KASAN: use-after-free Read in __llc_lookup_established

2018-10-10 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:3d647e62686f Merge tag 's390-4.19-4' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1707d80940
kernel config:  https://syzkaller.appspot.com/x/.config?x=88e9a8a39dc0be2d
dashboard link: https://syzkaller.appspot.com/bug?extid=11e05f04c15e03be5254
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+11e05f04c15e03be5...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in llc_estab_match net/llc/llc_conn.c:494 [inline]
BUG: KASAN: use-after-free in __llc_lookup_established+0xc80/0xe10 net/llc/llc_conn.c:522

Read of size 1 at addr 8801c5794a7f by task syz-executor3/10277

CPU: 0 PID: 10277 Comm: syz-executor3 Not tainted 4.19.0-rc7+ #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
net_ratelimit: 9 callbacks suppressed
openvswitch: netlink: Key type 12288 is out of range max 29
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 llc_estab_match net/llc/llc_conn.c:494 [inline]
 __llc_lookup_established+0xc80/0xe10 net/llc/llc_conn.c:522
openvswitch: netlink: Key type 12288 is out of range max 29
 llc_lookup_established+0x36/0x60 net/llc/llc_conn.c:554
 llc_ui_bind+0x810/0xdd0 net/llc/af_llc.c:381
 __sys_bind+0x331/0x440 net/socket.c:1483
 __do_sys_bind net/socket.c:1494 [inline]
 __se_sys_bind net/socket.c:1492 [inline]
 __x64_sys_bind+0x73/0xb0 net/socket.c:1492
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457579
Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7f2a18100c78 EFLAGS: 0246 ORIG_RAX: 0031
RAX: ffda RBX: 0003 RCX: 00457579
RDX: 0010 RSI: 2040 RDI: 0006
RBP: 0072bf00 R08:  R09: 
R10:  R11: 0246 R12: 7f2a181016d4
R13: 004bd718 R14: 004cbfe0 R15: 

Allocated by task 10278:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 sk_prot_alloc+0x1b0/0x2e0 net/core/sock.c:1468
 sk_alloc+0x10d/0x1690 net/core/sock.c:1522
 llc_sk_alloc+0x35/0x4b0 net/llc/llc_conn.c:949
 llc_ui_create+0x142/0x520 net/llc/af_llc.c:173
 __sock_create+0x536/0x930 net/socket.c:1277
 sock_create net/socket.c:1317 [inline]
 __sys_socket+0x106/0x260 net/socket.c:1347
 __do_sys_socket net/socket.c:1356 [inline]
 __se_sys_socket net/socket.c:1354 [inline]
 __x64_sys_socket+0x73/0xb0 net/socket.c:1354
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10276:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3813
 sk_prot_free net/core/sock.c:1505 [inline]
 __sk_destruct+0x797/0xa80 net/core/sock.c:1587
 sk_destruct+0x78/0x90 net/core/sock.c:1595
 __sk_free+0xcf/0x300 net/core/sock.c:1606
 sk_free+0x42/0x50 net/core/sock.c:1617
 sock_put include/net/sock.h:1691 [inline]
 llc_sk_free+0x9d/0xb0 net/llc/llc_conn.c:1017
 llc_ui_release+0x161/0x2a0 net/llc/af_llc.c:218
 __sock_release+0xd7/0x250 net/socket.c:579
 sock_close+0x19/0x20 net/socket.c:1141
 __fput+0x385/0xa30 fs/file_table.c:278
 fput+0x15/0x20 fs/file_table.c:309
 task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801c5794600
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1151 bytes inside of
 2048-byte region [8801c5794600, 8801c5794e00)
The buggy address belongs to th

general protection fault in do_raw_spin_unlock

2018-07-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:1d4eb636f0ab Add linux-next specific files for 20180716
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1186bf0c40
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea5926dddb0db97a
dashboard link: https://syzkaller.appspot.com/bug?extid=83a25334ef203851dc81
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=179ed0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+83a25334ef203851d...@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 4.18.0-rc5-next-20180716+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: events p9_poll_workfn
RIP: 0010:debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline]
RIP: 0010:do_raw_spin_unlock+0x65/0x2f0 kernel/locking/spinlock_debug.c:134
Code: 0a bd 88 48 c7 85 78 ff ff ff b3 8a b5 41 48 c7 45 88 d0 3c 60 81 c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9

RSP: 0018:8801d945f288 EFLAGS: 00010047
RAX: dc00 RBX:  RCX: 8770a045
RDX:  RSI: 0001 RDI: 0004
RBP: 8801d945f310 R08: 11003b28be45 R09: ed0035e7bd88
R10: ed0035e7bd88 R11: 8801af3dec43 R12: 
R13: 11003b28be51 R14: 8801d945f2e8 R15: 8801c5811d50
FS:  () GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0072c029 CR3: 0001b19fd000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:159 [inline]
 _raw_spin_unlock_irqrestore+0x27/0xc0 kernel/locking/spinlock.c:184
 spin_unlock_irqrestore include/linux/spinlock.h:384 [inline]
 p9_conn_cancel+0x9b6/0xd30 net/9p/trans_fd.c:208
 p9_poll_mux net/9p/trans_fd.c:620 [inline]
 p9_poll_workfn+0x4b2/0x6d0 net/9p/trans_fd.c:1107
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 4d86351f63a12683 ]---
RIP: 0010:debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline]
RIP: 0010:do_raw_spin_unlock+0x65/0x2f0 kernel/locking/spinlock_debug.c:134
Code: 0a bd 88 48 c7 85 78 ff ff ff b3 8a b5 41 48 c7 45 88 d0 3c 60 81 c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9

RSP: 0018:8801d945f288 EFLAGS: 00010047
RAX: dc00 RBX:  RCX: 8770a045
RDX:  RSI: 0001 RDI: 0004
RBP: 8801d945f310 R08: 11003b28be45 R09: ed0035e7bd88
R10: ed0035e7bd88 R11: 8801af3dec43 R12: 
R13: 11003b28be51 R14: 8801d945f2e8 R15: 8801c5811d50
FS:  () GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0072c029 CR3: 0001b19fd000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: BUG: MAX_LOCK_DEPTH too low! (2)

2018-07-12 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:6e6fddc78323 bpf: fix panic due to oob in bpf_prog_test_ru..
git tree:   bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=1364db9440
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
dashboard link: https://syzkaller.appspot.com/bug?extid=802a5abb8abae86eb6de
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1157279440
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16aff56840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+802a5abb8abae86eb...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
BUG: MAX_LOCK_DEPTH too low!
turning off the locking correctness validator.
depth: 48  max: 48!
48 locks held by syz-executor169/4820:
 #0: (ptrval) (rcu_read_lock_bh){}, at: __dev_queue_xmit+0x328/0x3910 net/core/dev.c:3503
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:320 [inline]
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:124 [inline]
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:117 [inline]
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3229 [inline]
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: __dev_queue_xmit+0x13a3/0x3910 net/core/dev.c:3537
 #2: (ptrval) (dev->qdisc_running_key ?: _running_key){+...}, at: dev_queue_xmit+0x17/0x20 net/core/dev.c:3602
 #3: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #3: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #4: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #4: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #5: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #5: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #6: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #6: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #7: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #7: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #8: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #8: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #9: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #9: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #10: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #10: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #11: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #11: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #12: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #12: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #13: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #13: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #14: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #14: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #15: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #15: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #16: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #16: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #17: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #17: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #18: (

KASAN: slab-out-of-bounds Read in rds_cong_queue_updates (2)

2018-07-11 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:0026129c8629 rhashtable: add restart routine in rhashtable..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=10b7ced040
kernel config:  https://syzkaller.appspot.com/x/.config?x=b88de6eac8694da6
dashboard link: https://syzkaller.appspot.com/bug?extid=0570fef57a5e020bdc87
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0570fef57a5e020bd...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: slab-out-of-bounds in refcount_read include/linux/refcount.h:42 [inline]
BUG: KASAN: slab-out-of-bounds in check_net include/net/net_namespace.h:237 [inline]
BUG: KASAN: slab-out-of-bounds in rds_destroy_pending net/rds/rds.h:902 [inline]
BUG: KASAN: slab-out-of-bounds in rds_cong_queue_updates+0x25d/0x5b0 net/rds/cong.c:226

Read of size 4 at addr 88019f8ec204 by task syz-executor1/27023

CPU: 0 PID: 27023 Comm: syz-executor1 Not tainted 4.18.0-rc3+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_read include/linux/refcount.h:42 [inline]
 check_net include/net/net_namespace.h:237 [inline]
 rds_destroy_pending net/rds/rds.h:902 [inline]
 rds_cong_queue_updates+0x25d/0x5b0 net/rds/cong.c:226
 rds_recv_rcvbuf_delta.part.3+0x332/0x3e0 net/rds/recv.c:123
 rds_recv_rcvbuf_delta net/rds/recv.c:382 [inline]
 rds_recv_incoming+0x85a/0x1320 net/rds/recv.c:382
netlink: 'syz-executor2': attribute type 18 has an invalid length.
 rds_loop_xmit+0x16a/0x340 net/rds/loop.c:95
 rds_send_xmit+0x1343/0x29c0 net/rds/send.c:355
netlink: 180 bytes leftover after parsing attributes in process `syz-executor5'.
 rds_sendmsg+0x229e/0x2a40 net/rds/send.c:1243
netlink: 180 bytes leftover after parsing attributes in process `syz-executor5'.
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:651
 __sys_sendto+0x3d7/0x670 net/socket.c:1797
 __do_sys_sendto net/socket.c:1809 [inline]
 __se_sys_sendto net/socket.c:1805 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1805
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455e29
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7fd164b21c68 EFLAGS: 0246 ORIG_RAX: 002c
RAX: ffda RBX: 7fd164b226d4 RCX: 00455e29
RDX: 0481 RSI: 2000 RDI: 0013
RBP: 0072bea0 R08: 2069affb R09: 0010
R10:  R11: 0246 R12: 
R13: 004c14f2 R14: 004d1a08 R15: 

Allocated by task 26052:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 getname_flags+0xd0/0x5a0 fs/namei.c:140
 getname+0x19/0x20 fs/namei.c:211
 do_sys_open+0x3a2/0x760 fs/open.c:1095
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1114
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 26052:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
 putname+0xf2/0x130 fs/namei.c:261
 do_sys_open+0x569/0x760 fs/open.c:1110
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1114
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 88019f8ec280
 which belongs to the cache names_cache of size 4096
The buggy address is located 124 bytes to the left of
 4096-byte region [88019f8ec280, 88019f8ed280)
The

KASAN: use-after-free Read in p9_fd_poll

2018-07-11 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:30c2c32d7f70 Merge tag 'drm-fixes-2018-07-10' of git://ano..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1662c5b240
kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=0442e6e2f7e1e33b1037
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0442e6e2f7e1e33b1...@syzkaller.appspotmail.com

9pnet: p9_errstr2errno: server reported unknown error etz0e&��?�d$5ܱI3�
QAT: Invalid ioctl
==
BUG: KASAN: use-after-free in p9_fd_poll+0x280/0x2b0 net/9p/trans_fd.c:238
Read of size 8 at addr 8801c647ec80 by task kworker/1:3/5005

CPU: 1 PID: 5005 Comm: kworker/1:3 Not tainted 4.18.0-rc4+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: events p9_poll_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 p9_fd_poll+0x280/0x2b0 net/9p/trans_fd.c:238
 p9_poll_mux net/9p/trans_fd.c:617 [inline]
 p9_poll_workfn+0x463/0x6d0 net/9p/trans_fd.c:1107
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 29121:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 p9_fd_open net/9p/trans_fd.c:796 [inline]
 p9_fd_create+0x1a7/0x3f0 net/9p/trans_fd.c:1036
 p9_client_create+0x915/0x16c9 net/9p/client.c:1062
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 29121:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 p9_fd_close+0x416/0x5b0 net/9p/trans_fd.c:893
 p9_client_create+0xac2/0x16c9 net/9p/client.c:1076
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801c647ec80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [8801c647ec80, 8801c647ee80)
The buggy address belongs to the page:
page:ea0007191f80 count:1 mapcount:0 mapping:8801da800940 index:0x0
flags: 0x2fffc000100(slab)
raw: 02fffc000100 ea0006a8cc48 ea00074be548 8801da800940
raw:  8801c647e000 00010006 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801c647eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8801c647ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>8801c647ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
               ^
 8801c647ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 8801c647ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==


KASAN: slab-out-of-bounds Read in pdu_read

2018-07-08 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:ca04b3cca11a Merge tag 'armsoc-fixes' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1609e96840
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
dashboard link: https://syzkaller.appspot.com/bug?extid=65c6b72f284a39d416b4
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1704f6d040
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17188a7840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+65c6b72f284a39d41...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0 net/9p/protocol.c:59
Read of size 62219 at addr 8801c9e904ed by task syz-executor251/4548

CPU: 0 PID: 4548 Comm: syz-executor251 Not tainted 4.18.0-rc3+ #137
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:345 [inline]
 pdu_read+0x90/0xd0 net/9p/protocol.c:59
 p9pdu_vreadf net/9p/protocol.c:162 [inline]
 p9pdu_readf+0x579/0x2170 net/9p/protocol.c:536
 p9_client_version net/9p/client.c:986 [inline]
 p9_client_create+0xde0/0x16c9 net/9p/client.c:1069
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440319
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7ffdfd76d4e8 EFLAGS: 0206 ORIG_RAX: 00a5
RAX: ffda RBX: 0030656c69662f2e RCX: 00440319
RDX: 2140 RSI: 2100 RDI: 
RBP: 69736f7030707070 R08: 2280 R09: 0001
R10: 0001 R11: 0206 R12: 4c50473070707028
R13: 64663d736e617274 R14:  R15: 

Allocated by task 4548:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 p9_fcall_alloc+0x1e/0x90 net/9p/client.c:236
 p9_tag_alloc net/9p/client.c:306 [inline]
 p9_client_prepare_req.part.8+0x754/0xcd0 net/9p/client.c:722
 p9_client_prepare_req net/9p/client.c:757 [inline]
 p9_client_rpc+0x1bd/0x1400 net/9p/client.c:757
 p9_client_version net/9p/client.c:976 [inline]
 p9_client_create+0xd09/0x16c9 net/9p/client.c:1069
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at 8801c9e904c0
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 45 bytes inside of
 16384-byte region [8801c9e904c0, 8801c9e944c0)
The buggy address belongs to the page:
page:ea000727a400 count:1 mapcount:0 mapping:8801da802200 index:0x0 compound_mapcount: 0
flags: 0x2fffc008100(slab|hea

KASAN: use-after-free Read in __queue_work (2)

2018-07-08 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:ca04b3cca11a Merge tag 'armsoc-fixes' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1066e6dc40
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
dashboard link: https://syzkaller.appspot.com/bug?extid=1c9db6a163a4000d0765
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1473a45240
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1408774840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1c9db6a163a4000d0...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:328 [inline]
BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40 kernel/workqueue.c:442

Read of size 8 at addr 8801d7a7fda0 by task kworker/0:2/27

CPU: 0 PID: 27 Comm: kworker/0:2 Not tainted 4.18.0-rc3+ #137
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: events p9_poll_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 constant_test_bit arch/x86/include/asm/bitops.h:328 [inline]
 work_is_static_object+0x39/0x40 kernel/workqueue.c:442
 debug_object_activate+0x2fc/0x690 lib/debugobjects.c:508
 debug_work_activate kernel/workqueue.c:491 [inline]
 __queue_work+0x1ca/0x1410 kernel/workqueue.c:1380
 queue_work_on+0x19a/0x1e0 kernel/workqueue.c:1486
 queue_work include/linux/workqueue.h:512 [inline]
 schedule_work include/linux/workqueue.h:570 [inline]
 p9_poll_mux net/9p/trans_fd.c:628 [inline]
 p9_poll_workfn+0x55e/0x6d0 net/9p/trans_fd.c:1107
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 4537:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 p9_fd_open net/9p/trans_fd.c:796 [inline]
 p9_fd_create+0x1a7/0x3f0 net/9p/trans_fd.c:1036
 p9_client_create+0x915/0x16c9 net/9p/client.c:1062
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4537:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 p9_fd_close+0x416/0x5b0 net/9p/trans_fd.c:893
 p9_client_create+0xac2/0x16c9 net/9p/client.c:1076
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801d7a7fc80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 288 bytes inside of
 512-byte region [8801d7a7fc80, 8801d7a7fe80)
The buggy address belongs to the page:
page:ea00075e9fc0 count:1 mapcount:0 mapping:8801da800940 index:0x0
flags: 0x2fffc000100(slab)
raw: 02fffc000100 ea0007616688 ea00075d9a88 8801da800940
raw:  8801d7a7f000 00010006 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801d7a7fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 8801d7a7fd00: fb fb fb fb fb fb fb fb fb fb

Re: KASAN: use-after-free Read in tls_write_space

2018-07-08 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:c47078d6a33f tcp: remove redundant SOCK_DONE checks
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=120012c240
kernel config:  https://syzkaller.appspot.com/x/.config?x=a501a01deaf0fe9
dashboard link: https://syzkaller.appspot.com/bug?extid=2134b6b74dec9f8c760f
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1695059440
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11d180c840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2134b6b74dec9f8c7...@syzkaller.appspotmail.com

TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.

==
BUG: KASAN: use-after-free in tls_write_space+0x2c2/0x360 net/tls/tls_main.c:225

Read of size 1 at addr 8801aebdd420 by task ksoftirqd/1/18

CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.18.0-rc3+ #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 tls_write_space+0x2c2/0x360 net/tls/tls_main.c:225
 tcp_new_space net/ipv4/tcp_input.c:5081 [inline]
 tcp_check_space+0x551/0x930 net/ipv4/tcp_input.c:5092
 tcp_data_snd_check net/ipv4/tcp_input.c:5102 [inline]
 tcp_rcv_established+0x8db/0x2180 net/ipv4/tcp_input.c:5581
 tcp_v6_do_rcv+0x4b2/0x1450 net/ipv6/tcp_ipv6.c:1325
 tcp_v6_rcv+0x342a/0x3a70 net/ipv6/tcp_ipv6.c:1554
 ip6_input_finish+0x407/0x1a40 net/ipv6/ip6_input.c:383
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:426
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ipv6_rcv+0x11e/0x650 net/ipv6/ip6_input.c:271
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4767
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4872
 process_backlog+0x219/0x760 net/core/dev.c:5663
 napi_poll net/core/dev.c:6078 [inline]
 net_rx_action+0x7a5/0x1950 net/core/dev.c:6144
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:288
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:649
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 8159:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 create_ctx net/tls/tls_main.c:535 [inline]
 tls_init+0x1e7/0xb20 net/tls/tls_main.c:659
 tcp_set_ulp+0x1bc/0x520 net/ipv4/tcp_ulp.c:153
 do_tcp_setsockopt.isra.41+0x44a/0x2680 net/ipv4/tcp.c:2748
 tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:3059
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3083
 __sys_setsockopt+0x1c5/0x3b0 net/socket.c:1911
 __do_sys_setsockopt net/socket.c:1922 [inline]
 __se_sys_setsockopt net/socket.c:1919 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1919
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8159:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 tls_sk_proto_close+0x712/0xae0 net/tls/tls_main.c:297
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 __sock_release+0xd7/0x260 net/socket.c:599
 sock_close+0x19/0x20 net/socket.c:1150
 __fput+0x355/0x8b0 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1ec/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:192 [inline]
 exit_to_usermode_loop+0x313/0x370 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801aebdd340
 which belongs

KMSAN: uninit-value in ebt_stp_mt_check (2)

2018-06-07 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:c6a6aed994b6 kmsan: remove dead code to trigger syzbot build
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=17bde74f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
dashboard link: https://syzkaller.appspot.com/bug?extid=da4494182233c23a5fcf
compiler:   clang version 7.0.0 (trunk 334104)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da4494182233c23a5...@syzkaller.appspotmail.com

==
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162

CPU: 0 PID: 12006 Comm: syz-executor7 Not tainted 4.17.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:620
 ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
 xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
 ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
 ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
 translate_table+0x4e88/0x6120 net/bridge/netfilter/ebtables.c:943
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:999
 do_replace+0x719/0x780 net/bridge/netfilter/ebtables.c:1138
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1517
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x47c/0x4e0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1251
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2416
 sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3039
 __sys_setsockopt+0x496/0x540 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4559f9
RSP: 002b:7f45b9246c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f45b92476d4 RCX: 004559f9
RDX: 0080 RSI:  RDI: 0014
RBP: 0072bea0 R08: 0300 R09: 
R10: 2480 R11: 0246 R12: 
R13: 004c0d6d R14: 004d07c8 R15: 

Local variable description: mtpar.i@translate_table
Variable was created at:
 translate_table+0xbb/0x6120 net/bridge/netfilter/ebtables.c:831
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:999
==


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.


BUG: unable to handle kernel (3)

2018-05-28 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:861d9dd37526 Merge tag 'kbuild-fixes-v4.17-2' of git://git..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bffd0f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=adfeaaee641dd4fdac43
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1156a92f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+adfeaaee641dd4fda...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
BUG: unable to handle kernel
IPVS: ftp: loaded support on port[0] = 21
paging request at c90001f30003
PGD 1da946067 P4D 1da946067 PUD 1da947067 PMD 1afa9e067 PTE 8001b7d3e163
Oops:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 8 Comm: ksoftirqd/0 Not tainted 4.17.0-rc6+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:ebt_do_table+0x1983/0x2140 net/bridge/netfilter/ebtables.c:283
RSP: 0018:8801d9aaeb68 EFLAGS: 00010246
RAX: c90001f30003 RBX: c90001f30003 RCX: c90001f24000
RDX:  RSI: 86a8513c RDI: 
RBP: 8801d9aaed38 R08: 8801d9a9c200 R09: ed003b5c46d2
R10: ed003b5c46d2 R11: 8801dae23693 R12: c90001f24000
R13: c90001f201a0 R14: c90001f200d0 R15: dc00
FS:  () GS:8801dae0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: c90001f30003 CR3: 0001ad782000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 ebt_broute+0x1f8/0x320 net/bridge/netfilter/ebtable_broute.c:60
 br_handle_frame+0x6b6/0x19f0 net/bridge/br_input.c:291
 __netif_receive_skb_core+0xc6e/0x3630 net/core/dev.c:4546
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
 process_backlog+0x219/0x760 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:646
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Code: 6c 24 08 48 89 d8 48 89 9d d0 fe ff ff 48 c1 e8 03 42 0f b6 04 38 84 c0 74 08 3c 03 0f 8e 3b 06 00 00 48 8b 85 d0 fe ff ff 31 ff <8b> 18 89 de e8 54 f1 d0 fa 85 db 0f 85 a0 02 00 00 e8 37 f0 d0
RIP: ebt_do_table+0x1983/0x2140 net/bridge/netfilter/ebtables.c:283 RSP: 8801d9aaeb68

CR2: c90001f30003
---[ end trace d121cd1897af50a4 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


possible deadlock in sock_hash_free

2018-05-28 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:7a1a98c171ea Merge branch 'bpf-sendmsg-hook'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=131f406780
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
dashboard link: https://syzkaller.appspot.com/bug?extid=83bdee62c80cc044cb1a
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=17a0be2f80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=164cf10f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+83bdee62c80cc044c...@syzkaller.appspotmail.com


==
WARNING: possible circular locking dependency detected
4.17.0-rc6+ #25 Not tainted
--
kworker/1:0/18 is trying to acquire lock:
ef3a7ff3 (clock-AF_INET6){++..}, at: sock_hash_free+0x377/0x700 kernel/bpf/sockmap.c:2089


but task is already holding lock:
989798b8 (>buckets[i].lock){+...}, at: sock_hash_free+0x1d4/0x700 kernel/bpf/sockmap.c:2083


which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (>buckets[i].lock){+...}:
   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
   _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
   bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
   inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
   inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
   sock_release+0x96/0x1b0 net/socket.c:594
   sock_close+0x16/0x20 net/socket.c:1149
   __fput+0x34d/0x890 fs/file_table.c:209
   fput+0x15/0x20 fs/file_table.c:243
   task_work_run+0x1e4/0x290 kernel/task_work.c:113
   exit_task_work include/linux/task_work.h:22 [inline]
   do_exit+0x1aee/0x2730 kernel/exit.c:865
   do_group_exit+0x16f/0x430 kernel/exit.c:968
   __do_sys_exit_group kernel/exit.c:979 [inline]
   __se_sys_exit_group kernel/exit.c:977 [inline]
   __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
   do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (clock-AF_INET6){++..}:
   lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
   __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
   _raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:312
   sock_hash_free+0x377/0x700 kernel/bpf/sockmap.c:2089
   bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:261
   process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
   worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
   kthread+0x345/0x410 kernel/kthread.c:240
   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(>buckets[i].lock);
                               lock(clock-AF_INET6);
                               lock(>buckets[i].lock);
  lock(clock-AF_INET6);

 *** DEADLOCK ***

4 locks held by kworker/1:0/18:
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 41d1b332 ((work_completion)(>work)){+.+.}, at: process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: da1a504c (rcu_read_lock){}, at: sock_hash_free+0x0/0x700 include/net/sock.h:2178
 #3: 989798b8 (>buckets[i].lock){+...}, at: sock_hash_free+0x1d4/0x700 kernel/bpf/sockmap.c:2083


stack backtrace:
CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.17.0-rc6+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: events bpf_map_free_deferred
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_circular_bug.isra.36.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inlin

Re: possible deadlock in bpf_tcp_close

2018-05-28 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:7a1a98c171ea Merge branch 'bpf-sendmsg-hook'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=149ae2b780
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
dashboard link: https://syzkaller.appspot.com/bug?extid=47ed903f50684f046b15
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1553b17b80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1460be2f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+47ed903f50684f046...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)

==
WARNING: possible circular locking dependency detected
4.17.0-rc6+ #25 Not tainted
--
syz-executor800/4527 is trying to acquire lock:
(ptrval) (>buckets[i].lock){+...}, at: bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285


but task is already holding lock:
(ptrval) (clock-AF_INET6){++..}, at: bpf_tcp_close+0x241/0x10b0 kernel/bpf/sockmap.c:260


which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (clock-AF_INET6){++..}:
   __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
   _raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:312
   sock_hash_delete_elem+0x7c6/0xaf0 kernel/bpf/sockmap.c:2338
   map_delete_elem+0x32e/0x4e0 kernel/bpf/syscall.c:815
   __do_sys_bpf kernel/bpf/syscall.c:2349 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:2317 [inline]
   __x64_sys_bpf+0x342/0x510 kernel/bpf/syscall.c:2317
   do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (>buckets[i].lock){+...}:
   lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
   _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
   bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
   inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
   inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
   sock_release+0x96/0x1b0 net/socket.c:594
   sock_close+0x16/0x20 net/socket.c:1149
   __fput+0x34d/0x890 fs/file_table.c:209
   fput+0x15/0x20 fs/file_table.c:243
   task_work_run+0x1e4/0x290 kernel/task_work.c:113
   exit_task_work include/linux/task_work.h:22 [inline]
   do_exit+0x1aee/0x2730 kernel/exit.c:865
   do_group_exit+0x16f/0x430 kernel/exit.c:968
   get_signal+0x886/0x1960 kernel/signal.c:2482
   do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
   exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
   prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
   syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
   do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(clock-AF_INET6);
                               lock(>buckets[i].lock);
                               lock(clock-AF_INET6);
  lock(>buckets[i].lock);

 *** DEADLOCK ***

2 locks held by syz-executor800/4527:
 #0: (ptrval) (rcu_read_lock){}, at: bpf_tcp_close+0x0/0x10b0 kernel/bpf/sockmap.c:2106
 #1: (ptrval) (clock-AF_INET6){++..}, at: bpf_tcp_close+0x241/0x10b0 kernel/bpf/sockmap.c:260


stack backtrace:
CPU: 0 PID: 4527 Comm: syz-executor800 Not tainted 4.17.0-rc6+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_circular_bug.isra.36.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x343e/0x5140 kernel/locking/lockdep.c:3431
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit

possible deadlock in bpf_tcp_close

2018-05-28 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:7a1a98c171ea Merge branch 'bpf-sendmsg-hook'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10fd82d780
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
dashboard link: https://syzkaller.appspot.com/bug?extid=47ed903f50684f046b15
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+47ed903f50684f046...@syzkaller.appspotmail.com


==
WARNING: possible circular locking dependency detected
4.17.0-rc6+ #25 Not tainted
--
syz-executor4/7489 is trying to acquire lock:
(ptrval) (>buckets[i].lock#2){+...}, at: bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285


but task is already holding lock:
(ptrval) (clock-AF_INET6){++..}, at: bpf_tcp_close+0x241/0x10b0 kernel/bpf/sockmap.c:260


which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (clock-AF_INET6){++..}:
   __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
   _raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:312
   sock_hash_delete_elem+0x7c6/0xaf0 kernel/bpf/sockmap.c:2338
   map_delete_elem+0x32e/0x4e0 kernel/bpf/syscall.c:815
   __do_sys_bpf kernel/bpf/syscall.c:2349 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:2317 [inline]
   __x64_sys_bpf+0x342/0x510 kernel/bpf/syscall.c:2317
   do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (>buckets[i].lock#2){+...}:
   lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
   __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
   _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
   bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
   inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
   inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
   sock_release+0x96/0x1b0 net/socket.c:594
   sock_close+0x16/0x20 net/socket.c:1149
   __fput+0x34d/0x890 fs/file_table.c:209
   fput+0x15/0x20 fs/file_table.c:243
   task_work_run+0x1e4/0x290 kernel/task_work.c:113
   exit_task_work include/linux/task_work.h:22 [inline]
   do_exit+0x1aee/0x2730 kernel/exit.c:865
   do_group_exit+0x16f/0x430 kernel/exit.c:968
   get_signal+0x886/0x1960 kernel/signal.c:2482
   do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
   exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
   prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
   syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
   do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(clock-AF_INET6);
                               lock(>buckets[i].lock#2);
                               lock(clock-AF_INET6);
  lock(>buckets[i].lock#2);

 *** DEADLOCK ***

2 locks held by syz-executor4/7489:
 #0: (ptrval) (rcu_read_lock){}, at: bpf_tcp_close+0x0/0x10b0 kernel/bpf/sockmap.c:2106
 #1: (ptrval) (clock-AF_INET6){++..}, at: bpf_tcp_close+0x241/0x10b0 kernel/bpf/sockmap.c:260


stack backtrace:
CPU: 1 PID: 7489 Comm: syz-executor4 Not tainted 4.17.0-rc6+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_circular_bug.isra.36.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x343e/0x5140 kernel/locking/lockdep.c:3431
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2482
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x

KASAN: use-after-free Write in bpf_tcp_close

2018-05-27 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:ff4fb475cea8 Merge branch 'btf-uapi-cleanups'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12b3d57780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=31025a5f3f7650081204
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=109a2f3780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171a727b80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+31025a5f3f7650081...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
BUG: KASAN: use-after-free in bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265

Write of size 8 at addr 8801ca277680 by task syz-executor749/9723

CPU: 0 PID: 9723 Comm: syz-executor749 Not tainted 4.17.0-rc4+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
 cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
 bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 __do_sys_exit_group kernel/exit.c:979 [inline]
 __se_sys_exit_group kernel/exit.c:977 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440a59
RSP: 002b:7ffdadf92488 EFLAGS: 0206 ORIG_RAX: 00e7
RAX: ffda RBX:  RCX: 00440a59
RDX: 00440a59 RSI: 0020 RDI: 
RBP:  R08: 004002c8 R09: 00401ea0
R10: 004002c8 R11: 0206 R12: 0001b5ac
R13: 00401ea0 R14:  R15: 

Allocated by task 9723:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3689
 kmalloc_node include/linux/slab.h:554 [inline]
 bpf_map_area_alloc+0x3f/0x90 kernel/bpf/syscall.c:144
 sock_map_alloc+0x376/0x410 kernel/bpf/sockmap.c:1555
 find_and_alloc_map kernel/bpf/syscall.c:126 [inline]
 map_create+0x393/0x1010 kernel/bpf/syscall.c:448
 __do_sys_bpf kernel/bpf/syscall.c:2128 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2105 [inline]
 __x64_sys_bpf+0x300/0x4f0 kernel/bpf/syscall.c:2105
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4521:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 kvfree+0x61/0x70 mm/util.c:440
 bpf_map_area_free+0x15/0x20 kernel/bpf/syscall.c:155
 sock_map_remove_complete kernel/bpf/sockmap.c:1443 [inline]
 sock_map_free+0x408/0x540 kernel/bpf/sockmap.c:1619
 bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:259
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at 8801ca277680
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 0 bytes inside of
 1024-byte region [8801ca277680, 8801ca277a80)
The buggy address belongs to the page:
page:ea0007289d80 count:1 mapcount:0 mapping:8801ca276000 index:0x0 compound_mapcount: 0
flags: 0x2fffc008100(slab|head)
raw: 02fffc008100 8801ca276000  00010007
raw: ea0006d12b20 ea000763bba0 8801da800ac0 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801ca277580: fc fc fc fc fc fc

Re: WARNING in bpf_int_jit_compile

2018-05-26 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:62d18ecfa641 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14c6bf5780
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=9e762b52dd17e616a7a5
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=130e42b780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9e762b52dd17e616a...@syzkaller.appspotmail.com

RAX: ffda RBX: 02542914 RCX: 00455a09
RDX: 0048 RSI: 2240 RDI: 0005
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0003
R13: 0046 R14: 006f4730 R15: 0023
WARNING: CPU: 0 PID: 4752 at include/linux/filter.h:667 bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
WARNING: CPU: 0 PID: 4752 at include/linux/filter.h:667 bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4752 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
RIP: 0010:bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271
RSP: 0018:8801d85ff920 EFLAGS: 00010293
RAX: 8801d78c40c0 RBX: 0046 RCX: 81445d89
RDX:  RSI: 81445d97 RDI: 0005
RBP: 8801d85ffa40 R08: 8801d78c40c0 R09: 
R10:  R11:  R12: c9000194e002
R13: 8801d85ffa18 R14: fff4 R15: 0003
 bpf_prog_select_runtime+0x131/0x640 kernel/bpf/core.c:1541
 bpf_prog_load+0x16c2/0x2070 kernel/bpf/syscall.c:1333
 __do_sys_bpf kernel/bpf/syscall.c:2073 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2035 [inline]
 __x64_sys_bpf+0x389/0x4c0 kernel/bpf/syscall.c:2035
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7ffec3da2868 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX: 02542914 RCX: 00455a09
RDX: 0048 RSI: 2240 RDI: 0005
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0003
R13: 0046 R14: 006f4730 R15: 0023
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..



WARNING in bpf_int_jit_compile

2018-05-26 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:203ec2fed17a Merge tag 'armsoc-fixes' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14f0d5a780
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
dashboard link: https://syzkaller.appspot.com/bug?extid=9e762b52dd17e616a7a5
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9e762b52dd17e616a...@syzkaller.appspotmail.com

RAX: ffda RBX: 7f9da107d6d4 RCX: 00455a09
RDX: 0048 RSI: 2000e000 RDI: 0005
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0014
R13: 0046 R14: 006f4730 R15: 0021
WARNING: CPU: 0 PID: 20757 at include/linux/filter.h:667  
bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
WARNING: CPU: 0 PID: 20757 at include/linux/filter.h:667  
bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 20757 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #60
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
RIP: 0010:bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271
RSP: 0018:8801b3fbf920 EFLAGS: 00010246
RAX: 0004 RBX: 0047 RCX: c900050da000
RDX: 0004 RSI: 81444d37 RDI: 0005
RBP: 8801b3fbfa40 R08: 8801b4c18040 R09: 
R10:  R11:  R12: c90001932002
R13: 8801b3fbfa18 R14: fff4 R15: 0003
 bpf_prog_select_runtime+0x131/0x640 kernel/bpf/core.c:1491
 bpf_prog_load+0x16c2/0x2070 kernel/bpf/syscall.c:1333
 __do_sys_bpf kernel/bpf/syscall.c:2073 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2035 [inline]
 __x64_sys_bpf+0x389/0x4c0 kernel/bpf/syscall.c:2035
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7f9da107cc68 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX: 7f9da107d6d4 RCX: 00455a09
RDX: 0048 RSI: 2000e000 RDI: 0005
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0014
R13: 0046 R14: 006f4730 R15: 0021
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.


general protection fault in sock_do_ioctl

2018-05-26 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:62c8a069b510 net: mvpp2: Add missing VLAN tag detection
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10ad582780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=09b980aff7b322aac68d
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+09b980aff7b322aac...@syzkaller.appspotmail.com

 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7f7f8526bc68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7f7f8526c6d4 RCX: 00455a09
RDX:  RSI: 200019c0 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0014
R13: 059b R14: 006fc728 R15: 0005
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 8176 Comm: syz-executor2 Not tainted 4.17.0-rc4+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:smc_tx_prepared_sends net/smc/smc_tx.h:27 [inline]
RIP: 0010:smc_ioctl+0x6db/0x9f0 net/smc/af_smc.c:1506
RSP: 0018:8801afe4f770 EFLAGS: 00010202
RAX: dc00 RBX:  RCX: dc00
RDX: 0004 RSI: 110035fc9f0d RDI: 0020
RBP: 8801afe4f9d0 R08: ed0035fc9f0e R09: ed0035fc9f0d
R10: ed0035fc9f0d R11: 8801afe4f86f R12: 110035fc9ef1
R13: 23c0 R14: 8801afe4f868 R15: 8801afe4f828
FS:  7f6710832700() GS:8801dae0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 007270dc CR3: 0001c83ae000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 sock_do_ioctl+0xe4/0x3e0 net/socket.c:957
 sock_ioctl+0x30d/0x680 net/socket.c:1081
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x16a0 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7f6710831c68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f67108326d4 RCX: 00455a09
RDX: 23c0 RSI: 894b RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 044c R14: 006fa7c0 R15: 
Code: f8 48 c1 e8 03 80 3c 10 00 0f 85 ed 01 00 00 48 8b 9b 90 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 20 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e b7 01 00 00 8b 43 20 49 8d
RIP: smc_tx_prepared_sends net/smc/smc_tx.h:27 [inline] RSP: 8801afe4f770
RIP: smc_ioctl+0x6db/0x9f0 net/smc/af_smc.c:1506 RSP: 8801afe4f770
---[ end trace ed404e46621ff58c ]---

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 8189 Comm: syz-executor5 Not tainted 4.17.0-rc4+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
 __should_failslab+0x124/0x180 mm/failslab.c:32
 should_failslab+0x9/0x14 mm/slab_common.c:1522
 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc mm/slab.c:3378 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:691 [inline]
 fill_pool lib/debugobjects.c:134 [inline]
 __debug_object_init+0xbc0/0x12c0 lib/debugobjects.c:377
 debug_object_init+0x16/0x20 lib/debugobjects.c:429
 debug_timer_init kernel/time/timer.c:704 [inline]
 debug_init kernel/time/timer.c:757 [inline]
 init_timer_key+0xa1/0x470 kernel/time/timer.c:806
 sctp_association_init net/sctp/associola.c:152 [inline]
 sctp_association_new+0xa90/0x2170 net/sctp/associola.c:312


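The GPF report above says only that the fault "could be caused by NULL-ptr deref or user memory access"; the `Code:` line and the register dump contain the rest of the answer, because with inline KASAN the faulting instruction is usually the shadow-byte load the compiler inserted in front of the real access. The following Python script is an added example, not kernel or syzbot code: it rejoins the bytes of a `Code:` line (the archive may split them across lines), finds the `<xx>` marker at RIP, and decodes the one instruction shape that inline KASAN emits for a byte shadow load so that the address under test can be read off the registers. `SAMPLE_CODE` and `SAMPLE_REGS` are constructed from the smc_ioctl report above; the register values are assumed to be full-width, on the assumption that the archive stripped runs of zeros and f's from them, and only RAX, RBX, RDX and RDI matter for the decode.

```python
"""Locate the faulting instruction in an x86-64 oops and, when it is the byte
shadow load that inline KASAN emits, recover the address really being accessed.
Added example for GPF reports like the smc_ioctl one above, not kernel or syzbot
code. Only `movzx r32, byte ptr [base+index*scale]` without REX prefix or
displacement is decoded; anything else is reported as not decoded."""
import re
from typing import Dict, List, Optional, Tuple

KASAN_SHADOW_OFFSET = 0xdffffc0000000000   # x86-64 CONFIG_KASAN_SHADOW_OFFSET
KASAN_SHADOW_SCALE_SHIFT = 3               # one shadow byte covers 8 bytes
REGS = ['rax', 'rcx', 'rdx', 'rbx', 'rsp', 'rbp', 'rsi', 'rdi']  # ModRM/SIB order
REG_RE = re.compile(r'\b(R[A-Z0-9]{2}):\s*([0-9a-f]{16})\b')

def parse_code_line(line: str) -> Tuple[List[int], int]:
    """Return (bytes, index of the byte at RIP); the kernel marks that byte <xx>."""
    if not line.startswith('Code: '):
        raise ValueError('not a Code: line')
    out, fault = [], -1
    for tok in line[6:].split():
        if tok.startswith('<') and tok.endswith('>'):
            fault, tok = len(out), tok[1:-1]
        out.append(int(tok, 16))
    if fault < 0:
        raise ValueError('no <xx> marker in Code: line')
    return out, fault

def parse_regs(lines: List[str]) -> Dict[str, int]:
    """Collect RAX..R15 from the register-dump lines of an oops."""
    return {m[1].lower(): int(m[2], 16) for line in lines for m in REG_RE.finditer(line)}

def decode_shadow_load(code: List[int], fault: int, regs: Dict[str, int]) -> Optional[dict]:
    """Decode `0f b6 /r` with mod=00, rm=100 (SIB, no displacement). When one of
    the two registers holds the shadow offset this is a KASAN check, and the
    address under test is (shadow - offset) << 3."""
    b = code[fault:fault + 4]
    if len(b) < 4 or b[0] != 0x0f or b[1] != 0xb6:
        return None
    modrm, sib = b[2], b[3]
    if modrm >> 6 != 0 or modrm & 7 != 4:
        return None
    scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
    if index == 4 or base == 5:            # no index, or disp32 without base
        return None
    dst, base_r, index_r = 'e' + REGS[(modrm >> 3) & 7][1:], REGS[base], REGS[index]
    if base_r not in regs or index_r not in regs:
        return None
    shadow = (regs[base_r] + regs[index_r] * scale) & 0xffffffffffffffff
    if KASAN_SHADOW_OFFSET not in (regs[base_r], regs[index_r]):
        return None                        # a plain byte load, not a shadow check
    addr = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    return {'insn': f'movzx {dst}, byte ptr [{base_r}+{index_r}*{scale}]',
            'shadow': shadow, 'addr': addr, 'null_deref': addr < 4096}

def triage(code_line: str, reg_lines: List[str]) -> str:
    """Human-readable verdict for one oops: decoded shadow load or 'not decoded'."""
    code, fault = parse_code_line(code_line)
    d = decode_shadow_load(code, fault, parse_regs(reg_lines))
    if d is None:
        return f'faulting bytes {code[fault:fault + 4]} not decoded'
    what = (f'NULL-pointer dereference at offset {d["addr"]:#x}' if d['null_deref']
            else f'access to {d["addr"]:#x}')
    return f'{d["insn"]}: KASAN shadow load from {d["shadow"]:#x}, i.e. {what}'

# Constructed sample modelled on the smc_ioctl GPF above: the Code: bytes are the
# ones printed there, and the registers are written out at full width on the
# assumption that the archive stripped runs of zeros and f's from the dump.
SAMPLE_CODE = ('Code: f8 48 c1 e8 03 80 3c 10 00 0f 85 ed 01 00 00 48 8b 9b 90 04 00 00 '
               '48 b8 00 00 00 00 00 fc ff df 48 8d 7b 20 48 89 fa 48 c1 ea 03 <0f> b6 04 '
               '02 84 c0 74 08 3c 03 0f 8e b7 01 00 00 8b 43 20 49 8d')
SAMPLE_REGS = ['RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000',
               'RDX: 0000000000000004 RSI: 1ffff10035fc9f0d RDI: 0000000000000020']

if __name__ == '__main__':
    print(triage(SAMPLE_CODE, SAMPLE_REGS))
```

On the sample this prints `movzx eax, byte ptr [rdx+rax*1]: KASAN shadow load from 0xdffffc0000000004, i.e. NULL-pointer dereference at offset 0x20`, which matches the bytes just before the marker (`lea rdi,[rbx+0x20]; mov rdx,rdi; shr rdx,3`) with RBX zero: the code is dereferencing a field at offset 0x20 of a NULL pointer. For anything beyond this one instruction shape, feed the rejoined bytes to a real disassembler (`objdump -D -b binary -m i386:x86-64`) and take the register values from the raw console-output link rather than from the archived copy.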

general protection fault in bpf_tcp_close

2018-05-26 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:fd0bfa8d6e04 Merge branch 'bpf-af-xdp-cleanups'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11da942780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=0ce137753c78f7b6acc1
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0ce137753c78f7b6a...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 12139 Comm: syz-executor2 Not tainted 4.17.0-rc4+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:__hlist_del include/linux/list.h:649 [inline]
RIP: 0010:hlist_del_rcu include/linux/rculist.h:427 [inline]
RIP: 0010:bpf_tcp_close+0x7d2/0xf80 kernel/bpf/sockmap.c:271
RSP: 0018:8801a8f8ef70 EFLAGS: 00010a02
RAX: ed00351f1dfd RBX: dc00 RCX: dead0200
RDX:  RSI: 1bd5a040 RDI: 8801cb710910
RBP: 8801a8f8f110 R08: ed003350ac9d R09: ed003350ac9c
R10: ed003350ac9c R11: 88019a8564e3 R12: 8801cb710380
R13: 8801b17ea6e0 R14: 8801cb710398 R15: 8801cb710900
FS:  7f9890c43700() GS:8801dae0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fde1a668000 CR3: 00019dca2000 CR4: 001406f0
DR0: 21c0 DR1: 21c0 DR2: 
DR3:  DR6: fffe0ff0 DR7: 0600
Call Trace:
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2469
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7f9890c42ce8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0072bec8 RCX: 00455a09
RDX:  RSI:  RDI: 0072bec8
RBP: 0072bec8 R08:  R09: 0072bea0
R10:  R11: 0246 R12: 
R13: 7ffcb48ac3ff R14: 7f9890c439c0 R15: 
Code: ff 48 c1 e9 03 80 3c 19 00 0f 85 a9 05 00 00 49 8b 4f 18 48 8b 85 98  
fe ff ff 48 89 ce c6 00 00 48 c1 ee 03 48 89 95 d8 fe ff ff <80> 3c 1e 00  
0f 85 c6 05 00 00 48 8b 85 98 fe ff ff 48 85 d2 48

RIP: __hlist_del include/linux/list.h:649 [inline] RSP: 8801a8f8ef70
RIP: hlist_del_rcu include/linux/rculist.h:427 [inline] RSP:  
8801a8f8ef70
RIP: bpf_tcp_close+0x7d2/0xf80 kernel/bpf/sockmap.c:271 RSP:  
8801a8f8ef70

---[ end trace e81227e93c7e7b75 ]---




KASAN: use-after-free Read in bpf_tcp_close

2018-05-26 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:3fb48d881dbe Merge branch 'bpf-fib-mtu-check'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15fc197780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=fce8f2462c403d02af98
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1310c85780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17de717780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fce8f2462c403d02a...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:427  
[inline]
BUG: KASAN: use-after-free in bpf_tcp_close+0xd7f/0xf80  
kernel/bpf/sockmap.c:271

Read of size 8 at addr 8801c884cf90 by task syz-executor330/11778

CPU: 1 PID: 11778 Comm: syz-executor330 Not tainted 4.17.0-rc4+ #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 hlist_del_rcu include/linux/rculist.h:427 [inline]
 bpf_tcp_close+0xd7f/0xf80 kernel/bpf/sockmap.c:271
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2469
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445ed9
RSP: 002b:7f0078c0adb8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 006dbc24 RCX: 00445ed9
RDX:  RSI:  RDI: 006dbc24
RBP: 006dbc20 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 7ffcd147dbef R14: 7f0078c0b9c0 R15: 0007

Allocated by task 11787:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3689
 kmalloc_node include/linux/slab.h:554 [inline]
 alloc_sock_hash_elem kernel/bpf/sockmap.c:2114 [inline]
 sock_hash_ctx_update_elem.isra.23+0xa57/0x1560 kernel/bpf/sockmap.c:2245
 sock_hash_update_elem+0x14f/0x2d0 kernel/bpf/sockmap.c:2303
 map_update_elem+0x5c4/0xc90 kernel/bpf/syscall.c:760
 __do_sys_bpf kernel/bpf/syscall.c:2134 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2105 [inline]
 __x64_sys_bpf+0x32a/0x4f0 kernel/bpf/syscall.c:2105
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8998:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 sock_hash_free+0x24e/0x6e0 kernel/bpf/sockmap.c:2093
 bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:259
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at 8801c884cf80
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 16 bytes inside of
 64-byte region [8801c884cf80, 8801c884cfc0)
The buggy address belongs to the page:
page:ea0007221300 count:1 mapcount:0 mapping:8801c884c000 index:0x0
flags: 0x2fffc000100(slab)
raw: 02fffc000100 8801c884c000  00010020
raw: ea00072e08e0 ea0006e99660 8801da800340 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801c884ce80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 8801c884cf00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc

8801c884cf80: fb fb fb fb fb fb fb fb
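A report like the one above already carries everything needed for a first triage pass: the kind and size of the access, the object it landed in, and the call chains that allocated and freed that object. Extracting those by eye across many reports is slow, so the following Python parser is added here as an example; it is not syzbot's or the kernel's code. It works on raw console text with one frame per line (the archived copy above wraps long lines, so unwrap them or use the console-output link), and `SAMPLE` is a shortened, constructed copy of this report with invented addresses.

```python
"""Parse a KASAN report into structured fields for triage. Added example for
reports like the bpf_tcp_close use-after-free above, not syzbot or kernel code;
it expects raw console text (one frame per line). SAMPLE is a shortened copy of
that report with invented addresses."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Frame = Tuple[str, str]   # (function, "file:line" or "" if none was printed)
# " func+0x1a/0x2b path/file.c:123 [inline]"; offset and [inline] are optional
FRAME_RE = re.compile(r'^ (?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?'
                      r'(?: (?P<loc>[\w./-]+:\d+))?(?: \[inline\])?\s*$')
BUG_RE = re.compile(r'^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)'
                    r'(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>[\w./-]+:\d+)')
ACCESS_RE = re.compile(r'^(?P<op>Read|Write) of size (?P<size>\d+) at addr '
                       r'(?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)')
ALLOC_RE = re.compile(r'^Allocated by task (?P<pid>\d+):')
FREE_RE = re.compile(r'^Freed by task (?P<pid>\d+):')
OBJ_RE = re.compile(r'^The buggy address belongs to the object at (?P<base>[0-9a-f]+)')
# Sanitizer, allocator and entry-code frames say nothing about the subsystem under test.
NOISE = ('mm/kasan/', 'mm/slab', 'include/linux/slab.h', 'lib/dump_stack.c',
         'kernel/workqueue.c', 'kernel/kthread.c', 'arch/x86/entry/')

@dataclass
class KasanReport:
    kind: str = ''
    func: str = ''    # non-inline function from the last BUG: line
    loc: str = ''
    op: str = ''
    size: int = 0
    addr: int = 0
    pid: int = 0      # task that performed the bad access
    access_stack: List[Frame] = field(default_factory=list)
    alloc_pid: Optional[int] = None
    alloc_stack: List[Frame] = field(default_factory=list)
    free_pid: Optional[int] = None
    free_stack: List[Frame] = field(default_factory=list)
    obj_base: Optional[int] = None   # start of the slab object, if reported

def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    stack: Optional[List[Frame]] = None   # stack section being collected
    for line in text.splitlines():
        if (m := BUG_RE.match(line)):
            # one BUG: line per inlining level; the last names the real function
            r.kind, r.func, r.loc = m['kind'], m['func'], m['loc']
        elif (m := ACCESS_RE.match(line)):
            r.op, r.size = m['op'], int(m['size'])
            r.addr, r.pid = int(m['addr'], 16), int(m['pid'])
        elif line.startswith('Call Trace:'):
            stack = r.access_stack
        elif (m := ALLOC_RE.match(line)):
            r.alloc_pid, stack = int(m['pid']), r.alloc_stack
        elif (m := FREE_RE.match(line)):
            r.free_pid, stack = int(m['pid']), r.free_stack
        elif (m := OBJ_RE.match(line)):
            r.obj_base, stack = int(m['base'], 16), None
        elif stack is not None:
            if (m := FRAME_RE.match(line)):
                stack.append((m['func'], m['loc'] or ''))
            elif not line.strip():
                stack = None          # a blank line ends the stack
    return r

def first_interesting(frames: List[Frame]) -> Optional[Frame]:
    """First frame whose source location is outside the NOISE prefixes."""
    return next(((f, loc) for f, loc in frames if loc and not loc.startswith(NOISE)), None)

def summarize(r: KasanReport) -> str:
    parts = [f'{r.kind} {r.op} of {r.size} bytes in {r.func} ({r.loc}) by pid {r.pid}']
    if r.obj_base is not None:
        parts.append(f'offset {r.addr - r.obj_base} into the freed object')
    for label, pid, frames in (('allocated', r.alloc_pid, r.alloc_stack),
                               ('freed', r.free_pid, r.free_stack)):
        if (fr := first_interesting(frames)):
            parts.append(f'{label} by {fr[0]} ({fr[1]}, pid {pid})')
    return '; '.join(parts)

SAMPLE = """\
BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:427 [inline]
BUG: KASAN: use-after-free in bpf_tcp_close+0xd7f/0xf80 kernel/bpf/sockmap.c:271
Read of size 8 at addr ffff8801c884cf90 by task syz-executor330/11778
Call Trace:
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 hlist_del_rcu include/linux/rculist.h:427 [inline]
 bpf_tcp_close+0xd7f/0xf80 kernel/bpf/sockmap.c:271

Allocated by task 11787:
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmalloc_node include/linux/slab.h:554 [inline]
 alloc_sock_hash_elem kernel/bpf/sockmap.c:2114 [inline]

Freed by task 8998:
 kfree+0xd9/0x260 mm/slab.c:3813
 sock_hash_free+0x24e/0x6e0 kernel/bpf/sockmap.c:2093

The buggy address belongs to the object at ffff8801c884cf80
"""
```

`summarize(parse_kasan_report(SAMPLE))` gives one line naming `alloc_sock_hash_elem` as the allocator, `sock_hash_free` as the freer and `bpf_tcp_close` as the accessor, 16 bytes into a freed 64-byte object. The three different pids are the first thing to look at: in the report above the free runs from `bpf_map_free_deferred` on a workqueue while the access runs from `sock_close` in the exiting task, so the element was torn down with the map while the socket still pointed at it.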

Re: WARNING: ODEBUG bug in __sk_destruct

2018-05-26 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:e52cde717093 net: dsa: dsa_loop: Make dynamic debugging he..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1424a4b780
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
dashboard link: https://syzkaller.appspot.com/bug?extid=92209502e7aab127c75f
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1071bc2f80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16b51cb780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+92209502e7aab127c...@syzkaller.appspotmail.com

[ cut here ]
ODEBUG: free active (active state 0) object type: work_struct hint:  
smc_tx_work+0x0/0x350 include/linux/compiler.h:188
WARNING: CPU: 0 PID: 5254 at lib/debugobjects.c:329  
debug_print_object+0x16a/0x210 lib/debugobjects.c:326

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 5254 Comm: syz-executor351 Not tainted 4.17.0-rc6+ #64
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
RSP: 0018:8801c6f67158 EFLAGS: 00010082
RAX: 0059 RBX: 0003 RCX: 818435f8
RDX:  RSI: 8160f2c1 RDI: 0001
RBP: 8801c6f67198 R08: 8801cb640580 R09: ed003b5c3eb2
R10: ed003b5c3eb2 R11: 8801dae1f597 R12: 0001
R13: 88d5f040 R14: 87fa2a00 R15: 814ccb10
 __debug_check_no_obj_freed lib/debugobjects.c:783 [inline]
 debug_check_no_obj_freed+0x3a6/0x584 lib/debugobjects.c:815
 kmem_cache_free+0x216/0x2d0 mm/slab.c:3755
 sk_prot_free net/core/sock.c:1516 [inline]
 __sk_destruct+0x6fe/0xa40 net/core/sock.c:1600
 sk_destruct+0x78/0x90 net/core/sock.c:1608
 __sk_free+0xcf/0x300 net/core/sock.c:1619
 sk_free+0x42/0x50 net/core/sock.c:1630
 sock_put include/net/sock.h:1669 [inline]
 smc_release+0x459/0x610 net/smc/af_smc.c:156
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 __do_sys_exit_group kernel/exit.c:979 [inline]
 __se_sys_exit_group kernel/exit.c:977 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4424f9
RSP: 002b:7ffcbea55c78 EFLAGS: 0202 ORIG_RAX: 00e7
RAX: ffda RBX: 02c0 RCX: 004424f9
RDX: 004424f9 RSI: 0001 RDI: 
RBP: 7ffcbea55db0 R08: 0003 R09: 7ffcbea55cc0
R10: 0004 R11: 0202 R12: 
R13:  R14: 1380 R15: 7ffcbea55dd8

==
WARNING: possible circular locking dependency detected
4.17.0-rc6+ #64 Not tainted
--
syz-executor351/5254 is trying to acquire lock:
(ptrval) ((console_sem).lock){-...}, at: down_trylock+0x13/0x70  
kernel/locking/semaphore.c:136


but task is already holding lock:
(ptrval) (&obj_hash[i].lock){-.-.}, at: __debug_check_no_obj_freed  
lib/debugobjects.c:774 [inline]
(ptrval) (&obj_hash[i].lock){-.-.}, at:  
debug_check_no_obj_freed+0x159/0x584 lib/debugobjects.c:815


which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&obj_hash[i].lock){-.-.}:
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
   __debug_object_init+0x11f/0x12c0 lib/debugobjects.c:381
   debug_object_init+0x16/0x20 lib/debugobjects.c:429
   debug_hrtimer_init kernel/time/hrtimer.c:410 [inline]
   debug_init kernel/time/hrtimer.c:458 [inline]
   hrtimer_init+0x8f/0x460 kernel/time/hrtimer.c:1308
   init_dl_task_timer+0x1b/0x50 kernel/sched/deadline.c:1056
   __sched_fork+0x2ae/0xc20 kernel/sched/core.c:2166
   init_idle+0x75/0x7a0 kernel/sched/core.c:5402
   sched_init+0xbeb/0xd10 kernel/sched/core.c:6100
   start_kernel+0x475/0x

KASAN: use-after-free Write in tls_push_record

2018-05-25 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:13405468f49d bpfilter: don't pass O_CREAT when opening con..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=109ad82f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=8be0182d69f8d422
dashboard link: https://syzkaller.appspot.com/bug?extid=709f2810a6a05f11d4d3
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=151ec3a780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=154d302f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+709f2810a6a05f11d...@syzkaller.appspotmail.com

RDX: fdef RSI: 25c0 RDI: 0003
RBP: 7ffd6ccdd780 R08: 2000 R09: 001c
R10:  R11: 0212 R12: 0004
R13:  R14:  R15: 
==
BUG: KASAN: use-after-free in tls_fill_prepend include/net/tls.h:339  
[inline]
BUG: KASAN: use-after-free in tls_push_record+0x1023/0x13e0  
net/tls/tls_sw.c:240

Write of size 1 at addr 8801d88d5000 by task syz-executor377/4600

CPU: 1 PID: 4600 Comm: syz-executor377 Not tainted 4.17.0-rc6+ #61
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 tls_fill_prepend include/net/tls.h:339 [inline]
 tls_push_record+0x1023/0x13e0 net/tls/tls_sw.c:240
 tls_sw_sendmsg+0x9de/0x12b0 net/tls/tls_sw.c:484
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 __sys_sendto+0x3d7/0x670 net/socket.c:1789
 __do_sys_sendto net/socket.c:1801 [inline]
 __se_sys_sendto net/socket.c:1797 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4416d9
RSP: 002b:7ffd6ccdd758 EFLAGS: 0212 ORIG_RAX: 002c
RAX: ffda RBX:  RCX: 004416d9
RDX: fdef RSI: 25c0 RDI: 0003
RBP: 7ffd6ccdd780 R08: 2000 R09: 001c
R10:  R11: 0212 R12: 0004
R13:  R14:  R15: 

The buggy address belongs to the page:
page:ea0007623540 count:0 mapcount:0 mapping: index:0x0
flags: 0x2fffc00()
raw: 02fffc00   
raw: ea0007592b60 8801dae2fdd8  
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801d88d4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8801d88d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

8801d88d5000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

   ^
 8801d88d5080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 8801d88d5100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==



syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv

2018-05-25 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:b50694381cfc Merge branch 'stable/for-linus-4.17' of git:/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17151cb780
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1363ccb780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1272e2b780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+554ccde221001ab54...@syzkaller.appspotmail.com

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
 __should_failslab+0x124/0x180 mm/failslab.c:32
 should_failslab+0x9/0x14 mm/slab_common.c:1522
 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc mm/slab.c:3378 [inline]
 kmem_cache_alloc_trace+0x4b/0x780 mm/slab.c:3618
 kmalloc include/linux/slab.h:512 [inline]
 dccp_ackvec_parsed_add+0xa1/0x310 net/dccp/ackvec.c:352
 ccid2_hc_tx_parse_options+0x9a/0xb0 net/dccp/ccids/ccid2.c:510
 ccid_hc_tx_parse_options net/dccp/ccid.h:207 [inline]
 dccp_parse_options+0x658/0x11f0 net/dccp/options.c:233
 dccp_rcv_established+0x44/0xb0 net/dccp/input.c:374
 dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 dccp_sendmsg+0x771/0x1020 net/dccp/proto.c:820
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 __do_sys_sendmmsg net/socket.c:2241 [inline]
 __se_sys_sendmmsg net/socket.c:2238 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441819
RSP: 002b:7ffdb9a9df08 EFLAGS: 0246 ORIG_RAX: 0133
RAX: ffda RBX:  RCX: 00441819
RDX: 040001e6 RSI: 2c00 RDI: 0005
RBP: 7ffdb9a9df20 R08: 0002 R09: 
R10:  R11: 0246 R12: 
R13: 040001e6 R14: 0006 R15: 
dccp_parse_options: DCCP((ptrval)): Option 38 (len=1) error=5
==
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x2383/0x275e  
net/dccp/ccids/ccid2.c:597

Read of size 1 at addr 8801ba4911c2 by task syz-executor940/4542

CPU: 0 PID: 4542 Comm: syz-executor940 Not tainted 4.17.0-rc6+ #66
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 ccid2_hc_tx_packet_recv+0x2383/0x275e net/dccp/ccids/ccid2.c:597
 ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
 dccp_deliver_input_to_ccids+0x203/0x280 net/dccp/input.c:186
 dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 dccp_sendmsg+0x771/0x1020 net/dccp/proto.c:820
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 __do_sys_sendmmsg net/socket.c:2241 [inline]
 __se_sys_sendmmsg net/socket.c:2238 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441819
RSP: 002b:7ffdb9a9df08 EFLAGS: 0246 ORIG_RAX: 0133
RAX: ffda RBX:  RCX: 00441819
RDX: 040001e6 RSI: 2c00 RDI: 0005
RBP: 7ffdb9a9df20 R08: 0002 R09: 
R10:  R11: 0246 R12: 
R13: 040001e6 R14: 0006 R15: 

Allocated by task 4542:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan

INFO: rcu detected stall in corrupted

2018-05-21 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:771c577c23ba Linux 4.17-rc6
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1713435780
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=f116bc1994efe725d51b
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=14e5a7cf80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f116bc1994efe725d...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
INFO: rcu_sched self-detected stall on CPU
INFO: rcu_sched detected stalls on CPUs/tasks:
	0-...!: (124975 ticks this GP) idle=a36/1/4611686018427387906  
softirq=14002/14002 fqs=10


	0-...!: (124975 ticks this GP) idle=a36/1/4611686018427387906  
softirq=14002/14002 fqs=10


 (t=125002 jiffies g=7347 c=7346 q=349000)
(detected by 1, t=125002 jiffies, g=7347, c=7346, q=349000)
rcu_sched kthread starved for 124927 jiffies! g7347 c7346 f0x2  
RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1

Sending NMI from CPU 1 to CPUs 0:
RCU grace-period kthread stack dump:
NMI backtrace for cpu 0
CPU: 0 PID: 8 Comm: ksoftirqd/0 Not tainted 4.17.0-rc6+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:write_comp_data+0xa/0x70 kernel/kcov.c:121
RSP: 0018:8801dae06d30 EFLAGS: 0006
RAX: 00010105 RBX: 0006 RCX: 876bdc58
RDX:  RSI: 0005 RDI: 0001
RBP: 8801dae06d68 R08: 8801d9a9c200 R09: fbfff14da4bc
R10: fbfff14da4bc R11: 8a6d25e0 R12: 88644220
R13:  R14: 0001 R15: 0008
FS:  () GS:8801dae0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f595e194270 CR3: 0001b09c2000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 <IRQ>
 vsnprintf+0x1b8/0x1b40 lib/vsprintf.c:2252
 sprintf+0xa7/0xd0 lib/vsprintf.c:2498
 print_time kernel/printk/printk.c:1223 [inline]
 print_prefix+0x26a/0x3f0 kernel/printk/printk.c:1246
 msg_print_text+0xca/0x1c0 kernel/printk/printk.c:1273
 console_unlock+0x4f5/0x1100 kernel/printk/printk.c:2369
 vprintk_emit+0x6ad/0xdd0 kernel/printk/printk.c:1907
 vprintk_default+0x28/0x30 kernel/printk/printk.c:1947
 vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:379
 printk+0x9e/0xba kernel/printk/printk.c:1980
 rcu_check_gp_kthread_starvation+0x325/0x3a4 kernel/rcu/tree.c:1353
 print_cpu_stall kernel/rcu/tree.c:1523 [inline]
 check_cpu_stall.isra.61.cold.80+0x364/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 
RIP: 0010:__sanitizer_cov_trace_pc+0x1/0x50 kernel/kcov.c:94
RSP: 0018:8801d9aad680 EFLAGS: 0293 ORIG_RAX: ff13
RAX: 0103 RBX: 0002 RCX: 867e02e0
RDX:  RSI: 0002 RDI: 0005
RBP: 8801d9aad7e0 R08: 8801d9a9c200 R09: 8801d9aadaf0
R10: ed003b5c46c2 R11: 8801dae23613 R12: 8801ce597c40
R13:  R14: 0002 R15: 
 find_match+0x244/0x13a0 net/ipv6/route.c:691
 find_rr_leaf net/ipv6/route.c:729 [inline]
 rt6_select net/ipv6/route.c:779 [inline]
 ip6_pol_route+0x946/0x3d40 net/ipv6/route.c:1705
 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:1969
 fib6_rule_lookup+0x211/0x6d0 net/ipv6/fib6_rules.c:89
 ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:1997
 ip6_dst_lookup_tail+0x47b/0x1b30 net/ipv6/ip6_output.c:995
 ip6_dst_lookup_flow+0xc1/0x260 net/ipv6/ip6_output.c:1096
 sctp_v6_get_dst+0x16b4/0x20b0 net/sctp/ipv6.c:327
 sctp_transport_route+0xad/0x450 net/sctp/transport.c:293
 sctp_packet_config+0xb89/0xfd0 net/sctp/output.c:123
 sctp_outq_flush+0x79c/

Re: INFO: task hung in tls_push_record

2018-05-19 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:eb38401c779d net: stmmac: Populate missing callbacks in HW..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16d0820f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=4006516aae0b06e7050f
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=10f6927b80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15b7a20f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4006516aae0b06e70...@syzkaller.appspotmail.com

INFO: task syz-executor793:4489 blocked for more than 120 seconds.
  Not tainted 4.17.0-rc4+ #52
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor793 D23464  4489   4486 0x
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x1b5/0x240 kernel/time/timer.c:1777
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common kernel/sched/completion.c:115 [inline]
 wait_for_completion+0x3e7/0x870 kernel/sched/completion.c:136
 crypto_wait_req include/linux/crypto.h:512 [inline]
 tls_do_encryption net/tls/tls_sw.c:217 [inline]
 tls_push_record+0xedc/0x13e0 net/tls/tls_sw.c:248
 tls_sw_sendmsg+0x8d7/0x12b0 net/tls/tls_sw.c:440
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 __sys_sendto+0x3d7/0x670 net/socket.c:1789
 __do_sys_sendto net/socket.c:1801 [inline]
 __se_sys_sendto net/socket.c:1797 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4457d9
RSP: 002b:7fa388d06da8 EFLAGS: 0216 ORIG_RAX: 002c
RAX: ffda RBX: 006dac24 RCX: 004457d9
RDX: fdef RSI: 25c0 RDI: 0022
RBP: 006dac20 R08: 2000 R09: 001c
R10:  R11: 0216 R12: 
R13: 7ffd5148ecaf R14: 7fa388d079c0 R15: 0001

Showing all locks held in the system:
2 locks held by khungtaskd/892:
 #0: 9dfaae0c (rcu_read_lock){}, at:  
check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 9dfaae0c (rcu_read_lock){}, at: watchdog+0x1ff/0xf60  
kernel/hung_task.c:249
 #1: 58f79a8d (tasklist_lock){.+.+}, at:  
debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470

1 lock held by rsyslogd/4370:
 #0: 59c3c7ae (>f_pos_lock){+.+.}, at: __fdget_pos+0x1a9/0x1e0  
fs/file.c:766

2 locks held by getty/4460:
 #0: e25a52c3 (>ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 2caea50f (>atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4461:
 #0: d38c9806 (>ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: eaffe99d (>atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4462:
 #0: cec6abe7 (>ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 00afd91c (>atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4463:
 #0: 3456fca5 (>ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 38a65d91 (>atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4464:
 #0: 01e783b1 (>ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 3ecd2e34 (>atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4465:
 #0: 7ef8b451 (>ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 6996c3ed (>atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4466:
 #0: d15d9a92 (>ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: ee44bcf4 (>atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

1 lock held by syz-executor793/4489:
 #0: 08c84b0d (sk_lock-AF_INET6){+.+.}, at: lock_sock  
include/net/sock.h:1474 [inline]
 #0: 08c84b0d (sk_lock-AF_INET6){+.+.}, at:  
tls_sw_sendmsg+0x1b9/0x12b0 net/tls/tls_sw.c:384

1 lock held by syz-executor793/4494:
 #0: f2de7555 (sk_lock-AF_INET6){+.+.}, at: lock_soc

INFO: rcu detected stall in is_bpf_text_address

2018-05-19 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:73fcb1a370c7 Merge branch 'akpm' (patches from Andrew)
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1462ec0f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
dashboard link: https://syzkaller.appspot.com/bug?extid=3dcd59a1f907245f891f
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1079cf8f80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=156daf9780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3dcd59a1f907245f8...@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
INFO: rcu_sched self-detected stall on CPU
	0-...!: (124998 ticks this GP) idle=0be/1/4611686018427387908  
softirq=15234/15234 fqs=59

 (t=125000 jiffies g=7610 c=7609 q=351640)
rcu_sched kthread starved for 124739 jiffies! g7610 c7609 f0x2  
RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1

RCU grace-period kthread stack dump:
rcu_sched   R  running task23896 9  2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2859 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3501
 schedule+0xef/0x430 kernel/sched/core.c:3545
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
NMI backtrace for cpu 0
CPU: 0 PID: 6381 Comm: sh Not tainted 4.17.0-rc5+ #58
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783  
[inline]

RIP: 0010:lock_acquire+0x257/0x520 kernel/locking/lockdep.c:3923
RSP: :8801dae06b60 EFLAGS: 0286 ORIG_RAX: ff13
RAX: dc00 RBX: 11003b5c0d71 RCX: 
RDX: 111a30e5 RSI: 8801c7b54c38 RDI: 0286
RBP: 8801dae06c50 R08: 0008 R09: 0003
R10: 8801c7b54cb0 R11: 8801c7b54400 R12: 8801c7b54400
R13: 0002 R14:  R15: 
 rcu_lock_acquire include/linux/rcupdate.h:246 [inline]
 rcu_read_lock include/linux/rcupdate.h:632 [inline]
 is_bpf_text_address+0x3b/0x170 kernel/bpf/core.c:478
 kernel_text_address+0x79/0xf0 kernel/extable.c:152
 __kernel_text_address+0xd/0x40 kernel/extable.c:107
 unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18
 __save_stack_trace+0x7e/0xd0 arch/x86/kernel/stacktrace.c:45
 save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slab.c:3335 [inline]
 kmem_cache_alloc_node+0x131/0x780 mm/slab.c:3642
 __alloc_skb+0x111/0x780 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:987 [inline]
 _sctp_make_chunk+0x58/0x280 net/sctp/sm_make_chunk.c:1417
 sctp_make_control net/sctp/sm_make_chunk.c:1464 [inline]
 sctp_make_heartbeat+0x8f/0x430 net/sctp/sm_make_chunk.c:1177
 sctp_sf_heartbeat.isra.23+0x26/0x180 net/sctp/sm_statefuns.c:1005
 sctp_sf_sendbeat_8_3+0x38e/0x550 net/sctp/sm_statefuns.c:1049
 sctp_do_sm+0x1ab/0x7160 net/sctp/sm_sideeffect.c:1188
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_ti

Re: WARNING in xfrm6_tunnel_net_exit (2)

2018-05-19 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:eb38401c779d net: stmmac: Populate missing callbacks in HW..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1233a82780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=e9aebef558e3ed673934
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1547dbcf80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=132307cf80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e9aebef558e3ed673...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
WARNING: CPU: 1 PID: 44 at net/ipv6/xfrm6_tunnel.c:348  
xfrm6_tunnel_net_exit+0x2df/0x510 net/ipv6/xfrm6_tunnel.c:348

Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 4.17.0-rc4+ #52
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:xfrm6_tunnel_net_exit+0x2df/0x510 net/ipv6/xfrm6_tunnel.c:348
RSP: 0018:8801d95273d8 EFLAGS: 00010293
RAX: 8801d955c380 RBX: 8801b03399f8 RCX: 86925525
RDX:  RSI: 8692552f RDI: 0007
RBP: 8801d95274f8 R08: 8801d955c380 R09: 0006
R10: 8801d955c380 R11:  R12: 00ff
R13: ed003b2a4e82 R14: 8801d95274d0 R15: 8801b3e25780
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..



WARNING in xfrm6_tunnel_net_exit (2)

2018-05-19 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:2c71d338bef2 Merge tag 'powerpc-4.17-6' of git://git.kerne..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a7bd5780
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
dashboard link: https://syzkaller.appspot.com/bug?extid=e9aebef558e3ed673934
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=17409d5780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e9aebef558e3ed673...@syzkaller.appspotmail.com

bond0: Enslaving bond_slave_1 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
WARNING: CPU: 1 PID: 6 at net/ipv6/xfrm6_tunnel.c:348  
xfrm6_tunnel_net_exit+0x2df/0x510 net/ipv6/xfrm6_tunnel.c:348

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 6 Comm: kworker/u4:0 Not tainted 4.17.0-rc5+ #57
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Workqueue: netns cleanup_net
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:xfrm6_tunnel_net_exit+0x2df/0x510 net/ipv6/xfrm6_tunnel.c:348
RSP: 0018:8801d9a973d8 EFLAGS: 00010293
RAX: 8801d9a88180 RBX: 8801b6eda2b8 RCX: 868ff5f5
RDX:  RSI: 868ff5ff RDI: 0007
RBP: 8801d9a974f8 R08: 8801d9a88180 R09: 0006
R10: 8801d9a88180 R11:  R12: 00ff
R13: ed003b352e82 R14: 8801d9a974d0 R15: 8801b32f0700
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


general protection fault in smc_ioctl

2018-05-18 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:1f7455c3912d tcp: tcp_rack_reo_wnd() can be static
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=171a133780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=e6714328fda813fc670f
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15782d5780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=108711a780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e6714328fda813fc6...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4559 Comm: syz-executor292 Not tainted 4.17.0-rc4+ #50
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:smc_ioctl+0x3dc/0x9f0 net/smc/af_smc.c:1499
RSP: 0018:8801ad22f770 EFLAGS: 00010202
RAX: dc00 RBX: 8801ad0df7c0 RCX: 8741188f
RDX: 0004 RSI: 8741189e RDI: 0020
RBP: 8801ad22f9d0 R08: 8801ae87e6c0 R09: ed00363e1818
R10: ed00363e1818 R11: 8801b1f0c0c3 R12: 110035a45ef1
R13: 2080 R14:  R15: 
FS:  017b7880() GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7ffd1f18f038 CR3: 0001ad044000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 sock_do_ioctl+0xe4/0x3e0 net/socket.c:957
 sock_ioctl+0x30d/0x680 net/socket.c:1081
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x16a0 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fca9
RSP: 002b:7ffd1f073588 EFLAGS: 0213 ORIG_RAX: 0010
RAX: ffda RBX: 004002c8 RCX: 0043fca9
RDX: 2080 RSI: 5411 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 004015d0
R13: 00401660 R14:  R15: 
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 7d 05 00 00 4c 8b b3 90 04 00 00 48  
b8 00 00 00 00 00 fc ff df 49 8d 7e 20 48 89 fa 48 c1 ea 03 <0f> b6 04 02  
84 c0 74 08 3c 03 0f 8e 47 05 00 00 45 8b 7e 20 4c

RIP: smc_ioctl+0x3dc/0x9f0 net/smc/af_smc.c:1499 RSP: 8801ad22f770
---[ end trace b586e1eb098f7714 ]---


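Decoding this one, as an added note and example that is not part of the syzbot report or of the SMC code: the "kasan: GPF could be caused by NULL-ptr deref or user memory access" line is KASAN's hint that the fault happened inside its own shadow lookup, and the Code: bytes say why. 4c 8b b3 90 04 00 00 loads a pointer from offset 0x490 of the object in RBX into R14 (the register dump shows R14 = 0), 48 b8 00 00 00 00 00 fc ff df loads KASAN_SHADOW_OFFSET = 0xdffffc0000000000 into RAX (the page's "RAX: dc00" is that value with its leading digits lost in extraction, as with the other register values on this page), 49 8d 7e 20 forms RDI = R14 + 0x20 = 0x20, and the faulting 0f b6 04 02 reads the shadow byte at (RDI >> 3) + RAX. For a near-NULL or user-space pointer that shadow address is non-canonical, so the CPU raises #GP rather than a page fault, which is why there is no faulting-address line in the log. The C below computes the same lookup and classifies three addresses taken from this register dump; the ffff/0000 prefixes restored to those values are an assumption based on that truncation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86_64 generic KASAN: the shadow byte for an address lives at
 * (addr >> 3) + KASAN_SHADOW_OFFSET. The offset is the immediate in the
 * report's "48 b8 00 00 00 00 00 fc ff df" (mov rax, 0xdffffc0000000000). */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL

/* Shadow address an inline KASAN check loads from; this is what the
 * "mov rdx,rdi; shr rdx,3; movzx eax,byte [rdx+rax]" sequence computes. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* With 48-bit virtual addresses, an address is canonical iff bits 63..47
 * are all equal. A load from a non-canonical address raises #GP, not #PF,
 * so there is no CR2-style faulting address to report. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;          /* bits 63..47, 17 bits */
    return top == 0 || top == 0x1ffff;
}

typedef enum { SHADOW_LOOKUP_OK, SHADOW_LOOKUP_GPF } shadow_outcome;

/* Does the instrumented access to `addr` reach its shadow byte, or does the
 * shadow lookup itself die with a general protection fault? */
shadow_outcome classify_access(uint64_t addr)
{
    return is_canonical(kasan_shadow_addr(addr)) ? SHADOW_LOOKUP_OK
                                                 : SHADOW_LOOKUP_GPF;
}

/* The report: the pointer loaded into R14 was NULL, "lea rdi,[r14+0x20]"
 * gave RDI = 0x20, and the shadow lookup for 0x20 lands at
 * 0xdffffc0000000004, which is not canonical. */
int main(void)
{
    const uint64_t samples[] = {
        0x20ULL,                 /* RDI from the report: NULL + 0x20 */
        0xffff8801ad0df7c0ULL,   /* RBX from the report, ffff prefix restored */
        0x7ffd1f073588ULL,       /* user RSP from the report: a user address */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t a = samples[i], s = kasan_shadow_addr(a);
        printf("addr %#018llx -> shadow %#018llx: %s\n",
               (unsigned long long)a, (unsigned long long)s,
               classify_access(a) == SHADOW_LOOKUP_GPF ? "GPF (non-canonical shadow)"
                                                       : "shadow byte readable");
    }
    return 0;
}
```

The user-space address is included because KASAN's message names both causes: a pointer into user memory has a shadow address that is just as non-canonical as one near NULL, so an inline check on either ends in the same #GP, and only the register values tell the two apart.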


KASAN: use-after-free Read in timer_is_static_object

2018-05-17 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:e6506eb24187 Merge tag 'trace-v4.17-rc4-2' of git://git.ke..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=177fe47780
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
dashboard link: https://syzkaller.appspot.com/bug?extid=5d47e9ec91a6f15dbd6f
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5d47e9ec91a6f15db...@syzkaller.appspotmail.com

RDX:  RSI:  RDI: 0016
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0017
R13: 0053 R14: 006f4868 R15: 0001
==
BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90  
kernel/time/timer.c:607

Read of size 8 at addr 8801bebb5118 by task syz-executor2/25299

CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
 debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
 debug_timer_activate kernel/time/timer.c:709 [inline]
 debug_activate kernel/time/timer.c:764 [inline]
 __mod_timer kernel/time/timer.c:1041 [inline]
 mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
 sk_reset_timer+0x22/0x60 net/core/sock.c:2742
 ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 
RIP: 0010:cap_capable+0x3f/0x260 security/commoncap.c:82
RSP: 0018:8801ac75f8c8 EFLAGS: 0246 ORIG_RAX: ff13
RAX: dc00 RBX: 88d5be00 RCX: 
RDX: 1100386dc571 RSI: 830ee893 RDI: 8801c36e2b88
RBP: 8801ac75f910 R08: 8801ac126440 R09: 8801ac75fcb8
R10: 8801ac126c78 R11: 8801ac75fc78 R12: dc00
R13: dc00 R14: 8801c36e2b00 R15: 0021
 cap_vm_enough_memory+0x50/0x70 security/commoncap.c:1307
 security_vm_enough_memory_mm+0x71/0xc0 security/security.c:327
 mmap_region+0x37b/0x1870 mm/mmap.c:1714
 do_mmap+0xde2/0x1360 mm/mmap.c:1535
 do_mmap_pgoff include/linux/mm.h:2237 [inline]
 vm_mmap_pgoff+0x1fb/0x2a0 mm/util.c:357
 ksys_mmap_pgoff+0x26e/0x640 mm/mmap.c:1585
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a5a
RSP: 002b:00a3e778 EFLAGS: 0246 ORIG_RAX: 0009
RAX: ffda RBX: 0003 RCX: 00455a5a
RDX: 0003 RSI: 00021000 RDI: 
RBP:  R08:  R09: 
R10: 00020022 R11: 0246 R12: 
R13: 00021000 R14: 00020022 R15: 

Allocated by task 25374:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
 dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
 __dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
 dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
 dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
 dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
 dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
 dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
 dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
 ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline

kernel BUG at lib/string.c:LINE! (4)

2018-05-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:0b7d9978406f Merge branch 'Microsemi-Ocelot-Ethernet-switc..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16e9101780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=aac887f77319868646df
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1665d63780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1051710780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aac887f7731986864...@syzkaller.appspotmail.com

IPVS: Unknown mcast interface: veth1_to�a
IPVS: Unknown mcast interface: veth1_to�a
IPVS: Unknown mcast interface: veth1_to�a
detected buffer overflow in strlen
[ cut here ]
kernel BUG at lib/string.c:1052!
invalid opcode:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
RSP: 0018:8801c976f800 EFLAGS: 00010282
RAX: 0022 RBX: 0040 RCX: 
RDX: 0022 RSI: 8160f6f1 RDI: ed00392edef6
RBP: 8801c976f800 R08: 8801cf4c62c0 R09: ed003b5e4fb0
R10: ed003b5e4fb0 R11: 8801daf27d87 R12: 8801c976fa20
R13: 8801c976fae4 R14: 8801c976fae0 R15: 048b
FS:  7fd99f75e700() GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 21c0 CR3: 0001d6843000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 strlen include/linux/string.h:270 [inline]
 strlcpy include/linux/string.h:293 [inline]
 do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
 tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447369
RSP: 002b:7fd99f75dda8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006e39e4 RCX: 00447369
RDX: 048b RSI:  RDI: 0003
RBP:  R08: 0018 R09: 
R10: 21c0 R11: 0246 R12: 006e39e0
R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0001
Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb  
de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90  
90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56

RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: 8801c976f800
---[ end trace 624046f2d9af7702 ]---


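The mechanism here, as an added illustration that is neither the kernel's code nor the fix that landed for this report: FORTIFY's "detected buffer overflow in strlen" fires inside strlcpy() called from do_ip_vs_set_ctl(), and the three "IPVS: Unknown mcast interface" lines above it print an interface name that runs past its field into neighbouring bytes. strlcpy() begins with strlen(src), so a user-supplied name field that contains no NUL is read past its end before any destination bound is applied. The example assumes the field is 16 bytes (IP_VS_IFNAME_MAXLEN) and uses a constructed stand-in for the user-supplied structure; it measures how far a strlen() would scan on such input, then shows two ways to close the hole: a copy bounded by the source field that rejects unterminated input, and forcing a terminator before any str* call.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the kernel field is char mcast_ifn[IP_VS_IFNAME_MAXLEN] with
 * IP_VS_IFNAME_MAXLEN == 16. The struct is a constructed stand-in for the
 * user-supplied daemon configuration, not the kernel's definition. */
#define IFNAME_LEN 16

struct daemon_user {
    char     mcast_ifn[IFNAME_LEN];  /* copied from user, may lack a NUL */
    uint32_t syncid;                 /* whatever follows the name in memory */
    char     trailer[8];
};

/* How many bytes strlen(dm->mcast_ifn) would scan before finding a NUL.
 * strlcpy() starts with exactly that strlen() call. The walk is over the
 * containing object, bounded by sizeof(*dm), instead of calling strlen()
 * on a possibly unterminated array (undefined behaviour in user space). */
size_t bytes_strlen_would_scan(const struct daemon_user *dm)
{
    const char *p = (const char *)dm;          /* mcast_ifn is at offset 0 */
    size_t n = 0;
    while (n < sizeof(*dm) && p[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: bound the source read by the source field size and reject
 * input that is not terminated within it (the contract strscpy() gives when
 * src and dst are the same size). Returns 0 or -EINVAL. */
int copy_ifname_bounded(char *dst, size_t dst_size,
                        const char *src, size_t src_size)
{
    const char *nul = memchr(src, '\0', src_size);
    size_t len = nul ? (size_t)(nul - src) : src_size;
    if (len == src_size || len >= dst_size)
        return -EINVAL;                        /* unterminated or too long */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Alternative hardening: force termination before any str* call, accepting
 * that a 16-byte name is silently truncated to 15 characters. */
void force_terminate(struct daemon_user *dm)
{
    dm->mcast_ifn[IFNAME_LEN - 1] = '\0';
}

/* Constructed inputs: a well-formed name, and a name that fills all 16
 * bytes with no NUL, as the "veth1_to" followed by a stray byte in the
 * report's own console lines suggests. */
struct daemon_user good_input(void)
{
    struct daemon_user dm;
    memset(&dm, 0, sizeof dm);
    strcpy(dm.mcast_ifn, "veth1_to_bond");
    return dm;
}

struct daemon_user bad_input(void)
{
    struct daemon_user dm;
    memset(&dm, 0, sizeof dm);
    memset(dm.mcast_ifn, 'A', IFNAME_LEN);     /* 16 bytes, no terminator */
    dm.syncid = 0x61616161u;                   /* "aaaa": bytes the over-read would print */
    memcpy(dm.trailer, "XYZ", 4);
    return dm;
}

int main(void)
{
    struct daemon_user good = good_input(), bad = bad_input();
    char name[IFNAME_LEN];

    printf("good: strlen scans %zu bytes\n", bytes_strlen_would_scan(&good));
    printf("bad:  strlen scans %zu bytes, field is %d\n",
           bytes_strlen_would_scan(&bad), IFNAME_LEN);
    printf("bounded copy of bad input -> %d (-EINVAL is %d)\n",
           copy_ifname_bounded(name, sizeof name, bad.mcast_ifn,
                               sizeof bad.mcast_ifn), -EINVAL);
    return 0;
}
```

The over-read stops at the first zero byte after the field, so in the kernel it keeps going until it finds one or FORTIFY's object-size check trips; the constructed input just makes the count deterministic.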


WARNING: kmalloc bug in memdup_user (3)

2018-05-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:c5c7d7f3c451 Merge branch 'bpf-sock-hashmap'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1626ae3780
kernel config:  https://syzkaller.appspot.com/x/.config?x=10c4dc62055b68f5
dashboard link: https://syzkaller.appspot.com/bug?extid=0f92a17b0706231d0a09
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=126a519780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1598c47780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0f92a17b0706231d0...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
WARNING: CPU: 0 PID: 4531 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70  
mm/slab_common.c:996

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4531 Comm: syz-executor594 Not tainted 4.17.0-rc3+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:kmalloc_slab+0x56/0x70 mm/slab_common.c:996
RSP: 0018:8801ad4b7c48 EFLAGS: 00010246
RAX:  RBX: fff4 RCX: 8185e678
RDX: 8185e6eb RSI:  RDI: fffd
RBP: 8801ad4b7c48 R08: 8801adb3e2c0 R09: ed0035ba1f08
R10: ed0035ba1f08 R11: 8801add0f843 R12: fffd
R13: 2240 R14:  R15: 014200c0
 __do_kmalloc mm/slab.c:3713 [inline]
 __kmalloc_track_caller+0x21/0x760 mm/slab.c:3733
 memdup_user+0x2c/0xa0 mm/util.c:160
 map_delete_elem+0x21b/0x4e0 kernel/bpf/syscall.c:796
 __do_sys_bpf kernel/bpf/syscall.c:2128 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2096 [inline]
 __x64_sys_bpf+0x33f/0x4f0 kernel/bpf/syscall.c:2096
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd89
RSP: 002b:7ffe3ad9ad78 EFLAGS: 0213 ORIG_RAX: 0141
RAX: ffda RBX: 004002c8 RCX: 0043fd89
RDX: 0010 RSI: 2000 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 004016b0
R13: 00401740 R14:  R15: 
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..




WARNING: kmalloc bug in map_get_next_key

2018-05-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:c5c7d7f3c451 Merge branch 'bpf-sock-hashmap'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13ec787780
kernel config:  https://syzkaller.appspot.com/x/.config?x=10c4dc62055b68f5
dashboard link: https://syzkaller.appspot.com/bug?extid=e4566d29080e7f3460ff
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12c3541780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=178c97f780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e4566d29080e7f346...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
WARNING: CPU: 0 PID: 4499 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70 mm/slab_common.c:996

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4499 Comm: syz-executor050 Not tainted 4.17.0-rc3+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:kmalloc_slab+0x56/0x70 mm/slab_common.c:996
RSP: 0018:8801d907fc58 EFLAGS: 00010246
RAX:  RBX: 8801aeecb280 RCX: 8185ebd7
RDX:  RSI:  RDI: ffe1
RBP: 8801d907fc58 R08: 8801adb5e1c0 R09: ed0035a84700
R10: ed0035a84700 R11: 8801ad423803 R12: 8801aeecb280
R13: fff4 R14: 8801ad891a00 R15: 014200c0
 __do_kmalloc mm/slab.c:3713 [inline]
 __kmalloc+0x25/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:517 [inline]
 map_get_next_key+0x24a/0x640 kernel/bpf/syscall.c:858
 __do_sys_bpf kernel/bpf/syscall.c:2131 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2096 [inline]
 __x64_sys_bpf+0x354/0x4f0 kernel/bpf/syscall.c:2096
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd89
RSP: 002b:7ffd6aab4668 EFLAGS: 0213 ORIG_RAX: 0141
RAX: ffda RBX: 004002c8 RCX: 0043fd89
RDX: 0007 RSI: 2040 RDI: 0004
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 004016b0
R13: 00401740 R14:  R15: 
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


INFO: rcu detected stall in ip_route_output_key_hash

2018-05-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:0b7d9978406f Merge branch 'Microsemi-Ocelot-Ethernet-switc..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1138c47780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=769a7ccbbb4b5074f125
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+769a7ccbbb4b5074f...@syzkaller.appspotmail.com

netlink: 4 bytes leftover after parsing attributes in process `syz-executor2'.

random: crng init done
INFO: rcu_sched self-detected stall on CPU
	1-...!: (121515 ticks this GP) idle=e7e/1/4611686018427387908 softirq=31362/31362 fqs=7

 (t=125000 jiffies g=16439 c=16438 q=668508)
rcu_sched kthread starved for 124958 jiffies! g16439 c16438 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0

RCU grace-period kthread stack dump:
rcu_sched   R  running task23768 9  2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
NMI backtrace for cpu 1
CPU: 1 PID: 4488 Comm: syz-fuzzer Not tainted 4.17.0-rc4+ #45
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:rcu_is_watching+0x6/0x140 kernel/rcu/tree.c:1071
RSP: :8801daf06620 EFLAGS: 0206 ORIG_RAX: ff13
RAX: 8801ad526240 RBX:  RCX: 8656
RDX: 0100 RSI: 86b8 RDI: 0001
RBP: 8801daf06628 R08: 8801ad526240 R09: 0002
R10: 8801ad526240 R11:  R12: 11003b5e0cca
R13: 88008ff1a100 R14:  R15: 8801daf066d0
 rcu_read_unlock include/linux/rcupdate.h:684 [inline]
 ip_route_output_key_hash+0x2cd/0x390 net/ipv4/route.c:2303
 __ip_route_output_key include/net/route.h:124 [inline]
 ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2557
 ip_route_output_key include/net/route.h:134 [inline]
 sctp_v4_get_dst+0x50e/0x17a0 net/sctp/protocol.c:447
 sctp_transport_route+0x132/0x360 net/sctp/transport.c:303
 sctp_packet_config+0x926/0xdd0 net/sctp/output.c:118
 sctp_outq_select_transport+0x2bb/0x9c0 net/sctp/outqueue.c:877
 sctp_outq_flush_ctrl.constprop.12+0x2ad/0xe60 net/sctp/outqueue.c:911
 sctp_outq_flush+0x2ef/0x3430 net/sctp/outqueue.c:1203
 sctp_outq_uncork+0x6a/0x80 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x596/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 
RIP: 0033:0x40b55d
RSP: 002b:00c424bedca8 EFLAGS: 0293 ORIG_RAX: ff13
RAX: 00c4244e5470 RBX: 4d36768c RCX: 00

INFO: rcu detected stall in sctp_packet_transmit

2018-05-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:961423f9fcbc Merge branch 'sctp-Introduce-sctp_flush_ctx'
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1366aea780
kernel config:  https://syzkaller.appspot.com/x/.config?x=51fb0a6913f757db
dashboard link: https://syzkaller.appspot.com/bug?extid=ff0b569fb5111dcd1a36
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ff0b569fb5111dcd1...@syzkaller.appspotmail.com

INFO: rcu_sched self-detected stall on CPU
	0-: (1 GPs behind) idle=dae/1/4611686018427387908 softirq=93090/93091 fqs=30902

 (t=125000 jiffies g=51107 c=51106 q=972)
NMI backtrace for cpu 0
CPU: 0 PID: 24668 Comm: syz-executor6 Not tainted 4.17.0-rc4+ #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:sctp_v6_xmit+0x259/0x6b0 net/sctp/ipv6.c:219
RSP: 0018:8801dae068e8 EFLAGS: 0246 ORIG_RAX: ff13
RAX: 0007 RBX: 8801bb7ec800 RCX: 86f1b345
RDX:  RSI: 86f1b381 RDI: 8801b73d97c4
RBP: 8801dae06988 R08: 88019505c300 R09: ed003b5c46c2
R10: ed003b5c46c2 R11: 8801dae23613 R12: 88011fd57300
R13: 8801bb7ecec8 R14: 0029 R15: 0002
 sctp_packet_transmit+0x26f6/0x3ba0 net/sctp/output.c:642
 sctp_outq_flush_transports net/sctp/outqueue.c:1164 [inline]
 sctp_outq_flush+0x5f5/0x3430 net/sctp/outqueue.c:1212
 sctp_outq_uncork+0x6a/0x80 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x596/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa1/0xc0 kernel/locking/spinlock.c:184

RSP: 0018:880196227328 EFLAGS: 0286 ORIG_RAX: ff13
RAX: dc00 RBX: 0286 RCX: 
RDX: 111a316d RSI: 0001 RDI: 0286
RBP: 880196227338 R08: ed003b5c4b81 R09: 
R10:  R11:  R12: 8801dae25c00
R13: 8801dae25c80 R14: 880196227758 R15: 8801dae25c00
 unlock_hrtimer_base kernel/time/hrtimer.c:887 [inline]
 hrtimer_start_range_ns+0x692/0xd10 kernel/time/hrtimer.c:1118
 hrtimer_start_expires include/linux/hrtimer.h:412 [inline]
 futex_wait_queue_me+0x304/0x820 kernel/futex.c:2517
 futex_wait+0x450/0x9f0 kernel/futex.c:2645
 do_futex+0x336/0x27d0 kernel/futex.c:3527
 __do_sys_futex kernel/futex.c:3587 [inline]
 __se_sys_futex kernel/futex.c:3555 [inline]
 __x64_sys_futex+0x46a/0x680 kernel/futex.c:3555
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:00a3e938 EFLAGS: 0246 ORIG_RAX: 00ca
RAX

KMSAN: uninit-value in __sctp_v6_cmp_addr

2018-05-15 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:74ee2200b89f kmsan: bump .config.example to v4.17-rc3
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=169efb5b80
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ca1e57bafa8ab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=85490c30c260afff22f2
compiler:   clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=157e923780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10fe5de780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+85490c30c260afff2...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x49a/0x850 net/sctp/ipv6.c:580

CPU: 0 PID: 4453 Comm: syz-executor325 Not tainted 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 __sctp_v6_cmp_addr+0x49a/0x850 net/sctp/ipv6.c:580
 sctp_inet6_cmp_addr+0x3dc/0x400 net/sctp/ipv6.c:898
 sctp_bind_addr_match+0x18b/0x2f0 net/sctp/bind_addr.c:330
 sctp_addrs_lookup_transport+0x904/0xa20 net/sctp/input.c:942
 __sctp_lookup_association net/sctp/input.c:985 [inline]
 __sctp_rcv_lookup net/sctp/input.c:1249 [inline]
 sctp_rcv+0x15e6/0x4d30 net/sctp/input.c:170
 ip_local_deliver_finish+0x874/0xec0 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0xa36/0x1d00 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x118f/0x16d0 net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4592
 __netif_receive_skb net/core/dev.c:4657 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5801
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
 
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
 ip_finish_output2+0x135a/0x1470 net/ipv4/ip_output.c:231
 ip_finish_output+0xcb2/0xff0 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x505/0x5d0 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:444 [inline]
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 ip_queue_xmit+0x1a1e/0x1d10 net/ipv4/ip_output.c:504
 sctp_v4_xmit+0x188/0x210 net/sctp/protocol.c:983
 sctp_packet_transmit+0x3eaa/0x4350 net/sctp/output.c:650
 sctp_outq_flush+0x1a7a/0x6320 net/sctp/outqueue.c:1197
 sctp_outq_uncork+0xd2/0xf0 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x8707/0x8d20 net/sctp/sm_sideeffect.c:1191
 sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:200
 sctp_apply_peer_addr_params+0x207/0x1670 net/sctp/socket.c:2487
 sctp_setsockopt_peer_addr_params net/sctp/socket.c:2683 [inline]
 sctp_setsockopt+0x10e5f/0x11600 net/sctp/socket.c:4258
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:3039
 __sys_setsockopt+0x4af/0x560 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
 do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fef9
RSP: 002b:7ffc00d9bfd8 EFLAGS: 0207 ORIG_RAX: 0036
RAX: ffda RBX: 004002c8 RCX: 0043fef9
RDX: 0009 RSI: 0084 RDI: 0003
RBP: 006ca018 R08: 0098 R09: 001c
R10: 2180 R11: 0207 R12: 00401820
R13: 004018b0 R14:  R15: 

Local variable description: dest@sctp_rcv
Variable was created at:
 sctp_rcv+0x13d/0x4d30 net/sctp/input.c:97
 ip_local_deliver_finish+0x874/0xec0 net/ipv4/ip_input.c:215
==


KMSAN: uninit-value in tipc_conn_rcv_sub

2018-05-13 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:74ee2200b89f kmsan: bump .config.example to v4.17-rc3
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=12ab863780
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ca1e57bafa8ab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=8951a3065ee7fd6d6e23
compiler:   clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15a497f780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=177c190780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8951a3065ee7fd6d6...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KMSAN: uninit-value in tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373

CPU: 0 PID: 66 Comm: kworker/u4:4 Not tainted 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: tipc_rcv tipc_conn_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
 tipc_conn_rcv_from_sock net/tipc/topsrv.c:409 [inline]
 tipc_conn_recv_work+0x3cd/0x560 net/tipc/topsrv.c:424
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2279
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:412

Local variable description: s.i@tipc_conn_recv_work
Variable was created at:
 tipc_conn_recv_work+0x65/0x560 net/tipc/topsrv.c:419
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
==
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 66 Comm: kworker/u4:4 Tainted: GB 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: tipc_rcv tipc_conn_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 panic+0x39d/0x940 kernel/panic.c:184
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
 tipc_conn_rcv_from_sock net/tipc/topsrv.c:409 [inline]
 tipc_conn_recv_work+0x3cd/0x560 net/tipc/topsrv.c:424
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2279
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:412
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


WARNING in iov_iter_revert

2018-05-13 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:427fbe89261d Merge branch 'next' of git://git.kernel.org/p..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b3347780
kernel config:  https://syzkaller.appspot.com/x/.config?x=fcce42b221691ff9
dashboard link: https://syzkaller.appspot.com/bug?extid=c226690f7b3126c5ee04
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=144f199780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141d541780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c226690f7b3126c5e...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
WARNING: CPU: 1 PID: 4542 at lib/iov_iter.c:857 iov_iter_revert+0x2ee/0xaa0 lib/iov_iter.c:857

Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4542 Comm: syz-executor650 Not tainted 4.17.0-rc4+ #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:iov_iter_revert+0x2ee/0xaa0 lib/iov_iter.c:857
RSP: 0018:8801ad1bf700 EFLAGS: 00010293
RAX: 8801ac55e6c0 RBX:  RCX: 835104a1
RDX:  RSI: 8351074e RDI: 0007
RBP: 8801ad1bf760 R08: 8801ac55e6c0 R09: ed003b5e46c2
R10: 0003 R11: 0001 R12: 0001
R13: 8801ad1bfd60 R14: 0011 R15: 8801ae9ac040
 tls_sw_sendmsg+0xf1c/0x12d0 net/tls/tls_sw.c:448
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4403a9
RSP: 002b:7ffdcdfbd6c8 EFLAGS: 0207 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 004403a9
RDX:  RSI: 20001340 RDI: 0003
RBP: 006ca018 R08: 001c R09: 001c
R10: 2180 R11: 0207 R12: 00401cd0
R13: 00401d60 R14:  R15: 
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


KASAN: use-after-free Read in sctp_do_sm

2018-05-08 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:f142f08bf7ec Fix typo in comment.
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1159ade780
kernel config:  https://syzkaller.appspot.com/x/.config?x=31f4b3733894ef79
dashboard link: https://syzkaller.appspot.com/bug?extid=141d898c5f24489db4aa
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+141d898c5f24489db...@syzkaller.appspotmail.com

RDX: 0008 RSI: 2000 RDI: 0014
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0015
R13: 071e R14: 006feb70 R15: 0007
==
BUG: KASAN: use-after-free in sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1817 [inline]
BUG: KASAN: use-after-free in sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
BUG: KASAN: use-after-free in sctp_do_sm+0x6015/0x7160 net/sctp/sm_sideeffect.c:1191

Read of size 1 at addr 8801c7883cb8 by task syz-executor6/18616

CPU: 1 PID: 18616 Comm: syz-executor6 Not tainted 4.17.0-rc4+ #38
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1817 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x6015/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_assoc_bh_rcv+0x30f/0x520 net/sctp/associola.c:1065
 sctp_inq_push+0x263/0x320 net/sctp/inqueue.c:95
 sctp_backlog_rcv+0x192/0xc00 net/sctp/input.c:350
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 sctp_sendmsg+0x13cc/0x1d70 net/sctp/socket.c:2128
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 sock_write_iter+0x35a/0x5a0 net/socket.c:908
 call_write_iter include/linux/fs.h:1784 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x64d/0x960 fs/read_write.c:487
 vfs_write+0x1f8/0x560 fs/read_write.c:549
 ksys_write+0xf9/0x250 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f6fad842c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7f6fad8436d4 RCX: 00455979
RDX: 0008 RSI: 2000 RDI: 0014
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0015
R13: 071e R14: 006feb70 R15: 0007

Allocated by task 18616:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:691 [inline]
 sctp_chunkify+0xce/0x400 net/sctp/sm_make_chunk.c:1355
 sctp_rcv+0xc65/0x3a60 net/sctp/input.c:221
 sctp6_rcv+0x15/0x30 net/sctp/ipv6.c:1045
 ip6_input_finish+0x3ff/0x1a30 net/ipv6/ip6_input.c:284
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ipv6_rcv+0xed6/0x22a0 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
 process_backlog+0x219/0x760 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285

Freed by task 18616:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1481 [inline]
 sctp_chunk_put+0x321/0x440 net/sctp/sm_make_chunk.c:1504
 sctp_ulpevent_make_rcvmsg+0x955/0xd40 net/sctp/ulpevent.c:718
 sctp_ulpq_tail_data+0xa8/0x12b0 net/sctp/ulpqueue.c:108
 sctp_cmd_interpreter net/sctp

INFO: rcu detected stall in sctp_generate_heartbeat_event

2018-05-08 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:90278871d4b0 Merge git://git.kernel.org/pub/scm/linux/kern..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=119a723780
kernel config:  https://syzkaller.appspot.com/x/.config?x=aea320d3af5ef99d
dashboard link: https://syzkaller.appspot.com/bug?extid=e4a5bbd54260c93014f9
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e4a5bbd54260c9301...@syzkaller.appspotmail.com

device bridge0 left promiscuous mode
IPVS: set_ctl: invalid protocol: 56 0.0.0.0:20003 fo
IPVS: set_ctl: invalid protocol: 175 224.0.0.2:20003 dh
INFO: rcu_sched self-detected stall on CPU
	0-...!: (119824 ticks this GP) idle=4b6/1/4611686018427387908 softirq=23864/23864 fqs=5

 (t=125000 jiffies g=13072 c=13071 q=480954)
NMI backtrace for cpu 0
CPU: 0 PID: 4547 Comm: udevd Not tainted 4.17.0-rc3+ #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:rep_nop arch/x86/include/asm/processor.h:667 [inline]
RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:672 [inline]
RIP: 0010:virt_spin_lock arch/x86/include/asm/qspinlock.h:69 [inline]
RIP: 0010:native_queued_spin_lock_slowpath+0x204/0xde0 kernel/locking/qspinlock.c:305

RSP: 0018:8801dae07390 EFLAGS: 0202 ORIG_RAX: ff13
RAX:  RBX: ed003b5c0e8b RCX: 0004
RDX:  RSI: 0004 RDI: 8801a9e9d088
RBP: 8801dae07700 R08: ed00353d3a12 R09: ed00353d3a11
R10: ed00353d3a11 R11: 8801a9e9d08b R12: 8801a9e9d088
R13: 8801dae076d8 R14: 0001 R15: dc00
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:674 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:30 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:90 [inline]
 do_raw_spin_lock+0x1a7/0x200 kernel/locking/spinlock_debug.c:113
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x32/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 sctp_generate_heartbeat_event+0xa4/0x450 net/sctp/sm_sideeffect.c:386
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 
RIP: 0010:rcu_is_watching+0x41/0x140 kernel/rcu/tree.c:1071
RSP: 0018:8801ad457848 EFLAGS: 0296 ORIG_RAX: ff13
RAX: ed0035a8af0a RBX: 110035a8af0a RCX: 8801ad4578f0
RDX:  RSI: 8801ad457f58 RDI: 897bf004
RBP: 8801ad4578d8 R08: 8801ad457978 R09: 8801ad53e040
R10: ed0035a8af32 R11: 8801ad457997 R12: 8801ad457988
R13:  R14: 8801ad4578b0 R15: dc00
syz-executor3 (7657) used greatest stack depth: 15968 bytes left
 kernel_text_address+0x61/0xf0 kernel/extable.c:140
 __kernel_text_address+0xd/0x40 kernel/extable.c:107
 unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18
 __save_stack_trace+0x7e/0xd0 arch/x86/kernel/stacktrace.c:45
 save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm

BUG: spinlock bad magic in tun_do_read

2018-05-07 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:75bc37fefc44 Linux 4.17-rc4
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1162c69780
kernel config:  https://syzkaller.appspot.com/x/.config?x=31f4b3733894ef79
dashboard link: https://syzkaller.appspot.com/bug?extid=e8b902c3c3fadf0a9dba
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=172e4c9780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e8b902c3c3fadf0a9...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
BUG: spinlock bad magic on CPU#0, syz-executor0/4586
 lock: 0x8801ae8928c8, .magic: , .owner: /-1, .owner_cpu: 0
CPU: 0 PID: 4586 Comm: syz-executor0 Not tainted 4.17.0-rc4+ #62
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 spin_dump+0x160/0x169 kernel/locking/spinlock_debug.c:67
 spin_bug kernel/locking/spinlock_debug.c:75 [inline]
 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 do_raw_spin_lock.cold.3+0x37/0x3c kernel/locking/spinlock_debug.c:112
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x32/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 ptr_ring_consume include/linux/ptr_ring.h:335 [inline]
 tun_ring_recv drivers/net/tun.c:2143 [inline]
 tun_do_read+0x18b1/0x29f0 drivers/net/tun.c:2182
 tun_chr_read_iter+0xe5/0x1e0 drivers/net/tun.c:2214
 call_read_iter include/linux/fs.h:1778 [inline]
 new_sync_read fs/read_write.c:406 [inline]
 __vfs_read+0x696/0xa50 fs/read_write.c:418
 vfs_read+0x17f/0x3d0 fs/read_write.c:452
 ksys_pread64+0x174/0x1a0 fs/read_write.c:626
 __do_compat_sys_x86_pread arch/x86/ia32/sys_ia32.c:177 [inline]
 __se_compat_sys_x86_pread arch/x86/ia32/sys_ia32.c:174 [inline]
 __ia32_compat_sys_x86_pread+0xc4/0x130 arch/x86/ia32/sys_ia32.c:174
 do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
 do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fc0cb9
RSP: 002b:f7fbc0ac EFLAGS: 0282 ORIG_RAX: 00b4
RAX: ffda RBX: 0003 RCX: 2080
RDX: 006e RSI:  RDI: 
RBP:  R08:  R09: 
R10:  R11: 0292 R12: 
R13:  R14:  R15: 


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.

Note: all commands must start from beginning of the line in the email body.


INFO: task hung in flush_work

2018-05-07 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:8fb11a9a8d51 net/ipv6: rename rt6_next to fib6_next
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12ca275b80
kernel config:  https://syzkaller.appspot.com/x/.config?x=c416c61f3cd96be
dashboard link: https://syzkaller.appspot.com/bug?extid=2e7b6af5956e05e5cff7
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2e7b6af5956e05e5c...@syzkaller.appspotmail.com

netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.

INFO: task syz-executor4:17145 blocked for more than 120 seconds.
  Not tainted 4.17.0-rc3+ #33
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor4   D21736 17145   4542 0x8002
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x1b5/0x240 kernel/time/timer.c:1777
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common kernel/sched/completion.c:115 [inline]
 wait_for_completion+0x3e7/0x870 kernel/sched/completion.c:136
 flush_work+0x531/0x900 kernel/workqueue.c:2903
 smc_close_active+0x618/0x9c0 net/smc/smc_close.c:189
 smc_release+0x46b/0x610 net/smc/af_smc.c:141
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2469
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f4181b74ce8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0072bf78 RCX: 00455979
RDX:  RSI:  RDI: 0072bf78
RBP: 0072bf78 R08:  R09: 0072bf50
R10:  R11: 0246 R12: 
R13: 00a3e81f R14: 7f4181b759c0 R15: 0001

Showing all locks held in the system:
2 locks held by khungtaskd/894:
 #0: 2a4a1b2a (rcu_read_lock){}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 2a4a1b2a (rcu_read_lock){}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
 #1: 472c3276 (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470

2 locks held by getty/4468:
 #0: 65ad3d93 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: bfe7ad12 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4469:
 #0: 6f6b456f (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: d44cbfd2 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4470:
 #0: 39a0b4b8 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 422d9092 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4471:
 #0: 49ab501c (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: b1883d82 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4472:
 #0: e473e0f9 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: d6a5f6ee (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4473:
 #0: af39adc0 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 5b852d11 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4474:
 #0: b68f2084 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 34e0241f (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by kworker/0:3/4924:
 #0: 53ed24fb ((wq_completion)"events"){+.+.}, at: __write_once_size include/li

INFO: task hung in tls_push_record

2018-05-06 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:8fb11a9a8d51 net/ipv6: rename rt6_next to fib6_next
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=108e923780
kernel config:  https://syzkaller.appspot.com/x/.config?x=c416c61f3cd96be
dashboard link: https://syzkaller.appspot.com/bug?extid=4006516aae0b06e7050f
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4006516aae0b06e70...@syzkaller.appspotmail.com

INFO: task syz-executor7:20304 blocked for more than 120 seconds.
  Not tainted 4.17.0-rc3+ #33
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor7   D24680 20304   4547 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x1b5/0x240 kernel/time/timer.c:1777
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common kernel/sched/completion.c:115 [inline]
 wait_for_completion+0x3e7/0x870 kernel/sched/completion.c:136
 crypto_wait_req include/linux/crypto.h:512 [inline]
 tls_do_encryption net/tls/tls_sw.c:217 [inline]
 tls_push_record+0xedc/0x13e0 net/tls/tls_sw.c:248
 tls_sw_sendmsg+0x8d7/0x12b0 net/tls/tls_sw.c:440
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 sock_write_iter+0x35a/0x5a0 net/socket.c:908
 call_write_iter include/linux/fs.h:1784 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x64d/0x960 fs/read_write.c:487
 vfs_write+0x1f8/0x560 fs/read_write.c:549
 ksys_write+0xf9/0x250 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7fad08582c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7fad085836d4 RCX: 00455979
RDX: 0050 RSI: 2280 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 0713 R14: 006fea68 R15: 

Showing all locks held in the system:
2 locks held by khungtaskd/892:
 #0: 3f978916 (rcu_read_lock){}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 3f978916 (rcu_read_lock){}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
 #1: a6e1e84d (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470

2 locks held by getty/4466:
 #0: bb90ee4c (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 5c64e739 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4467:
 #0: a703ee54 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: c6bc54dc (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4468:
 #0: 7e39712e (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 3afa8b0a (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4469:
 #0: 4a2f1f14 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: a9bb6673 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4470:
 #0: 5c9ac5a5 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: e940f7ee (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4471:
 #0: b0318201 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: faa92852 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4472:
 #0: 2f556699 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: c5b4fb47 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

1 lock held by syz-executor7/20304:
 #0: 1da4f4a9 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1474 [inline]
 #0: 1da4f4a9 (sk_lock-AF_INET6){+.+.}, at: tls_sw_sendmsg+0x1b9/0x12b0 net/tls/tls_sw.c:384

1 lock held by syz-executor7/20375:
 #0: 286d2e23 (sk_lock-AF_INET6){+.+.}, at: lock_sock

BUG: please report to d...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_his

2018-05-05 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13d5de4780
kernel config:  https://syzkaller.appspot.com/x/.config?x=5a1dc06635c10d27
dashboard link: https://syzkaller.appspot.com/bug?extid=99858724c0ba555a12ea
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=170afde780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141b4be780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+99858724c0ba555a1...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
BUG: please report to d...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()

CPU: 0 PID: 4495 Comm: syz-executor551 Not tainted 4.17.0-rc3+ #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c net/dccp/ccids/lib/packet_history.c:422
 ccid3_hc_rx_packet_recv+0x5c8/0xed0 net/dccp/ccids/ccid3.c:765
 ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
 dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
 dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __sk_receive_skb+0x3a2/0xd60 net/core/sock.c:513
 dccp_v4_rcv+0x10e5/0x1f3f net/dccp/ipv4.c:875
 ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
 process_backlog+0x219/0x760 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
 
 do_softirq.part.17+0x14d/0x190 kernel/softirq.c:329
 do_softirq arch/x86/include/asm/preempt.h:23 [inline]
 __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:182
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
 ip_finish_output2+0xab2/0x1840 net/ipv4/ip_output.c:231
 ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x21b/0x850 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504
 dccp_transmit_skb+0x999/0x12e0 net/dccp/output.c:142
 dccp_xmit_packet+0x250/0x790 net/dccp/output.c:281
 dccp_write_xmit+0x190/0x1f0 net/dccp/output.c:363
 dccp_sendmsg+0x8c7/0x1020 net/dccp/proto.c:818
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 __do_sys_sendmmsg net/socket.c:2241 [inline]
 __se_sys_sendmmsg net/socket.c:2238 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445d09
RSP: 002b:7f3c7eff5d88 EFLAGS: 0293 ORIG_RAX: 0133
RAX: ffda RBX: 006dac40 RCX: 00445d09
RDX: 0001 RSI: 00


possible deadlock in sk_diag_fill

2018-05-05 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12164c9780
kernel config:  https://syzkaller.appspot.com/x/.config?x=5a1dc06635c10d27
dashboard link: https://syzkaller.appspot.com/bug?extid=c1872be62e587eae9669
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c1872be62e587eae9...@syzkaller.appspotmail.com


==
WARNING: possible circular locking dependency detected
4.17.0-rc3+ #59 Not tainted
--
syz-executor1/25282 is trying to acquire lock:
4fddf743 (&(>lock)->rlock/1){+.+.}, at: sk_diag_dump_icons net/unix/diag.c:82 [inline]
4fddf743 (&(>lock)->rlock/1){+.+.}, at: sk_diag_fill.isra.5+0xa43/0x10d0 net/unix/diag.c:144

but task is already holding lock:
b6895645 (rlock-AF_UNIX){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
b6895645 (rlock-AF_UNIX){+.+.}, at: sk_diag_dump_icons net/unix/diag.c:64 [inline]
b6895645 (rlock-AF_UNIX){+.+.}, at: sk_diag_fill.isra.5+0x94e/0x10d0 net/unix/diag.c:144


which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (rlock-AF_UNIX){+.+.}:
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
   skb_queue_tail+0x26/0x150 net/core/skbuff.c:2900
   unix_dgram_sendmsg+0xf77/0x1730 net/unix/af_unix.c:1797
   sock_sendmsg_nosec net/socket.c:629 [inline]
   sock_sendmsg+0xd5/0x120 net/socket.c:639
   ___sys_sendmsg+0x525/0x940 net/socket.c:2117
   __sys_sendmmsg+0x3bb/0x6f0 net/socket.c:2205
   __compat_sys_sendmmsg net/compat.c:770 [inline]
   __do_compat_sys_sendmmsg net/compat.c:777 [inline]
   __se_compat_sys_sendmmsg net/compat.c:774 [inline]
   __ia32_compat_sys_sendmmsg+0x9f/0x100 net/compat.c:774
   do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
   do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
   entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

-> #0 (&(>lock)->rlock/1){+.+.}:
   lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
   _raw_spin_lock_nested+0x28/0x40 kernel/locking/spinlock.c:354
   sk_diag_dump_icons net/unix/diag.c:82 [inline]
   sk_diag_fill.isra.5+0xa43/0x10d0 net/unix/diag.c:144
   sk_diag_dump net/unix/diag.c:178 [inline]
   unix_diag_dump+0x35f/0x550 net/unix/diag.c:206
   netlink_dump+0x507/0xd20 net/netlink/af_netlink.c:2226
   __netlink_dump_start+0x51a/0x780 net/netlink/af_netlink.c:2323
   netlink_dump_start include/linux/netlink.h:214 [inline]
   unix_diag_handler_dump+0x3f4/0x7b0 net/unix/diag.c:307
   __sock_diag_cmd net/core/sock_diag.c:230 [inline]
   sock_diag_rcv_msg+0x2e0/0x3d0 net/core/sock_diag.c:261
   netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
   sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:272
   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
   netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
   netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
   sock_sendmsg_nosec net/socket.c:629 [inline]
   sock_sendmsg+0xd5/0x120 net/socket.c:639
   sock_write_iter+0x35a/0x5a0 net/socket.c:908
   call_write_iter include/linux/fs.h:1784 [inline]
   new_sync_write fs/read_write.c:474 [inline]
   __vfs_write+0x64d/0x960 fs/read_write.c:487
   vfs_write+0x1f8/0x560 fs/read_write.c:549
   ksys_write+0xf9/0x250 fs/read_write.c:598
   __do_sys_write fs/read_write.c:610 [inline]
   __se_sys_write fs/read_write.c:607 [inline]
   __ia32_sys_write+0x71/0xb0 fs/read_write.c:607
   do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
   do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
   entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rlock-AF_UNIX);
                               lock(&(>lock)->rlock/1);
                               lock(rlock-AF_UNIX);
  lock(&(>lock)->rlock/1);

 *** DEADLOCK ***

5 locks held by syz-executor1/25282:
 #0: 3919e1bd (sock_diag_mutex){+.+.}, at: sock_diag_rcv+0x1b/0x40 net/core/sock_diag.c:271
 #1: 4f328d3e (sock_diag_table_mutex){+.+.}, at: __sock_diag_cmd net/core/sock_diag.c:225 [inline]
 #1: 4f328d3e (sock_diag_table_mu

KMSAN: uninit-value in strcmp

2018-05-03 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:d2d741e5d189 kmsan: add initialization for shmem pages
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=1005149780
kernel config:  https://syzkaller.appspot.com/x/.config?x=48f9de3384bcd0f
dashboard link: https://syzkaller.appspot.com/bug?extid=df0257c92ffd4fcc58cd
compiler:   clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1127565780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17c3d5e780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+df0257c92ffd4fcc5...@syzkaller.appspotmail.com

==
BUG: KMSAN: uninit-value in strcmp+0xf7/0x160 lib/string.c:329
CPU: 1 PID: 4527 Comm: syz-executor655 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 strcmp+0xf7/0x160 lib/string.c:329
 tipc_nl_node_get_link+0x220/0x6f0 net/tipc/node.c:1881
 genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
 genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445589
RSP: 002b:7fb7ee66cdb8 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 006dac24 RCX: 00445589
RDX:  RSI: 20023000 RDI: 0003
RBP: 006dac20 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 7fffa2bf3f3f R14: 7fb7ee66d9c0 R15: 0001

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
 netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==


INFO: rcu detected stall in __schedule

2018-05-02 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:f2125992e7cb Merge tag 'xfs-4.17-fixes-1' of git://git.kern...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?id=4755940087693312
kernel config:  https://syzkaller.appspot.com/x/.config?id=6493557782959164711
dashboard link: https://syzkaller.appspot.com/bug?extid=f16b3e3512a1e3c1d1f6
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f16b3e3512a1e3c1d...@syzkaller.appspotmail.com

do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app
do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app
ntfs: (device loop6): parse_options(): Unrecognized mount option  
error�n��uldip.

INFO: rcu_sched self-detected stall on CPU
	0-...!: (125000 ticks this GP) idle=f3e/1/4611686018427387906 softirq=112858/112858 fqs=0
 (t=125000 jiffies g=61626 c=61625 q=1534)
rcu_sched kthread starved for 125000 jiffies! g61626 c61625 f0x0 RCU_GP_WAIT_FQS(3) ->state=0x402 ->cpu=0
RCU grace-period kthread stack dump:
rcu_sched   I23592 9  2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
NMI backtrace for cpu 0
CPU: 0 PID: 26694 Comm: syz-executor1 Not tainted 4.17.0-rc3+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 
RIP: 0010:arch_local_irq_enable arch/x86/include/asm/paravirt.h:793 [inline]
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x56/0x70 kernel/locking/spinlock.c:192
RSP: 0018:8801b3dbf438 EFLAGS: 0282 ORIG_RAX: ff13
RAX: dc00 RBX: 8801dae2c680 RCX: 1100361ebd4d
RDX: 111a316f RSI: 8801b0f5ea48 RDI: 88d18b78
RBP: 8801b3dbf440 R08: 8801b0f5e9f8 R09: 0006
R10: 8801b0f5e1c0 R11:  R12: 8801b0f5e1c0
R13: 8801b0f5e7a0 R14: dc00 R15: 8801b0f5e1c0
 rq_unlock_irq kernel/sched/sched.h:1824 [inline]
 __schedule+0x144f/0x1e30 kernel/sched/core.c:3493
 schedule+0xef/0x430 kernel/sched/core.c:3549
 do_sched_yield+0x187/0x240 kernel/sched/core.c:4965
 yield+0xa5/0xe0 kernel/sched/core.c:5054
 tasklet_kill+0x4e/0xd0 kernel/softirq.c:559
 ppp_asynctty_close+0x9e/0x150 drivers/net/ppp/ppp_async.c:239
 ppp_asynctty_hangup+0x15/0x20 drivers/net/ppp/ppp_async.c:256
 tty_ldisc_hangup+0x138/0x640 drivers/tty/tty_ldisc.c:730
 __tty_hangup.part.21+0x2da/0x6e0 drivers/tty/tty_io.c:621
 __tty_hangup drivers/tty/tty_io.c:571 [inline]
 tty_vhangup+0x21/0x30 drivers/tty/tty_io.c:694
 pty_close+0x3bd/0x510 drivers/tty/pty.c:78
 tty_release+0x494/0x12e0 drivers/tty/tty_io.c:1656
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f92c3751c68 EFLAGS: 0246 ORIG_RAX: 0003
RAX: 00

Re: KMSAN: uninit-value in _decode_session6

2018-05-01 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:d2d741e5d189 kmsan: add initialization for shmem pages
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?id=6550343064223744
kernel config:  https://syzkaller.appspot.com/x/.config?id=328654897048964367
dashboard link: https://syzkaller.appspot.com/bug?extid=2974b85346f85b586f4d
compiler:   clang version 7.0.0 (trunk 329391)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?id=5023772637659136

C reproducer:   https://syzkaller.appspot.com/x/repro.c?id=5102535626981376

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2974b85346f85b586...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==
BUG: KMSAN: uninit-value in _decode_session6+0x6d2/0x16e0 net/ipv6/xfrm6_policy.c:151

CPU: 0 PID: 4529 Comm: syz-executor165 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 _decode_session6+0x6d2/0x16e0 net/ipv6/xfrm6_policy.c:151
 __xfrm_decode_session+0x151/0x200 net/xfrm/xfrm_policy.c:2368
 xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
 icmpv6_route_lookup net/ipv6/icmp.c:372 [inline]
 icmp6_send+0x2bf7/0x3730 net/ipv6/icmp.c:551
 icmpv6_send+0xe0/0x110 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x8f/0x580 net/ipv6/route.c:2034
 dst_link_failure include/net/dst.h:426 [inline]
 ip6_tnl_xmit+0x1423/0x3af0 net/ipv6/ip6_tunnel.c:1215
 ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1367 [inline]
 ip6_tnl_start_xmit+0x1cc0/0x1ef0 net/ipv6/ip6_tunnel.c:1390
 __netdev_start_xmit include/linux/netdevice.h:4066 [inline]
 netdev_start_xmit include/linux/netdevice.h:4075 [inline]
 xmit_one net/core/dev.c:3026 [inline]
 dev_hard_start_xmit+0x5f1/0xc70 net/core/dev.c:3042
 __dev_queue_xmit+0x27ee/0x3520 net/core/dev.c:3557
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 neigh_direct_output+0x42/0x50 net/core/neighbour.c:1390
 neigh_output include/net/neighbour.h:482 [inline]
 ip6_finish_output2+0x1d01/0x2130 net/ipv6/ip6_output.c:120
 ip6_finish_output+0xae9/0xba0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x597/0x6c0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:443 [inline]
 ip6_local_out+0x15e/0x1d0 net/ipv6/output_core.c:176
 ip6_send_skb net/ipv6/ip6_output.c:1682 [inline]
 ip6_push_pending_frames+0x218/0x4d0 net/ipv6/ip6_output.c:1702
 rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
 rawv6_sendmsg+0x4235/0x4fb0 net/ipv6/raw.c:935
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 call_write_iter include/linux/fs.h:1782 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
 vfs_write+0x463/0x8d0 fs/read_write.c:544
 SYSC_write+0x172/0x360 fs/read_write.c:589
 SyS_write+0x55/0x80 fs/read_write.c:581
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4418b9
RSP: 002b:7ffece331e68 EFLAGS: 0217 ORIG_RAX: 0001
RAX: ffda RBX: 0003 RCX: 004418b9
RDX: 036b RSI: 2240 RDI: 0004
RBP: 006cd018 R08:  R09: 
R10:  R11: 0217 R12: 004025b0
R13: 00402640 R14:  R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 pskb_expand_head+0x21d/0x1a70 net/core/skbuff.c:1458
 __pskb_pull_tail+0x1d7/0x2300 net/core/skbuff.c:1878
 pskb_may_pull include/linux/skbuff.h:2112 [inline]
 ip6_tnl_parse_tlv_enc_lim+0x7f5/0xa90 net/ipv6/ip6_tunnel.c:411
 ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
 ip6_tnl_start_xmit+0x911/0x1ef0 net/ipv6/ip6_tunnel.c:1390
 __netdev_start_xmit include/linux/netdevice.h:4066 [inline]
 netdev_start_xmit include/linux/netdevice.h:4075 [inline]
 xmit_one net/core/dev.c:3026 [inline]
 dev_hard_start_xmit+0x5f1/0xc70 net/core

INFO: rcu detected stall in kfree_skbmem

2018-04-30 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:5d1365940a68 Merge git://git.kernel.org/pub/scm/linux/kerne...
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?id=5667997129637888
kernel config:  https://syzkaller.appspot.com/x/.config?id=-5947642240294114534
dashboard link: https://syzkaller.appspot.com/bug?extid=fc78715ba3b3257caf6a
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fc78715ba3b3257ca...@syzkaller.appspotmail.com

INFO: rcu_sched self-detected stall on CPU
	1-...!: (1 GPs behind) idle=a3e/1/4611686018427387908 softirq=71980/71983 fqs=33
 (t=125000 jiffies g=39438 c=39437 q=958)
rcu_sched kthread starved for 124829 jiffies! g39438 c39437 f0x0 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0
RCU grace-period kthread stack dump:
rcu_sched   R  running task23768 9  2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411
NMI backtrace for cpu 1
CPU: 1 PID: 20560 Comm: syz-executor4 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:173
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1283
 __run_hrtimer kernel/time/hrtimer.c:1386 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1448
 hrtimer_interrupt+0x286/0x650 kernel/time/hrtimer.c:1506
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:862
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:kmem_cache_free+0xb3/0x2d0 mm/slab.c:3757
RSP: 0018:8801db105228 EFLAGS: 0282 ORIG_RAX: ff13
RAX: 0007 RBX: 8800b055c940 RCX: 11003b2345a5
RDX:  RSI: 8801d91a2d80 RDI: 0282
RBP: 8801db105248 R08: 8801d91a2cb8 R09: 0002
R10: 8801d91a2480 R11:  R12: 8801d9848e40
R13: 0282 R14: 85b7f27c R15: 
 kfree_skbmem+0x13c/0x210 net/core/skbuff.c:582
 __kfree_skb net/core/skbuff.c:642 [inline]
 kfree_skb+0x19d/0x560 net/core/skbuff.c:659
 enqueue_to_backlog+0x2fc/0xc90 net/core/dev.c:3968
 netif_rx_internal+0x14d/0xae0 net/core/dev.c:4181
 netif_rx+0xba/0x400 net/core/dev.c:4206
 loopback_xmit+0x283/0x741 drivers/net/loopback.c:91
 __netdev_start_xmit include/linux/netdevice.h:4087 [inline]
 netdev_start_xmit include/linux/netdevice.h:4096 [inline]
 xmit_one net/core/dev.c:3053 [inline]
 dev_hard_start_xmit+0x264/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 neigh_hh_output include/net/neighbour.h:472 [inline]
 neigh_output include/net/neighbour.h:480 [inline]
 ip6_finish_output2+0x134e/0x2810 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip6_xmit+0xf51/0x23f0 net/ipv6/ip6_output.c:277
 sctp_v6_xmit+0x4a5/0x6b0 net/sctp/ipv6.c:225
 sctp_packet_transmit+0x26f6/0x3ba0 net/sctp/output.c:650
 sctp_outq_flush+0x1373/0x4370 net/sctp/outqueue.c:1197
 sctp_outq_uncork+0x6a/0x80 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x596/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kerne

INFO: rcu detected stall in kmem_cache_alloc_node_trace

2018-04-30 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:17dec0a94915 Merge branch 'userns-linus' of git://git.kerne...
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?id=6093051722203136
kernel config:  https://syzkaller.appspot.com/x/.config?id=-2735707888269579554
dashboard link: https://syzkaller.appspot.com/bug?extid=deec965c578bb9b81613
compiler:   gcc (GCC) 8.0.1 20180301 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+deec965c578bb9b81...@syzkaller.appspotmail.com

sctp: [Deprecated]: syz-executor3 (pid 10218) Use of int in max_burst socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor3 (pid 10218) Use of int in max_burst socket option.
Use struct sctp_assoc_value instead
random: crng init done
INFO: rcu_sched self-detected stall on CPU
	0-: (120712 ticks this GP) idle=ac6/1/4611686018427387908 softirq=31693/31693 fqs=31173
 (t=125001 jiffies g=17039 c=17038 q=303419)
NMI backtrace for cpu 0
CPU: 0 PID: 10218 Comm: syz-executor3 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b9/0x29f lib/dump_stack.c:53
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:162
 tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1170
 __run_hrtimer kernel/time/hrtimer.c:1349 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1411
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1469
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:862
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:lock_is_held_type+0x18b/0x210 kernel/locking/lockdep.c:3960
RSP: 0018:8801db006400 EFLAGS: 0282 ORIG_RAX: ff12
RAX: dc00 RBX: 0282 RCX: 
RDX: 11162e55 RSI: 88b90c60 RDI: 0282
RBP: 8801db006420 R08: ed003b6046c3 R09: ed003b6046c2
R10: ed003b6046c2 R11: 8801db023613 R12: 8801b2f623c0
R13:  R14: 88009932bb00 R15: 
 lock_is_held include/linux/lockdep.h:344 [inline]
 rcu_read_lock_sched_held+0x108/0x120 kernel/rcu/update.c:117
 trace_kmalloc_node include/trace/events/kmem.h:100 [inline]
 kmem_cache_alloc_node_trace+0x34e/0x770 mm/slab.c:3652
 __do_kmalloc_node mm/slab.c:3669 [inline]
 __kmalloc_node_track_caller+0x33/0x70 mm/slab.c:3684
 __kmalloc_reserve.isra.38+0x3a/0xe0 net/core/skbuff.c:137
 __alloc_skb+0x14d/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:987 [inline]
 sctp_packet_transmit+0x45e/0x3ba0 net/sctp/output.c:585
 sctp_outq_flush+0x1373/0x4370 net/sctp/outqueue.c:1197
 sctp_outq_uncork+0x6a/0x80 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x596/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:862
 
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:console_unlock+0xcdf/0x1100 kernel/printk/printk.c:2403
RSP: 0018:8801946eec00 EFLAGS: 0212 ORIG_RAX: ff12
RAX: 0004 RBX: 0200 RCX: c90002ee8000
RDX: 4461 RSI: 815f3446 RDI: 0212
RBP: 8801946eed68 R08: 8801b2f62c38 R09: 0006
R10: 8801b2f623c0 R11:  R12: 
R13

KASAN: use-after-free Read in perf_trace_rpc_stats_latency

2018-04-30 Thread syzbot

Hello,

syzbot hit the following crash on bpf-next commit
f60ad0a0c441530280a4918eca781a6a94dffa50 (Sun Apr 29 15:45:55 2018 +)
Merge branch 'bpf_get_stack'
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=27db1f90e2b972a5f2d3


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6741221342969856
Kernel config: https://syzkaller.appspot.com/x/.config?id=4410550353033654931
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+27db1f90e2b972a5f...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

rpcbind: RPC call returned error 22
rpcbind: RPC call returned error 22
rpcbind: RPC call returned error 22
rpcbind: RPC call returned error 22
==
BUG: KASAN: use-after-free in strlen+0x83/0xa0 lib/string.c:482
Read of size 1 at addr 8801d6f0a1c0 by task syz-executor7/5079

CPU: 1 PID: 5079 Comm: syz-executor7 Not tainted 4.17.0-rc2+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 strlen+0x83/0xa0 lib/string.c:482
 trace_event_get_offsets_rpc_stats_latency include/trace/events/sunrpc.h:215 [inline]
 perf_trace_rpc_stats_latency+0x318/0x10d0 include/trace/events/sunrpc.h:215
 trace_rpc_stats_latency include/trace/events/sunrpc.h:215 [inline]
 rpc_count_iostats_metrics+0x594/0x8a0 net/sunrpc/stats.c:182
 rpc_count_iostats+0x76/0x90 net/sunrpc/stats.c:195
 xprt_release+0xa3b/0x1110 net/sunrpc/xprt.c:1351
 rpc_release_resources_task+0x20/0xa0 net/sunrpc/sched.c:1024
 rpc_release_task net/sunrpc/sched.c:1068 [inline]
 __rpc_execute+0x5e9/0xf50 net/sunrpc/sched.c:833
 rpc_execute+0x37f/0x480 net/sunrpc/sched.c:852
 rpc_run_task+0x615/0x8c0 net/sunrpc/clnt.c:1053
 rpc_call_sync+0x196/0x290 net/sunrpc/clnt.c:1082
 rpc_ping+0x155/0x1f0 net/sunrpc/clnt.c:2513
 rpc_create_xprt+0x282/0x3f0 net/sunrpc/clnt.c:479
 rpc_create+0x52e/0x900 net/sunrpc/clnt.c:587
 nfs_create_rpc_client+0x63e/0x850 fs/nfs/client.c:523
 nfs_init_client+0x74/0x100 fs/nfs/client.c:634
 nfs_get_client+0x1065/0x1500 fs/nfs/client.c:425
 nfs_init_server+0x364/0xfb0 fs/nfs/client.c:670
 nfs_create_server+0x86/0x5f0 fs/nfs/client.c:953
 nfs_try_mount+0x177/0xab0 fs/nfs/super.c:1884
 nfs_fs_mount+0x17de/0x2efd fs/nfs/super.c:2695
 mount_fs+0xae/0x328 fs/super.c:1267
 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x564/0x3070 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f1e2785bc68 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX: 7f1e2785c6d4 RCX: 00455979
RDX: 20fb5ffc RSI: 20343ff8 RDI: 2091dff8
RBP: 0072bf50 R08: 2000a000 R09: 
R10:  R11: 0246 R12: 
R13: 0440 R14: 006fa6a0 R15: 0001

Allocated by task 5079:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc_track_caller+0x14a/0x760 mm/slab.c:3733
 kstrdup+0x39/0x70 mm/util.c:56
 xs_format_common_peer_ports+0x130/0x370 net/sunrpc/xprtsock.c:290
 xs_format_peer_addresses net/sunrpc/xprtsock.c:303 [inline]
 xs_setup_udp+0x5ea/0x880 net/sunrpc/xprtsock.c:3037
 xprt_create_transport+0x1d7/0x596 net/sunrpc/xprt.c:1433
 rpc_create+0x489/0x900 net/sunrpc/clnt.c:573
 nfs_create_rpc_client+0x63e/0x850 fs/nfs/client.c:523
 nfs_init_client+0x74/0x100 fs/nfs/client.c:634
 nfs_get_client+0x1065/0x1500 fs/nfs/client.c:425
 nfs_init_server+0x364/0xfb0 fs/nfs/client.c:670
 nfs_create_server+0x86/0x5f0 fs/nfs/client.c:953
 nfs_try_mount+0x177/0xab0 fs/nfs/super.c:1884
 nfs_fs_mount+0x17de/0x2efd fs/nfs/super.c:2695
 mount_fs+0xae/0x328 fs/super.c:1267
 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x564/0x3070 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs

INFO: rcu detected stall in skb_free_head

2018-04-29 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
a27fc14219f2e3c4a46ba9177b04d9b52c875532 (Mon Apr 16 21:07:39 2018 +)
Merge branch 'parisc-4.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=cac7c17ec0aca89d3c45


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6517400396627968
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5914490758943236750
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cac7c17ec0aca89d3...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

INFO: rcu_sched self-detected stall on CPU
	1-...!: (117917 ticks this GP) idle=036/1/4611686018427387906 softirq=114416/114416 fqs=32
 (t=125000 jiffies g=60712 c=60711 q=345938)
rcu_sched kthread starved for 124847 jiffies! g60712 c60711 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0
RCU grace-period kthread stack dump:
rcu_sched   R  running task23592 9  2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
NMI backtrace for cpu 1
CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 4.17.0-rc1+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rht_deferred_worker
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:173
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1283
 __run_hrtimer kernel/time/hrtimer.c:1386 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1448
 hrtimer_interrupt+0x286/0x650 kernel/time/hrtimer.c:1506
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:kfree+0x124/0x260 mm/slab.c:3814
RSP: 0018:8801db105450 EFLAGS: 0286 ORIG_RAX: ff13
RAX: 0007 RBX: 88006c118040 RCX: 11003b3059e7
RDX:  RSI: 8801d982cf90 RDI: 0286
RBP: 8801db105470 R08: 8801d982ce78 R09: 0002
R10: 8801d982c640 R11:  R12: 0286
R13: 8801dac00ac0 R14: 85bd7b69 R15: 88006c0f8180
 skb_free_head+0x99/0xc0 net/core/skbuff.c:550
 skb_release_data+0x690/0x860 net/core/skbuff.c:570
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 kfree_skb+0x195/0x560 net/core/skbuff.c:659
 enqueue_to_backlog+0x2fc/0xc90 net/core/dev.c:3968
 netif_rx_internal+0x14d/0xae0 net/core/dev.c:4181
 netif_rx+0xba/0x400 net/core/dev.c:4206
 loopback_xmit+0x283/0x741 drivers/net/loopback.c:91
 __netdev_start_xmit include/linux/netdevice.h:4087 [inline]
 netdev_start_xmit include/linux/netdevice.h:4096 [inline]
 xmit_one net/core/dev.c:3053 [inline]
 dev_hard_start_xmit+0x264/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 neigh_hh_output include/net/neighbour.h:472 [inline]
 neigh_output include/net/neighbour.h:480 [inline]
 ip_finish_output2+0x1046/0x1840 net/ipv4/ip_output.c:229
 ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x21b/0x850 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504
 sctp_v4_xmit+0x108/0x140 net/sctp/protocol.c:983
 sctp_packet_transmit+0x26f6/0x3ba0 net/sctp/output.c:650
 sctp_outq_flush+0x1373/0x4370 net/sctp/outqueue.

KMSAN: uninit-value in _decode_session4

2018-04-29 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=e7fec512bc2eb4ae0781


So far this crash happened 6 times on https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5844177157881856
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6093669123751936
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4545366699540480

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e7fec512bc2eb4ae0...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==
BUG: KMSAN: uninit-value in _decode_session4+0x11d3/0x1ce0 net/ipv4/xfrm4_policy.c:126

CPU: 0 PID: 4502 Comm: syz-executor427 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 _decode_session4+0x11d3/0x1ce0 net/ipv4/xfrm4_policy.c:126
 __xfrm_decode_session+0x151/0x200 net/xfrm/xfrm_policy.c:2368
 xfrm_decode_session include/net/xfrm.h:1206 [inline]
 vti6_tnl_xmit+0x49b/0x2070 net/ipv6/ip6_vti.c:546
 __netdev_start_xmit include/linux/netdevice.h:4066 [inline]
 netdev_start_xmit include/linux/netdevice.h:4075 [inline]
 xmit_one net/core/dev.c:3026 [inline]
 dev_hard_start_xmit+0x5f1/0xc70 net/core/dev.c:3042
 __dev_queue_xmit+0x27ee/0x3520 net/core/dev.c:3557
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x7c70/0x8a30 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
 SyS_sendto+0x8a/0xb0 net/socket.c:1715
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4418f9
RSP: 002b:7ffcea97afc8 EFLAGS: 0216 ORIG_RAX: 002c
RAX: ffda RBX: 0003 RCX: 004418f9
RDX:  RSI: 21c0 RDI: 0003
RBP: 006cd018 R08: 2000 R09: 001c
R10:  R11: 0216 R12: 004025f0
R13: 00402680 R14:  R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x6454/0x8a30 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
 SyS_sendto+0x8a/0xb0 net/socket.c:1715
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation

WARNING: ODEBUG bug in __sk_destruct

2018-04-29 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
af201bab50a89aa6cf4df952b2c3bf55895c8eee (Fri Apr 27 15:12:10 2018 +)
udp: remove stray export symbol
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=92209502e7aab127c75f


So far this crash happened 5 times on net-next.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6049832271609856
Kernel config: https://syzkaller.appspot.com/x/.config?id=4410550353033654931
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+92209502e7aab127c...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

[ cut here ]
ODEBUG: free active (active state 0) object type: work_struct hint: smc_tcp_listen_work+0x0/0xec0 net/smc/af_smc.c:1014
WARNING: CPU: 0 PID: 9815 at lib/debugobjects.c:329 debug_print_object+0x16a/0x210 lib/debugobjects.c:326
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 9815 Comm: syz-executor7 Not tainted 4.17.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
RSP: 0018:88019790ecf0 EFLAGS: 00010082
RAX: 0061 RBX: 0003 RCX: 818433e8
RDX:  RSI: 8160f561 RDI: 0001
RBP: 88019790ed30 R08: 8801aced62c0 R09: ed003b5c3eb2
R10: ed003b5c3eb2 R11: 8801dae1f597 R12: 0001
R13: 88d5f700 R14: 87fa3340 R15: 814ccec0
 __debug_check_no_obj_freed lib/debugobjects.c:783 [inline]
 debug_check_no_obj_freed+0x3a6/0x584 lib/debugobjects.c:815
 kmem_cache_free+0x216/0x2d0 mm/slab.c:3755
 sk_prot_free net/core/sock.c:1512 [inline]
 __sk_destruct+0x6fe/0xa40 net/core/sock.c:1596
 sk_destruct+0x78/0x90 net/core/sock.c:1604
 __sk_free+0x22e/0x340 net/core/sock.c:1615
 sk_free+0x42/0x50 net/core/sock.c:1626
 sock_put include/net/sock.h:1664 [inline]
 smc_release+0x459/0x610 net/smc/af_smc.c:162
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2469
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f6e1a1b9ce8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0072bec8 RCX: 00455979
RDX:  RSI:  RDI: 0072bec8
RBP: 0072bec8 R08:  R09: 0072bea0
R10:  R11: 0246 R12: 
R13: 00a3e81f R14: 7f6e1a1ba9c0 R15: 

==
WARNING: possible circular locking dependency detected
4.17.0-rc2+ #23 Not tainted
--
syz-executor7/9815 is trying to acquire lock:
(ptrval) ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70 kernel/locking/semaphore.c:136


but task is already holding lock:
(ptrval) (_hash[i].lock){-.-.}, at: __debug_check_no_obj_freed lib/debugobjects.c:774 [inline]
(ptrval) (_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0x159/0x584 lib/debugobjects.c:815


which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (_hash[i].lock){-.-.}:
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
   __debug_object_init+0x11f/0x12c0 lib/debugobjects.c:381
   debug_object_init+0x16/0x20 lib/debugobjects.c:429
   debug_hrtimer_init kernel/time/hrtimer.c:400 [inline]
   debug_init kernel/time/hrtimer.c:448 [inline]
   hrtimer_init+0x8f/0x460 kernel/time/hrtime

WARNING: ODEBUG bug in del_timer

2018-04-29 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
af201bab50a89aa6cf4df952b2c3bf55895c8eee (Fri Apr 27 15:12:10 2018 +)
udp: remove stray export symbol
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=03faa2dc16b8b64be396


So far this crash happened 26 times on net-next.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5925539139289088
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4983245594689536
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5476181675606016
Kernel config: https://syzkaller.appspot.com/x/.config?id=4410550353033654931

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+03faa2dc16b8b64be...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
[ cut here ]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint:   (null)
WARNING: CPU: 1 PID: 4490 at lib/debugobjects.c:329 debug_print_object+0x16a/0x210 lib/debugobjects.c:326

Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4490 Comm: syz-executor609 Not tainted 4.17.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
RSP: 0018:8801af1e7880 EFLAGS: 00010086
RAX: 0061 RBX: 0005 RCX: 818433e8
RDX:  RSI: 8160f561 RDI: 0001
RBP: 8801af1e78c0 R08: 8801afa62100 R09: ed003b5e3eb2
R10: ed003b5e3eb2 R11: 8801daf1f597 R12: 0001
R13: 88d96cc0 R14: 87fa34e0 R15: 81666d30
 debug_object_assert_init+0x309/0x500 lib/debugobjects.c:692
 debug_timer_assert_init kernel/time/timer.c:724 [inline]
 debug_assert_init kernel/time/timer.c:776 [inline]
 del_timer+0x74/0x140 kernel/time/timer.c:1198
 try_to_grab_pending+0x439/0x9a0 kernel/workqueue.c:1223
 mod_delayed_work_on+0x91/0x250 kernel/workqueue.c:1592
 mod_delayed_work include/linux/workqueue.h:541 [inline]
 smc_setsockopt+0x33d/0x630 net/smc/af_smc.c:1353
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd09
RSP: 002b:7ffe1f251c58 EFLAGS: 0207 ORIG_RAX: 0036
RAX: ffda RBX: 004002c8 RCX: 0043fd09
RDX: 0001 RSI: 0006 RDI: 0003
RBP: 006ca018 R08: 0004 R09: 004002c8
R10: 2180 R11: 0207 R12: 00401630
R13: 004016c0 R14:  R15: 
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.

Note: all commands must start from beginning of the line in the email body.


Re: WARNING in tcp_enter_loss (2)

2018-04-27 Thread syzbot

syzbot has found reproducer for the following crash on upstream commit
0644f186fc9d77bb5bd198369e59fb28927a3692 (Thu Apr 26 23:36:11 2018 +)
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=c5a3099b94cbdd9cd6da


So far this crash happened 2 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5374384306913280
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4821663019433984
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5119802469253120
Kernel config: https://syzkaller.appspot.com/x/.config?id=7043958930931867332

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c5a3099b94cbdd9cd...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

WARNING: CPU: 0 PID: 4456 at net/ipv4/tcp_input.c:1955 tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4456 Comm: syz-executor694 Not tainted 4.17.0-rc2+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
RSP: 0018:8801b66c7560 EFLAGS: 00010293
RAX: 8801b66686c0 RBX: 0001 RCX: 864ac155
RDX:  RSI: 864ac5bf RDI: 0004
RBP: 8801b66c75e0 R08: 8801b66686c0 R09: 
R10: ed0043fff001 R11: 88021fff8017 R12: 0003
R13: 0002 R14: 8801c8c6dd30 R15: 8801d02e5500
WARNING: CPU: 1 PID: 4450 at net/ipv4/tcp_input.c:1955 tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955

 tcp_retransmit_timer+0xc34/0x3060 net/ipv4/tcp_timer.c:486
Modules linked in:
CPU: 1 PID: 4450 Comm: syz-executor694 Not tainted 4.17.0-rc2+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
RSP: 0018:8801b60b7560 EFLAGS: 00010293
RAX: 8801b662e500 RBX: 0001 RCX: 864ac155
RDX:  RSI: 864ac5bf RDI: 0004
RBP: 8801b60b75e0 R08: 8801b662e500 R09: 
R10: ed0043fff009 R11: 88021fff8057 R12: 0003
R13: 0002 R14: 8801cc3cf870 R15: 8801cd4f0a80
FS:  015e1880() GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2100 CR3: 0001b631c000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
 tcp_retransmit_timer+0xc34/0x3060 net/ipv4/tcp_timer.c:486
 tcp_release_cb+0x25e/0x2d0 net/ipv4/tcp_output.c:871
 release_sock+0x107/0x2b0 net/core/sock.c:2856
 do_tcp_setsockopt.isra.38+0x48e/0x2600 net/ipv4/tcp.c:2880
 tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
 tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2892
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 tcp_release_cb+0x25e/0x2d0 net/ipv4/tcp_output.c:871
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 release_sock+0x107/0x2b0 net/core/sock.c:2856
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 do_tcp_setsockopt.isra.38+0x48e/0x2600 net/ipv4/tcp.c:2880
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441bc9
RSP: 002b:7ffe202bc838 EFLAGS: 0207
 ORIG_RAX: 0036
RAX: ffda RBX: 0003 RCX: 00441bc9
RDX: 0016 RSI: 0006 RDI: 0003
RBP: 006cd018 R08: 223b R09: 0010
 tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2892
R10: 2040 R11: 0207 R12: 00402810
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
R13: 004028a0 R14:  R15: 
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441bc9
RSP

Re: KMSAN: uninit-value in _copy_to_iter (2)

2018-04-25 Thread syzbot
syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=87cfa083e727a224754b


So far this crash happened 3 times on https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5122017598636032
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6680049734385664
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5920461749747712

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+87cfa083e727a2247...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==
BUG: KMSAN: uninit-value in copyout lib/iov_iter.c:140 [inline]
BUG: KMSAN: uninit-value in _copy_to_iter+0x46d/0x28f0 lib/iov_iter.c:571
CPU: 1 PID: 4516 Comm: syz-executor879 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copyout lib/iov_iter.c:140 [inline]
 _copy_to_iter+0x46d/0x28f0 lib/iov_iter.c:571
 copy_to_iter include/linux/uio.h:106 [inline]
 vhost_chr_read_iter+0x7ac/0xc50 drivers/vhost/vhost.c:1104
 vhost_net_chr_read_iter+0xf6/0x130 drivers/vhost/net.c:1365
 call_read_iter include/linux/fs.h:1776 [inline]
 aio_read+0x5c1/0x6f0 fs/aio.c:1517
 io_submit_one fs/aio.c:1633 [inline]
 do_io_submit+0x1bb4/0x2f60 fs/aio.c:1698
 SYSC_io_submit+0x98/0xb0 fs/aio.c:1723
 SyS_io_submit+0x56/0x80 fs/aio.c:1720
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4457b9
RSP: 002b:7ff9343e4da8 EFLAGS: 0293 ORIG_RAX: 00d1
RAX: ffda RBX: 006dac44 RCX: 004457b9
RDX: 21c0 RSI: 0001 RDI: 7ff93439a000
RBP: 006dac40 R08:  R09: 
R10:  R11: 0293 R12: 901aeeff3a98f9ab
R13: 98c94b26f489688e R14: ae1b2dfa3c87200a R15: 0001

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 __kmalloc+0x23c/0x350 mm/slub.c:3791
 kmalloc include/linux/slab.h:517 [inline]
 vhost_new_msg drivers/vhost/vhost.c:2340 [inline]
 vhost_iotlb_miss drivers/vhost/vhost.c:1124 [inline]
 translate_desc+0xbef/0x1120 drivers/vhost/vhost.c:1829
 __vhost_get_user_slow drivers/vhost/vhost.c:812 [inline]
 __vhost_get_user drivers/vhost/vhost.c:846 [inline]
 vhost_update_used_flags+0x469/0x8d0 drivers/vhost/vhost.c:1715
 vhost_vq_init_access+0x173/0xa20 drivers/vhost/vhost.c:1763
 vhost_net_set_backend drivers/vhost/net.c:1166 [inline]
 vhost_net_ioctl+0x22b0/0x3480 drivers/vhost/net.c:1322
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0xaf0/0x2440 fs/ioctl.c:686
 SYSC_ioctl+0x1d2/0x260 fs/ioctl.c:701
 SyS_ioctl+0x54/0x80 fs/ioctl.c:692
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Bytes 4-7 of 72 are uninitialized
==



KASAN: stack-out-of-bounds Write in compat_copy_entries

2018-04-24 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
24cac7009cb1b211f1c793ecb6a462c03dc35818 (Tue Apr 24 21:16:40 2018 +)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4e42a04e0bc33cb6c087


So far this crash happened 3 times on upstream.
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4827027970457600
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6212733133389824
Kernel config: https://syzkaller.appspot.com/x/.config?id=7043958930931867332

compiler: gcc (GCC) 8.0.1 20180413 (experimental)
user-space arch: i386

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4e42a04e0bc33cb6c...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
==
BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
BUG: KASAN: stack-out-of-bounds in ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
BUG: KASAN: stack-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194

Write of size 33 at addr 8801b0abf888 by task syz-executor0/4504

CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 strlcpy include/linux/string.h:300 [inline]
 compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
 ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
 size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
 compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
 compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
 compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
 compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
 compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
 compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
 inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
 compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
 compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
 __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
 __do_compat_sys_setsockopt net/compat.c:416 [inline]
 __se_compat_sys_setsockopt net/compat.c:413 [inline]
 __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
 do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
 do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fb3cb9
RSP: 002b:fff0c26c EFLAGS: 0282 ORIG_RAX: 016e
RAX: ffda RBX: 0003 RCX: 
RDX: 0080 RSI: 2300 RDI: 05f4
RBP:  R08:  R09: 
R10:  R11:  R12: 
R13:  R14:  R15: 

The buggy address belongs to the page:
page:ea0006c2afc0 count:0 mapcount:0 mapping: index:0x0
flags: 0x2fffc00()
raw: 02fffc00   
raw:  ea0006c20101  
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801b0abf780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8801b0abf800: 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f2 f2 f2
>8801b0abf880: f2 00 00 00 07 f3 f3 f3 f3 00 00 00 00 00 00 00
                           ^
 8801b0abf900: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
 8801b0abf980: 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
==



general protection fault in smc_set_keepalive

2018-04-24 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
9c20b9372fbaf6f7d4c05f5f925806a7928f0c73 (Tue Apr 24 03:08:41 2018 +)
net: fib_rules: fix l3mdev netlink attr processing
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=cf9012c597c8379d535c


So far this crash happened 2 times on net-next.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4775309383565312
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4978230683500544
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4770663504019456
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2918904850634584293

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cf9012c597c8379d5...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4455 Comm: syz-executor060 Not tainted 4.17.0-rc1+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:smc_set_keepalive+0x4e/0xd0 net/smc/af_smc.c:59
RSP: 0018:8801ced8fa68 EFLAGS: 00010202
RAX: dc00 RBX:  RCX: 85d72bcb
RDX: 0004 RSI: 873f0a94 RDI: 0020
RBP: 8801ced8fa80 R08: 8801b67e44c0 R09: 0006
R10: 8801b67e44c0 R11:  R12: 8801b6bff7c0
R13: 0001 R14: 0003 R15: 8801aee2b540
FS:  009e4880() GS:8801dae0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2040 CR3: 0001b6e75000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 sock_setsockopt+0x14e2/0x1fe0 net/core/sock.c:801
 __sys_setsockopt+0x2df/0x390 net/socket.c:1899
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fcf9
RSP: 002b:7ffe62977a78 EFLAGS: 0217 ORIG_RAX: 0036
RAX: ffda RBX: 004002c8 RCX: 0043fcf9
RDX: 0009 RSI: 0001 RDI: 0003
RBP: 006ca018 R08: 0004 R09: 004002c8
R10: 2040 R11: 0217 R12: 00401620
R13: 004016b0 R14:  R15: 
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 78 48 8b 9b 50 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 20 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 6b 48 b8 00 00 00 00 00 fc ff df 48 8b 5b 20 48

RIP: smc_set_keepalive+0x4e/0xd0 net/smc/af_smc.c:59 RSP: 8801ced8fa68
---[ end trace a76f9ed0fb111068 ]---



KMSAN: uninit-value in _copy_to_iter (2)

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=87cfa083e727a224754b


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6616554548494336

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+87cfa083e727a2247...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in copyout lib/iov_iter.c:140 [inline]
BUG: KMSAN: uninit-value in _copy_to_iter+0x1bb3/0x28f0 lib/iov_iter.c:571
CPU: 0 PID: 7670 Comm: syz-executor7 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copyout lib/iov_iter.c:140 [inline]
 _copy_to_iter+0x1bb3/0x28f0 lib/iov_iter.c:571
 copy_to_iter include/linux/uio.h:106 [inline]
 skb_copy_datagram_iter+0x443/0xf70 net/core/datagram.c:431
 skb_copy_datagram_msg include/linux/skbuff.h:3264 [inline]
 netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1958
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0x1d0/0x230 net/socket.c:810
 ___sys_recvmsg+0x3fb/0x810 net/socket.c:2205
 __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
 SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
 SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:7f0281d3dc68 EFLAGS: 0246 ORIG_RAX: 012b
RAX: ffda RBX: 7f0281d3e6d4 RCX: 00455389
RDX: 0003 RSI: 20001f80 RDI: 0014
RBP: 0072bea0 R08: 20002040 R09: 
R10:  R11: 0246 R12: 
R13: 049e R14: 006f9f70 R15: 

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:526
 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:477
 __nla_put lib/nlattr.c:569 [inline]
 nla_put+0x276/0x340 lib/nlattr.c:627
 copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
 build_acquire net/xfrm/xfrm_user.c:2850 [inline]
 xfrm_send_acquire+0x1068/0x1690 net/xfrm/xfrm_user.c:2873
 km_query net/xfrm/xfrm_state.c:1953 [inline]
 xfrm_state_find+0x3ad8/0x4f40 net/xfrm/xfrm_state.c:1021
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1393 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:1437 [inline]
 xfrm_resolve_and_create_bundle+0xc31/0x5270 net/xfrm/xfrm_policy.c:1833
 xfrm_lookup+0x606/0x39d0 net/xfrm/xfrm_policy.c:2163
 xfrm_lookup_route+0xfa/0x360 net/xfrm/xfrm_policy.c:2283
 ip6_dst_lookup_flow+0x221/0x270 net/ipv6/ip6_output.c:1099
 ip6_datagram_dst_update+0x93a/0x1470 net/ipv6/datagram.c:91
 __ip6_datagram_connect+0x14f6/0x1a20 net/ipv6/datagram.c:257
 ip6_datagram_connect net/ipv6/datagram.c:280 [inline]
 ip6_datagram_connect_v6_only+0x104/0x180 net/ipv6/datagram.c:292
 inet_dgram_connect+0x2e8/0x4d0 net/ipv4/af_inet.c:542
 SYSC_connect+0x41a/0x510 net/socket.c:1639
 SyS_connect+0x54/0x80 net/socket.c:1620
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Local variable description: upt.i.i@xfrm_send_acquire
Variable was created at:
 xfrm_send_acquire+0x73/0x1690 net/xfrm/xfrm_user.c:2864
 km_query net/xfrm/xfrm_state.c:1953 [inline]
 xfrm_state_find+0x3ad8/0x4f40 net/xfrm/xfrm_state.c:1021

Byte 200 of 207 is uninitialized
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
==
CPU: 1 PID: 7675 Comm: syz-executor3 Not tainted 4.16.0+ #86



KMSAN: uninit-value in ip_vs_lblc_check_expire

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3e9695f147fb529aa9bc


So far this crash happened 3 times on https://github.com/google/kmsan.git/master.

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5822255644803072

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3e9695f147fb529aa...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

kernel msg: ebtables bug: please report to author: bad policy
==
BUG: KMSAN: uninit-value in ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315

CPU: 0 PID: 11383 Comm: syz-executor3 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
 </IRQ>
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:vprintk_emit+0xcb2/0xff0 kernel/printk/printk.c:1899
RSP: 0018:8801c2a1f0d8 EFLAGS: 0296 ORIG_RAX: ff12
RAX: 0296 RBX: 8801574c4418 RCX: 0004
RDX: c900033a6000 RSI: 01bf RDI: 01c0
RBP: 8801c2a1f1f8 R08: 00219bfd8445 R09: 8801fd6d615d
R10:  R11:  R12: 
R13: 8b300430 R14:  R15: 
 vprintk_default+0x90/0xa0 kernel/printk/printk.c:1955
 vprintk_func+0x517/0x700 kernel/printk/printk_safe.c:379
 printk+0x1b6/0x1f0 kernel/printk/printk.c:1991
 translate_table+0x474/0x5e10 net/bridge/netfilter/ebtables.c:846
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2406
 ipv6_setsockopt+0x30c/0x340 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x110/0x1c0 net/ipv6/udp.c:1422
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:7f470c9e3c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f470c9e46d4 RCX: 00455389
RDX: 0080 RSI:  RDI: 0013
RBP: 0072bea0 R08: 0dd0 R09: 
R10: 2dc0 R11: 0246 R12: 
R13: 051d R14: 006fab58 R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164 [inline]
 kmalloc_order_trace+0xb9/0x390 mm/slab_common.c:1175
 kmalloc_large include/linux/slab.h:446 [inline]
 __kmalloc+0x332/0x350 mm/slub.c:3778
 kmalloc include/linux/slab.h:517 [inline]
 ip_vs_lblc_init_svc+0x57/0x310 net/netfilter/ipvs/ip_vs_lblc.c:355
 ip_vs_bind_scheduler+0xa4/0x1e0 net/netfilter/ipvs/ip_vs_sched.c:51
 ip_vs_add_service+0xa91/0x1d70 net/netfilter/ipvs/ip_vs_ctl.c:1265
 do_ip_vs_set_ctl+0x25c8/0x2790 net/netfilter/ipvs

KMSAN: uninit-value in ip_vs_lblcr_check_expire

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3dfdea57819073a04f21


So far this crash happened 2 times on https://github.com/google/kmsan.git/master.

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6285034612850688

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3dfdea57819073a04...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479

CPU: 0 PID: 13883 Comm: syz-executor4 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
 </IRQ>
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:dump_stack+0x1af/0x1d0 lib/dump_stack.c:58
RSP: 0018:880156a2ef00 EFLAGS: 0286 ORIG_RAX: ff12
RAX: 8801fddc2590 RBX: 88014f62c418 RCX: 8800
RDX: 8801fd9c2590 RSI: b000 RDI: ea00
RBP: 880156a2ef48 R08: 0108 R09: 0002
R10:  R11:  R12: cf000109
R13: 0286 R14:  R15: 
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x87b/0xab0 lib/fault-inject.c:149
 should_failslab+0x279/0x2a0 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc_node mm/slub.c:2663 [inline]
 slab_alloc mm/slub.c:2745 [inline]
 kmem_cache_alloc+0x136/0xb90 mm/slub.c:2750
 dst_alloc+0x295/0x860 net/core/dst.c:104
 __ip6_dst_alloc net/ipv6/route.c:361 [inline]
 ip6_rt_cache_alloc+0x445/0xd00 net/ipv6/route.c:1061
 ip6_pol_route+0x3f19/0x5da0 net/ipv6/route.c:1751
 ip6_pol_route_output+0xe6/0x110 net/ipv6/route.c:1892
 fib6_rule_lookup+0x494/0x720 net/ipv6/fib6_rules.c:87
 ip6_route_output_flags+0x4fa/0x590 net/ipv6/route.c:1920
 ip6_dst_lookup_tail+0x2fe/0x1a60 net/ipv6/ip6_output.c:992
 ip6_dst_lookup_flow+0xfc/0x270 net/ipv6/ip6_output.c:1093
 rawv6_sendmsg+0x1b05/0x4fb0 net/ipv6/raw.c:908
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:7fa5b1000c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7fa5b10016d4 RCX: 00455389
RDX:  RSI: 2080 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0014
R13: 04f3 R14: 006fa768 R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164

KMSAN: uninit-value in ebt_stp_mt_check

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=5c06e318fc558cc27823


So far this crash happened 3 times on  
https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5411555638247424
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=6309829995921408
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=4546610964987904

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5c06e318fc558cc27...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164

CPU: 0 PID: 4520 Comm: syzkaller565841 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164
 xt_check_match+0x1449/0x1660 net/netfilter/x_tables.c:499
 ebt_check_match net/bridge/netfilter/ebtables.c:374 [inline]
 ebt_check_entry net/bridge/netfilter/ebtables.c:704 [inline]
 translate_table+0x3ffd/0x5e10 net/bridge/netfilter/ebtables.c:945
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 dccp_setsockopt+0x1c3/0x1f0 net/dccp/proto.c:576
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445d39
RSP: 002b:7efff4e14da8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 00445d39
RDX: 0080 RSI:  RDI: 0003
RBP:  R08: 0358 R09: 
R10: 28c0 R11: 0246 R12: 006dac20
R13: 006567646972625f R14: 6f745f3168746576 R15: 0002

Local variable description: mtpar.i@translate_table
Variable was created at:
 translate_table+0xb9/0x5e10 net/bridge/netfilter/ebtables.c:833
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
==


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged

into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.

Note: all commands must start from beginning of the line in the email body.


WARNING: suspicious RCU usage in rt6_check_expired

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
0638eb573cde5888c0886c7f35da604e5db209a6 (Sat Apr 21 20:06:14 2018 +)
Merge branch 'ipv6-Another-followup-to-the-fib6_info-change'
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=2422c9e35796659d2273


So far this crash happened 3 times on net-next.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6081013801287680
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-8412024688694752032

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2422c9e35796659d2...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

netlink: 'syz-executor4': attribute type 6 has an invalid length.
netlink: 'syz-executor4': attribute type 1 has an invalid length.
netlink: 'syz-executor4': attribute type 6 has an invalid length.

=
WARNING: suspicious RCU usage
4.16.0+ #11 Not tainted
-
net/ipv6/route.c:410 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor7/25958:
 #0: d1963139 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1469 [inline]
 #0: d1963139 (sk_lock-AF_INET6){+.+.}, at: sock_setsockopt+0x19c/0x1fe0 net/core/sock.c:717


stack backtrace:
CPU: 1 PID: 25958 Comm: syz-executor7 Not tainted 4.16.0+ #11
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4592
 rt6_check_expired+0x38b/0x3e0 net/ipv6/route.c:410
 ip6_negative_advice+0x67/0xc0 net/ipv6/route.c:2204
 dst_negative_advice include/net/sock.h:1786 [inline]
 sock_setsockopt+0x138f/0x1fe0 net/core/sock.c:1051
 __sys_setsockopt+0x2df/0x390 net/socket.c:1899
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455389
RSP: 002b:7f7556e30c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f7556e316d4 RCX: 00455389
RDX: 0035 RSI: 0001 RDI: 0013
RBP: 0072bf58 R08: 0004 R09: 
R10: 2000 R11: 0246 R12: 
R13: 05ff R14: 006fc088 R15: 0001
netlink: 'syz-executor4': attribute type 4 has an invalid length.
netlink: 'syz-executor4': attribute type 4 has an invalid length.
IPVS: set_ctl: invalid protocol: 59 127.0.0.1:2 lc
IPVS: set_ctl: invalid protocol: 127 224.0.0.1:2 rr
IPVS: sync thread started: state = BACKUP, mcast_ifn = ip6tnl0, syncid = 4, id = 0

IPVS: set_ctl: invalid protocol: 127 224.0.0.1:2 rr
netlink: 72 bytes leftover after parsing attributes in process  
`syz-executor2'.
netlink: 72 bytes leftover after parsing attributes in process  
`syz-executor2'.

dccp_xmit_packet: Payload too large (65423) for featneg.
IPVS: set_ctl: invalid protocol: 29 1.0.0.0:2 wlc
IPVS: set_ctl: invalid protocol: 29 1.0.0.0:2 wlc
netlink: 32 bytes leftover after parsing attributes in process  
`syz-executor7'.
netlink: 12 bytes leftover after parsing attributes in process  
`syz-executor1'.
netlink: 12 bytes leftover after parsing attributes in process  
`syz-executor1'.

netlink: 'syz-executor1': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process  
`syz-executor1'.

IPVS: set_ctl: invalid protocol: 108 224.0.0.1:20004 lblc
netlink: 'syz-executor1': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process  
`syz-executor1'.

IPVS: set_ctl: invalid protocol: 108 224.0.0.1:20004 lblc




KMSAN: uninit-value in pppoe_connect

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=4f03bdf92fdf9ef5ddab


So far this crash happened 2 times on  
https://github.com/google/kmsan.git/master.

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5233317381144576

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4f03bdf92fdf9ef5d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in pppoe_connect+0xe9a/0x2360 drivers/net/ppp/pppoe.c:662

CPU: 1 PID: 8338 Comm: syz-executor2 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 pppoe_connect+0xe9a/0x2360 drivers/net/ppp/pppoe.c:662
 SYSC_connect+0x41a/0x510 net/socket.c:1639
 SyS_connect+0x54/0x80 net/socket.c:1620
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:7f5c253ecc68 EFLAGS: 0246 ORIG_RAX: 002a
RAX: ffda RBX: 7f5c253ed6d4 RCX: 00455389
RDX: 0001 RSI: 2040 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 0063 R14: 006f39e8 R15: 

Local variable description: address@SYSC_connect
Variable was created at:
 SYSC_connect+0x6f/0x510 net/socket.c:1622
 SyS_connect+0x54/0x80 net/socket.c:1620
==




KMSAN: uninit-value in pppol2tp_connect

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=a70ac890b23b1bf29f5c


So far this crash happened 3 times on  
https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4946656566968320
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5395971013869568
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5936570024591360

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a70ac890b23b1bf29...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in pppol2tp_connect+0x258/0x1c50 net/l2tp/l2tp_ppp.c:622

CPU: 1 PID: 4524 Comm: syzkaller735385 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 pppol2tp_connect+0x258/0x1c50 net/l2tp/l2tp_ppp.c:622
 SYSC_connect+0x41a/0x510 net/socket.c:1639
 SyS_connect+0x54/0x80 net/socket.c:1620
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445559
RSP: 002b:7f0b96f0ddb8 EFLAGS: 0246 ORIG_RAX: 002a
RAX: ffda RBX: 006dac24 RCX: 00445559
RDX:  RSI: 2200 RDI: 0003
RBP: 006dac20 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 7ffec2b0929f R14: 7f0b96f0e9c0 R15: 0001

Local variable description: address@SYSC_connect
Variable was created at:
 SYSC_connect+0x6f/0x510 net/socket.c:1622
 SyS_connect+0x54/0x80 net/socket.c:1620
==




KMSAN: uninit-value in strnlen

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=cd06c321e7147d03a65e


So far this crash happened 5 times on  
https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5785171018121216
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5117671628603392
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6310764688179200

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cd06c321e7147d03a...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in strnlen+0xc4/0x110 lib/string.c:499
CPU: 1 PID: 4507 Comm: syzkaller579712 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 strnlen+0xc4/0x110 lib/string.c:499
 dev_name_hash net/core/dev.c:209 [inline]
 dev_get_by_name_rcu net/core/dev.c:764 [inline]
 dev_get_by_name+0x6e/0x350 net/core/dev.c:791
 pppoe_connect+0xcb7/0x2360 drivers/net/ppp/pppoe.c:665
 SYSC_connect+0x41a/0x510 net/socket.c:1639
 SyS_connect+0x54/0x80 net/socket.c:1620
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fcf9
RSP: 002b:7ffca4bd4978 EFLAGS: 0213 ORIG_RAX: 002a
RAX: ffda RBX: 004002c8 RCX: 0043fcf9
RDX: 0007 RSI: 2040 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 00401620
R13: 004016b0 R14:  R15: 

Local variable description: address@SYSC_connect
Variable was created at:
 SYSC_connect+0x6f/0x510 net/socket.c:1622
 SyS_connect+0x54/0x80 net/socket.c:1620
==



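The three KMSAN reports above (pppoe_connect, pppol2tp_connect, and strnlen reached from pppoe_connect via dev_get_by_name) all point at the same local, address@SYSC_connect. The generic connect() path copies only addrlen bytes of the caller's sockaddr into an uninitialised struct sockaddr_storage on the kernel stack, so a protocol handler that reads fields beyond addrlen is reading stale stack memory. The program below is an added user-space model of that pattern, written for this page; it is not code from the reports, from syzbot, or from the kernel. The struct demo_sockaddr layout, the 0xA5 fill standing in for stale stack bytes, and every demo_* name are assumptions made for the illustration, and the hardened shape (reject any sockaddr shorter than the structure about to be read, before reading any field) is the generic check, not a quote of any particular kernel fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define DEMO_IFNAMSIZ   16
#define DEMO_STALE_BYTE 0xA5   /* stand-in for whatever was left on the stack */

/* Hypothetical protocol sockaddr; invented layout, NOT struct sockaddr_pppox. */
struct demo_sockaddr {
    uint16_t sa_family;
    uint16_t sa_protocol;
    uint16_t sid;
    uint8_t  remote[6];
    char     dev[DEMO_IFNAMSIZ];   /* interface name a lookup would strnlen() */
};

/*
 * Models the generic connect() path: the kernel-side buffer is an
 * uninitialised stack variable and only addrlen bytes of the user's
 * sockaddr are copied in. Bytes past addrlen keep stale contents; here
 * they are filled with DEMO_STALE_BYTE so the effect is observable.
 */
static int demo_move_addr_to_kernel(const void *uaddr, int addrlen,
                                    struct sockaddr_storage *kaddr)
{
    if (addrlen < 0 || (size_t)addrlen > sizeof(*kaddr))
        return -EINVAL;
    memset(kaddr, DEMO_STALE_BYTE, sizeof(*kaddr));
    memcpy(kaddr, uaddr, (size_t)addrlen);
    return 0;
}

/*
 * Buggy handler shape: trusts the struct layout without checking addrlen.
 * Returns the length strnlen() computes over dev[] (what a name lookup
 * would consume) or -errno. With a short addrlen, dev[] is stale memory
 * and strnlen() walks it, which is exactly what KMSAN flags.
 */
int demo_connect_unchecked(const struct sockaddr *uaddr, int addrlen)
{
    struct sockaddr_storage address;            /* deliberately not zeroed */
    const struct demo_sockaddr *sp = (const struct demo_sockaddr *)&address;
    int err = demo_move_addr_to_kernel(uaddr, addrlen, &address);

    if (err)
        return err;
    return (int)strnlen(sp->dev, DEMO_IFNAMSIZ);
}

/* Hardened shape: refuse a sockaddr shorter than the struct before any read. */
int demo_connect_checked(const struct sockaddr *uaddr, int addrlen)
{
    struct sockaddr_storage address;
    const struct demo_sockaddr *sp = (const struct demo_sockaddr *)&address;
    int err;

    if (addrlen < (int)sizeof(struct demo_sockaddr))
        return -EINVAL;                          /* reject before touching fields */
    err = demo_move_addr_to_kernel(uaddr, addrlen, &address);
    if (err)
        return err;
    if (memchr(sp->dev, '\0', DEMO_IFNAMSIZ) == NULL)
        return -EINVAL;                          /* dev[] must be NUL-terminated */
    return (int)strnlen(sp->dev, DEMO_IFNAMSIZ);
}

int demo_full_addrlen(void)
{
    return (int)sizeof(struct demo_sockaddr);
}

/*
 * Runs one constructed scenario: a well-formed demo_sockaddr naming "eth0"
 * is handed to either handler with the given addrlen. The sample input is
 * constructed here for the demo.
 */
int demo_scenario(int addrlen, int use_checked)
{
    struct demo_sockaddr sa;

    memset(&sa, 0, sizeof(sa));
    sa.sa_family = 24;                           /* arbitrary family value */
    strcpy(sa.dev, "eth0");
    return use_checked
        ? demo_connect_checked((const struct sockaddr *)&sa, addrlen)
        : demo_connect_unchecked((const struct sockaddr *)&sa, addrlen);
}

int main(void)
{
    int full = demo_full_addrlen();

    printf("addrlen=%d: unchecked=%d checked=%d\n", full,
           demo_scenario(full, 0), demo_scenario(full, 1));
    printf("addrlen=4:  unchecked=%d checked=%d\n",
           demo_scenario(4, 0), demo_scenario(4, 1));
    return 0;
}
```

With the full structure both handlers agree on a 4-byte name. With addrlen=4 (only family and protocol copied) the unchecked handler returns DEMO_IFNAMSIZ because strnlen() ran through sixteen stale bytes without finding a terminator, while the checked handler returns -EINVAL without reading dev[] at all. The length check has to come before the first field access, since the uninitialised read is the bug, not whatever is done with the value afterwards.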

KASAN: slab-out-of-bounds Read in __sctp_v6_cmp_addr

2018-04-22 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +)
Merge branch 'fixes' of  
git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=cd494c1dd681d4d93ebb


So far this crash happened 305 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6684817483628544
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=6321732692475904
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5381423422767104
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=1808800213120130118

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cd494c1dd681d4d93...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KASAN: slab-out-of-bounds in ipv6_addr_equal include/net/ipv6.h:507 [inline]
BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 net/sctp/ipv6.c:580

Read of size 8 at addr 8801b58626d0 by task syzkaller106428/4452

CPU: 1 PID: 4452 Comm: syzkaller106428 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ipv6_addr_equal include/net/ipv6.h:507 [inline]
 __sctp_v6_cmp_addr+0x4c7/0x530 net/sctp/ipv6.c:580
 sctp_inet6_cmp_addr+0x169/0x1a0 net/sctp/ipv6.c:898
 sctp_bind_addr_conflict+0x28c/0x470 net/sctp/bind_addr.c:368
 sctp_get_port_local+0x9fc/0x1540 net/sctp/socket.c:7515
 sctp_do_bind+0x21c/0x5f0 net/sctp/socket.c:435
 sctp_bindx_add+0x90/0x1a0 net/sctp/socket.c:529
 sctp_setsockopt_bindx+0x2ad/0x320 net/sctp/socket.c:1058
 sctp_setsockopt+0x12c4/0x7000 net/sctp/socket.c:4227
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445839
RSP: 002b:7fbe3f0fdd98 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 00445839
RDX: 0064 RSI: 0084 RDI: 0004
RBP: 006dac20 R08: 0010 R09: a6fe
R10: 205ba000 R11: 0246 R12: 
R13: 7ffc1404827f R14: 7fbe3f0fe9c0 R15: 0003

Allocated by task 4452:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3689
 kmalloc_node include/linux/slab.h:554 [inline]
 kvmalloc_node+0x6b/0x100 mm/util.c:421
 kvmalloc include/linux/mm.h:550 [inline]
 vmemdup_user+0x2d/0xa0 mm/util.c:186
 sctp_setsockopt_bindx+0x5d/0x320 net/sctp/socket.c:1022
 sctp_setsockopt+0x12c4/0x7000 net/sctp/socket.c:4227
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2818:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 single_release+0x8f/0xb0 fs/seq_file.c:609
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801b58626c0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 16 bytes inside of
 32-byte region [8801b58626c0, 8801b58626e0)
The buggy address belongs

KASAN: null-ptr-deref Read in refcount_inc_not_zero

2018-04-22 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
285848b0f4074f04ab606f1e5dca296482033d54 (Sun Apr 22 04:20:48 2018 +)
Merge tag 'random_for_linus_stable' of  
git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=6a35cd2d9559c909d570


So far this crash happened 1772 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5975533900791808
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=4813418829709312
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5008564225572864
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=1808800213120130118

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6a35cd2d9559c909d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc_not_zero+0x8f/0x2d0 lib/refcount.c:120

Read of size 4 at addr 0004 by task syzkaller633288/4488

CPU: 0 PID: 4488 Comm: syzkaller633288 Not tainted 4.17.0-rc1+ #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report.cold.7+0x6d/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_inc_not_zero+0x8f/0x2d0 lib/refcount.c:120
 refcount_inc+0x15/0x70 lib/refcount.c:153
 llc_sap_hold include/net/llc.h:116 [inline]
 llc_ui_release+0xba/0x2b0 net/llc/af_llc.c:207
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 __do_sys_exit_group kernel/exit.c:979 [inline]
 __se_sys_exit_group kernel/exit.c:977 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43e878
RSP: 002b:7ffd854075f8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX:  RCX: 0043e878
RDX:  RSI: 003c RDI: 
RBP: 004be220 R08: 00e7 R09: ffd0
R10:  R11: 0246 R12: 0001
R13: 006cc160 R14:  R15: 
==




Re: general protection fault in smc_getname

2018-04-21 Thread syzbot

syzbot has found reproducer for the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +)
Merge branch 'fixes' of  
git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=9605e6cace1b5efd4a0a


So far this crash happened 6 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4803108223844352
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=6277384739225600
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5836548759093248
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=1808800213120130118

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9605e6cace1b5efd4...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4548 Comm: syzkaller769662 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:smc_getname+0x124/0x1c0 net/smc/af_smc.c:1089
RSP: 0018:8801ad1d7c20 EFLAGS: 00010206
RAX: dc00 RBX:  RCX: 873e3a58
RDX: 0005 RSI: 873e3af6 RDI: 0028
RBP: 8801ad1d7c48 R08: 8801b10ae280 R09: ed0036321370
R10: ed0036321370 R11: 8801b1909b83 R12: 
R13: 8801ad1d7d10 R14: 8801a866e0c0 R15: dc00
FS:  01a42880() GS:8801dae0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2080 CR3: 0001ac8b3000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __sys_getsockname+0x184/0x380 net/socket.c:1699
 __do_sys_getsockname net/socket.c:1714 [inline]
 __se_sys_getsockname net/socket.c:1711 [inline]
 __x64_sys_getsockname+0x73/0xb0 net/socket.c:1711
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fce9
RSP: 002b:7fff2eba2418 EFLAGS: 0217 ORIG_RAX: 0033
RAX: ffda RBX: 004002c8 RCX: 0043fce9
RDX: 2080 RSI: 2000 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0217 R12: 00401610
R13: 004016a0 R14:  R15: 
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 99 00 00 00 48 8b 9b 50 04 00 00 48  
b8 00 00 00 00 00 fc ff df 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00  
75 70 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 28 49

RIP: smc_getname+0x124/0x1c0 net/smc/af_smc.c:1089 RSP: 8801ad1d7c20
---[ end trace 9f5c3169466d9443 ]---



Re: general protection fault in smc_getsockopt

2018-04-21 Thread syzbot

syzbot has found reproducer for the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
Merge branch 'fixes' of  
git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=28a2c86cf19c81d871fa


So far this crash happened 59 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6375334488309760
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=6112997885870080
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5942131738804224
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=1808800213120130118

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+28a2c86cf19c81d87...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4492 Comm: syzkaller771634 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:smc_getsockopt+0x8b/0x120 net/smc/af_smc.c:1298
RSP: 0018:8801d90b7cc0 EFLAGS: 00010206
RAX: dc00 RBX:  RCX: 2000
RDX: 0005 RSI: 873e3d16 RDI: 0028
RBP: 8801d90b7cf0 R08: 2040 R09: ed0036a05800
R10: ed0036a05800 R11: 8801b502c003 R12: 8801d90b7d40
R13:  R14: 0008 R15: 2000
FS:  02017880() GS:8801dae0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2040 CR3: 0001ac552000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __sys_getsockopt+0x1a5/0x370 net/socket.c:1940
 __do_sys_getsockopt net/socket.c:1951 [inline]
 __se_sys_getsockopt net/socket.c:1948 [inline]
 __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1948
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fcf9
RSP: 002b:7ffcb16b9c58 EFLAGS: 0217 ORIG_RAX: 0037
RAX: ffda RBX: 004002c8 RCX: 0043fcf9
RDX: 0008 RSI:  RDI: 0003
RBP: 006ca018 R08: 2040 R09: 004002c8
R10: 2000 R11: 0217 R12: 00401620
R13: 004016b0 R14:  R15: 
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 93 00 00 00 48 8b 9b 50 04 00 00 48  
b8 00 00 00 00 00 fc ff df 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00  
75 62 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 28 49

RIP: smc_getsockopt+0x8b/0x120 net/smc/af_smc.c:1298 RSP: 8801d90b7cc0
---[ end trace 7e67761582d7c7ee ]---



Re: general protection fault in smc_setsockopt

2018-04-20 Thread syzbot

syzbot has found reproducer for the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
Merge branch 'fixes' of  
git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=9045fc589fcd196ef522


So far this crash happened 124 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6522155797839872
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5566093930266624
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6661555940753408
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=1808800213120130118

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9045fc589fcd196ef...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4520 Comm: syzkaller696326 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:smc_setsockopt+0x8b/0x120 net/smc/af_smc.c:1287
RSP: 0018:8801b433fcc8 EFLAGS: 00010206
RAX: dc00 RBX:  RCX: 2000
RDX: 0005 RSI: 873e3bf6 RDI: 0028
RBP: 8801b433fcf8 R08:  R09: ed00359a3780
R10: ed00359a3780 R11: 8801acd1bc03 R12: 8801b433fd40
R13: 0021 R14: 000d R15: 2000
FS:  00b01880() GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 562e1fa410d0 CR3: 0001acf1e000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd19
RSP: 002b:7ffccc4960f8 EFLAGS: 0217 ORIG_RAX: 0036
RAX: ffda RBX: 004002c8 RCX: 0043fd19
RDX: 000d RSI: 0021 RDI: 0004
RBP: 006ca018 R08:  R09: 004002c8
R10: 2000 R11: 0217 R12: 00401640
R13: 004016d0 R14:  R15: 
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 93 00 00 00 48 8b 9b 50 04 00 00 48  
b8 00 00 00 00 00 fc ff df 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00  
75 62 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 28 49

RIP: smc_setsockopt+0x8b/0x120 net/smc/af_smc.c:1287 RSP: 8801b433fcc8
---[ end trace 3858d0cd9ce5e4d4 ]---



Re: unregister_netdevice: waiting for DEV to become free

2018-04-20 Thread syzbot
syzbot has found reproducer for the following crash on  
https://github.com/google/kmsan.git/master commit

48c6a2b0ab1b752451cdc40b5392471ed1a2a329 (Mon Apr 16 08:42:26 2018 +0000)
mm/kmsan: fix origin calculation in kmsan_internal_check_memory
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=2dfb68e639f0621b19fb


So far this crash happened 180 times on  
https://github.com/google/kmsan.git/master, net-next, upstream.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4936564132020224
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5817131010621440
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6313498770407424
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2dfb68e639f0621b1...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
unregister_netdevice: waiting for lo to become free. Usage count = 3



KMSAN: uninit-value in __udp4_lib_rcv

2018-04-19 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

35ff515e4bda2646f6c881d33951c306ea9c282a (Tue Apr 10 08:59:43 2018 +0000)
Merge pull request #11 from parkerduckworth/readme
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=493bccc5b8cfe9d5035e


So far this crash happened 11 times on  
https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4935004320694272
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5133260011077632
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5329144879513600
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+493bccc5b8cfe9d50...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in __udp4_lib_rcv+0x628/0x4740 net/ipv4/udp.c:2066
CPU: 1 PID: 3573 Comm: syzkaller192717 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 __udp4_lib_rcv+0x628/0x4740 net/ipv4/udp.c:2066
 udp_rcv+0x5c/0x70 net/ipv4/udp.c:2287
 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 </IRQ>
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 ip_finish_output2+0x124e/0x1380 net/ipv4/ip_output.c:231
 ip_finish_output+0xcb0/0xff0 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x502/0x5c0 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:443 [inline]
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 ip_send_skb+0x5f3/0x820 net/ipv4/ip_output.c:1414
 ip_push_pending_frames+0x105/0x170 net/ipv4/ip_output.c:1434
 raw_sendmsg+0x2960/0x3ed0 net/ipv4/raw.c:684
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fe99
RSP: 002b:7ffca5bf5be8 EFLAGS: 0217 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 0043fe99
RDX:  RSI: 22c0 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0217 R12: 004017c0
R13: 00401850 R14:  R15: 

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:526
 __msan_memcpy+0x19f/0x1f0 mm/kmsan/kmsan_instr.c:470
 skb_copy_bits+0x63a/0xdb0 net/core/skbuff.c:2046
 __pskb_pull_tail+0x483/0x22e0 net/core/skbuff.c:1883
 pskb_may_pull include/linux/skbuff.h:2112 [inline]
 __udp4_lib_rcv+0x55f/0x4740 net/ipv4/udp.c:2058
 udp_rcv+0x5c/0x70 net/ipv4/udp.c:2287
 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net

KMSAN: uninit-value in dccp_invalid_packet

2018-04-19 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +0000)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=00763607efc31f91b276


So far this crash happened 19 times on  
https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5163725019414528
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=4836676144726016
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=4771447134224384
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+00763607efc31f91b...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==
BUG: KMSAN: uninit-value in dccp_invalid_packet+0x3b8/0xf50  
net/dccp/ipv4.c:716

CPU: 1 PID: 3572 Comm: syzkaller338124 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 dccp_invalid_packet+0x3b8/0xf50 net/dccp/ipv4.c:716
 dccp_v4_rcv+0xf7/0x2630 net/dccp/ipv4.c:778
 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 </IRQ>
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 ip_finish_output2+0x124e/0x1380 net/ipv4/ip_output.c:231
 ip_finish_output+0xcb0/0xff0 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x502/0x5c0 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:443 [inline]
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 ip_send_skb+0x5f3/0x820 net/ipv4/ip_output.c:1414
 ip_push_pending_frames+0x105/0x170 net/ipv4/ip_output.c:1434
 raw_sendmsg+0x2960/0x3ed0 net/ipv4/raw.c:684
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
 SyS_sendto+0x8a/0xb0 net/socket.c:1715
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x441709
RSP: 002b:7de4d688 EFLAGS: 0217 ORIG_RAX: 002c
RAX: ffda RBX: 001b RCX: 00441709
RDX: 0030 RSI: 2140 RDI: 0003
RBP: 004a3318 R08: 2000 R09: 0010
R10:  R11: 0217 R12: 7de4d768
R13: 00402490 R14:  R15: 

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:526
 __msan_memcpy+0x19f/0x1f0 mm/kmsan/kmsan_instr.c:470
 skb_copy_bits+0x63a/0xdb0 net/core/skbuff.c:2046
 __pskb_pull_tail+0x483/0x22e0 net/core/skbuff.c:1883
 pskb_may_pull include/linux/skbuff.h:2112 [inline]
 dccp_invalid_packet+0x352/0xf50 net/dccp/ipv4.c:708
 dccp_v4_rcv+0xf7/0x2630 net/dccp/ipv4.c:778
 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562

KASAN: use-after-free Read in llc_conn_tmr_common_cb

2018-04-19 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
a27fc14219f2e3c4a46ba9177b04d9b52c875532 (Mon Apr 16 21:07:39 2018 +0000)
Merge branch 'parisc-4.17-3' of  
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=f922284c18ea23a8e457


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6056927826018304
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-5914490758943236750

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f922284c18ea23a8e...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

binder: 10195:10196 transaction failed 29189/-3, size 0-0 line 2963
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
==
BUG: KASAN: use-after-free in __lock_acquire+0x3888/0x5140  
kernel/locking/lockdep.c:3310

Read of size 8 at addr 8801a8c862e0 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.17.0-rc1+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __lock_acquire+0x3888/0x5140 kernel/locking/lockdep.c:3310
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 llc_conn_tmr_common_cb+0x8d/0x9e0 net/llc/llc_c_ac.c:1328
 llc_conn_ack_tmr_cb+0x1e/0x30 net/llc/llc_c_ac.c:1357
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 </IRQ>
RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54
RSP: 0018:88a07bc0 EFLAGS: 0282 ORIG_RAX: ff13
RAX: dc00 RBX: 11140f7b RCX: 
RDX: 11163130 RSI: 0001 RDI: 88b18980
RBP: 88a07bc0 R08: ed003b6046c3 R09: 
R10:  R11:  R12: 
R13: 88a07c78 R14: 89591560 R15: 
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 default_idle+0xc2/0x440 arch/x86/kernel/process.c:354
 arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:345
 default_idle_call+0x6d/0x90 kernel/sched/idle.c:93
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x395/0x560 kernel/sched/idle.c:262
 cpu_startup_entry+0x104/0x120 kernel/sched/idle.c:368
 rest_init+0xe1/0xe4 init/main.c:441
 start_kernel+0x906/0x92d init/main.c:737
 x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:445
 x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:426
 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242

Allocated by task 10136:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:517 [inline]
 sk_prot_alloc+0x1ae/0x2e0 net/core/sock.c:1474
 sk_alloc+0x104/0x17b0 net/core/sock.c:1528
 llc_sk_alloc+0x35/0x4b0 net/llc/llc_conn.c:949
 llc_ui_create+0xf3/0x3e0 net/llc/af_llc.c:173
 __sock_create+0x526/0x920 net/socket.c:1285
 sock_create net/socket.c:1325 [inline]
 __sys_socket+0x100/0x250 net/socket.c:1355
 __do_sys_socket net/socket.c:1364 [inline]
 __se_sys_socket net/socket.c:1362 [inline]
 __x64_sys_socket+0x73/0xb0 net/socket.c:1362
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10215:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 sk_prot_free net/core/sock.c:1511 [inline]
 __sk_destruct+0x772
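
Added example, not syzbot's or the kernel's code: a small Python triage script for reports of the shape above. It joins the format=flowed soft wraps that the list archive inserts (the "BUG:" line of several reports on this page is split that way), pulls out the bug class, the access size and address, and the accessing, allocating and freeing tasks, then skips dump_stack, KASAN, slab and lock-primitive frames to land on the subsystem frame that touched the stale object. For the report above that frame is llc_conn_tmr_common_cb, reached from a timer callback in softirq context after a different task had already freed the socket. The SAMPLE embedded in the script is constructed and abridged from that report (the offset and line number of its final __sk_destruct frame are invented to complete the truncated stack), and the verdict() rules are triage heuristics, not a proof of the bug's cause.

```python
"""KASAN report triage (added example, not syzbot's or the kernel's code): parse
the BUG header, access line and access/alloc/free stacks, join format=flowed
soft wraps, and name the first non-plumbing frame.  SAMPLE is constructed from
the llc_conn_tmr_common_cb report; its final frame's offset and line are made up."""
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional, Tuple

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
STACK_RE = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<task>\d+):")
FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"\s+(?P<loc>\S+:\d+)")
# Reporting/allocator frames are never the bug site; a lock primitive is where a freed lock gets touched.
PLUMBING = ("lib/dump_stack.c", "mm/kasan/", "mm/slab", "include/linux/slab.h")
LOCKING = ("kernel/locking/", "include/linux/spinlock")
Frame = NamedTuple("Frame", [("func", str), ("loc", str)])

@dataclass
class Report:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""              # "comm/pid" of the task doing the bad access
    in_irq: bool = False        # the access happened inside an <IRQ> section
    tasks: dict = field(default_factory=dict)           # "alloc"/"free" -> pid
    stacks: dict = field(default_factory=lambda: {"trace": [], "alloc": [], "free": []})

def unflow(text: str) -> List[str]:  # a line ending in a space continues on the next (format=flowed)
    out: List[str] = []
    for raw in text.splitlines():
        if out and out[-1].strip() and out[-1].endswith(" "):
            out[-1] = out[-1].rstrip() + " " + raw.lstrip()
        else:
            out.append(raw)
    return out

def parse(text: str) -> Report:
    rep, section = Report(), None
    for line in unflow(text):
        if m := BUG_RE.match(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS_RE.match(line):
            rep.op, rep.size, rep.task = m["op"], int(m["size"]), m["task"]
            rep.addr = int(m["addr"], 16)
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif m := STACK_RE.match(line):
            section = "alloc" if m["which"] == "Allocated" else "free"
            rep.tasks[section] = m["task"]
        elif line.strip() == "<IRQ>":
            rep.in_irq = True
        elif not line.strip():
            section = None          # a blank line closes the current stack
        elif section and (m := FRAME_RE.match(line)):
            rep.stacks[section].append(Frame(m["func"], m["loc"]))
    return rep

def first_real_frame(frames: List[Frame], skip: Tuple[str, ...] = PLUMBING) -> Optional[Frame]:
    return next((f for f in frames if not f.loc.startswith(skip)), None)

def culprit(rep: Report) -> Optional[Frame]:  # subsystem frame that touched the stale object
    return first_real_frame(rep.stacks["trace"], PLUMBING + LOCKING)

def verdict(rep: Report) -> str:
    """Heuristic lifetime classification: a triage hint, not a proof."""
    freed_by = rep.tasks.get("free")
    if rep.kind != "use-after-free" or freed_by is None:
        return "no free stack: triage by hand"
    if rep.in_irq:
        return "freed by task %s, touched from IRQ/softirq context: a timer or callback outlived it" % freed_by
    if rep.task.rsplit("/", 1)[-1] != freed_by:  # "comm/pid" -> pid
        return "freed and reused by different tasks: missing refcount or lock"
    return "freed and reused by the same task: stale pointer after release"

SAMPLE = "\n".join([  # constructed; the BUG line is soft-wrapped on purpose
    "BUG: KASAN: use-after-free in  ",
    "__lock_acquire+0x3888/0x5140 kernel/locking/lockdep.c:3310",
    "Read of size 8 at addr ffff8801a8c862e0 by task swapper/0/0",
    "Call Trace:",
    " <IRQ>",
    " kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412",
    " __lock_acquire+0x3888/0x5140 kernel/locking/lockdep.c:3310",
    " spin_lock include/linux/spinlock.h:310 [inline]",
    " llc_conn_tmr_common_cb+0x8d/0x9e0 net/llc/llc_c_ac.c:1328",
    " </IRQ>",
    "",
    "Allocated by task 10136:",
    " kmalloc include/linux/slab.h:517 [inline]",
    " sk_prot_alloc+0x1ae/0x2e0 net/core/sock.c:1474",
    "",
    "Freed by task 10215:",
    " kfree+0xd9/0x260 mm/slab.c:3813",
    " sk_prot_free net/core/sock.c:1511 [inline]",
    " __sk_destruct+0x772/0xa30 net/core/sock.c:1611",  # offset and line made up
])

if __name__ == "__main__":
    print(culprit(parse(SAMPLE)), verdict(parse(SAMPLE)))
```

Call parse() on the text of a report and culprit() and verdict() on the result. Two choices are deliberate: frames under kernel/locking/ are skipped because a freed spinlock is the symptom of the lifetime bug, not its cause, and a report with no "Freed by task" section (an out-of-bounds access, or a report truncated by the archive as the one above is) is handed back for manual triage rather than guessed at.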

WARNING: suspicious RCU usage in fib6_info_alloc

2018-04-18 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
0565de29cbd65b378147d36f9642f93a046240dc (Wed Apr 18 03:41:18 2018 +0000)
Merge branch 'ipv6-Separate-data-structures-for-FIB-and-data-path'
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=2add39b05179b31f912f


So far this crash happened 2 times on net-next.
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=4660613020123136
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5742127124316160
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-5947642240294114534

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2add39b05179b31f9...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21

=
WARNING: suspicious RCU usage
4.16.0+ #5 Not tainted
-
kernel/sched/core.c:6153 Illegal context switch in RCU-bh read-side  
critical section!


other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
4 locks held by kworker/1:1/25:
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
__write_once_size include/linux/compiler.h:215 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
set_work_data kernel/workqueue.c:617 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 7d88bc46 ((work_completion)(&(&ifa->dad_work)->work)){+.+.},  
at: process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: 943eaf98 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20  
net/core/rtnetlink.c:74
 #3: a39c89a4 (rcu_read_lock_bh){}, at:  
ipv6_ifa_notify+0x0/0x210 net/ipv6/addrconf.c:5621


stack backtrace:
CPU: 1 PID: 25 Comm: kworker/1:1 Not tainted 4.16.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4592
 ___might_sleep+0x2e7/0x320 kernel/sched/core.c:6153
 __might_sleep+0x95/0x190 kernel/sched/core.c:6141
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3378 [inline]
 kmem_cache_alloc_trace+0x2bc/0x780 mm/slab.c:3618
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 fib6_info_alloc+0xbb/0x280 net/ipv6/ip6_fib.c:152
 ip6_route_info_create+0x7bf/0x3240 net/ipv6/route.c:2891
 ip6_route_add+0x23/0xb0 net/ipv6/route.c:3030
 addrconf_prefix_route.isra.47+0x4f7/0x6f0 net/ipv6/addrconf.c:2347
 __ipv6_ifa_notify+0x591/0xa00 net/ipv6/addrconf.c:5620
 ipv6_ifa_notify+0xff/0x210 net/ipv6/addrconf.c:5650
 addrconf_dad_completed+0xeb/0xbf0 net/ipv6/addrconf.c:4083
 addrconf_dad_begin net/ipv6/addrconf.c:3889 [inline]
 addrconf_dad_work+0x873/0x1300 net/ipv6/addrconf.c:3991
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411
BUG: sleeping function called from invalid context at mm/slab.h:421
in_atomic(): 1, irqs_disabled(): 0, pid: 25, name: kworker/1:1
4 locks held by kworker/1:1/25:
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
__write_once_size include/linux/compiler.h:215 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: df858

general protection fault in encode_rpcb_string

2018-04-16 Thread syzbot

Hello,

syzbot hit the following crash on bpf-next commit
5d1365940a68dd57b031b6e3c07d7d451cd69daf (Thu Apr 12 18:09:05 2018 +0000)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=4b98281f2401ab849f4b


So far this crash happened 2 times on bpf-next.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6433835633868800
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=6407311794896896
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5861511176126464
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-5947642240294114534

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4b98281f2401ab849...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

RBP: 006dbc50 R08: 2000a000 R09: 3437
R10:  R11: 0246 R12: 7fe464ffed80
R13: 0030656c69662f2e R14:  R15: 0006
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 1861 Comm: kworker/u4:4 Not tainted 4.16.0+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Workqueue: rpciod rpc_async_schedule
RIP: 0010:strlen+0x1f/0xa0 lib/string.c:479
RSP: 0018:8801cf75f318 EFLAGS: 00010296
RAX: dc00 RBX: 8801cf68f200 RCX: 86a8c407
RDX:  RSI: 86a84d7b RDI: 
RBP: 8801cf75f330 R08: 8801cf7de080 R09: ed0039ea3d43
R10: ed0039ea3d43 R11: 8801cf51ea1f R12: 
R13: 0200 R14:  R15: 8801cf75f3e0
FS:  () GS:8801db00() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f64808a4000 CR3: 0001b566a000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 strlen include/linux/string.h:267 [inline]
 encode_rpcb_string+0x23/0x70 net/sunrpc/rpcb_clnt.c:914
 rpcb_enc_getaddr+0x146/0x1f0 net/sunrpc/rpcb_clnt.c:940
 rpcauth_wrap_req_encode net/sunrpc/auth.c:777 [inline]
 rpcauth_wrap_req+0x1a8/0x230 net/sunrpc/auth.c:791
 rpc_xdr_encode net/sunrpc/clnt.c:1754 [inline]
 call_transmit+0x8a9/0xfe0 net/sunrpc/clnt.c:1949
 __rpc_execute+0x28a/0xfe0 net/sunrpc/sched.c:784
 rpc_async_schedule+0x16/0x20 net/sunrpc/sched.c:857
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411
Code: 37 ff ff ff 0f 1f 84 00 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 55  
48 89 fa 48 c1 ea 03 48 89 e5 41 54 49 89 fc 53 48 83 ec 08 <0f> b6 04 02  
48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 4d 41 80 3c

RIP: strlen+0x1f/0xa0 lib/string.c:479 RSP: 8801cf75f318
---[ end trace bd76ed0378a56845 ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.

Note: all commands must start from beginning of the line in the email body.


KASAN: use-after-free Read in llc_conn_ac_send_sabme_cmd_p_set_x

2018-04-16 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
18b7fd1c93e5204355ddbf2608a097d64df81b88 (Sat Apr 14 15:50:50 2018 +0000)
Merge branch 'akpm' (patches from Andrew)
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=6e181fc95081c2cf9051


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5257422885093376
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-8852471259444315113

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6e181fc95081c2cf9...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

XFS (loop1): Invalid superblock magic number
==
BUG: KASAN: use-after-free in  
llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785

Read of size 1 at addr 88018be1a290 by task syz-executor7/13726

CPU: 0 PID: 13726 Comm: syz-executor7 Not tainted 4.16.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
 llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
 llc_conn_service net/llc/llc_conn.c:400 [inline]
 llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
 llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455319
RSP: 002b:7ffc740e5db8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: 00c4 RCX: 00455319
RDX: 000274e8 RSI: 00730500 RDI: 
RBP: 0013 R08:  R09: 
R10:  R11: 0246 R12: 0013
R13:  R14:  R15: 1380

Allocated by task 13728:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 llc_sap_alloc net/llc/llc_core.c:35 [inline]
 llc_sap_open+0x193/0x4d0 net/llc/llc_core.c:102
 llc_ui_bind+0xb8c/0xef0 net/llc/af_llc.c:354
 __sys_bind+0x331/0x440 net/socket.c:1484
 SYSC_bind net/socket.c:1495 [inline]
 SyS_bind+0x24/0x30 net/socket.c:1493
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 13726:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 llc_sap_close+0x1d8/0x2d0 net/llc/llc_core.c:132
 llc_sap_put include/net/llc.h:124 [inline]
 llc_sap_remove_socket+0x460/0x5b0 net/llc/llc_conn.c:760
 llc_ui_release+0x1de/0x220 net/llc/af_llc.c:203
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at 88018be1a280
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 16 bytes inside of
 2048-byte region [88018be1a280, 88018be1aa80)
The buggy address belongs to the page:
page:ea00062f8680 count:1 mapcount:0

KASAN: use-after-free Read in tipc_nametbl_stop

2018-04-15 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
5d1365940a68dd57b031b6e3c07d7d451cd69daf (Thu Apr 12 18:09:05 2018 +)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=d64b64afc55660106556


So far this crash happened 5 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6319968803094528
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6099825221173248
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4953018151731200
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5947642240294114534

compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d64b64afc55660106...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

Failed to remove local publication {0,0,0}/20641
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==
BUG: KASAN: use-after-free in tipc_service_delete net/tipc/name_table.c:751 [inline]
BUG: KASAN: use-after-free in tipc_nametbl_stop+0x94e/0xd70 net/tipc/name_table.c:780

Read of size 8 at addr 8801c4c25130 by task kworker/u4:2/30

CPU: 0 PID: 30 Comm: kworker/u4:2 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 tipc_service_delete net/tipc/name_table.c:751 [inline]
 tipc_nametbl_stop+0x94e/0xd70 net/tipc/name_table.c:780
 tipc_exit_net+0x2d/0x40 net/tipc/core.c:103
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411

Allocated by task 4535:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 tipc_service_create_range net/tipc/name_table.c:183 [inline]
 tipc_service_insert_publ net/tipc/name_table.c:207 [inline]
 tipc_nametbl_insert_publ+0x569/0x1910 net/tipc/name_table.c:371
 tipc_nametbl_publish+0x6c3/0xba0 net/tipc/name_table.c:618
 tipc_sk_publish+0x22a/0x510 net/tipc/socket.c:2604
 tipc_bind+0x206/0x330 net/tipc/socket.c:647
 __sys_bind+0x331/0x440 net/socket.c:1484
 SYSC_bind net/socket.c:1495 [inline]
 SyS_bind+0x24/0x30 net/socket.c:1493
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 30:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 tipc_service_remove_publ.isra.8+0x909/0xc30 net/tipc/name_table.c:283
 tipc_service_delete net/tipc/name_table.c:753 [inline]
 tipc_nametbl_stop+0x746/0xd70 net/tipc/name_table.c:780
 tipc_exit_net+0x2d/0x40 net/tipc/core.c:103
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411

The buggy address belongs to the object at 8801c4c25100
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 48 bytes inside of
 64-byte region [8801c4c25100, 8801c4c25140)
The buggy address belongs to the page:
page:ea0007130940 count:1 mapcount:0 mapping:8801c4c25000 index:0x0
flags: 0x2fffc000100(slab)
raw: 02fffc000100 8801c4c25000  00010020
raw: ea0006ccf860 ea00070840a0 8801dac00340 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801c4c25000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 8801c4c25080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc

8801c4c25100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc

Re: INFO: task hung in do_ip_vs_set_ctl (2)

2018-04-13 Thread syzbot

syzbot has found reproducer for the following crash on net-next commit
17dec0a949153d9ac00760ba2f5b78cb583e995f (Wed Apr 4 02:15:32 2018 +)
Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=7810ed2e0cb359580c17


So far this crash happened 2 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5922062967242752
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5359824032235520
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6352399027404800
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2735707888269579554

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7810ed2e0cb359580...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

INFO: task syzkaller402106:4498 blocked for more than 120 seconds.
  Not tainted 4.16.0+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syzkaller402106 D22184  4498   4494 0x
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x807/0x1e40 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_preempt_disabled+0x10/0x20 kernel/sched/core.c:3607
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0xe38/0x17f0 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 do_ip_vs_set_ctl+0x339/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2393
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:2888
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 smc_setsockopt+0xc7/0x120 net/smc/af_smc.c:1289
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x445959
RSP: 002b:7f2770618db8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 00445959
RDX: 048c RSI:  RDI: 0003
RBP: 006dac20 R08: 0018 R09: 
R10: 2140 R11: 0246 R12: 
R13: 7ffd81ae8f6f R14: 7f27706199c0 R15: 0001

Showing all locks held in the system:
3 locks held by kworker/0:0/4:
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 894403a3 ((addr_chk_work).work){+.+.}, at: process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: ddc85278 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

2 locks held by khungtaskd/877:
 #0: 706bfe1c (rcu_read_lock){}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 706bfe1c (rcu_read_lock){}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
 #1: 761e40d2 (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470

2 locks held by getty/4464:
 #0: f90a9320 (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 5dd151b8 (&tty->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4465:
 #0: 737b5b26 (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 17bb1ae5 (&tty->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4466:
 #0: badd071e (&tty->ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: a46de9fa (&tty->atomic_read_lock){+.+.}, at: n_tt

Re: KMSAN: uninit-value in __netif_receive_skb_core

2018-04-12 Thread syzbot
syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit

35ff515e4bda2646f6c881d33951c306ea9c282a (Tue Apr 10 08:59:43 2018 +)
Merge pull request #11 from parkerduckworth/readme
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b202b7208664142954fa


So far this crash happened 3 times on https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=455991623680
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4590273065648128
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4631921027973120
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b202b720866414295...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==
BUG: KMSAN: uninit-value in __read_once_size include/linux/compiler.h:197 [inline]
BUG: KMSAN: uninit-value in deliver_ptype_list_skb net/core/dev.c:1908 [inline]
BUG: KMSAN: uninit-value in __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545

CPU: 0 PID: 3514 Comm: syzkaller031167 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 __read_once_size include/linux/compiler.h:197 [inline]
 deliver_ptype_list_skb net/core/dev.c:1908 [inline]
 __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 </IRQ>
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 __dev_queue_xmit+0x2a31/0x2b60 net/core/dev.c:3584
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43ffb9
RSP: 002b:7ffd42187708 EFLAGS: 0217 ORIG_RAX: 0014
RAX: ffda RBX: 004002c8 RCX: 0043ffb9
RDX: 0001 RSI: 200010c0 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0217 R12: 004018e0
R13: 00401970 R14:  R15: 

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
 skb_vlan_untag+0x950/0xee0 include/linux/if_vlan.h:597
 __netif_receive_skb_core+0x70a/0x4a80 net/core/dev.c:4460
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net

KMSAN: uninit-value in __netif_receive_skb_core

2018-04-12 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit

e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b202b7208664142954fa


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=535651643762
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b202b720866414295...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in __read_once_size include/linux/compiler.h:197 [inline]
BUG: KMSAN: uninit-value in deliver_ptype_list_skb net/core/dev.c:1908 [inline]
BUG: KMSAN: uninit-value in __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545

CPU: 0 PID: 5999 Comm: syz-executor3 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 __read_once_size include/linux/compiler.h:197 [inline]
 deliver_ptype_list_skb net/core/dev.c:1908 [inline]
 __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 </IRQ>
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 __dev_queue_xmit+0x2a31/0x2b60 net/core/dev.c:3584
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455259
RSP: 002b:7fb53ede8c68 EFLAGS: 0246 ORIG_RAX: 0014
RAX: ffda RBX: 7fb53ede96d4 RCX: 00455259
RDX: 0001 RSI: 200010c0 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 06cd R14: 006fd3d8 R15: 

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
 skb_vlan_untag+0x950/0xee0 include/linux/if_vlan.h:597
 __netif_receive_skb_core+0x70a/0x4a80 net/core/dev.c:4460
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d

KMSAN: uninit-value in netif_skb_features

2018-04-12 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit

e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=0bbe42c764feafa82c5a


So far this crash happened 30 times on https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4850744041668608
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6289386287136768
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4577411249209344
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0bbe42c764feafa82...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline]
BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline]
BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline]
BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009

CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 eth_type_vlan include/linux/if_vlan.h:283 [inline]
 skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
 vlan_features_check include/linux/if_vlan.h:672 [inline]
 dflt_features_check net/core/dev.c:2949 [inline]
 netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
 validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084
 __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43ffa9
RSP: 002b:7fff2cff3948 EFLAGS: 0217 ORIG_RAX: 0014
RAX: ffda RBX: 004002c8 RCX: 0043ffa9
RDX: 0001 RSI: 2080 RDI: 0003
RBP: 006cb018 R08:  R09: 
R10:  R11: 0217 R12: 004018d0
R13: 00401960 R14:  R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix

BUG: corrupted list in team_nl_cmd_options_set

2018-04-11 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4d4af685432dc0e56c91


C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6161158629228544
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5600380654190592
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4627738266697728
Kernel config: https://syzkaller.appspot.com/x/.config?id=-1223000601505858474

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4d4af685432dc0e56...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

8021q: adding VLAN 0 to HW filter on device team0
netlink: 'syzkaller556835': attribute type 3 has an invalid length.
netlink: 'syzkaller556835': attribute type 3 has an invalid length.
list_add double add: new=04f859c0, prev=c9745291, next=04f859c0.

[ cut here ]
kernel BUG at lib/list_debug.c:31!
invalid opcode:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
RSP: 0018:8801b04bf248 EFLAGS: 00010286
RAX: 0058 RBX: 8801c8fc7a90 RCX: 
RDX: 0058 RSI: 815fbf41 RDI: ed0036097e3f
RBP: 8801b04bf260 R08: 8801b0b2a700 R09: ed003b604f90
R10: ed003b604f90 R11: 8801db027c87 R12: 8801c8fc7a90
R13: 8801c8fc7a90 R14: dc00 R15: 
FS:  00b98880() GS:8801db00() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0043fc30 CR3: 0001afe8e000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __list_add include/linux/list.h:60 [inline]
 list_add include/linux/list.h:79 [inline]
 team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
 genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
 genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 SYSC_sendmsg net/socket.c:2164 [inline]
 SyS_sendmsg+0x29/0x30 net/socket.c:2162
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4458b9
RSP: 002b:7ffd1d4a7278 EFLAGS: 0213 ORIG_RAX: 002e
RAX: ffda RBX: 001b RCX: 004458b9
RDX: 0010 RSI: 2d00 RDI: 0004
RBP: 004a74ed R08:  R09: 
R10:  R11: 0213 R12: 7ffd1d4a7348
R13: 00402a60 R14:  R15: 
Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48  
89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f  
40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41

RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: 8801b04bf248
---[ end trace b4f71d7dd7ca6d10 ]---



WARNING: kobject bug in br_add_if

2018-04-11 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
10b84daddbec72c6b440216a69de9a9605127f7a (Sat Mar 31 17:59:00 2018 +)
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=de73361ee4971b6e6f75


So far this crash happened 4 times on net-next, upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5007286875455488
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2760467897697295172

compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+de73361ee4971b6e6...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

R13: 0369 R14: 006f7278 R15: 0006
[ cut here ]
binder: 23650:23651 unknown command 1078223622
kobject_add_internal failed for brport (error: -12 parent: bond0)
binder: 23650:23651 ioctl c0306201 2000dfd0 returned -22
WARNING: CPU: 1 PID: 23647 at lib/kobject.c:242 kobject_add_internal+0x3f6/0xbc0 lib/kobject.c:240

Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 23647 Comm: syz-executor7 Not tainted 4.16.0-rc7+ #374
binder: BINDER_SET_CONTEXT_MGR already set
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:kobject_add_internal+0x3f6/0xbc0 lib/kobject.c:240
RSP: 0018:8801d089f560 EFLAGS: 00010286
RAX: dc08 RBX: 8801adbee178 RCX: 815b193e
RDX: 0004 RSI: c900022aa000 RDI: 11003a113e31
RBP: 8801d089f658 R08: 11003a113df3 R09: 
R10:  R11:  R12: 11003a113eb2
R13: fff4 R14: 8801abd88828 R15: 8801d75a1e00
 kobject_add_varg lib/kobject.c:364 [inline]
 kobject_init_and_add+0xf9/0x150 lib/kobject.c:436
 br_add_if+0x79a/0x1a70 net/bridge/br_if.c:533
 add_del_if+0xf4/0x140 net/bridge/br_ioctl.c:101
 br_dev_ioctl+0xa2/0xc0 net/bridge/br_ioctl.c:396
 dev_ifsioc+0x333/0x9b0 net/core/dev_ioctl.c:334
 dev_ioctl+0x176/0xbe0 net/core/dev_ioctl.c:500
 sock_do_ioctl+0x1ba/0x390 net/socket.c:981
 sock_ioctl+0x367/0x670 net/socket.c:1081
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454e79
RSP: 002b:7eff7dab7c68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7eff7dab86d4 RCX: 00454e79
RDX: 2000 RSI: 89a2 RDI: 0014
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0015
R13: 0369 R14: 006f7278 R15: 0006
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..



KASAN: use-after-free Read in tipc_sub_unsubscribe (2)

2018-04-11 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=aa245f26d42b8305d157


So far this crash happened 2 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5881855630901248
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5979790213382144
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5808961445953536
Kernel config: https://syzkaller.appspot.com/x/.config?id=-1223000601505858474

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aa245f26d42b8305d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

R10: 20b89fe4 R11: 0246 R12: 0005
R13:  R14:  R15: 
Service creation failed, no memory
Failed to subscribe for {1906,0,4294967295}
==
BUG: KASAN: use-after-free in tipc_sub_unsubscribe+0x22d/0x305 net/tipc/subscr.c:167

Read of size 4 at addr 8801b78718d8 by task syzkaller446011/4466

CPU: 1 PID: 4466 Comm: syzkaller446011 Not tainted 4.16.0+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 tipc_sub_unsubscribe+0x22d/0x305 net/tipc/subscr.c:167
 tipc_conn_delete_sub+0x32d/0x530 net/tipc/topsrv.c:245
 tipc_topsrv_kern_unsubscr+0x280/0x3f0 net/tipc/topsrv.c:598
 tipc_group_delete+0x2dd/0x3f0 net/tipc/group.c:231
 tipc_sk_leave+0x10e/0x210 net/tipc/socket.c:2800
 tipc_release+0x146/0x1290 net/tipc/socket.c:576
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43f1f8
RSP: 002b:7fff7867bac8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX:  RCX: 0043f1f8
RDX:  RSI: 003c RDI: 
RBP: 004bf2e8 R08: 00e7 R09: ffd0
R10: 20b89fe4 R11: 0246 R12: 0001
R13: 006d1180 R14:  R15: 

Allocated by task 4466:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 tipc_sub_subscribe+0x25a/0x6b0 net/tipc/subscr.c:143
 tipc_conn_rcv_sub.isra.5+0x42c/0x7e0 net/tipc/topsrv.c:381
 tipc_topsrv_kern_subscr+0x72b/0xad0 net/tipc/topsrv.c:582
 tipc_group_create+0x72e/0xa50 net/tipc/group.c:194
 tipc_sk_join net/tipc/socket.c:2766 [inline]
 tipc_setsockopt+0x2c9/0xd70 net/tipc/socket.c:2881
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 4466:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 tipc_sub_kref_release net/tipc/subscr.c:117 [inline]
 kref_put include/linux/kref.h:70 [inline]
 tipc_sub_put+0x33/0x40 net/tipc/subscr.c:122
 tipc_nametbl_unsubscribe+0x52c/0xaf0 net/tipc/name_table.c:709
 tipc_sub_unsubscribe+0x6d/0x305 net/tipc/subscr.c:166
 tipc_conn_delete_sub+0x32d/0x530 net/tipc/topsrv.c:245
 tipc_topsrv_kern_unsubscr+0x280/0x3f0 net/tipc/topsrv.c:598
 tipc_group_delete+0x2dd/0x3f0 net/tipc/group.c:231
 tipc_sk_leave+0x10e/0x210 net/tipc/socket.c:2800
 tipc_release+0x146/0x1290 net/tipc/socket.c:576
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290

WARNING: possible recursive locking detected

2018-04-11 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3c43eecd7745a5ce1640


So far this crash happened 3 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5103706542440448
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5641659786199040
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5099510896263168
Kernel config: https://syzkaller.appspot.com/x/.config?id=-1223000601505858474

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3c43eecd7745a5ce1...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

IPVS: sync thread started: state = BACKUP, mcast_ifn = lo, syncid = 0, id = 0

IPVS: stopping backup sync thread 4546 ...


IPVS: stopping backup sync thread 4559 ...
WARNING: possible recursive locking detected
4.16.0+ #19 Not tainted

syzkaller046099/4543 is trying to acquire lock:
8d06d497 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74


but task is already holding lock:
IPVS: stopping backup sync thread 4557 ...
8d06d497 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74


other info that might help us debug this:
 Possible unsafe locking scenario:

   CPU0
   
  lock(rtnl_mutex);
  lock(rtnl_mutex);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by syzkaller046099/4543:
 #0: 8d06d497 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
 #1: 8326bc5c (ipvs->sync_mutex){+.+.}, at: do_ip_vs_set_ctl+0x562/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2388


stack backtrace:
CPU: 1 PID: 4543 Comm: syzkaller046099 Not tainted 4.16.0+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
 check_deadlock kernel/locking/lockdep.c:1805 [inline]
 validate_chain kernel/locking/lockdep.c:2401 [inline]
 __lock_acquire.cold.62+0x18c/0x55b kernel/locking/lockdep.c:3431
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0x16d/0x17f0 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
 ip_mc_drop_socket+0x8f/0x270 net/ipv4/igmp.c:2643
 inet_release+0x4e/0x1f0 net/ipv4/af_inet.c:413
 sock_release+0x96/0x1b0 net/socket.c:594
 start_sync_thread+0xdc3/0x2d40 net/netfilter/ipvs/ip_vs_sync.c:1924
 do_ip_vs_set_ctl+0x59c/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2389
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2413
 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x62/0xa0 net/ipv6/udp.c:1424
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447c19
RSP: 002b:7fb627a93db8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 00700024 RCX: 00447c19
RDX: 048b RSI:  RDI: 0004
RBP: 00700020 R08: 0018 R09: 
R10: 2100 R11: 0246 R12: 
R13: 0080fe4f R14: 7fb627a949c0 R15: 2710



Re: KMSAN: uninit-value in tipc_subscrb_rcv_cb

2018-04-10 Thread syzbot
syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit
35ff515e4bda2646f6c881d33951c306ea9c282a (Tue Apr 10 08:59:43 2018 +)
Merge pull request #11 from parkerduckworth/readme
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=75e6e042c5bbf691fc82


So far this crash happened 3 times on https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6676653019234304
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5693411524870144
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5043527943716864
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+75e6e042c5bbf691f...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==
BUG: KMSAN: uninit-value in htohl net/tipc/subscr.c:66 [inline]
BUG: KMSAN: uninit-value in tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339

CPU: 0 PID: 19 Comm: kworker/u4:1 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: tipc_rcv tipc_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 htohl net/tipc/subscr.c:66 [inline]
 tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339
 tipc_receive_from_sock+0x64c/0x800 net/tipc/server.c:271
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
 tipc_receive_from_sock+0x15c/0x800 net/tipc/server.c:253
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406
==



WARNING in ip_rt_bug

2018-04-09 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
8bde261e535257e81087d39ff808414e2f5aa39d (Sun Apr 1 02:31:43 2018 +)
Merge tag 'mlx5-updates-2018-03-30' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b09ac67a2af842b12eab


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5991727739437056
Kernel config: https://syzkaller.appspot.com/x/.config?id=3327544840960562528

compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b09ac67a2af842b12...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

netlink: 'syz-executor6': attribute type 3 has an invalid length.
WARNING: CPU: 0 PID: 11678 at net/ipv4/route.c:1213 ip_rt_bug+0x15/0x20 net/ipv4/route.c:1212

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 11678 Comm: kworker/u4:7 Not tainted 4.16.0-rc6+ #289
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:ip_rt_bug+0x15/0x20 net/ipv4/route.c:1212
RSP: 0018:8801db007290 EFLAGS: 00010282
RAX: dc00 RBX: 8801d8dda3c0 RCX: 856c31ca
RDX: 0100 RSI: 8858c300 RDI: 0282
RBP: 8801db007298 R08: 11003b600de1 R09: 
R10:  R11:  R12: 8801d8dda3c0
R13: 88019bdb2200 R14: 88019bdeed80 R15: 8801d8dda418
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
 ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1414
 ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1434
 icmp_push_reply+0x395/0x4f0 net/ipv4/icmp.c:394
 icmp_send+0x1136/0x19b0 net/ipv4/icmp.c:741
 ipv4_link_failure+0x2a/0x1b0 net/ipv4/route.c:1200
 dst_link_failure include/net/dst.h:427 [inline]
 arp_error_report+0xae/0x180 net/ipv4/arp.c:297
 neigh_invalidate+0x225/0x530 net/core/neighbour.c:883
 neigh_timer_handler+0x897/0xd60 net/core/neighbour.c:969
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
 
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:778 [inline]

RIP: 0010:lock_acquire+0x256/0x580 kernel/locking/lockdep.c:3923
RSP: 0018:880197b3f980 EFLAGS: 0282 ORIG_RAX: ff12
RAX: dc00 RBX: 8801d225e400 RCX: 
RDX: 110a24e5 RSI: b98b8227 RDI: 0282
RBP: 880197b3fa78 R08: 110032f67e93 R09: 0004
R10: 880197b3f960 R11: 0003 R12: 110032f67f36
R13:  R14:  R15: 0001
 down_write_killable+0x8a/0x140 kernel/locking/rwsem.c:84
 __bprm_mm_init fs/exec.c:297 [inline]
 bprm_mm_init fs/exec.c:414 [inline]
 do_execveat_common.isra.30+0xc8e/0x23c0 fs/exec.c:1771
 do_execve+0x31/0x40 fs/exec.c:1847
 call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..




KMSAN: uninit-value in tipc_subscrb_rcv_cb

2018-04-08 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=75e6e042c5bbf691fc82


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5784467448791040
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329060) (llvm/trunk 329054)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+75e6e042c5bbf691f...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in htohl net/tipc/subscr.c:66 [inline]
BUG: KMSAN: uninit-value in tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339

CPU: 1 PID: 5017 Comm: kworker/u4:6 Not tainted 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: tipc_rcv tipc_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 htohl net/tipc/subscr.c:66 [inline]
 tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339
 tipc_receive_from_sock+0x64c/0x800 net/tipc/server.c:271
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
 tipc_receive_from_sock+0x15c/0x800 net/tipc/server.c:253
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406
==
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 5017 Comm: kworker/u4:6 Tainted: GB4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: tipc_rcv tipc_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 panic+0x39d/0x940 kernel/panic.c:183
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 htohl net/tipc/subscr.c:66 [inline]
 tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339
 tipc_receive_from_sock+0x64c/0x800 net/tipc/server.c:271
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406
Shutting down cpus with NMI
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..



KMSAN: uninit-value in _decode_session6

2018-04-08 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=2974b85346f85b586f4d


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4871594698604544
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329060) (llvm/trunk 329054)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2974b85346f85b586...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in _decode_session6+0x6d1/0x1290 net/ipv6/xfrm6_policy.c:151

CPU: 1 PID: 5714 Comm: blkid Not tainted 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 _decode_session6+0x6d1/0x1290 net/ipv6/xfrm6_policy.c:151
 __xfrm_decode_session+0x140/0x1c0 net/xfrm/xfrm_policy.c:2368
 xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
 icmpv6_route_lookup net/ipv6/icmp.c:372 [inline]
 icmp6_send+0x305f/0x3460 net/ipv6/icmp.c:551
 icmpv6_send+0xe0/0x110 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x8f/0x580 net/ipv6/route.c:2034
 dst_link_failure include/net/dst.h:426 [inline]
 ndisc_error_report+0x101/0x1a0 net/ipv6/ndisc.c:695
 neigh_invalidate+0x385/0x930 net/core/neighbour.c:883
 neigh_timer_handler+0xd85/0x12d0 net/core/neighbour.c:969
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
 
RIP: 0010:kmsan_get_origin_address_noruntime+0x8f/0x260 include/linux/mmzone.h:1206

RSP: :880165b0fb40 EFLAGS: 0202 ORIG_RAX: ff12
RAX: 8801e5b0fcc8 RBX:  RCX: 88021fff1580
RDX: 0580 RSI:  RDI: 880165b0fcc8
RBP: 880165b0fb78 R08: 01080020 R09: 0002
R10:  R11:  R12: 0068
R13: d3a0004b R14: 880165b0fcc8 R15: 
 kmsan_set_origin_inline+0x6b/0x120 mm/kmsan/kmsan_instr.c:585
 __msan_poison_alloca+0x15c/0x1d0 mm/kmsan/kmsan_instr.c:647
 handle_mm_fault+0x1c8/0x7ba0 mm/memory.c:4114
 __do_page_fault+0xec4/0x1a10 arch/x86/mm/fault.c:1423
 do_page_fault+0xd3/0x260 arch/x86/mm/fault.c:1500
 page_fault+0x45/0x50 arch/x86/entry/entry_64.S:1151
RIP: 0033:0x7f93ad8e4789
RSP: 002b:7ffd11b3cf20 EFLAGS: 00010216
RAX: 7f93ad4742a0 RBX: 7f93adaf79a8 RCX: 04a8
RDX: 7f93ad6a9028 RSI: aaab RDI: 
RBP: 7ffd11b3d000 R08: 0001 R09: 0010
R10: 7f93ad343a30 R11: 0206 R12: 7f93ad325000
R13: 7f93ad343220 R14: 7f93ad33d748 R15: 7f93adaef740

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:526
 __msan_memcpy+0x19f/0x1f0 mm/kmsan/kmsan_instr.c:470
 skb_copy_bits+0x63a/0xdb0 net/core/skbuff.c:2046
 __pskb_pull_tail+0x483/0x22e0 net/core/skbuff.c:1883
 pskb_may_pull include/linux/skbuff.h:2112 [inline]
 _decode_session6+0x79f/0x1290 net/ipv6/xfrm6_policy.c:152
 __xfrm_decode_session+0x140/0x1c0 net/xfrm/xfrm_policy.c:2368
 xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
 icmpv6_route_lookup net/ipv6/icmp.c:372 [inline]
 icmp6_send+0x305f/0x3460 net/ipv6/icmp.c:551
 icmpv6_send+0xe0/0x110 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x8f/0x580 net/ipv6/route.c:2034
 dst_link_failure include/net/dst.h:426 [inline]
 ndisc_error_report+0x101/0x1a0 net/ipv6/ndisc.c:695
 neigh_invalidate+0x385/0x930 net/core/neighbour.c:883
 neigh_timer_handler+0xd85/0x12d0 net/core/neighbour.c:969
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel

Re: KMSAN: uninit-value in tipc_node_get_mtu

2018-04-07 Thread syzbot
syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit

e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b0975ce9355b347c1546


So far this crash happened 16 times on https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5297557005664256
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4600034989441024
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5107856890134528
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b0975ce9355b347c1...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==
BUG: KMSAN: uninit-value in tipc_node_find net/tipc/node.c:236 [inline]
BUG: KMSAN: uninit-value in tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185

CPU: 1 PID: 3571 Comm: syzkaller770798 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 tipc_node_find net/tipc/node.c:236 [inline]
 tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
 __tipc_sendmsg+0x1b32/0x41c0 net/tipc/socket.c:1364
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fd49
RSP: 002b:7ffd0061aba8 EFLAGS: 0213 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 0043fd49
RDX:  RSI: 2095ffc8 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 00401670
R13: 00401700 R14:  R15: 

Local variable description: dnode@__tipc_sendmsg
Variable was created at:
 __tipc_sendmsg+0x20c/0x41c0 net/tipc/socket.c:1272
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
==
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 3571 Comm: syzkaller770798 Tainted: G B 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 panic+0x39d/0x940 kernel/panic.c:183
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 tipc_node_find net/tipc/node.c:236 [inline]
 tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
 __tipc_sendmsg+0x1b32/0x41c0 net/tipc/socket.c:1364
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fd49
RSP: 002b:7ffd0061aba8 EFLAGS: 0213 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 0043fd49
RDX:  RSI: 2095ffc8 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 00401670
R13: 00401700 R14:  R15: 
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..



KMSAN: uninit-value in tipc_node_get_mtu

2018-04-07 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit

e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b0975ce9355b347c1546


So far this crash happened 14 times on https://github.com/google/kmsan.git/master.

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6058260943601664
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329060) (llvm/trunk 329054)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b0975ce9355b347c1...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in tipc_node_find net/tipc/node.c:236 [inline]
BUG: KMSAN: uninit-value in tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185

CPU: 1 PID: 5393 Comm: syz-executor0 Not tainted 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 tipc_node_find net/tipc/node.c:236 [inline]
 tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
 __tipc_sendmsg+0x1b32/0x41c0 net/tipc/socket.c:1364
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455259
RSP: 002b:7feeb8eb4c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7feeb8eb56d4 RCX: 00455259
RDX:  RSI: 20001840 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 04cc R14: 006fa3c0 R15: 

Local variable description: dnode@__tipc_sendmsg
Variable was created at:
 __tipc_sendmsg+0x20c/0x41c0 net/tipc/socket.c:1272
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
==
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 5393 Comm: syz-executor0 Tainted: G B 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 panic+0x39d/0x940 kernel/panic.c:183
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 tipc_node_find net/tipc/node.c:236 [inline]
 tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
 __tipc_sendmsg+0x1b32/0x41c0 net/tipc/socket.c:1364
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455259
RSP: 002b:7feeb8eb4c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7feeb8eb56d4 RCX: 00455259
RDX:  RSI: 20001840 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 04cc R14: 006fa3c0 R15: 
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.

Note: all commands must start from beginning
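
Every report in this archive follows the same mail layout: a subject line, a tree and commit, a dashboard link carrying the `extid`, an optional crash count and reproducer links, the `Reported-by:` tag, then the sanitizer or lockdep output with its call trace. When many of these arrive in a day, the first triage step is mechanical. The parser below is an added example, not code from syzbot or syzkaller; it pulls those header fields and the first call-trace frame that belongs to the subsystem rather than to the KASAN/KMSAN/panic plumbing (the list of plumbing frames and the regular expressions are this example's own assumptions about the format shown above). The embedded sample is constructed from the tipc_node_get_mtu report on this page, keeping the archive's soft line wraps so the unwrapping step is exercised; the `Reported-by` address is kept exactly as the archive shows it (elided with `...`), so feed the tool the original mail if you need the full tag.

```python
"""Triage helper for syzbot reports as they are mailed to the kernel lists.
Added example, not code from syzbot or syzkaller.  Regexes and the list of
harness frames are this example's own assumptions about the mail format."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Frames emitted by KASAN/KMSAN/panic machinery rather than by the code under
# test; the first trace frame after these is the triage suspect (assumption).
_HARNESS = re.compile(
    r"^_*(dump_stack|kasan_|kmsan_|msan_|asan_|print_address_description"
    r"|panic|warn\b|report_bug|fixup_bug|do_error_trap|do_invalid_op|invalid_op)"
)
_FRAME = re.compile(
    r"^\s+(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"\s+(?P<loc>[\w./-]+:\d+)"
)
_BUG_PREFIXES = ("BUG: ", "WARNING: ", "kernel BUG at",
                 "general protection fault", "INFO: task")


@dataclass
class SyzReport:
    title: str = ""
    tree: str = ""
    commit: str = ""
    extid: str = ""
    reported_by: str = ""
    crash_count: Optional[int] = None
    c_repro: str = ""
    syz_repro: str = ""
    bug_lines: List[str] = field(default_factory=list)
    suspect_frame: str = ""

    @property
    def has_reproducer(self) -> bool:
        return bool(self.c_repro or self.syz_repro)


def parse_report(text: str) -> SyzReport:
    r = SyzReport()
    # List archives render syzbot mail as format=flowed: a line ending in two
    # spaces continues on the next line, so rejoin those before matching.
    text = re.sub(r"  \n", " ", text)
    simple = {
        "title": r"^(\S.*)\n\n\d{4}-\d{2}-\d{2} Thread syzbot",
        "extid": r"bug\?extid=([0-9a-f]+)",
        "reported_by": r"^Reported-by: (\S+)",
        "c_repro": r"^C reproducer: (\S+)",
        "syz_repro": r"^syzkaller reproducer: (\S+)",
    }
    for name, pat in simple.items():
        m = re.search(pat, text, re.M)
        if m:
            setattr(r, name, m.group(1).strip())
    m = re.search(r"crash on (\S+) commit\s+([0-9a-f]{40})", text)
    if m:
        r.tree, r.commit = m.group(1), m.group(2)
    m = re.search(r"crash happened (\d+) times on", text)
    if m:
        r.crash_count = int(m.group(1))
    in_trace = False
    for line in text.splitlines():
        if line.startswith(_BUG_PREFIXES):
            r.bug_lines.append(line.strip())
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and not r.suspect_frame:
            fm = _FRAME.match(line)
            if fm is None:
                in_trace = False  # trace ended without a subsystem frame
            elif not _HARNESS.match(fm.group("func")):
                r.suspect_frame = f"{fm.group('func')} {fm.group('loc')}"
    return r


# Constructed sample: header of the tipc_node_get_mtu report on this page,
# with the archive's soft wraps ("  " before the newline) kept on purpose.
SAMPLE = (
    "KMSAN: uninit-value in tipc_node_get_mtu\n\n2018-04-07 Thread syzbot\n\n"
    "syzbot has found reproducer for the following crash on  \n"
    "https://github.com/google/kmsan.git/master commit\n\n"
    "e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)\n"
    "syzbot dashboard link:  \nhttps://syzkaller.appspot.com/bug?extid=b0975ce9355b347c1546\n\n"
    "So far this crash happened 16 times on  \nhttps://github.com/google/kmsan.git/master.\n\n"
    "C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5297557005664256\n"
    "syzkaller reproducer:  \nhttps://syzkaller.appspot.com/x/repro.syz?id=4600034989441024\n\n"
    "Reported-by: syzbot+b0975ce9355b347c1...@syzkaller.appspotmail.com\n\n"
    "BUG: KMSAN: uninit-value in tipc_node_find net/tipc/node.c:236 [inline]\n"
    "BUG: KMSAN: uninit-value in tipc_node_get_mtu+0x200/0x7a0  \nnet/tipc/node.c:185\n\n"
    "Call Trace:\n"
    " __dump_stack lib/dump_stack.c:17 [inline]\n"
    " dump_stack+0x185/0x1d0 lib/dump_stack.c:53\n"
    " kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067\n"
    " __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676\n"
    " tipc_node_find net/tipc/node.c:236 [inline]\n"
    " tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185\n"
)

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(f"{rep.title} [{rep.extid}] {rep.tree}@{rep.commit[:12]} seen {rep.crash_count}x")
    print(f"  repro={rep.has_reproducer} suspect={rep.suspect_frame}")
```

Run it on the sample and it names `tipc_node_find net/tipc/node.c:236` as the suspect frame, which is the `[inline]` callee the `BUG:` line blames. A report with no `Call Trace:` or no reproducer simply yields empty fields rather than an exception, so the same function can be run over a whole mailbox and the results sorted by crash count and reproducer availability.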

INFO: task hung in do_ip_vs_set_ctl (2)

2018-04-07 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
3fd14cdcc05a682b03743683ce3a726898b20555 (Fri Apr 6 19:15:41 2018 +)
Merge tag 'mtd/for-4.17' of git://git.infradead.org/linux-mtd
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=7810ed2e0cb359580c17


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5452586266132480
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5813481738265533882

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7810ed2e0cb359580...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

IPVS: stopping backup sync thread 25820 ...
IPVS: sync thread started: state = BACKUP, mcast_ifn = lo, syncid = 0, id = 0
IPVS: sync thread started: state = BACKUP, mcast_ifn = bridge0, syncid = 5, id = 0

IPVS: stopping backup sync thread 25825 ...
INFO: task syz-executor4:25814 blocked for more than 120 seconds.
  Not tainted 4.16.0+ #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor4   D23496 25814   4577 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x807/0x1e40 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_preempt_disabled+0x10/0x20 kernel/sched/core.c:3607
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0xe38/0x17f0 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 do_ip_vs_set_ctl+0x562/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2388
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2413
 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x62/0xa0 net/ipv6/udp.c:1424
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455259
RSP: 002b:7f2f6a5c0c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f2f6a5c16d4 RCX: 00455259
RDX: 048b RSI:  RDI: 0019
RBP: 0072bea0 R08: 0018 R09: 
R10: 2100 R11: 0246 R12: 
R13: 0520 R14: 006faba0 R15: 

Showing all locks held in the system:
3 locks held by kworker/1:0/18:
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 34433a79 (deferred_process_work){+.+.}, at: process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: c152a7e0 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

3 locks held by kworker/1:1/25:
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 04c9dcc7 ((wq_completion)&q

kernel BUG at drivers/vhost/vhost.c:LINE! (2)

2018-04-06 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +)
Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=65a84dde0214b0387ccd


So far this crash happened 4 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6586748079439872
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5974272052822016
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6224632407392256
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5813481738265533882

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+65a84dde0214b0387...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

[ cut here ]
kernel BUG at drivers/vhost/vhost.c:1652!
invalid opcode:  [#1] SMP KASAN
[ cut here ]
Dumping ftrace buffer:
kernel BUG at drivers/vhost/vhost.c:1652!
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4461 Comm: syzkaller684218 Not tainted 4.16.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:set_bit_to_user drivers/vhost/vhost.c:1652 [inline]
RIP: 0010:log_write+0x42a/0x4d0 drivers/vhost/vhost.c:1676
RSP: 0018:8801b256f920 EFLAGS: 00010293
RAX: 8801adc9e2c0 RBX: dc00 RCX: 85924a0f
RDX:  RSI: 85924cea RDI: 0005
RBP: 8801b256fa58 R08: 8801adc9e2c0 R09: ed003962412d
R10: 8801b256fad8 R11: 8801cb12096f R12: 0001
R13: ed00364adf36 R14:  R15: 8801b256fa30
FS:  7fdf24b19700() GS:8801db10() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 20bf6000 CR3: 0001ae6a7000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 vhost_update_used_flags+0x3af/0x4a0 drivers/vhost/vhost.c:1723
 vhost_vq_init_access+0x117/0x590 drivers/vhost/vhost.c:1763
 vhost_vsock_start drivers/vhost/vsock.c:446 [inline]
 vhost_vsock_dev_ioctl+0x751/0x920 drivers/vhost/vsock.c:678
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 SYSC_ioctl fs/ioctl.c:708 [inline]
 SyS_ioctl+0x24/0x30 fs/ioctl.c:706
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4456c9
RSP: 002b:7fdf24b18da8 EFLAGS: 0297 ORIG_RAX: 0010
RAX: ffda RBX: 006dac24 RCX: 004456c9
RDX: 20f82ffc RSI: 4004af61 RDI: 001b
RBP: 006dac20 R08:  R09: 
R10:  R11: 0297 R12: 6b636f73762d7473
R13: 6f68762f7665642f R14: fffc R15: 0007
Code: e8 7c 5e e4 fb 4c 89 ef e8 e4 16 06 fc 48 8d 85 58 ff ff ff 48 c1 e8 03 c6 04 18 f8 e9 46 ff ff ff 45 31 f6 eb 91 e8 56 5e e4 fb <0f> 0b e8 4f 5e e4 fb 48 c7 c6 a0 a3 24 88 4c 89 ef e8 60 b6 10
RIP: set_bit_to_user drivers/vhost/vhost.c:1652 [inline] RSP: 8801b256f920

RIP: log_write+0x42a/0x4d0 drivers/vhost/vhost.c:1676 RSP: 8801b256f920
invalid opcode:  [#2] SMP KASAN
---[ end trace 0d0ff45aa44d8a23 ]---
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.

Note: all commands must start from beginning of the line in the email body.


Re: WARNING in xfrm6_tunnel_net_exit

2018-04-06 Thread syzbot

syzbot has found reproducer for the following crash on upstream commit
3c8ba0d61d04ced9f8d9ff93977995a9e4e96e91 (Sat Mar 31 01:52:36 2018 +)
kernel.h: Retain constant expression output for max()/min()
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=777bf170a89e7b326405


So far this crash happened 10982 times on linux-next, mmots, net-next, upstream.
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5399809707999232
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4550974920196096
Kernel config: https://syzkaller.appspot.com/x/.config?id=-1647968177339044852

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+777bf170a89e7b326...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
WARNING: CPU: 0 PID: 180 at net/ipv6/xfrm6_tunnel.c:345 xfrm6_tunnel_net_exit+0x2c0/0x4f0 net/ipv6/xfrm6_tunnel.c:345

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 180 Comm: kworker/u4:4 Not tainted 4.16.0+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b9/0x29f lib/dump_stack.c:53
 panic+0x22f/0x4de kernel/panic.c:183
 __warn.cold.8+0x163/0x1a3 kernel/panic.c:547
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1bc/0x470 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:991
RIP: 0010:xfrm6_tunnel_net_exit+0x2c0/0x4f0 net/ipv6/xfrm6_tunnel.c:345
RSP: 0018:8801d96373d8 EFLAGS: 00010293
RAX: 8801d961c080 RBX: 8801b0e999a0 RCX: 866b08c6
RDX:  RSI: 866b08d0 RDI: 0007
RBP: 8801d96374f8 R08: 8801d961c080 R09: ed003b6046c2
R10: 0003 R11: 0003 R12: 007c
R13: ed003b2c6e82 R14: 8801d96374d0 R15: 8801b6185f80
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..



KASAN: use-after-free Read in ccid2_hc_tx_packet_recv

2018-04-02 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
0adb32858b0bddf4ada5f364a84ed60b196dbcda (Sun Apr 1 21:20:27 2018 +)
Linux 4.16
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5822430194958336
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2374466361298166459

compiler: gcc (GCC) 7.1.1 20170620
user-space arch: i386

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+554ccde221001ab54...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

R10:  R11:  R12: 
R13:  R14:  R15: 
dccp_parse_options: DCCP(7d56a000): Option 32 (len=7) error=9
==
dccp_check_seqno: Step 6 failed for RESET packet, (LSWL(279336972291068) <= P.seqno(279336972291066) <= S.SWH(279336972291142)) and (P.ackno exists or LAWL(234137106534459) <= P.ackno(234137106534459) <= S.AWH(234137106534460), sending SYNC...
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x234a/0x2440 net/dccp/ccids/ccid2.c:598

Read of size 1 at addr 8801bb7a4a82 by task syz-executor1/1660

CPU: 1 PID: 1660 Comm: syz-executor1 Not tainted 4.16.0+ #285
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 ccid2_hc_tx_packet_recv+0x234a/0x2440 net/dccp/ccids/ccid2.c:598
 ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
 dccp_deliver_input_to_ccids+0x1d0/0x250 net/dccp/input.c:186
 dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x135/0x160 net/dccp/ipv4.c:653
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 dccp_sendmsg+0x528/0xe60 net/dccp/proto.c:820
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
 __sys_sendmmsg+0x31b/0x620 net/socket.c:2129
 C_SYSC_sendmmsg net/compat.c:745 [inline]
 compat_SyS_sendmmsg+0x32/0x40 net/compat.c:742
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f6dc99
RSP: 002b:f5f690ac EFLAGS: 0282 ORIG_RAX: 0159
RAX: ffda RBX: 0013 RCX: 2000b880
RDX: 0122 RSI:  RDI: 
RBP:  R08:  R09: 
R10:  R11:  R12: 
R13:  R14:  R15: 

Allocated by task 1660:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 __do_kmalloc_node mm/slab.c:3670 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3684
 __kmalloc_reserve.isra.39+0x41/0xd0 net/core/skbuff.c:137
 __alloc_skb+0x13b/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:983 [inline]
 dccp_send_ack+0xb6/0x350 net/dccp/output.c:580
 ccid2_hc_rx_packet_recv+0x10d/0x180 net/dccp/ccids/ccid2.c:766
 ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
 dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
 dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x135/0x160 net/dccp/ipv4.c:653
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __sk_receive_skb+0x33e/0xc10 net/core/sock.c:513
 dccp_v4_rcv+0xf5f/0x1c80 net/dccp/ipv4.c:874
 ip_local_deliver_finish+0x2f1/0xc50 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0xa36/0x2040 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0xb76/0x1820 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4562
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
 process_backlog+0x203/0x740 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x792/0x1910 net/core/dev.c:5771
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285

Freed by task 1660:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c

possible deadlock in skb_queue_tail

2018-04-02 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
06b19fe9a6df7aaa423cd8404ebe5ac9ec4b2960 (Sun Apr 1 03:37:33 2018 +)
Merge branch 'chelsio-inline-tls'
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=6b495100f17ca8554ab9


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6218830443446272
Kernel config: https://syzkaller.appspot.com/x/.config?id=3327544840960562528

compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b495100f17ca8554...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.


==
WARNING: possible circular locking dependency detected
4.16.0-rc6+ #290 Not tainted
--
syz-executor7/20971 is trying to acquire lock:
 (&af_unix_sk_receive_queue_lock_key){+.+.}, at: [<271ef0d8>] skb_queue_tail+0x26/0x150 net/core/skbuff.c:2899


but task is already holding lock:
 (&(&u->lock)->rlock/1){+.+.}, at: [<4e725e14>] unix_state_double_lock+0x7b/0xb0 net/unix/af_unix.c:1088


which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&(&u->lock)->rlock/1){+.+.}:
   _raw_spin_lock_nested+0x28/0x40 kernel/locking/spinlock.c:354
   sk_diag_dump_icons net/unix/diag.c:82 [inline]
   sk_diag_fill.isra.4+0xa52/0xfe0 net/unix/diag.c:144
   sk_diag_dump net/unix/diag.c:178 [inline]
   unix_diag_dump+0x400/0x4f0 net/unix/diag.c:206
   netlink_dump+0x492/0xcf0 net/netlink/af_netlink.c:2221
   __netlink_dump_start+0x4ec/0x710 net/netlink/af_netlink.c:2318
   netlink_dump_start include/linux/netlink.h:214 [inline]
   unix_diag_handler_dump+0x3e7/0x750 net/unix/diag.c:307
   __sock_diag_cmd net/core/sock_diag.c:230 [inline]
   sock_diag_rcv_msg+0x204/0x360 net/core/sock_diag.c:261
   netlink_rcv_skb+0x14b/0x380 net/netlink/af_netlink.c:2443
   sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:272
   netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
   netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1333
   netlink_sendmsg+0xa4a/0xe80 net/netlink/af_netlink.c:1896
   sock_sendmsg_nosec net/socket.c:629 [inline]
   sock_sendmsg+0xca/0x110 net/socket.c:639
   sock_write_iter+0x31a/0x5d0 net/socket.c:908
   call_write_iter include/linux/fs.h:1782 [inline]
   new_sync_write fs/read_write.c:469 [inline]
   __vfs_write+0x684/0x970 fs/read_write.c:482
   vfs_write+0x189/0x510 fs/read_write.c:544
   SYSC_write fs/read_write.c:589 [inline]
   SyS_write+0xef/0x220 fs/read_write.c:581
   do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
   entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&af_unix_sk_receive_queue_lock_key){+.+.}:
   lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
   skb_queue_tail+0x26/0x150 net/core/skbuff.c:2899
   unix_dgram_sendmsg+0xa30/0x1610 net/unix/af_unix.c:1807
   sock_sendmsg_nosec net/socket.c:629 [inline]
   sock_sendmsg+0xca/0x110 net/socket.c:639
   ___sys_sendmsg+0x320/0x8b0 net/socket.c:2047
   __sys_sendmmsg+0x1ee/0x620 net/socket.c:2137
   SYSC_sendmmsg net/socket.c:2168 [inline]
   SyS_sendmmsg+0x35/0x60 net/socket.c:2163
   do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
   entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&(&u->lock)->rlock/1);
                               lock(&af_unix_sk_receive_queue_lock_key);
                               lock(&(&u->lock)->rlock/1);
  lock(&af_unix_sk_receive_queue_lock_key);

 *** DEADLOCK ***

1 lock held by syz-executor7/20971:
 #0: (&(&u->lock)->rlock/1){+.+.}, at: [<4e725e14>] unix_state_double_lock+0x7b/0xb0 net/unix/af_unix.c:1088


stack backtrace:
CPU: 0 PID: 20971 Comm: syz-executor7 Not tainted 4.16.0-rc6+ #290
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:

general protection fault in tipc_nametbl_unsubscribe

2018-04-02 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
10b84daddbec72c6b440216a69de9a9605127f7a (Sat Mar 31 17:59:00 2018 +)
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4859fe19555ea87c42f3


So far this crash happened 3 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4775372465897472
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4868734988582912
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=507380209544
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2760467897697295172

compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4859fe19555ea87c4...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

R13:  R14:  R15: 
Name sequence creation failed, no memory
Failed to create subscription for {24576,0,4294967295}
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4447 Comm: syzkaller851181 Not tainted 4.16.0-rc7+ #374
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:__list_del_entry_valid+0x7e/0x150 lib/list_debug.c:51
RSP: 0018:8801ae1aef48 EFLAGS: 00010246
RAX: dc00 RBX:  RCX: 
RDX:  RSI: 8801cf54c760 RDI: 8801cf54c768
RBP: 8801ae1aef60 R08: 110035c35cff R09: 89956150
R10: 8801ae1aee28 R11: 168a R12: 87745ea0
R13: 8801ae1af100 R14: 8801cf54c760 R15: 8801cf4c8cc0
FS:  () GS:8801db10() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 55dce15c3090 CR3: 0846a002 CR4: 001606e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del_init include/linux/list.h:159 [inline]
 tipc_nametbl_unsubscribe+0x318/0x990 net/tipc/name_table.c:848
 tipc_subscrb_subscrp_delete+0x1e9/0x460 net/tipc/subscr.c:212
 tipc_subscrb_delete net/tipc/subscr.c:242 [inline]
 tipc_subscrb_release_cb+0x17/0x30 net/tipc/subscr.c:321
 tipc_topsrv_kern_unsubscr+0x2c3/0x430 net/tipc/server.c:535
 tipc_group_delete+0x2c0/0x3d0 net/tipc/group.c:231
 tipc_sk_leave+0x10b/0x200 net/tipc/socket.c:2795
 tipc_release+0x154/0xff0 net/tipc/socket.c:577
 sock_release+0x8d/0x1e0 net/socket.c:595
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x327/0x7e0 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ad0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43f228
RSP: 002b:7ffde31217e8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX:  RCX: 0043f228
RDX:  RSI: 003c RDI: 
RBP: 004bf308 R08: 00e7 R09: ffd0
R10: 204ee000 R11: 0246 R12: 0001
R13: 006d1180 R14:  R15: 
Code: 00 00 00 00 ad de 49 39 c4 74 66 48 b8 00 02 00 00 00 00 ad de 48 89 da 48 39 c3 74 65 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 7b 48 8b 13 48 39 f2 75 57 49 8d 7c 24 08 48 b8
RIP: __list_del_entry_valid+0x7e/0x150 lib/list_debug.c:51 RSP: 8801ae1aef48

---[ end trace ba18c1598e2d5535 ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.

Note: all commands must start from beginning of th
