kernel BUG at net/ipv4/tcp_output.c:LINE!

syzbot

Apr 11, 2019, 4:44:57 AM4/11/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 4b08356a BACKPORT, FROMLIST: fscrypt: add Speck128/256 sup..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11e030d7800000
kernel config: https://syzkaller.appspot.com/x/.config?x=69a973bb5ca1350a
dashboard link: https://syzkaller.appspot.com/bug?extid=b47aba1fddcec638af15
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f642b7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=110765af800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b47aba...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at net/ipv4/tcp_output.c:2591!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17386 Comm: syz-executor404 Not tainted 4.4.132-g4b08356 #50
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d8a96000 task.stack: ffff8800b3b58000
RIP: 0010:[<ffffffff8328aff5>] [<ffffffff8328aff5>] __tcp_retransmit_skb+0x17e5/0x1860 net/ipv4/tcp_output.c:2591
RSP: 0018:ffff8801db307b60 EFLAGS: 00010206
RAX: ffff8801d8a96000 RBX: ffff8800b63b9428 RCX: ffff8801d3c01744
RDX: 0000000000000100 RSI: ffffffff8328aff5 RDI: ffff8800b63b942c
RBP: ffff8801db307c08 R08: 0000007cce8d44e7 R09: 0000000000000006
R10: ffffed0043fffa09 R11: 0000000000000001 R12: 00000000c7600113
R13: 00000000c7511c5b R14: ffff8800b63b9400 R15: ffff8801d3c01500
FS: 00007ff725e36700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020600000 CR3: 00000001d2389000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000007cce8d44e7 ffffffffffffffff 0000007cce8f01c9 ffff8801d3c01500
0000000000000004 00000000c751208b dffffc0000000000 ffff8801d3c01744
ffff8801db307bc8 ffffffff833a936e ffff8801d3c01500 ffffffff833a8f50
Call Trace:
<IRQ>
[<ffffffff8328b763>] tcp_retransmit_skb+0x23/0x2c0 net/ipv4/tcp_output.c:2664
[<ffffffff8329104d>] tcp_retransmit_timer+0x7bd/0x1ed0 net/ipv4/tcp_timer.c:461
[<ffffffff83292951>] tcp_write_timer_handler+0x1f1/0x6f0 net/ipv4/tcp_timer.c:543
[<ffffffff83292f0a>] tcp_write_timer+0xba/0xd0 net/ipv4/tcp_timer.c:561
[<ffffffff8129085c>] call_timer_fn+0x18c/0x870 kernel/time/timer.c:1185
[<ffffffff81291582>] __run_timers kernel/time/timer.c:1261 [inline]
[<ffffffff81291582>] run_timer_softirq+0x642/0xb90 kernel/time/timer.c:1444
[<ffffffff838c376c>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
[<ffffffff8113f75d>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff8113f75d>] irq_exit+0x10d/0x140 kernel/softirq.c:391
[<ffffffff838c2ed1>] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
[<ffffffff838c2ed1>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:926
[<ffffffff838c1e10>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
<EOI>
[<ffffffff81134024>] release_task.part.17+0xa94/0x1200 kernel/exit.c:212
[<ffffffff81135ddb>] release_task kernel/exit.c:630 [inline]
[<ffffffff81135ddb>] exit_notify kernel/exit.c:632 [inline]
[<ffffffff81135ddb>] do_exit+0x164b/0x26b0 kernel/exit.c:780
[<ffffffff8113b0c1>] do_group_exit+0x111/0x330 kernel/exit.c:889
[<ffffffff8115e45c>] get_signal+0x4ec/0x14b0 kernel/signal.c:2317
[<ffffffff8100e02b>] do_signal+0x8b/0x1d30 arch/x86/kernel/signal.c:712
[<ffffffff8100360a>] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:248
[<ffffffff81006535>] prepare_exit_to_usermode arch/x86/entry/common.c:283 [inline]
[<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:348
[<ffffffff838c0435>] int_ret_from_sys_call+0x25/0xa3
Code: e0 26 fe e9 aa ed ff ff e8 89 e0 26 fe e9 4f f5 ff ff e8 7f e0 26 fe e9 6b f5 ff ff e8 95 e0 26 fe e9 d3 ef ff ff e8 fb 61 0c fe <0f> 0b 4c 89 f7 e8 81 e0 26 fe e9 d9 ec ff ff e8 f7 e0 26 fe e9
RIP [<ffffffff8328aff5>] __tcp_retransmit_skb+0x17e5/0x1860 net/ipv4/tcp_output.c:2591
RSP <ffff8801db307b60>
---[ end trace 61a5349a41bafffe ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches