Re: general protection fault in mm_update_next_owner

From: Dmitry Vyukov
Date: Tue Jun 11 2019 - 03:04:50 EST

On Mon, Jun 10, 2019 at 11:27 PM Eric W. Biederman
<ebiederm@xxxxxxxxxxxx> wrote:
> syzbot <syzbot+f625baafb9a1c4bfc3f6@xxxxxxxxxxxxxxxxxxxxxxxxx> writes:
> > syzbot has bisected this bug to:
> >
> > commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
> > Author: John Fastabend <john.fastabend@xxxxxxxxx>
> > Date: Sat Jun 30 13:17:47 2018 +0000
> >
> > bpf: sockhash fix omitted bucket lock in sock_close
> >
> > bisection log:
> > start commit: 38e406f6 Merge git://
> > git tree: net
> > final crash:
> > console output:
> > kernel config:
> > dashboard link:
> > syz repro:
> >
> > Reported-by: syzbot+f625baafb9a1c4bfc3f6@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")
> >
> > For information about bisection process see:
> How is mm_update_next_owner connected to bpf?

There seems to be a nasty bug in bpf that causes assorted crashes
throughout the kernel for some time. I've seen a bunch of reproducers
that do something with bpf and then cause a random crash. The more
unpleasant ones are the bugs without reproducers, because for these we
don't have a way to link them back to the bpf bug but they are still
hanging there without good explanation, e.g. maybe a part of one-off
crashes in moderation:

Such bugs are nice to fix asap to not produce more and more random
crash reports.

Hillf, did you understand the mechanics of this bug and memory
corruption? A good question is why this was unnoticed by KASAN. If we
could make it catch it at the point of occurrence, then it would be a
single bug report clearly attributed to bpf rather then dozens of
assorted crashes.