kernel BUG at net/ipv4/tcp_input.c:LINE!


syzbot

Apr 14, 2019, 5:28:27 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 498bf612 ANDROID: zram: set comp_len to PAGE_SIZE when pag..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=105cf225400000
kernel config: https://syzkaller.appspot.com/x/.config?x=91537011cdb01073
dashboard link: https://syzkaller.appspot.com/bug?extid=e4585c9a69200a831eef
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e4585c...@syzkaller.appspotmail.com

audit: type=1400 audit(1542412860.468:22): avc: denied { transfer } for pid=5816 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
------------[ cut here ]------------
kernel BUG at net/ipv4/tcp_input.c:4839!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 5859 Comm: syz-executor2 Not tainted 4.4.163+ #12
task: ffff8801d4c297c0 task.stack: ffff8800a6d70000
RIP: 0010:[<ffffffff8240bf0d>] [<ffffffff8240bf0d>] tcp_collapse+0x98d/0xd00 net/ipv4/tcp_input.c:4839
RSP: 0018:ffff8801db707358 EFLAGS: 00010206
RAX: ffff8801d4c297c0 RBX: 0000000000000350 RCX: 000000005f4ae35a
RDX: 0000000000000100 RSI: ffffffff8240bf0d RDI: ffff8800b8325398
RBP: ffff8801db707490 R08: ffffed00164e08fb R09: ffffed00164e08f5
R10: ffffed00164e08fa R11: ffff8800b27047d7 R12: ffff8800b96e728c
R13: ffff8800b96e7260 R14: dffffc0000000000 R15: ffff8800b2704780
FS: 0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:00000000f5753b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007ff6a0950000 CR3: 00000001d63b8000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8800b8325340 ffffed0017064a68 ffff8800b27047ac ffff8801db7073e8
ffffffff82c7da3d ffff8800b96e7288 0000000000000000 ffff8800b8325200
1ffff1003b6e0e79 00000350db7073b0 0000000000000000 00000000fffffd1a
Call Trace:
<IRQ>
[<ffffffff8240c91b>] tcp_prune_queue net/ipv4/tcp_input.c:4990 [inline]
[<ffffffff8240c91b>] tcp_try_rmem_schedule+0x69b/0x1270 net/ipv4/tcp_input.c:4386
[<ffffffff8240f02f>] tcp_data_queue_ofo net/ipv4/tcp_input.c:4410 [inline]
[<ffffffff8240f02f>] tcp_data_queue+0x10ff/0x3ad0 net/ipv4/tcp_input.c:4713
[<ffffffff8241c3fa>] tcp_rcv_established+0x57a/0x1fd0 net/ipv4/tcp_input.c:5538
[<ffffffff82443a53>] tcp_v4_do_rcv+0x553/0x7a0 net/ipv4/tcp_ipv4.c:1397
[<ffffffff82448669>] sk_backlog_rcv include/net/sock.h:871 [inline]
[<ffffffff82448669>] tcp_prequeue+0x4d9/0xdf0 net/ipv4/tcp_ipv4.c:1519
[<ffffffff8244edab>] tcp_v4_rcv+0x2a6b/0x3750 net/ipv4/tcp_ipv4.c:1679
[<ffffffff823af7d0>] ip_local_deliver_finish+0x3c0/0xa70 net/ipv4/ip_input.c:216
[<ffffffff823b178c>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff823b178c>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff823b178c>] ip_local_deliver+0x1ac/0x390 net/ipv4/ip_input.c:257
[<ffffffff823b05d9>] dst_input include/net/dst.h:504 [inline]
[<ffffffff823b05d9>] ip_rcv_finish+0x759/0x1220 net/ipv4/ip_input.c:365
[<ffffffff823b2209>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
[<ffffffff823b2209>] NF_HOOK include/linux/netfilter.h:249 [inline]
[<ffffffff823b2209>] ip_rcv+0x899/0xfc0 net/ipv4/ip_input.c:455
[<ffffffff822282f8>] __netif_receive_skb_core+0x12c8/0x2820 net/core/dev.c:4041
[<ffffffff822309ab>] __netif_receive_skb+0x5b/0x1c0 net/core/dev.c:4076
[<ffffffff82237d4a>] process_backlog+0x20a/0x670 net/core/dev.c:4669
[<ffffffff82237157>] napi_poll net/core/dev.c:4907 [inline]
[<ffffffff82237157>] net_rx_action+0x367/0xd50 net/core/dev.c:4972
[<ffffffff827152ea>] __do_softirq+0x22a/0xa3e kernel/softirq.c:273
[<ffffffff827134dc>] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:929
<EOI>
[<ffffffff810e1c74>] do_softirq.part.2+0x54/0x60 kernel/softirq.c:317
[<ffffffff810e1d54>] do_softirq kernel/softirq.c:309 [inline]
[<ffffffff810e1d54>] __local_bh_enable_ip+0xd4/0xe0 kernel/softirq.c:170
[<ffffffff82711820>] __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:178 [inline]
[<ffffffff82711820>] _raw_spin_unlock_bh+0x30/0x40 kernel/locking/spinlock.c:207
[<ffffffff821dd806>] spin_unlock_bh include/linux/spinlock.h:352 [inline]
[<ffffffff821dd806>] release_sock+0x3b6/0x500 net/core/sock.c:2484
[<ffffffff821dda74>] sk_wait_data+0x124/0x3a0 net/core/sock.c:2064
[<ffffffff823ee0a2>] tcp_recvmsg+0x19d2/0x2de0 net/ipv4/tcp.c:1777
[<ffffffff824a233e>] inet_recvmsg+0x23e/0x4c0 net/ipv4/af_inet.c:786
[<ffffffff821d03e1>] sock_recvmsg_nosec net/socket.c:740 [inline]
[<ffffffff821d03e1>] sock_recvmsg+0x91/0xc0 net/socket.c:748
[<ffffffff821d1bd5>] ___sys_recvmsg+0x265/0x550 net/socket.c:2129
[<ffffffff821d4da6>] __sys_recvmsg+0xd6/0x190 net/socket.c:2175
[<ffffffff822a5baa>] C_SYSC_recvmsg net/compat.c:734 [inline]
[<ffffffff822a5baa>] compat_SyS_recvmsg+0x2a/0x40 net/compat.c:732
[<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
[<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
[<ffffffff82713b50>] sysenter_flags_fixed+0xd/0x1a
Code: 03 38 ca 7c 08 84 c9 0f 85 ef 01 00 00 45 39 7c 24 28 0f 89 77 ff ff ff e8 81 b3 ef fe 4d 8d 75 10 e9 72 ff ff ff e8 73 b3 ef fe <0f> 0b e8 6c b3 ef fe 48 8b 8d f8 fe ff ff 4c 89 ee 48 8b 95 28
RIP [<ffffffff8240bf0d>] tcp_collapse+0x98d/0xd00 net/ipv4/tcp_input.c:4839
RSP <ffff8801db707358>
---[ end trace 29189a59848d08f6 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 15, 2019, 8:02:03 PM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.