
> > [256577.108853] ? fault_create_debugfs_attr+0x190/0x190
> > [256577.109926] ? lock_downgrade+0x5d0/0x5d0
> > [256577.110816] ? selinux_sk_alloc_security+0x72/0x190
> > [256577.111878] ? selinux_sk_alloc_security+0x72/0x190
> > [256577.112931] should_failslab+0xa/0x20
> > [256577.113738] kmem_cache_alloc_trace+0x27a/0x350
> > [256577.114733] selinux_sk_alloc_security+0x72/0x190
> > [256577.115757] ? kmem_cache_alloc+0x2dc/0x310
> > [256577.116674] security_sk_alloc+0x4f/0x90
> > [256577.117543] sk_prot_alloc+0x82/0x250
> > [256577.118362] sk_alloc+0x35/0xc80
> > [256577.119100] inet6_create+0x26e/0xec0
> > [256577.119924] __sock_create+0x277/0x550
> > [256577.120804] sctp_do_peeloff+0x162/0x3b0 [sctp]
> > [256577.121795] ? sched_clock+0x5/0x10
> > [256577.122596] ? sctp_copy_sock+0xfa0/0xfa0 [sctp]
> > [256577.123646] sctp_getsockopt_peeloff_common.isra.31+0x78/0x2c0 [sctp]
> > [256577.125064] ? sctp_do_peeloff+0x3b0/0x3b0 [sctp]
> > [256577.126129] sctp_getsockopt.part.32+0x2d76/0x4a90 [sctp]
> >
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
> > >
> > > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679
> > > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
> > > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038
> > > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c
> > > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf
> > > kasan: CONFIG_KASAN_INLINE enabled
> > > kasan: GPF could be caused by NULL-ptr deref or user memory access
> > > general protection fault: 0000 [#1] PREEMPT SMP KASAN
> > > CPU: 0 PID: 7680 Comm: syz-executor161 Not tainted 5.0.0+ #18
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498
> > > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06
> > > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
> > > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06
> > > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203
> > > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
> > > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f
> > > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88
> > > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff
> > > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000
> > > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0
> > > Call Trace:
> > > sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline]
> > > sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129
> > > sctp_queue_purge_ulpevents+0xc4/0x110 net/sctp/ulpevent.c:1146
> > > sctp_close+0x148/0x860 net/sctp/socket.c:1515
> > > inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428
> > > inet6_release+0x53/0x80 net/ipv6/af_inet6.c:473
> > > __sock_release+0x1fe/0x2b0 net/socket.c:579
> > > sock_release+0x18/0x20 net/socket.c:599
> > > sctp_do_peeloff+0x38a/0x470 net/sctp/socket.c:5649
> > > sctp_getsockopt_peeloff_common.isra.0+0x8e/0x270 net/sctp/socket.c:5665
> > > sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline]
> > > sctp_getsockopt net/sctp/socket.c:7802 [inline]
> > > sctp_getsockopt+0x1ec1/0x6741 net/sctp/socket.c:7758
> > > sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079
> > > __sys_getsockopt+0x168/0x250 net/socket.c:1960
> > > __do_sys_getsockopt net/socket.c:1971 [inline]
> > > __se_sys_getsockopt net/socket.c:1968 [inline]
> > > __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968
> > > do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
> > > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > RIP: 0033:0x446679
> > > Code: e8 6c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> > > RSP: 002b:00007f47f49ded88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446679
> > > RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
> > > RBP: 00000000006dbc30 R08: 0000000020000140 R09: 0000000000000038
> > > R10: 0000000020000040 R11: 0000000000000246 R12: 00000000006dbc3c
> > > R13: 00007f47f49ded90 R14: 0000000000000004 R15: 20c49ba5e353f7cf
> > > Modules linked in:
> > > ---[ end trace dfa9a15945f164b7 ]---
> > > RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x520 net/sctp/associola.c:1498
> > > Code: 41 54 49 89 fc 53 89 f3 48 83 ec 10 e8 95 90 f1 fa 49 8d bc 24 60 06
> > > 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
> > > c0 74 08 3c 03 0f 8e 2f 04 00 00 45 8b ac 24 60 06
> > > RSP: 0018:ffff88808da476f8 EFLAGS: 00010203
> > > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
> > > RDX: 00000000000000cb RSI: ffffffff867ecd5b RDI: 000000000000065f
> > > RBP: ffff88808da47730 R08: ffff88808c5d64c0 R09: ffff88808c5d6d88
> > > R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffff
> > > R13: 0000000000000000 R14: ffff88808c4d6f00 R15: 0000000000000000
> > > FS: 00007f47f49df700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000020000044 CR3: 0000000097508000 CR4: 00000000001406f0
> > >
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-03-18 6:25 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-12 13:52 general protection fault in sctp_assoc_rwnd_increase syzbot
2019-03-12 16:29 ` Xin Long
2019-03-12 17:26 ` Dmitry Vyukov
2019-03-18 6:25 ` Xin Long
2019-03-16 14:09 ` syzbot
2019-03-17 13:17 ` Xin Long
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).