WARNING in fib6_del (2)
11 views
Skip to first unread message
syzbot
Oct 30, 2019, 11:36:08 AM10/30/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=157f39d4e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=d1ef6facf9fdae239185
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d1ef6f...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): ip_vti0: link becomes ready
netlink: 2 bytes leftover after parsing attributes in process
`syz-executor.4'.
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset
its stats unexpectedly
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4254 at net/ipv6/ip6_fib.c:1477 fib6_del+0x946/0xb10
net/ipv6/ip6_fib.c:1477
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 4254 Comm: syz-executor.1 Not tainted 4.9.141+ #1
ffff8801d69667e8 ffffffff81b42e79 ffffffff82a38ce0 00000000ffffffff
ffffffff82cc1e00 0000000000000001 0000000000000009 ffff8801d69668a8
ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff813f7125>] panic+0x1bf/0x39f kernel/panic.c:179
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=4290 comm=syz-executor.3
[<ffffffff813f7362>] __warn.cold.8+0x2f/0x2f kernel/panic.c:542
[<ffffffff810dc02c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
[<ffffffff826eeeb6>] fib6_del+0x946/0xb10 net/ipv6/ip6_fib.c:1477
[<ffffffff826ef2a0>] fib6_clean_node+0x220/0x4c0 net/ipv6/ip6_fib.c:1657
[<ffffffff826e6545>] fib6_walk_continue+0x3e5/0x640 net/ipv6/ip6_fib.c:1583
[<ffffffff826e6b01>] fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1628
[<ffffffff826e6c33>] fib6_clean_tree+0xd3/0x110 net/ipv6/ip6_fib.c:1702
[<ffffffff826e6d69>] __fib6_clean_all+0xf9/0x220 net/ipv6/ip6_fib.c:1718
[<ffffffff826ef567>] fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:1729
[<ffffffff826e4b51>] rt6_ifdown+0xa1/0x7f0 net/ipv6/route.c:2719
[<ffffffff826bf2e0>] addrconf_ifdown+0xd0/0x1420 net/ipv6/addrconf.c:3569
[<ffffffff826c74be>] addrconf_notify+0x8ee/0x2140 net/ipv6/addrconf.c:3493
[<ffffffff811478d4>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
[<ffffffff81147a5d>] __raw_notifier_call_chain kernel/notifier.c:394
[inline]
[<ffffffff81147a5d>] raw_notifier_call_chain+0x2d/0x40
kernel/notifier.c:401
[<ffffffff822f4a45>] call_netdevice_notifiers_info+0x55/0x70
net/core/dev.c:1647
[<ffffffff82306fbd>] netdev_state_change+0xdd/0x100 net/core/dev.c:1286
[<ffffffff8234e6d6>] do_setlink+0x2596/0x2ef0 net/core/rtnetlink.c:2199
[<ffffffff82354b10>] rtnl_group_changelink net/core/rtnetlink.c:2423
[inline]
[<ffffffff82354b10>] rtnl_newlink+0xbd0/0x1550 net/core/rtnetlink.c:2571
[<ffffffff8235592c>] rtnetlink_rcv_msg+0x49c/0x650
net/core/rtnetlink.c:4078
[<ffffffff823d59e5>] netlink_rcv_skb+0x145/0x370
net/netlink/af_netlink.c:2365
[<ffffffff8234abfa>] rtnetlink_rcv+0x2a/0x40 net/core/rtnetlink.c:4084
[<ffffffff823d4478>] netlink_unicast_kernel net/netlink/af_netlink.c:1285
[inline]
[<ffffffff823d4478>] netlink_unicast+0x4d8/0x6d0
net/netlink/af_netlink.c:1311
[<ffffffff823d4e44>] netlink_sendmsg+0x694/0xc30
net/netlink/af_netlink.c:1859
[<ffffffff822a063b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a063b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff822a231c>] ___sys_sendmsg+0x6fc/0x840 net/socket.c:1982
[<ffffffff822a5339>] __sys_sendmsg+0xd9/0x190 net/socket.c:2016
[<ffffffff822a541d>] SYSC_sendmsg net/socket.c:2027 [inline]
[<ffffffff822a541d>] SyS_sendmsg+0x2d/0x50 net/socket.c:2023
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=157f39d4e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=d1ef6facf9fdae239185
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d1ef6f...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): ip_vti0: link becomes ready
netlink: 2 bytes leftover after parsing attributes in process
`syz-executor.4'.
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset
its stats unexpectedly
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4254 at net/ipv6/ip6_fib.c:1477 fib6_del+0x946/0xb10
net/ipv6/ip6_fib.c:1477
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 4254 Comm: syz-executor.1 Not tainted 4.9.141+ #1
ffff8801d69667e8 ffffffff81b42e79 ffffffff82a38ce0 00000000ffffffff
ffffffff82cc1e00 0000000000000001 0000000000000009 ffff8801d69668a8
ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff813f7125>] panic+0x1bf/0x39f kernel/panic.c:179
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=4290 comm=syz-executor.3
[<ffffffff813f7362>] __warn.cold.8+0x2f/0x2f kernel/panic.c:542
[<ffffffff810dc02c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
[<ffffffff826eeeb6>] fib6_del+0x946/0xb10 net/ipv6/ip6_fib.c:1477
[<ffffffff826ef2a0>] fib6_clean_node+0x220/0x4c0 net/ipv6/ip6_fib.c:1657
[<ffffffff826e6545>] fib6_walk_continue+0x3e5/0x640 net/ipv6/ip6_fib.c:1583
[<ffffffff826e6b01>] fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1628
[<ffffffff826e6c33>] fib6_clean_tree+0xd3/0x110 net/ipv6/ip6_fib.c:1702
[<ffffffff826e6d69>] __fib6_clean_all+0xf9/0x220 net/ipv6/ip6_fib.c:1718
[<ffffffff826ef567>] fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:1729
[<ffffffff826e4b51>] rt6_ifdown+0xa1/0x7f0 net/ipv6/route.c:2719
[<ffffffff826bf2e0>] addrconf_ifdown+0xd0/0x1420 net/ipv6/addrconf.c:3569
[<ffffffff826c74be>] addrconf_notify+0x8ee/0x2140 net/ipv6/addrconf.c:3493
[<ffffffff811478d4>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
[<ffffffff81147a5d>] __raw_notifier_call_chain kernel/notifier.c:394
[inline]
[<ffffffff81147a5d>] raw_notifier_call_chain+0x2d/0x40
kernel/notifier.c:401
[<ffffffff822f4a45>] call_netdevice_notifiers_info+0x55/0x70
net/core/dev.c:1647
[<ffffffff82306fbd>] netdev_state_change+0xdd/0x100 net/core/dev.c:1286
[<ffffffff8234e6d6>] do_setlink+0x2596/0x2ef0 net/core/rtnetlink.c:2199
[<ffffffff82354b10>] rtnl_group_changelink net/core/rtnetlink.c:2423
[inline]
[<ffffffff82354b10>] rtnl_newlink+0xbd0/0x1550 net/core/rtnetlink.c:2571
[<ffffffff8235592c>] rtnetlink_rcv_msg+0x49c/0x650
net/core/rtnetlink.c:4078
[<ffffffff823d59e5>] netlink_rcv_skb+0x145/0x370
net/netlink/af_netlink.c:2365
[<ffffffff8234abfa>] rtnetlink_rcv+0x2a/0x40 net/core/rtnetlink.c:4084
[<ffffffff823d4478>] netlink_unicast_kernel net/netlink/af_netlink.c:1285
[inline]
[<ffffffff823d4478>] netlink_unicast+0x4d8/0x6d0
net/netlink/af_netlink.c:1311
[<ffffffff823d4e44>] netlink_sendmsg+0x694/0xc30
net/netlink/af_netlink.c:1859
[<ffffffff822a063b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a063b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff822a231c>] ___sys_sendmsg+0x6fc/0x840 net/socket.c:1982
[<ffffffff822a5339>] __sys_sendmsg+0xd9/0x190 net/socket.c:2016
[<ffffffff822a541d>] SYSC_sendmsg net/socket.c:2027 [inline]
[<ffffffff822a541d>] SyS_sendmsg+0x2d/0x50 net/socket.c:2023
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Nov 12, 2019, 6:40:09 PM11/12/19
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=10236d06e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1038e53ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d1ef6f...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2213 at net/ipv6/ip6_fib.c:1477 fib6_del+0x946/0xb10
ffff8801c59c6928 ffffffff81b42e79 ffffffff82a38ce0 00000000ffffffff
ffffffff82cc1e00 0000000000000001 0000000000000009 ffff8801c59c69e8
[<ffffffff8150770b>] do_iter_readv_writev+0x3cb/0x4b0 fs/read_write.c:695
[<ffffffff8150b22a>] do_readv_writev+0x2fa/0x7b0 fs/read_write.c:871
[<ffffffff8150bcc7>] vfs_writev+0x87/0xc0 fs/read_write.c:910
[<ffffffff8150bde6>] do_writev+0xe6/0x260 fs/read_write.c:943
[<ffffffff8150f117>] SYSC_writev fs/read_write.c:1016 [inline]
[<ffffffff8150f117>] SyS_writev+0x27/0x30 fs/read_write.c:1013
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=d1ef6facf9fdae239185
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10880f3ae00000
dashboard link: https://syzkaller.appspot.com/bug?extid=d1ef6facf9fdae239185
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1038e53ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d1ef6f...@syzkaller.appspotmail.com
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2213 at net/ipv6/ip6_fib.c:1477 fib6_del+0x946/0xb10
net/ipv6/ip6_fib.c:1477
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 2213 Comm: syz-executor287 Not tainted 4.9.141+ #1
Kernel panic - not syncing: panic_on_warn set ...
ffff8801c59c6928 ffffffff81b42e79 ffffffff82a38ce0 00000000ffffffff
ffffffff82cc1e00 0000000000000001 0000000000000009 ffff8801c59c69e8
ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff813f7125>] panic+0x1bf/0x39f kernel/panic.c:179
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff813f7125>] panic+0x1bf/0x39f kernel/panic.c:179
[<ffffffff813f7362>] __warn.cold.8+0x2f/0x2f kernel/panic.c:542
[<ffffffff810dc02c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
[<ffffffff826eeeb6>] fib6_del+0x946/0xb10 net/ipv6/ip6_fib.c:1477
[<ffffffff826ef2a0>] fib6_clean_node+0x220/0x4c0 net/ipv6/ip6_fib.c:1657
[<ffffffff826e6545>] fib6_walk_continue+0x3e5/0x640 net/ipv6/ip6_fib.c:1583
[<ffffffff826e6b01>] fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1628
[<ffffffff826e6c33>] fib6_clean_tree+0xd3/0x110 net/ipv6/ip6_fib.c:1702
[<ffffffff826e6d69>] __fib6_clean_all+0xf9/0x220 net/ipv6/ip6_fib.c:1718
[<ffffffff826ef567>] fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:1729
[<ffffffff826e4b51>] rt6_ifdown+0xa1/0x7f0 net/ipv6/route.c:2719
[<ffffffff826bf2e0>] addrconf_ifdown+0xd0/0x1420 net/ipv6/addrconf.c:3569
[<ffffffff826c74be>] addrconf_notify+0x8ee/0x2140 net/ipv6/addrconf.c:3493
[<ffffffff811478d4>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
[<ffffffff81147a5d>] __raw_notifier_call_chain kernel/notifier.c:394
[inline]
[<ffffffff81147a5d>] raw_notifier_call_chain+0x2d/0x40
kernel/notifier.c:401
[<ffffffff822f4a45>] call_netdevice_notifiers_info+0x55/0x70
net/core/dev.c:1647
[<ffffffff82306fbd>] netdev_state_change+0xdd/0x100 net/core/dev.c:1286
[<ffffffff8234e6d6>] do_setlink+0x2596/0x2ef0 net/core/rtnetlink.c:2199
[<ffffffff8234f240>] rtnl_setlink+0x210/0x310 net/core/rtnetlink.c:2241
[<ffffffff810dc02c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
[<ffffffff826eeeb6>] fib6_del+0x946/0xb10 net/ipv6/ip6_fib.c:1477
[<ffffffff826ef2a0>] fib6_clean_node+0x220/0x4c0 net/ipv6/ip6_fib.c:1657
[<ffffffff826e6545>] fib6_walk_continue+0x3e5/0x640 net/ipv6/ip6_fib.c:1583
[<ffffffff826e6b01>] fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1628
[<ffffffff826e6c33>] fib6_clean_tree+0xd3/0x110 net/ipv6/ip6_fib.c:1702
[<ffffffff826e6d69>] __fib6_clean_all+0xf9/0x220 net/ipv6/ip6_fib.c:1718
[<ffffffff826ef567>] fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:1729
[<ffffffff826e4b51>] rt6_ifdown+0xa1/0x7f0 net/ipv6/route.c:2719
[<ffffffff826bf2e0>] addrconf_ifdown+0xd0/0x1420 net/ipv6/addrconf.c:3569
[<ffffffff826c74be>] addrconf_notify+0x8ee/0x2140 net/ipv6/addrconf.c:3493
[<ffffffff811478d4>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
[<ffffffff81147a5d>] __raw_notifier_call_chain kernel/notifier.c:394
[inline]
[<ffffffff81147a5d>] raw_notifier_call_chain+0x2d/0x40
kernel/notifier.c:401
[<ffffffff822f4a45>] call_netdevice_notifiers_info+0x55/0x70
net/core/dev.c:1647
[<ffffffff82306fbd>] netdev_state_change+0xdd/0x100 net/core/dev.c:1286
[<ffffffff8234e6d6>] do_setlink+0x2596/0x2ef0 net/core/rtnetlink.c:2199
[<ffffffff8235592c>] rtnetlink_rcv_msg+0x49c/0x650
net/core/rtnetlink.c:4078
[<ffffffff823d59e5>] netlink_rcv_skb+0x145/0x370
net/netlink/af_netlink.c:2365
[<ffffffff8234abfa>] rtnetlink_rcv+0x2a/0x40 net/core/rtnetlink.c:4084
[<ffffffff823d4478>] netlink_unicast_kernel net/netlink/af_netlink.c:1285
[inline]
[<ffffffff823d4478>] netlink_unicast+0x4d8/0x6d0
net/netlink/af_netlink.c:1311
[<ffffffff823d4e44>] netlink_sendmsg+0x694/0xc30
net/netlink/af_netlink.c:1859
[<ffffffff822a063b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a063b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff822a08b3>] sock_write_iter+0x223/0x3b0 net/socket.c:856
net/core/rtnetlink.c:4078
[<ffffffff823d59e5>] netlink_rcv_skb+0x145/0x370
net/netlink/af_netlink.c:2365
[<ffffffff8234abfa>] rtnetlink_rcv+0x2a/0x40 net/core/rtnetlink.c:4084
[<ffffffff823d4478>] netlink_unicast_kernel net/netlink/af_netlink.c:1285
[inline]
[<ffffffff823d4478>] netlink_unicast+0x4d8/0x6d0
net/netlink/af_netlink.c:1311
[<ffffffff823d4e44>] netlink_sendmsg+0x694/0xc30
net/netlink/af_netlink.c:1859
[<ffffffff822a063b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a063b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff8150770b>] do_iter_readv_writev+0x3cb/0x4b0 fs/read_write.c:695
[<ffffffff8150b22a>] do_readv_writev+0x2fa/0x7b0 fs/read_write.c:871
[<ffffffff8150bcc7>] vfs_writev+0x87/0xc0 fs/read_write.c:910
[<ffffffff8150bde6>] do_writev+0xe6/0x260 fs/read_write.c:943
[<ffffffff8150f117>] SYSC_writev fs/read_write.c:1016 [inline]
[<ffffffff8150f117>] SyS_writev+0x27/0x30 fs/read_write.c:1013
Reply all
Reply to author
Forward
0 new messages