kernel BUG at lib/string.c:LINE! (4)


syzbot

May 16, 2018, 11:35:03 AM5/16/18
to core...@netfilter.org, da...@davemloft.net, f...@strlen.de, ho...@verge.net.au, j...@ssi.bg, kad...@blackhole.kfki.hu, linux-...@vger.kernel.org, lvs-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, wen...@linux-vs.org
Hello,

syzbot found the following crash on:

HEAD commit: 0b7d9978406f Merge branch 'Microsemi-Ocelot-Ethernet-switc..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16e91017800000
kernel config: https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
dashboard link: https://syzkaller.appspot.com/bug?extid=aac887f77319868646df
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1665d637800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10517107800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aac887...@syzkaller.appspotmail.com

IPVS: Unknown mcast interface: veth1_to�a����
IPVS: Unknown mcast interface: veth1_to�a����
IPVS: Unknown mcast interface: veth1_to�a����
detected buffer overflow in strlen
------------[ cut here ]------------
kernel BUG at lib/string.c:1052!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
strlen include/linux/string.h:270 [inline]
strlcpy include/linux/string.h:293 [inline]
do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447369
RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
---[ end trace 624046f2d9af7702 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
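
The crash above is strlcpy() doing its job: it computes strlen() of the source before copying, and dm->mcast_ifn is a fixed-size name array copied in from user space. If the caller fills every byte of it with no NUL, strlen() keeps walking past the array into whatever follows it on the kernel stack, which is what FORTIFY_SOURCE caught and reported as "detected buffer overflow in strlen". The program below is an added illustration, not code from this thread or from the kernel tree. It re-implements the semantics of the two copy helpers in user space (strlcpy_like, strscpy_like, counting_strlen, struct daemon_user and struct ctl_arg are this example's own names), feeds them a constructed, deliberately unterminated 16-byte name, and shows how far the strlcpy()-style strlen() walks versus the bounded strscpy()-style copy, plus a return-value check that turns truncation into -EINVAL. The 16-byte IFNAME_MAXLEN and the state/mcast_ifn/syncid layout are assumptions mirroring the uapi struct; the checked start routine is one way to harden the call, not the upstream fix.

```c
/* Added example, not code from this thread or the kernel tree: strlcpy() runs
 * strlen() over its whole source, so an unterminated user-supplied name walks
 * past its array, while a strscpy()-style copy stops at the field size.
 * Assumed: IFNAME_MAXLEN (16) and the state/mcast_ifn/syncid layout mirror
 * uapi struct ip_vs_daemon_user; the helpers re-implement kernel semantics. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define IFNAME_MAXLEN 16

struct daemon_user {               /* assumed layout of ip_vs_daemon_user */
    int  state;
    char mcast_ifn[IFNAME_MAXLEN];
    int  syncid;
};

struct ctl_arg {                   /* stand-in for the kernel's stack buffer: */
    struct daemon_user dm;         /* the copied-in payload sits at the front */
    char tail[48];                 /* and other bytes follow it */
};

/* strlen() that reports how far it read. Capped at `limit` so the demo never
 * leaves struct ctl_arg; the kernel's strlen() has no cap, hence fortify. */
static size_t counting_strlen(const char *s, size_t limit, size_t *walked)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    *walked = n;
    return n;
}

/* strlcpy() semantics: measure the whole source first, then copy. */
static size_t strlcpy_like(char *dst, const char *src, size_t dsize,
                           size_t src_limit, size_t *src_walked)
{
    size_t len = counting_strlen(src, src_limit, src_walked);
    size_t n = len < dsize - 1 ? len : dsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* strscpy() semantics: read at most `count` source bytes, always
 * NUL-terminate, return the copied length or -E2BIG when truncated. */
static long strscpy_like(char *dst, const char *src, size_t count)
{
    size_t n;
    for (n = 0; n < count - 1 && src[n] != '\0'; n++)
        dst[n] = src[n];
    dst[n] = '\0';
    return src[n] == '\0' ? (long)n : -E2BIG;
}

/* Constructed input: a 16-byte name with no NUL, then a non-zero syncid and
 * 47 'B's; the first NUL in sight is the last byte of tail. */
static void make_unterminated_arg(struct ctl_arg *arg)
{
    memset(arg, 0, sizeof(*arg));
    memcpy(arg->dm.mcast_ifn, "veth1_to_bridge0", IFNAME_MAXLEN);
    arg->dm.syncid = 0x41414141;
    memset(arg->tail, 'B', sizeof(arg->tail) - 1);
}

/* Bytes the strlcpy()-style strlen() inspected: 16 (mcast_ifn) + 4 (syncid)
 * + 47 (tail) = 67, of which 51 lie outside the field being copied. */
size_t demo_strlcpy_overread(void)
{
    struct ctl_arg arg;
    char dst[IFNAME_MAXLEN];
    size_t walked = 0;
    size_t limit = sizeof(arg) - offsetof(struct ctl_arg, dm.mcast_ifn);
    make_unterminated_arg(&arg);
    strlcpy_like(dst, arg.dm.mcast_ifn, sizeof(dst), limit, &walked);
    return walked;
}

/* Hardened pattern (illustrative, not the upstream fix): check the bounded
 * copy's result (handed back via *copy_result), fail with -EINVAL if truncated. */
int start_daemon_checked_demo(long *copy_result)
{
    struct ctl_arg arg;
    char cfg_ifn[IFNAME_MAXLEN];
    make_unterminated_arg(&arg);
    *copy_result = strscpy_like(cfg_ifn, arg.dm.mcast_ifn, sizeof(cfg_ifn));
    return *copy_result <= 0 ? -EINVAL : 0;
}

int main(void)
{
    long copied;
    int rc = start_daemon_checked_demo(&copied);
    printf("strlcpy-style strlen walked %zu bytes of a %d-byte field\n",
           demo_strlcpy_overread(), IFNAME_MAXLEN);
    printf("strscpy-style copy returned %ld, checked start returned %d\n",
           copied, rc);
    return 0;
}
```

The counting strlen() is capped only so that the demonstration itself stays inside struct ctl_arg; in the kernel the walk continues until it happens to meet a zero byte, and with CONFIG_FORTIFY_SOURCE the compile-time known size of the source object is what lets fortify_panic() stop it. The point of the bounded variant is that it never needs a terminator in the source: it reads at most sizeof(cfg.mcast_ifn) bytes and tells the caller, via -E2BIG, that the name did not fit, which is the signal a caller should refuse rather than ignore.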

Paolo Abeni

May 16, 2018, 11:57:27 AM5/16/18
to syzbot, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
---
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index f36098887ad0..f1529d6a36bd 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2381,7 +2381,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
struct ipvs_sync_daemon_cfg cfg;

memset(&cfg, 0, sizeof(cfg));
- strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+ strscpy(cfg.mcast_ifn, dm->mcast_ifn,
sizeof(cfg.mcast_ifn));
cfg.syncid = dm->syncid;
ret = start_sync_thread(ipvs, &cfg, dm->state);
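Review bot: the strscpy() return value is left unchecked at `+ strscpy(cfg.mcast_ifn, dm->mcast_ifn,` / `sizeof(cfg.mcast_ifn));`, so an unterminated or over-long name from the user-supplied struct is silently truncated and still handed to start_sync_thread() on the `ret = start_sync_thread(ipvs, &cfg, dm->state);` line; the three "IPVS: Unknown mcast interface: veth1_to..." lines in the report show such a name was already reaching the interface lookup. The swap does remove the crash, since strscpy() never calls strlen() on its source and reads at most sizeof(cfg.mcast_ifn) bytes, but it returns -E2BIG on truncation, so test for a negative result and fail with -EINVAL through the function's existing ret/error path instead of starting the sync thread with a truncated name. Any other strlcpy() in this function that reads a name straight out of a user-copied ip_vs structure deserves the same check.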

syzbot

May 16, 2018, 12:29:03 PM5/16/18
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:310 [inline]
ptr_ring_consume include/linux/ptr_ring.h:335 [inline]
ptr_ring_cleanup include/linux/ptr_ring.h:671 [inline]
tun_chr_close+0x334/0x6e0 drivers/net/tun.c:3248
__fput+0x34d/0x890 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x47fc44
RSP: 002b:000000c420135550 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fc44
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000c420135598 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000c42017ca32
R13: 000000c42017ca37 R14: 000000c42017ca30 R15: 000000c42017ca48

Allocated by task 4471:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc+0x14e/0x760 mm/slab.c:3727
kmalloc include/linux/slab.h:517 [inline]
sk_prot_alloc+0x1ae/0x2e0 net/core/sock.c:1474
sk_alloc+0x104/0x17b0 net/core/sock.c:1528
tun_chr_open+0xef/0x690 drivers/net/tun.c:3211
misc_open+0x3ca/0x560 drivers/char/misc.c:154
chrdev_open+0x256/0x760 fs/char_dev.c:417
do_dentry_open+0x7ef/0xf10 fs/open.c:784
vfs_open+0x139/0x230 fs/open.c:906
do_last fs/namei.c:3365 [inline]
path_openat+0x1676/0x4e20 fs/namei.c:3501
do_filp_open+0x249/0x350 fs/namei.c:3535
do_sys_open+0x56f/0x740 fs/open.c:1093
__do_sys_openat fs/open.c:1120 [inline]
__se_sys_openat fs/open.c:1114 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1114
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4471:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xd9/0x260 mm/slab.c:3813
sk_prot_free net/core/sock.c:1511 [inline]
__sk_destruct+0x772/0xa40 net/core/sock.c:1593
sk_destruct+0x78/0x90 net/core/sock.c:1601
__sk_free+0x22e/0x340 net/core/sock.c:1612
sk_free+0x42/0x50 net/core/sock.c:1623
sock_put include/net/sock.h:1664 [inline]
__tun_detach+0xacd/0x1170 drivers/net/tun.c:732
tun_detach drivers/net/tun.c:744 [inline]
tun_chr_close+0x596/0x6e0 drivers/net/tun.c:3247
__fput+0x34d/0x890 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801b335a580
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1760 bytes inside of
2048-byte region [ffff8801b335a580, ffff8801b335ad80)
The buggy address belongs to the page:
page:ffffea0006ccd680 count:1 mapcount:0 mapping:ffff8801b335a580 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801b335a580 0000000000000000 0000000100000003
raw: ffffea0006ca5da0 ffffea0006b572a0 ffff8801da800c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801b335ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b335ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801b335ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801b335ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b335ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd[ 18.002297] random: sshd: uninitialized urandom read (32 bytes read).

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.947302] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.246962] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.087083] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.51' (ECDSA) to the list of known hosts.
[ 28.630872] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/16 16:28:07 fuzzer started
2018/05/16 16:28:08 connecting to host at 10.128.0.26:46047
2018/05/16 16:28:08 checking config...
[ 52.158714] can: request_module (can-proto-0) failed.
[ 52.168271] can: request_module (can-proto-0) failed.
[ 52.836690]
==================================================================
[ 52.844104] BUG: KASAN: use-after-free in __lock_acquire+0x3888/0x5140
[ 52.850754] Read of size 8 at addr ffff8801b335ac60 by task syz-fuzzer/4471
[ 52.857828]
[ 52.859457] CPU: 1 PID: 4471 Comm: syz-fuzzer Not tainted 4.17.0-rc4+ #1
[ 52.866272] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.875601] Call Trace:
[ 52.878171] dump_stack+0x1b9/0x294
[ 52.881784] ? dump_stack_print_info.cold.2+0x52/0x52
[ 52.886952] ? printk+0x9e/0xba
[ 52.890209] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 52.894944] ? kasan_check_write+0x14/0x20
[ 52.899156] print_address_description+0x6c/0x20b
[ 52.903977] ? __lock_acquire+0x3888/0x5140
[ 52.908282] kasan_report.cold.7+0x242/0x2fe
[ 52.912669] __asan_report_load8_noabort+0x14/0x20
[ 52.917585] __lock_acquire+0x3888/0x5140
[ 52.921712] ? kasan_check_write+0x14/0x20
[ 52.925926] ? __mutex_unlock_slowpath+0x180/0x8a0
[ 52.930837] ? __sk_destruct+0x70b/0xa40
[ 52.934885] ? wait_for_completion+0x870/0x870
[ 52.939445] ? debug_check_no_locks_freed+0x310/0x310
[ 52.944622] ? __mutex_lock+0x7d9/0x17f0
[ 52.948662] ? rtnl_lock+0x17/0x20
[ 52.952180] ? print_usage_bug+0xc0/0xc0
[ 52.956221] ? mutex_trylock+0x2a0/0x2a0
[ 52.960263] ? mutex_unlock+0xd/0x10
[ 52.963957] ? __rtnl_unlock+0x7e/0x90
[ 52.967825] ? netdev_run_todo+0x747/0xa50
[ 52.972050] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 52.976784] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 52.981517] ? register_netdev+0x50/0x50
[ 52.985561] ? sk_destruct+0x7d/0x90
[ 52.989254] ? __sk_free+0x233/0x340
[ 52.992944] ? sk_free+0x47/0x50
[ 52.996289] ? __tun_detach+0x1a3/0x1170
[ 53.000327] ? debug_check_no_locks_freed+0x310/0x310
[ 53.005505] ? tun_attach+0x1720/0x1720
[ 53.009457] lock_acquire+0x1dc/0x520
[ 53.013236] ? tun_chr_close+0x334/0x6e0
[ 53.017278] ? lock_release+0xa10/0xa10
[ 53.021231] ? __lock_is_held+0xb5/0x140
[ 53.025272] ? __tun_detach+0x1170/0x1170
[ 53.029408] _raw_spin_lock+0x2a/0x40
[ 53.033189] ? tun_chr_close+0x334/0x6e0
[ 53.037240] tun_chr_close+0x334/0x6e0
[ 53.041108] ? fcntl_setlk+0x1020/0x1020
[ 53.045147] ? __tun_detach+0x1170/0x1170
[ 53.049271] ? fsnotify+0xfc0/0xfc0
[ 53.052875] ? fsnotify_first_mark+0x330/0x330
[ 53.057447] ? __might_sleep+0x95/0x190
[ 53.061400] ? __tun_detach+0x1170/0x1170
[ 53.065535] __fput+0x34d/0x890
[ 53.068792] ? fput+0x1a0/0x1a0
[ 53.072051] ? _raw_spin_unlock_irq+0x27/0x70
[ 53.076541] ____fput+0x15/0x20
[ 53.079818] task_work_run+0x1e4/0x290
[ 53.083685] ? task_work_cancel+0x240/0x240
[ 53.087995] ? exit_to_usermode_loop+0x87/0x310
[ 53.092642] exit_to_usermode_loop+0x2bd/0x310
[ 53.097199] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 53.102033] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.107552] do_syscall_64+0x6ac/0x800
[ 53.111420] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 53.116242] ? syscall_return_slowpath+0x5c0/0x5c0
[ 53.121152] ? syscall_return_slowpath+0x30f/0x5c0
[ 53.126062] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 53.131409] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.136232] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.141401] RIP: 0033:0x47fc44
[ 53.144567] RSP: 002b:000000c420135550 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 53.152260] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fc44
[ 53.159508] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 53.166771] RBP: 000000c420135598 R08: 0000000000000000 R09: 0000000000000000
[ 53.174030] R10: 0000000000000000 R11: 0000000000000246 R12: 000000c42017ca32
[ 53.181279] R13: 000000c42017ca37 R14: 000000c42017ca30 R15: 000000c42017ca48
[ 53.188532]
[ 53.190147] Allocated by task 4471:
[ 53.193754] save_stack+0x43/0xd0
[ 53.197195] kasan_kmalloc+0xc4/0xe0
[ 53.200888] __kmalloc+0x14e/0x760
[ 53.204404] sk_prot_alloc+0x1ae/0x2e0
[ 53.208268] sk_alloc+0x104/0x17b0
[ 53.211784] tun_chr_open+0xef/0x690
[ 53.215478] misc_open+0x3ca/0x560
[ 53.218997] chrdev_open+0x256/0x760
[ 53.222691] do_dentry_open+0x7ef/0xf10
[ 53.226656] vfs_open+0x139/0x230
[ 53.230100] path_openat+0x1676/0x4e20
[ 53.233970] do_filp_open+0x249/0x350
[ 53.237748] do_sys_open+0x56f/0x740
[ 53.241441] __x64_sys_openat+0x9d/0x100
[ 53.245480] do_syscall_64+0x1b1/0x800
[ 53.249347] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.254506]
[ 53.256119] Freed by task 4471:
[ 53.259376] save_stack+0x43/0xd0
[ 53.262804] __kasan_slab_free+0x11a/0x170
[ 53.267030] kasan_slab_free+0xe/0x10
[ 53.270808] kfree+0xd9/0x260
[ 53.273890] __sk_destruct+0x772/0xa40
[ 53.277755] sk_destruct+0x78/0x90
[ 53.281271] __sk_free+0x22e/0x340
[ 53.284788] sk_free+0x42/0x50
[ 53.287960] __tun_detach+0xacd/0x1170
[ 53.291825] tun_chr_close+0x596/0x6e0
[ 53.295701] __fput+0x34d/0x890
[ 53.298956] ____fput+0x15/0x20
[ 53.302213] task_work_run+0x1e4/0x290
[ 53.306081] exit_to_usermode_loop+0x2bd/0x310
[ 53.310648] do_syscall_64+0x6ac/0x800
[ 53.314517] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.319684]
[ 53.321293] The buggy address belongs to the object at ffff8801b335a580
[ 53.321293] which belongs to the cache kmalloc-2048 of size 2048
[ 53.334113] The buggy address is located 1760 bytes inside of
[ 53.334113] 2048-byte region [ffff8801b335a580, ffff8801b335ad80)
[ 53.346138] The buggy address belongs to the page:
[ 53.351044] page:ffffea0006ccd680 count:1 mapcount:0 mapping:ffff8801b335a580 index:0x0 compound_mapcount: 0
[ 53.360987] flags: 0x2fffc0000008100(slab|head)
[ 53.365637] raw: 02fffc0000008100 ffff8801b335a580 0000000000000000 0000000100000003
[ 53.373496] raw: ffffea0006ca5da0 ffffea0006b572a0 ffff8801da800c40 0000000000000000
[ 53.381350] page dumped because: kasan: bad access detected
[ 53.387031]
[ 53.388634] Memory state around the buggy address:
[ 53.393539] ffff8801b335ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.400874] ffff8801b335ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.408212] >ffff8801b335ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.415542] ^
[ 53.422028] ffff8801b335ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.429364] ffff8801b335ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.436698]
==================================================================
[ 53.444118] Disabling lock debugging due to kernel taint
[ 53.449545] Kernel panic - not syncing: panic_on_warn set ...
[ 53.449545]
[ 53.456890] CPU: 1 PID: 4471 Comm: syz-fuzzer Tainted: G B 4.17.0-rc4+ #1
[ 53.465095] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.474424] Call Trace:
[ 53.476996] dump_stack+0x1b9/0x294
[ 53.480609] ? dump_stack_print_info.cold.2+0x52/0x52
[ 53.485780] ? lock_downgrade+0x8e0/0x8e0
[ 53.489917] ? vprintk_default+0x28/0x30
[ 53.493961] ? __lock_acquire+0x3790/0x5140
[ 53.498270] panic+0x22f/0x4de
[ 53.501441] ? add_taint.cold.5+0x16/0x16
[ 53.505588] ? add_taint.cold.5+0x5/0x16
[ 53.509630] ? do_raw_spin_unlock+0x9e/0x2e0
[ 53.514016] ? __lock_acquire+0x3888/0x5140
[ 53.518317] kasan_end_report+0x47/0x4f
[ 53.522269] kasan_report.cold.7+0x76/0x2fe
[ 53.526573] __asan_report_load8_noabort+0x14/0x20
[ 53.531484] __lock_acquire+0x3888/0x5140
[ 53.535612] ? kasan_check_write+0x14/0x20
[ 53.539827] ? __mutex_unlock_slowpath+0x180/0x8a0
[ 53.544755] ? __sk_destruct+0x70b/0xa40
[ 53.548811] ? wait_for_completion+0x870/0x870
[ 53.553378] ? debug_check_no_locks_freed+0x310/0x310
[ 53.558552] ? __mutex_lock+0x7d9/0x17f0
[ 53.562593] ? rtnl_lock+0x17/0x20
[ 53.566115] ? print_usage_bug+0xc0/0xc0
[ 53.570158] ? mutex_trylock+0x2a0/0x2a0
[ 53.574200] ? mutex_unlock+0xd/0x10
[ 53.577894] ? __rtnl_unlock+0x7e/0x90
[ 53.581761] ? netdev_run_todo+0x747/0xa50
[ 53.585979] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 53.590711] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 53.595445] ? register_netdev+0x50/0x50
[ 53.599489] ? sk_destruct+0x7d/0x90
[ 53.603188] ? __sk_free+0x233/0x340
[ 53.606880] ? sk_free+0x47/0x50
[ 53.610225] ? __tun_detach+0x1a3/0x1170
[ 53.614267] ? debug_check_no_locks_freed+0x310/0x310
[ 53.619434] ? tun_attach+0x1720/0x1720
[ 53.623387] lock_acquire+0x1dc/0x520
[ 53.627174] ? tun_chr_close+0x334/0x6e0
[ 53.631224] ? lock_release+0xa10/0xa10
[ 53.635175] ? __lock_is_held+0xb5/0x140
[ 53.639221] ? __tun_detach+0x1170/0x1170
[ 53.643351] _raw_spin_lock+0x2a/0x40
[ 53.647129] ? tun_chr_close+0x334/0x6e0
[ 53.651178] tun_chr_close+0x334/0x6e0
[ 53.655049] ? fcntl_setlk+0x1020/0x1020
[ 53.659091] ? __tun_detach+0x1170/0x1170
[ 53.663219] ? fsnotify+0xfc0/0xfc0
[ 53.666824] ? fsnotify_first_mark+0x330/0x330
[ 53.671396] ? __might_sleep+0x95/0x190
[ 53.675349] ? __tun_detach+0x1170/0x1170
[ 53.679491] __fput+0x34d/0x890
[ 53.682760] ? fput+0x1a0/0x1a0
[ 53.686022] ? _raw_spin_unlock_irq+0x27/0x70
[ 53.690496] ____fput+0x15/0x20
[ 53.693760] task_work_run+0x1e4/0x290
[ 53.697630] ? task_work_cancel+0x240/0x240
[ 53.701933] ? exit_to_usermode_loop+0x87/0x310
[ 53.706582] exit_to_usermode_loop+0x2bd/0x310
[ 53.711143] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 53.715970] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.721488] do_syscall_64+0x6ac/0x800
[ 53.725356] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 53.730179] ? syscall_return_slowpath+0x5c0/0x5c0
[ 53.735092] ? syscall_return_slowpath+0x30f/0x5c0
[ 53.740024] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 53.745368] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.750189] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.755357] RIP: 0033:0x47fc44
[ 53.758524] RSP: 002b:000000c420135550 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 53.766208] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fc44
[ 53.773454] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 53.780706] RBP: 000000c420135598 R08: 0000000000000000 R09: 0000000000000000
[ 53.787959] R10: 0000000000000000 R11: 0000000000000246 R12: 000000c42017ca32
[ 53.795211] R13: 000000c42017ca37 R14: 000000c42017ca30 R15: 000000c42017ca48
[ 53.803002] Dumping ftrace buffer:
[ 53.806523] (ftrace buffer empty)
[ 53.810220] Kernel Offset: disabled
[ 53.813827] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=135a5197800000


Tested on:

commit: ab452c3ce7ba ipvlan: call netdevice notifier when master m..
git tree: net
kernel config: https://syzkaller.appspot.com/x/.config?x=3c81463aa207d27f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a35417800000

Paolo Abeni

May 16, 2018, 12:34:40 PM5/16/18
to syzbot, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git 9d6b4bfb59a036d0da6406295481cdb3a5f4ffba

I'm wild-guessing that recent tun changes broke the syzbot setup, so
retesting on a slightly older tree

syzbot

May 16, 2018, 12:57:02 PM5/16/18
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+aac887...@syzkaller.appspotmail.com

Tested on:

commit: 9d6b4bfb59a0 Merge git://git.kernel.org/pub/scm/linux/kern..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
kernel config: https://syzkaller.appspot.com/x/.config?x=3c81463aa207d27f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11c43817800000

Note: testing is done by a robot and is best-effort only.

syzbot

May 16, 2018, 6:34:02 PM5/16/18
to j...@ssi.bg, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+aac887...@syzkaller.appspotmail.com

Tested on:

commit: 7063efd33bb1 tuntap: fix use after free during release
git tree: net
kernel config: https://syzkaller.appspot.com/x/.config?x=3c81463aa207d27f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1478c477800000

Julian Anastasov

May 16, 2018, 6:43:58 PM5/16/18
to syzbot, core...@netfilter.org, da...@davemloft.net, f...@strlen.de, ho...@verge.net.au, kad...@blackhole.kfki.hu, linux-...@vger.kernel.org, lvs-...@vger.kernel.org, net...@vger.kernel.org, netfilt...@vger.kernel.org, pa...@netfilter.org, syzkall...@googlegroups.com, wen...@linux-vs.org

Hello,

On Wed, 16 May 2018, syzbot wrote:

> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 0b7d9978406f Merge branch 'Microsemi-Ocelot-Ethernet-switc..
> git tree: net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=16e91017800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
> dashboard link: https://syzkaller.appspot.com/bug?extid=aac887f77319868646df
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1665d637800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10517107800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+aac887...@syzkaller.appspotmail.com
>
> IPVS: Unknown mcast interface: veth1_to???a????????????
> IPVS: Unknown mcast interface: veth1_to???a????????????
> IPVS: Unknown mcast interface: veth1_to???a????????????
Just to let you know that I tested a patch with
the syzbot, will do more tests before submitting...

Regards

--
Julian Anastasov <j...@ssi.bg>

syzbot

May 19, 2018, 8:15:02 AM5/19/18
to j...@ssi.bg, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+aac887...@syzkaller.appspotmail.com

Tested on:

commit: d775f26b295a cxgb4: fix offset in collecting TX rate limit..
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=17a2ec0f800000