general protection fault in ipv6_rcv

syzbot

Mar 9, 2019, 2:39:06 AM3/9/19
to da...@davemloft.net, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot found the following crash on:

HEAD commit: d9862cfb Merge tag 'mips_5.1' of git://git.kernel.org/pub/..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15d1e5ad200000
kernel config: https://syzkaller.appspot.com/x/.config?x=73d88a42238825ad
dashboard link: https://syzkaller.appspot.com/bug?extid=6c54e67cc0b0c896aa4b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: amd64

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6c54e6...@syzkaller.appspotmail.com

netlink: 3 bytes leftover after parsing attributes in process
`syz-executor.3'.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
Enabling of bearer <::�> rejected, illegal name
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__x86_indirect_thunk_rax+0x10/0x20 arch/x86/lib/retpoline.S:32
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor.3'.
Code: c4 ff 48 8d 0c ca e9 bd 42 c4 ff bb f2 ff ff ff 45 30 ff e9 63 47 c4
ff 90 90 e8 07 00 00 00 f3 90 0f ae e8 eb f9 48 89 04 24 <c3> 0f 1f 44 00
00 66 2e 0f 1f 84 00 00 00 00 00 e8 07 00 00 00 f3
RSP: 0018:ffff8880aa2c7a20 EFLAGS: 00010246
RAX: 0000ffffffff8607 RBX: ffff888096e276ca RCX: ffffffff8607ee22
RDX: 1ffff11012dc4ede RSI: ffffffff8607edc8 RDI: ffff88806509fd40
RBP: ffff8880aa2c7a58 R08: ffff8880aa2b2440 R09: ffffed1015d25bd0
R10: ffffed1015d25bcf R11: ffff8880ae92de7b R12: ffff88806509fd40
R13: 0000000000000001 R14: ffff88806509fd98 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fed7c51a518 CR3: 000000004654c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
NF_HOOK include/linux/netfilter.h:289 [inline]
NF_HOOK include/linux/netfilter.h:283 [inline]
ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:272
__netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973
__netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
process_backlog+0x206/0x750 net/core/dev.c:5923
napi_poll net/core/dev.c:6346 [inline]
net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
__do_softirq+0x266/0x95a kernel/softirq.c:292
run_ksoftirqd kernel/softirq.c:654 [inline]
run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
kthread+0x357/0x430 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 1ebaef9e8c3600e4 ]---
RIP: 0010:__x86_indirect_thunk_rax+0x10/0x20 arch/x86/lib/retpoline.S:32
Code: c4 ff 48 8d 0c ca e9 bd 42 c4 ff bb f2 ff ff ff 45 30 ff e9 63 47 c4
ff 90 90 e8 07 00 00 00 f3 90 0f ae e8 eb f9 48 89 04 24 <c3> 0f 1f 44 00
00 66 2e 0f 1f 84 00 00 00 00 00 e8 07 00 00 00 f3
Enabling of bearer <::�> rejected, illegal name
RSP: 0018:ffff8880aa2c7a20 EFLAGS: 00010246
RAX: 0000ffffffff8607 RBX: ffff888096e276ca RCX: ffffffff8607ee22
RDX: 1ffff11012dc4ede RSI: ffffffff8607edc8 RDI: ffff88806509fd40
RBP: ffff8880aa2c7a58 R08: ffff8880aa2b2440 R09: ffffed1015d25bd0
R10: ffffed1015d25bcf R11: ffff8880ae92de7b R12: ffff88806509fd40
R13: 0000000000000001 R14: ffff88806509fd98 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fed7c51a518 CR3: 000000004654c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kobject: 'loop0' (00000000152428b3): kobject_uevent_env
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Oct 25, 2019, 4:42:07 AM10/25/19
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.