* net/kcm: GPF in kcm_sendmsg
@ 2017-02-13 15:14 Dmitry Vyukov
From: Dmitry Vyukov @ 2017-02-13 15:14 UTC (permalink / raw)
  To: David Miller, Tom Herbert, Cong Wang, Alexei Starovoitov,
	Al Viro, Daniel Borkmann, Eric Dumazet, netdev, LKML
  Cc: syzkaller

Hello,

The following program triggers GPF in kcm_sendmsg:


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

int main()
{
  // AF_KCM (41) sequenced-packet socket; the descriptor is left unchecked
  // as generated (a failed socket() only makes sendmmsg() return EBADF).
  int sock = socket(41 /*AF_KCM*/, SOCK_SEQPACKET, 0);
  // All-zero mmsghdr: no iovecs, no control data, no flags, i.e. a
  // zero-length send with nothing to copy into the message.
  struct mmsghdr msg;
  memset(&msg, 0, sizeof(msg));
  sendmmsg(sock, &msg, 1, 0);
  return 0;
}


general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 2 PID: 2935 Comm: a.out Not tainted 4.10.0-rc8+ #218
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006b506440 task.stack: ffff8800662b8000
RIP: 0010:kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048
RSP: 0018:ffff8800662bf720 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff88006b506c38 RDI: 0000000000000040
RBP: ffff8800662bfa00 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: 7fffffffffffffff
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88006af12040
FS:  0000000001077880(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b2140 CR3: 00000000651b7000 CR4: 00000000001406e0
Call Trace:
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 ___sys_sendmsg+0x4a3/0x9f0 net/socket.c:1985
 __sys_sendmmsg+0x25c/0x750 net/socket.c:2075
 SYSC_sendmmsg net/socket.c:2106 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2101
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x436dc9
RSP: 002b:00007ffe84e1a938 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000401730 RCX: 0000000000436dc9
RDX: 0000000000000001 RSI: 00007ffe84e1a950 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000b R09: 0000000000000004
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004002b0
R13: 00007ffe84e1aa88 R14: 0000000000000002 R15: 0000000000000000
Code: 02 00 0f 85 d4 14 00 00 48 8b 85 c0 fd ff ff 48 8d 78 40 49 89
87 30 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
3c 02 00 0f 85 9d 14 00 00 48 8b 85 c0 fd ff ff 4c 89 70 40
RIP: kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048 RSP: ffff8800662bf720
---[ end trace 62093774c8609871 ]---


On commit 7089db84e356562f8ba737c29e472cc42d530dbc (4.10-rc8).


* Re: net/kcm: GPF in kcm_sendmsg
@ 2017-02-13 17:06 Cong Wang
From: Cong Wang @ 2017-02-13 17:06 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: David Miller, Tom Herbert, Alexei Starovoitov, Al Viro,
	Daniel Borkmann, Eric Dumazet, netdev, LKML, syzkaller

On Mon, Feb 13, 2017 at 7:14 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> Hello,
>
> The following program triggers GPF in kcm_sendmsg:
>
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #define _GNU_SOURCE
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <stddef.h>
> #include <string.h>
> #include <unistd.h>
>
> int main()
> {
>   int sock = socket(41 /*AF_KCM*/, SOCK_SEQPACKET, 0);
>   struct mmsghdr msg;
>   memset(&msg, 0, sizeof(msg));
>   sendmmsg(sock, &msg, 1, 0);
>   return 0;
> }
>
>
> general protection fault: 0000 [#1] SMP KASAN
> Modules linked in:
> CPU: 2 PID: 2935 Comm: a.out Not tainted 4.10.0-rc8+ #218
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff88006b506440 task.stack: ffff8800662b8000
> RIP: 0010:kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048

Hmm, head is NULL in kcm_tx_msg(head)->last_skb = skb;,
I missed the !eor case in the previous fix.


> RSP: 0018:ffff8800662bf720 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000008 RSI: ffff88006b506c38 RDI: 0000000000000040
> RBP: ffff8800662bfa00 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000006 R11: 0000000000000000 R12: 7fffffffffffffff
> R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88006af12040
> FS:  0000000001077880(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000004b2140 CR3: 00000000651b7000 CR4: 00000000001406e0
> Call Trace:
>  sock_sendmsg_nosec net/socket.c:635 [inline]
>  sock_sendmsg+0xca/0x110 net/socket.c:645
>  ___sys_sendmsg+0x4a3/0x9f0 net/socket.c:1985
>  __sys_sendmmsg+0x25c/0x750 net/socket.c:2075
>  SYSC_sendmmsg net/socket.c:2106 [inline]
>  SyS_sendmmsg+0x35/0x60 net/socket.c:2101
>  entry_SYSCALL_64_fastpath+0x1f/0xc2
> RIP: 0033:0x436dc9
> RSP: 002b:00007ffe84e1a938 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
> RAX: ffffffffffffffda RBX: 0000000000401730 RCX: 0000000000436dc9
> RDX: 0000000000000001 RSI: 00007ffe84e1a950 RDI: 0000000000000003
> RBP: 0000000000000000 R08: 000000000000000b R09: 0000000000000004
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004002b0
> R13: 00007ffe84e1aa88 R14: 0000000000000002 R15: 0000000000000000
> Code: 02 00 0f 85 d4 14 00 00 48 8b 85 c0 fd ff ff 48 8d 78 40 49 89
> 87 30 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
> 3c 02 00 0f 85 9d 14 00 00 48 8b 85 c0 fd ff ff 4c 89 70 40
> RIP: kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048 RSP: ffff8800662bf720
> ---[ end trace 62093774c8609871 ]---
>
>
> On commit 7089db84e356562f8ba737c29e472cc42d530dbc (4.10-rc8).

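To make the failure shape concrete, here is an added model, constructed for this page: it is not kernel code and not the fix that was applied. It models the message-assembly loop the reply points at: per-message bookkeeping lives in the head fragment, a zero-length send (the reproducer's all-zero mmsghdr) never creates one, so head is still NULL when tx_msg(head)->last_skb = skb runs. The model places one NULL-head check ahead of both the eor and the !eor branch, since the reply notes the earlier fix covered only one of them. The struct and function names (frag, tx_msg, model_sendmsg, send_result) are this example's own.

```c
/* Constructed model, not kernel code: fragments are chained and the
 * per-message bookkeeping ("cb") lives in the HEAD fragment, so every
 * tx_msg(head)->... write assumes at least one fragment was created. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct frag;

struct tx_msg {
    struct frag *last_skb;   /* tail of the chain, like kcm_tx_msg(head)->last_skb */
    size_t total;            /* bytes accumulated in the message */
};

struct frag {
    struct frag *next;
    size_t len;
    struct tx_msg cb;        /* only meaningful on the head fragment */
};

/* Mirrors the shape of the kcm_tx_msg(head) accessor: dereferences head unconditionally. */
static struct tx_msg *tx_msg(struct frag *head)
{
    return &head->cb;
}

struct send_result {
    struct frag *head;           /* NULL when nothing was queued */
    size_t nfrags;
    int null_head_guarded;       /* 1: the zero-fragment path hit the guard */
};

static void free_chain(struct frag *f)
{
    while (f) {
        struct frag *next = f->next;
        free(f);
        f = next;
    }
}

/* lens[i]: bytes in iovec i; n: iovec count; eor: end of record (no MSG_MORE). */
struct send_result model_sendmsg(const size_t *lens, size_t n, int eor)
{
    struct send_result r = {NULL, 0, 0};
    struct frag *head = NULL, *skb = NULL;
    size_t total = 0;

    for (size_t i = 0; i < n; i++) {
        struct frag *f = calloc(1, sizeof *f);
        if (!f) {                    /* allocation failure: drop the partial chain */
            free_chain(head);
            r.nfrags = 0;
            return r;
        }
        f->len = lens[i];
        total += lens[i];
        if (!head)
            head = f;
        else
            skb->next = f;
        skb = f;
        r.nfrags++;
    }

    /* Zero iovecs never enter the loop, so head is still NULL here. The guard
     * sits ahead of BOTH branches below; guarding only the eor branch would
     * leave the !eor path writing through a NULL head. */
    if (!head) {
        r.null_head_guarded = 1;
        return r;
    }

    tx_msg(head)->last_skb = skb;    /* safe only because head != NULL here */
    tx_msg(head)->total = total;
    if (eor) {
        /* a real implementation would queue head for transmission */
    } else {
        /* a real implementation would park head as a partial message */
    }
    r.head = head;
    return r;
}

/* Reproducer scenario: zero iovecs, with and without end-of-record. */
int zero_length_send_is_safe(int eor)
{
    struct send_result r = model_sendmsg(NULL, 0, eor);
    return r.head == NULL && r.nfrags == 0 && r.null_head_guarded;
}

/* Sanity check: a three-fragment message has last_skb on the third fragment. */
int three_fragment_chain_is_consistent(void)
{
    const size_t lens[3] = {4, 8, 2};
    struct send_result r = model_sendmsg(lens, 3, 1);
    struct frag *third = NULL;
    int ok;

    if (r.head && r.head->next)
        third = r.head->next->next;
    ok = r.nfrags == 3 && third && third->next == NULL &&
         tx_msg(r.head)->last_skb == third &&
         tx_msg(r.head)->total == 14;
    free_chain(r.head);
    return ok;
}

int main(void)
{
    printf("zero-length, eor=1: %s\n", zero_length_send_is_safe(1) ? "guarded" : "FAULT");
    printf("zero-length, eor=0: %s\n", zero_length_send_is_safe(0) ? "guarded" : "FAULT");
    printf("three fragments: %s\n", three_fragment_chain_is_consistent() ? "ok" : "broken");
    return 0;
}
```

The point of the model is the placement of the check: any write through tx_msg(head) after the copy loop is only valid once the loop has run at least once, so the NULL-head test has to precede every such write, on both the end-of-record and the partial-message path.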
