Re: memory leak in bio_copy_user_iov

2019-07-28 Thread syzbot

syzbot has bisected this bug to:

commit 664820265d70a759dceca87b6eb200cd2b93cda8
Author: Mike Snitzer 
Date:   Thu Feb 18 20:44:39 2016 +

dm: do not return target from dm_get_live_table_for_ioctl()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13f4eb6460
start commit:   0011572c Merge branch 'for-5.2-fixes' of git://git.kernel...
git tree:   upstream
final crash:https://syzkaller.appspot.com/x/report.txt?x=100ceb6460
console output: https://syzkaller.appspot.com/x/log.txt?x=17f4eb6460
kernel config:  https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
dashboard link: https://syzkaller.appspot.com/bug?extid=03e5c8ebd22cc6c3a8cb
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13244221a0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=117b2432a0

Reported-by: syzbot+03e5c8ebd22cc6c3a...@syzkaller.appspotmail.com
Fixes: 664820265d70 ("dm: do not return target from dm_get_live_table_for_ioctl()")


For information about bisection process see: https://goo.gl/tpsmEJ#bisection


WARNING in xt_compat_add_offset

2019-02-22 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:8a61716ff2ab Merge tag 'ceph-for-5.0-rc8' of git://github...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1456fa6cc0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7132344728e7ec3f
dashboard link: https://syzkaller.appspot.com/bug?extid=276ddebab3382bbf72db
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=140c0914c0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+276ddebab3382bbf7...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
cannot load conntrack support for proto=7
WARNING: CPU: 1 PID: 7458 at net/netfilter/x_tables.c:654 xt_compat_add_offset+0x22a/0x290 net/netfilter/x_tables.c:654
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7458 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 panic+0x2cb/0x65c kernel/panic.c:214
 __warn.cold+0x20/0x45 kernel/panic.c:571
 report_bug+0x263/0x2b0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:xt_compat_add_offset+0x22a/0x290 net/netfilter/x_tables.c:654
Code: 00 01 e8 59 67 bb fb 44 89 e0 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 42 67 bb fb 0f 0b e9 56 fe ff ff e8 36 67 bb fb <0f> 0b 41 bc f4 ff ff ff eb ce 4c 89 f7 e8 14 6a f2 fb e9 75 ff ff
RSP: 0018:8880a8197808 EFLAGS: 00010293
RAX: 88809055e040 RBX: 8882166548d0 RCX: 85b47892
RDX:  RSI: 85b47a4a RDI: 8882166549f0
RBP: 8880a8197838 R08: 88809055e040 R09: ed1042cca92f
R10: ed1042cca92e R11: 888216654977 R12: 0018
R13: 0030 R14: 88809055e040 R15: 
 size_entry_mwt net/bridge/netfilter/ebtables.c:2183 [inline]
 compat_copy_entries+0x51b/0x1360 net/bridge/netfilter/ebtables.c:2208
 compat_do_replace+0x3b3/0x680 net/bridge/netfilter/ebtables.c:2302
 compat_do_ebt_set_ctl+0x229/0x278 net/bridge/netfilter/ebtables.c:2384
 compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
 compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
 compat_ip_setsockopt net/ipv4/ip_sockglue.c:1284 [inline]
 compat_ip_setsockopt+0x106/0x140 net/ipv4/ip_sockglue.c:1265
 compat_udp_setsockopt+0x68/0xb0 net/ipv4/udp.c:2629
 compat_ipv6_setsockopt+0xca/0x210 net/ipv6/ipv6_sockglue.c:959
 inet_csk_compat_setsockopt+0x99/0x120 net/ipv4/inet_connection_sock.c:1054
 compat_tcp_setsockopt+0x4d/0x80 net/ipv4/tcp.c:3079
 compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3002
 __compat_sys_setsockopt+0x176/0x610 net/compat.c:404
 __do_compat_sys_setsockopt net/compat.c:417 [inline]
 __se_compat_sys_setsockopt net/compat.c:414 [inline]
 __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:414
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x281/0xc98 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fd3869
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:f7fcf0cc EFLAGS: 0296 ORIG_RAX: 016e
RAX: ffda RBX: 0006 RCX: 
RDX: 0080 RSI: 20c0 RDI: 0270
RBP:  R08:  R09: 
R10:  R11:  R12: 
R13:  R14:  R15: 
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
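The two bot messages above (the bisection note with its Fixes: line and the crash report with its "please add the following tag" instruction) share a fixed layout. What follows is an added example, not code from syzbot or the kernel tree: a small Python parser that pulls the dashboard extid, git tree, HEAD commit and first bug marker out of a report body and emits the Fixes:/Reported-by: trailers a fix commit should carry. It assumes the syzbot convention that the Reported-by address is syzbot+<extid>@syzkaller.appspotmail.com, which matters because list archives truncate that address (as they do above) while the extid in the dashboard link survives. The two sample reports embedded in it are constructed from the headers above with the traces trimmed.

```python
"""Pull the commit trailers a fix needs out of a syzbot report.

Added example, not syzbot's code. Assumes two things visible in the reports
above: the dashboard link carries the bug's extid, and the Reported-by
address is syzbot+<extid>@syzkaller.appspotmail.com (list archives often
truncate that address, so the extid is the reliable source for it).
"""
import re

# Constructed samples, trimmed from the two reports above; call traces are
# omitted because the parser needs only the header and the first bug line.
BISECT_REPORT = """\
syzbot has bisected this bug to:

commit 664820265d70a759dceca87b6eb200cd2b93cda8
Author: Mike Snitzer
Date:   Thu Feb 18 20:44:39 2016 +0000

    dm: do not return target from dm_get_live_table_for_ioctl()

start commit:   0011572c Merge branch 'for-5.2-fixes' of git://git.kernel...
git tree:       upstream
dashboard link: https://syzkaller.appspot.com/bug?extid=03e5c8ebd22cc6c3a8cb
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=117b2432a0
"""

CRASH_REPORT = """\
HEAD commit:    8a61716ff2ab Merge tag 'ceph-for-5.0-rc8' of git://github...
git tree:       upstream
dashboard link: https://syzkaller.appspot.com/bug?extid=276ddebab3382bbf72db
userspace arch: i386
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=140c0914c0

cannot load conntrack support for proto=7
WARNING: CPU: 1 PID: 7458 at net/netfilter/x_tables.c:654 xt_compat_add_offset+0x22a/0x290 net/netfilter/x_tables.c:654
Kernel panic - not syncing: panic_on_warn set ...
"""

SYZBOT_DOMAIN = "syzkaller.appspotmail.com"
FIELD_RE = re.compile(r"^(HEAD commit|start commit|git tree|dashboard link|"
                      r"userspace arch|syz repro|C reproducer):\s*(.*?)\s*$")
EXTID_RE = re.compile(r"[?&]extid=([0-9a-f]+)")
# "WARNING: CPU: n PID: m at file:line func+0x../0x.." (panic_on_warn reports)
WARN_RE = re.compile(r"^WARNING: CPU: \d+ PID: \d+ at (\S+:\d+) (\w+)\+0x")
# Kernel-mode "RIP: 0010:func+0x../0x.. file:line" (GPFs, RCU stalls, KASAN)
RIP_RE = re.compile(r"^RIP: 0010:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (\S+:\d+)")


def _bisected_commit(lines):
    """Return (sha, subject) from a 'syzbot has bisected' block, or None."""
    for i, line in enumerate(lines):
        m = re.fullmatch(r"commit ([0-9a-f]{40})", line.strip())
        if not m:
            continue
        # Skip Author:/Date: and blank lines; the next text line is the subject.
        for cand in lines[i + 1:]:
            s = cand.strip()
            if s and not s.startswith(("Author:", "Date:")):
                return m.group(1), s
    return None


def _crash_site(lines):
    """Return (kind, function, file:line) for the first bug marker seen."""
    kind = None
    for line in lines:
        m = WARN_RE.match(line)
        if m:
            return "WARNING", m.group(2), m.group(1)
        if line.startswith("general protection fault"):
            kind = "GPF"          # the location follows on the RIP line
        elif "rcu_preempt self-detected stall" in line:
            kind = "RCU_STALL"
        m = RIP_RE.match(line)
        if m and kind:
            return kind, m.group(1), m.group(2)
    return None


def parse_report(text):
    """Extract the fields a fixer needs from one syzbot mail body."""
    lines = text.splitlines()
    fields = {}
    for line in lines:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    extid_m = EXTID_RE.search(fields.get("dashboard link", ""))
    if not extid_m:
        raise ValueError("no dashboard link with extid; cannot build Reported-by")
    extid = extid_m.group(1)
    head = fields.get("HEAD commit") or fields.get("start commit") or ""
    return {
        "extid": extid,
        "reported_by": f"syzbot+{extid}@{SYZBOT_DOMAIN}",
        "tree": fields.get("git tree"),
        "head": head.split(" ", 1)[0],
        "has_repro": any(k in fields for k in ("syz repro", "C reproducer")),
        "fixes": _bisected_commit(lines),
        "crash": _crash_site(lines),
    }


def commit_trailers(report):
    """Fixes: (12-char abbreviated sha, kernel style) then Reported-by:."""
    trailers = []
    if report["fixes"]:
        sha, subject = report["fixes"]
        trailers.append(f'Fixes: {sha[:12]} ("{subject}")')
    trailers.append(f"Reported-by: {report['reported_by']}")
    return trailers


if __name__ == "__main__":
    for sample in (BISECT_REPORT, CRASH_REPORT):
        rep = parse_report(sample)
        print(rep["head"], rep["tree"], rep["crash"], rep["has_repro"])
        print("\n".join(commit_trailers(rep)))
```

The bisection report yields the same Fixes: line the bot printed, and the extid route reconstructs the full Reported-by address that the archive rendering above cut short. Only kernel-mode RIP lines (selector 0010) are matched, so the user-space RIP: 0033 / RIP: 0023 frames at the bottom of each dump are ignored.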


Re: INFO: rcu detected stall in netlink_sendmsg

2019-02-17 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:8d33316d5205 Merge branch 'x86-urgent-for-linus' of git://..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d5f3bcc0
kernel config:  https://syzkaller.appspot.com/x/.config?x=ee434566c893c7b1
dashboard link: https://syzkaller.appspot.com/bug?extid=a910a514846e27f15348
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13923b60c0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a910a514846e27f15...@syzkaller.appspotmail.com

kernel msg: ebtables bug: please report to author: Entries_size never zero
kernel msg: ebtables bug: please report to author: Entries_size never zero
kernel msg: ebtables bug: please report to author: Entries_size never zero
kernel msg: ebtables bug: please report to author: Entries_size never zero
32-bit node address hash set to aa1414ac
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 	1-: (1 GPs behind) idle=5aa/1/0x4002 softirq=10469/10470 fqs=5225
rcu: (t=10500 jiffies g=6081 q=489)
NMI backtrace for cpu 1
CPU: 1 PID: 7809 Comm: syz-executor.3 Not tainted 5.0.0-rc6+ #76
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold+0x63/0xa4 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x1be/0x236 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
 rcu_dump_cpu_stacks+0x183/0x1cf kernel/rcu/tree.c:1211
 print_cpu_stall kernel/rcu/tree.c:1348 [inline]
 check_cpu_stall kernel/rcu/tree.c:1422 [inline]
 rcu_pending kernel/rcu/tree.c:3018 [inline]
 rcu_check_callbacks.cold+0x500/0xa4a kernel/rcu/tree.c:2521
 update_process_times+0x32/0x80 kernel/time/timer.c:1635
 tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:161
 tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x33e/0xde0 kernel/time/hrtimer.c:1451
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x120/0x570 arch/x86/kernel/apic/apic.c:1060
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 
RIP: 0010:check_memory_region+0x21/0x190 mm/kasan/generic.c:190
Code: 2e 0f 1f 84 00 00 00 00 00 48 85 f6 0f 84 21 01 00 00 48 b8 ff ff ff ff ff 7f ff ff 55 0f b6 d2 48 39 c7 48 89 e5 41 55 41 54 <53> 0f 86 f6 00 00 00 4c 8d 5c 37 ff 49 89 f8 48 b8 00 00 00 00 00
RSP: 0018:88808b8fea60 EFLAGS: 0212 ORIG_RAX: ff13
RAX: 7fff RBX: e8d2f348 RCX: 8157be27
RDX:  RSI: 0004 RDI: e8d2f348
RBP: 88808b8fea70 R08: 1d1a5e69 R09: f91a5e6a
R10: f91a5e69 R11: e8d2f34b R12: 0001
R13: 0003 R14: f91a5e69 R15: 05e8
 kasan_check_read+0x11/0x20 mm/kasan/common.c:100
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 virt_spin_lock arch/x86/include/asm/qspinlock.h:83 [inline]
 native_queued_spin_lock_slowpath+0xb7/0x970 kernel/locking/qspinlock.c:337
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:653 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:50 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:90 [inline]
 do_raw_spin_lock+0x20e/0x2e0 kernel/locking/spinlock_debug.c:113
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x37/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 nf_ct_add_to_unconfirmed_list net/netfilter/nf_conntrack_core.c:462 [inline]
 init_conntrack.isra.0+0xa15/0x1180 net/netfilter/nf_conntrack_core.c:1437
 resolve_normal_ct net/netfilter/nf_conntrack_core.c:1479 [inline]
 nf_conntrack_in+0xa68/0x1070 net/netfilter/nf_conntrack_core.c:1585
 ipv4_conntrack_local+0x169/0x210 net/netfilter/nf_conntrack_proto.c:444
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 __ip_local_out+0x403/0x880 net/ipv4/ip_output.c:113
 ip_local_out+0x2d/0x1b0 net/ipv4/ip_output.c:122
 iptunnel_xmit+0x58e/0x980 net/ipv4/ip_tunnel_core.c:91
 udp_tunnel_xmit_skb+0x236/0x310 net/ipv4/udp_tunnel.c:200
 tipc_udp_xmit.isra.0+0x7fd/0xcc0 net/tipc/udp_media.c:181
 tipc_udp_send_msg+0x295/0x4a0 net/tipc/udp_media.c:247
 tipc_bearer_xmit_skb+0x172/0x360 net/tipc/bearer.c:503
 tipc_enable_bearer+0xac4/0xd20 net/tipc/bearer.c:328
 __tipc_nl_bearer_enable+0x2d1/0x3b0 net/tipc/bearer.c:899
 tipc_nl_bearer_enable+0x23/0x40 net/t

Re: general protection fault in nf_ct_gre_keymap_flush

2019-01-24 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:755d01d17697 Add linux-next specific files for 20190124
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=128f88c4c0
kernel config:  https://syzkaller.appspot.com/x/.config?x=35842b82e8cde424
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee88b2d87f0539dfe9
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13e5f51740
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17da1cef40

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fcee88b2d87f0539d...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7374 Comm: syz-executor189 Not tainted 5.0.0-rc3-next-20190124 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nf_ct_gre_keymap_flush+0xb9/0x2f0 net/netfilter/nf_conntrack_proto_gre.c:65
Code: 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 0f 85 2b 02 00 00 4c 8b bb f8 16 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fc 01 00 00 4c 3b bd 68 ff ff ff 4d 8b 27 0f 84
RSP: 0018:88808a6e7698 EFLAGS: 00010246
RAX: dc00 RBX: 8880930082c0 RCX: 
RDX: 1146e05a RSI: 0004 RDI: 88808a6e7600
RBP: 88808a6e7748 R08: 1110114dcec0 R09: ed10114dcec1
R10: ed10114dcec0 R11: 0003 R12: dc00
R13: 88808a6e7858 R14: 8880930099b8 R15: 
FS:  7febe4d2d700() GS:8880ae60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7febe4d2cdb8 CR3: 901a3000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 nf_conntrack_proto_pernet_fini+0x16/0x1a net/netfilter/nf_conntrack_proto.c:617
 nf_conntrack_cleanup_net_list+0x204/0x330 net/netfilter/nf_conntrack_core.c:2183
 nf_conntrack_cleanup_net+0x1c5/0x270 net/netfilter/nf_conntrack_core.c:2156
 nf_conntrack_pernet_init net/netfilter/nf_conntrack_standalone.c:1122 [inline]
 nf_conntrack_pernet_init+0xc3f/0xf00 net/netfilter/nf_conntrack_standalone.c:1091
 ops_init+0x109/0x5d0 net/core/net_namespace.c:129
 setup_net+0x38f/0x940 net/core/net_namespace.c:314
 copy_net_ns+0x2ae/0x4b0 net/core/net_namespace.c:437
 create_new_namespaces+0x4ce/0x930 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x6d7/0xfb0 kernel/fork.c:2550
 __do_sys_unshare kernel/fork.c:2618 [inline]
 __se_sys_unshare kernel/fork.c:2616 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x449009
Code: e8 6c 14 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7febe4d2ccf8 EFLAGS: 0246 ORIG_RAX: 0110
RAX: ffda RBX: 006e59f8 RCX: 00449009
RDX: 00449009 RSI: 00449009 RDI: 4000
RBP: 006e59f0 R08:  R09: 
R10:  R11: 0246 R12: 006e59fc
R13: 7ffeec84fdaf R14: 7febe4d2d9c0 R15: 0001
Modules linked in:
---[ end trace e72b60d04a028cfc ]---
RIP: 0010:nf_ct_gre_keymap_flush+0xb9/0x2f0 net/netfilter/nf_conntrack_proto_gre.c:65
Code: 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 0f 85 2b 02 00 00 4c 8b bb f8 16 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fc 01 00 00 4c 3b bd 68 ff ff ff 4d 8b 27 0f 84
RSP: 0018:88808a6e7698 EFLAGS: 00010246
RAX: dc00 RBX: 8880930082c0 RCX: 
RDX: 1146e05a RSI: 0004 RDI: 88808a6e7600
RBP: 88808a6e7748 R08: 1110114dcec0 R09: ed10114dcec1
R10: ed10114dcec0 R11: 0003 R12: dc00
R13: 88808a6e7858 R14: 8880930099b8 R15: 
FS:  7febe4d2d700() GS:8880ae60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7febe4d2cdb8 CR3: 901a3000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400



Re: general protection fault in nf_ct_gre_keymap_flush

2019-01-23 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:5b74ce505631 Add linux-next specific files for 20190123
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1137e1b740
kernel config:  https://syzkaller.appspot.com/x/.config?x=d4d5d672c7c71240
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee88b2d87f0539dfe9
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=165f80c0c0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fcee88b2d87f0539d...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8342 Comm: syz-executor2 Not tainted 5.0.0-rc3-next-20190123 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nf_ct_gre_keymap_flush+0xb9/0x2f0 net/netfilter/nf_conntrack_proto_gre.c:65
Code: 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 0f 85 2b 02 00 00 4c 8b bb f8 16 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fc 01 00 00 4c 3b bd 68 ff ff ff 4d 8b 27 0f 84
RSP: 0018:8880743eeef8 EFLAGS: 00010246
RAX: dc00 RBX: 888074c10240 RCX: 
RDX: 1146dff2 RSI: 0004 RDI: 8880743eee60
RBP: 8880743eefa8 R08: 11100e87ddcc R09: ed100e87ddcd
R10: ed100e87ddcc R11: 0003 R12: dc00
R13: 8880743ef0b8 R14: 888074c11938 R15: 
FS:  7f7ceb928700() GS:8880ae70() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2000 CR3: a089b000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 nf_conntrack_proto_pernet_fini+0x16/0x1a net/netfilter/nf_conntrack_proto.c:617
 nf_conntrack_cleanup_net_list+0x204/0x330 net/netfilter/nf_conntrack_core.c:2183
 nf_conntrack_cleanup_net+0x1c5/0x270 net/netfilter/nf_conntrack_core.c:2156
 nf_conntrack_pernet_init net/netfilter/nf_conntrack_standalone.c:1122 [inline]
 nf_conntrack_pernet_init+0xc3f/0xf00 net/netfilter/nf_conntrack_standalone.c:1091
 ops_init+0x109/0x5d0 net/core/net_namespace.c:129
 setup_net+0x38f/0x940 net/core/net_namespace.c:314
 copy_net_ns+0x2ae/0x4b0 net/core/net_namespace.c:437
 create_new_namespaces+0x4ce/0x930 kernel/nsproxy.c:107
 copy_namespaces+0x3ff/0x4d0 kernel/nsproxy.c:165
 copy_process+0x4a2d/0x8890 kernel/fork.c:1920
 _do_fork+0x1a9/0x1170 kernel/fork.c:2227
 __do_sys_clone kernel/fork.c:2334 [inline]
 __se_sys_clone kernel/fork.c:2328 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2328
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458099
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f7ceb927c78 EFLAGS: 0246 ORIG_RAX: 0038
RAX: ffda RBX: 0005 RCX: 00458099
RDX:  RSI:  RDI: 70024103
RBP: 0073bfa0 R08:  R09: 
R10:  R11: 0246 R12: 7f7ceb9286d4
R13: 004be480 R14: 004ce960 R15: 
Modules linked in:
---[ end trace cdb65ca986e98ff1 ]---
RIP: 0010:nf_ct_gre_keymap_flush+0xb9/0x2f0 net/netfilter/nf_conntrack_proto_gre.c:65
Code: 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 0f 85 2b 02 00 00 4c 8b bb f8 16 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fc 01 00 00 4c 3b bd 68 ff ff ff 4d 8b 27 0f 84
RSP: 0018:8880743eeef8 EFLAGS: 00010246
RAX: dc00 RBX: 888074c10240 RCX: 
RDX: 1146dff2 RSI: 0004 RDI: 8880743eee60
RBP: 8880743eefa8 R08: 11100e87ddcc R09: ed100e87ddcd
R10: ed100e87ddcc R11: 0003 R12: dc00
R13: 8880743ef0b8 R14: 888074c11938 R15: 
FS:  7f7ceb928700() GS:8880ae70() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2000 CR3: a089b000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400



general protection fault in nf_ct_gre_keymap_flush

2019-01-22 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:5b22549b8c00 Add linux-next specific files for 20190122
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11e6d908c0
kernel config:  https://syzkaller.appspot.com/x/.config?x=9d3270828ee2eb2f
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee88b2d87f0539dfe9
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fcee88b2d87f0539d...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
CPU: 1 PID: 25155 Comm: syz-executor3 Not tainted 5.0.0-rc3-next-20190122 #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nf_ct_gre_keymap_flush+0xb9/0x2f0 net/netfilter/nf_conntrack_proto_gre.c:65
Code: 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 0f 85 2b 02 00 00 4c 8b bb f8 16 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fc 01 00 00 4c 3b bd 68 ff ff ff 4d 8b 27 0f 84
RSP: 0018:88804b687698 EFLAGS: 00010246
RAX: dc00 RBX: 88804a121840 RCX: 
RDX: 1146dfc2 RSI: 0004 RDI: 88804b687600
RBP: 88804b687748 R08: 1110096d0ec0 R09: ed10096d0ec1
R10: ed10096d0ec0 R11: 0003 R12: dc00
R13: 88804b687858 R14: 88804a122f38 R15: 
FS:  7f1b18c8e700() GS:8880ae70() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0070a158 CR3: a5f04000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 nf_conntrack_proto_pernet_fini+0x16/0x1a net/netfilter/nf_conntrack_proto.c:617
 nf_conntrack_cleanup_net_list+0x204/0x330 net/netfilter/nf_conntrack_core.c:2183
 nf_conntrack_cleanup_net+0x1c5/0x270 net/netfilter/nf_conntrack_core.c:2156
 nf_conntrack_pernet_init net/netfilter/nf_conntrack_standalone.c:1122 [inline]
 nf_conntrack_pernet_init+0xc3f/0xf00 net/netfilter/nf_conntrack_standalone.c:1091
 ops_init+0x109/0x5d0 net/core/net_namespace.c:129
 setup_net+0x38f/0x940 net/core/net_namespace.c:314
 copy_net_ns+0x2ae/0x4b0 net/core/net_namespace.c:437
 create_new_namespaces+0x4ce/0x930 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x6d7/0xfb0 kernel/fork.c:2550
 __do_sys_unshare kernel/fork.c:2618 [inline]
 __se_sys_unshare kernel/fork.c:2616 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458099
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f1b18c8dc78 EFLAGS: 0246 ORIG_RAX: 0110
RAX: ffda RBX: 0001 RCX: 00458099
RDX:  RSI:  RDI: 4000
RBP: 0073bf00 R08:  R09: 
R10:  R11: 0246 R12: 7f1b18c8e6d4
R13: 004c6d60 R14: 004dc280 R15: 
Modules linked in:
---[ end trace 7a1b76d6af3e ]---
RIP: 0010:nf_ct_gre_keymap_flush+0xb9/0x2f0 net/netfilter/nf_conntrack_proto_gre.c:65
Code: 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 0f 85 2b 02 00 00 4c 8b bb f8 16 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fc 01 00 00 4c 3b bd 68 ff ff ff 4d 8b 27 0f 84
RSP: 0018:88804b687698 EFLAGS: 00010246
RAX: dc00 RBX: 88804a121840 RCX: 
RDX: 1146dfc2 RSI: 0004 RDI: 88804b687600
RBP: 88804b687748 R08: 1110096d0ec0 R09: ed10096d0ec1
R10: ed10096d0ec0 R11: 0003 R12: dc00
R13: 88804b687858 R14: 88804a122f38 R15: 
FS:  7f1b18c8e700() GS:8880ae70() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0070a158 CR3: a5f04000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.


INFO: rcu detected stall in gc_worker

2019-01-22 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:133bbb18ab1a virtio-net: per-queue RPS config
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16c98130c0
kernel config:  https://syzkaller.appspot.com/x/.config?x=8a4dffabfb4e36f9
dashboard link: https://syzkaller.appspot.com/bug?extid=655174276c47216abab5
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+655174276c47216ab...@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 	1-: (10500 ticks this GP) idle=2fa/1/0x4002 softirq=16980/16980 fqs=5250
rcu: (t=10502 jiffies g=18501 q=1048)
NMI backtrace for cpu 1
CPU: 1 PID: 2980 Comm: kworker/1:2 Not tainted 5.0.0-rc2+ #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_power_efficient gc_worker
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold+0x63/0xa4 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x1be/0x236 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
 rcu_dump_cpu_stacks+0x183/0x1cf kernel/rcu/tree.c:1211
 print_cpu_stall.cold+0x227/0x40c kernel/rcu/tree.c:1348
 check_cpu_stall kernel/rcu/tree.c:1422 [inline]
 rcu_pending kernel/rcu/tree.c:3018 [inline]
 rcu_check_callbacks+0xb32/0x1380 kernel/rcu/tree.c:2521
 update_process_times+0x32/0x80 kernel/time/timer.c:1635
 tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:161
 tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x3a7/0x1050 kernel/time/hrtimer.c:1451
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x18d/0x760 arch/x86/kernel/apic/apic.c:1060
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 
RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:666 [inline]
RIP: 0010:virt_spin_lock arch/x86/include/asm/qspinlock.h:84 [inline]
RIP: 0010:native_queued_spin_lock_slowpath+0x1b9/0x1290 kernel/locking/qspinlock.c:337
Code: 00 00 00 48 8b 45 d0 65 48 33 04 25 28 00 00 00 0f 85 68 0c 00 00 48 81 c4 a8 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 f3 90  33 ff ff ff 8b 83 c0 fe ff ff 3d 00 01 00 00 0f 84 e4 01 00 00
RSP: 0018:88809e65f328 EFLAGS: 0202 ORIG_RAX: ff13
RAX:  RBX: 88809e65f4d0 RCX: 0004
RDX: dc00 RSI: 0004 RDI: e8d719d8
RBP: 88809e65f4f8 R08: 1d1ae33b R09: f91ae33c
R10: f91ae33b R11: e8d719db R12: ed1013ccbe88
R13: e8d719d8 R14: 0003 R15: 02f4
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:653 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:50 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:90 [inline]
 do_raw_spin_lock+0x2af/0x360 kernel/locking/spinlock_debug.c:113
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x37/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 nf_ct_add_to_dying_list+0xdb/0x210 net/netfilter/nf_conntrack_core.c:447
 nf_ct_delete_from_lists+0x4a2/0x6a0 net/netfilter/nf_conntrack_core.c:585
 nf_ct_delete net/netfilter/nf_conntrack_core.c:612 [inline]
 nf_ct_delete+0x2a2/0x5e0 net/netfilter/nf_conntrack_core.c:590
 nf_ct_kill include/net/netfilter/nf_conntrack.h:221 [inline]
 nf_ct_gc_expired net/netfilter/nf_conntrack_core.c:654 [inline]
 nf_ct_gc_expired+0x394/0x490 net/netfilter/nf_conntrack_core.c:648
 gc_worker+0xcc9/0x1100 net/netfilter/nf_conntrack_core.c:1176
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 1-... } 10631 jiffies s: 1297 root: 0x2/.
rcu: blocking rcu_node structures:
Task dump for CPU 1:
kworker/1:2 R  running task22408  2980  2 0x8008
Workqueue: events_power_efficient gc_worker
Call Trace:
 context_switch kernel/sched/core.c:2834 [inline]
 __schedule+0x89f/0x1e60 kernel/sched/core.c:3472
 atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:72 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:87 [inline]
 do_raw_spin_lock+0x156/0x360 kernel/locking/spinlock_debug.c:113


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers c

INFO: rcu detected stall in tipc_disc_timeout

2019-01-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:80b3671e9377 ip6_gre: update version related info when cha..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=151e546b40
kernel config:  https://syzkaller.appspot.com/x/.config?x=8a4dffabfb4e36f9
dashboard link: https://syzkaller.appspot.com/bug?extid=9f5271e1f46f2954d29c
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9f5271e1f46f2954d...@syzkaller.appspotmail.com

Enabling of bearer  rejected, already enabled
Enabling of bearer  rejected, already enabled
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 	1-: (1 GPs behind) idle=776/1/0x4004 softirq=84430/84432 fqs=5221
rcu: (t=10500 jiffies g=117297 q=5397)
NMI backtrace for cpu 1
CPU: 1 PID: 7906 Comm: syz-fuzzer Not tainted 5.0.0-rc2+ #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold+0x63/0xa4 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x1be/0x236 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
 rcu_dump_cpu_stacks+0x183/0x1cf kernel/rcu/tree.c:1211
 print_cpu_stall.cold+0x227/0x40c kernel/rcu/tree.c:1348
 check_cpu_stall kernel/rcu/tree.c:1422 [inline]
 rcu_pending kernel/rcu/tree.c:3018 [inline]
 rcu_check_callbacks+0xb32/0x1380 kernel/rcu/tree.c:2521
 update_process_times+0x32/0x80 kernel/time/timer.c:1635
 tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:161
 tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x3a7/0x1050 kernel/time/hrtimer.c:1451
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x18d/0x760 arch/x86/kernel/apic/apic.c:1060
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
RIP: 0010:kasan_check_read+0x8/0x20 mm/kasan/common.c:100
Code: 73 58 89 c2 48 c7 c7 70 a5 3c 89 f7 da e8 04 77 a2 ff e9 c4 f5 ff ff 90 90 90 90 90 90 90 90 90 90 90 55 89 f6 31 d2 48 89 e5 <48> 8b 4d 08 e8 ff 23 00 00 5d c3 0f 1f 00 66 2e 0f 1f 84 00 00 00
RSP: :8880ae706c30 EFLAGS: 0246 ORIG_RAX: ff13
RAX:  RBX: 8880ae706de8 RCX: 0004
RDX:  RSI: 0004 RDI: e8d6d738
RBP: 8880ae706c30 R08: 1d1adae7 R09: f91adae8
R10: f91adae7 R11: e8d6d73b R12: ed1015ce0dab
R13: e8d6d738 R14: 0003 R15: 00fc
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 virt_spin_lock arch/x86/include/asm/qspinlock.h:83 [inline]
 native_queued_spin_lock_slowpath+0xfe/0x1290 kernel/locking/qspinlock.c:337
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:653 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:50 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:90 [inline]
 do_raw_spin_lock+0x2af/0x360 kernel/locking/spinlock_debug.c:113
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x37/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 nf_ct_add_to_unconfirmed_list net/netfilter/nf_conntrack_core.c:462 [inline]
 init_conntrack.isra.0+0xa5c/0x1380 net/netfilter/nf_conntrack_core.c:1421
 resolve_normal_ct net/netfilter/nf_conntrack_core.c:1463 [inline]
 nf_conntrack_in+0xb95/0x1250 net/netfilter/nf_conntrack_core.c:1569
 ipv4_conntrack_local+0x169/0x210 net/netfilter/nf_conntrack_proto.c:444
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 __ip_local_out+0x542/0xa90 net/ipv4/ip_output.c:113
 ip_local_out+0x2d/0x1b0 net/ipv4/ip_output.c:122
 iptunnel_xmit+0x58e/0x980 net/ipv4/ip_tunnel_core.c:91
 udp_tunnel_xmit_skb+0x236/0x310 net/ipv4/udp_tunnel.c:200
 tipc_udp_xmit.isra.0+0xa9c/0xe40 net/tipc/udp_media.c:181
 tipc_udp_send_msg+0x5b2/0x6e0 net/tipc/udp_media.c:235
 tipc_bearer_xmit_skb+0x172/0x360 net/tipc/bearer.c:503
 tipc_disc_timeout+0xb43/0x1070 net/tipc/discover.c:332
 call_timer_fn+0x254/0x900 kernel/time/timer.c:1325
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers+0x6fc/0xd50 kernel/time/timer.c:1681
 run_timer_softirq+0x52/0xb0 kernel/time/timer.c:1694
 __do_softirq+0x30b/0xb11 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x180/0x1d0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1b7/0x760 arch/x86/

WARNING in cttimeout_default_get

2018-11-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:da5322e65940 Merge tag 'selinux-pr-20181115' of git://git...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d719eb40
kernel config:  https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
dashboard link: https://syzkaller.appspot.com/bug?extid=2fae8fa157dd92618cae
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=129e089340
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=125f66a340

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2fae8fa157dd92618...@syzkaller.appspotmail.com

audit: type=1800 audit(1542315810.422:30): pid=5877 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

netlink: 'syz-executor298': attribute type 3 has an invalid length.
netlink: 'syz-executor298': attribute type 2 has an invalid length.
WARNING: CPU: 0 PID: 6032 at net/netfilter/nfnetlink_cttimeout.c:478 cttimeout_default_get+0x1df/0xb30 net/netfilter/nfnetlink_cttimeout.c:478

Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 6032 Comm: syz-executor298 Not tainted 4.20.0-rc2+ #336
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 panic+0x2ad/0x55c kernel/panic.c:188
 __warn.cold.8+0x20/0x45 kernel/panic.c:540
 report_bug+0x254/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
RIP: 0010:cttimeout_default_get+0x1df/0xb30 net/netfilter/nfnetlink_cttimeout.c:478
 nfnetlink_rcv_msg+0xdd3/0x10c0 net/netfilter/nfnetlink.c:228
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477
 nfnetlink_rcv+0x1c0/0x4d0 net/netfilter/nfnetlink.c:560
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x5a5/0x760 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2116
 __sys_sendmsg+0x11d/0x280 net/socket.c:2154
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg net/socket.c:2161 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2161
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4400d9
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


general protection fault in ctnetlink_alloc_filter

2018-09-20 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:3eb5358079d3 Add linux-next specific files for 20180918
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=171ce6f140
kernel config:  https://syzkaller.appspot.com/x/.config?x=786006c5dafbadf6
dashboard link: https://syzkaller.appspot.com/bug?extid=e45eda8eda6e93a03959
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=114f76fa40
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=102ed6c640

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e45eda8eda6e93a03...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5551 Comm: syz-executor610 Not tainted 4.19.0-rc4-next-20180918+ #74
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:nla_get_be32 include/net/netlink.h:1082 [inline]
RIP: 0010:ctnetlink_alloc_filter+0xb9/0x200 net/netfilter/nf_conntrack_netlink.c:843
Call Trace:
 ctnetlink_start+0x10b/0x1b0 net/netfilter/nf_conntrack_netlink.c:857
 __netlink_dump_start+0x43e/0x6f0 net/netlink/af_netlink.c:2312
 netlink_dump_start include/linux/netlink.h:213 [inline]
 ctnetlink_get_conntrack+0x777/0x9f0 net/netfilter/nf_conntrack_netlink.c:1320
 nfnetlink_rcv_msg+0xdd3/0x10c0 net/netfilter/nfnetlink.c:228
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2447
 nfnetlink_rcv+0x1c0/0x4d0 net/netfilter/nfnetlink.c:560
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x5a5/0x760 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:632
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2117
 __sys_sendmsg+0x11d/0x280 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4400d9
Modules linked in:
---[ end trace 37c3db5bd5270e98 ]---

KMSAN: uninit-value in strlcpy (2)

2018-09-14 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:9822946c7fee kmsan: update .config.example to v4.17-rc5
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=169a519780
kernel config:  https://syzkaller.appspot.com/x/.config?x=9fa436d3ae606638
dashboard link: https://syzkaller.appspot.com/bug?extid=c86cf7903306a6c201ba
compiler:   clang version 7.0.0 (trunk 329391)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=15d1b87b80
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1123541780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c86cf7903306a6c20...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KMSAN: uninit-value in strlen lib/string.c:482 [inline]
BUG: KMSAN: uninit-value in strlcpy+0x68/0x1c0 lib/string.c:142
CPU: 0 PID: 4506 Comm: syz-executor160 Not tainted 4.17.0-rc5+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 strlen lib/string.c:482 [inline]
 strlcpy+0x68/0x1c0 lib/string.c:142
 do_ip_vs_set_ctl+0x3f1/0x2760 net/netfilter/ipvs/ip_vs_ctl.c:2384
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2416
 ipv6_setsockopt+0x30c/0x340 net/ipv6/ipv6_sockglue.c:917
 tcp_setsockopt+0x1bb/0x1f0 net/ipv4/tcp.c:2891
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:3039
 __sys_setsockopt+0x4af/0x560 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
 do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fce9

Local variable description: arg@do_ip_vs_set_ctl
Variable was created at:
 read_pnet include/net/net_namespace.h:288 [inline]
 sock_net include/net/sock.h:2306 [inline]
 do_ip_vs_set_ctl+0x93/0x2760 net/netfilter/ipvs/ip_vs_ctl.c:2347
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
==




KMSAN: uninit-value in do_ip_vs_set_ctl

2018-09-14 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:06b2df0593a8 kmsan: unpoison only the created pages in get..
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=11a6ae3780
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ca1e57bafa8ab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=23b5f9e7caf61d9a3898
compiler:   clang version 7.0.0 (trunk 329391)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1400841780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11deb01780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+23b5f9e7caf61d9a3...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KMSAN: uninit-value in do_ip_vs_set_ctl+0x15ac/0x2760 net/netfilter/ipvs/ip_vs_ctl.c:2424
CPU: 1 PID: 4464 Comm: syz-executor844 Not tainted 4.17.0-rc3+ #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 do_ip_vs_set_ctl+0x15ac/0x2760 net/netfilter/ipvs/ip_vs_ctl.c:2424
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1253
 raw_setsockopt+0x2e5/0x350 net/ipv4/raw.c:868
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:3039
 __sys_setsockopt+0x4af/0x560 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
 do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fca9

Local variable description: arg@do_ip_vs_set_ctl
Variable was created at:
 read_pnet include/net/net_namespace.h:288 [inline]
 sock_net include/net/sock.h:2306 [inline]
 do_ip_vs_set_ctl+0x93/0x2760 net/netfilter/ipvs/ip_vs_ctl.c:2347
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
==




KMSAN: uninit-value in iptable_mangle_hook (3)

2018-07-27 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:d1c2a46a46f6 kmsan: update LLVM/Clang patches to r337583.
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=16a2732c40
kernel config:  https://syzkaller.appspot.com/x/.config?x=31cf75cbffdedb44
dashboard link: https://syzkaller.appspot.com/bug?extid=60f2e2b690c5cf94e35d
compiler:   clang version 7.0.0 (trunk 334104)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+60f2e2b690c5cf94e...@syzkaller.appspotmail.com

==
BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:64 [inline]
BUG: KMSAN: uninit-value in iptable_mangle_hook+0x622/0x720 net/ipv4/netfilter/iptable_mangle.c:84
CPU: 0 PID: 15708 Comm: syz-executor0 Not tainted 4.18.0-rc5+ #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1e0 lib/dump_stack.c:113
 kmsan_report+0x195/0x2c0 mm/kmsan/kmsan.c:982
 __msan_warning+0x7d/0xe0 mm/kmsan/kmsan_instr.c:645
 ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:64 [inline]
 iptable_mangle_hook+0x622/0x720 net/ipv4/netfilter/iptable_mangle.c:84
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0x15d/0x3e0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:242 [inline]
 __ip_local_out+0x705/0x830 net/ipv4/ip_output.c:113
 ip_local_out+0xa4/0x1d0 net/ipv4/ip_output.c:122
 iptunnel_xmit+0x854/0xdb0 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0x373a/0x3b10 net/ipv4/ip_tunnel.c:778
 __gre_xmit net/ipv4/ip_gre.c:449 [inline]
 ipgre_xmit+0xe16/0xef0 net/ipv4/ip_gre.c:701
 __netdev_start_xmit include/linux/netdevice.h:4148 [inline]
 netdev_start_xmit include/linux/netdevice.h:4157 [inline]
 xmit_one net/core/dev.c:3034 [inline]
 dev_hard_start_xmit+0x60f/0xcc0 net/core/dev.c:3050
 __dev_queue_xmit+0x3060/0x3c70 net/core/dev.c:3569
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3602
 packet_snd net/packet/af_packet.c:2919 [inline]
 packet_sendmsg+0x8469/0x9010 net/packet/af_packet.c:2944
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg net/socket.c:651 [inline]
 ___sys_sendmsg+0xed9/0x1350 net/socket.c:2125
 __sys_sendmsg net/socket.c:2163 [inline]
 __do_sys_sendmsg net/socket.c:2172 [inline]
 __se_sys_sendmsg net/socket.c:2170 [inline]
 __x64_sys_sendmsg+0x3b0/0x520 net/socket.c:2170
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x455ab9

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:271 [inline]
 kmsan_internal_chain_origin+0x13c/0x240 mm/kmsan/kmsan.c:573
 __msan_chain_origin+0x76/0xd0 mm/kmsan/kmsan_instr.c:483
 iptunnel_xmit+0xa48/0xdb0 net/ipv4/ip_tunnel_core.c:85
 ip_tunnel_xmit+0x373a/0x3b10 net/ipv4/ip_tunnel.c:778
 __gre_xmit net/ipv4/ip_gre.c:449 [inline]
 ipgre_xmit+0xe16/0xef0 net/ipv4/ip_gre.c:701
 __netdev_start_xmit include/linux/netdevice.h:4148 [inline]
 netdev_start_xmit include/linux/netdevice.h:4157 [inline]
 xmit_one net/core/dev.c:3034 [inline]
 dev_hard_start_xmit+0x60f/0xcc0 net/core/dev.c:3050
 __dev_queue_xmit+0x3060/0x3c70 net/core/dev.c:3569
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3602
 packet_snd net/packet/af_packet.c:2919 [inline]
 packet_sendmsg+0x8469/0x9010 net/packet/af_packet.c:2944
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg net/socket.c:651 [inline]
 ___sys_sendmsg+0xed9/0x1350 net/socket.c:2125
 __sys_sendmsg net/socket.c:2163 [inline]
 __do_sys_sendmsg net/socket.c:2172 [inline]
 __se_sys_sendmsg net/socket.c:2170 [inline]
 __x64_sys_sendmsg+0x3b0/0x520 net/socket.c:2170
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
 kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:181
 kmsan_kmalloc+0xa1/0x120 mm/kmsan/kmsan_hooks.c:91
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2720 [inline]
 __kmalloc_node_track_c

KMSAN: uninit-value in __nf_conntrack_find_get

2018-07-17 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:b64f7ec04e12 kmsan: implement kmsan_memmove_shadow() and k..
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=109869d040
kernel config:  https://syzkaller.appspot.com/x/.config?x=93d57043084eee38
dashboard link: https://syzkaller.appspot.com/bug?extid=6f18401420df260e37ed
compiler:   clang version 7.0.0 (trunk 334104)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=174cce7840
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16b0b56240

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6f18401420df260e3...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
==
BUG: KMSAN: uninit-value in nf_conntrack_find net/netfilter/nf_conntrack_core.c:539 [inline]
BUG: KMSAN: uninit-value in __nf_conntrack_find_get+0xc15/0x2190 net/netfilter/nf_conntrack_core.c:573
CPU: 0 PID: 4610 Comm: syz-executor884 Not tainted 4.18.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1e0 lib/dump_stack.c:113
 kmsan_report+0x195/0x2c0 mm/kmsan/kmsan.c:1092
 __msan_warning_32+0x7d/0xe0 mm/kmsan/kmsan_instr.c:640
 nf_conntrack_find net/netfilter/nf_conntrack_core.c:539 [inline]
 __nf_conntrack_find_get+0xc15/0x2190 net/netfilter/nf_conntrack_core.c:573
 resolve_normal_ct net/netfilter/nf_conntrack_core.c:1331 [inline]
 nf_conntrack_in+0x1674/0x2070 net/netfilter/nf_conntrack_core.c:1416
 ipv6_conntrack_local+0xc3/0xf0 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c:179
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0x15d/0x3e0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:242 [inline]
 __ip6_local_out+0x64c/0x770 net/ipv6/output_core.c:164
 ip6_local_out+0xa4/0x1d0 net/ipv6/output_core.c:174
 ip6_send_skb net/ipv6/ip6_output.c:1696 [inline]
 ip6_push_pending_frames+0x218/0x4d0 net/ipv6/ip6_output.c:1716
 rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
 rawv6_sendmsg+0x45f0/0x5410 net/ipv6/raw.c:935
 inet_sendmsg+0x3fc/0x760 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg net/socket.c:651 [inline]
 __sys_sendto+0x798/0x8e0 net/socket.c:1797
 __do_sys_sendto net/socket.c:1809 [inline]
 __se_sys_sendto net/socket.c:1805 [inline]
 __x64_sys_sendto+0x1a1/0x210 net/socket.c:1805
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4459c9

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:271 [inline]
 kmsan_internal_chain_origin+0x13c/0x240 mm/kmsan/kmsan.c:683
 __msan_chain_origin+0x76/0xd0 mm/kmsan/kmsan_instr.c:483
 __nf_conntrack_confirm+0x2700/0x3f70 net/netfilter/nf_conntrack_core.c:793
 nf_conntrack_confirm include/net/netfilter/nf_conntrack_core.h:71 [inline]
 ipv6_confirm+0x573/0x740 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c:165
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0x15d/0x3e0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:242 [inline]
 NF_HOOK_COND include/linux/netfilter.h:275 [inline]
 ip6_output+0x37d/0x710 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0x164/0x1d0 net/ipv6/output_core.c:176
 ip6_send_skb net/ipv6/ip6_output.c:1696 [inline]
 ip6_push_pending_frames+0x218/0x4d0 net/ipv6/ip6_output.c:1716
 rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
 rawv6_sendmsg+0x45f0/0x5410 net/ipv6/raw.c:935
 inet_sendmsg+0x3fc/0x760 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:641 [inline]
 sock_sendmsg net/socket.c:651 [inline]
 __sys_sendto+0x798/0x8e0 net/socket.c:1797
 __do_sys_sendto net/socket.c:1809 [inline]
 __se_sys_sendto net/socket.c:1805 [inline]
 __x64_sys_sendto+0x1a1/0x210 net/socket.c:1805
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
 kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:181
 kmsan_kmalloc+0xa1/0x120 mm

KASAN: stack-out-of-bounds Read in vmalloc_fault

2018-07-06 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:6fcf9b1d4d6c r8169: fix runtime suspend
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=174529b240
kernel config:  https://syzkaller.appspot.com/x/.config?x=d264f2b04177ca7c
dashboard link: https://syzkaller.appspot.com/bug?extid=7b269953d076326d7de0
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1397e2c240
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=120e462c40

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7b269953d076326d7...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
==
BUG: KASAN: stack-out-of-bounds in pgd_val arch/x86/include/asm/paravirt.h:412 [inline]
BUG: KASAN: stack-out-of-bounds in p4d_pfn arch/x86/include/asm/pgtable.h:205 [inline]
BUG: KASAN: stack-out-of-bounds in vmalloc_fault+0x743/0x760 arch/x86/mm/fault.c:462

Read of size 8 at addr 8801a936f160 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.18.0-rc3+ #47
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 pgd_val arch/x86/include/asm/paravirt.h:412 [inline]
 p4d_pfn arch/x86/include/asm/pgtable.h:205 [inline]
 vmalloc_fault+0x743/0x760 arch/x86/mm/fault.c:462
 __do_page_fault+0x829/0xe50 arch/x86/mm/fault.c:1245
 do_page_fault+0xf6/0x8c0 arch/x86/mm/fault.c:1471
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1160
RIP: 0010:ebt_do_table+0x1a7/0x2170 net/bridge/netfilter/ebtables.c:208
 ebt_broute+0x200/0x340 net/bridge/netfilter/ebtable_broute.c:60
 br_handle_frame+0x6d1/0x1a20 net/bridge/br_input.c:292
 __netif_receive_skb_core.constprop.140+0x142d/0x3620 net/core/dev.c:4697
 __netif_receive_skb_one_core+0xd0/0x200 net/core/dev.c:4766
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4873
 process_backlog+0x219/0x760 net/core/dev.c:5676
 napi_poll net/core/dev.c:6088 [inline]
 net_rx_action+0x7a5/0x1950 net/core/dev.c:6154
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:288
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:649
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the page:
page:ea0006a4dbc0 count:1 mapcount:0 mapping: index:0x0
flags: 0x2fffc00()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801a936f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8801a936f080: 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00
>8801a936f100: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8
                                                   ^
 8801a936f180: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
 8801a936f200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: BUG: unable to handle kernel (3)

2018-07-03 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:4ca559bbdeaf kmsan: fix assertions in IRQ entry/exit hooks.
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=13dafb2040
kernel config:  https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
dashboard link: https://syzkaller.appspot.com/bug?extid=adfeaaee641dd4fdac43
compiler:   clang version 7.0.0 (trunk 334104)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1549738440
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=123a42a440

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+adfeaaee641dd4fda...@syzkaller.appspotmail.com

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 4528 Comm: syz-executor237 Not tainted 4.17.0+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x87b/0xab0 lib/fault-inject.c:149
 __should_failslab+0x278/0x2a0 mm/failslab.c:32
 should_failslab+0x29/0x70 mm/slab_common.c:1522
 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc_node mm/slub.c:2679 [inline]
 __kmalloc_node+0x22f/0x1200 mm/slub.c:3859
 kmalloc_node include/linux/slab.h:554 [inline]
 alloc_vmap_area+0x1e6/0x15a0 mm/vmalloc.c:420
 __get_vm_area_node+0x3a6/0x810 mm/vmalloc.c:1410
 get_vm_area_caller+0xdb/0xf0 mm/vmalloc.c:1456
 kmsan_vmap+0x79/0x1e0 mm/kmsan/kmsan.c:875
 vmap+0x3b2/0x4b0 mm/vmalloc.c:1661
 big_key_alloc_buffer+0x638/0xa30 security/keys/big_key.c:188
 big_key_preparse+0x20a/0xed0 security/keys/big_key.c:228
 key_create_or_update+0x7a6/0x1a80 security/keys/key.c:849
 __do_sys_add_key security/keys/keyctl.c:122 [inline]
 __se_sys_add_key+0x741/0x980 security/keys/keyctl.c:62
 __x64_sys_add_key+0x15d/0x1b0 security/keys/keyctl.c:62
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445dc9

BUG: unable to handle kernel NULL pointer dereference at 0008
PGD 80019f3d5067 P4D 80019f3d5067
PUD 19ce9d067
PMD 0
Oops:  [#1] SMP PTI
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4533 Comm: syz-executor237 Not tainted 4.17.0+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:map_vm_area+0x69/0x1f0 mm/vmalloc.c:1353
Call Trace:
 kmsan_vmap+0x137/0x1e0 mm/kmsan/kmsan.c:888
 vmap+0x3b2/0x4b0 mm/vmalloc.c:1661
 big_key_alloc_buffer+0x638/0xa30 security/keys/big_key.c:188
 big_key_preparse+0x20a/0xed0 security/keys/big_key.c:228
 key_create_or_update+0x7a6/0x1a80 security/keys/key.c:849
 __do_sys_add_key security/keys/keyctl.c:122 [inline]
 __se_sys_add_key+0x741/0x980 security/keys/keyctl.c:62
 __x64_sys_add_key+0x15d/0x1b0 security/keys/keyctl.c:62
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445dc9

Re: KMSAN: uninit-value in ip_vs_lblc_check_expire

2018-06-21 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:123906095e30 kmsan: introduce kmsan_interrupt_enter()/kmsa..
git tree:   https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=134ad89040
kernel config:  https://syzkaller.appspot.com/x/.config?x=848e40757852af3e
dashboard link: https://syzkaller.appspot.com/bug?extid=3e9695f147fb529aa9bc
compiler:   clang version 7.0.0 (trunk 334104)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1150521840
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1168a49040

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3e9695f147fb529aa...@syzkaller.appspotmail.com

==
BUG: KMSAN: uninit-value in ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.17.0+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
 __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
 ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315
 call_timer_fn+0x280/0x5d0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xd96/0x11b0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x592/0x979 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:525
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:866
 
RIP: 0010:native_safe_halt arch/x86/include/asm/irqflags.h:55 [inline]
RIP: 0010:arch_safe_halt arch/x86/include/asm/irqflags.h:97 [inline]
RIP: 0010:default_idle+0x20b/0x3e0 arch/x86/kernel/process.c:500
RSP: 0018:8801d8e5fdf0 EFLAGS: 0246 ORIG_RAX: ff13
RAX: 8801fd432f18 RBX:  RCX: 8800
RDX: 8801fd032f18 RSI: b000 RDI: ea00
RBP: 8801d8e5fe28 R08: 01080020 R09: 0002
R10: 0030de3d75c0 R11: 89fef830 R12: 8801d8e5fe8f
R13: 8801d8da57c0 R14: 8801d8e5fe8c R15: 8801d8da6098
 arch_cpu_idle+0x26/0x30 arch/x86/kernel/process.c:491
 default_idle_call kernel/sched/idle.c:93 [inline]
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x36d/0x830 kernel/sched/idle.c:262
 cpu_startup_entry+0x45/0x50 kernel/sched/idle.c:368
 start_secondary+0x3c6/0x490 arch/x86/kernel/smpboot.c:272
 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:282 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:819
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:889
 __alloc_pages_nodemask+0xf7b/0x5cc0 mm/page_alloc.c:4402
 alloc_pages_current+0x6b1/0x970 mm/mempolicy.c:2093
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1148 [inline]
 kmalloc_order_trace+0xbb/0x390 mm/slab_common.c:1159
 kmalloc_large include/linux/slab.h:446 [inline]
 __kmalloc+0x335/0x350 mm/slub.c:3805
 kmalloc include/linux/slab.h:517 [inline]
 ip_vs_lblc_init_svc+0x57/0x310 net/netfilter/ipvs/ip_vs_lblc.c:355
 ip_vs_bind_scheduler+0xa9/0x1f0 net/netfilter/ipvs/ip_vs_sched.c:51
 ip_vs_add_service+0xa9d/0x1d90 net/netfilter/ipvs/ip_vs_ctl.c:1265
 do_ip_vs_set_ctl+0x2aa9/0x2cd0 net/netfilter/ipvs/ip_vs_ctl.c:2462
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x47c/0x4e0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1251
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2416
 ipv6_setsockopt+0x311/0x350 net/ipv6/ipv6_sockglue.c:917
 tcp_setsockopt+0x1c0/0x1f0 net/ipv4/tcp.c:2891
 sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3039
 __sys_setsockopt+0x496/0x540 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
==

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


BUG: unable to handle kernel (3)

2018-05-28 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:861d9dd37526 Merge tag 'kbuild-fixes-v4.17-2' of git://git..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bffd0f80
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=adfeaaee641dd4fdac43
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1156a92f80

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+adfeaaee641dd4fda...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
BUG: unable to handle kernel
IPVS: ftp: loaded support on port[0] = 21
paging request at c90001f30003
PGD 1da946067 P4D 1da946067 PUD 1da947067 PMD 1afa9e067 PTE 8001b7d3e163
Oops:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 8 Comm: ksoftirqd/0 Not tainted 4.17.0-rc6+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:ebt_do_table+0x1983/0x2140 net/bridge/netfilter/ebtables.c:283
RSP: 0018:8801d9aaeb68 EFLAGS: 00010246
RAX: c90001f30003 RBX: c90001f30003 RCX: c90001f24000
RDX:  RSI: 86a8513c RDI: 
RBP: 8801d9aaed38 R08: 8801d9a9c200 R09: ed003b5c46d2
R10: ed003b5c46d2 R11: 8801dae23693 R12: c90001f24000
R13: c90001f201a0 R14: c90001f200d0 R15: dc00
FS:  () GS:8801dae0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: c90001f30003 CR3: 0001ad782000 CR4: 001406f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 ebt_broute+0x1f8/0x320 net/bridge/netfilter/ebtable_broute.c:60
 br_handle_frame+0x6b6/0x19f0 net/bridge/br_input.c:291
 __netif_receive_skb_core+0xc6e/0x3630 net/core/dev.c:4546
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
 process_backlog+0x219/0x760 net/core/dev.c:5337
 napi_poll net/core/dev.c:5735 [inline]
 net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:646
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Code: 6c 24 08 48 89 d8 48 89 9d d0 fe ff ff 48 c1 e8 03 42 0f b6 04 38 84 c0 74 08 3c 03 0f 8e 3b 06 00 00 48 8b 85 d0 fe ff ff 31 ff <8b> 18 89 de e8 54 f1 d0 fa 85 db 0f 85 a0 02 00 00 e8 37 f0 d0
RIP: ebt_do_table+0x1983/0x2140 net/bridge/netfilter/ebtables.c:283 RSP: 8801d9aaeb68

CR2: c90001f30003
---[ end trace d121cd1897af50a4 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


kernel BUG at lib/string.c:LINE! (4)

2018-05-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:0b7d9978406f Merge branch 'Microsemi-Ocelot-Ethernet-switc..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16e9101780
kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=aac887f77319868646df
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1665d63780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1051710780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aac887f7731986864...@syzkaller.appspotmail.com

IPVS: Unknown mcast interface: veth1_to�a
IPVS: Unknown mcast interface: veth1_to�a
IPVS: Unknown mcast interface: veth1_to�a
detected buffer overflow in strlen
[ cut here ]
kernel BUG at lib/string.c:1052!
invalid opcode:  [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
RSP: 0018:8801c976f800 EFLAGS: 00010282
RAX: 0022 RBX: 0040 RCX: 
RDX: 0022 RSI: 8160f6f1 RDI: ed00392edef6
RBP: 8801c976f800 R08: 8801cf4c62c0 R09: ed003b5e4fb0
R10: ed003b5e4fb0 R11: 8801daf27d87 R12: 8801c976fa20
R13: 8801c976fae4 R14: 8801c976fae0 R15: 048b
FS:  7fd99f75e700() GS:8801daf0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 21c0 CR3: 0001d6843000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 strlen include/linux/string.h:270 [inline]
 strlcpy include/linux/string.h:293 [inline]
 do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
 tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 __do_sys_setsockopt net/socket.c:1914 [inline]
 __se_sys_setsockopt net/socket.c:1911 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447369
RSP: 002b:7fd99f75dda8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006e39e4 RCX: 00447369
RDX: 048b RSI:  RDI: 0003
RBP:  R08: 0018 R09: 
R10: 21c0 R11: 0246 R12: 006e39e0
R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0001
Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56

RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: 8801c976f800
---[ end trace 624046f2d9af7702 ]---




KASAN: stack-out-of-bounds Write in compat_copy_entries

2018-04-24 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
24cac7009cb1b211f1c793ecb6a462c03dc35818 (Tue Apr 24 21:16:40 2018 +)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=4e42a04e0bc33cb6c087


So far this crash happened 3 times on upstream.
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4827027970457600
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6212733133389824
Kernel config: https://syzkaller.appspot.com/x/.config?id=7043958930931867332

compiler: gcc (GCC) 8.0.1 20180413 (experimental)
user-space arch: i386

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4e42a04e0bc33cb6c...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
IPVS: ftp: loaded support on port[0] = 21
==
BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
BUG: KASAN: stack-out-of-bounds in ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
BUG: KASAN: stack-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194

Write of size 33 at addr 8801b0abf888 by task syz-executor0/4504

CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 strlcpy include/linux/string.h:300 [inline]
 compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
 ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
 size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
 compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
 compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
 compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
 compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
 compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
 compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
 inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
 compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
 compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
 __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
 __do_compat_sys_setsockopt net/compat.c:416 [inline]
 __se_compat_sys_setsockopt net/compat.c:413 [inline]
 __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
 do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
 do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fb3cb9
RSP: 002b:fff0c26c EFLAGS: 0282 ORIG_RAX: 016e
RAX: ffda RBX: 0003 RCX: 
RDX: 0080 RSI: 2300 RDI: 05f4
RBP:  R08:  R09: 
R10:  R11:  R12: 
R13:  R14:  R15: 

The buggy address belongs to the page:
page:ea0006c2afc0 count:0 mapcount:0 mapping: index:0x0
flags: 0x2fffc00()
raw: 02fffc00   
raw:  ea0006c20101  
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8801b0abf780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8801b0abf800: 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f2 f2 f2

8801b0abf880: f2 00 00 00 07 f3 f3 f3 f3 00 00 00 00 00 00 00

   ^
 8801b0abf900: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
 8801b0abf980: 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
==


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep

KMSAN: uninit-value in ip_vs_lblcr_check_expire

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit

d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3dfdea57819073a04f21


So far this crash happened 2 times on https://github.com/google/kmsan.git/master.

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6285034612850688

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3dfdea57819073a04...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

RDX:  RSI: 2080 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0014
R13: 04f3 R14: 006fa768 R15: 
==
BUG: KMSAN: uninit-value in ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479

CPU: 0 PID: 13883 Comm: syz-executor4 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
 
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:dump_stack+0x1af/0x1d0 lib/dump_stack.c:58
RSP: 0018:880156a2ef00 EFLAGS: 0286 ORIG_RAX: ff12
RAX: 8801fddc2590 RBX: 88014f62c418 RCX: 8800
RDX: 8801fd9c2590 RSI: b000 RDI: ea00
RBP: 880156a2ef48 R08: 0108 R09: 0002
R10:  R11:  R12: cf000109
R13: 0286 R14:  R15: 
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x87b/0xab0 lib/fault-inject.c:149
 should_failslab+0x279/0x2a0 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc_node mm/slub.c:2663 [inline]
 slab_alloc mm/slub.c:2745 [inline]
 kmem_cache_alloc+0x136/0xb90 mm/slub.c:2750
 dst_alloc+0x295/0x860 net/core/dst.c:104
 __ip6_dst_alloc net/ipv6/route.c:361 [inline]
 ip6_rt_cache_alloc+0x445/0xd00 net/ipv6/route.c:1061
 ip6_pol_route+0x3f19/0x5da0 net/ipv6/route.c:1751
 ip6_pol_route_output+0xe6/0x110 net/ipv6/route.c:1892
 fib6_rule_lookup+0x494/0x720 net/ipv6/fib6_rules.c:87
 ip6_route_output_flags+0x4fa/0x590 net/ipv6/route.c:1920
 ip6_dst_lookup_tail+0x2fe/0x1a60 net/ipv6/ip6_output.c:992
 ip6_dst_lookup_flow+0xfc/0x270 net/ipv6/ip6_output.c:1093
 rawv6_sendmsg+0x1b05/0x4fb0 net/ipv6/raw.c:908
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:7fa5b1000c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7fa5b10016d4 RCX: 00455389
RDX:  RSI: 2080 RDI: 0013
RBP: 0072bea0 R08:  R09: 
R10:  R11: 0246 R12: 0014
R13: 04f3 R14: 006fa768 R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c

KMSAN: uninit-value in ip_vs_lblc_check_expire

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit

d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3e9695f147fb529aa9bc


So far this crash happened 3 times on https://github.com/google/kmsan.git/master.

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5822255644803072

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3e9695f147fb529aa...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

kernel msg: ebtables bug: please report to author: bad policy
==
BUG: KMSAN: uninit-value in ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315

CPU: 0 PID: 11383 Comm: syz-executor3 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
 
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:vprintk_emit+0xcb2/0xff0 kernel/printk/printk.c:1899
RSP: 0018:8801c2a1f0d8 EFLAGS: 0296 ORIG_RAX: ff12
RAX: 0296 RBX: 8801574c4418 RCX: 0004
RDX: c900033a6000 RSI: 01bf RDI: 01c0
RBP: 8801c2a1f1f8 R08: 00219bfd8445 R09: 8801fd6d615d
R10:  R11:  R12: 
R13: 8b300430 R14:  R15: 
 vprintk_default+0x90/0xa0 kernel/printk/printk.c:1955
 vprintk_func+0x517/0x700 kernel/printk/printk_safe.c:379
 printk+0x1b6/0x1f0 kernel/printk/printk.c:1991
 translate_table+0x474/0x5e10 net/bridge/netfilter/ebtables.c:846
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2406
 ipv6_setsockopt+0x30c/0x340 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x110/0x1c0 net/ipv6/udp.c:1422
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:7f470c9e3c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f470c9e46d4 RCX: 00455389
RDX: 0080 RSI:  RDI: 0013
RBP: 0072bea0 R08: 0dd0 R09: 
R10: 2dc0 R11: 0246 R12: 
R13: 051d R14: 006fab58 R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164 [inline]
 kmalloc_order_trace+0xb9/0x390 mm/slab_common.c:1175
 kmalloc_large include/linux/slab.h:446 [inline]
 __kmalloc+0x332/0x350 mm/slub.c:3778
 kmalloc include/linux/slab.h:517 [inline]
 ip_vs_lblc_init_svc+0x57/0x310 net/netfilter/ipvs/ip_vs_lblc.c:355
 ip_vs_bind_scheduler+0xa4/0x1e0 net/netfilter/ipvs/ip_vs_sched.c:51
 ip_vs_add_service+0xa91/0x1d70 net/netfilter/ipvs/ip_vs_ctl.c:1265
 do_ip_vs_set_ctl+0x25c8/0x2790 net/netfilter

KMSAN: uninit-value in ebt_stp_mt_check

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit

a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=5c06e318fc558cc27823


So far this crash happened 3 times on https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5411555638247424
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6309829995921408
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4546610964987904

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5c06e318fc558cc27...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164

CPU: 0 PID: 4520 Comm: syzkaller565841 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164
 xt_check_match+0x1449/0x1660 net/netfilter/x_tables.c:499
 ebt_check_match net/bridge/netfilter/ebtables.c:374 [inline]
 ebt_check_entry net/bridge/netfilter/ebtables.c:704 [inline]
 translate_table+0x3ffd/0x5e10 net/bridge/netfilter/ebtables.c:945
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 dccp_setsockopt+0x1c3/0x1f0 net/dccp/proto.c:576
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445d39
RSP: 002b:7efff4e14da8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 00445d39
RDX: 0080 RSI:  RDI: 0003
RBP:  R08: 0358 R09: 
R10: 28c0 R11: 0246 R12: 006dac20
R13: 006567646972625f R14: 6f745f3168746576 R15: 0002

Local variable description: mtpar.i@translate_table
Variable was created at:
 translate_table+0xb9/0x5e10 net/bridge/netfilter/ebtables.c:833
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
==


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.

Note: all commands must start from beginning of the line in the email body.


Re: INFO: task hung in do_ip_vs_set_ctl (2)

2018-04-12 Thread syzbot

syzbot has found a reproducer for the following crash on net-next commit
17dec0a949153d9ac00760ba2f5b78cb583e995f (Wed Apr 4 02:15:32 2018 +)
Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=7810ed2e0cb359580c17


So far this crash happened 2 times on net-next, upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5922062967242752
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5359824032235520
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6352399027404800
Kernel config: https://syzkaller.appspot.com/x/.config?id=-2735707888269579554

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7810ed2e0cb359580...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

INFO: task syzkaller402106:4498 blocked for more than 120 seconds.
  Not tainted 4.16.0+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syzkaller402106 D22184  4498   4494 0x
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x807/0x1e40 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_preempt_disabled+0x10/0x20 kernel/sched/core.c:3607
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0xe38/0x17f0 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 do_ip_vs_set_ctl+0x339/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2393
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:2888
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 smc_setsockopt+0xc7/0x120 net/smc/af_smc.c:1289
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x445959
RSP: 002b:7f2770618db8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 00445959
RDX: 048c RSI:  RDI: 0003
RBP: 006dac20 R08: 0018 R09: 
R10: 2140 R11: 0246 R12: 
R13: 7ffd81ae8f6f R14: 7f27706199c0 R15: 0001

Showing all locks held in the system:
3 locks held by kworker/0:0/4:
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
__write_once_size include/linux/compiler.h:215 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
set_work_data kernel/workqueue.c:617 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 7346131c ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 894403a3 ((addr_chk_work).work){+.+.}, at:  
process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: ddc85278 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20  
net/core/rtnetlink.c:74

2 locks held by khungtaskd/877:
 #0: 706bfe1c (rcu_read_lock){}, at:  
check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0: 706bfe1c (rcu_read_lock){}, at: watchdog+0x1ff/0xf60  
kernel/hung_task.c:249
 #1: 761e40d2 (tasklist_lock){.+.+}, at:  
debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470

2 locks held by getty/4464:
 #0: f90a9320 (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 5dd151b8 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4465:
 #0: 737b5b26 (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1: 17bb1ae5 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131

2 locks held by getty/4466:
 #0: badd071e (&tty->ldisc_sem){}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_lds

INFO: task hung in do_ip_vs_set_ctl (2)

2018-04-07 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
3fd14cdcc05a682b03743683ce3a726898b20555 (Fri Apr 6 19:15:41 2018 +)
Merge tag 'mtd/for-4.17' of git://git.infradead.org/linux-mtd
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=7810ed2e0cb359580c17


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5452586266132480
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-5813481738265533882

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7810ed2e0cb359580...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

IPVS: stopping backup sync thread 25820 ...
IPVS: sync thread started: state = BACKUP, mcast_ifn = lo, syncid = 0, id =  
0
IPVS: sync thread started: state = BACKUP, mcast_ifn = bridge0, syncid = 5,  
id = 0

IPVS: stopping backup sync thread 25825 ...
INFO: task syz-executor4:25814 blocked for more than 120 seconds.
  Not tainted 4.16.0+ #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor4   D23496 25814   4577 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2848 [inline]
 __schedule+0x807/0x1e40 kernel/sched/core.c:3490
 schedule+0xef/0x430 kernel/sched/core.c:3549
 schedule_preempt_disabled+0x10/0x20 kernel/sched/core.c:3607
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0xe38/0x17f0 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 do_ip_vs_set_ctl+0x562/0x1d30 net/netfilter/ipvs/ip_vs_ctl.c:2388
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2413
 ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x62/0xa0 net/ipv6/udp.c:1424
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
 SYSC_setsockopt net/socket.c:1914 [inline]
 SyS_setsockopt+0x34/0x50 net/socket.c:1911
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455259
RSP: 002b:7f2f6a5c0c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f2f6a5c16d4 RCX: 00455259
RDX: 048b RSI:  RDI: 0019
RBP: 0072bea0 R08: 0018 R09: 
R10: 2100 R11: 0246 R12: 
R13: 0520 R14: 006faba0 R15: 

Showing all locks held in the system:
3 locks held by kworker/1:0/18:
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at:  
__write_once_size include/linux/compiler.h:215 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at:  
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: atomic64_set  
include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: atomic_long_set  
include/asm-generic/atomic-long.h:57 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at: set_work_data  
kernel/workqueue.c:617 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at:  
set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 5979db97 ((wq_completion)"events"){+.+.}, at:  
process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
 #1: 34433a79 (deferred_process_work){+.+.}, at:  
process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
 #2: c152a7e0 (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20  
net/core/rtnetlink.c:74

3 locks held by kworker/1:1/25:
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
__write_once_size include/linux/compiler.h:215 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
set_work_data kernel/workqueue.c:617 [inline]
 #0: 04c9dcc7 ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:  
set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 04c9dcc7 ((w

Re: INFO: task hung in stop_sync_thread (2)

2018-03-30 Thread syzbot

syzbot has found a reproducer for the following crash on net-next commit
18845557fd6fc1998f2d0d8c30467f86db587529 (Thu Mar 29 20:24:06 2018 +)
Merge tag 'wireless-drivers-next-for-davem-2018-03-29' of  
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=5fe074c01b2032ce9618


So far this crash happened 2 times on net-next.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5531070485233664
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=5632385408303104
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6520566391504896

Kernel config: https://syzkaller.appspot.com/x/.config?id=-37309782588693906
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5fe074c01b2032ce9...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

INFO: task syzkaller923914:4319 blocked for more than 120 seconds.
  Not tainted 4.16.0-rc6+ #286
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syzkaller923914 D23312  4319   4316 0x
Call Trace:
 context_switch kernel/sched/core.c:2862 [inline]
 __schedule+0x8fb/0x1ec0 kernel/sched/core.c:3440
 schedule+0xf5/0x430 kernel/sched/core.c:3499
 schedule_timeout+0x1a3/0x230 kernel/time/timer.c:1777
 do_wait_for_common kernel/sched/completion.c:86 [inline]
 __wait_for_common kernel/sched/completion.c:107 [inline]
 wait_for_common kernel/sched/completion.c:118 [inline]
 wait_for_completion+0x415/0x770 kernel/sched/completion.c:139
 kthread_stop+0x14a/0x7a0 kernel/kthread.c:530
 stop_sync_thread+0x3d9/0x740 net/netfilter/ipvs/ip_vs_sync.c:1996
 do_ip_vs_set_ctl+0x2b1/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2394
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1253
 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2400
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:3039
 SYSC_setsockopt net/socket.c:1850 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1829
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4459d9
RSP: 002b:7f1d6f47cdb8 EFLAGS: 0297 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 004459d9
RDX: 048c RSI:  RDI: 0008
RBP: 006dac20 R08: 0018 R09: 
R10: 2000 R11: 0297 R12: 
R13: 7fffcf128acf R14: 7f1d6f47d9c0 R15: 0001
INFO: lockdep is turned off.
NMI backtrace for cpu 1
CPU: 1 PID: 869 Comm: khungtaskd Not tainted 4.16.0-rc6+ #286
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 nmi_cpu_backtrace+0x1d2/0x210 lib/nmi_backtrace.c:103
 nmi_trigger_cpumask_backtrace+0x123/0x180 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
 check_hung_task kernel/hung_task.c:132 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:190 [inline]
 watchdog+0x90c/0xd60 kernel/hung_task.c:249
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 4317 Comm: syzkaller923914 Not tainted 4.16.0-rc6+ #286
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50
RSP: 0018:8801b56df138 EFLAGS: 0093
RAX: 8801cbaae640 RBX:  RCX: 866a3971
RDX:  RSI: 0040 RDI: 8801db218038
RBP: 8801b56df168 R08: 88021fff801c R09: 88021fff8008
R10: 88021fff8010 R11: 88021fff801d R12: 8801db218038
R13: 0040 R14: 8801db218038 R15: 
FS:  01968880() GS:8801db20() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: ff600400 CR3: 0001c94dc001 CR4: 001606f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 cpumask_next+0x24/0x30 lib/cpumask.c:21
 select_idle_smt kernel/sched/fair.c:6116 [inline]
 select_idle_sibling+0x86d/0xda0 kernel/sched/fair.c:6238
 select_task_rq_fair+0xe0a/0x2910 kernel/sched/fair.c:6394
 select_task_rq kernel/sched/core.c:1554 [inline]
 try_to_wake_up+0x4ee/0x15f0 kernel/sched/core.c:2064
 default_wake_function+0x30/0x50 kernel/sched/core.c:3693
 autoremove_wake_function+0x78/0x350 kernel/sched/wait.c:377
 __wake_up_common+0x18e/0x780 kernel/sched/wait.c:97
 __wa

INFO: task hung in stop_sync_thread (2)

2018-03-29 Thread syzbot

Hello,

syzbot hit the following crash on net-next commit
5d22d47b9ed96eddb35821dc2cc4f629f45827f7 (Tue Mar 27 17:33:21 2018 +)
Merge branch 'sfc-filter-locking'
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=5fe074c01b2032ce9618


Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6119456711376896
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=4372867303600475372

compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5fe074c01b2032ce9...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

IPVS: sync thread started: state = BACKUP, mcast_ifn = syz_tun, syncid = 4,  
id = 0

IPVS: stopping backup sync thread 25415 ...
INFO: task syz-executor7:25421 blocked for more than 120 seconds.
  Not tainted 4.16.0-rc6+ #284
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor7   D23688 25421   4408 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2862 [inline]
 __schedule+0x8fb/0x1ec0 kernel/sched/core.c:3440
 schedule+0xf5/0x430 kernel/sched/core.c:3499
 schedule_timeout+0x1a3/0x230 kernel/time/timer.c:1777
 do_wait_for_common kernel/sched/completion.c:86 [inline]
 __wait_for_common kernel/sched/completion.c:107 [inline]
 wait_for_common kernel/sched/completion.c:118 [inline]
 wait_for_completion+0x415/0x770 kernel/sched/completion.c:139
 kthread_stop+0x14a/0x7a0 kernel/kthread.c:530
 stop_sync_thread+0x3d9/0x740 net/netfilter/ipvs/ip_vs_sync.c:1996
 do_ip_vs_set_ctl+0x2b1/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2394
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1253
 sctp_setsockopt+0x2ca/0x63e0 net/sctp/socket.c:4154
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:3039
 SYSC_setsockopt net/socket.c:1850 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1829
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454889
RSP: 002b:7fc927626c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7fc9276276d4 RCX: 00454889
RDX: 048c RSI:  RDI: 0017
RBP: 0072bf58 R08: 0018 R09: 
R10: 2000 R11: 0246 R12: 
R13: 051c R14: 006f9b40 R15: 0001

Showing all locks held in the system:
2 locks held by khungtaskd/868:
 #0:  (rcu_read_lock){}, at: [<a1a8f002>]  
check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
 #0:  (rcu_read_lock){}, at: [<a1a8f002>] watchdog+0x1c5/0xd60  
kernel/hung_task.c:249
 #1:  (tasklist_lock){.+.+}, at: [<37c2f8f9>]  
debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470

1 lock held by rsyslogd/4247:
 #0:  (&f->f_pos_lock){+.+.}, at: [<0d8d6983>]  
__fdget_pos+0x12b/0x190 fs/file.c:765

2 locks held by getty/4338:
 #0:  (&tty->ldisc_sem){}, at: [<bee98654>]  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1:  (&ldata->atomic_read_lock){+.+.}, at: [<c1d180aa>]  
n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131

2 locks held by getty/4339:
 #0:  (&tty->ldisc_sem){}, at: [<bee98654>]  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1:  (&ldata->atomic_read_lock){+.+.}, at: [<c1d180aa>]  
n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131

2 locks held by getty/4340:
 #0:  (&tty->ldisc_sem){}, at: [<bee98654>]  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1:  (&ldata->atomic_read_lock){+.+.}, at: [<c1d180aa>]  
n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131

2 locks held by getty/4341:
 #0:  (&tty->ldisc_sem){}, at: [<bee98654>]  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1:  (&ldata->atomic_read_lock){+.+.}, at: [<c1d180aa>]  
n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131

2 locks held by getty/4342:
 #0:  (&tty->ldisc_sem){}, at: [<bee98654>]  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1:  (&ldata->atomic_read_lock){+.+.}, at: [<c1d180aa>]  
n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131

2 locks held by getty/4343:
 #0:  (&tty->ldisc_sem){}, at: [<bee98654>]  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
 #1:  (&ldata->atomic_read_lock){+.+.}, at: [<c1d180aa>]  
n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131

2 locks held by getty/4344:
 #0:  (&

WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread syzbot

Hello,

syzbot tried to test the proposed patch but build/boot failed:

kernel build failed: failed to run /usr/bin/make [make bzImage -j 32  
CC=/syzkaller/gcc/bin/gcc]: exit status 2

scripts/kconfig/conf  --silentoldconfig Kconfig
  CHK include/config/kernel.release
  CHK include/generated/uapi/linux/version.h
  CHK include/generated/utsrelease.h
  CHK scripts/mod/devicetable-offsets.h
  CHK include/generated/bounds.h
  CHK include/generated/timeconst.h
  CHK include/generated/asm-offsets.h
  CALLscripts/checksyscalls.sh
  CHK include/generated/compile.h
  CC  net/ipv4/netfilter/ipt_CLUSTERIP.o
  CC  net/ipv4/netfilter/ipt_MASQUERADE.o
  CC  net/ipv4/netfilter/ipt_REJECT.o
  CC  net/ipv4/netfilter/ipt_SYNPROXY.o
  CC  net/ipv4/netfilter/arp_tables.o
  CC  net/ipv4/netfilter/arpt_mangle.o
  CC  net/ipv4/netfilter/arptable_filter.o
  CC  net/ipv4/netfilter/nf_dup_ipv4.o
net/ipv4/netfilter/ipt_CLUSTERIP.c: In function ‘clusterip_config_init’:
net/ipv4/netfilter/ipt_CLUSTERIP.c:253:22: error: expected ‘;’ before ‘:’  
token

   goto err_remove_pte:
  ^
scripts/Makefile.build:316: recipe for  
target 'net/ipv4/netfilter/ipt_CLUSTERIP.o' failed

make[3]: *** [net/ipv4/netfilter/ipt_CLUSTERIP.o] Error 1
make[3]: *** Waiting for unfinished jobs
scripts/Makefile.build:575: recipe for target 'net/ipv4/netfilter' failed
make[2]: *** [net/ipv4/netfilter] Error 2
scripts/Makefile.build:575: recipe for target 'net/ipv4' failed
make[1]: *** [net/ipv4] Error 2
Makefile:1020: recipe for target 'net' failed
make: *** [net] Error 2



Tested on net commit
176bfb406d735655f9a69d868a7af0c3da959d51 (Tue Feb 6 16:48:40 2018 +)
Merge branch 'be2net-patch-set'

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.



--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -230,17 +230,6 @@ clusterip_config_init(struct net *net, const struct 
ipt_clusterip_tgt_info *i,
refcount_set(&c->refcount, 1);
refcount_set(&c->entries, 1);
 
-   spin_lock_bh(&cn->lock);
-   if (__clusterip_config_find(net, ip)) {
-   spin_unlock_bh(&cn->lock);
-   kfree(c);
-
-   return ERR_PTR(-EBUSY);
-   }
-
-   list_add_rcu(&c->list, &cn->configs);
-   spin_unlock_bh(&cn->lock);
-
 #ifdef CONFIG_PROC_FS
{
char buffer[16];
@@ -257,20 +246,31 @@ clusterip_config_init(struct net *net, const struct 
ipt_clusterip_tgt_info *i,
}
 #endif
 
+   spin_lock_bh(&cn->lock);
+   if (__clusterip_config_find(net, ip)) {
+   spin_unlock_bh(&cn->lock);
+   err = -EBUSY;
+   goto err_remove_pte:
+   }
+
+   list_add_rcu(&c->list, &cn->configs);
+   spin_unlock_bh(&cn->lock);
+
c->notifier.notifier_call = clusterip_netdev_event;
err = register_netdevice_notifier(&c->notifier);
if (!err)
return c;
 
+   spin_lock_bh(&cn->lock);
+   list_del_rcu(&c->list);
+   spin_unlock_bh(&cn->lock);
+
+err_remove_pte:
 #ifdef CONFIG_PROC_FS
proc_remove(c->pde);
 err:
 #endif
-   spin_lock_bh(&cn->lock);
-   list_del_rcu(&c->list);
-   spin_unlock_bh(&cn->lock);
kfree(c);
-
return ERR_PTR(err);
 }
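Review bot: the `goto err_remove_pte:` line in this hunk is the one gcc rejects in the log above (ipt_CLUSTERIP.c:253, "expected ';' before ':' token"); a goto ends with a semicolon, so it should read `goto err_remove_pte;`. Until that is fixed syzbot never boots the patched kernel, so this build failure says nothing about whether the reordering actually cures the proc registration warning.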
 


WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread syzbot

Hello,

syzbot tried to test the proposed patch but build/boot failed:

kernel build failed: failed to run /usr/bin/make [make bzImage -j 32  
CC=/syzkaller/gcc/bin/gcc]: exit status 2

scripts/kconfig/conf  --silentoldconfig Kconfig
  CHK include/config/kernel.release
  CHK include/generated/uapi/linux/version.h
  CHK include/generated/utsrelease.h
  CHK scripts/mod/devicetable-offsets.h
  CHK include/generated/bounds.h
  CHK include/generated/timeconst.h
  CHK include/generated/asm-offsets.h
  CALLscripts/checksyscalls.sh
  CHK include/generated/compile.h
  CC  net/psample/psample.o
  CC  net/packet/af_packet.o
  CC  net/strparser/strparser.o
  CC  net/switchdev/switchdev.o
  CC  net/rfkill/core.o
  CC  net/compat.o
  CC  net/rfkill/input.o
  CC  net/sysctl_net.o
  CC  net/tls/tls_main.o
  CC  net/tls/tls_sw.o
  CC  net/unix/af_unix.o
  CC  net/wimax/id-table.o
  CC  net/unix/garbage.o
  CC  net/wimax/op-msg.o
  CC  net/unix/sysctl_net_unix.o
  CC  net/wimax/op-reset.o
  CC  net/wimax/op-rfkill.o
  CC  net/wimax/op-state-get.o
  AR  net/ipv4/netfilter/nf_conntrack_ipv4.o
  AR  net/ipv4/netfilter/nf_nat_ipv4.o
  CC  net/vmw_vsock/af_vsock.o
  AR  net/ipv4/netfilter/nf_nat_snmp_basic.o
  CC  net/tipc/addr.o
  CC  net/xfrm/xfrm_policy.o
  CC  net/ipv4/netfilter/ipt_CLUSTERIP.o
  CC  net/tipc/bcast.o
  CC  net/wireless/core.o
  CC  net/sunrpc/clnt.o
  CC  net/rds/af_rds.o
  CC  net/ipv4/netfilter/ipt_ECN.o
  CC  net/sched/sch_generic.o
  CC  net/sched/sch_mq.o
  CC  net/sctp/sm_statetable.o
  CC  net/sctp/sm_statefuns.o
  CC  net/wimax/stack.o
  CC  net/wimax/debugfs.o
  CC  net/sctp/sm_sideeffect.o
  CC  net/sctp/protocol.o
  AR  net/psample/built-in.o
  CC  net/sctp/endpointola.o
  CC  net/rds/bind.o
  CC  net/sunrpc/xprt.o
  CC  net/rds/cong.o
  AR  net/switchdev/built-in.o
  CC  net/sched/sch_api.o
  AR  net/rfkill/rfkill.o
net/ipv4/netfilter/ipt_CLUSTERIP.c: In function ‘clusterip_config_init’:
net/ipv4/netfilter/ipt_CLUSTERIP.c:253:22: error: expected ‘;’ before ‘:’  
token

   goto err_remove_pte:
  ^
  AR  net/rfkill/built-in.o
  CC  net/rds/connection.o
scripts/Makefile.build:316: recipe for  
target 'net/ipv4/netfilter/ipt_CLUSTERIP.o' failed

make[3]: *** [net/ipv4/netfilter/ipt_CLUSTERIP.o] Error 1
make[3]: *** Waiting for unfinished jobs
  CC  net/rds/info.o
  CC  net/sctp/associola.o
  CC  net/sctp/transport.o
  AR  net/strparser/built-in.o
  CC  net/sctp/chunk.o
  CC  net/sunrpc/socklib.o
  CC  net/tipc/bearer.o
scripts/Makefile.build:575: recipe for target 'net/ipv4/netfilter' failed
make[2]: *** [net/ipv4/netfilter] Error 2
scripts/Makefile.build:575: recipe for target 'net/ipv4' failed
make[1]: *** [net/ipv4] Error 2
make[1]: *** Waiting for unfinished jobs
  CC  net/tipc/core.o
  CC  net/sctp/sm_make_chunk.o
  CC  net/wireless/sysfs.o
  CC  net/wireless/radiotap.o
  AR  net/tls/tls.o
  AR  net/tls/built-in.o
  CC  net/sched/sch_blackhole.o
  CC  net/sched/cls_api.o
  CC  net/sctp/ulpevent.o
  AR  net/wimax/wimax.o
  AR  net/wimax/built-in.o
  CC  net/wireless/util.o
  CC  net/rds/message.o
  CC  net/sunrpc/xprtsock.o
  CC  net/sctp/inqueue.o
  CC  net/vmw_vsock/af_vsock_tap.o
  CC  net/rds/recv.o
  CC  net/wireless/reg.o
  CC  net/rds/send.o
  CC  net/tipc/link.o
  CC  net/sctp/outqueue.o
  CC  net/sched/act_api.o
  CC  net/sched/act_police.o
  CC  net/sctp/ulpqueue.o
  CC  net/rds/stats.o
  CC  net/rds/sysctl.o
  CC  net/sctp/tsnmap.o
  CC  net/sched/act_sample.o
  CC  net/vmw_vsock/vsock_addr.o
  CC  net/wireless/scan.o
  CC  net/sctp/bind_addr.o
  CC  net/rds/threads.o
  CC  net/rds/transport.o
  CC  net/sctp/socket.o
  CC  net/sunrpc/sched.o
  AR  net/unix/unix.o
  CC  net/tipc/discover.o
  AR  net/unix/built-in.o
  CC  net/tipc/msg.o
  CC  net/wireless/nl80211.o
  CC  net/sched/act_nat.o
  CC  net/rds/loop.o
  CC  net/rds/page.o
  CC  net/sctp/primitive.o
  CC  net/sched/act_pedit.o
  CC  net/sctp/output.o
  CC  net/vmw_vsock/diag.o
  CC  net/sctp/input.o
  CC  net/vmw_vsock/virtio_transport.o
  CC  net/sched/act_simple.o
  CC  net/rds/rdma.o
  CC  net/sched/act_bpf.o
  CC  net/tipc/name_distr.o
  CC  net/rds/tcp.o
  CC  net/sctp/debug.o
net/sctp/outqueue.c: In function ‘sctp_outq_flush’:
net/sctp/outqueue.c:1205:1: warning: the frame size of 2144 bytes is larger  
than 2048 bytes [-Wframe-larger-than=]

 }
 ^
  CC  net/sctp/stream.o
  CC  net/rds/tcp_connect.o
  CC  net/sctp/auth.o
  CC  net/rds/tcp_listen.o
  CC  net/sched/sch_fifo.o
  C

Re: WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread syzbot
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git  
master


Can't find the corresponding bug.



I can't reproduce the issue locally, so asking syzbot to test the
tentative fix for me (and hoping I did not mess with the tag/format)



---
  net/ipv4/netfilter/ipt_CLUSTERIP.c | 30 +++---
  1 file changed, 15 insertions(+), 15 deletions(-)


diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c  
b/net/ipv4/netfilter/ipt_CLUSTERIP.c

index 3a84a60f6b39..db103cd971a9 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -230,17 +230,6 @@ clusterip_config_init(struct net *net, const struct  
ipt_clusterip_tgt_info *i,

refcount_set(&c->refcount, 1);
refcount_set(&c->entries, 1);



-   spin_lock_bh(&cn->lock);
-   if (__clusterip_config_find(net, ip)) {
-   spin_unlock_bh(&cn->lock);
-   kfree(c);
-
-   return ERR_PTR(-EBUSY);
-   }
-
-   list_add_rcu(&c->list, &cn->configs);
-   spin_unlock_bh(&cn->lock);
-
  #ifdef CONFIG_PROC_FS
{
char buffer[16];
@@ -257,20 +246,31 @@ clusterip_config_init(struct net *net, const struct  
ipt_clusterip_tgt_info *i,

}
  #endif



+   spin_lock_bh(&cn->lock);
+   if (__clusterip_config_find(net, ip)) {
+   spin_unlock_bh(&cn->lock);
+   err = -EBUSY;
+   goto err_remove_pte:
+   }
+
+   list_add_rcu(&c->list, &cn->configs);
+   spin_unlock_bh(&cn->lock);
+
c->notifier.notifier_call = clusterip_netdev_event;
err = register_netdevice_notifier(&c->notifier);
if (!err)
return c;



+   spin_lock_bh(&cn->lock);
+   list_del_rcu(&c->list);
+   spin_unlock_bh(&cn->lock);
+
+err_remove_pte:
  #ifdef CONFIG_PROC_FS
proc_remove(c->pde);
  err:
  #endif
-   spin_lock_bh(&cn->lock);
-   list_del_rcu(&c->list);
-   spin_unlock_bh(&cn->lock);
kfree(c);
-
return ERR_PTR(err);
  }
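Review bot: `goto err_remove_pte:` will not compile; it needs a semicolon (`goto err_remove_pte;`), and syzbot's build log above fails on exactly that line. Once it builds, the reordering still leaves a window: the CONFIG_PROC_FS block that sets up `c->pde` now runs before `__clusterip_config_find()` is consulted under `cn->lock`, so two clusterip_tg_check() callers for the same ip can both reach the proc entry creation with the same name before either config is visible in `cn->configs`; the loser only gets -EBUSY after the duplicate proc registration that the warning reports. The lookup-and-insert and the proc entry creation need to be serialized together (for example under one mutex held across both) rather than just reordered. Separately, on the `register_netdevice_notifier()` failure path the config is `list_del_rcu()`'d and then `kfree()`'d immediately with no RCU grace period; the removed lines show this was already the case before the patch, but since this error path is being rewritten it is worth addressing here.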



--
2.14.3



--
You received this message because you are subscribed to the Google  
Groups "syzkaller-bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an  
email to syzkaller-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit  
https://groups.google.com/d/msgid/syzkaller-bugs/945c8517a87c671825b61223088064ea2ad0a8cb.1517999262.git.pabeni%40redhat.com.

For more options, visit https://groups.google.com/d/optout.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html