WARNING in skb_try_coalesce


syzbot

Apr 12, 2019, 8:00:49 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: a925dfbd Merge 4.9.125 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1175e849400000
kernel config: https://syzkaller.appspot.com/x/.config?x=e4e70395f75b2239
dashboard link: https://syzkaller.appspot.com/bug?extid=ef6f9535199f89763a4c
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112a717a400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142b5146400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ef6f95...@syzkaller.appspotmail.com

random: crng init done
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2219 at net/core/skbuff.c:4353 skb_try_coalesce+0xeb1/0x1270 net/core/skbuff.c:4353
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 2219 Comm: syz-executor358 Not tainted 4.9.125+ #88
ffff8801c74473e0 ffffffff81af0ae9 ffffffff82838ba0 00000000ffffffff
0000000000000000 0000000000000001 0000000000001101 ffff8801c74474a0
ffffffff813df095 0000000041b58ab3 ffffffff82c28773 ffffffff813deed6
Call Trace:
[<ffffffff81af0ae9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81af0ae9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff813df095>] panic+0x1bf/0x39f kernel/panic.c:179
[<ffffffff813df364>] __warn.cold.9+0xc1/0x17f kernel/panic.c:542
[<ffffffff810d93cc>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
[<ffffffff82250461>] skb_try_coalesce+0xeb1/0x1270 net/core/skbuff.c:4353
[<ffffffff8246ce79>] tcp_try_coalesce+0x159/0x490 net/ipv4/tcp_input.c:4362
[<ffffffff8246d2d7>] tcp_queue_rcv+0x127/0x590 net/ipv4/tcp_input.c:4616
[<ffffffff824834fd>] tcp_data_queue+0x96d/0x38a0 net/ipv4/tcp_input.c:4725
[<ffffffff8248696d>] tcp_rcv_established+0x53d/0x1ff0 net/ipv4/tcp_input.c:5613
[<ffffffff826b7ef1>] tcp_v6_do_rcv+0xcd1/0x10e0 net/ipv6/tcp_ipv6.c:1283
[<ffffffff822317ba>] sk_backlog_rcv include/net/sock.h:871 [inline]
[<ffffffff822317ba>] __release_sock+0x13a/0x390 net/core/sock.c:2059
[<ffffffff82237a37>] __sk_flush_backlog+0x27/0x40 net/core/sock.c:2079
[<ffffffff8246098e>] sk_flush_backlog include/net/sock.h:940 [inline]
[<ffffffff8246098e>] tcp_sendmsg+0x245e/0x2fd0 net/ipv4/tcp.c:1225
[<ffffffff82510da3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
[<ffffffff8222361b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff8222361b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff82227680>] SYSC_sendto net/socket.c:1683 [inline]
[<ffffffff82227680>] SyS_sendto+0x220/0x370 net/socket.c:1651
[<ffffffff8100554f>] do_syscall_64+0x19f/0x480 arch/x86/entry/common.c:282
[<ffffffff8278c193>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 12, 2019, 8:00:55 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d63fdf61 Merge 4.4.120 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1523c80b800000
kernel config: https://syzkaller.appspot.com/x/.config?x=b36b3c05dfb8e06d
dashboard link: https://syzkaller.appspot.com/bug?extid=03e1aea7fc992b0b3d5a
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14be9293800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=135b4373800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+03e1ae...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 103 bits of entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available)
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3667 at net/core/skbuff.c:4183 skb_try_coalesce+0xfa6/0x15f0 net/core/skbuff.c:4183()
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 3667 Comm: syzkaller095651 Not tainted 4.4.120-gd63fdf6 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 86b1d0de4b52ce02 ffff8801db307228 ffffffff81d0408d
ffffffff83843b40 ffff8801db307300 ffffffff83ca8de0 0000000000000009
0000000000001057 ffff8801db3072f0 ffffffff8141ab2a 0000000041b58ab3
Call Trace:
<IRQ> [<ffffffff81d0408d>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81d0408d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff8141ab2a>] panic+0x1aa/0x388 kernel/panic.c:112
[<ffffffff8112d885>] warn_slowpath_common+0x125/0x140 kernel/panic.c:455
[<ffffffff8112dae9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:492
[<ffffffff82e1b456>] skb_try_coalesce+0xfa6/0x15f0 net/core/skbuff.c:4183
[<ffffffff8312b34c>] tcp_try_coalesce+0x15c/0x4d0 net/ipv4/tcp_input.c:4273
[<ffffffff831335b7>] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[<ffffffff8313a9db>] tcp_data_queue+0xd9b/0x48e0 net/ipv4/tcp_input.c:4595
[<ffffffff8314908a>] tcp_rcv_established+0x7ca/0x2230 net/ipv4/tcp_input.c:5418
[<ffffffff833abd6d>] tcp_v6_do_rcv+0x42d/0x1470 net/ipv6/tcp_ipv6.c:1267
[<ffffffff833ae93d>] tcp_v6_rcv+0x1b8d/0x2800 net/ipv6/tcp_ipv6.c:1473
[<ffffffff83310379>] ip6_input_finish+0x329/0x1540 net/ipv6/ip6_input.c:248
[<ffffffff833134f6>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff833134f6>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff833134f6>] ip6_input+0x106/0x200 net/ipv6/ip6_input.c:280
[<ffffffff8330fb58>] dst_input include/net/dst.h:504 [inline]
[<ffffffff8330fb58>] ip6_rcv_finish+0x138/0x630 net/ipv6/ip6_input.c:62
[<ffffffff833125e5>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff833125e5>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff833125e5>] ipv6_rcv+0x1055/0x1e60 net/ipv6/ip6_input.c:186
[<ffffffff82e4c109>] __netif_receive_skb_core+0xa59/0x28f0 net/core/dev.c:4012
[<ffffffff82e4dffb>] __netif_receive_skb+0x5b/0x1c0 net/core/dev.c:4047
[<ffffffff82e50033>] process_backlog+0x213/0x690 net/core/dev.c:4640
[<ffffffff82e4f323>] napi_poll net/core/dev.c:4878 [inline]
[<ffffffff82e4f323>] net_rx_action+0x373/0xe70 net/core/dev.c:4943
[<ffffffff83776e57>] __do_softirq+0x227/0xa38 kernel/softirq.c:273
[<ffffffff83774bdc>] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:925
<EOI> [<ffffffff8113bcc4>] do_softirq.part.17+0x54/0x60 kernel/softirq.c:317
[<ffffffff8113bd8e>] do_softirq kernel/softirq.c:165 [inline]
[<ffffffff8113bd8e>] __local_bh_enable_ip+0xbe/0xd0 kernel/softirq.c:170
[<ffffffff83772e80>] __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:178 [inline]
[<ffffffff83772e80>] _raw_spin_unlock_bh+0x30/0x40 kernel/locking/spinlock.c:207
[<ffffffff82df8efe>] spin_unlock_bh include/linux/spinlock.h:352 [inline]
[<ffffffff82df8efe>] release_sock+0x3be/0x510 net/core/sock.c:2484
[<ffffffff8311f52f>] tcp_sendpage+0xaff/0x1830 net/ipv4/tcp.c:1034
[<ffffffff831d8227>] inet_sendpage+0x2d7/0x500 net/ipv4/af_inet.c:772
[<ffffffff82deacad>] kernel_sendpage+0x8d/0xe0 net/socket.c:3301
[<ffffffff82dead8c>] sock_sendpage+0x8c/0xc0 net/socket.c:780
[<ffffffff815b52c4>] pipe_to_sendpage+0x264/0x320 fs/splice.c:724
[<ffffffff815b7adf>] splice_from_pipe_feed fs/splice.c:776 [inline]
[<ffffffff815b7adf>] __splice_from_pipe+0x2ff/0x6f0 fs/splice.c:901
[<ffffffff815bad29>] splice_from_pipe+0xf9/0x160 fs/splice.c:936
[<ffffffff815badd0>] generic_splice_sendpage+0x40/0x50 fs/splice.c:1109
[<ffffffff815b5005>] do_splice_from fs/splice.c:1128 [inline]
[<ffffffff815b5005>] direct_splice_actor+0x125/0x180 fs/splice.c:1294
[<ffffffff815b6312>] splice_direct_to_actor+0x2d2/0x830 fs/splice.c:1247
[<ffffffff815b6a17>] do_splice_direct+0x1a7/0x270 fs/splice.c:1337
[<ffffffff81520e5c>] do_sendfile+0x54c/0xd30 fs/read_write.c:1227
[<ffffffff81522eb3>] SYSC_sendfile64 fs/read_write.c:1282 [inline]
[<ffffffff81522eb3>] SyS_sendfile64+0xc3/0x150 fs/read_write.c:1274
[<ffffffff8377395f>] entry_SYSCALL_64_fastpath+0x1c/0x98