general protection fault in addrconf_rt_table


syzbot

Apr 11, 2019, 8:00:53 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: a03d0bba ANDROID: build.config: enforce trace_printk check
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=15619a97800000
kernel config: https://syzkaller.appspot.com/x/.config?x=499a13c4e119010c
dashboard link: https://syzkaller.appspot.com/bug?extid=30ed7a3c09ba09f97dac
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13fb5297800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17dee607800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+30ed7a...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
IPVS: Creating netns size=2536 id=1
IPVS: Creating netns size=2536 id=2
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 6 Comm: kworker/u4:0 Not tainted 4.9.98-ga03d0bb #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
task: ffff8801d9a38000 task.stack: ffff8801d9a40000
RIP: 0010:[<ffffffff83577e97>] [<ffffffff83577e97>]
addrconf_rt_table+0x127/0x290 net/ipv6/addrconf.c:2223
RSP: 0018:ffff8801d9a47520 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000200 RCX: ffff8801d9a38000
RDX: 0000000000000056 RSI: 0000000000000004 RDI: 00000000000002b0
RBP: ffff8801d9a47550 R08: ffff8801d9a38988 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff1003b34712c R12: 0000000000000000
R13: 00000000000000fe R14: ffff8801d694b300 R15: ffff8801b664c190
FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe90dfb2a4 CR3: 00000001c66f7000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffffffff83577d70 ffff8801d694b300 0000000000000000 ffff8801b5398000
ffff8801bbdbad00 ffff8801b664c190 ffff8801d9a47598 ffffffff83578783
0000000000000000 ffff880100000080 ffff8801b664c000 ffff8801b664c190
Call Trace:
[<ffffffff83578783>] addrconf_get_prefix_route+0x33/0x270
net/ipv6/addrconf.c:2277
[<ffffffff83578f98>] __ipv6_ifa_notify+0x5d8/0x790 net/ipv6/addrconf.c:5496
[<ffffffff8357a82f>] addrconf_ifdown+0x94f/0x10e0 net/ipv6/addrconf.c:3689
[<ffffffff83581ab8>] addrconf_notify+0x7f8/0x2160 net/ipv6/addrconf.c:3493
[<ffffffff8119f574>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
[<ffffffff8119f6fd>] __raw_notifier_call_chain kernel/notifier.c:394
[inline]
[<ffffffff8119f6fd>] raw_notifier_call_chain+0x2d/0x40
kernel/notifier.c:401
[<ffffffff83064eb5>] call_netdevice_notifiers_info+0x55/0x70
net/core/dev.c:1647
[<ffffffff8306afc4>] call_netdevice_notifiers net/core/dev.c:1663 [inline]
[<ffffffff8306afc4>] rollback_registered_many+0x5a4/0x920
net/core/dev.c:6832
[<ffffffff8306e5db>] unregister_netdevice_many.part.106+0x1b/0x110
net/core/dev.c:7879
[<ffffffff8306ea73>] unregister_netdevice_many net/core/dev.c:7878 [inline]
[<ffffffff8306ea73>] default_device_exit_batch+0x353/0x410
net/core/dev.c:8337
[<ffffffff83055cd5>] ops_exit_list.isra.6+0x105/0x160
net/core/net_namespace.c:139
[<ffffffff83058b51>] cleanup_net+0x321/0x630 net/core/net_namespace.c:473
[<ffffffff8118ae31>] process_one_work+0x7e1/0x1500 kernel/workqueue.c:2092
[<ffffffff8118bc26>] worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
[<ffffffff8119ad5d>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff839f481c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Code: 83 be 01 00 00 00 48 c7 c7 20 ef 6d 84 e8 92 12 cc fd 49 8d bc 24 b0
02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02
84 c0 74 08 3c 03 0f 8e 34 01 00 00 45 8b bc 24 b0
RIP [<ffffffff83577e97>] addrconf_rt_table+0x127/0x290
net/ipv6/addrconf.c:2223
RSP <ffff8801d9a47520>
---[ end trace 89f6992350bc4f2e ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 11, 2019, 8:01:08 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: ea91d158 Merge 4.14.83 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=12503533400000
kernel config: https://syzkaller.appspot.com/x/.config?x=6b1f3a1ff5600d9d
dashboard link: https://syzkaller.appspot.com/bug?extid=ddfea31ae481ea039147
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=139e2b0b400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ddfea3...@syzkaller.appspotmail.com

audit: type=1400 audit(1543078772.570:9): avc: denied { map } for
pid=1837 comm="syz-execprog" path="/root/syzkaller-shm822419332" dev="sda1"
ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 1 PID: 64 Comm: kworker/u4:1 Not tainted 4.14.83+ #9
Workqueue: netns cleanup_net
task: ffff8801d9125e00 task.stack: ffff8801d91a0000
RIP: 0010:addrconf_rt_table+0x126/0x2a0 net/ipv6/addrconf.c:2292
RSP: 0018:ffff8801d91a76b8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff1003b224cc4
RDX: 000000000000004d RSI: 0000000000000005 RDI: 0000000000000268
RBP: ffff8801d91a76e0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8801d91266d0 R11: 0000000000000001 R12: ffff8801c7e75500
R13: ffff8801c89c4000 R14: 00000000000001b8 R15: 00000000000000fe
FS: 0000000000000000(0000) GS:ffff8801db900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004d96d0 CR3: 0000000038022006 CR4: 00000000001606a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
addrconf_get_prefix_route+0x30/0x2f0 net/ipv6/addrconf.c:2346
__ipv6_ifa_notify+0x6b6/0x860 net/ipv6/addrconf.c:5597
addrconf_ifdown+0xa20/0x12e0 net/ipv6/addrconf.c:3721
addrconf_notify+0x8f1/0x1b30 net/ipv6/addrconf.c:3525
notifier_call_chain+0x114/0x1b0 kernel/notifier.c:93
call_netdevice_notifiers net/core/dev.c:1687 [inline]
rollback_registered_many+0x6b5/0xac0 net/core/dev.c:7210
unregister_netdevice_many+0x43/0x210 net/core/dev.c:8259
default_device_exit_batch+0x313/0x3d0 net/core/dev.c:8718
ops_exit_list.isra.3+0xfd/0x150 net/core/net_namespace.c:145
cleanup_net+0x3e9/0x880 net/core/net_namespace.c:483
process_one_work+0x86e/0x1670 kernel/workqueue.c:2114
worker_thread+0xdc/0x1000 kernel/workqueue.c:2248
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Code: 6d 8f be 01 00 00 00 48 c7 c7 a0 e8 4c 90 e8 12 91 b2 fe 48 8d bb 68
02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02
84 c0 74 08 3c 03 0f 8e 3f 01 00 00 44 8b ab 68 02
RIP: addrconf_rt_table+0x126/0x2a0 net/ipv6/addrconf.c:2292 RSP:
ffff8801d91a76b8
---[ end trace 800bd0a1576fd8e9 ]---

syzbot

Apr 13, 2019, 8:02:16 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: bc1cf222 ANDROID: sdcardfs: Add option to not link obb
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=12783e6d400000
kernel config: https://syzkaller.appspot.com/x/.config?x=e9e5117807e1d57d
dashboard link: https://syzkaller.appspot.com/bug?extid=9527944bfdd9749ed6aa
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c394db400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+952794...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 2299 Comm: kworker/u4:4 Not tainted 4.4.165+ #15
Workqueue: netns cleanup_net
task: ffff8800b4f0df00 task.stack: ffff8801d18a8000
RIP: 0010:[<ffffffff825c55c6>] [<ffffffff825c55c6>]
addrconf_rt_table+0x126/0x290 net/ipv6/addrconf.c:2192
RSP: 0018:ffff8801d18af590 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 0000000000000067 RSI: 0000000000000004 RDI: 0000000000000338
RBP: ffff8801d18af5c0 R08: ffff8800b4f0e7c8 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff831a2db8 R12: 00000000000000fe
R13: ffff8801d2dc3300 R14: 0000000000000218 R15: ffff8800b834a418
FS: 0000000000000000(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000025d7b30 CR3: 0000000002e0a000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffffffff825c54a0 ffff8801d2dc3300 0000000000000000 ffff8800b2148000
ffff8801d2f27700 ffff8800b834a418 ffff8801d18af608 ffffffff825c5e33
00000000b834a280 ffff880100000080 ffff8800b834a280 ffff8800b834a418
Call Trace:
[<ffffffff825c5e33>] addrconf_get_prefix_route+0x33/0x270
net/ipv6/addrconf.c:2246
[<ffffffff825c6662>] __ipv6_ifa_notify+0x5f2/0x760 net/ipv6/addrconf.c:5234
[<ffffffff825c7cce>] addrconf_ifdown+0x5ce/0xbc0 net/ipv6/addrconf.c:3477
[<ffffffff825ceb19>] addrconf_notify+0x8d9/0x1a60 net/ipv6/addrconf.c:3339
[<ffffffff811382f9>] notifier_call_chain+0xb9/0x1e0 kernel/notifier.c:93
[<ffffffff8113848d>] __raw_notifier_call_chain kernel/notifier.c:394
[inline]
[<ffffffff8113848d>] raw_notifier_call_chain+0x2d/0x40
kernel/notifier.c:401
[<ffffffff8221f995>] call_netdevice_notifiers_info+0x55/0x70
net/core/dev.c:1643
[<ffffffff8222d144>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
[<ffffffff8222d144>] rollback_registered_many+0x594/0x9a0
net/core/dev.c:6372
[<ffffffff822360e5>] unregister_netdevice_many+0x45/0x220
net/core/dev.c:7382
[<ffffffff822365ff>] default_device_exit_batch+0x33f/0x3f0
net/core/dev.c:7840
[<ffffffff8220fcf5>] ops_exit_list.isra.0+0x105/0x160
net/core/net_namespace.c:137
[<ffffffff82212af2>] cleanup_net+0x3f2/0x880 net/core/net_namespace.c:452
[<ffffffff81123204>] process_one_work+0x824/0x1730 kernel/workqueue.c:2064
[<ffffffff811241e9>] worker_thread+0xd9/0x1060 kernel/workqueue.c:2196
[<ffffffff81134788>] kthread+0x268/0x300 kernel/kthread.c:211
[<ffffffff82714505>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
Code: 5c 82 be 01 00 00 00 48 c7 c7 60 72 ea 82 e8 52 e4 c3 fe 48 8d bb 38
03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02
84 c0 74 08 3c 03 0f 8e 39 01 00 00 44 8b bb 38 03
RIP [<ffffffff825c55c6>] addrconf_rt_table+0x126/0x290
net/ipv6/addrconf.c:2192
RSP <ffff8801d18af590>
---[ end trace 4755062df8ded16d ]---