Re: general protection fault in finish_wait

From: Eric Biggers
Date: Tue Feb 26 2019 - 19:55:49 EST


On Mon, Jul 09, 2018 at 04:49:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 6508b6781be0 tcp: cleanup copied_seq and urg_data in tcp_d..
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=1256e6dc400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
> dashboard link: https://syzkaller.appspot.com/bug?extid=3aac4a52d8e8ca0414d5
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1310fafc400000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10af4f48400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3aac4a52d8e8ca0414d5@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc3+ #4
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: events smc_tcp_listen_work
> RIP: 0010:__lock_acquire+0x245/0x5020 kernel/locking/lockdep.c:3314
> Code: 28 00 00 00 0f 85 03 34 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f
> 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85
> c6 35 00 00 49 81 7d 00 60 76 e7 89 0f 84 42 ff
> RSP: 0000:ffff8801d9b36d20 EFLAGS: 00010006
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffffffff88f1b060
> RBP: ffff8801d9b370a8 R08: 0000000000000001 R09: 0000000000000001
> R10: ffff8801d9b2a500 R11: 0000000000000001 R12: 0000000000000001
> R13: 0000000000000018 R14: ffff8801d9b2a500 R15: 0000000000000000
> FS: 0000000000000000(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020002cc0 CR3: 00000001ae03f000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
> finish_wait+0x119/0x430 kernel/sched/wait.c:364
> inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:418 [inline]
> inet_csk_accept+0x6d0/0xe70 net/ipv4/inet_connection_sock.c:451
> inet_accept+0x138/0x9f0 net/ipv4/af_inet.c:734
> kernel_accept+0x136/0x310 net/socket.c:3251
> smc_clcsock_accept net/smc/af_smc.c:701 [inline]
> smc_tcp_listen_work+0x222/0xef0 net/smc/af_smc.c:1114
> process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
> worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
> kthread+0x345/0x410 kernel/kthread.c:240
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
> Modules linked in:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> ---[ end trace 472b359041f047a6 ]---
> RIP: 0010:__lock_acquire+0x245/0x5020 kernel/locking/lockdep.c:3314
> Code: 28 00 00 00 0f 85 03 34 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f
> 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85
> c6 35 00 00 49 81 7d 00 60 76 e7 89 0f 84 42 ff
> RSP: 0000:ffff8801d9b36d20 EFLAGS: 00010006
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffffffff88f1b060
> RBP: ffff8801d9b370a8 R08: 0000000000000001 R09: 0000000000000001
> R10: ffff8801d9b2a500 R11: 0000000000000001 R12: 0000000000000001
> R13: 0000000000000018 R14: ffff8801d9b2a500 R15: 0000000000000000
> FS: 0000000000000000(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020002cc0 CR3: 00000001ae03f000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxxx
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000009276d205708f9910%40google.com.
> For more options, visit https://groups.google.com/d/optout.

This was fixed by:

commit 78abe3d0dfad196959b1246003366e2610775ea6 (refs/bisect/new)
Author: Myungho Jung <mhjungk@xxxxxxxxx>
Date: Tue Dec 18 09:02:25 2018 -0800

net/smc: fix TCP fallback socket release

#syz fix: net/smc: fix TCP fallback socket release

There are newer crashes with this same signature, e.g.
https://syzkaller.appspot.com/text?tag=CrashReport&x=16cb391f400000
but they are something different...

- Eric