kernel BUG at ./include/linux/skbuff.h:LINE!


syzbot

Aug 10, 2019, 4:48:07 AM8/10/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 57ac921e Merge 4.14.138 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=10b782ba600000
kernel config: https://syzkaller.appspot.com/x/.config?x=2ac71e39ec484d3c
dashboard link: https://syzkaller.appspot.com/bug?extid=5e0d508e10728f4f907d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17114c0e600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5e0d50...@syzkaller.appspotmail.com

audit: type=1400 audit(1565424320.443:9): avc: denied { map } for
pid=1776 comm="syz-execprog" path="/root/syzkaller-shm324057342" dev="sda1"
ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
------------[ cut here ]------------
kernel BUG at ./include/linux/skbuff.h:1406!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.138+ #30
task: (ptrval) task.stack: (ptrval)
RIP: 0010:skb_queue_prev include/linux/skbuff.h:1406 [inline]
RIP: 0010:tcp_write_queue_prev include/net/tcp.h:1651 [inline]
RIP: 0010:tcp_rtx_queue_tail include/net/tcp.h:1706 [inline]
RIP: 0010:tcp_fragment+0x12c6/0x13e0 net/ipv4/tcp_output.c:1284
RSP: 0018:ffff8881dba07bf8 EFLAGS: 00010206
RAX: ffffffff95e30c40 RBX: ffff8881d39b9500 RCX: 1ffff1103a7372e9
RDX: 0000000000000100 RSI: ffff8881cd1f4c80 RDI: ffff8881cd1f4c88
RBP: ffff8881cd1f4c80 R08: 0000000001080020 R09: ffff88821ffff008
R10: ffff88821ffff017 R11: ffff88821ffff010 R12: 0000000000000000
R13: 0000000000001880 R14: 0000000001080020 R15: ffff8881d39b9750
FS: 0000000000000000(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000075c000 CR3: 000000016a226001 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
tcp_write_wakeup+0x32b/0x570 net/ipv4/tcp_output.c:3708
tcp_send_probe0+0x46/0x3cc net/ipv4/tcp_output.c:3736
tcp_probe_timer net/ipv4/tcp_timer.c:365 [inline]
tcp_write_timer_handler+0x687/0x780 net/ipv4/tcp_timer.c:583
tcp_write_timer+0xc9/0x170 net/ipv4/tcp_timer.c:597
call_timer_fn+0x15b/0x6a0 kernel/time/timer.c:1279
expire_timers+0x227/0x4c0 kernel/time/timer.c:1318
__run_timers kernel/time/timer.c:1634 [inline]
run_timer_softirq+0x1eb/0x5d0 kernel/time/timer.c:1647
__do_softirq+0x234/0x9ec kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x114/0x150 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:648 [inline]
smp_apic_timer_interrupt+0x1a7/0x650 arch/x86/kernel/apic/apic.c:1064
apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:792
</IRQ>
RIP: 0010:native_safe_halt+0x13/0x20 arch/x86/include/asm/irqflags.h:61
RSP: 0018:ffffffff95e07d48 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000000 RBX: ffffffff9622dac8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff95e3146c
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff95e30c40 R15: dffffc0000000000
arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
default_idle+0x61/0x3b0 arch/x86/kernel/process.c:566
cpuidle_idle_call kernel/sched/idle.c:159 [inline]
do_idle+0x2e6/0x390 kernel/sched/idle.c:268
cpu_startup_entry+0xc6/0xd0 kernel/sched/idle.c:374
start_kernel+0x712/0x74a init/main.c:709
secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240
Code: ea 03 80 3c 02 00 0f 85 2c 01 00 00 4c 8b bb 58 02 00 00 ba 00 00 00
00 4c 3b 7c 24 18 4c 0f 44 fa e9 bd fc ff ff e8 5a fc da fe <0f> 0b e8 33
bf fd fe e9 4d ef ff ff e8 29 bf fd fe e9 2d f2 ff
RIP: skb_queue_prev include/linux/skbuff.h:1406 [inline] RSP: ffff8881dba07bf8
RIP: tcp_write_queue_prev include/net/tcp.h:1651 [inline] RSP: ffff8881dba07bf8
RIP: tcp_rtx_queue_tail include/net/tcp.h:1706 [inline] RSP: ffff8881dba07bf8
RIP: tcp_fragment+0x12c6/0x13e0 net/ipv4/tcp_output.c:1284 RSP: ffff8881dba07bf8
---[ end trace 03140d88bf972157 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches