KASAN: use-after-free Read in __llc_lookup_established
Hello,

syzbot found the following crash on:

HEAD commit:    3d647e62686f Merge tag 's390-4.19-4' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1707d80940
kernel config:  https://syzkaller.appspot.com/x/.config?x=88e9a8a39dc0be2d
dashboard link: https://syzkaller.appspot.com/bug?extid=11e05f04c15e03be5254
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+11e05f04c15e03be5...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in llc_estab_match net/llc/llc_conn.c:494 [inline]
BUG: KASAN: use-after-free in __llc_lookup_established+0xc80/0xe10 net/llc/llc_conn.c:522
Read of size 1 at addr 8801c5794a7f by task syz-executor3/10277

CPU: 0 PID: 10277 Comm: syz-executor3 Not tainted 4.19.0-rc7+ #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
net_ratelimit: 9 callbacks suppressed
openvswitch: netlink: Key type 12288 is out of range max 29
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 llc_estab_match net/llc/llc_conn.c:494 [inline]
 __llc_lookup_established+0xc80/0xe10 net/llc/llc_conn.c:522
openvswitch: netlink: Key type 12288 is out of range max 29
 llc_lookup_established+0x36/0x60 net/llc/llc_conn.c:554
 llc_ui_bind+0x810/0xdd0 net/llc/af_llc.c:381
 __sys_bind+0x331/0x440 net/socket.c:1483
 __do_sys_bind net/socket.c:1494 [inline]
 __se_sys_bind net/socket.c:1492 [inline]
 __x64_sys_bind+0x73/0xb0 net/socket.c:1492
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457579
Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f2a18100c78 EFLAGS: 0246 ORIG_RAX: 0031
RAX: ffda RBX: 0003 RCX: 00457579
RDX: 0010 RSI: 2040 RDI: 0006
RBP: 0072bf00 R08: R09: R10:
R11: 0246 R12: 7f2a181016d4 R13: 004bd718
R14: 004cbfe0 R15:

Allocated by task 10278:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 sk_prot_alloc+0x1b0/0x2e0 net/core/sock.c:1468
 sk_alloc+0x10d/0x1690 net/core/sock.c:1522
 llc_sk_alloc+0x35/0x4b0 net/llc/llc_conn.c:949
 llc_ui_create+0x142/0x520 net/llc/af_llc.c:173
 __sock_create+0x536/0x930 net/socket.c:1277
 sock_create net/socket.c:1317 [inline]
 __sys_socket+0x106/0x260 net/socket.c:1347
 __do_sys_socket net/socket.c:1356 [inline]
 __se_sys_socket net/socket.c:1354 [inline]
 __x64_sys_socket+0x73/0xb0 net/socket.c:1354
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10276:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3813
 sk_prot_free net/core/sock.c:1505 [inline]
 __sk_destruct+0x797/0xa80 net/core/sock.c:1587
 sk_destruct+0x78/0x90 net/core/sock.c:1595
 __sk_free+0xcf/0x300 net/core/sock.c:1606
 sk_free+0x42/0x50 net/core/sock.c:1617
 sock_put include/net/sock.h:1691 [inline]
 llc_sk_free+0x9d/0xb0 net/llc/llc_conn.c:1017
 llc_ui_release+0x161/0x2a0 net/llc/af_llc.c:218
 __sock_release+0xd7/0x250 net/socket.c:579
 sock_close+0x19/0x20 net/socket.c:1141
 __fput+0x385/0xa30 fs/file_table.c:278
 fput+0x15/0x20 fs/file_table.c:309
 task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801c5794600
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1151 bytes inside of
 2048-byte region [8801c5794600, 8801c5794e00)
The buggy address belongs to th
general protection fault in do_raw_spin_unlock
Hello,

syzbot found the following crash on:

HEAD commit:    1d4eb636f0ab Add linux-next specific files for 20180716
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1186bf0c40
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea5926dddb0db97a
dashboard link: https://syzkaller.appspot.com/bug?extid=83a25334ef203851dc81
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=179ed0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+83a25334ef203851d...@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 4.18.0-rc5-next-20180716+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_poll_workfn
RIP: 0010:debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline]
RIP: 0010:do_raw_spin_unlock+0x65/0x2f0 kernel/locking/spinlock_debug.c:134
Code: 0a bd 88 48 c7 85 78 ff ff ff b3 8a b5 41 48 c7 45 88 d0 3c 60 81 c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9
RSP: 0018:8801d945f288 EFLAGS: 00010047
RAX: dc00 RBX: RCX: 8770a045
RDX: RSI: 0001 RDI: 0004
RBP: 8801d945f310 R08: 11003b28be45 R09: ed0035e7bd88
R10: ed0035e7bd88 R11: 8801af3dec43 R12:
R13: 11003b28be51 R14: 8801d945f2e8 R15: 8801c5811d50
FS: () GS:8801daf0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 0072c029 CR3: 0001b19fd000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:159 [inline]
 _raw_spin_unlock_irqrestore+0x27/0xc0 kernel/locking/spinlock.c:184
 spin_unlock_irqrestore include/linux/spinlock.h:384 [inline]
 p9_conn_cancel+0x9b6/0xd30 net/9p/trans_fd.c:208
 p9_poll_mux net/9p/trans_fd.c:620 [inline]
 p9_poll_workfn+0x4b2/0x6d0 net/9p/trans_fd.c:1107
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 4d86351f63a12683 ]---
RIP: 0010:debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline]
RIP: 0010:do_raw_spin_unlock+0x65/0x2f0 kernel/locking/spinlock_debug.c:134
Code: 0a bd 88 48 c7 85 78 ff ff ff b3 8a b5 41 48 c7 45 88 d0 3c 60 81 c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9
RSP: 0018:8801d945f288 EFLAGS: 00010047
RAX: dc00 RBX: RCX: 8770a045
RDX: RSI: 0001 RDI: 0004
RBP: 8801d945f310 R08: 11003b28be45 R09: ed0035e7bd88
R10: ed0035e7bd88 R11: 8801af3dec43 R12:
R13: 11003b28be51 R14: 8801d945f2e8 R15: 8801c5811d50
FS: () GS:8801daf0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 0072c029 CR3: 0001b19fd000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: BUG: MAX_LOCK_DEPTH too low! (2)
syzbot has found a reproducer for the following crash on:

HEAD commit:    6e6fddc78323 bpf: fix panic due to oob in bpf_prog_test_ru..
git tree:       bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=1364db9440
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
dashboard link: https://syzkaller.appspot.com/bug?extid=802a5abb8abae86eb6de
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1157279440
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16aff56840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+802a5abb8abae86eb...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
BUG: MAX_LOCK_DEPTH too low!
turning off the locking correctness validator.
depth: 48 max: 48!
48 locks held by syz-executor169/4820:
 #0: (ptrval) (rcu_read_lock_bh){}, at: __dev_queue_xmit+0x328/0x3910 net/core/dev.c:3503
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:320 [inline]
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:124 [inline]
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:117 [inline]
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3229 [inline]
 #1: (ptrval) (&(>seqlock)->rlock){+...}, at: __dev_queue_xmit+0x13a3/0x3910 net/core/dev.c:3537
 #2: (ptrval) (dev->qdisc_running_key ?: _running_key){+...}, at: dev_queue_xmit+0x17/0x20 net/core/dev.c:3602
 #3: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #3: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #4: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #4: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #5: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #5: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #6: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #6: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #7: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #7: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #8: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #8: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #9: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #9: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #10: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #10: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #11: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #11: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #12: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #12: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #13: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #13: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #14: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #14: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #15: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #15: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #16: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #16: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #17: (ptrval) (rcu_read_lock){}, at: __skb_pull include/linux/skbuff.h:2080 [inline]
 #17: (ptrval) (rcu_read_lock){}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787
 #18: (
KASAN: slab-out-of-bounds Read in rds_cong_queue_updates (2)
Hello,

syzbot found the following crash on:

HEAD commit:    0026129c8629 rhashtable: add restart routine in rhashtable..
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=10b7ced040
kernel config:  https://syzkaller.appspot.com/x/.config?x=b88de6eac8694da6
dashboard link: https://syzkaller.appspot.com/bug?extid=0570fef57a5e020bdc87
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0570fef57a5e020bd...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: slab-out-of-bounds in refcount_read include/linux/refcount.h:42 [inline]
BUG: KASAN: slab-out-of-bounds in check_net include/net/net_namespace.h:237 [inline]
BUG: KASAN: slab-out-of-bounds in rds_destroy_pending net/rds/rds.h:902 [inline]
BUG: KASAN: slab-out-of-bounds in rds_cong_queue_updates+0x25d/0x5b0 net/rds/cong.c:226
Read of size 4 at addr 88019f8ec204 by task syz-executor1/27023

CPU: 0 PID: 27023 Comm: syz-executor1 Not tainted 4.18.0-rc3+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_read include/linux/refcount.h:42 [inline]
 check_net include/net/net_namespace.h:237 [inline]
 rds_destroy_pending net/rds/rds.h:902 [inline]
 rds_cong_queue_updates+0x25d/0x5b0 net/rds/cong.c:226
 rds_recv_rcvbuf_delta.part.3+0x332/0x3e0 net/rds/recv.c:123
 rds_recv_rcvbuf_delta net/rds/recv.c:382 [inline]
 rds_recv_incoming+0x85a/0x1320 net/rds/recv.c:382
netlink: 'syz-executor2': attribute type 18 has an invalid length.
 rds_loop_xmit+0x16a/0x340 net/rds/loop.c:95
 rds_send_xmit+0x1343/0x29c0 net/rds/send.c:355
netlink: 180 bytes leftover after parsing attributes in process `syz-executor5'.
 rds_sendmsg+0x229e/0x2a40 net/rds/send.c:1243
netlink: 180 bytes leftover after parsing attributes in process `syz-executor5'.
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:651
 __sys_sendto+0x3d7/0x670 net/socket.c:1797
 __do_sys_sendto net/socket.c:1809 [inline]
 __se_sys_sendto net/socket.c:1805 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1805
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455e29
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fd164b21c68 EFLAGS: 0246 ORIG_RAX: 002c
RAX: ffda RBX: 7fd164b226d4 RCX: 00455e29
RDX: 0481 RSI: 2000 RDI: 0013
RBP: 0072bea0 R08: 2069affb R09: 0010
R10: R11: 0246 R12:
R13: 004c14f2 R14: 004d1a08 R15:

Allocated by task 26052:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 getname_flags+0xd0/0x5a0 fs/namei.c:140
 getname+0x19/0x20 fs/namei.c:211
 do_sys_open+0x3a2/0x760 fs/open.c:1095
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1114
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 26052:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
 putname+0xf2/0x130 fs/namei.c:261
 do_sys_open+0x569/0x760 fs/open.c:1110
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1114
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 88019f8ec280
 which belongs to the cache names_cache of size 4096
The buggy address is located 124 bytes to the left of
 4096-byte region [88019f8ec280, 88019f8ed280)
The
KASAN: use-after-free Read in p9_fd_poll
Hello,

syzbot found the following crash on:

HEAD commit:    30c2c32d7f70 Merge tag 'drm-fixes-2018-07-10' of git://ano..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1662c5b240
kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=0442e6e2f7e1e33b1037
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0442e6e2f7e1e33b1...@syzkaller.appspotmail.com

9pnet: p9_errstr2errno: server reported unknown error etz0e&��?�d$5ܱI3�
QAT: Invalid ioctl
==
BUG: KASAN: use-after-free in p9_fd_poll+0x280/0x2b0 net/9p/trans_fd.c:238
Read of size 8 at addr 8801c647ec80 by task kworker/1:3/5005

CPU: 1 PID: 5005 Comm: kworker/1:3 Not tainted 4.18.0-rc4+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_poll_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 p9_fd_poll+0x280/0x2b0 net/9p/trans_fd.c:238
 p9_poll_mux net/9p/trans_fd.c:617 [inline]
 p9_poll_workfn+0x463/0x6d0 net/9p/trans_fd.c:1107
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 29121:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 p9_fd_open net/9p/trans_fd.c:796 [inline]
 p9_fd_create+0x1a7/0x3f0 net/9p/trans_fd.c:1036
 p9_client_create+0x915/0x16c9 net/9p/client.c:1062
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 29121:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 p9_fd_close+0x416/0x5b0 net/9p/trans_fd.c:893
 p9_client_create+0xac2/0x16c9 net/9p/client.c:1076
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801c647ec80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [8801c647ec80, 8801c647ee80)
The buggy address belongs to the page:
page:ea0007191f80 count:1 mapcount:0 mapping:8801da800940 index:0x0
flags: 0x2fffc000100(slab)
raw: 02fffc000100 ea0006a8cc48 ea00074be548 8801da800940
raw: 8801c647e000 00010006
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801c647eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8801c647ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8801c647ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                ^
 8801c647ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 8801c647ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==
KASAN: slab-out-of-bounds Read in pdu_read
Hello,

syzbot found the following crash on:

HEAD commit:    ca04b3cca11a Merge tag 'armsoc-fixes' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1609e96840
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
dashboard link: https://syzkaller.appspot.com/bug?extid=65c6b72f284a39d416b4
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1704f6d040
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17188a7840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+65c6b72f284a39d41...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0 net/9p/protocol.c:59
Read of size 62219 at addr 8801c9e904ed by task syz-executor251/4548

CPU: 0 PID: 4548 Comm: syz-executor251 Not tainted 4.18.0-rc3+ #137
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:345 [inline]
 pdu_read+0x90/0xd0 net/9p/protocol.c:59
 p9pdu_vreadf net/9p/protocol.c:162 [inline]
 p9pdu_readf+0x579/0x2170 net/9p/protocol.c:536
 p9_client_version net/9p/client.c:986 [inline]
 p9_client_create+0xde0/0x16c9 net/9p/client.c:1069
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440319
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffdfd76d4e8 EFLAGS: 0206 ORIG_RAX: 00a5
RAX: ffda RBX: 0030656c69662f2e RCX: 00440319
RDX: 2140 RSI: 2100 RDI:
RBP: 69736f7030707070 R08: 2280 R09: 0001
R10: 0001 R11: 0206 R12: 4c50473070707028
R13: 64663d736e617274 R14: R15:

Allocated by task 4548:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 p9_fcall_alloc+0x1e/0x90 net/9p/client.c:236
 p9_tag_alloc net/9p/client.c:306 [inline]
 p9_client_prepare_req.part.8+0x754/0xcd0 net/9p/client.c:722
 p9_client_prepare_req net/9p/client.c:757 [inline]
 p9_client_rpc+0x1bd/0x1400 net/9p/client.c:757
 p9_client_version net/9p/client.c:976 [inline]
 p9_client_create+0xd09/0x16c9 net/9p/client.c:1069
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at 8801c9e904c0
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 45 bytes inside of
 16384-byte region [8801c9e904c0, 8801c9e944c0)
The buggy address belongs to the page:
page:ea000727a400 count:1 mapcount:0 mapping:8801da802200 index:0x0 compound_mapcount: 0
flags: 0x2fffc008100(slab|hea
KASAN: use-after-free Read in __queue_work (2)
Hello,

syzbot found the following crash on:

HEAD commit:    ca04b3cca11a Merge tag 'armsoc-fixes' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1066e6dc40
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
dashboard link: https://syzkaller.appspot.com/bug?extid=1c9db6a163a4000d0765
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1473a45240
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1408774840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1c9db6a163a4000d0...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:328 [inline]
BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40 kernel/workqueue.c:442
Read of size 8 at addr 8801d7a7fda0 by task kworker/0:2/27

CPU: 0 PID: 27 Comm: kworker/0:2 Not tainted 4.18.0-rc3+ #137
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_poll_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 constant_test_bit arch/x86/include/asm/bitops.h:328 [inline]
 work_is_static_object+0x39/0x40 kernel/workqueue.c:442
 debug_object_activate+0x2fc/0x690 lib/debugobjects.c:508
 debug_work_activate kernel/workqueue.c:491 [inline]
 __queue_work+0x1ca/0x1410 kernel/workqueue.c:1380
 queue_work_on+0x19a/0x1e0 kernel/workqueue.c:1486
 queue_work include/linux/workqueue.h:512 [inline]
 schedule_work include/linux/workqueue.h:570 [inline]
 p9_poll_mux net/9p/trans_fd.c:628 [inline]
 p9_poll_workfn+0x55e/0x6d0 net/9p/trans_fd.c:1107
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 4537:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 p9_fd_open net/9p/trans_fd.c:796 [inline]
 p9_fd_create+0x1a7/0x3f0 net/9p/trans_fd.c:1036
 p9_client_create+0x915/0x16c9 net/9p/client.c:1062
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4537:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 p9_fd_close+0x416/0x5b0 net/9p/trans_fd.c:893
 p9_client_create+0xac2/0x16c9 net/9p/client.c:1076
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801d7a7fc80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 288 bytes inside of
 512-byte region [8801d7a7fc80, 8801d7a7fe80)
The buggy address belongs to the page:
page:ea00075e9fc0 count:1 mapcount:0 mapping:8801da800940 index:0x0
flags: 0x2fffc000100(slab)
raw: 02fffc000100 ea0007616688 ea00075d9a88 8801da800940
raw: 8801d7a7f000 00010006
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801d7a7fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 8801d7a7fd00: fb fb fb fb fb fb fb fb fb fb
Re: KASAN: use-after-free Read in tls_write_space
syzbot has found a reproducer for the following crash on:

HEAD commit:    c47078d6a33f tcp: remove redundant SOCK_DONE checks
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=120012c240
kernel config:  https://syzkaller.appspot.com/x/.config?x=a501a01deaf0fe9
dashboard link: https://syzkaller.appspot.com/bug?extid=2134b6b74dec9f8c760f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1695059440
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11d180c840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2134b6b74dec9f8c7...@syzkaller.appspotmail.com

TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
==
BUG: KASAN: use-after-free in tls_write_space+0x2c2/0x360 net/tls/tls_main.c:225
Read of size 1 at addr 8801aebdd420 by task ksoftirqd/1/18

CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.18.0-rc3+ #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 tls_write_space+0x2c2/0x360 net/tls/tls_main.c:225
 tcp_new_space net/ipv4/tcp_input.c:5081 [inline]
 tcp_check_space+0x551/0x930 net/ipv4/tcp_input.c:5092
 tcp_data_snd_check net/ipv4/tcp_input.c:5102 [inline]
 tcp_rcv_established+0x8db/0x2180 net/ipv4/tcp_input.c:5581
 tcp_v6_do_rcv+0x4b2/0x1450 net/ipv6/tcp_ipv6.c:1325
 tcp_v6_rcv+0x342a/0x3a70 net/ipv6/tcp_ipv6.c:1554
 ip6_input_finish+0x407/0x1a40 net/ipv6/ip6_input.c:383
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:426
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ipv6_rcv+0x11e/0x650 net/ipv6/ip6_input.c:271
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4767
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4872
 process_backlog+0x219/0x760 net/core/dev.c:5663
 napi_poll net/core/dev.c:6078 [inline]
 net_rx_action+0x7a5/0x1950 net/core/dev.c:6144
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:288
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:649
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 8159:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 create_ctx net/tls/tls_main.c:535 [inline]
 tls_init+0x1e7/0xb20 net/tls/tls_main.c:659
 tcp_set_ulp+0x1bc/0x520 net/ipv4/tcp_ulp.c:153
 do_tcp_setsockopt.isra.41+0x44a/0x2680 net/ipv4/tcp.c:2748
 tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:3059
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3083
 __sys_setsockopt+0x1c5/0x3b0 net/socket.c:1911
 __do_sys_setsockopt net/socket.c:1922 [inline]
 __se_sys_setsockopt net/socket.c:1919 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1919
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8159:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 tls_sk_proto_close+0x712/0xae0 net/tls/tls_main.c:297
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 __sock_release+0xd7/0x260 net/socket.c:599
 sock_close+0x19/0x20 net/socket.c:1150
 __fput+0x355/0x8b0 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1ec/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:192 [inline]
 exit_to_usermode_loop+0x313/0x370 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801aebdd340
 which belongs
KMSAN: uninit-value in ebt_stp_mt_check (2)
Hello,

syzbot found the following crash on:

HEAD commit:    c6a6aed994b6 kmsan: remove dead code to trigger syzbot build
git tree:       https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=17bde74f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
dashboard link: https://syzkaller.appspot.com/bug?extid=da4494182233c23a5fcf
compiler:       clang version 7.0.0 (trunk 334104)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da4494182233c23a5...@syzkaller.appspotmail.com

==
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
CPU: 0 PID: 12006 Comm: syz-executor7 Not tainted 4.17.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:620
 ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
 xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
 ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
 ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
 translate_table+0x4e88/0x6120 net/bridge/netfilter/ebtables.c:943
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:999
 do_replace+0x719/0x780 net/bridge/netfilter/ebtables.c:1138
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1517
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x47c/0x4e0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1251
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2416
 sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3039
 __sys_setsockopt+0x496/0x540 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4559f9
RSP: 002b:7f45b9246c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f45b92476d4 RCX: 004559f9
RDX: 0080 RSI: RDI: 0014
RBP: 0072bea0 R08: 0300 R09:
R10: 2480 R11: 0246 R12:
R13: 004c0d6d R14: 004d07c8 R15:

Local variable description: mtpar.i@translate_table
Variable was created at:
 translate_table+0xbb/0x6120 net/bridge/netfilter/ebtables.c:831
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:999
==

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
BUG: unable to handle kernel (3)
Hello,

syzbot found the following crash on:

HEAD commit:    861d9dd37526 Merge tag 'kbuild-fixes-v4.17-2' of git://git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bffd0f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=adfeaaee641dd4fdac43
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1156a92f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+adfeaaee641dd4fda...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
BUG: unable to handle kernel
IPVS: ftp: loaded support on port[0] = 21
paging request at c90001f30003
PGD 1da946067 P4D 1da946067 PUD 1da947067 PMD 1afa9e067 PTE 8001b7d3e163
Oops: [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 8 Comm: ksoftirqd/0 Not tainted 4.17.0-rc6+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ebt_do_table+0x1983/0x2140 net/bridge/netfilter/ebtables.c:283
RSP: 0018:8801d9aaeb68 EFLAGS: 00010246
RAX: c90001f30003 RBX: c90001f30003 RCX: c90001f24000
RDX: RSI: 86a8513c RDI:
RBP: 8801d9aaed38 R08: 8801d9a9c200 R09: ed003b5c46d2
R10: ed003b5c46d2 R11: 8801dae23693 R12: c90001f24000
R13: c90001f201a0 R14: c90001f200d0 R15: dc00
FS: () GS:8801dae0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: c90001f30003 CR3: 0001ad782000 CR4: 001406f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 ebt_broute+0x1f8/0x320 net/bridge/netfilter/ebtable_broute.c:60
 br_handle_frame+0x6b6/0x19f0 net/bridge/br_input.c:291
 __netif_receive_skb_core+0xc6e/0x3630 net/core/dev.c:4546
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
 process_backlog+0x219/0x760 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:646
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Code: 6c 24 08 48 89 d8 48 89 9d d0 fe ff ff 48 c1 e8 03 42 0f b6 04 38 84 c0 74 08 3c 03 0f 8e 3b 06 00 00 48 8b 85 d0 fe ff ff 31 ff <8b> 18 89 de e8 54 f1 d0 fa 85 db 0f 85 a0 02 00 00 e8 37 f0 d0
RIP: ebt_do_table+0x1983/0x2140 net/bridge/netfilter/ebtables.c:283 RSP: 8801d9aaeb68
CR2: c90001f30003
---[ end trace d121cd1897af50a4 ]---

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
possible deadlock in sock_hash_free
Hello,

syzbot found the following crash on:

HEAD commit:    7a1a98c171ea Merge branch 'bpf-sendmsg-hook'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=131f406780
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
dashboard link: https://syzkaller.appspot.com/bug?extid=83bdee62c80cc044cb1a
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=17a0be2f80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=164cf10f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+83bdee62c80cc044c...@syzkaller.appspotmail.com

==
WARNING: possible circular locking dependency detected
4.17.0-rc6+ #25 Not tainted
--
kworker/1:0/18 is trying to acquire lock:
ef3a7ff3 (clock-AF_INET6){++..}, at: sock_hash_free+0x377/0x700 kernel/bpf/sockmap.c:2089

but task is already holding lock:
989798b8 (>buckets[i].lock){+...}, at: sock_hash_free+0x1d4/0x700 kernel/bpf/sockmap.c:2083

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (>buckets[i].lock){+...}:
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 __do_sys_exit_group kernel/exit.c:979 [inline]
 __se_sys_exit_group kernel/exit.c:977 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (clock-AF_INET6){++..}:
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
 _raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:312
 sock_hash_free+0x377/0x700 kernel/bpf/sockmap.c:2089
 bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:261
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(>buckets[i].lock);
                               lock(clock-AF_INET6);
                               lock(>buckets[i].lock);
  lock(clock-AF_INET6);

 *** DEADLOCK ***

4 locks held by kworker/1:0/18:
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: b569d373 ((wq_completion)"events"){+.+.}, at: process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 41d1b332 ((work_completion)(>work)){+.+.}, at: process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: da1a504c (rcu_read_lock){}, at: sock_hash_free+0x0/0x700 include/net/sock.h:2178
 #3: 989798b8 (>buckets[i].lock){+...}, at: sock_hash_free+0x1d4/0x700 kernel/bpf/sockmap.c:2083

stack backtrace:
CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.17.0-rc6+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events bpf_map_free_deferred
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_circular_bug.isra.36.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inlin
Re: possible deadlock in bpf_tcp_close
syzbot has found a reproducer for the following crash on:

HEAD commit:    7a1a98c171ea Merge branch 'bpf-sendmsg-hook'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=149ae2b780
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
dashboard link: https://syzkaller.appspot.com/bug?extid=47ed903f50684f046b15
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1553b17b80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1460be2f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+47ed903f50684f046...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
WARNING: possible circular locking dependency detected
4.17.0-rc6+ #25 Not tainted
--
syz-executor800/4527 is trying to acquire lock:
(ptrval) (>buckets[i].lock){+...}, at: bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285

but task is already holding lock:
(ptrval) (clock-AF_INET6){++..}, at: bpf_tcp_close+0x241/0x10b0 kernel/bpf/sockmap.c:260

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (clock-AF_INET6){++..}:
 __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
 _raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:312
 sock_hash_delete_elem+0x7c6/0xaf0 kernel/bpf/sockmap.c:2338
 map_delete_elem+0x32e/0x4e0 kernel/bpf/syscall.c:815
 __do_sys_bpf kernel/bpf/syscall.c:2349 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2317 [inline]
 __x64_sys_bpf+0x342/0x510 kernel/bpf/syscall.c:2317
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (>buckets[i].lock){+...}:
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2482
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(clock-AF_INET6);
                               lock(>buckets[i].lock);
                               lock(clock-AF_INET6);
  lock(>buckets[i].lock);

 *** DEADLOCK ***

2 locks held by syz-executor800/4527:
 #0: (ptrval) (rcu_read_lock){}, at: bpf_tcp_close+0x0/0x10b0 kernel/bpf/sockmap.c:2106
 #1: (ptrval) (clock-AF_INET6){++..}, at: bpf_tcp_close+0x241/0x10b0 kernel/bpf/sockmap.c:260

stack backtrace:
CPU: 0 PID: 4527 Comm: syz-executor800 Not tainted 4.17.0-rc6+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_circular_bug.isra.36.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x343e/0x5140 kernel/locking/lockdep.c:3431
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit
possible deadlock in bpf_tcp_close
Hello,

syzbot found the following crash on:

HEAD commit:    7a1a98c171ea Merge branch 'bpf-sendmsg-hook'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10fd82d780
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
dashboard link: https://syzkaller.appspot.com/bug?extid=47ed903f50684f046b15
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+47ed903f50684f046...@syzkaller.appspotmail.com

==
WARNING: possible circular locking dependency detected
4.17.0-rc6+ #25 Not tainted
--
syz-executor4/7489 is trying to acquire lock:
(ptrval) (>buckets[i].lock#2){+...}, at: bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285

but task is already holding lock:
(ptrval) (clock-AF_INET6){++..}, at: bpf_tcp_close+0x241/0x10b0 kernel/bpf/sockmap.c:260

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (clock-AF_INET6){++..}:
 __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
 _raw_write_lock_bh+0x31/0x40 kernel/locking/spinlock.c:312
 sock_hash_delete_elem+0x7c6/0xaf0 kernel/bpf/sockmap.c:2338
 map_delete_elem+0x32e/0x4e0 kernel/bpf/syscall.c:815
 __do_sys_bpf kernel/bpf/syscall.c:2349 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2317 [inline]
 __x64_sys_bpf+0x342/0x510 kernel/bpf/syscall.c:2317
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (>buckets[i].lock#2){+...}:
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2482
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(clock-AF_INET6);
                               lock(>buckets[i].lock#2);
                               lock(clock-AF_INET6);
  lock(>buckets[i].lock#2);

 *** DEADLOCK ***

2 locks held by syz-executor4/7489:
 #0: (ptrval) (rcu_read_lock){}, at: bpf_tcp_close+0x0/0x10b0 kernel/bpf/sockmap.c:2106
 #1: (ptrval) (clock-AF_INET6){++..}, at: bpf_tcp_close+0x241/0x10b0 kernel/bpf/sockmap.c:260

stack backtrace:
CPU: 1 PID: 7489 Comm: syz-executor4 Not tainted 4.17.0-rc6+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_circular_bug.isra.36.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x343e/0x5140 kernel/locking/lockdep.c:3431
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 bpf_tcp_close+0x822/0x10b0 kernel/bpf/sockmap.c:285
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2482
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x
KASAN: use-after-free Write in bpf_tcp_close
Hello,

syzbot found the following crash on:

HEAD commit:    ff4fb475cea8 Merge branch 'btf-uapi-cleanups'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12b3d57780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=31025a5f3f7650081204
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=109a2f3780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171a727b80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+31025a5f3f7650081...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
BUG: KASAN: use-after-free in bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
Write of size 8 at addr 8801ca277680 by task syz-executor749/9723

CPU: 0 PID: 9723 Comm: syz-executor749 Not tainted 4.17.0-rc4+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
 cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
 bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 __do_sys_exit_group kernel/exit.c:979 [inline]
 __se_sys_exit_group kernel/exit.c:977 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440a59
RSP: 002b:7ffdadf92488 EFLAGS: 0206 ORIG_RAX: 00e7
RAX: ffda RBX: RCX: 00440a59
RDX: 00440a59 RSI: 0020 RDI:
RBP: R08: 004002c8 R09: 00401ea0
R10: 004002c8 R11: 0206 R12: 0001b5ac
R13: 00401ea0 R14: R15:

Allocated by task 9723:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3689
 kmalloc_node include/linux/slab.h:554 [inline]
 bpf_map_area_alloc+0x3f/0x90 kernel/bpf/syscall.c:144
 sock_map_alloc+0x376/0x410 kernel/bpf/sockmap.c:1555
 find_and_alloc_map kernel/bpf/syscall.c:126 [inline]
 map_create+0x393/0x1010 kernel/bpf/syscall.c:448
 __do_sys_bpf kernel/bpf/syscall.c:2128 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2105 [inline]
 __x64_sys_bpf+0x300/0x4f0 kernel/bpf/syscall.c:2105
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4521:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 kvfree+0x61/0x70 mm/util.c:440
 bpf_map_area_free+0x15/0x20 kernel/bpf/syscall.c:155
 sock_map_remove_complete kernel/bpf/sockmap.c:1443 [inline]
 sock_map_free+0x408/0x540 kernel/bpf/sockmap.c:1619
 bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:259
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at 8801ca277680
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 0 bytes inside of
 1024-byte region [8801ca277680, 8801ca277a80)
The buggy address belongs to the page:
page:ea0007289d80 count:1 mapcount:0 mapping:8801ca276000 index:0x0 compound_mapcount: 0
flags: 0x2fffc008100(slab|head)
raw: 02fffc008100 8801ca276000 00010007
raw: ea0006d12b20 ea000763bba0 8801da800ac0
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801ca277580: fc fc fc fc fc fc
Re: WARNING in bpf_int_jit_compile
syzbot has found a reproducer for the following crash on:

HEAD commit:    62d18ecfa641 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14c6bf5780
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=9e762b52dd17e616a7a5
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=130e42b780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9e762b52dd17e616a...@syzkaller.appspotmail.com

RAX: ffda RBX: 02542914 RCX: 00455a09
RDX: 0048 RSI: 2240 RDI: 0005
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0003
R13: 0046 R14: 006f4730 R15: 0023
WARNING: CPU: 0 PID: 4752 at include/linux/filter.h:667 bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
WARNING: CPU: 0 PID: 4752 at include/linux/filter.h:667 bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4752 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
RIP: 0010:bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271
RSP: 0018:8801d85ff920 EFLAGS: 00010293
RAX: 8801d78c40c0 RBX: 0046 RCX: 81445d89
RDX: RSI: 81445d97 RDI: 0005
RBP: 8801d85ffa40 R08: 8801d78c40c0 R09:
R10: R11: R12: c9000194e002
R13: 8801d85ffa18 R14: fff4 R15: 0003
 bpf_prog_select_runtime+0x131/0x640 kernel/bpf/core.c:1541
 bpf_prog_load+0x16c2/0x2070 kernel/bpf/syscall.c:1333
 __do_sys_bpf kernel/bpf/syscall.c:2073 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2035 [inline]
 __x64_sys_bpf+0x389/0x4c0 kernel/bpf/syscall.c:2035
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7ffec3da2868 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX: 02542914 RCX: 00455a09
RDX: 0048 RSI: 2240 RDI: 0005
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0003
R13: 0046 R14: 006f4730 R15: 0023
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
WARNING in bpf_int_jit_compile
Hello,

syzbot found the following crash on:

HEAD commit:    203ec2fed17a Merge tag 'armsoc-fixes' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14f0d5a780
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
dashboard link: https://syzkaller.appspot.com/bug?extid=9e762b52dd17e616a7a5
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9e762b52dd17e616a...@syzkaller.appspotmail.com

RAX: ffda RBX: 7f9da107d6d4 RCX: 00455a09
RDX: 0048 RSI: 2000e000 RDI: 0005
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0014
R13: 0046 R14: 006f4730 R15: 0021
WARNING: CPU: 0 PID: 20757 at include/linux/filter.h:667 bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
WARNING: CPU: 0 PID: 20757 at include/linux/filter.h:667 bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 20757 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #60
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
RIP: 0010:bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271
RSP: 0018:8801b3fbf920 EFLAGS: 00010246
RAX: 0004 RBX: 0047 RCX: c900050da000
RDX: 0004 RSI: 81444d37 RDI: 0005
RBP: 8801b3fbfa40 R08: 8801b4c18040 R09:
R10: R11: R12: c90001932002
R13: 8801b3fbfa18 R14: fff4 R15: 0003
 bpf_prog_select_runtime+0x131/0x640 kernel/bpf/core.c:1491
 bpf_prog_load+0x16c2/0x2070 kernel/bpf/syscall.c:1333
 __do_sys_bpf kernel/bpf/syscall.c:2073 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2035 [inline]
 __x64_sys_bpf+0x389/0x4c0 kernel/bpf/syscall.c:2035
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7f9da107cc68 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX: 7f9da107d6d4 RCX: 00455a09
RDX: 0048 RSI: 2000e000 RDI: 0005
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0014
R13: 0046 R14: 006f4730 R15: 0021
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
general protection fault in sock_do_ioctl
Hello,

syzbot found the following crash on:

HEAD commit:    62c8a069b510 net: mvpp2: Add missing VLAN tag detection
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10ad582780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=09b980aff7b322aac68d
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+09b980aff7b322aac...@syzkaller.appspotmail.com

 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7f7f8526bc68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7f7f8526c6d4 RCX: 00455a09
RDX: RSI: 200019c0 RDI: 0013
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0014
R13: 059b R14: 006fc728 R15: 0005
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 8176 Comm: syz-executor2 Not tainted 4.17.0-rc4+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_tx_prepared_sends net/smc/smc_tx.h:27 [inline]
RIP: 0010:smc_ioctl+0x6db/0x9f0 net/smc/af_smc.c:1506
RSP: 0018:8801afe4f770 EFLAGS: 00010202
RAX: dc00 RBX: RCX: dc00
RDX: 0004 RSI: 110035fc9f0d RDI: 0020
RBP: 8801afe4f9d0 R08: ed0035fc9f0e R09: ed0035fc9f0d
R10: ed0035fc9f0d R11: 8801afe4f86f R12: 110035fc9ef1
R13: 23c0 R14: 8801afe4f868 R15: 8801afe4f828
FS: 7f6710832700() GS:8801dae0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 007270dc CR3: 0001c83ae000 CR4: 001406f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 sock_do_ioctl+0xe4/0x3e0 net/socket.c:957
 sock_ioctl+0x30d/0x680 net/socket.c:1081
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x16a0 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7f6710831c68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f67108326d4 RCX: 00455a09
RDX: 23c0 RSI: 894b RDI: 0013
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12:
R13: 044c R14: 006fa7c0 R15:
Code: f8 48 c1 e8 03 80 3c 10 00 0f 85 ed 01 00 00 48 8b 9b 90 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 20 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e b7 01 00 00 8b 43 20 49 8d
RIP: smc_tx_prepared_sends net/smc/smc_tx.h:27 [inline] RSP: 8801afe4f770
RIP: smc_ioctl+0x6db/0x9f0 net/smc/af_smc.c:1506 RSP: 8801afe4f770
---[ end trace ed404e46621ff58c ]---

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 8189 Comm: syz-executor5 Not tainted 4.17.0-rc4+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
 __should_failslab+0x124/0x180 mm/failslab.c:32
 should_failslab+0x9/0x14 mm/slab_common.c:1522
 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc mm/slab.c:3378 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:691 [inline]
 fill_pool lib/debugobjects.c:134 [inline]
 __debug_object_init+0xbc0/0x12c0 lib/debugobjects.c:377
 debug_object_init+0x16/0x20 lib/debugobjects.c:429
 debug_timer_init kernel/time/timer.c:704 [inline]
 debug_init kernel/time/timer.c:757 [inline]
 init_timer_key+0xa1/0x470 kernel/time/timer.c:806
 sctp_association_init net/sctp/associola.c:152 [inline]
 sctp_association_new+0xa90/0x2170 net/sctp/associola.c:312

---
This bug is generated by a bot. It may contain error
general protection fault in bpf_tcp_close
Hello,

syzbot found the following crash on:

HEAD commit:    fd0bfa8d6e04 Merge branch 'bpf-af-xdp-cleanups'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11da942780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=0ce137753c78f7b6acc1
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0ce137753c78f7b6a...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 12139 Comm: syz-executor2 Not tainted 4.17.0-rc4+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__hlist_del include/linux/list.h:649 [inline]
RIP: 0010:hlist_del_rcu include/linux/rculist.h:427 [inline]
RIP: 0010:bpf_tcp_close+0x7d2/0xf80 kernel/bpf/sockmap.c:271
RSP: 0018:8801a8f8ef70 EFLAGS: 00010a02
RAX: ed00351f1dfd RBX: dc00 RCX: dead0200
RDX: RSI: 1bd5a040 RDI: 8801cb710910
RBP: 8801a8f8f110 R08: ed003350ac9d R09: ed003350ac9c
R10: ed003350ac9c R11: 88019a8564e3 R12: 8801cb710380
R13: 8801b17ea6e0 R14: 8801cb710398 R15: 8801cb710900
FS: 7f9890c43700() GS:8801dae0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7fde1a668000 CR3: 00019dca2000 CR4: 001406f0
DR0: 21c0 DR1: 21c0 DR2:
DR3: DR6: fffe0ff0 DR7: 0600
Call Trace:
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2469
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:7f9890c42ce8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0072bec8 RCX: 00455a09
RDX: RSI: RDI: 0072bec8
RBP: 0072bec8 R08: R09: 0072bea0
R10: R11: 0246 R12:
R13: 7ffcb48ac3ff R14: 7f9890c439c0 R15:
Code: ff 48 c1 e9 03 80 3c 19 00 0f 85 a9 05 00 00 49 8b 4f 18 48 8b 85 98 fe ff ff 48 89 ce c6 00 00 48 c1 ee 03 48 89 95 d8 fe ff ff <80> 3c 1e 00 0f 85 c6 05 00 00 48 8b 85 98 fe ff ff 48 85 d2 48
RIP: __hlist_del include/linux/list.h:649 [inline] RSP: 8801a8f8ef70
RIP: hlist_del_rcu include/linux/rculist.h:427 [inline] RSP: 8801a8f8ef70
RIP: bpf_tcp_close+0x7d2/0xf80 kernel/bpf/sockmap.c:271 RSP: 8801a8f8ef70
---[ end trace e81227e93c7e7b75 ]---

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
KASAN: use-after-free Read in bpf_tcp_close
Hello,

syzbot found the following crash on:

HEAD commit:    3fb48d881dbe Merge branch 'bpf-fib-mtu-check'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15fc197780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=fce8f2462c403d02af98
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1310c85780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17de717780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fce8f2462c403d02a...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:427 [inline]
BUG: KASAN: use-after-free in bpf_tcp_close+0xd7f/0xf80 kernel/bpf/sockmap.c:271
Read of size 8 at addr 8801c884cf90 by task syz-executor330/11778

CPU: 1 PID: 11778 Comm: syz-executor330 Not tainted 4.17.0-rc4+ #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 hlist_del_rcu include/linux/rculist.h:427 [inline]
 bpf_tcp_close+0xd7f/0xf80 kernel/bpf/sockmap.c:271
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2469
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445ed9
RSP: 002b:7f0078c0adb8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 006dbc24 RCX: 00445ed9
RDX: RSI: RDI: 006dbc24
RBP: 006dbc20 R08: R09:
R10: R11: 0246 R12:
R13: 7ffcd147dbef R14: 7f0078c0b9c0 R15: 0007

Allocated by task 11787:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3689
 kmalloc_node include/linux/slab.h:554 [inline]
 alloc_sock_hash_elem kernel/bpf/sockmap.c:2114 [inline]
 sock_hash_ctx_update_elem.isra.23+0xa57/0x1560 kernel/bpf/sockmap.c:2245
 sock_hash_update_elem+0x14f/0x2d0 kernel/bpf/sockmap.c:2303
 map_update_elem+0x5c4/0xc90 kernel/bpf/syscall.c:760
 __do_sys_bpf kernel/bpf/syscall.c:2134 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2105 [inline]
 __x64_sys_bpf+0x32a/0x4f0 kernel/bpf/syscall.c:2105
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8998:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 sock_hash_free+0x24e/0x6e0 kernel/bpf/sockmap.c:2093
 bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:259
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at 8801c884cf80
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 16 bytes inside of
 64-byte region [8801c884cf80, 8801c884cfc0)
The buggy address belongs to the page:
page:ea0007221300 count:1 mapcount:0 mapping:8801c884c000 index:0x0
flags: 0x2fffc000100(slab)
raw: 02fffc000100 8801c884c000 00010020
raw: ea00072e08e0 ea0006e99660 8801da800340
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801c884ce80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 8801c884cf00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
 8801c884cf80: fb fb fb fb fb fb fb fb
Re: WARNING: ODEBUG bug in __sk_destruct
syzbot has found a reproducer for the following crash on:

HEAD commit:    e52cde717093 net: dsa: dsa_loop: Make dynamic debugging he..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1424a4b780
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4078980b886800c
dashboard link: https://syzkaller.appspot.com/bug?extid=92209502e7aab127c75f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1071bc2f80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16b51cb780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+92209502e7aab127c...@syzkaller.appspotmail.com

[ cut here ]
ODEBUG: free active (active state 0) object type: work_struct hint: smc_tx_work+0x0/0x350 include/linux/compiler.h:188
WARNING: CPU: 0 PID: 5254 at lib/debugobjects.c:329 debug_print_object+0x16a/0x210 lib/debugobjects.c:326
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 5254 Comm: syz-executor351 Not tainted 4.17.0-rc6+ #64
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
RSP: 0018:8801c6f67158 EFLAGS: 00010082
RAX: 0059 RBX: 0003 RCX: 818435f8
RDX: RSI: 8160f2c1 RDI: 0001
RBP: 8801c6f67198 R08: 8801cb640580 R09: ed003b5c3eb2
R10: ed003b5c3eb2 R11: 8801dae1f597 R12: 0001
R13: 88d5f040 R14: 87fa2a00 R15: 814ccb10
 __debug_check_no_obj_freed lib/debugobjects.c:783 [inline]
 debug_check_no_obj_freed+0x3a6/0x584 lib/debugobjects.c:815
 kmem_cache_free+0x216/0x2d0 mm/slab.c:3755
 sk_prot_free net/core/sock.c:1516 [inline]
 __sk_destruct+0x6fe/0xa40 net/core/sock.c:1600
 sk_destruct+0x78/0x90 net/core/sock.c:1608
 __sk_free+0xcf/0x300 net/core/sock.c:1619
 sk_free+0x42/0x50 net/core/sock.c:1630
 sock_put include/net/sock.h:1669 [inline]
 smc_release+0x459/0x610 net/smc/af_smc.c:156
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 __do_sys_exit_group kernel/exit.c:979 [inline]
 __se_sys_exit_group kernel/exit.c:977 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4424f9
RSP: 002b:7ffcbea55c78 EFLAGS: 0202 ORIG_RAX: 00e7
RAX: ffda RBX: 02c0 RCX: 004424f9
RDX: 004424f9 RSI: 0001 RDI:
RBP: 7ffcbea55db0 R08: 0003 R09: 7ffcbea55cc0
R10: 0004 R11: 0202 R12:
R13: R14: 1380 R15: 7ffcbea55dd8

==
WARNING: possible circular locking dependency detected
4.17.0-rc6+ #64 Not tainted
--
syz-executor351/5254 is trying to acquire lock:
(ptrval) ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 kernel/locking/semaphore.c:136

but task is already holding lock:
(ptrval) (_hash[i].lock){-.-.}, at: __debug_check_no_obj_freed lib/debugobjects.c:774 [inline]
(ptrval) (_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0x159/0x584 lib/debugobjects.c:815

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (_hash[i].lock){-.-.}:
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
 __debug_object_init+0x11f/0x12c0 lib/debugobjects.c:381
 debug_object_init+0x16/0x20 lib/debugobjects.c:429
 debug_hrtimer_init kernel/time/hrtimer.c:410 [inline]
 debug_init kernel/time/hrtimer.c:458 [inline]
 hrtimer_init+0x8f/0x460 kernel/time/hrtimer.c:1308
 init_dl_task_timer+0x1b/0x50 kernel/sched/deadline.c:1056
 __sched_fork+0x2ae/0xc20 kernel/sched/core.c:2166
 init_idle+0x75/0x7a0 kernel/sched/core.c:5402
 sched_init+0xbeb/0xd10 kernel/sched/core.c:6100
 start_kernel+0x475/0x
KASAN: use-after-free Write in tls_push_record
Hello,

syzbot found the following crash on:

HEAD commit:    13405468f49d bpfilter: don't pass O_CREAT when opening con..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=109ad82f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=8be0182d69f8d422
dashboard link: https://syzkaller.appspot.com/bug?extid=709f2810a6a05f11d4d3
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=151ec3a780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=154d302f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+709f2810a6a05f11d...@syzkaller.appspotmail.com

RDX: fdef RSI: 25c0 RDI: 0003
RBP: 7ffd6ccdd780 R08: 2000 R09: 001c
R10: R11: 0212 R12: 0004
R13: R14: R15:
==
BUG: KASAN: use-after-free in tls_fill_prepend include/net/tls.h:339 [inline]
BUG: KASAN: use-after-free in tls_push_record+0x1023/0x13e0 net/tls/tls_sw.c:240
Write of size 1 at addr 8801d88d5000 by task syz-executor377/4600

CPU: 1 PID: 4600 Comm: syz-executor377 Not tainted 4.17.0-rc6+ #61
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 tls_fill_prepend include/net/tls.h:339 [inline]
 tls_push_record+0x1023/0x13e0 net/tls/tls_sw.c:240
 tls_sw_sendmsg+0x9de/0x12b0 net/tls/tls_sw.c:484
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 __sys_sendto+0x3d7/0x670 net/socket.c:1789
 __do_sys_sendto net/socket.c:1801 [inline]
 __se_sys_sendto net/socket.c:1797 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4416d9
RSP: 002b:7ffd6ccdd758 EFLAGS: 0212 ORIG_RAX: 002c
RAX: ffda RBX: RCX: 004416d9
RDX: fdef RSI: 25c0 RDI: 0003
RBP: 7ffd6ccdd780 R08: 2000 R09: 001c
R10: R11: 0212 R12: 0004
R13: R14: R15:

The buggy address belongs to the page:
page:ea0007623540 count:0 mapcount:0 mapping: index:0x0
flags: 0x2fffc00()
raw: 02fffc00
raw: ea0007592b60 8801dae2fdd8
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801d88d4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8801d88d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8801d88d5000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
               ^
 8801d88d5080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 8801d88d5100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
syzbot has found a reproducer for the following crash on:

HEAD commit:    b50694381cfc Merge branch 'stable/for-linus-4.17' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17151cb780
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1363ccb780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1272e2b780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+554ccde221001ab54...@syzkaller.appspotmail.com

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
 __should_failslab+0x124/0x180 mm/failslab.c:32
 should_failslab+0x9/0x14 mm/slab_common.c:1522
 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc mm/slab.c:3378 [inline]
 kmem_cache_alloc_trace+0x4b/0x780 mm/slab.c:3618
 kmalloc include/linux/slab.h:512 [inline]
 dccp_ackvec_parsed_add+0xa1/0x310 net/dccp/ackvec.c:352
 ccid2_hc_tx_parse_options+0x9a/0xb0 net/dccp/ccids/ccid2.c:510
 ccid_hc_tx_parse_options net/dccp/ccid.h:207 [inline]
 dccp_parse_options+0x658/0x11f0 net/dccp/options.c:233
 dccp_rcv_established+0x44/0xb0 net/dccp/input.c:374
 dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 dccp_sendmsg+0x771/0x1020 net/dccp/proto.c:820
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 __do_sys_sendmmsg net/socket.c:2241 [inline]
 __se_sys_sendmmsg net/socket.c:2238 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441819
RSP: 002b:7ffdb9a9df08 EFLAGS: 0246 ORIG_RAX: 0133
RAX: ffda RBX: RCX: 00441819
RDX: 040001e6 RSI: 2c00 RDI: 0005
RBP: 7ffdb9a9df20 R08: 0002 R09:
R10: R11: 0246 R12:
R13: 040001e6 R14: 0006 R15:
dccp_parse_options: DCCP((ptrval)): Option 38 (len=1) error=5

==
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x2383/0x275e net/dccp/ccids/ccid2.c:597
Read of size 1 at addr 8801ba4911c2 by task syz-executor940/4542

CPU: 0 PID: 4542 Comm: syz-executor940 Not tainted 4.17.0-rc6+ #66
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 ccid2_hc_tx_packet_recv+0x2383/0x275e net/dccp/ccids/ccid2.c:597
 ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
 dccp_deliver_input_to_ccids+0x203/0x280 net/dccp/input.c:186
 dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 dccp_sendmsg+0x771/0x1020 net/dccp/proto.c:820
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 __do_sys_sendmmsg net/socket.c:2241 [inline]
 __se_sys_sendmmsg net/socket.c:2238 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441819
RSP: 002b:7ffdb9a9df08 EFLAGS: 0246 ORIG_RAX: 0133
RAX: ffda RBX: RCX: 00441819
RDX: 040001e6 RSI: 2c00 RDI: 0005
RBP: 7ffdb9a9df20 R08: 0002 R09:
R10: R11: 0246 R12:
R13: 040001e6 R14: 0006 R15:

Allocated by task 4542:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan
INFO: rcu detected stall in corrupted
Hello,

syzbot found the following crash on:

HEAD commit:    771c577c23ba Linux 4.17-rc6
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1713435780
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=f116bc1994efe725d51b
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=14e5a7cf80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f116bc1994efe725d...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
INFO: rcu_sched self-detected stall on CPU
INFO: rcu_sched detected stalls on CPUs/tasks:
0-...!: (124975 ticks this GP) idle=a36/1/4611686018427387906 softirq=14002/14002 fqs=10
0-...!: (124975 ticks this GP) idle=a36/1/4611686018427387906 softirq=14002/14002 fqs=10
 (t=125002 jiffies g=7347 c=7346 q=349000)
 (detected by 1, t=125002 jiffies, g=7347, c=7346, q=349000)
rcu_sched kthread starved for 124927 jiffies! g7347 c7346 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1
Sending NMI from CPU 1 to CPUs 0:
RCU grace-period kthread stack dump:
NMI backtrace for cpu 0
CPU: 0 PID: 8 Comm: ksoftirqd/0 Not tainted 4.17.0-rc6+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:write_comp_data+0xa/0x70 kernel/kcov.c:121
RSP: 0018:8801dae06d30 EFLAGS: 0006
RAX: 00010105 RBX: 0006 RCX: 876bdc58
RDX: RSI: 0005 RDI: 0001
RBP: 8801dae06d68 R08: 8801d9a9c200 R09: fbfff14da4bc
R10: fbfff14da4bc R11: 8a6d25e0 R12: 88644220
R13: R14: 0001 R15: 0008
FS: () GS:8801dae0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7f595e194270 CR3: 0001b09c2000 CR4: 001406f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 vsnprintf+0x1b8/0x1b40 lib/vsprintf.c:2252
 sprintf+0xa7/0xd0 lib/vsprintf.c:2498
 print_time kernel/printk/printk.c:1223 [inline]
 print_prefix+0x26a/0x3f0 kernel/printk/printk.c:1246
 msg_print_text+0xca/0x1c0 kernel/printk/printk.c:1273
 console_unlock+0x4f5/0x1100 kernel/printk/printk.c:2369
 vprintk_emit+0x6ad/0xdd0 kernel/printk/printk.c:1907
 vprintk_default+0x28/0x30 kernel/printk/printk.c:1947
 vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:379
 printk+0x9e/0xba kernel/printk/printk.c:1980
 rcu_check_gp_kthread_starvation+0x325/0x3a4 kernel/rcu/tree.c:1353
 print_cpu_stall kernel/rcu/tree.c:1523 [inline]
 check_cpu_stall.isra.61.cold.80+0x364/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:__sanitizer_cov_trace_pc+0x1/0x50 kernel/kcov.c:94
RSP: 0018:8801d9aad680 EFLAGS: 0293 ORIG_RAX: ff13
RAX: 0103 RBX: 0002 RCX: 867e02e0
RDX: RSI: 0002 RDI: 0005
RBP: 8801d9aad7e0 R08: 8801d9a9c200 R09: 8801d9aadaf0
R10: ed003b5c46c2 R11: 8801dae23613 R12: 8801ce597c40
R13: R14: 0002 R15:
 find_match+0x244/0x13a0 net/ipv6/route.c:691
 find_rr_leaf net/ipv6/route.c:729 [inline]
 rt6_select net/ipv6/route.c:779 [inline]
 ip6_pol_route+0x946/0x3d40 net/ipv6/route.c:1705
 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:1969
 fib6_rule_lookup+0x211/0x6d0 net/ipv6/fib6_rules.c:89
 ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:1997
 ip6_dst_lookup_tail+0x47b/0x1b30 net/ipv6/ip6_output.c:995
 ip6_dst_lookup_flow+0xc1/0x260 net/ipv6/ip6_output.c:1096
 sctp_v6_get_dst+0x16b4/0x20b0 net/sctp/ipv6.c:327
 sctp_transport_route+0xad/0x450 net/sctp/transport.c:293
 sctp_packet_config+0xb89/0xfd0 net/sctp/output.c:123
 sctp_outq_flush+0x79c/
Re: INFO: task hung in tls_push_record
syzbot has found a reproducer for the following crash on:

HEAD commit:    eb38401c779d net: stmmac: Populate missing callbacks in HW..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16d0820f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=4006516aae0b06e7050f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=10f6927b80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15b7a20f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4006516aae0b06e70...@syzkaller.appspotmail.com

INFO: task syz-executor793:4489 blocked for more than 120 seconds.
      Not tainted 4.17.0-rc4+ #52
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor793 D23464 4489 4486 0x
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x1b5/0x240 kernel/time/timer.c:1777
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common kernel/sched/completion.c:115 [inline]
 wait_for_completion+0x3e7/0x870 kernel/sched/completion.c:136
 crypto_wait_req include/linux/crypto.h:512 [inline]
 tls_do_encryption net/tls/tls_sw.c:217 [inline]
 tls_push_record+0xedc/0x13e0 net/tls/tls_sw.c:248
 tls_sw_sendmsg+0x8d7/0x12b0 net/tls/tls_sw.c:440
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 __sys_sendto+0x3d7/0x670 net/socket.c:1789
 __do_sys_sendto net/socket.c:1801 [inline]
 __se_sys_sendto net/socket.c:1797 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4457d9
RSP: 002b:7fa388d06da8 EFLAGS: 0216 ORIG_RAX: 002c
RAX: ffda RBX: 006dac24 RCX: 004457d9
RDX: fdef RSI: 25c0 RDI: 0022
RBP: 006dac20 R08: 2000 R09: 001c
R10: R11: 0216 R12:
R13: 7ffd5148ecaf R14: 7fa388d079c0 R15: 0001

Showing all locks held in the system:
2 locks held by khungtaskd/892:
 #0: 9dfaae0c (rcu_read_lock){}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 9dfaae0c (rcu_read_lock){}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
 #1: 58f79a8d (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470
1 lock held by rsyslogd/4370:
 #0: 59c3c7ae (>f_pos_lock){+.+.}, at: __fdget_pos+0x1a9/0x1e0 fs/file.c:766
2 locks held by getty/4460:
 #0: e25a52c3 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 2caea50f (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4461:
 #0: d38c9806 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: eaffe99d (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4462:
 #0: cec6abe7 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 00afd91c (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4463:
 #0: 3456fca5 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 38a65d91 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4464:
 #0: 01e783b1 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 3ecd2e34 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4465:
 #0: 7ef8b451 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 6996c3ed (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4466:
 #0: d15d9a92 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: ee44bcf4 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
1 lock held by syz-executor793/4489:
 #0: 08c84b0d (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1474 [inline]
 #0: 08c84b0d (sk_lock-AF_INET6){+.+.}, at: tls_sw_sendmsg+0x1b9/0x12b0 net/tls/tls_sw.c:384
1 lock held by syz-executor793/4494:
 #0: f2de7555 (sk_lock-AF_INET6){+.+.}, at: lock_soc
INFO: rcu detected stall in is_bpf_text_address
Hello,

syzbot found the following crash on:

HEAD commit:    73fcb1a370c7 Merge branch 'akpm' (patches from Andrew)
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1462ec0f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
dashboard link: https://syzkaller.appspot.com/bug?extid=3dcd59a1f907245f891f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1079cf8f80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=156daf9780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3dcd59a1f907245f8...@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
INFO: rcu_sched self-detected stall on CPU
	0-...!: (124998 ticks this GP) idle=0be/1/4611686018427387908 softirq=15234/15234 fqs=59
	 (t=125000 jiffies g=7610 c=7609 q=351640)
rcu_sched kthread starved for 124739 jiffies! g7610 c7609 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1
RCU grace-period kthread stack dump:
rcu_sched       R  running task23896     9      2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2859 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3501
 schedule+0xef/0x430 kernel/sched/core.c:3545
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
NMI backtrace for cpu 0
CPU: 0 PID: 6381 Comm: sh Not tainted 4.17.0-rc5+ #58
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:lock_acquire+0x257/0x520 kernel/locking/lockdep.c:3923
RSP: :8801dae06b60 EFLAGS: 0286 ORIG_RAX: ff13
RAX: dc00 RBX: 11003b5c0d71 RCX:
RDX: 111a30e5 RSI: 8801c7b54c38 RDI: 0286
RBP: 8801dae06c50 R08: 0008 R09: 0003
R10: 8801c7b54cb0 R11: 8801c7b54400 R12: 8801c7b54400
R13: 0002 R14: R15:
 rcu_lock_acquire include/linux/rcupdate.h:246 [inline]
 rcu_read_lock include/linux/rcupdate.h:632 [inline]
 is_bpf_text_address+0x3b/0x170 kernel/bpf/core.c:478
 kernel_text_address+0x79/0xf0 kernel/extable.c:152
 __kernel_text_address+0xd/0x40 kernel/extable.c:107
 unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18
 __save_stack_trace+0x7e/0xd0 arch/x86/kernel/stacktrace.c:45
 save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slab.c:3335 [inline]
 kmem_cache_alloc_node+0x131/0x780 mm/slab.c:3642
 __alloc_skb+0x111/0x780 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:987 [inline]
 _sctp_make_chunk+0x58/0x280 net/sctp/sm_make_chunk.c:1417
 sctp_make_control net/sctp/sm_make_chunk.c:1464 [inline]
 sctp_make_heartbeat+0x8f/0x430 net/sctp/sm_make_chunk.c:1177
 sctp_sf_heartbeat.isra.23+0x26/0x180 net/sctp/sm_statefuns.c:1005
 sctp_sf_sendbeat_8_3+0x38e/0x550 net/sctp/sm_statefuns.c:1049
 sctp_do_sm+0x1ab/0x7160 net/sctp/sm_sideeffect.c:1188
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_ti
Re: WARNING in xfrm6_tunnel_net_exit (2)
syzbot has found a reproducer for the following crash on:

HEAD commit:    eb38401c779d net: stmmac: Populate missing callbacks in HW..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1233a82780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=e9aebef558e3ed673934
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1547dbcf80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=132307cf80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e9aebef558e3ed673...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
WARNING: CPU: 1 PID: 44 at net/ipv6/xfrm6_tunnel.c:348 xfrm6_tunnel_net_exit+0x2df/0x510 net/ipv6/xfrm6_tunnel.c:348
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 4.17.0-rc4+ #52
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:xfrm6_tunnel_net_exit+0x2df/0x510 net/ipv6/xfrm6_tunnel.c:348
RSP: 0018:8801d95273d8 EFLAGS: 00010293
RAX: 8801d955c380 RBX: 8801b03399f8 RCX: 86925525
RDX: RSI: 8692552f RDI: 0007
RBP: 8801d95274f8 R08: 8801d955c380 R09: 0006
R10: 8801d955c380 R11: R12: 00ff
R13: ed003b2a4e82 R14: 8801d95274d0 R15: 8801b3e25780
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
WARNING in xfrm6_tunnel_net_exit (2)
Hello,

syzbot found the following crash on:

HEAD commit:    2c71d338bef2 Merge tag 'powerpc-4.17-6' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a7bd5780
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
dashboard link: https://syzkaller.appspot.com/bug?extid=e9aebef558e3ed673934
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=17409d5780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e9aebef558e3ed673...@syzkaller.appspotmail.com

bond0: Enslaving bond_slave_1 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
WARNING: CPU: 1 PID: 6 at net/ipv6/xfrm6_tunnel.c:348 xfrm6_tunnel_net_exit+0x2df/0x510 net/ipv6/xfrm6_tunnel.c:348
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 6 Comm: kworker/u4:0 Not tainted 4.17.0-rc5+ #57
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:xfrm6_tunnel_net_exit+0x2df/0x510 net/ipv6/xfrm6_tunnel.c:348
RSP: 0018:8801d9a973d8 EFLAGS: 00010293
RAX: 8801d9a88180 RBX: 8801b6eda2b8 RCX: 868ff5f5
RDX: RSI: 868ff5ff RDI: 0007
RBP: 8801d9a974f8 R08: 8801d9a88180 R09: 0006
R10: 8801d9a88180 R11: R12: 00ff
R13: ed003b352e82 R14: 8801d9a974d0 R15: 8801b32f0700
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
general protection fault in smc_ioctl
Hello,

syzbot found the following crash on:

HEAD commit:    1f7455c3912d tcp: tcp_rack_reo_wnd() can be static
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=171a133780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=e6714328fda813fc670f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15782d5780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=108711a780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e6714328fda813fc6...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4559 Comm: syz-executor292 Not tainted 4.17.0-rc4+ #50
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_ioctl+0x3dc/0x9f0 net/smc/af_smc.c:1499
RSP: 0018:8801ad22f770 EFLAGS: 00010202
RAX: dc00 RBX: 8801ad0df7c0 RCX: 8741188f
RDX: 0004 RSI: 8741189e RDI: 0020
RBP: 8801ad22f9d0 R08: 8801ae87e6c0 R09: ed00363e1818
R10: ed00363e1818 R11: 8801b1f0c0c3 R12: 110035a45ef1
R13: 2080 R14: R15:
FS:  017b7880() GS:8801daf0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 7ffd1f18f038 CR3: 0001ad044000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 sock_do_ioctl+0xe4/0x3e0 net/socket.c:957
 sock_ioctl+0x30d/0x680 net/socket.c:1081
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x16a0 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fca9
RSP: 002b:7ffd1f073588 EFLAGS: 0213 ORIG_RAX: 0010
RAX: ffda RBX: 004002c8 RCX: 0043fca9
RDX: 2080 RSI: 5411 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 004015d0
R13: 00401660 R14: R15:
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 7d 05 00 00 4c 8b b3 90 04 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7e 20 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 47 05 00 00 45 8b 7e 20 4c
RIP: smc_ioctl+0x3dc/0x9f0 net/smc/af_smc.c:1499 RSP: 8801ad22f770
---[ end trace b586e1eb098f7714 ]---
KASAN: use-after-free Read in timer_is_static_object
Hello,

syzbot found the following crash on:

HEAD commit:    e6506eb24187 Merge tag 'trace-v4.17-rc4-2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=177fe47780
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
dashboard link: https://syzkaller.appspot.com/bug?extid=5d47e9ec91a6f15dbd6f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5d47e9ec91a6f15db...@syzkaller.appspotmail.com

RDX: RSI: RDI: 0016
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0017
R13: 0053 R14: 006f4868 R15: 0001
==
BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
Read of size 8 at addr 8801bebb5118 by task syz-executor2/25299

CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
 debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
 debug_timer_activate kernel/time/timer.c:709 [inline]
 debug_activate kernel/time/timer.c:764 [inline]
 __mod_timer kernel/time/timer.c:1041 [inline]
 mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
 sk_reset_timer+0x22/0x60 net/core/sock.c:2742
 ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 </IRQ>
RIP: 0010:cap_capable+0x3f/0x260 security/commoncap.c:82
RSP: 0018:8801ac75f8c8 EFLAGS: 0246 ORIG_RAX: ff13
RAX: dc00 RBX: 88d5be00 RCX:
RDX: 1100386dc571 RSI: 830ee893 RDI: 8801c36e2b88
RBP: 8801ac75f910 R08: 8801ac126440 R09: 8801ac75fcb8
R10: 8801ac126c78 R11: 8801ac75fc78 R12: dc00
R13: dc00 R14: 8801c36e2b00 R15: 0021
 cap_vm_enough_memory+0x50/0x70 security/commoncap.c:1307
 security_vm_enough_memory_mm+0x71/0xc0 security/security.c:327
 mmap_region+0x37b/0x1870 mm/mmap.c:1714
 do_mmap+0xde2/0x1360 mm/mmap.c:1535
 do_mmap_pgoff include/linux/mm.h:2237 [inline]
 vm_mmap_pgoff+0x1fb/0x2a0 mm/util.c:357
 ksys_mmap_pgoff+0x26e/0x640 mm/mmap.c:1585
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a5a
RSP: 002b:00a3e778 EFLAGS: 0246 ORIG_RAX: 0009
RAX: ffda RBX: 0003 RCX: 00455a5a
RDX: 0003 RSI: 00021000 RDI:
RBP: R08: R09:
R10: 00020022 R11: 0246 R12:
R13: 00021000 R14: 00020022 R15:

Allocated by task 25374:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
 dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
 __dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
 dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
 dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
 dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
 dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
 dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
 dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
 ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline
kernel BUG at lib/string.c:LINE! (4)
Hello,

syzbot found the following crash on:

HEAD commit:    0b7d9978406f Merge branch 'Microsemi-Ocelot-Ethernet-switc..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16e9101780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=aac887f77319868646df
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1665d63780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1051710780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aac887f7731986864...@syzkaller.appspotmail.com

IPVS: Unknown mcast interface: veth1_to�a
IPVS: Unknown mcast interface: veth1_to�a
IPVS: Unknown mcast interface: veth1_to�a
detected buffer overflow in strlen
------------[ cut here ]------------
kernel BUG at lib/string.c:1052!
invalid opcode: [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
RSP: 0018:8801c976f800 EFLAGS: 00010282
RAX: 0022 RBX: 0040 RCX:
RDX: 0022 RSI: 8160f6f1 RDI: ed00392edef6
RBP: 8801c976f800 R08: 8801cf4c62c0 R09: ed003b5e4fb0
R10: ed003b5e4fb0 R11: 8801daf27d87 R12: 8801c976fa20
R13: 8801c976fae4 R14: 8801c976fae0 R15: 048b
FS:  7fd99f75e700() GS:8801daf0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 21c0 CR3: 0001d6843000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 strlen include/linux/string.h:270 [inline]
 strlcpy include/linux/string.h:293 [inline]
 do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
 tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447369
RSP: 002b:7fd99f75dda8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006e39e4 RCX: 00447369
RDX: 048b RSI: RDI: 0003
RBP: R08: 0018 R09:
R10: 21c0 R11: 0246 R12: 006e39e0
R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0001
Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: 8801c976f800
---[ end trace 624046f2d9af7702 ]---
WARNING: kmalloc bug in memdup_user (3)
Hello,

syzbot found the following crash on:

HEAD commit:    c5c7d7f3c451 Merge branch 'bpf-sock-hashmap'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1626ae3780
kernel config:  https://syzkaller.appspot.com/x/.config?x=10c4dc62055b68f5
dashboard link: https://syzkaller.appspot.com/bug?extid=0f92a17b0706231d0a09
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=126a519780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1598c47780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0f92a17b0706231d0...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
WARNING: CPU: 0 PID: 4531 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70 mm/slab_common.c:996
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4531 Comm: syz-executor594 Not tainted 4.17.0-rc3+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:kmalloc_slab+0x56/0x70 mm/slab_common.c:996
RSP: 0018:8801ad4b7c48 EFLAGS: 00010246
RAX: RBX: fff4 RCX: 8185e678
RDX: 8185e6eb RSI: RDI: fffd
RBP: 8801ad4b7c48 R08: 8801adb3e2c0 R09: ed0035ba1f08
R10: ed0035ba1f08 R11: 8801add0f843 R12: fffd
R13: 2240 R14: R15: 014200c0
 __do_kmalloc mm/slab.c:3713 [inline]
 __kmalloc_track_caller+0x21/0x760 mm/slab.c:3733
 memdup_user+0x2c/0xa0 mm/util.c:160
 map_delete_elem+0x21b/0x4e0 kernel/bpf/syscall.c:796
 __do_sys_bpf kernel/bpf/syscall.c:2128 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2096 [inline]
 __x64_sys_bpf+0x33f/0x4f0 kernel/bpf/syscall.c:2096
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd89
RSP: 002b:7ffe3ad9ad78 EFLAGS: 0213 ORIG_RAX: 0141
RAX: ffda RBX: 004002c8 RCX: 0043fd89
RDX: 0010 RSI: 2000 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 004016b0
R13: 00401740 R14: R15:
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
WARNING: kmalloc bug in map_get_next_key
Hello,

syzbot found the following crash on:

HEAD commit:    c5c7d7f3c451 Merge branch 'bpf-sock-hashmap'
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13ec787780
kernel config:  https://syzkaller.appspot.com/x/.config?x=10c4dc62055b68f5
dashboard link: https://syzkaller.appspot.com/bug?extid=e4566d29080e7f3460ff
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12c3541780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=178c97f780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e4566d29080e7f346...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
WARNING: CPU: 0 PID: 4499 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70 mm/slab_common.c:996
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4499 Comm: syz-executor050 Not tainted 4.17.0-rc3+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:kmalloc_slab+0x56/0x70 mm/slab_common.c:996
RSP: 0018:8801d907fc58 EFLAGS: 00010246
RAX: RBX: 8801aeecb280 RCX: 8185ebd7
RDX: RSI: RDI: ffe1
RBP: 8801d907fc58 R08: 8801adb5e1c0 R09: ed0035a84700
R10: ed0035a84700 R11: 8801ad423803 R12: 8801aeecb280
R13: fff4 R14: 8801ad891a00 R15: 014200c0
 __do_kmalloc mm/slab.c:3713 [inline]
 __kmalloc+0x25/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:517 [inline]
 map_get_next_key+0x24a/0x640 kernel/bpf/syscall.c:858
 __do_sys_bpf kernel/bpf/syscall.c:2131 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2096 [inline]
 __x64_sys_bpf+0x354/0x4f0 kernel/bpf/syscall.c:2096
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd89
RSP: 002b:7ffd6aab4668 EFLAGS: 0213 ORIG_RAX: 0141
RAX: ffda RBX: 004002c8 RCX: 0043fd89
RDX: 0007 RSI: 2040 RDI: 0004
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 004016b0
R13: 00401740 R14: R15:
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
INFO: rcu detected stall in ip_route_output_key_hash
Hello,

syzbot found the following crash on:

HEAD commit:    0b7d9978406f Merge branch 'Microsemi-Ocelot-Ethernet-switc..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1138c47780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=769a7ccbbb4b5074f125
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+769a7ccbbb4b5074f...@syzkaller.appspotmail.com

netlink: 4 bytes leftover after parsing attributes in process `syz-executor2'.
random: crng init done
INFO: rcu_sched self-detected stall on CPU
	1-...!: (121515 ticks this GP) idle=e7e/1/4611686018427387908 softirq=31362/31362 fqs=7
	 (t=125000 jiffies g=16439 c=16438 q=668508)
rcu_sched kthread starved for 124958 jiffies! g16439 c16438 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0
RCU grace-period kthread stack dump:
rcu_sched       R  running task23768     9      2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
NMI backtrace for cpu 1
CPU: 1 PID: 4488 Comm: syz-fuzzer Not tainted 4.17.0-rc4+ #45
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:rcu_is_watching+0x6/0x140 kernel/rcu/tree.c:1071
RSP: :8801daf06620 EFLAGS: 0206 ORIG_RAX: ff13
RAX: 8801ad526240 RBX: RCX: 8656
RDX: 0100 RSI: 86b8 RDI: 0001
RBP: 8801daf06628 R08: 8801ad526240 R09: 0002
R10: 8801ad526240 R11: R12: 11003b5e0cca
R13: 88008ff1a100 R14: R15: 8801daf066d0
 rcu_read_unlock include/linux/rcupdate.h:684 [inline]
 ip_route_output_key_hash+0x2cd/0x390 net/ipv4/route.c:2303
 __ip_route_output_key include/net/route.h:124 [inline]
 ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2557
 ip_route_output_key include/net/route.h:134 [inline]
 sctp_v4_get_dst+0x50e/0x17a0 net/sctp/protocol.c:447
 sctp_transport_route+0x132/0x360 net/sctp/transport.c:303
 sctp_packet_config+0x926/0xdd0 net/sctp/output.c:118
 sctp_outq_select_transport+0x2bb/0x9c0 net/sctp/outqueue.c:877
 sctp_outq_flush_ctrl.constprop.12+0x2ad/0xe60 net/sctp/outqueue.c:911
 sctp_outq_flush+0x2ef/0x3430 net/sctp/outqueue.c:1203
 sctp_outq_uncork+0x6a/0x80 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x596/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
 </IRQ>
RIP: 0033:0x40b55d
RSP: 002b:00c424bedca8 EFLAGS: 0293 ORIG_RAX: ff13
RAX: 00c4244e5470 RBX: 4d36768c RCX: 00
INFO: rcu detected stall in sctp_packet_transmit
Hello,

syzbot found the following crash on:

HEAD commit:    961423f9fcbc Merge branch 'sctp-Introduce-sctp_flush_ctx'
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1366aea780
kernel config:  https://syzkaller.appspot.com/x/.config?x=51fb0a6913f757db
dashboard link: https://syzkaller.appspot.com/bug?extid=ff0b569fb5111dcd1a36
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ff0b569fb5111dcd1...@syzkaller.appspotmail.com

INFO: rcu_sched self-detected stall on CPU 0-: (1 GPs behind) idle=dae/1/4611686018427387908 softirq=93090/93091 fqs=30902 (t=125000 jiffies g=51107 c=51106 q=972)
NMI backtrace for cpu 0
CPU: 0 PID: 24668 Comm: syz-executor6 Not tainted 4.17.0-rc4+ #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:sctp_v6_xmit+0x259/0x6b0 net/sctp/ipv6.c:219
RSP: 0018:8801dae068e8 EFLAGS: 0246 ORIG_RAX: ff13
RAX: 0007 RBX: 8801bb7ec800 RCX: 86f1b345
RDX: RSI: 86f1b381 RDI: 8801b73d97c4
RBP: 8801dae06988 R08: 88019505c300 R09: ed003b5c46c2
R10: ed003b5c46c2 R11: 8801dae23613 R12: 88011fd57300
R13: 8801bb7ecec8 R14: 0029 R15: 0002
 sctp_packet_transmit+0x26f6/0x3ba0 net/sctp/output.c:642
 sctp_outq_flush_transports net/sctp/outqueue.c:1164 [inline]
 sctp_outq_flush+0x5f5/0x3430 net/sctp/outqueue.c:1212
 sctp_outq_uncork+0x6a/0x80 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x596/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa1/0xc0 kernel/locking/spinlock.c:184
RSP: 0018:880196227328 EFLAGS: 0286 ORIG_RAX: ff13
RAX: dc00 RBX: 0286 RCX:
RDX: 111a316d RSI: 0001 RDI: 0286
RBP: 880196227338 R08: ed003b5c4b81 R09:
R10: R11: R12: 8801dae25c00
R13: 8801dae25c80 R14: 880196227758 R15: 8801dae25c00
 unlock_hrtimer_base kernel/time/hrtimer.c:887 [inline]
 hrtimer_start_range_ns+0x692/0xd10 kernel/time/hrtimer.c:1118
 hrtimer_start_expires include/linux/hrtimer.h:412 [inline]
 futex_wait_queue_me+0x304/0x820 kernel/futex.c:2517
 futex_wait+0x450/0x9f0 kernel/futex.c:2645
 do_futex+0x336/0x27d0 kernel/futex.c:3527
 __do_sys_futex kernel/futex.c:3587 [inline]
 __se_sys_futex kernel/futex.c:3555 [inline]
 __x64_sys_futex+0x46a/0x680 kernel/futex.c:3555
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a09
RSP: 002b:00a3e938 EFLAGS: 0246 ORIG_RAX: 00ca
RAX
KMSAN: uninit-value in __sctp_v6_cmp_addr
Hello,

syzbot found the following crash on:

HEAD commit:    74ee2200b89f kmsan: bump .config.example to v4.17-rc3
git tree:       https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=169efb5b80
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ca1e57bafa8ab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=85490c30c260afff22f2
compiler:       clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=157e923780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10fe5de780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+85490c30c260afff2...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x49a/0x850 net/sctp/ipv6.c:580
CPU: 0 PID: 4453 Comm: syz-executor325 Not tainted 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 __sctp_v6_cmp_addr+0x49a/0x850 net/sctp/ipv6.c:580
 sctp_inet6_cmp_addr+0x3dc/0x400 net/sctp/ipv6.c:898
 sctp_bind_addr_match+0x18b/0x2f0 net/sctp/bind_addr.c:330
 sctp_addrs_lookup_transport+0x904/0xa20 net/sctp/input.c:942
 __sctp_lookup_association net/sctp/input.c:985 [inline]
 __sctp_rcv_lookup net/sctp/input.c:1249 [inline]
 sctp_rcv+0x15e6/0x4d30 net/sctp/input.c:170
 ip_local_deliver_finish+0x874/0xec0 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0xa36/0x1d00 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x118f/0x16d0 net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4592
 __netif_receive_skb net/core/dev.c:4657 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5801
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
 ip_finish_output2+0x135a/0x1470 net/ipv4/ip_output.c:231
 ip_finish_output+0xcb2/0xff0 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x505/0x5d0 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:444 [inline]
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 ip_queue_xmit+0x1a1e/0x1d10 net/ipv4/ip_output.c:504
 sctp_v4_xmit+0x188/0x210 net/sctp/protocol.c:983
 sctp_packet_transmit+0x3eaa/0x4350 net/sctp/output.c:650
 sctp_outq_flush+0x1a7a/0x6320 net/sctp/outqueue.c:1197
 sctp_outq_uncork+0xd2/0xf0 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x8707/0x8d20 net/sctp/sm_sideeffect.c:1191
 sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:200
 sctp_apply_peer_addr_params+0x207/0x1670 net/sctp/socket.c:2487
 sctp_setsockopt_peer_addr_params net/sctp/socket.c:2683 [inline]
 sctp_setsockopt+0x10e5f/0x11600 net/sctp/socket.c:4258
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:3039
 __sys_setsockopt+0x4af/0x560 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
 do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fef9
RSP: 002b:7ffc00d9bfd8 EFLAGS: 0207 ORIG_RAX: 0036
RAX: ffda RBX: 004002c8 RCX: 0043fef9
RDX: 0009 RSI: 0084 RDI: 0003
RBP: 006ca018 R08: 0098 R09: 001c
R10: 2180 R11: 0207 R12: 00401820
R13: 004018b0 R14: R15:

Local variable description: dest@sctp_rcv
Variable was created at:
 sctp_rcv+0x13d/0x4d30 net/sctp/input.c:97
 ip_local_deliver_finish+0x874/0xec0 net/ipv4/ip_input.c:215
==

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com
KMSAN: uninit-value in tipc_conn_rcv_sub
Hello,

syzbot found the following crash on:

HEAD commit:    74ee2200b89f kmsan: bump .config.example to v4.17-rc3
git tree:       https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=12ab863780
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ca1e57bafa8ab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=8951a3065ee7fd6d6e23
compiler:       clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15a497f780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=177c190780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8951a3065ee7fd6d6...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KMSAN: uninit-value in tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
CPU: 0 PID: 66 Comm: kworker/u4:4 Not tainted 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tipc_rcv tipc_conn_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
 tipc_conn_rcv_from_sock net/tipc/topsrv.c:409 [inline]
 tipc_conn_recv_work+0x3cd/0x560 net/tipc/topsrv.c:424
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2279
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:412

Local variable description: s.i@tipc_conn_recv_work
Variable was created at:
 tipc_conn_recv_work+0x65/0x560 net/tipc/topsrv.c:419
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
==
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 66 Comm: kworker/u4:4 Tainted: GB 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tipc_rcv tipc_conn_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 panic+0x39d/0x940 kernel/panic.c:184
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
 tipc_conn_rcv_from_sock net/tipc/topsrv.c:409 [inline]
 tipc_conn_recv_work+0x3cd/0x560 net/tipc/topsrv.c:424
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2279
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:412
Dumping ftrace buffer:
 (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
WARNING in iov_iter_revert
Hello,

syzbot found the following crash on:

HEAD commit:    427fbe89261d Merge branch 'next' of git://git.kernel.org/p..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b3347780
kernel config:  https://syzkaller.appspot.com/x/.config?x=fcce42b221691ff9
dashboard link: https://syzkaller.appspot.com/bug?extid=c226690f7b3126c5ee04
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=144f199780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141d541780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c226690f7b3126c5e...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
WARNING: CPU: 1 PID: 4542 at lib/iov_iter.c:857 iov_iter_revert+0x2ee/0xaa0 lib/iov_iter.c:857
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4542 Comm: syz-executor650 Not tainted 4.17.0-rc4+ #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:iov_iter_revert+0x2ee/0xaa0 lib/iov_iter.c:857
RSP: 0018:8801ad1bf700 EFLAGS: 00010293
RAX: 8801ac55e6c0 RBX: RCX: 835104a1
RDX: RSI: 8351074e RDI: 0007
RBP: 8801ad1bf760 R08: 8801ac55e6c0 R09: ed003b5e46c2
R10: 0003 R11: 0001 R12: 0001
R13: 8801ad1bfd60 R14: 0011 R15: 8801ae9ac040
 tls_sw_sendmsg+0xf1c/0x12d0 net/tls/tls_sw.c:448
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4403a9
RSP: 002b:7ffdcdfbd6c8 EFLAGS: 0207 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 004403a9
RDX: RSI: 20001340 RDI: 0003
RBP: 006ca018 R08: 001c R09: 001c
R10: 2180 R11: 0207 R12: 00401cd0
R13: 00401d60 R14: R15:
Dumping ftrace buffer:
 (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
KASAN: use-after-free Read in sctp_do_sm
Hello,

syzbot found the following crash on:

HEAD commit:    f142f08bf7ec Fix typo in comment.
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1159ade780
kernel config:  https://syzkaller.appspot.com/x/.config?x=31f4b3733894ef79
dashboard link: https://syzkaller.appspot.com/bug?extid=141d898c5f24489db4aa
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+141d898c5f24489db...@syzkaller.appspotmail.com

RDX: 0008 RSI: 2000 RDI: 0014
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0015
R13: 071e R14: 006feb70 R15: 0007
==
BUG: KASAN: use-after-free in sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1817 [inline]
BUG: KASAN: use-after-free in sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
BUG: KASAN: use-after-free in sctp_do_sm+0x6015/0x7160 net/sctp/sm_sideeffect.c:1191
Read of size 1 at addr 8801c7883cb8 by task syz-executor6/18616

CPU: 1 PID: 18616 Comm: syz-executor6 Not tainted 4.17.0-rc4+ #38
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1817 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x6015/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_assoc_bh_rcv+0x30f/0x520 net/sctp/associola.c:1065
 sctp_inq_push+0x263/0x320 net/sctp/inqueue.c:95
 sctp_backlog_rcv+0x192/0xc00 net/sctp/input.c:350
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 sctp_sendmsg+0x13cc/0x1d70 net/sctp/socket.c:2128
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 sock_write_iter+0x35a/0x5a0 net/socket.c:908
 call_write_iter include/linux/fs.h:1784 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x64d/0x960 fs/read_write.c:487
 vfs_write+0x1f8/0x560 fs/read_write.c:549
 ksys_write+0xf9/0x250 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f6fad842c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7f6fad8436d4 RCX: 00455979
RDX: 0008 RSI: 2000 RDI: 0014
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0015
R13: 071e R14: 006feb70 R15: 0007

Allocated by task 18616:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:691 [inline]
 sctp_chunkify+0xce/0x400 net/sctp/sm_make_chunk.c:1355
 sctp_rcv+0xc65/0x3a60 net/sctp/input.c:221
 sctp6_rcv+0x15/0x30 net/sctp/ipv6.c:1045
 ip6_input_finish+0x3ff/0x1a30 net/ipv6/ip6_input.c:284
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ipv6_rcv+0xed6/0x22a0 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
 process_backlog+0x219/0x760 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285

Freed by task 18616:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1481 [inline]
 sctp_chunk_put+0x321/0x440 net/sctp/sm_make_chunk.c:1504
 sctp_ulpevent_make_rcvmsg+0x955/0xd40 net/sctp/ulpevent.c:718
 sctp_ulpq_tail_data+0xa8/0x12b0 net/sctp/ulpqueue.c:108
 sctp_cmd_interpreter net/sctp
INFO: rcu detected stall in sctp_generate_heartbeat_event
Hello,

syzbot found the following crash on:

HEAD commit:    90278871d4b0 Merge git://git.kernel.org/pub/scm/linux/kern..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=119a723780
kernel config:  https://syzkaller.appspot.com/x/.config?x=aea320d3af5ef99d
dashboard link: https://syzkaller.appspot.com/bug?extid=e4a5bbd54260c93014f9
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e4a5bbd54260c9301...@syzkaller.appspotmail.com

device bridge0 left promiscuous mode
IPVS: set_ctl: invalid protocol: 56 0.0.0.0:20003 fo
IPVS: set_ctl: invalid protocol: 175 224.0.0.2:20003 dh
INFO: rcu_sched self-detected stall on CPU 0-...!: (119824 ticks this GP) idle=4b6/1/4611686018427387908 softirq=23864/23864 fqs=5 (t=125000 jiffies g=13072 c=13071 q=480954)
NMI backtrace for cpu 0
CPU: 0 PID: 4547 Comm: udevd Not tainted 4.17.0-rc3+ #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:rep_nop arch/x86/include/asm/processor.h:667 [inline]
RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:672 [inline]
RIP: 0010:virt_spin_lock arch/x86/include/asm/qspinlock.h:69 [inline]
RIP: 0010:native_queued_spin_lock_slowpath+0x204/0xde0 kernel/locking/qspinlock.c:305
RSP: 0018:8801dae07390 EFLAGS: 0202 ORIG_RAX: ff13
RAX: RBX: ed003b5c0e8b RCX: 0004
RDX: RSI: 0004 RDI: 8801a9e9d088
RBP: 8801dae07700 R08: ed00353d3a12 R09: ed00353d3a11
R10: ed00353d3a11 R11: 8801a9e9d08b R12: 8801a9e9d088
R13: 8801dae076d8 R14: 0001 R15: dc00
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:674 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:30 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:90 [inline]
 do_raw_spin_lock+0x1a7/0x200 kernel/locking/spinlock_debug.c:113
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x32/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 sctp_generate_heartbeat_event+0xa4/0x450 net/sctp/sm_sideeffect.c:386
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:rcu_is_watching+0x41/0x140 kernel/rcu/tree.c:1071
RSP: 0018:8801ad457848 EFLAGS: 0296 ORIG_RAX: ff13
RAX: ed0035a8af0a RBX: 110035a8af0a RCX: 8801ad4578f0
RDX: RSI: 8801ad457f58 RDI: 897bf004
RBP: 8801ad4578d8 R08: 8801ad457978 R09: 8801ad53e040
R10: ed0035a8af32 R11: 8801ad457997 R12: 8801ad457988
R13: R14: 8801ad4578b0 R15: dc00
syz-executor3 (7657) used greatest stack depth: 15968 bytes left
 kernel_text_address+0x61/0xf0 kernel/extable.c:140
 __kernel_text_address+0xd/0x40 kernel/extable.c:107
 unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18
 __save_stack_trace+0x7e/0xd0 arch/x86/kernel/stacktrace.c:45
 save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm
BUG: spinlock bad magic in tun_do_read
Hello,

syzbot found the following crash on:

HEAD commit:    75bc37fefc44 Linux 4.17-rc4
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1162c69780
kernel config:  https://syzkaller.appspot.com/x/.config?x=31f4b3733894ef79
dashboard link: https://syzkaller.appspot.com/bug?extid=e8b902c3c3fadf0a9dba
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=172e4c9780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e8b902c3c3fadf0a9...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
BUG: spinlock bad magic on CPU#0, syz-executor0/4586
 lock: 0x8801ae8928c8, .magic: , .owner: /-1, .owner_cpu: 0
CPU: 0 PID: 4586 Comm: syz-executor0 Not tainted 4.17.0-rc4+ #62
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 spin_dump+0x160/0x169 kernel/locking/spinlock_debug.c:67
 spin_bug kernel/locking/spinlock_debug.c:75 [inline]
 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 do_raw_spin_lock.cold.3+0x37/0x3c kernel/locking/spinlock_debug.c:112
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x32/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 ptr_ring_consume include/linux/ptr_ring.h:335 [inline]
 tun_ring_recv drivers/net/tun.c:2143 [inline]
 tun_do_read+0x18b1/0x29f0 drivers/net/tun.c:2182
 tun_chr_read_iter+0xe5/0x1e0 drivers/net/tun.c:2214
 call_read_iter include/linux/fs.h:1778 [inline]
 new_sync_read fs/read_write.c:406 [inline]
 __vfs_read+0x696/0xa50 fs/read_write.c:418
 vfs_read+0x17f/0x3d0 fs/read_write.c:452
 ksys_pread64+0x174/0x1a0 fs/read_write.c:626
 __do_compat_sys_x86_pread arch/x86/ia32/sys_ia32.c:177 [inline]
 __se_compat_sys_x86_pread arch/x86/ia32/sys_ia32.c:174 [inline]
 __ia32_compat_sys_x86_pread+0xc4/0x130 arch/x86/ia32/sys_ia32.c:174
 do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
 do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fc0cb9
RSP: 002b:f7fbc0ac EFLAGS: 0282 ORIG_RAX: 00b4
RAX: ffda RBX: 0003 RCX: 2080
RDX: 006e RSI: RDI:
RBP: R08: R09:
R10: R11: 0292 R12:
R13: R14: R15:

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. If you forgot to add the
Reported-by tag, once the fix for this bug is merged into any tree, please
reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
INFO: task hung in flush_work
Hello,

syzbot found the following crash on:

HEAD commit:    8fb11a9a8d51 net/ipv6: rename rt6_next to fib6_next
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12ca275b80
kernel config:  https://syzkaller.appspot.com/x/.config?x=c416c61f3cd96be
dashboard link: https://syzkaller.appspot.com/bug?extid=2e7b6af5956e05e5cff7
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2e7b6af5956e05e5c...@syzkaller.appspotmail.com

netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'.
INFO: task syz-executor4:17145 blocked for more than 120 seconds.
      Not tainted 4.17.0-rc3+ #33
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor4 D21736 17145 4542 0x8002
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x1b5/0x240 kernel/time/timer.c:1777
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common kernel/sched/completion.c:115 [inline]
 wait_for_completion+0x3e7/0x870 kernel/sched/completion.c:136
 flush_work+0x531/0x900 kernel/workqueue.c:2903
 smc_close_active+0x618/0x9c0 net/smc/smc_close.c:189
 smc_release+0x46b/0x610 net/smc/af_smc.c:141
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2469
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f4181b74ce8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0072bf78 RCX: 00455979
RDX: RSI: RDI: 0072bf78
RBP: 0072bf78 R08: R09: 0072bf50
R10: R11: 0246 R12:
R13: 00a3e81f R14: 7f4181b759c0 R15: 0001

Showing all locks held in the system:
2 locks held by khungtaskd/894:
 #0: 2a4a1b2a (rcu_read_lock){}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 2a4a1b2a (rcu_read_lock){}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
 #1: 472c3276 (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470
2 locks held by getty/4468:
 #0: 65ad3d93 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: bfe7ad12 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4469:
 #0: 6f6b456f (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: d44cbfd2 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4470:
 #0: 39a0b4b8 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 422d9092 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4471:
 #0: 49ab501c (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: b1883d82 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4472:
 #0: e473e0f9 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: d6a5f6ee (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4473:
 #0: af39adc0 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 5b852d11 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4474:
 #0: b68f2084 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 34e0241f (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by kworker/0:3/4924:
 #0: 53ed24fb ((wq_completion)"events"){+.+.}, at: __write_once_size include/li
INFO: task hung in tls_push_record
Hello,

syzbot found the following crash on:

HEAD commit:    8fb11a9a8d51 net/ipv6: rename rt6_next to fib6_next
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=108e923780
kernel config:  https://syzkaller.appspot.com/x/.config?x=c416c61f3cd96be
dashboard link: https://syzkaller.appspot.com/bug?extid=4006516aae0b06e7050f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4006516aae0b06e70...@syzkaller.appspotmail.com

INFO: task syz-executor7:20304 blocked for more than 120 seconds.
      Not tainted 4.17.0-rc3+ #33
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor7   D24680 20304   4547 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x1b5/0x240 kernel/time/timer.c:1777
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common kernel/sched/completion.c:115 [inline]
 wait_for_completion+0x3e7/0x870 kernel/sched/completion.c:136
 crypto_wait_req include/linux/crypto.h:512 [inline]
 tls_do_encryption net/tls/tls_sw.c:217 [inline]
 tls_push_record+0xedc/0x13e0 net/tls/tls_sw.c:248
 tls_sw_sendmsg+0x8d7/0x12b0 net/tls/tls_sw.c:440
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 sock_write_iter+0x35a/0x5a0 net/socket.c:908
 call_write_iter include/linux/fs.h:1784 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x64d/0x960 fs/read_write.c:487
 vfs_write+0x1f8/0x560 fs/read_write.c:549
 ksys_write+0xf9/0x250 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7fad08582c68 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 7fad085836d4 RCX: 00455979
RDX: 0050 RSI: 2280 RDI: 0013
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12:
R13: 0713 R14: 006fea68 R15:

Showing all locks held in the system:
2 locks held by khungtaskd/892:
 #0: 3f978916 (rcu_read_lock){}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 3f978916 (rcu_read_lock){}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
 #1: a6e1e84d (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470
2 locks held by getty/4466:
 #0: bb90ee4c (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 5c64e739 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4467:
 #0: a703ee54 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: c6bc54dc (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4468:
 #0: 7e39712e (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 3afa8b0a (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4469:
 #0: 4a2f1f14 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: a9bb6673 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4470:
 #0: 5c9ac5a5 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: e940f7ee (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4471:
 #0: b0318201 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: faa92852 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4472:
 #0: 2f556699 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: c5b4fb47 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
1 lock held by syz-executor7/20304:
 #0: 1da4f4a9 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1474 [inline]
 #0: 1da4f4a9 (sk_lock-AF_INET6){+.+.}, at: tls_sw_sendmsg+0x1b9/0x12b0 net/tls/tls_sw.c:384
1 lock held by syz-executor7/20375:
 #0: 286d2e23 (sk_lock-AF_INET6){+.+.}, at: lock_sock
BUG: please report to d...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_his
Hello,

syzbot found the following crash on:

HEAD commit:    c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13d5de4780
kernel config:  https://syzkaller.appspot.com/x/.config?x=5a1dc06635c10d27
dashboard link: https://syzkaller.appspot.com/bug?extid=99858724c0ba555a12ea
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=170afde780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141b4be780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+99858724c0ba555a1...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
BUG: please report to d...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
CPU: 0 PID: 4495 Comm: syz-executor551 Not tainted 4.17.0-rc3+ #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c net/dccp/ccids/lib/packet_history.c:422
 ccid3_hc_rx_packet_recv+0x5c8/0xed0 net/dccp/ccids/ccid3.c:765
 ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
 dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
 dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __sk_receive_skb+0x3a2/0xd60 net/core/sock.c:513
 dccp_v4_rcv+0x10e5/0x1f3f net/dccp/ipv4.c:875
 ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
 process_backlog+0x219/0x760 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
 do_softirq.part.17+0x14d/0x190 kernel/softirq.c:329
 do_softirq arch/x86/include/asm/preempt.h:23 [inline]
 __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:182
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
 ip_finish_output2+0xab2/0x1840 net/ipv4/ip_output.c:231
 ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x21b/0x850 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504
 dccp_transmit_skb+0x999/0x12e0 net/dccp/output.c:142
 dccp_xmit_packet+0x250/0x790 net/dccp/output.c:281
 dccp_write_xmit+0x190/0x1f0 net/dccp/output.c:363
 dccp_sendmsg+0x8c7/0x1020 net/dccp/proto.c:818
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 __do_sys_sendmmsg net/socket.c:2241 [inline]
 __se_sys_sendmmsg net/socket.c:2238 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445d09
RSP: 002b:7f3c7eff5d88 EFLAGS: 0293 ORIG_RAX: 0133
RAX: ffda RBX: 006dac40 RCX: 00445d09
RDX: 0001 RSI: 00

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
possible deadlock in sk_diag_fill
Hello,

syzbot found the following crash on:

HEAD commit:    c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12164c9780
kernel config:  https://syzkaller.appspot.com/x/.config?x=5a1dc06635c10d27
dashboard link: https://syzkaller.appspot.com/bug?extid=c1872be62e587eae9669
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c1872be62e587eae9...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
4.17.0-rc3+ #59 Not tainted
------------------------------------------------------
syz-executor1/25282 is trying to acquire lock:
4fddf743 (&(>lock)->rlock/1){+.+.}, at: sk_diag_dump_icons net/unix/diag.c:82 [inline]
4fddf743 (&(>lock)->rlock/1){+.+.}, at: sk_diag_fill.isra.5+0xa43/0x10d0 net/unix/diag.c:144

but task is already holding lock:
b6895645 (rlock-AF_UNIX){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
b6895645 (rlock-AF_UNIX){+.+.}, at: sk_diag_dump_icons net/unix/diag.c:64 [inline]
b6895645 (rlock-AF_UNIX){+.+.}, at: sk_diag_fill.isra.5+0x94e/0x10d0 net/unix/diag.c:144

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (rlock-AF_UNIX){+.+.}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
       skb_queue_tail+0x26/0x150 net/core/skbuff.c:2900
       unix_dgram_sendmsg+0xf77/0x1730 net/unix/af_unix.c:1797
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:639
       ___sys_sendmsg+0x525/0x940 net/socket.c:2117
       __sys_sendmmsg+0x3bb/0x6f0 net/socket.c:2205
       __compat_sys_sendmmsg net/compat.c:770 [inline]
       __do_compat_sys_sendmmsg net/compat.c:777 [inline]
       __se_compat_sys_sendmmsg net/compat.c:774 [inline]
       __ia32_compat_sys_sendmmsg+0x9f/0x100 net/compat.c:774
       do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
       do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

-> #0 (&(>lock)->rlock/1){+.+.}:
       lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
       _raw_spin_lock_nested+0x28/0x40 kernel/locking/spinlock.c:354
       sk_diag_dump_icons net/unix/diag.c:82 [inline]
       sk_diag_fill.isra.5+0xa43/0x10d0 net/unix/diag.c:144
       sk_diag_dump net/unix/diag.c:178 [inline]
       unix_diag_dump+0x35f/0x550 net/unix/diag.c:206
       netlink_dump+0x507/0xd20 net/netlink/af_netlink.c:2226
       __netlink_dump_start+0x51a/0x780 net/netlink/af_netlink.c:2323
       netlink_dump_start include/linux/netlink.h:214 [inline]
       unix_diag_handler_dump+0x3f4/0x7b0 net/unix/diag.c:307
       __sock_diag_cmd net/core/sock_diag.c:230 [inline]
       sock_diag_rcv_msg+0x2e0/0x3d0 net/core/sock_diag.c:261
       netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
       sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:272
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:639
       sock_write_iter+0x35a/0x5a0 net/socket.c:908
       call_write_iter include/linux/fs.h:1784 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x64d/0x960 fs/read_write.c:487
       vfs_write+0x1f8/0x560 fs/read_write.c:549
       ksys_write+0xf9/0x250 fs/read_write.c:598
       __do_sys_write fs/read_write.c:610 [inline]
       __se_sys_write fs/read_write.c:607 [inline]
       __ia32_sys_write+0x71/0xb0 fs/read_write.c:607
       do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
       do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rlock-AF_UNIX);
                               lock(&(>lock)->rlock/1);
                               lock(rlock-AF_UNIX);
  lock(&(>lock)->rlock/1);

 *** DEADLOCK ***

5 locks held by syz-executor1/25282:
 #0: 3919e1bd (sock_diag_mutex){+.+.}, at: sock_diag_rcv+0x1b/0x40 net/core/sock_diag.c:271
 #1: 4f328d3e (sock_diag_table_mutex){+.+.}, at: __sock_diag_cmd net/core/sock_diag.c:225 [inline]
 #1: 4f328d3e (sock_diag_table_mu
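The dependency chain in the report above is the whole argument: entry #1 records rlock-AF_UNIX being taken (in skb_queue_tail, called from unix_dgram_sendmsg) at a time when the nested unix socket lock was already held, and entry #0 records sk_diag_dump_icons taking the same two locks in the opposite order. Lockdep derives the "possible unsafe locking scenario" from those single-task acquisition orders alone; the two paths never had to race. The block below, added here as an illustration and not part of the syzbot report or of the kernel, replays the two orders against a toy lock-order graph that works the same way. The class ids, the display names, and the statement that path #1 held the socket lock when it took the queue lock (the chain implies it, the trace does not print it) are assumptions of the example. The second function shows that the same two paths with one agreed order build no cycle; that states only the invariant a fix has to restore, not the kernel's actual fix for this report.

```c
/* Added example for this page (not kernel code and not part of the syzbot
 * report): a toy lock-order graph in the spirit of lockdep.  Taking class B
 * while holding class A records the edge A -> B ("B depends on A"); if B can
 * already reach A, the acquisition closes a cycle, which is lockdep's
 * "possible circular locking dependency". */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 8
#define MAX_HELD    4

/* Assumed ids and display names for the two lock classes in the report. */
enum { SOCK_LOCK = 0, RLOCK_AF_UNIX = 1 };
static const char *const class_name[MAX_CLASSES] = {
    [SOCK_LOCK] = "unix socket lock (/1 subclass)", [RLOCK_AF_UNIX] = "rlock-AF_UNIX",
};

static bool dep[MAX_CLASSES][MAX_CLASSES]; /* dep[a][b]: b taken while holding a */

struct task { int held[MAX_HELD]; int nheld; }; /* held classes, oldest first */

/* Depth-first walk over recorded edges: is `to` reachable from `from`? */
static bool reaches(int from, int to, bool visited[MAX_CLASSES])
{
    if (from == to)
        return true;
    visited[from] = true;
    for (int next = 0; next < MAX_CLASSES; next++)
        if (dep[from][next] && !visited[next] && reaches(next, to, visited))
            return true;
    return false;
}

/* Returns true when `cls` already depends on a lock `t` holds, i.e. taking it
 * now would close a cycle.  Edges are recorded only for safe acquisitions. */
static bool lock_acquire(struct task *t, int cls)
{
    bool cycle = false;
    for (int i = 0; i < t->nheld; i++) {
        bool visited[MAX_CLASSES] = { false };
        int held = t->held[i];
        if (reaches(cls, held, visited)) {
            printf("possible circular locking dependency: taking %s while holding "
                   "%s, but %s already depends on %s\n", class_name[cls],
                   class_name[held], class_name[held], class_name[cls]);
            cycle = true;
        }
    }
    if (!cycle)
        for (int i = 0; i < t->nheld; i++)
            dep[t->held[i]][cls] = true;
    if (t->nheld < MAX_HELD)
        t->held[t->nheld++] = cls;
    return cycle;
}

static void lock_release(struct task *t, int cls)
{
    for (int i = 0; i < t->nheld; i++)
        if (t->held[i] == cls) {
            memmove(&t->held[i], &t->held[i + 1],
                    (size_t)(t->nheld - i - 1) * sizeof(t->held[0]));
            t->nheld--;
            return;
        }
}

/* Replay of the report's two paths.  #1 (unix_dgram_sendmsg -> skb_queue_tail)
 * takes the queue lock with the socket lock held, an order inferred from the
 * dependency chain rather than printed in the trace; #0 (sk_diag_dump_icons)
 * takes them the other way round.  True if only the second path is flagged. */
static bool replay_report_inversion(void)
{
    struct task sendmsg = { .nheld = 0 }, diag = { .nheld = 0 };
    memset(dep, 0, sizeof(dep));
    lock_acquire(&sendmsg, SOCK_LOCK);
    bool first = lock_acquire(&sendmsg, RLOCK_AF_UNIX); /* records SOCK -> RLOCK */
    lock_release(&sendmsg, RLOCK_AF_UNIX);
    lock_release(&sendmsg, SOCK_LOCK);
    lock_acquire(&diag, RLOCK_AF_UNIX);
    bool second = lock_acquire(&diag, SOCK_LOCK);       /* RLOCK -> SOCK: cycle */
    return !first && second;
}

/* The same two paths with one agreed order never build a cycle.  This states
 * the invariant a fix must restore; it is not the kernel's actual fix. */
static bool replay_consistent_order(void)
{
    struct task a = { .nheld = 0 }, b = { .nheld = 0 };
    bool flagged = false;
    memset(dep, 0, sizeof(dep));
    flagged |= lock_acquire(&a, SOCK_LOCK);
    flagged |= lock_acquire(&a, RLOCK_AF_UNIX);
    lock_release(&a, RLOCK_AF_UNIX);
    lock_release(&a, SOCK_LOCK);
    flagged |= lock_acquire(&b, SOCK_LOCK);
    flagged |= lock_acquire(&b, RLOCK_AF_UNIX);
    return !flagged;
}
```

Calling replay_report_inversion() prints one warning, for the second path only, and returns true; replay_consistent_order() prints nothing and returns true. The graph is global and reset by each replay, as a single lockdep instance would be per boot; the check is done before the edge is recorded, so the first path that would close a cycle is the one reported, exactly as the kernel reports the sk_diag_dump_icons path and not the sendmsg path.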
KMSAN: uninit-value in strcmp
Hello,

syzbot found the following crash on:

HEAD commit:    d2d741e5d189 kmsan: add initialization for shmem pages
git tree:       https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=1005149780
kernel config:  https://syzkaller.appspot.com/x/.config?x=48f9de3384bcd0f
dashboard link: https://syzkaller.appspot.com/bug?extid=df0257c92ffd4fcc58cd
compiler:       clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1127565780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17c3d5e780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+df0257c92ffd4fcc5...@syzkaller.appspotmail.com

==================================================================
BUG: KMSAN: uninit-value in strcmp+0xf7/0x160 lib/string.c:329
CPU: 1 PID: 4527 Comm: syz-executor655 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 strcmp+0xf7/0x160 lib/string.c:329
 tipc_nl_node_get_link+0x220/0x6f0 net/tipc/node.c:1881
 genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
 genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445589
RSP: 002b:7fb7ee66cdb8 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 006dac24 RCX: 00445589
RDX: RSI: 20023000 RDI: 0003
RBP: 006dac20 R08: R09:
R10: R11: 0246 R12:
R13: 7fffa2bf3f3f R14: 7fb7ee66d9c0 R15: 0001

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
 netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==================================================================
INFO: rcu detected stall in __schedule
Hello,

syzbot found the following crash on:

HEAD commit:    f2125992e7cb Merge tag 'xfs-4.17-fixes-1' of git://git.kern...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?id=4755940087693312
kernel config:  https://syzkaller.appspot.com/x/.config?id=6493557782959164711
dashboard link: https://syzkaller.appspot.com/bug?extid=f16b3e3512a1e3c1d1f6
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f16b3e3512a1e3c1d...@syzkaller.appspotmail.com

do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app
do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app
ntfs: (device loop6): parse_options(): Unrecognized mount option error�n��uldip.
INFO: rcu_sched self-detected stall on CPU 0-...!: (125000 ticks this GP) idle=f3e/1/4611686018427387906 softirq=112858/112858 fqs=0 (t=125000 jiffies g=61626 c=61625 q=1534)
rcu_sched kthread starved for 125000 jiffies! g61626 c61625 f0x0 RCU_GP_WAIT_FQS(3) ->state=0x402 ->cpu=0
RCU grace-period kthread stack dump:
rcu_sched       I23592     9      2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
NMI backtrace for cpu 0
CPU: 0 PID: 26694 Comm: syz-executor1 Not tainted 4.17.0-rc3+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274
 __run_hrtimer kernel/time/hrtimer.c:1398 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1460
 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:arch_local_irq_enable arch/x86/include/asm/paravirt.h:793 [inline]
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x56/0x70 kernel/locking/spinlock.c:192
RSP: 0018:8801b3dbf438 EFLAGS: 0282 ORIG_RAX: ff13
RAX: dc00 RBX: 8801dae2c680 RCX: 1100361ebd4d
RDX: 111a316f RSI: 8801b0f5ea48 RDI: 88d18b78
RBP: 8801b3dbf440 R08: 8801b0f5e9f8 R09: 0006
R10: 8801b0f5e1c0 R11: R12: 8801b0f5e1c0
R13: 8801b0f5e7a0 R14: dc00 R15: 8801b0f5e1c0
 rq_unlock_irq kernel/sched/sched.h:1824 [inline]
 __schedule+0x144f/0x1e30 kernel/sched/core.c:3493
 schedule+0xef/0x430 kernel/sched/core.c:3549
 do_sched_yield+0x187/0x240 kernel/sched/core.c:4965
 yield+0xa5/0xe0 kernel/sched/core.c:5054
 tasklet_kill+0x4e/0xd0 kernel/softirq.c:559
 ppp_asynctty_close+0x9e/0x150 drivers/net/ppp/ppp_async.c:239
 ppp_asynctty_hangup+0x15/0x20 drivers/net/ppp/ppp_async.c:256
 tty_ldisc_hangup+0x138/0x640 drivers/tty/tty_ldisc.c:730
 __tty_hangup.part.21+0x2da/0x6e0 drivers/tty/tty_io.c:621
 __tty_hangup drivers/tty/tty_io.c:571 [inline]
 tty_vhangup+0x21/0x30 drivers/tty/tty_io.c:694
 pty_close+0x3bd/0x510 drivers/tty/pty.c:78
 tty_release+0x494/0x12e0 drivers/tty/tty_io.c:1656
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f92c3751c68 EFLAGS: 0246 ORIG_RAX: 0003
RAX: 00
Re: KMSAN: uninit-value in _decode_session6
syzbot has found a reproducer for the following crash on:

HEAD commit:    d2d741e5d189 kmsan: add initialization for shmem pages
git tree:       https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?id=6550343064223744
kernel config:  https://syzkaller.appspot.com/x/.config?id=328654897048964367
dashboard link: https://syzkaller.appspot.com/bug?extid=2974b85346f85b586f4d
compiler:       clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?id=5023772637659136
C reproducer:   https://syzkaller.appspot.com/x/repro.c?id=5102535626981376

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2974b85346f85b586...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KMSAN: uninit-value in _decode_session6+0x6d2/0x16e0 net/ipv6/xfrm6_policy.c:151
CPU: 0 PID: 4529 Comm: syz-executor165 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 _decode_session6+0x6d2/0x16e0 net/ipv6/xfrm6_policy.c:151
 __xfrm_decode_session+0x151/0x200 net/xfrm/xfrm_policy.c:2368
 xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
 icmpv6_route_lookup net/ipv6/icmp.c:372 [inline]
 icmp6_send+0x2bf7/0x3730 net/ipv6/icmp.c:551
 icmpv6_send+0xe0/0x110 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x8f/0x580 net/ipv6/route.c:2034
 dst_link_failure include/net/dst.h:426 [inline]
 ip6_tnl_xmit+0x1423/0x3af0 net/ipv6/ip6_tunnel.c:1215
 ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1367 [inline]
 ip6_tnl_start_xmit+0x1cc0/0x1ef0 net/ipv6/ip6_tunnel.c:1390
 __netdev_start_xmit include/linux/netdevice.h:4066 [inline]
 netdev_start_xmit include/linux/netdevice.h:4075 [inline]
 xmit_one net/core/dev.c:3026 [inline]
 dev_hard_start_xmit+0x5f1/0xc70 net/core/dev.c:3042
 __dev_queue_xmit+0x27ee/0x3520 net/core/dev.c:3557
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 neigh_direct_output+0x42/0x50 net/core/neighbour.c:1390
 neigh_output include/net/neighbour.h:482 [inline]
 ip6_finish_output2+0x1d01/0x2130 net/ipv6/ip6_output.c:120
 ip6_finish_output+0xae9/0xba0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x597/0x6c0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:443 [inline]
 ip6_local_out+0x15e/0x1d0 net/ipv6/output_core.c:176
 ip6_send_skb net/ipv6/ip6_output.c:1682 [inline]
 ip6_push_pending_frames+0x218/0x4d0 net/ipv6/ip6_output.c:1702
 rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
 rawv6_sendmsg+0x4235/0x4fb0 net/ipv6/raw.c:935
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 call_write_iter include/linux/fs.h:1782 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
 vfs_write+0x463/0x8d0 fs/read_write.c:544
 SYSC_write+0x172/0x360 fs/read_write.c:589
 SyS_write+0x55/0x80 fs/read_write.c:581
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4418b9
RSP: 002b:7ffece331e68 EFLAGS: 0217 ORIG_RAX: 0001
RAX: ffda RBX: 0003 RCX: 004418b9
RDX: 036b RSI: 2240 RDI: 0004
RBP: 006cd018 R08: R09:
R10: R11: 0217 R12: 004025b0
R13: 00402640 R14: R15:

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 pskb_expand_head+0x21d/0x1a70 net/core/skbuff.c:1458
 __pskb_pull_tail+0x1d7/0x2300 net/core/skbuff.c:1878
 pskb_may_pull include/linux/skbuff.h:2112 [inline]
 ip6_tnl_parse_tlv_enc_lim+0x7f5/0xa90 net/ipv6/ip6_tunnel.c:411
 ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
 ip6_tnl_start_xmit+0x911/0x1ef0 net/ipv6/ip6_tunnel.c:1390
 __netdev_start_xmit include/linux/netdevice.h:4066 [inline]
 netdev_start_xmit include/linux/netdevice.h:4075 [inline]
 xmit_one net/core/dev.c:3026 [inline]
 dev_hard_start_xmit+0x5f1/0xc70 net/core
INFO: rcu detected stall in kfree_skbmem
Hello,

syzbot found the following crash on:

HEAD commit:    5d1365940a68 Merge git://git.kernel.org/pub/scm/linux/kerne...
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?id=5667997129637888
kernel config:  https://syzkaller.appspot.com/x/.config?id=-5947642240294114534
dashboard link: https://syzkaller.appspot.com/bug?extid=fc78715ba3b3257caf6a
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fc78715ba3b3257ca...@syzkaller.appspotmail.com

INFO: rcu_sched self-detected stall on CPU 1-...!: (1 GPs behind) idle=a3e/1/4611686018427387908 softirq=71980/71983 fqs=33 (t=125000 jiffies g=39438 c=39437 q=958)
rcu_sched kthread starved for 124829 jiffies! g39438 c39437 f0x0 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0
RCU grace-period kthread stack dump:
rcu_sched       R  running task    23768     9      2 0x8000
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x801/0x1e30 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
 rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411
NMI backtrace for cpu 1
CPU: 1 PID: 20560 Comm: syz-executor4 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
 rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
 print_cpu_stall kernel/rcu/tree.c:1525 [inline]
 check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
 __rcu_pending kernel/rcu/tree.c:3356 [inline]
 rcu_pending kernel/rcu/tree.c:3401 [inline]
 rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
 update_process_times+0x2d/0x70 kernel/time/timer.c:1636
 tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:173
 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1283
 __run_hrtimer kernel/time/hrtimer.c:1386 [inline]
 __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1448
 hrtimer_interrupt+0x286/0x650 kernel/time/hrtimer.c:1506
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
 smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:862
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:kmem_cache_free+0xb3/0x2d0 mm/slab.c:3757
RSP: 0018:8801db105228 EFLAGS: 0282 ORIG_RAX: ff13
RAX: 0007 RBX: 8800b055c940 RCX: 11003b2345a5
RDX: RSI: 8801d91a2d80 RDI: 0282
RBP: 8801db105248 R08: 8801d91a2cb8 R09: 0002
R10: 8801d91a2480 R11: R12: 8801d9848e40
R13: 0282 R14: 85b7f27c R15:
 kfree_skbmem+0x13c/0x210 net/core/skbuff.c:582
 __kfree_skb net/core/skbuff.c:642 [inline]
 kfree_skb+0x19d/0x560 net/core/skbuff.c:659
 enqueue_to_backlog+0x2fc/0xc90 net/core/dev.c:3968
 netif_rx_internal+0x14d/0xae0 net/core/dev.c:4181
 netif_rx+0xba/0x400 net/core/dev.c:4206
 loopback_xmit+0x283/0x741 drivers/net/loopback.c:91
 __netdev_start_xmit include/linux/netdevice.h:4087 [inline]
 netdev_start_xmit include/linux/netdevice.h:4096 [inline]
 xmit_one net/core/dev.c:3053 [inline]
 dev_hard_start_xmit+0x264/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 neigh_hh_output include/net/neighbour.h:472 [inline]
 neigh_output include/net/neighbour.h:480 [inline]
 ip6_finish_output2+0x134e/0x2810 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip6_xmit+0xf51/0x23f0 net/ipv6/ip6_output.c:277
 sctp_v6_xmit+0x4a5/0x6b0 net/sctp/ipv6.c:225
 sctp_packet_transmit+0x26f6/0x3ba0 net/sctp/output.c:650
 sctp_outq_flush+0x1373/0x4370 net/sctp/outqueue.c:1197
 sctp_outq_uncork+0x6a/0x80 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x596/0x7160 net/sctp/sm_sideeffect.c:1191
 sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kerne
INFO: rcu detected stall in kmem_cache_alloc_node_trace
Hello,

syzbot found the following crash on:

HEAD commit:    17dec0a94915 Merge branch 'userns-linus' of git://git.kerne...
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?id=6093051722203136
kernel config:  https://syzkaller.appspot.com/x/.config?id=-2735707888269579554
dashboard link: https://syzkaller.appspot.com/bug?extid=deec965c578bb9b81613
compiler:       gcc (GCC) 8.0.1 20180301 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+deec965c578bb9b81...@syzkaller.appspotmail.com

sctp: [Deprecated]: syz-executor3 (pid 10218) Use of int in max_burst socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor3 (pid 10218) Use of int in max_burst socket option.
Use struct sctp_assoc_value instead
random: crng init done
INFO: rcu_sched self-detected stall on CPU
0-: (120712 ticks this GP) idle=ac6/1/4611686018427387908 softirq=31693/31693 fqs=31173
(t=125001 jiffies g=17039 c=17038 q=303419)
NMI backtrace for cpu 0
CPU: 0 PID: 10218 Comm: syz-executor3 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b9/0x29f lib/dump_stack.c:53
nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
print_cpu_stall kernel/rcu/tree.c:1525 [inline]
check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
__rcu_pending kernel/rcu/tree.c:3356 [inline]
rcu_pending kernel/rcu/tree.c:3401 [inline]
rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
update_process_times+0x2d/0x70 kernel/time/timer.c:1636
tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:162
tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1170
__run_hrtimer kernel/time/hrtimer.c:1349 [inline]
__hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1411
hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1469
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:862
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:lock_is_held_type+0x18b/0x210 kernel/locking/lockdep.c:3960
RSP: 0018:8801db006400 EFLAGS: 0282 ORIG_RAX: ff12
RAX: dc00 RBX: 0282 RCX:
RDX: 11162e55 RSI: 88b90c60 RDI: 0282
RBP: 8801db006420 R08: ed003b6046c3 R09: ed003b6046c2
R10: ed003b6046c2 R11: 8801db023613 R12: 8801b2f623c0
R13: R14: 88009932bb00 R15:
lock_is_held include/linux/lockdep.h:344 [inline]
rcu_read_lock_sched_held+0x108/0x120 kernel/rcu/update.c:117
trace_kmalloc_node include/trace/events/kmem.h:100 [inline]
kmem_cache_alloc_node_trace+0x34e/0x770 mm/slab.c:3652
__do_kmalloc_node mm/slab.c:3669 [inline]
__kmalloc_node_track_caller+0x33/0x70 mm/slab.c:3684
__kmalloc_reserve.isra.38+0x3a/0xe0 net/core/skbuff.c:137
__alloc_skb+0x14d/0x780 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:987 [inline]
sctp_packet_transmit+0x45e/0x3ba0 net/sctp/output.c:585
sctp_outq_flush+0x1373/0x4370 net/sctp/outqueue.c:1197
sctp_outq_uncork+0x6a/0x80 net/sctp/outqueue.c:776
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
sctp_do_sm+0x596/0x7160 net/sctp/sm_sideeffect.c:1191
sctp_generate_heartbeat_event+0x218/0x450 net/sctp/sm_sideeffect.c:406
call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
expire_timers kernel/time/timer.c:1363 [inline]
__run_timers+0x79e/0xc50 kernel/time/timer.c:1666
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1d1/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:525 [inline]
smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:862
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:console_unlock+0xcdf/0x1100 kernel/printk/printk.c:2403
RSP: 0018:8801946eec00 EFLAGS: 0212 ORIG_RAX: ff12
RAX: 0004 RBX: 0200 RCX: c90002ee8000
RDX: 4461 RSI: 815f3446 RDI: 0212
RBP: 8801946eed68 R08: 8801b2f62c38 R09: 0006
R10: 8801b2f623c0 R11: R12: R13
KASAN: use-after-free Read in perf_trace_rpc_stats_latency
Hello,

syzbot hit the following crash on bpf-next commit
f60ad0a0c441530280a4918eca781a6a94dffa50 (Sun Apr 29 15:45:55 2018 +0000)
Merge branch 'bpf_get_stack'
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=27db1f90e2b972a5f2d3

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6741221342969856
Kernel config: https://syzkaller.appspot.com/x/.config?id=4410550353033654931
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+27db1f90e2b972a5f...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

rpcbind: RPC call returned error 22
rpcbind: RPC call returned error 22
rpcbind: RPC call returned error 22
rpcbind: RPC call returned error 22
==
BUG: KASAN: use-after-free in strlen+0x83/0xa0 lib/string.c:482
Read of size 1 at addr 8801d6f0a1c0 by task syz-executor7/5079

CPU: 1 PID: 5079 Comm: syz-executor7 Not tainted 4.17.0-rc2+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
strlen+0x83/0xa0 lib/string.c:482
trace_event_get_offsets_rpc_stats_latency include/trace/events/sunrpc.h:215 [inline]
perf_trace_rpc_stats_latency+0x318/0x10d0 include/trace/events/sunrpc.h:215
trace_rpc_stats_latency include/trace/events/sunrpc.h:215 [inline]
rpc_count_iostats_metrics+0x594/0x8a0 net/sunrpc/stats.c:182
rpc_count_iostats+0x76/0x90 net/sunrpc/stats.c:195
xprt_release+0xa3b/0x1110 net/sunrpc/xprt.c:1351
rpc_release_resources_task+0x20/0xa0 net/sunrpc/sched.c:1024
rpc_release_task net/sunrpc/sched.c:1068 [inline]
__rpc_execute+0x5e9/0xf50 net/sunrpc/sched.c:833
rpc_execute+0x37f/0x480 net/sunrpc/sched.c:852
rpc_run_task+0x615/0x8c0 net/sunrpc/clnt.c:1053
rpc_call_sync+0x196/0x290 net/sunrpc/clnt.c:1082
rpc_ping+0x155/0x1f0 net/sunrpc/clnt.c:2513
rpc_create_xprt+0x282/0x3f0 net/sunrpc/clnt.c:479
rpc_create+0x52e/0x900 net/sunrpc/clnt.c:587
nfs_create_rpc_client+0x63e/0x850 fs/nfs/client.c:523
nfs_init_client+0x74/0x100 fs/nfs/client.c:634
nfs_get_client+0x1065/0x1500 fs/nfs/client.c:425
nfs_init_server+0x364/0xfb0 fs/nfs/client.c:670
nfs_create_server+0x86/0x5f0 fs/nfs/client.c:953
nfs_try_mount+0x177/0xab0 fs/nfs/super.c:1884
nfs_fs_mount+0x17de/0x2efd fs/nfs/super.c:2695
mount_fs+0xae/0x328 fs/super.c:1267
vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2518 [inline]
do_mount+0x564/0x3070 fs/namespace.c:2848
ksys_mount+0x12d/0x140 fs/namespace.c:3064
__do_sys_mount fs/namespace.c:3078 [inline]
__se_sys_mount fs/namespace.c:3075 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f1e2785bc68 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX: 7f1e2785c6d4 RCX: 00455979
RDX: 20fb5ffc RSI: 20343ff8 RDI: 2091dff8
RBP: 0072bf50 R08: 2000a000 R09:
R10: R11: 0246 R12:
R13: 0440 R14: 006fa6a0 R15: 0001

Allocated by task 5079:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc_track_caller+0x14a/0x760 mm/slab.c:3733
kstrdup+0x39/0x70 mm/util.c:56
xs_format_common_peer_ports+0x130/0x370 net/sunrpc/xprtsock.c:290
xs_format_peer_addresses net/sunrpc/xprtsock.c:303 [inline]
xs_setup_udp+0x5ea/0x880 net/sunrpc/xprtsock.c:3037
xprt_create_transport+0x1d7/0x596 net/sunrpc/xprt.c:1433
rpc_create+0x489/0x900 net/sunrpc/clnt.c:573
nfs_create_rpc_client+0x63e/0x850 fs/nfs/client.c:523
nfs_init_client+0x74/0x100 fs/nfs/client.c:634
nfs_get_client+0x1065/0x1500 fs/nfs/client.c:425
nfs_init_server+0x364/0xfb0 fs/nfs/client.c:670
nfs_create_server+0x86/0x5f0 fs/nfs/client.c:953
nfs_try_mount+0x177/0xab0 fs/nfs/super.c:1884
nfs_fs_mount+0x17de/0x2efd fs/nfs/super.c:2695
mount_fs+0xae/0x328 fs/super.c:1267
vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2518 [inline]
do_mount+0x564/0x3070 fs/namespace.c:2848
ksys_mount+0x12d/0x140 fs/namespace.c:3064
__do_sys_mount fs
INFO: rcu detected stall in skb_free_head
Hello,

syzbot hit the following crash on upstream commit
a27fc14219f2e3c4a46ba9177b04d9b52c875532 (Mon Apr 16 21:07:39 2018 +0000)
Merge branch 'parisc-4.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=cac7c17ec0aca89d3c45

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6517400396627968
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5914490758943236750
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cac7c17ec0aca89d3...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

INFO: rcu_sched self-detected stall on CPU
1-...!: (117917 ticks this GP) idle=036/1/4611686018427387906 softirq=114416/114416 fqs=32
(t=125000 jiffies g=60712 c=60711 q=345938)
rcu_sched kthread starved for 124847 jiffies! g60712 c60711 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0
RCU grace-period kthread stack dump:
rcu_sched R running task 23592 9 2 0x8000
Call Trace:
context_switch kernel/sched/core.c:2848 [inline]
__schedule+0x801/0x1e30 kernel/sched/core.c:3490
schedule+0xef/0x430 kernel/sched/core.c:3549
schedule_timeout+0x138/0x240 kernel/time/timer.c:1801
rcu_gp_kthread+0x6b5/0x1940 kernel/rcu/tree.c:2231
kthread+0x345/0x410 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
NMI backtrace for cpu 1
CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 4.17.0-rc1+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rht_deferred_worker
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_single_cpu_backtrace include/linux/nmi.h:156 [inline]
rcu_dump_cpu_stacks+0x175/0x1c2 kernel/rcu/tree.c:1376
print_cpu_stall kernel/rcu/tree.c:1525 [inline]
check_cpu_stall.isra.61.cold.80+0x36c/0x59a kernel/rcu/tree.c:1593
__rcu_pending kernel/rcu/tree.c:3356 [inline]
rcu_pending kernel/rcu/tree.c:3401 [inline]
rcu_check_callbacks+0x21b/0xad0 kernel/rcu/tree.c:2763
update_process_times+0x2d/0x70 kernel/time/timer.c:1636
tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:173
tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1283
__run_hrtimer kernel/time/hrtimer.c:1386 [inline]
__hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1448
hrtimer_interrupt+0x286/0x650 kernel/time/hrtimer.c:1506
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline]
RIP: 0010:kfree+0x124/0x260 mm/slab.c:3814
RSP: 0018:8801db105450 EFLAGS: 0286 ORIG_RAX: ff13
RAX: 0007 RBX: 88006c118040 RCX: 11003b3059e7
RDX: RSI: 8801d982cf90 RDI: 0286
RBP: 8801db105470 R08: 8801d982ce78 R09: 0002
R10: 8801d982c640 R11: R12: 0286
R13: 8801dac00ac0 R14: 85bd7b69 R15: 88006c0f8180
skb_free_head+0x99/0xc0 net/core/skbuff.c:550
skb_release_data+0x690/0x860 net/core/skbuff.c:570
skb_release_all+0x4a/0x60 net/core/skbuff.c:627
__kfree_skb net/core/skbuff.c:641 [inline]
kfree_skb+0x195/0x560 net/core/skbuff.c:659
enqueue_to_backlog+0x2fc/0xc90 net/core/dev.c:3968
netif_rx_internal+0x14d/0xae0 net/core/dev.c:4181
netif_rx+0xba/0x400 net/core/dev.c:4206
loopback_xmit+0x283/0x741 drivers/net/loopback.c:91
__netdev_start_xmit include/linux/netdevice.h:4087 [inline]
netdev_start_xmit include/linux/netdevice.h:4096 [inline]
xmit_one net/core/dev.c:3053 [inline]
dev_hard_start_xmit+0x264/0xc10 net/core/dev.c:3069
__dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
neigh_hh_output include/net/neighbour.h:472 [inline]
neigh_output include/net/neighbour.h:480 [inline]
ip_finish_output2+0x1046/0x1840 net/ipv4/ip_output.c:229
ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:277 [inline]
ip_output+0x21b/0x850 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:444 [inline]
ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504
sctp_v4_xmit+0x108/0x140 net/sctp/protocol.c:983
sctp_packet_transmit+0x26f6/0x3ba0 net/sctp/output.c:650
sctp_outq_flush+0x1373/0x4370 net/sctp/outqueue.
KMSAN: uninit-value in _decode_session4
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +0000)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=e7fec512bc2eb4ae0781

So far this crash happened 6 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5844177157881856
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6093669123751936
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4545366699540480
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e7fec512bc2eb4ae0...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==
BUG: KMSAN: uninit-value in _decode_session4+0x11d3/0x1ce0 net/ipv4/xfrm4_policy.c:126
CPU: 0 PID: 4502 Comm: syz-executor427 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
_decode_session4+0x11d3/0x1ce0 net/ipv4/xfrm4_policy.c:126
__xfrm_decode_session+0x151/0x200 net/xfrm/xfrm_policy.c:2368
xfrm_decode_session include/net/xfrm.h:1206 [inline]
vti6_tnl_xmit+0x49b/0x2070 net/ipv6/ip6_vti.c:546
__netdev_start_xmit include/linux/netdevice.h:4066 [inline]
netdev_start_xmit include/linux/netdevice.h:4075 [inline]
xmit_one net/core/dev.c:3026 [inline]
dev_hard_start_xmit+0x5f1/0xc70 net/core/dev.c:3042
__dev_queue_xmit+0x27ee/0x3520 net/core/dev.c:3557
dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
packet_snd net/packet/af_packet.c:2944 [inline]
packet_sendmsg+0x7c70/0x8a30 net/packet/af_packet.c:2969
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg net/socket.c:640 [inline]
SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
SyS_sendto+0x8a/0xb0 net/socket.c:1715
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4418f9
RSP: 002b:7ffcea97afc8 EFLAGS: 0216 ORIG_RAX: 002c
RAX: ffda RBX: 0003 RCX: 004418f9
RDX: RSI: 21c0 RDI: 0003
RBP: 006cd018 R08: 2000 R09: 001c
R10: R11: 0216 R12: 004025f0
R13: 00402680 R14: R15:

Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc_node mm/slub.c:2737 [inline]
__kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:984 [inline]
alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
packet_alloc_skb net/packet/af_packet.c:2803 [inline]
packet_snd net/packet/af_packet.c:2894 [inline]
packet_sendmsg+0x6454/0x8a30 net/packet/af_packet.c:2969
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg net/socket.c:640 [inline]
SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
SyS_sendto+0x8a/0xb0 net/socket.c:1715
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation
WARNING: ODEBUG bug in __sk_destruct
Hello,

syzbot hit the following crash on net-next commit
af201bab50a89aa6cf4df952b2c3bf55895c8eee (Fri Apr 27 15:12:10 2018 +0000)
udp: remove stray export symbol
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=92209502e7aab127c75f

So far this crash happened 5 times on net-next.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6049832271609856
Kernel config: https://syzkaller.appspot.com/x/.config?id=4410550353033654931
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+92209502e7aab127c...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

[ cut here ]
ODEBUG: free active (active state 0) object type: work_struct hint: smc_tcp_listen_work+0x0/0xec0 net/smc/af_smc.c:1014
WARNING: CPU: 0 PID: 9815 at lib/debugobjects.c:329 debug_print_object+0x16a/0x210 lib/debugobjects.c:326
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 9815 Comm: syz-executor7 Not tainted 4.17.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
panic+0x22f/0x4de kernel/panic.c:184
__warn.cold.8+0x163/0x1b3 kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
RSP: 0018:88019790ecf0 EFLAGS: 00010082
RAX: 0061 RBX: 0003 RCX: 818433e8
RDX: RSI: 8160f561 RDI: 0001
RBP: 88019790ed30 R08: 8801aced62c0 R09: ed003b5c3eb2
R10: ed003b5c3eb2 R11: 8801dae1f597 R12: 0001
R13: 88d5f700 R14: 87fa3340 R15: 814ccec0
__debug_check_no_obj_freed lib/debugobjects.c:783 [inline]
debug_check_no_obj_freed+0x3a6/0x584 lib/debugobjects.c:815
kmem_cache_free+0x216/0x2d0 mm/slab.c:3755
sk_prot_free net/core/sock.c:1512 [inline]
__sk_destruct+0x6fe/0xa40 net/core/sock.c:1596
sk_destruct+0x78/0x90 net/core/sock.c:1604
__sk_free+0x22e/0x340 net/core/sock.c:1615
sk_free+0x42/0x50 net/core/sock.c:1626
sock_put include/net/sock.h:1664 [inline]
smc_release+0x459/0x610 net/smc/af_smc.c:162
sock_release+0x96/0x1b0 net/socket.c:594
sock_close+0x16/0x20 net/socket.c:1149
__fput+0x34d/0x890 fs/file_table.c:209
fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x1aee/0x2730 kernel/exit.c:865
do_group_exit+0x16f/0x430 kernel/exit.c:968
get_signal+0x886/0x1960 kernel/signal.c:2469
do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f6e1a1b9ce8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0072bec8 RCX: 00455979
RDX: RSI: RDI: 0072bec8
RBP: 0072bec8 R08: R09: 0072bea0
R10: R11: 0246 R12:
R13: 00a3e81f R14: 7f6e1a1ba9c0 R15:

==
WARNING: possible circular locking dependency detected
4.17.0-rc2+ #23 Not tainted
--
syz-executor7/9815 is trying to acquire lock:
(ptrval) ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70 kernel/locking/semaphore.c:136

but task is already holding lock:
(ptrval) (_hash[i].lock){-.-.}, at: __debug_check_no_obj_freed lib/debugobjects.c:774 [inline]
(ptrval) (_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0x159/0x584 lib/debugobjects.c:815

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (_hash[i].lock){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
__debug_object_init+0x11f/0x12c0 lib/debugobjects.c:381
debug_object_init+0x16/0x20 lib/debugobjects.c:429
debug_hrtimer_init kernel/time/hrtimer.c:400 [inline]
debug_init kernel/time/hrtimer.c:448 [inline]
hrtimer_init+0x8f/0x460 kernel/time/hrtime
WARNING: ODEBUG bug in del_timer
Hello,

syzbot hit the following crash on net-next commit
af201bab50a89aa6cf4df952b2c3bf55895c8eee (Fri Apr 27 15:12:10 2018 +0000)
udp: remove stray export symbol
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=03faa2dc16b8b64be396

So far this crash happened 26 times on net-next.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5925539139289088
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4983245594689536
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5476181675606016
Kernel config: https://syzkaller.appspot.com/x/.config?id=4410550353033654931
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+03faa2dc16b8b64be...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
[ cut here ]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: (null)
WARNING: CPU: 1 PID: 4490 at lib/debugobjects.c:329 debug_print_object+0x16a/0x210 lib/debugobjects.c:326
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4490 Comm: syz-executor609 Not tainted 4.17.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
panic+0x22f/0x4de kernel/panic.c:184
__warn.cold.8+0x163/0x1b3 kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
RSP: 0018:8801af1e7880 EFLAGS: 00010086
RAX: 0061 RBX: 0005 RCX: 818433e8
RDX: RSI: 8160f561 RDI: 0001
RBP: 8801af1e78c0 R08: 8801afa62100 R09: ed003b5e3eb2
R10: ed003b5e3eb2 R11: 8801daf1f597 R12: 0001
R13: 88d96cc0 R14: 87fa34e0 R15: 81666d30
debug_object_assert_init+0x309/0x500 lib/debugobjects.c:692
debug_timer_assert_init kernel/time/timer.c:724 [inline]
debug_assert_init kernel/time/timer.c:776 [inline]
del_timer+0x74/0x140 kernel/time/timer.c:1198
try_to_grab_pending+0x439/0x9a0 kernel/workqueue.c:1223
mod_delayed_work_on+0x91/0x250 kernel/workqueue.c:1592
mod_delayed_work include/linux/workqueue.h:541 [inline]
smc_setsockopt+0x33d/0x630 net/smc/af_smc.c:1353
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd09
RSP: 002b:7ffe1f251c58 EFLAGS: 0207 ORIG_RAX: 0036
RAX: ffda RBX: 004002c8 RCX: 0043fd09
RDX: 0001 RSI: 0006 RDI: 0003
RBP: 006ca018 R08: 0004 R09: 004002c8
R10: 2180 R11: 0207 R12: 00401630
R13: 004016c0 R14: R15:
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

---
This bug is generated by a dumb bot. It may contain errors.
Re: WARNING in tcp_enter_loss (2)
syzbot has found reproducer for the following crash on upstream commit
0644f186fc9d77bb5bd198369e59fb28927a3692 (Thu Apr 26 23:36:11 2018 +0000)
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=c5a3099b94cbdd9cd6da

So far this crash happened 2 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5374384306913280
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4821663019433984
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5119802469253120
Kernel config: https://syzkaller.appspot.com/x/.config?id=7043958930931867332
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c5a3099b94cbdd9cd...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

WARNING: CPU: 0 PID: 4456 at net/ipv4/tcp_input.c:1955 tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4456 Comm: syz-executor694 Not tainted 4.17.0-rc2+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
panic+0x22f/0x4de kernel/panic.c:184
__warn.cold.8+0x163/0x1b3 kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
RSP: 0018:8801b66c7560 EFLAGS: 00010293
RAX: 8801b66686c0 RBX: 0001 RCX: 864ac155
RDX: RSI: 864ac5bf RDI: 0004
RBP: 8801b66c75e0 R08: 8801b66686c0 R09:
R10: ed0043fff001 R11: 88021fff8017 R12: 0003
R13: 0002 R14: 8801c8c6dd30 R15: 8801d02e5500
WARNING: CPU: 1 PID: 4450 at net/ipv4/tcp_input.c:1955 tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
tcp_retransmit_timer+0xc34/0x3060 net/ipv4/tcp_timer.c:486
Modules linked in:
CPU: 1 PID: 4450 Comm: syz-executor694 Not tainted 4.17.0-rc2+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_enter_loss+0xe4f/0x1110 net/ipv4/tcp_input.c:1955
RSP: 0018:8801b60b7560 EFLAGS: 00010293
RAX: 8801b662e500 RBX: 0001 RCX: 864ac155
RDX: RSI: 864ac5bf RDI: 0004
RBP: 8801b60b75e0 R08: 8801b662e500 R09:
R10: ed0043fff009 R11: 88021fff8057 R12: 0003
R13: 0002 R14: 8801cc3cf870 R15: 8801cd4f0a80
FS: 015e1880() GS:8801daf0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 2100 CR3: 0001b631c000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
tcp_retransmit_timer+0xc34/0x3060 net/ipv4/tcp_timer.c:486
tcp_release_cb+0x25e/0x2d0 net/ipv4/tcp_output.c:871
release_sock+0x107/0x2b0 net/core/sock.c:2856
do_tcp_setsockopt.isra.38+0x48e/0x2600 net/ipv4/tcp.c:2880
tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2892
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
tcp_release_cb+0x25e/0x2d0 net/ipv4/tcp_output.c:871
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
release_sock+0x107/0x2b0 net/core/sock.c:2856
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
do_tcp_setsockopt.isra.38+0x48e/0x2600 net/ipv4/tcp.c:2880
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441bc9
RSP: 002b:7ffe202bc838 EFLAGS: 0207 ORIG_RAX: 0036
RAX: ffda RBX: 0003 RCX: 00441bc9
RDX: 0016 RSI: 0006 RDI: 0003
RBP: 006cd018 R08: 223b R09: 0010
tcp_setsockopt+0xc1/0xe0 net/ipv4/tcp.c:2892
R10: 2040 R11: 0207 R12: 00402810
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
R13: 004028a0 R14: R15:
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441bc9
RSP
Re: KMSAN: uninit-value in _copy_to_iter (2)
syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +0000)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=87cfa083e727a224754b

So far this crash happened 3 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5122017598636032
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6680049734385664
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5920461749747712
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+87cfa083e727a2247...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==
BUG: KMSAN: uninit-value in copyout lib/iov_iter.c:140 [inline]
BUG: KMSAN: uninit-value in _copy_to_iter+0x46d/0x28f0 lib/iov_iter.c:571
CPU: 1 PID: 4516 Comm: syz-executor879 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157
kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
copyout lib/iov_iter.c:140 [inline]
_copy_to_iter+0x46d/0x28f0 lib/iov_iter.c:571
copy_to_iter include/linux/uio.h:106 [inline]
vhost_chr_read_iter+0x7ac/0xc50 drivers/vhost/vhost.c:1104
vhost_net_chr_read_iter+0xf6/0x130 drivers/vhost/net.c:1365
call_read_iter include/linux/fs.h:1776 [inline]
aio_read+0x5c1/0x6f0 fs/aio.c:1517
io_submit_one fs/aio.c:1633 [inline]
do_io_submit+0x1bb4/0x2f60 fs/aio.c:1698
SYSC_io_submit+0x98/0xb0 fs/aio.c:1723
SyS_io_submit+0x56/0x80 fs/aio.c:1720
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4457b9
RSP: 002b:7ff9343e4da8 EFLAGS: 0293 ORIG_RAX: 00d1
RAX: ffda RBX: 006dac44 RCX: 004457b9
RDX: 21c0 RSI: 0001 RDI: 7ff93439a000
RBP: 006dac40 R08: R09:
R10: R11: 0293 R12: 901aeeff3a98f9ab
R13: 98c94b26f489688e R14: ae1b2dfa3c87200a R15: 0001

Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
__kmalloc+0x23c/0x350 mm/slub.c:3791
kmalloc include/linux/slab.h:517 [inline]
vhost_new_msg drivers/vhost/vhost.c:2340 [inline]
vhost_iotlb_miss drivers/vhost/vhost.c:1124 [inline]
translate_desc+0xbef/0x1120 drivers/vhost/vhost.c:1829
__vhost_get_user_slow drivers/vhost/vhost.c:812 [inline]
__vhost_get_user drivers/vhost/vhost.c:846 [inline]
vhost_update_used_flags+0x469/0x8d0 drivers/vhost/vhost.c:1715
vhost_vq_init_access+0x173/0xa20 drivers/vhost/vhost.c:1763
vhost_net_set_backend drivers/vhost/net.c:1166 [inline]
vhost_net_ioctl+0x22b0/0x3480 drivers/vhost/net.c:1322
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0xaf0/0x2440 fs/ioctl.c:686
SYSC_ioctl+0x1d2/0x260 fs/ioctl.c:701
SyS_ioctl+0x54/0x80 fs/ioctl.c:692
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Bytes 4-7 of 72 are uninitialized
==
KASAN: stack-out-of-bounds Write in compat_copy_entries
Hello,

syzbot hit the following crash on upstream commit
24cac7009cb1b211f1c793ecb6a462c03dc35818 (Tue Apr 24 21:16:40 2018 +)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4e42a04e0bc33cb6c087

So far this crash happened 3 times on upstream.
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4827027970457600
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6212733133389824
Kernel config: https://syzkaller.appspot.com/x/.config?id=7043958930931867332
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
user-space arch: i386

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4e42a04e0bc33cb6c...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
==
BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
BUG: KASAN: stack-out-of-bounds in ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
BUG: KASAN: stack-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
Write of size 33 at addr 8801b0abf888 by task syz-executor0/4504

CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 strlcpy include/linux/string.h:300 [inline]
 compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
 ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
 size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
 compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
 compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
 compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
 compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
 compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
 compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
 inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
 compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
 compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
 __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
 __do_compat_sys_setsockopt net/compat.c:416 [inline]
 __se_compat_sys_setsockopt net/compat.c:413 [inline]
 __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
 do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
 do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
==

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep
general protection fault in smc_set_keepalive
Hello,

syzbot hit the following crash on net-next commit
9c20b9372fbaf6f7d4c05f5f925806a7928f0c73 (Tue Apr 24 03:08:41 2018 +)
net: fib_rules: fix l3mdev netlink attr processing

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=cf9012c597c8379d535c

So far this crash happened 2 times on net-next.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4775309383565312
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4978230683500544
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4770663504019456
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2918904850634584293
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cf9012c597c8379d5...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4455 Comm: syz-executor060 Not tainted 4.17.0-rc1+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_set_keepalive+0x4e/0xd0 net/smc/af_smc.c:59
Call Trace:
 sock_setsockopt+0x14e2/0x1fe0 net/core/sock.c:801
 __sys_setsockopt+0x2df/0x390 net/socket.c:1899
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: smc_set_keepalive+0x4e/0xd0 net/smc/af_smc.c:59 RSP: 8801ced8fa68
---[ end trace a76f9ed0fb111068 ]---

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
KMSAN: uninit-value in _copy_to_iter (2)
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=87cfa083e727a224754b

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6616554548494336
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+87cfa083e727a2247...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in copyout lib/iov_iter.c:140 [inline]
BUG: KMSAN: uninit-value in _copy_to_iter+0x1bb3/0x28f0 lib/iov_iter.c:571
CPU: 0 PID: 7670 Comm: syz-executor7 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copyout lib/iov_iter.c:140 [inline]
 _copy_to_iter+0x1bb3/0x28f0 lib/iov_iter.c:571
 copy_to_iter include/linux/uio.h:106 [inline]
 skb_copy_datagram_iter+0x443/0xf70 net/core/datagram.c:431
 skb_copy_datagram_msg include/linux/skbuff.h:3264 [inline]
 netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1958
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0x1d0/0x230 net/socket.c:810
 ___sys_recvmsg+0x3fb/0x810 net/socket.c:2205
 __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
 SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
 SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:526
 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:477
 __nla_put lib/nlattr.c:569 [inline]
 nla_put+0x276/0x340 lib/nlattr.c:627
 copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
 build_acquire net/xfrm/xfrm_user.c:2850 [inline]
 xfrm_send_acquire+0x1068/0x1690 net/xfrm/xfrm_user.c:2873
 km_query net/xfrm/xfrm_state.c:1953 [inline]
 xfrm_state_find+0x3ad8/0x4f40 net/xfrm/xfrm_state.c:1021
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1393 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:1437 [inline]
 xfrm_resolve_and_create_bundle+0xc31/0x5270 net/xfrm/xfrm_policy.c:1833
 xfrm_lookup+0x606/0x39d0 net/xfrm/xfrm_policy.c:2163
 xfrm_lookup_route+0xfa/0x360 net/xfrm/xfrm_policy.c:2283
 ip6_dst_lookup_flow+0x221/0x270 net/ipv6/ip6_output.c:1099
 ip6_datagram_dst_update+0x93a/0x1470 net/ipv6/datagram.c:91
 __ip6_datagram_connect+0x14f6/0x1a20 net/ipv6/datagram.c:257
 ip6_datagram_connect net/ipv6/datagram.c:280 [inline]
 ip6_datagram_connect_v6_only+0x104/0x180 net/ipv6/datagram.c:292
 inet_dgram_connect+0x2e8/0x4d0 net/ipv4/af_inet.c:542
 SYSC_connect+0x41a/0x510 net/socket.c:1639
 SyS_connect+0x54/0x80 net/socket.c:1620
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Local variable description: upt.i.i@xfrm_send_acquire
Variable was created at:
 xfrm_send_acquire+0x73/0x1690 net/xfrm/xfrm_user.c:2864
 km_query net/xfrm/xfrm_state.c:1953 [inline]
 xfrm_state_find+0x3ad8/0x4f40 net/xfrm/xfrm_state.c:1021

Byte 200 of 207 is uninitialized
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
==
CPU: 1 PID: 7675 Comm: syz-executor3 Not tainted 4.16.0+ #86
KMSAN: uninit-value in ip_vs_lblc_check_expire
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3e9695f147fb529aa9bc

So far this crash happened 3 times on https://github.com/google/kmsan.git/master.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5822255644803072
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3e9695f147fb529aa...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

kernel msg: ebtables bug: please report to author: bad policy
==
BUG: KMSAN: uninit-value in ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315
CPU: 0 PID: 11383 Comm: syz-executor3 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:vprintk_emit+0xcb2/0xff0 kernel/printk/printk.c:1899
 vprintk_default+0x90/0xa0 kernel/printk/printk.c:1955
 vprintk_func+0x517/0x700 kernel/printk/printk_safe.c:379
 printk+0x1b6/0x1f0 kernel/printk/printk.c:1991
 translate_table+0x474/0x5e10 net/bridge/netfilter/ebtables.c:846
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2406
 ipv6_setsockopt+0x30c/0x340 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x110/0x1c0 net/ipv6/udp.c:1422
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164 [inline]
 kmalloc_order_trace+0xb9/0x390 mm/slab_common.c:1175
 kmalloc_large include/linux/slab.h:446 [inline]
 __kmalloc+0x332/0x350 mm/slub.c:3778
 kmalloc include/linux/slab.h:517 [inline]
 ip_vs_lblc_init_svc+0x57/0x310 net/netfilter/ipvs/ip_vs_lblc.c:355
 ip_vs_bind_scheduler+0xa4/0x1e0 net/netfilter/ipvs/ip_vs_sched.c:51
 ip_vs_add_service+0xa91/0x1d70 net/netfilter/ipvs/ip_vs_ctl.c:1265
 do_ip_vs_set_ctl+0x25c8/0x2790 net/netfilter/ipvs
KMSAN: uninit-value in ip_vs_lblcr_check_expire
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3dfdea57819073a04f21

So far this crash happened 2 times on https://github.com/google/kmsan.git/master.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6285034612850688
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3dfdea57819073a04...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479
CPU: 0 PID: 13883 Comm: syz-executor4 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:dump_stack+0x1af/0x1d0 lib/dump_stack.c:58
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x87b/0xab0 lib/fault-inject.c:149
 should_failslab+0x279/0x2a0 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc_node mm/slub.c:2663 [inline]
 slab_alloc mm/slub.c:2745 [inline]
 kmem_cache_alloc+0x136/0xb90 mm/slub.c:2750
 dst_alloc+0x295/0x860 net/core/dst.c:104
 __ip6_dst_alloc net/ipv6/route.c:361 [inline]
 ip6_rt_cache_alloc+0x445/0xd00 net/ipv6/route.c:1061
 ip6_pol_route+0x3f19/0x5da0 net/ipv6/route.c:1751
 ip6_pol_route_output+0xe6/0x110 net/ipv6/route.c:1892
 fib6_rule_lookup+0x494/0x720 net/ipv6/fib6_rules.c:87
 ip6_route_output_flags+0x4fa/0x590 net/ipv6/route.c:1920
 ip6_dst_lookup_tail+0x2fe/0x1a60 net/ipv6/ip6_output.c:992
 ip6_dst_lookup_flow+0xfc/0x270 net/ipv6/ip6_output.c:1093
 rawv6_sendmsg+0x1b05/0x4fb0 net/ipv6/raw.c:908
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164
KMSAN: uninit-value in ebt_stp_mt_check
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=5c06e318fc558cc27823

So far this crash happened 3 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5411555638247424
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6309829995921408
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4546610964987904
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5c06e318fc558cc27...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164
CPU: 0 PID: 4520 Comm: syzkaller565841 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164
 xt_check_match+0x1449/0x1660 net/netfilter/x_tables.c:499
 ebt_check_match net/bridge/netfilter/ebtables.c:374 [inline]
 ebt_check_entry net/bridge/netfilter/ebtables.c:704 [inline]
 translate_table+0x3ffd/0x5e10 net/bridge/netfilter/ebtables.c:945
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 dccp_setsockopt+0x1c3/0x1f0 net/dccp/proto.c:576
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Local variable description: mtpar.i@translate_table
Variable was created at:
 translate_table+0xb9/0x5e10 net/bridge/netfilter/ebtables.c:833
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
==
WARNING: suspicious RCU usage in rt6_check_expired
Hello,

syzbot hit the following crash on net-next commit
0638eb573cde5888c0886c7f35da604e5db209a6 (Sat Apr 21 20:06:14 2018 +)
Merge branch 'ipv6-Another-followup-to-the-fib6_info-change'

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=2422c9e35796659d2273

So far this crash happened 3 times on net-next.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6081013801287680
Kernel config: https://syzkaller.appspot.com/x/.config?id=-8412024688694752032
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2422c9e35796659d2...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

netlink: 'syz-executor4': attribute type 6 has an invalid length.
netlink: 'syz-executor4': attribute type 1 has an invalid length.
netlink: 'syz-executor4': attribute type 6 has an invalid length.
=
WARNING: suspicious RCU usage
4.16.0+ #11 Not tainted
-
net/ipv6/route.c:410 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor7/25958:
 #0: d1963139 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1469 [inline]
 #0: d1963139 (sk_lock-AF_INET6){+.+.}, at: sock_setsockopt+0x19c/0x1fe0 net/core/sock.c:717

stack backtrace:
CPU: 1 PID: 25958 Comm: syz-executor7 Not tainted 4.16.0+ #11
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4592
 rt6_check_expired+0x38b/0x3e0 net/ipv6/route.c:410
 ip6_negative_advice+0x67/0xc0 net/ipv6/route.c:2204
 dst_negative_advice include/net/sock.h:1786 [inline]
 sock_setsockopt+0x138f/0x1fe0 net/core/sock.c:1051
 __sys_setsockopt+0x2df/0x390 net/socket.c:1899
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

netlink: 'syz-executor4': attribute type 4 has an invalid length.
netlink: 'syz-executor4': attribute type 4 has an invalid length.
IPVS: set_ctl: invalid protocol: 59 127.0.0.1:2 lc
IPVS: set_ctl: invalid protocol: 127 224.0.0.1:2 rr
IPVS: sync thread started: state = BACKUP, mcast_ifn = ip6tnl0, syncid = 4, id = 0
IPVS: set_ctl: invalid protocol: 127 224.0.0.1:2 rr
netlink: 72 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 72 bytes leftover after parsing attributes in process `syz-executor2'.
dccp_xmit_packet: Payload too large (65423) for featneg.
IPVS: set_ctl: invalid protocol: 29 1.0.0.0:2 wlc
IPVS: set_ctl: invalid protocol: 29 1.0.0.0:2 wlc
netlink: 32 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 'syz-executor1': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
IPVS: set_ctl: invalid protocol: 108 224.0.0.1:20004 lblc
netlink: 'syz-executor1': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
IPVS: set_ctl: invalid protocol: 108 224.0.0.1:20004 lblc
KMSAN: uninit-value in pppoe_connect
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4f03bdf92fdf9ef5ddab

So far this crash happened 2 times on https://github.com/google/kmsan.git/master.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5233317381144576
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4f03bdf92fdf9ef5d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in pppoe_connect+0xe9a/0x2360 drivers/net/ppp/pppoe.c:662
CPU: 1 PID: 8338 Comm: syz-executor2 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 pppoe_connect+0xe9a/0x2360 drivers/net/ppp/pppoe.c:662
 SYSC_connect+0x41a/0x510 net/socket.c:1639
 SyS_connect+0x54/0x80 net/socket.c:1620
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Local variable description: address@SYSC_connect
Variable was created at:
 SYSC_connect+0x6f/0x510 net/socket.c:1622
 SyS_connect+0x54/0x80 net/socket.c:1620
==
KMSAN: uninit-value in pppol2tp_connect
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=a70ac890b23b1bf29f5c

So far this crash happened 3 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4946656566968320
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5395971013869568
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5936570024591360
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a70ac890b23b1bf29...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in pppol2tp_connect+0x258/0x1c50 net/l2tp/l2tp_ppp.c:622
CPU: 1 PID: 4524 Comm: syzkaller735385 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 pppol2tp_connect+0x258/0x1c50 net/l2tp/l2tp_ppp.c:622
 SYSC_connect+0x41a/0x510 net/socket.c:1639
 SyS_connect+0x54/0x80 net/socket.c:1620
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445559
RSP: 002b:7f0b96f0ddb8 EFLAGS: 0246 ORIG_RAX: 002a
RAX: ffda RBX: 006dac24 RCX: 00445559
RDX: RSI: 2200 RDI: 0003
RBP: 006dac20 R08: R09:
R10: R11: 0246 R12:
R13: 7ffec2b0929f R14: 7f0b96f0e9c0 R15: 0001

Local variable description: address@SYSC_connect
Variable was created at:
 SYSC_connect+0x6f/0x510 net/socket.c:1622
 SyS_connect+0x54/0x80 net/socket.c:1620
==

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
KMSAN: uninit-value in strnlen
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=cd06c321e7147d03a65e

So far this crash happened 5 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5785171018121216
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5117671628603392
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6310764688179200
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cd06c321e7147d03a...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in strnlen+0xc4/0x110 lib/string.c:499
CPU: 1 PID: 4507 Comm: syzkaller579712 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 strnlen+0xc4/0x110 lib/string.c:499
 dev_name_hash net/core/dev.c:209 [inline]
 dev_get_by_name_rcu net/core/dev.c:764 [inline]
 dev_get_by_name+0x6e/0x350 net/core/dev.c:791
 pppoe_connect+0xcb7/0x2360 drivers/net/ppp/pppoe.c:665
 SYSC_connect+0x41a/0x510 net/socket.c:1639
 SyS_connect+0x54/0x80 net/socket.c:1620
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fcf9
RSP: 002b:7ffca4bd4978 EFLAGS: 0213 ORIG_RAX: 002a
RAX: ffda RBX: 004002c8 RCX: 0043fcf9
RDX: 0007 RSI: 2040 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 00401620
R13: 004016b0 R14: R15:

Local variable description: address@SYSC_connect
Variable was created at:
 SYSC_connect+0x6f/0x510 net/socket.c:1622
 SyS_connect+0x54/0x80 net/socket.c:1620
==
KASAN: slab-out-of-bounds Read in __sctp_v6_cmp_addr
Hello,

syzbot hit the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=cd494c1dd681d4d93ebb

So far this crash happened 305 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6684817483628544
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6321732692475904
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5381423422767104
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cd494c1dd681d4d93...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KASAN: slab-out-of-bounds in ipv6_addr_equal include/net/ipv6.h:507 [inline]
BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 net/sctp/ipv6.c:580
Read of size 8 at addr 8801b58626d0 by task syzkaller106428/4452

CPU: 1 PID: 4452 Comm: syzkaller106428 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ipv6_addr_equal include/net/ipv6.h:507 [inline]
 __sctp_v6_cmp_addr+0x4c7/0x530 net/sctp/ipv6.c:580
 sctp_inet6_cmp_addr+0x169/0x1a0 net/sctp/ipv6.c:898
 sctp_bind_addr_conflict+0x28c/0x470 net/sctp/bind_addr.c:368
 sctp_get_port_local+0x9fc/0x1540 net/sctp/socket.c:7515
 sctp_do_bind+0x21c/0x5f0 net/sctp/socket.c:435
 sctp_bindx_add+0x90/0x1a0 net/sctp/socket.c:529
 sctp_setsockopt_bindx+0x2ad/0x320 net/sctp/socket.c:1058
 sctp_setsockopt+0x12c4/0x7000 net/sctp/socket.c:4227
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445839
RSP: 002b:7fbe3f0fdd98 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 00445839
RDX: 0064 RSI: 0084 RDI: 0004
RBP: 006dac20 R08: 0010 R09: a6fe
R10: 205ba000 R11: 0246 R12:
R13: 7ffc1404827f R14: 7fbe3f0fe9c0 R15: 0003

Allocated by task 4452:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3689
 kmalloc_node include/linux/slab.h:554 [inline]
 kvmalloc_node+0x6b/0x100 mm/util.c:421
 kvmalloc include/linux/mm.h:550 [inline]
 vmemdup_user+0x2d/0xa0 mm/util.c:186
 sctp_setsockopt_bindx+0x5d/0x320 net/sctp/socket.c:1022
 sctp_setsockopt+0x12c4/0x7000 net/sctp/socket.c:4227
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2818:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 single_release+0x8f/0xb0 fs/seq_file.c:609
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801b58626c0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 16 bytes inside of
 32-byte region [8801b58626c0, 8801b58626e0)
The buggy address belongs
KASAN: null-ptr-deref Read in refcount_inc_not_zero
Hello,

syzbot hit the following crash on upstream commit
285848b0f4074f04ab606f1e5dca296482033d54 (Sun Apr 22 04:20:48 2018 +)
Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=6a35cd2d9559c909d570

So far this crash happened 1772 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5975533900791808
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4813418829709312
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5008564225572864
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6a35cd2d9559c909d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc_not_zero+0x8f/0x2d0 lib/refcount.c:120
Read of size 4 at addr 0004 by task syzkaller633288/4488

CPU: 0 PID: 4488 Comm: syzkaller633288 Not tainted 4.17.0-rc1+ #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report.cold.7+0x6d/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_inc_not_zero+0x8f/0x2d0 lib/refcount.c:120
 refcount_inc+0x15/0x70 lib/refcount.c:153
 llc_sap_hold include/net/llc.h:116 [inline]
 llc_ui_release+0xba/0x2b0 net/llc/af_llc.c:207
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 __do_sys_exit_group kernel/exit.c:979 [inline]
 __se_sys_exit_group kernel/exit.c:977 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43e878
RSP: 002b:7ffd854075f8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: RCX: 0043e878
RDX: RSI: 003c RDI:
RBP: 004be220 R08: 00e7 R09: ffd0
R10: R11: 0246 R12: 0001
R13: 006cc160 R14: R15:
==
Re: general protection fault in smc_getname
syzbot has found reproducer for the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=9605e6cace1b5efd4a0a

So far this crash happened 6 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4803108223844352
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6277384739225600
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5836548759093248
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9605e6cace1b5efd4...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
 (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4548 Comm: syzkaller769662 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_getname+0x124/0x1c0 net/smc/af_smc.c:1089
RSP: 0018:8801ad1d7c20 EFLAGS: 00010206
RAX: dc00 RBX: RCX: 873e3a58
RDX: 0005 RSI: 873e3af6 RDI: 0028
RBP: 8801ad1d7c48 R08: 8801b10ae280 R09: ed0036321370
R10: ed0036321370 R11: 8801b1909b83 R12:
R13: 8801ad1d7d10 R14: 8801a866e0c0 R15: dc00
FS: 01a42880() GS:8801dae0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 2080 CR3: 0001ac8b3000 CR4: 001406f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __sys_getsockname+0x184/0x380 net/socket.c:1699
 __do_sys_getsockname net/socket.c:1714 [inline]
 __se_sys_getsockname net/socket.c:1711 [inline]
 __x64_sys_getsockname+0x73/0xb0 net/socket.c:1711
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fce9
RSP: 002b:7fff2eba2418 EFLAGS: 0217 ORIG_RAX: 0033
RAX: ffda RBX: 004002c8 RCX: 0043fce9
RDX: 2080 RSI: 2000 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0217 R12: 00401610
R13: 004016a0 R14: R15:
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 99 00 00 00 48 8b 9b 50 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 70 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 28 49
RIP: smc_getname+0x124/0x1c0 net/smc/af_smc.c:1089 RSP: 8801ad1d7c20
---[ end trace 9f5c3169466d9443 ]---
Re: general protection fault in smc_getsockopt
syzbot has found reproducer for the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=28a2c86cf19c81d871fa

So far this crash happened 59 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6375334488309760
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6112997885870080
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5942131738804224
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+28a2c86cf19c81d87...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
 (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4492 Comm: syzkaller771634 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_getsockopt+0x8b/0x120 net/smc/af_smc.c:1298
RSP: 0018:8801d90b7cc0 EFLAGS: 00010206
RAX: dc00 RBX: RCX: 2000
RDX: 0005 RSI: 873e3d16 RDI: 0028
RBP: 8801d90b7cf0 R08: 2040 R09: ed0036a05800
R10: ed0036a05800 R11: 8801b502c003 R12: 8801d90b7d40
R13: R14: 0008 R15: 2000
FS: 02017880() GS:8801dae0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 2040 CR3: 0001ac552000 CR4: 001406f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __sys_getsockopt+0x1a5/0x370 net/socket.c:1940
 __do_sys_getsockopt net/socket.c:1951 [inline]
 __se_sys_getsockopt net/socket.c:1948 [inline]
 __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1948
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fcf9
RSP: 002b:7ffcb16b9c58 EFLAGS: 0217 ORIG_RAX: 0037
RAX: ffda RBX: 004002c8 RCX: 0043fcf9
RDX: 0008 RSI: RDI: 0003
RBP: 006ca018 R08: 2040 R09: 004002c8
R10: 2000 R11: 0217 R12: 00401620
R13: 004016b0 R14: R15:
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 93 00 00 00 48 8b 9b 50 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 62 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 28 49
RIP: smc_getsockopt+0x8b/0x120 net/smc/af_smc.c:1298 RSP: 8801d90b7cc0
---[ end trace 7e67761582d7c7ee ]---
Re: general protection fault in smc_setsockopt
syzbot has found reproducer for the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=9045fc589fcd196ef522

So far this crash happened 124 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6522155797839872
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5566093930266624
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6661555940753408
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9045fc589fcd196ef...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
 (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4520 Comm: syzkaller696326 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_setsockopt+0x8b/0x120 net/smc/af_smc.c:1287
RSP: 0018:8801b433fcc8 EFLAGS: 00010206
RAX: dc00 RBX: RCX: 2000
RDX: 0005 RSI: 873e3bf6 RDI: 0028
RBP: 8801b433fcf8 R08: R09: ed00359a3780
R10: ed00359a3780 R11: 8801acd1bc03 R12: 8801b433fd40
R13: 0021 R14: 000d R15: 2000
FS: 00b01880() GS:8801daf0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 562e1fa410d0 CR3: 0001acf1e000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd19
RSP: 002b:7ffccc4960f8 EFLAGS: 0217 ORIG_RAX: 0036
RAX: ffda RBX: 004002c8 RCX: 0043fd19
RDX: 000d RSI: 0021 RDI: 0004
RBP: 006ca018 R08: R09: 004002c8
R10: 2000 R11: 0217 R12: 00401640
R13: 004016d0 R14: R15:
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 93 00 00 00 48 8b 9b 50 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 62 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 28 49
RIP: smc_setsockopt+0x8b/0x120 net/smc/af_smc.c:1287 RSP: 8801b433fcc8
---[ end trace 3858d0cd9ce5e4d4 ]---
Re: unregister_netdevice: waiting for DEV to become free
syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit
48c6a2b0ab1b752451cdc40b5392471ed1a2a329 (Mon Apr 16 08:42:26 2018 +)
mm/kmsan: fix origin calculation in kmsan_internal_check_memory
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=2dfb68e639f0621b19fb

So far this crash happened 180 times on https://github.com/google/kmsan.git/master, net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4936564132020224
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5817131010621440
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6313498770407424
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2dfb68e639f0621b1...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
unregister_netdevice: waiting for lo to become free. Usage count = 3
KMSAN: uninit-value in __udp4_lib_rcv
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
35ff515e4bda2646f6c881d33951c306ea9c282a (Tue Apr 10 08:59:43 2018 +)
Merge pull request #11 from parkerduckworth/readme
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=493bccc5b8cfe9d5035e

So far this crash happened 11 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4935004320694272
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5133260011077632
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5329144879513600
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+493bccc5b8cfe9d50...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in __udp4_lib_rcv+0x628/0x4740 net/ipv4/udp.c:2066
CPU: 1 PID: 3573 Comm: syzkaller192717 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 __udp4_lib_rcv+0x628/0x4740 net/ipv4/udp.c:2066
 udp_rcv+0x5c/0x70 net/ipv4/udp.c:2287
 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 ip_finish_output2+0x124e/0x1380 net/ipv4/ip_output.c:231
 ip_finish_output+0xcb0/0xff0 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x502/0x5c0 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:443 [inline]
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 ip_send_skb+0x5f3/0x820 net/ipv4/ip_output.c:1414
 ip_push_pending_frames+0x105/0x170 net/ipv4/ip_output.c:1434
 raw_sendmsg+0x2960/0x3ed0 net/ipv4/raw.c:684
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fe99
RSP: 002b:7ffca5bf5be8 EFLAGS: 0217 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 0043fe99
RDX: RSI: 22c0 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0217 R12: 004017c0
R13: 00401850 R14: R15:

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:526
 __msan_memcpy+0x19f/0x1f0 mm/kmsan/kmsan_instr.c:470
 skb_copy_bits+0x63a/0xdb0 net/core/skbuff.c:2046
 __pskb_pull_tail+0x483/0x22e0 net/core/skbuff.c:1883
 pskb_may_pull include/linux/skbuff.h:2112 [inline]
 __udp4_lib_rcv+0x55f/0x4740 net/ipv4/udp.c:2058
 udp_rcv+0x5c/0x70 net/ipv4/udp.c:2287
 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net
KMSAN: uninit-value in dccp_invalid_packet
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=00763607efc31f91b276

So far this crash happened 19 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5163725019414528
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4836676144726016
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4771447134224384
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+00763607efc31f91b...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==
BUG: KMSAN: uninit-value in dccp_invalid_packet+0x3b8/0xf50 net/dccp/ipv4.c:716
CPU: 1 PID: 3572 Comm: syzkaller338124 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 dccp_invalid_packet+0x3b8/0xf50 net/dccp/ipv4.c:716
 dccp_v4_rcv+0xf7/0x2630 net/dccp/ipv4.c:778
 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 ip_finish_output2+0x124e/0x1380 net/ipv4/ip_output.c:231
 ip_finish_output+0xcb0/0xff0 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip_output+0x502/0x5c0 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:443 [inline]
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 ip_send_skb+0x5f3/0x820 net/ipv4/ip_output.c:1414
 ip_push_pending_frames+0x105/0x170 net/ipv4/ip_output.c:1434
 raw_sendmsg+0x2960/0x3ed0 net/ipv4/raw.c:684
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
 SyS_sendto+0x8a/0xb0 net/socket.c:1715
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x441709
RSP: 002b:7de4d688 EFLAGS: 0217 ORIG_RAX: 002c
RAX: ffda RBX: 001b RCX: 00441709
RDX: 0030 RSI: 2140 RDI: 0003
RBP: 004a3318 R08: 2000 R09: 0010
R10: R11: 0217 R12: 7de4d768
R13: 00402490 R14: R15:

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:526
 __msan_memcpy+0x19f/0x1f0 mm/kmsan/kmsan_instr.c:470
 skb_copy_bits+0x63a/0xdb0 net/core/skbuff.c:2046
 __pskb_pull_tail+0x483/0x22e0 net/core/skbuff.c:1883
 pskb_may_pull include/linux/skbuff.h:2112 [inline]
 dccp_invalid_packet+0x352/0xf50 net/dccp/ipv4.c:708
 dccp_v4_rcv+0xf7/0x2630 net/dccp/ipv4.c:778
 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
KASAN: use-after-free Read in llc_conn_tmr_common_cb
Hello,

syzbot hit the following crash on upstream commit
a27fc14219f2e3c4a46ba9177b04d9b52c875532 (Mon Apr 16 21:07:39 2018 +)
Merge branch 'parisc-4.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=f922284c18ea23a8e457

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6056927826018304
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5914490758943236750
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f922284c18ea23a8e...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

binder: 10195:10196 transaction failed 29189/-3, size 0-0 line 2963
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
==
BUG: KASAN: use-after-free in __lock_acquire+0x3888/0x5140 kernel/locking/lockdep.c:3310
Read of size 8 at addr 8801a8c862e0 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.17.0-rc1+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __lock_acquire+0x3888/0x5140 kernel/locking/lockdep.c:3310
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 llc_conn_tmr_common_cb+0x8d/0x9e0 net/llc/llc_c_ac.c:1328
 llc_conn_ack_tmr_cb+0x1e/0x30 net/llc/llc_c_ac.c:1357
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54
RSP: 0018:88a07bc0 EFLAGS: 0282 ORIG_RAX: ff13
RAX: dc00 RBX: 11140f7b RCX:
RDX: 11163130 RSI: 0001 RDI: 88b18980
RBP: 88a07bc0 R08: ed003b6046c3 R09:
R10: R11: R12:
R13: 88a07c78 R14: 89591560 R15:
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 default_idle+0xc2/0x440 arch/x86/kernel/process.c:354
 arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:345
 default_idle_call+0x6d/0x90 kernel/sched/idle.c:93
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x395/0x560 kernel/sched/idle.c:262
 cpu_startup_entry+0x104/0x120 kernel/sched/idle.c:368
 rest_init+0xe1/0xe4 init/main.c:441
 start_kernel+0x906/0x92d init/main.c:737
 x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:445
 x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:426
 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242

Allocated by task 10136:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:517 [inline]
 sk_prot_alloc+0x1ae/0x2e0 net/core/sock.c:1474
 sk_alloc+0x104/0x17b0 net/core/sock.c:1528
 llc_sk_alloc+0x35/0x4b0 net/llc/llc_conn.c:949
 llc_ui_create+0xf3/0x3e0 net/llc/af_llc.c:173
 __sock_create+0x526/0x920 net/socket.c:1285
 sock_create net/socket.c:1325 [inline]
 __sys_socket+0x100/0x250 net/socket.c:1355
 __do_sys_socket net/socket.c:1364 [inline]
 __se_sys_socket net/socket.c:1362 [inline]
 __x64_sys_socket+0x73/0xb0 net/socket.c:1362
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10215:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 sk_prot_free net/core/sock.c:1511 [inline]
 __sk_destruct+0x772
WARNING: suspicious RCU usage in fib6_info_alloc
Hello,

syzbot hit the following crash on net-next commit
0565de29cbd65b378147d36f9642f93a046240dc (Wed Apr 18 03:41:18 2018 +)
Merge branch 'ipv6-Separate-data-structures-for-FIB-and-data-path'
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=2add39b05179b31f912f

So far this crash happened 2 times on net-next.
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4660613020123136
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5742127124316160
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5947642240294114534
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2add39b05179b31f9...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
=
WARNING: suspicious RCU usage
4.16.0+ #5 Not tainted
-
kernel/sched/core.c:6153 Illegal context switch in RCU-bh read-side critical section!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
4 locks held by kworker/1:1/25:
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 7d88bc46 ((work_completion)(&(>dad_work)->work)){+.+.}, at: process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: 943eaf98 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
 #3: a39c89a4 (rcu_read_lock_bh){}, at: ipv6_ifa_notify+0x0/0x210 net/ipv6/addrconf.c:5621

stack backtrace:
CPU: 1 PID: 25 Comm: kworker/1:1 Not tainted 4.16.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4592
 ___might_sleep+0x2e7/0x320 kernel/sched/core.c:6153
 __might_sleep+0x95/0x190 kernel/sched/core.c:6141
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3378 [inline]
 kmem_cache_alloc_trace+0x2bc/0x780 mm/slab.c:3618
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 fib6_info_alloc+0xbb/0x280 net/ipv6/ip6_fib.c:152
 ip6_route_info_create+0x7bf/0x3240 net/ipv6/route.c:2891
 ip6_route_add+0x23/0xb0 net/ipv6/route.c:3030
 addrconf_prefix_route.isra.47+0x4f7/0x6f0 net/ipv6/addrconf.c:2347
 __ipv6_ifa_notify+0x591/0xa00 net/ipv6/addrconf.c:5620
 ipv6_ifa_notify+0xff/0x210 net/ipv6/addrconf.c:5650
 addrconf_dad_completed+0xeb/0xbf0 net/ipv6/addrconf.c:4083
 addrconf_dad_begin net/ipv6/addrconf.c:3889 [inline]
 addrconf_dad_work+0x873/0x1300 net/ipv6/addrconf.c:3991
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411
BUG: sleeping function called from invalid context at mm/slab.h:421
in_atomic(): 1, irqs_disabled(): 0, pid: 25, name: kworker/1:1
4 locks held by kworker/1:1/25:
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: df858653 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: df858
general protection fault in encode_rpcb_string
Hello,

syzbot hit the following crash on bpf-next commit
5d1365940a68dd57b031b6e3c07d7d451cd69daf (Thu Apr 12 18:09:05 2018 +)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4b98281f2401ab849f4b

So far this crash happened 2 times on bpf-next.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6433835633868800
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6407311794896896
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5861511176126464
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5947642240294114534
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4b98281f2401ab849...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

RBP: 006dbc50 R08: 2000a000 R09: 3437
R10: R11: 0246 R12: 7fe464ffed80
R13: 0030656c69662f2e R14: R15: 0006
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 1861 Comm: kworker/u4:4 Not tainted 4.16.0+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: rpciod rpc_async_schedule
RIP: 0010:strlen+0x1f/0xa0 lib/string.c:479
RSP: 0018:8801cf75f318 EFLAGS: 00010296
RAX: dc00 RBX: 8801cf68f200 RCX: 86a8c407
RDX: RSI: 86a84d7b RDI:
RBP: 8801cf75f330 R08: 8801cf7de080 R09: ed0039ea3d43
R10: ed0039ea3d43 R11: 8801cf51ea1f R12:
R13: 0200 R14: R15: 8801cf75f3e0
FS: () GS:8801db00() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7f64808a4000 CR3: 0001b566a000 CR4: 001406f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 strlen include/linux/string.h:267 [inline]
 encode_rpcb_string+0x23/0x70 net/sunrpc/rpcb_clnt.c:914
 rpcb_enc_getaddr+0x146/0x1f0 net/sunrpc/rpcb_clnt.c:940
 rpcauth_wrap_req_encode net/sunrpc/auth.c:777 [inline]
 rpcauth_wrap_req+0x1a8/0x230 net/sunrpc/auth.c:791
 rpc_xdr_encode net/sunrpc/clnt.c:1754 [inline]
 call_transmit+0x8a9/0xfe0 net/sunrpc/clnt.c:1949
 __rpc_execute+0x28a/0xfe0 net/sunrpc/sched.c:784
 rpc_async_schedule+0x16/0x20 net/sunrpc/sched.c:857
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411
Code: 37 ff ff ff 0f 1f 84 00 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 fa 48 c1 ea 03 48 89 e5 41 54 49 89 fc 53 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 4d 41 80 3c
RIP: strlen+0x1f/0xa0 lib/string.c:479 RSP: 8801cf75f318
---[ end trace bd76ed0378a56845 ]---

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
KASAN: use-after-free Read in llc_conn_ac_send_sabme_cmd_p_set_x
Hello,

syzbot hit the following crash on upstream commit
18b7fd1c93e5204355ddbf2608a097d64df81b88 (Sat Apr 14 15:50:50 2018 +)
Merge branch 'akpm' (patches from Andrew)
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=6e181fc95081c2cf9051

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5257422885093376
Kernel config: https://syzkaller.appspot.com/x/.config?id=-8852471259444315113
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6e181fc95081c2cf9...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

XFS (loop1): Invalid superblock magic number
==
BUG: KASAN: use-after-free in llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
Read of size 1 at addr 88018be1a290 by task syz-executor7/13726

CPU: 0 PID: 13726 Comm: syz-executor7 Not tainted 4.16.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
 llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
 llc_conn_service net/llc/llc_conn.c:400 [inline]
 llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
 llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455319
RSP: 002b:7ffc740e5db8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: 00c4 RCX: 00455319
RDX: 000274e8 RSI: 00730500 RDI:
RBP: 0013 R08: R09:
R10: R11: 0246 R12: 0013
R13: R14: R15: 1380

Allocated by task 13728:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 llc_sap_alloc net/llc/llc_core.c:35 [inline]
 llc_sap_open+0x193/0x4d0 net/llc/llc_core.c:102
 llc_ui_bind+0xb8c/0xef0 net/llc/af_llc.c:354
 __sys_bind+0x331/0x440 net/socket.c:1484
 SYSC_bind net/socket.c:1495 [inline]
 SyS_bind+0x24/0x30 net/socket.c:1493
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 13726:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 llc_sap_close+0x1d8/0x2d0 net/llc/llc_core.c:132
 llc_sap_put include/net/llc.h:124 [inline]
 llc_sap_remove_socket+0x460/0x5b0 net/llc/llc_conn.c:760
 llc_ui_release+0x1de/0x220 net/llc/af_llc.c:203
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at 88018be1a280
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 16 bytes inside of
 2048-byte region [88018be1a280, 88018be1aa80)
The buggy address belongs to the page:
page:ea00062f8680 count:1 mapcount:0
KASAN: use-after-free Read in tipc_nametbl_stop
Hello,

syzbot hit the following crash on net-next commit
5d1365940a68dd57b031b6e3c07d7d451cd69daf (Thu Apr 12 18:09:05 2018 +)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=d64b64afc55660106556

So far this crash happened 5 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6319968803094528
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6099825221173248
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4953018151731200
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5947642240294114534
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d64b64afc55660106...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

Failed to remove local publication {0,0,0}/20641
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==
BUG: KASAN: use-after-free in tipc_service_delete net/tipc/name_table.c:751 [inline]
BUG: KASAN: use-after-free in tipc_nametbl_stop+0x94e/0xd70 net/tipc/name_table.c:780
Read of size 8 at addr 8801c4c25130 by task kworker/u4:2/30

CPU: 0 PID: 30 Comm: kworker/u4:2 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 tipc_service_delete net/tipc/name_table.c:751 [inline]
 tipc_nametbl_stop+0x94e/0xd70 net/tipc/name_table.c:780
 tipc_exit_net+0x2d/0x40 net/tipc/core.c:103
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411

Allocated by task 4535:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 tipc_service_create_range net/tipc/name_table.c:183 [inline]
 tipc_service_insert_publ net/tipc/name_table.c:207 [inline]
 tipc_nametbl_insert_publ+0x569/0x1910 net/tipc/name_table.c:371
 tipc_nametbl_publish+0x6c3/0xba0 net/tipc/name_table.c:618
 tipc_sk_publish+0x22a/0x510 net/tipc/socket.c:2604
 tipc_bind+0x206/0x330 net/tipc/socket.c:647
 __sys_bind+0x331/0x440 net/socket.c:1484
 SYSC_bind net/socket.c:1495 [inline]
 SyS_bind+0x24/0x30 net/socket.c:1493
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 30:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 tipc_service_remove_publ.isra.8+0x909/0xc30 net/tipc/name_table.c:283
 tipc_service_delete net/tipc/name_table.c:753 [inline]
 tipc_nametbl_stop+0x746/0xd70 net/tipc/name_table.c:780
 tipc_exit_net+0x2d/0x40 net/tipc/core.c:103
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411

The buggy address belongs to the object at 8801c4c25100
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 48 bytes inside of
 64-byte region [8801c4c25100, 8801c4c25140)
The buggy address belongs to the page:
page:ea0007130940 count:1 mapcount:0 mapping:8801c4c25000 index:0x0
flags: 0x2fffc000100(slab)
raw: 02fffc000100 8801c4c25000 00010020
raw: ea0006ccf860 ea00070840a0 8801dac00340
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801c4c25000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 8801c4c25080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 8801c4c25100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
Re: INFO: task hung in do_ip_vs_set_ctl (2)
syzbot has found reproducer for the following crash on net-next commit
17dec0a949153d9ac00760ba2f5b78cb583e995f (Wed Apr 4 02:15:32 2018 +)
Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=7810ed2e0cb359580c17

So far this crash happened 2 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5922062967242752
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5359824032235520
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6352399027404800
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2735707888269579554
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7810ed2e0cb359580...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

INFO: task syzkaller402106:4498 blocked for more than 120 seconds.
      Not tainted 4.16.0+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syzkaller402106 D22184  4498   4494 0x
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x807/0x1e40 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_preempt_disabled+0x10/0x20 kernel/sched/core.c:3607
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0xe38/0x17f0 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 do_ip_vs_set_ctl+0x339/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2393
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:2888
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 smc_setsockopt+0xc7/0x120 net/smc/af_smc.c:1289
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x445959
RSP: 002b:7f2770618db8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 00445959
RDX: 048c RSI: RDI: 0003
RBP: 006dac20 R08: 0018 R09:
R10: 2140 R11: 0246 R12:
R13: 7ffd81ae8f6f R14: 7f27706199c0 R15: 0001

Showing all locks held in the system:
3 locks held by kworker/0:0/4:
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 894403a3 ((addr_chk_work).work){+.+.}, at: process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: ddc85278 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
2 locks held by khungtaskd/877:
 #0: 706bfe1c (rcu_read_lock){}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 706bfe1c (rcu_read_lock){}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
 #1: 761e40d2 (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470
2 locks held by getty/4464:
 #0: f90a9320 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 5dd151b8 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4465:
 #0: 737b5b26 (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 17bb1ae5 (>atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4466:
 #0: badd071e (>ldisc_sem){}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: a46de9fa (>atomic_read_lock){+.+.}, at: n_tt
Re: KMSAN: uninit-value in __netif_receive_skb_core
syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit
35ff515e4bda2646f6c881d33951c306ea9c282a (Tue Apr 10 08:59:43 2018 +)
Merge pull request #11 from parkerduckworth/readme
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b202b7208664142954fa

So far this crash happened 3 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=455991623680
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4590273065648128
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4631921027973120
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b202b720866414295...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==
BUG: KMSAN: uninit-value in __read_once_size include/linux/compiler.h:197 [inline]
BUG: KMSAN: uninit-value in deliver_ptype_list_skb net/core/dev.c:1908 [inline]
BUG: KMSAN: uninit-value in __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545
CPU: 0 PID: 3514 Comm: syzkaller031167 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 __read_once_size include/linux/compiler.h:197 [inline]
 deliver_ptype_list_skb net/core/dev.c:1908 [inline]
 __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 __dev_queue_xmit+0x2a31/0x2b60 net/core/dev.c:3584
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43ffb9
RSP: 002b:7ffd42187708 EFLAGS: 0217 ORIG_RAX: 0014
RAX: ffda RBX: 004002c8 RCX: 0043ffb9
RDX: 0001 RSI: 200010c0 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0217 R12: 004018e0
R13: 00401970 R14: R15:

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
 skb_vlan_untag+0x950/0xee0 include/linux/if_vlan.h:597
 __netif_receive_skb_core+0x70a/0x4a80 net/core/dev.c:4460
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net
KMSAN: uninit-value in __netif_receive_skb_core
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b202b7208664142954fa

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=535651643762
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b202b720866414295...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in __read_once_size include/linux/compiler.h:197 [inline]
BUG: KMSAN: uninit-value in deliver_ptype_list_skb net/core/dev.c:1908 [inline]
BUG: KMSAN: uninit-value in __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545
CPU: 0 PID: 5999 Comm: syz-executor3 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 __read_once_size include/linux/compiler.h:197 [inline]
 deliver_ptype_list_skb net/core/dev.c:1908 [inline]
 __netif_receive_skb_core+0x4630/0x4a80 net/core/dev.c:4545
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 __dev_queue_xmit+0x2a31/0x2b60 net/core/dev.c:3584
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455259
RSP: 002b:7fb53ede8c68 EFLAGS: 0246 ORIG_RAX: 0014
RAX: ffda RBX: 7fb53ede96d4 RCX: 00455259
RDX: 0001 RSI: 200010c0 RDI: 0013
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12:
R13: 06cd R14: 006fd3d8 R15:

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
 skb_vlan_untag+0x950/0xee0 include/linux/if_vlan.h:597
 __netif_receive_skb_core+0x70a/0x4a80 net/core/dev.c:4460
 __netif_receive_skb net/core/dev.c:4627 [inline]
 process_backlog+0x62d/0xe20 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771
 __do_softirq+0x56d/0x93d kernel/softirq.c:285

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d
KMSAN: uninit-value in netif_skb_features
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=0bbe42c764feafa82c5a

So far this crash happened 30 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4850744041668608
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6289386287136768
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4577411249209344
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0bbe42c764feafa82...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline]
BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline]
BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline]
BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 eth_type_vlan include/linux/if_vlan.h:283 [inline]
 skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
 vlan_features_check include/linux/if_vlan.h:672 [inline]
 dflt_features_check net/core/dev.c:2949 [inline]
 netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
 validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084
 __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43ffa9
RSP: 002b:7fff2cff3948 EFLAGS: 0217 ORIG_RAX: 0014
RAX: ffda RBX: 004002c8 RCX: 0043ffa9
RDX: 0001 RSI: 2080 RDI: 0003
RBP: 006cb018 R08: R09:
R10: R11: 0217 R12: 004018d0
R13: 00401960 R14: R15:

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 sock_write_iter+0x3b9/0x470 net/socket.c:909
 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
 do_iter_write+0x30d/0xd40 fs/read_write.c:932
 vfs_writev fs/read_write.c:977 [inline]
 do_writev+0x3c9/0x830 fs/read_write.c:1012
 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
 SyS_writev+0x56/0x80 fs/read_write.c:1082
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix
BUG: corrupted list in team_nl_cmd_options_set
Hello,

syzbot hit the following crash on upstream commit
b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4d4af685432dc0e56c91

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6161158629228544
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5600380654190592
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4627738266697728
Kernel config: https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4d4af685432dc0e56...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

8021q: adding VLAN 0 to HW filter on device team0
netlink: 'syzkaller556835': attribute type 3 has an invalid length.
netlink: 'syzkaller556835': attribute type 3 has an invalid length.
list_add double add: new=04f859c0, prev=c9745291, next=04f859c0.
[ cut here ]
kernel BUG at lib/list_debug.c:31!
invalid opcode: [#1] SMP KASAN
Dumping ftrace buffer:
 (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
RSP: 0018:8801b04bf248 EFLAGS: 00010286
RAX: 0058 RBX: 8801c8fc7a90 RCX:
RDX: 0058 RSI: 815fbf41 RDI: ed0036097e3f
RBP: 8801b04bf260 R08: 8801b0b2a700 R09: ed003b604f90
R10: ed003b604f90 R11: 8801db027c87 R12: 8801c8fc7a90
R13: 8801c8fc7a90 R14: dc00 R15:
FS: 00b98880() GS:8801db00() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 0043fc30 CR3: 0001afe8e000 CR4: 001406f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __list_add include/linux/list.h:60 [inline]
 list_add include/linux/list.h:79 [inline]
 team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
 genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
 genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 SYSC_sendmsg net/socket.c:2164 [inline]
 SyS_sendmsg+0x29/0x30 net/socket.c:2162
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4458b9
RSP: 002b:7ffd1d4a7278 EFLAGS: 0213 ORIG_RAX: 002e
RAX: ffda RBX: 001b RCX: 004458b9
RDX: 0010 RSI: 2d00 RDI: 0004
RBP: 004a74ed R08: R09:
R10: R11: 0213 R12: 7ffd1d4a7348
R13: 00402a60 R14: R15:
Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48 89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f 40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41
RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: 8801b04bf248
---[ end trace b4f71d7dd7ca6d10 ]---
WARNING: kobject bug in br_add_if
Hello,

syzbot hit the following crash on upstream commit
10b84daddbec72c6b440216a69de9a9605127f7a (Sat Mar 31 17:59:00 2018 +)
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=de73361ee4971b6e6f75

So far this crash happened 4 times on net-next, upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5007286875455488
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2760467897697295172
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+de73361ee4971b6e6...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

R13: 0369 R14: 006f7278 R15: 0006
[ cut here ]
binder: 23650:23651 unknown command 1078223622
kobject_add_internal failed for brport (error: -12 parent: bond0)
binder: 23650:23651 ioctl c0306201 2000dfd0 returned -22
WARNING: CPU: 1 PID: 23647 at lib/kobject.c:242 kobject_add_internal+0x3f6/0xbc0 lib/kobject.c:240
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 23647 Comm: syz-executor7 Not tainted 4.16.0-rc7+ #374
binder: BINDER_SET_CONTEXT_MGR already set
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:kobject_add_internal+0x3f6/0xbc0 lib/kobject.c:240
RSP: 0018:8801d089f560 EFLAGS: 00010286
RAX: dc08 RBX: 8801adbee178 RCX: 815b193e
RDX: 0004 RSI: c900022aa000 RDI: 11003a113e31
RBP: 8801d089f658 R08: 11003a113df3 R09:
R10: R11: R12: 11003a113eb2
R13: fff4 R14: 8801abd88828 R15: 8801d75a1e00
 kobject_add_varg lib/kobject.c:364 [inline]
 kobject_init_and_add+0xf9/0x150 lib/kobject.c:436
 br_add_if+0x79a/0x1a70 net/bridge/br_if.c:533
 add_del_if+0xf4/0x140 net/bridge/br_ioctl.c:101
 br_dev_ioctl+0xa2/0xc0 net/bridge/br_ioctl.c:396
 dev_ifsioc+0x333/0x9b0 net/core/dev_ioctl.c:334
 dev_ioctl+0x176/0xbe0 net/core/dev_ioctl.c:500
 sock_do_ioctl+0x1ba/0x390 net/socket.c:981
 sock_ioctl+0x367/0x670 net/socket.c:1081
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454e79
RSP: 002b:7eff7dab7c68 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7eff7dab86d4 RCX: 00454e79
RDX: 2000 RSI: 89a2 RDI: 0014
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0015
R13: 0369 R14: 006f7278 R15: 0006
Dumping ftrace buffer:
 (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
KASAN: use-after-free Read in tipc_sub_unsubscribe (2)
Hello,

syzbot hit the following crash on upstream commit
b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=aa245f26d42b8305d157

So far this crash happened 2 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5881855630901248
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5979790213382144
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5808961445953536
Kernel config: https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aa245f26d42b8305d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

R10: 20b89fe4 R11: 0246 R12: 0005
R13: R14: R15:
Service creation failed, no memory
Failed to subscribe for {1906,0,4294967295}
==
BUG: KASAN: use-after-free in tipc_sub_unsubscribe+0x22d/0x305 net/tipc/subscr.c:167
Read of size 4 at addr 8801b78718d8 by task syzkaller446011/4466

CPU: 1 PID: 4466 Comm: syzkaller446011 Not tainted 4.16.0+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 tipc_sub_unsubscribe+0x22d/0x305 net/tipc/subscr.c:167
 tipc_conn_delete_sub+0x32d/0x530 net/tipc/topsrv.c:245
 tipc_topsrv_kern_unsubscr+0x280/0x3f0 net/tipc/topsrv.c:598
 tipc_group_delete+0x2dd/0x3f0 net/tipc/group.c:231
 tipc_sk_leave+0x10e/0x210 net/tipc/socket.c:2800
 tipc_release+0x146/0x1290 net/tipc/socket.c:576
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43f1f8
RSP: 002b:7fff7867bac8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: RCX: 0043f1f8
RDX: RSI: 003c RDI:
RBP: 004bf2e8 R08: 00e7 R09: ffd0
R10: 20b89fe4 R11: 0246 R12: 0001
R13: 006d1180 R14: R15:

Allocated by task 4466:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 tipc_sub_subscribe+0x25a/0x6b0 net/tipc/subscr.c:143
 tipc_conn_rcv_sub.isra.5+0x42c/0x7e0 net/tipc/topsrv.c:381
 tipc_topsrv_kern_subscr+0x72b/0xad0 net/tipc/topsrv.c:582
 tipc_group_create+0x72e/0xa50 net/tipc/group.c:194
 tipc_sk_join net/tipc/socket.c:2766 [inline]
 tipc_setsockopt+0x2c9/0xd70 net/tipc/socket.c:2881
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 4466:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 tipc_sub_kref_release net/tipc/subscr.c:117 [inline]
 kref_put include/linux/kref.h:70 [inline]
 tipc_sub_put+0x33/0x40 net/tipc/subscr.c:122
 tipc_nametbl_unsubscribe+0x52c/0xaf0 net/tipc/name_table.c:709
 tipc_sub_unsubscribe+0x6d/0x305 net/tipc/subscr.c:166
 tipc_conn_delete_sub+0x32d/0x530 net/tipc/topsrv.c:245
 tipc_topsrv_kern_unsubscr+0x280/0x3f0 net/tipc/topsrv.c:598
 tipc_group_delete+0x2dd/0x3f0 net/tipc/group.c:231
 tipc_sk_leave+0x10e/0x210 net/tipc/socket.c:2800
 tipc_release+0x146/0x1290 net/tipc/socket.c:576
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290
WARNING: possible recursive locking detected
Hello,

syzbot hit the following crash on upstream commit
b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3c43eecd7745a5ce1640

So far this crash happened 3 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5103706542440448
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5641659786199040
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5099510896263168
Kernel config: https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3c43eecd7745a5ce1...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

IPVS: sync thread started: state = BACKUP, mcast_ifn = lo, syncid = 0, id = 0
IPVS: stopping backup sync thread 4546 ...
IPVS: stopping backup sync thread 4559 ...

WARNING: possible recursive locking detected
4.16.0+ #19 Not tainted
syzkaller046099/4543 is trying to acquire lock:
8d06d497 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

but task is already holding lock:
IPVS: stopping backup sync thread 4557 ...
8d06d497 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       lock(rtnl_mutex);
       lock(rtnl_mutex);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by syzkaller046099/4543:
 #0: 8d06d497 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
 #1: 8326bc5c (ipvs->sync_mutex){+.+.}, at: do_ip_vs_set_ctl+0x562/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2388

stack backtrace:
CPU: 1 PID: 4543 Comm: syzkaller046099 Not tainted 4.16.0+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
 check_deadlock kernel/locking/lockdep.c:1805 [inline]
 validate_chain kernel/locking/lockdep.c:2401 [inline]
 __lock_acquire.cold.62+0x18c/0x55b kernel/locking/lockdep.c:3431
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0x16d/0x17f0 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
 ip_mc_drop_socket+0x8f/0x270 net/ipv4/igmp.c:2643
 inet_release+0x4e/0x1f0 net/ipv4/af_inet.c:413
 sock_release+0x96/0x1b0 net/socket.c:594
 start_sync_thread+0xdc3/0x2d40 net/netfilter/ipvs/ip_vs_sync.c:1924
 do_ip_vs_set_ctl+0x59c/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2389
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2413
 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x62/0xa0 net/ipv6/udp.c:1424
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447c19
RSP: 002b:7fb627a93db8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 00700024 RCX: 00447c19
RDX: 048b RSI: RDI: 0004
RBP: 00700020 R08: 0018 R09:
R10: 2100 R11: 0246 R12:
R13: 0080fe4f R14: 7fb627a949c0 R15: 2710
Re: KMSAN: uninit-value in tipc_subscrb_rcv_cb
syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit
35ff515e4bda2646f6c881d33951c306ea9c282a (Tue Apr 10 08:59:43 2018 +)
Merge pull request #11 from parkerduckworth/readme

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=75e6e042c5bbf691fc82

So far this crash happened 3 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6676653019234304
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5693411524870144
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5043527943716864
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+75e6e042c5bbf691f...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==
BUG: KMSAN: uninit-value in htohl net/tipc/subscr.c:66 [inline]
BUG: KMSAN: uninit-value in tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339
CPU: 0 PID: 19 Comm: kworker/u4:1 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tipc_rcv tipc_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 htohl net/tipc/subscr.c:66 [inline]
 tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339
 tipc_receive_from_sock+0x64c/0x800 net/tipc/server.c:271
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
 tipc_receive_from_sock+0x15c/0x800 net/tipc/server.c:253
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406
==
WARNING in ip_rt_bug
Hello,

syzbot hit the following crash on net-next commit
8bde261e535257e81087d39ff808414e2f5aa39d (Sun Apr 1 02:31:43 2018 +)
Merge tag 'mlx5-updates-2018-03-30' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux

syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b09ac67a2af842b12eab

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5991727739437056
Kernel config: https://syzkaller.appspot.com/x/.config?id=3327544840960562528
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b09ac67a2af842b12...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

netlink: 'syz-executor6': attribute type 3 has an invalid length.
WARNING: CPU: 0 PID: 11678 at net/ipv4/route.c:1213 ip_rt_bug+0x15/0x20 net/ipv4/route.c:1212
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 11678 Comm: kworker/u4:7 Not tainted 4.16.0-rc6+ #289
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:ip_rt_bug+0x15/0x20 net/ipv4/route.c:1212
RSP: 0018:8801db007290 EFLAGS: 00010282
RAX: dc00 RBX: 8801d8dda3c0 RCX: 856c31ca
RDX: 0100 RSI: 8858c300 RDI: 0282
RBP: 8801db007298 R08: 11003b600de1 R09:
R10: R11: R12: 8801d8dda3c0
R13: 88019bdb2200 R14: 88019bdeed80 R15: 8801d8dda418
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
 ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1414
 ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1434
 icmp_push_reply+0x395/0x4f0 net/ipv4/icmp.c:394
 icmp_send+0x1136/0x19b0 net/ipv4/icmp.c:741
 ipv4_link_failure+0x2a/0x1b0 net/ipv4/route.c:1200
 dst_link_failure include/net/dst.h:427 [inline]
 arp_error_report+0xae/0x180 net/ipv4/arp.c:297
 neigh_invalidate+0x225/0x530 net/core/neighbour.c:883
 neigh_timer_handler+0x897/0xd60 net/core/neighbour.c:969
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:778 [inline]
RIP: 0010:lock_acquire+0x256/0x580 kernel/locking/lockdep.c:3923
RSP: 0018:880197b3f980 EFLAGS: 0282 ORIG_RAX: ff12
RAX: dc00 RBX: 8801d225e400 RCX:
RDX: 110a24e5 RSI: b98b8227 RDI: 0282
RBP: 880197b3fa78 R08: 110032f67e93 R09: 0004
R10: 880197b3f960 R11: 0003 R12: 110032f67f36
R13: R14: R15: 0001
 down_write_killable+0x8a/0x140 kernel/locking/rwsem.c:84
 __bprm_mm_init fs/exec.c:297 [inline]
 bprm_mm_init fs/exec.c:414 [inline]
 do_execveat_common.isra.30+0xc8e/0x23c0 fs/exec.c:1771
 do_execve+0x31/0x40 fs/exec.c:1847
 call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406
Dumping ftrace buffer:
 (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
KMSAN: uninit-value in tipc_subscrb_rcv_cb

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=75e6e042c5bbf691fc82

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5784467448791040
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329060) (llvm/trunk 329054)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+75e6e042c5bbf691f...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in htohl net/tipc/subscr.c:66 [inline]
BUG: KMSAN: uninit-value in tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339
CPU: 1 PID: 5017 Comm: kworker/u4:6 Not tainted 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tipc_rcv tipc_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 htohl net/tipc/subscr.c:66 [inline]
 tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339
 tipc_receive_from_sock+0x64c/0x800 net/tipc/server.c:271
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
 tipc_receive_from_sock+0x15c/0x800 net/tipc/server.c:253
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406
==
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 5017 Comm: kworker/u4:6 Tainted: G B 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tipc_rcv tipc_recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 panic+0x39d/0x940 kernel/panic.c:183
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 htohl net/tipc/subscr.c:66 [inline]
 tipc_subscrb_rcv_cb+0x418/0xe80 net/tipc/subscr.c:339
 tipc_receive_from_sock+0x64c/0x800 net/tipc/server.c:271
 tipc_recv_work+0xd8/0x1f0 net/tipc/server.c:618
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:406
Shutting down cpus with NMI
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
KMSAN: uninit-value in _decode_session6

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=2974b85346f85b586f4d

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4871594698604544
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329060) (llvm/trunk 329054)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2974b85346f85b586...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in _decode_session6+0x6d1/0x1290 net/ipv6/xfrm6_policy.c:151
CPU: 1 PID: 5714 Comm: blkid Not tainted 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 _decode_session6+0x6d1/0x1290 net/ipv6/xfrm6_policy.c:151
 __xfrm_decode_session+0x140/0x1c0 net/xfrm/xfrm_policy.c:2368
 xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
 icmpv6_route_lookup net/ipv6/icmp.c:372 [inline]
 icmp6_send+0x305f/0x3460 net/ipv6/icmp.c:551
 icmpv6_send+0xe0/0x110 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x8f/0x580 net/ipv6/route.c:2034
 dst_link_failure include/net/dst.h:426 [inline]
 ndisc_error_report+0x101/0x1a0 net/ipv6/ndisc.c:695
 neigh_invalidate+0x385/0x930 net/core/neighbour.c:883
 neigh_timer_handler+0xd85/0x12d0 net/core/neighbour.c:969
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
RIP: 0010:kmsan_get_origin_address_noruntime+0x8f/0x260 include/linux/mmzone.h:1206
RSP: :880165b0fb40 EFLAGS: 0202 ORIG_RAX: ff12
RAX: 8801e5b0fcc8 RBX: RCX: 88021fff1580
RDX: 0580 RSI: RDI: 880165b0fcc8
RBP: 880165b0fb78 R08: 01080020 R09: 0002
R10: R11: R12: 0068
R13: d3a0004b R14: 880165b0fcc8 R15:
 kmsan_set_origin_inline+0x6b/0x120 mm/kmsan/kmsan_instr.c:585
 __msan_poison_alloca+0x15c/0x1d0 mm/kmsan/kmsan_instr.c:647
 handle_mm_fault+0x1c8/0x7ba0 mm/memory.c:4114
 __do_page_fault+0xec4/0x1a10 arch/x86/mm/fault.c:1423
 do_page_fault+0xd3/0x260 arch/x86/mm/fault.c:1500
 page_fault+0x45/0x50 arch/x86/entry/entry_64.S:1151
RIP: 0033:0x7f93ad8e4789
RSP: 002b:7ffd11b3cf20 EFLAGS: 00010216
RAX: 7f93ad4742a0 RBX: 7f93adaf79a8 RCX: 04a8
RDX: 7f93ad6a9028 RSI: aaab RDI:
RBP: 7ffd11b3d000 R08: 0001 R09: 0010
R10: 7f93ad343a30 R11: 0206 R12: 7f93ad325000
R13: 7f93ad343220 R14: 7f93ad33d748 R15: 7f93adaef740

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:526
 __msan_memcpy+0x19f/0x1f0 mm/kmsan/kmsan_instr.c:470
 skb_copy_bits+0x63a/0xdb0 net/core/skbuff.c:2046
 __pskb_pull_tail+0x483/0x22e0 net/core/skbuff.c:1883
 pskb_may_pull include/linux/skbuff.h:2112 [inline]
 _decode_session6+0x79f/0x1290 net/ipv6/xfrm6_policy.c:152
 __xfrm_decode_session+0x140/0x1c0 net/xfrm/xfrm_policy.c:2368
 xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
 icmpv6_route_lookup net/ipv6/icmp.c:372 [inline]
 icmp6_send+0x305f/0x3460 net/ipv6/icmp.c:551
 icmpv6_send+0xe0/0x110 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x8f/0x580 net/ipv6/route.c:2034
 dst_link_failure include/net/dst.h:426 [inline]
 ndisc_error_report+0x101/0x1a0 net/ipv6/ndisc.c:695
 neigh_invalidate+0x385/0x930 net/core/neighbour.c:883
 neigh_timer_handler+0xd85/0x12d0 net/core/neighbour.c:969
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel
Re: KMSAN: uninit-value in tipc_node_get_mtu

syzbot has found reproducer for the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b0975ce9355b347c1546

So far this crash happened 16 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5297557005664256
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4600034989441024
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5107856890134528
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b0975ce9355b347c1...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

==
BUG: KMSAN: uninit-value in tipc_node_find net/tipc/node.c:236 [inline]
BUG: KMSAN: uninit-value in tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
CPU: 1 PID: 3571 Comm: syzkaller770798 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 tipc_node_find net/tipc/node.c:236 [inline]
 tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
 __tipc_sendmsg+0x1b32/0x41c0 net/tipc/socket.c:1364
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fd49
RSP: 002b:7ffd0061aba8 EFLAGS: 0213 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 0043fd49
RDX: RSI: 2095ffc8 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 00401670
R13: 00401700 R14: R15:

Local variable description: dnode@__tipc_sendmsg
Variable was created at:
 __tipc_sendmsg+0x20c/0x41c0 net/tipc/socket.c:1272
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
==
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3571 Comm: syzkaller770798 Tainted: G B 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 panic+0x39d/0x940 kernel/panic.c:183
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 tipc_node_find net/tipc/node.c:236 [inline]
 tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
 __tipc_sendmsg+0x1b32/0x41c0 net/tipc/socket.c:1364
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fd49
RSP: 002b:7ffd0061aba8 EFLAGS: 0213 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 0043fd49
RDX: RSI: 2095ffc8 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 00401670
R13: 00401700 R14: R15:
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
KMSAN: uninit-value in tipc_node_get_mtu

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=b0975ce9355b347c1546

So far this crash happened 14 times on https://github.com/google/kmsan.git/master.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6058260943601664
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248
compiler: clang version 7.0.0 (trunk 329060) (llvm/trunk 329054)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b0975ce9355b347c1...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in tipc_node_find net/tipc/node.c:236 [inline]
BUG: KMSAN: uninit-value in tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
CPU: 1 PID: 5393 Comm: syz-executor0 Not tainted 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 tipc_node_find net/tipc/node.c:236 [inline]
 tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
 __tipc_sendmsg+0x1b32/0x41c0 net/tipc/socket.c:1364
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455259
RSP: 002b:7feeb8eb4c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7feeb8eb56d4 RCX: 00455259
RDX: RSI: 20001840 RDI: 0013
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12:
R13: 04cc R14: 006fa3c0 R15:

Local variable description: dnode@__tipc_sendmsg
Variable was created at:
 __tipc_sendmsg+0x20c/0x41c0 net/tipc/socket.c:1272
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
==
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 5393 Comm: syz-executor0 Tainted: G B 4.16.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 panic+0x39d/0x940 kernel/panic.c:183
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 tipc_node_find net/tipc/node.c:236 [inline]
 tipc_node_get_mtu+0x200/0x7a0 net/tipc/node.c:185
 __tipc_sendmsg+0x1b32/0x41c0 net/tipc/socket.c:1364
 tipc_sendmsg+0xeb/0x140 net/tipc/socket.c:1265
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455259
RSP: 002b:7feeb8eb4c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7feeb8eb56d4 RCX: 00455259
RDX: RSI: 20001840 RDI: 0013
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12:
R13: 04cc R14: 006fa3c0 R15:
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
INFO: task hung in do_ip_vs_set_ctl (2)

Hello,

syzbot hit the following crash on upstream commit
3fd14cdcc05a682b03743683ce3a726898b20555 (Fri Apr 6 19:15:41 2018 +)
Merge tag 'mtd/for-4.17' of git://git.infradead.org/linux-mtd
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=7810ed2e0cb359580c17

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5452586266132480
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7810ed2e0cb359580...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

IPVS: stopping backup sync thread 25820 ...
IPVS: sync thread started: state = BACKUP, mcast_ifn = lo, syncid = 0, id = 0
IPVS: sync thread started: state = BACKUP, mcast_ifn = bridge0, syncid = 5, id = 0
IPVS: stopping backup sync thread 25825 ...
INFO: task syz-executor4:25814 blocked for more than 120 seconds.
      Not tainted 4.16.0+ #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor4 D23496 25814 4577 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x807/0x1e40 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_preempt_disabled+0x10/0x20 kernel/sched/core.c:3607
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0xe38/0x17f0 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 do_ip_vs_set_ctl+0x562/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2388
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2413
 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x62/0xa0 net/ipv6/udp.c:1424
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455259
RSP: 002b:7f2f6a5c0c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f2f6a5c16d4 RCX: 00455259
RDX: 048b RSI: RDI: 0019
RBP: 0072bea0 R08: 0018 R09:
R10: 2100 R11: 0246 R12:
R13: 0520 R14: 006faba0 R15:

Showing all locks held in the system:
3 locks held by kworker/1:0/18:
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 34433a79 (deferred_process_work){+.+.}, at: process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: c152a7e0 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
3 locks held by kworker/1:1/25:
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: __write_once_size include/linux/compiler.h:215 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 04c9dcc7 ((wq_completion)&q
kernel BUG at drivers/vhost/vhost.c:LINE! (2)

Hello,

syzbot hit the following crash on upstream commit
38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +)
Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=65a84dde0214b0387ccd

So far this crash happened 4 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6586748079439872
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5974272052822016
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6224632407392256
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+65a84dde0214b0387...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

[ cut here ]
kernel BUG at drivers/vhost/vhost.c:1652!
invalid opcode: [#1] SMP KASAN
[ cut here ]
Dumping ftrace buffer:
kernel BUG at drivers/vhost/vhost.c:1652!
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4461 Comm: syzkaller684218 Not tainted 4.16.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:set_bit_to_user drivers/vhost/vhost.c:1652 [inline]
RIP: 0010:log_write+0x42a/0x4d0 drivers/vhost/vhost.c:1676
RSP: 0018:8801b256f920 EFLAGS: 00010293
RAX: 8801adc9e2c0 RBX: dc00 RCX: 85924a0f
RDX: RSI: 85924cea RDI: 0005
RBP: 8801b256fa58 R08: 8801adc9e2c0 R09: ed003962412d
R10: 8801b256fad8 R11: 8801cb12096f R12: 0001
R13: ed00364adf36 R14: R15: 8801b256fa30
FS: 7fdf24b19700() GS:8801db10() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 20bf6000 CR3: 0001ae6a7000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 vhost_update_used_flags+0x3af/0x4a0 drivers/vhost/vhost.c:1723
 vhost_vq_init_access+0x117/0x590 drivers/vhost/vhost.c:1763
 vhost_vsock_start drivers/vhost/vsock.c:446 [inline]
 vhost_vsock_dev_ioctl+0x751/0x920 drivers/vhost/vsock.c:678
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 SYSC_ioctl fs/ioctl.c:708 [inline]
 SyS_ioctl+0x24/0x30 fs/ioctl.c:706
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4456c9
RSP: 002b:7fdf24b18da8 EFLAGS: 0297 ORIG_RAX: 0010
RAX: ffda RBX: 006dac24 RCX: 004456c9
RDX: 20f82ffc RSI: 4004af61 RDI: 001b
RBP: 006dac20 R08: R09:
R10: R11: 0297 R12: 6b636f73762d7473
R13: 6f68762f7665642f R14: fffc R15: 0007
Code: e8 7c 5e e4 fb 4c 89 ef e8 e4 16 06 fc 48 8d 85 58 ff ff ff 48 c1 e8 03 c6 04 18 f8 e9 46 ff ff ff 45 31 f6 eb 91 e8 56 5e e4 fb <0f> 0b e8 4f 5e e4 fb 48 c7 c6 a0 a3 24 88 4c 89 ef e8 60 b6 10
RIP: set_bit_to_user drivers/vhost/vhost.c:1652 [inline] RSP: 8801b256f920
RIP: log_write+0x42a/0x4d0 drivers/vhost/vhost.c:1676 RSP: 8801b256f920
invalid opcode: [#2] SMP KASAN
---[ end trace 0d0ff45aa44d8a23 ]---
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
Re: WARNING in xfrm6_tunnel_net_exit

syzbot has found reproducer for the following crash on upstream commit
3c8ba0d61d04ced9f8d9ff93977995a9e4e96e91 (Sat Mar 31 01:52:36 2018 +)
kernel.h: Retain constant expression output for max()/min()
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=777bf170a89e7b326405

So far this crash happened 10982 times on linux-next, mmots, net-next, upstream.
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5399809707999232
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4550974920196096
Kernel config: https://syzkaller.appspot.com/x/.config?id=-1647968177339044852
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+777bf170a89e7b326...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
WARNING: CPU: 0 PID: 180 at net/ipv6/xfrm6_tunnel.c:345 xfrm6_tunnel_net_exit+0x2c0/0x4f0 net/ipv6/xfrm6_tunnel.c:345
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 180 Comm: kworker/u4:4 Not tainted 4.16.0+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b9/0x29f lib/dump_stack.c:53
 panic+0x22f/0x4de kernel/panic.c:183
 __warn.cold.8+0x163/0x1a3 kernel/panic.c:547
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1bc/0x470 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:991
RIP: 0010:xfrm6_tunnel_net_exit+0x2c0/0x4f0 net/ipv6/xfrm6_tunnel.c:345
RSP: 0018:8801d96373d8 EFLAGS: 00010293
RAX: 8801d961c080 RBX: 8801b0e999a0 RCX: 866b08c6
RDX: RSI: 866b08d0 RDI: 0007
RBP: 8801d96374f8 R08: 8801d961c080 R09: ed003b6046c2
R10: 0003 R11: 0003 R12: 007c
R13: ed003b2c6e82 R14: 8801d96374d0 R15: 8801b6185f80
 ops_exit_list.isra.7+0xb0/0x160 net/core/net_namespace.c:152
 cleanup_net+0x51d/0xb20 net/core/net_namespace.c:523
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
Hello,

syzbot hit the following crash on upstream commit
0adb32858b0bddf4ada5f364a84ed60b196dbcda (Sun Apr 1 21:20:27 2018 +)
Linux 4.16
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=554ccde221001ab5479a

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5822430194958336
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2374466361298166459
compiler: gcc (GCC) 7.1.1 20170620
user-space arch: i386

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+554ccde221001ab54...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

R10: R11: R12: R13: R14: R15:
dccp_parse_options: DCCP(7d56a000): Option 32 (len=7) error=9
==
dccp_check_seqno: Step 6 failed for RESET packet, (LSWL(279336972291068) <= P.seqno(279336972291066) <= S.SWH(279336972291142)) and (P.ackno exists or LAWL(234137106534459) <= P.ackno(234137106534459) <= S.AWH(234137106534460), sending SYNC...
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x234a/0x2440 net/dccp/ccids/ccid2.c:598
Read of size 1 at addr 8801bb7a4a82 by task syz-executor1/1660

CPU: 1 PID: 1660 Comm: syz-executor1 Not tainted 4.16.0+ #285
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 ccid2_hc_tx_packet_recv+0x234a/0x2440 net/dccp/ccids/ccid2.c:598
 ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
 dccp_deliver_input_to_ccids+0x1d0/0x250 net/dccp/input.c:186
 dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x135/0x160 net/dccp/ipv4.c:653
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 dccp_sendmsg+0x528/0xe60 net/dccp/proto.c:820
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
 __sys_sendmmsg+0x31b/0x620 net/socket.c:2129
 C_SYSC_sendmmsg net/compat.c:745 [inline]
 compat_SyS_sendmmsg+0x32/0x40 net/compat.c:742
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f6dc99
RSP: 002b:f5f690ac EFLAGS: 0282 ORIG_RAX: 0159
RAX: ffda RBX: 0013 RCX: 2000b880
RDX: 0122 RSI: RDI:
RBP: R08: R09:
R10: R11: R12:
R13: R14: R15:

Allocated by task 1660:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 __do_kmalloc_node mm/slab.c:3670 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3684
 __kmalloc_reserve.isra.39+0x41/0xd0 net/core/skbuff.c:137
 __alloc_skb+0x13b/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:983 [inline]
 dccp_send_ack+0xb6/0x350 net/dccp/output.c:580
 ccid2_hc_rx_packet_recv+0x10d/0x180 net/dccp/ccids/ccid2.c:766
 ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
 dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
 dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x135/0x160 net/dccp/ipv4.c:653
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __sk_receive_skb+0x33e/0xc10 net/core/sock.c:513
 dccp_v4_rcv+0xf5f/0x1c80 net/dccp/ipv4.c:874
 ip_local_deliver_finish+0x2f1/0xc50 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish+0xa36/0x2040 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0xb76/0x1820 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4562
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
 process_backlog+0x203/0x740 net/core/dev.c:5307
 napi_poll net/core/dev.c:5705 [inline]
 net_rx_action+0x792/0x1910 net/core/dev.c:5771
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285

Freed by task 1660:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c
possible deadlock in skb_queue_tail
Hello,

syzbot hit the following crash on net-next commit
06b19fe9a6df7aaa423cd8404ebe5ac9ec4b2960 (Sun Apr 1 03:37:33 2018 +)
Merge branch 'chelsio-inline-tls'
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=6b495100f17ca8554ab9

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6218830443446272
Kernel config: https://syzkaller.appspot.com/x/.config?id=3327544840960562528
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b495100f17ca8554...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
WARNING: possible circular locking dependency detected
4.16.0-rc6+ #290 Not tainted
--
syz-executor7/20971 is trying to acquire lock:
 (_unix_sk_receive_queue_lock_key){+.+.}, at: [<271ef0d8>] skb_queue_tail+0x26/0x150 net/core/skbuff.c:2899

but task is already holding lock:
 (&(>lock)->rlock/1){+.+.}, at: [<4e725e14>] unix_state_double_lock+0x7b/0xb0 net/unix/af_unix.c:1088

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&(>lock)->rlock/1){+.+.}:
       _raw_spin_lock_nested+0x28/0x40 kernel/locking/spinlock.c:354
       sk_diag_dump_icons net/unix/diag.c:82 [inline]
       sk_diag_fill.isra.4+0xa52/0xfe0 net/unix/diag.c:144
       sk_diag_dump net/unix/diag.c:178 [inline]
       unix_diag_dump+0x400/0x4f0 net/unix/diag.c:206
       netlink_dump+0x492/0xcf0 net/netlink/af_netlink.c:2221
       __netlink_dump_start+0x4ec/0x710 net/netlink/af_netlink.c:2318
       netlink_dump_start include/linux/netlink.h:214 [inline]
       unix_diag_handler_dump+0x3e7/0x750 net/unix/diag.c:307
       __sock_diag_cmd net/core/sock_diag.c:230 [inline]
       sock_diag_rcv_msg+0x204/0x360 net/core/sock_diag.c:261
       netlink_rcv_skb+0x14b/0x380 net/netlink/af_netlink.c:2443
       sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:272
       netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
       netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1333
       netlink_sendmsg+0xa4a/0xe80 net/netlink/af_netlink.c:1896
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:639
       sock_write_iter+0x31a/0x5d0 net/socket.c:908
       call_write_iter include/linux/fs.h:1782 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x684/0x970 fs/read_write.c:482
       vfs_write+0x189/0x510 fs/read_write.c:544
       SYSC_write fs/read_write.c:589 [inline]
       SyS_write+0xef/0x220 fs/read_write.c:581
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (_unix_sk_receive_queue_lock_key){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
       skb_queue_tail+0x26/0x150 net/core/skbuff.c:2899
       unix_dgram_sendmsg+0xa30/0x1610 net/unix/af_unix.c:1807
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:639
       ___sys_sendmsg+0x320/0x8b0 net/socket.c:2047
       __sys_sendmmsg+0x1ee/0x620 net/socket.c:2137
       SYSC_sendmmsg net/socket.c:2168 [inline]
       SyS_sendmmsg+0x35/0x60 net/socket.c:2163
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
  lock(&(>lock)->rlock/1);
                               lock(_unix_sk_receive_queue_lock_key);
                               lock(&(>lock)->rlock/1);
  lock(_unix_sk_receive_queue_lock_key);

 *** DEADLOCK ***

1 lock held by syz-executor7/20971:
 #0:  (&(>lock)->rlock/1){+.+.}, at: [<4e725e14>] unix_state_double_lock+0x7b/0xb0 net/unix/af_unix.c:1088

stack backtrace:
CPU: 0 PID: 20971 Comm: syz-executor7 Not tainted 4.16.0-rc6+ #290
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:
general protection fault in tipc_nametbl_unsubscribe
Hello,

syzbot hit the following crash on upstream commit
10b84daddbec72c6b440216a69de9a9605127f7a (Sat Mar 31 17:59:00 2018 +)
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4859fe19555ea87c42f3

So far this crash happened 3 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4775372465897472
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4868734988582912
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=507380209544
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2760467897697295172
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4859fe19555ea87c4...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

R13: R14: R15:
Name sequence creation failed, no memory
Failed to create subscription for {24576,0,4294967295}
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4447 Comm: syzkaller851181 Not tainted 4.16.0-rc7+ #374
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid+0x7e/0x150 lib/list_debug.c:51
RSP: 0018:8801ae1aef48 EFLAGS: 00010246
RAX: dc00 RBX: RCX:
RDX: RSI: 8801cf54c760 RDI: 8801cf54c768
RBP: 8801ae1aef60 R08: 110035c35cff R09: 89956150
R10: 8801ae1aee28 R11: 168a R12: 87745ea0
R13: 8801ae1af100 R14: 8801cf54c760 R15: 8801cf4c8cc0
FS:  () GS:8801db10() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 55dce15c3090 CR3: 0846a002 CR4: 001606e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del_init include/linux/list.h:159 [inline]
 tipc_nametbl_unsubscribe+0x318/0x990 net/tipc/name_table.c:848
 tipc_subscrb_subscrp_delete+0x1e9/0x460 net/tipc/subscr.c:212
 tipc_subscrb_delete net/tipc/subscr.c:242 [inline]
 tipc_subscrb_release_cb+0x17/0x30 net/tipc/subscr.c:321
 tipc_topsrv_kern_unsubscr+0x2c3/0x430 net/tipc/server.c:535
 tipc_group_delete+0x2c0/0x3d0 net/tipc/group.c:231
 tipc_sk_leave+0x10b/0x200 net/tipc/socket.c:2795
 tipc_release+0x154/0xff0 net/tipc/socket.c:577
 sock_release+0x8d/0x1e0 net/socket.c:595
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x327/0x7e0 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ad0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43f228
RSP: 002b:7ffde31217e8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: RCX: 0043f228
RDX: RSI: 003c RDI:
RBP: 004bf308 R08: 00e7 R09: ffd0
R10: 204ee000 R11: 0246 R12: 0001
R13: 006d1180 R14: R15:
Code: 00 00 00 00 ad de 49 39 c4 74 66 48 b8 00 02 00 00 00 00 ad de 48 89 da 48 39 c3 74 65 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 75 7b 48 8b 13 48 39 f2 75 57 49 8d 7c 24 08 48 b8
RIP: __list_del_entry_valid+0x7e/0x150 lib/list_debug.c:51 RSP: 8801ae1aef48
---[ end trace ba18c1598e2d5535 ]---

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.