kernel BUG at net/ipv4/tcp_input.c:LINE! (2)


syzbot

Oct 25, 2019, 3:47:10 AM10/25/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1140ef54e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=8932c0de2805c5a66f48
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12262f44e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13762cb7600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8932c0...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at net/ipv4/tcp_input.c:4839!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 2219 Comm: syz-executor442 Not tainted 4.4.174+ #17
task: ffff8801d3cd2f80 task.stack: ffff8801d3788000
RIP: 0010:[<ffffffff824121bd>] [<ffffffff824121bd>] tcp_collapse+0x9bd/0xda0 net/ipv4/tcp_input.c:4839
RSP: 0018:ffff8801db6073c8 EFLAGS: 00010206
RAX: ffff8801d3cd2f80 RBX: 0000000000000450 RCX: 000000000a40b7bb
RDX: 0000000000000100 RSI: ffffffff824121bd RDI: 0000000000000450
RBP: ffff8801db607518 R08: 1ffff10016ea6ecd R09: ffffed0016ea6ed3
R10: ffffed0016ea6ed2 R11: ffff8800b7537697 R12: ffff8801d2c0d78c
R13: ffff8801d2c0d760 R14: dffffc0000000000 R15: ffff8800b7537640
FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:00000000f77cdb40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001cef42000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8800b8722a40 ffffed00170e4548 ffff8800b753766c ffff8801db607460
ffff8801d3725680 ffff880000000900 0000000000000000 ffff8800b8722900
1ffff1003b6c0e86 0000000000000000 fffffc1800000450 ffff8800b8722a30
Call Trace:
<IRQ>
[<ffffffff82412c5a>] tcp_prune_queue net/ipv4/tcp_input.c:4990 [inline]
[<ffffffff82412c5a>] tcp_try_rmem_schedule+0x6ba/0x1280 net/ipv4/tcp_input.c:4386
[<ffffffff82415462>] tcp_data_queue_ofo net/ipv4/tcp_input.c:4410 [inline]
[<ffffffff82415462>] tcp_data_queue+0x11f2/0x3a90 net/ipv4/tcp_input.c:4713
[<ffffffff82422a99>] tcp_rcv_established+0x599/0x2070 net/ipv4/tcp_input.c:5538
[<ffffffff8244a483>] tcp_v4_do_rcv+0x553/0x7a0 net/ipv4/tcp_ipv4.c:1397
[<ffffffff8244f06d>] sk_backlog_rcv include/net/sock.h:875 [inline]
[<ffffffff8244f06d>] tcp_prequeue net/ipv4/tcp_ipv4.c:1519 [inline]
[<ffffffff8244f06d>] tcp_prequeue+0x4dd/0xdc0 net/ipv4/tcp_ipv4.c:1489
[<ffffffff82455693>] tcp_v4_rcv+0x29a3/0x36b0 net/ipv4/tcp_ipv4.c:1679
[<ffffffff823b59c0>] ip_local_deliver_finish+0x3c0/0xa70 net/ipv4/ip_input.c:216
[<ffffffff823b797f>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff823b797f>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff823b797f>] ip_local_deliver+0x1af/0x390 net/ipv4/ip_input.c:257
[<ffffffff823b67d8>] dst_input include/net/dst.h:504 [inline]
[<ffffffff823b67d8>] ip_rcv_finish+0x768/0x1220 net/ipv4/ip_input.c:365
[<ffffffff823b845a>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff823b845a>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff823b845a>] ip_rcv+0x8fa/0xe70 net/ipv4/ip_input.c:456
[<ffffffff82230640>] __netif_receive_skb_core+0x1300/0x2950 net/core/dev.c:4041
[<ffffffff82238bd8>] __netif_receive_skb+0x58/0x1c0 net/core/dev.c:4076
[<ffffffff8223fec0>] process_backlog+0x200/0x630 net/core/dev.c:4673
[<ffffffff8223f2f7>] napi_poll net/core/dev.c:4911 [inline]
[<ffffffff8223f2f7>] net_rx_action+0x367/0xd30 net/core/dev.c:4976
[<ffffffff8271bb16>] __do_softirq+0x226/0xa3f kernel/softirq.c:273
[<ffffffff82719cdc>] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:956
<EOI>
[<ffffffff810e1744>] do_softirq.part.0+0x54/0x60 kernel/softirq.c:317
[<ffffffff810e181c>] do_softirq kernel/softirq.c:309 [inline]
[<ffffffff810e181c>] __local_bh_enable_ip+0xcc/0xe0 kernel/softirq.c:170
[<ffffffff82717fc1>] __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:178 [inline]
[<ffffffff82717fc1>] _raw_spin_unlock_bh+0x31/0x40 kernel/locking/spinlock.c:207
[<ffffffff821e6078>] spin_unlock_bh include/linux/spinlock.h:352 [inline]
[<ffffffff821e6078>] release_sock+0x3a8/0x500 net/core/sock.c:2488
[<ffffffff821e6308>] sk_wait_data+0x138/0x3b0 net/core/sock.c:2065
[<ffffffff823f3cc6>] tcp_recvmsg+0xfb6/0x2d10 net/ipv4/tcp.c:1777
[<ffffffff824a86ae>] inet_recvmsg+0x23e/0x4d0 net/ipv4/af_inet.c:786
[<ffffffff821d8d9f>] sock_recvmsg_nosec net/socket.c:740 [inline]
[<ffffffff821d8d9f>] sock_recvmsg net/socket.c:748 [inline]
[<ffffffff821d8d9f>] sock_recvmsg+0x8f/0xc0 net/socket.c:743
[<ffffffff821da5e7>] ___sys_recvmsg+0x257/0x530 net/socket.c:2129
[<ffffffff821dd5b5>] __sys_recvmsg+0xc5/0x160 net/socket.c:2175
[<ffffffff822ace5a>] C_SYSC_recvmsg net/compat.c:737 [inline]
[<ffffffff822ace5a>] compat_SyS_recvmsg+0x2a/0x40 net/compat.c:735
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
Code: 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 03 02 00 00 44 3b 73 28 79 a5 e8 3e 74 ef fe 4c 8d 7b 10 eb a3 e8 33 74 ef fe <0f> 0b e8 2c 74 ef fe 48 8b 8d e0 fe ff ff 4c 89 ee 48 8b 95 08
RIP [<ffffffff824121bd>] tcp_collapse+0x9bd/0xda0 net/ipv4/tcp_input.c:4839
RSP <ffff8801db6073c8>
---[ end trace d4789cf5fd5835d7 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches