kernel BUG at ./include/linux/skbuff.h:LINE! (2)

syzbot
Aug 16, 2019, 6:13:07 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d1f8a9bb UPSTREAM: net/ipv6: allow sysctl to change link-l..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=152f30ac600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5944ab99bb3d7b7c
dashboard link: https://syzkaller.appspot.com/bug?extid=b750abcaa3fc29d7a510
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15c046a6600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b750ab...@syzkaller.appspotmail.com

audit: type=1400 audit(1565946567.438:5): avc: denied { associate } for pid=2067 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
------------[ cut here ]------------
kernel BUG at ./include/linux/skbuff.h:1294!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.9.189+ #1
task: 00000000a9eb28ed task.stack: 00000000099611de
RIP: 0010:[<ffffffff8252ad76>] [<000000005d970085>] skb_queue_prev include/linux/skbuff.h:1294 [inline]
RIP: 0010:[<ffffffff8252ad76>] [<000000005d970085>] tcp_write_queue_prev include/net/tcp.h:1563 [inline]
RIP: 0010:[<ffffffff8252ad76>] [<000000005d970085>] tcp_rtx_queue_tail include/net/tcp.h:1616 [inline]
RIP: 0010:[<ffffffff8252ad76>] [<000000005d970085>] tcp_fragment+0x1266/0x1390 net/ipv4/tcp_output.c:1195
RSP: 0018:ffff8801db707b90 EFLAGS: 00010206
RAX: ffff8801da6b2f80 RBX: ffff8801d1790000 RCX: 1ffff1003a2f207d
RDX: 0000000000000100 RSI: ffffffff8252ad76 RDI: ffff8801cb6c1b88
RBP: ffff8801db707be0 R08: 0000000002080020 R09: ffff8801cb6c1ba8
R10: ffff88021fffd050 R11: 0000000953c6deec R12: 0000000000000000
R13: ffff8801d17901f0 R14: ffff8801cb6c1b80 R15: ffff8801d1790244
FS: 0000000000000000(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000075c000 CR3: 00000001ceb61000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801cb6c1b80 ffff8801d17901f0 ffff8801cb6c1bf8 ffff880102080020
000068000000ffcb 0000000000006800 ffff8801d1790000 ffff8801cb6c1b80
000000000000ffcb ffff8801cb6c1bb4 ffff8801db707c30 ffffffff8253e6d5
Call Trace:
<IRQ> [ 38.157731] [<00000000a83f95e1>] tcp_write_wakeup+0x345/0x5b0 net/ipv4/tcp_output.c:3613
[<000000009332ab88>] tcp_send_probe0+0x4b/0x400 net/ipv4/tcp_output.c:3641
[<000000005978249b>] tcp_probe_timer net/ipv4/tcp_timer.c:379 [inline]
[<000000005978249b>] tcp_write_timer_handler+0x6a0/0x7a0 net/ipv4/tcp_timer.c:596
[<0000000006619ca6>] tcp_write_timer+0xc5/0x190 net/ipv4/tcp_timer.c:610
[<00000000767b5718>] call_timer_fn+0x167/0x6d0 kernel/time/timer.c:1319
[<000000004b4a58ad>] expire_timers+0x25b/0x5c0 kernel/time/timer.c:1359
[<00000000c0ae8e27>] __run_timers kernel/time/timer.c:1674 [inline]
[<00000000c0ae8e27>] run_timer_softirq+0x1ff/0x620 kernel/time/timer.c:1687
[<000000001d60fcc2>] __do_softirq+0x22d/0x964 kernel/softirq.c:288
[<000000000f4de382>] invoke_softirq kernel/softirq.c:368 [inline]
[<000000000f4de382>] irq_exit+0x119/0x160 kernel/softirq.c:409
[<000000001c4148b4>] exiting_irq arch/x86/include/asm/apic.h:669 [inline]
[<000000001c4148b4>] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:962
[<000000008e94ac25>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:653
<EOI> [ 38.307883] [<00000000f490af06>] ? native_safe_halt+0x41/0x60 arch/x86/include/asm/irqflags.h:59
[<00000000ebd30c63>] arch_safe_halt arch/x86/include/asm/paravirt.h:104 [inline]
[<00000000ebd30c63>] default_idle+0x56/0x370 arch/x86/kernel/process.c:500
[<00000000599e5156>] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:491
[<000000000a7609e3>] default_idle_call+0x36/0x60 kernel/sched/idle.c:97
[<000000000390f32e>] cpuidle_idle_call kernel/sched/idle.c:155 [inline]
[<000000000390f32e>] cpu_idle_loop kernel/sched/idle.c:248 [inline]
[<000000000390f32e>] cpu_startup_entry+0x283/0x3a0 kernel/sched/idle.c:303
[<00000000dc26dc52>] start_secondary+0x31c/0x410 arch/x86/kernel/smpboot.c:251
Code: c1 ea 03 80 3c 02 00 0f 85 3a 01 00 00 4c 8b ab f8 01 00 00 ba 00 00 00 00 4c 3b 6d b8 4c 0f 44 ea e9 f9 fc ff ff e8 fa 75 df fe <0f> 0b e8 33 37 fd fe e9 6e f0 ff ff e8 29 37 fd fe e9 68 f3 ff
RIP [<000000005d970085>] skb_queue_prev include/linux/skbuff.h:1294 [inline]
RIP [<000000005d970085>] tcp_write_queue_prev include/net/tcp.h:1563 [inline]
RIP [<000000005d970085>] tcp_rtx_queue_tail include/net/tcp.h:1616 [inline]
RIP [<000000005d970085>] tcp_fragment+0x1266/0x1390 net/ipv4/tcp_output.c:1195
RSP <ffff8801db707b90>
---[ end trace aa12cf99faae09b4 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
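The trace above dies in skb_queue_prev(), reached from tcp_fragment() through tcp_rtx_queue_tail() on the zero-window probe path (tcp_send_probe0 -> tcp_write_wakeup). As an added illustration, not code from the syzbot report or from the kernel tree, here is a user-space model of the sk_buff ring and of the BUG_ON in skb_queue_prev(): an skb whose prev pointer is the list sentinel is the first in the queue, so asking for its predecessor has nothing valid to return. The helper is shown in two forms: an unchecked one shaped the way the trace suggests (predecessor of send_head, otherwise the queue tail), and a guarded one that is my own assumed variant, not a quotation of any actual fix. The skb and sock structures, the seq field, and both scenarios are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of struct sk_buff / sk_buff_head: a circular doubly linked list
 * whose head node doubles as the sentinel (constructed, not kernel code). */
struct skb {
	struct skb *next;
	struct skb *prev;
	unsigned int seq;	/* constructed: first sequence number carried */
};

struct skb_head {
	struct skb link;	/* sentinel; its next/prev close the ring */
	unsigned int qlen;
};

static void skb_queue_head_init(struct skb_head *list)
{
	list->link.next = list->link.prev = &list->link;
	list->link.seq = 0;
	list->qlen = 0;
}

static void skb_queue_tail(struct skb_head *list, struct skb *newsk)
{
	struct skb *prev = list->link.prev;

	newsk->next = &list->link;
	newsk->prev = prev;
	prev->next = newsk;
	list->link.prev = newsk;
	list->qlen++;
}

static int skb_queue_is_first(const struct skb_head *list, const struct skb *skb)
{
	return skb->prev == &list->link;
}

static struct skb *skb_peek_tail(const struct skb_head *list)
{
	struct skb *skb = list->link.prev;

	return skb == &list->link ? NULL : skb;
}

/* The kernel's skb_queue_prev() does BUG_ON(skb_queue_is_first(list, skb)),
 * which is the "kernel BUG at ./include/linux/skbuff.h:1294" above. This
 * model counts the hit and returns NULL so the condition can be tested. */
static int bug_on_hits;

static struct skb *skb_queue_prev(const struct skb_head *list, const struct skb *skb)
{
	if (skb_queue_is_first(list, skb)) {	/* BUG_ON in the kernel */
		bug_on_hits++;
		return NULL;
	}
	return skb->prev;
}

/* Socket model: one write queue; send_head is the first skb not yet sent, so
 * the "retransmit queue" is everything queued before it (4.9-style layout). */
struct sock_model {
	struct skb_head write_queue;
	struct skb *send_head;
};

/* Unchecked helper, the shape the trace's tcp_rtx_queue_tail suggests (my
 * reading): predecessor of send_head, else the write-queue tail. When
 * send_head is the first skb, prev is the sentinel and BUG_ON fires. */
static struct skb *rtx_queue_tail_unchecked(struct sock_model *sk)
{
	struct skb *skb = sk->send_head;

	return skb ? skb_queue_prev(&sk->write_queue, skb)
		   : skb_peek_tail(&sk->write_queue);
}

/* Assumed guarded variant (hypothetical, not any real fix): an empty
 * retransmit queue reports NULL instead of walking onto the sentinel. */
static struct skb *rtx_queue_tail_checked(struct sock_model *sk)
{
	struct skb *skb = sk->send_head;

	if (!skb)
		return skb_peek_tail(&sk->write_queue);
	if (skb_queue_is_first(&sk->write_queue, skb))
		return NULL;
	return skb->prev;
}

/* Constructed scenario matching the trace: one skb queued but unsent, nothing
 * in flight, and the probe path asks for the rtx-queue tail. Returns hits. */
static int scenario_empty_rtx(int use_checked)
{
	struct sock_model sk;
	struct skb s1 = { .seq = 1 };

	skb_queue_head_init(&sk.write_queue);
	skb_queue_tail(&sk.write_queue, &s1);
	sk.send_head = &s1;
	bug_on_hits = 0;
	(void)(use_checked ? rtx_queue_tail_checked(&sk)
			   : rtx_queue_tail_unchecked(&sk));
	return bug_on_hits;
}

/* Control: one skb already sent, one pending; the unchecked helper is safe.
 * Returns the seq of the tail it finds, 0 if it failed. */
static unsigned int scenario_nonempty_rtx(void)
{
	struct sock_model sk;
	struct skb s1 = { .seq = 1 }, s2 = { .seq = 2 };
	struct skb *tail;

	skb_queue_head_init(&sk.write_queue);
	skb_queue_tail(&sk.write_queue, &s1);
	skb_queue_tail(&sk.write_queue, &s2);
	sk.send_head = &s2;
	bug_on_hits = 0;
	tail = rtx_queue_tail_unchecked(&sk);
	return tail && !bug_on_hits ? tail->seq : 0;
}

int main(void)
{
	printf("empty rtx queue, unchecked helper: %d BUG_ON hit(s)\n", scenario_empty_rtx(0));
	printf("empty rtx queue, checked helper:   %d BUG_ON hit(s)\n", scenario_empty_rtx(1));
	printf("non-empty rtx queue: tail seq=%u\n", scenario_nonempty_rtx());
	return 0;
}
```

The point of the model is the ordering of the check: in the ring layout the sentinel is a valid pointer, so without the is-first test the caller would dereference the list head as if it were an skb, which is why the kernel chooses BUG_ON over returning garbage. When triaging a report like this one, the question to answer against the real source is therefore whether any caller of tcp_rtx_queue_tail() can run with send_head at the front of sk_write_queue; the probe timer path in the trace is one such caller.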