Hello, the following program triggers a GPF (general protection fault) in netlink_dump:
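// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Crash reproducer: opens a NETLINK_GENERIC raw socket, sends one 22-byte
// netlink message with writev(), and exits.  The first two header bytes give
// nlmsg_len = 0x16 (22), which matches the payload length; the flag bytes
// (0x0719) include NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH = 0x300), which is why
// the kernel report below goes through __netlink_dump_start()/netlink_dump().
// Return value: 0 when both syscalls succeed, 1 (with perror output) if the
// socket cannot be created or the write fails, so a silently failing setup is
// not mistaken for "no crash".
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/uio.h>

int main(void)
{
	/* syzkaller scratch mapping; nothing in this reproducer references the
	 * mapped region, it is kept only for fidelity with the generated program. */
	syscall(__NR_mmap, 0x20000000ul, 0xd25000ul, 0x3ul, 0x32ul, -1, 0);

	/* socket(0x10 = AF_NETLINK, 0x3 = SOCK_RAW, 0x10 = NETLINK_GENERIC) */
	int fd = syscall(__NR_socket, 0x10ul, 0x3ul, 0x10ul);
	if (fd < 0) {
		perror("socket");
		return 1;
	}

	/* Raw message bytes, unchanged from the generated program:
	 * 16-byte nlmsghdr followed by what genetlink parses as its own header. */
	static const char msg[] =
		"\x16\x00\x00\x00\x23\x00\x19\x07\x00\x00\x00\x46"
		"\xf1\xff\xff\xe8\x03\x00\x04\xff\xff\x75";
	struct iovec iov = {
		.iov_base = (void *)msg,
		.iov_len = sizeof msg - 1,	/* 22 bytes; drop the literal's NUL */
	};
	if (syscall(__NR_writev, fd, &iov, 1) < 0) {
		perror("writev");
		return 1;
	}
	return 0;
}
/* Kernel report (verbatim, continued below):
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 0 PID: 6913 Comm: a.out Not tainted 4.9.0-rc7+ #76
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006716a840 task.stack: ffff880063a38000
RIP: 0010:[<ffffffff81567f65>] [<ffffffff81567f65>] __lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221
RSP: 0018:ffff880063a3e578 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 000000000000000c RSI: 0000000000000000 RDI: 1ffff1000c747d09
RBP: ffff880063a3eab0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000060 R11: 0000000000000000 R12: ffff88006716a840
R13: 0000000000000001 R14: ffffffff8baba1a0 R15: 0000000000000001
FS: 000000000082a880(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b20e0 CR3: 000000003dd5d000 CR4: 00000000000006f0
Stack:
 ffff88006716b060 ffff880063a3e5f0 ffff88006716b088 0000000041b58ab3
 ffffffff894ee650 ffffffff81562600 ffff88006716b058 ffff880063a3e930
 00000000894d005b 1ffff1000c747cbe 0000000100000000 ffffffff81557640
Call Trace:
 [<ffffffff8156b682>] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3746
 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521
 [<ffffffff88193a3f>] mutex_lock_nested+0x23f/0xf20 kernel/locking/mutex.c:621
 [<ffffffff86cb2228>] netlink_dump+0xd8/0xd70 net/netlink/af_netlink.c:2067
*/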
 [<ffffffff86cb6e8a>] __netlink_dump_start+0x4ea/0x760 net/netlink/af_netlink.c:2200
 [<ffffffff86cc12e7>] genl_family_rcv_msg+0xa77/0x1070 net/netlink/genetlink.c:597
 [<ffffffff86cc1a90>] genl_rcv_msg+0x1b0/0x260 net/netlink/genetlink.c:660
 [<ffffffff86cbf66c>] netlink_rcv_skb+0x2bc/0x3a0 net/netlink/af_netlink.c:2281
 [<ffffffff86cc085d>] genl_rcv+0x2d/0x40 net/netlink/genetlink.c:671
 [< inline >] netlink_unicast_kernel net/netlink/af_netlink.c:1214
 [<ffffffff86cbde8a>] netlink_unicast+0x51a/0x740 net/netlink/af_netlink.c:1240
 [<ffffffff86cbeb54>] netlink_sendmsg+0xaa4/0xe50 net/netlink/af_netlink.c:1786
 [< inline >] sock_sendmsg_nosec net/socket.c:621
 [<ffffffff86a7517f>] sock_sendmsg+0xcf/0x110 net/socket.c:631
 [<ffffffff86a754eb>] sock_write_iter+0x32b/0x620 net/socket.c:829
 [<ffffffff81a6ef33>] do_iter_readv_writev+0x363/0x670 fs/read_write.c:695
 [<ffffffff81a71981>] do_readv_writev+0x431/0x9b0 fs/read_write.c:872
 [<ffffffff81a724bc>] vfs_writev+0x8c/0xc0 fs/read_write.c:911
 [<ffffffff81a72605>] do_writev+0x115/0x2d0 fs/read_write.c:944
 [< inline >] SYSC_writev fs/read_write.c:1017
 [<ffffffff81a75dbc>] SyS_writev+0x2c/0x40 fs/read_write.c:1014
 [<ffffffff881a3d05>] entry_SYSCALL_64_fastpath+0x23/0xc6 arch/x86/entry/entry_64.S:209
Code: e9 03 f3 48 ab 48 81 c4 10 05 00 00 44 89 e8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 4c 89 d2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 00 26 00 00 49 81 3a c0 64 e2 8a 41 bf 00 00
RIP [<ffffffff81567f65>] __lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221
RSP <ffff880063a3e578>
---[ end trace 8d9cfd5e00f7ff0c ]---
==================================================================

On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1).