BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()


syzbot

Nov 5, 2017, 4:05:02 AM
to da...@davemloft.net, dc...@vger.kernel.org, ger...@erg.abdn.ac.uk, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzkaller hit the following crash on
56546e3b9f2284a750c9ca24617544ff5cf56af4
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=8523 comm=syz-executor0
BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at
net/dccp/ccids/lib/packet_history.c:427/tfrc_rx_hist_sample_rtt()
CPU: 1 PID: 8547 Comm: syz-executor7 Not tainted 4.14.0-rc5+ #93
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:424
ccid3_hc_rx_packet_recv+0x690/0xea7 net/dccp/ccids/ccid3.c:765
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x12f/0x160 net/dccp/ipv4.c:653
sk_backlog_rcv include/net/sock.h:912 [inline]
__sk_receive_skb+0x33e/0xc20 net/core/sock.c:511
dccp_v4_rcv+0xef1/0x1c00 net/dccp/ipv4.c:874
ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:249 [inline]
ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:465 [inline]
ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397
NF_HOOK include/linux/netfilter.h:249 [inline]
ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4477
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4542
process_backlog+0x203/0x740 net/core/dev.c:5221
napi_poll net/core/dev.c:5619 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5685
__do_softirq+0x2d7/0xb85 kernel/softirq.c:284
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:957
</IRQ>
do_softirq.part.22+0x14d/0x190 kernel/softirq.c:328
do_softirq kernel/softirq.c:176 [inline]
__local_bh_enable_ip+0x135/0x160 kernel/softirq.c:181
local_bh_enable include/linux/bottom_half.h:31 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline]
ip_finish_output2+0x8ad/0x1460 net/ipv4/ip_output.c:231
ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:238 [inline]
ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:459 [inline]
ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
dccp_xmit_packet+0x20f/0x730 net/dccp/output.c:281
dccp_write_xmit+0x17d/0x1d0 net/dccp/output.c:363
dccp_sendmsg+0x6d0/0xa80 net/dccp/proto.c:803
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2049
__sys_sendmsg+0xe5/0x210 net/socket.c:2083
SYSC_sendmsg net/socket.c:2094 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2090
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452869
RSP: 002b:00007f889164bbe8 EFLAGS: 00000212 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000758190 RCX: 0000000000452869
RDX: 0000000000000080 RSI: 00000000200ca000 RDI: 0000000000000016
RBP: 0000000000000163 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f01e8
R13: 00000000ffffffff R14: 00007f889164c6d4 R15: 0000000000000012
dccp_close: ABORT with 11 bytes unread
RDS: rds_bind could not find a transport for 172.20.3.187, load rds_tcp or
rds_rdma?
netlink: 13 bytes leftover after parsing attributes in process
`syz-executor5'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0
sclass=netlink_tcpdiag_socket pig=8564 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5
sclass=netlink_route_socket pig=8575 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4
sclass=netlink_route_socket pig=8575 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=8575 comm=syz-executor0
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor1'.
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor1'.
netlink: 2 bytes leftover after parsing attributes in process
`syz-executor5'.
PF_BRIDGE: br_mdb_parse() with non-bridge
RDS: rds_bind could not find a transport for 172.20.7.170, load rds_tcp or
rds_rdma?
device sit0 entered promiscuous mode
PF_BRIDGE: br_mdb_parse() with non-bridge
RDS: rds_bind could not find a transport for 255.255.255.255, load rds_tcp
or rds_rdma?
RDS: rds_bind could not find a transport for 172.20.7.170, load rds_tcp or
rds_rdma?
RDS: rds_bind could not find a transport for 255.255.255.255, load rds_tcp
or rds_rdma?
RDS: rds_bind could not find a transport for 172.20.7.170, load rds_tcp or
rds_rdma?
RDS: rds_bind could not find a transport for 172.20.7.170, load rds_tcp or
rds_rdma?
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
device syz1 entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
device lo left promiscuous mode
sctp: [Deprecated]: syz-executor4 (pid 9115) Use of int in max_burst socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor4 (pid 9121) Use of int in max_burst socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor1 (pid 9292) Use of int in max_burst socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor1 (pid 9306) Use of int in max_burst socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor7 (pid 9330) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
sctp: [Deprecated]: syz-executor7 (pid 9355) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
RDS: rds_bind could not find a transport for 255.255.255.255, load rds_tcp
or rds_rdma?
lo: Invalid MTU -16646140 requested, hw min 0
ICMPv6: NA: someone advertises our address
fe80:0000:0000:0000:0000:0000:0000:01aa on syz1!
ICMPv6: NA: someone advertises our address
fe80:0000:0000:0000:0000:0000:0000:01aa on syz1!
sctp: [Deprecated]: syz-executor1 (pid 9692) Use of struct sctp_assoc_value
in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor1 (pid 9724) Use of struct sctp_assoc_value
in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor2 (pid 9732) Use of struct sctp_assoc_value
in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor4 (pid 9741) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor4 (pid 9745) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor2 (pid 9760) Use of struct sctp_assoc_value
in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor3 (pid 9764) Use of struct sctp_assoc_value
in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor3 (pid 9764) Use of struct sctp_assoc_value
in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor4 (pid 9807) Use of int in max_burst socket
option.
Use struct sctp_assoc_value instead
do_dccp_setsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app
do_dccp_setsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app
dccp_invalid_packet: P.type (REQUEST) not Data || [Data]Ack, while P.X == 0
dccp_invalid_packet: P.type (REQUEST) not Data || [Data]Ack, while P.X == 0
dccp_invalid_packet: P.type (REQUEST) not Data || [Data]Ack, while P.X == 0
dccp_invalid_packet: P.type (REQUEST) not Data || [Data]Ack, while P.X == 0
sctp: [Deprecated]: syz-executor0 (pid 10122) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
RDS: rds_bind could not find a transport for 255.255.255.255, load rds_tcp
or rds_rdma?
sctp: [Deprecated]: syz-executor0 (pid 10122) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor7 (pid 10177) Use of int in max_burst
socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor7 (pid 10177) Use of int in max_burst
socket option.
Use struct sctp_assoc_value instead
nla_parse: 19 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process
`syz-executor1'.
netlink: 8 bytes leftover after parsing attributes in process
`syz-executor1'.
selinux_nlmsg_perm: 14 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=10309 comm=syz-executor5
netlink: 72 bytes leftover after parsing attributes in process
`syz-executor0'.
Bearer <> rejected, not supported in standalone mode
sctp: [Deprecated]: syz-executor2 (pid 10379) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=5
sclass=netlink_tcpdiag_socket pig=10366 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=4
sclass=netlink_tcpdiag_socket pig=10366 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=10366 comm=syz-executor5
Bearer <> rejected, not supported in standalone mode
netlink: 72 bytes leftover after parsing attributes in process
`syz-executor0'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=5
sclass=netlink_tcpdiag_socket pig=10412 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=4
sclass=netlink_tcpdiag_socket pig=10383 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=10366 comm=syz-executor5
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor4'.
sctp: [Deprecated]: syz-executor2 (pid 10332) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
RDS: rds_bind could not find a transport for 172.20.3.187, load rds_tcp or
rds_rdma?
RDS: rds_bind could not find a transport for 172.20.3.187, load rds_tcp or
rds_rdma?
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor5'.
dccp_close: ABORT with 752 bytes unread
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor2'.
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor2'.
syz-executor0: vmalloc: allocation failure: 17179377976 bytes,
mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor0 cpuset=/ mems_allowed=0
CPU: 1 PID: 10838 Comm: syz-executor0 Not tainted 4.14.0-rc5+ #93
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3254
__vmalloc_node_range+0x4f0/0x650 mm/vmalloc.c:1775
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=10896 comm=syz-executor2
__vmalloc_node mm/vmalloc.c:1804 [inline]
__vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
kvmalloc_node+0x82/0xd0 mm/util.c:406
kvmalloc include/linux/mm.h:529 [inline]
kvmalloc_array include/linux/mm.h:545 [inline]
xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
translate_table+0x235/0x1690 net/ipv6/netfilter/ip6_tables.c:705
do_replace net/ipv6/netfilter/ip6_tables.c:1150 [inline]
do_ip6t_set_ctl+0x345/0x5c0 net/ipv6/netfilter/ip6_tables.c:1676
nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:927
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2875
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2967
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452869
RSP: 002b:00007f44781a2be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000007580d8 RCX: 0000000000452869
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000015
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020001fde R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007f44781a39c0 R15: 0000000000000001
warn_alloc_show_mem: 2 callbacks suppressed
Mem-Info:
syz-executor0: vmalloc: allocation failure: 17179377976 bytes,
mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor0 cpuset=/ mems_allowed=0
CPU: 1 PID: 10870 Comm: syz-executor0 Not tainted 4.14.0-rc5+ #93
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3254
__vmalloc_node_range+0x4f0/0x650 mm/vmalloc.c:1775
__vmalloc_node mm/vmalloc.c:1804 [inline]
__vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
kvmalloc_node+0x82/0xd0 mm/util.c:406
kvmalloc include/linux/mm.h:529 [inline]
kvmalloc_array include/linux/mm.h:545 [inline]
xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
translate_table+0x235/0x1690 net/ipv6/netfilter/ip6_tables.c:705
do_replace net/ipv6/netfilter/ip6_tables.c:1150 [inline]
do_ip6t_set_ctl+0x345/0x5c0 net/ipv6/netfilter/ip6_tables.c:1676
nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:927
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2875
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2967
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452869
RSP: 002b:00007f4478181be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000758190 RCX: 0000000000452869
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000018
RBP: 000000000000052b R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020001fde R11: 0000000000000212 R12: 00000000006f5ca8
R13: 00000000ffffffff R14: 00007f44781826d4 R15: 000000000000001d
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
syz7: Invalid MTU 1634497129 requested, hw max 65535
syz7: Invalid MTU 1634497129 requested, hw max 65535
dccp_invalid_packet: P.Data Offset(172) too large
dccp_invalid_packet: P.Data Offset(172) too large
sctp: [Deprecated]: syz-executor1 (pid 11407) Use of int in max_burst
socket option deprecated.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor1 (pid 11407) Use of int in max_burst
socket option deprecated.
Use struct sctp_assoc_value instead
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=11484 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=16
sclass=netlink_tcpdiag_socket pig=11535 comm=syz-executor7
dccp_v4_rcv: dropped packet with invalid checksum
dccp_v4_rcv: dropped packet with invalid checksum
sctp: [Deprecated]: syz-executor5 (pid 11712) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
RDS: rds_bind could not find a transport for 172.20.0.170, load rds_tcp or
rds_rdma?
sctp: [Deprecated]: syz-executor5 (pid 11773) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
RDS: rds_bind could not find a transport for 172.20.5.187, load rds_tcp or
rds_rdma?
IPv6: Can't replace route, no match found
sctp: [Deprecated]: syz-executor5 (pid 11976) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
IPv6: Can't replace route, no match found
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
sctp: [Deprecated]: syz-executor3 (pid 12001) Use of int in max_burst
socket option.
Use struct sctp_assoc_value instead


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
config.txt
raw.log

syzbot

Dec 6, 2017, 4:40:02 PM
to da...@davemloft.net, dc...@vger.kernel.org, gars...@embeddedor.com, ger...@erg.abdn.ac.uk, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
syzkaller has found reproducer for the following crash on
e56d565d67ae7dd6b25ce6a331c43e691ff1d247
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


dccp_close: ABORT with 36 bytes unread
dccp_close: ABORT with 36 bytes unread
dccp_close: ABORT with 36 bytes unread
BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at
net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
CPU: 0 PID: 3143 Comm: syz-executor0 Not tainted 4.15.0-rc2+ #210
dccp_close: ABORT with 36 bytes unread
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:422
dccp_close: ABORT with 36 bytes unread
ccid3_hc_rx_packet_recv+0x690/0xea7 net/dccp/ccids/ccid3.c:765
dccp_close: ABORT with 36 bytes unread
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x12f/0x160 net/dccp/ipv4.c:653
dccp_close: ABORT with 36 bytes unread
sk_backlog_rcv include/net/sock.h:911 [inline]
__sk_receive_skb+0x33e/0xc20 net/core/sock.c:511
dccp_close: ABORT with 36 bytes unread
dccp_v4_rcv+0xef1/0x1c00 net/dccp/ipv4.c:874
ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:466 [inline]
ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1a3e/0x3450 net/core/dev.c:4461
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4526
process_backlog+0x203/0x740 net/core/dev.c:5205
napi_poll net/core/dev.c:5603 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5669
__do_softirq+0x29d/0xbb2 kernel/softirq.c:285
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:984
</IRQ>
do_softirq.part.19+0x14d/0x190 kernel/softirq.c:329
do_softirq kernel/softirq.c:177 [inline]
__local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182
local_bh_enable include/linux/bottom_half.h:32 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline]
ip_finish_output2+0x8ad/0x1460 net/ipv4/ip_output.c:231
ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:460 [inline]
ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
dccp_xmit_packet+0x20f/0x730 net/dccp/output.c:281
dccp_write_xmit+0x17d/0x1d0 net/dccp/output.c:363
dccp_sendmsg+0x6d0/0xa80 net/dccp/proto.c:803
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:632 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:642
sock_write_iter+0x320/0x5e0 net/socket.c:911
call_write_iter include/linux/fs.h:1772 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x68a/0x970 fs/read_write.c:482
vfs_write+0x18f/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a39
RSP: 002b:00007f550aae2c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f550aae3700 RCX: 0000000000452a39
RDX: 000000000000005a RSI: 000000002077f000 RDI: 0000000000000005
RBP: 00007ffc255caf30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 00007ffc255caeaf R14: 00007f550aae39c0 R15: 000000000000000a
BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at
net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
CPU: 1 PID: 3225 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #210
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:422
ccid3_hc_rx_packet_recv+0x690/0xea7 net/dccp/ccids/ccid3.c:765
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x12f/0x160 net/dccp/ipv4.c:653
sk_backlog_rcv include/net/sock.h:911 [inline]
__sk_receive_skb+0x33e/0xc20 net/core/sock.c:511
dccp_v4_rcv+0xef1/0x1c00 net/dccp/ipv4.c:874
ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at
net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:466 [inline]
ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1a3e/0x3450 net/core/dev.c:4461
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4526
process_backlog+0x203/0x740 net/core/dev.c:5205
napi_poll net/core/dev.c:5603 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5669
__do_softirq+0x29d/0xbb2 kernel/softirq.c:285
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:984
</IRQ>
do_softirq.part.19+0x14d/0x190 kernel/softirq.c:329
do_softirq kernel/softirq.c:177 [inline]
__local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182
local_bh_enable include/linux/bottom_half.h:32 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline]
ip_finish_output2+0x8ad/0x1460 net/ipv4/ip_output.c:231
ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:460 [inline]
ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
dccp_xmit_packet+0x20f/0x730 net/dccp/output.c:281
dccp_write_xmit+0x17d/0x1d0 net/dccp/output.c:363
dccp_sendmsg+0x6d0/0xa80 net/dccp/proto.c:803
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:632 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:642
sock_write_iter+0x320/0x5e0 net/socket.c:911
call_write_iter include/linux/fs.h:1772 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x68a/0x970 fs/read_write.c:482
vfs_write+0x18f/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a39
RSP: 002b:00007fcec03c2c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fcec03c3700 RCX: 0000000000452a39
RDX: 000000000000005a RSI: 000000002077f000 RDI: 0000000000000005
RBP: 00007ffef4f0a5c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 00007ffef4f0a53f R14: 00007fcec03c39c0 R15: 000000000000000a
CPU: 0 PID: 3258 Comm: syz-executor6 Not tainted 4.15.0-rc2+ #210
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:422
ccid3_hc_rx_packet_recv+0x690/0xea7 net/dccp/ccids/ccid3.c:765
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x12f/0x160 net/dccp/ipv4.c:653
sk_backlog_rcv include/net/sock.h:911 [inline]
__sk_receive_skb+0x33e/0xc20 net/core/sock.c:511
dccp_v4_rcv+0xef1/0x1c00 net/dccp/ipv4.c:874
ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:466 [inline]
ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1a3e/0x3450 net/core/dev.c:4461
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4526
process_backlog+0x203/0x740 net/core/dev.c:5205
napi_poll net/core/dev.c:5603 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5669
__do_softirq+0x29d/0xbb2 kernel/softirq.c:285
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:984
</IRQ>
do_softirq.part.19+0x14d/0x190 kernel/softirq.c:329
do_softirq kernel/softirq.c:177 [inline]
__local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182
local_bh_enable include/linux/bottom_half.h:32 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline]
ip_finish_output2+0x8ad/0x1460 net/ipv4/ip_output.c:231
ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:460 [inline]
ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
dccp_xmit_packet+0x20f/0x730 net/dccp/output.c:281
dccp_write_xmit+0x17d/0x1d0 net/dccp/output.c:363
dccp_sendmsg+0x6d0/0xa80 net/dccp/proto.c:803
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:632 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:642
sock_write_iter+0x320/0x5e0 net/socket.c:911
call_write_iter include/linux/fs.h:1772 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x68a/0x970 fs/read_write.c:482
vfs_write+0x18f/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a39
RSP: 002b:00007ff4ae741c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ff4ae742700 RCX: 0000000000452a39
RDX: 000000000000005a RSI: 000000002077f000 RDI: 0000000000000005
RBP: 00007ffe84eb1010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 00007ffe84eb0f8f R14: 00007ff4ae7429c0 R15: 000000000000000a
BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at
net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at
net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
CPU: 1 PID: 3287 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #210
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:422
ccid3_hc_rx_packet_recv+0x690/0xea7 net/dccp/ccids/ccid3.c:765
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x12f/0x160 net/dccp/ipv4.c:653
sk_backlog_rcv include/net/sock.h:911 [inline]
__sk_receive_skb+0x33e/0xc20 net/core/sock.c:511
dccp_v4_rcv+0xef1/0x1c00 net/dccp/ipv4.c:874
ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:466 [inline]
ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1a3e/0x3450 net/core/dev.c:4461
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4526
process_backlog+0x203/0x740 net/core/dev.c:5205
napi_poll net/core/dev.c:5603 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5669
__do_softirq+0x29d/0xbb2 kernel/softirq.c:285
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:984
</IRQ>
do_softirq.part.19+0x14d/0x190 kernel/softirq.c:329
do_softirq kernel/softirq.c:177 [inline]
__local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182
local_bh_enable include/linux/bottom_half.h:32 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:727 [inline]
ip_finish_output2+0x8ad/0x1460 net/ipv4/ip_output.c:231
ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:460 [inline]
ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
dccp_xmit_packet+0x20f/0x730 net/dccp/output.c:281
dccp_write_xmit+0x17d/0x1d0 net/dccp/output.c:363
dccp_sendmsg+0x6d0/0xa80 net/dccp/proto.c:803
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:632 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:642
sock_write_iter+0x320/0x5e0 net/socket.c:911
call_write_iter include/linux/fs.h:1772 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x68a/0x970 fs/read_write.c:482
vfs_write+0x18f/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a39
RSP: 002b:00007fcec03c2c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fcec03c3700 RCX: 0000000000452a39
RDX: 000000000000005a RSI: 000000002077f000 RDI: 0000000000000005
RBP: 00007ffef4f0a5c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 00007ffef4f0a53f R14: 00007fcec03c39c0 R15: 000000000000000a

config.txt
raw.log
repro.txt

syzbot
Jan 18, 2018, 4:34:03 AM
to da...@davemloft.net, dc...@vger.kernel.org, gars...@embeddedor.com, ger...@erg.abdn.ac.uk, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following crash on linux-next commit
a362f6d2cdbd089dd7040ba66dcb0ad276a20cf7 (Thu Jan 18 07:07:54 2018 +0000)
Add linux-next specific files for 20180118

So far this crash happened 185 times on linux-next, mmots, net-next,
upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3ca02e1a9272a28e...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
CPU: 1 PID: 6246 Comm: syzkaller158939 Not tainted 4.15.0-rc8-next-20180118+ #100
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:422
ccid3_hc_rx_packet_recv+0x696/0xeb3 net/dccp/ccids/ccid3.c:765
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x135/0x160 net/dccp/ipv4.c:653
sk_backlog_rcv include/net/sock.h:908 [inline]
__sk_receive_skb+0x33e/0xc10 net/core/sock.c:513
dccp_v4_rcv+0xf5f/0x1c80 net/dccp/ipv4.c:874
ip_local_deliver_finish+0x2f1/0xc50 net/ipv4/ip_input.c:216
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:449 [inline]
ip_rcv_finish+0x953/0x1e30 net/ipv4/ip_input.c:397
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0xc5a/0x1840 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4537
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4602
process_backlog+0x203/0x740 net/core/dev.c:5282
napi_poll net/core/dev.c:5680 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5746
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1150
</IRQ>
do_softirq.part.19+0x14d/0x190 kernel/softirq.c:329
do_softirq kernel/softirq.c:177 [inline]
__local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182
local_bh_enable include/linux/bottom_half.h:32 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
ip_finish_output2+0x962/0x1550 net/ipv4/ip_output.c:231
ip_finish_output+0x864/0xd10 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:277 [inline]
ip_output+0x1d2/0x860 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:443 [inline]
ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
ip_queue_xmit+0x8c0/0x18e0 net/ipv4/ip_output.c:504
dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
dccp_xmit_packet+0x215/0x740 net/dccp/output.c:281
dccp_write_xmit+0x17d/0x1d0 net/dccp/output.c:363
dccp_sendmsg+0x95f/0xdc0 net/dccp/proto.c:813
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:640
___sys_sendmsg+0x767/0x8b0 net/socket.c:2020
__sys_sendmsg+0xe5/0x210 net/socket.c:2054
SYSC_sendmsg net/socket.c:2065 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2061
entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x446469
RSP: 002b:00007fcecb23bda8 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc3c RCX: 0000000000446469
RDX: 0000000000000080 RSI: 00000000206c8000 RDI: 0000000000000005
RBP: 00000000006dbc38 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: f8e4cbe49e572d45
R13: 54c1b85d98aba1df R14: a6eaa24dbeb18c29 R15: 000000000000000c

raw.log.txt
repro.syz.txt
repro.c.txt
config.txt

Eric Biggers
Apr 8, 2018, 5:56:27 PM
to dc...@vger.kernel.org, ger...@erg.abdn.ac.uk, da...@davemloft.net, gars...@embeddedor.com, syzbot, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
This is still happening. It *might* be related to the other bug "suspicious RCU
usage at ./include/net/inet_sock.h:LINE". Here's a simplified reproducer for
this one:

#include <linux/dccp.h>
#include <linux/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

int main()
{
    /* sin_addr stays INADDR_ANY and sin_port stays 0: the kernel picks an
     * ephemeral port, which getsockname() reads back for connect() below. */
    struct sockaddr_in addr = { .sin_family = AF_INET };
    socklen_t addrlen = sizeof(addr);
    int fd;

    /* Run each attempt in a fresh child; the parent re-forks forever.
     * Minimal reproducer: return values are deliberately not checked. */
    while (fork())
        wait(NULL);
    fd = socket(AF_INET, SOCK_DCCP, 0);
    bind(fd, (void *)&addr, addrlen);
    getsockname(fd, (void *)&addr, &addrlen);
    listen(fd, 100);
    if (fork()) {
        /* Client: request CCID 3 (TFRC) before connecting. */
        fd = socket(AF_INET, SOCK_DCCP, 0);
        setsockopt(fd, SOL_DCCP, DCCP_SOCKOPT_CCID, "\x03", 1);
        connect(fd, (void *)&addr, sizeof(addr));
    } else {
        /* Server: accept the connection on the listening socket. */
        fd = accept(fd, NULL, 0);
    }
    /* Both ends send 1-byte packets over loopback; neither side reads. */
    for (int i = 0; i < 1000; i++)
        write(fd, "X", 1);
}
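The reproducer above never checks whether any of its syscalls succeeded, so on a kernel without DCCP (or without CCID 3 built in) it runs to completion without ever touching the code path in the trace. The following is an added example, not code from the thread or from the kernel tree: a self-checking variant that first probes whether DCCP sockets and CCID 3 are available, then runs a bounded number of loopback rounds and reads back the CCID the client actually negotiated via DCCP_SOCKOPT_TX_CCID (a 3 there means the server's receive half runs CCID 3, the ccid3_hc_rx_packet_recv path in the trace). The numeric constants are the Linux ABI values from the uapi headers, repeated so the file builds without <linux/dccp.h>; the function names, the 10 s accept timeout and the default of 20 rounds are this example's own choices.

```c
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Linux ABI constants (same values as <linux/socket.h> / <linux/dccp.h>),
 * spelled out so this builds where those headers are not installed. */
#ifndef SOCK_DCCP
#define SOCK_DCCP 6
#endif
#ifndef SOL_DCCP
#define SOL_DCCP 269
#endif
#ifndef DCCP_SOCKOPT_CCID
#define DCCP_SOCKOPT_CCID 13
#endif
#ifndef DCCP_SOCKOPT_TX_CCID
#define DCCP_SOCKOPT_TX_CCID 14
#endif

#define WANT_CCID 3 /* TFRC; its receiver half is where the DCCP_BUG fires */

enum dccp_probe_result {
    DCCP_PROBE_NO_DCCP = 0,  /* socket(AF_INET, SOCK_DCCP, 0) refused */
    DCCP_PROBE_NO_CCID3 = 1, /* DCCP present, but CCID 3 rejected */
    DCCP_PROBE_OK = 2,       /* DCCP present and CCID 3 accepted */
};

/* Precondition check: can this kernel run the reproducer at all? */
enum dccp_probe_result dccp_probe(void)
{
    unsigned char ccid = WANT_CCID;
    int fd, rc;

    fd = socket(AF_INET, SOCK_DCCP, 0);
    if (fd < 0)
        return DCCP_PROBE_NO_DCCP;
    rc = setsockopt(fd, SOL_DCCP, DCCP_SOCKOPT_CCID, &ccid, sizeof(ccid));
    close(fd);
    return rc == 0 ? DCCP_PROBE_OK : DCCP_PROBE_NO_CCID3;
}

/* One checked server/client round on loopback, the same exchange as the
 * reproducer above. Returns the client's negotiated TX CCID, or -1 if any
 * step failed (example helper, not a kernel or syzkaller API). */
int one_round(int writes)
{
    struct sockaddr_in addr = { .sin_family = AF_INET,
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof(addr);
    unsigned char ccid = WANT_CCID;
    int lfd, cfd, afd, tx_ccid = -1, status, i;
    socklen_t clen = sizeof(tx_ccid);
    pid_t pid;

    signal(SIGPIPE, SIG_IGN); /* a peer that exits first must not kill us */
    lfd = socket(AF_INET, SOCK_DCCP, 0);
    if (lfd < 0)
        return -1;
    if (bind(lfd, (struct sockaddr *)&addr, len) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &len) < 0 ||
        listen(lfd, 1) < 0) {
        close(lfd);
        return -1;
    }
    /* Set up the client before forking, so a rejected CCID cannot leave a
     * server child parked in accept(). */
    cfd = socket(AF_INET, SOCK_DCCP, 0);
    if (cfd < 0 ||
        setsockopt(cfd, SOL_DCCP, DCCP_SOCKOPT_CCID, &ccid, sizeof(ccid)) < 0) {
        if (cfd >= 0)
            close(cfd);
        close(lfd);
        return -1;
    }
    pid = fork();
    if (pid < 0) {
        close(cfd);
        close(lfd);
        return -1;
    }
    if (pid == 0) {               /* server child */
        alarm(10);                /* give up if no client connects */
        afd = accept(lfd, NULL, NULL);
        if (afd < 0)
            _exit(1);
        for (i = 0; i < writes && write(afd, "X", 1) == 1; i++)
            ;
        _exit(0);
    }
    if (connect(cfd, (struct sockaddr *)&addr, len) == 0) {
        /* Read back what was really negotiated; the original repro does not. */
        if (getsockopt(cfd, SOL_DCCP, DCCP_SOCKOPT_TX_CCID, &tx_ccid, &clen) < 0)
            tx_ccid = -1;
        for (i = 0; i < writes && write(cfd, "X", 1) == 1; i++)
            ;
    }
    close(cfd);
    waitpid(pid, &status, 0);
    close(lfd);
    return tx_ccid;
}

int main(int argc, char **argv)
{
    int rounds = argc > 1 ? atoi(argv[1]) : 20;
    enum dccp_probe_result r = dccp_probe();

    if (r == DCCP_PROBE_NO_DCCP) {
        fprintf(stderr, "no DCCP socket support: %s\n", strerror(errno));
        return 2;
    }
    if (r == DCCP_PROBE_NO_CCID3) {
        fprintf(stderr, "DCCP present, but CCID %d was rejected\n", WANT_CCID);
        return 2;
    }
    for (int i = 0; i < rounds; i++)
        printf("round %d: client TX CCID = %d\n", i, one_round(1000));
    return 0;
}
```

Run it as root or with CAP_NET_RAW-free defaults (plain DCCP sockets need no privilege), then look in the kernel log for the "please report to dccp@vger.kernel.org => prev = 0, last = 0" line quoted in this thread; a run that exits with status 2 never exercised the DCCP receive path and says nothing about whether the bug is still present.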