BUG: stack guard page was hit in corrupted (15)


syzbot

Mar 24, 2022, 9:50:19 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ab2d1d40a128 Revert "vsock: each transport cycles only on ..
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=17bcae0b700000
kernel config: https://syzkaller.appspot.com/x/.config?x=75791a4a1d0f0a62
dashboard link: https://syzkaller.appspot.com/bug?extid=0538c6f61b93f1cf6030
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144df271700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136541cb700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0538c6...@syzkaller.appspotmail.com

BUG: stack guard page was hit at ffffc90000bbffe8 (stack is ffffc90000bc0000..ffffc90000bc7fff)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 365 Comm: syz-executor334 Not tainted 5.10.108-syzkaller-00653-gab2d1d40a128 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:update_stack_state+0x127/0x530 arch/x86/kernel/unwind_frame.c:205
Code: 45 b8 48 01 c1 48 89 4d 98 4d 8d 67 18 49 8d 47 28 48 89 45 c8 4d 89 fd 49 8d 47 20 48 89 85 78 ff ff ff 4c 89 f0 48 c1 e8 03 <48> 89 85 68 ff ff ff 48 89 55 80 48 c1 ea 03 48 89 95 70 ff ff ff
RSP: 0018:ffffc90000bbfff0 EFLAGS: 00010a02
RAX: 1ffff92000178025 RBX: dffffc0000000000 RCX: ffffc90000bc0120
RDX: ffffc90000bc0130 RSI: ffffc90000bc0110 RDI: ffffc90000bc0120
RBP: ffffc90000bc0088 R08: dffffc0000000000 R09: ffffc90000bc0120
R10: fffff52000178030 R11: 0000000000000000 R12: ffffc90000bc0138
R13: ffffc90000bc0120 R14: ffffc90000bc0128 R15: ffffc90000bc0120
FS: 00005555564be300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000bbffe8 CR3: 000000011ceb7000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace fab8bdc73d925443 ]---
RIP: 0010:update_stack_state+0x127/0x530 arch/x86/kernel/unwind_frame.c:205
Code: 45 b8 48 01 c1 48 89 4d 98 4d 8d 67 18 49 8d 47 28 48 89 45 c8 4d 89 fd 49 8d 47 20 48 89 85 78 ff ff ff 4c 89 f0 48 c1 e8 03 <48> 89 85 68 ff ff ff 48 89 55 80 48 c1 ea 03 48 89 95 70 ff ff ff
RSP: 0018:ffffc90000bbfff0 EFLAGS: 00010a02
RAX: 1ffff92000178025 RBX: dffffc0000000000 RCX: ffffc90000bc0120
RDX: ffffc90000bc0130 RSI: ffffc90000bc0110 RDI: ffffc90000bc0120
RBP: ffffc90000bc0088 R08: dffffc0000000000 R09: ffffc90000bc0120
R10: fffff52000178030 R11: 0000000000000000 R12: ffffc90000bc0138
R13: ffffc90000bc0120 R14: ffffc90000bc0128 R15: ffffc90000bc0120
FS: 00005555564be300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000bbffe8 CR3: 000000011ceb7000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 45 b8 48 01 c1 48 rex.RB mov $0x48c10148,%r8d
6: 89 4d 98 mov %ecx,-0x68(%rbp)
9: 4d 8d 67 18 lea 0x18(%r15),%r12
d: 49 8d 47 28 lea 0x28(%r15),%rax
11: 48 89 45 c8 mov %rax,-0x38(%rbp)
15: 4d 89 fd mov %r15,%r13
18: 49 8d 47 20 lea 0x20(%r15),%rax
1c: 48 89 85 78 ff ff ff mov %rax,-0x88(%rbp)
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 48 89 85 68 ff ff ff mov %rax,-0x98(%rbp) <-- trapping instruction
31: 48 89 55 80 mov %rdx,-0x80(%rbp)
35: 48 c1 ea 03 shr $0x3,%rdx
39: 48 89 95 70 ff ff ff mov %rdx,-0x90(%rbp)


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Tadeusz Struk

Mar 25, 2022, 10:46:33 AM
to syzbot, syzkaller-a...@googlegroups.com

syzbot

Mar 25, 2022, 10:55:08 AM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

rt_xmit+0x18d/0x2f0 net/core/dev.c:3607
__dev_queue_xmit+0x100c/0x1c30 net/core/dev.c:4173
dev_queue_xmit+0x17/0x20 net/core/dev.c:4206
neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1531
neigh_output include/net/neighbour.h:524 [inline]
ip6_finish_output2+0xde2/0x1440 net/ipv6/ip6_output.c:145
__ip6_finish_output+0x3e4/0x520 net/ipv6/ip6_output.c:210
ip6_finish_output+0x3f/0x220 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:293 [inline]
ip6_output+0x1f8/0x4b0 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:443 [inline]
NF_HOOK+0xdd/0x280 include/linux/netfilter.h:304
ndisc_send_skb+0x646/0x9f0 net/ipv6/ndisc.c:508
ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
addrconf_dad_completed+0x4f3/0x9f0 net/ipv6/addrconf.c:4241
addrconf_dad_work+0x9c1/0x1520
process_one_work+0x3ca/0x660 kernel/workqueue.c:2298
worker_thread+0x709/0xa20 kernel/workqueue.c:2444
kthread+0x389/0x3c0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30
================================================================================




syzkaller
syzkaller login: [ 6.403942][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
[ 14.443929][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
[ 14.445744][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
[ 14.497393][ T23] kauditd_printk_skb: 60 callbacks suppressed
[ 14.497403][ T23] audit: type=1400 audit(1648220056.010:71): avc: denied { transition } for pid=290 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 14.528450][ T23] audit: type=1400 audit(1648220056.040:72): avc: denied { write } for pid=290 comm="sh" path="pipe:[11334]" dev="pipefs" ino=11334 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.0.74' (ECDSA) to the list of known hosts.
2022/03/25 14:54:23 fuzzer started
2022/03/25 14:54:23 connecting to host at 10.128.0.163:42437
2022/03/25 14:54:23 checking machine...
2022/03/25 14:54:23 checking revisions...
2022/03/25 14:54:23 testing simple program...
[ 22.149680][ T23] audit: type=1400 audit(1648220063.660:73): avc: denied { getattr } for pid=362 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.174419][ T370] cgroup: Unknown subsys name 'net'
[ 22.174964][ T23] audit: type=1400 audit(1648220063.670:74): avc: denied { read } for pid=362 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.202358][ T23] audit: type=1400 audit(1648220063.670:75): avc: denied { open } for pid=362 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.203113][ T370] cgroup: Unknown subsys name 'devices'
[ 22.285881][ T23] audit: type=1400 audit(1648220063.680:76): avc: denied { read } for pid=362 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.321289][ T23] audit: type=1400 audit(1648220063.680:77): avc: denied { open } for pid=362 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.346181][ T23] audit: type=1400 audit(1648220063.680:78): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 22.369551][ T23] audit: type=1400 audit(1648220063.680:79): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.392684][ T23] audit: type=1400 audit(1648220063.690:80): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.526112][ T370] cgroup: Unknown subsys name 'hugetlb'
[ 22.532103][ T370] cgroup: Unknown subsys name 'rlimit'
[ 22.715004][ T23] audit: type=1400 audit(1648220064.230:81): avc: denied { setattr } for pid=370 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.740135][ T23] audit: type=1400 audit(1648220064.250:82): avc: denied { execmem } for pid=372 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 22.794940][ T373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.802992][ T373] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.810942][ T373] device bridge_slave_0 entered promiscuous mode
[ 22.818193][ T373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.825875][ T373] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.834205][ T373] device bridge_slave_1 entered promiscuous mode
[ 22.867813][ T373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.875495][ T373] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.883012][ T373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.891208][ T373] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.914424][ T374] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.923191][ T374] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.931360][ T374] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 22.939730][ T374] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 22.957078][ T374] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 22.967146][ T374] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.974647][ T374] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.983143][ T374] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 22.991856][ T374] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.999531][ T374] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.007170][ T374] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 23.015596][ T374] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 23.030617][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 23.042938][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.060458][ T374] ================================================================================
[ 23.070511][ T374] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2039:28
[ 23.074059][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
[ 23.078507][ T374] member access within address ffffc90000ba71c0 with insufficient space
[ 23.096949][ T374] for an object of type 'struct sk_buff'
[ 23.102674][ T374] CPU: 0 PID: 374 Comm: kworker/0:2 Not tainted 5.10.107-syzkaller-00407-g6b94b8c3b722 #0
[ 23.113160][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.124521][ T374] Workqueue: ipv6_addrconf addrconf_dad_work
[ 23.130770][ T374] Call Trace:
[ 23.134916][ T374] dump_stack_lvl+0x1e2/0x24b
[ 23.140116][ T374] ? show_regs_print_info+0x18/0x18
[ 23.145316][ T374] ? wg_allowedips_lookup_dst+0x190/0x190
[ 23.151445][ T374] dump_stack+0x15/0x1d
[ 23.156017][ T374] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 23.162040][ T374] ? __sanitizer_cov_trace_switch+0x74/0x90
[ 23.168700][ T374] __ubsan_handle_type_mismatch_v1+0x5b/0x70
[ 23.175471][ T374] wg_xmit+0x4a2/0xae0
[ 23.179895][ T374] ? wg_stop+0x5d0/0x5d0
[ 23.185034][ T374] ? __sanitizer_cov_trace_const_cmp2+0x19/0x20
[ 23.191406][ T374] netdev_start_xmit+0x8a/0x160
[ 23.196505][ T374] dev_hard_start_xmit+0x18d/0x2f0
[ 23.202258][ T374] __dev_queue_xmit+0x100c/0x1c30
[ 23.207969][ T374] ? dev_queue_xmit+0x20/0x20
[ 23.213146][ T374] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.219603][ T374] ? ndisc_constructor+0x690/0x8a0
[ 23.225173][ T374] ? _raw_write_unlock_bh+0x31/0x47
[ 23.231068][ T374] ? ___neigh_create+0x162d/0x1ab0
[ 23.236700][ T374] ? dev_hard_header+0xdb/0xf0
[ 23.241834][ T374] dev_queue_xmit+0x17/0x20
[ 23.246449][ T374] neigh_connected_output+0x288/0x2b0
[ 23.252253][ T374] ip6_finish_output2+0xde2/0x1440
[ 23.257692][ T374] ? __rcu_read_lock+0x50/0x50
[ 23.262906][ T374] ? __ip6_finish_output+0x520/0x520
[ 23.268785][ T374] ? dst_cow_metrics_generic+0x55/0x1d0
[ 23.274511][ T374] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.281245][ T374] ? ip6_skb_dst_mtu+0xaf/0x260
[ 23.286592][ T374] __ip6_finish_output+0x3e4/0x520
[ 23.291962][ T374] ip6_finish_output+0x3f/0x220
[ 23.297324][ T374] ? ip6_output+0x1d3/0x4b0
[ 23.301846][ T374] ip6_output+0x1f8/0x4b0
[ 23.306927][ T374] ? asan.module_dtor+0x20/0x20
[ 23.311835][ T374] ? skb_dst+0x40/0x40
[ 23.316153][ T374] ? __rcu_read_lock+0x50/0x50
[ 23.321157][ T374] ? selinux_ipv6_forward+0x50/0x50
[ 23.326907][ T374] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 23.332932][ T374] ? nf_hook_slow+0x150/0x1b0
[ 23.338306][ T374] NF_HOOK+0xdd/0x280
[ 23.342678][ T374] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 23.348475][ T374] ? NF_HOOK+0x280/0x280
[ 23.353393][ T374] ? __rcu_read_lock+0x50/0x50
[ 23.358163][ T374] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.364795][ T374] ? ndisc_send_skb+0x547/0x9f0
[ 23.369725][ T374] ? memcpy+0x56/0x70
[ 23.373995][ T374] ndisc_send_skb+0x646/0x9f0
[ 23.379848][ T374] ? slab_post_alloc_hook+0x90/0xa0
[ 23.385472][ T374] ? ndisc_fill_addr_option+0x2f0/0x2f0
[ 23.392072][ T374] ? skb_set_owner_w+0x1a8/0x310
[ 23.397171][ T374] ? __sanitizer_cov_trace_cmp4+0x19/0x20
[ 23.402977][ T374] ? skb_put+0x11d/0x210
[ 23.407314][ T374] ndisc_send_rs+0x26c/0x360
[ 23.411993][ T374] addrconf_dad_completed+0x4f3/0x9f0
[ 23.417757][ T374] ? addrconf_dad_stop+0x430/0x430
[ 23.423680][ T374] addrconf_dad_work+0x9c1/0x1520
[ 23.429010][ T374] ? move_linked_works+0x118/0x130
[ 23.434510][ T374] ? ipv6_use_optimistic_addr+0x1d0/0x1d0
[ 23.440567][ T374] ? __kasan_check_write+0x14/0x20
[ 23.445806][ T374] process_one_work+0x3ca/0x660
[ 23.451579][ T374] worker_thread+0x709/0xa20
[ 23.456504][ T374] ? __kthread_parkme+0x11b/0x150
[ 23.461632][ T374] kthread+0x389/0x3c0
[ 23.465709][ T374] ? pr_cont_work+0x110/0x110
[ 23.470436][ T374] ? __list_add+0xc0/0xc0
[ 23.475158][ T374] ret_from_fork+0x1f/0x30
[ 23.479666][ T374] ================================================================================
[ 23.489457][ T374] ================================================================================
[ 23.498846][ T374] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1932:2
[ 23.507621][ T374] member access within address ffffc90000ba71c0 with insufficient space
[ 23.517037][ T374] for an object of type 'struct sk_buff'
[ 23.522676][ T374] CPU: 0 PID: 374 Comm: kworker/0:2 Not tainted 5.10.107-syzkaller-00407-g6b94b8c3b722 #0
[ 23.533081][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.543499][ T374] Workqueue: ipv6_addrconf addrconf_dad_work
[ 23.549486][ T374] Call Trace:
[ 23.552788][ T374] dump_stack_lvl+0x1e2/0x24b
[ 23.557754][ T374] ? show_regs_print_info+0x18/0x18
[ 23.563428][ T374] ? irq_exit_rcu+0x9/0x10
[ 23.568210][ T374] ? sysvec_call_function_single+0xcb/0xe0
[ 23.574628][ T374] dump_stack+0x15/0x1d
[ 23.578784][ T374] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 23.584646][ T374] __ubsan_handle_type_mismatch_v1+0x5b/0x70
[ 23.590815][ T374] wg_xmit+0x513/0xae0
[ 23.595607][ T374] ? wg_stop+0x5d0/0x5d0
[ 23.600261][ T374] ? __sanitizer_cov_trace_const_cmp2+0x19/0x20
[ 23.606492][ T374] netdev_start_xmit+0x8a/0x160
[ 23.611625][ T374] dev_hard_start_xmit+0x18d/0x2f0
[ 23.616752][ T374] __dev_queue_xmit+0x100c/0x1c30
[ 23.622023][ T374] ? dev_queue_xmit+0x20/0x20
[ 23.627360][ T374] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.634115][ T374] ? ndisc_constructor+0x690/0x8a0
[ 23.639543][ T374] ? _raw_write_unlock_bh+0x31/0x47
[ 23.645126][ T374] ? ___neigh_create+0x162d/0x1ab0
[ 23.650636][ T374] ? dev_hard_header+0xdb/0xf0
[ 23.655893][ T374] dev_queue_xmit+0x17/0x20
[ 23.660412][ T374] neigh_connected_output+0x288/0x2b0
[ 23.665981][ T374] ip6_finish_output2+0xde2/0x1440
[ 23.671824][ T374] ? __rcu_read_lock+0x50/0x50
[ 23.676850][ T374] ? __ip6_finish_output+0x520/0x520
[ 23.682597][ T374] ? dst_cow_metrics_generic+0x55/0x1d0
[ 23.688746][ T374] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.695606][ T374] ? ip6_skb_dst_mtu+0xaf/0x260
[ 23.700989][ T374] __ip6_finish_output+0x3e4/0x520
[ 23.706362][ T374] ip6_finish_output+0x3f/0x220
[ 23.712423][ T374] ? ip6_output+0x1d3/0x4b0
[ 23.717296][ T374] ip6_output+0x1f8/0x4b0
[ 23.722339][ T374] ? asan.module_dtor+0x20/0x20
[ 23.727964][ T374] ? skb_dst+0x40/0x40
[ 23.732548][ T374] ? __rcu_read_lock+0x50/0x50
[ 23.737464][ T374] ? selinux_ipv6_forward+0x50/0x50
[ 23.742767][ T374] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 23.749436][ T374] ? nf_hook_slow+0x150/0x1b0
[ 23.754824][ T374] NF_HOOK+0xdd/0x280
[ 23.758885][ T374] ? addrconf_addr_solict_mult+0xe0/0xe0
[ 23.764797][ T374] ? NF_HOOK+0x280/0x280
[ 23.769147][ T374] ? __rcu_read_lock+0x50/0x50
[ 23.774000][ T374] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.780814][ T374] ? ndisc_send_skb+0x547/0x9f0
[ 23.786355][ T374] ? memcpy+0x56/0x70
[ 23.790761][ T374] ndisc_send_skb+0x646/0x9f0
[ 23.795615][ T374] ? slab_post_alloc_hook+0x90/0xa0
[ 23.800963][ T374] ? ndisc_fill_addr_option+0x2f0/0x2f0
[ 23.806925][ T374] ? skb_set_owner_w+0x1a8/0x310
[ 23.812806][ T374] ? __sanitizer_cov_trace_cmp4+0x19/0x20
[ 23.818628][ T374] ? skb_put+0x11d/0x210
[ 23.822867][ T374] ndisc_send_rs+0x26c/0x360
[ 23.827557][ T374] addrconf_dad_completed+0x4f3/0x9f0
[ 23.833035][ T374] ? addrconf_dad_stop+0x430/0x430
[ 23.838148][ T374] addrconf_dad_work+0x9c1/0x1520
[ 23.843269][ T374] ? move_linked_works+0x118/0x130
[ 23.848362][ T374] ? ipv6_use_optimistic_addr+0x1d0/0x1d0
[ 23.854108][ T374] ? __kasan_check_write+0x14/0x20
[ 23.859447][ T374] process_one_work+0x3ca/0x660
[ 23.864676][ T374] worker_thread+0x709/0xa20
[ 23.869608][ T374] ? __kthread_parkme+0x11b/0x150
[ 23.875300][ T374] kthread+0x389/0x3c0
[ 23.879601][ T374] ? pr_cont_work+0x110/0x110
[ 23.884444][ T374] ? __list_add+0xc0/0xc0
[ 23.889231][ T374] ret_from_fork+0x1f/0x30
[ 23.894014][ T374] ================================================================================
[ 23.905143][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
[ 23.906820][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2022/03/25 14:54:25 building call list...
[ 23.923136][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.932230][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.953486][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 24.502720][ T9] device bridge_slave_1 left promiscuous mode
[ 24.509145][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.517449][ T9] device bridge_slave_0 left promiscuous mode
[ 24.524175][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
executing program


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1333ce7d700000


Tested on:

commit: 6b94b8c3 ANDROID: KVM: arm64: Only map swap-backed pag..
git tree: https://android.googlesource.com/kernel/common android13-5.10
kernel config: https://syzkaller.appspot.com/x/.config?x=c49accf4224b02fa
dashboard link: https://syzkaller.appspot.com/bug?extid=0538c6f61b93f1cf6030
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Tadeusz Struk

Mar 25, 2022, 11:11:52 AM
to syzbot, syzkaller-a...@googlegroups.com
On 3/24/22 18:50, syzbot wrote:
=======================================
index 0bd6520329f6..8ec46e3a503d 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1933,9 +1933,10 @@ static inline void skb_queue_head_init_class(struct
sk_buff_head *list,
* The "__skb_xxxx()" functions are the non-atomic ones that
* can only be called with interrupts disabled.
*/
-static inline void __skb_insert(struct sk_buff *newsk,
- struct sk_buff *prev, struct sk_buff *next,
- struct sk_buff_head *list)
+static inline void __no_sanitize_undefined
+__skb_insert(struct sk_buff *newsk,
+ struct sk_buff *prev, struct sk_buff *next,
+ struct sk_buff_head *list)
{
/* See skb_queue_empty_lockless() and skb_peek_tail()
* for the opposite READ_ONCE()
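Review bot: this hunk header has been line-wrapped by the mail client (`@@ -1933,9 +1933,10 @@ static inline void skb_queue_head_init_class(struct` continues on a second line as `sk_buff_head *list,`), and every later `@@` header in this patch is wrapped the same way, so `patch` will reject all of the hunks; the leading `diff --git` line is also missing. Resend with line wrapping disabled or as an attachment. On the change itself, `__no_sanitize_undefined` on `__skb_insert` switches off the object-size check for the `next->prev` and `prev->next` stores that fire when a `struct sk_buff_head` is passed in as a `struct sk_buff *`; the type punning stays in place, so the changelog should describe this as a warning suppression rather than a fix, and a comment above the attribute should say which callers pass a list head here.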
@@ -1966,8 +1967,9 @@ static inline void __skb_queue_splice(const struct
sk_buff_head *list,
* @list: the new list to add
* @head: the place to add it in the first list
*/
-static inline void skb_queue_splice(const struct sk_buff_head *list,
- struct sk_buff_head *head)
+static inline void __no_sanitize_undefined
+skb_queue_splice(const struct sk_buff_head *list,
+ struct sk_buff_head *head)
{
if (!skb_queue_empty(list)) {
__skb_queue_splice(list, (struct sk_buff *) head, head->next);
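Review bot: `skb_queue_splice` contains no member access through the cast pointer itself; it only hands `(struct sk_buff *) head` to `__skb_queue_splice`, which this patch does not touch, so the attribute on this wrapper does not cover the accesses that would trip UBSAN. Either drop the attribute from the four `skb_queue_splice*` wrappers (this hunk and the three that follow) or put it on `__skb_queue_splice`, where the head is actually dereferenced as an `sk_buff`.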
@@ -1982,8 +1984,9 @@ static inline void skb_queue_splice(const struct
sk_buff_head *list,
*
* The list at @list is reinitialised
*/
-static inline void skb_queue_splice_init(struct sk_buff_head *list,
- struct sk_buff_head *head)
+static inline void __no_sanitize_undefined
+skb_queue_splice_init(struct sk_buff_head *list,
+ struct sk_buff_head *head)
{
if (!skb_queue_empty(list)) {
__skb_queue_splice(list, (struct sk_buff *) head, head->next);
@@ -1997,8 +2000,9 @@ static inline void skb_queue_splice_init(struct
sk_buff_head *list,
* @list: the new list to add
* @head: the place to add it in the first list
*/
-static inline void skb_queue_splice_tail(const struct sk_buff_head *list,
- struct sk_buff_head *head)
+static inline void __no_sanitize_undefined
+skb_queue_splice_tail(const struct sk_buff_head *list,
+ struct sk_buff_head *head)
{
if (!skb_queue_empty(list)) {
__skb_queue_splice(list, head->prev, (struct sk_buff *) head);
@@ -2014,8 +2018,9 @@ static inline void skb_queue_splice_tail(const struct
sk_buff_head *list,
* Each of the lists is a queue.
* The list at @list is reinitialised
*/
-static inline void skb_queue_splice_tail_init(struct sk_buff_head *list,
- struct sk_buff_head *head)
+static inline void __no_sanitize_undefined
+skb_queue_splice_tail_init(struct sk_buff_head *list,
+ struct sk_buff_head *head)
{
if (!skb_queue_empty(list)) {
__skb_queue_splice(list, head->prev, (struct sk_buff *) head);
@@ -2035,9 +2040,10 @@ static inline void skb_queue_splice_tail_init(struct
sk_buff_head *list,
*
* A buffer cannot be placed on two lists at the same time.
*/
-static inline void __skb_queue_after(struct sk_buff_head *list,
- struct sk_buff *prev,
- struct sk_buff *newsk)
+static inline void __no_sanitize_undefined
+__skb_queue_after(struct sk_buff_head *list,
+ struct sk_buff *prev,
+ struct sk_buff *newsk)
{
__skb_insert(newsk, prev, prev->next, list);
}
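Review bot: `__skb_queue_after` is where the `prev->next` read happens on a `prev` that can be `(struct sk_buff *)list` from `__skb_queue_head` (given the hunk's line numbers, likely the `skbuff.h:2039:28` site in the test log above), and the attribute hides that report instead of removing the mismatched access. A more durable option is to read `next`/`prev` through a small struct that forms the common prefix of both `struct sk_buff` and `struct sk_buff_head`, so the compiler sees a complete object of the right size at this access.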
@@ -2045,9 +2051,10 @@ static inline void __skb_queue_after(struct sk_buff_head
*list,
void skb_append(struct sk_buff *old, struct sk_buff *newsk,
struct sk_buff_head *list);

-static inline void __skb_queue_before(struct sk_buff_head *list,
- struct sk_buff *next,
- struct sk_buff *newsk)
+static inline void __no_sanitize_undefined
+__skb_queue_before(struct sk_buff_head *list,
+ struct sk_buff *next,
+ struct sk_buff *newsk)
{
__skb_insert(newsk, next->prev, next, list);
}
@@ -2062,8 +2069,8 @@ static inline void __skb_queue_before(struct sk_buff_head
*list,
*
* A buffer cannot be placed on two lists at the same time.
*/
-static inline void __skb_queue_head(struct sk_buff_head *list,
- struct sk_buff *newsk)
+static inline void __no_sanitize_undefined
+__skb_queue_head(struct sk_buff_head *list, struct sk_buff *newsk)
{
__skb_queue_after(list, (struct sk_buff *)list, newsk);
}
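Review bot: `__skb_queue_head` (and `__skb_queue_tail` in the next hunk) only forwards `(struct sk_buff *)list` to `__skb_queue_after`/`__skb_queue_before`, which this patch already marks; the UBSAN check is emitted in the function that performs the access when that function is compiled, not at the inlining site, so the attribute on these two wrappers adds nothing and can be dropped to keep the suppression limited to the two functions that do the access.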
@@ -2079,8 +2086,8 @@ void skb_queue_head(struct sk_buff_head *list, struct
sk_buff *newsk);
*
* A buffer cannot be placed on two lists at the same time.
*/
-static inline void __skb_queue_tail(struct sk_buff_head *list,
- struct sk_buff *newsk)
+static inline void __no_sanitize_undefined
+__skb_queue_tail(struct sk_buff_head *list, struct sk_buff *newsk)
{
__skb_queue_before(list, (struct sk_buff *)list, newsk);
}

syzbot

Mar 25, 2022, 12:28:18 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file include/linux/skbuff.h
Hunk #1 FAILED at 1933.
Hunk #2 FAILED at 1966.
Hunk #3 FAILED at 1982.
Hunk #4 FAILED at 1997.
Hunk #5 FAILED at 2014.
Hunk #6 FAILED at 2035.
patch: **** unexpected end of file in patch



Tested on:

commit: 6b94b8c3 ANDROID: KVM: arm64: Only map swap-backed pag..
git tree: https://android.googlesource.com/kernel/common android13-5.10
patch: https://syzkaller.appspot.com/x/patch.diff?x=122090c7700000

Tadeusz Struk

Mar 25, 2022, 12:30:28 PM
to syzbot, syzkaller-a...@googlegroups.com
On 3/24/22 18:50, syzbot wrote:
#syz dup: BUG: stack guard page was hit in file_open

Tadeusz Struk

Mar 25, 2022, 1:31:40 PM
to syzbot, syzkaller-a...@googlegroups.com
On 3/24/22 18:50, syzbot wrote:
============================================================
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 3a02503b3637..8e58dfce3a56 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1929,8 +1929,8 @@ static inline void __skb_insert(struct sk_buff *newsk,
*/
WRITE_ONCE(newsk->next, next);
WRITE_ONCE(newsk->prev, prev);
- WRITE_ONCE(next->prev, newsk);
- WRITE_ONCE(prev->next, newsk);
+ WRITE_ONCE(((struct sk_buff_list *)next)->prev, newsk);
+ WRITE_ONCE(((struct sk_buff_list *)prev)->next, newsk);
WRITE_ONCE(list->qlen, list->qlen + 1);
}

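Review bot: `struct sk_buff_list` is not defined anywhere in the header as posted, so `((struct sk_buff_list *)next)->prev` is a member access through an incomplete type and fails to compile (the `incomplete definition of type 'struct sk_buff_list'` errors in the next reply are exactly this). The patch needs to add the type, e.g. a struct holding just `struct sk_buff *next, *prev`, and for the cast to be more than another reinterpretation both `struct sk_buff` and `struct sk_buff_head` should begin with that struct (a union with the existing `next`/`prev` members keeps every other user building), so that the object the compiler sees at these two stores really is complete.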
@@ -2026,7 +2026,7 @@ static inline void __skb_queue_after(struct sk_buff_head
*list,
struct sk_buff *prev,
struct sk_buff *newsk)
{
- __skb_insert(newsk, prev, prev->next, list);
+ __skb_insert(newsk, prev, ((struct sk_buff_list *)prev)->next, list);
}

void skb_append(struct sk_buff *old, struct sk_buff *newsk,
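Review bot: the cast in `__skb_queue_after` (and the matching one in `__skb_queue_before` in the next hunk) is needed because callers such as `__skb_queue_head` pass `(struct sk_buff *)list` as `prev`, but nothing at this site says so; add a one-line comment above each cast stating that `prev`/`next` may be the list head rather than a real `sk_buff`. The same missing-definition error as in the first hunk applies here until `struct sk_buff_list` exists.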
@@ -2036,7 +2036,7 @@ static inline void __skb_queue_before(struct sk_buff_head
*list,
struct sk_buff *next,
struct sk_buff *newsk)
{
- __skb_insert(newsk, next->prev, next, list);
+ __skb_insert(newsk, ((struct sk_buff_list *)next)->prev, next, list);
}

/**

syzbot

Mar 25, 2022, 1:34:15 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

./include/linux/skbuff.h:1932:42: error: incomplete definition of type 'struct sk_buff_list'
./include/linux/skbuff.h:1933:42: error: incomplete definition of type 'struct sk_buff_list'
:1932:42: error: incomplete definition of type 'struct sk_buff_list'


Tested on:

commit: 4443600c UPSTREAM: mm: fix use-after-free when anon vm..
dashboard link: https://syzkaller.appspot.com/bug?extid=0538c6f61b93f1cf6030
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1560f53b700000
